Author Topic: need a complt tutorial about designing botnets  (Read 28303 times)
dean
Guest
« Reply #30 on: December 17, 2007, 06:51:37 AM »

themadhatter, Yes a lot do get away with it but there are successes too.

Have a look at the FBI's Bot Roast & Bot Roast II. The Shadowserver team shut down C&C servers on a regular basis.

Remember that the server(s) controlling the bots are really just another host that is 'told' to act as a server and not a zombie, so the server could be anywhere in the world and likely is just another home user's machine.

Additionally, some countries have very lax (read: non-existent) laws as to computer-based crime. Hosting a malware server or malicious website used to infect users is not illegal. The Russian Business Network (RBN) have gotten away with this for years, although recently they did move their servers.

There is also the issue of collaboration between the various law enforcement agencies in the different countries. All this takes time and is difficult to coordinate.

dean
Logged
proudindian
Newbie
Posts: 32
« Reply #31 on: December 19, 2007, 06:18:52 AM »

Actually, my concept of IRC botnets is not clear... can you please tell me about that?

And I heard that if someone is tracing the Storm bot then the bot automatically DoSes his/her system. Is that right, actually?
Logged
dean
Guest
« Reply #32 on: December 19, 2007, 06:55:31 AM »

Proudindian, what are you not sure about when it comes to IRC-based botnets?

You're correct about the Storm Worm DDoS'ing people tracing its activity and spread. It tracks the source IP and downloads of the malware and duration between downloads. So if you're going to script the downloads of the malware then make sure that you randomize time between downloads.

dean
Logged
proudindian
Newbie
Posts: 32
« Reply #33 on: January 05, 2008, 09:03:02 AM »

Hey people, again in this topic,

I am not getting it, please help. Actually, I got how a botnet works, what they do and what it actually is, thanks for all of this. Now my problem is I am not getting it with IRC. Actually, I was looking at dean's post, that Google search code, but I am not getting how that code will actually work with IRC?

I mean, how do bots actually work with IRC? Please help...
Logged
dean
Guest
« Reply #34 on: January 05, 2008, 10:58:18 AM »

proudindian,

Here is a brief explanation of how a C&C IRC botnet works:

Once a host has been compromised and a new botclient has been created, the client will initiate communications with the Command & Control server. The client will join an IRC server (which can also be hosted anywhere).

The client will normally upload information into the channel about the compromised host as well. It then waits for commands to be issued through the channel.

For example: The botherder wants to DDoS a specific site for a customer. The botherder will send a command to some or all of the bots in the channel to DDoS the victim. That command could take the form of:

!ddos {target} {duration} {ddos type}

Each bot will then respond to those commands and initiate a denial of service attack against the target. After completing the attack the botclients will report back to the C&C server.

Today the botnets are far more complex and use far different mechanisms to communicate and remain active.

With regard to the Perl code I posted about a bot that could do Google lookups: that bot would be connected to an IRC server using the following command:

perl bot.pl {server}{port}{channel}

Once in the channel the bot will listen for commands such as:

!google {term}

It will then parse the results and display the first couple of URLs. This is not a malicious bot and is really used to provide extra functionality in a channel. BTW, the code I posted is not complete.

dean
Logged
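An added example, not part of the original posts and not the Perl bot dean refers to: a defender-side check over captured IRC traffic that separates the two cases described above, a utility bot answering `!google` (one responder) from a C&C channel where a single `!` command is answered by many distinct clients. The function name, the `min_responders` threshold, the fan-out heuristic itself and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# IRC wire format (RFC 1459): ":nick!user@host PRIVMSG #channel :text"
PRIVMSG = re.compile(r"^:([^!\s]+)!\S+ PRIVMSG (#\S+) :(.*)$")
# Command shape from the post: "!verb arg [arg ...]"
COMMAND = re.compile(r"^!([A-Za-z]+)\s+\S")

def find_cc_channels(lines, min_responders=3):
    """Flag channels where one '!' command is answered by many distinct nicks.

    Returns {channel: [(issuer, verb, sorted responders), ...]}.
    """
    pending = {}                 # channel -> [issuer, verb, set(responders)]
    findings = defaultdict(list)

    def close(chan):
        issuer, verb, responders = pending.pop(chan)
        if len(responders) >= min_responders:
            findings[chan].append((issuer, verb, sorted(responders)))

    for line in lines:
        m = PRIVMSG.match(line.strip())
        if not m:
            continue             # JOIN, PING and other messages are ignored
        nick, chan, text = m.groups()
        cmd = COMMAND.match(text)
        if cmd:
            if chan in pending:  # a new command ends the previous window
                close(chan)
            pending[chan] = [nick, cmd.group(1).lower(), set()]
        elif chan in pending and nick != pending[chan][0]:
            pending[chan][2].add(nick)
    for chan in list(pending):
        close(chan)
    return dict(findings)

# Constructed capture; all addresses are RFC 5737 documentation ranges.
SAMPLE = [
    ":op!o@203.0.113.5 PRIVMSG #help :!google irc rfc",
    ":gbot!g@203.0.113.9 PRIVMSG #help :1) https://example.org/rfc1459",
    ":hrd!h@198.51.100.7 PRIVMSG #x9 :!ddos 192.0.2.10 60 typeA",
    ":b01!a@198.51.100.21 PRIVMSG #x9 :done 192.0.2.10",
    ":b02!a@198.51.100.22 PRIVMSG #x9 :done 192.0.2.10",
    ":b03!a@198.51.100.23 PRIVMSG #x9 :done 192.0.2.10",
]

if __name__ == "__main__":
    for chan, hits in find_cc_channels(SAMPLE).items():
        print(chan, hits)
```

The check only sees cleartext IRC, so it fits the older C&C style described in the post rather than the more complex mechanisms mentioned as current.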
proudindian
Newbie
Posts: 32
« Reply #35 on: January 05, 2008, 11:11:52 AM »

Hmmm, dean, thanks man, you really helped me a lot.
Logged