Security through Insecurity

Tag: Botnet

Website Hacked

by Josh Houston on Sep.08, 2010, under Hacking, News, Security

A few months ago, this website was hacked by a Russian group for the purpose of hosting malware, specifically a botnet trojan. Ultimately, they used this site for several purposes, such as finding other vulnerable sites, providing a direct download of viruses, and serving as a somewhat anonymous proxy for them to use. I was aware of this almost immediately, and began reversing their files to find out just who made these programs, and where they were coming from.

I’ve been very busy this summer, taking on a job and joining the Volunteer Fire Department, so progress was slow. But eventually I found a surprisingly insecure botnet that was being hosted primarily in China, but also with backup servers in India and Russia. I found a pretty decent net, consisting of over 200,000 infections. It was gaining roughly 20,000 a day, but they were selling more of them.

An authhost was set on the bots, but other than that, the password to get into the channel was very simple, and it was easy to blend in. These bots were quiet, obviously due to size, as the channel would ping out any user who tried to command thousands of bots at once when they all replied.

Eventually I was able to fully dismantle the botnet, as they had a small backdoor in their bots, allowing for super anonymous communication, kind of like a p2p network. The bots could be given commands directly, which is very common nowadays, but there was no authentication. Furthermore, if you told a bot to spread the command, it would assign 9 other bots to do the same, and they would all message every bot in the channel and server with the command, and jump to the other servers and do the same, until all bots were updated. It would have been a nice feature… had it been secure.

Either way, I issued a command to update the password for a week, until they were all under my command. At this point, the bot masters began realizing they were losing control, and attempted to shut down the servers, but failed. I don’t know why they failed, but it was humorous watching them panic.

After I had control of the general population, I stopped all the attacks these bots had been performing (everything from password cracking to exploit scanning and spamming), and uninstalled them. From that point I simply said “have a nice day” to the former bot masters.

I finally cleaned up this webserver from all they did; I was just lazy about doing it. Anyway, I thought I’d share that little mishap in my research of botnets. It all happened because I chose to take the easy way one day, a mistake I should have known not to make, and one I won’t make again.

Comments more than welcome, as well as questions.
Also, would you like to write on this blog? Contact me here, or through josh@joshhouston.net. I’m looking for some good articles; there is no pay, it’s just something to do in your free time like I do, as I’m extremely busy nowadays. Video tutorials are the best in my opinion, but either way, whether it be text or video, all I ask is a full, detailed write-up, as I do myself.
