Network Security Incidents

Re: Dismantling Botnets?

Subject: Re: Dismantling Botnets?
Date: Thu, 20 Oct 2005 15:30:43 +0200
steven@lovebug.org wrote:

> We can e-mail or call the abuse in an attempt to shut down the server
> in question.  This probably works a little more than half of the
> time, but still doesn't solve the problem of the infected clients or
> tracking down the perpetrator.  Do the ISPs/Hosting Server owners
> have responsibility to attempt to remove the trojans from the infected
> machines?  Many of the botnet trojans have uninstall/remove commands
> that they could theoretically issue.

This is possible. You have to find the password used by the attackers to
"authenticate" themselves to the bots. And often you must have IRC-OP
status on the server to change your hostname. Then you can execute
commands and for example uninstall the bots from the victim's machine.

But there are problems with this approach: What are the legal
consequences? What about ethics?

> Maybe that is asking too much, but what about trying to catch the
> person running the botnet?  How often do these ISPs/hosting providers
> actually provide any of this information to the authorities? Even
> then what can and will ever be done?

Presumably the best documented case in this area is "operation
cyberslam" (http://www.reverse.net/operationcyberslam.pdf).
Unfortunately, most of the time the authorities don't prosecute the
attackers...

> Is there a place where current information can be given and it will
> truly be investigated and action will be taken?

I am one of the authors of the "Know your Enemy: Tracking Botnets" paper
(http://www.honeynet.org/papers/bots/) and have some experience in the
area of botnets. My advice would be to pass the information about the
botnet to your local CERT. There are groups within the CERT community
that handle this kind of information. They are quite successful and
often can stop the incident.

Just my 0.02 Euro,
  Thorsten
