
Shadowboxing With a Bot Herder

Security Fix had an interesting online conversation Tuesday night with a hacker who controls a vast, distributed network of hacked Microsoft Windows computers, also known as a "botnet."

I went into the interview knowing very little about this individual, other than his online alter ego, "Witlog," and that he has infected close to 30,000 Windows PCs with his computer worm, which he claims is powered by code that he downloaded from a Web site, modified slightly, and set loose on the 'Net. I came away from the interview no more knowledgeable about his background, age, location or motivation, but perhaps with a stark reminder of how just a little bit of knowledge can be such a dangerous thing.

Witlog claims he doesn't use his botnet for illegal purposes, only "for fun." I found that claim pretty hard to believe given a) the income he could make installing ad-serving software on each computer under his control, combined with b) the risk he is taking of getting caught breaking into so many computers. The kid I wrote about in the Post magazine story on the connection between botnets and spyware was making $6,000 to $10,000 per month installing adware on a botnet half the size of the one Witlog claims to have.

I was introduced to Witlog through several security experts who are part of the Shadowserver.org crew, a group of talented volunteers who dedicate a great deal of their free time and energy toward making life more difficult for bot herders like Witlog. Shadowserver has been cataloging Witlog's every move for the past two months or so, and shared with me records showing Witlog seeding his botnet with adware from DollarRevenue.net, which pays distributors $0.30 for each install of their pop-up ad-serving software on a computer in the United States; distributors can earn $0.20 per install for Canadian PCs, and ten cents per install for computers based in the United Kingdom. Installs on PCs in other countries net the distributor two cents or less.

Witlog admitted to me that he made at least $400 by installing adware on his bots and conducting a petty distributed-denial-of-service attack against a couple of Web sites that knocked them offline for a while. For all I know, that could be the extent of it. He also admitted that he lets his buddies use his botnet for their own purposes, which he claims not to know much about.

But what blew me away was how he created the botnet. It is powered by a worm that spreads only through known network security holes in Microsoft Windows, and infection requires no action on the part of the victim other than the failure to apply security patches and (perhaps) to run even a simple firewall. Had he decided to spread his worm through more conventional means -- via Web links sent in instant messages or as attachments in e-mail -- his botnet could probably have grown to twice its current size.

In this snippet of our conversation, I asked Witlog how and why he got his botnet started:

Witlog: why i did it? i've read an article on yahoo or smth like this 
Witlog: so when i've read that article, i thought "why not to make my own"?
SecurityFix: so did you just download the source from some site and set it loose?
Witlog: yes
Witlog: changed settings, and started it
Witlog: thats all
Witlog: anyone could do that
Witlog: you don't have to know many things to do a botnet like this

Over the past month and a half, Witlog used freely available source code for SDBot and built his botnet to 45,000 PCs. That is, until botnet hunters like Shadowserver and others put enough pressure on Witlog's Internet service provider to shutter Witlog.com, the domain name he was using to control his bot herd. That was only a temporary setback for Witlog, however, who simply registered a new bot control channel at Witlog.net. So far his network is back up to about 65 percent of its original size and growing by several thousand newly infected machines per day.
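A defender-side check for the control-domain migration described above, added here as an example; it is not code from the original post and not Shadowserver's tooling. It assumes only the two control names the post mentions (witlog.com, then witlog.net), a constructed one-line DNS query log format, and irc.* hostnames invented on the assumption that an SDBot-derived bot checks in over IRC. It shows why a watch list that names witlog.com alone goes stale the moment the herder re-registers under .net, and one heuristic for catching that move:

```python
"""Find internal hosts looking up a bot herder's command-and-control domains.

Added example (not from the original post, not Shadowserver's tooling).
Assumptions: the C&C names are the two the post mentions, witlog.com and
later witlog.net; DNS query logs use the constructed one-line format below.
"""
import re
from collections import defaultdict

# Constructed sample log (not real data): <timestamp> <client IP> query <type> <name>
SAMPLE_DNS_LOG = """\
2006-03-07T21:14:02 10.20.1.17 query A witlog.com
2006-03-07T21:14:09 10.20.1.17 query A irc.witlog.com
2006-03-07T22:01:55 10.20.3.8 query A www.washingtonpost.com
2006-03-08T03:22:40 10.20.1.17 query A witlog.net
2006-03-08T03:23:01 10.20.5.44 query A irc.witlog.net.
2006-03-08T03:25:12 10.20.5.44 query A dollarrevenue.net
2006-03-08T09:10:00 10.20.3.8 query A update.microsoft.com
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def registered_domain(qname):
    """Last two labels of a name: irc.witlog.net. -> witlog.net.

    Fine for the .com/.net names here; a real deployment should use the
    Public Suffix List so that e.g. example.co.uk is not cut down to co.uk.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cnc_lookups(log_text, cnc_domains, match_label=False):
    """Map each client IP to the sorted C&C-related names it queried.

    Exact mode compares the registered domain against cnc_domains.
    match_label=True also matches on the second-level label alone
    ("witlog"), which is how a watch list written for witlog.com still
    catches the herder's move to witlog.net. That is a heuristic and
    will also fire on unrelated names sharing the label, so treat a
    label-only hit as a lead to verify, not proof that the client is a bot.
    """
    cnc_domains = {d.lower() for d in cnc_domains}
    cnc_labels = {d.split(".")[0] for d in cnc_domains}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        qname = m["qname"].lower().rstrip(".")
        rd = registered_domain(qname)
        if rd in cnc_domains or (match_label and rd.split(".")[0] in cnc_labels):
            hits[m["client"]].add(qname)
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    watch = {"witlog.com"}  # the only name a defender knew before the takedown
    print("exact match :", cnc_lookups(SAMPLE_DNS_LOG, watch))
    print("label match :", cnc_lookups(SAMPLE_DNS_LOG, watch, match_label=True))
```

Run against the constructed log, exact matching sees only 10.20.1.17 talking to witlog.com; label matching additionally surfaces that host's later witlog.net lookup and a second host, 10.20.5.44, that only ever contacted the new domain. The adware affiliate name (dollarrevenue.net) is deliberately not on the watch list: it is evidence of what the bot did after infection, not of the control channel itself.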

But again, Witlog says it's not about size, it's all about the fun of it. For guys like Witlog, building botnets can be akin to a kind of digital hide and seek. On Monday, he began using a new version of the code that runs his botnet (this is the sixth iteration). Less than 24 hours after he released it, only two of the dozen-plus major anti-virus engines employed by the free virus-testing service at VirusTotal.com detected the bot code as malicious; two other engines flagged it as "suspicious," but could not tell whether the file was overtly hostile.

Witlog may in fact be the product of a new generation of "script kiddiez"; the chief distinguishing feature of this generation being that instead of using Web site flaws to deface as many Web sites as possible, these guys are breaking into thousands of home and work PCs and taking them for a virtual joyride, oftentimes all the way to the bank.

And it's not just hacked home PCs we're talking about either. According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.

By Brian Krebs  |  March 9, 2006; 12:11 PM ET
Categories:  From the Bunker  

Comments

What, no pictures?

Posted by: Larry Seltzer | March 9, 2006 1:47 PM

Hey Larry:

Thanks for stopping by. I would like to have returned the favor, but alas, when I tried to visit your blog I was met with the following:

.Text - Application Error!
Details

A blog matching the location you requested was not found. Host = [blog.ziffdavis.com], Application = [seltzer]

oh well.

Posted by: Bk | March 9, 2006 2:05 PM

I hope you're getting a sizable kickback for promoting the services of thieves and vandals.

Posted by: Burke | March 9, 2006 2:19 PM

I follow your Security Fix column regularly. Thanks!

Q: When folks like Shadowserver investigate botnets, and find the location of the bot victims (like the Texas state govt hosts you mentioned today,) do they then go on to contact the bot victims to try to persuade them to lockdown their computers better, or don't they have the time or resources to do that kind of followup?

Posted by: KT | March 9, 2006 2:23 PM

Why aren't you at bluehat?

Posted by: David Maynor | March 9, 2006 2:23 PM

Microsoft should do its security fixes like these script kiddiez!

Posted by: just fix the damn thing | March 9, 2006 2:33 PM

this kid was mentioning articles being written about previous botnet owners, thanks for encouraging more youth to search sdbot on google, edit the source code and release the bots the way he did.

good job being a responsible journalist.

what next on washingtonpost's blog? how to cook crack cocaine and setup a small drug ring in your town?

Posted by: hey | March 9, 2006 2:55 PM

i like pizza hut thin crust pepperoni pizza; but in general there's a local place that is much better

Posted by: ppcx | March 9, 2006 2:58 PM

New? Hardly.

Botnets have been happening for at least the last decade, or at least as far back as I can remember. Botnets then were just as large, and used for the same things. The only difference then was that it was easier to exploit some random security hole, or easier to not be identified by a firewall.

Posted by: evilbadz | March 9, 2006 2:58 PM

To Maynor:

It's "black-n-blue" hat. Get it right :)

Posted by: Ken Pfeil | March 9, 2006 3:01 PM

that botherder guy was a hoot; he seemed to be interested in just doing a botnet rather than worrying about it infringing on someone else's personal property. he got code from someone else, infiltrated people's computers, and wasn't really concerned with what happened next. kinda like an intellectual exercise and not based in the real world. i don't think this guy was in the USA and isn't concerned with being arrested.

Posted by: ppcx | March 9, 2006 3:01 PM

KT: - Yes, we over at shadowserver.org report all of this activity to several law enforcement agencies and ISPs. For more on our process you can click on the "mission and process" link at the top of the shadowserver.org page.

JFTDT: We're working to fix it, we'd welcome your help!

Posted by: Nicholas Albright | March 9, 2006 3:04 PM

Response to hey:

It's not blogs, or articles, that cause malicious activities to propagate. If someone was determined to find bots, worms, or how to build a meth lab, they could easily find it on the Internet without the help of blogs and articles.

Blogs and articles such as this help raise awareness of these issues among average users. That goes a lot further to help stem the tide than just ignoring the fact that these guys are really out there.

Posted by: SemperSecurus | March 9, 2006 3:10 PM

I couldn't have said it better SemperSecurus. There is no security in obscurity.

Posted by: nojokin | March 9, 2006 3:14 PM

Writing an article with some info about how a criminally minded sociopath does what he does, isn't going to cause anyone else to do it. Anyone so inclined can go find the info themselves without this article. Just like you can easily find recipes for bombs on the internet. Anyone who thinks that the best way to prevent information from being misused is to not talk about it is deluding themselves with the logic of a 6 year old.

Posted by: dur | March 9, 2006 3:15 PM

Hi David. Thanks for your question. A: I was never invited.

Posted by: Bk | March 9, 2006 3:19 PM

I R LIEK INTER NET WORMZ AND BOT NEZ.

Posted by: WORMZ | March 9, 2006 3:21 PM

Always blaming the writer.. I guess if nobody talked about it, it would all just disappear.

you dumbasses.

Posted by: Sure | March 9, 2006 3:24 PM

"this kid was mentioning articles being wrote about previous botnet owners, thanks for encouraging more youth to search sdbot on google, edit the source code and release the bots the ways he did."

The vast teenage Washington Post readership collectively laughs at you.

Posted by: annoying comments | March 9, 2006 3:27 PM

Outstanding article. thanks

Posted by: Justme | March 9, 2006 3:44 PM

Script Kiddies are worthless losers who can't hack it. People like that need to get some imagination and go learn C/C++ and do it themselves.

Posted by: script kiddies are losers | March 9, 2006 4:01 PM

@hey

Give me a break. The very fact that you have no clue that most security types laugh at the idea of "security through obscurity." The real problem is:

1) Consumers being too stupid to update their Windows machines.
2) Consumers being too stupid to run a simple firewall.
3) Consumers being too stupid to run windows with full System Admin status all the time.
4) Consumers being too stupid to use an alternative browser like Firefox.
5) Consumers being too stupid to read about the free software they are installing and make sure they don't click "ok" to install spyware.
6) Consumers being too stupid to open and run attachments from people they don't know.
7) Consumers being too stupid to run updated virus scanners and spyware scanners.
8) Microsoft for writing garbage software that has a slow and ineffective update cycle.
9) Adware writers for exploiting people described in items #1-#7.

Posted by: Thomas | March 9, 2006 5:09 PM

There are many things in life that are fun, but some of them carry a cost of spending a few more nights with Bubba than desired.

OUCH!

Posted by: ZOverLord | March 9, 2006 7:32 PM

I think it's possible, but CIA knows about it

Posted by: umbke | March 9, 2006 8:24 PM

I just infected this comment with a text-virus!

Posted by: HA! | March 9, 2006 8:44 PM


>> 1) Consumers being too stupid to update their
>> Windows machines.

-- Ever hear of Kaiten.c? I have a couple hundred linux bot trojans too, don't make this a windows issue.

>> 3) Consumers being too stupid to run windows
>> with full System Admin status all the time.

They can still be infected and connect to C&C's even with dropped privs, your point?

>> 4) Consumers being too stupid to use an
>> alternative browser like Firefox.

Alternate browsers and OS's only work till they are used by the vast majority....the popular get the worm.

>> 5) Consumers being too stupid to read about the
>> free software they are installing and make sure
>> they don't click "ok" to install spyware.

Cause if you say no it never installs the spyware huh?

>> 6) Consumers being too stupid to open and run
>> attachments from people they don't know.

Or opening attachments from people they do know, since email worms can use your contact lists too.

>> 9) Adware writers for exploiting people
>> described in items #1-#7.

10) The security teams who take this approach to security.

Posted by: Nicholas Albright | March 9, 2006 9:21 PM

> Alternate browsers and OS's only work till they are used by the vast majority....the popular get the worm.

Might be true, but then try to explain why new worms for Apache servers don't come out every day.

Posted by: Wilmer v/d Gaast | March 10, 2006 2:56 AM

Look HA!

Let me state it clearly, it's a WINDOWS ISSUE. 9 years using Linux on the open net. Firewall, don't use root, no ports open to the world. Never got infected. Seen my chaps at the office with WinXP and 2000 get infected all the TIME; when I say all the TIME I mean daily.

I do use an open source antivirus, just in case.


@hey get this:
Windows users are not DUMB, they lack knowledge.


Posted by: HA | March 10, 2006 3:56 AM

With security like in Windows none are to be blamed

Posted by: 100rabh | March 10, 2006 4:59 AM

With security like that in windows....none are to be blamed except MS

Posted by: 100rabh | March 10, 2006 4:59 AM

Interestingly enough, the user 100Rabh pretty much gives the type of comment I was thinking of writing here when reading through the number of messages already here.

Now, don't get me wrong, software-mistakes happen; there's no such thing as bug-proof software, typo's happen and programmers have bad days as much as you and I.

However, the _design_ of functionality in something as essential as an operating-system is _crucial_ to its suitedness to the tasks it's designed to handle.

Unix, 25 years ago, struggled with the same pains as Windows is still struggling with now; back in those days people 'trusted each other', permissions on services and files were relaxed and loose, that is, until the first famous worm was written for the world's (still) most popular mailserver 'sendmail'.

Now, PC's have ultimately been a lot about 'You and the computer and nobody else'; issues with multiple users using the same PC's resources at the same time, or even time-shared, were non-existent up to recently. When the Internet came around the corner, suddenly an OS had to also take into account all kinds of other users demanding tasks from your PC and make sure that they were able to do 'as much as was needed, and nothing more'.

Unix learned the hard way that:
- Sharing writable-directories between users is a bad idea
- That having any 'well-named' file (like a .exe) is automatically executable is a BAD idea... you should set files executable by hand
- That to open/enable/execute/run anything 'by default' just because 'it's convenient' is a bad idea since it might seem a secure piece of software _today_, it might end up being a bug-ridden piece of legacy _tomorrow_.

There are numerous other well-known 'best-practices' out there that have been thought up, stress-tested and documented over the course of the 80's and the beginning of the 90's before Microsoft one day decided to stand up and say 'By jove!.. I believe this internet-thingy is going to be the next big thing after all!. Let's repeat all mistakes made in the past and re-implement everything from scratch!'

They came back on a whole lot of those design-decisions already, but sadly it's now 2006 and we're still not seeing the biggest, richest and most 'successful' corporation in the world able to find the will/power to re-work their efforts into something that can be maintained without a firewall and virus-scanners.
Because a virus is _nothing_ more than something which uses a bug in an OS's features to separate 'what the user is allowed to do' and 'what only the admin should be allowed to do'... Those types of bugs shouldn't _be_ there and every effort should be taken to make sure they are prevented, detected, and/or fixed as soon as possible. Instead it seems MS has opted to go into the business of providing band-aids that will prevent the open wounds from being exploited instead of healing the patient's ailings or even inoculating the problem at the root.

You might say 'But windows is just the target of the most attacks because it's the most popular'. The apache-project and its popularity as a webserver on the internet AND its security record at _least_ give a good indication that this is not quite something MS can hide behind; especially not since MS has a war-chest of literally billions to combat these problems with _if they wanted to_.

But why would you if people will continue to use it anyway (since everyone does and you can't get a machine ordered without it anyway and since MS doesn't make Word for anything else and .. etc etc..)
Like large miles-wide stretches of land with single-culture grain on it... a software-landscape with just one 'genetic strain' in it is going to be susceptible to a lot of ailments and diseases and is at risk of being wiped out altogether.
A mixed approach is a much better idea; the software and hardware industry is used to the idea of just having to suit one OS to make the most profit.. this is what is keeping back a market where there's a drive to 'just make it work on/for every OS/CPU/etc' since it really _isn't_ that hard and it'd really cut down on these types of targeted attacks against 'the biggest group'

Posted by: Justa | March 10, 2006 6:08 AM

Re: Users being stupid....

It comes down to a more fundamental problem from the earlier days of home PCs.

Most users don't want to know, and don't expect to have to know anything about their computer. They expect a computer to be as easy as a toaster.

They don't realise when they think this that actually, even a toaster isn't easy to use. They've learned that poking metallic objects into it when it's plugged in is a bad idea, and it takes effort to get the level of toasting right, especially if the bread is frozen. This is all just taken for granted, but when the new Computer comes along people seem to actually resent having to learn about it.

Computer software makers have, for years, pandered to this. So many security practices stop things "Just Working" and make the computer seem harder to use. Asking the user for a password for their system is considered a question too far. To get the "Easy to use" environment our toaster wielding users have expected computers have had to be a lot more trusting. Now they can't be.

It is only now that the maker of software most used by people is having to adapt their system to be more secure by default. It's also making it a lot more complex and harder to use.

Posted by: Richard | March 10, 2006 8:26 AM

1) When dos/win was evolving, there was no interweb. The security of a standalone machine is to keep people away from it. (remember the little round keyboard locks...?!) The little keylock was ok, until we got the big idea to network an os that was built as standalone.

2) Blaming users' stupidity/ignorance is irrelevant. Many watch television; fewer can set up an A/V system, and fewer still can repair one.

3) We all have failed to realize that we are early adopters, and being an early adopter is an uncomfortable place.

4) There has only recently been an economic reason to secure windows. MSFT is now doing it because it makes economic sense. It will take time. They will get there, but just as bank robbery will always happen, there will be risks and fraud.

5) Consider that being robbed over the internet, while a crime and unpleasant, at least will not likely result in the victim being brutalized or shot.

6) Turn OFF the damn thing if you aren't using it.

Posted by: Rob | March 13, 2006 12:39 PM


Thanks for this great post. You've got some really good info in your blog.
Mary Anne Martin
http://www.computersdiscountattic.com

Posted by: Mary Anne Martin | May 8, 2006 2:15 PM


© 2010 The Washington Post Company