Shadowboxing With a Bot Herder
I went into the interview knowing very little about this individual, other than his online alter ego, "Witlog," and that he has infected close to 30,000 Windows PCs with his computer worm, which he claims is powered by code that he downloaded from a Web site, modified slightly, and set loose on the 'Net. I came away from the interview no more knowledgeable about his background, age, location or motivation, but perhaps with a stark reminder of how just a little bit of knowledge can be such a dangerous thing.
Witlog claims he doesn't use his botnet for illegal purposes, only "for fun." I found that claim pretty hard to believe given a) the income he could make installing ad-serving software on each computer under his control, combined with b) the risk he is taking of getting caught breaking into so many computers. The kid I wrote about in the Post magazine story on the connection between botnets and spyware was making $6,000 to $10,000 per month installing adware on a botnet half the size of the one Witlog claims to have.
I was introduced to Witlog through several security experts who are part of the Shadowserver.org crew, a group of talented volunteers who dedicate a great deal of their free time and energy toward making life more difficult for bot herders like Witlog. Shadowserver has been cataloging Witlog's every move for the past two months or so, and shared with me records showing Witlog seeding his botnet with adware from DollarRevenue.net, which pays distributors $0.30 for each install of their pop-up ad-serving software on a computer in the United States; distributors can earn $0.20 per install for Canadian PCs, and ten cents per install for computers based in the United Kingdom. Installs on PCs in other countries net the distributor two cents or less.
Witlog admitted to me that he made at least $400 by installing adware on his bots and conducting a petty distributed-denial-of-service attack against a couple of Web sites that knocked them offline for a while. For all I know, that could be the extent of it. He also admitted that he lets his buddies use his botnet for their own purposes, which he claims not to know much about.
But what blew me away was how he created the botnet, which is powered by a worm that spreads only through known network security holes in Microsoft Windows and which requires no action on the part of the victim other than the failure to apply security patches and (maybe) the failure to use a simple firewall. Had he decided to spread his worm through more conventional means -- via Web links sent in instant messages or as attachments in e-mail -- his botnet could probably have grown to twice its current size.
In this snippet of our conversation, I asked Witlog how and why he got his botnet started:
Witlog: why i did it? i've read an article on yahoo or smth like this
Witlog: so when i've read that article, i thought "why not to make my own"?
SecurityFix: so did you just download the source from some site and set it loose?
Witlog: changed settings, and started it
Witlog: thats all
Witlog: anyone could do that
Witlog: you don't have to know many things to do a botnet like this
Over the past month and a half, Witlog used freely available source code for SDBot and built his botnet to 45,000 PCs. That is, until botnet hunters like Shadowserver and others put enough pressure on Witlog's Internet service provider to shutter Witlog.com, the domain name he was using to control his bot herd. That was only a temporary setback for Witlog, however, who simply registered a new bot control channel at Witlog.net. So far his network is back up to about 65 percent of its original size and growing by several thousand newly infected machines per day.
But again, Witlog says it's not about size, it's all about the fun of it. For guys like Witlog, building botnets can be akin to a kind of digital hide and seek. On Monday, he began using a new version of the code that runs his botnet (this is the sixth iteration). Less than 24 hours after he released it, the bot code was detected as malicious by only two of the more than a dozen major anti-virus scanners employed by the free virus-testing service over at VirusTotal.com; two other anti-virus engines flagged it as "suspicious," but could not tell whether the file was overtly hostile.
Witlog may in fact be the product of a new generation of "script kiddiez"; the chief distinguishing feature of this generation being that instead of using Web site flaws to deface as many Web sites as possible, these guys are breaking into thousands of home and work PCs and taking them for a virtual joyride, oftentimes all the way to the bank.
And it's not just hacked home PCs we're talking about either. According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside a major U.S. defense contractor.