Know your Enemy: Tracking Botnets
Lance Spitzner’s Honeynet project is at it again. I just noticed this paper they wrote about bots… the quote made me laugh. Of all the reasons someone would break into my machine, stealing my Diablo 2 gear is probably pretty low on the list. All the kids on BattleNet tell me my gear stinks. (They usually use a different word.)
Another possibility is to install special software to steal information. We had one very interesting case in which attackers stole Diablo 2 items from the compromised computers and sold them on eBay. Diablo 2 is an online game in which you can improve your character by collecting powerful items. The rarer an item is, the higher its price on eBay. A search on eBay for Diablo 2 shows that some of these items allow an attacker to make a nice profit. Some botnets are used to send spam: you can rent a botnet. The operators give you a SOCKS v4 server list with the IP addresses of the hosts and the ports their proxies run on. There are documented cases where botnets were sold to spammers as spam relays: “Uncovered: Trojans as Spam Robots”. You can see an example of an attacker installing software (in this case rootkits) in a captured example.
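The rented "SOCKS v4 server list" mentioned above is only worth anything to a spammer if the bots actually answer the SOCKS4 handshake and grant a CONNECT to a mail server. The following is an added example (my own code, not from the Honeynet paper) showing how such a list would be parsed and how a SOCKS4 CONNECT request and reply look on the wire, so you can verify whether a host on your network is running an open SOCKS4 relay. The `host:port` list format and the sample addresses are assumptions for illustration; the SOCKS4 framing itself follows the protocol (VN=4, CD=1, 2-byte port, 4-byte IPv4, NUL-terminated user id; reply VN=0 with result code 0x5A for "granted").

```python
import socket
import struct

# SOCKS4 protocol constants
SOCKS4_VERSION = 0x04
CMD_CONNECT = 0x01
REPLY_GRANTED = 0x5A
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: client not running identd",
    0x5D: "rejected: identd user mismatch",
}


def build_connect_request(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """Build a SOCKS4 CONNECT request: VN, CD, DSTPORT, DSTIP, USERID, NUL."""
    return (
        struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, dst_port, socket.inet_aton(dst_ip))
        + userid
        + b"\x00"
    )


def parse_reply(data: bytes):
    """Parse the 8-byte SOCKS4 reply: VN (always 0), CD, DSTPORT, DSTIP."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("not a SOCKS4 reply (VN=%d)" % vn)
    return cd, socket.inet_ntoa(ip), port


def parse_proxy_list(text: str):
    """Parse a 'host:port' per line proxy list (format assumed); '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        entries.append((host, int(port)))
    return entries


def check_open_relay(host: str, port: int, target_ip: str, target_port: int = 25, timeout: float = 5.0):
    """Ask the SOCKS4 proxy to CONNECT to target_ip:target_port and report the result.

    Returns (granted, description). Only run this against hosts you are
    authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_ip, target_port))
        reply = s.recv(8)
    cd, _ip, _port = parse_reply(reply)
    return cd == REPLY_GRANTED, REPLY_CODES.get(cd, "unknown reply code 0x%02x" % cd)


# Constructed sample list, as a renter might receive it (addresses are documentation ranges).
SAMPLE_LIST = """\
203.0.113.5:1080
# second-hand bots below
198.51.100.7:9999   # port chosen by the bot herder
"""

if __name__ == "__main__":
    for host, port in parse_proxy_list(SAMPLE_LIST):
        try:
            granted, desc = check_open_relay(host, port, "192.0.2.25", 25)
            print(f"{host}:{port} -> {desc}")
        except OSError as e:
            print(f"{host}:{port} -> connection failed: {e}")
```

A bot that returns 0x5A here is usable as a spam relay; anything else (or a connection timeout) means the proxy is closed, filtered, or not SOCKS4 at all. The same request builder is handy when writing an IDS signature: the first eight bytes of an outbound SOCKS4 CONNECT to port 25 from a workstation are a strong sign that the machine is being rented out.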