Botnet tracking
August 11, 2008 8:13 PM   Subscribe

Nyark, nyark. I got spam nerdery like nobody -- I've been a spam junkie since the 90's.
posted by Michael Roberts at 11:16 AM on August 12, 2008

Well, the practical application is to Know Thine Enemy. I've had several benefits from it: first, I know 15,000 IPs used to inject spam into Despammed.com, accounting for 3.9% of my spam right now -- I can block them specifically as soon as I have the time, and it's better in the end than simply blocking everything that looks like a DSL line. More sophistication in the filters is always a better thing.

Second, I've learned some Javascript. That's been fun. I haven't actually written much of it up yet, but one in particular was cool; it encrypted a payload script and used its own source and location URL as a key to verify it hadn't been modified before unpacking. (Of course, Javascript renders that kind of care moot, but it took me two days to figure it out.)

But mainly -- these jackholes are stealing the world's computers with the full knowledge of the Russian government and if you think they aren't the guys who took Estonia off the net, then I have a bridge I'd like to talk to you about. (If not this specific group, then another -- the principle applies nonetheless.)

Stupid little scripts like mine are part of the Internet's immune system. Eventually, it all adds up and we all become a little stronger, a little smarter.

But in the end? Spam nerdery. Or herdery. It's just a basic fascination. At some point, they'll start using self-modifying code and it'll all bootstrap up to intelligence and kill us.
posted by Michael Roberts at 12:51 PM on August 12, 2008

Holy schemoley, this got picked up by sans.org today and traffic is much, much more interesting!
posted by Michael Roberts at 5:14 PM on August 17, 2008

Many do. That's why these emails don't contain executables.

Instead, the operators of the botnet hijack server accounts (usually an FTP password obtained by means unknown) and store the executable there. Some simply link to the executable from the email. Some have a link to a PHP page which forwards to the executable. Some have a link to static HTML containing Javascript which forwards to the executable.

Not these guys. These guys link to the executable from something that looks a whole lot like a video. And just in case that doesn't work, they have a meta refresh that fires after 30 seconds (or 10). And just in case that doesn't work, they have an invisible iframe that loads Javascript that loads a different executable, or exploits vulnerabilities in your Quicktime or Flash plugins. And just in case that doesn't work, they pop up a window that says it's scanning for viruses and loads yet another executable while you're waiting, and if you try to close, it warns you that your system may not be secure if you stop it. (ha!) And just in case that doesn't work, they also pop up a Javascript window that won't let you close your browser without loading that damned executable.

But just attach an executable to the email? Sheesh. That's so twentieth, man. Nobody does that except my kid sister.
posted by Michael Roberts at 8:44 PM on August 18, 2008

I'm going to have to do some research on that, then -- I've never actually looked at bodies at all at Despammed; header filtration is already pretty effective.

So it occurred to me that if this botnet were DDoSing, say, Georgia, at a point in time, say, leading up to a Russian invasion, then you'd expect to see less spamming activity from the botnet during that time. Right?

Oh, that's a shame. No graphics in comments here. Well, I have the graph up on the project page. Go judge for yourself. And tell me if I'm just staying up too late or if there's some meaning there.
posted by Michael Roberts at 11:10 PM on August 18, 2008

Oh, and after my spiel yesterday, today the botnet is linking directly to hosted executables.

Whatever.
posted by Michael Roberts at 5:12 AM on August 19, 2008