4:20 PM -- Imagine meeting the enemy -- your attacker -- "face-to-face" in an IRC chat room. That's just what Will McCammon did this week when he followed a hacker's tracks to an Internet Relay Chat channel. "It was a lot of fun," McCammon told me. "I was able to do investigative work and meet a real person involved in an exploit." (See Fake VPN Purposely Tempts Fate.)
McCammon says there were over 200 bots in the IRC chatroom where he tracked down his attacker, who had fallen into a honeypot trap set by McCammon and his colleague, Albert Gonzalez, who run the Distributed Honeynets Project. The attacker broke into the honeypot's Red Hat 6.2 server, a part of the project's simulated enterprise VPN.
The meeting, albeit brief, gave McCammon a peek into the botnet underworld. He was able to "see" the IP addresses of other bots on the attacker's botnet, and talk directly to the attacker himself. And surprisingly, McCammon found it was almost as easy to track and find the attacker as it was for the attacker to fall for his bait, an unpatched Unix box.
So if it's this easy to track down an attacker, why aren't we catching more of these guys?
McCammon wonders the same thing. "If it's actually easier to infiltrate these guys than we previously believed, can we break them apart before they cause much damage?" He thinks ascertaining the psychology of the attacker may be one way of thwarting botnets.
Still, McCammon was only able to glean that the attacker appeared to be speaking Portuguese or a similar tongue, and that (like most attackers) he didn't lack confidence when McCammon busted him. "He said he would take it [the server] down again soon," McCammon says. "But he never did."
Kelly Jackson Higgins, Senior Editor, Dark Reading