The Sting
What would you say if you met one of your attackers?
4:20 PM -- Imagine meeting the enemy -- your attacker -- "face-to-face" in an IRC chat room. That's just what Will McCammon did this week when he followed a hacker's tracks to an Internet Relay Chat channel. "It was a lot of fun," McCammon told me. "I was able to do investigative work and meet a real person involved in an exploit." (See Fake VPN Purposely Tempts Fate.)
McCammon says there were over 200 bots in the IRC chatroom where he tracked down his attacker, who had fallen into a honeypot trap set by McCammon and his colleague, Albert Gonzalez, who run the Distributed Honeynets Project. The attacker broke into the honeypot's Red Hat 6.2 server, a part of the project's simulated enterprise VPN.
The meeting, albeit brief, gave McCammon a peek into the botnet underworld. He was able to "see" the IP addresses of other bots on the attacker's botnet, and talk directly to the attacker himself. And surprisingly, McCammon found it was almost as easy to track and find the attacker as it was for the attacker to fall for his bait, an unpatched Unix box.
So if it's this easy to track down an attacker, why aren't we catching more of these guys?
McCammon wonders the same thing. "If it's actually easier to infiltrate these guys than we previously believed, can we break them apart before they cause much damage?" He thinks ascertaining the psychology of the attacker may be one way of thwarting botnets.
Still, McCammon was only able to glean that the attacker appeared to be speaking Portuguese or a similar tongue, and that (like most attackers) he didn't lack confidence when McCammon busted him. "He said he would take it [the server] down again soon," McCammon says. "But he never did."
— Kelly Jackson Higgins, Senior Editor, Dark Reading
Read more about: 2007