Dark Reading is part of the Informa Tech Division of Informa PLC

Analytics

9/24/2008
08:25 AM

Shadowserver to Build 'Sinkhole' Server to Find Errant Bots

New initiative will emulate IRC, HTTP botnet traffic

OWASP AppSec USA 2008 -- NEW YORK -- Ever wonder what happens to the bots when a botnet domain shuts down? The Shadowserver Foundation, a volunteer organization that gathers intelligence on the Internet’s dark side, has begun building a so-called “sinkhole” server that poses as those now-defunct malicious domain servers in order to find out what they left behind.

The project, which is in the early phases, will allow Shadowserver to emulate both botnet IRC and HTTP traffic as a way to study those botnets as well as find bots that remain infected by them, says Steven Adair, a security expert with Shadowserver, who revealed the new project to attendees of the OWASP USA security conference here.

“There are still a lot of [machines] communicating with” these now-defunct servers, Shadowserver’s Adair says. Shadowserver then could trace those infected machines and alert the organizations whose machines or Web servers are still infected by the botnets, he says. “We would register and take those [former malicious] domains.”

Shadowserver’s sinkhole server will be able to accept incoming traffic from infected machines as they try to communicate with their former command and control server, for example. “We’ll be able to see referrers, who came in and which sites or pages are infected,” Adair says.

It will also allow companies that know they have bots to redirect their bot-infected traffic to the sinkhole server for Shadowserver to analyze, although Adair says he is unsure whether companies will use it that way.
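The mechanics described above, as an added example rather than Shadowserver's own code: a toy HTTP sinkhole built on the Python standard library. The handler answers every request with an inert, empty 200 and records it (a sinkhole must never return a body a bot could interpret as a command), and the parser and summary turn the recorded requests into the two things the project is after: which source IPs are still beaconing to the defunct domain, and which third-party pages (visible through the Referer header) still embed content from it. The domain, paths and IP addresses in the sample traffic are constructed placeholders from the RFC 5737 documentation ranges, not real indicators, and the beacon/Referer split is an assumption made for illustration.

```python
"""Toy HTTP sinkhole: record what still talks to a dead botnet domain.

Added illustration only; not Shadowserver's code. Domains, paths and IPs
below are constructed placeholders, not real indicators.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Hit:
    src_ip: str
    host: str                    # sinkholed domain the client thinks it reached
    method: str
    path: str
    user_agent: str
    referer_page: Optional[str]  # page that caused the fetch, if any (query stripped)


def parse_hit(src_ip: str, raw: bytes) -> Hit:
    """Parse the head of one raw HTTP/1.x request as received by the sinkhole."""
    lines = raw.decode("latin-1", errors="replace").splitlines()
    request_line = lines[0] if lines else ""
    parts = request_line.split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "/")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    referer_page = None
    if headers.get("referer"):
        u = urlsplit(headers["referer"])
        referer_page = u._replace(query="", fragment="").geturl()
    host = headers.get("host", "").split(":", 1)[0].lower()  # drop any :port
    return Hit(src_ip, host, method, target, headers.get("user-agent", ""), referer_page)


def summarize(hits: Iterable[Hit]) -> dict[str, dict[str, list[str]]]:
    """Per sinkholed domain: hosts beaconing directly (no Referer, so the
    client itself holds the domain) versus pages still embedding the domain
    (Referer present, so a browser fetched it from that page)."""
    report: dict[str, dict[str, set[str]]] = defaultdict(
        lambda: {"beacon_ips": set(), "infected_pages": set(), "paths": set()}
    )
    for h in hits:
        entry = report[h.host]
        entry["paths"].add(h.path)
        if h.referer_page:
            entry["infected_pages"].add(h.referer_page)
        else:
            entry["beacon_ips"].add(h.src_ip)
    return {d: {k: sorted(v) for k, v in e.items()} for d, e in report.items()}


class SinkholeHandler(BaseHTTPRequestHandler):
    """Accept anything, reply with an empty 200, record a Hit.
    Deliberately never echoes input or returns a body a bot could parse."""
    hits: list = []

    def _record(self) -> None:
        length = int(self.headers.get("Content-Length", 0) or 0)
        if length:
            self.rfile.read(length)  # drain the body; we do not act on it
        raw = (self.requestline + "\r\n" + self.headers.as_string()).encode("latin-1", "replace")
        SinkholeHandler.hits.append(parse_hit(self.client_address[0], raw))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = _record

    def log_message(self, *_):  # the hits list is the record; keep stderr quiet
        pass


# Constructed sample traffic (placeholders, not real indicators).
SAMPLE = [
    ("198.51.100.7", b"POST /stat.php HTTP/1.1\r\nHost: old-c2.example\r\n"
                     b"User-Agent: Mozilla/4.0\r\nContent-Length: 0\r\n\r\n"),
    ("198.51.100.7", b"POST /stat.php HTTP/1.1\r\nHost: old-c2.example\r\n\r\n"),
    ("203.0.113.9", b"GET /cmd.txt HTTP/1.0\r\nHost: old-c2.example:80\r\n\r\n"),
    ("192.0.2.44", b"GET /js/ld.js HTTP/1.1\r\nHost: old-c2.example\r\n"
                   b"Referer: http://shop.example.org/checkout?id=5\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n"),
]


def demo() -> dict[str, dict[str, list[str]]]:
    """Run the parser and summary over the constructed sample."""
    return summarize(parse_hit(ip, raw) for ip, raw in SAMPLE)


if __name__ == "__main__":
    print(demo())
    # To actually sink traffic, point the reclaimed domain's DNS here and run:
    HTTPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()
```

In the sample, the two POSTs and the bare GET have no Referer and are treated as direct beacons from still-infected hosts, while the script fetch with a Referer is attributed to the shop page that still embeds the dead domain; those are exactly the "who came in" and "which sites or pages are infected" answers the article attributes to Adair.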

HTTP remains the favorite communication method for botnets today, he says. One infamous HTTP-based botnet Shadowserver has been studying closely is Black Energy, which traditionally has been used for distributed denial-of-service (DDoS) attacks. (See Botnets Behind Georgian Attacks Offer Clues.) This year Black Energy went from just DDoSing to spreading keyloggers that steal credentials and passwords, Adair says. Like other botnets, it has been updating itself with new malware. “It went from a mundane botnet to stealing [credentials] and taking when it can from the same infection.”

But even the deadliest botnets have their flaws. Adair disclosed vulnerabilities in the Black Energy botnet's code: one that let him bypass authentication to the C&C infrastructure, and several cross-site scripting bugs. Those weaknesses could be used to turn the tables on the botnet; another botnet could infect Black Energy through them, for instance, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...