Sunday, October 21, 2007

Out of the shadows

Many of you may be aware of who I am, and why I cover botnets and malware. Still, most of you are not and this post is for you.

Richard Bejtlich sparked a flood of visitors to the site with a small mention in his TaoSecurity blog. I've tried to keep a low profile, enjoying the hunt without all the attention. Last year all the attention was too much.

....Once upon a time....

In October of 2004, Shadowserver was born. It was mostly created as an outlet for emotions I experienced after my father's suicide. Like anyone would do, I spent several weeks looking through every file on his computer, and on the media found in his home. I was searching for answers.

What I found was a warez botnet using approximately 20 GB of his hard drive space. They ran a crummy bot that also ate up most of his processor power.

I taught myself how to analyze the bot's network activity with a packet sniffer. Once I found out where the bot connected, I unleashed a personal campaign to shut down the network. I contacted service providers and the ISPs of other victims, and after about six weeks, the network was completely disassembled.

From then on, I was intrigued and worked to shut other networks down. After a while I found there were so many networks that I had to focus on specific types. I focused on networks with more than 5000 drones, and on those launching denial-of-service attacks, doing click fraud, or running keyloggers.

Brian Krebs ran a very nice piece on my story and overnight Shadowserver became a household name. Dozens of people wanted to work with Shadowserver. Brian turned a small team of guys into botnet experts with the wave of his digital pencil.

We were quite successful finding botnets and getting those nets shut down. I even showed off for law enforcement and groups of information security professionals.

Something encouraged me to go in another direction. I realized we were just playing whack-a-mole with these botnets. There were several times we saw botnets reappear days or weeks after we shut them down. Many times we were hit by denial-of-service attacks. Many of us collectively decided to change our focus and gather intelligence on these botnets.

The data we gathered could be submitted to the FBI, the US Secret Service, and foreign law enforcement. Our first attempt at gathering such intelligence was on the Witlog botnet. It's a hard line to walk, sharing details with the public and not giving up data that will hurt a criminal investigation. Furthermore, botnet controllers tend to get upset when you share details of their network with the rest of the world.

Last year I turned The Shadowserver Foundation over to Andre and the rest of the team, in favor of a slightly more invisible role in the fight against botnets. My mission is gathering intelligence and, once simplified, disseminating that intelligence to the general public. In September of 2006 a few of us left Shadowserver and founded this new team, DISOG.

Shortly after we put up our webpage, I was invited to give a talk at the 2007 Botnet Taskforce (FBI Press Release). I presented on what I believe could be the future of botnets. During my talk I told the room of 250+ law enforcement agents from all over the world that I thought the likelihood of large-scale peer-to-peer botnets was still several years away. Other researchers disagreed, and there is little doubt how wrong I was!

As if they had heard my words, within two months I blogged about Storm, the peer-to-peer botnet that has piqued the interest of more than a few people.

I will continue to post and share stories as I continue to learn, but make no mistake - I am not an expert. I am just another guy who wanted to learn something new and has had an excellent time doing it. If you want to meet the experts, visit Shadowserver, or Team Cymru.

I find it very fitting that this post happened the day before the third anniversary of my father's death.

-- Nicholas
