
Collaborative Security against Malware and Botnets


Hi guys,

I am a researcher working on Botnets and Malware. In the previous months I have been studying Storm. What I have learned from this experience was really useful, but I have also seen that there is a lot of improvement to be made in the way Malware and Botnets are fought.

Right now there is a huge waste of energy in the research on this topic. For example, there were different groups studying Storm (including mine) and all these groups implemented their own crawler, they all reversed the binary and so on. That is, to understand how the three or four Russian coders made Storm, dozens of researchers worked basically redoing the same stuff many times.

I have posted some of my findings and some of my scripts here on Offensive Computing and I found it to be a great resource. There are many skilled reversers and security researchers here. The only problem is that I don't think a forum is the best way to handle data regarding Malware and Botnets, because data on forums is sometimes too sparse. Wikis and Forges can be much better in this sense; they allow multiple people to work on the same project in a collaborative way.

So here is my proposal for the community. What about a central repository of all the information about Botnets, including the botnet-specific tools necessary to analyze and study them? Very much like SourceForge, but the goal of a project wouldn't be to create a piece of software but to destroy a Botnet. For example, there would be a project about Storm, one about Rustock and so on, each project having a Project Lead and Team members.

So, each Botnet would be handled as a project where all the tools and programs used to inspect, analyze and infiltrate a Botnet would be available to the community with proper versioning support. Moreover all the 'intelligence' on the Botnet would be accessible through a Wiki.

This intelligence would include:

- how the Botnet spreads (email, browser exploits, etc.)
- how the binary hides itself on the computer
- what the C&C channel is and how it could be stopped
- analysis of the Botnet's Spam and other possible uses

This information would be really valuable to ISPs, Spam Filters, authorities and Registrars, and could ultimately lead to dismantling Botnets faster.

Security Researchers are far greater in number than Cyber Criminals and far better skilled. It's time to put together all this knowledge.

I am open to suggestions on how a website like this could work; right now I have a domain name we could use: collaborativesecurity.org.
And I could contribute all the information and programs I have coded and used to study Storm.
What would be the best way to implement the Web Application? Using GForge, Trac? Or coding a brand new application?

How would the community be organized, and how could admission to participate in a Project work?

And then if the site starts to be effective, how to protect it from DDoS?

A site like this and Offensive Computing would be complementary to each other :)

Thank you
Daniele

Interesting idea

Hello Daniele,

Although I do not agree with all your arguments, and I can't answer your questions, I totally agree with you that all the information regarding malware (botnets particularly) is too sparse.

www.honeynet.org, and others, do provide valuable information about botnets. But still it is very 'general'.
I, personally, do like the idea of a 'central repository of all the information'.
And I took a look at the www.collaborativesecurity.org you mentioned, but I just get a login screen. Maybe it is only an 'impression' of your idea. ;)

What I want to say is that if you need voluntary participants, I'm yours.

As you probably know (or maybe not) I did an in-depth research of the Storm botnet.
At that time (Christmas 2007) there was not much information available on the internet about Storm (a.k.a. Peed, Nuwar, Zhelatin, etc.). And at that time I wished there was a central repository of information. But there wasn't. So I decided to analyze it by myself and published the (summary of) results here at OC.
I received a lot of replies, comments and requests for more information in my mailbox.
And I felt the lack of a central repository for information.
So I have the experience also, and therefore: "I'm at your side".

I don't know how it can be a valuable addition to the other information sources.
Or how to implement this. But if your idea of a central repository of malware (or botnet) information becomes more 'realistic', please let me know.

Regards,
Chato Flores

totally agree

I'm a new researcher on botnets, and I also find that there is very much general botnet knowledge, but it's very hard to find something really interesting; it really needs a hub to put all the valuable information together.

let's start then

Alright, my email address is dan.perito@gmail.com. (Do we still need to hide email addresses?)
Contact me so we can start talking about this :)

Daniele

so interesting..... i'd like

So interesting..... I'd like to line up with you all. I'm a newbie in OC, though, but I've been handling Virus/spyware/botnet/rootkit removal for quite some time. We may not speak the same language, but I'm pretty sure I can be a great help. I'd just like to say something about the antivirus companies nowadays: how come they don't hire people who are as damn smart as the ones here in OC? Up until now most of the antivirus companies can't remove a simple infection such as Antivirus 2009, etc....