[Dshield] Working with the FBI: was RE: IRC BOT opportunity

Faber, Sidney sfaber at federatedinv.com
Thu Oct 13 11:46:21 GMT 2005

It's always a great idea to work with the FBI, to establish a
relationship with Law Enforcement before you really need them.  This is
a great excuse to start talking to them.  Plus, you want to make sure
they get your IP address(es) and any other info listed as a "good guy"
in case you show up in any logs.

But I'm not sure they'll actually be able to do much for you.  I've been
working with our local FBI office in Pittsburgh for over 5 years now, we
have a very active cybercrime squad.  They're a great resource to be
able to call them anytime I have a question.  But it seems to be a much
different issue to actually open up a case and have them actively work

Like everyone in cybersecurity, they're extremely busy, and their
technical staff is stretched.  With the exception of child porn, they
generally seem to triage cases based on damages:  if you've lost money
or trade secrets, you'll get attention.  They work a case with the
intent to prosecute.  But if it's just a botnet, and there's no explicit
loss, and you don't intend to bring anyone to court, why should they
spend time on it?  Sure it's wrong, and it's unethical, but so are a lot
of other things...

On the other hand, it seems like there have been some recent
improvements based on DHS's information sharing initiatives.  I recently
asked if they were really interested when I find malicious web sites
(ones that exist only to exploit PCs, take control of them, and drop
junk on them).  And they are.  I think they enter the information into
some type of national "tipline" cybercrime database, but I'm not too
sure what it's used for.

Also, keep in mind that in a case like this, you can't expect to call
the FBI and have them tell you "OK, go ahead and do XYZ and let me know
what you find out."  If law enforcement tells you how to react or what
information to provide, then you end up becoming an agent of law
enforcement (no longer just a system administrator), and you work under
a completely different set of rules for gathering and providing
evidence.  Which means that even if you're providing evidence for an
active case, it seems like a black hole to you, and you don't get
anything back out.

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Halsall, Mike
> Sent: Wednesday, October 12, 2005 3:49 PM
> To: General DShield Discussion List
> Subject: [Dshield] IRC BOT opportunity
> Question of the day:
> Recently I've been playing with an IRC BOT virus (a Randex 
> variant) that has come onto my college's campus.  These 
> viruses have become increasingly sophisticated in their 
> capabilities and have the ability to, of course, receive a 
> download command from their Op and go grab a file and run it 
> silently - hence introducing (yet) another ingress path for 
> more malware/viruses.
> Being curious, and taking the appropriate precautions 
> (anonymous proxies through Tor), I hopped onto the IRC server 
> these Bots were joining and made myself look like one of 
> them.  This server, in Hungary, controls ~17000 Bots.
> Over the past few days I've struck up conversations with the 
> Ops (3 of them), finally talking to their leader.  None of 
> them are all too technical, they don't code and are just into 
> this to make money (through spam (maybe some extortion?)).  
> In my conversation last night, I let the leader know that I 
> am a capable programmer (c/c++ skills) and know networks.  He 
> asked me to write them a new client, saying that he was sick 
> of this IRC based net and having to move every so often due 
> to being shut down (which does no good, because he still 
> retains his Bots). He says he has a friend with a really 
> large Botnet that uses a distributed P2P model.
> I see an opportunity here.  Not a big one.  Not changing the 
> world.  But a fun project, nonetheless.  Write a new client 
> for them that isn't IRC based.  Get them to push this new 
> client to their Bots.  Having written the code, I can then 
> break apart Botnet from the inside - not giving them a chance 
> to just hop to another host and even let the victims know 
> their machines are infected.  Also, it gives opportunity to 
> find out who these people are (they're in the States).
> I'd let certain organizations know what I would be doing (CERT, for
> instance) and pass them the source when it was ready to roll. 
>  However, before doing anything, I'd love to hear what you 
> think.  Let the ethical debate begin!
> Mike
> _________________________________________
> Using .Net? Need to know more about .Net Security? 
> http://isc.sans.org/banner_count.php?dest=dotnet
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: 

Communication systems of Federated Investors, Inc. and its affiliates are for Federated business use only and are the property of Federated.  Federated reserves the right to review all messages on its systems for any purpose at any time and without any prior notification.  Information on the systems may be reviewed by supervisors and senior management, provided by Federated to regulators or law enforcement agencies, or used for other purposes consistent with Federated's business interests.

The contents of this message may be confidential and legally privileged.  If you have received this message in error, please notify us immediately by e-mail at notify at federatedinv.com and then delete this message from your system.  Please do not copy it or use it for any purposes, or disclose its contents to any other person.  To do so could violate state and Federal privacy laws.  Thank you for your cooperation.

More information about the list mailing list