RSA 2007: Botnet Live


The dust has settled from RSA 2007, and it was standing room only as Wayne Porter and I explored the methods of shutting down Botnets by dealing with details outside of the Botnet itself - in other words, tackling the human angle as opposed to server details to have a bigger impact on the bad guys.

Crowd at Botnet Live with Wayne Porter and Chris Boyd at RSA

I believe the total audience was around four hundred people - thanks to all that came along, and also many thanks to the FaceTime research team who do an awful lot of work behind the scenes.

We provided a brief overview of the current Botnet hunting landscape, some top tips for getting stuff shut down when it's located in some far flung corner overseas and (most importantly), two case studies that illustrate the ways in which we use social media and storytelling to further the reach of our security tales, and spread the word on anything bad that happens to be going down at the time.

Wayne Porter handles this heavy quote, where you probably can't get a tee-shirt.

Featured heavily were the Carder Botnet, and the Q8 Army Botnet.

In both cases, the Botnet itself was only the skeleton upon which we built an intricate weave of research and storytelling. We used all the borderline elements around the outskirts of each Botnet to build up an (almost) complete picture of the people behind it, and get something done about it. We also explored the idea that without even knowing it, one investigation can cause quite the fallout in completely unrelated areas and take down whole groups of people quite unintentionally.

There was a whole bunch of material here that wasn't published first time round - there were numerous reasons for this, but going into them would probably mean some guy would try and kill me with cheesewire, and it'd all go a bit Jason Bourne on you.

Of particular note was the custom built Q8 Army mIRC Tool. It had all sorts of crazy options built into it, and by and large they all did vaguely nasty things. We were also able to (finally) show many of the Q8 Army sites that we came across during the course of the original investigation. Many of these sites popped up on (or around) September 11th, 2001 - and yes, you can probably guess the kind of things they contained.

Dangerous botnet tools

In addition, we tracked these guys back to 2001 (or thereabouts), where they were apparently stealing credit card information to purchase things like satellite equipment, radio / telecommunications gear and second hand PCs. What they intended to do with all that stuff, we can only speculate - but the implications are pretty disturbing, aren't they?

Once again, thanks to everyone who turned up, those who threw in some questions at the end and anyone who came up and said hello.

Wayne Porter and Chris Boyd aka Paperghost

We had a blast and hopefully we'll be let loose on you all over again.

For further coverage, check out EWeek - Botnet Stalkers Share takedown Tactics, Affiliate Fair Play, RealTechNews and MCWResearch. From Finland and more to come.


About this Entry

This page contains a single entry by Christopher Boyd published on February 10, 2007 11:17 PM.
