
Whilst testing a server I discovered a botnet. I have the executable downloaded to the server and decompiled the file to get the strings from it.

My question is what would the next logical step be and how best to further decompile the evil httpd file? Also, what would be the right thing to do (i.e. take over the botnet and shut it down, or report it to someone?)

ack__
Sam Aldis
  • Link to my breakdown is http://darknetuk.blogspot.co.uk/2014/04/a-botnet-and-bleeding-heart.html as the question doesn't make sense without it. I am not trying to push my blog as I will probably never post to it again. It just shows the code and what stage I am at in researching this botnet. – Sam Aldis Apr 14 '14 at 16:30
  • Please don't downvote, answers are good and this will be a good example for future posts like this. – ack__ Apr 14 '14 at 21:01
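The asker has only pulled strings out of the dumped binary. As an added example (not code from the question, the linked write-up, or either answer), the script below shows the static triage a practitioner would do next before anything else: record a SHA-256 of the file for the report, confirm it is an ELF executable from its magic number, extract printable runs the way `strings` does, and pull network and filesystem indicators (IPv4 addresses, URLs, hidden dotfile paths) out of them. Nothing here executes the sample. The byte blob `SAMPLE` is constructed for this example (documentation-range address 203.0.113.5) and stands in for the real `.httpd` file; `triage_file` is the same logic applied to a path on disk.

```python
import hashlib
import re

# Constructed stand-in for the dumped binary: an ELF magic number, a few
# printable strings of the kind the question describes, and filler bytes.
# It is not the real file and exists only so the example runs offline.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x02\x00\x3e\x00"
    + b"/.httpd\x00\x8a\x01"
    + b"http://203.0.113.5/bot.php\x00"
    + b"GET / HTTP/1.1\r\n\x00"
    + b"/usr/bin/wget\x00"
    + b"\xde\xad\xbe\xef" * 3
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")
# An absolute path whose final component starts with a dot, e.g. /.httpd or
# /etc/.x; the lookbehind stops it firing on "HTTP/1.1" or the host part of a URL.
HIDDEN_PATH = re.compile(r"(?<![\w.])/(?:[\w.-]+/)*\.[\w.-]+")


def extract_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, what `strings` prints by default."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pat.findall(data)]


def extract_iocs(strings):
    """Pull network and filesystem indicators out of the string list."""
    ips, urls, hidden = set(), set(), set()
    for s in strings:
        for ip in IPV4.findall(s):
            if all(int(octet) <= 255 for octet in ip.split(".")):
                ips.add(ip)
        urls.update(URL.findall(s))
        hidden.update(HIDDEN_PATH.findall(s))
    return {"ipv4": sorted(ips), "urls": sorted(urls), "hidden_paths": sorted(hidden)}


def triage(data):
    """Static triage of a suspect binary held in memory; it is never executed."""
    strings = extract_strings(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # record this before touching anything else
        "size": len(data),
        "is_elf": data[:4] == b"\x7fELF",
        "string_count": len(strings),
        "iocs": extract_iocs(strings),
    }


def triage_file(path):
    """Same triage for a file on disk, read-only."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    report = triage(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The hash and the indicator list are exactly what a report to a CERT or law-enforcement contact needs; keep the original file and its timestamps untouched (copy it with `cp -p` or image the disk) so the evidence Philipp's answer mentions is not invalidated. Going further than strings means disassembly (objdump, radare2, Ghidra) on a copy, ideally on an isolated machine.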

2 Answers


When you attempt to take over control of a botnet, you are committing an act which is just as criminal as what the original owner of the botnet was doing. No matter how good your intentions are, you are taking control of other people's IT systems, which is illegal in most parts of the world.

Report the botnet to the authorities. If you don't believe that they have the necessary know-how to deal with it adequately, you could offer your services as an IT security specialist to assist them, but do not attempt to do anything not coordinated with law enforcement. As an IT professional you are likely not familiar with proper police procedure. When you just run wild, you will likely destroy or invalidate evidence which is necessary for finding and prosecuting the people behind the botnet. That will not just prevent them from receiving their lawful punishment; it could bring you into legal trouble as well for inadvertently helping them to escape conviction.

Philipp

If the httpd file was replaced, what ELSE was replaced? This looks like a 'nuke from orbit' scenario.

As for taking over a botnet, that isn't a good idea. Whatever that botnet does can be attributed to you because you became one of the controllers in its network. Report to the authorities in your area.

schroeder
  • It doesn't actually seem to replace the httpd file but rather creates a .httpd file in the root of the file system, which is then started on boot. Presumably this is so any "ps" command would show it as an innocent-looking httpd process, but with the . in front it wouldn't show up on a normal "ls". The only other file I can tell that got replaced is wget, which seems to contain the payload for SYN floods etc. When I say take over the botnet I mean shut it down. Most C&Cs have a kill switch. – Sam Aldis Apr 14 '14 at 16:20
  • 2
    As for shutting it down, my advice still applies. If you had the power to shut it down, what else could you have done? It's a little like having your fingerprints on a murder weapon, even if you were securing the weapon to prevent further harm. – schroeder Apr 14 '14 at 16:33
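schroeder's "what ELSE was replaced?" is the right question, and the comment above gives two concrete things to look for: an executable dotfile in the filesystem root and a boot script that starts it. As an added example (not code from the answer or the asker's write-up), the script below implements those two checks: list dotfiles directly under a root that carry an execute bit, and grep the scripts under an `etc` directory for a reference to the hidden binary. `build_demo_root` builds a constructed throwaway directory tree (a fake `/.httpd`, a harmless `.profile`, an `rc.local` that launches the binary) so the checks can be run offline; on a real host you would point them at `/` and `/etc` on a mounted image rather than the live system.

```python
import os
import stat
import tempfile


def hidden_executables(root):
    """Names of dotfiles directly under `root` that have any execute bit set.

    A bare `ls` omits dotfiles, which is why a bot dropped as /.httpd is easy
    to miss; os.scandir (like `ls -a` or `find`) sees them anyway.
    """
    found = []
    for entry in os.scandir(root):
        if not entry.name.startswith("."):
            continue
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            found.append(entry.name)
    return sorted(found)


def autostart_references(script_dir, target):
    """Files under `script_dir` whose contents mention `target` (e.g. rc.local starting /.httpd)."""
    hits = []
    needle = target.encode()
    for dirpath, _, files in os.walk(script_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if needle in fh.read():
                        hits.append(os.path.relpath(path, script_dir))
            except OSError:
                continue  # unreadable or special file; skip it, do not abort the scan
    return sorted(hits)


def build_demo_root():
    """Constructed layout mimicking the comment's description; for the example only."""
    root = tempfile.mkdtemp(prefix="botnet-triage-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    # the dropped bot: hidden name, executable, fake ELF header
    bot = os.path.join(root, ".httpd")
    with open(bot, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 12)
    os.chmod(bot, 0o755)
    # a legitimate dotfile with no execute bit, to show it is not flagged
    with open(os.path.join(root, ".profile"), "w") as fh:
        fh.write("export PATH=$PATH:/usr/local/bin\n")
    # the persistence hook and an unrelated config file
    with open(os.path.join(root, "etc", "rc.local"), "w") as fh:
        fh.write("#!/bin/sh\n/.httpd &\nexit 0\n")
    with open(os.path.join(root, "etc", "hostname"), "w") as fh:
        fh.write("web01\n")
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print("hidden executables:", hidden_executables(demo))
    print("autostart references:", autostart_references(os.path.join(demo, "etc"), "/.httpd"))
```

For the replaced `wget`, the package manager already knows the original checksums: `dpkg -V wget` on Debian-derived systems or `rpm -V wget` on RPM-based ones will report a modified binary. Treat any hit from either check as confirmation of schroeder's point that the box needs rebuilding, not cleaning.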