
I asked if proxies really provide anonymity, and would like to know how hackers do it when they try to attack government websites and such.

They hack PCs, making them zombies, and then control them, using their victims' IP addresses, for example? Do they connect to them using a VPN, or what?

(I'm just curious)

3 Answers


Hacker -> Compromised machine -> Compromised Machine -> Compromised Machine -> Govt. Machine

By bouncing connections, creating private proxies and commanding remote machines via IRC the controllers of, for example, large botnets are able to maintain anonymity whilst their compromised underlings (very publicly) perform the attacks, portscans, DDoS, spamming, sniffing, keylogging, identity theft or propagation of the botnet's own software etc.

Some interesting links include:

Andy

You start with bots and rely on the ignorance of users. Then it spreads like a web on its own.

At some point it's more work to trace it back than it is worth. If you slip it under the radar and time when the bots are discovered, it's harder to know when and where it originated.

Today they work in groups, so there's more dissemination from different near-simultaneous points.

Can they be traced? Yes, and there are groups that do this. Another issue is that if they're in other countries, what they're doing may not be illegal, or there are no laws allowing us to extradite them even if someone was willing to go through the paperwork.

Generally they're working through IRC channels and spreading out their communications redundantly. There are papers from security researchers that outline how they operate if you google them for botnet control channels and google security researchers. They routinely infiltrate and watch botnet control channels to get an idea of how many systems are infected and what they're capable of... sophisticated networks even have methods in place for upgrading zombie systems remotely.

And technically they're not hackers. Hackers get quite irritated when you call criminals hackers. I think the preferred term is crackers, as in system crackers. Or black hats. Breaking systems now is quite lucrative and is backed by actual money and corrupt officials in some countries. It's no longer "hackers" who are showing contempt for ignorant users or showing how clever they are by racing animated ambulances across the bottom of the screen. They're out to steal money and passwords from people and use social engineering to rob others. If the bot is discovered, it's quite by accident or inadvertent.

Bart Silverstrim
  • +1, "At some point it's more work to trace it back than it is worth" - Correct, it's never truly anonymous; it's just so hard to figure out who it was that it's no longer worth it. – Chris S May 14 '10 at 13:13
  • @Chris S: I wouldn't necessarily agree. The logging capability of most compromised home-user PCs and firewalls is such that, unless the ISP is keeping some kind of log data, it's very likely that the attacker's "tracks" will be gone in a short period of time. I, for one, am happy that ISPs generally don't maintain packet-level logging of traffic. Three-letter government agencies may have some capability to do so, but for "mere mortal" organizations the "fidelity" of logs will, if only by economy, be somewhat low. – Evan Anderson May 14 '10 at 13:39
  • @Evan: I think that with enough correlating data, you can trace it. But it's not something most people do as a hobby. New bots spread rather quickly, so if you're watching for new infections you can trace it, whether through connections of web servers or mail servers...but it is a pain in the butt. Simply not worth tracing. You'd have to start higher up, like where the home users are *getting* the infection, not logs on the home system (browse-by infections, emailed...those logs are kept normally long enough to trace, and if your ISP didn't, the next in the web chain probably did.) – Bart Silverstrim May 14 '10 at 13:58
  • @Evan: Technically possible and feasible are very different things. – Chris S May 14 '10 at 18:48
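The tracing problem the comments above argue about, as an added example that is not code from any answer on this page: walk a multi-hop connection back through the logs each hop kept, and see where the trail goes cold as soon as one hop kept none. All hosts, timestamps and the log line format are constructed.

```python
"""Walk a multi-hop connection back through the logs each hop kept.

Added example (not from the page). All hosts, times and the log format are constructed.
Log line: '<host> accepted <src> <start> <end>' means host <host> accepted an inbound
connection from <src> that was open from <start> to <end> (ISO 8601).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Conn:
    host: str        # host that kept this log entry
    src: str         # where the inbound connection came from
    start: datetime
    end: datetime


# Constructed chain: 203.0.113.7 -> 198.51.100.10 -> 192.0.2.20 -> 10.0.0.5 (the target)
SAMPLE_LOG = [
    "10.0.0.5 accepted 192.0.2.20 2010-05-14T13:00:10 2010-05-14T13:05:00",
    "192.0.2.20 accepted 198.51.100.10 2010-05-14T13:00:02 2010-05-14T13:06:00",
    "192.0.2.20 accepted 192.0.2.99 2010-05-14T12:30:00 2010-05-14T12:31:00",  # closed before 13:00
    "198.51.100.10 accepted 203.0.113.7 2010-05-14T12:59:50 2010-05-14T13:07:00",
]


def parse_log(lines: List[str]) -> List[Conn]:
    conns = []
    for line in lines:
        host, _, src, start, end = line.split()
        conns.append(Conn(host, src, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return conns


def trace_back(conns: List[Conn], target: str, seen_src: str, seen_at: str,
               logging_hosts: Set[str], max_hops: int = 10) -> Tuple[List[str], str]:
    """Start from the session the target saw (from seen_src, opened at seen_at, ISO 8601).

    At each hop, look for an inbound session into that hop that was still open at the
    moment the hop opened its onward connection; its source is the next hop back.
    logging_hosts are the hosts known to have kept complete connection logs.
    Returns (chain from the target outwards, reason the trace stopped).
    """
    by_host: Dict[str, List[Conn]] = {}
    for c in conns:
        by_host.setdefault(c.host, []).append(c)

    chain = [target, seen_src]
    cur, at = seen_src, datetime.fromisoformat(seen_at)
    for _ in range(max_hops):
        if cur not in logging_hosts:
            return chain, "no_logs"      # this hop kept nothing: the trail goes cold here
        open_sessions = [c for c in by_host.get(cur, []) if c.start <= at <= c.end]
        if not open_sessions:
            return chain, "origin"       # nobody was driving this host; it started the chain
        if len(open_sessions) > 1:
            return chain, "ambiguous"    # several candidates; needs more correlating data
        prev = open_sessions[0]
        chain.append(prev.src)
        cur, at = prev.src, prev.start
    return chain, "max_hops"


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    keep_logs = {"10.0.0.5", "192.0.2.20", "198.51.100.10"}
    print(trace_back(conns, "10.0.0.5", "192.0.2.20", "2010-05-14T13:00:10", keep_logs))
    # With the middle hop's logs already rotated away, the trace stops one hop earlier:
    print(trace_back(conns, "10.0.0.5", "192.0.2.20", "2010-05-14T13:00:10",
                     keep_logs - {"198.51.100.10"}))
```

Note that the trace cannot tell a hop that kept no logs apart from the real origin unless that host's logs are known to be complete, which is exactly why a chain through machines in jurisdictions that will not hand over logs is so hard to finish.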

In general, an attacker who wants to remain anonymous is going to use whatever mechanisms are available to obscure their identity. The technique you described, launching attacks from compromised computers, is a pretty common technique (see The Cuckoo's Egg for a late-1980s account of the use of such a technique by an attacker, for example). As an attacker, the goal is to make it administratively difficult enough for third parties to trace you back through the "hops" that your commands are moving through. Stack up enough hops through compromised machines (especially when they're in "backwater" countries with out-of-date laws about computer crime) and you make it difficult to discover where the attacker actually is.

As far as actually controlling the compromised computers, the attacker may use some already-installed program that listens for incoming requests. With OSes like Windows, though, that don't typically have TELNET or SSH daemons, it's more likely that the attacker is going to leave some malicious software behind.

I'm not aware of off-the-shelf VPN tools being used in controlling compromised computers, but it's certainly possible.

IRC was used, for a long time, as a "command and control" network for compromised computers. The compromised computers would logon to an IRC server, join a specific channel, and wait for commands.

Command and control networks in modern "bots" are getting fairly complex, and use public key encryption to authenticate commands. Further, there have been some "bots" with capabilities to detect tampering in the command and control network and, ultimately, launch DDoS attacks against someone who tries to forge command and control packets. (Pretty sneaky, that...)

Evan Anderson
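The IRC check-in pattern Evan describes (compromised machines log on to a server, join one channel and wait) seen from the defender's side, as an added example that is not code from any answer on this page: given IDS-style records of IRC commands, count how many distinct internal hosts joined the same channel on the same server, and flag IRC seen on a port other than the usual ones. The log format, addresses, ports and channel names are all constructed.

```python
"""Flag likely bot check-ins in IRC traffic: many internal hosts joining one channel on one server.

Added example (not from the page). Log format, addresses and channel names are constructed.
Line: '<ISO time> <src> <dst>:<port> IRC <command> [args]', as an IDS or proxy might record it.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^\s:]+):(?P<port>\d+) IRC (?P<cmd>[A-Z]+)(?: (?P<args>.*))?$"
)

# Constructed: three hosts plus one on an odd port check in to #ctl; two hosts chat in #linux.
SAMPLE_LOG = [
    "2010-05-14T13:00:01 10.0.0.21 203.0.113.50:6667 IRC NICK abc123",
    "2010-05-14T13:00:02 10.0.0.21 203.0.113.50:6667 IRC JOIN #ctl",
    "2010-05-14T13:00:05 10.0.0.34 203.0.113.50:6667 IRC JOIN #ctl",
    "2010-05-14T13:00:09 10.0.0.58 203.0.113.50:6667 IRC JOIN #ctl",
    "2010-05-14T13:00:11 10.0.0.58 203.0.113.50:6667 IRC PRIVMSG #ctl :ready",
    "2010-05-14T13:02:40 10.0.0.77 198.51.100.8:6667 IRC JOIN #linux",   # ordinary chat
    "2010-05-14T13:03:12 10.0.0.12 198.51.100.8:6667 IRC JOIN #linux",
    "2010-05-14T13:05:00 10.0.0.91 203.0.113.50:8080 IRC JOIN #ctl",     # IRC on a non-IRC port
]


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only lines in the expected format; the IDS decided what is IRC, not the port."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def channel_members(lines: List[str]) -> Dict[Tuple[str, str], Set[str]]:
    """(server, channel) -> set of internal hosts that sent a JOIN for it."""
    members: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in parse(lines):
        if e["cmd"] == "JOIN" and e["args"]:
            members[(e["dst"], e["args"].split()[0])].add(e["src"])
    return members


def suspicious_channels(lines: List[str], min_hosts: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Channels joined by an unusual number of distinct internal hosts: a likely check-in point."""
    return {k: sorted(v) for k, v in channel_members(lines).items() if len(v) >= min_hosts}


def suspect_hosts(lines: List[str], min_hosts: int = 3) -> List[str]:
    """Internal hosts worth a closer look: members of any suspicious channel."""
    hosts: Set[str] = set()
    for members in suspicious_channels(lines, min_hosts).values():
        hosts.update(members)
    return sorted(hosts)


def irc_on_unexpected_ports(lines: List[str], expected: Tuple[str, ...] = ("6667", "6697")) -> List[str]:
    """IRC on a port other than the usual ones, which port-based firewall rules would miss."""
    return [f'{e["src"]} -> {e["dst"]}:{e["port"]}' for e in parse(lines) if e["port"] not in expected]


if __name__ == "__main__":
    for (server, channel), hosts in suspicious_channels(SAMPLE_LOG).items():
        print(f"{len(hosts)} internal hosts joined {channel} on {server}: {', '.join(hosts)}")
    print("IRC on unexpected ports:", irc_on_unexpected_ports(SAMPLE_LOG))
```

The threshold of three distinct hosts is a constructed starting point; on a real network the interesting signal is a channel whose membership is your own machines and not people, so tune min_hosts against the number of legitimate IRC users you actually have.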