Jim Melnick (M.A., Harvard University; M.A., U.S. Naval War College; and Colonel, U.S. Army Reserves, Military Intelligence, retired) is the director of global threat intelligence at iSIGHT Partners, Inc., based in Dallas. He formerly served with iDefense/VeriSign, where he founded and managed the Weekly Threat Report, cited by Business Week in 2005 as providing “some of the most incisive analysis in the business, particularly about Russian hackers.” Mr. Melnick is a recognized expert in threat intelligence and cyber-crime issues as these relate to computer security, and has been cited in such publications as the New York Times. He has also done groundbreaking research on numerous Chinese hacker groups. He has a master’s degree in Russian area studies from Harvard University and a master’s in national security and strategic studies from the U.S. Naval War College.
He served for 16 years as a civilian analyst in the U.S. Intelligence Community, first at Fort Bragg, North Carolina, and later with the Defense Intelligence Agency at the Pentagon in the Soviet political/military analysis division. During the Cold War, he briefed senior Defense Department leaders during many key events, including the fall of the Berlin Wall and the 1991 coup against former Soviet Communist leader Mikhail Gorbachev. He also once presented a special briefing at the White House Situation Room during the Reagan presidency. Prior to leaving government service in 2000, he received a Presidential Commission medal for his work on the Y2K problem on behalf of the National Intelligence Council.
His articles have appeared in Investor’s Business Daily, the Naval War College Review, the Journal of Slavic Military Studies, and elsewhere. He retired as a colonel in the U.S. Army Reserves in 2006, where his last assignment was as the officer-in-charge of a joint Army Reserves unit supporting the Office of the Assistant Secretary of Defense for Networks and Information Integration at the Pentagon.
Ken Dunham (Certified Information Systems Security Professional [CISSP], Global Information Assurance Certification [GIAC], Security Essentials Certification [GSEC], GIAC Reverse Engineering Malware [GREM] certification, GIAC Certified Forensics Analyst [GCFA], and GIAC Certified Incident Handler [GCIH] Gold Honors) has more than a decade of experience on the front lines of information security. As director of global response for iSIGHT Partners, Inc., he oversees all global cyber-threat response operations. He frequently briefs upper levels of federal and private-sector cyber-security authorities on emerging threats, and regularly interfaces with vulnerability and geopolitical experts to assemble comprehensive malicious code intelligence and to inform the media of significant cyber-threats. A major media company identified Mr. Dunham as the top-quoted global malicious code expert in 2006.
Mr. Dunham regularly discovers new malicious code, has written anti-virus software for Macintosh, and has written about malicious code for About.com, SecurityPortal, AtomicTangerine, Ubizen, iDefense, and VeriSign. He is one of the pioneers of Internet community anti-virus support, with websites rated as the best global resource by Yahoo Internet Life, PC Week, AOL, and many others.
Mr. Dunham is a member of the High Technology Crime Investigation Association (HTCIA), the Government Emergency Telecommunications and Wireless Priority Service, the Anti-Virus Information Exchange Network (AVIEN), Virus Bulletin, InfraGard, an information security think tank, CME (Common Malware Enumerator), and many other private information-sharing channels. Mr. Dunham also participated in the Central Intelligence Agency Silent Horizon (blue team) and U.S. Department of Homeland Security CyberStorm (observer) exercises.
Mr. Dunham is a certified reverse engineer and regularly analyzes emergent exploits and malicious code threats and actors targeting client networks. He also works as a Wildlist Reporter each month with the Wildlist organization. He is the author of several books and is a regular columnist for an information security magazine. Mr. Dunham is also the founder of the Boise, Idaho, Information Systems Security Association (ISSA) and Idaho InfraGard chapters.
Contents
Preface
Acknowledgments and Permissions
About the Authors
2 Thr34t Security Krew and the TK Worm
2.1 The Investigation of the Thr34t Krew
Lance Mueller
2.1.1 First DYNDNS Account (BestIce)
2.1.2 Second DYNDNS Account (Phreeze)
2.1.3 Third DYNDNS Account (D00M)
2.1.4 Seth Fogie
2.1.5 Help with Additional Technical Details
2.1.6 A Trip Across the Pond
2.1.7 Sitexec
2.1.8 DiSice
2.1.9 XaNiTH
2.1.10 Sitexec
2.1.11 Second Search Warrant Sweep
2.1.12 Jadaka
2.1.13 Mr40
2.1.14 Thr34t Krew Investigation: Concluding Comments
3 Demonstration: How a Hacker Launches a Botnet Attack
3.1 Step 1: Find, Modify, and Build a Bot
3.2 Step 2: Customize the Binary for Attack
3.3 Step 3: Launch the Attack
3.4 Step 4: Managing the Botherd
3.5 Step 5: Payloads, with an Emphasis on “Pay”
4 Introduction to the Use of Botnets in Criminal Activity
4.1 Timeline
4.2 Bots: A Pathway to Criminalization of the Information Age
4.3 Bots: The Integrated Business Solution for Criminals
4.4 “Botmasters” Who Were Caught
4.4.1 International Botnet Task Force Conferences
4.4.2 Operation “Bot Roast” I and II
4.5 How Big Do Botnets Need to Be to Pose a Serious Threat?
4.6 Peering Inside the IRC Botnet
4.7 Post-IRC-Based Bots
4.7.1 Botnet Attack Statistics
4.8 Botnet Features and the Criminal Enterprise
4.8.1 A Modular Approach to Botnets: A Major Aid to Criminals
4.8.2 Granular Spreading Capabilities
4.8.3 A “Service Bot”
4.8.4 The Degradation Feature of Botnets and Its Impact on Criminal Activity
4.9 Botherds Through the Eyes of a Criminal Mind
4.10 Criminal Vectors Utilizing Bots
4.10.1 Theft of Sensitive Information
4.10.2 DDoS Attacks and Extortion
4.10.3 Bot for Rent or Hire
4.10.4 Spam
4.11 Spam Bots and Criminalization
4.11.1 Pump-and-Dump Fraud
4.11.2 Covert Communications
4.11.3 Click Fraud and Affiliate Abuse
4.11.4 Adware Abuse
4.11.5 Taking Out the Competition
5 Botnets and the eCrime Cycle: The iSIGHT Partners’ Approach
6 Technical Introduction to Bots
6.1 Common Ports
6.2 Command and Control Strategies
6.2.1 IRC C&C
6.2.2 Peer-to-Peer C&C
6.2.3 Web-Based C&C
6.2.4 Use of Encryption or Obfuscation
6.2.5 Types of Distributed Denial of Service (DDoS) Attacks
6.2.6 Introduction to Selected Bots
6.2.6.1 AgoBot
6.2.6.2 SDBot
6.2.6.3 PhatBot
6.2.6.4 The Infamous Hang-UP Team and IRC-Based Fraud Operations
6.2.6.5 Reptile
6.2.6.6 ZoTob
6.2.6.7 PBot
6.2.6.8 Tsunami
6.2.6.9 Kelvir
6.2.6.10 MetaFisher
6.2.6.11 Storm
7 Mitigation
8 Concluding Thoughts
USA Today: Botnets Used for Blackmail in Cyber Extortions
The Kraken Botnet
A Botnet That Targets .edu and .mil Servers
“Poisoning” the Storm Botnet
The Battle Is Joined!
The “Cyber Parasites” of the Internet
On the Edge of a Precipice
Glossary
Bibliography
Index