Figure 2.9 Files Hidden in the RECYCLER bin Folder
Included in the hidden directories were directories called _toolz, _pub and another called sp33d. The botherder also stored stolen intellectual property in the Windows uninstall directories for Windows patches (see Figure 2.10), such as the following example:

c:\WINDOWS\$NtUninstallKB867282$\spuninst\_tmp\__\«««SA©©ØN»»»\_Pub

We were able to track these using our workstation management tool, Altiris from Altiris, Inc., by querying managed workstations to see if these directories were on them.
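The same check can be scripted for environments without a management suite like Altiris. The script below is an added example, not code from the book or from Altiris; it walks a directory tree and flags the two hiding spots the chapter describes: non-SID subdirectories under a RECYCLER bin, and any subdirectory under the spuninst folder of a $NtUninstall...$ patch directory (or an oddly named directory anywhere beneath one). The assumptions are that legitimate RECYCLER subfolders are named by user SID, that a legitimate spuninst folder holds only files, and that leading underscores, the names seen on this page, and non-ASCII characters are worth flagging. The sample tree is constructed in a temporary directory so the script runs offline on any platform.

```python
"""Scan a Windows-style directory tree for the hidden staging folders the
chapter describes: odd subdirectories under RECYCLER bins and under
$NtUninstallKB...$ patch-uninstall folders.

Added example, not the book's or Altiris' own code.  The sample tree is
constructed below; the detection rules are assumptions drawn from the
chapter's description, not an authoritative list.
"""
import os
import re
import tempfile

# Names the chapter reports the botherder using (lower-cased for matching).
KNOWN_STAGING_NAMES = {"_toolz", "_pub", "sp33d", "_tmp"}

# Assumption: a legitimate per-user folder inside RECYCLER is a Windows SID,
# e.g. S-1-5-21-...-1001.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$", re.IGNORECASE)

# Patch uninstall folders look like $NtUninstallKB867282$ (name from the page).
UNINSTALL_RE = re.compile(r"^\$NtUninstall.*\$$", re.IGNORECASE)


def is_suspicious_name(name: str) -> bool:
    """Heuristic: known staging names, a leading underscore, or non-ASCII
    characters (the example path on the page used « » © Ø)."""
    if name.lower() in KNOWN_STAGING_NAMES:
        return True
    if name.startswith("_"):
        return True
    return any(ord(ch) > 127 for ch in name)


def find_staging_dirs(root: str) -> list[str]:
    """Return sorted, '/'-separated relative paths of directories that look
    like hidden staging areas.  Two rules (assumptions based on the chapter):
      1. Any subdirectory of RECYCLER whose name is not a SID.
      2. Beneath a $NtUninstall...$ folder: any subdirectory of spuninst,
         or any suspicious-looking name at any depth.
    """
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = rel_dir.split(os.sep)
        parent = parts[-1]
        under_uninstall = any(UNINSTALL_RE.match(p) for p in parts)
        for d in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/")
            if parent.lower() == "recycler" and not SID_RE.match(d):
                hits.append(rel)
            elif under_uninstall and (parent.lower() == "spuninst" or is_suspicious_name(d)):
                hits.append(rel)
    return sorted(hits)


def build_sample_tree(base: str) -> None:
    """Create a constructed tree mimicking the layout the chapter describes:
    two legitimate folders and the staging paths from the page."""
    legit = [
        os.path.join("WINDOWS", "$NtUninstallKB999999$", "spuninst"),  # constructed KB number
        os.path.join("RECYCLER", "S-1-5-21-1-2-3-1001"),               # constructed SID
    ]
    staged = [
        os.path.join("WINDOWS", "$NtUninstallKB867282$", "spuninst",
                     "_tmp", "__", "«««SA©©ØN»»»", "_Pub"),
        os.path.join("RECYCLER", "_toolz"),
        os.path.join("RECYCLER", "sp33d"),
    ]
    for rel in legit + staged:
        os.makedirs(os.path.join(base, rel), exist_ok=True)


def demo() -> list[str]:
    """Build the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_staging_dirs(base)


if __name__ == "__main__":
    for path in demo():
        print("staging dir:", path)
```

Pointed at a real system root the scan reports every directory along the hidden path, so an analyst sees the whole chain from spuninst down to _Pub rather than a single leaf; the legitimate KB folder and SID folder in the sample produce no findings.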
56 Chapter 2 • Botnets Overview
Figure 2.10 Hidden Directories for Stolen Intellectual Property
Some of the files were managed using the distributed ftp daemon (Drftpd). The botnet clients run a slave application and take direction from a master ftp server. Others had only a simple ftp server such as a hacked copy of ServU Secure from RhinoSoft.com. ServU is able to set up and use virtual directories, including directories for media on different computers. In addition it includes SSL for secure authentication and encryption of transmitted files, a big plus if you are stealing someone else’s intellectual property.
Figure 2.11 illustrates the use of botnets for selling stolen intellectual property, in this case movies, TV shows, or video. The diagram is based on information from the Pyramid of Internet Piracy created by the Motion Picture Arts Association (MPAA) and an actual case. To start the process, a supplier rips a movie or software from an existing DVD or uses a camcorder to record a first-run movie in the theaters. These are either burnt to DVDs to be sold on the black market or they are sold or provided to a Release Group. The Release Group is likely to be an organized crime group, excuse me, business associates who wish to invest in the entertainment industry. I am speculating that the Release Group engages (hires) a botnet operator that can meet their delivery and performance specifications. The botherder then commands the botnet clients to retrieve the media from the supplier and store it in a participating botnet client. These botnet clients may be qualified according to the system processor speed and the nature of the Internet connection. The huge Internet pipe, fast connection, and lax security at most universities make them a prime target for this form of botnet application. MPAA calls these clusters of high-speed locations “Topsites.”