The Botnet Hunters

By Joan Goodchild, CSO | Security

A self-proclaimed geek from the age of 14, Andre DiMino had always been interested in computers and networking. But it wasn't until he entered his professional life many years later that he became interested in the security side of that world.

"I was a system administrator for a fairly large network that experienced a significant hacking incident one weekend," said DiMino. "I became consumed with learning about the methods of attack, who might be involved, and where it came from. Right then, I became passionate about all aspects of security, as well as the various groups that carried out the attacks."

And today, in his forties, it is DiMino's interest in the dark side of security that consumes much of his free time. By day, DiMino is a professional digital forensic analyst. By night, he serves as director of an organization known as Shadowserver Foundation, a group of volunteers dedicated to sleuthing out cybercriminals and shutting them down.

DiMino, and another cofounder who is no longer part of the organization, launched Shadowserver in 2004 with the initial mission of tracking malicious activity online and finding some way to make it stop.

"We just kind of started chasing malware, chasing bots," said DiMino. "Mainly we were interested in understanding what malware did, where it went, how it was developed."

A good deal of their time was spent tracking malicious botnets: networks of compromised computers running software that is installed through viruses or worms, without the owners' knowledge; these systems are then controlled remotely by a "bot master." They are used for various online crimes, including sending out spam, phishing, committing click fraud and launching distributed denial-of-service (DDoS) attacks. Windows PCs are the typical target, although a Mac botnet was reported earlier this year.

Also see the interactive graphic What a Botnet Looks Like

Just five years ago, hunting botnets, said DiMino, was a much different game. The botnets were fairly straightforward, he said, and the primary method of communication was IRC (Internet Relay Chat). DiMino and other volunteers were able to act like criminals by joining a botnet, watching its traffic to get an understanding of how it was architected and learn more about its particular function. They found their efforts were worthwhile as they began contacting network hosts, alerting them that they were supporting the botnets and seeing them shut down.

"Things really started to snowball," said DiMino. "We decided it should be a service to the community to improve the safety of the internet. And we started to build a cross-section of security experts to help out."

Shadowserver now has ten of what DiMino called "carefully vetted" volunteers in several locations around the world. These cybercrime busters need to be of the utmost trustworthiness, he said, because the data which Shadowserver volunteers deal with is highly sensitive. And that is exactly what the bad guys want.

Tools of the trade

DiMino detailed the four-step process that Shadowserver employs to stop botnets. The group first detects malware by setting up honeypots (Internet-attached systems that are easy for hackers to find and infect), and they use many different types of technology to analyze incoming and outgoing traffic.

"In botnet/malware network analysis, we like to do both dynamic and static analysis," said DiMino. "Dynamically, we want to study full content network traffic to help determine exactly what is happening on the wire. So open-source tools such as Wireshark, Chaosreader, Argus, etc., are helpful. We also do testing as to how intrusion detection systems may detect malicious network activity, so we use Snort as well. Then there are the various open source honeypots that we use as part of our malware collection. Any organization interested in malware detection/collection should run some sort of server-side honeypot at different points on their network. It can give a very good indication of what they're facing as far as potentially malicious traffic directed at them."

These honeypot sensors capture spam and malware, which is then analyzed. Volunteers want to know about its network touch points: where does the malware go? Who does it attempt to contact? These are the first steps to finding a botnet. (See How Gozi's First Second Unfolds for a detailed look at one Trojan's behavior.) Unfortunately, it is not very simple and requires a delicate balance that allows them to obtain information without contributing to the problem.
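As an added example (not Shadowserver's own tooling), the script below shows the kind of first-pass "network touch point" summary the paragraph describes: it reads a constructed, simplified flow log of the sort Argus or Wireshark would export for one sandboxed sample, groups the sample's outbound contacts by destination, and tags the ones that look like IRC command-and-control. The field layout, the sandbox address and all hosts in the log are assumptions made up for the example.

```python
"""Summarise a malware sample's network touch points from sandbox flow logs.

Added example, not Shadowserver's tooling. FLOW_LOG is a constructed,
simplified flow export for one honeypot-captured sample run in a sandbox;
the column layout (ts src dst dst_port proto "payload") is assumed.
"""
from collections import defaultdict
import re

SANDBOX_HOST = "10.0.0.5"  # assumed address of the infected analysis VM

# Constructed sample: timestamp, src, dst, dst_port, proto, payload snippet
FLOW_LOG = """\
12:00:01 10.0.0.5 10.0.0.1 53 udp "A? irc.example-cnc.test"
12:00:02 10.0.0.5 203.0.113.10 6667 tcp "NICK [00|USA|123456]"
12:00:02 10.0.0.5 203.0.113.10 6667 tcp "USER xyz 0 0 :xyz"
12:00:03 10.0.0.5 203.0.113.10 6667 tcp "JOIN #channel secretkey"
12:00:09 10.0.0.5 198.51.100.7 80 tcp "GET /update.exe HTTP/1.1"
12:00:15 10.0.0.5 198.51.100.7 80 tcp "GET /update.exe HTTP/1.1"
12:00:20 203.0.113.10 10.0.0.5 49152 tcp ":cnc PRIVMSG #channel :.scan"
"""

IRC_COMMANDS = re.compile(r'^(NICK|USER|JOIN|PRIVMSG|PASS)\b')
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\S+) "(.*)"$')

def parse_flows(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, src, dst, port, proto, payload = m.groups()
            yield {"ts": ts, "src": src, "dst": dst, "port": int(port),
                   "proto": proto, "payload": payload}

def touch_points(text, sandbox=SANDBOX_HOST):
    """Group the sample's outbound contacts by (dst, port, proto) and flag IRC-style C&C."""
    out = defaultdict(lambda: {"count": 0, "irc": False})
    for f in parse_flows(text):
        if f["src"] != sandbox:
            continue  # only outbound flows answer "where does the malware go?"
        key = (f["dst"], f["port"], f["proto"])
        out[key]["count"] += 1
        if f["port"] == 6667 or IRC_COMMANDS.match(f["payload"]):
            out[key]["irc"] = True
    return dict(out)

if __name__ == "__main__":
    for (dst, port, proto), info in sorted(touch_points(FLOW_LOG).items()):
        tag = " <- IRC-style C&C" if info["irc"] else ""
        print(f"{dst}:{port}/{proto} x{info['count']}{tag}")
```

The DNS lookup and the HTTP download show up as ordinary touch points; only the port 6667 session carrying NICK/USER/JOIN is tagged, which is the lead an analyst would take to the hosting provider.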
