
Thursday, February 08, 2007

RSA 2007: Botnet Live

"The important thing to remember is, it's NOT Bin Laden sitting in a cave buying fifty scud missiles on EBay". Chris Boyd, Today, in a big room somewhere

...and oh God, it was standing room only as Wayne Porter and I explored the methods of shutting down Botnets without actually bothering with the Botnet that much.

I believe the total audience was around four hundred people (plus a bunch standing at the rear). They had to actually call people back as they first entered the hall due to a TECH STAMPEDE, which was pretty awesome. Thanks to all that came along, and many thanks to the wonderful lady who asked the question that allowed me to fire out the above Bin-Laden-does-Ebay quote. I don't think I could have coped without it.

See the vaguely Boyd / Porter shaped blur up on the podium? Yeah, that was us.

We tried to keep the purely tech stuff down to a minimum, because let's face it, we've all heard that stuff before and there's only so many ways you can say OMFG BOTNETS ARE TEH BAD.

Instead, we provided a brief overview of the current Botnet hunting landscape, some top tips for getting stuff shut down when it's located in some far flung corner overseas and (most importantly), two case studies that illustrate the ways in which we use social media, storytelling and (my personal favourite) PANIC INDUCING TERROR to kick some ass and take some names.

Featured heavily were the Carder Botnet, and the Q8 Army Botnet.

In both cases, the Botnet itself was only the skeleton upon which a scaffold of buttkicking action was erected. We used all the borderline elements around the outskirts of each Botnet to build up an (almost) complete picture of the people behind it, and get something done about it. We also explored the idea that without even knowing it, one investigation can cause quite the fallout in completely unrelated areas and take down whole groups of people quite unintentionally.

I mean, it's pretty awesome when that happens.

At any rate, there was a whole bunch of material here that wasn't published first time round - there were numerous reasons for this, but going into them would probably mean some guy would try and kill me with cheesewire, and it'd all go a bit Jason Bourne on you.

Of particular note was the thingy in the screenshot - and by thingy, I mean custom built Q8 Army mIRC Tool. It had all sorts of crazy options built into it, and by and large they all did vaguely nasty things.

We were also able to (finally) show many of the Q8 Army sites that we came across during the course of the original investigation.

Many of these sites popped up on (or around) September 11th, 2001 - and yes, you can probably guess the kind of things they contained.

In addition, we tracked these guys back to 2001 (or thereabouts), where they were apparently stealing credit card information to purchase things like satellite equipment, radio / telecommunications gear and second hand PCs.

What they intended to do with all that stuff, we can only speculate. But I mean, it's pretty obvious they're not creating a pirate radio station or donating the PCs to hospitals.

Once again, thanks to everyone who turned up, those who threw in some questions at the end and anyone who came up and said hello.

We had a blast and hopefully we'll be let loose on you all over again.


All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.