05 November 2007

Legislating away botnets?

It may be surprising to some, but operating a botnet is not clearly illegal! It certainly is not explicitly legal, but it is also not definitively considered a crime... yet. To eliminate any possible loopholes, there’s pending legislation, dubbed the Cyber Crime Act, that would make it a federal crime merely to create and operate a bot network, even if no major damage were done. There is also new Identity Theft legislation that just passed Senate committee review.

Cyber Crime Act of 2007
======
Specifically, the Cyber-Crime Act of 2007 will:

Continue reading "Legislating away botnets?" »

31 October 2007

Botnets for Good? Or, at least for Ron Paul...

Could it be? A botnet being used to campaign for the Republican candidate for president, Ron Paul? I just read this Wired.com article where a U of Alabama researcher claims he has evidence that e-mail spam supporting Ron Paul is being distributed via botnets.

'Criminal' Botnet Stumps for Ron Paul, Researchers Allege

Talk about campaigning in the Internet age....

26 October 2007

Is it ethical to dismantle botnets?

I was asked this question ("Is it ethical to dismantle botnets?") recently, and my initial reaction was that clearly dismantling an unauthorized creation was ethical. But, the questioner insisted, the crude methods employed today, like shutting down entire IRC servers, are sometimes more destructive than the botnets themselves. While I disagreed with the "destructiveness" aspect, I do see how disconnecting legitimate users of the server is becoming a larger ethical dilemma (mostly due to the evolving nature of botnets).

Botnet C&Cs are being installed on "dual-use" servers, for lack of a better term. There may be legitimate...

Continue reading "Is it ethical to dismantle botnets?" »

16 October 2007

Tuning In To Bots

Tune in to learn more about bots!  This is really beginning to reach a new level of attention when PBS is explaining botnets (in their new WIRED Science series):

TECHNOLOGY: World War 2.0

In spring 2007, Estonia's banks and newspapers were shut down by an organized wide-scale cyber-attack using 'botnets'. WIRED writer Josh Davis heads to the site of the attack to find out what happened, who did it, and what the heck a "botnet" is. (Video)

Search 'botnet' on YouTube and there are a fair number of bot-herder (and vendor-created) botnet videos. Botnets are reaching a new level of international attention. It must be a rush to be able to control tens of thousands of machines, not to mention the tens of thousands of dollars a single botnet can generate in profits. But who can you brag to about your exciting exploits? Fame may not be the goal any longer, but who can resist getting their 15 minutes of fame? We'll probably see a tell-all book ("How I funded my college education with a botnet") in the not-too-distant future.

09 October 2007

Instruction Pointer Relative Addressing (for position independent code)

So, here's an interesting trick I've been using that I've never seen anyone mention before. One of the new features that AMD added to the x86 instruction set when they did AMD64/x86-64 was that in "long mode" (64-bit mode), the encoding for the old 32-bit immediate offset addressing mode is now a 32-bit offset from the current RIP, not from 0x00000000 like before. In English, this means that you don't have to know the absolute address of something you want to reference; you only need to know how far away it is from the currently executing instruction [technically the next instruction]. So, let's say you're writing a fairly generic execve() shellcode. I'm going to assume that everyone here has read Aleph One's paper on this, so I'm not going to repeat that here. (Gripe: What is it with all these shellcode tutorials that are just slightly rewritten copies of "Smashing the Stack..."?) This is what we want to do:

Continue reading "Instruction Pointer Relative Addressing (for position independent code)" »