Hacked - News Update - The Sinkhole
Episode Date: March 24, 2020. Jordan & Scott discuss Shadowserver, sinkholes, and the people mapping malware.
Transcript
It's June 2014, and Gameover is finally going down.
Gameover is, or was, a very sophisticated botnet run by a Russian cybercrime syndicate.
It's this vast network of infected computers that the criminals controlled.
We could do a whole episode about how Gameover specifically worked, but the gist is,
a normal botnet is made up of a bunch of computers that have been infected with malware,
reporting back to a single control point, this central server.
The people who control that server control the network,
but this creates a vulnerability.
Because if you can take down the central control point,
you can take down the whole network.
Cut off the head, kill the beast.
Gameover took that idea and decentralized it.
It's a botnet that operates like a peer-to-peer network.
It's a hydra in this metaphor.
Chop off one head. No sweat. There are countless others.
All in, Gameover infected around a million systems globally.
It harvested banking information and was rented out in spam, DDoS, and online extortion campaigns
that made the people responsible around $100 million as a nice round estimate.
Operation Tovar was the international joint plan to take Gameover down,
and June 2014 was when they pulled the pin.
Taking down a vast international cybercrime network is a vast international operation.
FBI, Europol, NCA, and a bunch of private companies, universities, and institutions all working together.
It's easy to picture guys in trench coats confiscating gear.
It's easy to picture government lawyers handing court orders to domain registrars.
It's easy to imagine someone saying, go, go, go, and a bunch of people jumping into action, chopping off all the hydra's heads at once,
which leaves one last problem. What to do with this giant, rotting monster corpse?
In this case, the giant rotting monster corpse is data. A bunch of data flooding out of the
botnet that now has to go somewhere. The solution is something called a sinkhole, and the subject
of this update. In cybercrime parlance,
A sinkhole is where you redirect toxic internet traffic once you've taken over control of an online criminal enterprise.
It's this deep, dark hole where you can funnel the data, pick it apart, study it, and keep it quarantined.
Shadowserver is a volunteer-run organization that helps identify and quarantine these networks, and importantly, a really big sinkhole.
They served an essential role in taking down Gameover and most other high-profile botnet takedowns.
They're volunteers who aid some of the largest law enforcement agencies in the world in taking down organized cybercrime.
And this last week, they lost their main source of funding, which is a really bad thing at an even worse time.
This is sinkholes, Shadowserver, and how we map malware on this Hacked update.
So, broad strokes, how does a botnet work?
How does a botnet work?
Well, you have a lot of bots: computers, IoT devices with malware, etc. These bots are spread out around the internet,
and then usually there's a controller, something that coordinates them all, so it sends out instructions
that get propagated amongst the botnet, telling all the bots what to do. Right, and what can you
do with it? With a botnet you can do all kinds of things, DDoS obviously being one of the
major ones. Spamming, yeah, for sure, you can change them all to mail servers and do spam,
spam nets, stuff like that. But I think the major thing is just, you know, DDoS. I think that's the
primary use of a botnet. Aside from just owning a lot of computers, which I'm sure comes with a lot
of, you know, power if you needed access to something inside of one of the networks that you
control a computer in. Before we get to taking these things down, is this a pretty high-level
operation? Is this something kind of pedestrian, or is this something that takes a little
bit more effort and coordination to put together? No, I think by the time you're trying to coordinate
and own and control a massive botnet, you're probably, this is, like, you know, if this isn't
your full-time job, it's leaning into that. You're trying to take that startup and go full-time.
Yeah, precisely. Like you're, you know, you've been flirting with it at nights and stuff,
working on it on the side of your desk, and now you're trying to go full-time.
Sure, sweat equity. Yeah.
Okay, so let's flip it.
I'm trying to take down a botnet.
Talk me through how that process could even work.
We talk a little bit in the opening story of it being kind of like a hydra.
You've got to chop off all the heads at once.
Take me through, like, how would someone take down a botnet?
Yeah, well, I think that, and, you know, in relation to the opening story,
the big way that they've been doing it is just identifying them, you know,
seeing where they are, seeing where they're coming from,
seeing what kind of botnet and malware networks these are,
and then trying to figure out where they're being coordinated from.
So lots of these bots know to reach back to the coordination hub
and be like, hey, give me instructions.
Because, as you can imagine, the controller won't know how to tell,
like it won't know where all the bots get to, right?
Because this is kind of spreading like a virus.
So the controller won't know who's infected.
So the infected have to reach back to the controller and be like, hey, I'm infected, you control me, what should I do?
So in that reach back is where a lot of this kind of capture is happening.
So they're programmed to reach back to specific domain names.
And what they're doing is they're kind of poisoning that DNS and taking control of that controller traffic,
which is essentially stopping the infected hosts from reaching back to the controller. Does that make sense?
Yeah, I think so.
So I'm running one of these networks.
I've told all of these devices to report back to, you said, a DNS?
Yeah, so like, imagine you had, you know, jordansbotnet.com, and control.jordansbotnet.com
was the server that you wanted all of the infected hosts to reach back to.
If the entire internet can kind of coordinate itself to poison jordansbotnet.com's DNS and take control of traffic going to control.jordansbotnet.com,
you know, if we can hijack that traffic, we can, you know, do lots of things, notably identify and kind of start to look at ways of removing the botnet off of the infected
host, but also essentially just taking away any kind of control authority from you.
Okay, so step one is figuring out where all the traffic coming off these infected devices is
going to.
Right.
Because you've basically found the hacker at that point.
Yeah, so like just imagine like a virus spreading between hosts.
Once you put this virus or malware into the world, you don't know who gets infected.
So you need to be able to identify what computers out there I now control,
and the easiest thing to do is to have them kind of call back and say,
hey Jordan, I have it, you control me.
So once I've identified the domains where all that traffic is going to,
how do I take control of it so that the traffic is coming to me?
Yeah, so you're essentially the term that you want to start chatting about is sink-holing,
but really what it is is poisoning.
So you're saying, hey DNS server,
instead of redirecting traffic to control.jordansbotnet.com to this IP address, send it over to this new IP address.
And this new IP address could be, you know, some massive security association.
It could be, yeah, I've noted, I think, you know, the original story and something that you've been reading about recently is Shadowserver,
which is a big not-for-profit association
that kind of looks to control, monitor,
and shut down these massive botnets.
Before you can control and monitor them, though,
you have to map them out.
How do you do that?
Yeah, so, like, Shadowserver has a bunch of honeypots,
which we've discussed in a previous episode.
So they kind of have vulnerable computers out there in the world
looking to get infected with these malware things
so that they can kind of stop and track
and monitor the network traffic coming and going from them,
which allows them to do a number of things like fingerprint the malware
so they can get a good understanding of what it is, who made it,
as well as monitor the network traffic to see, you know,
hey, it's creating a private VPN tunnel to this server in Russia.
It turns out all of the infected hosts are probably creating that same VPN tunnel.
Let's look and identify all network traffic that looks like that,
and then we'll have a good understanding of who's infected.
What happens if we don't have something like this? Shadowserver specifically, and then
organizations of this class. Yeah, I think what you're referring to is the fact that Cisco just
pulled their primary sponsorship from Shadowserver, which is probably greatly affecting their
operations. If they were to go away, then botnets would run rampant. Or a new company would spin up
in its place. There's, you know, with opportunity or with problem comes opportunity. And I trust that
somebody will spin up to take care of that problem. So if Cisco has pulled out, for whatever reason,
Cisco pulled out, then, like, who funds this kind of operation?
Well, just think about, like, I remember doing an economic analysis on the cost of spam, you know,
in the early 2000s, and it's massive.
You know, back when spam was running rampant, just the data, just the power cost, the carbon
output of the power used to create and move all of the spam in the world.
Like, we're talking about so much data that, you know, there's an opportunity there,
Just like there's an opportunity here, you know, massive botnets aren't only a threat,
but they're also a major infrastructure headache.
You know, if you've got millions of hosts generating tons of garbage traffic
and piping that up over ISPs, over cell networks, you know, it's companies like that
that are going to then have to start paying the cost of it.
So I suspect that they'll quickly have their funding hole filled,
or a company will spin up that does exactly the same thing
and sells memberships to massive companies like telcos, internet service providers, etc.
The last question, what if we just do nothing?
What if Shadowserver doesn't get more funding, it goes away,
and we just don't have this service anymore?
It's very much a bit of an analogy for what's going on in the world right now.
We have a separate type of crisis that's spreading.
And if we all just ignored it, it would become paramount.
So we're all trying not to ignore it,
and trying to do our parts
to kind of control and contain and slow it down.
And that's the same with this.
You know,
imagine if every botnet they've ever taken offline
just grew and grew and grew and grew,
and they were all just compounding.
Imagine the infrastructure taxation
that that would be.
Thanks for listening, everybody.
Up next we're going to jump over to Hacked After Dark,
the segment of the show
where we follow up on stuff we got wrong
and things people said to us on Twitter.
On today's episode of Hacked After Dark,
we're going to have a response to a gentleman who tweeted at us.
Twitter user at Lancaster,
rightfully pointed out that we,
in the last episode about personal and national responses
to the COVID pandemic,
we talked about what Iran was doing.
Iran was just distributing malware.
It's a separate thing.
But we did irreverently ask the question,
what use would location data have in a crisis like this.
And he points out that Israel has been text messaging people saying,
hey, you were in a physical location where someone else was that had COVID.
So he rightfully points out there's a total use for having GPS data
that just didn't really occur to us when we were talking about that.
I feel like we're only weeks away from all being in proximity to people that have had it.
It just turns into spam at that point.
It just turns into a spam. It just turns into a botnet.
