Botnet for research

ycae
(@ycae)
Active Member
Joined: 16 years ago
Posts: 10
Topic starter

Hi,

I don't know if this is the right place to ask this question but I hope that you can give me some directions.
For my studies I would like to research a botnet... basically the anatomy of a botnet. However, I do not know where I can find actual botnets, and of course how to know whether the botnet is current or not.
I may of course catch one by setting up a honeypot, but then there is still the problem of knowing if it is a current botnet or not.

Thanks a lot for your support.

/R


   
Quote
(@darksyn)
Trusted Member
Joined: 17 years ago
Posts: 50
 

I was pretty much wondering about (and wanting) the same thing myself, ycae, so I could do some very seriously isolated & tightly controlled experiments with such a network (internal, not connected to the Internet) as part of my PhD.

My two main considerations were (and are) the following:

a. whether a very-small-scale botnet (5-10 infected workstations of the ones assigned to me for my PhD) would give me the sort of information that would be usable as a predictor of the behaviour of larger-scale botnets

b. whether going through the trouble of spending time tracking one down (or actually sitting and writing a very basic one), using university resources and with the permission of my supervisory team, would still be considered illegal even though it will be purely for academic research purposes.

I would be quite surprised if a really current & up-to-date botnet (with all the IDS/IPS/detection-evading goodies etc) is even findable, as they tend to be a closely-guarded treasure-trove nowadays.

The only borderline-sufficient solutions I have thought up would be to either use an old & outdated (possibly IRC-based & controlled) botnet released to the public or to write a number of shell-scripts & C/Perl programs to control a number of utilities in a vaguely distributed fashion as a hopefully passable attempt at emulating the behavior of a botnet during an attack. Or, perhaps, possibly using something like a combination of Nessus, Arachni & Metasploit Framework-based attacks in a scripted fashion.

Any thoughts, ideas, suggestions or sage words of advice on the matter, anyone?


   
ReplyQuote
(@anataman)
New Member
Joined: 15 years ago
Posts: 1
 

Personally, I would start by infecting yourself with a botnet client then monitor how the client relates to the rest of the botnet, the instructions sent to the client and the client actions. You may be able to trace the instructions back to the command server, or reverse engineer the instruction set. If your client is being sent instructions, then you can be sure that you're part of a 'live' botnet.
Make sure that you're operating in a controlled environment so that you're not causing harm to the rest of the internet.
You can find lists of active web-hosted malware here:
http://support.clean-mx.de/clean-mx/viruses.php
Although most of the links are 'live', there is no guarantee that the malware at the other end will lead to a botnet infection.


   
ReplyQuote
chrisdavies
(@chrisdavies)
Trusted Member
Joined: 16 years ago
Posts: 55
 

Join the WikiLeaks one!!


   
ReplyQuote
Share: