Researchers Infiltrate and 'Pollute' Storm Botnet

CmdrTaco posted more than 6 years ago | from the i'm-infiltrating-see-yeah dept.

Security 261

ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied away from this controversial method because they don't "want to mess with other peoples' PCs by injecting commands," said one botnet expert quoted in the article."

It's not Really... (5, Insightful)

cromar (1103585) | more than 6 years ago | (#23184714)

It's not really messing with other people so much as preventing them from messing with tons of other infected hosts. Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

Re:It's not Really... (2, Insightful)

Charred Shaman (1162963) | more than 6 years ago | (#23184768)

Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.

Re:It's not Really... (5, Insightful)

idontgno (624372) | more than 6 years ago | (#23186014)

Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.

Well, possibly, but I think the moral conundrum isn't about attacking the botnet itself, but about the owners of the computers the botnet is unwittingly hosted on. All this "poisoning" activity affects the zombied PCs, after all.

To use a (non-car) analogy: Germany invaded Belgium in WWII. That was morally bad. Later, the allies counter-invaded Belgium. That was morally good. But the battles involved in both invasions weren't particularly great for Belgians.

Wow, Godwin in 2 posts... (5, Funny)

PRMan (959735) | more than 6 years ago | (#23186302)

That's got to be some sort of record...

Re:Wow, Godwin in 2 posts... (2, Funny)

Daimanta (1140543) | more than 6 years ago | (#23186442)

Scrap an I in WWII and you are all set for a non-Godwin post ;)

It was morally "good" -- from our perspective... (4, Insightful)

CFD339 (795926) | more than 6 years ago | (#23186472)

..because we won. History is written by the victors of course. Don't misunderstand me -- nothing could make me defend the German army's actions (or those of many of its citizens at the time). I'm only saying that had we lost that war, a different history might look upon the "re-invasion" of Belgium as a war crime.

Re:It's not Really... (5, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#23184812)

Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.
Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.

It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.

Re:It's not Really... (-1, Offtopic)

zappepcs (820751) | more than 6 years ago | (#23184888)

I hope you get high positive mod points for this. I agree completely.

Re:It's not Really... (2, Informative)

Toandeaf (1014715) | more than 6 years ago | (#23185680)

Mod points are not supposed to be used as "I agree".

Re:It's not Really... (1, Interesting)

Moridineas (213502) | more than 6 years ago | (#23186268)

Well, if you agree, you probably feel that point is "+1 Insightful" or "+1 Interesting" whatever.

I do agree that the system of moderating on slashdot is HIGHLY overused by those who use them for their opinions. I've been guilty of this at times too, though I try not to.

Maybe we do need a "+1 I agree, good thinking!" and a "-1 I disagree, that's stupid!" that count as a different class of points. Dunno.

Re:It's not Really... (0)

Anonymous Coward | more than 6 years ago | (#23186370)

And common sense is not supposed to be used at "slashdot".

Re:It's not Really... (5, Insightful)

wizardforce (1005805) | more than 6 years ago | (#23185046)

Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user.
An OS shouldn't allow that; then again, it shouldn't allow you to get pwned by visiting malicious web pages or opening emails either. The problem is that you're talking about a hypothetical problem that may or may not exist. Storm is real and doing real damage to the world. Sitting back and watching the fireworks just because you're afraid to break something is, in my opinion, irresponsible.

Re:It's not Really... (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23185790)

Is it wrong to do something to an out-of-control car rolling down a hill on fire towards a school full of people? This is a lot like a computer being part of a botnet. It is possible you could cause some damage to the car, which is not yours, by directing it out of the way, but if you don't, something bad will certainly happen.

Re:It's not Really... (1)

Oligonicella (659917) | more than 6 years ago | (#23185086)

From your point of view, it's more moral. Others might think that allowing known destruction to continue is not. Add to that just how "effective" monitoring, locating computers and helping the owners clean them has been to date and their disagreement isn't baseless.

Unlogical (0)

Anonymous Coward | more than 6 years ago | (#23185096)

You're basically the Dr. McCoy to the original poster's Spock. If Mr. Spock was here, I'm sure he would disagree with an argument based on the need of the many.

Re:It's not Really... (2, Informative)

peachstealingmonkeys (1268936) | more than 6 years ago | (#23185100)

Even though I agree with you on the second half of the comment, I still think you are spreading FUD with the first part. 1) "Researchers" don't "just" send the polluted hashes to the bots in hopes of it disrupting communications. 2) They aren't "fuzzing" the bots looking for a vulnerability that will disrupt a command channel and possibly crash a bot completely. That would be extremely irresponsible. 3) "Researchers" analyze the bot software locally in order to determine the correct hash strings to figure out the way to disrupt communication. 4) Obviously the 'attackers' can introduce a back process into their bot software that would destroy the bot image and OS completely if such control channel disruption is detected; however, it's pointless since the bot is out of commission anyway.

Re:It's not Really... (5, Informative)

cromar (1103585) | more than 6 years ago | (#23185136)

Sure, in general that is a valid concern. However,

The pollution attack... "overwrites" the P2P botnet's key, an identifier that's used to get command information to the bots. Storm generates keys to find other bots, the researchers noted.
So there really isn't a risk, in this case, of executing maleficent code or overwriting large portions of anything. The Storm operators might modify the peers to self-destruct the host or something, though I doubt they will given that Storm needs the host to be at all useful.

Re:It's not Really... (5, Informative)

kaiser423 (828989) | more than 6 years ago | (#23185174)

If you RTFA, they are not sending any commands to the end computer. They are just disrupting communications between the nodes.

Effectively, fracturing the net into multiple pieces; not taking control of the computers and doing something.

This is not a counter-attack to the infection or anything like that. They're just jamming the comm system that the bots use. They're not actively doing anything to the bot or computer.

Re:It's not Really... (0, Redundant)

street struttin' (1249972) | more than 6 years ago | (#23186176)

Wait, if you what? What does RTFA mean?

Re:It's not Really... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23185234)

Are you aware you're talking about MILLIONS OF COMPUTERS, you idiot? Automated solutions are the only solutions.

Re:It's not Really... (4, Interesting)

el_flynn (1279) | more than 6 years ago | (#23185236)

Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user.
True, but who's to say the resident malware isn't already doing that? Although I'm sure the bot manufacturer will take quite strong measures to stop this from happening, as it would really result in a non-productive bot. So the anti-bot programmer would just have to take similar steps I suppose.

It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection.
TFA says the researchers "saw between 5,000 and 40,000 machines online at a time."
Who, other than a NATO-type international task force, would have the resources to reach out to those 40k users and help them clean their machines? All you IT admins and helpdesk staff are already cringing at the thought of handling tens or hundreds of users -- can you even begin to imagine trying to explain to thousands of clueless users what's happened to their PC, and what steps to take to clean it?

Re:It's not Really... (3, Interesting)

graphicsguy (710710) | more than 6 years ago | (#23185896)

Who, other than a NATO-type international task force, would have the resources to reach out to those 40k users and help them clean their machines?
If it's easy to detect the traffic to/from a botnet computer, they should be cut off by their ISP. The ISP can then offer them both instructions and to sell them PC cleaning as a service before allowing them to re-activate their connection.

Re:It's not Really... (3, Insightful)

msimm (580077) | more than 6 years ago | (#23185260)

Running an infected bot is inherently risky, just like the virus or worm that caused it. Moral concerns should be moderated appropriately.

Re:It's not Really... (0)

Anonymous Coward | more than 6 years ago | (#23185298)

It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.
The article explains disrupting the communication of the bots, which seems like a good direction toward preventing what these botnets can do destructively, DoS-wise.

"Finding and helping" would not only force you to identify and communicate with infected users / computers, but is in no way practical.

Re:It's not Really... (0)

Anonymous Coward | more than 6 years ago | (#23185322)

"It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run."

Of course, everyone's assuming this story is legit. Sounds like a dummy story.

If I were a security consultant seriously interested in messing up Storm, I'd find a friendly lab willing to propagate a FALSE story like this, which will induce the STORM controllers to do something to recheck their communication links to their zombies. Traffic analysis on such a burst of activity would be very useful for analyzing the size of the botnet, or identifying cell controllers, etc.

Re:It's not Really... (2, Interesting)

hilather (1079603) | more than 6 years ago | (#23185324)

You know, wiping out a bot-infected computer of any personal information, or even all information, might actually be doing that person a favour. It is better than having that information fall into the wrong hands. I could go either way on this; it's the computer equivalent of vigilantes. But what happens when botnet controllers start to realize identity theft is a pretty lucrative business too?

Re:It's not Really... (1)

0100010001010011 (652467) | more than 6 years ago | (#23185332)

Maybe then the end user would be more careful in the future and it would take them off of the bot net.

I guess I've got my Evil bit set, because if I had the know-how I would send a low-level format command out. The botnet would collapse, people profiting from it would stop, and maybe people would start putting pressure on Microsoft to actually do something. Maybe even install a bootloader to display Apple, Ubuntu, & FreeBSD's websites.

Sure it's not nice, but if it gets people to actually take action then I'm all for it. There will always be more companies trying to profit, new botnets, etc, but if you can actually stop the botnet from starting by educating people, then you win.

Re:It's not Really... (1)

veganboyjosh (896761) | more than 6 years ago | (#23185718)

The bot net would collapse, people profiting from it would stop and maybe people would start putting pressure on Microsoft to actually do something. Maybe even install a bootloader to display Apple, Ubuntu, & FreeBSD's websites.

One problem I see with this is that the proverbial grandmother, whose infected machine has slowed or stopped working altogether, then associates Apple, Ubuntu, and FreeBSD with the reason why her computer stopped working. To her, and thousands like her, their machine stopped working, and now the people (behind the curtain...) want her to stop using MS? They must be evil, if they'll shut down her computer to get her to use "their" products.

Re:It's not Really... (4, Funny)

0100010001010011 (652467) | more than 6 years ago | (#23185894)

"Your version of Microsoft XP has expired. Please buy a version of Microsoft Vista at your nearest authorized Microsoft dealer. If your computer does not support Vista you will be required to upgrade your computer.

Thank you for supporting Microsoft".

How's that?

Re:It's not Really... (3, Funny)

Cro Magnon (467622) | more than 6 years ago | (#23186280)

And, can you picture the reaction of a Christian grandmother when her computer flashes the BSD devil at her?

Re:It's not Really... (1)

sabt-pestnu (967671) | more than 6 years ago | (#23186238)

If I had the know-how I would send a low-level format command out.
Leaving aside the issue of "they'll just do it again", your strategy fails in that by doing this, you take out one node at a time. Much like a virus that is "too successful" and kills its host before it reproduces.

I think you would get better results by passing your 'counterinfection' on for a bit before de-botting completely.

Re:It's not Really... (0)

Anonymous Coward | more than 6 years ago | (#23185350)

Well, as far as I can gather from TFA, they're only messing up the keys sent around Storm to prevent infected computers from identifying each other. If I understand correctly, this disrupts communication, because the bots stop talking to each other. I can't see how this can do any harm to the victims' computers.

Sadly (0)

Anonymous Coward | more than 6 years ago | (#23185414)

Sometimes the disease kills the host.

Re:It's not Really... (2, Insightful)

EncryptedSoldier (1278816) | more than 6 years ago | (#23185436)

LAWL! Yeah, that's a great idea. Let's go ringing doorbells! "Hi! Are you Mrs. Smith?" "Yes, I am. And who might you be?" "I'm John, and your computer is infected with a botnet called Storm. You and millions of other users are infected and are constantly infecting other computers without your knowledge. I can fix your computer for $200, what do you say?" And even if that worked, it won't work for everyone. Too much time needed to fix it, too much money for it to be possible. Poisoning the botnet is the way to go.

Re:It's not Really... (0)

Anonymous Coward | more than 6 years ago | (#23185820)

Nah, I'd just automate the process. Send some sort of message to each person who is infected, letting them know that you will fix their computer for $200. Of course, to figure out who is infected, maybe you could put a program of some kind on an infected person's computer, which then puts this program onto the computer of everyone near them, etc. Then we can just send a message to all these people, letting them know that they're infected and asking for money!

We'll call the program the Storm Penetrating Automated Messenger, or SPAM for short.

Re:It's not Really... (5, Insightful)

Solandri (704621) | more than 6 years ago | (#23185510)

Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.
Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.
You're comparing a concentrated loss to a distributed loss. The correct assessment in that case is to sum up the losses on both sides. Say "poisoning" Storm results in 1000 users with wiped hard drives losing $10,000 worth of data and productivity (being very generous here). OTOH say letting Storm continue to operate results in 100 million users losing $1 each worth of productivity (spam) and data (compromised systems). That's a $10 million to $100 million balance in favor of poisoning Storm. Obviously the numbers here are made up and I honestly don't know if poisoning Storm is a good idea. But the point is that you just can't look at the losses on one side and say a course of action is unacceptable due to those losses. You have to compare the losses that might happen if you take action, to what losses will happen if you don't take action.

It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.
Do you maintain any computers for friends or family? No it won't be more effective in the long run. You help them clean their system, and they'll go right back to using it as always. In 6-12 months they'll call you back to help them clean it again. It's just an individual equivalent of a cost of doing business for them. Why should they bother to change their habits when they can pay you a hundred bucks or so every year to clean their system?

In that light, losing all their data might be just what's needed to get them to take computer security seriously. However, I'd consider it a last resort since it's a punitive action rather than a preventative action. The long-term solution is to accept that casual users are going to run their computers like this, and to come up with mechanisms which blunt or dilute the impact of compromised systems. We're already doing this with anti-virus and anti-spyware software, as well as flaming Microsoft so they fix all the security holes in Windows. But it may or may not also involve poisoning botnets.

Off the top of my head, I don't think you need to remove the botnet software. It's probably already secured the box against further infection. So all you need to do is scramble its communication and/or encryption so it doesn't/can't contact the bot master again. It could be as simple as changing one bit in an otherwise unused registry key. So "poisoning" a botnet may be much more benign than your worst case scenario.

Re:It's not Really... (1)

geekoid (135745) | more than 6 years ago | (#23185936)

Well, maybe your family are a bunch of idiots, but my family, and others I have dealt with, have learned and developed better computer habits.

I hate that excuse so much. It's no different than any excuse a fascist uses to 'fix' a problem.

This is an OS problem, and should be fixed as such.

Re:It's not Really... (1)

hostyle (773991) | more than 6 years ago | (#23186596)

your sig sucks.~

Re:It's not Really... (1)

AlecLyons (767385) | more than 6 years ago | (#23185522)

it's more moral and more effective in the long run.

And it's legal. Let's not forget that.

Re:It's not Really... (2, Funny)

Anonymous Coward | more than 6 years ago | (#23185528)

Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user.
And if I were a botnet author, I'd make absolutely sure that signs of such tampering would result in this (the DISABLE_ZOMBIE command in version 1.00 effects the WIPE_WHOLE_DRIVE command in update 1.01). Watch as the self-appointed saviour destroys the data (bla bla backups) on half a million computers world wide.

The road to Hell...

Re:It's not Really... (4, Funny)

guruevi (827432) | more than 6 years ago | (#23185530)

Actually, it would be better to wipe their hard drive clean since then they would be directly impacted and see the loss caused by their stupidity. I already heard from users: yeah, I know I have a virus/trojan but it doesn't really do anything bad to my computer and that virus scanner makes my computer slower so I'll leave it there.

Also, it would give us geeks some extra income and we would have the opportunity to load Ubuntu on their machines.

Re:It's not Really... (2, Insightful)

MagdJTK (1275470) | more than 6 years ago | (#23185598)

I would argue that it is a computer owner's moral responsibility to make sure it's not doing any harm to others.

If someone leaves their bag unattended at a train station, they should expect it to be destroyed in order to protect the public. If someone doesn't secure their PC and it becomes a hazard to others, shouldn't it be taken out too, by any means?

Re:It's not Really... (2, Insightful)

ohtani (154270) | more than 6 years ago | (#23185692)

Since when would saying something along the lines of "del infectedprogram.exe" be the same as "format c:"?

Re:It's not Really... (0)

Anonymous Coward | more than 6 years ago | (#23185748)

If this is the same method as the one that was discussed on here a couple of weeks ago, then the researchers aren't sending commands at all.

Storm works on P2P systems, and as such nodes in Storm request work by issuing searches on the P2P network just like you would search for a file name. When another node has a command it replies back to the search with a specific file name, then the requesting node retrieves the file name (command) just like you would retrieve a file on P2P.

The researchers "poison" storm by making lots of nodes that reply back to the search request but don't actually have anything. So the requesting nodes are less able to get a command because they get overloaded with bogus search returns.

In short, the poisoners aren't sending any command, they are preventing others from sending commands.
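The search-and-reply pollution this comment describes, modelled as an added toy simulation (constructed here, not the researchers' code or Storm's actual protocol; the reply cap, the assumption that every node hears a search, and all node counts are made up to show the effect):

```python
"""
Toy model of search-reply pollution on a P2P command channel.
Constructed example; the protocol details are assumptions, not Storm's.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    sender: int
    key: str
    payload: str    # file name the sender claims to hold for `key`
    genuine: bool   # True only when the sender really holds a command


class ToyP2PNetwork:
    """Nodes that answer a search for `key`.

    Command nodes hold a real command file name; polluters answer every
    search with a bogus name they do not actually have.
    """

    def __init__(self, n_command_nodes: int, n_polluters: int, seed: int = 0):
        self.rng = random.Random(seed)
        self.command_nodes = list(range(n_command_nodes))
        self.polluters = list(range(n_command_nodes,
                                    n_command_nodes + n_polluters))

    def search(self, key: str, max_replies: int) -> list[Reply]:
        """Return the replies the requester actually gets to process.

        Assumption: every node hears the search, replies arrive in arbitrary
        order, and the requester only processes the first `max_replies`
        (the "overloaded with bogus search returns" effect).
        """
        replies = [Reply(n, key, f"cmd-{key}", True) for n in self.command_nodes]
        replies += [Reply(n, key, f"junk-{self.rng.randrange(1 << 32):08x}", False)
                    for n in self.polluters]
        self.rng.shuffle(replies)
        return replies[:max_replies]


def fetch_command(net: ToyP2PNetwork, key: str, max_replies: int):
    """A bot's lookup: retrieve the first reply that is a real command file."""
    for reply in net.search(key, max_replies):
        if reply.genuine:
            return reply.payload
    return None  # every processed reply was bogus; the bot stays idle


def success_rate(n_command_nodes: int, n_polluters: int, trials: int = 200,
                 max_replies: int = 5, seed: int = 0) -> float:
    """Fraction of lookups that still reach a real command."""
    net = ToyP2PNetwork(n_command_nodes, n_polluters, seed)
    hits = sum(fetch_command(net, f"key-{i}", max_replies) is not None
               for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    # With 5 command nodes, the lookup success collapses as polluters grow.
    for polluters in (0, 10, 100, 1000):
        print(f"polluters={polluters:5d}  success={success_rate(5, polluters):.2f}")
```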

Re:It's not Really... (1)

bryce4president (1247134) | more than 6 years ago | (#23185806)

So you have a botnet; it's running amok, causing unknown amounts of damage to people's property and putting even more people in harm's way. And you really think it's a bad idea for a few experts to scramble a hash on their computer "because it might wipe out their HDD"? You have to have a better argument than that! I want to see an example of how you can scramble the hash and cause this. Has anyone proved that it can even be done? Until I see proof that there is a high risk that these guys could accidentally erase someone's HDD, I say go get the bastards. That's like saying we shouldn't have attacked Germany in WWII because someone innocent might die. Yeah, it's war; innocent people die in war. The goal, however, is to keep that number as small as possible. The proportion of people saved in WWII heavily outnumbered the possible innocent lives that would be lost, and maybe I'm stretching the analogy a bit here, but I think that the number of HDDs that would be negatively affected is far lower than the amount of good that would come out of this. My $.02

Re:It's not Really... (2, Insightful)

rocketPack (1255456) | more than 6 years ago | (#23185900)

Should I not be held (somewhat) responsible if my unprotected gun is used in a crime? A computer with an internet connection has inherent risks; it's the user's responsibility to secure and protect their own goods against damage, as well as malicious uses.

If your computer is damaged in an effort to mitigate a large-scale botnet causing massive infrastructure problems and costing people money, then perhaps you could at least learn something from the process.

I don't feel sympathy for their (speculated, potential) loss/damage, I feel pity for their ignorance. My dad always told me not to use tools without understanding how to use them properly and safely, there's no reason this logic can't apply to computers.

"help them clean" (1)

unity100 (970058) | more than 6 years ago | (#23186258)

It's a pain to provide technical support for even uninfected computers, and you are telling us to help people clean their infected computers.

Re:It's not Really... (0)

Anonymous Coward | more than 6 years ago | (#23186382)

If someone's pet dog is rabid do you not have the right to shoot it?

Re:It's not Really... (2, Insightful)

Esc7 (996317) | more than 6 years ago | (#23186454)

I think the wording here should be that poisoning the botnet would be the MORAL thing to do (Stopping the botnet is a good thing for all!) But it would not be the ETHICAL thing to do (Respecting people's privacy is the rule that we hold to).

And in all dilemmas between morals and ethics the "right" thing to do must be weighed very carefully, there are no hard and fast rules that can be applied carte-blanche.

Re:It's not Really... (1)

SanityInAnarchy (655584) | more than 6 years ago | (#23186604)

Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.
Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user.
Which the original bot might easily have done.

By the time a user is participating in a botnet, they are a lost cause. If you want to help them, fine, but do it before they get infected.

And anyone who doesn't do backups WILL lose data, it's only a question of when.

Re:It's not Really... (0)

Anonymous Coward | more than 6 years ago | (#23186622)

I don't know, a friend of the family recently opted to handle a severe malware infection by calling Dell support. Dell support directed her to use the hidden recovery partition, which promptly fdisked, formatted, and reinstalled Windows. Either way stupidity gets its proper reward.

Re:It's not Really... (1)

InlawBiker (1124825) | more than 6 years ago | (#23184878)

I agree. If they're unaware the bot is running they'll also be unaware of the anti-bot.

Re:It's not Really... (4, Insightful)

ChoppedBroccoli (988942) | more than 6 years ago | (#23185088)

You are right, it isn't necessarily a moral question. Obviously, the researchers are trying to do a good thing, and their good intentions are good and correct.

It is more of a legal/technical question. Are you legally allowed to do this? And the major problem for researchers is that they have no cloak of anonymity like the bad guys do: they are easily linked/traced to all their actions by the mere fact that they publish their work and share their results. If anything goes wrong, or even if an overzealous user just wants to sue/go to court for the sake of suing, then the researchers are SOL.

It IS a gray area, even if you are morally correct.

Re:It's not Really... (1)

shawn(at)fsu (447153) | more than 6 years ago | (#23185468)

I was going to add that once your PC is part of a botnet it's not really your machine anymore anyway. It's someone else's machine that you pay the electricity for, and occasionally it will allow you to use it, albeit at degraded performance.

Botnet wars (0)

Anonymous Coward | more than 6 years ago | (#23184754)

... at 11! Place your bets!

Hmm... (0)

Anonymous Coward | more than 6 years ago | (#23184900)

Perhaps I am a bit naive, but if they are able to successfully "pollute" the botnet, why not simply send out code that instructs the bots to destruct (uninstall) themselves? As a former programmer, I certainly understand the difficulty in the protocol implementation, but if they've already gained enough insight to disrupt communication protocols, surely they can send out a termination signal. After instructing the bot to pass on the termination signal to the other bots, of course :-)

Re:Hmm... (1)

kirbysuperstar (1198939) | more than 6 years ago | (#23185240)

Probably a silly question, but what if there is no stop/terminate command? I mean, I guess there would be, but it's not completely far-fetched to think there might not be one.

Re:Hmm... (1)

Kiralan (765796) | more than 6 years ago | (#23185360)

Not naive at all, and potentially a valid attack. This assumes the bot has that command in its design. Otherwise, it would be necessary to overwrite the bot with a different program, which makes just about any form of counter-attack possible, as you are now the bot-master for that bot and its subordinates.

too much time on their hands? (-1, Flamebait)

suck_burners_rice (1258684) | more than 6 years ago | (#23184906)

It never ceases to amaze me how much extra time people seem to have on their hands. Do you mean to tell me that researchers don't have more important things to do, like, oh, I don't know, conducting research?!?!

Re:too much time on their hands? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23184992)

...like maybe perhaps research methods of disrupting botnets and see what results that type of research produces?

Botnet or Skynet? (1)

mathimus1863 (1120437) | more than 6 years ago | (#23184918)

Is anyone else bothered by the fact that the summary might as well say "skynet" instead of "botnet" and it would make just as much sense?

I think the future has arrived.

Fair Play (4, Interesting)

FurtiveGlancer (1274746) | more than 6 years ago | (#23184926)

I submit that it's inherently fair and perfectly ethical to disrupt those who invade and steal from others. Even if the theft is one of compute cycles. Usually, we call those who disrupt invaders and thieves "heroes."

Great Idea!?... (1)

doc_doofus (1102559) | more than 6 years ago | (#23184930)

Because "What could possibly go wrong?"

Ad-free article. (2, Informative)

AltGrendel (175092) | more than 6 years ago | (#23184956)

Ad-free article here. [darkreading.com]

Who is liable in the event of retaliation? (3, Interesting)

Tanman (90298) | more than 6 years ago | (#23185006)

Ok, so here's a fun question: Let's say the botnet creators get pissed off and send out a code change that makes one of the standard commands change to be something like, oh, "wipe hard drive." The botnet creators then use different commands, but the researchers come along and issue the old command, thus wiping the users' hard drives.

Are the researchers liable since they technically issued the offending command while logged in as a remote user without the owner's permission?

Re:Who is liable in the event of retaliation? (5, Informative)

drrck (959788) | more than 6 years ago | (#23185158)

TFA states that they are changing the hash values that the bots use to talk to one another. They aren't issuing commands, they're interrupting the communication of the bots.

Re:Who is liable in the event of retaliation? (2, Insightful)

WK2 (1072560) | more than 6 years ago | (#23185736)

I thought of that too. It might be a good way for the botnet operators to keep security researchers off their backs. Fortunately, the botnet operators don't want to damage the computers any more than the security researchers do. Less, in fact, because the botnet operators think they "own" said computer.

Inject a vaccine? (1)

Ritz_Just_Ritz (883997) | more than 6 years ago | (#23185010)

It would be nice if the researchers could find a way to inject a "cure" and disable the malware on the target computer. I wouldn't have any moral/ethical problem with that. Of course, I guess it all depends on who is defining "malware." The RIAA might convince a judge that it is "OK" to inoculate PCs against P2P (pick your favorite client).

Cheers,

Re:Inject a vaccine? (1)

txoof (553270) | more than 6 years ago | (#23185124)

It would be nice if the researchers could find a way to inject a "cure" and disable the malware on the target computer. Once an infected host is identified, that data should be sent off to the ISP and the host should be blacklisted until the owner can be contacted and the computer cleaned. A simple method would be for bot-tracking squads to send authenticated lists of infected hosts to ISPs. The ISP would then block any and all outgoing requests from that host until the owner cleans up their computer. The ISP could then direct any web queries to a page informing them of the problem.
It's not perfect, but it could definitely ameliorate a good chunk of the problem. I'm sure some clever bot-herder would then try to take advantage of the reporting and blacklisting system and cause blackouts, but that's a problem for someone else.

Re:Inject a vaccine? (1)

Aram Fingal (576822) | more than 6 years ago | (#23185722)

You would have to be careful not to repeat the mistakes of the Welchia worm. [symantec.com] This is a worm-destroying worm which attempts to remove the MS Blaster worm and download and install the patch for the vulnerability which MS Blaster (and Welchia itself) uses to infect computers. The problem is that Welchia disrupted network activity and caused PCs to reboot at unexpected times to complete installation of the security patch. It is, therefore, considered to be malware and is removed by all the major antivirus products.

I blame the ISP's (0)

Anonymous Coward | more than 6 years ago | (#23185082)

ISPs can shut your service off if they detect you are spamming. I've had clients with infected machines get shut off by their ISP (their entire Internet connection), so I know they can do it.

ISPs should stop investing in killing legitimate traffic (Torrents) and put that focus on keeping the Internet clean by disconnecting infected machines until they are fixed. Most ISPs offer free AV too, and I'm sure there are still some nubs out there who have no clue. Shut them off and they'll get a clue real quick.

Re:I blame the ISP's (3, Insightful)

drrck (959788) | more than 6 years ago | (#23185220)

ISPs aren't going to turn people off as Joe Sixpack has no idea what a bot is or where spam comes from. They would probably switch providers, as it's a lot easier than cleaning your computer.

Actually Reading the Article (4, Informative)

Kiralan (765796) | more than 6 years ago | (#23185190)

To the ones worried about the ethics, at least in this case: What the researchers did, in a sense, is change the 'name' and/or 'password' the bot uses to call the bot master and authenticate itself. In short, they removed the ability of the 'bot to get more commands.

Re:Actually Reading the Article (1)

geekoid (135745) | more than 6 years ago | (#23185956)

Yes, but did they need to access a computer they weren't authorized to access in order to do it?
That's the question.

Armageddon (2, Insightful)

spleen_blender (949762) | more than 6 years ago | (#23185202)

The war. IT BEGINS.

Seriously, I'm personally excited by the fact that this essentially seems to offer a great draw to people with security skills to try being offensive where most of their efforts would have been used defensively before.

Public Key Cryptography and Message Signing. (5, Insightful)

CodeBuster (516420) | more than 6 years ago | (#23185210)

I predict that the botnet authors will respond with the following counter-measures:

1) Command messages sent to the botnet by the operator will employ public key cryptography and message signing so that bots can determine real commands from headquarters (i.e. the bot net operator) from fake ones.

2) The bots themselves will use encryption to communicate amongst themselves and employ secret handshakes once the encrypted channel has been established to detect imposters. It would not be difficult to arrange for the botnet to automatically coordinate and begin punitive attacks against hosts which attempt to inject false commands into the botnet.

Re:Public Key Cryptography and Message Signing. (3, Informative)

Uncle Focker (1277658) | more than 6 years ago | (#23185516)

2) The bots themselves will use encryption to communicate amongst themselves
They already do that now. That's one of the major issues with tracking down the whole extent of the botnet.

Re:Public Key Cryptography and Message Signing. (1)

jandrese (485) | more than 6 years ago | (#23185752)

The good news is that it's so damn hard to implement a crypto system properly that the botnet authors have probably screwed something up, especially since they can't just rely on a single host (or pool of hosts) to store the crypto keys (those would be an easy target for the anti-botnet folks). Key management is the #1 area where people screw up their crypto systems.

Re:Public Key Cryptography and Message Signing. (2, Funny)

el_flynn (1279) | more than 6 years ago | (#23185628)

And I would like to add my prediction: the botnet will implement captchas or kittens to detect the fake bots.

Re:Public Key Cryptography and Message Signing. (2, Informative)

Captain Spam (66120) | more than 6 years ago | (#23185646)

Actually, if I'm not mistaken, TFA claims that the researchers are using those exact vectors to do their counterattacks. As in, they mess with the encryption key so that any data that comes in from the controllers or other bots will be reported as bogus due to the controller/bot keys not matching. This, in a large way, renders the bot harmless, as it will now ignore all orders, expecting something signed by a key that will never arrive.

It's honestly a clever way to pull it off, though it does open the door to a malicious someone planting a legitimate key to someone else's commands, assuming it's as easy as the researchers seem to indicate to plant a bogus one. Or re-attacking the machine to put a Storm key back in.

Re:Public Key Cryptography and Message Signing. (0)

Anonymous Coward | more than 6 years ago | (#23186036)

Putting on his cynical hat....

Wow!! What incredible insight you have.

Removing cynical hat...

These things you call for have already happened, and on top of these is the addition of root-kits to several of the smaller malware applications.

We must destroy the net (1)

wiredog (43288) | more than 6 years ago | (#23185388)

in order to save it.

when you are fighting people (4, Insightful)

circletimessquare (444983) | more than 6 years ago | (#23185426)

who have no regard for morals or ethics, scrupulously conforming to morals and ethics hampers your ability to fight

the danger of course, is not to become what you fight by doing that

so you slightly bend the rules, all the time, without making the sort of flat out transgression of major moral issues that constitutes what criminals do

but you will still get flak from people who expect moral certitude from those who fight criminals, and criticize you like no tomorrow, all the while completely ignoring and not criticizing the criminals themselves

Re:when you are fighting people (1)

geekoid (135745) | more than 6 years ago | (#23185996)

The criminals aren't criticized because we know they are wrong, they're criminals.

"scrupulously conforming to morals and ethics hampers your ability to fight"

Yes, like needing warrants, or seeing that the innocent people you arrest have an 'accident'.
Innocent until proven guilty, and all that pesky stuff, really who needs it~

Reaction to this paper? (2, Insightful)

el_flynn (1279) | more than 6 years ago | (#23185580)

Since the researchers have already published their work [honeyblog.org] on the infiltration process, I'm sure by the time you read this piece of news the botnet owners and/or authors have already put an action plan in place to mitigate, or at least lessen, the effect.

Plus, if you read their published work, they readily admit that they are always one step behind the worm, and have to react whenever the attacker changes his tactics. The work mentions that "the attacker can easily change [a function of the Stormnet communication technique]... and then we need to analyze [our] binary again."

Criminals usually work faster than the good guys because they have more to lose.

The terminology is confused (5, Insightful)

Yurka (468420) | more than 6 years ago | (#23185630)

Computers in a botnet are not "peoples' PCs" anymore. They are not under control of the owner. This needs to be clarified again and again. When you see a Borg drone, you (try to) kill it. And Picard was right - you'll be doing it a favor.

Re:The terminology is confused (0)

Anonymous Coward | more than 6 years ago | (#23185906)

+1 insightful comment
-1 not a car analogy

Re:The terminology is confused (2, Funny)

geekoid (135745) | more than 6 years ago | (#23186018)

Of course they are, don't be stupid.
There is a program running on their computer.
You also assume they don't want it there.

How active is storm currently? (2, Interesting)

damn_registrars (1103043) | more than 6 years ago | (#23185874)

I've seen previous allegations that Leo Kuvayev [wikipedia.org] has ties to the storm botnet. It of course is known that Mr. Kuvayev is a prolific spammer.

However, there hasn't been as much spam from Mr. Kuvayev, either in my own boxes or mentioned recently online. This leads me to wonder if perhaps he isn't utilizing it as much as he used to?

While certainly the botnet has been used for more than just spam propagation, and Kuvayev has sent spam to a lot more people than just me, I still can't help but wonder if it either isn't as large or as active as it once was.

Re:How active is storm currently? (2, Interesting)

ahabswhale (1189519) | more than 6 years ago | (#23186148)

It's a shadow of its former self. Microsoft actually took them out, believe it or not. The Msft malicious software removal tool has taken care of it and the maintainers of the storm botnet got tired of dealing with it and let it go. See here for more info: http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx [technet.com]

So it's great that they came up with this but too bad it's pointless, at least for Storm. However, I'm sure they'll continue patting themselves on the back for fixing something that was already fixed.

SPY v. (nothing) (1)

xkr (786629) | more than 6 years ago | (#23185880)

Suppose it is the 1920s. Some cars have locks on the doors, some don't. There are no license plates. Organized crime is stealing cars, using them to commit bank robberies, then abandoning the cars. This is a huge problem, with hundreds of robberies per day.

Might it be appropriate to pass a law requiring all cars to have locks on the doors?

IMHO, technology people are so averse to gov't regulation (OK, with good reason) that they are not willing to recognize that SOME regulation can be a good thing in an economic community.

If all PCs were required to have anti-virus software, and all ISPs were required to verify this, or to disconnect the customer, I suggest that the number of bots out there might drop 90%.

Yes, I realize that neither of these requirements are perfect, and there will always be SPY v. SPY competition. But right now we have SPY v. (nothing). No competition for the bad guys at all, and so we have 100 billion spams a day.

Re:SPY v. (nothing) (3, Insightful)

witherstaff (713820) | more than 6 years ago | (#23186136)

bad bad idea

I'd love to be required to have antivirus software on my linux/FreeBSD/Solaris machines. If you don't have a locked down box those systems can be just as bad as a botnet windows machine.

Or requiring comcast to have a rootkit on every machine you have to ensure that it's not infected. Sony computers would love that!

Re:SPY v. (nothing) (0)

Anonymous Coward | more than 6 years ago | (#23186210)

>If all PCs were required to have anti-virus software, and all ISPs were required to verify this, or to disconnect the customer, I suggest that the number of bots out there might drop 90%.

And this is why gov't regulation sucks. What about OSes that either don't need, or can't have anti-virus? Imagine a phone with all functions in ROM, that offers internet access. Now we need to include AV software that monitors... ???

Same thing with locks on cars. Imagine a car that uses an RF transmission from a key to start. You could have no locks on this car, the only problem left would be that the owner might find bums sleeping in it, but it resolves the major issue (crime).

Instead, you should put the problem on the owner of the item. Computers that infect other people should have owners that are fined. Cars that commit crimes should have owners that are fined. Judges would sort out the fringe cases (cars with locks that are defeated, AV software that is bypassed).

Re:SPY v. (nothing) (2, Insightful)

HikingStick (878216) | more than 6 years ago | (#23186286)

Just because they put locks on car doors doesn't mean everyone uses them. Then there's the issue of those little magnetic key holders in the driver's side wheel well...

Fools! (3, Funny)

Kingrames (858416) | more than 6 years ago | (#23185990)

Nuke the sites from orbit, it's the only way to be sure!

This was already covered, and more... (1)

bugnuts (94678) | more than 6 years ago | (#23186146)

... at the Usenix leet conference [usenix.org] covered by slashdot. [slashdot.org]

Go look through the articles... some of them rock. The technical knowledge of these guys, how they dismantled storm, etc is amazing.

It's a Trap... er, Dupe! (1)

sabt-pestnu (967671) | more than 6 years ago | (#23186300)

This story merely repackages this one [slashdot.org].

Ain't their job. (1)

Zadaz (950521) | more than 6 years ago | (#23186518)

And by "other peoples' PCs" they of course mean the people who control Storm. The physical possessors of the computers have already given up ownership.

It's a real shame that this is being done by researchers and not security forces. The researchers are correct, it ain't their job. It should be done by people who we have already given the authority to trespass with cause.

Not going to happen. Sadly. I live in a place where violent crime is incredibly rare, but property crime is common. The most valuable things I own are the information on my computers, and yet there is no one that I can call if I'm attacked there.* Law enforcement has the technology of Wyatt Earp while the criminals have F-22s with laser guided bombs and depleted uranium ammo.

I hope the researchers don't get brought up on charges, it would set a bad precedent. Since law enforcement will never get caught up, I'd like to see a law passed that gives immunity to this kind of action. If The Law is unwilling or unable to deal with a threat, they have to deputize citizens. Too bad The Law is unwilling to admit weakness or failure.

* Even if they steal my physical laptop there's only a minuscule chance that the police will do anything but take a report and notify me "if it turns up". Insurance will cover the physical loss, but not the potential repercussions of the loss (ID theft, proprietary business info, down time, etc.**)

** Yes, I encrypt but security is not an absolute.