
Kraken Infiltration Revives "Friendly Worm" Debate

kdawson posted more than 6 years ago | from the damned-if-you-do dept.

Security 240

Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

240 comments

Had me up until the sensationalism (4, Insightful)

dreamchaser (49529) | more than 6 years ago | (#23236500)

"is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

Re:Had me up until the sensationalism (4, Funny)

somersault (912633) | more than 6 years ago | (#23236518)

Clearly you have never been to Singapore.

Oh wait, wrong movie

Re:Had me up until the sensationalism (4, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#23236586)

I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection.
Would that be a 'heartworm'?

Re:Had me up until the sensationalism (1)

morgan_greywolf (835522) | more than 6 years ago | (#23236614)

They are not even networked and they do not run Windows.
Actually, I have heard of critical medical devices running embedded Windows NT and/or embedded Windows CE. In fact, that's what these guys [jacobs-electronics.com] do. Okay, okay, so their Web designer isn't too bright and left the title tag as "Untitled Document". At least it was designed in Dreamweaver instead of FrontPage. :)

Re:Had me up until the sensationalism (2, Insightful)

mlwmohawk (801821) | more than 6 years ago | (#23236626)

I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

Well, maybe not the primary machine, that may be true, but there are monitor "stations" on the patient floor at the nurses desk area that run networked windows using monitor applications to display heart data.

Re:Had me up until the sensationalism (1)

dreamchaser (49529) | more than 6 years ago | (#23236836)

Yes, but those are not the same thing, and the primary machine still has alerts that sound (quite loudly) if something goes amiss.

Re:Had me up until the sensationalism (2, Interesting)

seramar (655396) | more than 6 years ago | (#23236916)

I have two things to add, one in response to your comment about the monitoring stations and the other just in general on this topic, but they tie together: 1. If a hospital is running a machine that is vulnerable to any worm, including a friendly worm, then I question their entire network/security structure in the first place and it is only a matter of time until the monitoring station goes down, anyway. 2. Friendly worms? Definitely. I am a technician/manager of a small shop and see people whose machines are constantly bombarded with malware of all kinds. While it would hurt our bottom line to see friendly worms in the wild dismantling these botnets, it would no doubt save a lot of people a lot of trouble. These folks who are infected generally don't know what they're doing and don't care to learn - they're worried about using their computer to perform a certain task - not understanding the ins and outs of how it functions. If a few people are affected by some "friendly fire" so be it - they would have gotten infected in the first place.

Re:Had me up until the sensationalism (1)

Layer 3 Ninja (862455) | more than 6 years ago | (#23236648)

I think you would be surprised. The Labor and Delivery ward in our local hospital uses a monitoring program for the newborns. Eight little boxes on the screen showing heartbeat, heart rate, blood pressure, and temperature. It's running on Windows 2000. This is just a monitoring program and will never replace the army of nurses on that ward. Also, if the computer were to get some sort of malware, it cannot kill the babies. It will have to find another way.

Re:Had me up until the sensationalism (1)

Gerzel (240421) | more than 6 years ago | (#23236684)

You'd be surprised I'm guessing.

Think of it this way: a company probably could save a lot of money if they could run a heart monitor through a generic machine rather than a dedicated machine. Also, a program running on a more generic machine setup may be able to collect other information and send it over the net to, say, a doctor's pager automatically. So there are good reasons as to why a generic machine which might be infect-able would be used.

This is not to mention the other similarly critical uses a generic PC might be put into and connected to the net.

The heart monitor in the end is an example, and refers to an archetype of computer rather than a specific device.

Re:Had me up until the sensationalism (0)

Anonymous Coward | more than 6 years ago | (#23236702)

Hate to break it to you guys, but with companies like Cerner, McKesson and Epic, this sort of thing happens all the time. Their platforms run on Windows (db on AIX/VMS/HP-UX/Linux), but the GUI to the patient's EMR is Windows based. I'm not sure I've seen one "run a heart monitor", but I can say for sure there are hundreds of thousands that provide a portal to patient data of all kinds... orders, results, demographics, etc etc.

Re:Had me up until the sensationalism (3, Insightful)

pipatron (966506) | more than 6 years ago | (#23236736)

And what happens to the patient if one of these goes down because of a virus?

Nothing. Absolutely nothing.

Re:Had me up until the sensationalism (1)

KlaymenDK (713149) | more than 6 years ago | (#23237062)

And what happens to the patient if one of these goes down because of a virus?

Nothing. Absolutely nothing.

And what happens when the patient subsequently crashes (ie. fatally worsened condition)?
Nothing. Absolutely nothing.

(What should have happened is that a nurse somewhere would be made immediately aware of the problem, and would be able to call a doctor and a crash cart...)

Your turn. ;-)

Re:Had me up until the sensationalism (1)

beckje01 (1216538) | more than 6 years ago | (#23236810)

Here ya go: TLink [terumo-cvs.com], a heart monitor (well, it monitors a lot of stuff) used during cases in the Cardiac OR. But remember, monitors are not life sustaining. Be more worried if the Windows CE based GUI for the pump goes down, but most of those things don't have external access to anything.

Re:Had me up until the sensationalism (0)

Anonymous Coward | more than 6 years ago | (#23237182)

This actually happened (or close enough). A botnet infected a group of hospitals in the Northwest. It is the reason that the FBI recently got significantly more concerned with botnets and the like.

http://seattletimes.nwsource.com/html/localnews/2002798414_botnet11m.html

Post brought to you by Hans Reiser's torn anus (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23237196)

This post is brought to you by Hans Reiser's shredded anus, which is by now no doubt being passed around the jail house like a pack of smokes. His poor anus probably now resembles a pastrami sandwich that fell apart. I wonder if he'll describe that experience in the passive voice...

Captcha is "consent." How appropriate...

Re:Had me up until the sensationalism (0)

Anonymous Coward | more than 6 years ago | (#23237208)

I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

Wrong and wrong. Where I work we have networked heart monitors, several of them, and they do run Windows. XP to be precise. The network is firewalled, naturally, but we apply patches very rarely, about once a year and only after heavy testing.
While no worm has infected us yet, one could with just a little screwup by anyone in the IT dept. And god knows there are a lot of them now, with every service being outsourced to different companies. I know. I'm one of the outsourcees.

What kind of idiot... (2, Insightful)

llamalad (12917) | more than 6 years ago | (#23236502)

What kind of idiot would have a windows box controlling a heart monitor?

Re:What kind of idiot... (1)

Tim C (15259) | more than 6 years ago | (#23236568)

I wouldn't have a problem with the machine running Windows; I'd have a problem with it being on the network at all.

Re:What kind of idiot... (1)

nate_in_ME (1281156) | more than 6 years ago | (#23236610)

How do you think that more and more hospitals are able to monitor your vitals from their nurses' station rather than having to walk into each room and check the machines themselves? Some hospitals (especially in their OB department) even have it set up so the doctors can log in (usually via a VPN and citrix) to monitor their patients from home, and only actually come to the hospital when necessary.

Re:What kind of idiot... (1)

DarkKnightRadick (268025) | more than 6 years ago | (#23236902)

How do you think that more and more hospitals are able to monitor your vitals from their nurses' station rather than having to walk into each room and check the machines themselves? Some hospitals (especially in their OB department) even have it set up so the doctors can log in (usually via a VPN and citrix) to monitor their patients from home, and only actually come to the hospital when necessary.
That I have a problem with. If it was networked with the nurses' station, which was completely stand-alone, then that's fine, but to allow remote VPN access, even with Citrix, encryption (it would have to be heavily encrypted, IMO, to make it even worth considering) and whatever other precautions you take, I would not be happy. Chances are the doc isn't a computer geek and doesn't know the first bit about securing his home PC.

Re:What kind of idiot... (1)

nate_in_ME (1281156) | more than 6 years ago | (#23237184)

The one hospital I worked with was very strict as far as what their requirements were for remote connections...I worked for a consulting firm which dealt with local doctors offices and it was actually a two tier setup...the doctor would VPN into their own office, and then that office had a fiber link to the hospital. Each stage of the connection had a separate authentication to get through, in addition to whatever login the individual program had...

Re:What kind of idiot... (1)

value_added (719364) | more than 6 years ago | (#23236850)

I wouldn't have a problem with the machine running Windows; I'd have a problem with it being on the network at all.

Brave soul.

heart.exe application error
the instruction at 0x6a9210e5 referenced memory
at 0x6a9210e5 the required data was not placed
into memory because of an I/O error status of
0xc0000185.
To continue, type an administrator password, and then click OK.

Well, if you ARE going to do something like that. (3, Insightful)

AltGrendel (175092) | more than 6 years ago | (#23236506)

For goodness sakes.

Don't tell anyone!!!

All the lawyers in the world will converge on you if you do.

Re:Well, if you ARE going to do something like tha (1)

jandrese (485) | more than 6 years ago | (#23236826)

If only they would do the same thing to the guys writing these worms.

Simple solution (1)

kryptKnight (698857) | more than 6 years ago | (#23236522)

Determine which is worse, the malignant effects of the botnet, or the inconvenience caused by bunches of people's computers restarting unexpectedly (and the associated loss of unsaved work, etc). Kraken is used to send spam, which affects many more people than the 400,000 people infected.

By my reasoning, it'd be okay to send out a friendly worm, I just wouldn't brag about it afterwards.

Re:Simple solution (1)

danwesnor (896499) | more than 6 years ago | (#23236690)

If you're still getting spam, you really, really need to get a better e-mail filter.

Re:Simple solution (1)

lastchance_000 (847415) | more than 6 years ago | (#23237088)

I see very little spam in my inbox. That doesn't mean that the spam problem is solved. Filtering at the destination is better than nothing, but it is not a solution.

Re:Simple solution (1)

Serenissima (1210562) | more than 6 years ago | (#23237036)

If you're going to do it, just pop up a dialog box that says "'Random Running Program/Process' has encountered an error. If you do not restart, you will lose data. The computer will restart in 1-5 minutes"

Or even better, "Your computer has installed an update and requires a restart"

Most of the people who are running windows who are infected by the botnet for weeks/months/days probably aren't the users that are running SpyBot or Adware on a regular basis. If they see the message, they'll save everything and restart and not even think about it anymore. Even if a more advanced user questions the authenticity of the dialog box, if they know the computer is going to restart itself, they'll probably save everything they're working on.

I would guess (based on no scientific study or group of data) that the majority of people who see a message pop up on the screen are just going to click through it without a second thought. They're the same people that open up every email attachment and click on the banner ads that say "Your computer may be at risk!!ZOMG!!!"

If someone can patch their computer for them without them even knowing about it, is that really a bad thing? Do you think they'd EVER do it by themselves?

Re:Simple solution (0)

Anonymous Coward | more than 6 years ago | (#23237148)

Problem is, their fix is considered a felony in most industrialized countries. For one computer. As ridiculous as it sounds, if they implemented their fix on the entire network, they'd be bound to hit computers in their native country where they could be prosecuted and jailed. Even the sentencing could be non-concurrent.

A good worm ? (1)

Rastignac (1014569) | more than 6 years ago | (#23236528)

"A good worm is a dead worm !", afaik.

Yes, they should do it. (1)

LaminatorX (410794) | more than 6 years ago | (#23236530)

This is one of those moments where something ruthless should be done for the greater good. Then ends do not always justify the means, but in this case they would.

Re:Yes, they should do it. (1)

Tim C (15259) | more than 6 years ago | (#23236594)

It would be illegal in many (if not all) countries. Specifically here in the UK it would almost certainly fall foul of the Computer Misuse Act.

Re:Yes, they should do it. (2, Funny)

jimbolauski (882977) | more than 6 years ago | (#23236698)

There's an easy work around to this, just add a popup window saying "YOUR COMPUTER HAS WORMS PRESS OK TO FIX!" The majority of the people with worms on their computers would not think twice about pressing it.

Re:Yes, they should do it. (1)

Dersaidin (954402) | more than 6 years ago | (#23236798)

Or at least the ones who fell for it in the first place...

Re:Yes, they should do it. (0)

Anonymous Coward | more than 6 years ago | (#23236720)

So don't brag about it afterwards.

Pft (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23236538)

What do you think -- is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

If someone's heart monitor software is part of a botnet, they are screwed anyway or could be any second, so I say go for it. :)

Re:Pft (0)

Anonymous Coward | more than 6 years ago | (#23237102)

computer controlling a heart monitor
The KEY word here is monitor. It would blip, people would come running, see what happened and move on...

It is not that big of a deal. Do it...

Friendly botnets would be sued. (1)

PMBjornerud (947233) | more than 6 years ago | (#23236540)

As someone said last time this topic was up: white hats deploying "friendly" botnets will never see any benefit, but potentially be sued into oblivion. In the end, you're infiltrating someone else's computer; that is illegal even if you do it for a good cause.

The people deploying "evil" botnets do so for profit. And they earn enough to cover the risks.

In short, we're not going to see many friendly botnets.

Re:Friendly botnets would be sued. (1)

Constantine XVI (880691) | more than 6 years ago | (#23236582)

Simple.
Find some script kiddie, and pay him huge sums of cash to spread it for you. Works for the evil botnets.

Kraken infiltration (1)

Daimanta (1140543) | more than 6 years ago | (#23236544)

OMG, It's a giant squid! Run for you [CARRIER LOST]

risk crashing a computer (1)

wiredog (43288) | more than 6 years ago | (#23236548)

controlling a heart monitor somewhere?

For FSM's sake, who thinks that heart monitors are both networked to the outside world and running Windows XP? Any manufacturer that did so would be open to all sorts of legal trouble, assuming they could get any hospital to risk using such a thing.

Re:risk crashing a computer (0)

Anonymous Coward | more than 6 years ago | (#23236678)

assuming they could get any hospital to risk using such a thing.

The way the NHS is going right now, it wouldn't surprise me in the least.

This Kraken 'bot (1)

smitty_one_each (243267) | more than 6 years ago | (#23236550)

This Kraken 'bot
Oh, fear it not
The zombie slave
Needs just
Burma Shave

Re:This Kraken 'bot (1)

Dr. Eggman (932300) | more than 6 years ago | (#23236576)

One of the best ones I've heard yet! Thank you.

Re:This Kraken 'bot (1)

will_die (586523) | more than 6 years ago | (#23236682)

Nice one.
Probably the best one I have yet to see.

DUH! (2, Insightful)

zappepcs (820751) | more than 6 years ago | (#23236552)

If you are going to write friendly software worms, why not take a moment to figure out what the hell kind of computer you are on, and make some decisions about whether to risk it, or simply report to someone that the computer is infected?

Am I the only one that thinks this is too simple to be questioned? Friendly.... it's a word that suggests something that does no harm. If the software can't figure out if there is no risk, then it should take no action other than reporting.

Safety, it's a big issue. VW will not be sending their high tech stuff to the states next year because of litigation concerns. They are right to do so, if there is no method to ensure your product does no harm, do not deploy it. period. unless you would like to spend time in court.

There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed.

Safety first. Kill bad bots second. Sort of what the US police forces are supposed to do. Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.

If you're going to write anti-worm software, safety is a major concern if you are acting without the owner/user's permission. There is NO way around that without incurring litigation risk.

Re:DUH! (1)

WiglyWorm (1139035) | more than 6 years ago | (#23236716)

Well, working in IT, the first thing I'd do if I started getting pop ups telling me "you're infected with such and such!" is find out what the hell was doing it and scrub it off my systems.

That's a very common ploy for virus makers to get you to a) pay them for scam antivirus software or b) go download even more malicious software. So, if my computer were infected and on the Kraken botnet and I didn't know, I still probably wouldn't know even after your warning. I can hear a lot of "well gee, if you get a warning, you should check into it anyway!" Please. I wouldn't and most other people wouldn't either. An unsolicited, anonymous (or even not; I certainly wouldn't visit any website linked from an unsolicited virus warning) pop up tells you that you have a virus on a very busy day... are you going to look to see if the pop up is telling the truth, or assume it's a virus itself and squash it? Be honest now.

How much would you give up? (1)

MessyBlob (1191033) | more than 6 years ago | (#23236554)

The acceptability of this type of solution relies on trust, and on how much system and infrastructure resource people want to dedicate to 'social model maintenance'. Can many disparate organisations operate in this way, with their own agents squirreling in our systems on our behalf?

Is it better to have a central service that updates when mutually appropriate, rather than have services speculatively take up resources? Central resources benefit from economy of scale, but can be equally speculative in that they offer potentially global coverage.

Similar 'sacrifice' questions arise from P2P media solutions (e.g. Kontiki-based distribution), where users sacrifice some of their bandwidth and processing power for others, in order to obtain the media.

important difference (4, Insightful)

Tom (822) | more than 6 years ago | (#23236558)

(except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released)
That's not a small difference! Pushing an update to a known list of hosts is a vastly different thing from starting a self-replicating autonomous agent.

There is still the "messing with other people's computer" issue, of course.

Simple Answers for Complex Problems (0)

Anonymous Coward | more than 6 years ago | (#23236718)

How about instead of fixing the machine it launches a notification window that says "your system has been infected by the Kraken botnet, click here to fix", or even just launches a notification. This notifies the user that their machine has been compromised, without modifying system files on "critical systems" which, as pointed out above, shouldn't have been networked to begin with (heart machines etc).

Re:Simple Answers for Complex Problems (2, Insightful)

MMC Monster (602931) | more than 6 years ago | (#23236966)

If I got a pop-up like that, I would likely think that it was going to either install another virus or that it was a pop-up from a website, trying to sell me something.

There is no way I would think it was legit.

Re:Simple Answers for Complex Problems (0)

Anonymous Coward | more than 6 years ago | (#23236992)

If I got a pop-up like that, I would likely think that it was going to either install another virus or that it was a pop-up from a website, trying to sell me something.

There is no way I would think it was legit.
And likely the next thing you would do would be run your antivirus software in boot mode, verify that your updates are installed, etc., aka you wouldn't have the problem that they are trying to fix.

No dilemma (1)

Tom (822) | more than 6 years ago | (#23236598)

This raises the old moral dilemma about a hypothetical 'friendly worm'
No, it doesn't.

It raises the old moral dilemma about messing with other people's computers, for a good purpose.

But the "friendly worm" issue is a different one. The main problem is control. I've done the math and published a paper on this. You do not want to be the author of an out-of-control autonomous, self-replicating entity, no matter what it does.

So, like a dog, can you guarantee that it will listen to you, instantly, in all situations especially unfamiliar ones?

Re:No dilemma (1)

Constantine XVI (880691) | more than 6 years ago | (#23236618)

You do not want to be the author of an out-of-control autonomous, self-replicating entity, no matter what it does.
I'm sure Cyberdyne Systems wishes you were on their payroll.

Re:No dilemma (1)

Yetihehe (971185) | more than 6 years ago | (#23236666)

In this case, yes. They would not make a "friendly worm", only update those worms which connect to them. So no autonomous spreading, only uploading to a list of known hosts.

Infect the infection? (0)

Anonymous Coward | more than 6 years ago | (#23236606)

What if such a good virus were to only modify parts of the OS already modified by Kraken? Disrupting it and making it visible?

Hmmmm...

Ways of Terminating botnets. (1)

Zombie Ryushu (803103) | more than 6 years ago | (#23236620)

I'm all in favor of terminating botnet infestations even if it means terminating the OS of the computer infected. I've wondered why the computer security field has not had more people working hard to find ways of rendering these insecure machines useless. Seriously. If it's infected, terminate it.

Re:Ways of Terminating botnets. (0)

Anonymous Coward | more than 6 years ago | (#23236704)

Ok Arnie but ... "I'll be back"!

Disinfecting is a little more forgiving!

Re:Ways of Terminating botnets. (1)

dave420 (699308) | more than 6 years ago | (#23237046)

Because it's illegal, and I doubt you'd want your machine being turned off by others. It would make more sense to tell the ISPs that their customers are infected, and even tell the customer directly. Being all dickish and holier-than-thou about it isn't going to help anyone, as it just puts folks off listening.

Re:Ways of Terminating botnets. (1)

WiglyWorm (1139035) | more than 6 years ago | (#23237114)

I've always wondered why the automotive industry has not had more people working hard to find ways of rendering broken down vehicles useless. Seriously. If it has leaky hoses or body rot, we should just forcibly remove it from their possession and send it to a scrap yard.

The law needs to catch up (3, Insightful)

Ice Tiger (10883) | more than 6 years ago | (#23236638)

As with many changes in technology, the law is far behind. In this case they would fall foul of the same laws that would convict the original criminals. The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.

Botnets also span more than one country so maybe this needs to be international law.

Re:The law needs to catch up (1)

GregNorc (801858) | more than 6 years ago | (#23237014)

Exactly. For example, if someone attacks me in real life, and I use my martial arts skills to subdue them, I would not be charged with a crime - it would be self defense. It would be great if we could get a law to acknowledge some sort of "electronic self defense" right.

I've said it before: (1)

0100010001010011 (652467) | more than 6 years ago | (#23236642)

I guess I've got my Evil bit set because if I had the know-how I would send a low level format command out. The botnet would collapse, people profiting from it would stop and maybe people would start putting pressure on Microsoft to actually do something. Maybe install a boot loader that puts up an "error" message:

"Your version of Microsoft XP has expired. Please buy a version of Microsoft Vista at your nearest authorized Microsoft dealer. If your computer does not support Vista you will be required to upgrade your computer.

Thank you for supporting Microsoft and not Linux or Apple. We appreciate your business.".
Sure it's not nice, but if it gets people to actually take action then I'm all for it. There will always be more companies trying to profit, new botnets, etc, but if you can actually stop the botnet from starting by educating people, then you win.

Re:I've said it before: (1)

dave420 (699308) | more than 6 years ago | (#23237078)

So... FUD much? :) You'd also get your ass handed to you by lawyers, many times over. Heck, even Apple might sue you for using their name in such an unscrupulous ploy. That's hardly educating people, but bullshitting them into doing what you want them to.

Barn door closed, horse left six months ago (3, Insightful)

glindsey (73730) | more than 6 years ago | (#23236662)

is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.

Re:Barn door closed, horse left six months ago (1)

verzonnen (816725) | more than 6 years ago | (#23236842)

is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.
What if that attempt caused that computer to reboot or even crash?

Re:Barn door closed, horse left six months ago (1)

johannesg (664142) | more than 6 years ago | (#23236924)

is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.
The botnet itself is not harmless, and could just as easily overload or crash the computers in a hospital or powerplant. In other words, doing nothing could potentially be far more harmful than trying to wipe out the botnet.

In light of this, and the tremendous resources being wasted by these botnets, I am strongly in favor of eliminating them entirely.

I wouldn't boast about it on slashdot (or anywhere else) though...

Re:Barn door closed, horse left six months ago (0)

Anonymous Coward | more than 6 years ago | (#23237154)

I say rip them apart. I've gone over this a thousand times in my head and a good worm is the only thing that could possibly take care of the botnets. This is a freaking war and we are still hiding in our foxholes afraid to do anything. I would almost be willing to go to jail to see most of the spam disappear overnight.

Like Andy always told me... (0)

Anonymous Coward | more than 6 years ago | (#23236680)

get busy dying, or get Kraken.

The other questions are tougher (1)

postbigbang (761081) | more than 6 years ago | (#23236696)

Liability for 'curing' the problem is a great question. I don't want to see the 'cure' become another infection vector. Do we know that the cure is going to disable this network, but not enable a subsequent one?

It's a lead-pipe cinch that law enforcement people will and can do nothing to disable the network, and it-- like others-- represents a huge security hole and a big problem in terms of potential misuses of the existing botnet.

The 'authority' to even legally disable botnets is onerous. What's a botnet-- is p2p a botnet? Is every torrent site a botnet? Is every Skype user enabling a botnet?

Some Van Damme coder that goes over the line to disable them might be a hero. He/she might also be the unwitting infection vector for a subsequent botnet if they don't get their own code right.

Mandatory machine cleansers might be nice, the 'system health' check that Microsoft uselessly tried to employ with Windows 2008 server. There's no leadership to vet how this might be done, and how it's kept up to date, and what constitutes potential botnet user software found and what might be useful in terms of gateways to monitor traffic.

So botnets are going to continue to be a problem until wise people decide how to first cleanse the problem, then how to design operating systems (this means you) to prevent botnet infection, and be able to distinguish botnets from p2p/etc. apps that have legitimate use-- and what constitutes 'legitimate' use.

Bottom line: nothing changes soon, because there are too many issues surrounding the question(s).

IDS signatures (1)

BobVila (592015) | more than 6 years ago | (#23236700)

Why would Tipping Point kill the botnet with one blow, when they have IDS signature subscriptions to sell?

Moral Dilemma? (0)

Anonymous Coward | more than 6 years ago | (#23236706)

IF there is no malicious code in the worm, it just cleans out botnet X and has the ability to be turned off, and can't be manipulated to do other things, and doesn't report back identifiable information, I say do it.

The potential for good far outweighs any risks.

The question posed 'what if you break a heart monitor running XP' is just silly and quite extreme.

And who's to say the botnet wouldn't eventually render that computer completely unusable.

If you relate this to a person being mugged on the street, do you stand by while the thug takes everything from someone? Or do you get involved and help chase the thug away?

I don't see how a botnet is that much different from a thug robbing someone on the street. Aggressive action needs to be taken against these botnets.

Re:Moral Dilemma? (0)

Anonymous Coward | more than 6 years ago | (#23236820)

The question posed 'what if you break a heart monitor running XP' is just silly and quite extreme.

How is this silly? If it were to happen would you be willing to take responsibility for a death?
As far as we know the worm is coexisting peacefully on the hijacked machines; it is in the bot owner's interest not to interfere with the machines, because if they break them they can no longer use them.
A better analogy would be a hostage taking: are you sure you can shoot the thug without hitting the victim? With tens if not hundreds of thousands of machines out there responsible for countless tasks, there is a lot of risk in unleashing anything, even with the best intentions.

Re:Moral Dillema? (1)

jonwil (467024) | more than 6 years ago | (#23237142)

A bot is more like someone breaking into your house and stealing your stuff. If someone was walking past your house and saw someone breaking in and stealing stuff, would you want that person to enter your house to try and stop the burglar (and to return all your stuff to you)?

Same thing applies here, would you want some random software program infesting your PC regardless of what it actually does?

Which surpasses its predecessors in size (1)

AHuxley (892839) | more than 6 years ago | (#23236708)

What, it has an OS-independent Mac and Linux payload too?

Non Assistance to person in danger should apply (2, Insightful)

mrboyd (1211932) | more than 6 years ago | (#23236740)

We have this law in my country where if you can help someone who is in danger without risking harm to yourself and you don't, you may get into legal trouble.

I am pretty sure that a good lawyer could twist it enough to sue those researchers because they did NOT kill the botnet while they could. Instead they published a report explaining to the botnet creator how to plug the hole. Next time they should just ask for a Subversion committer account and fix it themselves.

I can almost see how the Patriot Act could apply here. I think those guys could be arrested for helping the terrorists(tm) by the friendly bunch at Homeland Security.

If you can kill the botnet, please do it. Me and a million others will drop a donation in your PayPal account to cover your legal fees.

Re:Non Assistance to person in danger should apply (1)

HetMes (1074585) | more than 6 years ago | (#23236816)

Woohoo! The Good-Samaritan Law! Silly me, thinking Seinfeld was a comedian...

Network Security (1)

losethisurl (980326) | more than 6 years ago | (#23236756)

The biggest problem with this whole thing, the problem facing any system that is, on its merits alone, a good thing, is that the operators are human. Add the human element and you have a built-in exploit.

What happens if BOFH numero uno for instance gets his hands on some access? What about someone 'trusted' to run it, does that mean they are themselves free of malice? Is the system itself going to be free of security holes?

I don't think you could reasonably comfort me with an answer to any of these questions.

Cleansing a Botnet is Murder. (2, Funny)

Lassiethebrave (1281162) | more than 6 years ago | (#23236768)

I do not eat meat, nor do I clean infected boxes; all life is holy...

Don't worry about heart monitors (1)

Aging_Newbie (16932) | more than 6 years ago | (#23236772)

They just monitor. Instead, worry about SCADA (Supervisory Control and Data Acquisition) [wikipedia.org] systems that do run on Windows. They are networked because the places they control are often lights-out and the human supervisors are off in an office building somewhere networked into the guts of the system they are running.

Vulnerable SCADA systems are numerous and Homeland Security [us-cert.gov] has several initiatives to get them under control. Earlier this year they demonstrated how easy it was to take over a generator and make it crash and burn ... So, fixing worms or not has its consequences. If you are successful you might reboot a control computer and bring down the grid. If you don't somebody in Russia might. In any case, with networked controllers all over in our water, gas, and electrical infrastructure, things will get interesting eventually. It is a sad situation the people who understand enough to automate large control systems don't realize the impact of a vulnerable network on their systems.

It's a tough call... (1)

CFBMoo1 (157453) | more than 6 years ago | (#23236784)

I'm in favor of them sending the fix to shut this down but at the same time I have to wonder what part of that botnet is connected to computers that could be monitoring a life support system for a patient in a hospital or something just as critical.

The fix could cost lives just as much as the infection could depending on what happens.

Yes IF... (1)

ifknot (811127) | more than 6 years ago | (#23236786)

Yes IF you can deal with the 3 main issues of 'friendly worms' (autonomous patching agents): 1/ Control (this may have been dealt with) 2/ Testing 3/ Consent I suspect the big stumbling block would be consent, any thoughts?

Re:Yes IF... (1)

NatasRevol (731260) | more than 6 years ago | (#23237092)

This may be a cheap shot, but it's true. They already consented by using Windows.

Opt-out? (1)

Walenzack (916393) | more than 6 years ago | (#23236800)

Well, you could just release the worm AND concise instructions on how to block it.

The only people I could think of that could REFUSE to update their computer / network (as opposed to just not caring) are network admins that have very good reasons (known incompatibilities, critical systems, etc.) for not doing so, or just feel more confident updating manually. If this "good worm" were to be released along with blocking instructions, these admins could decide whether to let it in or not; and the rest of the uncaring, "do as you want as long as it doesn't bother me", "I don't give a sh*t" mass would be happily up to date and (hopefully) with fewer vulnerabilities, for the good of all of us.

There's the problem where the "bad worms" make use of those instructions to block the "good worms" - up to you to find a solution for that problem.

The Least Malicious Action (1)

blavallee (729704) | more than 6 years ago | (#23236808)

I would change the wallpaper to display a notice about the infection.

Let the user know that their computer is responsible for SPAM, identity theft, and don't forget file sharing.

Maybe even mention that the RIAA will get them if they do nothing about it.

A better solution... (0)

Anonymous Coward | more than 6 years ago | (#23236814)

Like it or not, infected PCs are the private property of other people / organizations. The better solution (read the "right" solution) is simply to secure your own PCs from attacks and drop any traffic coming from nodes on that network.

Socialism starts when one person can take control of another person's private property for the greater good of another group. This debate isn't a debate of right vs wrong -- it is simply an argument over which version of socialism is more popular.

If its not yours, keep your hands off.

No Moral crisis here. (3, Insightful)

Forge (2456) | more than 6 years ago | (#23236838)

A botnet cleansing worm would IMHO be a good thing and not in the least morally ambiguous.

Imagine a similar situation among humans. A virus breaks out which ravages whole populations. You find a cure which can be distributed by spiking the water supply or by pumping it into the air.

I can tell you, the CDC (No. Not the "Cult of the Dead Cow". The other CDC) would only hesitate long enough to verify the safety of the cure before dispatching it.

Or let's come to a more reasonable and commonplace situation. A man infected with rabies is not allowed to choose whether he will be treated. His infection impairs his judgment and makes him a danger to other people; therefore he is a hazard to be cured against his will.

Doesn't the same apply to a botnet member oblivious to its own condition, spewing its infection, spam and lord knows what else onto other computers?

Kevin.

Sabotage the botnet (4, Insightful)

CvD (94050) | more than 6 years ago | (#23236840)

I say yes, sabotage the botnet with friendly worms/bots. The owners of the infected computers don't know about the problem, don't care or don't know how to fix it.

I say vigilante action is okay, to protect ourselves (the people in the know adminning the networks and computers being attacked).

with great power comes great responsibility (1)

lophophore (4087) | more than 6 years ago | (#23236856)

I think there are ways they can proactively use their control over the botnet relatively safely.

They can update the infected computer with a program that causes an annoying popup to occur until the machine is sanitized by the owner. Then update the machine's firewall (if it has one) to block the controlling UDP port.

That solution should be fairly low risk.

I get so much spam of late, that I have no problem if they deliberately break the entire IP stack on the infected computers. Serves the owners right.
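The commenter's less invasive option (leave the machine alone, block the controlling port) has a purely passive counterpart that needs no code on the bots at all: the network admin spots the beaconing hosts from flow records and blocks the command channel at the border. The following is an added example by the editor, not code from the comment or from TippingPoint; the flow records, the command server address 203.0.113.10 and the UDP port 4447 are constructed and hypothetical. It flags a source/destination/port group whose inter-arrival times are nearly constant (low coefficient of variation), which is what a bot polling its controller on a timer looks like, and emits an egress drop rule for the operator to review.

```python
"""Passive beacon detection over flow records, with egress block rules.

Added example, not code from the original thread. The flow records, the
command server 203.0.113.10 and the UDP port 4447 are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, proto, dst_port)
FLOWS = [
    # 10.0.0.5 contacts the hypothetical controller about every 60 s: a beacon
    (0, "10.0.0.5", "203.0.113.10", "udp", 4447),
    (61, "10.0.0.5", "203.0.113.10", "udp", 4447),
    (119, "10.0.0.5", "203.0.113.10", "udp", 4447),
    (180, "10.0.0.5", "203.0.113.10", "udp", 4447),
    (241, "10.0.0.5", "203.0.113.10", "udp", 4447),
    (299, "10.0.0.5", "203.0.113.10", "udp", 4447),
    # 10.0.0.7 does ordinary DNS lookups at irregular times: benign
    (3, "10.0.0.7", "10.0.0.1", "udp", 53),
    (4, "10.0.0.7", "10.0.0.1", "udp", 53),
    (40, "10.0.0.7", "10.0.0.1", "udp", 53),
    (41, "10.0.0.7", "10.0.0.1", "udp", 53),
    (200, "10.0.0.7", "10.0.0.1", "udp", 53),
    # 10.0.0.9 reached the controller twice: too few samples to decide
    (10, "10.0.0.9", "203.0.113.10", "udp", 4447),
    (70, "10.0.0.9", "203.0.113.10", "udp", 4447),
]


def find_beacons(flows, min_flows=4, max_cv=0.2):
    """Return {(src, dst, proto, dport): stats} for groups that beacon.

    A group needs at least min_flows records; its inter-arrival gaps must
    have a coefficient of variation (stdev / mean) of at most max_cv.
    """
    groups = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        groups[(src, dst, proto, dport)].append(ts)

    beacons = {}
    for key, stamps in groups.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons[key] = {"period_s": round(period, 1),
                            "cv": round(cv, 3),
                            "flows": len(stamps)}
    return beacons


def firewall_rules(beacons):
    """One egress DROP rule per controller endpoint, for the admin to review."""
    targets = sorted({(dst, proto, dport) for (_, dst, proto, dport) in beacons})
    return ["iptables -A FORWARD -d %s -p %s --dport %d -j DROP" % t
            for t in targets]


if __name__ == "__main__":
    found = find_beacons(FLOWS)
    for key, stats in sorted(found.items()):
        print("beacon %s -> %s %s/%d  period=%ss cv=%s flows=%d"
              % (key[0], key[1], key[2], key[3],
                 stats["period_s"], stats["cv"], stats["flows"]))
    for rule in firewall_rules(found):
        print(rule)
```

The thresholds are deliberately loose: real bots add jitter, so in practice you tune max_cv and min_flows against known-good traffic and treat the output as a lead, not a verdict. Blocking the controller endpoint rather than the infected host keeps the machine usable while its owner is notified.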

Let the ISP's handle it. (1)

ruin20 (1242396) | more than 6 years ago | (#23236936)

I think the detection method and patch solution should be handed off to the ISP. They are the ones that suffer the most damage from the worm besides the host, and they already have the identifying information for the customer so they can contact them prior to the push.
And to everyone saying heart monitors are no big thing, people who use network attached heart monitors do so because they have some need to be monitored. So a monitor going off line is likely going to result in a false alarm generating a trip to the hospital or at the very minimum an emergency response team being dispatched to the residence.
And for someone with already substantial medical conditions, the extra expense might not be a non-trivial thing.

Self Defense ? (0)

Anonymous Coward | more than 6 years ago | (#23236938)

Let's say, rather than attempting to fix the hijacked computers, they were disabled because they pose an active threat.

I did this back in the code red worm days. (1)

Lumpy (12016) | more than 6 years ago | (#23236940)

I had all my servers issue a reverse "attack" to shut off the IIS service and then put up a winpopup saying that their computer was infected with the CodeRed virus and they needed to take cleaning steps.

Buddies of mine were a bit less nice. They put the machines into spontaneous 3 minute reboot cycles. They figured that would get the users to get a clue and fix it. I thought that was a bad idea.
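Counter-attacking the infected hosts is the part of that story that would get you in trouble; the part you can do on your own servers is identify the scanners from the logs and block them. As an added example from the editor, not the commenter's code, the block below parses IIS W3C extended log lines and picks out Code Red probes. A Code Red infected host announces itself by requesting /default.ida with a query string that starts with a long run of N (Code Red v1/v2) or X (Code Red II) before the %u-encoded payload; that much is public record. The log lines, IP addresses and the abbreviated payload string are constructed.

```python
"""Pick Code Red scanners out of IIS W3C logs and build a block list.

Added example, not the commenter's code. The log lines, addresses and
the shortened payload below are constructed for illustration.
"""
import re
from collections import Counter

# Code Red's query string was 224 filler bytes ('N' for v1/v2, 'X' for
# Code Red II) followed by %u-encoded shellcode; 100 is a tolerant cut-off.
CODE_RED_RE = re.compile(r"^(?:N{100,}|X{100,})")


def parse_w3c(lines):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # other directives, blanks, or records before #Fields
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record: skip rather than guess columns
        yield dict(zip(fields, parts))


def is_code_red(rec):
    """True when the record is a /default.ida request with the worm's filler."""
    return (rec.get("cs-uri-stem", "").lower() == "/default.ida"
            and CODE_RED_RE.match(rec.get("cs-uri-query", "")) is not None)


def code_red_sources(lines):
    """Count probes per client address."""
    return Counter(rec["c-ip"] for rec in parse_w3c(lines) if is_code_red(rec))


def block_list(counter, min_hits=1):
    """Addresses that probed at least min_hits times, sorted for a deny rule."""
    return sorted(ip for ip, n in counter.items() if n >= min_hits)


# Constructed sample log. The %u sequence is an abbreviation of the real one.
PAYLOAD_V2 = "N" * 224 + "%u9090%u6858%ucbd3%u7801"
PAYLOAD_II = "X" * 224 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:00:01 198.51.100.7 GET /default.ida " + PAYLOAD_V2 + " 200",
    "2001-07-19 10:00:05 198.51.100.7 GET /default.ida " + PAYLOAD_V2 + " 200",
    "2001-07-19 10:01:10 192.0.2.33 GET /default.ida " + PAYLOAD_II + " 404",
    "2001-07-19 10:02:00 203.0.113.5 GET /index.htm - 200",
    "2001-07-19 10:02:30 203.0.113.5 GET /default.ida NNNN 404",  # not the worm
]


if __name__ == "__main__":
    hits = code_red_sources(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print("%-16s %d probe(s)" % (ip, n))
    print("block:", block_list(hits, min_hits=2))
```

Whether the probe got a 200 or a 404 does not matter for attribution: the client is infected either way, which is why the check looks at the URI and query rather than the status code.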

What if the FBI is watching? (1)

Maximum Prophet (716608) | more than 6 years ago | (#23236954)

No, don't try to fix the machines. If the authorities are watching this worm, they may be tracking down the owners. If you mess with things, they'll come after you for obstructing justice.

I did this once... (2, Interesting)

el_flynn (1279) | more than 6 years ago | (#23236960)

...and nearly paid for it.

We were on the verge of fall break, and someone on campus had found out a 'catch-all' email address which was aliased to _all_ the university email addresses. So some dickwad started sending a weird email saying something like "Hey joe, where are you?", which everyone got, and everyone replied "Hey, I'm not joe -- who are you?" Which was then sent to everyone else.

The thing basically kept feeding back to itself and was threatening to get out of hand. Literally hundreds of emails started popping up. Of course, this was waaay back then, before the days of spam, so it was 'abnormal', 'weird' and annoying all at once. Since it was a friday evening, and knowing that at the rate it was going everyone's inbox would be flooded when they returned from the week-long holidays, I -- perhaps naively -- thought I'd put a stop to it.

I attached a large binary file to an email and sent it to that catch-all address, hoping that it would jam up the works enough that the network admins would notice.

Notice they did, and eventually I got called up to see the ombudsman -- who promptly said he was considering kicking me out of campus.

So yeah, one can have good intentions -- like what I did -- but the means to achieve that end may not be acceptable to everyone, even though it did get the job done.

My 2 cents anyway.
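The storm in that story has a boring, legal fix on the alias itself, and it is worth seeing why the usual mail-loop defence only covers half of it. As an added example from the editor, not the commenter's code, the block below guards a catch-all alias with two checks before expanding a message to every mailbox: it refuses automated mail that could feed back (Precedence: bulk/junk/list, Auto-Submitted, or an X-Loop header carrying the alias, which are the conventions list managers and autoresponders already honour), and it rate-limits the alias, because a reply-all storm started by humans carries none of those headers. The alias address everyone@campus.example, the messages and the timestamps are constructed.

```python
"""Loop and storm guard for a catch-all mail alias.

Added example, not code from the original comment. The alias, messages
and timestamps are constructed.
"""
import email
from collections import deque

ALIAS = "everyone@campus.example"  # hypothetical catch-all alias


class AliasGuard:
    def __init__(self, alias, window_s=300, max_per_window=3):
        self.alias = alias.lower()
        self.window_s = window_s
        self.max_per_window = max_per_window
        self.recent = deque()  # timestamps of messages admitted to the alias

    def automated(self, msg):
        """Reason to refuse an automated message, or None if it looks human."""
        prec = (msg.get("Precedence") or "").strip().lower()
        if prec in ("bulk", "junk", "list"):
            return "Precedence: " + prec
        auto = (msg.get("Auto-Submitted") or "no").strip().lower()
        if auto != "no":
            return "Auto-Submitted: " + auto
        for loop in msg.get_all("X-Loop", []):
            if loop.strip().lower() == self.alias:
                return "X-Loop already names this alias"
        return None

    def admit(self, raw, now):
        """Decide whether to expand raw (an RFC 822 message) at time now."""
        msg = email.message_from_string(raw)
        reason = self.automated(msg)
        if reason:
            return False, reason
        # Drop admitted timestamps that fell out of the sliding window.
        while self.recent and now - self.recent[0] > self.window_s:
            self.recent.popleft()
        if len(self.recent) >= self.max_per_window:
            return False, "rate limit: %d in %ds" % (len(self.recent), self.window_s)
        self.recent.append(now)
        return True, "expanded"

    def stamp(self, raw):
        """Copy sent to members: marked so any reflector will not re-expand it."""
        msg = email.message_from_string(raw)
        msg["X-Loop"] = self.alias
        msg["Precedence"] = "list"
        return msg.as_string()


def _msg(sender, subject, extra_header=""):
    """Build a constructed message addressed to the alias."""
    return "From: %s\nTo: %s\nSubject: %s\n%s\n\nbody\n" % (
        sender, ALIAS, subject, extra_header)


# Constructed scenario: one prank, a burst of reply-alls, an autoresponder,
# then a late reply after the window has cleared.
SCENARIO = [
    (0, _msg("prankster@campus.example", "Hey joe, where are you?")),
    (30, _msg("a@campus.example", "Re: Hey joe, where are you?")),
    (45, _msg("b@campus.example", "Re: Hey joe, where are you?")),
    (50, _msg("c@campus.example", "Re: Hey joe, where are you?")),
    (55, _msg("d@campus.example", "Re: Hey joe, where are you?")),
    (60, _msg("ooo@campus.example", "Out of office", "Auto-Submitted: auto-replied")),
    (400, _msg("e@campus.example", "Re: Hey joe, where are you?")),
]


def run(scenario, alias=ALIAS):
    """Return the admit decision for each message in order."""
    guard = AliasGuard(alias)
    return [guard.admit(raw, t)[0] for t, raw in scenario]


if __name__ == "__main__":
    guard = AliasGuard(ALIAS)
    for t, raw in SCENARIO:
        ok, why = guard.admit(raw, t)
        print("t=%3d %-8s %s" % (t, "expand" if ok else "hold", why))
```

The rate limit is the part that would have stopped the campus storm: the first few replies go through, the rest are held for a human to look at, and the window clears on its own. The X-Loop stamp only protects against automated reflection, which is why both checks are needed.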

Vaccine (1)

unchiujar (1030510) | more than 6 years ago | (#23236964)

I think the issue is similar to vaccination http://en.wikipedia.org/wiki/Vaccination [wikipedia.org], where a small part of the vaccinated population will have adverse effects or die from the vaccine. However, this is a risk worth taking, because if the population were unvaccinated many more people would die or suffer after-effects of the disease.

The 'friendly worm' should (0)

Anonymous Coward | more than 6 years ago | (#23237002)

wipe the user's hard disk. That oughta teach 'em to belong to botnets.

By analogy, it should be done (2, Insightful)

azgard (461476) | more than 6 years ago | (#23237124)

I would argue, by analogy, that it should be done, i.e. a computer participating in a botnet should be patched.

Consider this example: You find that someone robbed your neighbor's apartment (who is on vacation), and left the door open and broken. Should you fix the neighbor's door, or leave it open for anyone to enter?

The correct answer is: You should fix the door, but with the permission of the police. Therefore, I think, the computers should be patched, but with the approval of law enforcement (if it's in your country; patching a computer in another country should be supervised by their law enforcement).

This worked on the Borg infiltration ... (1)

Dragged Down by the (1004490) | more than 6 years ago | (#23237176)

Sleep ...