
Torpig Botnet Hijacked and Dissected

timothy posted more than 5 years ago | from the why-would-you-want-to-get-rid-of-it dept.

Security 294

An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"


294 comments


uuh..yeah. (5, Interesting)

Anonymous Coward | more than 5 years ago | (#27812717)

Why don't they just send a self-destruct/uninstall command and kill it, or would that be too simple?

Re:uuh..yeah. (5, Insightful)

shentino (1139071) | more than 5 years ago | (#27812747)

Funny thing is, if you do a favor for someone you don't even get thanked, but screw it up even a bit and you get slapped with a lawsuit.

Re:uuh..yeah. (5, Insightful)

DragonDru (984185) | more than 5 years ago | (#27812791)

I feel so conflicted. It is good they got enough information to tell law enforcement who the victims are, but I feel sad they did not do more to stop the botnet. However, there would be lawsuits if they had done more. Also, the bot masters now know exactly who was messing with their system (even their email addresses and their technique). Net effect, a botnet will go down slowly and some researchers will get a *lot* of spam.

Re:uuh..yeah. (2, Insightful)

Swift2001 (874553) | more than 5 years ago | (#27813167)

We need the full weight of the law to come down on these creeps. How is this any better than a pickpocket, or a den of thieves? Answer, not at all. I understand that we like the freedom of the internet. But making a bot of somebody's computer is akin to rape. Stealing 10,000 credit cards warrants a life sentence, and governments must fund efforts to detect and arrest the people responsible. Plus, our banks and stores and so on must get smarter security.

Re:uuh..yeah. (4, Insightful)

Tenebrousedge (1226584) | more than 5 years ago | (#27813475)

Wow. The sentiment is unarguable, but the rest of your post is amazingly uninformed.

What is a den of thieves? Do thieves nest in the rafters of seedy pubs or something? Did anyone imply that credit card theft was "better" than some other kind of theft?

I understand that we like the freedom of the internet. But making a bot of somebody's computer is akin to rape.

Non sequitur. Also, the analogy is not appropriate: there is no physical harm being done.

...governments must fund efforts to detect and arrest the people responsible.

They do. Perhaps you can improve on that suggestion with some further content.

Plus, our banks and stores and so on must get smarter security.

Smarter than what? As long as they have massive amounts of valuable information, they are targets. However, that's not really the subject of TFA, which is the low-hanging fruit consisting of people using insecure browsers and operating systems. The people running Torpig didn't need to hack a bank, they just relied on people being idiots. Vista and Win7 may be steps towards a more secure desktop environment, but they're not a cure for the root issue: PEBKAC.

PEBKAC being ubiquitous, we should not expect a solution to the botnet issue any time soon. Just try and think of it as another idiot tax.

Re:uuh..yeah. (1, Interesting)

eiapoce (1049910) | more than 5 years ago | (#27813477)

I go as far as telling you that the victims should also be punished for leaving their machines wildly exposed to the botnet. I guess all of them were running an un-updated OS, without antivirus and/or firewall. Since it's obvious that these bots are also used in criminal attacks against other people (DDoS, spamming, further botnet spreading) I don't see them as victims but more like accomplices.

If you are not willing to learn how to safely use a computer you shouldn't have one; just stick to an iPhone or other toys (Internet tablets).

Re:uuh..yeah. (3, Interesting)

RiotingPacifist (1228016) | more than 5 years ago | (#27813133)

Fine, use geo-IP to only uninfect computers that are in countries that:
1) Aren't sue-friendly (e.g. not the US)
2) Don't have any jurisdiction in your country (e.g. not the US)

Re:uuh..yeah. (1)

calzakk (1455889) | more than 5 years ago | (#27813289)

But I bet most infected machines are probably in the US!

Re:uuh..yeah. (2, Insightful)

davester666 (731373) | more than 5 years ago | (#27813279)

But who do they know to sue?

If you're smart enough to hack into this botnet and make it do your bidding, you're smart enough to not have commands sent to it traced back to you.

Re:uuh..yeah. (5, Funny)

Hognoxious (631665) | more than 5 years ago | (#27813319)

If you're smart enough to hack into this botnet and make it do your bidding, you're smart enough to not have commands sent to it traced back to you.

True, but unfortunately it seems they aren't smart enough to keep quiet about it.

Re:uuh..yeah. (1)

erroneus (253617) | more than 5 years ago | (#27813313)

It just occurred to me. I have made the argument countless times that the true victims of all this "identity theft" are banks and large financial institutions and I still believe that is the case regardless of how much "big money" attempts to shift the blame and responsibility onto the people. What occurred to me is that if there were an interest larger than government that could get Microsoft to change its ways and fix its stuff, it would be "big money." I wonder if big money has even considered this?

Re:uuh..yeah. (1)

Insanity Defense (1232008) | more than 5 years ago | (#27813421)

What occurred to me is that if there were an interest larger than government that could get Microsoft to change its ways and fix its stuff, it would be "big money." I wonder if big money has even considered this?

They have. Why do you think that Microsoft have spent so much effort on security? Unfortunately expending effort does not mean the same thing as achieving success by that effort. Among their major efforts have been their repeated advertising campaigns, "Windows Version X.Y is our MOST secure Windows EVER!!!!!", or hadn't you noticed? Don't forget their defensive campaigns like "Get the Facts!!!!!".

Then of course there are those interests who want security to be low. Anti virus companies, Firewall makers. Police/National Security people who want to be able to access the computers of alleged criminals and so forth.

Re:uuh..yeah. (3, Interesting)

Fwipp (1473271) | more than 5 years ago | (#27812775)

Obligatory car analogy: If you owned a rental car company, would you outfit your fleet with a self-destruct procedure that could be initiated remotely?

Re:uuh..yeah. (4, Funny)

NoobixCube (1133473) | more than 5 years ago | (#27812809)

Yes, if it were an illegally operated rental car company, or if I were using the rental cars to smuggle banned substances or stolen goods. Turn the car into a smoking pile of twisted metal, and all the coke hidden in the seats suddenly isn't there anymore.

Re:uuh..yeah. (2, Interesting)

navyjeff (900138) | more than 5 years ago | (#27812967)

If you were watching a group that stole a fleet of cars, then figured out how to make keys for a bunch of their cars, would you pour sugar in the gas tanks after you were done joyriding to make sure they wouldn't be drivable again?

Re:uuh..yeah. (1)

supernova_hq (1014429) | more than 5 years ago | (#27812981)

Assuming the trojan is represented by the cars, what exactly would the user's computer be? Or are you planning on destroying the computers themselves?

Re:uuh..yeah. (0)

Anonymous Coward | more than 5 years ago | (#27813285)

If you were watching a group that stole a fleet of cars, then figured out how to make keys for a bunch of their cars, would you pour sugar in the gas tanks after you were done joyriding to make sure they wouldn't be drivable again?

uuh..yeah.

Re:uuh..yeah. (4, Insightful)

LackThereof (916566) | more than 5 years ago | (#27812777)

why dont they just send a self destruct/uninstall command and kill it or would that be too simple ?

Because that would be highly illegal. Just as illegal as creating the botnet in the first place. You can't just make modifications to 180,000 computers without their owners' knowledge or consent.

Some governmental agency should man up and do it, though. Researchers have been hijacking botnets to study them for a while now, they almost have it down to a science. Someone in Homeland Security should just grow some balls and hire a team of professionals to hijack and destroy botnets.

Re:uuh..yeah. (4, Insightful)

corsec67 (627446) | more than 5 years ago | (#27812789)

Some governmental agency should man up and do it, though. Researchers have been hijacking botnets to study them for a while now, they almost have it down to a science. Someone in Homeland Security should just grow some balls and hire a team of professionals to hijack and destroy botnets.

What is to keep that agency from just hijacking and *keeping* the botnet? Suddenly you have a government agency with a trojan installed on many computers.

Re:uuh..yeah. (5, Insightful)

Opportunist (166417) | more than 5 years ago | (#27812793)

"If YOUR homeland security fiddles with MY government computer, get ready for international troubles."

Here's your reason why they don't.

Re:uuh..yeah. (2, Interesting)

RiotingPacifist (1228016) | more than 5 years ago | (#27813195)

"If YOUR homeland security fiddles with MY government computer, get ready for international troubles."

Link the IP to a location, then only fix bots in computers that are in your country; this has the additional advantage that you become more secure while your enemies get weaker. Alternatively, and I know that the Americans about may find this crazy, you could ask permission of other countries to take out their bots too (as it benefits you that the botnet is dead). Ideally you could come to an agreement that protects you from prosecution under the laws you break, probably in exchange for the logs or some other evidence you're not abusing the privilege. Hell, the agreement could well be between a private (research) company and various countries' police departments, avoiding the need for much of the bureaucratic bullshit you get when governments sort stuff out.

Re:uuh..yeah. (2, Interesting)

Insanity Defense (1232008) | more than 5 years ago | (#27813427)

"If YOUR homeland security fiddles with MY government computer, get ready for international troubles."

I would assume that the computer hacking side of government security does have their own form of black ops? A building/fake business with an internet connection under a false name. Of course any such "fiddling" would not remove the black op connection to your government system but merely the botnet that would be likely to be found eventually.

Re:uuh..yeah. (0)

Anonymous Coward | more than 5 years ago | (#27812995)

Sounds like it would fall within the NSA's mandate.

Re:uuh..yeah. (5, Informative)

VValdo (10446) | more than 5 years ago | (#27812779)

Although we could have sent a blank configuration file to potentially remove the web sites currently targeted by Torpig, we did not do so to avoid unforeseen consequences (e.g., changing the behavior of the malware on critical computer systems, such as a server in a hospital). We also did not send a configuration file with a different HTML injection server IP address for the same reasons. To notify the affected institutions and victims, we stored all the data that was sent to us, in accordance with Principle 2, and worked with ISPs and law enforcement agencies, including the United States Department of Defense (DoD) and FBI Cybercrime units, to assist us with this effort. This cooperation also led to the suspension of the current Torpig domains owned by the cyber criminals.

FTFA, they snaked a domain name they knew the botnet was going to use before the bad guys could, then just collected info sent to them by all the compromised systems.

The submission header and the body are encrypted using the Torpig encryption algorithm (base64 and XOR)

Torpig encryption algorithm: base64 and XOR. In contrast, Conficker uses all kinds of crypto (RC4, RSA, and MD-6 [sri.com] ).

W

Re:uuh..yeah. (4, Interesting)

phantomcircuit (938963) | more than 5 years ago | (#27813233)

Actually base64 and XOR is the obfuscation algorithm used for the configuration file. There is a separate encryption algorithm present that is entirely custom and which nobody has broken yet (although I'm guessing nobody has done a serious cryptanalysis either).
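The two comments above disagree about what the "Torpig encryption algorithm (base64 and XOR)" line in the report covers, but either way the point VValdo is making is that XOR with a repeating key under base64 is an encoding, not a cipher, and that a bot which accepts "the first host that sends a reply that identifies it as a valid C&C server" on that basis cannot tell the real controller from a sinkhole that registered an earlier domain (the "snaked a domain name" trick FTFA). The following is an added example written for this page, not code from the UCSB paper or from Torpig: the key, the config text, the banner format and the candidate domain list are all constructed for the demo and are not Torpig's real values. It shows the round trip, recovers the key from a few bytes of known plaintext, and then runs a toy version of the first-valid-responder selection against a sinkhole that replies with the recovered key.

```python
"""Added example: base64 + repeating-key XOR is obfuscation, not encryption,
and a C&C check built on it cannot reject an impersonating sinkhole.

Every key, message and domain below is constructed for this demo; none of it
is Torpig's real key, file format or domain list.
"""
import base64
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Symmetric: applying it twice restores data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def obfuscate(plaintext: bytes, key: bytes) -> str:
    """'Encrypt' the way the quoted report describes: XOR, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> bytes:
    """Reverse obfuscate(): base64-decode, then XOR with the same key."""
    return xor_bytes(base64.b64decode(blob), key)


def recover_key(blob: str, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    ciphertext[i] = plaintext[i] ^ key[i % key_len], so any key_len consecutive
    ciphertext bytes XORed with the matching plaintext bytes give the whole key.
    Config files and reports typically start with a fixed header, which is all
    the known plaintext an analyst needs.
    """
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    raw = base64.b64decode(blob)
    return xor_bytes(raw[:key_len], known_prefix[:key_len])


def select_cc(candidates, responders, key):
    """Toy version of 'first host whose reply looks like a valid C&C is genuine'.

    candidates: domains in the order the bot tries them (a real bot would
    compute these; here the list is fixed).
    responders: domain -> obfuscated reply, or absent if unregistered/down.
    Validity is only 'decodes under the shared key to an OK banner', which is
    exactly the property a sinkhole holding the recovered key can satisfy.
    """
    for domain in candidates:
        reply = responders.get(domain)
        if reply is None:
            continue
        try:
            if deobfuscate(reply, key).startswith(b"OK "):
                return domain
        except ValueError:  # binascii.Error (bad base64) is a ValueError
            continue
    return None


def demo():
    """Run the attack end to end; returns (genuine winner, winner with sinkhole)."""
    key = b"\x13\x37\x42"                       # constructed key
    cfg = b"CFG targets=bank.example;inject=203.0.113.10"  # constructed config
    blob = obfuscate(cfg, key)
    assert deobfuscate(blob, key) == cfg        # round trip

    # Analyst knows only that config files start with "CFG" and the key length.
    guessed = recover_key(blob, b"CFG", len(key))
    assert guessed == key

    candidates = ["a.example.net", "b.example.net", "c.example.net"]
    criminals = {"c.example.net": obfuscate(b"OK upload here", key)}
    # Sinkhole registers an earlier candidate and answers with the recovered key.
    with_sinkhole = dict(criminals)
    with_sinkhole["a.example.net"] = obfuscate(b"OK upload here", guessed)
    return select_cc(candidates, criminals, key), select_cc(candidates, with_sinkhole, key)


if __name__ == "__main__":
    print(demo())
```

The design choice to notice is in `select_cc`: "decodes under the shared key" is a check the bot can pass on its own, which means anyone who has extracted the key from a sample can pass it too. A controller that wanted to resist sinkholing would have to sign its replies with a key the bot only holds the public half of, which is the direction the Conficker comparison in the parent comment points at.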

Re:uuh..yeah. (1)

RiotingPacifist (1228016) | more than 5 years ago | (#27813127)

which had already been registered by the criminals. Although we could have sent a blank configuration file to potentially remove the web sites currently targeted by Torpig, we did not do so to avoid unforeseen consequences (e.g., changing the behavior of the malware on critical computer systems, such as a server in a hospital). We also did not send a configuration file with a different HTML injection server IP address for the same reasons.

I'm also under the impression that they couldn't uninstall the bots as they didn't have enough control. However I don't see why they couldn't change the page that is injected to a huge "your computer is infected, criminals have your bank details" and perhaps a URL to a tool to remove the bot.

Hacking is hacking isn't it? (1, Redundant)

PitViper401 (619163) | more than 5 years ago | (#27812719)

I know what they did is good and all, but didn't they still commit a crime themselves?

Re:Hacking is hacking isn't it? (0)

Anonymous Coward | more than 5 years ago | (#27812741)

Not quite sure they would consider it a crime since the botnet was operating outside of the law. I however would not be surprised if they did get in trouble over some technicality.

Re:Hacking is hacking isn't it? (2, Interesting)

martin-boundary (547041) | more than 5 years ago | (#27813039)

It IS a crime. If they had control access to the botnet, then for the duration of time that they had control, they were responsible for what the botnet did during that time. Think of it as timeshare cracking.

Re:Hacking is hacking isn't it? (2, Insightful)

Insanity Defense (1232008) | more than 5 years ago | (#27813483)

It IS a crime. If they had control access to the botnet, then for the duration of time that they had control, they were responsible for what the botnet did during that time. Think of it as timeshare cracking.

Perhaps not. If I understand it correctly they acquired the domain (legally) and their only "control" act was to send the proper response when queried to find if they were the "masters". They then accepted the stolen data (that might well be a crime in itself though). Beyond saying "We are the correct site to send to" they don't seem to have sent any commands. Other than being in receipt of stolen data I don't think they could really be said to have any criminal acts here.

Re:Hacking is hacking isn't it? (0)

Anonymous Coward | more than 5 years ago | (#27812759)

Probably, but some well placed vigilante hacking could help the world. I mean if they have control how hard would it be to let that person know that they have a trojan. And to give directions on how to remove it

Re:Hacking is hacking isn't it? (1)

QuantumG (50515) | more than 5 years ago | (#27812825)

how hard would it be to let that person know that they have a trojan. And to give directions on how to remove it

That would actually be effective? Very hard.

Re:Hacking is hacking isn't it? (3, Interesting)

InfiniteLoopCounter (1355173) | more than 5 years ago | (#27812895)

Probably, but some well placed vigilante hacking could help the world. I mean if they have control how hard would it be to let that person know that they have a trojan. And to give directions on how to remove it

Unfortunately, that process would soon be usurped. There already is a class of malware called "rogue anti-virus" that gives false removal instructions, resulting in infection.

Better would be to plug the holes, and plug them fast enough so that you can't drive the proverbial slow moving truck, carrying a payload of *wares, through them.

Re:Hacking is hacking isn't it? (4, Informative)

mkairys (1546771) | more than 5 years ago | (#27812811)

The BBC got in trouble when they took control of a botnet for one of their technology shows: http://www.guardian.co.uk/technology/blog/2009/mar/12/bbc-botnet-legality-questioned [guardian.co.uk] . While this research was performed in the US, I think they must have broken a law somewhere. I don't see how grabbing personal info obtained illegally for the sake of research, even if they didn't infect the computers originally, makes it permissible under US law.

Re:Hacking is hacking isn't it? (0)

Anonymous Coward | more than 5 years ago | (#27813069)

Would I get in trouble if people just happened to send my website their personal info and I saved it? Even if I did not ask for it?

Re:Hacking is hacking isn't it? (1, Informative)

Anonymous Coward | more than 5 years ago | (#27813005)

First, define "hacking".

For your information, Linus Torvalds was and is a hacker. A REAL hacker, not one of those morons who ride on the coat tails of people like Torvalds, using a few half understood skills to wreak havoc on the int3rt00bz.

Without "hackers" you wouldn't have a computer, period.

Owning an automobile isn't illegal, nor is it illegal to understand how to hotwire a car. It isn't even illegal to hotwire a car, UNLESS you happen to be stealing the car.

Hacking, properly defined, is essential to computer science. Theft of data has no more to do with hacking than the theft of a car has to do with mechanical skills.

yes (5, Funny)

mofag (709856) | more than 5 years ago | (#27812723)

no, maybe, oh I don't know. Why do I get all the hard questions?

frosty piss! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27812727)

lol James got frosty piss LOL

3 years? Pfffft. (4, Insightful)

Opportunist (166417) | more than 5 years ago | (#27812815)

Take a machine. Install Windows XP SP1. Hook it to unfiltered internet access. Watch Sasser install. Mean time before infection: 30 seconds.

That nuisance is 5 years old and still running rampant. Now, it is far from being the threat that Torpig is, but it shows you just how hard it is to get rid of something. And unlike Torpig, it's not really "in use" anymore. Its maker is gone, it doesn't get any updates or new variants to facilitate infection. We're talking about the same old crapware that every single AV kit knows and removes by now. Worse, it's a threat that any halfway decently patched machine is not susceptible to.

And you want to get rid of Torpig?

Re:3 years? Pfffft. (4, Insightful)

socsoc (1116769) | more than 5 years ago | (#27812885)

Let's say I reinstall XP SP1 and somehow MS manages to have included a nic driver for my card. I then need that Internet access to download AV from my uni, patches from MS, etc. How do you expect a consumer to have a machine fully patched prior to the initial network connection?

Re:3 years? Pfffft. (4, Informative)

Hurricane78 (562437) | more than 5 years ago | (#27812903)

Give him a CD with XP which includes SP3 and all patches up to now, and he should be good for some time.

Give him Linux, and he will be good for a looong time.

Re:3 years? Pfffft. (4, Insightful)

socsoc (1116769) | more than 5 years ago | (#27813023)

Yes, consumers with their Dell OEM CD from seven years ago have easy access to slipstreamed SP3 CDs and know how to use Linux.

He'll be good until iTunes or some niche piece of software doesn't install and then he'll just be pissed at you.

We know better and we try to educate Joe Consumer, but Joe Consumer doesn't have our skills or knowledge, which was the point of my original post. The consumer is not to blame.

Re:3 years? Pfffft. (4, Insightful)

value_added (719364) | more than 5 years ago | (#27813363)

We know better and we try to educate Joe Consumer, but Joe Consumer doesn't have our skills or knowledge, which was the point of my original post. The consumer is not to blame.

Sorry, but the consumer is to blame. They may not, at the present time, have any legal obligations, and may not suffer any direct liabilities while remaining blissfully oblivious of the consequences of their actions or inactions, but we're as free and justified in assessing the blame on them as we are on the malware authors, as both share responsibility for their actions or omissions. To use a cliche, it always takes two to tango.

I don't care whether you're talking about a guy handing over money to an unscrupulous investor (or worse, trying to invest it themselves), someone doing home wiring without understanding electricity or codes, someone driving a car who ignores the relationship between speed and stopping distances, or someone who bought a product that doesn't work as well as it was advertised; the blame rests ultimately with the individual who fucked up. That should come as no surprise given that individuals who do fuck up rarely need encouragement or a convincing argument to admit they fucked up.

The standard here is one of reasonableness.

Is it reasonable to assume that computers are complex beasts and that malware is a problem? Yes. The former is self evident and the latter is also a truism that can be cited by most Windows users or gleaned from the local news by everyone else. Then WTF is Joe Average doing trying to install an operating system? Or manage it? He has lots of alternatives including hiring the kid down the block or taking it to the local shop.

Is it reasonable to assume that Macs are also complicated but Mac users can do without requisite knowledge or skill? Yes. The reasons for that are as numerous as why Windows users continue to suffer problems.

You can go on about complexity and missing skillsets, but none of those justify anything. If you're trying to comfort those who fucked up, you're doing them a disservice. If you're conceding that the battle is lost and ha ha this is the way things are and always will be, then you're being irresponsible and contributing nothing to the discussion or solution.

Personally, I'd go so far as to say that anyone who trots out the "poor user" argument (usually in combination with the "Everyone is using Windows so everyone is doing it, too!" argument) is participating in extending the current state of affairs and is therefore part of the problem.

Why pay lip service to user education advocacy when responsibility and blame are pre-requisites? Start blaming. Blame everyone involved, but don't skip the person ultimately responsible. We'll all be better off for it.

How do I make such a CD? (3, Insightful)

jonaskoelker (922170) | more than 5 years ago | (#27813117)

Give him a CD with XP which includes SP3

I'm curious: how would I go about producing such a CD, without any of my boxes getting "sassered"?

I have: a Linux box. An OS-less laptop. Some XP recovery disks.

Re:3 years? Pfffft. (2, Insightful)

Wingman 5 (551897) | more than 5 years ago | (#27812931)

Any form of firewall, even a basic NAT from a home router would be sufficient to protect you until you are up to date on patches

Re:3 years? Pfffft. (1)

mOdQuArK! (87332) | more than 5 years ago | (#27813003)

Use a cheap hardware router to insulate your machine from the net while installing all security updates.

Re:3 years? Pfffft. (2, Informative)

GroovyTrucker (917003) | more than 5 years ago | (#27813259)

Easy, just download the SP2 file and the SP3 iso from Microsoft and burn them to CDs. Disconnect the computer from the net and after XP SP1 install, just run the SP2 and SP3 updates. I recently did it. Anyone else can.

Re:3 years? Pfffft. (0)

Anonymous Coward | more than 5 years ago | (#27813347)

Give him a CD/USB/whatever-fancy-your-hoody with the network/admin version of XP SP3 and tell him to not connect the computer to the internet before he has installed it. That is a first easy step.
Second step is to do it for him.

That said, I have seen a lot of computer shops being poor at reinstalling computers too, giving them back virus-infested to customers...

Re:3 years? Pfffft. (1)

Yvanhoe (564877) | more than 5 years ago | (#27812953)

Sometimes I wonder if a vigilante approach à la Code Green (which mimicked the Code Red transmission but patched machines afterwards) isn't what we need. There are no authorities with a wide enough jurisdiction to prevent worms from happening or to cure them, so if one state begins to produce its own counter-worms, who could protest?

Re:3 years? Pfffft. (1)

KlaymenDK (713149) | more than 5 years ago | (#27813447)

"Unsolicited white hat hacking" is rarely welcome, regardless that you might well be helping them out. Would you be unequivocally glad to see a stranger mowing your back yard lawn when you came home from work? With your own lawnmower, which was supposed to be in your shed. He's just helping out...

While there may not be an organisation to protest all of your, say, 300.000 patches, there may very well be an organisation willing to protest the 14 patches that hit their machines. The world of pain you'd be in would only be slightly different than if you'd been caught patching all 300.000.

Suggested punishment (4, Interesting)

rossz (67331) | more than 5 years ago | (#27812821)

How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jail. For 180k systems, that's an eighteen million dollar fine and nearly five hundred years of jail time.

Of course, the problem is catching these bastards who tend to live in countries where the government doesn't care or is actively involved in these illegal activities (I'm looking at you Russia).

Re:Suggested punishment (1)

martin-boundary (547041) | more than 5 years ago | (#27813011)

How do you know it isn't the CIA, pretending to be Russian hackNO CARRIER...

Re:Suggested punishment (1)

syousef (465911) | more than 5 years ago | (#27813095)

How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jail. For 180k systems, that's an eighteen million dollar fine and nearly five hundred years of jail time.

You'd hit incompetent virus writers as hard as the big criminals. Think of the Melissa worm. Written for a stripper by a loser and it got out of hand.

Re:Suggested punishment (2, Interesting)

calmofthestorm (1344385) | more than 5 years ago | (#27813107)

Do that and I might start writing viri

Re:Suggested punishment (5, Funny)

Toonol (1057698) | more than 5 years ago | (#27813147)

It's "Viruses". Just for future reference. I know, I'm being pedantic.

Re:Suggested punishment (5, Insightful)

Kaboom13 (235759) | more than 5 years ago | (#27813121)

It's already illegal. We don't need to run around making new laws. The problem is law enforcement world wide does not care. Even if the perpetrators of a major botnet are in their grasp, they will do their best to ignore it. If it happens on the internet, that means it's an international problem. Which means it's not their problem. They are too busy busting 19 year olds trying to sleep with 17 year olds, and "drug busts" of people licensed and permitted by their state government to grow marijuana, and harassing random people with the same name as a suspected "terrorist". Has anyone seen the FBI actually even investigate an identity theft case? We aren't talking criminal masterminds here, most of them could be tracked down with minimal effort.

The only solution to crap like this will have to be technical. I suspect for the internet to survive, enforcement will have to come at the ISP level. Automated detection of botnets and DDoS attacks in progress is possible. What should happen is when it's detected you are infected, your upload is heavily throttled, and you are contacted to correct it. Failure to do so results in suspension of service. ISPs that don't implement it should face having all their packets dropped by everyone else. It won't stop the latest and greatest, but years-old botnets could easily be stopped. The potential for false positives will suck, as will the temptation for ISPs to abuse it, but currently there's several botnets out there that could easily take down critical infrastructure if they decide to DDoS it.

Re:Suggested punishment (1)

rolfwind (528248) | more than 5 years ago | (#27813357)

Wouldn't that mean Bill Gates would have to give most of his money back and be in jail for eons - seems a bit harsh :(

Re:Suggested punishment (1)

NickFortune (613926) | more than 5 years ago | (#27813425)

How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jai

So Great Aunt Mildred opens an email with the subject "Mildred, Improtant News From An Old Friend!!1!", gets a worm, and winds up infecting the 30 people in her outlook contacts list.

She has to pay three grand in fines and spend a month in jail for this? I can't see that working.

So they committed a felony? (2, Insightful)

phantomcircuit (938963) | more than 5 years ago | (#27812835)

Let me get this straight. They took over a botnet, which consists of computers they are unauthorized to access. Not only did they commit a felony, but then they wrote a paper about it?

The reason that nobody else has done this before is not because they are incapable of doing it. The reason nobody has done this before is because it is illegal.

Re:So they committed a felony? (5, Insightful)

SydShamino (547793) | more than 5 years ago | (#27812867)

No, they purchased a domain name, set up servers to accept data sent to that domain, then collected that data. That their research had told them that the domain would be used by the botnet is incidental. If you mail your credit-card information to my domain, I haven't committed any crime if I accept it and turn it over to the authorities.

Re:So they committed a felony? (1)

QuantumG (50515) | more than 5 years ago | (#27812905)

The first host that sends a reply that identifies it as a valid C&C server is considered genuine,

They sent information.. that means they were illegally accessing a computer system.

Re:So they committed a felony? (1)

Jah-Wren Ryel (80510) | more than 5 years ago | (#27812921)

The first host that sends a reply that identifies it as a valid C&C server is considered genuine,

They sent information.. that means they were illegally accessing a computer system.

If that were true then any webserver replying to a request for a web page would also be illegally accessing the requester's computer system.

Seems legally sound to me that if you ask a question, you've consented to receiving a reply.

Re:So they committed a felony? (1, Insightful)

QuantumG (50515) | more than 5 years ago | (#27812937)

Umm.. no, they deliberately sent a message that said "send me the confidential information you have collected". There isn't a court in the land that wouldn't convict these bozos. All they have to rely on is that the majority of people infected with this ancient malware are not going to go after them, cause they're too stupid to know they are infected.

Re:So they committed a felony? (1)

jamesh (87723) | more than 5 years ago | (#27813041)

Umm.. no, they deliberately sent a message that said "send me the confidential information you have collected"

They only reverse engineered the software for interoperability reasons though. Botnets are a monopoly so I think it's reasonable to allow them to develop a competing product, especially for research purposes :)

Who would bring criminal charges against the researchers though...

The botnet operators? Unlikely.

The owners of the computers that were unknowingly running the botnet trojans? Also unlikely. Even if such research caused some major problems at a bank somewhere, what bank is going to put its hand up and say "Our computers were infected with malicious software and your playing with it broke it"?

The feds? What a PR disaster that would be!

Re:So they committed a felony? (0)

Anonymous Coward | more than 5 years ago | (#27813047)

"There isn't a court in the land"

That is probably true, if you live in the land of the anally retentives, who are incapable of understanding the spirit of the law, as opposed to the letter of the law.

I guess it would be the luck of the draw. If I were sitting in the jury, they would never be convicted. If twelve people such as yourself were seated on the jury, automatic conviction. It really only takes one person such as myself to persuade the other 11 to try reading and understanding the law, as well as the instructions to the jury, along with all the evidence.

Re:So they committed a felony? (0)

Anonymous Coward | more than 5 years ago | (#27813083)

You think you're so smart? I'd wager if you and QuantumG were both on the jury, he'd convince you eventually.

Re:So they committed a felony? (2, Insightful)

QuantumG (50515) | more than 5 years ago | (#27813277)

That is probably true, if you live in the land of the anally retentives, who are incapable of understanding the spirit of the law, as opposed to the letter of the law.

Like, say, the USA?

Re:So they committed a felony? (1)

speedtux (1307149) | more than 5 years ago | (#27813333)

And what "spirit" would that be?

Let's say you're a university researcher and you get a drug cartel leader's cell phone number assigned to you, and just for fun, you now impersonate him. People call you and say "should we kill Johnny?" and you respond "sure". They call and ask you "what bank account should we wire the profits to" and you give your own number. Etc. You keep diligent statistics on how many people the cartel murdered and how much money they sent you.

That's pretty much what's going on here, only that the damage per victim is lower (but there are more of them).

The spirit, as well as the letter, of the law is that you're guilty.

Re:So they committed a felony? (0)

Anonymous Coward | more than 5 years ago | (#27813119)

Of course you didn't read the article.

There's no need for such message. You are given the information because you control the C&C domain, not because you explicitly asked for it.

Re:So they committed a felony? (1)

QuantumG (50515) | more than 5 years ago | (#27813173)

With domain flux, each bot uses a domain generation algorithm (DGA) to compute a list of domain names. This list is computed independently by each bot and is regenerated periodically. Then, the bot attempts to contact the hosts in the domain list in order until one succeeds, i.e., the domain resolves to an IP address and the corresponding server provides a response that is valid in the botnet's protocol. If a domain is blocked (for example, the registrar suspends it to comply with a take-down request), the bot simply rolls over to the following domain in the list.
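
The rendezvous logic quoted from the paper above is what makes the sinkhole possible: whoever holds a domain that appears earlier in the bots' list, and answers with a protocol-valid reply, collects the traffic until that domain is suspended, at which point the bots roll over to the next one. The following is an added illustration written for this page, not code from the paper, the researchers or Torpig. The domain generation routine is a hypothetical stand-in (a hash of a date string and an index), not Torpig's real algorithm; the IP addresses are constructed from the reserved documentation ranges; the reply string "okn" is the one reported elsewhere in this thread as the sinkhole's only response.

```python
import hashlib

# Reply the sinkhole is said (in this thread) to have returned to every bot.
VALID_REPLY = b"okn"


def generate_domains(seed, count=5, tld="com"):
    """Hypothetical stand-in DGA, NOT Torpig's real algorithm.

    Every bot sharing the seed (here a date string) computes the same ordered
    list. That determinism is exactly what lets a defender who knows the
    algorithm register a domain that sits ahead of the operator's.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()
        domains.append(f"{digest[:12]}.{tld}")
    return domains


class FakeNetwork:
    """Constructed stand-in for DNS plus the hosts behind it (no real traffic)."""

    def __init__(self, dns, servers):
        self.dns = dns          # domain -> IP; a missing key means NXDOMAIN/suspended
        self.servers = servers  # IP -> bytes that host replies with

    def contact(self, domain):
        ip = self.dns.get(domain)
        if ip is None:
            return None         # domain does not resolve: bot moves on
        return self.servers.get(ip)


def rendezvous(network, domains):
    """Bot-side logic from the excerpt: try each domain in order and stop at the
    first one that both resolves AND answers with a protocol-valid reply."""
    for domain in domains:
        if network.contact(domain) == VALID_REPLY:
            return domain
    return None


def sinkhole_scenario():
    domains = generate_domains("2009-01-25", count=4)
    # Constructed sample: index 0 registered by the sinkhole operator, index 1
    # parked at an unrelated web host whose answer is not in the protocol,
    # index 2 held by the botnet operator, index 3 unregistered.
    dns = {
        domains[0]: "192.0.2.10",     # sinkhole
        domains[1]: "203.0.113.5",    # parked / unrelated web server
        domains[2]: "198.51.100.7",   # genuine C&C
    }
    servers = {
        "192.0.2.10": b"okn",
        "203.0.113.5": b"HTTP/1.1 404 Not Found",
        "198.51.100.7": b"okn",
    }
    net = FakeNetwork(dns, servers)
    captured_by = rendezvous(net, domains)       # sinkhole wins: earlier in the list
    del net.dns[domains[0]]                      # registrar suspends the sinkhole domain
    after_suspension = rendezvous(net, domains)  # bots roll over to the operator's domain
    return domains, captured_by, after_suspension


if __name__ == "__main__":
    d, first, second = sinkhole_scenario()
    print("domain list:", d)
    print("bots rendezvous at:", first)
    print("after suspension:", second)
```

The parked domain at index 1 is the important edge case: it resolves, but the bot skips it because the reply is not the botnet's own protocol, so merely resolving a generated name is not enough to take the traffic. Suspending the sinkhole's domain does not stop the bots; it only moves them to the next usable domain, which is the rollover the paper describes.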

Re:So they committed a felony? (1)

Jah-Wren Ryel (80510) | more than 5 years ago | (#27813219)

Lol, suck it up, you are wrong and you apparently know you are wrong and are cherry-picking quotes in order to mislead.

Is the size of your internet penis really so important?

Re:So they committed a felony? (1)

QuantumG (50515) | more than 5 years ago | (#27813267)

hehe, just cause you can't read..

Re:So they committed a felony? (1)

phantomcircuit (938963) | more than 5 years ago | (#27813213)

Obviously you did not.

Re:So they committed a felony? (1)

Jah-Wren Ryel (80510) | more than 5 years ago | (#27813201)

Umm.. no, they deliberately sent a message that said "send me the confidential information you have collected".

Ummmmmmm...... no. All they EVER sent was the string "okn" - no matter what the bot asked for, that's all they ever sent in return.

Re:So they committed a felony? (2, Insightful)

phantomcircuit (938963) | more than 5 years ago | (#27813209)

For that to be even remotely true I would have to be able to do exactly the same thing.

Something tells me that if I was to go and setup a domain to receive information stolen from home computers which I did not originally infect that it would still be a crime.

Just because the FBI is not going to go after them for it does not make it either legal or moral.

Re:So they committed a felony? (1)

JoeBuck (7947) | more than 5 years ago | (#27812913)

What are you going to charge them with? It appears that what they did was to register a domain that the botnet wanted to use and intercept the traffic. They didn't load code onto anyone's computer, or issue any commands to the botnet. So where's the felony?

Re:So they committed a felony? (1)

Ramidarigaz (1521789) | more than 5 years ago | (#27812929)

Let me get this straight. They took over a botnet, which consists of computers they are unauthorized to access. Not only did they commit a felony but then they wrote a paper about it?

The reason that nobody else has done this before is not because they are incapable of doing it. The reason nobody has done this before is because it is illegal

Also, as they stated, they were working with the DoD and the FBI.

Re:So they committed a felony? (1)

phantomcircuit (938963) | more than 5 years ago | (#27812951)

Unless they had a warrant for every single computer system they accessed it is still a crime. Just because the FBI did it does not make it illegal. You sound like Nixon.

Re:So they committed a felony? (0)

Anonymous Coward | more than 5 years ago | (#27813169)

Whoever allows their system to get infected and does nothing about it has pretty much given up its ownership for grabs, so cut the bullshit about warrants needed or illegally accessing someone's computer.

Also, I realize that most of you USians will never be able to wrap your thick heads around it, but there is a world outside of your great "land of the free and the brave". FBI doesn't mean shit out here.

Re:So they committed a felony? (1)

Pecisk (688001) | more than 5 years ago | (#27813135)

Is it really illegal? Or do people who are scared that the government will use this excuse to mangle some exploited Windows XP for their own use say so? :)

More to the point, afaik what they did borders on illegal, but it would be very very hard to convince anyone that harm to society was done (which is the basis of *any* conviction, ask any lawyer).

And also the whole situation is a farce - botnet owners and operators are laughing all the way to the bank, no one can shut them down because it is illegal (someone is stealing money and stopping them is illegal...yeah, right).

Re:So they committed a felony? (1)

forgottenusername (1495209) | more than 5 years ago | (#27813243)

I totally agree, we should limit all information gathering strategy to the strictest sense of the law, regardless of intent. Who cares that security researchers dissect these issues and come up with strategies to combat them! We should all fly blind because you have to get a little dirty to figure out what's going on.

"To notify the affected institutions and victims, we stored all the data that was sent to us, in accordance with Principle 2, and worked with ISPs and law enforcement agencies, including the United States Department of Defense (DoD) and FBI Cybercrime units, to assist us with this effort. This cooperation also led to the suspension of the current Torpig domains owned by the cybercriminals"

Those terrible, evil security researchers! They should be locked up - clearly the government and OS providers are doing a bang-up job of protecting users' private data by analyzing these threats in detail & shutting them down. Let's definitely keep the actual smart people who are willing to help and work with legal agencies shut down, so these poor malware providers can not be hassled by people using the only tactics that will actually provide information on how this shit works so we can have a small chance of temporarily shutting down a huge botnet, and getting some users patched.

What was your point again?

Who are you..? I'M B- (1)

TiggertheMad (556308) | more than 5 years ago | (#27813283)

The reason nobody has done this before is because it is illegal

"The proper authorities are helpless against the criminal scum plaguing the Internet. I shall become a costumed vigilante hacker, but I need a sign...wait was that a frigging BAT that just hit the basement window...? What the hell? Now, wait...where was I...Oh, yes, I need a sign. I HAVE IT! I SHALL BECOME GOATSEE MAN!"

Ok hacker nerds, here is your chance to live out the fantasy. You have the talents, become a heroic hacker vigilante. You can break into people's computers, fix systems, counter hack black hats, and claim that you are 'the bat'. Get to it.

NO. NOT NOW. NOT EVER! I'M COMING FOR ALL OF YOU! (0)

Anonymous Coward | more than 5 years ago | (#27812845)

Isn't it time that US federal law requires all broadband operators to provide per-client client-configurable firewalls on their end of the last-mile by a date-certain that coincides with the current end of life on their equipment?

None of this would have been necessary if we had just stuck with X.25 and used X.PC instead of veering off into Vincent Cerf's private hell of TCP/IP and PPP. That it has taken 20 years (yeah, 20 years!) to figure out we need to add a firewall to the head-end routers is just totally unforgivable. At least now it can be done with a chip and remotely programmed by the Customer via the ISP's portal.

NO. NOT NOW. NOT EVER! I'M COMING FOR ALL OF YOU! (0)

Anonymous Coward | more than 5 years ago | (#27812889)

oh yeah, expect half of the Sub-Continent, Asia and Eastern Europe to weigh in on how bad X.25 would have been for them (because it had distance-based pricing instead of sticking with the traditional toll-free, toll and pay-per-call model that served us for the previous 40 years). I mean, without TCP/IP and distance-free pricing/leeching/peering, those people would have continued on in their own islands. Projects run by the guy who spent 20 years being paid by a university (cushy job) before he snapped and turned communist would still have gotten out there, but never would have swept the planet and destroyed the IT economy and given very bad, uneducated, radical people access to technology that makes them more productive. (Of course, it will take the bankruptcy of Apple and Microsoft in under 10 years and another 20 years of stagnation under LINUX when there is nobody left to copy and "no reason to change" before the now 20-somethings figure out they were used like toilet paper by older, much smarter communists like RMS and his radicalized elements like Mr. Cathederal.) Someday, history will record their names where they belong. Someday.

Fighting crime with crime? (1)

Sumbius (1500703) | more than 5 years ago | (#27812847)

Indeed, they proved that it is completely possible to hijack a huge botnet and destroy a big part of it. (Well, everything is possible and there is quite a lot of variation between different botnets, but still...) The problem is that they also gained access to a huge supply of bank account and credit card numbers and such. This itself can be considered a huge crime, even if they weren't planning to use them themselves. Legally speaking, hijacking it didn't differ much from creating a botnet for yourself. Also, hijacking a botnet of course involves interacting with the infected computers, which is a crime. Morally speaking this is all acceptable and beneficial for the public good. Yet, legally speaking it seems a bit suspicious activity. You can't always be certain that the goal of this kind of operation is as naive as this time. Well anyway, good job!

Re:Fighting crime with crime? (1)

yahwotqa (817672) | more than 5 years ago | (#27813181)

What we need is Botman -- in public life, a wealthy young man, in private life, a vigilante in black cape, who hijacks botnets and brings them down.

WTF? (1)

religious freak (1005821) | more than 5 years ago | (#27812853)

Is the whole notion of a hacker that acts on behalf of the "public good" by shutting these things down (i.e. gray hat) just a myth?

Yeah, it's probably technically illegal, but I thought there were folks out there doing it. I'd be interested to know if any /.ers have ever engaged in trying to kill one of these things.

Speaking for myself... I haven't because of the technically illegal nature of the work (at least I think it'd be technically illegal). Plus, without ever doing it, I don't know enough about how to do it. Can't be that hard though. Why are these things allowed to exist?

Still, seems like a pretty cool thing to hack, and you're doing some good at the same time.

Re:WTF? (4, Insightful)

QuantumG (50515) | more than 5 years ago | (#27812883)

Getting altruism out of people is hard enough at the best of times. Asking for altruism when the likely reward is getting arrested.. no.

Re:WTF? (0)

Anonymous Coward | more than 5 years ago | (#27813063)

I got it! we can set up our own botnet to take down other botnets

No mention of Windows as the target (4, Informative)

david.emery (127135) | more than 5 years ago | (#27812911)

What bothered me after reading this paper is nowhere does this paper come out and say that the infected machines are all running Windows, although this is strongly implied by the description of how the virus works. The reader is left to wonder whether machines other than Microsoft Windows were infected.

Instead, the paper leaves the impression that all computing has the same architectural vulnerabilities. I thought that was a surprising defect, sufficient to make me wonder what else isn't captured/stated/analyzed in the paper.

Re:No mention of Windows as the target (0)

Anonymous Coward | more than 5 years ago | (#27813093)

Um...before you get a giant mac boner over there...don't forget that botnets are just as feasible on other systems. Just because no one wants to write a botnet to target 1% of the market (most of which are reading slashdot or are the gay artistic type) doesn't make your system immune.

The BBC has done this too (0)

Anonymous Coward | more than 5 years ago | (#27812919)

As said in the title, it wasn't too long ago that the BBC did something similar [bbc.co.uk]. However, I personally consider their purposes for this botnet a lot better than what we read here. First the BBC used this to make the general public aware of the dangers of their PCs being infected (and most of all: what might result from it).

But last and certainly not least they actually did shut the whole botnet down. Every single node got a massive warning about their PC being infected and that it should be cleaned up ASAP. And that's not what I'm reading here, therefore I consider this kind of abuse totally unacceptable.

Snail Mail Analogy (1)

daveime (1253762) | more than 5 years ago | (#27812991)

This I feel is a good analogy to old fashioned snail mail.

A package gets delivered by mistake to your house, it is obviously intended (addressed) for someone else, but you open it anyway.

Regardless of whether the contents are legal or illegal (drugs, fake currency, or just a birthday card), etc., you are still committing a crime by opening it. You'd be hard pressed to use the "I'm a researcher" defense on that one.

I mean, that implies that anyone intercepting a botnet's stolen data can simply claim "they didn't write it, they were just researching it".

Re:Snail Mail Analogy (3, Insightful)

nacturation (646836) | more than 5 years ago | (#27813225)

Another analogy is that it's like buying a house at the address 1234 Main Street, Anywhere, USA knowing that other people would try to deliver packages to your address with a "Dear Occupant" label. It's not illegal to open those at all.

Re:Snail Mail Analogy (0)

Anonymous Coward | more than 5 years ago | (#27813293)

So, US Mail (USPS) is special because it's a US Government regulated monopoly.

> U.S. law provides for the protection of mail. Postal Inspectors enforce over 200 federal laws in investigations of crimes that may adversely affect or fraudulently use the U.S. Mail, the postal system or postal employees.

http://en.wikipedia.org/wiki/United_States_Postal_Inspection_Service

You can't use the USPS for your analogy.

A better analogy is this:

You're a guy standing on a street corner. A car comes speeding past you and someone or something inside the car tosses a ball to you.

That's email.

For HTTP, attach a string to the ball, you're able to remove the ball from the string and attach a ball of your own, as the car speeds away, the ball you've attached (if there is one) travels along with the car.

Now. Let's look at this piece at a time:
If someone throws stolen property at you (e.g. credit card numbers), which crimes have you committed?

There are probably two laws to worry about, receipt and possession. One would hope that there is some way for you upon receipt of the ball to notify the authorities and turn over the ball without being charged with a crime (* note that District Attorneys and similar people are responsible for deciding whether to actually charge you with a crime, one of the below links indicates cases in which the various departments declined to ask for prosecution).

http://www.law.cornell.edu/uscode/18/2315.html

Note that the law doesn't apply to forged items :)

OK, so how does one properly turn over this ball?

http://www.dhh-3.de/biblio/bremen/sow3/srlireco.htm

> A theft victim who locates stolen property in the US should first contact the Federal Bureau of Investigation.

So, having received this ball, if you suspect it's stolen, you should not cross state lines, but should immediately contact the FBI. In true /. fashion, I haven't read the article, but comments indicate that the authors were in contact with the FBI.

Torpig (4, Funny)

Nom du Keyboard (633989) | more than 5 years ago | (#27813043)

Why does this sound like a cross between an Onion and Swine Flu?

Re:Torpig (0, Redundant)

syousef (465911) | more than 5 years ago | (#27813109)

Why does this sound like a cross between an Onion and Swine Flu?

Take your pig...I mean pick:

- Huh? That's not how a knock knock joke starts!

- Because it shares much in common with self marinading swine flu.

and? (1)

SuperDre (982372) | more than 5 years ago | (#27813111)

did they contact the owners of an infected PC in anyway to tell them their PC is infected?

Watching Sausage being made... (2, Insightful)

xmundt (415364) | more than 5 years ago | (#27813489)

Greetings and Salutations...
I have to say that the level of misunderstanding exhibited by MOST of the folks posting to this thread boggles the mind. Considering the alleged level of IT sophistication of the readers of /., it is even more amazing.

I read the researchers' report, and I have to say that I found it a well-reasoned and interesting analysis of a terrible problem on the Internet. However, without following their methodology, I do not believe they could have been able to do anywhere close to this level of analysis. These researchers not only produced a fairly scholarly analysis of a nasty and persistent problem, but apparently went out of their way to work with the governmental authorities charged with controlling these sorts of crimes. So...why all the calls for them to be drawn and quartered in the public square? Have none of you ever heard of the concept of studying your enemy on a deep level, so as to find its weaknesses, and make it easier to destroy? And as a part of that, how do you propose to GATHER that information, short of following the procedures that these researchers used?

There are only a few, small quibbles I have with the paper. While they do say that they took a number of steps to secure the private information that they gathered while researching this virus, I would feel much better about reality if there was some assurance that this data set had been destroyed at the end of the study. I realise that arguments can be made that information, once gathered, tends to exist forever (after all, can we be sure that no copies were made?). However, with sufficient audit trails of what happened to the data, and who accessed it, this is a minimal problem. Of course, if the folks whose data had been intercepted were indeed contacted and made aware of the breach of their privacy, the usefulness of this data would erode away quickly, as CC numbers/banking information/passwords/etc. were changed.

Also, it was unclear to me exactly how they attempted to contact the people whose information had been compromised. Mainly this is curiosity on my part, because most of the methods that spring to mind (Email, IM, etc.) are exactly the sorts of communications that I tend to filter out and delete without any further attention. I suppose that a phone call from a complete stranger would certainly be a wake-up call, though.

As for their activities being "illegal", while perhaps technically true, it is more a problem with the way the laws are written, rather than with their activities. Most folks do not understand that applying the law to a bad situation is akin to using a 20 lb sledgehammer to swat a mosquito. It is not a precision instrument. That is one of the many reasons that the justice system in America has avenues for appealing a case through several levels of juries and judges. The hope is that with enough people looking at it, a sane interpretation of the law will take root. Most of the current laws dealing with computer access and IT these days DO make security research difficult and problematical, as their wording exposes even legitimate researchers to criminal charges. That is a legislative problem, though, and not a sign that serious researchers who are trying to understand a complex and interesting problem on the net are "Doing Evil".

In short...if you like eating sausage, you should NEVER watch it being made.
Dave Mundt