
Man Challenges 250,000 Strong Botnet and Succeeds

CmdrTaco posted more than 4 years ago | from the i-fought-the-law-and-the-law-one dept.


nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, however, the change from a defensive to an offensive mentality is what ended the two year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."


206 comments

PR "Stuff" from Fireeye (4, Informative)

winkydink (650484) | more than 4 years ago | (#30576474)

For some value of "Stuff".

Yeah. He succeeded in eradicating the mega-D botnet. For about 2 weeks anyway.

From MessageLabs Intelligence: 2009 Annual Security Report "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

Re:PR "Stuff" from Fireeye (2, Informative)

Anonymusing (1450747) | more than 4 years ago | (#30576498)

Also, FTA: "Mushtaq and two FireEye colleagues..." -- not just one guy.

Re:PR "Stuff" from Fireeye (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30576680)

Jenny is a caucasian sixteen year-old girl, the daughter of a software engineer, who lives in the suburbs.

She is pregnant. Inside her belly is an unborn mongrel, the product of a drunken tryst with a twenty-three year-old Negro male she met at a party. She told Robert, her sixteen year-old caucasian boyfriend and honor student, that she was tired and going to sleep early before she ended the call and snuck out her window to go to a house party on the other side of the train tracks.

She had learned about the Negro culture from watching Viacom channels such as BET, VH1, and MTV. She was fascinated with their svelte street smarts and "straight-up" methods of communication. She also learned that black males prefer to have white women as their life-partners. The black men she saw on television and in real-life were well-built with good, toned musculature. She frequently fantasized about being held in a pair of strong, dark arms. She did not want to think of herself as a size-queen, but her mind occasionally wandered to black penises. She had never been filled with a big penis, but the seeds of desire were planted by her friend Michelle, an overweight caucasian with thin, stringy, greasy hair, who had a penchant for wearing animal prints. Michelle was the only woman Jenny knew who had been with a black man, and now Jenny herself was torn between her boyfriend and the man she met at the party, with who she continued to tryst.

Fortunately, Robert broke up with her. He couldn't tell her why, but he noticed that whenever he and Jenny made love, she was "bigger" inside. He noticed during foreplay that Jenny's vagina would dilate noticeably. She had developed a permanent Pavlovian response in anticipation of sex with black men, just as a coke addict clears his sinuses when he sees sugar, or as a nosepicker's nostrils flare. He was accustomed to her moan when he would first enter her, but she became much more silent. He could see the sadness in her eyes, and when the lovemaking was well underway, he would open his eyes to catch her staring at the ceiling or out the window.

Three months later, Jenny cried in horror as she discovered a cluster of red boils, with heads of yellowish liquid, in her vaginal area. The man she met at the party had since left her for her friend Michelle, and Jenny knew what had happened. In the heat of passion, all logic flies out the window. All good things must come to an end. Jenny was alone, having alienated her friends and family to embrace the Black culture. Jenny was dirty, having contracted particularly virulent strains of HSV-1 and HSV-2 from the man she had met at the party. Her stress revealed more noxious boils around her mouth right around the time she discovered that the man she had met at the party was seeing Michele before he was seeing her. He would have unprotected sex with Michelle and then without showering, he would meet Jenny the same day to have unprotected oral and vaginal sex with her.

But what does this have to do with botnets? Don't allow strange things into your system or bad things will happen.

Re:PR "Stuff" from Fireeye (0, Flamebait)

Anonymous Coward | more than 4 years ago | (#30577080)

...and now Jenny herself was torn between her boyfriend and the man she met at the party, with who she continued to tryst.

It's "with whom", you fucking illiterate dirtbag!

Re:PR "Stuff" from Fireeye (0)

Anonymous Coward | more than 4 years ago | (#30577238)

Soldat trolls are really fascinating.
Do you guys just write these things up on the fly?

Re:PR "Stuff" from Fireeye (2, Funny)

Anonymous Coward | more than 4 years ago | (#30577476)

I wrote it on the fly. Sometimes it all just comes to you when you're "in the zone". The community as a whole benefits when the trolls are somewhat literate and original. Like most Slashdot trolls, I used to copy and edit dirty stories from online before posting them, but that method is much more obvious and unfulfilling.

Slashdot is the foremost science and technology website and so its trolls should also be held to higher standards of, um, trolling.

Re:PR "Stuff" from Fireeye (0)

Anonymous Coward | more than 4 years ago | (#30577492)

Very entertaining post, maybe a bit offtopic, not to mention vulgar and racist, but a surprisingly funny and entertaining read. Clever ending to tie into the topic too.

Re:PR "Stuff" from Fireeye (1)

nomadic (141991) | more than 4 years ago | (#30576572)

Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam

In other words he cut the amount of spam he sent in half? That's not too shabby.

Re:PR "Stuff" from Fireeye (5, Interesting)

Red Flayer (890720) | more than 4 years ago | (#30576612)

Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

So now there can be coordinated effort against the new botnet, he'll come back with new bots, community response to kill that one off...

Fighting spammers is like fighting against a guerrilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerrillas will be necessary to win the war. Impact of spammers can be reduced by constant counter-attacks, but the only way to eliminate spam networks hosted on compromised machines is to remove compromised machines from the network (and as many compromisable machines as possible).

The cost of this may be too high to be worth it... but if you take away someone's internet access for a while when they get hosed, then maybe they'll stop getting hosed.

Re:PR "Stuff" from Fireeye (1)

LandDolphin (1202876) | more than 4 years ago | (#30576724)

So, Mega-D is going to be his Vietnam (Or Iraq)?

Re:PR "Stuff" from Fireeye (-1)

Red Flayer (890720) | more than 4 years ago | (#30576780)

Exactly. The only way for the US to have won in Nam would have been to destroy everything (which was humanely and politically unpalatable). The only way to win in Iraq is to turn it into a glass parking lot (which would also be humanely and politically unpalatable).

But with spam... that may be a bit more palatable, if we can get people to accept responsibility for getting hosed.

Re:PR "Stuff" from Fireeye (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30576876)

Exactly. The only way for the US to have won in Nam would have been to destroy everything (which was humanely and politically unpalatable).

Militarily the US beat the living shit out of the North Vietnamese. The reason for the loss was the failing will of the public in the US. If that hadn't happened the North Vietnamese would have thrown in the towel.

Bad war (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30576928)

Err? Reality check?

US were using napalm, hitting civilians and US soldiers alike.
Children with their skin burned off is not politically acceptable, and should not be in any country.
US lost the strategy and the political fight. They didn't even get a cease-fire deal to leave the country unharmed.
It was a total disaster and started a huge financial deficit.
What was the reason for going into Vietnam?
The fear-mongering politics was to blame, and was abandoned along with the Cold War in time.

US lost BECAUSE the North Vietnamese (backed by USSR) didn't throw in the towel.

Re:PR "Stuff" from Fireeye (0, Offtopic)

Anonymous Coward | more than 4 years ago | (#30576938)

Militarily the US beat the living shit out of the North Vietnamese. The reason for the loss was the failing will of the public in the US. If that hadn't happened the North Vietnamese would have thrown in the towel

I take it you mean the North Vietnamese that were still living in North Vietnam, since by the time we gave up the Viet Cong had moved into South Vietnamese towns where they looked and talked exactly like our allies, leading to the various infamous massacres that made it obvious that we had no fucking clue who the enemy was anymore, and nobody had any ideas on how to figure it out except to either kill everyone or have our soldiers march around in circles until someone killed them.

Re:PR "Stuff" from Fireeye (0, Offtopic)

techno-vampire (666512) | more than 4 years ago | (#30577250)

The reason for the loss was the failing will of the public in the US.

The real reason is that the NVA waited until after the US pulled out then violated the treaty they'd signed and invaded. When that happened, the US Congress also ignored its treaty obligations and sent nothing but some token munitions.

Re:PR "Stuff" from Fireeye (0)

Anonymous Coward | more than 4 years ago | (#30577666)

Doubt it. The US lost not for any other reason except for the fact that the Vietnamese were fighting for their freedom. I don't know the original quote, but it's alluded to here [globalpost.com] (Posted by Gico Dayanghirang on April 2, 2009 11:16 ET). Consequently, that's why they'll lose Iraq and Afghanistan.

Re:PR "Stuff" from Fireeye (2, Interesting)

RobertM1968 (951074) | more than 4 years ago | (#30577578)

Exactly. The only way for the US to have won in Nam would have been to destroy everything (which was humanely and politically unpalatable). The only way to win in Iraq is to turn it into a glass parking lot (which would also be humanely and politically unpalatable).

But with spam... that may be a bit more palatable, if we can get people to accept responsibility for getting hosed.

Since such a solution in the computer world would NOT be unpalatable, then, this is the answer...

"Zero-Zero-Zero Destruct Zero" [wikia.com]

Re:PR "Stuff" from Fireeye (0)

Anonymous Coward | more than 4 years ago | (#30577592)

I think removing spammers is easier. They are not that numerous. And don't say, most of them are abroad. The infected bots are too.

Re:PR "Stuff" from Fireeye (1)

shentino (1139071) | more than 4 years ago | (#30577040)

Finally, someone treats the army of compromised computers like what it really is, an army.

Time to stop any jerkoff from starting an ISP. (1)

yourassOA (1546173) | more than 4 years ago | (#30576550)

By cutting off the botnet's pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down.
Don't allow overseas ISPs real estate on the internet. Why allow an ISP that condones/allows such activity the ability to even access the internet?

Replace spam with copyright infringements (0)

Anonymous Coward | more than 4 years ago | (#30576890)

Now, if RIAA were to say that the ISPs used by ipredator [ipredator.se] should not be allowed to access the internet backbone, you would probably immediately see the problems in that statement.

Command & Control (5, Informative)

phantomcircuit (938963) | more than 4 years ago | (#30576604)

All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.

Obviously this was a temporary solution.

Re:Command & Control (2, Interesting)

bragr (1612015) | more than 4 years ago | (#30576682)

It is, from what I read it seems that the botnet generates a random domain every hour or day to fall back on, and all they did was knock out the existing C&C and register all the fall back domains for the next 2 weeks. Surely the botnet will have taken a hit, and the information gathered will possibly help reduce the number of infections, but it wasn't shut down permanently.

What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.
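The fall-back behaviour described in the comment above (a bot that computes a fresh random-looking domain every hour or day and tries to resolve it) is also what gives a defender a detection handle: an infected host shows up in DNS logs as a client that repeatedly looks up long, high-entropy names that nobody typed. The following is an added example, not code from the article, from FireEye or from any commenter; it runs a simple DGA-likeness heuristic over a constructed DNS query log and reports the clients that trip it. The log format (timestamp, client IP, query name) and all domain names are constructed for the demo, and the `registrable_label` helper assumes one-label TLDs rather than consulting the public suffix list.

```python
import math
from collections import Counter

# Constructed sample DNS query log (hypothetical "<timestamp> <client_ip> <qname>" format).
# Host 10.0.0.44 is looking up a burst of random-looking names; the other entries are benign.
SAMPLE_DNS_LOG = """\
2009-11-04T10:00:01 10.0.0.12 www.example.com
2009-11-04T10:00:03 10.0.0.12 mail.example.org
2009-11-04T10:00:07 10.0.0.44 xk3q9zvw7bh2.com
2009-11-04T10:00:09 10.0.0.44 qpw8rmz2lx0k.net
2009-11-04T10:00:11 10.0.0.44 u7ydz9q1nv4f.org
2009-11-04T10:00:14 10.0.0.12 stackoverflow.com
2009-11-04T10:00:20 10.0.0.44 h4kq8xwv3jpz.com
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character over the observed character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname):
    """Second-level label of a query name. Simplification (assumption): one-label TLDs;
    a production version would consult the public suffix list."""
    parts = qname.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(qname, min_len=10, entropy_threshold=3.2,
                max_vowel_ratio=0.2, min_digit_ratio=0.25):
    """Heuristic: a long, high-entropy label that is also vowel-starved or digit-heavy.
    Entropy alone is not enough: a long real word such as 'stackoverflow' scores above
    3.2 bits, so the vowel/digit condition keeps it from being flagged."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and (
        vowel_ratio <= max_vowel_ratio or digit_ratio >= min_digit_ratio
    )


def suspicious_hosts(log_text, min_hits=3):
    """Map client IP -> number of DGA-like lookups, keeping only hosts at or above min_hits.
    Requiring several hits per host filters the odd odd-looking but legitimate name."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client_ip, qname = fields
        if is_dga_like(qname):
            hits[client_ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in suspicious_hosts(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {n} DGA-like lookups")
```

The thresholds are starting points, not tuned values; in practice the per-host count over a time window matters more than any single name, and a hit list like this is a lead for the incident responder to pull the host and look at it, not a verdict on its own.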

Re:Command & Control (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30576748)

Sophisticated botnets use encryption to verify that the payloads and instructions from the C&C server are genuine. Plus there's the possibility that you'd get in trouble for essentially breaking into people's computers.

Re:Command & Control (1)

hedwards (940851) | more than 4 years ago | (#30577812)

But, requiring greater sophistication reduces the profitability of spamming. Most spammers use non-compliant mail programs for a reason, which is why greylisting has worked so well for so long and will likely be a part of the solution for some time to come. Same thing here, requiring encryption limits the amount of work that a particular computer can do since gumming up a computer tends to draw attention and cause the owner to take it in for a repair.

But the other thing it does is increase the amount of sophistication necessary to create the tools and somewhat increase the cost of getting into the game as well as the cost of staying current.
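The greylisting point in the comment above rests on one behavioural difference: a standards-compliant MTA queues a message that receives a temporary failure and retries later, while a fire-and-forget spam bot typically does not. The following is an added example, not code from the article or from any commenter, that implements a minimal greylist keyed on the (client IP, sender, recipient) triplet and runs it over a constructed scenario with one compliant sender and one bot. The IP addresses, mailboxes, timings and SMTP reply strings are all constructed for the demo; time is passed in explicitly rather than read from the clock so that the behaviour is deterministic.

```python
TEMPFAIL = "451 4.7.1 greylisted, try again later"
ACCEPT = "250 OK"


class Greylist:
    """Minimal greylist keyed on the (client_ip, sender, recipient) triplet.

    A triplet seen for the first time is temp-failed. It is accepted only if the
    client retries at least `delay` seconds later, after which it stays whitelisted
    for `whitelist_ttl` seconds so that later mail from the same triplet is not delayed."""

    def __init__(self, delay=300, whitelist_ttl=36 * 3600):
        self.delay = delay
        self.whitelist_ttl = whitelist_ttl
        self._first_seen = {}          # triplet -> time of first attempt
        self._whitelisted_until = {}   # triplet -> expiry time of the whitelist entry

    def check(self, client_ip, sender, recipient, now):
        key = (client_ip, sender.lower(), recipient.lower())
        if self._whitelisted_until.get(key, -1) >= now:
            self._whitelisted_until[key] = now + self.whitelist_ttl  # refresh on use
            return ACCEPT
        first = self._first_seen.get(key)
        if first is None:
            self._first_seen[key] = now
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL  # retried too early; a compliant MTA backs off and comes back
        self._whitelisted_until[key] = now + self.whitelist_ttl
        del self._first_seen[key]
        return ACCEPT


def run_scenario():
    """Constructed scenario: a compliant MTA retries with backoff; a spam bot sends once."""
    gl = Greylist(delay=300)
    legit = ("198.51.100.7", "alice@example.com", "bob@example.net")
    bot = ("203.0.113.9", "promo@spam.example", "bob@example.net")
    legit_attempts = [0, 120, 720]   # seconds: first try, early retry, retry after backoff
    bot_attempts = [0]               # fire-and-forget: never retries
    legit_results = [gl.check(*legit, now=t) for t in legit_attempts]
    bot_results = [gl.check(*bot, now=t) for t in bot_attempts]
    return {
        "legit_results": legit_results,
        "bot_results": bot_results,
        "legit_delivered": ACCEPT in legit_results,
        "bot_delivered": ACCEPT in bot_results,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The cost of the technique is visible in the scenario too: the legitimate message is delayed until the sender's retry, which is why real deployments whitelist known-good relays and keep the delay short. The comment's other point also follows from the code: a bot that learns to retry gets through, so greylisting raises the spammer's cost rather than closing the door.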

Re:Command & Control (1)

mysidia (191772) | more than 4 years ago | (#30578118)

It's not that hard... there are free encryption libraries, many cheap authenticators, stream ciphers, e.g. Poly1305-AES, Salsa20/8, Curve25519, Rabbit, Blowfish, for actual data. No need to use AES-768 here.

Actually, message encryption isn't required to protect against command hijacking, only digital signing and public key authentication (using a MAC) which is extremely cheap, and easy to do, thanks to open source OpenSSL and also, crypto libraries built into Windows.

Server digitally signs a MAC / message hash with DSA, client authenticates only the hash, then validates the message matches the hash.

I think the only reason botnet operators aren't widely using message authentication, is they know, security researchers rarely go on the offensive, there might be legal issues with tampering with their code, AND:

There's no point in trying to defeat security researchers, with digital signatures.

Security researchers are essentially hackers themselves -- bringing in bloat like cipher code makes it probable the security researchers can find a buffer overflow, or other exploitable element in the botnet code itself, thus the bloat involved to digitally sign things becomes self-defeating.

Re:Command & Control (4, Insightful)

abulafia (7826) | more than 4 years ago | (#30576782)

What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.

Funny you concentrate on a claimed conflict of commercial interest.

It also would have opened them up to a potentially huge legal problem. No matter how carefully coded an uninstaller, the likelihood of some number of machines having problems after being infected by a remover, when talking about .25M machines, is high. Such an action also is criminal computer intrusion in its own right.

No person in their right mind would do such a thing.

Re:Command & Control (4, Funny)

vlm (69642) | more than 4 years ago | (#30576826)

No person in their right mind would do such a thing.

Which makes me all the more surprised that no one has tried.

Re:Command & Control (1)

ceoyoyo (59147) | more than 4 years ago | (#30577078)

There have been several cases of people trying the "helpful malware" trick. The most recent widely publicized incident I remember was the guy who wrote some code to exploit jailbroken iphones with default passwords and replace the wallpaper with a warning to change the password.

Re:Command & Control (2, Interesting)

c6gunner (950153) | more than 4 years ago | (#30577324)

Which makes me all the more surprised that no one has tried.

It's been done on a smaller scale. Back when botnets were still mostly communicating via IRC, I took down a few myself. The difference is that I didn't document the process and then blab about it to the media in order to advertise my security products/services.

Re:Command & Control (2, Insightful)

bragr (1612015) | more than 4 years ago | (#30576934)

Legal implications aside, this is an interesting ethics question. Is it more ethical to interfere with another's property, without permission, to solve a larger problem, or is it more ethical to respect private property and privacy? Surely there are cases for both.

If I remember correctly, sometime in the last year, a security research team from UCSD (I think) hijacked a portion of a botnet to research the success of spam and how botnets operate. I believe that after they finished, they caused the bots under their control to self destruct, and the BBC rented a botnet for an article, both bringing up similar ethical questions.

Re:Command & Control (2, Insightful)

MikeURL (890801) | more than 4 years ago | (#30577212)

The question that I raise when I read stories like this is why does the US Government allow these botnets to operate. Clearly the ability exists to shut them down and it is easy enough to understand why some private group does not want the liability for 250,000 PCs. But one of the sprawling alphabet soup of federal government agencies surely could take on this task.

Re:Command & Control (1)

thejynxed (831517) | more than 4 years ago | (#30577438)

Why shut them down when you can seize control of them and use them yourself?

This is turning a blind eye, my friend.

They make an arrest and get a big article in the paper once in awhile just to say they are doing something, and to justify those tax dollars being added to their budgets.

Seriously, after the recent articles about the Air Force creating their own botnets for "cyberwar" with China or Russia, does this surprise anyone?

Re:Command & Control (1)

Rich0 (548339) | more than 4 years ago | (#30577980)

Yup, I'd certainly have no qualms about the FBI cutting down the waste that is spam by killing botnets. The really big ones don't just sprout overnight, and they are probably easier to take down than they are to build. Most likely the US already has sufficient surveillance on its border routers to trace this sort of thing, and if nothing else they can easily shut out the bot operator and poison the bots' DNS so that they phone home to the FBI.

Liability isn't an issue for the US government. At most you might have foreign governments upset that the US is intruding into systems outside its jurisdiction, but the US probably just needs to tell them that if they don't hack into US computers, the US government won't hack into theirs. For governments that are friendly there could even be cooperative efforts.

Re:Command & Control (2, Interesting)

c6gunner (950153) | more than 4 years ago | (#30577362)

Legal implications aside, this is an interesting ethics question. Is it more ethical to interfere with another's property, without permission, to solve a larger problem, or is it more ethical to respect private property and privacy? Surely there are cases for both.

I don't really see an ethical issue. If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door? Maybe some people would, but they have to be insanely rare. The only issue here is the legal one, and it's not one that can be easily resolved.

Re:Command & Control (2, Interesting)

whoever57 (658626) | more than 4 years ago | (#30577528)

I don't really see an ethical issue. If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door?

What if they got into an accident and wrecked your car on the way to your house? The risk is that any bot removal might have side effects.

Re:Command & Control (2, Insightful)

c6gunner (950153) | more than 4 years ago | (#30577604)

What if they got into an accident and wrecked your car on the way to your house? The risk is that any bot removal might have side effects.

That's a legal issue, not an ethical one. If someone t-bones me at an intersection tomorrow I won't think of them as an evil person, but I will hold them legally accountable.

Re:Command & Control (1)

psnyder (1326089) | more than 4 years ago | (#30578176)

If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door?

Nobody stole the computer. They just infected it. The majority of computers are still usable and the owners don't know they've been infected.

Car analogies break down.

Re:Command & Control (0)

Anonymous Coward | more than 4 years ago | (#30577496)

Is it more ethical to interfere with another's property, without permission, to solve a larger problem, or is it more ethical to respect private property and privacy?

That is a false dichotomy. It is not a matter of solving a larger problem. The question to answer is: Do you defend someone else against certain intrusion of privacy and loss or damage of private property, even if that means you run a small risk of your own actions causing intrusion of privacy and loss or damage of private property? Does the inaction of people with infected computers justify action which may cause further damage to their systems? IMHO it does, but unless someone is attacking you and you're acting in self-defense, such action should only be taken by law-enforcement under authorization of a judge.

Re:Command & Control (1)

mysidia (191772) | more than 4 years ago | (#30578224)

If you see a lamp on the ground and the couch burning through your neighbor's front window, is there a problem with you opening the front door, and dragging a bucket in, to douse the flames?

Yeah, I guess they could have you thrown in jail for barging in like that, and getting some water on their rug....

Re:Command & Control (1)

soundguy (415780) | more than 4 years ago | (#30577136)

It also would have opened them up to a potentially huge legal problem. No matter how carefully coded an uninstaller, the likelihood of some number of machines having problems after being infected by a remover, when talking about .25M machines, is high. Such an action also is criminal computer intrusion in its own right.

No person in their right mind would do such a thing.

Wrong. A motivated person who knew he could not get caught COULD easily do such a thing. And they SHOULD. Any computer that is accessible via any kind of network is subject to intrusion, compromise, and possible complete destruction. That's simply the facts of life. You accept that possibility by connecting your computer to the outside world. It doesn't matter if it gets mangled by Eastern European hackers, well-meaning but inept vigilantes, or government spooks. Whatever happens to it is YOUR fault, whether someone else broke the law or not.

The only "safe" computer is one that hasn't been turned on yet.

Re:Command & Control (0)

Anonymous Coward | more than 4 years ago | (#30577890)

Wrong. A motivated person who knew he could not get caught COULD easily do such a thing. And they SHOULD. Any computer that is accessible via any kind of network is subject to intrusion, compromise, and possible complete destruction. That's simply the facts of life. You accept that possibility by connecting your computer to the outside world. It doesn't matter if it gets mangled by Eastern European hackers, well-meaning but inept vigilantes, or government spooks. Whatever happens to it is YOUR fault, whether someone else broke the law or not.

The only "safe" computer is one that hasn't been turned on yet.

The fact that you are encouraging people to break into and destroy other's data shows that you do not have the maturity to be allowed to do things online on your own.

If I get a new computer, I will need to be online in an unprotected status for at least a few minutes while I download the various antivirus, anti-malware and other security programs in order to properly safeguard myself. If something happens to my computer before I even have a chance to protect myself, is it my fault? Or is it the fault of the asshole malware creator who destroys data belonging to others and causes undue hardship to those affected in order to appease some sadistic worldview?

If you cannot understand this, or if you still think that it is okay to break into other people's systems and wreck things, I have to wonder if perhaps you are one of those that causes so much headache (from trying to get rid of your malware) and heartache (when priceless data such as photographs and video are destroyed) to others online.

Re:Command & Control (1)

hardburn (141468) | more than 4 years ago | (#30577204)

Not so much being out of your right mind, but rather, having sufficiently flexible ethics and keeping a clear image of your goal in mind. Kind of like what Lelouch vi Britannia would do if he ran a security company rather than trying to take over the world.

Re:Command & Control (1)

sjames (1099) | more than 4 years ago | (#30577990)

The big problem is that even if you do it perfectly so that you do no harm whatsoever, the odds are a number of those machines will have unrelated problems that you'll be blamed for.

Re:Command & Control (1)

FictionPimp (712802) | more than 4 years ago | (#30578014)

How many people would even notice. If they have a botnet node running on their machine do you really think they are going to notice if you screw it up more?

Re:Command & Control (1)

Fnord666 (889225) | more than 4 years ago | (#30577992)

What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.

No, what they should have done was hijacked the botnet using the fallback domains and nuked the offending bots from orbit. It's the only way to be sure. Seriously. Distribute a payload that reformats the primary boot partition.

Yeah that's how I read it too (2, Interesting)

Weaselmancer (533834) | more than 4 years ago | (#30576930)

All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.

Obviously this was a temporary solution.

Yeah, it sort of seems like they could have done a better job. If they could get cooperation from the primary ISP of the main C&C controller, and they could even set up honeypots that would accept connections to count the number of computers in the botnet - why not do more than simply remove the command servers?

Why not set up a bogus C&C server to have the botnet erase itself?

I'm not promoting a "format c:" option here (although that would work, obviously) - but why not have the botnet destroy itself once you breach its command structure? Have the botnet pass around a binary that erases the botnet binaries from the infected PC on the next reboot, then force a reboot? The researchers certainly know enough to create such a binary. And they obviously know enough about command parsing if they can make honeypots. Why not go that extra 2% and kill the thing?

The hard work was already done it seems. This botnet could be completely dead, not just disconnected and waiting.

Re:Yeah that's how I read it too (1)

bragr (1612015) | more than 4 years ago | (#30577022)

This makes sense to me, if they have really been studying it to the degree they claim, I'm sure they know every file and registry key associated with the bot, and exactly what each one does. In that position, I don't see why a clean removal, with no collateral damage, would not be possible, especially since the bot wouldn't be trying to defend against the removal.

Signed software. (2, Interesting)

khasim (1285) | more than 4 years ago | (#30577312)

Have the botnet pass around a binary that erases the botnet binaries from the infected PC on the next reboot, then force a reboot?

Because most of them depend upon digitally signed updates now. So you cannot use the zombie code to remove the zombie code unless you first have the key.

Which makes it rather difficult.

On the other hand ... writing a removal routine should be a LOT easier. A clean removal. Removing just the zombie code and ALL of the zombie code.

The problem then would be getting it to run on the zombies.

This is where the ISPs come in. It's easy enough for them to redirect all your traffic to a web page with the removal code available there. And since it is easy enough to identify the zombies, their IP addresses and their ISPs ... that should be easy, right?

Except it would cost the ISPs some money and they won't do that unless someone forces them to spend the money. So it will take a new law requiring them to do so.
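Both mysidia's comment earlier in the thread (the server signs a hash of each command, the client checks the signature before acting) and khasim's point above (signed updates mean the zombie code cannot be fed a replacement binary by anyone who lacks the key) reduce to one verify-before-apply check, and that same check is what protects any legitimate software update channel against a tampered or forged package. The following is an added example, not code from the article, from FireEye or from any commenter. It uses HMAC-SHA256 from the Python standard library as a stand-in for the DSA signature mysidia describes, because the standard library has no asymmetric primitives; with a real signature the verifier would hold only the public key. The keys, version numbers and update bodies are constructed for the demo, and the version-monotonicity check is an addition the comments do not mention: without it a genuine but old package can be replayed.

```python
import hashlib
import hmac
import struct

# Constructed demo keys. With a real signature scheme the publisher would hold a private
# key and clients only the public half; a shared HMAC key is used here for illustration.
PUBLISHER_KEY = hashlib.sha256(b"constructed publisher key, demo only").digest()
OUTSIDER_KEY = hashlib.sha256(b"constructed outsider key, demo only").digest()


def _to_be_signed(version, payload):
    """Canonical bytes covered by the tag: the version first, so the tag binds both fields."""
    return struct.pack(">I", version) + payload


def sign_update(key, version, payload):
    """Publisher side: attach an HMAC-SHA256 tag over (version, payload)."""
    tag = hmac.new(key, _to_be_signed(version, payload), hashlib.sha256).digest()
    return {"version": version, "payload": payload, "tag": tag}


def verify_update(key, package, installed_version):
    """Client side: refuse anything whose tag does not verify under the expected key, then
    refuse re-delivery of a version that is not newer than what is installed (replay /
    rollback). Returns (ok, reason); the payload must not be applied unless ok is True."""
    expected = hmac.new(
        key, _to_be_signed(package["version"], package["payload"]), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, package["tag"]):
        return False, "bad tag"        # payload altered, or tag made with some other key
    if package["version"] <= installed_version:
        return False, "stale version"  # genuine but old: a replay is not an update
    return True, "ok"


def demo():
    """Constructed cases: genuine update, tampered payload, outsider-forged package,
    and a replayed old version. Only the first should be applied."""
    installed = 3
    genuine = sign_update(PUBLISHER_KEY, 4, b"constructed update body v4")
    tampered = dict(genuine, payload=b"constructed update body v4 plus extra bytes")
    forged = sign_update(OUTSIDER_KEY, 5, b"constructed outsider body")
    replayed = sign_update(PUBLISHER_KEY, 3, b"constructed update body v3")
    return {
        "genuine": verify_update(PUBLISHER_KEY, genuine, installed),
        "tampered": verify_update(PUBLISHER_KEY, tampered, installed),
        "forged": verify_update(PUBLISHER_KEY, forged, installed),
        "replayed": verify_update(PUBLISHER_KEY, replayed, installed),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'apply' if ok else 'reject'} ({reason})")
```

Two details carry the weight here: `hmac.compare_digest` keeps the tag comparison constant-time, and the version is included in the bytes under the tag rather than sent alongside it, so an attacker cannot relabel an old package as a new one. The same structure, with the HMAC replaced by a signature over the same canonical bytes, is what a signed-software update channel should look like.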

Wow (0)

Anonymous Coward | more than 4 years ago | (#30576620)

It sounds like Ghost in the Shell-like tactics. Did he do it manually or from his cyberbrain?

Last week I killed seven with one blow... (0)

tyroneking (258793) | more than 4 years ago | (#30576658)

... ants that is...

Re:Last week I killed seven with one blow... (0)

Anonymous Coward | more than 4 years ago | (#30577388)

... ants that is...

You certainly are one primo blower.

Treat the illness, not the symptoms... (1)

Last_Available_Usern (756093) | more than 4 years ago | (#30576660)

All of the effort associated with this, and other endeavors to thwart botnets, would really be better served isolating the primary reason why these botnets continue to be successful and creating new ways to thwart them before they occur. The machines that are infected are still vulnerable. All the original botnet owner is going to do is modify a new botnet to use different domains or IPs and back to life it comes.

Re:Treat the illness, not the symptoms... (2, Insightful)

Paradigm_Complex (968558) | more than 4 years ago | (#30577140)

I'm usually not trying for "insightful" when I quote comedians, but: "You can't fix stupid." - Ron White

As long as there are stupid people out there using computers which are connected to the internet, they'll find a way to get their machines pwned. Unless you're proposing the anti-botnet efforts be directed towards keeping stupid people off internet-connected computers, I don't see a viable way to "treat the illness."

Re:Treat the illness, not the symptoms... (1)

ClosedSource (238333) | more than 4 years ago | (#30577268)

Perhaps "You can't fix stupid" but sometimes you can replace it. The Internet protocols and infrastructure just weren't designed with security in mind. Well designed products/services for consumers don't rely on sophisticated knowledge for safety and efficacy.

Re:Treat the illness, not the symptoms... (0)

Anonymous Coward | more than 4 years ago | (#30577466)

Pretty much what ClosedSource said above me. The issue isn't going to be fixed at the user level, or even the users' OS level, because there will always be people using old, unpatched systems.

The issue has to be resolved at a higher level. The ISPs are the most likely, but assuming local providers can be wrangled into submission, creating a "national firewall" for unwanted sources/traffic makes the most sense. However, that of course would lead to speculation about government abuse (i.e. China v2.0).

Re:Treat the illness, not the symptoms... (1)

Interoperable (1651953) | more than 4 years ago | (#30577996)

As long as people are willing to execute programs with administrative privileges to get free wallpapers there will be botnets. People should be held accountable for damages caused by their machines, wittingly or unwittingly. Unsafe conditions on property are certainly grounds for a negligence charge and municipalities often compel unsafe or even unsightly conditions to be remedied. Electronic conditions should be handled similarly.

Re:Treat the illness, not the symptoms... (3, Interesting)

Requiem18th (742389) | more than 4 years ago | (#30577240)

What illness? Windows? The Windows ecosystem's security is hopelessly broken.

Lots of outdated machines won't upgrade because the upgrades are expensive, and even if they were free they might break software OR compatibility, and even if they are free and don't break compatibility many of these systems use pirate copies of Windows and they aren't going to expose themselves to unexpected lockouts.

No, the solution is implementing a counter-spamming initiative at the ISP level. By counter-spamming I mean spamming the spammers. NO, I don't mean naively counter-spamming their email addresses, I mean spamming their honey pot channels. There was a Thunderbird extension for this: basically it follows the links in the spam message and signs up/buys whatever they ask for, credit card numbers, friend email addresses, SSN, etc., all fake of course. Unlike the source email addresses they use to spam, they DO pay attention to information sent this way, because it is the way they make money. It's their biggest weak point; spam that and you take them out of business.

Arms race (2, Interesting)

Locke2005 (849178) | more than 4 years ago | (#30576686)

Sure, cutting off botnet access to C&C machines works now, but what happens when they adopt a true peer-to-peer control structure, rather than the primitive centralized control structure they are using now?

Re:Arms race (2, Interesting)

winkydink (650484) | more than 4 years ago | (#30576750)

The p2p C&C infrastructure has been talked about since at least 2005. Not much has been seen "in the wild". It has been speculated that this is because a p2p botnet infrastructure has, by its very nature, a much lower efficacy.

Which makes sense if you think about it. (1)

khasim (1285) | more than 4 years ago | (#30577036)

Let's use this botnet as an example. 250,000 zombies. What is the likelihood of finding another zombie with random scanning? Not to mention that not everyone leaves their machines on all the time. And even the machines that are on all the time don't always keep the same IP address. Comcast seemed to change my IP address every month.

Somehow, somewhere, the new code has to be uploaded to the zombies. New spam messages. New address to send the spam to. Patches to the zombie code. No matter how you phrase it, that's Command and Control.

Propagating those updates is simple if all the zombies know them. It becomes very slow if it is random chance that propagates the updates.

Of course, you can speed up the process by having the zombie increase the scans. But then you run the risk of the person complaining that their machine is "slow" and having someone wipe it and re-install it.

A layered approach would be the best for the zombie master. Centralized C&C for speedy deployments with P2P for a fall-back in case the original C&C is unavailable. At least then he could regain control of the zombies.

BUT!!!!!

Why isn't anyone focusing on the domain names? Implement a 1 week wait for new domain name deployments so that the payment has time to clear the bank. That way you'll be able to identify the guy paying for the domain names.

As always, follow the money.

Re:Which makes sense if you think about it. (1)

c6gunner (950153) | more than 4 years ago | (#30577412)

Let's use this botnet as an example. 250,000 zombies. What is the likelihood of finding another zombie with random scanning?

Yah, I know! Although we're really going to be in trouble if someone figures out a way to store IP addresses in some sort of file. Why, if that were to happen, they might even be able to pass the IP lists from one computer to another! I hope that nobody ever comes up with something like that ....

Yeah, you might want to think about that one, too. (1)

khasim (1285) | more than 4 years ago | (#30577572)

Yah, I know! Although we're really going to be in trouble if someone figures out a way to store IP addresses in some sort of file. Why, if that were to happen, they might even be able to pass the IP lists from one computer to another!

Given that the majority of zombies are on home ISP networks (such as Comcast), all it would take to defeat that would be for Comcast and others to rotate the IP addresses by 1 whenever the zombie traffic becomes problematic.

So the list of IP addresses becomes useless and the zombies have to fall back to random scanning.

Last week your IP address was 10.10.10.10? This week it is 10.10.10.11. So none of the other zombies can find you at the old address.

Re:Yeah, you might want to think about that one, t (1)

c6gunner (950153) | more than 4 years ago | (#30577858)

Given that the majority of zombies are on home ISP networks (such as Comcast), all it would take to defeat that would be for Comcast and others to rotate the IP addresses by 1 whenever the zombie traffic becomes problematic.

Yuhuh. So since most guns are owned by law-abiding citizens, all it would take to stop murder-by-shooting is to make it illegal, right?

I'm not trying to be a smartass ... actually, yeah, I am, but seriously ... even if 99% of bots were on Comcast, and even if you could rotate all 99% of addresses all at once ... that still leaves 2,500 bots out there whose addresses will remain the same. The botnet could restructure itself in a matter of hours.

Re:Arms race (1)

MadnessASAP (1052274) | more than 4 years ago | (#30577044)

Then we are all truly fucked.

Or alternatively the internet becomes a whole lot more fun as we learn to take control of parts of the botnet by hijacking these p2p links.

Re:Arms race (2, Insightful)

mysidia (191772) | more than 4 years ago | (#30578242)

I think it's so hard to develop a good peer-to-peer network structure that it might not happen.

There aren't that many truly peer-to-peer networks that have ever succeeded.

I'd say the Internet itself, but even the Internet has to have DNS...

Something central has to give you a starting point, at least.

I've yet to see any peer to peer network technologies that don't require a "seed list" of some central nodes to initially connect to the network.

Antibiotic abuse (1)

gmuslera (3436) | more than 4 years ago | (#30576818)

Only the really strong, and the ones that managed to evolve, will survive. And without the competition of the "weak" ones, they will prevail, leaving you with no tool to get rid of them. Darwin has precedence over Moore.

Re:Antibiotic abuse (1)

TubeSteak (669689) | more than 4 years ago | (#30576994)

Only the really strong, and the ones that managed to evolve, will survive. And without the competition of the "weak" ones, they will prevail, leaving you with no tool to get rid of them. Darwin has precedence over Moore.

The only problem with your analogy is that, generally speaking, the good guys own the middleground.
We may not control the hardware that is getting botted, but we do control the DNS and we do control the ISPs.
The blackhats have no choice but to go through hardware we control in order to reach their target.
It's just a matter of marshalling the resources we have in order to close down (domestic) botnets.
Unfortunately, it'll still be just a game of whack-a-mole until all versions of Windows in use have robust security.
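The "we control the DNS" point above is where a provider can actually act. Once a takedown team has sinkholed a botnet's C&C domains, the resolver logs show which customer IPs are still trying to reach them. The following is an added example, not code from this thread or from FireEye: it parses BIND-style query log lines and groups clients by the sinkholed names they looked up. The domain list and the log lines are constructed placeholders (the `.invalid` TLD is reserved and never resolves), not real Mega-D indicators.

```python
"""Triage resolver query logs for clients that look up sinkholed C&C names.

Added example for the thread above; the domains and log lines are constructed
placeholders, and the BIND-style log layout is an assumption about the format
a provider's resolver would write.
"""
import re
from collections import defaultdict

# Constructed placeholder C&C domains (not real Mega-D indicators).
SINKHOLED_DOMAINS = {"cnc-example-1.invalid", "cnc-example-2.invalid"}

# Constructed BIND-style query log excerpt: three customer IPs, two of which
# query sinkholed names (one with a trailing dot and mixed case, which real
# logs do contain).
SAMPLE_LOG = """\
12-Nov-2009 10:01:02.123 client 10.0.0.5#51234: query: cnc-example-1.invalid IN A + (10.0.0.1)
12-Nov-2009 10:01:03.456 client 10.0.0.7#51235: query: www.example.com IN A + (10.0.0.1)
12-Nov-2009 10:01:04.789 client 10.0.0.5#51236: query: cnc-example-2.invalid IN A + (10.0.0.1)
12-Nov-2009 10:01:05.000 client 10.0.0.9#51237: query: CNC-Example-1.INVALID. IN A + (10.0.0.1)
12-Nov-2009 10:01:06.000 client 10.0.0.7#51238: query: mail.example.org IN MX + (10.0.0.1)
"""

# Pull the client IP, the queried name and the record type out of one log line.
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")


def normalize(name):
    """Canonicalize a DNS name: strip the trailing dot, fold case."""
    return name.rstrip(".").lower()


def is_sinkholed(name, sinkholed):
    """True if name is a sinkholed domain or a subdomain of one."""
    return name in sinkholed or any(name.endswith("." + d) for d in sinkholed)


def find_suspect_clients(log_text, sinkholed=SINKHOLED_DOMAINS, threshold=1):
    """Map client IP -> sorted list of sinkholed names it queried.

    threshold: minimum number of distinct sinkholed names before a client is
    reported, so a single stray lookup (a researcher, a curious user) can be
    filtered out by raising it.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        name = normalize(m.group("name"))
        if is_sinkholed(name, sinkholed):
            hits[m.group("ip")].add(name)
    return {ip: sorted(names) for ip, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for ip, names in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(ip, "->", ", ".join(names))
```

The output is a list of customer addresses to notify or walled-garden, which is the cheap version of what khasim proposes above: the provider only has to act on clients its own resolver has already seen talking to a known sinkhole, not inspect packet contents.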

Re:Antibiotic abuse (1)

Arancaytar (966377) | more than 4 years ago | (#30577898)

until all versions of Windows in use have robust security

That's from some verse in the Book of Revelation, isn't it?

Re:Antibiotic abuse (1)

taustin (171655) | more than 4 years ago | (#30577434)

Are you referring to the criminals running the botnets, or to the crusaders who combat them? Because if your evolutionary pressure applies to one, it certainly must apply to the other.

shows it's possible (4, Interesting)

Gothmolly (148874) | more than 4 years ago | (#30576892)

1 guy, in 2 weeks, trashed a botnet. Why again can't major ISPs do this? Oh wait, they're getting paid to look the other way by their colocation clients (the spammers).

Re:shows it's possible (1)

emilper (826945) | more than 4 years ago | (#30577210)

yeah, right, the ISPs are greedy bastards ... now, please, tell me, how would an ISP know that one of the dedicated servers it sold, or one of the colocated servers it hosts, is a C&C server for a botnet? Please, don't tell me they should look inside the packets, or plot traffic, destinations etc. ... that's invasion of privacy at best, industrial espionage at worst, and I would not want to host my servers with an ISP that does that on a regular basis.

Until C&C data bounced around by botnets looks radically different from legitimate traffic from, for example, a SOAP server, ISPs cannot do police work. Know an ISP that hosts botnet-related servers? Please, tell them: they will be quite grateful to kick the bastards out and rent the space to companies that need a vanity page.

Re:shows it's possible (1)

element-o.p. (939033) | more than 4 years ago | (#30577288)

Seconded.

I used to work at an ISP with a rather...ummm...rabid...abuse administrator. The dude literally had a zero tolerance policy towards spam from our network. I saw him shut down a number of Internet customers who probably had no intention of violating our AUPs, and (IMHO, at least) had no idea why what they were doing might be frowned upon.

Then we got a several-thousand dollar a month customer who claimed that he wanted to build a VoIP network, but either 1) did not understand anything at all about network security or 2) was lying about the primary source of income for his servers. His servers were hacked (so he says) about once a month, and every time I tried to shut down his network, I was told to reenable his account because he had "fixed the problem". Yeah, right.

Money talks, unfortunately.

Re:shows it's possible (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30577328)

At least one professional security researcher, with the resources of a professional computer security firm spent two years studying the way a particular botnet worked. At the end of that, he and two professional security colleagues, along with however many people at various ISPs and domain registrars, worked to suppress the activities of the botnet. The continued suppression effort is planned to be handed off to a group of volunteer computer security professionals.

One guy in two weeks did not trash a botnet.

Is Spam really that evil? (3, Insightful)

tjstork (137384) | more than 4 years ago | (#30577018)

I'm only asking, because, as much as we hate botnets and trojans and malware, that, any sort of world capable of rapidly sniffing out and squelching "bad" content is a world that is capable of sniffing out and squelching out "any" content. Perhaps in this case, just as many of us accept some combination of deaths from gun violence, abortions, incendiary speech, and family breakdowns and other things, that come as a consequence of the misuse of freedom, might accept spam as a misuse of freedom too, rather than try and trade it all for a world that has no freedom at all.

Re:Is Spam really that evil? (0)

Anonymous Coward | more than 4 years ago | (#30577108)

OTOH without a constant arms race between the censors and the spammers, we won't have the necessary tools for either.

What is "evil"? (2, Insightful)

khasim (1285) | more than 4 years ago | (#30577120)

I'm only asking, because, as much as we hate botnets and trojans and malware, that, any sort of world capable of rapidly sniffing out and squelching "bad" content is a world that is capable of sniffing out and squelching out "any" content.

It isn't the content. It's the volume (number of messages in this case).

You can say whatever you want. But when you start flooding mail servers with your messages, you've lost the moral high ground.

Now as to whether blocking zombies is the same as sorting through the content of email messages ... if you're worried about that I recommend encryption. There are lots of forms of encryption available.

Perhaps in this case, just as many of us accept some combination of deaths from gun violence, abortions, incendiary speech, and family breakdowns and other things, that come as a consequence of the misuse of freedom, might accept spam as a misuse of freedom too, rather than try and trade it all for a world that has no freedom at all.

That's a rather extreme jump. So far I haven't seen anyone proposing that we surrender all of our Freedoms.

Re:What is "evil"? (0)

tjstork (137384) | more than 4 years ago | (#30577186)

That's a rather extreme jump. So far I haven't seen anyone proposing that we surrender all of our Freedoms

Oh I think I've probably posted in favor of instituting IPv6 and mandatorily identifiable IP addresses, executing spammers, torture for passwords, and worse. Now I'm just arguing the opposite side of the coin as it's worth exploring.

Re:Is Spam really that evil? (0)

Anonymous Coward | more than 4 years ago | (#30577192)

Cost out per person per minute per machine for the billion or so people affected with this shit. Add in the costs of all the software people use to reduce spam, add in the costs of people installing, updating, maintaining this anti-spam software for every company or home machine that uses it. Add in the costs of delayed mail, false positives etc. Spam has nothing to do with freedom; no legitimate company will use it as a marketing tool. Spam isn't unwanted adverts; you can opt out of legitimate company campaigns. Spammers do not send from their own email addresses, they fake the headers to pretend to be from someone else; this is pure fraud. Guess who gets the bounced mail? Yup, the victim of the domain fraud. If you're still stuck with dial up and find your email address has been used as a sender by a spammer, you can lose your net connection because so much shit is bouncing back to you; your pipe is effectively fscked by the crap coming in. I could go on far longer. Follow the money: the company ultimately processing the transactions should be treated as part of the spammers' networks. Hit them with fines, massive fines; this will allow class action suits against them. They'll soon hand over affiliates getting commission. These in turn can do jail time, 1 day per spam.

Re:Is Spam really that evil? (1)

Paradigm_Complex (968558) | more than 4 years ago | (#30577304)

Abortion is complicated, but the aspect of the other things you've mentioned, such as gun violence, which makes them evil is that they (unjustly) hurt others. The reason the possibility is allowed is because there are justified uses for these actions/tools that don't (unjustly) harm others. For example, guns: target shooting doesn't hurt anyone, and self-defense is justified. There is no aspect of spam which makes the possibility of spam acceptable. It actively harms others... and that's it.

You're right that action against spammers could be used against "good guys," but that alone isn't enough to make it unacceptable. Things which stop murders and rapists can also be used to stop "good guys," but are necessary nonetheless.

There is a line which shouldn't be crossed in the name of stopping it - raping and killing someone's family members as torture to force someone to find the ISP of a spammer, for example, isn't justified. But the actions described in TFA are certainly acceptable against spam, even if the same actions could be used against the innocent.

Yes, spam really is that evil, and it should be stopped.

Re:Is Spam really that evil? (1)

hardburn (141468) | more than 4 years ago | (#30577320)

In the office, every spam message that pops up has to be checked by the worker and deleted. This is a small cost for each individual message, but when you receive thousands per day (which you easily can) it all adds up to a whole lot of people-hours.

Plus, there's the administrative and hardware cost of the extra traffic, which is a significant percentage IP traffic these days.

Re:Is Spam really that evil? (1)

FictionPimp (712802) | more than 4 years ago | (#30578048)

I'm surprised spam is really still an issue. I have not seen a spam message in my personal or work email accounts in at least a year.

It all stopped once we moved our mail to google.

Re:Is Spam really that evil? (1)

FictionPimp (712802) | more than 4 years ago | (#30578056)

Granted, my spambox has hundreds of messages in it, but I never see them. I haven't had a false positive either.

If no one ever sees the spam, what is the point of sending it?

Re:Is Spam really that evil? (0)

Anonymous Coward | more than 4 years ago | (#30577470)

Perhaps in this case, just as many of us accept some combination of deaths from gun violence, abortions, incendiary speech, and family breakdowns and other things, that come as a consequence of the misuse of freedom, might accept spam as a misuse of freedom too, rather than try and trade it all for a world that has no freedom at all.

None of your examples are consuming 75% to 95% of the available resources at any given time.

Re:Is Spam really that evil? (0)

Anonymous Coward | more than 4 years ago | (#30577542)

Well, considering how some of the 409 spam has led to significant financial loss and death, I'd say it can be. However, I won't say that it *is* because people who act upon those messages had the choice to think about their decisions before making them.

Re:Is Spam really that evil? (1)

Daley_G (1592515) | more than 4 years ago | (#30577780)

...and you're right. Consider the local library's "freedom" to the public internet. You can't do squat on those machines - either legitimate or not - because they're locked-down. You're granted a small bit of "freedom" in exchange for a high level of immunity. On the other hand, not running any sort of antivirus, spam filter or firewall means you have complete, unrestricted access, but at a penalty. Sure, modern society is capable of stopping the bad guys, but at what cost? I don't want my ISP filtering my access any more than I want my government telling me who to work for.

Athletic Doping Metaphor (1)

MarkvW (1037596) | more than 4 years ago | (#30577138)

The USOC once gave max due process to suspected drug cheats. Dopers would get off for the stupidest reasons. Now, the focus has shifted to a 'you are responsible for the content of your own body.' This has been good for sport.

Just like a polluted athlete pollutes his sport, so does a bot pollute the internet. Suspending access is not a question of right or wrong, it is a question of ensuring the integrity of the network.

The world will get to that place sooner or later.

In related news .... (4, Funny)

PPH (736903) | more than 4 years ago | (#30577746)

... botnet sends android back in time to kill researcher's mother.

Fines to cure malware? (1)

Interoperable (1651953) | more than 4 years ago | (#30577796)

I wonder if fines could be an effective solution to botnets. Certainly the only way to treat the problem is to make people responsible for what their computers are up to. If people were held accountable for spam sent from their machines and were fined appropriately they may be more inclined to watch what ends up on their machines.

Of course, there's a theme among the non-"tech-savvy" public to utterly refuse to understand how the technology they use works. Fines on bots would likely be a boon for virus scan companies but other efforts may be required to convince the general public to care. What's needed is less focus on ill-defined "threats" and more on general understanding.

The role of Microsoft (1)

dhammabum (190105) | more than 4 years ago | (#30577960)

I see nothing here about what I see to be one of the primary culprits. Microsoft has consistently produced easily exploited, vulnerable software. And they run services and programs with full system access. Sure, they have improved somewhat lately, but they continue to include legacy code in SMB and probably in Office and IE; the whole code base is no doubt riddled with it. No way you should be able to compromise a system with just a document or a web page.

There are enough vulnerabilities in Linux and MacOS, no doubt, but not such easy meat as Windows.

An idea: (0)

Hurricane78 (562437) | more than 4 years ago | (#30578016)

If the botnet client runs on your own computer... then by definition, your own CPU interprets the list of commands that it resembles.

So nothing can stop you from modifying that program in-place, so it infects all other clients too, until the whole botnet is yours. At least if the clients have some update mechanism.

With a bit of luck, you could even trick the original “owner” into getting infected by your own trojan horse, find out all contact / address data on his system, where he lives, and either send him the cops, or beat him up.
I’d choose: Gay child porn with dead animals on his computer, and then the cops beating him up. ^^

More questions than answers (1)

Earthquake Retrofit (1372207) | more than 4 years ago | (#30578128)

I still don't see why the company that makes the penis pills isn't arrested. Why do I hear ads for e-mail marketing services on NPR? A non-governmental approach would be to convince 'legitimate' businesses that their profits are at risk from spam. Trillion dollar multi-nationals might not be averse to extra-judicial means.