
Waledac Botnet Now Completely Offline, Experts Say

kdawson posted more than 4 years ago | from the it's-dead-jim dept.


Trailrunner7 writes "After Microsoft's actions to take down the Waledac botnet last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero. One researcher said that Waledac now seems to be abandoned. 'It looks crippled, if not dead,' said Jose Nazario, a senior security researcher at Arbor Networks."


When the stars are once again right... (5, Funny)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31500020)

That is not dead which can eternal lie.

And with strange aeons even death may die.

Re:When the stars are once again right... (5, Funny)

GuJiaXian (455569) | more than 4 years ago | (#31500142)

If spam was about Cthulhu, I probably wouldn't mind it so much. If spam *is* Cthulhu, well, I'm avoiding the Hormel section at the grocery store from now on.

Re:When the stars are once again right... (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31500172)

"They were not composed altogether of flesh and blood. They had shape...but that shape was not made of matter."

Might want to stay away from the spam...

Re:When the stars are once again right... (0)

Anonymous Coward | more than 4 years ago | (#31501014)

Wait...so the botnets emanated from the eternal abyss?? It all makes sense now...

Those crazy gnostics!

Re:When the stars are once again right... (1)

Rakishi (759894) | more than 4 years ago | (#31501728)

So how much sanity do spam filters have and what happens when it runs out?

Re:When the stars are once again right... (4, Funny)

lastchance_000 (847415) | more than 4 years ago | (#31500506)

In Soviet R'lyeh, spam eats you!

Re:When the stars are once again right... (1)

Dachannien (617929) | more than 4 years ago | (#31503100)

If spam *is* Cthulhu, well, I'm avoiding the Hormel section at the grocery store from now on.

The Cthulhu, ham, eggs, and Cthulhu hasn't got much Cthulhu in it.

tell microsoft to *stop* fixing bugs (1)

h00manist (800926) | more than 4 years ago | (#31500854)

Now they want to kill spam and viruses. Sheesh. I thought they were all about generating jobs, not killing them. If they keep killing botnets and viruses and stop creating widely-deployed web browsers and operating systems with no reliability and security, who's going to keep paying us to keep fixing these things all the time? Tell them to bring back win98 and the com2: irq conflicted dial-up modems. That was great, generated tech calls all day long. At least we have usb, fast-mutating, and browser-installed viruses now.

Bu$ine$$ Opportunity (1)

zkp (1634437) | more than 4 years ago | (#31501690)

Dear Sir or Madaam:

My name is John Waledac. I am the designer and owner of a profitable spam company. Recently, my company has fallen upon hard times as several of our servers have broken down. We have the funds to replace these servers, but it will take several weeks to transfer the funds from our bank in Nigeria. This delay could cost our company thousands of dollars. This is where you come in. I am seeking investors to loan up to $100,000 for the purchase of new servers. When the funds from Nigeria arrive you will be reembursed with 20% interest. This whole process should be fully accomplished within 25-30 working days, further information will be given to you as soon as I receive your positive response via e-mail or telephone. If you are interest urgently reach me through the above stated email,telephone numbers to enable me give you the full details of this transaction and how it is going to work out. If you decide to invest I need you to send me

1. Your Name and Address
2. Your Telephone Number
3. The Amount You Wish to Invest
4. Your bank account number

Sincerely,

John Waledac

Tel:011234-8035647626.

NB: Kindly send further correspondence to jwaledac@fastermail.com

Re:tell microsoft to *stop* fixing bugs (2, Interesting)

Lotana (842533) | more than 4 years ago | (#31502758)

While the parent is intended as a joke, the idea that quality software will put people out of work is quite widespread among people in IT. Which is quite a sad state of affairs as it is such an obvious case of a broken window fallacy. [wikipedia.org] Rather than spending resources on fixing up damage, it is much more productive to direct them to the creation of new things or to modifying existing ones to better meet demand.

Is the source of this attitude the built in obsolescence idea from manufacturers? Do developers really think that once the perfect software is delivered the requirements will never again change and never need to be modified? Do they not enjoy adding new features and solutions, and would rather spend their time fixing the broken parts of releases? Even the support personnel should realize that there would still be a need for them in order to answer questions of the new users.

Microsoft kills competition (0, Troll)

SnarfQuest (469614) | more than 4 years ago | (#31500032)

So Microsoft just killed off one of its competitors. Now their "security update" messages will be able to get through easier.

Re:Microsoft kills competition (1)

Alwin Henseler (640539) | more than 4 years ago | (#31500486)

Competitors? More like it kicked a parasite off its back.

Still however useless (4, Insightful)

0racle (667029) | more than 4 years ago | (#31500062)

question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections

I think everyone knew the answer was, no it will not have an effect on spam levels or malware infections. Oh it succeeded in taking the botnet offline, MS did something real here, but taking just one offline doesn't mean much.

Re:Still however useless (3, Interesting)

Volante3192 (953645) | more than 4 years ago | (#31500270)

Useless in what way? Sure, on a global scale spam is still rampant, but they did show the tactic used has promise and worth pursuing.

True, we can't say for certain whether the tactic actually cut the head from the body or if operations were just moved to a new botnet and the original Waledac CENTCOM let MS think they had their victory but it's something, which is a little bit more than we had prior.

Re:Still however useless (3, Insightful)

Moryath (553296) | more than 4 years ago | (#31500606)

Sadly true. Waledac might have been a "mature and no longer really expanding" botnet. Botnets do have a certain shelf-life before they start to die through attrition; either the maker comes up with a new propagation method (virus/etc), or it hits a point and stops really expanding, followed by the slow inevitable decline as machines die, or get reformatted, or get overwritten by a newer botnet. There have been botnets that targeted other botnets for invasion/absorption quite a few times.

If this can help catch and destroy botnets earlier on, it might be more effective.

The better goal should, of course, be to make systems (and users) more spam-proof. User education would be a good start, as would home ISPs putting everyone's computers behind a proper NAT rather than using cable modems that expose the user to the naked wild. I've seen more home users who "just put up with" what would seem to be obvious virus/problem behavior merely because they were terrified of having to back up their data or reformat...

Re:Still however useless (1, Informative)

Anonymous Coward | more than 4 years ago | (#31500778)

putting everyone's computers behind a proper firewall

Fixed that for you.

Re:Still however useless (1)

Sir_Lewk (967686) | more than 4 years ago | (#31501420)

Really. People need to learn that 'stateful firewall' and 'NAT' are two completely different things. Especially with IPv6 hopefully being deployed en masse sometime this century.

Re:Still however useless (1)

LordLimecat (1103839) | more than 4 years ago | (#31502050)

NATs provide many of the same benefits as a firewall, and most NAT-ing devices have an SPI firewall included. Ever wonder what that "enable SPI" function on a Linksys does?

AFAIK NAT is as much protection as the average home user needs -- they won't know how to get a more serious firewall working properly (ever try to show a user how to configure one of those software firewalls to allow their favorite app?), and viruses will find a way around software firewalls anyway (i.e., bypassing them with kernel-level hijinks). The main thing is to make sure the standard Windows management ports aren't directly probeable over the web.

Not to mention that Windows XP SP2 and up already HAVE firewalls, and the Vista / 7 ones are actually pretty decent.

Re:Still however useless (1)

HolyCoitus (658601) | more than 4 years ago | (#31503604)

NAT and SPI will serve the same purpose in this instance. However, NAT is not required for SPI and is not interesting in a firewall discussion IMO.

NAT merely creates a situation where the packets run into a dead end if not explicitly told to go someplace. SPI is the opposite, where a dead end is created explicitly for a packet that would normally be forwarded.

NAT in all but niche cases serves no purpose with IPv6. A firewall set to filter all inbound packets would serve the same purpose as NAT does today without an added layer of complication.
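The policy the last few comments describe (drop every inbound packet that is not a reply to something an inside host started, with no address rewriting at all) as a small model, added here as an example and not code from any poster. The packet trace is constructed; the addresses are documentation prefixes, and the inside host keeps its own global IPv6 address end to end, which is the point: the protection comes from the connection table, not from NAT.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet is a reduced 4-tuple for this model (constructed, not a real capture).
type Packet struct {
	Src, Dst netip.AddrPort
	Inbound  bool // true when the packet arrives from the Internet side
}

// flowKey identifies a conversation by its inside and outside endpoints.
type flowKey struct {
	inside, outside netip.AddrPort
}

// StatefulFilter is the "filter all unsolicited inbound" policy. It keeps a
// connection table and nothing else; addresses are never rewritten.
type StatefulFilter struct {
	flows map[flowKey]struct{}
}

func NewStatefulFilter() *StatefulFilter {
	return &StatefulFilter{flows: make(map[flowKey]struct{})}
}

// Process returns true if the packet is forwarded and false if it is dropped.
func (f *StatefulFilter) Process(p Packet) bool {
	if !p.Inbound {
		// Outbound traffic is always allowed and creates state for the reply.
		f.flows[flowKey{inside: p.Src, outside: p.Dst}] = struct{}{}
		return true
	}
	// Inbound traffic is forwarded only if an inside host started the flow.
	_, known := f.flows[flowKey{inside: p.Dst, outside: p.Src}]
	return known
}

// Trace runs a constructed packet sequence through a fresh filter and returns
// one verdict per packet, so the policy can be checked without a real network.
func Trace() []bool {
	host := netip.MustParseAddrPort("[2001:db8:1::10]:51000") // home PC, global address
	smb := netip.MustParseAddrPort("[2001:db8:1::10]:445")    // same PC, Windows file sharing port
	web := netip.MustParseAddrPort("[2001:db8:2::80]:80")     // a web server the user visits
	scanner := netip.MustParseAddrPort("[2001:db8:bad::1]:40000")

	f := NewStatefulFilter()
	packets := []Packet{
		{Src: scanner, Dst: smb, Inbound: true},  // unsolicited probe of port 445: dropped
		{Src: host, Dst: web, Inbound: false},    // user opens a connection: allowed, state created
		{Src: web, Dst: host, Inbound: true},     // server's reply: matches state, allowed
		{Src: scanner, Dst: host, Inbound: true}, // scanner hitting the same port: no state, dropped
	}
	verdicts := make([]bool, len(packets))
	for i, p := range packets {
		verdicts[i] = f.Process(p)
	}
	return verdicts
}

func main() {
	fmt.Println(Trace()) // [false true true false]
}
```

A real stateful firewall also ages entries out and tracks TCP state more carefully, but the verdict on the port 445 probe is the same either way: the inside host's real address is reachable on the wire, and the packet is still dropped because nothing inside asked for it.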

Re:Still however useless (1)

twidarkling (1537077) | more than 4 years ago | (#31500276)

but taking just one offline doesn't mean much.

Actually, it does. It means that a botnet CAN be defeated. We constantly see stories about how control servers are up and going again hours or days after some are taken offline. A good step to solving the problem is proving that a solution can actually exist.

Re:Still however useless (4, Insightful)

plover (150551) | more than 4 years ago | (#31500310)

This was a lot larger than taking down a rogue host. This is 1,500,000,000 fewer spams per day on the net.

Cut out two billion spams here and there and pretty soon you're talking about real effectiveness.

Sure, they could probably do more, but every journey begins with a single step. Shut down the easy ones first. Pick the low-hanging fruit. Then go back and take down another, and another. At this point it could be all they could get done in a short amount of time, and in any case it's still a good start.

Re:Still however useless (0)

Anonymous Coward | more than 4 years ago | (#31500570)

They could also be just exercising out how to do this. What went right what went wrong etc....

Re:Still however useless (1)

ircmaxell (1117387) | more than 4 years ago | (#31500652)

And to be fair, the Bot-Nets could be using this as an exercise as well... The Hydra can only ever be killed if there exists a root node. If there is no head, killing one will have no effect on the whole (As multiple more would spring up in its place)...

Re:Still however useless (2, Insightful)

maxume (22995) | more than 4 years ago | (#31500906)

Except the malware writers are not mythical creatures, they have real world considerations.

So improving security practices and doing the work to eliminate existing bots can actually make a difference.

Re:Still however useless (5, Insightful)

Alwin Henseler (640539) | more than 4 years ago | (#31500330)

As long as the source of the spam/malware problem isn't held accountable, nothing much will change.

The ultimate source (not cause!) of this problem is of course users that get spam, and then go on to send money to the folks that spammed them. But next in line are those companies that use spam, spread through malware-infected PC's, to sell their products (or sell worthless/dangerous crap, for that matter). Such shady companies should be put out of business, their CEO's thrown in jail ASAP (through whatever -legal- means), and profits confiscated to support the anti-spam operation.

Focussing on botnets is a good thing, but IMHO useless. Focussing on the folks running them is better, but the next botnet-operator-wannabee will step right in. Instead, efforts should focus on the businesses paying these fuckers.

Re:Still however useless (2, Insightful)

David Jao (2759) | more than 4 years ago | (#31501396)

The ultimate source (not cause!) of this problem is of course users that get spam, and then go on to send money to the folks that spammed them. But next in line are those companies that use spam, spread through malware-infected PC's, to sell their products (or sell worthless/dangerous crap, for that matter). Such shady companies should be put out of business ...

The majority of spam today does not conform to this model. A 419 scam [wikipedia.org] leads to Nigeria, where anti-spam laws do not apply. Stock spam [wikipedia.org] promotes a company, but the company being promoted is neither responsible for the spam nor profits from it. Even for the small minority of spam that does directly promote a company product, your proposal accomplishes nothing other than to open up a new way for enemies of a company to anonymously destroy said company: namely, simply send out forged spam to promote the company's products, and wait for the police to put the (innocent) company out of business.

Spam is a hard problem to solve. Almost anything you can think of will have been tried before, and won't work.

Re:Still however useless (1)

LordLimecat (1103839) | more than 4 years ago | (#31502154)

What about Blue Frog [wikipedia.org] antispam? Seemed to work well enough to get a ton of spammers to DDOS them off the map, not to mention the reports of backbone router tampering. I remember when this was going on, and the size of the attack was pretty staggering.

Sure, spam has changed since then, and a lot of the websites that are offered via spam disappear very quickly, but a solution that harnesses the collective power of users to effectively perform a legal DDoS on networks originating spam seems like a very powerful solution to me.

Re:Still however useless (2, Interesting)

stonewallred (1465497) | more than 4 years ago | (#31502624)

If the US government was serious about ending spam, it could be done easily. Of course the government is not interested, but the capabilities are there. Most bot-net operators are not nameless, faceless shadows. They just live in places that will not prosecute them or cooperate with the US. If Microsoft or Google slapped 1 million dollar bounties on the fuckers if they are delivered to US soil, the bot-nets would shut down so fast your head would spin off.

Re:Still however useless (5, Interesting)

IamTheRealMike (537420) | more than 4 years ago | (#31500588)

There aren't that many botnets out there. I think most reputable observers peg it at around 6 or 7 big ones, from a spam perspective anyway. So taking one down is actually pretty awesome. Remember when McColo disappeared and spam levels dropped massively overnight? It wasn't that McColo itself pumped out spam, it was that the botnet C&C servers lived there.

As somebody who actually has to deal with the impacts of large botnets as part of my job at Google, I'd like to congratulate and thank the guys at Microsoft for this victory. Whether it has a noticeable impact on spam or not, it sends a powerful message to people thinking of making their own botnet - it can all end suddenly.

Building and maintaining a botnet is already pretty hard work .... between AV firms, Microsoft's MSRT, users noticing problems and wiping the OS, removals by rival botnets and generally improving PC security, botnet building has gone from something every man and his dog was doing to something very few can do well. Hardly any botnets become big. Most abuse I deal with comes in via bots that are apparently being shared or rented out to different (sometimes competing) spammers. That's an encouraging sign.

Re:Still however useless (0)

Anonymous Coward | more than 4 years ago | (#31502320)

The thing is if you succeed in taking out the C&C servers you'll just end up with a distributed C&C algorithm. At which point it becomes a race of who has more resources and since the guys with the botnet infected the computers initially only need have a list of the computers to connect to some of them... well, you are screwed.

Re:Still however useless (1)

Lotana (842533) | more than 4 years ago | (#31502932)

So what is your solution to combating global spam problem?

Do you propose that security researchers go after thousands upon thousands of infected hosts? How would you clean them out when they are located in another jurisdiction? I hope you realize that they can't just DoS it down as it could be doing some vital tasks (For example if a machine in a hospital is infected).

And the problem can't be fixed with educating the user, because they don't care and don't want to care. See dancing pigs problem. [wikipedia.org] It really does not matter what operating system they use, as a user is more than happy to provide the root password in order to get what he/she wants.

Going after the head of the botnet sounds like the only logical choice left. It is a lot easier to investigate and offline five control machines rather than thousand of infected hosts. Will this end up with more sophisticated botnets? Of course. But it is better than doing nothing at all!

Re:Still however useless (1)

plover (150551) | more than 4 years ago | (#31508824)

The "infected hospital PC" problem is one we've talked about before. It's worth going over again so people understand why sending a cleanup message is not the best idea.

The scenario is that a good Samaritan wants to send a "clean-out-the-infection" message through the botnet to all infected hosts, and a lifesaving machine in a hospital is infected. Some preliminary assumptions to make are that the good Samaritan has no way of contacting the machine's owner to determine if it's a mission critical or lifesaving machine, and has no way to advise them of the existence of the malware.

The lifesaving machine can be in one of three states: 1) fully operational as designed and desired (no infection) 2) partially operating (infected but usable) 3) bricked.

I would suggest that restoring the machine to state 1 is technically impossible. There is no way to determine how much the bot impacted configuration changes while it was active. Maybe it prevented a software patch that the machine owner thought was installed correctly. In any case we know it's not a guarantee -- many PCs never properly uninstall software even when the application is cooperative, let alone hostile malware designed to resist uninstallation.

Most of us would categorize the infected machine in state 2 - partially operating, but compromised in some way. In this case the attempt to remove the infection might leave it in a similar state, possibly worse, possibly better. For purpose of categorization, we can rank them by the probability that the machine can properly perform its lifesaving function. Let's say the manufacturer's spec is for it to perform 99.99% of the time. An infected machine might perform correctly 95% of the time. A post-infection cleaned up machine might perform correctly 99% of the time, or it might perform correctly 50% of the time, or even 0% of the time.

State 3 means that the good Samaritan intentionally created a Denial of Service situation. The potentially life-saving machine is discovered to be an unusable brick while the patient is in emergency need of treatment.

Finally, keep in mind that the good Samaritan doesn't personally know the outcome of any given machine's remote repair. He has no way of determining if the repaired machine ended up in state 1 or 2.

Since the good Samaritan cannot guarantee that the machine will end up better than it was, he should not risk making it worse. The ethics of the situation are such that the best outcome the good Samaritan can do is to kill the command and control network, and leave the individual machine owners responsible for their own cleanup.

Re:Still however useless (1)

countertrolling (1585477) | more than 4 years ago | (#31504108)

Hardly any botnets become big.

They don't have to become big once they reach their target. Too big attracts unwanted attention.. Expect more focus and a more "subtle" approach.

In other words... (1)

Capt.DrumkenBum (1173011) | more than 4 years ago | (#31500104)

It's dead, Jim.

Re:Its dead Jim. (1)

snikulin (889460) | more than 4 years ago | (#31500266)

I think it was "Zed's dead, Baby, Zed's dead"

Re:Its dead Jim. (0, Offtopic)

srussia (884021) | more than 4 years ago | (#31500678)

Capt.DrumkenBum (1173011) said: Its dead Jim.

snikulin (889460) said: I think it was "Zed's dead, Baby, Zed's dead"

You guys should swap UIDs.

MS is more clever? (0)

fragmentate (908035) | more than 4 years ago | (#31500190)

I'm finding it hard to believe that MS brought down the behemoth by secretly bringing down those domain names.

On the other hand, maybe the little miscreants that created this botnet actually made the assumption that the domains couldn't be suspended. That still brings up the question, how long can this court-ordered suspension really last? Indefinitely is not a definite answer.

Going to go check my spam folder now... maybe it's got less crap in it now.

Re:MS is more clever? (1)

Saishuuheiki (1657565) | more than 4 years ago | (#31500316)

A court order to remove domain name registrations could certainly be permanent. Even if it was a theoretically legitimate action (not the case here) since you have to re-register every year anyways, it's effectively a $5 loss to lose a domain permanently.

Re:MS is more clever? (2, Interesting)

idontgno (624372) | more than 4 years ago | (#31500454)

What MS should do is to re-register the domain names and point them to a C&C server they host. Then they have a wild botnet in a cage to be researched until they can find the best way to eradicate the thing, and others like it.

Or else command it to DDOS their foes. MWAHAHAHA!

Re:MS is more clever? (2, Funny)

Lumpy (12016) | more than 4 years ago | (#31500494)

What MS should do is to re-register the domain names and point them to a C&C server they host

What kind of C&C server? Red alert? Tiberium wars? I prefer a Generals C&C server myself...

Re:MS is more clever? (3, Funny)

sopssa (1498795) | more than 4 years ago | (#31500540)

Duh, C&C 4 [wikipedia.org] came out today, he's obviously talking about that.

Re:MS is more clever? (2, Informative)

Anonymous Coward | more than 4 years ago | (#31500716)

Since the only responses you have at the moment are smart-ass, I'll respond seriously.

While I'm unsure of the specifics of this particular botnet, most of the big current botnets cryptographically sign commands, and ignore any that don't validate. Which means that unless there's a flaw in whatever encryption they used, there's nothing that approach would do other than waste money on domain name registration.

Re:MS is more clever? (1)

idontgno (624372) | more than 4 years ago | (#31500878)

That's why I said "research". When you take possession of a house after foreclosure or seizure, sometimes you have to take some time to pick the locks.

The bots will contact their C&C servers. Find a bot that you can get client-side access to. Study the malware from both ends. Reverse-engineer the crypto.

At a minimum, there's a list of bot clients you can work thru to de-fang and clean up.

Re:MS is more clever? (1)

Sir_Lewk (967686) | more than 4 years ago | (#31501576)

Modern day crypto is not your grandfather's Caesar cipher. One does not simply "reverse engineer RSA [wikipedia.org] " which is undoubtedly what they are using if they are smart.

Strike that, "which is undoubtedly what they are using if they possess the knowledge of your average freshman CS major". It's not exotic stuff.

Re:MS is more clever? (1)

idontgno (624372) | more than 4 years ago | (#31502124)

Again, you have access to both endpoints. For instance, you have a credible chance at cracking it if you can monitor cleartext in the process space of the client system.

Or, you know, maybe not, since teh evil h@x0rs are so 1334. Maybe we should all just surrender now and put in our recurring purchase order for herbal v1@gra or whatever.

Feh. Botnet takeover is a historical fact. It may be an arms race, but there will always be a defender response. And don't forget the classic anti-DRM mantra: in some place, at some point in the process, cleartext must exist. That's where the system is vulnerable and crackable.

Re:MS is more clever? (0)

Anonymous Coward | more than 4 years ago | (#31503524)

Again, you have access to both endpoints.

And, again, IT DOESN'T MATTER. You have the public key of a public key cryptosystem. They don't even make an ATTEMPT at obfuscating it... why would they? The public key and a buck fifty will get you a cup of crappy fast-food coffee.

'Recovering' the private key is a whole different bag of worms. You're not going to do it, unless there was a serious oversight.

Re:MS is more clever? (1)

plover (150551) | more than 4 years ago | (#31509434)

By endpoint, I assume the GP poster means not the C and C servers, but the bot-herder's personal PC with the private key. The one he uses to sign the commands. That is indeed one place the system is vulnerable. The other is that there may be a security vulnerability in the bot implementation that would permit an unauthorized connection to take over the bot, perhaps via buffer overflow or something. Y'know, the "endpoints."

Yes, if he thought that the C and C servers contain the private key, he's very much mistaken.

Re:MS is more clever? (0)

Anonymous Coward | more than 4 years ago | (#31573980)

By endpoint, I assume the GP poster means not the C and C servers, but the bot-herder's personal PC with the private key. The one he uses to sign the commands. That is indeed one place the system is vulnerable. The other is that there may be a security vulnerability in the bot implementation that would permit an unauthorized connection to take over the bot, perhaps via buffer overflow or something. Y'know, the "endpoints."

Yes, if he thought that the C and C servers contain the private key, he's very much mistaken.

Except nowhere was it even hinted at that they have the signer's computer. They don't even have the C&C computers, they only have the C&C domain names.

Re:MS is more clever? (1)

plover (150551) | more than 4 years ago | (#31578318)

I know. I was just being supportive of "idontgo", because he sounded like he was claiming people would "reverse engineer" RSA, which is ridiculous. I'm sure he must have meant something else.

However, there is a potential vulnerability in what he's saying (even if he's saying it wrong.) The vulnerability is in the zombies. The zombies have to phone home to register. How does the C & C server know if it should trust a zombie? Is it susceptible to some kind of protocol exploit (a buffer overrun, a malformed URL, etc.)? While it won't ever have the private key, it might cough up a list of zombies.

Re:MS is more clever? (1)

sopssa (1498795) | more than 4 years ago | (#31504014)

Oh, nice amount of talking without knowing anything here. I suggest you take a look at Public-key cryptography [wikipedia.org] . There is no way you're going to crack such + RSA by "monitoring cleartext". If you do, and sure let us know when that happens, you've just pwned every single government, bank, company, telecommunications line and Internet in the world.

Re:MS is more clever? (1)

Sir_Lewk (967686) | more than 4 years ago | (#31504190)

The security of any good cryptosystem must rest solely on the secrecy of the key, not the secrecy of the implementation details. This is Cryptography 101 stuff here, you can't just "capture the enemy enigma machine" and call it a day anymore. Read that link I gave you before you make yourself look even more of a fool.

The bots presumably have a copy of the public key and will only listen to commands signed by the private key. Only the original command server has the private key, given the public key you cannot determine the private key in any realistic amount of time. Not a challenging concept. This isn't defeatism, it is reality, and no amount of wishful thinking is going to change that.

This has absolutely nothing to do with DRM, but you cannot possibly understand why not unless you get some basic facts right so go do so.

Here, I'll even get you started with some more links:

http://en.wikipedia.org/wiki/History_of_cryptography#Modern_cryptography [wikipedia.org]
http://en.wikipedia.org/wiki/Public-key_cryptography [wikipedia.org]

The short story is, this isn't about not knowing the plaintext (we already know it if we care to know), this is about convincing the bots you are the real command server, which you cannot do without the private key, which you cannot get. Thus: absolutely no point in pretending to be the command server.

There is no excuse for spouting your mouth off without knowing what you're talking about when there are so many excellent sources of information right at your fingertips. You should be ashamed of yourself.

Re:MS is more clever? (1)

idontgno (624372) | more than 4 years ago | (#31508436)

I don't normally respond to arrogant tards, but I'll make an exception in your case.

The plaintext you're looking for is the private key. This is a fully automatic system, so the key has to be stored someplace. If you own both endpoints, you almost certainly own the keystore. If the keystore is protected, the passphrase (or equivalent) to open it is also stored someplace in the clear (or obfuscated, which is reversible).

Got it?

Now, admittedly, if the keystore is on a third server someplace, it becomes harder, but since the private key has to be IN THE CLEAR in order to use it for signature purposes, if you can monitor process space you can find it.

Re:MS is more clever? (1)

Sir_Lewk (967686) | more than 4 years ago | (#31508884)

The plaintext you're looking for is the private key.

Your terminology is all fucked up because you still have not bothered to research what you are talking about. Keys are keys, plaintext is plaintext, and ciphertext is ciphertext. Do not confuse them.

If you own both endpoints

But you don't. A critical part of the server is the private key. Without the private key any server you may have created is worthless.

If the keystore is protected, the passphrase (or equivalent) to open it is also stored someplace in the clear

If by 'in the clear' you mean 'in some guy's head', then you might be right.

Now, admittedly, if the keystore is on a third server someplace

Of course it is.

..., but since the private key has to be IN THE CLEAR in order to use it for signature purposes, if you can monitor process space you can find it.

You only use the public key for verifying the signature. You can know that all you want and it won't get you anywhere. The private key is used to create signatures on a machine you do not control.

Your original proposal:

What MS should do is to re-register the domain names and point them to a C&C server they host.

Is absolutely worthless. You don't have the private key used to sign commands, so pretending to be a command server gets you shit.

If you can manage to get the private key, then that obviously means you have access to the machine used for signing commands, and the original command servers. In that case "re-register the domain names and point them to a C&C server they host" is once again absolutely pointless.

Seriously man, just go do some preliminary reading or something. It won't be an admission of defeat, I will never even know you did so. Read wikipedia and walk away from this discussion a smarter man, leaving me to think that I was unable to reach you.

Re:MS is more clever? (1)

idontgno (624372) | more than 4 years ago | (#31511686)

But you don't. A critical part of the server is the private key. Without the private key any server you may have created is worthless.

THUMP. THUMP.

That's my forehead on the desk. You're right, the good guys don't have access to the real C&C server. Therefore, the command signing process can't be spied. Therefore, there's no way to spoof valid signed commands.

I lost track of the "not owning the real server" issue. That's what happens when you fall in love with an idea; love is blind.

So, lacking any weaknesses in any client bot you can get hold of, the best you can probably do is to note clients as they try to contact the spoofed server and get notification out to the owner of the botted machine. For a quarter-million nodes, that's a lot of work.

UPDATE: Looks like honeynet.org thinks there is an unspecified weakness [honeynet.org] in Waledac's crypto methodology, and payloads can be decrypted. I don't know if that's enough to step into the place of the real C&C network, though.

Re:MS is more clever? (1)

plover (150551) | more than 4 years ago | (#31579076)

Just because someone pinged me in this thread, I want to point out the different machines involved:

  • Zombie: Infected PC. Executes only those instructions whose digital signature matches that of an included self-signed certificate. (RSA signatures are not reversible.) Connects to C&C servers using a technique known as fast-flux proxies.
  • Command and Control: Middleman server. Accepts connections from zombies and the master. Forwards copies of digitally signed instructions. Fast-flux proxies help hide this server's location.
  • Master: This is the PC owned by the botherder. It connects to C&C servers via fast-flux proxies just like any other zombie. It contains the private key of the self-signed certificate distributed to all zombies. It is the only machine that can digitally sign instructions. It is also likely to be the only machine that has the tools to maintain the botnet and check its status.

If the botnet is operated by a gang, there may be more than one copy of the master. But each master has to be carefully guarded.

Sure, you can decrypt the instructions at a specific node. You can connect to the C&C server and try to inject your own instructions. The C&C server probably won't even accept them if their signature isn't valid. And no zombie will execute those instructions without first checking their signatures.
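The signing model plover lays out above, which is also the point Sir_Lewk's reply turns on (a spoofed C&C server that lacks the private key gets nothing), as an added worked example. This is illustrative code written for this page, not Waledac's protocol and not code anyone in the thread posted. The RSA keypair is a textbook toy generated inline with seeded randomness so the run is reproducible; the key size, the command strings and the seeds are assumptions. It shows a zombie that accepts a command signed with the master's key, rejects the same kind of command signed with a sinkhole operator's own key, and rejects a genuine signature replayed on a modified command.

```python
import hashlib
import random

# Added illustration of the zombie / C&C / master trust model. The RSA here is a
# textbook toy (no padding, seeded randomness); it demonstrates who can sign,
# not production-grade cryptography.

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate

def generate_keypair(bits: int = 512, seed=None):
    """Return ((e, n), (d, n)). The master keeps (d, n); every zombie embeds (e, n)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)   # pow(e, -1, m) needs Python 3.8+

def _digest(command: bytes) -> int:
    # SHA-256 is 256 bits, so the digest is always smaller than the 512-bit modulus.
    return int.from_bytes(hashlib.sha256(command).digest(), "big")

def sign_command(private_key, command: bytes) -> int:
    """Only the master can do this: it is the only place d exists."""
    d, n = private_key
    return pow(_digest(command), d, n)

def verify_command(public_key, command: bytes, signature: int) -> bool:
    """What every zombie does before acting on anything a C&C relays."""
    e, n = public_key
    return pow(signature, e, n) == _digest(command)

class Zombie:
    """Infected host with the herder's public key baked into the binary."""

    def __init__(self, embedded_public_key):
        self.public_key = embedded_public_key
        self.executed = []

    def receive(self, command: bytes, signature: int) -> bool:
        """Relayed commands run only when the embedded key verifies them."""
        if not verify_command(self.public_key, command, signature):
            return False
        self.executed.append(command)
        return True

def run_demo(seed: int = 1) -> dict:
    """Master's command accepted; a sinkhole's forgery and a replay rejected."""
    master_pub, master_priv = generate_keypair(512, seed)
    bot = Zombie(master_pub)
    genuine = b"spam template=pharma batch=17"   # constructed command text
    results = {"genuine_accepted": bot.receive(genuine, sign_command(master_priv, genuine))}

    # A defender who re-points the C&C domains has only a keypair of their own.
    _sinkhole_pub, sinkhole_priv = generate_keypair(512, seed + 1)
    forged = b"uninstall"
    results["sinkhole_forgery_rejected"] = not bot.receive(forged, sign_command(sinkhole_priv, forged))

    # Capturing a real signature does not help either: it is bound to its message.
    altered = b"spam template=pharma batch=18"
    results["replay_on_altered_rejected"] = not bot.receive(altered, sign_command(master_priv, genuine))

    results["executed"] = list(bot.executed)
    return results
```

Running `run_demo()` shows the asymmetry the thread argues over: the zombie executes exactly one command, the one carrying a valid master signature, and a sinkhole that owns the rendezvous domains but not `d` can observe traffic and identify victims but cannot issue anything the bots will act on.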

Re:MS is more clever? (1)

h00manist (800926) | more than 4 years ago | (#31500912)

They could spread the "windows" virus and take over all computers in the world and make them reboot all the time! oh they already did that.

Re:MS is more clever? (1)

techno-vampire (666512) | more than 4 years ago | (#31500664)

Going to go check my spam folder now... maybe it's got less crap in it now.

My spam folder's had much less in it for about a week now. I don't know how much of this was caused by bringing down this one botnet, but it must have had some effect, all of it good.

Rise of the machines (1)

boundary (1226600) | more than 4 years ago | (#31500246)

Waledac will be back... as SkyNet.

Somehow, I don't think he's dead yet, Jim (0)

Anonymous Coward | more than 4 years ago | (#31500254)

Main characters seldom die off, not unless they've moved to a new show. So, figure he'll be back, meaner and badder than ever. It's just too much like taking candy from a baby not to.

How about taking down... (2, Insightful)

lbalbalba (526209) | more than 4 years ago | (#31500524)

The bloody botnet operator's and malware author's ? Isn't this like fighting the symptoms instead of the cause ?

Re:How about taking down... (2, Informative)

Volante3192 (953645) | more than 4 years ago | (#31500634)

If it's that easy why haven't you done it?

Seriously, though, if the controllers are smart, we'll never catch them. Look at the Mariposa botnet. From what I read about that, while law enforcement got the network down, they didn't have any of the people. It took the bold, stubborn move of one of the controllers trying to regain command (from his own system no less) to catch the people behind it. If the operators walked away, what are the odds we'd catch them?

Re:How about taking down... (1)

Gordo_1 (256312) | more than 4 years ago | (#31501132)

You give criminals too much credit. The human element is the thing that always seems to get criminals. The fact that they've put all this hard work and effort into building this massive botnet means it's not easy to just walk away at the first sign of potential trouble. It's easy to get sloppy when you've never been caught in months or years of operation and the only thing between you and control of millions of computers is a seemingly innocuous connection to a host.

Re:How about taking down... (1)

Volante3192 (953645) | more than 4 years ago | (#31501278)

You give criminals too much credit.

Ok, so it's a big 'if.' It's akin to gambling. You gotta know when to hold em, know when to fold em, know when to walk away, know when to run.

And if Waledac is just one network they have, it'd be easier to give up one.

Anyway, going back to Mariposa, it *did* take bringing down the network to get the people behind it. So to find those in control, perhaps you must first take control.

Re:How about taking down... (1)

bloodhawk (813939) | more than 4 years ago | (#31501298)

These are not your average criminals, they are technically savvy, well financed underground organisations, they aren't some drugged up retard running into a liquor store to rob it with his mother's tights pulled over his face. Not every criminal is stupid and the possibility of getting caught is enough to keep smart ones from getting sloppy.

Re:How about taking down... (0)

Anonymous Coward | more than 4 years ago | (#31500862)

Well, their intent is to keep selling Windows..

The Ubuntu community is dedicated to fight the cause.

Re:How about taking down... (1)

Hurricane78 (562437) | more than 4 years ago | (#31514966)

How about taking down...
The bloody botnet operator's and malware author's financer? Isn't this like fighting the symptoms instead of the cause ?

There, fixed that for you.
No need to thank me.
But if you got any hot girls... ;)

Re:How about taking down... (1)

lbalbalba (526209) | more than 4 years ago | (#31515630)

Yeah, you fixed that for me. Guess that the financers are the real root cause here... Thanks.

"... if not dead." (1)

dwiget001 (1073738) | more than 4 years ago | (#31500538)

It's restin'.

Re:"... if not dead." (1)

Volante3192 (953645) | more than 4 years ago | (#31500646)

Pining for the fjords.

Re:"... if not dead." (1)

Locke2005 (849178) | more than 4 years ago | (#31500698)

'E's off the twig! 'E's kicked the bucket, 'e's shuffled off 'is mortal coil, run down the curtain and joined the bleedin' choir invisible!! THIS IS AN EX-BOTNET!!

Re:"... if not dead." (0)

Anonymous Coward | more than 4 years ago | (#31500766)

Look you, if 'e 'adn't downed all of the CnC infrastructure at once, that botnet woulda muscled its way up to those mail servers and VOOM!

to all Waledac clients (0)

Anonymous Coward | more than 4 years ago | (#31500562)

our botnet is just down for a couple of hours due to maintenance. we'll be back online soon and kindly apologize for any inconvenience caused.

'It looks crippled, if not dead' (1)

CODiNE (27417) | more than 4 years ago | (#31500674)

Just like its maker if he made contracts with the wrong people.

Cool! (1)

Zamphatta (1760346) | more than 4 years ago | (#31500684)

Oh, this must be why my spam messages went from over 300 per day, down to just around 20-30 in the past couple weeks. Here I thought Gmail improved their spam filters.

Re:Cool! (1)

pandrijeczko (588093) | more than 4 years ago | (#31501160)

It doesn't seem to have affected me - since Microsoft took the domains down around about 25th February, I have spam in my Gmail filter since 19th February and there's no change.

What is interesting is that having looked at what's in the Gmail spam filter, it does seem I am getting near-enough 15 spam emails every day; I've never realised before how evenly distributed the spam actually is.

I am Muyiwa Ige (0, Funny)

Anonymous Coward | more than 4 years ago | (#31500696)

ATTN.: sir,

I got your contact through email business directory and decided to send my proposal to you. I am MUYIWA IGE the first son of the late chief BOLA IGE,the attorney general of the fedeal rebulic of Nigeria who was killed by hired assasin on the 23rd of december 2001 by an unidentified gun men believed to be link to our government of which it is a daily case going on in my country's dailies now.

Two months ago he was attempted to be murdered but unfortunately God speared his life for us.It was then he had to reveal some vital informations as regards his life to me before he was finally killed in december. All accounts belonging to my father both local and abroad had been frozen and his investments seized by the government believing in thier false allegation that he made away of $2 billion dollars of (NEPA)national electricity power authority of which i know is just a ploy to eliminate him by the people in power that he is fustrating thier evil intentions through the human right pubic hearing for violation of right and cruelsome killings during the military regime to carry out thier traits to suffer the mases for thier selfish interest instead of the interest of the nation.We are now in a dileman as ou live are in danger till after the investigations.

Two weeks to the christmas holiday in 2001 being on the 4th of december,my dad spoke to me at lenght about life and it realities .He told me he deposited a trunk box containing us$25.5m with a security in EAUROPE(UK) all in the aim of retrieving it himself before he was finally killed before the christmas. According to him the content of the box was registered as government classified papers with his influence and was moved out of my country through diplomatic courrier.He wanted to safeguard the funds for foriegn investment after his retirement before he was killed.

In the light of this as the next of kin i am now contacting you a foreigner to assist ME in retrieving the boxes and depositing of the fund into your foreign account hence the need to contact you. I and my mother had agreed to give you 30% of the fund for your assistance and 10% for any expenses you might incur in the course of this transaction, we want to believe that you will not sit on the money when paid into your account. I want you to understand that there is no risk involve as we have worked out modalities for the smooth actualization of this goal. The boxes presently is in a security vault of this company in their offshore office in SPAIN.i will require the following for effecting the documents of claim and identification.:

1] Your driving license to assure us of your person

2] Your private telephone and fax numbers.

I will send the following:
3] The receipt of the ware bill used in sending the boxes
4] The deposit certificate


All these will be send through YOUR FAX NUMBER then you will proceed for claim after due schedule with them.you

I wish to state here that we are left with nothing as we survive by the grace of God. I hope you understand our predicament so as to save me and my family from hopeless future (S.O.S.)

All contacts for now should be through my personal email address for security reasons.

Waiting your urgent response.

Best regards,

MUYIWA IGE.

Can a relevant botnet be shut down? (1)

looney9 (413470) | more than 4 years ago | (#31500700)

I'll never bemoan a success in the victory against cybercrime, but it would be nice if one of these announcements came against a botnet that was still relevant and sending out large amounts of spam like Rustock. When the trumpet was sounded by Microsoft about the death of the Storm botnet, it was about 18 months since it had been highly relevant.

As others have said, shutting down individual botnets doesn't have long-term effects. That lesson was learned when McColo was taken offline.

It's not dead... (2, Funny)

Jaysyn (203771) | more than 4 years ago | (#31500846)

... it's pining for the fjords!

Re:It's not dead... (1)

guygo (894298) | more than 4 years ago | (#31505150)

It's not pining, it's passed on. This botnet is no more. It has ceased to be. It's expired and gone to meet its maker. This is a late botnet!

Re:It's not dead... (0)

Anonymous Coward | more than 4 years ago | (#31513606)

Beautiful plumage, though...

Poor Design (3, Informative)

phantomcircuit (938963) | more than 4 years ago | (#31501148)

The only reason this worked is that the botnet was poorly designed. It relied on at least one of the command and control servers being available. If they all get taken down at the same time you destroy the botnet. This is not how most other botnets work; this is a tactic that worked against this specific botnet and will not work against other botnets.

Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.
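To make the point above concrete, here is an added example of a date-seeded domain generation algorithm. It is constructed for this page; it is not the DGA of any real botnet family and was not posted by anyone in the thread. The seed, label length, TLD set and per-day count are assumptions, and in a real investigation they come from reversing a sample. It shows why the herder's side is cheap (own one name from today's list) while the defender's side is not (control every name the algorithm will ever emit), and how much of a window a partial takedown actually covers.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed parameters for an example DGA; a real family's values come from
# reverse engineering the bot binary.
FAMILY_SEED = b"example-family-seed"
TLDS = ("com", "net", "org", "info")
DOMAINS_PER_DAY = 8
LABEL_LENGTH = 12

DOMAIN_RE = re.compile(r"^[a-z]{%d}\.(%s)$" % (LABEL_LENGTH, "|".join(TLDS)))


def _as_date(day) -> date:
    """Accept a date or an ISO string such as '2010-03-01'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def dga_domains(day, seed: bytes = FAMILY_SEED, count: int = DOMAINS_PER_DAY) -> list:
    """Candidate rendezvous domains for one calendar day.

    Every infected host with the same seed and system date computes the same
    list, so no C&C address has to be stored in the binary or in DNS ahead of time.
    """
    day = _as_date(day)
    domains = []
    for index in range(count):
        material = seed + day.isoformat().encode("ascii") + index.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + byte % 26) for byte in digest[:LABEL_LENGTH])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def herder_registration(day) -> str:
    """The single name the operator has to own that day to keep control."""
    return dga_domains(day)[0]


def takedown_list(start, days: int) -> list:
    """Every name a defender must control to deny the rendezvous for `days` days."""
    start = _as_date(start)
    names = set()
    for offset in range(days):
        names.update(dga_domains(start + timedelta(days=offset)))
    return sorted(names)


def sinkhole_coverage(start, days: int, sinkholed) -> float:
    """Fraction of days on which the bots can reach only sinkholed names."""
    start = _as_date(start)
    sinkholed = set(sinkholed)
    fully_blocked = 0
    for offset in range(days):
        daily = dga_domains(start + timedelta(days=offset))
        if all(name in sinkholed for name in daily):
            fully_blocked += 1
    return fully_blocked / days
```

`len(takedown_list("2010-03-01", 365))` is the size of the court order phantomcircuit is talking about: thousands of names across several registries for a single year of coverage, against one registration a day on the other side. `sinkhole_coverage` makes the partial case explicit: a takedown that pre-registers the first thirty days of output leaves the bots free to rendezvous on day thirty-one.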

Chilling effect (3, Interesting)

Culture20 (968837) | more than 4 years ago | (#31501630)

Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.

No problem. Individual court orders should do the trick. After seeing 200+ ISPs going through depeering hell, Hosting providers will be a lot more careful who they let have a server. Of course, this is a less than ideal scenario for IT folk in general (especially because it puts the onus on hosting providers to monitor traffic), but it might be effective.

Re:Chilling effect (1)

hakr89 (719001) | more than 4 years ago | (#31521350)

Your post advocates a

(x) technical (x) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(x) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

---

Additionally, you underestimate how difficult it would be to completely screen out every potential botnet spammer, especially with the extreme profitability of spam allowing them to masquerade as something other than a spammer. How do you propose you screen someone who wants to spend $200 a month to rent a dedicated server?

I am Muyiwa Ige, son of the late chief Bola Ige (2, Funny)

zkp (1634437) | more than 4 years ago | (#31501472)

FROM: MUYIWA IGE

ATTN.: sir,
I got your contact through email business directory and decided to send my proposal to you. I am MUYIWA IGE the first son of the late chief BOLA IGE,the attorney general of th e fedeal rebulic of Nigeria who was killed by hired assasin on the 23rd of december 2001 by an unidentified gun men believed to be link to our government of which it is a daily case going on in my country;s dailies now.

Two months ago he was attempted to be murdered but unfortunately God speared his life for us.It was then he had to reveal some vital informations as regards his life to me before he was finally killed in december. All accounts belonging to my father both local and abroad had been frozen and his investments seized by the government believing in thier false allegation that he made away of $2 billion dollars of (NEPA)national electricity power authority of which i know is just a ploy to eliminate him by the people in power that he is fustrating thier evil intentions through the human right pubic hearing for violation of right and cruelsome killings during the military regime to carry out thier traits to suffer the mases for thier selfish interest instead of the interest of the nation.We are now in a dileman as ou live are in danger till after the investigations.

Two weeks to the christmas holiday in 2001 being on the 4th of december,my dad spoke to me at lenght about life and it realities .He told me he deposited a trunk box containing us$25.5m with a security in EAUROPE(UK) all in the aim of retrieving it himself before he was finally killed before the christmas. According to him the content of the box was registered as government classified papers with his influence and was moved out of my country through diplomatic courrier.He wanted to safeguard the funds for foriegn investment after his retirement before he was killed.

In the light of this as the next of kin i am now contacting you a foreigner to assist ME in retrieving the boxes and depositing of the fund into your foreign account hence the need to contact you. I and my mother had agreed to give you 30% of the fund for your assistance and 10% for any expenses you might incur in the course of this transaction, we want to believe that you will not sit on the money when paid into your account. I want you to understand that there is no risk involve as we have worked out modalities for the smooth actualization of this goal. The boxes presently is in a security vault of this company in their offshore office in SPAIN.i will require the following for effecting the documents of claim and identification.:

1] Your driving license to assure us of your person

2] Your private telephone and fax numbers.

I will send the following:
3] The receipt of the ware bill used in sending the boxes
4] The deposit certificate

All these will be send through YOUR FAX NUMBER then you will proceed for claim after due schedule with them.you

I wish to state here that we are left with nothing as we survive by the grace of God. I hope you understand our predicament so as to save me and my family from hopeless future (S.O.S.)

All contacts for now should be through my personal email address for security reasons.

Waiting your urgent response.

Best regards,

MUYIWA IGE.

MY PERSONAL EMAIL
ADDRESS(muyiige@mail.com)ALTERNATIVE RESPONSE

Cast away that which is useless. (1)

RavenChild (854835) | more than 4 years ago | (#31501540)

The spammers using this botnet most likely cut it off to work on enlarging another.

Why waste time (read: money) repairing something broken when the new, harder to kill version does the same thing in the same time-cost?

Is spam really still a problem? (1)

Jenming (37265) | more than 4 years ago | (#31502948)

Sure my spam folder always has shit in it, but really none of it ever makes it through Google's spam filters into my inbox.

Re:Is spam really still a problem? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31503938)

Sure my spam folder always has shit in it, but really none of it ever makes it through Googles spam filters into my inbox.

Spam is still a problem for network operators who have to increase capacity to carry the spam, endpoints that need to buy faster processors to weed out the spam, and users whose filters don't catch all or most spam.

Then there are the other criminal enterprises and activities that spammers seem to invariably be attached to.

Re:Is spam really still a problem? (1)

drinkypoo (153816) | more than 4 years ago | (#31507862)

My spam folder has been up over 15,000. Right now it's at 3,524. I get one or two spams per day, although frankly I think google is putting them there deliberately to get them checked off by me, because I'm a good spam classifier.

Waledac? It's for you. (0)

Anonymous Coward | more than 4 years ago | (#31504364)

The fat lady is singing. [thefatlady...online.com]

SO what.... (1)

hesaigo999ca (786966) | more than 4 years ago | (#31507516)

Tell me you took down the Zeus botnet, then I will say you accomplished something, but of course the least dangerous botnet will be easier to take down, even the script kiddies know to cycle their botnets, and out with the old in with the new. So what if the botnet you took down is old and degenerate and has almost no spam left attached to its name, you can still make a name for yourself by taking it down, right?

Just checked Spamcop (1)

BlindBear (894763) | more than 4 years ago | (#31510240)

I just checked spamcop stats page, we had a few quiet days but everything is back to normal, thanks for coming.