×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Researchers Cripple Pushdo Botnet

timothy posted more than 3 years ago | from the nothing-wrong-with-the-word-cripple dept.

Botnet 129

Trailrunner7 writes with this from ThreatPost: "Researchers have made a huge dent in the Pushdo botnet, virtually crippling the network, by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet. Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet's spam operations. After doing an analysis of Pushdo's command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

129 comments

Legal hacking? (4, Interesting)

Creepy Crawler (680178) | more than 3 years ago | (#33407352)

I wonder if the courts would issue an order that would legalize hacking of unstoppable network computers to prevent ongoing attacks?

Other normally illegal tactics can be utilized legally, if a judge deems them necessary or in a court of law. You know, 1st degree murder vs E-Chair?

Re:Legal hacking? (5, Insightful)

Ethanol-fueled (1125189) | more than 3 years ago | (#33407384)

Don't know if you got the memo, but the feds pay others to do the dirty work for them.

Fed: "Wanna work with the FBI, Fido? Wanna help us catch bad guys?"
Snitch: "Yeahyeahyeahyeahyeahyeah!
Fed: "There's an athiest group that looks suspicious. I think they're laundering money to fund their picnics. You need to infiltrate them, earn their trust, and if you don't find anything make something up so we have a good excuse to raid their headquarters. You will get a pat on the head and a nice, big doggy bone if we get convictions. Snitch: "Yeahyeahyeahyeahyeah!

[ Months later, a number of the atheist group's members are arrested for child pornography for unwittingly having nude pics of their 17 year-old sons and daughters who kept them stored "privately" in facebook ]

Fed: "Bad news, Fido. The D.A. wants to charge you with computer crimes. You're expected to do 5 years in the pen."
Snitch: *whimper*
Fed: "It's okay, you helped us save the children. Just suck it up and don't drop the soap."

Re:Legal hacking? (3, Interesting)

WrongSizeGlass (838941) | more than 3 years ago | (#33408216)

I'm sorry to be the one to tell you this, but your little 'story' is very reminiscent of the ABC After School Special "When Good Dogs Do Bad Things (And Hard Time) For Good Reasons". Be on the look out for a little 'invitation' to a court party being held in your honor thrown by the ASSAA and their affiliated legal teams. ;-)

Re:Legal hacking? (5, Insightful)

Martin Blank (154261) | more than 3 years ago | (#33407640)

There's no legal authority for the courts to order such actions. Even execution orders are authorized by the legislative body, approved by the chief executive, and carried out by subordinates to the executive (subject to the lack of intervention by the judicial body). Any offensive action against spammers/hackers would require a similar path.

Re:Legal hacking? (1)

dimeglio (456244) | more than 3 years ago | (#33408254)

A simple legislation can give more powers to ISPs and policing agencies to perform such actions. Provided of course they are constitutional.

Re:Legal hacking? (4, Interesting)

FriendlyLurker (50431) | more than 3 years ago | (#33407874)

If it hasn't happened already - how long before they control the biggest botnets on the block (they being "security intelligence firm's"), to meet the Cyber-defense budget laid down by American taxpayers. Personally I prefer to setup a few spam filters on my servers over having Goverments use their shady "security intelligence firm's" to take websites like wikileaks offline.

Re:Legal hacking? (4, Funny)

WrongSizeGlass (838941) | more than 3 years ago | (#33408226)

What you're looking for is the B-Team, a team of anti-botnet soldiers of fortune on the run from the RIAA after being branded as criminals for a "download they didn't commit."

Re:Legal hacking? (0)

Anonymous Coward | more than 3 years ago | (#33408432)

Wouldn't that be the CD-Team?

I would love to see... (5, Interesting)

ysth (1368415) | more than 3 years ago | (#33407360)

I would love to see stories like this publishing a full list of the providers who didn't take down a server.

Re:I would love to see... (0)

jdpars (1480913) | more than 3 years ago | (#33407370)

I'm not sure it was a matter of providers who did and did not agree. I doubt the researchers were able to find all of the C&C servers.

Re:I would love to see... (3, Informative)

Anonymous Coward | more than 3 years ago | (#33407386)

Read the f**king article:

Unfortunately, not all providers were responsive and thus several Command & Control servers are still online at this point," researcher Thorsten Holz wrote.

Re:I would love to see... (1)

bloodhawk (813939) | more than 3 years ago | (#33407420)

Well if you had read the article you would have been sure. if you are going to make a comment about something at least spend the 5 seconds it takes to scan the article to see if you are just plain wrong.

Re:I would love to see... (0)

Anonymous Coward | more than 3 years ago | (#33407792)

So not only you didn't RTFA, but on top of that you even didn't bother to RTFSummmary. Either that, or your reading comprehension is below zero.

Re:I would love to see... (3, Interesting)

mysidia (191772) | more than 3 years ago | (#33407546)

So would I like to see that.

So I could switch to those providers, and know they wouldn't be messing with my server without talking to me just because some er "researcher" decided they thought the server might be some sort of C&C

I imagine there could be some legal concerns of the researchers were to publish such a list... it might seem like extortion "Take down that server, or we'll publish your name!"

Or it might attract more business to those providers.. the, er, bad guys, would also know some go-to providers [not that they don't already]

Re:I would love to see... (5, Informative)

rastos1 (601318) | more than 3 years ago | (#33407614)

So I could switch to those providers, and know they wouldn't be messing with my server without talking to me just because some er "researcher" decided they thought the server might be some sort of C&C

I assume that the providers were just notified by the researcher and were able to see for themselves whether the server is doing something malicious or not. In addition every ISP I've dealt with, has a contract clause that allows them to cancel the service if you use it to violate the laws of the country - which is often the case when sending SPAM. You are then free to sue them if you believe that terminating the service was not justified.

Re:I would love to see... (4, Insightful)

nacturation (646836) | more than 3 years ago | (#33407764)

I assume that the providers were just notified by the researcher and were able to see for themselves whether the server is doing something malicious or not.

And when they look into it, they'll probably see a bunch of SSL-secured HTTP requests.

In addition every ISP I've dealt with, has a contract clause that allows them to cancel the service if you use it to violate the laws of the country - which is often the case when sending SPAM. You are then free to sue them if you believe that terminating the service was not justified.

A command and control server doesn't send out spam. It only acts as a server for the bots that do all the spam sending.

Re:I would love to see... (2, Interesting)

Ihmhi (1206036) | more than 3 years ago | (#33408178)

A command and control server doesn't send out spam. It only acts as a server for the bots that do all the spam sending.

Replace "send out spam" with "store pirated media" and "command and control server" with "torrent-indexing website", and you essentially have the same argument for not interfering with their operations.

Re:I would love to see... (1)

WrongSizeGlass (838941) | more than 3 years ago | (#33408236)

Replace "send out spam" with "store pirated media" and "command and control server" with "torrent-indexing website", and you essentially have the same argument for not interfering with their operations.

True, but the 'R' in RIAA doesn't stand for 'Researcher' ...

Re:I would love to see... (1)

camperdave (969942) | more than 3 years ago | (#33408556)

Replace "send out spam" with "store pirated media" and "command and control server" with "torrent-indexing website", and you essentially have the same argument for not interfering with their operations.

There's a HUGE difference between sending data and storing data.

Re:I would love to see... (1)

KiloByte (825081) | more than 3 years ago | (#33407856)

Removing any number but ALL servers does entirely no good. The only effect is slowing the botnet for a day while the zombies fall back to surviving servers.

And, like an incomplete antibiotics therapy, it gives the botnet's herder a clue -- that he needs to move to more resilient techniques instead of relying on fixed, easy to remove, servers.

Re:I would love to see... (1, Informative)

Anonymous Coward | more than 3 years ago | (#33408080)

They've done that ages ago. In case these researchers actually did had taken down all the C&C servers, the bots would go into rendezvous mode and based on an algorithm, start generating thousands of domain names per day. Now all the people behind the botnet need to do is to register one of those domains and upload their signed update on it with a list of new C&C servers, and the botnet is back up and running.

These aren't some 90's irc botnets and the people running them aren't stupid. With these methods, it's practically impossible to bring down the big botnets. You may slow it down for a few days or "cripple" it's spam sending while the botnet re-organizes, but I think I have better ways to spend three years.

sadface! (5, Funny)

bwayne314 (1854406) | more than 3 years ago | (#33407408)

Wait, so I wont be getting any more exciting opportunities to add inches to my penis? What about all that steady income I was getting helping out Nigerian bankers!?!? How am I going to feed my family and satisfy my wife?

Re:sadface! (2, Funny)

Anonymous Coward | more than 3 years ago | (#33407422)

How about you sell your wife to some Nigerians and they can satisfy her?

And they never link to the original source...why? (4, Informative)

SheeEttin (899897) | more than 3 years ago | (#33407414)

Seriously, guys, why does nobody ever link to the original source? ThreatPost [threatpost.com] got it from M86 Security [m86security.com] got it from TLLOD [tllod.com]. Would it kill the submitters to link to the original, or the editors to fix it?

Re:And they never link to the original source...wh (1)

adolf (21054) | more than 3 years ago | (#33407790)

Seriously, guys, why is this the only +5 post in the article?

Has the news media finally surpassed Slashdot in news-related facts to such an extent that there is no meaningful commentary which is attached to a story?

WTF?

Should I re-up my subscription to the local dead-trees rag?

Re:And they never link to the original source...wh (3, Insightful)

houghi (78078) | more than 3 years ago | (#33407990)

Editors? I don't think that word means what the editors think it means.

Re:And they never link to the original source...wh (0)

Anonymous Coward | more than 3 years ago | (#33408250)

If you'd like to see better submissions perhaps you could improve the quality of submissions by submitting more stories yourself?

Unresponsive providers might be more likely... (5, Insightful)

paper tape (724398) | more than 3 years ago | (#33407426)

Unresponsive providers might be more likely to respond if responsive parties who controlled upstream routers were to stop routing traffic from them.

All traffic.

Pretty much (4, Informative)

Sycraft-fu (314770) | more than 3 years ago | (#33407628)

I think we need to start having more of a "you play nice or don't play on the net" kind of system going on. Providers are not expected to be perfect, nobody is perfect, just to be responsive to complaints/problems. If you aren't you get warned and if you keep ignoring it you just get shut out by all major networks. You then have to prove you took care of the problem and will play nice before you get let back in.

That's how we do it at work, actually. I work at a university and we have a lot of research labs, some of which are totally independent of our central control. When a system in there gets infected, we see if we can track someone down who can deal with it, if nobody is there or everyone claims ignorance, we shut down all network access. When that happens people get a hold of us surprisingly fast and the person who needs to deal with the system is found. Once they take it offline to be dealt with and promise to behave, network access is restored.

I think the big network providers need to work out a system like this, where if a given company is unresponsive, you can file a complaint with them. They then warn the company and if they are still unresponsive, cut access. After all the crap causes them problems as well.

Re:Pretty much (2, Interesting)

DNS-and-BIND (461968) | more than 3 years ago | (#33407648)

The Internet is a default-accept network. Changing it to a default-deny network would have far-reaching consequences way beyond taking down spam networks. Which would you rather have, the internet of today or "we'll shut you down or else" decisions being made by drunk-on-power nerds?

Re:Pretty much (2, Insightful)

ergrthjuyt (1856764) | more than 3 years ago | (#33407666)

Doesn't sound like he was proposing a default-deny network, just proposing actual consequences for breaking the law (which in most jurisdictions requires the disconnection of illegal servers upon notification)

That's not what I'm proposing (5, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#33407984)

I'm proposing that people deal with their own dirty laundry, and if they won't, that the people above them do. For example if I am causing a problem, my ISP will call me and say "Hey fix your shit." Happened many years ago, a roommate got a virus on his computer. They called me, I turned it off, life was good. Should I refuse, however, the ISP would have shut down my line. They were not interested in sending out viruses all over the place.

What I'm proposing is that the big bandwidth providers take the same attitude. If some hosting provider has systems doing evil, you contact them. However if they refuse to deal with it, you can then contact the big providers. They can check, if evil is going on they warn the company. If it doesn't stop, they shut down the links.

I fail to see a problem here. Such a thing wouldn't be done capriciously because it is against a business's best interest. If a customer is paying money and not causing problems of course they want to keep the connection active. They don't want to turn it off for fun (and probably break the contract).

All lines have AUPs, even big ones. I just think they need a mechanism to allow for complaints and enforcement, and something that is less severe than a total disconnection. Rather than something having to get to the "You cause so much trouble you are in violation of the contract and we stop selling service to you," point instead they can say "You've refused to deal with complaints so you are blocked, fix your shit and promise to listen in the future and we turn you back on."

The reason I want to see this is first because I want less shit on the net, but also because with many things you find you either self regulate or the government will regulate you. What happens if instead the US government, or a council at the UN gains complete regulatory power and can tell providers who to shut down? I'd much rather have it as a self regulating system.

It works well for ISPs, and most ISPs do it. As I said, as a university we are an ISP and we do just that. We investigate and respond to claims of malicious network activity. However, we need a higher level to deal with the ISPs that won't respond to the complaints.

Re:That's not what I'm proposing (2, Interesting)

belthize (990217) | more than 3 years ago | (#33408422)

I don' t think that will work so well. The C&C machines are on ISP's who are peered with major ISP's that are much more interested in money than the small amount of traffic coming from C&C. The individual zombie nodes are so distributed that the labor costs of properly determining whether a down stream client is infected, or is not being dealt with fast enough far outweighs the costs of shutting down the network to that client's ISP/owner.

If they shutdown some site for sending spam or a virus or what not that site is much more likely to just find a new ISP.

If this was costing ISP's money and there was a cost effective way to deal with it they would. It doesn't and there isn't so they don't.

It's doable in your environment precisely because your down stream clients have no alternative. If you cut their line they can't go to on-campus network company B and link up.

Re:That's not what I'm proposing (1)

hedwards (940851) | more than 3 years ago | (#33408572)

The main problem there is that back in olden times people pretty much had to know things about computers to get online. These days not so much, anything more complicated than turning it on or accessing the internet (By which I really mean IE) is deemed to be too complicated and time consuming to worry about. And no amount of nagging or information seems to be able to penetrate their minds that it's a very serious risk with potential life changing consequences.

Re:Pretty much (0)

Anonymous Coward | more than 3 years ago | (#33408718)

now decisions are being made by some drunk-on-money ISPs....

Re:Pretty much (0)

Anonymous Coward | more than 3 years ago | (#33407866)

I think we need to start having more of a "you play nice or don't play on the net" kind of system going on.

That's sounds very scary. Who defines what "nice" is? You assume that people are good and won't redefine "nice" to "anything I don't like".

The problem with the somewhat narrow-minded "let's just go vigilante on the bad guys and forget all laws" approach is that it can (and will) be easily abused.

Re:Pretty much (1)

WrongSizeGlass (838941) | more than 3 years ago | (#33408270)

That's sounds very scary. Who defines what "nice" is? You assume that people are good and won't redefine "nice" to "anything I don't like".

You mean like those who have mod points on /.?

The problem with the somewhat narrow-minded "let's just go vigilante on the bad guys and forget all laws" approach is that it can (and will) be easily abused.

I guess it would require us to pick our poison. Deal with an ISP that gets to deny access if they think you're doing something wrong (besides exceeding undefined bandwidth limits, running a small web server at home, etc) or deal with botnets flooding the internet with spam, malware and all the associated traffic it generates (which uses up some of that precious bandwidth).

It could get messy if a large backbone provider cut off access to a large or mid-sized ISP because they didn't cut off access to someone leasing a block of IP's that didn't cut off access to a company with infected computers.

Re:Pretty much (0)

Anonymous Coward | more than 3 years ago | (#33408274)

I think we need to start having more of a "you play nice or don't play on the net" kind of system going on.

Wow. Is spam really that much of a problem to you? It's seems like spammers are to nerds what terrorists are to the common citizens.

Calm yourself the fuck down.

Re:Unresponsive providers might be more likely... (1)

maxwell demon (590494) | more than 3 years ago | (#33407688)

And you surely would like it if your business comes to a screeching halt, just because you happen to have your server hosted by a provider who also hosts a server which some researchers claim to be a botnet server, and your provider doesn't believe them.

Re:Unresponsive providers might be more likely... (1)

Interoperable (1651953) | more than 3 years ago | (#33407722)

I'm sure there aren't many companies that would put up with that at all. That's why it would be so effective; not many ISPs would remain in business if they failed to protect their customers from such shut-offs.

Re:Unresponsive providers might be more likely... (1)

maxwell demon (590494) | more than 3 years ago | (#33407784)

Yeah, it would make it a very effective blackmailing tool. "Nice server you have there for your business. It would be too bad if your provider were told you were controlling a botnet from there ..."

Yes, you could then get the server up again by proving that you didn't have any botnet activity on it. But until then, you already lost serious money.

Re:Unresponsive providers might be more likely... (1)

Joce640k (829181) | more than 3 years ago | (#33407878)

I"m pretty sure they'd check it out first...this isn't DMCA we're talking about here.

Re:Unresponsive providers might be more likely... (1)

maxwell demon (590494) | more than 3 years ago | (#33407970)

How exactly would they check it out? Check that there are indeed bots contacting your server? It should not be hard for the criminal to add your server to some bot's list of servers to contact (the bot will not get any useful response from your server, but that's no problem, the bot will simply ignore any useless replies). How is the provider to distinguish https requests which return useful commands for the botnet from https requests which don't? Note that any user-facing web server handling confidential data will have to accept HTTPS requests.

Re:Unresponsive providers might be more likely... (1)

hedwards (940851) | more than 3 years ago | (#33408588)

You have an alternative? An obscene amount of this sort of traffic is served up by a small number of providers. Usually offshore where the authorities don't care and they aren't the kind of ISP that businesses would typically want to be hosted by because any ISP that looks the other way while cybercriminals and in some cases organized crime runs amok, could very easily not notice somebody stealing your data.

Re:Unresponsive providers might be more likely... (4, Interesting)

FlyingGuy (989135) | more than 3 years ago | (#33407972)

This reminds of a story that may be more tech myth and legend and if it is not true it should be and it goes something like this:

Back in the early days of the net when the major interconnects were MAE East and MAE West and other interconnect points had not been established almost everything routed through these two points.

So the story goes that there was a tech who dutifully monitored the system during his shift. He had noticed that someone from another country was trying to get access to files on a certain server at major university. Now he was curious because he saw the same attempts over and over again over a rather long period of time. Now since we all forget password or thing we know them and then try and try without success this is not that unusual and normally after fumbling around we will just contact the machines owner and ask for the correct password. Now in those days it was still a relatively small group of folks so there were not a whole lot of questions asked.

But the tech in question started noticing the pattern was limited to times when the people attending these machines would not be there.

So he sent off an e-mail to the admins he knew and they had not been requested to change or provide any passwords.

So our intrepid tech sent off an e-mail to the administrators of the location of the seeming intruder and asked that they have him stop. Well the admins said that it was really none of their business anyway and being in a foreign country our admin had no say over what anyone there did. The long and short of it was that the apparent intruder kept it up.

So one night our intrepid admin had had enough, so he did what he thought might get peoples attention. He simply unplugged the cable that was the source of the problem and effectively disconnecting an entire country from MAE West!

Well in a few hours phones started ringing into MAE West asking questions and trying to figure out what was wrong? He told them he had asked, many time for the admins of the network that the rude behavior was originating from to kindly ask the owner of the machine to stop and had been rudely rebuffed to say the least.. He also said when the attempted intrusions stop, he would plug them back in. To say the least they stopped in fairly short order and he plugged them back in.

Now that is a bit far flung because I doubt there is any one cable that could disconnect an entire country but I am pretty sure you could simply route class A's to /dev/null. Perhaps that what it will take to get ISP's to get serious. Just pull their plug until they behave. Everyone peers in someplace so it should not be that hard to go and find that Ethernet cable and simply unplug it and leave it dangling until their behavior changes/

Re:Unresponsive providers might be more likely... (1)

WrongSizeGlass (838941) | more than 3 years ago | (#33408280)

You had me going until you said he "simply unplugged the cable". We both know a dissed and powerful nerd would have cut the cable in a classic display of nerd rage. ;-)

Cyberterrorism is ok, huh? (-1, Flamebait)

znerk (1162519) | more than 3 years ago | (#33407436)

Not that I'm condoning their behavior (far from it, I hate spammers), but... where do we draw the line? Is it now ok to hack anyone who has broken the law?

Which of you hasn't gotten a traffic ticket, owns no mp3s, has never pirated a movie, video, music, ebook, *something*?

You've never even *accidentally* viewed questionable content?

Jaywalking?
Loitering? ("Honestly, I'm waiting for my friend to pick me up, officer...")
Overdue library books?

Where do we draw the line?

Re:Cyberterrorism is ok, huh? (4, Informative)

Xiroth (917768) | more than 3 years ago | (#33407452)

If you bother to RTFS, you'll note that they worked with the content providers - they shut the servers down themselves. No hacking involved.

Re:Cyberterrorism is ok, huh? (1)

Cylix (55374) | more than 3 years ago | (#33407504)

I read that as RTS and had questioned the initial benefits.

I eventually realized that I would never understand your comment until I played a few rounds of starcraft.

Which brings me to my next realization....

Re:Cyberterrorism is ok, huh? (1)

Dekker3D (989692) | more than 3 years ago | (#33407756)

Which brings me to my next realization....

... You can only win by zerg rushing the botnet?

Re:Cyberterrorism is ok, huh? (1)

Cylix (55374) | more than 3 years ago | (#33407502)

All of those crimes should be punishable by firing squad, drinking or smoking. (possibly taxes)

I know which one I'll pick, but a few will likely make a poor choice.

biuro kredytowe (-1, Offtopic)

julialouis (1888972) | more than 3 years ago | (#33407450)

Wow!! What nice info on this post! All information really useful. I like your stuff very much.I was wondering of your post.Thanks for sharing this helpful post.Keep it up! biuro kredytowe [b20.pl]

"For years..." (1)

Joce640k (829181) | more than 3 years ago | (#33407458)

I seem to be missing something here. Somebody please remind me what Windows Malicious software remover and all those antivirus programs are supposed to be doing.

Re:"For years..." (4, Informative)

rudy_wayne (414635) | more than 3 years ago | (#33407530)

Somebody please remind me what Windows Malicious software remover and all those antivirus programs are supposed to be doing.

They don't do anything if you don't use them.

Re:"For years..." (1)

drinkypoo (153816) | more than 3 years ago | (#33408408)

They don't do anything if you don't use them.

pretty sure I was infected and windows update dropped me an updated malicious software removal tool and cleaned it up. I was having that wacky mouse button behavior, couldn't click to login, clicks closed chrome tabs, and more. some reports say it was the result of an infection, which you could remove with spybot in safe mode. I didn't even get that far (it's just my entertainment PC, and it's not a big deal if someone knows what I watch on netflix) before Microsoft fixed it for me. Well, as far as I can tell. It's not in their best interest to have botnets making them look like assholes, you know.

Re:"For years..." (1)

John Hasler (414242) | more than 3 years ago | (#33408668)

it's just my entertainment PC, and it's not a big deal if someone knows what I watch on netflix

What about all the spam it was hammering out? As soon as you believe a machine to be infected the honorable thing to do is unplug it from the Net until you can fix it.

Re:"For years..." (1)

drinkypoo (153816) | more than 3 years ago | (#33408706)

What about all the spam it was hammering out? As soon as you believe a machine to be infected the honorable thing to do is unplug it from the Net until you can fix it.

It wasn't actually hammering any (significant volume of?) spam out. I can see my bandwidth use, I have a monitor on the single point of in/egress. Pretty sure it was some kind of spy from its interference with input.

Re:"For years..." (1)

Spad (470073) | more than 3 years ago | (#33407902)

Expire 30 days after you purchased the machine and then have all their warnings ignored by their users.

Alternatively, be forced into permitting the execution of malicious code because their users really, really want to see the dancing bunny.

Re:"For years..." (1)

jimicus (737525) | more than 3 years ago | (#33408198)

I seem to be missing something here. Somebody please remind me what Windows Malicious software remover and all those antivirus programs are supposed to be doing.

If the people whose PCs are spewing out such garbage were aware of the issue, don't you think they'd have taken steps to resolve it years ago?

The problem is a combination of ignorance ("How was I to know that?") and technology not meeting expectations ("It's my computer, it can't run anything I don't tell it to!")

Re:"For years..." (1)

John Hasler (414242) | more than 3 years ago | (#33408678)

If every outgoing spam cost them $5 they'd become "aware" very quickly (yes, I know that's impractical and a bad idea for many reasons).

Re:"For years..." (1)

dotwhynot (938895) | more than 3 years ago | (#33408208)

I seem to be missing something here. Somebody please remind me what Windows Malicious software remover and all those antivirus programs are supposed to be doing.

The biggest problem is people not using them - not using automatic windows update (or very frequently manual) and not having up-to date malware and antivirus (it's free [microsoft.com] and some, like this one, are not the resource hogs fx old Norton was infamous for.)

Nothing is 100% secure, but boy to this take care of most of it, as you correctly are saying (when I turn my sarcasm detector off :)

fx Windows had actually Conficker patched quite early, in Windows Update, it became the big ongoing epidemic because of unpatched machines (people not doing auto- or frequent updates, for some reason or other).

And some people are probably going to suggest Mac or Linux at this point, fair enough, but for people that wants or needs to use Windows, it isn't that hard to have a quite secure and trouble free Windows 7 setup (decade old XP is starting to be another story).

Re:"For years..." (1)

Insanity Defense (1232008) | more than 3 years ago | (#33408530)

(people not doing auto- or frequent updates, for some reason or other).

Among the reasons for not doing auto updates are patches from Microsoft hosing your system.

A couple of personal examples:

An update to IE made it impossible for ANY program to access the internet with that computer. Why an IE update was able to block other programs was never clear but shows why the integration of programs for marketing reasons is a bad idea.

Another one "updated" a driver for the motherboard to an older version that predated that motherboard and BSOD'd the machine.

Re:"For years..." (1)

hedwards (940851) | more than 3 years ago | (#33408600)

malware removers are great, but they're only a portion of the solution. A proper firewall, sandbox, antivirus and anti-malware is really the bare minimum needed on Windows. Beyond that you need common sense, vigilance and some knowledge of security. The problem is that it's a relatively small number of people that actually go that route.

Is this really a big deal (1)

Mr. Freeman (933986) | more than 3 years ago | (#33407466)

They have been studying this since 2007 and now, three years later, have only managed to take 20 of the 30 control servers offline. Good work, to be sure, but it's not even a dent in terms of amount of malware stopped. How many other worms/viruses have been created in the past three years that are still running? And how much work would it take to bring Pushdo back to full force? Put some other C&C servers online and push out an updated list through the current C&C servers.

The only reason this was got crippled was because it was the focus of a particular bit of research. There's no way in hell that the same amount of effort could possibly be put towards stopping even a majority of other, equally dangerous, malware.

A small victory in a huge war.

Re:Is this really a big deal (1)

Joce640k (829181) | more than 3 years ago | (#33407528)

I'm just reading this doc [trendmicro.com] and the whole thing seems to be an exercise in fail on the part of Windows and antivirus programs:

* Detection of this is as easy as looking for a file "Rs32net.exe" in the Windows system folder.

* Subverting Windows' "safe mode" is as simple as writing registry values to "HKLM\SYSTEM\CurrentControlSet\Safeboot\Minimal\[EXEFILENAME]"

* Making sure you load into memory *before* the antivirus is as simple as this [microsoft.com] (yet somehow the antivirus programs can't use this technique??)

etc.

Re:Is this really a big deal (1)

Aeternitas827 (1256210) | more than 3 years ago | (#33407568)

Concievably, the methods used by these researchers could be examined within their particular community (meaning, in this case, other research labs/firms seeking to eliminate these sorts of threats), and with greater analysis and numbers behind the existing data, adaption and use of this research could be utilised--in an accelerated timeline--against other botnets.

That said, will the war ever truly be won? Very likely not; hackers, malware authors, and the like will continue to get more ingenious, which will prevent real-time analysis and extermination of C&Cs for botnets (and there's nothing to say that, even with 100% elimination of one botnet's C&Cs, that it could not be revived at some later point if needed, with newly planted/created C&Cs); but should a better picture of how to manage and mitigate these threats become evident and applicable with any reliable speed, it will become more of a war of attrition than a lost cause.

Re:Is this really a big deal (1)

Requiem18th (742389) | more than 3 years ago | (#33407662)

The battle won't be won because stupid people insist on running Windows and running every attachment mail their way and every pirated software they get from warez sites.

Re:Is this really a big deal (2, Interesting)

twidarkling (1537077) | more than 3 years ago | (#33407736)

Stupid people would be stupid on any OS. There is no reason in the world to suspect that if Windows disappeared that virus/malware creators would shrug and go "Oh well, we're fucked, guess we find real jobs," or that stupid people would suddenly go "Gee, that document my friend sent me is asking to install a program, that doesn't seem right." As long as you insist on "It's a Windows problem" rather than "It's a user education problem" the battle will never be won.

Re:Is this really a big deal (1)

John Hasler (414242) | more than 3 years ago | (#33408698)

As long as you insist on "It's a Windows problem" rather than "It's a user education problem" the battle will never be won.

As long as you insist that it is a "user education problem" the battle will never be won. It's a user motivation problem and no, I don't know how to solve it.

Re:Is this really a big deal (1)

Dekker3D (989692) | more than 3 years ago | (#33407768)

The battle won't be won because stupid people insist on running Windows and running every attachment mail their way and every pirated software they get from warez sites.

Funny, that. I'm a Windows XP user, and I download quite a bit of questionable software but I haven't had any virus for the last couple of years. The problem is not with Windows, the problem is with stupid people. A bit of education would easily reduce the size of botnets a lot.

Re:Is this really a big deal (1)

maxwell demon (590494) | more than 3 years ago | (#33407838)

The battle won't be won because stupid people insist on running Windows and running every attachment mail their way and every pirated software they get from warez sites.

Funny, that. I'm a Windows XP user, and I download quite a bit of questionable software but I haven't had any virus for the last couple of years. The problem is not with Windows, the problem is with stupid people. A bit of education would easily reduce the size of botnets a lot.

How can you be sure? Botnet viruses try to make themselves as unnoticeable as possible.

Re:Is this really a big deal (1)

Joce640k (829181) | more than 3 years ago | (#33407886)

That's what you think...but how do you know for sure?

Re:Is this really a big deal (0)

Anonymous Coward | more than 3 years ago | (#33408200)

Even if you're using OSX or Linux or BSD....how do YOU know for sure YOU haven't been infected? Yeah, that's what I thought.

Re:Is this really a big deal (1)

Patch86 (1465427) | more than 3 years ago | (#33407580)

Correct me if I'm wrong, but wouldn't adding new C&C servers be as simple as pushing an update to the bots? If there are still remaining C&C servers to update with (let alone still a third), that should be pretty routine for them.

Shutting down 20 out of 30 servers seems worse than useless to me. If you need to get all 30 at once, all that has been achieved is that they're back to square one.

Re:Is this really a big deal (2, Interesting)

SL Baur (19540) | more than 3 years ago | (#33407830)

Correct me if I'm wrong, but wouldn't adding new C&C servers be as simple as pushing an update to the bots? If there are still remaining C&C servers to update with (let alone still a third), that should be pretty routine for them.

Not in this case. This botnet apparently can spread other client side malware, but doesn't attempt to infect new servers.

That's a very hard problem and I guess that's good.

New servers can be added manually though. Part of their protocol involves the client receiving updated lists of servers. That's why even though this was first detected in 2007, had the servers attacked repeatedly over the years as in this article, the botnet is still around.

The associated articles only discuss how the client side works. All the fascinating code is on the server side and apparently has not been broken.

If you need to get all 30 at once, all that has been achieved is that they're back to square one.

True. The loss of 2/3 is a minor setback and one that's happened before. This isn't the Black Knight. Servers can be added to this botnet, while limbs cannot be regrown.

In case it isn't obvious by now, this botnet was done by someone who has some experience in (Soviet) military network programming (C3I). What will happen when (laid off, down on their luck, etc. etc.) US C3I experts turn to the dark side?

And in other news Ten unrelated ISP corpses found. (0)

Anonymous Coward | more than 3 years ago | (#33407526)

Bystanders report the ten were nuked by a BGP attack from orbit.

Re:And in other news Ten unrelated ISP corpses fou (1)

mysidia (191772) | more than 3 years ago | (#33407576)

Unfortunately, the rumors were greatly exagerated. The nukes didn't find their targets, because the folks who identified the servers were so unkind that they didn't publish the IP addresses^H^H^H^H^H^H^H^H^H^H^H^H coordinates

Slashdot editors will approve anything... (0)

gavron (1300111) | more than 3 years ago | (#33407578)

It takes ONE (1) command/control server to keep the botnet functioning.

TEN (10) were left up.

NOTHING was "seriously crippled" nor was the botnet affected. This is a perfect example of a non-story about a good attempt that failed.

They've been "Trying since 2007" and can't take down 30 servers. Fair enough. There are lots of countries that don't cooperate with self-styled "authorities". How is this a story?

Did some widdle person need to publish something to get their widdle higher degree?

This is not a success.

There was nothing "crippled" here nor "seriously crippled" nor "partially crippled."

This is an example of a non-story about an abject failure.

It's like Bruce Willis taking out 2/3 of the asteroids about to blow up the Earth.

E

Re:Slashdot editors will approve anything... (4, Informative)

PatPending (953482) | more than 3 years ago | (#33407638)

NOTHING was "seriously crippled" nor was the botnet affected. This is a perfect example of a non-story about a good attempt that failed.

"Nothing?" "Attempt that failed?"

Look at their graph: from a high of 1,400 on 3 Aug to 0 on 26 Aug. -- that ranks as both a "seriously crippled" and "success" in my book.

So while you chose to belittle their achievements, I for one chose to say a silent "Thank you! Well done!" for their years of persistence in fighting this war.

Re:Slashdot editors will approve anything... (1)

maxwell demon (590494) | more than 3 years ago | (#33407742)

We don't know what really went on. Maybe the botnet operators have a second botnet, and after detection of the attack they decided to temporally only use the other one in order to make the attacker think the attacked botnet were dead and lose interest in it.

It's not dead yet, it's getting better (2, Interesting)

SL Baur (19540) | more than 3 years ago | (#33407892)

Look at their graph: from a high of 1,400 on 3 Aug to 0 on 26 Aug. -- that ranks as both a "seriously crippled" and "success" in my book.

So while you chose to belittle their achievements, I for one chose to say a silent "Thank you! Well done!" for their years of persistence in fighting this war.

I did. Color me unimpressed. This isn't the first time that this botnet's servers have had their numbers reduced.

I didn't see any analysis of what is going on server side and that is where all the interesting code is.

Their client/server protocol is self-repairing in that servers can propagate new IP lists of servers to clients. According to the various articles, (some of) the servers have been taken down before.

Apparently nothing is known about what is going on server side.

This botnet puts a high priority on not being detected (according to TFAs).

All that is happening now is a reconfiguration. Lay low, infect new servers, then it's business as usual.

Oh and my threat estimate of this botnet is very high. It's MS Windows only at the moment, of course, but the analysis seems to indicate that with not much additional work, could function in a heterogeneous network.

Re:Slashdot editors will approve anything... (1)

Joce640k (829181) | more than 3 years ago | (#33407900)

Come back with next week's numbers and we'll see if this was a "success" or not...

Swatting At Flies (1)

phantomcircuit (938963) | more than 3 years ago | (#33407596)

So they take down 2/3rds of the C&C servers and by tomorrow the entire net will be redirected to 30 brand new C&C servers.

DMCA (0)

Anonymous Coward | more than 3 years ago | (#33407684)

They circumvented a protection measure... Someone should slap them with a DMCA lawsuit.

Damm researchers.. always screwing up the internet.

10 C&C server left? Sounds like a lost battle. (1)

gweihir (88907) | more than 3 years ago | (#33407700)

"Cripple" sounds entirely too optimistic. Maybe "somewhat inconvenience" is the right term here. C&C servers can be added easily, if the design is right. In fact, if the operators know their business, they will have standby-servers that can be activated within minutes.

And again some "security researchers" vastly overstate their success. I find that highly unethical.

Re:10 C&C server left? Sounds like a lost batt (0)

Anonymous Coward | more than 3 years ago | (#33408050)

What about "gently tickle"

sure, sure (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33407836)

researchers

No, you aren't. I don't know why people working in IT security have the ego to always add the word "researcher" to their title. Just because your job involves problem solving it doesn't mean you're a "researcher" as the term is understood everywhere else. Anyway, where does your R&D budget come from for this team of "researchers", and what do you get back?

at Last Line of Defense

Who? So many overgrown hax0rs slapping a stupid name on their activities and calling themselves a business, using inflated claims of leet-sounding achievements for PR then pushing security "solutions" to idiots.

a security intelligence firm

lol. k guise. security intelligence [swcp.com]. security intelligence [nsa.gov]. yuo [rajuabju.com].

Look, it's cool what you've done. But would you kindly put yourself into context and stop adopting a pompous vocabulary unique to your trade? Perhaps the state of PC security wouldn't be so dire if it wasn't such a mixture of AV vendors enjoying protection money and ADHD-crippled scene d00ds lacking formal grounding and in a permanent state of 14 year old.

Posting AC because the kid has a water pistol and it's too early in the morning to get wet.

Surveillance and tracking instead of shut down (3, Insightful)

La Gris (531858) | more than 3 years ago | (#33407848)

I wonder why the police did not just add spying logging equipments, kept silent and followed wires (IP addresses ) and money transfers. (obviously, someone paid for the servers, even with stolen cards). Shutting down 2/3rd of C&C is like 2/3rd done job. The organized crime behind this is still runing fine.

Re:Surveillance and tracking instead of shut down (1)

jimicus (737525) | more than 3 years ago | (#33408202)

My guess would be that people running large botnets do not tend to contact hosting providers and pay for a years' hosting with a legitimate credit card which they own and is registered to their home address.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...