
Researchers Take Down Koobface Servers

kdawson posted more than 3 years ago | from the pennies-at-a-time dept.


splitenz notes the first actions in the war against the Koobface botnet, taken on the heels of a comprehensive report (PDF) on the operations of the botnet and the criminal gang behind it. The researchers who analyzed Koobface are the same ones who brought Ghostnet to light. "Security researchers, working with law enforcement and Internet service providers, have disrupted the brains of the Koobface botnet. The computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline late Friday (US Pacific time). Criminals behind the botnet made more than $US2 million in one year. Facebook accounts are used to lure victims to Google Blogspot pages, which in turn redirect them to Web servers that contain the malicious Koobface code. This action is only a stage in the war against Koobface."
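The lure chain in the summary (Facebook link to a Blogspot page, redirect to a third-party server, download of a fake Flash Player update) is a sequence a web proxy log records in full. The script below is an added example, not code from the researchers or from the report: it reconstructs per-client request sequences from a constructed proxy log and flags clients that complete all three stages. The log format, the sample hosts, the 120-second window and the allowlist of trusted domain suffixes are assumptions.

```python
"""Flag clients in a web proxy log that follow the Koobface-style lure chain:
Facebook -> Blogspot page -> untrusted host -> executable posing as a Flash update.

Added example; the log format, sample hosts and thresholds are assumptions,
not details taken from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Space-separated fields:
# timestamp client method url status referer content_type
SAMPLE_LOG = """\
2010-11-13T10:00:01 10.0.0.5 GET http://www.facebook.com/home.php 200 - text/html
2010-11-13T10:00:08 10.0.0.5 GET http://funny-video-lol.blogspot.com/2010/11/video.html 200 http://www.facebook.com/home.php text/html
2010-11-13T10:00:09 10.0.0.5 GET http://cdn-update-host.example/v/?id=123 302 http://funny-video-lol.blogspot.com/2010/11/video.html text/html
2010-11-13T10:00:10 10.0.0.5 GET http://cdn-update-host.example/flash_player_update.exe 200 http://cdn-update-host.example/v/?id=123 application/octet-stream
2010-11-13T10:05:00 10.0.0.7 GET http://www.facebook.com/home.php 200 - text/html
2010-11-13T10:05:20 10.0.0.7 GET http://someone.blogspot.com/2010/11/cats.html 200 http://www.facebook.com/home.php text/html
2010-11-13T10:05:25 10.0.0.7 GET http://get.adobe.com/flashplayer/ 200 http://someone.blogspot.com/2010/11/cats.html text/html
2010-11-13T11:00:00 10.0.0.9 GET http://download.example/setup.exe 200 - application/octet-stream
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")
WINDOW = timedelta(seconds=120)  # assumed maximum time from lure page to payload
# Assumed allowlist of hosts that legitimately appear in this flow.
TRUSTED_SUFFIXES = ("facebook.com", "blogspot.com", "adobe.com", "macromedia.com")


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, referer, ctype = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status),
            "referer": None if referer == "-" else referer, "ctype": ctype}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def has_suffix(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def is_trusted(url):
    h = host_of(url)
    return any(has_suffix(h, s) for s in TRUSTED_SUFFIXES)


def is_exe_download(rec):
    """A successful .exe download with a binary content type from an untrusted host."""
    path = urlparse(rec["url"]).path.lower()
    return (rec["status"] == 200 and path.endswith(".exe")
            and rec["ctype"].startswith("application/") and not is_trusted(rec["url"]))


def find_lure_chains(lines):
    """Return one hit per client that completes the three-stage chain inside WINDOW."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)

    hits = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, lure in enumerate(recs):
            # Stage 1: a Blogspot page reached from Facebook.
            if not (has_suffix(host_of(lure["url"]), "blogspot.com") and lure["referer"]
                    and has_suffix(host_of(lure["referer"]), "facebook.com")):
                continue
            blog_host = host_of(lure["url"])
            left_blog = False
            found = None
            for nxt in recs[i + 1:]:
                if nxt["ts"] - lure["ts"] > WINDOW:
                    break
                # Stage 2: the Blogspot page sends the browser to an untrusted host.
                if (nxt["referer"] and host_of(nxt["referer"]) == blog_host
                        and not is_trusted(nxt["url"])):
                    left_blog = True
                # Stage 3: an executable comes down from an untrusted host.
                if left_blog and is_exe_download(nxt):
                    found = {"client": client, "lure": lure["url"],
                             "payload": nxt["url"], "at": nxt["ts"].isoformat()}
                    break
            if found:
                hits.append(found)
                break  # one hit per client is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_lure_chains(SAMPLE_LOG.splitlines()):
        print(hit)
```

Adjust LINE_RE to the real log format before running it over production data. The allowlist is the weak point: a lure served from a host matching a trusted suffix, or a payload renamed without the .exe extension, slips through, so treat the output as a triage list rather than a verdict.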


Subject (0)

Anonymous Coward | more than 3 years ago | (#34217024)

All your base are belong to us.

not sure (4, Funny)

phantomfive (622387) | more than 3 years ago | (#34217068)

I'm not sure how they did this exactly, but I'm pretty sure they didn't do it with the SQLNinja hacker tool from Fedora.

Awesome job guys.

koobface, from wikipedia: (0)

Anonymous Coward | more than 3 years ago | (#34217078)

> Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system

Why were people running a "flash player update" from a third party web site they got to from Facebook?

PEBKAC. When are we going to start expecting people to act responsibly online? We expect them to drive their car responsibly. We expect them to act responsibly when using heavy machinery. It's time to expect the same of their computer, given that the internet is a resource shared by the whole world. You don't get to just abuse it because you were too stupid not to run "af39.ru/ThisIsAnAdobeUpdateHonest!.exe". Those people need to be kicked off the net until they can demonstrate that they can play nicely with the rest of us.

Re:koobface, from wikipedia: (0)

Anonymous Coward | more than 3 years ago | (#34217134)

FYI: the domain af39.ru does not exist.

Re:koobface, from wikipedia: (0)

Anonymous Coward | more than 3 years ago | (#34218258)

Yeah, that's because somebody took it out of the DNS records.

Re:koobface, from wikipedia: (2, Insightful)

Kosi (589267) | more than 3 years ago | (#34217170)

Those people need to be kicked off the net until they can demonstrate that they can play nicely with the rest of us.

Although the BOFH in me would like that, thoroughly fining them would be enough. And if we really had a law that allowed banning people from the net for incompetence, how long would it take before it was abused to cut off government-critical voices and the like? Or some evil corp gets the machine of a critical blogger infected and he's offline. Not with me.

Re:koobface, from wikipedia: (0)

Anonymous Coward | more than 3 years ago | (#34217224)

(I am the AC you replied to).

> how long would it take that it would be abused to cut off government critical voices and the like?

Damnit! That's a good point :(. Although with the "evil corp" example, I'd argue people should be keeping their systems safe from evil corporations as well as evil crime syndicates.

But maybe you're right, just a fine would suffice. It could increase as you keep doing it.

Re:koobface, from wikipedia: (1)

Kosi (589267) | more than 3 years ago | (#34217518)

Although with the "evil corp" example, I'd argue people should be keeping their systems safe from evil corporations as well as evil crime syndicates

Are you safe from someone secretly breaking into your house and infecting your machine? And do you really only use software that is 100% proven to be not exploitable on machines with net connection? C'mon, it has to stay reasonable. You can't expect everyone to go online with Linux Live CDs or from a VM that is reverted to a clean snapshot after the session. Which are about the only ways to really stay clean.

Re:koobface, from wikipedia: (0)

Anonymous Coward | more than 3 years ago | (#34217626)

> Are you safe from someone secretly breaking into your house and infecting your machine?

No, but as you say, it has to stay reasonable. Of all the millions of botnet systems out there, I don't think very many were infected through that attack vector. It's pretty rare that major corporations break into people's homes. I won't say never... just not something I worry about, and if they're going to do that, they could do even nastier things like plant evidence of a felony.

As for being safe from normal web surfing, so far I have yet to get a virus or malware, even on my Windows machines, going back to W2K days. It actually isn't all that hard. It's part of responsible use of a shared public facility, much like not drifting into opposing lanes of traffic while driving.

Re:koobface, from wikipedia: (2, Insightful)

bfree (113420) | more than 3 years ago | (#34217208)

Why were people running a "flash player update" from a third party web site they got to from Facebook?

They are used to seeing the "you need the latest flash to view this content, click here to install it now". Sure when it's done the "normal" way the executable they randomly install will come from Adobe, but the entire process is begging for this tomfoolery.

To those who can't guess, I use Linux, won't install anything from Adobe and use NoScript in the browser, so forgive me if the "official" process has changed from the above idiotic implementation.

Re:koobface, from wikipedia: (2, Informative)

hairyfeet (841228) | more than 3 years ago | (#34220430)

That is why I have been saying for ages the most common software like Flash, along with updates to drivers like NV and ATI, should come through Windows Update. But sadly every Joe Schmo company that didn't get included would scream "antitrust!". What I've found to work in the meantime with clueless users is simply tell them "If a site says you need to update Flash or Java or whatever, go here [ninite.com], put checkboxes on what you need, then run it". Ninite has all the most common like Flash, Silverlight, .NET, Java, as well as browsers, media players, the K-Lite Codec Pack for those that get the "you need codecs to play" problem, pretty much anything they need.

I tell them if the site still demands they install something after running Ninite it is a virus and should be ignored and avoided. It does help to cut down on the clueless ones whose machines I don't have direct access to. For those I DO have access to I have Update Checker [filehippo.com] installed and running in the background so they KNOW if FileHippo doesn't tell them there is an update there is NO update. Everyone makes fun of the "stupid" users, but really nobody can know everything and some of these sites are damned hard to tell from real. Giving the clueless a few tools such as this really helps cut down the infections, although I think Windows Update doing it would be even better.

So... (1)

Yvan256 (722131) | more than 3 years ago | (#34217268)

Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player.

So what you're saying is that it's somehow Adobe's fault? /duck

Re:koobface, from wikipedia: (1)

st0rmshad0w (412661) | more than 3 years ago | (#34217390)

In my working experience, while inability to safely drive a vehicle or properly operate machinery is cause enough for firing, I have YET to see anyone fired from a job due to their inability to properly use a computer. Even if using one is ESSENTIAL to their job. Even if their reckless usage causes actual damages.

I can't see how responsible computer use will get to be expected in the home user world when businesses don't even expect their employees to properly use them.

Re:koobface, from wikipedia: (1)

shentino (1139071) | more than 3 years ago | (#34218224)

Considering that we have graphics cards potentially on the way to being hacked so that you can't even be sure of the URL after checking the address bar, I think it's high time to stop blaming the victim and start calling these "separators of fools and their money" what they really are.

Thieves, cheaters, hackers, and most of all, terrorists.

Thieves because they steal, cheaters because they happily break the same rules that the rest of us are required to follow, hackers because of how they draft our machines into their botnet armies, and terrorists because of how they use that electronic firepower.

I will never forget when one company called Blue Security had the balls to stand up to spam...and got blown to bits by a DDoS attack.

They are victims, plain and simple. Sure, the stupid ones fall first, but nobody is really immune. It's just a case of low hanging fruit being the first to be harvested. If the scammers run out of stupid people they will happily start escalating to snare smarter folks.

Their computers do, however, pose a menace. They are infectious. And we should treat them like we do real people who have communicable diseases. We should quarantine them, and stop them from causing more damage.

Anyone who plays the "blame the victim" card is blinding themselves to just how serious of a problem there is, not to mention giving all those hackers a free pass just because they're giving out electronic darwin awards.

Re:koobface, from wikipedia: (1)

reiisi (1211052) | more than 3 years ago | (#34221736)

I'll agree with you if you will agree that Microsoft (and now Apple) are the primary abusers.

Bill Gates just couldn't leave another opportunity to rule the world alone long enough for the tech to mature enough for ordinary people to use it.

Re:koobface, from wikipedia: (1)

couchslug (175151) | more than 3 years ago | (#34224496)

"When are we going to start expecting people to act responsibly online? "

Never, and the expectation that "they" will act reasonably is itself unreasonable.

Fight Fire With Fire. (1)

Frosty Piss (770223) | more than 3 years ago | (#34217132)

OK, now, I'll expect to hear a lot of bleating about how it's unethical to use Black Hat methods to take down Spam Bot Networks...

Folks, spammers don't play by the rules, and playing by the rules will not, in the long term, even dent spammers.

If we're not willing to use a "no holds barred" approach to attacking the spam bot issue, well, you better just get used to more and more spam.

Re:Fight Fire With Fire. (2, Insightful)

John Hasler (414242) | more than 3 years ago | (#34217182)

It may be reasonable to start doing something against the bots but "no holds barred" is never justified. "Fighting fire with fire" just burns everything down.

Re:Fight Fire With Fire. (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#34217308)

...but "no holds barred" is never justified. "Fighting fire with fire" just burns everything down.

Bullshit. And, quite clearly, your approach has not, is not, and probably will not be successful.

Therefore, I suggest you get used to lots of spam, and please stop complaining since you are unwilling to do anything effective to deal with it.

Re:Fight Fire With Fire. (2, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#34217362)

In particular because vigilantes have a bad reputation when it comes to correctly identifying targets and having a low occurrence of collateral damage. You get people who very much have the crusader mentality who get convinced of their own righteousness and infallibility. It leads to problems, it leads to innocents getting caught up on a large scale. Whenever you have to start up with "The ends justify the means," it generally means that they in fact don't.

Re:Fight Fire With Fire. (1)

Securityemo (1407943) | more than 3 years ago | (#34220836)

However, if no viable alternative exists it's the lesser of two evils. A functioning police system and judiciary is a luxury and a means to an end, not a moral cause in and of itself. Spam and botnets currently lie mostly outside of the reach of the law, so if something is to be done about it it's going to be done by private forces. It's not so much a slippery slope as a slippery ladder, stretching back to before the first societies arose. And we still haven't found the bastard that soaped it up.

Re:Fight Fire With Fire. (1)

couchslug (175151) | more than 3 years ago | (#34224890)

""Fighting fire with fire" just burns everything down."

That is a much-cherished asserted conclusion promulgated by those who are emotionally uncomfortable with force.

Re:Fight Fire With Fire. (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34217210)

OK, now, I'll expect to hear a lot of bleating about how it's unethical to use Black Hat methods to take down Spam Bot Networks... Folks, spammers don't play by the rules, and playing by the rules will not, in the long term, even dent spammers. If we're not willing to use a "no holds barred" approach to attacking the spam bot issue, well, you better just get used to more and more spam.

My reply is off-topic but I found it interesting to s/spammers/terrorists/ and etc.:

OK, now, I'll expect to hear a lot of bleating about how it's unethical to use Black Hat methods to take down Terrorist Networks... Folks, terrorists don't play by the rules, and playing by the rules will not, in the long term, even dent terrorists. If we're not willing to use a "no holds barred" approach to attacking the war on terrorism issue, well, you better just get used to more and more terrorism.

Re:Fight Fire With Fire. (4, Funny)

WrongSizeGlass (838941) | more than 3 years ago | (#34217294)

If we're not willing to use a "no holds barred" approach to attacking the spam bot issue, well, you better just get used to more and more spam.

I'm working on crossing a Predator Drone with traceroute. Right now it's more like 'Tron' meets the 'A-Team' but it's still in the development phase. I'll let you know when I'm ready to test it ;-)

Re:Fight Fire With Fire. (0)

Anonymous Coward | more than 3 years ago | (#34235478)

stfu noob....

Re:Fight Fire With Fire. (0, Offtopic)

PietjeJantje (917584) | more than 3 years ago | (#34217348)

In that case, since we like to widen our search in our next case, Sir, we'll search all of your traffic data and what you typed into Google the last year.

Re:Fight Fire With Fire. (0, Flamebait)

pgmrdlm (1642279) | more than 3 years ago | (#34218178)

If you receive a notice of high bandwidth usage after a pattern of never going over a specific amount in a month, what's your problem?

Profiling of bandwidth use would be a very good tool. And I feel completely legitimate. You're a 68-year-old parent who is using 40 gig a month of bandwidth. This is after a pattern over several years of only 1 gig a month. You think that shouldn't be questioned???

And based on your snotty response to the previous person, yes, I expect you to flame me. Go for it, I'm waiting with a reply already typed.
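Profiling a subscriber's monthly bandwidth against that subscriber's own history is easy to get wrong in both directions (flagging people whose usage has always been noisy, or missing a jump from a tiny baseline), so here is an added example of one way to do it. It is my code, not the commenter's and not any ISP's actual method; the usage figures are constructed, and the thresholds (six months of history, five times the median, six MADs, a 5 GB floor) are assumptions.

```python
"""Flag subscribers whose current month is far above their own historical baseline.

Added example. Usage figures are constructed; thresholds are assumptions.
"""
from statistics import median

# Constructed monthly usage in GB, oldest first; the last value is the month under review.
USAGE = {
    "sub-0001": [1.1, 0.9, 1.0, 1.2, 0.8, 1.0, 1.1, 0.9, 1.0, 1.0, 1.1, 0.9, 40.0],
    "sub-0002": [30.0, 45.0, 38.0, 52.0, 41.0, 36.0, 49.0, 44.0, 39.0, 47.0, 35.0, 50.0, 48.0],
    "sub-0003": [0.5, 0.6, 25.0],
}

MIN_HISTORY = 6        # months of history needed before a verdict is attempted
MULTIPLIER = 5.0       # current month must exceed this multiple of the median
MAD_K = 6.0            # ... and this many median absolute deviations above it
MIN_ABSOLUTE_GB = 5.0  # never flag below this, whatever the baseline


def baseline(history):
    """Median and median absolute deviation: robust to a few odd months."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def assess(usage, min_history=MIN_HISTORY):
    """Return (status, threshold) for one subscriber's usage series."""
    history, current = usage[:-1], usage[-1]
    if len(history) < min_history:
        return ("insufficient_history", None)
    med, mad = baseline(history)
    # The largest of the three rules wins, so noisy histories raise the bar.
    threshold = max(med * MULTIPLIER, med + MAD_K * mad, MIN_ABSOLUTE_GB)
    status = "anomalous" if current > threshold else "normal"
    return (status, round(threshold, 2))


def find_anomalies(table):
    return {sid: assess(series) for sid, series in table.items()}


if __name__ == "__main__":
    for sid, (status, threshold) in find_anomalies(USAGE).items():
        print(f"{sid}: {status} (threshold {threshold} GB)")
```

A flagged month is a reason to contact the subscriber, not evidence of infection: a new streaming habit produces the same jump as a bot, and a bot on an already heavy user's line stays under the raised bar.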

Agreed, 110%: This article (.pdf) helped me... apk (0)

Anonymous Coward | more than 3 years ago | (#34217666)

I, for one, am glad KOOBFACE is taking a beating from guys like these & others like them - & this article was helpful to me, especially the accompanying linked-to .pdf file that was their "detailed report", because it was detailed.

APK

P.S.=> Detailed enough for me to add another 17 known bad sites &/or servers to my custom HOSTS file that blocks this online threat, & all known others like it, out... apk
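Turning a report's list of servers into HOSTS entries is where mistakes creep in (a URL pasted instead of a hostname, an IP literal that HOSTS cannot block, a typo that blocks localhost), so this added example shows the checks that step needs. It is not the commenter's file and does not use the report's indicator list; the entries below are constructed placeholders, and the marker strings and the 0.0.0.0 sink address are assumptions.

```python
"""Build a block of HOSTS entries from raw indicators and merge it idempotently.

Added example. The indicator entries are constructed placeholders, not the
report's list; marker strings and the sink address are assumptions.
"""
import re

# Constructed placeholder entries standing in for a report's indicator list.
RAW_INDICATORS = [
    "http://bad-redirector.example/path/to/lure",  # URL, not a bare hostname
    "Bad-Redirector.example",                      # duplicate, different case
    "cc-node.example.",                            # trailing dot
    "192.0.2.10",                                  # IP literal: HOSTS cannot block it
    "localhost",                                   # must never be blocked
    "not a host name",
    "-leading-hyphen.example",
    "payload-host.example",
]

BEGIN = "# BEGIN koobface-blocklist"   # assumed marker lines for the managed block
END = "# END koobface-blocklist"
SINK = "0.0.0.0"                       # non-routable sink; 127.0.0.1 would hit a local server
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def normalize_host(raw):
    """Reduce a URL or bare name to a lower-case hostname without a trailing dot."""
    s = raw.strip().lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0].split("?", 1)[0]
    if "@" in s:
        s = s.rsplit("@", 1)[1]
    s = s.split(":", 1)[0]
    return s.rstrip(".")


def is_blockable_host(host):
    """Only syntactically valid, multi-label, non-loopback names belong in the block."""
    if not host or len(host) > 253 or host in NEVER_BLOCK:
        return False
    labels = host.split(".")
    if len(labels) < 2:
        return False  # single-label names are never public hostnames
    if all(label.isdigit() for label in labels):
        return False  # IPv4 literal; HOSTS maps names, not addresses
    return all(LABEL_RE.match(label) for label in labels)


def build_block(raw_entries):
    """Deduplicated, sorted HOSTS lines wrapped in marker comments."""
    hosts = sorted({h for h in (normalize_host(r) for r in raw_entries) if is_blockable_host(h)})
    return "\n".join([BEGIN] + [f"{SINK} {h}" for h in hosts] + [END]) + "\n"


def merge_into_hosts(existing, block):
    """Replace a previous managed block between the markers, or append if absent."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        a, b = lines.index(BEGIN), lines.index(END)
        lines = lines[:a] + lines[b + 1:]
    text = "\n".join(lines).rstrip("\n")
    return (text + "\n" if text else "") + block


if __name__ == "__main__":
    current = "127.0.0.1 localhost\n"
    print(merge_into_hosts(current, build_block(RAW_INDICATORS)), end="")
```

HOSTS blocking only helps for names: a bot that reaches its C&C by IP literal, or through a domain the report did not list, is unaffected, and the change takes effect only after the local resolver cache is flushed.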

Re:Fight Fire With Fire. (1)

JonySuede (1908576) | more than 3 years ago | (#34218194)

If we're not willing to use a "no holds barred" approach to attacking the spam bot issue, well, you better just get used to more and more spam.

By fighting fire with fire you risk disrupting the whole internet; spam is nothing compared to the shit you could unleash by doing so. The worst that can happen when spam crosses my filter is that I have to press "flag as spam"; considering the trouble caused, this problem does not deserve any more resources than it currently has.

Re:Fight Fire With Fire. (1)

John Hasler (414242) | more than 3 years ago | (#34218422)

The worst that can happen when spam crosses my filter is that I have to press "flag as spam"; considering the trouble caused, this problem does not deserve any more resources than it currently has.

It's much worse than that. Spam accounts for more than 90% of email traffic arriving at servers. There is also much more to malware than spam. Don't lose track of the fact that bots are computers controlled by criminals. There are probably hundreds of millions of them.

Re:Fight Fire With Fire. (0, Offtopic)

pgmrdlm (1642279) | more than 3 years ago | (#34218620)

My biggest problem is not spam. But people that get infected with key loggers or other data gathering tools which give up everything about them. Loss of income, loss of privacy.

I think everyone loses track of that fact.

Bravo! (1)

biskit (55311) | more than 3 years ago | (#34217326)

Well Done.

Good job guys, but... (2, Insightful)

exentropy (1822632) | more than 3 years ago | (#34217368)

The researchers took down three C&C servers (yay) but this doesn't get to the crux of the problem. We've been hijacking C&Cs for decades; malware authors are just moving to a P2P model (e.g. Stuxnet). These researchers should figure out how to stop the mass FTP compromises, or advise Google and Facebook on how to prevent their sites from being used as a platform for these attacks. Maybe then we could start solving this malware problem...

Re:Good job guys, but... (1)

Securityemo (1407943) | more than 3 years ago | (#34220848)

But that wouldn't be any fun.

TANSTAAFM (1)

sesshomaru (173381) | more than 3 years ago | (#34219832)

TANSTAAFM: There Ain't No Such Thing As A Free Market.
