
Researchers Tracking Emerging 'Darkness' Botnet

Soulskill posted more than 3 years ago | from the new-kid-on-the-block dept.

Botnet 85

Trailrunner7 writes "Researchers are tracking a new botnet that has become one of the more active DDoS networks on the Internet since its emergence early last month. The botnet, dubbed 'Darkness,' is being controlled by several domains hosted in Russia and its operators are boasting that it can take down large sites with as few as 1,000 bots. The Darkness botnet is seen as something of a successor to the older Black Energy and Illusion botnets and researchers at the Shadowserver Foundation took a look at the network's operation and found that it is capable of generating large volumes of attack traffic. 'Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive,' Shadowserver's analysts wrote in a report on the Darkness botnet. 'It now appears that "Darkness" is overtaking Black Energy as the DDoS bot of choice. There are many ads and offers for DDoS services using "Darkness." It is regularly updated and improved and of this writing is up to version 7. There also appear to be no shortage of buyers looking to add "Darkness" to their botnet arsenal.'"


85 comments

Charlie Murphy virus? (4, Funny)

MrEricSir (398214) | more than 3 years ago | (#34467242)

"AAAAAH! It's a celebration, bitches!"

Re:Charlie Murphy virus? (1)

windcask (1795642) | more than 3 years ago | (#34467270)

Fuck your couch.

Re:Charlie Murphy virus? (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34467328)

That brings up a good point. How come all the successful botnets and viruses have pretty easy and also socially friendly names? 'Darkness', 'Illusion', 'Black Energy', 'Stuxnet', 'Conficker'

Where's the
f*cksh*tc*nt*ssb*tchp*ssylol Botnet - and why don't I get to hear it on the news every other week?

Re:Charlie Murphy virus? (1)

KublaiKhan (522918) | more than 3 years ago | (#34467408)

Because the zombie-herders have realized that people are more likely to spend money on "Darkness" than "AssReamer 22k" ...though, IIRC, Conficker is bowdlerized from its original name. And Stuxnet may or may not have been the product of some government.

Re:Charlie Murphy virus? (1)

blair1q (305137) | more than 3 years ago | (#34467650)

And Stuxnet may or may not have been the product of some government.

All the more reason that camouflage requires that it be named Felchnet.

Re:Charlie Murphy virus? (0)

Anonymous Coward | more than 3 years ago | (#34468528)

Did it just get dark in here?

Re:Charlie Murphy virus? (1)

shnull (1359843) | more than 3 years ago | (#34470532)

Let's just block all access to all non-government-approved IPs. It would be like having a nice hot firewall in a new cold war from the other side, without the need for a real iron curtain. Party time indeed.

Slightly related question (2)

afaik_ianal (918433) | more than 3 years ago | (#34467254)

Slightly related question: how on Earth would one pay for use of a botnet like this?

It's not like you're going to hand your credit card details over to someone like this, right?

Re:Slightly related question (4, Insightful)

machxor (1226486) | more than 3 years ago | (#34467268)

My assumption is that someone needing a service like this would use *YOUR* credit card details to pay for it ;-)

Re:Slightly related question (1)

afaik_ianal (918433) | more than 3 years ago | (#34467356)

But surely the owners of the botnet would already have access to thousands of stolen credit cards. Surely the owners of the botnet are going to be pretty pissed off if the payment bounces because someone notices the several-thousand-dollar charge on their stolen card.

Re:Slightly related question (2)

windcask (1795642) | more than 3 years ago | (#34467554)

That's why you use a different credit card every month. You might get a rejection every once in a while, but the only people who will notice the charge are those that don't use their cards very often in the first place.

Re:Slightly related question (0)

Anonymous Coward | more than 3 years ago | (#34468260)

....the only people who will notice the charge are those that don't use their cards very often in the first place.

And anal people like me that actually reconcile their accounts every month.

Re:Slightly related question (1)

vxice (1690200) | more than 3 years ago | (#34469006)

It could easily be traded for a list of more cc#s, email lists or something else that could be traded over the net.

Re:Slightly related question (1)

windcask (1795642) | more than 3 years ago | (#34467298)

It's not like you're going to hand your credit card details over to someone like this, right?

Let's seeee. If you're already in the business of botnets and malware, odds are you can get your hands on a stolen credit card fairly easily...

Re:Slightly related question (3, Informative)

afaik_ianal (918433) | more than 3 years ago | (#34467414)

Ahh, I've answered my own question by re-reading TFA. They accept payment by WebMoney.

To those that answered "they use stolen credit cards", seriously, just think that through. Just because they're criminals, does not mean they're stupid. That they're not getting caught suggests they're not *that* stupid.

Re:Slightly related question (0)

Anonymous Coward | more than 3 years ago | (#34467568)

Why wouldn't you use legit payment methods?

Honor among thieves and all that, but more likely: reneging on someone providing a service would be a good way to get that service yanked out from under you, along with a black mark to your name. Reputation means a lot of things to these types of people...

Furthermore, would you rip off a paying customer? What if that customer was mafilliated? Didn't think so.

Re:Slightly related question (0)

Anonymous Coward | more than 3 years ago | (#34467570)

Well duh, not mine.

Re:Slightly related question (1)

Will.Woodhull (1038600) | more than 3 years ago | (#34467600)

how on Earth would one pay for use of a botnet like this?

I understand that the USA Government can simply open a Swiss bank account for the vendor. Or pay in bullion to vendor's destination of choice.

As to how private individuals might pay for this service, I'm pretty sure that in the post Wikileaks era, instructions for that will become available in the usual locations. But first things first.

referral payments (1)

SethJohnson (112166) | more than 3 years ago | (#34469070)

I am betting the spammer has opened up referral accounts with companies that sell pharma, etc. and will pay a percentage of sales that come routed from the ads the spammer sends. So, it's not like someone approaches the spammer saying, "I want these ads sent out. Here's some money." The spammer approaches third-party vendors who have referral programs and opens accounts that yield a commission on every sale that comes to the site with referral ID XYZ.

As an example, the viagra referral program [supergenericviagra.com]:

Now-a-days, affiliate marketing is becoming one of the most popular forms of advertising on the web. It provides low cost way to market the products and services. Web masters or Internet Marketers have a huge opportunity to monetize their web sites more efficiently. So if you are a web master, web site owner, or associated with email marketing, you can make a fortune through online pharmacy affiliate program at eMedOutlet.com

Seth

Re:Slightly related question (2)

Charliemopps (1157495) | more than 3 years ago | (#34469358)

Go to Walmart. You can pick up a credit card in the checkout that you can load with cash right there. No name, no address to trace back to you.

Version Numbers (2, Funny)

multipartmixed (163409) | more than 3 years ago | (#34467278)

> It is regularly updated and improved and of this writing is up to version 7

That's nothing -- I heard this one goes up to 11!

Re:Version Numbers (0)

Anonymous Coward | more than 3 years ago | (#34467370)

> It is regularly updated and improved and of this writing is up to version 7

Sounds just like Windows. ;)

Re:Version Numbers (0)

Anonymous Coward | more than 3 years ago | (#34469010)

It IS just like Windows.

Re:Version Numbers (0)

Anonymous Coward | more than 3 years ago | (#34467544)

> It is regularly updated and improved and of this writing is up to version 7

That's nothing -- I heard this one goes up to 11!

Mine is at version 5,653,897.2874563 So not only is it the best (because of the highest revision level) but the most accurate (because of the highest number of decimal places).

Re:Version Numbers (1)

donscarletti (569232) | more than 3 years ago | (#34468080)

This is just the number of times it has been updated, not an arbitrary internal version numbering system, any comparison to arbitrary scales is invalid. This sort of development is hardly publicized, the official major, minor, patch and build numbers, if they exist at all are not publicly known. External security researchers can just say that the first version they see is version 1, the second is version 2, all the way up to the seventh iteration which is version 7. This is not Java or Winamp.

With the prevalence of high speed connectivity... (1)

gimmebeer (1648629) | more than 3 years ago | (#34467358)

...and the continuance of user stupidity, botnets are just going to get more and more effective with fewer and fewer bots required.

Slashvertising botnets now ? (3)

billcopc (196330) | more than 3 years ago | (#34467368)

Are we really slashvertising botnets now ? "up to version 7"... I mean come on, who actually gives a shit ? Botnets exist, and they tend to be based in Russia, which is why I think someone should do the world a solid and drive a backhoe across eastern Europe.

Re:Slashvertising botnets now ? (2)

c6gunner (950153) | more than 3 years ago | (#34468008)

Botnets exist, and they tend to be based in Russia, which is why I think someone should do the world a solid and drive a backhoe across eastern Europe.

That's a quick way to fame, anyway. You'd always be remembered as the first man to wear an ICBM as a suppository.

Re:Slashvertising botnets now ? (1)

PremiumCarrion (861236) | more than 3 years ago | (#34471190)

I hate to be the person to say this, but surely it's more apt:
In Soviet Russia, ICBM wears you.

Just when I consider the suppository idea and relative sizes it seems more accurate a description of the process

Re:Slashvertising botnets now ? (0)

Anonymous Coward | more than 3 years ago | (#34471612)

Most spam originates in USA. We should do the rest of the world a favour and nuke it.

Re:Slashvertising botnets now ? (1)

tehcyder (746570) | more than 3 years ago | (#34473462)

And it doesn't even matter if the bit about spam turns out to be true, as long as we were acting in good faith with the best intelligence we could fit together for our purposes.

Re:Slashvertising botnets now ? (1)

jon3k (691256) | more than 3 years ago | (#34510914)

haha damn where are my mod points when I need them. can I drive the backhoe?

What did the five fingers say to the face? (-1)

Anonymous Coward | more than 3 years ago | (#34467432)

Slap!

King Kong ain't got shit on me!

Peer-to-peer (1)

jibjibjib (889679) | more than 3 years ago | (#34467626)

> controlled by several domains hosted in Russia

Why are all the major botnets still controlled by domains? It makes them easier to trace and easier to shut down. Is peer-to-peer really that hard?

Re:Peer-to-peer (3, Interesting)

Plekto (1018050) | more than 3 years ago | (#34467752)

The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets. It's like watching some nature show where they sit passively while the huge coyote mauls the little pet. At some point you would think that they would try to do something.

Of course, there is a simpler method open to authorities, which is to just not accept connections from Russia. If need be, just cut the wire until the local government hunts these criminals down.

Re:Peer-to-peer (4, Insightful)

KublaiKhan (522918) | more than 3 years ago | (#34467976)

Because there are ethical considerations involved.

Standard research ethics forbids the researchers from interfering with what is being researched. Part of this is to ensure the safety of the researchers: when the coyote's eating the yorkie, there's a very real danger of the researcher getting bitten by a rabid coyote. Likewise, if the researchers take over a botnet, there's a very real danger that their activities could be traced and the Russian Mafia comes and pays them a visit.

The other part is that the conclusions that they could draw may not be as valid (or completely invalid) if they have interfered. Certainly no respectable peer-reviewed journal would accept the research if it's been tainted like that.

Also, there's a lot more to be learned by watching it evolve naturally; the researchers may require some time to catch the full context of the setup, whereas if they interfered right away they could lose sight of certain management techniques or whatnot that would otherwise help in the botnets' defeat.

Finally, the action you propose is actively illegal. Just because it's a crime against another criminal doesn't mean they can't be prosecuted for it.

Re:Peer-to-peer (2)

KiloByte (825081) | more than 3 years ago | (#34468424)

The line in WikiLeaks cables that the Russian government is Mafia-driven is quite an understatement.

The authorities there know damn well who's herding botnets, but taking them down would be like taking another department of your own company.

Re:Peer-to-peer (1)

Plekto (1018050) | more than 3 years ago | (#34470648)

If all else fails, the telecommunications companies that own the backbone can literally cut Russia's feed until they get their act together and do something about it.

Simple as turning the connection off - that will get their attention. And as a multinational company, they are pretty much impossible to do much against (unlike a country).

Re:Peer-to-peer (1)

MareLooke (1003332) | more than 3 years ago | (#34471060)

Yeah, and to thank us for that they'll just cut gas supplies to eastern europe, we know how well that worked out last time...

Re:Peer-to-peer (1)

mapkinase (958129) | more than 3 years ago | (#34471910)

"could be traced and the Russian Mafia comes and pays them a visit."

Any examples of connection between traditional organized crime and cybercrime leading to physical violence against generally speaking, people of cyberspace?

Re:Peer-to-peer (1)

hesaigo999ca (786966) | more than 3 years ago | (#34473152)

Yeah ....but I think his real point was ...

if I see you being butt raped in some dark alley by some gang of big burly guys..., and I am videotaping it (like a nature show) ....would you rather I put down my camera and get involved to help you from suffering what you are going through, either by hitting them on the head with a club or calling the police,

or I could just say to myself, ....it is important to document what is happening so as to later better understand what was going on there, and maybe come up with a future solution to avoid this from ever happening again....I will let you decide.

Re:Peer-to-peer (1)

ArsenneLupin (766289) | more than 3 years ago | (#34473596)

or I could just say to myself, ....it is important to document what is happening so as to later better understand what was going on there,

It is important that you finish taping the event. Not only for the reasons that you say, but also for uploading it so that other people can wank off to it too.

and maybe come up with a future solution to avoid this from ever happening again....I will let you decide.

that would be kinda sad, as we would have to watch the same tape over and over again.

Re:Peer-to-peer (1)

c0lo (1497653) | more than 3 years ago | (#34468186)

The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets.

Because you are drinking from the same well?

Re:Peer-to-peer (1)

glwtta (532858) | more than 3 years ago | (#34470396)

It's like watching some nature show where they sit passively while the huge coyote mauls the little pet.

What the hell kind of fucked up "nature shows" do you watch, where pets are mauled by coyotes?

Re:Peer-to-peer (1)

brirus (1938402) | more than 3 years ago | (#34471630)

That sets a very bad precedent. Blocking communication between countries amounts to censorship. Besides, there have GOT to be some honest Russian web sites out there! I know it!

Re:Peer-to-peer (1)

Plekto (1018050) | more than 3 years ago | (#34480142)

You forget that the *companies* that own the cables and machinery of the Internet absolutely have the right to block content that is harmful or wasteful of their resources and hardware. It says so in every contract at every level. When Russia "allows" a carrier to have coverage in a city or region, both sides have such clauses in the fine print to protect themselves.

This isn't about nations, which can cause all sorts of problems and incidents by doing such actions against other nations, but multi-national companies that aren't associated with any one government. They could make a decision to block a neighboring country's or customer's main arteries and restrict that flow to a trickle.

ie - "find another provider"
Eventually Russia (as an example) might very well find itself running out of companies that want to work with it. That's perfectly fair, isn't it?

What needs to happen is for them to get tougher and in the case that a researcher finds a problem provider, at least notify the company instead of sitting on their hands passively watching.

http://en.wikipedia.org/wiki/E-mail_spam [wikipedia.org]
80% of spam is sent via botnets. Of course, a little research shows that 30% of all botnets are in Brazil and only 7% are in Russia. (roughly 20% of spam by volume, though, is sent from the U.S. - and that's entirely within their rights to crack down upon - just read your terms of service)

While cutting off Russia might be somewhat problematic (though all of the EU, which most of the wires route through, has laws against spam), I doubt if cutting off Brazil and smaller countries until they clean up their act would amount to much international fallout. Doubly so since these are companies and not governments making the decision that it's just too expensive and too risky to do so any more.

And as for the other person's comment about it turning into "Bambi", well, we're talking about over 20 billion dollars a year in lost productivity just in the U.S. alone. There's a real reason TO keep the coyotes out of the hen house, no matter how fascinating it might be to watch. I guess a better analogy would have been a nature show about wolves and the scene being one getting into a commercial poultry farm. I'd expect the farm/business to be a MITE bit angry if they passively sat back and let several thousand dollars worth of damage occur just to get their film done.

Re:Peer-to-peer (1)

jon3k (691256) | more than 3 years ago | (#34510942)

Most botnets are in the US because it's easier to deliver mail to your target when it's sitting in the same netblock, instead of crossing a couple continents and an ocean. The question isn't where the infected machines are, it's who's running them.

They can't touch me, & here is HOW/WHY (0)

Anonymous Coward | more than 3 years ago | (#34473398)

From the source article, I obtained their server's domain/hostnames and nameservers, which I have now added to my custom HOSTS file & blocked out, thus:

0.0.0.0 greatfull-toolss.ru
0.0.0.0 ns1.reg.ru
0.0.0.0 ns2.reg.ru
0.0.0.0 greatfull.ru
0.0.0.0 ns1.arbusi-host.net
0.0.0.0 ns2.arbusi-host.net
0.0.0.0 hellcomeback.ru

They're not going to get to ME, because I cannot get to them now... & what I can't touch, I cannot be "burned" by, simple!

HOSTS as blacklists work! Some evidence & cases for why you may be interested in implementing such protective (and speed-gaining) measures:

---

15++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:

1.) Adblock blocks ads in only 1 browser family (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).

2.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).

3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html [networkworld.com] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via PINGS &/or WHOIS though, regularly, so you have the correct IP & it's current)).

6.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

7.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://ddanchev.blogspot.com/ [blogspot.com]
http://www.malware.com.br/lists.shtml [malware.com.br]
http://www.stopbadware.org/ [stopbadware.org]
http://blog.fireeye.com/ [fireeye.com]
http://mtc.sri.com/ [sri.com]
http://news.netcraft.com/ [netcraft.com]
http://www.shadowserver.org/ [shadowserver.org]

REGULARLY UPDATED HOSTS FILES SITES (reputable/reliable sources):

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
http://hosts-file.net/?s=Download [hosts-file.net]
https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

8.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs.

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

12.) You don't have the sourcecode to Adblock. With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in).

15.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

* MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & FireFox has such as list as does IE also) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - mvps.org covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem (mvps.org offers 2 types for this).

D.) HOSTS files, once read/loaded, once GET CACHED, for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a users' 1st request that's "Webbound" via say, a webbrowser) gets read into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcache (like ANY file is), so it reads F A S T upon re-reads/subsequent reads (until it's changed in %WinDir%\system32\drivers\etc on Windows, which marks it "Dirty" & then it gets re-read + reloaded into the local diskcache again). This may cause a SMALL lag upon reload though, depending on the size of your HOSTS file.

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock, &/or NoScript (especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"...

APK

P.S.=> Some more notes on DNS servers & their problems, very recent + ongoing ones:

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

---

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

---

DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

---

Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even GOOGLE DNS, & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)

---

Then, there is also the words of respected security expert, Mr. Oliver Day, from SECUNIA.COM to "top that all off" as well:

A RETURN TO THE KILLFILE:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, from my initial & subsequent posts here in this very exchange no less... & guess who was posting about HOSTS files 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly!

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non-DNSSEC type, & set into recursive mode especially), and also in the TOR system as well (which lends itself to the anonymous proxy usage weaknesses I noted above also)... apk

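The two points the comment above rests on, that the resolver consults the HOSTS file before sending any DNS query and that shared block lists can be merged into one file, are easy to get wrong in practice: lists disagree on the sinkhole address (127.0.0.1 vs. 0.0.0.0), they overlap, and a list you did not write can smuggle in an entry that points a name at a public address, which is a redirect rather than a block. The following Go program is an added example (not code from the thread, from Mr. Day's column, or from any of the list projects mentioned) that merges several hosts-format lists, refuses anything that is not a genuine block entry, and looks names up the way the resolver would. The two sample lists are constructed for the example; the .test domain and the 192.0.2.0/24 range are reserved and stand in for real names and addresses.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// Two constructed hosts-format lists (not real blocklists). List B overlaps
// list A and contains three lines a merger must refuse: an unparsable
// address, an entry that would REDIRECT a name to a public address instead
// of blocking it, and a hostname with an invalid label.
var sampleLists = []string{
	`# list A (ad/tracker style)
127.0.0.1 ads.example.test
127.0.0.1 tracker.example.test   # inline comment
0.0.0.0   cdn-ads.example.test analytics.example.test`,
	`# list B (malware style)
0.0.0.0 tracker.example.test
0.0.0.0 c2.example.test
not_an_ip bogus.example.test
192.0.2.10 redirect.example.test
0.0.0.0 -bad.example.test`,
}

// Sinkhole is the address every merged entry is rewritten to, so the output
// carries one convention regardless of what each source list used.
const Sinkhole = "0.0.0.0"

// RFC 1123 style hostname: labels of letters, digits and inner hyphens.
var hostnameRe = regexp.MustCompile(
	`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$`)

// ParseHostsList returns the hostnames a list maps to a loopback or
// unspecified address, i.e. genuine block entries. Anything else is skipped
// and counted so the caller can see how much of a list it distrusted.
func ParseHostsList(text string) (names []string, skipped int) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip comments, inline ones included
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue // blank, comment-only, or address with no names
		}
		ip := net.ParseIP(fields[0])
		if ip == nil || !(ip.IsLoopback() || ip.IsUnspecified()) {
			skipped++ // malformed address, or a redirect rather than a block
			continue
		}
		for _, h := range fields[1:] { // hosts(5) allows several names per line
			h = strings.ToLower(h)
			if !hostnameRe.MatchString(h) {
				skipped++
				continue
			}
			names = append(names, h)
		}
	}
	return names, skipped
}

// Merge unions several lists into one sorted, deduplicated name set.
func Merge(lists ...string) (names []string, skipped int) {
	seen := map[string]bool{}
	for _, l := range lists {
		ns, s := ParseHostsList(l)
		skipped += s
		for _, n := range ns {
			seen[n] = true
		}
	}
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names, skipped
}

// Render writes the merged set back out in hosts(5) format.
func Render(names []string) string {
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", Sinkhole, n)
	}
	return b.String()
}

// IsBlocked mirrors the resolver behaviour the comment describes: a name
// present in the hosts file never produces a DNS query. Like DNS, the
// comparison is case-insensitive and ignores a trailing dot.
func IsBlocked(names []string, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	i := sort.SearchStrings(names, host)
	return i < len(names) && names[i] == host
}

func main() {
	names, skipped := Merge(sampleLists...)
	fmt.Printf("# merged %d names, skipped %d entries\n", len(names), skipped)
	fmt.Print(Render(names))
	fmt.Println(IsBlocked(names, "Tracker.Example.Test"), IsBlocked(names, "redirect.example.test"))
}
```

Run it and the merged file has five entries under a single sinkhole address, with the duplicate tracker entry collapsed and the three bad lines in list B reported rather than silently imported. The redirect line is the one to notice: a hosts entry that points a name at a routable address is exactly the "redirect attack" the comment is worried about, only delivered by the list instead of by the DNS server, so a merger should never copy such entries through.
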
Re:Peer-to-peer (1)

tehcyder (746570) | more than 3 years ago | (#34473484)

The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets. It's like watching some nature show where they sit passively while the huge coyote mauls the little pet. At some point you would think that they would try to do something.

Why? It then stops being a nature show, and turns into Bambi.

Re:Peer-to-peer (2)

blair1q (305137) | more than 3 years ago | (#34467756)

Decentralized control makes it easier to hijack the whole thing.

Re:Peer-to-peer (1)

complete loony (663508) | more than 3 years ago | (#34468682)

Not necessarily. With properly implemented public/private crypto you can make it basically impossible to hijack. It might still be possible to disrupt it though.

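The exchange above (decentralised control is easier to hijack vs. properly implemented public-key crypto makes hijacking impossible but disruption still possible) comes down to one check every peer has to make. The Go program below is an added example, not code from the thread or from any botnet, of the signed control channel complete loony describes; the same pattern protects any decentralised control system, signed software updates included. It assumes Ed25519 signatures and a monotonically increasing sequence number, both choices of this example, and runs three cases: a genuine command, a command signed with someone else's key (the hijack attempt), and a captured genuine command sent a second time (replay).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a control message as a peer would relay it. Only the holder of
// the operator's private key can produce a valid Sig; every other peer can
// relay but cannot forge. Seq is a counter so a captured genuine message
// cannot be replayed later.
type Command struct {
	Seq     uint64
	Payload []byte
	Sig     []byte
}

// encode fixes the exact bytes that are signed: sequence number first, so
// the counter is covered by the signature and cannot be edited in transit.
func encode(seq uint64, payload []byte) []byte {
	buf := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(buf, seq)
	copy(buf[8:], payload)
	return buf
}

// Sign is what the key holder runs.
func Sign(priv ed25519.PrivateKey, seq uint64, payload []byte) Command {
	return Command{Seq: seq, Payload: payload, Sig: ed25519.Sign(priv, encode(seq, payload))}
}

// Node is a peer holding only the trusted public key and the last sequence
// number it accepted. No secret is stored on the node, so capturing one
// peer yields nothing that lets an attacker speak to the others.
type Node struct {
	Trusted ed25519.PublicKey
	LastSeq uint64
}

var (
	ErrBadSig = errors.New("signature does not verify against trusted key")
	ErrReplay = errors.New("sequence number not newer than last accepted")
)

// Accept applies the two checks a peer must make before acting on or
// relaying a command. A message from anyone but the key holder fails the
// first; an old but genuine message fails the second.
func (n *Node) Accept(c Command) error {
	if !ed25519.Verify(n.Trusted, encode(c.Seq, c.Payload), c.Sig) {
		return ErrBadSig
	}
	if c.Seq <= n.LastSeq {
		return ErrReplay
	}
	n.LastSeq = c.Seq
	return nil
}

// Scenario returns the outcome of the three cases the thread discusses so
// they can be checked: genuine command, hijack attempt, replay.
func Scenario() (genuine, hijack, replay error) {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a would-be hijacker's key

	node := &Node{Trusted: opPub}

	cmd := Sign(opPriv, 1, []byte("refresh-peers"))
	genuine = node.Accept(cmd)

	forged := Sign(otherPriv, 2, []byte("refresh-peers"))
	hijack = node.Accept(forged) // valid signature, wrong key

	replay = node.Accept(cmd) // genuine bytes, already seen
	return
}

func main() {
	g, h, r := Scenario()
	fmt.Println("genuine:", g)
	fmt.Println("hijack: ", h)
	fmt.Println("replay: ", r)
}
```

The genuine command is accepted, the forged one fails verification however well-formed it is, and the replayed one is rejected by the counter. What the code also makes visible is the "disrupt" half of the comment: Accept still spends a signature verification on every forged message it receives, and nothing here stops a peer from being flooded with them or cut off from the peers that relay genuine ones, which is why authentication closes the hijack problem without closing the disruption one.
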
[OTSO] Reminds me of.. (0)

Anonymous Coward | more than 3 years ago | (#34467690)

"Watchers of the Dark" by Lloyd Biggle Jr.

An excellent sci-fi detective story. "Sinister, invisible forces of a secret mental weapon known only as The Dark are threatening the entire Primores galaxy, several transmitting leaps away from Earth. By the time a bizarre Mr. Smith comes to detective Jan Darzek's New York office, whole planets have been lain waste. Darzek is offered a million dollars by Smith to accept a job that will almost certainly be fatal: identify the incredible power that is about to overwhelm the few remaining planets in the beleaguered galaxy, so that these worlds might somehow halt the rampage."

The Darkness (botnet) (1)

Anonymous Coward | more than 3 years ago | (#34467848)

*(obligatory band reference joke)*

Anyone caught operating The Darkness botnet is surely riding a one-way ticket to Hell (and back).

Just some Mountain Dew, Cheetos, and... (2)

Captain Spam (66120) | more than 3 years ago | (#34468058)

Researchers Tracking Emerging 'Darkness' Botnet

Pssht, easy. Just cast magic missile at it. That's a proven method of attacking the darkness.

Why don't... (1)

vrythmax (1555425) | more than 3 years ago | (#34468224)

we just write a counter virus, since the botnets can only exist on wide open systems. Infection vectors should be easy. It'd be funny to see a botnet infected.

Re:Why don't... (0)

Anonymous Coward | more than 3 years ago | (#34468454)

This happens all the time, a bunch of bots actually remove their "competitors" from systems already infected with another bot.

Does not compute... (0)

Anonymous Coward | more than 3 years ago | (#34469556)

if someone is savvy enough to write (or even use) such a piece of code, why DOS attacks? Unless, of course, that someone works for a government agency and wants to limit... say, something like the wikileaks server. I mean, if they are that smart, why not hack into, say, a couple million online bank accounts and just draw out $.25 per month from each one. That'd net you a cool 6 mil smackers per year.
I mean, what's the point?

Re:Does not compute... (1)

dropadrop (1057046) | more than 3 years ago | (#34472082)

if someone is savvy enough to write (or even use) such a piece of code, why DOS attacks? Unless, of course, that someone works for a government agency and wants to limit... say, something like the wikileaks server. I mean, if they are that smart, why not hack into, say, a couple million online bank accounts and just draw out $.25 per month from each one. That'd net you a cool 6 mil smackers per year. I mean, what's the point?

I think generally the point is to make money. If they have customers prepared to pay for the attacks, then it's worth it for them. Looking at articles regarding the botnet, it seems they will make about $50 for 24h of attacks. From their price list I would guess that's for about 30 attacking hosts... I don't think the people behind the attacks really care why somebody is paying them to do it.

I will never get how this is still a problem (0)

Anonymous Coward | more than 3 years ago | (#34470116)

FTA : AS49089 is a small provider that only seems to be announcing the /24 netblock 91.212.124.0/24

Why don't Level 1 carriers simply start discarding ANYTHING coming or going to that netblock ? If anything legitimate is running there, they will get so pissed it will force the host to clean his network.

ISPs could also disconnect any host they determine is a bot...

Am I oversimplifying things or is there a lack of goodwill somewhere ?

Re:I will never get how this is still a problem (1)

RMH101 (636144) | more than 3 years ago | (#34471050)

Blacklisting blocks of increasing size if the host doesn't fix spammers is how SPEWS/SORBS etc. spam blocklists work. You'd be amazed how many people don't get this, and think that the blocklist cabals are the devil.

Get off my lawn! (1)

MistabewM (17044) | more than 3 years ago | (#34474362)

I wish I could go back in time and slap myself for being involved in some of these projects in my youth. We just used them to flood other people off irc though, and I don't think I know anyone that actually wrote vx to spread the net. It's sad when your children grow up to be assholes.
