
Kelihos Botnet Comes Back To Life

samzenpus posted more than 2 years ago | from the always-put-one-in-the-brain dept.


angry tapir writes "A botnet that was crippled by Microsoft and Kaspersky Lab last September is spamming once again and experts have no recourse to stop it. The Kelihos botnet only infected 45,000 or so computers but managed to send out nearly 4 billion spam messages a day, promoting, among other things, pornography, illegal pharmaceuticals and stock scams. But it was temporarily corralled last September after researchers used various technical means to get the 45,000 or so infected computers to communicate with a "sinkhole," or a computer they controlled."


97 comments


Expected (5, Informative)

icebike (68054) | more than 2 years ago | (#38909847)

Researchers knew that it would only be a matter of time before its controller used the botnet's complex infrastructure of proxy servers and communication nodes to regain control.

The linked story says they fully expected this, and that the method they used (sink-holing) was never expected to be a permanent solution. One has only to hope that stating they have no "recourse" is merely baffle-gab to embolden the controllers. It might also mean "let's make believe we haven't compromised some of the bots and planted a few of our own".

They also suggest that the suspected Russian controller couldn't be extradited, but conveniently neglect to mention that Kaspersky Lab is a Russian company that could influence internal Russian enforcement actions.

Kaspersky Lab Expert Maria Garnaeva posts in her blog some of the differences between the new and old control mechanisms: http://www.securelist.com/en/blog/655/Kelihos_Hlux_botnet_returns_with_new_techniques [securelist.com]
She also mentions it is not as bleak as the original article, because:

It is still possible to neutralize the botnet with sinkholing but using slightly different techniques as was used before, and it is still possible to push an update tool on infected machines to neutralize the botnet. In this case the botmasters need to infect machines again to build another botnet.

Re:Expected (0)

Anonymous Coward | more than 2 years ago | (#38910125)

Which OS do all these botnets run on?

Re:Expected (5, Funny)

EdIII (1114411) | more than 2 years ago | (#38910181)

Which OS do all these botnets run on?

Silly question.

Windows. Obviously.

Macs are immune to all attacks and viruses and Linux just does not have the market share to be a target of interest. All regulars here on Slashdot know this. You must be new here.

Re:Expected (2)

Shavano (2541114) | more than 2 years ago | (#38910901)

Macs aren't immune. Getting users to install malware is easy, but why bother. Windows is easier and more wisely deployed.

Re:Expected (4, Funny)

yog (19073) | more than 2 years ago | (#38910923)

Macs aren't immune. Getting users to install malware is easy, but why bother. Windows is easier and more wisely deployed.

You mean, less wisely?

Re:Expected (1)

Shavano (2541114) | more than 2 years ago | (#38927529)

That's a typo. I meant to type "widely". The distance between the virtual keys on my phone is about a third the width of my finger.

A contextual spellchecker would flag the words "Windows wisely" as a probable typo.

Re:Expected (-1)

Anonymous Coward | more than 2 years ago | (#38911981)

>Macs are immune to all attacks and viruses and Linux just does not have the market share to be a target of interest. All regulars here on Slashdot know this. You must be new here.

I do believe you have that backwards. Linux systems have a very different and very secure structure which makes them near immune to these attacks. Macs on the other hand, though a branch off Unix, are still susceptible to these scripts and such, but the market share for Macs is too small for anyone to care. I hope you enjoy your walled garden, Appledrone.

Re:Expected (0)

Anonymous Coward | more than 2 years ago | (#38913151)

*whooosh*

Re:Expected (-1)

Anonymous Coward | more than 2 years ago | (#38912675)

Macs aren't immune...

Re:Expected (5, Insightful)

Lotana (842533) | more than 2 years ago | (#38911007)

No OS is immune to the dancing pig problem [wikipedia.org] .

Re:Expected (1)

Sulphur (1548251) | more than 2 years ago | (#38911305)

No OS is immune to the dancing pig problem [wikipedia.org] .

The porcine polka?

Re:Expected (1)

queBurro (1499731) | more than 2 years ago | (#38912999)

the sow salsa? the boar bachata?

Re:Expected (1)

queBurro (1499731) | more than 2 years ago | (#38913005)

the trotter tango?

Re:Expected (1)

jamiesan (715069) | more than 2 years ago | (#38914851)

The Hambada?

Who do you trust? (1)

anubi (640541) | more than 2 years ago | (#38911733)

You hit the nail on the head there, Lotana.

Thanks for the link. I knew user ignorance is the primary vector for malware spreads, but I did not know what to call it.

Corporations/Governments seem to love to keep underlings ignorant so they can be controlled - Knowledge is Power.

Ignorance of digital hygiene on the internet is just as risky as ignorance of bacterial hygiene in the kitchen.

A big problem is a few people profit immensely from privileged information. They will lobby like hell to keep it that way.

There was once a time I knew exactly how my machine worked, but with the advent of all sorts of proprietary protocols and formats, I have no idea of what is and is not legitimate traffic on my machine.

Can I trust even an antivirus company?

The Kelihos botnet that sent up to 3.8 billion spam e-mails per day before being taken offline by Microsoft and Kaspersky Lab four months ago was created and controlled by a software developer who formerly worked for an antivirus firm, Microsoft said in a civil lawsuit updated yesterday. [arstechnica.com]

I can't tell you how many times I have had rogue scripts pop up on my system, warning me I was infected and needed to "click here" to fix it - for free.

I absolutely hate this circus certain "businessmen" have foisted on us by "working with" other trusted businesses to use proprietary technologies which I cannot verify whether or not they have other motives. The simplest apps now require megabytes of code and use tunneling protocols. It's now illegal to even discuss who is using what and how to see into what it is doing. How do I know if they are honest?

As far as I am concerned, these botnets are the internet equivalent of typhoid Mary [about.com] .

Re:Expected (4, Funny)

93 Escort Wagon (326346) | more than 2 years ago | (#38912489)

Darn, I was hoping your link led to a page with dancing pigs on it!

Re:Expected (0)

mihajul (1650525) | more than 2 years ago | (#38912609)

Accidentally modded parent troll. This will fix that.

Re:Expected (1)

Sparx139 (1460489) | more than 2 years ago | (#38912919)

If you're running Firefox or Chrome (or any browser that allows greasemonkey scripts), you can install the moderatrix [userscripts.org] script to add a confirm button to Slashdot. It's saved me many a time

Re:Expected (1)

mynicknamewasused (962741) | more than 2 years ago | (#38913435)

http://www.youtube.com/watch?v=23keslsTQR4 [youtube.com] there you got

Re:Expected (1)

Boscrossos (997520) | more than 2 years ago | (#38914231)

Okay, I admit it. I clicked it. So what did I win/infect my pc with?

Re:Expected (4, Insightful)

korgitser (1809018) | more than 2 years ago | (#38910561)

Kaspersky Lab is a Russian company that could influence internal Russian enforcement actions.

You must be new to the eastern hemisphere. In the sovereign democracy of Russia, the enforcement influences companies, not the other way around.

Re:Expected (1)

Sarten-X (1102295) | more than 2 years ago | (#38914243)

There's labor unions there, too?

Re:Expected (1)

Shavano (2541114) | more than 2 years ago | (#38910879)

Have they considered following the money trail and targeting the operators and clients for arrest or assassination?

Re:Expected (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38911037)

Simpler option: Temporarily direct the botnet to a sinkhole not to take it down, but to add movie download/seeder functionality to it. Then sit back and watch the **AAs take it down piece by piece.

Re:Expected (1)

c0mpliant (1516433) | more than 2 years ago | (#38912897)

Ah the classic US foreign policy. If we can't arrest them, kill them, legally or otherwise...

Re:Expected (1)

Shavano (2541114) | more than 2 years ago | (#38927803)

Obviously, the assassination comment was in jest. The arrest possibility is serious. These operators and the people who pay them are a criminal enterprise. Law enforcement could shut them down if they wanted to. The botnet would still be there if anybody wanted to use it. So you wait for it to go active again and round up the next batch of perps.

You still have to deal with non-cooperating jurisdictions. But users could use fairly simple means to block spam from them because they have identifiable ranges of IPs.

There's no perfect solution. But law enforcement can help.

Re:Expected (2)

BosstonesOwn (794949) | more than 2 years ago | (#38910977)

Why not just turn on Windows auto update, fix whatever may be stopping auto update from running, and plant the removal tool on Windows Update? If done via the botnet's control servers, who can really tell who did it?

Just asking this, but Kaspersky is Russian and there's no extradition, right? They can kick it off with barely any worries.

Heroes (3)

Lotana (842533) | more than 2 years ago | (#38910987)

Security researchers really are the unsung heroes.

If there is anyone reading Slashdot who works in that area: I would like to express my deepest gratitude for all the efforts you go through in combatting this global problem. Thank you so much for making the web a less shit place to be.

Workable solution? (4, Insightful)

Runaway1956 (1322357) | more than 2 years ago | (#38911729)

Half the business world seems to believe that it is acceptable to mail my ISP, and have me disconnected from the internet if I download a couple of songs, movies, or whatever. Three strikes, and you're out.

So - why isn't anyone clamoring to have these machines disconnected by the ISPs? If they had all those machines communicating with a sinkhole for months, then surely they have identified real IP addresses for most, if not all of them.

We have the ability to unplug people and computers from the internet. Why do we only want to use that ability to punish small time downloaders?

Re:Workable solution? (0)

Anonymous Coward | more than 2 years ago | (#38916767)

Because there's no money to be made by disconnecting those machines

Re:Workable solution? (0)

Anonymous Coward | more than 2 years ago | (#38922921)

I see you can't tell the difference between downloading and uploading. Although I suspect your ignorance is willful.

Re:Expected (2)

hairyfeet (841228) | more than 2 years ago | (#38912973)

Didn't a family member of one of the Kaspersky Lab head honchos get snatched by the Russian mob? Frankly they may be afraid to push for enforcement as you say, afraid they will find a loved one in a ditch. There is a good reason why Eastern EU is used so much by malware guys, it's because there is still a lot of pretty wild west lawlessness there where you can get by with pretty much anything as long as you have the cash. I can't blame the Kaspersky Lab guys for not getting too nasty with someone that close to their homes. The creator of the botnet also formerly worked at an AV firm [arstechnica.com] which obviously gave him good general knowledge on how to get around AV scanners.

And let me just say before we get the usual "Herp Derp use Linux" karma whoring that 1.- the number one source of infections since Vista has been the USER who bypasses the security for the malware, and 2.- Linux [secunia.com] is not [secunia.com] immune [secunia.com] to vulnerabilities. Hell even Kernel.org [slashdot.org] and MySQL [slashdot.org] have been pwned before.

In the end it simply comes down to the fact that criminals are lazy, hell if they weren't they'd be working honest jobs. With over half a billion Windows machines if you even get 1% you've just made yourself a huge payday whereas with Linux you'd have to hit a much bigger percentage to get the same payout. But as we saw with both OSX and MacDefender, and Android, which is of course Linux based, and all the bugs it's got, if you get enough numbers you'll get pwned like everybody else. Operating systems nowadays are some of the most complicated pieces of code on the planet PERIOD. Hell I doubt even Linus Torvalds could tell you with 100% certainty what even a tenth of the code on your average distro is actually calling when you launch, so the odds of ANY OS being immune to these kinds of attacks are frankly laughable. Sure you CAN make one damned near immune, by using SELinux or GPOs, but the resulting system will be painful to use and nobody will want to run it.

Re:Expected (1)

Runaway1956 (1322357) | more than 2 years ago | (#38915621)

I'll just say, that I hate hearing that Android is "linux based". The wife's computer has nothing that didn't come from a trusted repository. The two worst things on her computer are Java and Flash - and only one of those came from a proprietary vendor. That is "Linux".

My own computer has a lot more proprietary stuff on it than hers does. I play with VMWare, I've diddled with some game emulators, and I experiment with stuff now and then, just to see what it does. Even so, there is nothing on my machine that can gain root access, that I haven't researched pretty thoroughly before downloading and installing.

Android? I think that it is safe to say that each and every version in use is "proprietary", and the source code is obscured in some way or another. The guy who owns the phone is NOT ROOT. Worse, the Android marketplace has invited totally unknown people to "develop" for Android, then failed to properly police their marketplace.

Yeah, any Unix-like has vulnerabilities. In the hands of an idiot, the most secure Unix-like installation in the world can and will be compromised. But, I'll still put my faith in most of the distros' trusted repositories. If something strange happens, the news hits the web pretty quickly, and I can inspect the source code for every package on my machine, and compile them for myself if I like.

Hell, those Gentoo nuts do it routinely, just for fun!

Re:Expected (1)

hairyfeet (841228) | more than 2 years ago | (#38916789)

Trusted repos like the one that was serving a malware ridden Quake 3 for over a year? THOSE repos? Or how about this pwnage [theregister.co.uk], or how MySQL was serving malware [slashdot.org], how about that? Being open doesn't give you any magical protection friend, you can be pwned just as easily, hell I'd be amazed if even 10% of the code in your distro has been looked at by any eyes other than the ones that actually wrote the code. Quick, can you tell me what calls the Synaptic package manager is using? Hell look at how much dead cruft was just sitting in OO.o and that is one of the if not THE most popular programs in Linux distros! If that one was a creaky mess just waiting for pwnage what makes you think anything else in the stack is in better shape? The simple fact is malware writers are criminals and criminals are lazy. If Linux ever gains closer to 10% as Apple did you'll be serving malware before you can say RMS friend, count on it. It's just right now you have security through obscurity, same as I don't see any OS/2 viruses showing up on Secunia.

During a raid; are the peers involved? (1)

Anonymous Coward | more than 2 years ago | (#38909867)

The common answer is no. When they roll up a botnet they usually pick up the suspects which have been using this botnet, but all the peers are usually (if not most often) left alone.

Not surprising considering the kind of peers, but doesn't that aspect alone make scenarios like these plain out obvious? It's only a matter of time before another "botmaster" picks up where the previous owner was cut off.

It's a zombie botnet (1)

shikitohno (2559719) | more than 2 years ago | (#38909901)

so clearly, all we need to do is find the head and shoot it.

Re:It's a zombie botnet (1)

TWX (665546) | more than 2 years ago | (#38909937)

Already been done. Another head finds the body. Didn't you even read the summary?

Re:It's a zombie botnet (1)

shikitohno (2559719) | more than 2 years ago | (#38909953)

I did, and they only got the limbs the first time. They managed to slow things down a bit, but the head got smarter about how it went about its business, grabbed a new body, and kept on going.

aren't there some structural ways to curtail this? (3, Insightful)

TWX (665546) | more than 2 years ago | (#38909979)

I assume that the zombie-workstations send out e-mail via SMTP. Why not require real mail servers to comply with DNS to have an MX record for the domain or IP, and to then have SMTP servers for a given network or internet service provider throttle the number of e-mail per unit of time and to limit the number of recipients to human real-world numbers?

That would prevent a non-MX mail server from being able to send mail since other mail servers would reject it based on DNS, and would prevent zombie botnets from using the SMTP servers of the service provider that the computer is connected to in order to spam through.

It wouldn't eliminate spam, but it might serve well to reduce it significantly. Yes, it would require some more programming in the SMTP daemon, but it shouldn't jack with the protocol.

Re:aren't there some structural ways to curtail th (1)

Anonymous Coward | more than 2 years ago | (#38910077)

because MX implies location for reception, not necessarily for sending. get any kind of serious mail volume and you'll very quickly decide to separate your outbound SMTP from your inbound SMTP.

Re:aren't there some structural ways to curtail th (0)

Anonymous Coward | more than 2 years ago | (#38910151)

Then maintain separate MX records for inbound and outbound SMTP. Any legitimate business should have no trouble getting a second record. And this is not preventing unregistered SMTP from sending mail. Just throttling.

Re:aren't there some structural ways to curtail th (3, Interesting)

mortonda (5175) | more than 2 years ago | (#38910619)

MX record is inbound only. period.

However, ISPs could block outbound port 25 unless using their servers (such as my cable company) and/or make arrangements for a particular IP range to be outgoing mail servers. That starts to make sending servers a little more accountable.

If you need to send mail direct to a server outside this network, use ssl and submission port, not port 25.

Re:aren't there some structural ways to curtail th (0)

Anonymous Coward | more than 2 years ago | (#38910099)

The problem is eMail and its technical basis are seriously flawed from the very beginning. Invented in the 70s, spam and other malevolent uses of eMail were not considered as it was invented for use in a scientific setting and intended for proper scientists at universities to exchange messages. SMTP = SIMPLE mail transport protocol.

What we would need is eMail 2.0.
A seriously beefed up system, redesigned from the ground up.
Problem is: eMail 1.0 and its infrastructure of POP3/SMTP servers is so deeply embedded, you would need to update and change ALL operating systems, ALL eMail clients, ALL script engines (PHP, PERL, etc) used to send eMail from webpages, ALL eMail servers, etc. That's one heck of a challenge. Good luck.

Re:aren't there some structural ways to curtail th (2)

garyebickford (222422) | more than 2 years ago | (#38910155)

Other problem is: How to do that without essentially eliminating all illusions of privacy.

Re:aren't there some structural ways to curtail th (1)

Grishnakh (216268) | more than 2 years ago | (#38911187)

That actually doesn't sound quite that hard. Changing PHP and Perl would be easy; the maintainers of those languages would simply change their implementations to use email 2.0. As soon as web hosts upgrade, they'd be using the new version, and web hosts usually stay fairly current on scripting languages because customers demand it (newer versions, particularly with PHP, mean more built-in functions and easier coding).

With email servers, again there's not that many pieces of software out there that are really popular, maybe a dozen or so. In the Linux world at least, they just need to get sendmail and postfix to switch to email2.0, then get the distros to push it out to everyone as a "security update" (instead of making them wait for the next distro upgrade, as many times people don't upgrade their distros for a long time if ever), and it's done.

Same for email clients; there's just not that many in widespread use. Changing Outlook would get most desktop users right away, then after that probably Thunderbird. Surely Gmail, Hotmail, and Yahoo could change fairly quickly, affecting the bulk of email users.

The big problem I see is all the people using their crappy ISP's crappy webmail client. But even these are largely a limited group of applications, such as SquirrelMail, so once those get changed, the ISPs would just need to change.

If it was all done with a 1-year transition period, it'd be feasible to get most people and companies switched over I think, and the leftovers would be forced to switch at the end of the transition period or just not use email any more.

Re:aren't there some structural ways to curtail th (0)

Anonymous Coward | more than 2 years ago | (#38913953)

I know! I know!

Let's make email that supports Javascript!

Re:aren't there some structural ways to curtail th (4, Interesting)

nman64 (912054) | more than 2 years ago | (#38910243)

There are plenty of rules that could be set up to prevent rogue systems from sending spam, but the problem is with getting network operators and individual server administrators on board. Trying to get all network operators (or ISPs) around the world doing something is like herding cats. Trying to get all individual server administrators to do something is like herding millions of catnip-infused cats.

Your thought about MX records is not quite right. There is a difference between servers that receive mail (which should be pointed to by MX records) and servers that send mail (which should have valid PTR records in reverse DNS for their IP). While a single server may perform both duties, that is not by any means guaranteed. One action that would block a large number of infected systems from delivering their spam would be receiving mail servers blocking all mail from senders that do not have a valid RDNS record. This is the correct version of your proposal, and some major providers already do this. An even greater benefit could be achieved if all ISPs were to block outbound traffic headed for TCP port 25 by default, requiring subscribers to "opt-in" to initiate port 25 traffic. Some ISPs already do this, but far too many do not. Yet another good measure would be for recipients to block mail from servers that fail to identify themselves with a valid fully-qualified domain name in their HELO message and require that domain to resolve by DNS. Like the RDNS solution, this would require all legitimate mail server operators to set their sending servers up properly. As more receiving operators start blocking non-compliant mail servers, we may slowly push more sending server operators to do things right, but it is a long, slow process when users demand that every legitimate message get through.
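One way to implement the receiving-side checks described in this post (a valid reverse DNS record for the connecting IP, and a HELO name that is a resolvable fully-qualified domain name), as an added example that is not part of the post: a small Python policy function over a constructed DNS table that stands in for live lookups so it runs offline. All addresses are RFC 5737 documentation ranges and all names are example.* placeholders, none of them from the thread.

```python
import ipaddress

# Constructed DNS snapshot used instead of live lookups so the example runs offline.
# Added example; addresses are RFC 5737 documentation ranges, names are example.*
DNS = {
    # reverse (PTR) records, keyed by IP address
    "PTR": {
        "192.0.2.10": "mail.example.com",
        "198.51.100.7": "c-198-51-100-7.dyn.example.net",
        # 203.0.113.5 deliberately has no PTR record
    },
    # forward (A) records, keyed by hostname
    "A": {
        "mail.example.com": "192.0.2.10",
        "c-198-51-100-7.dyn.example.net": "198.51.100.7",
        "relay.example.org": "203.0.113.9",
    },
}


def lookup_ptr(ip):
    """Reverse lookup: IP -> hostname, or None when no PTR exists."""
    return DNS["PTR"].get(str(ipaddress.ip_address(ip)))


def lookup_a(name):
    """Forward lookup: hostname -> IP string, or None when the name does not resolve."""
    return DNS["A"].get(name.rstrip(".").lower())


def is_fqdn(name):
    """A HELO name must have at least two labels of letters, digits or hyphens;
    bare hostnames, address literals like [192.0.2.10] and junk all fail."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(label and label.replace("-", "").isalnum() for label in labels)


def evaluate_connection(ip, helo):
    """Apply the receiving-side checks to one inbound SMTP session.

    Hard failures (no PTR, HELO not an FQDN, HELO that does not resolve) return
    'reject'. Softer mismatches are collected and return 'suspect' so they can
    feed a spam score instead of an outright refusal. Returns (decision, reasons).
    """
    reasons = []
    client = str(ipaddress.ip_address(ip))

    rdns = lookup_ptr(client)
    if rdns is None:
        return "reject", ["no PTR record for connecting IP"]
    if lookup_a(rdns) != client:
        # forward-confirmed reverse DNS: the PTR name should resolve back to the IP
        reasons.append("PTR name does not resolve back to the connecting IP")

    if not is_fqdn(helo):
        return "reject", reasons + ["HELO is not a fully-qualified domain name"]
    helo_ip = lookup_a(helo)
    if helo_ip is None:
        return "reject", reasons + ["HELO name does not resolve in DNS"]
    if helo_ip != client:
        reasons.append("HELO name resolves to a different address")

    return ("suspect" if reasons else "accept"), reasons
```

A compromised home PC that connects directly typically has either no PTR at all or a dynamic-pool name, while a HELO borrowed from a real mail server resolves to somebody else's address; both cases surface in the returned reasons.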

Re:aren't there some structural ways to curtail th (2)

Obfuscant (592200) | more than 2 years ago | (#38910393)

and servers that send mail (which should have valid PTR records in reverse DNS for their IP).

Since an MUA can use SMTP to send email, it is not required that there be a PTR for every sending host. It is true that there MAY be one, but it isn't a requirement. Large sites that may not publish DNS records for every internal system can likely get around any requirement from the recipient MTA by using a central mail server through which outgoing mail is sent. That server would have a PTR (and SPF) record.

That, however, seems to be an undesirable solution when it comes to an ISP serving many customers.

Re:aren't there some structural ways to curtail th (2)

nman64 (912054) | more than 2 years ago | (#38910503)

End-users should not be using SMTP to communicate directly with recipient servers, and almost none do. Nearly all ISPs provide authenticating SMTP relays for their subscribers, and end-users should be using those ISP-provided SMTP servers or some other mail provider's SMTP servers to relay their mail. If they have some legitimate reason to send mail directly (such as operating their own server), then requiring them to ask their ISP for a port 25 blocking exemption is perfectly reasonable.

Legitimate large-volume senders have already dealt with this. I haven't encountered any legitimate large-volume senders in recent history that do not have valid PTR records for all of their outbound relays.

Blocking servers without a valid RDNS record may not be part of any proper standard, but it is slowly becoming a de facto standard.

Re:aren't there some structural ways to curtail th (1)

Obfuscant (592200) | more than 2 years ago | (#38911331)

End-users should not be using SMTP to communicate directly with recipient servers, and almost none do.

"Almost none"? I believe that Outlook does. Evolution does. Pine does. The mail program on my smart phone uses SMTP to send email. I would hardly call that "almost none".

Nearly all ISPs provide authenticating SMTP relays for their subscribers,

Yes, which talk SMTP to the "end user".

Legitimate large-volume senders have already dealt with this.

They haven't already dealt with some new proposal that requires MX records for sending hosts and "human" limits on sending email.

Re:aren't there some structural ways to curtail th (1)

Anonymous Coward | more than 2 years ago | (#38911721)

SMTP consists of both a message submission part and a message transfer part. They both use the same protocol and appear extremely similar.

The way it works is, Sender connects to SMTP Server S and transfers message. SMTP Server S connects to SMTP Server R and transfers message. Recipient connects to Server R (via POP3 for example) and retrieves the message.

Nearly all ISPs provide authenticating SMTP relays (Server S in the explanation) so that the Sender never needs to communicate directly to Server R.

Re:aren't there some structural ways to curtail th (1)

nman64 (912054) | more than 2 years ago | (#38911779)

End-users should not be using SMTP to communicate directly with recipient servers, and almost none do. (Emphasis added.)

"Almost none"? I believe that Outlook does. Evolution does. Pine does. The mail program on my smart phone uses SMTP to send email. I would hardly call that "almost none".

I very much doubt your mail client is configured to send mail directly. It almost certainly has an SMTP relay configured for sending mail. Nearly all MUAs lack the option to send directly -- they require that a relay be configured.

Nearly all ISPs provide authenticating SMTP relays for their subscribers,

Yes, which talk SMTP to the "end user".

Legitimate large-volume senders have already dealt with this.

They haven't already dealt with some new proposal that requires MX records for sending hosts and "human" limits on sending email.

"This" in my statement above specifically referring to having the appropriate PTR records set up, as the context in the following (unquoted) sentence indicates. No part of my post supports any funky use of MX records or sending volume limits.

Context -- it changes things.

Re:aren't there some structural ways to curtail th (4, Informative)

Obfuscant (592200) | more than 2 years ago | (#38910327)

Why not require real mail servers to comply with DNS to have an MX record for the domain or IP,

Because there is no rule that says any destination must have an MX record associated with it. RFC 5321 lists how to determine the host a server connects to, and "no MX" is an allowed case.

and to then have SMTP servers for a given network or internet service provider throttle the number of e-mail per unit of time and to limit the number of recipients to human real-world numbers?

What is a "human real-world number"? How do you deal with mailing lists that have hundreds of recipients? One email to the list results in hundreds of emails all at the same time.

That would prevent a non-MX mail server from being able to send mail since other mail servers would reject it based on DNS,

I'm sorry, but I don't think you understand the purpose of an MX record. The MX record isn't for the SENDING server, it is so the sending server can find a defined host to which email FOR a domain is sent. In fact, if an MUA uses SMTP to send mail, then it is highly unlikely that the sending host (the user's computer) will be the address pointed to by the MX record for any domain.

Yes, it would require some more programming in the SMTP daemon, but it shouldn't jack with the protocol.

As long as you don't consider "not being able to send email at all" a problem, no, your idea won't "jack with the protocol".

The more correct means of dealing with the problem is two-fold. SPF (sender permitted|policy framework) is how a recipient server looks up the authorized hosts that might be sending it email from a domain. Greylisting is how a server typically dispatches botnet senders, since the botnet is usually not going to try resending an email after getting a 500-level error.
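The SPF lookup this post names (and that EdIII lists further down under "Certifications, DKIM, SPF"), as an added example that is not part of either post: a reduced RFC 7208 evaluator in Python that walks a domain's `v=spf1` record left to right and returns the qualifier of the first matching mechanism. It runs offline against a constructed DNS table; the domains and addresses are example.* names and RFC 5737 documentation ranges, not values from the thread.

```python
import ipaddress

# Constructed DNS snapshot so the example runs offline. Added example, not from the
# thread; addresses are RFC 5737 documentation ranges, domains are example.* names.
DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.0/28 mx include:_spf.example.net -all",
        "_spf.example.net": "v=spf1 a:relay.example.net ~all",
    },
    "MX": {"example.com": ["mx1.example.com", "mx2.example.com"]},
    "A": {
        "mx1.example.com": ["192.0.2.20"],
        "mx2.example.com": ["192.0.2.21"],
        "relay.example.net": ["198.51.100.50"],
    },
}

# A prefix qualifier on a mechanism decides the result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate whether `ip` may send mail claiming MAIL FROM `domain`.

    Returns pass, fail, softfail or neutral from the first matching mechanism;
    'none' when the domain publishes no SPF record; 'permerror' for unknown
    mechanisms or runaway include chains. Subset of RFC 7208: no redirect=, exp=,
    exists or ptr mechanisms.
    """
    if depth > 10:
        return "permerror"
    record = DNS["TXT"].get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"

    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # mixed address families never match (an IPv4 client vs an ip6: term)
            network = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == network.version and addr in network
        elif mech == "a":
            matched = str(addr) in DNS["A"].get(arg or domain, [])
        elif mech == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(str(addr) in DNS["A"].get(h, []) for h in hosts)
        elif mech == "include":
            # include: matches only if the referenced domain's policy yields pass
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"

        if matched:
            return QUALIFIERS[qualifier]
    # nothing matched and the record has no trailing "all": RFC 7208 says neutral
    return "neutral"


def smtp_disposition(result):
    """How a receiving MTA typically acts on the SPF result at MAIL FROM time."""
    if result == "fail":
        return "reject (550 5.7.1)"
    if result in ("softfail", "permerror"):
        return "accept, raise spam score"
    return "accept"
```

A bot on a residential address that forges MAIL FROM for a domain publishing `-all` ends the record at `-all` and gets rejected before any message content is transferred.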

Re:aren't there some structural ways to curtail th (0)

Anonymous Coward | more than 2 years ago | (#38916837)

Typo or mistake, you mean to say 400-level. If it's 500, no one's coming back.

Re:aren't there some structural ways to curtail th (4, Informative)

EdIII (1114411) | more than 2 years ago | (#38910441)

Jeez where do I start? You must not be that familiar with email or how it is actually run today.

First off, email is an archaic platform that gets a bunch of glue and duct tape every so often.

Why not require real mail servers to comply with DNS to have an MX record for the domain or IP, and to then have SMTP servers for a given network or internet service provider throttle the number of e-mail per unit of time and to limit the number of recipients to human real-world numbers?

You can already do this with most mail servers. You have two problems here:

1) Requirement.
2) ISP involvement.

You cannot legally compel any person operating a mail server to do anything as part of configuration. The only legal liability I am aware of is sending SPAM itself, and even then the claim that you are merely a victim usually works.

ISPs don't want to be involved on a general basis. On business connections they don't do a damn thing, because businesses would go ape shit. I would. On residential connections some have at some points in time restricted port 25 destination traffic and the TOS usually prevent operating services off the IP address anyways. That being said, it has been awhile since I have actually seen a US based ISP actually block port 25 traffic anymore.

What is done on a day-to-day basis now:

1) Inspection of the IP address communicating with the mail server. Policy based lists, which are contributed to by the ISPs, tell us if it is a residential connection (Dynamic IP address ranges). There are also other lists that allow us to see if that specific IP address is flagged for SPAM. Look at Spamhaus or Cisco's Senderbase products. If the IP address is on a list, the session can be terminated immediately or the SPAM score increased sufficiently.

2) Headers. Who is it being sent to? Who is it being sent from? You have to ignore who the email is claiming to be from in most cases since that is easily forged. Every part of the email address can be forged except the remote IP address. Sent to addresses can be on white list to get it into the Inbox regardless of SPAM heuristics. Part of what you seemed to be alluding to is the EHLO statement. You check the reverse DNS for the remote IP address and see if it matches, or even exists in the first place. You're right that most real mail servers run by professionals, and not on home networks, will have a proper reverse DNS. Shutting down the connection solely based on that is questionable though.

3) URI inspection. Parse out all the links in the email and compare them against lists of known malware host sites. Fairly effective, and I personally don't allow the email to even reach the junk mail folder when one is found. New URIs pop up very fast so this is only effective for older campaigns.

4) Certifications, DKIM, SPF. These are methods outside of the mail server communication that involve 3rd parties, certificates, and DNS records that can validate a mail server as authentic and provide policies on how to treat remote IP addresses.

5) Anti-virus and Anti-malware. Inspection of attachments.

6) Heuristics. Evaluating all of the above plus content inspection to arrive at an overall SPAM score. If it exceeds the threshold throw it in the junk mail folder.

Now that is just off the top of my head for the mail servers I run. You also alluded to gray listing which is temporarily denying an email and asking that it be resent later. This is controversial because a lot of people are waiting for an email ASAP and can't wait 15 minutes. Throttling is also not very useful because on an IP address basis the SPAM load is distributed.

There are already quite a number of tools to reduce SPAM. The biggest problem I face is backlash from executives. Requiring proper reverse DNS left out half the vendors we were communicating with right off the bat. I have had to tone down the security a number of times because the remote party has no clue what they are doing with a mail server or even how to request a reverse DNS be set up by their ISP for a static IP address they have.

That is it in a nutshell really. If everyone implemented what we have already, especially SPF, we could drastically reduce SPAM tomorrow. However, there is no real way to compel people to properly configure their mail servers and shutting them out does not work because you get screamed at to let them back in.

P.S - A mail server that was flagged by Senderbase and Spamhaus as sending out huge volumes of SPAM I had to specifically white list because we needed their emails and requiring them to fix their shit was not an option. Anytime a problem occurs it does not matter if it takes "two to tango", it's your fault.
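Two of the connection-time checks listed in this comment, the reverse DNS check on the remote IP (item 2) and SPF evaluation (item 4), as an added example that is not code from the poster or from any mail server or SPF library. All DNS data below is a constructed, in-memory table (no network is touched); the domain names and addresses in it are assumptions made for the example, and only the common SPF mechanisms (ip4, ip6, a, mx, include, all) are handled.

```python
"""Forward-confirmed reverse DNS and SPF evaluation against a constructed,
offline DNS table. Illustration only; not the code of any MTA."""
import ipaddress

# Constructed DNS data standing in for real TXT/A/MX/PTR lookups.
FAKE_DNS = {
    ("example.net", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example ~all"],
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],       # PTR matches A: good
    ("7.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],          # PTR does not resolve back
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip6:2001:db8:1::/48 a -all"],
    ("_spf.mailhost.example", "A"): ["198.51.100.5"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],   # pathological self-include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per check


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    Returns (status, name) with status 'ok', 'mismatch' or 'missing'."""
    ptrs = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not ptrs:
        return ("missing", None)
    for name in ptrs:
        if ip in lookup(name, "A"):
            return ("ok", name)
    return ("mismatch", ptrs[0])


def spf_record(domain):
    recs = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    return recs[0] if recs else None


def check_host(ip, domain, budget=None):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    budget = [MAX_LOOKUPS] if budget is None else budget  # shared across includes
    addr = ipaddress.ip_address(ip)
    rec = spf_record(domain)
    if rec is None:
        return "none"
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:  # 'in' is False across address families, so ip6 terms never match an IPv4 sender
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
            target = arg or domain
            if name == "a":
                matched = str(addr) in lookup(target, "A")
            elif name == "mx":
                matched = any(str(addr) in lookup(mx, "A") for mx in lookup(target, "MX"))
            else:
                inner = check_host(ip, target, budget)
                if inner == "permerror":
                    return "permerror"
                matched = inner == "pass"  # include matches only on an inner pass
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record ran out without an 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.25", "192.0.2.7", "198.51.100.99"):
        print(ip, fcrdns(ip), check_host(ip, "example.net"))
```

The two results are meant to feed a score rather than a hard reject, which is the point the comment makes about reverse DNS: a `mismatch` or `missing` rDNS on its own says little, while an SPF `fail` from a domain that publishes `-all` is a much stronger signal. The shared lookup budget is what keeps a self-including record like `loop.example` from recursing forever; it returns `permerror` instead.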

Re:aren't there some structural ways to curtail th (1)

mcavic (2007672) | more than 2 years ago | (#38910679)

They hit me today (or someone did) by authenticating to my mail server using a password stolen from one of my remote users. If I didn't have any remote users, it wouldn't have been possible. But at least I caught it quickly when the user reported getting lots of bounce messages.

Re:aren't there some structural ways to curtail th (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38910927)

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

commons (5, Insightful)

Tom (822) | more than 2 years ago | (#38910055)

What I don't get in the whole spam saga - and I've been following it for 15 years now - is why it is possible for law enforcement to cooperate internationally and do joint raids in several countries when it comes to fake products, unauthorized DVD presses or computer games piracy groups - but not when it comes to spam.

Ask Spamhaus - we know most of the top offenders. We know who they are and in many cases we know where they live. And law enforcement is sitting on their hands.

Because it is a small damage on many people - an attack on the commons, not on one particular company or individual. We as humans assess damages instinctively, not mathematically. And that leads to crazy results. We consider someone stealing $50k from a bank a serious criminal, but someone stealing $0.01 from 50 mio. people is a nuisance - even though the actual damage is 10 times higher.

Sadly, that's a trend not only with spam. When Mommy Jane illegally downloads a Disney movie, she is fined ridiculous amounts of money. When Disney corrupts the law to steal from the public domain by retroactively taking content back under copyright, or extending it so it enters it later (if ever), it is hard to even explain to people why that's bad.

We have lost the concept of the commons, and that is the real tragedy of the commons, not the bullshit neo-liberal bedtime story by the same name.

Re:commons (5, Interesting)

shikitohno (2559719) | more than 2 years ago | (#38910145)

It's possible simply because law enforcement, particularly where property is concerned, doesn't exist to protect the common man. Law enforcement and property law exist to protect the rich from the common folk. Protecting your average joe is outside the scope of their purpose, so they won't bother to do it. Now if you could write a spam bot that exclusively targeted Disney or the UMG and their employees, and caused those groups to lose even the slightest amount of money, I wouldn't be surprised to see some overkill operation taken by the police to find out who was behind it. Then they'd wind up looking at serious jail time and fines, for the crime of having picked the wrong victim.

Re:commons (1)

EdIII (1114411) | more than 2 years ago | (#38910501)

That would not even be prosecuted under SPAM. It would be considered a DDOS and most likely part of a terrorist act. Since there are campaign contributions involved... you would see several three-letter-agencies involved and a predator drone sent to the remote site or some CIA asset in the area ready to "fake a heart attack" at a coffee shop.

Re:commons (1)

Sulphur (1548251) | more than 2 years ago | (#38911469)

It's possible simply because law enforcement, particularly where property is concerned, doesn't exist to protect the common man. Law enforcement and property law exist to protect the rich from the common folk. Protecting your average joe is outside the scope of their purpose, so they won't bother to do it.

It costs money to enforce the law. If they operate like a wolf chasing a mouse, then they risk budget cuts and firings.

Re:commons (2)

Obfuscant (592200) | more than 2 years ago | (#38910415)

Ask Spamhaus - we know most of the top offenders. We know who they are and in many cases we know where they live. And law enforcement is sitting on their hands.

What do you want them to enforce? Spam laws vary from laughable (CAN-SPAM act) to nonexistent. Do you want US marshals breaking down the doors of a Moscow apartment to enforce CAN-SPAM?

Re:commons (0)

Anonymous Coward | more than 2 years ago | (#38910495)

The only way LE will care about spam is if it can be linked to funding terrorism. If al-Qaeda ever starts selling penis enlargement products and advertises them via spam, you can bet botnets will get taken down pronto.

Re:commons (1)

EdIII (1114411) | more than 2 years ago | (#38910609)

In all seriousness if you threw 100 people in jail tomorrow, SPAM would take a small hit then climb back up to regular volumes. What is needed is going after the people paying for SPAM. That is possible some of the time. I agree with your sentiment.

However, what I find surprising after following it as long as you have is why, why, why have we not made a concerted effort as a group to fundamentally change the way email works? Where is the IPv6 analog for email?

Do you know how ridiculous it is that executives continue to scream about how difficult it is to send 40 meg attachments through email when every single part of that transaction is exquisitely unsuited to doing so? There is a reason why they call it Base 64 encoding and not Base 64 compression.

Changing email to allow the transmission of binary attachments to accompany would be a step forward instantly. That would just be one of a hundred different things I could think to do off the top of my head.

SPF, reverse DNS, and DKIM are already set up to be incredibly effective if every major provider and business just got on board and excluded everyone else. That is the real problem. To solve SPAM we need to undergo some growing pains and nobody wants to do that.

I have ideas, but I am not enough of a hard core coder to create a hybrid email 2.0 engine that is platform agnostic and still allows legacy connections till we can kill it. Where is Google in this? The number of Beta projects that they come up with and kill is astounding. You would figure that they could just throw a department of 100 people together with a budget and knock out an Open Source email 2.0 platform in a year. It would be in their best interest too. Imagine being the company that stopped SPAM?

Prediction: Email will remain unchanged even 10 years after we fully deploy IPv6. Which will be devastating to email since IP addresses will be given out like *candy* and be less effective as blocking tools.

Re:commons (1)

Tom (822) | more than 2 years ago | (#38913141)

However, what I find surprising after following it as long as you have is why, why, why have we not made a concerted effort as a group to fundamentally change the way email works?

We have. But inertia is a force more powerful than any amount of good ideas put together. Just ask Microsoft - their past mistakes are their worst enemies.

The technology isn't the problem. I believe we have the solution for every single "but" from a technological POV.

The problem is that we have several billions of devices out there that speak SMTP, POP3 and IMAP and nobody wants to exclude any of them. We have thousands of programs interfacing these protocols. Millions of hacks, injections, senders and receivers. Our entire infrastructure is built on this old system.
As long as you keep the old e-mail system around for compatibility reasons, you've not gained anything but added a lot of complexity to the system at considerable cost.

Yes, I do think that the major movers could get together and could get it done. But they would have to stop thinking like a business. They would have to agree to set a deadline and stop accepting old-system e-mail on that day, no matter how much it hurts.

But that's not going to happen. What is going to happen is that we move away from e-mail. Already a lot of people I know don't use e-mail anymore. If you want to reach them, you send them a message on FB or whatever.

This will accelerate the death of e-mail. Because with less signal, the signal-to-noise ratio drops.

Botnet as the new MegaUpload? (0)

Anonymous Coward | more than 2 years ago | (#38911143)

An interesting thought occurred to me. Spam earns a pittance for the pirates -- so instead of dishing out viagra e-mails, suppose they were to turn that huge bot-net cloud into some kind of distributed Megaupload (which I understand was quite profitable). Files would be spread out across the cloud, with extensive use of duplication and parity to cope with the constant ebb-and-flux of zombie hosts.

You wouldn't be able to earn legitimate advertising dollars, but the viagra spammers would probably still pay you (plus super-users who wanted bonus bandwidth).

Re:Botnet as the new MegaUpload? (1)

Freddybear (1805256) | more than 2 years ago | (#38911257)

And with every download you get the latest malware too.

Re:Botnet as the new MegaUpload? (1)

Tom (822) | more than 2 years ago | (#38913111)

Spam earns a pittance for the pirates

There's your wrong assumption.

The top spammers have all grown rich doing it. Maybe not Megaupload rich, but in the same ballpark. We're talking houses, cars, several millions here.

Sissies (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38910113)

"We could have issued an update to those machines to clean them up, but in several countries that would be illegal," said Ram Herkanaidu, security researcher and education manager for Kaspersky Lab.

Don't be a sissy! If you have the means to clean up machines infected with a botnet client without screwing it up, do it! If some pedantic rule-thumper complains about good-faith efforts to make clueless people's spamming machines stop doing that, rat them out by name to The Internet and sit back and watch a million people demand video evidence of their head being placed on a spike.

Re:Sissies (1)

runner_one (455793) | more than 2 years ago | (#38910177)

I wish I could take every mod point I ever had and put on this one post.

Re:Sissies (4, Insightful)

garyebickford (222422) | more than 2 years ago | (#38910213)

OTOH, felony convictions can be soooo tiresome, although they do often come with free room and board. And then there's the question of whether a convicted, imprisoned felon is still liable for all the $million+ civil suits by every luser out there who thinks that your clean-up virus (which is what it is) has destroyed their porn collection. Hint - still liable.

Re:Sissies (0)

Anonymous Coward | more than 2 years ago | (#38911341)

OTOH, felony convictions can be soooo tiresome, although they do often come with free room and board. And then there's the question of whether a convicted, imprisoned felon is still liable for all the $million+ civil suits by every luser out there who thinks that your clean-up virus (which is what it is) has destroyed their porn collection. Hint - still liable.

I accept this mission. They can all have a cut of the 3 bucks in my bank account.

Re:Sissies (2)

Solandri (704621) | more than 2 years ago | (#38911055)

It's been tried before, but doesn't always work as intended. Welchia [wikipedia.org] was apparently released by a white hat to secure machines against Blaster, but its aggressive use of network scans to find other potentially vulnerable systems ended up being more of a headache than Blaster on some networks.

Re:Sissies (1)

jamesh (87723) | more than 2 years ago | (#38912811)

I don't think your idea is particularly insightful. The problem is that if the user was dumb enough to install malware in the first place, simply removing the malware won't fix things in the long term, so it's a hell of a risk to take for no long term gain. They might get a short term gain but they already got that without doing anything illegal.

Even the obvious solution of just nuking the PC's from orbit (only way to be sure!) won't solve anything. The user will just buy another PC and get it infected again.

The problem is the combination of a user stupid enough to get infected and not know it, combined with a computer that allows the user to install unsigned software. I want a computer that is completely locked down like an iPhone (eg Windows 8), with a toggle switch inside to unlock it for the rest of us. The switch wouldn't be particularly hard to find or anything, just an "i know what i'm doing" switch. I can't see any other way.

Re:Sissies (1)

Shavano (2541114) | more than 2 years ago | (#38927677)

You fail to account for the fact that the bypass switch would soon be set in the wide-open mode.

Re:Sissies (0)

Anonymous Coward | more than 2 years ago | (#38912989)

"without screwing it up" is the crucial part. Who is to say that the machine you're applying the fix to isn't already so b0rked that applying the fix will have unwanted side-effects?

Plus, any machine that has been infected should be wiped and re-installed, anyways - since you can't tell what might have happened on it since the hacker took control.

And if you scroll through the slashdot news of the last few months, you'll notice quite a few reports of infected machines that should never have had internet access to begin with, for security reasons - but still had. Now imagine trying to "fix" these remotely without having the slightest clue what else might have happened on them, what they are good for, and what could happen when they produce irregular, unreliable results or go offline completely. Combine that with a litigation-happy society and you won't find an insurance company willing to cover your lower back.

Re:Sissies (1)

biodata (1981610) | more than 2 years ago | (#38913417)

So I see that you are advocating that various governmental and commercial agencies should deliberately interfere with the software running on many people's private computers, without their knowledge, and with no recourse for any damage caused. No thanks.

too few intermediates care (3, Interesting)

Tom (822) | more than 2 years ago | (#38910135)

The reason these assholes can run all over us is that too few of those involved care. I am very happy that MS has started to care, and it's probably the only good thing they've done all century, but it really is a powerful signal.

The next people who need to start caring are the ISPs. Just recently I complained to my own ISP that they are hosting the actual website that the spam I get is advertising. They told me to use the "unsubscribe" link. Yeah, right. Living under a nice rock there, customer service idiot?

I'm all for making ISPs responsible if they knowingly host spammers. I'm for vigilante action at this point, as nothing else seems to work. Get Anonymous on the subject. Blast the ISPs who say "fuck off" when you point out that they have a spammer in their hosting center off the 'net.

We all know that there is no single, simple solution to the issue. So instead of looking for it, why not combine all the imperfect, partial solutions we have? Let MS & Co. take down the botnets. Put pressure on the CC companies to stop dealing with them. Make the banks liable and cut off the money flow. Make the ISPs care and make it harder (thus more expensive) for the spammers to find a home. Shoot some spammers. Shoot some idiots who keep them in business by buying from them. Sacrifice a goat, stick needles in a puppet and pray to your god(s). Do it all at once.

Re:too few intermediates care (1)

EdIII (1114411) | more than 2 years ago | (#38910657)

I know that I am replying to you twice here, but why go after the command and control? Most SPAM is sent from infected computers and not infected servers. To my knowledge at least.

Residential ISPs would be doing a service if they shut off a connection and routed all port 80 requests to a web page explaining to the consumer that they have been identified as belonging to a bot-net and are harming others through their continued inaction. Give them links to solutions. Allow some proxied access to Google maps to find Geek Squad or some shit. Upsell a service to come out to their home and fix the computer.

They could *make* money going out to homes and fixing the infected computers and offer computer classes to educate people on dangerous behavior. Personally, I recommend the cattle prod approach in class. "No Bobby. Don't click the link until you inspect where it goes. Remember? **ZAP**".

As for the data centers that are doing hosting you can already take pretty severe action against them if *we* all as a *group* /dev/null'd their traffic for a couple of hours. That will wake somebody up in a second.

I know. We got on a list for a short time and it made us find the cause, kill it viciously, and wait anxiously for the rest of the world to start accepting our traffic again.

Re:too few intermediates care (1)

jamesh (87723) | more than 2 years ago | (#38912827)

Residential ISPs would be doing a service if they shut off a connection and routed all port 80 requests to a web page explaining to the consumer that they have been identified as belonging to a bot-net and are harming others through their continued inaction. Give them links to solutions. Allow some proxied access to Google maps to find Geek Squad or some shit. Upsell a service to come out to their home and fix the computer.

This is already being done and is getting more widespread, and when it's done well it's great, but the last time I helped someone fix up a spambot I then called the ISP and asked to be unblocked and they completely denied they were blocking, even though it was plainly obvious that it was happening.

There are a few blacklists around for infected PCs and more and more banks are refusing to let you log in if malicious activity has been detected coming from your IP address.

Until the botnets become completely P2P with no central C&C server(s), detecting C&C traffic is easy enough that all ISPs should be doing it.

Re:too few intermediates care (1)

Tom (822) | more than 2 years ago | (#38913105)

Until the botnets become completely P2P with no central C&C server(s), detecting C&C traffic is easy enough that all ISPs should be doing it.

They will the moment enough ISPs do it that it hurts them. The concepts and technology have been around for almost a decade.

Re:too few intermediates care (1)

Tom (822) | more than 2 years ago | (#38913095)

Residential ISPs would be doing a service if they shut off a connection and routed all port 80 requests to a web page explaining to the consumer that they have been identified as belonging to a bot-net and are harming others through their continued inaction. Give them links to solutions. Allow some proxied access to Google maps to find Geek Squad or some shit. Upsell a service to come out to their home and fix the computer.

I used to work for an ISP and actually proposed exactly that solution... I don't remember, maybe 8 years ago? Must've been around that.

Technology? No problem, easy to do.

Legal is the mess. Unless you've done this from the start, it means changing contracts. I could never get it pushed through because legal and marketing resisted.

That is why I think we need to make ISPs responsible - right now, their "safe" choice is always with the spammers. Making them responsible in whatever way - legal, financial or by shooting them - would change that.

As for the data centers that are doing hosting you can already take pretty severe action against them if *we* all as a *group* /dev/null'd their traffic for a couple of hours. That will wake somebody up in a second.

They don't care. They already know that most of their crap goes straight into the filters.

But most of them pay by traffic, as they are hosted as business customers, often wholesale (so they can run their own server). Max out their line for an hour. Double the time every time they spam again.

Yes, I know... due process and all, hitting innocents. I know. The problem is that the right approach with all these things in it has been failing us for two decades.

Too many ISPs are in for it... (1)

John Bokma (834313) | more than 2 years ago | (#38911081)

They [ISP] told me to use the "unsubscribe" link.

I wish I could say that you made that up, but alas. Other pathetic replies are

  • You shouldn't publish your email address everywhere
  • What's your email address, so we can ask our customer to remove it off the list (list washing)
  • Why don't you firewall our customer

The latter ISP didn't like my bugging them too much, and in the end they firewalled my IP address in their firewall, so their customer couldn't spam me anymore.

Some ISPs just don't care. For example, I have been receiving spam for 19 9.10 2.22 8.21 9/~lightfoo/tracking&campaign=t-a-x&subid=main&var=jonxqo (ip address mangled) several times earlier this week, and last week. Reported it to ServInt via SpamCop.net (several times), direct email (several times), in their live chat, and in the end on their Facebook page. My comments on the latter they deleted, and of course I am now blocked...

Reporting spam is becoming more and more a pain in the ass. A lot of ISPs have non-working abuse@, or they seem to have an abuse@ only it's internally routed to /dev/null. When complaining with the ISP you are told to email to abuse@ (did that, 5 times already), or use their online form (with a CAPTCHA and/or other forms of major PITA). And maybe, maybe, if you're really lucky, the ISP resolves the issue within 48 hours of your tenth complaint (8 days later...)

Really, if you want spam to stop, make ISPs and hosting providers pay for mess coming out of their network. Right now it's a tough choice: dropping the spammer, or hosting it for another month. The latter makes another 20 USD and maybe people bitching about spam have given up by then...

How to neutralize the botnet? (1)

dgharmon (2564621) | more than 2 years ago | (#38910189)

"It is impossible to neutralize a botnet by taking control over the controller machines .. It is still possible to push an update tool on infected machines to neutralize the botnet" Securelist.com [securelist.com]

How to neutralize the botnet, use Ubuntu [ubuntu.com] on the desktop ...

Ubuntu? Neutralizes nothing (0)

Anonymous Coward | more than 2 years ago | (#38910379)

Why don't you recommend a bullet wound victim just shoot up heroin? Same thing. Android alone, a Linux variant, shows that once Linux obtains a large marketshare on a platform (smartphones, essentially PCs themselves) it too will be as victimized as Windows has been, and largely only due to being the most used on a given platform (because malware makers do not target 'crowds of 1' and are like pickpocket thieves - they go to where the most people are in crowded thoroughfares, to maximize the victim potential of their efforts). There is NO Linux that is any more immune to concentrated specific attacks than Windows is on PCs, or ANDROID (a Linux variant with the lion's share of the market on smartphones). You're only recommending a temporary fix, because Linux can be attacked just as easily as any other computing platform there is and ANDROID proves it.

Re:Ubuntu? Neutralizes nothing (2)

qualityassurancedept (2469696) | more than 2 years ago | (#38910751)

The whole point of the repositories is that they are managed and controlled so when you sudo apt-get or yum install something you are getting software from within a walled garden. Of course, you might get goofballs just building things from sources infected/compromised, but how many people who build from source are going to be that moronic? And how many computers could you infect by that method? The problem with Windows and Android is that software/apps are available to end users that is not in any way controlled for quality. Debian/Ubuntu and Fedora exist mostly because of the repos. Real people control those repos and control for quality.

Re:Ubuntu? Neutralizes nothing (1)

Fned (43219) | more than 2 years ago | (#38910783)

The problem with Windows and Android is that software/apps are available to end users

agreed

Plenty of other infestation vectors exist (0)

Anonymous Coward | more than 2 years ago | (#38911553)

What about email based attacks? What about maliciously scripted site attacks??

Fact is, you're overlooking a hell of a lot of possible other sources that are a LOT MORE PREVALENT FOR ATTACKING OTHERS, MOSTLY, other than app repositories even beginning to "keep end users safe".

Here's some proofs of that based on research:

http://betanews.com/2012/01/25/the-top-10-web-security-threats-you-should-avoid/ [betanews.com]

Pertinent quote/excerpt:

"The compromised website is still the most effective attack vector for hackers to install malware on your computer with 47.6 percent of all malware installs occurring in that manner, says security firm AVG. Another 10.6 percent are tricked into downloading exploit code -- many times, without their knowledge -- by clicking on links on pages to sites hosting malware... It also found that faked pharmacy sites are a popular attack method, seen in about 10.4 percent of all attacks. Fake antivirus scanners remain a popular malware injection method at 8.4 percent. "

---

* Fact is, what I noted, compromised sites, comprises 77% of malware installations - not what users download & install themselves (ala shareware/freeware sites like download.com etc./et al)...

APK

Easy fix (0)

Anonymous Coward | more than 2 years ago | (#38910433)

1. Track the botnet operators to their "C&C bunker" (LOL)
2. Storm in, guns blazing.
3. What problem?

Shut them down (2)

ryanw (131814) | more than 2 years ago | (#38910473)

Any machine being used for purposes outside of the intent of the owner should be shut down. Owners should be notified and given time to respond, but if they are unaware of the additional traffic their computer is spewing then they should be shut down until corrected.

Unfortunately service providers probably don't care, they would probably rather have the $29.99/mo customer than shut them down until it's fixed.

Re:Shut them down (2)

Slackus (598508) | more than 2 years ago | (#38910703)

And why do you think a method to shut them down won't be abused?

Re:Shut them down (0)

Anonymous Coward | more than 2 years ago | (#38910763)

xs4all will firewall and proxy people running known worms and trojans, inform them, and help them clean up the mess.

Re:Shut them down (0)

Anonymous Coward | more than 2 years ago | (#38911193)

$29.99 with an overage fee of $50 due to downloading so much** ;)

thanks again caps Go Go bandwidth lies*

*note I am having a bit o' fun. I pay $99 and $50 overage with 50% off (I am an employee); this brings me to within $10 more than the local unlimited 12MB pipeline of other ISPs in my area, but for $10 more I'll support my company. Without the 50%, F that. I do download about 1-2TB every month though soooooo yeah...

**Caps suck

Re:Shut them down (1)

evilviper (135110) | more than 2 years ago | (#38911893)

Unfortunately service providers probably don't care, they would probably rather have the $29.99/mo customer than shut them down until it's fixed.

1). Gain control of botnet.
2). Look up support@ email addresses of all major ISPs.
3). Write code to lookup a user's ISP (based on IP address, whois, traceroute, etc), and return the ISP's own email address(es).
4). Push code out to botnet. Have botnet run code.
5). Order botnet to begin spamming ISPs responsible for botnet, as hard and fast as possible.
6). Hide. There will be fallout. But ISPs will get the clue that they need to keep their subscribers under control.

Turn it over to the feds (0)

Anonymous Coward | more than 2 years ago | (#38910661)

Let them take it down; national security is at risk.
It could do a lot more than send spam.

I don't get it... (1)

Anonymous Coward | more than 2 years ago | (#38910775)

promoting, among other things, pornography, illegal pharmaceuticals and stock scam

Pornography - What's the problem with that? It's not like we don't want that, now is it?
"Illegal" pharmaceuticals - Well, the pharma industry certainly doesn't want that. After all, it could harm the sales of their harmful pharmaceuticals.
Stock scam - Huh? There are stock options that are not a scam? The whole stock market is a scam by definition.

I have no problem with calling it spam and scams. I have a problem with there being spam and scams that somehow are "excluded" and OK, like that of Eli Lilly, Monsanto, Goldman Sachs, Apple/MS, Vivendi, and their competitors.

Make Love Not Spam (0)

Anonymous Coward | more than 2 years ago | (#38912595)

How hard can it be? - The legendary DDoS'ing screen saver did the right thing IMHO.

It's just a question of DDoS'ing all the members of the botnet, kicking them off the net. We're almost exclusively talking regular PCs with limited bandwidth so it should be trivial to choke them off the net. Should get the attention of the owners, who might wake up and do something about it... or just turn off his/her now worthless computer... both would stop the zombie cold.

Yes, it's the right thing to do because anybody who allows his/her machine to do evil is evil by definition and it's always right to fight evil. Keeping a machine patched and protected is so simple it hurts. If you don't you're intentionally causing the evil to happen. You should know better. Windows has a fairly well-functioning auto update feature, and there's lots of anti-virus and firewall software out there (newer Windows includes one as well), including decent free stuff, so there's no excuse. Failing to stay vigilant is evil.

Yes, I've had various Windows boxes for decades and I've never had an infection, despite being actively online for 12+ hours each day. But I've always been careful to keep things updated, and of course to use a browser that helps protect the system.
