Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Botnet Flaw Lets Researchers Disrupt Attacks

Soulskill posted more than 2 years ago | from the perhaps-should-have-hidden-the-on/off-switch dept.

Botnet 26

Trailrunner7 writes "A team of researchers has discovered a weakness in the command-and-control infrastructure of one of the major DDoS toolkits, Dirt Jumper, that enables them to stop attacks that are in progress. The discovery gives the researchers the ability to access the back-end servers that control the attack tool, as well as the configuration server, and key insights into the way that the tool works and how attackers are using it. Dirt Jumper is not among the more well-known of the DDoS attack toolkits, but it's been in use for some time now and has a number of separate iterations. The bot evolved from the older RussKill bot over time, and various versions of the tool's binary code and back end configuration files have been made public. Researchers have watched as the bot has been used in attacks around the world against a variety of targets, and now they've been able to find a crack in the malware's control infrastructure."

cancel ×

26 comments

Sorry! There are no comments related to the filter you selected.

crack in the malware's control infrastructure (1)

fustakrakich (1673220) | more than 2 years ago | (#41001615)

Yet another example of country coming apart at the seams.

Re:crack in the malware's control infrastructure (1)

Razgorov Prikazka (1699498) | more than 2 years ago | (#41001825)

Well, the first crack of course is getting rid of M$ and use a proper OS instead.
After that one could go after the baddies...

Re:crack in the malware's control infrastructure (-1)

Anonymous Coward | more than 2 years ago | (#41001863)

You're $o witty and $mart! Oh, and FUNNY, Holy ball$ that'$ funny. Plea$e have my babie$, unle$$ you're male. Then I'll have your babie$.

No Homo.

Re: NO MICROS~1 HOMOS~1 .. (0)

Anonymous Coward | more than 2 years ago | (#41002095)

YOU'RE SO WITTY~1 AND SMART~1! OH, AND FUNNY~1, HOLY BALLS~1 THAT'S FUNNY~1. PLEASE HAVE MY BABIES~1, UNLESS YOU'RE MALE~1. THEN I'LL HAVE YOUR BABIES~1. NO HOMOS~1.

Re:crack in the malware's control infrastructure (3, Insightful)

Krojack (575051) | more than 2 years ago | (#41001905)

Correction, The proper fix would be to not let click happy stupid people use the internet.

It's already been proven that Linux & Mac OS's can also be infected so it really doesn't have anything to do with MS. It all comes down to the end user and installing every little stupid thing and clicking on anything that jumps in front of them.

Re:crack in the malware's control infrastructure (2)

tlhIngan (30335) | more than 2 years ago | (#41002437)

It's already been proven that Linux & Mac OS's can also be infected so it really doesn't have anything to do with MS. It all comes down to the end user and installing every little stupid thing and clicking on anything that jumps in front of them.

Not to mention it seems a lot of malware these days are usermode based. They're not trying to hide from users anymore, other than being plausibly-sounding processes with plausible paths. Everything they need to do the user can do - they don't need admin anymore (admin was required because they wanted to hide).

Getting admin these days often requires a dialog box popping up on the user for admin priviledges. Which is a great way to announce your presence to the user. But just being an innoculous sounding process that can hide amongst the other processes is often good enough. After all, if the malware decided it would be called "init" on Linux or "launchd" on OS X, most users wouldn't know that something is wrong (other than it not being PID 0). Or perhaps the malware can see the user runs GNOME, and call itself gnome-terminal. Or on OS X, Safari.app.

Re:crack in the malware's control infrastructure (1)

jones_supa (887896) | more than 2 years ago | (#41007685)

Hmm, seems that you could actually create some sort of protection against this by writing a program which checks for spurious duplicates of system files.

Re:crack in the malware's control infrastructure (1)

tlhIngan (30335) | more than 2 years ago | (#41002551)

The proper fix would be to not let click happy stupid people use the internet.

Then we might as well bottle the internet back up as a DARPA research curiousity then.

Generally speaking, the security model assumes people know what they're doing, which is patently false. The computer and the internet are essential tools these days for many occupations, whether or not the people want it. A mechanic probably has to use a computer to diagnose a modern car, but he certainly doesn't need to know how to reinstall Windows or compile a kernel or other crap (to him). He just wants to see what errors there are, use his experience and then find the mystical place to do the $1000 tap to fix the problem.

Ditto the internet - the sales guy is wheeling and dealing and sending specs to customers trying to make money for the company over the 'net. He doesn't need to know the details of TCP/IP or Ethernet or how the packet gets from here to there - he just makes the sales.

Basically these days, the security model should include the fact that people who do not know better have a necessity to use the computer and the internet. We don't train the mechanic how to type and install Windows/Linux/blah and admin it, we train the mechanic how to most effectively extract the data the ECU provides to solve the problem.

It's time security models take note that Dancing Pigs [wikipedia.org] are here to stay. Which may explain the rise of locked down tablets and walled gardens.

Re:crack in the malware's control infrastructure (0)

Anonymous Coward | more than 2 years ago | (#41008179)

"happy stupid people" are the Internet.
Without them, we would still have only documents and missile control commands taking up the bandwidth

Re:crack in the malware's control infrastructure (1)

somersault (912633) | more than 2 years ago | (#41008973)

I'm pretty sure we'd still have plenty of online gaming too.

Re:crack in the malware's control infrastructure (1)

mcgrew (92797) | more than 2 years ago | (#41013591)

It's already been proven that Linux & Mac OS's can also be infected

I don't think "infected" is the right word for a trojan. However, Windows is the only OS that one could get infected by a virus (not trojan) by simply opening an email or visiting a web page.

That said, Windows is a lot more secure than it used to be. I doubt anyone but the click-happy who are dumb enough to answer "would you like to let this program change your computer?" would say "yes" if they thought they were going to a linked web page.

It writes itself (0)

marcello_dl (667940) | more than 2 years ago | (#41001743)

Yo dawg,
I herd you like to exploit flaws,
so I put a flaw in your flaws exploit kit,
so you can exploit flaws while your devkit's flaw is exploited.

Is it better to have a dog (-1)

Anonymous Coward | more than 2 years ago | (#41001829)

on the roof of your car or the roof of your mouth?

http://www.breitbart.com/Big-Hollywood/2012/08/15/Devo-to-Release-Song-Highlighting-Romney-Dogs-Roof-Ride

Re:Is it better to have a dog (-1)

Anonymous Coward | more than 2 years ago | (#41001911)

Bwahahhaa

I think the song's release is coinciding with the release of Obama's new cookbook.

binary code (1)

GuldKalle (1065310) | more than 2 years ago | (#41001879)

The bot evolved from the older RussKill bot over time, and various versions of the tool's binary code and back end configuration files have been made public.

What does that mean? Was some of the code stored in another numeral system? And why was the code so hard to get hold of?

Re:binary code (0)

Anonymous Coward | more than 2 years ago | (#41001915)

Not sure if serious...
"Binary code" means compiled code (i.e. executable files) as opposed to the original source code.

Re:binary code (1)

X0563511 (793323) | more than 2 years ago | (#41002133)

Work with me here...

What do you get out of a compiler? A binary.

Re:binary code (1)

GuldKalle (1065310) | more than 2 years ago | (#41003099)

Yeah, OK. But why was it so hard to get hold of? Couldn't they just pull it from any infected machine?

Not bricked yet? (1)

tomhath (637240) | more than 2 years ago | (#41002471)

I'm surprised some company or country hasn't gotten PO'd enough to write a counterattack that just bricks all the infected machines in a botnet.

Re:Not bricked yet? (0)

Anonymous Coward | more than 2 years ago | (#41002997)

How do you brick spoof'ed IPs?

Re:Not bricked yet? (1)

GuldKalle (1065310) | more than 2 years ago | (#41003147)

Does it spoof the IP? Wouldn't ISPs spot IP packets originating in their own network, but not looking like they did?

Security Flaw in the Security Flaw! (1)

fm6 (162816) | more than 2 years ago | (#41002649)

Really, how could the editor overlook such a cute headline?

If the botnet was open source.... (1)

Anonymous Coward | more than 2 years ago | (#41002707)

.... the researchers would be able to submit a patch.

Why are they telling us? (1)

mdfst13 (664665) | more than 2 years ago | (#41003069)

I wonder why they are announcing the security flaw in the malware. Shouldn't they try to exploit the security flaw to find the malware users first?

What's the benefit of reporting the flaw? Usually, people report security flaws so that the application writer can close them. Do they actually want the DDOS kit to close its security flaw? Does that make the world better in some way?

The only possible advantage that I can see is that it might make other malware users more careful about using similar software. And of course, smart malware users will no longer use Dirt Jumper. However, if they just switch from Dirt Jumper to another DDOS kit, it seems that we are worse off (DDOSed by a kit without a security flaw to exploit).

The optimal time to make this kind of announcement would be after it becomes common knowledge in the malware community, preferably by publication of the proceedings of some prosecutions. At that time, it gives minimal benefit to existing malware users while still scaring potential malware users from jumping on the bandwagon. I wouldn't expect the scare benefits to be that large, so the benefit from an early announcement is small.

Re:Why are they telling us? (1)

SomeJoel (1061138) | more than 2 years ago | (#41003605)

If they don't report any progress, they'll lose their funding.

I disrupt ALL botnets constantly... apk (0)

Anonymous Coward | more than 2 years ago | (#41008843)

See subject-line above: I get a daily listing of their C&C Servers and block them off in my custom hosts file (currently @ 1,800,275++ of KNOWN bad sites-servers/hosts-domains that serve up malicious content, &/or botnet C&C servers, as well as bogus DNS servers they use).

For those of you that run Microsoft Windows 32 or 64 bit? An automated hosts file creation & mgt. program:

---

APK Hosts File Engine 5.0++ 32/64-bit:

Screenshot -> http://start64.com/images/win64/security/apk-hosts-file-engine-1.png [start64.com]

&

Download Site #1 -> http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

or

Download Site #2 -> http://securemecca.com/public/APKHostsFileInstaller/2012_06_01/APKHostsFileEngineInstaller32_64bit.exe.zip [securemecca.com]

---

INSTALLATION:

a.) Extract its sfx installer file from the zipfile
b.) Run the installer from inside ANY folder you like, extracting the executables + datafiles to any folder you wish (usually one you create for it, doesn't matter where, but you MUST run it as administrator for FULL functionality (simple & the "read me" tab shows how easy THAT is to do))
c.) Then, & lastly - Run either the 32-bit OR 64-bit version (rightclick on the executable & set it to run as Administrator, OR, make a shortcut that can for FULL functionality (like write-protecting the hosts file, & more...))

---

What's it do for you?

Custom hosts files gain me the following benefits (A short summary of where custom hosts files can be extremely useful):

---

1.) Blocking out malware/malscripted sites
2.) Blocking out Known sites-servers/hosts-domains that are known to serve up malware
3.) Blocking out Bogus DNS servers malware makers use
4.) Blocking out Botnet C&C servers
5.) Blocking out Bogus adbanners that are full of malicious script content
6.) Getting you back speed/bandwidth you paid for by blocking out adbanners + hardcoding in your favorite sites (faster than remote DNS server resolution)
7.) Added reliability (vs. downed or misdirect/poisoned DNS servers).
8.) Added "anonymity" (to an extent, vs. DNS request logs)
9.) The ability to bypass DNSBL's (DNS block lists you may not agree with).
10.) More screen "real estate" (since no more adbanners appear onscreen eating up CPU, Memory, & other forms of I/O too - bonus!)
11.) Truly UNIVERSAL PROTECTION (since any OS, even on smartphones, usually has a BSD drived IP stack).
12.) Faster & MORE EFFICIENT operation vs. browser plugins (which "layer on" ontop of Ring 3/RPL 3/usermode browsers - whereas the hosts file operates @ the Ring 0/RPL 0/Kernelmode of operation (far faster) as a filter for the IP stack itself...)
13.) Blocking out TRACKERS
14.) Custom hosts files work on ANY & ALL webbound apps (browser plugins do not).
15.) Custom hosts files offer a better, faster, more efficient way, & safer way to surf the web & are COMPLETELY controlled by the end-user of them.

---

* The malwarebytes/hpHosts site admin another person/site hosting it (Mr. Steven Burn, a competent coder in his own right), said it's "excellent" in fact and has seen its code too...

(Write him yourselves should anyone doubt any of this -> services@it-mate.co.uk , or see his site @ http://hosts-file.net/?s=Download [hosts-file.net] [hosts-file.net] )

A Mr. Henry Hertz Hobbitt of securemecca.org &/or hostsfile.org can also verify that this program is safe - write him @ -> hhhobbit@securemecca.com

---

* I told myself (since i built it in late 2003 in version 1.0++ & have rebuilt it 5x since in Borland Delphi 3.0/5.0/7.0 32-bit & currently into 64-bit using Delphi XE2) this:

That IF things didn't get better on the "malware front" by 2012, out it would go for the general public to get the above enumerated multiple & versatile benefits custom hosts yield for end users!

(Mainly in saving them money on speed + bandwidth they pay for each month as well as added "layered-security"/"defense-in-depth" AND reliability & even a bit better "anonymity", all noted above...).

APK

P.S.=> It works for ALL of the enumerated benefits above - here are the SPECIFICS/Details of those:

---

A.) Offers massively noticeable increased speed for websurfing via blocking adbanners

B.) Offers increased speed for users fav. sites by hardcoding them into the hosts file for faster IP address-to-host/domain name resolutions (which sites RARELY change their hosting providers, e.g.-> of 250 I do, only 6 have changed since 2006 - & when sites do because they found a less costly hosting provider? Then, they either email notify members, put up warnings on their pages, & do IP warnings & redirectors onto the former IP address range to protect vs. the unscrupulous criminal bidding on that range to buy it to steal from users of say, online banking or shopping sites).

C.) Better "Layered-Security"/"Defense-In-Depth" via blocking host-domain based attacks by KNOWN bad sites-servers that are known to do so (which IS, by far, the majority of what's used by both users (hence the existence of the faulty but for most part working DNS system), AND even by malware makers (since host-domain names are recyclable by they, & the RBN (Russian Business Network & others)) were doing it like mad with "less than scrupulous", or uncaring, hosting providers)

D.) Better 'anonymity' to an extent vs. DNS request logs (not vs. DPI ("deep packet inspection"))

E.) The ability to circumvent unjust DNSBL (DNS Block Lists) if unjust or inconveniences a user.

F.) Protection vs. online trackers

G.) Better security vs. the DNS system being "dns poisoned/redirected" (a known problem for recursive DNS servers via port 51/53 misdirection)

H.) Write protecting the hosts file every 1/2 second (supplementing UAC) - even if/when you move it from the default location via this registry entry (which if done, can function ALMOST like *NIX shadow passwords because of this program):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters

And changing the "DataBasePath" parameter there (I do this moving it to a faster media, a "true SSD" using DDR-2 RAM, in the 4gb Gigabyte IRAM I have).

I.) Automatic downloading & Alphabetic sorting of hosts files' records entries (for easier end user mgt. manually) from 15 reliable sources (of 17 I actually use).

J.) Manual editing of all files used (hosts to import list, hosts itself in its default location of %windir%\system32\drivers\etc, the hosts files to import/download & process, & favorite sites to reverse dns ping to avoid DNS (noted above why)).

K.) Removal scanners (if the users decide to remove hosts entries from imported data they can check if the site is indeed known as bad or not (sometimes 'false positives' happen, or just bad entries, or sites clean themselves up after infestation due to vulnerable coding etc./et al)).

L.) Removal of bloating material in many hosts files like Comments (useless bulk in a hosts file that's "all business")

M.) Removal of bloating material in many hosts files like Trailing comments after records (produces duplicates)

N.) Removal of bloating material in many hosts files like Invalid TLD entries (program checks this in a BETTER method than the API call "PathIsURL")

O.) Removal of bloating material in many hosts files like Trims entries (vs. trailing blanks bloat on record entries)

P.) Removal of bloating material in many hosts files like the conversion of the larger & SLOWER 127.0.0.1 blocking "loopback adapter" address (slower due to larger size bytes wise to parse, & slower if loopback happens) to the smaller/faster to parse & load 0.0.0.0

Q.) Uniformity of ALL entries in hosts (as to records inserted & format they use - reducing bloat AND repeated bloating entries).

R.) Filtration-Removal of sites that IF in a hosts file are KNOWN to cause problems on larger portals that use CDN etc.

S.) Custom hosts files protect ALL webbound programs, not just webbrowsers (like AdBlock addons, & it doesn't even block ALL adbanners by default anymore) & it does so @ a more efficient faster level (Ring 0/RPL 0/Kernelmode) acting merely as a filter for the PnP design IP stack, vs. the slower level webbrowser programs & their addons operate in (Ring 3/RPL 3/Usermode), which addons slow them even more by "layering on" parsing & processing that browser addons layer on.

T.) Custom hosts files also offer the speedup to favorite sites noted above, & even firewalls + browser addons do NOT offer that...

---

& MORE, in roughly 15 minutes runtime (on an Intel Core I7 920 Quad/4 core cpu @ 2.67ghz) & faster on faster CPU's (e.g. - Intel Core I7 3960 "extreme" 6-7 core CPUs = 7 minute runtime) & slower on slower CPU's (Intel 1.5ghz Celeron single core = 45 minutes).

(Above all else - Enjoy the program: It works!)

Thanks for your time...

... apk

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?