Creators of Massive Botnet Arrested

DigitumDei writes "Dutch police has nabbed 3 men (aged 19,22, & 27) who alledgedly used the toxbot trojan to create a botnet of over 100000 machines. The trio conducted a DDOS attack against an unnamed US company in an extortion attempt, as well as using phishing tactics to hijack PayPal and eBay accounts. From the article: 'Police seized computers, cash, a sports car, and bank accounts at the three men's residences, and additional arrests are expected. The three were to be taken before a magistrate in Breda, a city approximately 25 miles south of Rotterdam, on Friday. The botnet was dismantled, prosecutors said, with help from the Dutch National High Tech Crime Center; GOVCERT.NL, the Netherlands' Computer Emergency Response Team; and several Internet service providers, including the Amsterdam-based XS4ALL.'"

Extortion?

Dat's a nice website ya got dere. SHAME if sumtin happened to it.

/Godfather music in background

Re:Extortion?

[pnice]

I thought the point of these attacks was to bring the page down so they could no longer conduct business and make money. Gambling, sports betting, high traffic ecommerce sites...places like that lose money per a second when their equipment is down. If the amount it costs to keep the DDOS from happening (the payoff) is much less than the amount of money they would lose if their site went down there is a good chance the people will pay to keep it from happening. At least I thought that was why they would do it.

Re:Extortion?

[sleeper0]

The motivation behind this kind of extortion is (obviously) money. It definitely happens and companies definitely do pay. It doesn't usually happen to the largest and best connected firms, and not that much to US based firms as compared to the rest of the world, but it's going on all the time. It doesn't get a lot of press because victims that pay are very unlikely to publicize the event. It is mostly focused on business that do most or all of their revenue over the net.

You greatly underestimate the trouble an extremely large DDOS network can cause via sheer packet volume. It might make you reboot your server or pay more in bandwidth for the month? First off the targets of these things are using pretty substantial server farms, not your debian server you have your cat's pictures on. The servers may or may not crash but they certainly wont handle the load. And neither will your load balancers, database servers, routers, firewalls, IDS's, the list goes on and on. Not only that but your ISP won;t handle the load either, all of their stuff starts to break. And depending on how far down the food chain you are maybe your ISP's ISP. All the way up to the tier 1 who can handle it but certainly doesnt want to.

The short answer is is even if all of your technology works flawlessly and isn't crashing left and right (which it most certainly will be), you've never bought a pipe nearly big enough to handle the traffic you're getting so your real customer's traffic is taking forever or just getting dropped on the floor. After 6-24 hours of your DDOS problems impacting all their other customers, your ISP gets their providers to null route your IP space, putting you in the dead calm of the eye of the storm. Everything works again now, except your customers can't reach you. If you measure your earnings based on people connecting to your shop or services that is obviously a very big deal.

If you fight, the fight is going to be very tough. First you need a sympathetic ISP that will let you fight and help you fight - that probably isn't your existing ISP and ones that will are in short supply. Basically a tier 1 or major colos that are very undersold so they have the bandwidth to burn without taking out the rest of their customers. Next you need someone who understands what needs to be done and fast and will work around the clock to do it - realistically you're probably looking at maybe hundreds of people total in the US that have a very strong background in such things and would be available - and maybe dozens of people that have actual direct experience (on that scale). They will obviously cost money. So will building a completely brand new intelligent filtering network over night - in addition to the hardware costs of the new boxes and the connection costs for the new ISP - this isnt off the shelf software either, at least probably not.

Maybe you can start seeing why it's a bit more of a big deal than maybe rebooting your software - why people choose to pay - and that's why it's profitable.

Re:Extortion?

[turbofisk]

Yes there was, and it was a fabulous read... Here's a link: http://it.slashdot.org/article.pl?sid=05/05/04/133 7237&tid=172

a botnet of over 100000 machines

[wiredog]

I hereby declare a new metric for measuring the size of botnets: The MegaBot. 1 MegaBot==10E6 Bots.

Re:a botnet of over 100000 machines

[catch23]

My math is a bit rusty, but isn't 100000 == 10e5? It should be a 100 kilobot instead....

Re:a botnet of over 100000 machines

[mustafap]

>1 MegaBot==10E6 Bots.

No no no no no. How many times to we have to tell you?

1MegaBot == 1024*1024 bots.

Dammed marketing bots.

Re:a botnet of over 100000 machines

[Jugalator]

No no no no no. How many times to we have to tell you?
1MegaBot == 1024*1024 bots.

No!! You're talking about a MebiBot!

// Random Mebi Enforcement Zealot

Wow.

[Black+Parrot]

A city-wide Thieves Guild is understandable, but a National Crime Center is just going too far.

mmm

the creators of the slashdot network are still at large tho :)

Good!

[RedNovember]

I'm happy these guys were arrested. Things like this scare companies and people away from technology. Not to imply that modern companies will survive without computers, but will your boss think long and hard before approving tech budgets? You bet. I've never heard of a bunch of crackers extorting a company.

This will also give them pause when hiring former hackers. They might think "Is this guy going to give extortionists inside info?"

On the other hand, security folks may have a budget windfall thrown their way. Considering '"Each time the Trojan was stopped by anti-virus defenses, they made a new version," he said. "This was not just a one-off. The sheer number of variants shows this wasn't a crime they committed just once."' Those security people better get to it.

Re:Good!

[LiquidCoooled]

the problem with most DOS attacks that hit the news is once it hits the news, thousands of individual web users from around the world all click the link just to see if the site is still down.

Each person doing that is unwittingly taking part in the DOS attack.
If you think slashdot effect is bad, think about the slashdot AND routers/yahoo/NYT/humble news sties all ganging up on one site.

This is how googlewent down recently, not because of the worms activity, but because of peoples curiosity.
Sure, the worm had an effect, but nowhere near as bad as the casual knock on effect of browsing.

How many times have you done the following:

Seen a story saying xyz.com is under attack.
Your action -
"is it still under attack?" .....CLICK.... .....no response..... .......CLICK CLICK.....
"Yep, its still down".

if thats similar to your actions, congrats, you are personally a bot :)

About time

[dow]

I get so many of these zombie machines trying things everyday and never hear about anyone getting caught. Hope they get sentenced to ten years of Windows XP.

Re:About time

[mindaktiviti]

Because we all know that 10 years of WinME would result in cruel and unusual punishment, even for them.

Why?

[AAeyers]

...who alledgedly used the toxbot trojan to create a botnet of over 100000 machines.

It seems a little harsh to get arrested for only infecting 32 machines.....

Re:Why?

[Filip22012005]

You're thinking of a bitnet.

Related concepts: the batnet and the butnet.

And then, there's also the botnut (three of which got arrested), the bitnut (such as yourself), the butnut (erm...), the botknit (a network of 100000 computers strung together by my grandma), the botNAT, and the bitenight (Buffy the movie).

Re:Why?

[flosofl]

...who alledgedly used the toxbot trojan to create a botnet of over 100000 machines.

It seems a little harsh to get arrested for only infecting 32 machines.....

Ha!

Judging from the replies, there's only 10 types of people who understood the post.

Those who got the joke and those who didn't.*

*-Shamelessly ripped off a ThinkGeek T-Shirt...

Re:If only i had my own 100k computer matrix...

[kalirion]

What's the point when you can just put in your maximum bid and eBay raises your active bid as the bidding warrants?

How do you dismantle a botnet?

Surely those computers are still vulnerable to the toxbot trojan at best, or just waiting for somebody to give the right commands at worst.
Unless you use the trojan to patch the system of course, but that would be illegal.

Re:Good, but...

[seti]

When I was in uni, we had a guy from the Belgian Computer Crime Unit (CCU) come and talk to us about computer criminality. We asked a load of questions, including whether they actually actively went after casual downloaders. Basically they said they were so swamped going after child pornography sites, they did not have any resources at all for those kind of activities.

Most police "cybercrime" units are still very underfunded.

Sure, this will solve the problem...

[dachshund]

The lesson for these guys is: next time you try to profit off of your computer crime, make sure that you have strong connections with organized crime, or live in a country with lax computer crime laws and have a tight financial relationship with the police. I'm glad to hear about this sort of thing, but I don't think it's going to do anything to actually reduce the number of bots out there. Rather, it'll just ensure that future botnets are run by nastier, better-protected individuals and organizations.

I wonder what it would take to convince the world that these unsecured machines are an actual security threat, rather than an annoyance?

What a great idea...

[MarkusQ]

The botnet was dismantled, prosecutors said, with help from...

Why didn't I think of that! That's 100,000 lusers that won't be getting infected again soon, unless they learn enough to reassemble their boxen, by which point...*sigh* What am I thinking? They'll probably just buy new systems and throw the piles of parts out. They'll be back on bot nets by this weekend.

What they need to do is dismantal the owners!

--MarkusQ

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Good, but...

Well, just like the marijuana laws on the books (forced by other countries), it's public policy not to enforce things that are considered a waste of law enforcements time.

The government said themselves that making file sharing a criminal offence just turns a large portion of the population into criminals for no real benefit. This is similar to the drugs policy. From Wikipedia:

However, a policy of non-enforcement has led to a situation where reliance upon non-enforcement has become common, and because of this the courts have ruled against the government when individual cases were prosecuted.

This is because the Dutch Ministry of Justice applies a gedoogbeleid (policy of tolerance) with regard to soft drugs: an official set of guidelines telling public prosecutors under which circumstances offenders should not be prosecuted. This is a more official version of the common practice in other countries, in which law enforcement sets priorities as to which offenses are important enough to spend limited resources on.

Proponents of gedoogbeleid argue that such a policy offers more consistency in legal protection in practice, than without it. Opponents of the Dutch drug policy either call for full legalization, or argue that laws should penalize morally wrong or decadent behavior, whether this is enforceable or not.

So no, the government tends to go after real criminals, rather than waste time on teenagers with too much free time.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Damn.

[wiredog]

I saw that as 1000,000 machines, but it's only 100,000 machines. So it's a 0.1 megabot botnet, not a full megabot botnet.

Environmental problem

[rbanffy]

It seems to me that unpatched Windows boxes are becoming an environmental problem ;-)

Re:Environmental problem

[onepoint]

What I would like to see is all those machines patched up, I would guess that it could be possible to slide a patching program via the bot-net.

Onepoint

p.s. In thinking about this, I find that most likely it would be illegal

Limited time

[squoozer]

I forsee the day when bot nets are a thing of the past. While I admit that currently most police forces couldn't catch a virus by opening infected email things seem to be changing.

The scale of setting up a useful botnet is such that there are thousands of tiny ways that you could screw up and leave a drity great big flag pointing out your location / identity. Even the most carefully created botnet will contain some useful information to track down it's owner. In fact the very nature of the beast means that at some point you will have to contact it which potentially gives away your location. Ok you can run through proxies and use other methods to hide you identity but it only takes one slip up which someone technical is watching. Of course you also have the problem of collecting you payments. While you might be able to hide in the online world hiding from the banking world is much harder. At some point you have to collect you money.

All in all I think it would be easier to just go into kidnapping or drug dealing. The profit margin has got to be higher.

Re:Limited time

[patio11]

Kidnapping for money (in the US, at least) is completely dead, for a couple of reasons. First, the FBI has long considered every incident of kidnapping to be a personal vendetta against them and they play for keeps -- unless you're the pedophile who kidnaps a kid and kills them within 24 hours, they WILL catch you. And they will, likely as not, kill you in the attempt and when the guy who does gets back to the office his hand will be sore from all the high-fives. We're not nearly so effective at taking care of drug dealers, but drug dealers are -- they've got a mortality rate of about 10-25% a year in some cities, and most of them only clear minimum wage (see Freakonomics -- excellent book, by the way). Computer crimes, by contrast, are punished relatively leniently, investigated seldomly, have zero physical risk, and pay better. Whats not to like for the unscrupulous type, aside from having a higher barrier to entry than kidnapping/drug dealing?

Re:25 miles south of Rotterdam?

[badfish99]

I always thought that Americans were just plain ignorant about European geography. Now I know it's because you've been going round telling them that Madrid is close to London.

Re:25 miles south of Rotterdam?

[Koredor]

Does this info really help? How many Americans know Rotterdam?

Rotterdamn....that sounds vaguely familar.. Oh yeah now I remember it was one of my options for music in Ridge Racer for Play Station.

As to not be marked off-topic, the question really becomes not what to do with those behind the botnet, but what to do with the botnet itself. One could patch the entire network via the use of the very trojan that created it (which we know is illegal), but I think this might be a good change to get some extra cycles for SETI. I can just see Team Dutch National High Tech Crime Center moving up the rankings now.

Re:Let the punishment fit the crime

[pe1rxq]

Because real studies have shown that stiff sentences do wonders besides making the pitchfork carying mob happy?

Re:glaring gramatical error

[DigitumDei]

Unfortunately I am not.

Blushing profusly right now; amazing how previewing twice just meant I read "has" as "have" in my mind twice.

Linux not being used enough?

[Tominva1045]

...or use Linux.

Are Linux boxes invulnerable? Is the gauntlet being thrown at our feet? (lol)

I'm happy they did get nabbed though. There are plenty of fun things to do in life instead of extortion.

Re:Let the punishment fit the crime

[pe1rxq]

I know the ideas and reasoning behind stiff sentences, that doesn't mean it works.
Like amputating a hand after stealing, very scary but does it actually make crime rates go down?
If one isn't afraid of getting caught the sentence doesn't matter.

Re:25 miles south of Rotterdam?

[nomadic]

It is, Madrid is only 786 miles from London. That's less than the distance between New York and Chicago.

Re:25 miles south of Rotterdam?

[Jardine]

interesting stats there. [ 144 thousand times * holland = canada ]. hello dont believe this.

It's more like 240 * Holland = Canada.

Re:Good, but...

[CmdrGravy]

Listen, here's a hot tip if you ever want to get on a cops good side ( such as when they are giving you a traffic ticket or whatever ). All you have to do is ask them loudly "Why aren't you out catching the real criminals eh ?" and they will instantly feel warm and friendly towards you and treat you with the deference, courtesy and respect you deserve.

RE: How to dismantle a botnet!!

[A.K.A_Magnet]

OK I'm a bit late on this story, but maybe some mods will be late too ;)

As an IRC admin for few years, I saw many botnet channels. The botnet masters enjoy putting their bots on IRC (on a secret channel) because it's a third party who provides the communication support, IRC is a good message demultiplexer, and they think it's safe since they only log on IRC with a proxy.

They can identify themselves with a given bot by going private (PRIVMSG .ident ) or just on the channel, the PRIVMSG will be sent to every bot. Now 100k bots in a channel is a lot but I have seen 30k already.

The bots had random nicks so we just put a bot of ours with a random nick in the channel, logged everything and then get the login/pass (I guess in this case Dutch police had the login/pass pair from the PCs they seized). Then we looked out for the bot version, looked on the web for commands (usually, the bot masters are script kiddies and just build the bot from an "automatic" builder they download on the web... they wouldn't even build from the sources).

All of the bots I encountered disposed of attacks commands et al, but also a clean removal command. That's what we used.

Now I don't know about the bot in this story, but most likely the botnet masters HAD a mean to contact them all (now is it IRC-like with a big channel, or distributed among the bots à la DNS, I don't know... But even if the removal command isn't here, there's still a way to tell the bot to execute a given binary they download from a given URL).

And I don't think that would really be illegal, remember, the PC owners rarely know they are infected or don't care. They won't know or won't care either if someone removes the bot for them. And if they say something, just sue them since it means they were part of the attack knowingly ;). Who would want to be part of the botnet ? :)

Anyway I hope we could shut down more of these networks (and MS should pay for their dismantle since nearly all zombies networks are running Windows).

Who is this XS4ALL?

[horza]

What is the real identity of this Dutch ISP XS4ALL? Fighting spammers (though losing appeal), defending the rights of clients to hyperlink and refusing to be bullied by court orders, and now taking down BotNets. Apparently the founders sold out for millions, but they seem to go well beyond the Google "do no evil" philosophy to pro-actively defending the rights of their customers at considerable risk to themselves. It's the kind of company the deserves to win an awful lot of business.

Phillip.

Re:Who is this XS4ALL?

[AlXtreme]

XS4ALL was founded in '93 as the Dutch version of Demon, the UK ISP. In spite of the KPN (ex government-controlled/monopoly telco) buy-out, they have maintained their philosophy of protecting the interests of their customers and doing the Right Thing(tm).

Strong ties with Bits for Freedom (our version of the EFF), best Dutch ISP year after year, support for *nix systems, frequent new experimental services. Only pain is that they're also one of the more expensive ISP's. You get what you pay for, and with XS4ALL they give you the works.

(for the record, I'm a long-time customer so I am rather biased. But these guys aren't your average ISP)

Re:Who is this XS4ALL?

[SillyNickName4me]

Hmm, not entirely accurate I believe..

This (ad at the bottom of the page) is where XS4ALL started. They were basicly the first public ISP in the Netherlands (tho I am not entirely sure, 'stichting Simplex' was there at around the same time from what I recall)

Demon and XS4ALL definitely have things in common, but I think that has more to do with both having started in the very early days of public internet access, and still believing that they connect computers to a big network (as opposed to the content focus that many an ISP seems to have). Both give you a fixed IP and your own hostname, allow you to run servers including smtp and http etc.

At any rate, XS4ALL grew out of a desire to provide cheap access to the 'live internet' as opposed to the then common uucp mail/news access. The people behind it had been involved in the Datanet 1 (X25 network similar to Tymnet and the like) and the BBS scene, and had been running a somewhat substantial (100+ nodes) uucp network for some time. They went for nothing less making it possible for every person with the proper equipment to become a full host on the Internet, an attitude which is still pretty much there in modern XS4ALL.

AH well.. thanks for reminding me of that time.. had fun looking up some info on it today, and reading back about the early days of Internet access overhere. Heh, to think that I have a nice 8mbit up/1 mbit down connection here that costs about 1/5th per month when compared to the initial internet connection (at a whopping 19k2) that XS4ALL used themselves to get on the net :)

I did not use XS4ALL much during those early days, mostly because I got a free account from IGN with which I had internet access with local dialin from about any major city worldwide, and I had a rather good access deal with Simplex for my home network. I can confirm your comments about the quality of XS4ALL and their generally nice attitude towards issues that concern their private customers.

Re:Good, but...

[lawpoop]

Do the Dutch really have a Justice system based on gobbledegook?

Re:glaring gramatical error

[Winkhorst]

GRAMMATICAL, damn it!

Re:If only i had my own 100k computer matrix...

[pclminion]

What's the point when you can just put in your maximum bid and eBay raises your active bid as the bidding warrants?

Because bidding on an item calls attention to it. If bidding activity on an item is fierce and heavy, sniping has no benefit. But imagine a situation where you are vying for an item with only one other person. You do not want to set your maximum bid right away, because the other guy's valuation of the item is probably similar to yours -- he'll bid up right away. The other person, of course, follows the same logic and also starts with a lowball bid. Now, since neither party is using automatic bidding, they have to keep checking on the item to see if they've been outbid. What sniping does is allows the other person to become complacent, and not set their actual maximum bid. You can then come in at the last second and bid slightly over them and get the item before they can react.

The reason bidders behave this way is because they are hoping the other guy doesn't know the "true value" of the item. Placing a realistic maximum bid would only drive the price up. But if you are knowledgable of an item's true value and conceal that from the other participants by bidding low at the beginning, you have a better chance of getting the item at a lower price.

Suddenly, the botnet ads are gone

[Animats]

SpecialHam, the spammer forum, usually is full of ads for botnets. But not today. There are far fewer ads for "proxies" today. And there are notes like "hey, watch yourself" and worries about "spamhaus honeypots".

So there's been some effect. The spammers are becoming afraid. Not very afraid. Yet. But afraid. It's becoming hard to spam without committing multiple felonies. Those felonies are leading to a few arrests and jail sentences. Not many, but enough to scare off many spammers. The remaining spammers look more and more like traditional crooks.

There's plenty of stuff on SpecialHam for law enforcement to go after. "Special Hurricane Katrina Promotions". "Offshore bank accounts for sale". Anyone active against spam should be looking there.

The New Yorker: Zombie Hunters

[blueZhift]

The October 10 New Yorker magazine has a nice companion piece to this story, "The Zombie Hunters: On the trail of cyberextortionists" by Evan Ratliff. The article describes the tactics of the extortionists and those who track them down or thwart their attacks. Probably nothing new to the /. crowd, but a good read nonetheless. Here's a link.

http://www.newyorker.com/fact/content/articles/051 010fa_fact