Slashdot Mirror


Botnet on Botnet Action

Dausha writes "The Tech Web news site reports a story about Botnet turf wars. Botnets have been around for a while, and are increasing in severity. The latest innovation finds Bots capturing and securing host computers from other bots. Security includes installing software patches, shutting down ports, etc."


  1. Note to Editors by Billosaur · · Score: 5, Funny

    Never let CmdrTaco come up with headlines after a night of watching girl-girl porn... the images created are... disturbing...

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Note to Editors by TheMeuge · · Score: 5, Funny

      How do you think he came up with his username?

    2. Re:Note to Editors by JamesTRexx · · Score: 2, Informative

      You were thinking of a clusterfuck too?

      --
      home
    3. Re:Note to Editors by thestudio_bob · · Score: 5, Insightful

      Seriously, why couldn't some kind of "GOOD" botnet be created that does this? If the spammers can do it, why can't Microsoft, Yahoo, Google, AOL, Symantec or someone? A botnet that goes around and secures all these drone computers would save the connected world a lot of headaches.

      --
      The real Sig captains the Northwestern. This one captains /.
    4. Re:Note to Editors by jojoba_oil · · Score: 2, Funny

      Couple that with a quote I pull directly from TFA:

      It's one incestuous ecosystem.
    5. Re:Note to Editors by dkf · · Score: 4, Funny

      Yeah, it should have been 'Informative'.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    6. Re:Note to Editors by AndersOSU · · Score: 3, Insightful

      Because it is self-defeating. If you clean up a computer, you no longer have access to a computer that would clean up other computers.

    7. Re:Note to Editors by smooth+wombat · · Score: 4, Funny
      But what will CmdrTaco do when he is NEVER allowed to come up with headlines?


      Work on the broken mod point distribution code?

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    8. Re:Note to Editors by qwijibo · · Score: 4, Interesting

      Because good has to be much more diligent, and that is orders of magnitude harder.

      When you're working for evil, you don't have to worry about collateral damage. If you cause one system out of 100 to stop working completely, or just have some incompatibility that makes it less useful to the user, you don't care. If they didn't want to be infected, they'd have better security. Propagating evil viruses, trojans and worms is easy because you can be careless and expect the rest of the world to reboot if you have a bug.

      This is also why large organizations have people to test that patches don't break the necessary functionality in their supported applications. If something breaks, they have to support it, so they make sure it's not going to come back to bite them. This takes a fair amount of time, people, and all of the supported configurations to ensure that things are safe. It's a real pain in the neck (or other body part) to do a good job at this.

      The most secure machine is one that is turned off, unplugged and locked in a room that has an armed security guard with standing orders to shoot everyone. That's not the computer usage model that any of the companies listed want to encourage. They want the user to be insecure to different degrees.

    9. Re:Note to Editors by bhmit1 · · Score: 4, Insightful

      Seriously, why couldn't some kind of "GOOD" botnet be created that does this? If the spammers can do it, why can't Microsoft, Yahoo, Google, AOL, Symantec or someone? A botnet that goes around and secures all these drone computers would save the connected world a lot of headaches.

      Because of liability and money. A large company won't do this because if they take control of your machine against your will through a security hole (and there's no other way they'd put a dent in the problem if people had to volunteer to have this installed) they are liable for any damage that does and open themselves up for trespassing lawsuits. Consider a patch that a company is not installing because it conflicts with business critical applications or because they are aware of an even bigger security hole it exposes.

      As for some hacker doing it, it's all about money, and maybe a little fame. Doing this puts you in a worse position than the airline ticket hacker. So anyone that exposes themselves to this kind of risk, does so for money. And right now, there's money to be made in cutting out the competition in terms of making your botnet bigger than theirs and less likely to be removed (users are less likely to notice just one bot).
    10. Re:Note to Editors by Chosen+Reject · · Score: 4, Insightful

      "And now we see that evil will always triumph, because good is dumb."

      --
      Stop Global Warming!
      Just say no to irreversible processes!
    11. Re:Note to Editors by HUADPE · · Score: 3, Informative
      Seriously, why couldn't some kind of "GOOD" botnet be created that does this? If the spammers can do it, why can't Microsoft, Yahoo, Google, AOL, Symantec or someone? A botnet that goes around and secures all these drone computers would save the connected world a lot of headaches.

      It's illegal. Botnets constitute several levels of fraud in that they a. install software without your consent; b. steal your bandwidth to copy themselves; and c. then use your computer to commit some other crime.

      c. would not be done by a "good" botnet, but a. and b. would. Even if all the hijacks came from a commercial server set up for it, a. would be violated. If you think click-through EULAs are invalid...just imagine the invalid-ness of a botnet install.

      --
      This sig has not been evaluated by the FDA. It is not designed to diagnose, treat, prevent, or cure any disease.
    12. Re:Note to Editors by ajs318 · · Score: 2, Informative

      Because regardless of your intentions, it would still run afoul of the Misuse of Computers Act 1990.

      --
      Je fume. Tu fumes. Nous fûmes!
    13. Re:Note to Editors by It'sYerMam · · Score: 3, Informative

      Hmm, I don't think this has been thought through properly. (regardless of the insightful mod) Just because you've patched up the security hole on the host computer doesn't mean you can't still send stuff out. And of course, it's less than trivial to build in a time delay before the bot patches security holes and terminates itself, during which time it infects as many PCs as it can - so if, by some mechanism, the way you got in is related to the way you're sending yourself out, it would still work.

      --
      im in ur .sig, writin ur memes.
    14. Re:Note to Editors by number1scatterbrain · · Score: 2, Funny

      I built a cluster, and the bots fucked it.

      --
      Remember the future...
    15. Re:Note to Editors by plover · · Score: 4, Interesting

      I'm not so sure about this. Why does good have to be diligent and honest? Why can't this be done by vigilante groups who are not officially sanctioned, but nobody complains about them?

      The internet is still pretty much wide open, with no single governing body. A vigilante group could operate out of any number of less-than-cooperative countries. And this vigilante group does NOT have to be 100% good or careful. These zombies exist because their owners don't know or care enough to keep their machines safe, and now they're out attacking the rest of us. I have about zero tolerance for dangerously ignorant people or their hardware when it's threatening mine.

      In medical terms, these zombies would be defined as malignant cancerous cells, and botnets as tumors. And to carry the medical analogy further, the treatment is to kill the rogue cells. We don't contact them, and ask "hey, Mr. Cancerous cell, you're hurting the rest of us, would you please stop?" No, we use chemo and radiation and surgery and remove and destroy the tumors so they don't spread further.

      I really don't see why a vigilante group can't send out "good-faith" efforts to patch bad machines. If those machines die as a result of a bad patch, well, perhaps it's because they deserved to die. I certainly wouldn't complain if someone started actively dismantling these networks.

      --
      John
    16. Re:Note to Editors by HAKdragon · · Score: 2, Funny

      You know, that's one of the things I really don't miss about running Windows...

      --
      "Our opponent is an alien starship packed with atomic bombs. We have a protractor."
    17. Re:Note to Editors by DarkDaimon · · Score: 2, Funny

      I thought Windows was a botnet!

    18. Re:Note to Editors by karmatic · · Score: 4, Interesting

      I certainly wouldn't complain if someone started actively dismantling these networks.

      Some of us try.

      A while ago, I got a spam message, trying to infect me and connect me to a botnet - the software was a hacked up mIRC client with some DLL plugins. The client would automatically open a second connection, connect to a random network and channel, and proceed to spam people with virus messages on join. ("Type //some evil command to get op!, etc.")

      After talking to the admins, we banned the owners (only certain nicknames were allowed to control the bots), and replaced them with an eggdrop that had the infected people download and install an automatic cleaner. Thousands of infected computers were cleaned overnight, and hundreds more over the next few weeks. Is it possible that the cleaner broke a machine or two in the process? Possible, but unlikely (would be most likely due to a variant of the bot). Oh well - it made the IRC servers I used a lot more useful.
    19. Re:Note to Editors by qwijibo · · Score: 2, Insightful

      Good has to be diligent and honest to be good. You can argue shades of gray, but that's just another way of saying degrees of evil.

      When you decide to be a vigilante group and dish out your style of justice for others' perceived sins, you are at best what Machiavelli describes astutely as "other than good."

      I'm a sysadmin, so if I were a juror and your "other than good" tactics landed you in court, I would not in good conscience be able to vote to convict you for trying to do something about these idiots. However, you should realize that good faith is not inherently good, and frequently creates the good intentions with which the road to hell is paved. If you're willing to live with possible consequences for your "other than good" tactics, I'm willing to look the other way. After all, the net harm would have to be less than the botnets are causing now.

    20. Re:Note to Editors by karmatic · · Score: 2, Informative

      Uhhh, not to be inflammatory and all, but who the fuck are you to take it upon yourself to install your own trojan?

      Well, that certainly sounds like you're trying to be inflammatory, but I'll bite.

      A trojan is a specific type of program that masquerades as one thing, but is in fact another. The original attack was most definitely a trojan. As such, I can only assume that either a) the owner of the machine didn't know about it, and has no desire for it to continue, or b) it's a botnet owner - I don't care about them anyway.

      The program that was sent to the client was very, very simple, and very limited. It looked for a running hidden mIRC.exe copy in a very specific hidden directory inside the windows directory. If found, it would terminate only that mIRC.exe, delete that specific hard-coded trojan-specific directory (no other legitimate program would be there), and remove the registry entry used to load it at startup.

      As for "how do you know"? Well, it was a simple small app, and a decompile would show what it did. Or, the source code could be taken and recompiled, and compared. The app had my name and email in it, for heaven's sake.

      As for the "YOU COMMITTED A CRIME" part - it would be interesting to see that argument in court. I connected to a publicly accessible chat server, with the consent (implied and explicit) of the owner of that server. I placed a program to connect to a chat room, and simply pasted a command containing a URL. Arguably, the trespass was already done, and there was plenty of evidence to indicate that it was done without the consent of the owner of the computer. If anything, my script would "un-do" the harm originally done - it would be difficult to convince a judge that the Mens Rea was present for Computer Trespass; given the rather limited scope and simplicity of the program, recklessness or negligence would be rather difficult to prove. Also, there was most certainly no intent to commit an act of Computer Trespass, further complicating a case against me.

      Besides, good luck getting that one past a jury of my peers. "Their computers were infected, and attacking other computers online. I cleaned them up, at no charge, and restored them to how they were before they were attacked." - you really think you could convince a jury of 12 to convict for that?
  2. So many Bender jokes. . . by smooth+wombat · · Score: 3, Funny

    so little time.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:So many Bender jokes. . . by Billosaur · · Score: 3, Funny

      The other thought that came to mind was "Autobots, attack!", but that's just me...

      --
      GetOuttaMySpace - The Anti-Social Network
  3. Funny 404 by gblackwo · · Score: 4, Funny

    Got a good couple of 404 errors from slashdot on this page before anyone had commented, I thought the bots had a foothold.

  4. "Botnet on Botnet Action" by circletimessquare · · Score: 2, Funny

    that is some strange evolution going on. it seems that some of the porn spam bots have learned how to spam slashdot with story title submissions

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  5. I can see it now... by Mockylock · · Score: 5, Funny

    In a dark area of Brooklyn, servers have a standoff wearing their bandanas, willing to die for their turf.

    "We are better with patches", says GlobalBot international server.

    InterSearchBot united server sneers, "PATCHES!?... WE DON' NEED NO STINKING PATCHES!"

    --
    "Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
  6. So Possibly... by QBasicer · · Score: 4, Insightful

    ...the botnet creators are trying to make their botnets more secure, and prevent other botnets from taking over the host? I'm not sure whether this is good or bad. The bad news is that it may be harder for them to detect and eliminate, but the good news is that it may keep down multiple infections?

    --
    x86, oh yes, I'm pro.
    1. Re:So Possibly... by plover · · Score: 5, Insightful

      I don't report zombies on Comcast addresses probing my home web server to Comcast because I'm afraid they'll just get all pissy about my running a web server. It's strictly a "personal use" server, and it doesn't see a megabyte of traffic a day, but you never know what's going to tweak the wrong person. I figure it's better to stay below the radar, keep the patches current, keep watching the logs and put up with the probes.

      --
      John
  7. Marching down the road of informational warfare by Anonymous Coward · · Score: 3, Informative

    This was predicted in the past, but here's one of the roadmaps:

    http://www.iwar.org.uk/iwar/resources/treatise-on-iw/iw.htm

    Quite a lot of reading, but it's not too bad. Seems like all that is happening is that the crooks are catching up with the research faster than the commercial people are.

  8. The fat years are over by Opportunist · · Score: 5, Interesting

    The time when there was still a market to grow into with botnets is over. The big surge of new, clueless morons filling the net is slowly coming to an end, and even the morons now start using firewalls and AV tools (still no brains, but hey, I'm already happy with small steps).

    So the maximum amount of machines to have is pretty much reached. Now the battle for the precious dimwits started. Well, it started some time ago, but we now get a lot of bot malware that actually tries to kick out the competition.

    What for, one may ask. Why the overhead? I mean, what's wrong with 2 competing botnetters controlling a computer?

    Bandwidth. You can only pump so much spam out of a machine with a given bandwidth. If two try that at the same time, they have to share. And sharing is not really a trait of a botnetter.

    So, let the games for the herd begin. If anyone's looking for me, I'm in the lobby getting popcorn.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:The fat years are over by Applekid · · Score: 5, Insightful

      There's a little more than just bandwidth. If your botnet can gain one extra machine, that's an advantage of +1. If your botnet can gain control of a machine belonging to a competing botnet and kick it off that one into yours, you gain one extra machine and remove one from your opponent for an advantage of +2.

      When it comes down to botnets being commissioned for Spam and DDoS attacks, the one with the most machines gets the highest bid, and the difference between that bid and the second best is likely directly related to how many computers make up the difference.

      There's a bit of an evolutionary war that's continuing. It's not enough to get your bot client installed. It's facing selection pressure from smarter users, better anti-virus/rootkit detection, firewalls making it harder to propagate, and more aggressive opponent bots.

      Sounds very similar to nature's natural selection.

      --
      More Twoson than Cupertino
    2. Re:The fat years are over by misleb · · Score: 3, Insightful

      There's a bit of an evolutionary war that's continuing. It's not enough to get your bot client installed. It's facing selection pressure from smarter users, better anti-virus/rootkit detection, firewalls making it harder to propagate, and more aggressive opponent bots.

      So if there is an intelligent designer behind the changes in the bots in response to selective pressure, is that evolution or intelligent design?

      -matthew
      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    3. Re:The fat years are over by plover · · Score: 2, Interesting

      And if you use your bot to retrieve a competing bot, you can reverse engineer your opponent's command and control structure. Why fight for one advantage at a time when you can 0wn his entire botnet? Game, set and match.

      --
      John
  9. Evolution by Shambly · · Score: 5, Insightful

    I think this one-upmanship is very good. Sure bots are bad but if we look at a virus they are now developing a symbiotic relationship with the hosts. How long until they become indispensable to the security unconscious consumer. Sorta like how bacteria evolved into helping the organism it inhabited. Very interesting to see where this will ultimately lead.

    1. Re:Evolution by Pollardito · · Score: 2

      for every bacterium that helps an organism, there are probably 2 or 3 that hurt them but this analogy is particularly weak because these computer viruses are only taking their beneficial steps to a certain point...they're not stopping themselves from ruining your PC. I'm not sure why you'd want a rooted computer that steals your bandwidth, your data, and ultimately your money just because it keeps other viruses from doing the same

    2. Re:Evolution by vivaoporto · · Score: 3, Informative

      I can tell you in advance, without charge, where this will lead. Just like a disease vector, these machines will continue to be used by the botnet masters to infect other machines, spread SPAM, steal the machine owner's personal data and, in general, obfuscate illegal activities.

      I don't know where people commenting on this article got the idea that having only one "infection" that doesn't totally destroy the machine is a good thing, even for the machine owner. Actually, it is much worse, because if people don't notice any different behavior they will not bother to fix the machine, even if they know about the infection. And at the end of the day, they will be the first to lose their money in some scam that they inadvertently helped to spread.

      People don't infect machines nowadays out of the evilness of their hearts, only to wreak havoc or for bragging rights, not anymore. Now they do it for profit, it is organized crime that is happening there. Have no illusions about it.

  10. Oblig by xBOISEx · · Score: 5, Funny

    "Begun, this bot war has"

  11. Botnet Gang Fights? by hcmtnbiker · · Score: 5, Funny

    *Cues West Side Story finger snapping*

    --
    If i had one dollar for every brain you dont have, i would have $1.
    1. Re:Botnet Gang Fights? by zippthorne · · Score: 2, Funny

      Yeah, 'cause nuthin' says "gang bangers" like a choreographed dance-fight to hip music...

      --
      Can you be Even More Awesome?!
  12. What I want to see is a Botnet that by gurps_npc · · Score: 2, Interesting

    hunts down pop-up advertisement programs and either destroys them or tags them (so that pop-up blockers will automatically shut them down).

    With all the punk 1eet programmers out there, you would think that someone would spend time writing this instead of silly viruses.

    I am tired of having pop-up advertisements beat my pop-up blocker.

    --
    excitingthingstodo.blogspot.com
  13. botnets evolve themselves out of business? by Maximum+Prophet · · Score: 4, Insightful

    If botnet A installs patches 1,2 & 3, and botnet B simultaneously installs patches 4, 5, & 6, could the target machines be completely immunized after the next reboot?

    --
    All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    1. Re:botnets evolve themselves out of business? by Yetihehe · · Score: 2, Informative

      Yes, but they still have those two botnets so they are not secure.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
  14. What's another word for pirate treasure? by spun · · Score: 2, Funny

    All I could think of when reading this headline was Buck Rogers in the 25th Century. Specifically the second season, when they introduced Twiki's robot girlfriend. You know, the one who said "bootybootybooty," instead of "bidibidibidi."

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  15. Re:Could someone explain the closing of ports? by dkf · · Score: 4, Informative

    Could someone explain why it is important that ports are closed?

    The only way to have a message received off the internet is to have a port open. Most ports on desktop computers are only opened to specific machines while you're uploading or downloading some data (whether web, email, or any of a myriad other things). But on server computers, ports have to be open for connections from client machines which are potentially anywhere. If the software behind those ports isn't careful, it's possible to attack the machine through them.

    Desktop systems are usually not as highly protected on the inside as server systems (alas) so having a firewall that blocks off server ports "Just In Case" is a good plan.

    (And yes, I've left out lots of detail from this potted explanation.)
    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
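  As an added example (not part of the thread above), here is the check a practitioner would run to act on that "Just In Case" advice: list the TCP listeners on a Linux box and flag the ones that are bound to every interface rather than to loopback, since only those are reachable from off-box and therefore worth firewalling or binding more tightly. It parses the /proc/net/tcp format (local address as little-endian hex IPv4, port as hex, state 0A meaning LISTEN); the sample table embedded below is constructed for illustration and the ports in it are arbitrary assumptions, not data from the page.

```python
"""Audit which TCP listeners are reachable from off-box.

Input format is that of /proc/net/tcp on Linux: one header line, then one
line per socket. The local address is a little-endian 32-bit hex IPv4
followed by a hex port; the 'st' column is a hex state byte (0A == LISTEN).
"""
import ipaddress

LISTEN = "0A"

# Constructed sample modelled on /proc/net/tcp (not captured from a real
# host). Rows: a MySQL-style service on loopback only, SSH and SMB-style
# services on all interfaces, one established (non-listening) connection,
# and a web service bound to a single non-loopback address, 10.0.2.15.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:B2C4 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
   4: 0F02000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12349 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hex_addr: str) -> tuple[ipaddress.IPv4Address, int]:
    """Turn '0100007F:0016' into (IPv4Address('127.0.0.1'), 22)."""
    host_hex, port_hex = hex_addr.split(":")
    # The kernel prints the address as a host-order uint32; on x86 that is
    # little-endian, so reverse the bytes to get network order.
    ip = ipaddress.IPv4Address(int(host_hex, 16).to_bytes(4, "little"))
    return ip, int(port_hex, 16)


def exposure(ip: ipaddress.IPv4Address) -> str:
    """Classify how far a listening socket can be reached."""
    if ip.is_loopback:
        return "loopback-only"
    if ip.is_unspecified:      # 0.0.0.0: every interface, now and in future
        return "all-interfaces"
    return "one-interface"


def parse_listeners(table: str) -> list[dict]:
    """Return every LISTEN socket in the table as a small record."""
    listeners = []
    for line in table.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listeners.append({
            "ip": str(ip),
            "port": port,
            "uid": int(fields[7]),
            "exposure": exposure(ip),
        })
    return listeners


def externally_reachable(table: str, allowlist=frozenset()) -> list[dict]:
    """Listeners an outside host could connect to, minus ports you mean to serve."""
    return [
        l for l in parse_listeners(table)
        if l["exposure"] != "loopback-only" and l["port"] not in allowlist
    ]


def drop_rules(table: str, allowlist=frozenset()) -> list[str]:
    """iptables lines that would close the unexpected external listeners."""
    return [
        f"iptables -A INPUT -p tcp --dport {l['port']} -j DROP"
        for l in externally_reachable(table, allowlist)
    ]


if __name__ == "__main__":
    # On a real Linux host, audit the live table; SSH is the only port
    # this example assumes you intend to expose.
    try:
        with open("/proc/net/tcp") as fh:
            live = fh.read()
    except OSError:
        live = SAMPLE_PROC_NET_TCP
    for rec in externally_reachable(live, allowlist={22}):
        print(f"{rec['ip']}:{rec['port']}  uid={rec['uid']}  {rec['exposure']}")
    for rule in drop_rules(live, allowlist={22}):
        print(rule)
```

Run it as root if you want the uid column to be meaningful for other users' sockets; /proc/net/tcp6 has the same layout with a 128-bit address and is left out here for brevity. The loopback-only listener is the one dkf's explanation describes as safe by construction: no firewall rule is needed for it because nothing off-box can reach it.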
  16. Re:This has been going on for years, by Opportunist · · Score: 2, Interesting

    Ain't that easy.

    Windows is the primary target simply because it has a market share of roughly 90% in the consumer area. You may safely assume that a business server is administered by someone who has at least half a clue and uses security features, no matter how lenient, so the consumer is the core target group for botnetters.

    Since most modern attack schemes rely not on system weaknesses but on user stupidity, this would work in every environment.

    What it really has to do with is users clicking on everything and allowing everything their (rarely but still sometimes existing) security tools ask them to allow.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  17. Unfortunately, this is not true by Mostly+a+lurker · · Score: 2, Interesting

    The use of AV, anti spyware and personal firewall products is increasingly ineffective in preventing infection. If these products are fully up to date, the good ones will currently stop about 80% of the malware thrown at them, and the situation is becoming worse. The trend towards broadband routers with embedded NAT firewalls helps, but infections through email attachments and visiting malicious websites are not going to decrease: they are going to continue to increase. As the botnets become oriented primarily towards identity theft, industrial espionage and other kinds of high profit operations, you are also going to see these nets become more stealthy and harder to detect. By next year, they are going to be prevalent in corporate networks and often present for long periods without detection.

    With profits already dwarfing that of the global drug business, there is every incentive for these tech savvy mafias to continue their heavy investment in improving their infrastructure. Most people in IT do not even yet realise the scope of the threat we are facing.

    1. Re:Unfortunately, this is not true by Opportunist · · Score: 2, Interesting

      What part of it is not true?

      Corporate networks are largely uninteresting. Few people store their personal information on their corporate machines, simply because it would be against their working contract in most places to use the machine for personal business. At best such networks would be interesting for their bandwidth, but they are usually a lot more closely monitored than private machines and nets.

      Yes, the stealthiness will increase. It already does. 2 years ago the average malware was an easily detectable process, now it is a thread in a running process and will evolve into a full blown rootkit in no time. I give us about 6 months tops before rootkits become a real problem. The trials are already out and running.

      AV tools are improving, too. But there is no replacement for brains and common sense. Unfortunately, a lot of machines are lacking in the user department. And what's worse, they're not upgradable.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Unfortunately, this is not true by Mostly+a+lurker · · Score: 2, Insightful

      The initial realization of the scale of the problem came from an FBI study last year. You can start with Malware Trends. However, it is important to note matters are deteriorating faster than anticipated when that article was written last year.

      You might also read Bumper crop of malware expected in 2007 which starts with Gartner's prediction that

      75% of all enterprises will become infected with undetected, financially motivated malware by the end of 2007.

      Unfortunately this is all too real and there are no quick fixes.
  18. Map? by andrewd18 · · Score: 3, Interesting

    What I'd like to see is a map of IP addresses, perhaps by provider, with the "turf" colored by type of infection. That would be awesome.

  19. There were worms that would target other worms.... by jthrelfall · · Score: 2, Informative

    For the folks discussing having 'good' botnets, does anyone remember the Nachi worm? Its purpose was to use the same Windows RPC DCOM vulnerability that Lovesan (an 'evil' worm) used. It would then kill the Lovesan processes and download the necessary patches from M$ to prevent further re-infection. It would then search out network segments for other machines to 'fix'. Nice in concept, but the amount of network traffic that this created when it was in search mode would overwhelm closet switches in a decent sized LAN environment (mind you, Lovesan did as well...). A company I was with had a branch office whose network manager was slow on patches. They got infected with both worms successively. While Nachi wiped out Lovesan (eventually), the office network was still useless until Nachi was cleaned off as well. Relying on autonomous software outside of your control to randomly secure machines is a bad idea.