Slashdot Mirror


FBI Releases Results of Operation Bot Roast

coondoggie writes to tell us that the FBI has released the findings of their recent botnet study and have identified over 1 million botnet crime victims. "The FBI is working with industry partners, including the Computer Emergency Response Team Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Microsoft and the Botnet Task Force have also helped out the FBI. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity, the FBI said in a statement. Bots are widely recognized as one of the top scourges of the industry. Gartner predicts that by year-end 75% of enterprises 'will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses.'"

12 of 189 comments

  1. Why not shut them down? by DamonHD · · Score: 4, Insightful

    I would have thought that a nice call from the FBI to the CxOs of the main appropriate ISPs and a selection of those users on the fastest connections (i.e. with the most capacity to be damaging) would have a salutary effect.

    And then a follow up with negligence-related charges for those who refused to give a f**k maybe?

    Rgds

    Damon

    --
    http://m.earth.org.uk/
  2. seems low by wizardforce · · Score: 2, Insightful
    1 million in botnets / [100 million?] in at least the US, so that works out to about 1% by crude estimation. So does anyone else think these numbers are a bit low? Especially since

    Google's Ghost in the Browser study looked at over 4.5 million Web pages, and found that 10% of them were capable of activating malicious codes and 16% were suspected to contain codes that might be a threat to computers.

    How many computer users don't patch/update their computers or use a very old version? How many of those wouldn't know if they were infected or have an infected computer as it is?
    --
    Sigs are too short to say anything truly profound so read the above post instead.
  3. And here come the phishers.... by HTH+NE1 · · Score: 4, Insightful

    Anyone else think this will start a new wave of phishing where botnet controllers send e-mail messages out forged as coming from FBI.gov to people telling them their machines are infected with bots (linking to the URL in parent) and that they need to install the program attached to the e-mail that is claimed to remove the offending software but in fact turns your machine into another zombie?

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  4. Re:Botnet by DragonWriter · · Score: 4, Insightful

    > Botnets were never a problem until Microsoft Windows became ubiquitous.

    Windows was ubiquitous long before botnets became a problem.

    Botnets became a problem as full-time internet access by unsophisticated home users became more ubiquitous, and Windows was the primary target because it was the main OS used by the targeted users. If there had been a Mac OS or Linux monoculture instead, people would have been tricked into installing malicious software on those platforms instead.
  5. Re:It's good to see the FBI getting a clue. by dedazo · · Score: 4, Insightful

    > This is a Windows problem and the relative risks should be published.

    I don't know what "the relative risks" means, but since none of my Windows machines are in a botnet, and there are millions and millions of them that are not, this is not a Windows problem. It's a basic user education problem. Windows may have more attack vectors than other OSes, but that doesn't mean they are not known or are impossible to avoid. Simple common sense goes a long way. People get infected with botware because they download things they shouldn't or don't bother to keep their machines up to date by turning on automatic updates so they don't have to worry about anything.

    If you think one chmod +x is an insurmountable obstacle to turning your shiny Linux or OS X box into a bot, remember that people get infected by executables in password-protected ZIP files and that all of the most massively distributed worms have required significant user intervention to propagate. Maybe one of these days you'll inherit 800 million completely clueless users, and maybe then you'll call it a "Linux problem"?

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  6. Think globally, act locally. by khasim · · Score: 3, Insightful

    > The problem is, there'll probably be too many jurisdictions involved.

    And ... ?

    There isn't any way to shut down all of the zombies. But our government CAN act to shut down the zombies here.

    > What happens when the controlling computer is in China, Russia, etc.? Even if you do get the foreign government to cooperate and the controlling ISP, how do you know when it ends?

    First off, there is NOTHING stopping our FBI from contacting law enforcement agencies in Russia or China. They may not help, but then again, they may help.

    Then, you track the traffic back from that machine. And from the next machine. And from the next machine.

    > How do you really know that computer isn't compromised and being controlled from elsewhere?

    Simple. The commands have to come from somewhere. You can monitor all inbound and outbound connections. That will tell you what machines that machine is communicating with. You just keep checking each of those to see whether the trail continues or ends.

    > And even if you do finally nail one guy running a botnet, how many others will take his place?

    A lot. So?

    Do we stop arresting criminals just because other criminals will perform the same crimes?

    > It's not like they'll be arresting guys day after day... this would take months or even years of investigation to properly prosecute a person.

    Not really. There's no reason why it would take more than a week. If the zombies are not receiving commands, then they're not sending spam or doing DDoS attacks. In which case, the problem is already solved.

    If they are receiving commands, then you've just gotten another link. Maybe more than one link.

    In the meantime, the ISPs are limiting the damage caused by those zombies.
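The trail-following procedure khasim describes (list the machines a zombie talks to, then check each of those to see whether the trail continues or ends), as an added example that is not part of the original thread and not the FBI's or anyone else's actual method. It assumes a log of outbound connection records (src, dst, port) of the kind an ISP or investigator could collect; the addresses, the log itself and the fan-in heuristic for picking the controller out of ordinary traffic are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample connection log: (src, dst, dst_port), meaning src opened a
# connection to dst. Addresses are invented documentation/private ranges.
SAMPLE_LOG = [
    ("10.0.0.5", "203.0.113.10", 6667),   # zombie -> shared controller (IRC)
    ("10.0.0.6", "203.0.113.10", 6667),   # second zombie -> same controller
    ("10.0.0.7", "203.0.113.10", 6667),   # third zombie -> same controller
    ("10.0.0.5", "198.51.100.20", 80),    # zombie -> ordinary web server (noise)
    ("203.0.113.10", "192.0.2.33", 22),   # controller -> stepping stone
    ("192.0.2.33", "192.0.2.77", 22),     # stepping stone -> operator's host
    ("192.0.2.77", "192.0.2.33", 22),     # operator also connects back (a loop)
]


def build_graph(log):
    """Return (out_edges, fan_in): the hosts each host connects to, and how
    many distinct hosts connect to each destination."""
    out_edges = defaultdict(set)
    sources_seen = defaultdict(set)
    for src, dst, _port in log:
        out_edges[src].add(dst)
        sources_seen[dst].add(src)
    fan_in = {dst: len(srcs) for dst, srcs in sources_seen.items()}
    return out_edges, fan_in


def trace_controllers(log, zombie, min_fan_in=2):
    """Follow the trail of connections upstream from a known zombie.

    Returns (trail, ends): the hosts in the order they were reached, and the
    hosts at which the trail ends because nothing unvisited lies beyond them.
    The first hop keeps only peers that several hosts contact (a shared
    controller), which drops a web server the zombie merely browsed. Later
    hops follow every unvisited outbound peer; the visited set stops loops
    such as two hosts that connect to each other.
    """
    out_edges, fan_in = build_graph(log)
    first_hops = sorted(d for d in out_edges[zombie] if fan_in.get(d, 0) >= min_fan_in)
    visited = {zombie}
    trail, ends = [], []
    queue = deque(first_hops)
    while queue:
        host = queue.popleft()
        if host in visited:
            continue
        visited.add(host)
        trail.append(host)
        next_hops = sorted(d for d in out_edges[host] if d not in visited)
        if not next_hops:
            ends.append(host)  # the trail ends here: no further link in the log
        queue.extend(next_hops)
    return trail, ends


if __name__ == "__main__":
    trail, ends = trace_controllers(SAMPLE_LOG, "10.0.0.5")
    print("trail:", " -> ".join(trail))  # 203.0.113.10 -> 192.0.2.33 -> 192.0.2.77
    print("trail ends at:", ends)        # ['192.0.2.77']
```

The fan-in filter stands in for whatever an investigator really uses to tell a command channel from ordinary traffic (timing, session direction, payload); with only a connection log it is the cheapest signal, because many zombies share one controller while each browses its own web sites. If a zombie's outbound peers all fall below the threshold, the function returns an empty trail, which is the "zombies not receiving commands" case khasim mentions.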
    1. Re:Think globally, act locally. by Knara · · Score: 2, Insightful

      > Not really. There's no reason why it would take more than a week.

      Doesn't seem like you are all that familiar with the realities of red tape and bureaucracy, not to mention cost-benefit ratio for something like that.
  7. Problem between keyboard and chair by athloi · · Score: 2, Insightful

    While I am fond of the users I support, I find it takes a lot of education to get them to stop falling for the most common scams: funny email attachments, phishing, and phone calls asking for their credit card numbers. They're not stupid people. They're just a little clueless and disconnected from a world that, quite frankly, bores and intimidates them.

    I would like to suggest that, whatever operating system we put on the desktop for the average person, there be some initiative to educate them in best practices computing, even if only for the 4-10 common tasks (email, websurfing, games, mp3s, pr0n, quicken, word processing) they will use. I volunteer to design and write the curriculum if there's some rational initiative to get it out there to the human herd.

  8. They didn't say that's *all* the zombies by billstewart · · Score: 2, Insightful
    They said they'd found a million of the things - they weren't claiming to have caught all the zombies in the country or world. It's a good start, especially if they can get them cleaned up and watch for attempts at re-infecting them. It may be the low-hanging fruit, and they busted a couple of the zombie operators, which is good.


    Of course, busting the operators also means there'll be some thousands of zombies out there who are waiting for Master to tell them what to do next, and some of them may get exploited by other people. But it's still a good start.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  9. Re:Botnet by Skrynesaver · · Score: 2, Insightful

    Unix and Linux machines may not be as plentiful; they are, however, high-net-worth targets. Granted, CS students run Linux on a home-made box in their bedroom; however, large institutions run Unix and Linux on their servers and store data of real value on them. The reason Windows boxes are targeted is that they are the low-hanging fruit, relatively easy pickings.

    --
    "Linux is for noobs"-The new MS fud strategy
  10. Who are you? by Anonymous Coward · · Score: 1, Insightful

    Does Microsoft pay you to discredit free software and open source?

  11. Re:Or another approach. by plover · · Score: 2, Insightful
    > The problem with this approach is it's borderline vigilantism.

    I'd love it if ISPs would set snares for bot-infested computers, and technologically it's not hard: nobody at home-66-99-11-22.comcast.net should ever be forwarding packets from any external networks, let alone a hundred random networks a second. And some ISPs do trap that traffic and block it. But apart from DDoS attacks, what distinguishes "legitimate" from "illegitimate" traffic? Connecting on odd ports to distant machines? That's how the internet works!

    So the ISPs can identify them. Botnet investigators can identify some of them, too. But the computer still belongs to the owner. Neither the ISP nor the botnet investigators nor the FBI have the right to "hack into" the machine to try to fix it -- even if it would be best for everyone, even if the owner would appreciate the effort, they can't touch it unless they have explicit permission from the owner. Otherwise they're violating the law just as much as the original infector. So they will have to go to the machine owners, one at a time, and ask them to clean them up. With a million machines, and a million clueless users, that's a lot of work.

    I think it would be easier to have the ISPs examine their terms of service, then reroute all traffic from any bot-infested address to termsofservice.random-isp.com and wait for their owners to complain to their ISP. Have the ISP tell the owners "Your computer is violating your Terms of Service agreement. You must fix it before we will reconnect you to the internet. If you need help, " ... blah blah blah. It would be a lot easier to contact a thousand ISPs than a million clueless users, and the ISPs would probably be more willing and able to help than the users.

    This solves the problems of distributing fixes AND the legal issues. You have no constitutional right to connect to the internet, and most contracts for ISP service include stipulations against operating malicious software, which gives the ISPs the right to disconnect you for violating their TOS. It'd still be a pain in the butt, but at least it would be a manageable pain in the butt.

    --
    John
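The two ISP-side tells plover describes (a residential line emitting packets whose source address belongs to some other network, and a line hitting many distinct networks in a second), as an added example that is not part of the original thread and not any ISP's actual code. It deliberately looks at neither ports nor destinations, since, as the comment says, odd ports to distant machines are how the internet works. The packet records, the addresses, the one-second bucket and the fan-out threshold are all constructed assumptions; the list the last function returns is what would feed the Terms-of-Service redirect the comment proposes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of packets sampled on residential lines:
# (time_s, line_ip, src_ip, dst_ip). line_ip is the address the ISP assigned
# to the line the packet arrived on; src_ip is the source address the packet
# itself carries. All addresses are documentation/private ranges, invented here.
SAMPLE_PACKETS = [
    # 192.0.2.22: ordinary browsing from its own address, a few destinations
    (0, "192.0.2.22", "192.0.2.22", "198.51.100.10"),
    (0, "192.0.2.22", "192.0.2.22", "198.51.100.11"),
    (1, "192.0.2.22", "192.0.2.22", "203.0.113.5"),
    # 192.0.2.23: emits packets claiming source addresses it was never assigned
    (0, "192.0.2.23", "198.51.100.77", "203.0.113.9"),
    (0, "192.0.2.23", "203.0.113.200", "203.0.113.9"),
    # 192.0.2.24: its own address, but 40 different /24 networks in one second
] + [(2, "192.0.2.24", "192.0.2.24", f"10.{i}.0.1") for i in range(1, 41)]


def suspicious_lines(packets, assigned=None, max_nets_per_second=20):
    """Return {line_ip: [reasons]} for lines whose traffic looks bot-driven.

    assigned maps a line address to the prefix delegated to it (customers
    with more than one address); a line not listed is assumed to own only
    its own /32. Ports and destination identities are not inspected at all.
    """
    assigned = assigned or {}
    reasons = defaultdict(set)
    nets_per_second = defaultdict(set)  # (line_ip, second) -> distinct dst /24s
    for t, line_ip, src_ip, dst_ip in packets:
        allowed = ipaddress.ip_network(assigned.get(line_ip, f"{line_ip}/32"))
        if ipaddress.ip_address(src_ip) not in allowed:
            # Nothing behind a residential line should originate packets from
            # another network's address space: it is forwarding or forging them.
            reasons[line_ip].add("foreign source address")
        dst_net = ipaddress.ip_network(f"{dst_ip}/24", strict=False)
        nets_per_second[(line_ip, int(t))].add(dst_net)
    for (line_ip, _second), nets in nets_per_second.items():
        if len(nets) > max_nets_per_second:
            reasons[line_ip].add("excessive destination fan-out")
    return {ip: sorted(r) for ip, r in reasons.items()}


def quarantine_candidates(packets, **kwargs):
    """Line addresses an ISP would route to its Terms-of-Service page."""
    return sorted(suspicious_lines(packets, **kwargs))


if __name__ == "__main__":
    for line_ip, why in sorted(suspicious_lines(SAMPLE_PACKETS).items()):
        print(line_ip, "->", ", ".join(why))
    print("quarantine:", quarantine_candidates(SAMPLE_PACKETS))
```

The foreign-source check is the one that needs no threshold: a single-address line has exactly one legitimate source address, so a single packet with any other one is already a fact about the line, not a guess. The fan-out check is the soft one, and the threshold has to be tuned per ISP against what real customers do (peer-to-peer clients, for instance, legitimately reach many networks), which is the "what is legitimate?" problem the comment raises.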