Slashdot Mirror


FBI Releases Results of Operation Bot Roast

coondoggie writes to tell us that the FBI has released the findings of their recent botnet study and have identified over 1 million botnet crime victims. "The FBI is working with industry partners, including the Computer Emergency Response Team Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Microsoft and the Botnet Task Force have also helped out the FBI. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity, the FBI said in a statement. Bots are widely recognized as one of the top scourges of the industry. Gartner predicts that by year-end 75% of enterprises 'will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses.'"

38 of 189 comments

  1. Skip the spammy site by Anonymous Coward · · Score: 5, Informative
    1. Re:Skip the spammy site by easyTree · · Score: 2, Funny

      The majority of victims are not even aware that their computer has been compromised or their personal information exploited,
      Indeedy, I seem to recall, a while back, 'hearing' of someone running an xdcc server on an fbi box..
  2. If it wasn't for spam and advertisers.. by QuantumG · · Score: 3, Interesting

    There would be an RFC for getting an email address for an ip address and it wouldn't take an expert to figure out how to contact the right person when you see a machine doing something it shouldn't.

    --
    How we know is more important than what we know.
  3. Why not shut them down? by DamonHD · · Score: 4, Insightful

    I would have thought that a nice call from the FBI to the CxOs of the main appropriate ISPs and a selection of those users on the fastest connections (ie with the most capacity to be damaging) would have a salutary effect.

    And then a follow up with negligence-related charges for those who refused to give a f**k maybe?

    Rgds

    Damon

    --
    http://m.earth.org.uk/
    1. Re:Why not shut them down? by Dare nMc · · Score: 2, Informative

      direct all web traffic to a page with information on how the customer can clean his machine

      direct them to a site that they are now blocked from reaching, hmmm.
      I know you would un-block that 1 site, but then hackers patch to block that 1 patch...

      One got past our firewall also (email attachment actually). The ISP (Qwest) sent us an automated warning letter that we were about to get kicked; I did have it fixed before the letter was received. Imagine how difficult for an admin to track while all traffic is blocked, so the bot is hibernating. Since the blocking could easily cause much greater financial harm (assuming the most valuable of assets hasn't been compromised).

      Such as our case, it was a PC with internet access, but not VPN access to anything too important. It would have severed our VOIP to the main offices, and hampered my research into multiple options to fix the issue. Not to mention how many projects missing data would be put on hold. In my case I first got all the virus definitions up to date (also a laptop with its first day on the network in several months.) So it would be impolite to block norton, mcafee, what about clamwin, etc, etc? When I am not in office everything is remote admin from offsite (kill that also?)

      so the first time our ISP shutdown our traffic due to a burst of virus like traffic we would be ISP shopping.

  4. seems low by wizardforce · · Score: 2, Insightful
    1 million in botnets/[100 million?] in at least the US, so that works out to about 1% by crude estimation. So does anyone else think these numbers are a bit low? Especially since

    Google's Ghost in the Browser study looked at over 4.5 million Web pages, and found that 10% of them were capable of activating malicious codes and 16% were suspected to contain codes that might be a threat to computers.

    how many computer users don't patch/update their computers or use a very old version? how many of those wouldn't know if they were infected or have an infected computer as it is?
    --
    Sigs are too short to say anything truly profound so read the above post instead.
    1. Re:seems low by sdnoob · · Score: 2, Interesting

      "over 1 million botnet crime victims."

      only 1 million victims?? i do believe there are far more than 1 million addresses in these scumbags mailing lists. *everyone* who's gotten spam out of one of these botnets is (also) a victim... not just the poor saps who got winjacked(tm).

  5. And here come the phishers.... by HTH NE1 · · Score: 4, Insightful

    Anyone else think this will start a new wave of phishing where botnet controllers send e-mail messages out forged as coming from FBI.gov to people telling them their machines are infected with bots (linking to the URL in parent) and that they need to install the program attached to the e-mail that is claimed to remove the offending software but in fact turns your machine into another zombie?

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:And here come the phishers.... by yuna49 · · Score: 4, Informative

      It wouldn't get too far in our mail system. We don't accept mail with From addresses in fbi.gov or irs.gov unless they originate on those agencies own servers. Mail coming from a server in rr.com claiming to be "From: fixyourcomputer@fbi.gov" is going to be dropped on the floor.

      There have already been tons of viral messages from these two domains over the past few years. One of the big Windows worms ("Slammer," if I recall correctly) was often mailed out with an fbi.gov From address. Forging irs.gov messages is common among phishers.
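      The origin-based rule yuna49 describes, as an added example written for this thread and not the poster's actual mail configuration; the agency networks are constructed placeholders from the RFC 5737 documentation ranges, not the agencies' real servers.

```python
"""Refuse mail whose From address claims a protected domain (fbi.gov, irs.gov)
unless the connecting server sits in that agency's own address space."""
import ipaddress
from email.utils import parseaddr

# Constructed allow-list: protected domain -> networks allowed to send for it.
# A real deployment would populate this from the agencies' published SPF/MX data.
PROTECTED_SENDERS = {
    "fbi.gov": [ipaddress.ip_network("192.0.2.0/24")],
    "irs.gov": [ipaddress.ip_network("198.51.100.0/24")],
}


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header, or None.
    parseaddr strips the display name, so 'FBI <bot@rr.com>' yields rr.com:
    a display-name-only spoof is NOT caught by this rule."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def protected_domain_for(domain):
    """Match the domain itself or any subdomain (mail.irs.gov) to a protected entry."""
    for protected in PROTECTED_SENDERS:
        if domain == protected or domain.endswith("." + protected):
            return protected
    return None


def accept_message(client_ip, from_header):
    """Decide at SMTP time whether to accept the message.
    client_ip is the address of the connecting server. Returns (accepted, reason)."""
    domain = sender_domain(from_header)
    if domain is None:
        return False, "unparseable From address"
    protected = protected_domain_for(domain)
    if protected is None:
        return True, "domain not protected"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in PROTECTED_SENDERS[protected]):
        return True, f"origin inside {protected} address space"
    return False, f"{domain} From address from non-{protected} server {client_ip}"


if __name__ == "__main__":
    # Constructed: a cable-modem host (203.0.113.5) claiming to be the FBI.
    print(accept_message("203.0.113.5", "fixyourcomputer@fbi.gov"))
    print(accept_message("192.0.2.10", "Press Office <press@fbi.gov>"))
```

      The last comment in sender_domain is the caveat that matters in practice: the rule stops forged From domains, not a forged display name in front of a throwaway address.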

    2. Re:And here come the phishers.... by bob_herrick · · Score: 4, Informative
      FTFA

      The FBI will not contact you online and request your personal information so be wary of fraud schemes that request this type of information, especially via unsolicited emails. To report fraudulent activity or financial scams, contact the nearest FBI office or police department, and file a complaint online with the Internet Crime Complaint Center, www.ic3.gov.
  6. Solution by LoyalOpposition · · Score: 4, Funny

    Dear Computer Owner,

                Your computer has been determined to be infected by a malicious program that gives control to another person. Please double-click on the link to find out how to get your computer disinfected.

    FBI

    No. Really.

    --
    I aim to misbehave.
    1. Re:Solution by Novotny · · Score: 5, Funny

      Where's the link? How can I click it if there's no link?

    2. Re:Solution by trolltalk.com · · Score: 2, Funny

      "Gartner predicts that by year-end 75% of enterprises 'will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses.'"

      Dear computer owner:

      The computer industry has been determined to be infected by malicious 'analysts' who make a living out of regurgitating the same old news every year. God forbid they actually do something constructive for a change.

    3. Re:Solution by mr100percent · · Score: 2, Interesting

      This brings up a serious question, what would the FBI recommend to disinfect the machines? AdAware? Windows Defender? Norton?

  7. That's easy to do. by khasim · · Score: 2

    Every IP address belongs to a block that has been assigned to some ISP.

    Simply find the block containing that IP address and then find the ISP controlling that block.

    Now, whether the ISP is going to spend any time (time == money) on dealing with the problem is the next issue.

  8. "Victims" ? by Anonymous Coward · · Score: 2, Interesting

    Is the victim the person whose computer is serving spam, or the person whose computer is receiving spam?

    Who is the real victim here?

  9. Re:Anyone else? by Anonymous Coward · · Score: 2, Funny

    chirp

  10. Re:Botnet by Pojut · · Score: 3, Interesting

    Wrong, wrong, and wrong. Get your blind hatred out of the way for a second, and you might realize that there are more than just windows boxes hooked up to the tubes.

    All the windows boxes disappear, so the bot-lovers would start targeting linux and OSX.

    Don't think that just because there isn't a very active threat against those platforms doesn't mean that one isn't possible.

  11. Yes, and never forget Gartner predicted... by dpbsmith · · Score: 3, Interesting

    ...that OS/2 would be the dominant operating system by, IIRC, 1993 or thereabouts.

    I just did some Googling on things like "bad Gartner predictions" and "missed Gartner predictions" or '"Gartner predictions" scorecard' hoping that someone had tried to keep tabs on them, but found to my disappointment virtually no relevant hits. Everyone discusses them in the months after they're released, nobody seems to check back even as recently as a year.

    Of course, with predictions like these for 2002... "During 2002, leading-edge businesses will exploit application integration to generate business innovation...." how the heck would anyone ever figure out whether or not it was fulfilled?

    I can't believe people pay Gartner for this stuff.

  12. Re:Botnet by DragonWriter · · Score: 4, Insightful

    Botnets were never a problem until Microsoft Windows became ubiquitous.
    Windows was ubiquitous long before botnets became a problem.

    Botnets became a problem as full-time internet access by unsophisticated home users became more ubiquitous, and Windows was the primary target because it was the main OS used by the targeted users. If there had been a Mac OS or Linux monoculture instead, people would have been tricked into installing malicious software on those platforms instead.
  13. It's good to see the FBI getting a clue. by twitter · · Score: 2, Interesting

    That they are looking into the problem is a good start. Gmen reading are advised to consult with the Honeynet Project and regard vector vendor "help" with suspicion. It would also be nice to see them call a spade a spade and abandon the false OS neutrality that keeps them from doing so. This is a Windows problem and the relative risks should be published. Otherwise they are lying to us and keeping information we can all use locked away. Most importantly, though, they need to clean their own house.

    --

    Friends don't help friends install M$ junk.

    1. Re:It's good to see the FBI getting a clue. by dedazo · · Score: 4, Insightful

      This is a Windows problem and the relative risks should be published.

      I don't know what "the relative risks" means, but since none of my Windows machines are in a botnet, and there are millions and millions of them that are not, this is not a Windows problem. It's a basic user education problem. Windows may have more attack vectors than other OSes, but that doesn't mean they are not known or are impossible to avoid. Simple common sense goes a long way. People get infected with botware because they download things they shouldn't or don't bother to keep their machines up to date by turning on automatic updates so they don't have to worry about anything.

      If you think one chmod +x is an insurmountable obstacle to turning your shiny Linux or OS X box into a bot, remember that people get infected by executables in password protected ZIP files and that all of the most massively distributed worms have all required significant user intervention to propagate. Maybe one of these days you'll inherit 800 million completely clueless users, and maybe then you'll call it a "Linux problem"?

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  14. Think globally, act locally. by khasim · · Score: 3, Insightful

    The problem is, there'll probably be too many jurisdictions involved.

    And ... ?

    There isn't any way to shut down all of the zombies. But our government CAN act to shut down the zombies here.

    What happens when the controlling computer is in China, Russia, etc. Even if you do get the foreign government to cooperate and the controlling ISP, how do you know when it ends?

    First off, there is NOTHING stopping our FBI from contacting law enforcement agencies in Russia or China. They may not help, but then again, they may help.

    Then, you track the traffic back from that machine. And from the next machine. And from the next machine.

    How do you really know that computer isn't compromised and being controlled from elsewhere.

    Simple. The commands have to come from somewhere. You can monitor all inbound and outbound connections. That will tell you what machines that machine is communicating with. You just keep checking each of those to see whether the trail continues or ends.

    And even if you do finally nail one guy running a botnet, how many others will take his place?

    A lot. So?

    Do we stop arresting criminals just because other criminals will perform the same crimes?

    It's not like they'll be arresting guys day after day... this would take months or even years of investigation to properly prosecute a person.

    Not really. There's no reason why it would take more than a week. If the zombies are not receiving commands, then they're not sending spam or doing DDoS attacks. In which case, the problem is already solved.

    If they are receiving commands, then you've just gotten another link. Maybe more than one link.

    In the meantime, the ISPs are limiting the damage caused by those zombies.
    1. Re:Think globally, act locally. by Knara · · Score: 2, Insightful

      Not really. There's no reason why it would take more than a week.

      Doesn't seem like you are all that familiar with the realities of red tape and bureaucracy, not to mention cost-benefit ratio for something like that.
  15. Problem between keyboard and chair by athloi · · Score: 2, Insightful

    While I am fond of the users I support, I find it takes a lot of education to get them to stop falling for the most common scams: funny email attachments, phishing, and phone calls asking for their credit card numbers. They're not stupid people. They're just a little clueless and disconnected from a world that, quite frankly, bores and intimidates them.

    I would like to suggest that, whatever operating system we put on the desktop for the average person, there be some initiative to educate them in best practices computing, even if only for the 4-10 common tasks (email, websurfing, games, mp3s, pr0n, quicken, word processing) they will use. I volunteer to design and write the curriculum if there's some rational initiative to get it out there to the human herd.

  16. My conspiracy theory by A nonymous Coward · · Score: 4, Interesting

    A. Everyone "knows" that the NSA is doing its utmost to listen to all internet traffic.

    B. It would do the NSA no good to listen to everything without filtering out the 99.999% which is irrelevant. Ergo, they must have pattern filters.

    C. Botnets must be a big part of the filtered traffic.

    D. NSA must be aware of botnets, their patterns, their control channels, their zombie elements.

    E. Yet botnets continue.

    F. The NSA must want them to continue unmolested.

    The NSA knows how botnets work, and could hijack them at any time. The only reason to do so is to keep them in reserve for their own use.

    I suggest the NSA would hijack botnets for counterattack if the US nets were attacked by another country.

    That's my conspiracy theory, I hope you like it.

  17. I thought I knew what I was doing too by elrous0 · · Score: 4, Interesting
    I thought of myself as an expert until a few months ago. I have good antivirus/malware software, only use Firefox, never do stupid things like opening attachments with executable extensions, etc. Hell, I even have a wired network in my house to protect against wardrivers.

    Then a few months back I get word from my credit card company that someone had hacked into my account online (using my username and password), changed my billing address to someplace in NJ, then proceeded to try to charge a bunch of stuff on the account (luckily the CC company caught on to them and locked it down). I couldn't figure out how they did it.

    Then a few months after that, I started to notice my computer acting strange. My router would be showing HEAVY activity even when I wasn't doing anything and Windows wasn't downloading updates. Eventually, I realized that someone must have botted my computer (still don't know exactly what they were up to, but I'm sure it involved sending out letters from an innocent Nigerian official just wanting people to help him transfer some money). That's how they got my account info for my credit card.

    Anyway. I wiped the whole system clean (even tried out Linux for a while, but didn't care for it) and now the problem is gone. But it still makes me nervous as Hell. What drives me crazy is that I can't figure out how they did it. But, as a hacker friend once said: If it's on a network, it can be hacked--period.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:I thought I knew what I was doing too by PitaBred · · Score: 5, Funny

      Oohh, oooh, analogy time!

      "I accidentally got my girlfriend pregnant by pulling out too late. After giving the kid up for adoption, we tried using a condom, but I didn't care for it, so now I'm back to pulling out, and hoping she doesn't get pregnant, because I really don't know what happened the first time."

  18. Re:Botnet by secPM_MS · · Score: 2, Interesting
    This is not a MS specific issue. An attacker can run a perfectly good botnet from a user-level compromise of an internet facing application. You don't need a system compromise. Given the difficulty of writing secure browsers and the ease with which a significant fraction of the public can be induced to click on links, there will always be a vast number of user-level compromises available. Look at the patch data for browsers, let alone OS's. Apple has been having to do more security patches than MS.

    Due to its ubiquity, MS is attacked much more than other systems, but the assumption that other systems are by default more secure is a statement of belief, not fact. How is your system configured? It makes a big difference. MS systems can be configured for many different security environments. The locked down deployments are very secure (their intended usage is Department of Defense deployments, etc). Wide open rich functionality client deployments are more functional, but less secure. The same tradeoffs exist in the Linux and BSD worlds. The current CERT and related vulnerability databases do not show that the *nix world has a clear superiority over current comparable Windows products.

    Web 2.0 is all but identical to cross-site scripting as a feature. The vulnerabilities here are so pervasive that users have virtually no way of protecting themselves if they want to have the rich web-based functionality. This is not MS specific.

  19. Are They Allowed To Do This? by Bob9113 · · Score: 4, Funny

    Is the FBI allowed to do this? Did they get special dispensation from the RIAA and MPAA to work on a project that appears to be completely unrelated to copyright infringement?

  20. Re:Or another approach. by yuna49 · · Score: 2, Informative

    The problem is, there'll probably be too many jurisdictions involved. What happens when the controlling computer is in China, Russia, etc.

    Did you read the article? The three people cited as running massive botnets all lived in the United States.

    From the FBI press release cited above: "To date, the following subjects have been charged or arrested in this operation with computer fraud and abuse in violation of Title 18 USC 1030, including:

    • James C. Brewer of Arlington, Texas, is alleged to have operated a botnet that infected Chicago area hospitals. This botnet infected tens of thousands of computers worldwide. (FBI Chicago);
    • Jason Michael Downey of Covington, Kentucky, is charged with an Information [sic] with using botnets to send a high volume of traffic to intended recipients to cause damage by impairing the availability of such systems. (FBI Detroit); and
    • Robert Alan Soloway of Seattle, Washington, is alleged to have used a large botnet network and spammed tens of millions of unsolicited email messages to advertise his website from which he offered services and products. (FBI Seattle)"

    I don't disagree that the global nature of the Internet makes investigation and prosecution of such actions difficult. But there are probably enough botnet operators here in the States to keep the FBI busy for some time to come.

  21. Not Sure what's Worse by MrCopilot · · Score: 3, Funny

    Finding out that my PC has been Zombified, Or the FBi informing me they found my PC zombified.

    --
    OSGGFG - Open Source Gamers Guide to Free Games
  22. They didn't say that's *all* the zombies by billstewart · · Score: 2, Insightful
    They said they'd found a million of the things - they weren't claiming to have caught all the zombies in the country or world. It's a good start, especially if they can get them cleaned up and watch for attempts at re-infecting them. It may be the low-hanging fruit, and they busted a couple of the zombie operators, which is good.
    Of course, busting the operators also means there'll be some thousands of zombies out there who are waiting for Master to tell them what to do next, and some of them may get exploited by other people. But it's still a good start.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  23. Re:Botnet by Skrynesaver · · Score: 2, Insightful

    Unix and Linux machines may not be as plentiful; they are, however, high net worth targets. Granted, CS students run Linux on a home-made box in their bedroom, however large institutions run Unix and Linux on their servers and store data of real value on them. The reason windows boxes are targeted is that they are the low hanging fruit, relatively easy pickings.

    --
    "Linux is for noobs"-The new MS fud strategy
  24. Re:Linux bots, seldom seen. by Macthorpe · · Score: 2, Interesting
    No, actually, a 'reasonable person' wouldn't conclude that when the article actually states:

    Q8 Bots
    Q8bot is a very small bot, consisting of only 926 lines of C-code. And it has one additional noteworthiness: It's written for Unix/Linux systems. It implements all common features of a bot: Dynamic updating via HTTP-downloads, various DDoS-attacks (e.g. SYN-flood and UDP-flood), execution of arbitrary commands, and many more. In the version we have captured, spreaders are missing. But presumably versions of this bot exist which also include spreaders.
    Emphasis mine.

    So these 'reasonable people' who know far more about computer security than you ever will actually assume the exact opposite of what you do. Nice try at misrepresenting the linked document though, you almost got me there.

    A paranoid person will wonder if M$ has not honeynetted honeynet themselves with bogus infected GNU/Linux machines. No, not even paranoia stretches that far.

    Irritating Windoze defender

    If that's a label that I apparently have to assume to tell the truth around here, then I'll take it with gusto.
    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
  25. Re:Or another approach. by plover · · Score: 2, Insightful
    The problem with this approach is it's borderline vigilantism.

    I'd love it if ISPs would set snares for bot-infested computers, and technologically it's not hard: nobody at home-66-99-11-22.comcast.net should ever be forwarding packets from any external networks, let alone a hundred random networks a second. And some ISPs do trap that traffic and block it. But apart from DDoS attacks, what constitutes "legitimate" from "illegitimate" traffic? Connecting on odd ports to distant machines? That's how the internet works!

    So the ISPs can identify them. Botnet investigators can identify some of them, too. But the computer still belongs to the owner. Neither the ISP nor the botnet investigators nor the FBI have the right to "hack into" the machine to try to fix it -- even if it would be best for everyone, even if the owner would appreciate the effort, they can't touch it unless they have explicit permission from the owner. Otherwise they're violating the law just as much as the original infector. So they will have to go to the machine owners, one at a time, and ask them to clean them up. With a million machines, and a million clueless users, that's a lot of work.

    I think it would be easier to have the ISPs examine their terms of service, then reroute all traffic from any bot-infested address to termsofservice.random-isp.com and wait for their owners to complain to their ISP. Have the ISP tell the owners "Your computer is violating your Terms of Service agreement. You must fix it before we will reconnect you to the internet. If you need help, " ... blah blah blah. It would be a lot easier to contact a thousand ISPs than a million clueless users, and the ISPs would probably be more willing and able to help than the users.

    This solves the problems of distributing fixes AND the legal issues. You have no constitutional right to connect to the internet, and most contracts for ISP service include stipulations against operating malicious software, which gives the ISPs the right to disconnect you for violating their TOS. It'd still be a pain in the butt, but at least it would be a manageable pain in the butt.

    --
    John
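    The snare plover describes, as an added example written for this thread and not any ISP's actual filter: a residential access port should never hand the ISP packets sourced from addresses outside the prefix assigned to that customer, let alone from many outside networks per second. The port-to-prefix map and the flow records are constructed from RFC 5737 documentation ranges.

```python
"""Flag access ports that emit packets from many foreign source networks per second."""
import ipaddress
from collections import defaultdict

# Constructed: the prefix assigned to each customer access port
# (the only source addresses that port may legitimately emit).
ASSIGNED = {
    "port-1": ipaddress.ip_network("203.0.113.0/29"),
    "port-2": ipaddress.ip_network("203.0.113.8/29"),
}

# Constructed flow samples: (second, port, source address seen on the port).
FLOWS = [
    (0, "port-1", "203.0.113.2"),      # normal customer traffic
    (0, "port-2", "203.0.113.9"),
    (1, "port-1", "203.0.113.3"),
    (1, "port-2", "198.51.100.7"),     # port-2 emitting foreign source addresses
    (1, "port-2", "198.51.100.200"),   # same /24 as the previous one
    (1, "port-2", "192.0.2.44"),
    (1, "port-2", "203.0.113.200"),    # ISP's own pool, but another customer's block
    (2, "port-2", "203.0.113.10"),     # back inside its own prefix
    (2, "port-1", "192.0.2.1"),        # one stray packet from port-1
]


def is_spoofed(port, src_ip):
    """True when the source lies outside the port's assigned prefix.
    An unknown port fails closed (treated as spoofed) so a mapping gap is noticed."""
    prefix = ASSIGNED.get(port)
    return prefix is None or ipaddress.ip_address(src_ip) not in prefix


def snare(flows, min_networks=3):
    """Return {(port, second): distinct foreign /24 count} for every port-second
    in which spoofed sources came from at least min_networks different /24s.
    A single stray packet (port-1 at second 2) stays below the bar, so a
    misconfigured host does not trip the trap; a forwarder does."""
    foreign = defaultdict(set)
    for second, port, src in flows:
        if is_spoofed(port, src):
            net = ipaddress.ip_network(f"{src}/24", strict=False)
            foreign[(port, second)].add(net)
    return {key: len(nets) for key, nets in foreign.items() if len(nets) >= min_networks}


if __name__ == "__main__":
    for (port, second), count in sorted(snare(FLOWS).items()):
        print(f"second {second}: {port} sourced packets from {count} foreign /24s")
```

    The threshold is the whole argument in the comment: per-packet source checks are cheap and unambiguous, while "odd ports to distant machines" is just the internet working.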
  26. Found your problem by symbolset · · Score: 3, Informative

    ... and Windows wasn't ...

    It's right here.

    ... I wiped the whole system clean ...

    That's a good start. If you're going to insist on using Windows, wiping and reinstalling on a regular basis is a must. I recommend at least annually. More often if you use Yahoo search, flash games or shareware. If you use AOL or MSN and chat or IRC, you may as well boot from the Windows install CD each day.

    Getting it set up the way you like it, and creating an "image" file of that setup with Symantec Ghost or something like it makes the process a lot less painful.

    Or you could try actually solving the problem, but I note from your post you don't care for that answer for some non-specified reason.

    If you do ecommerce from a platform you know to be insecure, don't expect everyone here to lobby for legal solutions to your technical problem.

    --
    Help stamp out iliturcy.
  27. The debate has moved on by RedToad · · Score: 3, Interesting

    Having scanned through the entries in this topic, I see it has moved on from the tired old "bash Microsoft" and "extol Linux" rot. Then there are a few suggestions about how to track botnets and shut them down. The FBI 1 million infections number has been quoted as a US-centric benchmark.

    A few months back a botnet herder in Europe went down for running ONE 1.5 million seated botnet. The global botnet infection numbers are therefore in the tens to hundreds of millions of infected machines. Forget about what platform they run on. Obviously the numerical majority of infections will always be on the OS that has the most prevalence. And it will never be the same percentage for higher use as lower use OS. That's because higher use attracts a much higher level of interest by the infection writers. So let's climb down off the hackneyed hobby-horses.

    Now to come to the point - shutting down botnets.

    Does anyone imagine for one moment that none of the millions of infected machines are sitting under the watchful eyes of law enforcement, botnet tracking operations, and university labs? Who do you think first knows (after the perpetrator) when a spam-bot turns into a DDOS bot? Who thinks that nobody is watching and tracking the C&C IRC commands coming down to the watched bots?

    Catch up with reality. The FBI is working on very specific intelligence from some very intelligent researchers.