Slashdot Mirror


Researchers Infiltrate and 'Pollute' Storm Botnet

ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied away from this controversial method because they don't "want to mess with other peoples' PCs by injecting commands," said one botnet expert quoted in the article."

35 of 261 comments

  1. It's not Really... by cromar · · Score: 5, Insightful

    It's not really messing with other people so much as preventing them from messing with tons of other infected hosts. Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

    1. Re:It's not Really... by Charred+Shaman · · Score: 2, Insightful

      Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.

    2. Re:It's not Really... by moderatorrater · · Score: 5, Insightful

      Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea. Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.

    3. Re:It's not Really... by wizardforce · · Score: 5, Insightful

      Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user.
      An OS shouldn't allow that; then again, it shouldn't allow you to get pwned by visiting malicious web pages or opening emails either. The problem is that you're talking about a hypothetical problem that may or may not exist. Storm is real and doing real damage to the world. Sitting back and watching the fireworks just because you're afraid to break something is, in my opinion, irresponsible.
      --
      Sigs are too short to say anything truly profound so read the above post instead.
    4. Re:It's not Really... by ChoppedBroccoli · · Score: 4, Insightful

      You are right, it isn't necessarily a moral question. Obviously, the researchers are trying to do a good thing, and their good intentions are good and correct.

      It is more of a legal/technical question. Are you legally allowed to do this? And the major problem for researchers is that they have no cloak of anonymity like the bad guys do: they are easily linked/traced to all their actions by the mere fact that they publish their work and share their results. If anything goes wrong, or even if an overzealous user just wants to sue/go to court for the sake of suing, then the researchers are SOL.

      It IS a gray area, even if you are morally correct.

    5. Re:It's not Really... by msimm · · Score: 3, Insightful

      Running an infected bot is inherently risky, just like the virus or worm that caused it. Moral concerns should be moderated appropriately.

      --
      Quack, quack.
    6. Re:It's not Really... by EncryptedSoldier · · Score: 2, Insightful

      LAWL! Yeah, that's a great idea. Let's go ringing doorbells! "Hi! Are you Mrs. Smith?" "Yes, I am. And who might you be?" "I'm John, and your computer is infected with a botnet called Storm. You and millions of other users are infected and are constantly infecting other computers without your knowledge. I can fix your computer for $200, what do you say?" And even if that worked, it won't work for everyone. Too much time needed to fix it, too much money for it to be possible. Poisoning the botnet is the way to go.

    7. Re:It's not Really... by Solandri · · Score: 5, Insightful

      Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.
      Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.
      You're comparing a concentrated loss to a distributed loss. The correct assessment in that case is to sum up the losses on both sides. Say "poisoning" Storm results in 1000 users with wiped hard drives losing $10,000 worth of data and productivity (being very generous here). OTOH say letting Storm continue to operate results in 100 million users losing $1 each worth of productivity (spam) and data (compromised systems). That's a $10 million to $100 million balance in favor of poisoning Storm. Obviously the numbers here are made up and I honestly don't know if poisoning Storm is a good idea. But the point is that you just can't look at the losses on one side and say a course of action is unacceptable due to those losses. You have to compare the losses that might happen if you take action, to what losses will happen if you don't take action.

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.
      Do you maintain any computers for friends or family? No it won't be more effective in the long run. You help them clean their system, and they'll go right back to using it as always. In 6-12 months they'll call you back to help them clean it again. It's just an individual equivalent of a cost of doing business for them. Why should they bother to change their habits when they can pay you a hundred bucks or so every year to clean their system?

      In that light, losing all their data might be just what's needed to get them to take computer security seriously. However, I'd consider it a last resort since it's a punitive action rather than a preventative action. The long-term solution is to accept that casual users are going to run their computers like this, and to come up with mechanisms which blunt or dilute the impact of compromised systems. We're already doing this with anti-virus and anti-spyware software, as well as flaming Microsoft so they fix all the security holes in Windows. But it may or may not also involve poisoning botnets.

      Off the top of my head, I don't think you need to remove the botnet software. It's probably already secured the box against further infection. So all you need to do is scramble its communication and/or encryption so it doesn't/can't contact the bot master again. It could be as simple as changing one bit in an otherwise unused registry key. So "poisoning" a botnet may be much more benign than your worst case scenario.

    8. Re:It's not Really... by MagdJTK · · Score: 2, Insightful

      I would argue that it is a computer owner's moral responsibility to make sure it's not doing any harm to others.

      If someone leaves their bag unattended at a train station, they should expect it to be destroyed in order to protect the public. If someone doesn't secure their PC and it becomes a hazard to others, shouldn't it be taken out too, by any means?

    9. Re:It's not Really... by ohtani · · Score: 2, Insightful

      Since when would saying something along the lines of "del infectedprogram.exe" be the same as "format c:"?

      --
      Pancakes. Oh I blew it.
    10. Re:It's not Really... by Anonymous Coward · · Score: 5, Insightful

      Is it wrong to do something to an out of control car rolling down a hill on fire towards a school full of people? This is a lot like a computer being part of a botnet. It is possible you could cause some damage to the car which is not yours by directing it out of the way, but if you don't something bad will certainly happen.

    11. Re:It's not Really... by rocketPack · · Score: 2, Insightful

      Should I not be held (somewhat) responsible if my unprotected gun is used in a crime? A computer with an internet connection has inherent risks; it's the user's responsibility to secure and protect their own goods against damage, as well as malicious uses.

      If your computer is damaged in an effort to mitigate a large-scale botnet causing massive infrastructure problems and costing people money, then perhaps you could at least learn something from the process.

      I don't feel sympathy for their (speculated, potential) loss/damage, I feel pity for their ignorance. My dad always told me not to use tools without understanding how to use them properly and safely, there's no reason this logic can't apply to computers.

    12. Re:It's not Really... by idontgno · · Score: 5, Insightful

      Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.

      Well, possibly, but I think the moral conundrum isn't about attacking the botnet itself, but about the owners of the computers the botnet is unwittingly hosted on. All this "poisoning" activity affects the zombied PCs, after all.

      To use a (non-car) analogy: Germany invaded Belgium in WWII. That was morally bad. Later, the allies counter-invaded Belgium. That was morally good. But the battles involved in both invasions weren't particularly great for Belgians.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    13. Re:It's not Really... by Esc7 · · Score: 2, Insightful

      I think the wording here should be that poisoning the botnet would be the MORAL thing to do (Stopping the botnet is a good thing for all!) But it would not be the ETHICAL thing to do (Respecting people's privacy is the rule that we hold to).

      And in all dilemmas between morals and ethics the "right" thing to do must be weighed very carefully, there are no hard and fast rules that can be applied carte-blanche.

    14. Re:It's not Really... by bigstrat2003 · · Score: 4, Insightful

      It's not particularly illegitimate to use them in that fashion, though. It's a matter of allocating limited resources, really. While I'll mod up posts I disagree with, but are insightful, if there are no posts I agree with available... I'd rather spend those mod points giving karma to people I agree with. Is it fair? Not entirely, but with only 5 or 10 points, there's only so much good you can do.

      The real moderation bias which is a cause for concern is modding with negative mods as a substitute for "disagree". That's bullshit, and there's no excuse for it.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    15. Re:It's not Really... by Anonymous Coward · · Score: 2, Insightful

      Due to technical realities, actively commanding a person's PC without permission may be the only way to counter these botnets. If you fail to secure your system properly and ISPs are unwilling to block these compromised systems, then the law should allow it. If you suffer data loss, then that is no different than damage caused by firefighters trying to stop a fire from spreading.

    16. Re:It's not Really... by couchslug · · Score: 4, Insightful

      "It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run."

      It would also be prohibitively complex and expensive. The idea that morality obligates us to do things that are wildly unlikely to work is questionable.

      Consider "help them clean their computer and prevent another infection" for what it REALLY means. That can be anything from a complete reinstall of the OS and all apps to replacing the computer with a more secure (and securED) OS because the original machine isn't suitable. There is no reasonable guarantee afterwards that the machine won't get 0wn3d again by the same or a new threat.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    17. Re:It's not Really... by Mister+Whirly · · Score: 3, Insightful

      "So there really isn't a risk, in this case, of executing maleficent code or overwriting large portions of anything."

      That was also the line of thinking by Robert Morris when he released "the great worm" back in 1988. We know how that turned out. There is ALWAYS some risk.

      --
      "But this one goes to 11!"
    18. Re:It's not Really... by moxley · · Score: 4, Insightful

      I understand what you're saying, but I am not sure I agree in full.

      There is no question that biased moderations occur - this is a large part of why meta-moderation is important - it is a way to "moderate the moderations."

      Certainly I am sure that even when people are being responsible that personal opinions can come into play. I am sure we all may have made blunders in this way before.

      "INSIGHTFUL" is supposed to mean exactly that, that the comment is insightful, interesting is supposed to mean interesting, etc.

      If people are truly abusive as a pattern, the meta moderation system should catch them. Labelling comments as "Agree" or "Disagree" has no relative value because such comments are so subjective and (other than turning an issue into a popularity contest) don't serve the community but providing useful feedback that can be used to determine who is eligible to moderate, etc.

    19. Re:It's not Really... by Sancho · · Score: 2, Insightful

      I don't think that it's feasible to identify people who are infected and help them clean their computers--at least, not for these researchers. Also, there's no patch for human gullibility--so what's to say that the person won't get infected all over again?

      While I think that poisoning Storm is a gray area, I don't think that these researchers are going to be able to lead the charge to clean up end-users PCs.

    20. Re:It's not Really... by Bryansix · · Score: 2, Insightful

      I'm sorry, but while this idea looks good on paper it is bullshit in real life. Most people with home Internet service have more than one computer on their network. Then you have business customers who have 5-100 computers on their network. They can't just walk up to the infected computer and take it offline because they don't know which one it is. Most anti-virus programs can't fully detect things like the Storm worm and some even get eaten alive by it. A much better thing would be an automated service that just emails the customer to notify them of the problem so they can take action.

      I say all this because I'm tracking a botnet right now and it's a pain in the ass. The last thing I need is for my Internet to go off. This would take down our phones as well since we have hosted VOIP and would bankrupt our company. I don't think an ISP wants that lawsuit on its hands. I already have Trend Micro's Client/Server security agent installed on all of the computers here. Still the problem persists.

    21. Re:It's not Really... by Eighty7 · · Score: 2, Insightful

      You can be sued for anything. Being sued for something doesn't mean that act is: illegal, immoral, unethical, or mean.

      I think his point was that they can sue you and they can win. Are there any good samaritan laws for hacking into someone's computer? Rather the opposite, I think.

    22. Re:It's not Really... by ScentCone · · Score: 2, Insightful

      I like dogs, and would never hurt one for no reason. But I'd still kill a rabid one, especially if I thought it was about to hurt someone else. Finding its owner, and thoughtfully explaining the history and mitigation strategies related to rabies - as the dog is chewing some kid's arm off, or killing someone else's pet - might feel more politically correct, but it's absurd, too. Poisoning the botnet is a good thing.

      --
      Don't disappoint your bird dog. Go to the range.
  2. Re:too much time on their hands? by Anonymous Coward · · Score: 1, Insightful

    ...like maybe perhaps research methods of disrupting botnets and see what results that type of research produces?

  3. Armageddon by spleen_blender · · Score: 2, Insightful

    The war. IT BEGINS.


    Seriously I'm personally excited by the fact that this essentially seems to offer a great draw to people with security skills to try being offensive where most of their efforts would be used defensively before.

  4. Public Key Cryptography and Message Signing. by CodeBuster · · Score: 5, Insightful

    I predict that the botnet authors will respond with the following counter-measures:

    1) Command messages sent to the botnet by the operator will employ public key cryptography and message signing so that bots can determine real commands from headquarters (i.e. the bot net operator) from fake ones.

    2) The bots themselves will use encryption to communicate amongst themselves and employ secret handshakes once the encrypted channel has been established to detect imposters. It would not be difficult to arrange for the botnet to automatically coordinate and begin punitive attacks against hosts which attempt to inject false commands into the botnet.
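    The first counter-measure above is ordinary authenticated command distribution, and it is worth seeing concretely why a signed channel is immune to the kind of content injection the article describes while a shared static key is not. The following Go program is an added illustration, not code from the article, the researchers, or any real control protocol: it defines a hypothetical `Command` format (sequence number, payload, Ed25519 signature over both) and a `Verifier` that pins one public key. A genuine message is accepted; the same message with one altered byte, a message signed under a key the verifier does not trust, and a replay of an already-accepted message are all rejected. Everything here (the field layout, the sample payload strings, the error names) is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a hypothetical signed control message: a monotonically increasing
// sequence number (so an old message cannot be re-sent), an opaque payload,
// and an Ed25519 signature over the encoding of both.
type Command struct {
	Seq     uint64
	Payload []byte
	Sig     []byte
}

// encode produces the exact bytes that are signed and verified. Binding the
// sequence number into the signed data is what makes replay detection
// unforgeable: an attacker cannot bump Seq without invalidating Sig.
func encode(seq uint64, payload []byte) []byte {
	buf := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(buf, seq)
	copy(buf[8:], payload)
	return buf
}

// Sign builds a Command under the given private key.
func Sign(priv ed25519.PrivateKey, seq uint64, payload []byte) Command {
	msg := encode(seq, payload)
	return Command{Seq: seq, Payload: payload, Sig: ed25519.Sign(priv, msg)}
}

// Verifier holds the single pinned public key and the highest sequence
// number it has already accepted.
type Verifier struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

var (
	ErrBadSig = errors.New("signature does not verify under the pinned key")
	ErrReplay = errors.New("sequence number is stale or replayed")
)

// Accept returns nil only for a message that verifies under the pinned key
// and carries a sequence number newer than anything seen before.
func (v *Verifier) Accept(c Command) error {
	if !ed25519.Verify(v.pub, encode(c.Seq, c.Payload), c.Sig) {
		return ErrBadSig
	}
	if c.Seq <= v.lastSeq {
		return ErrReplay
	}
	v.lastSeq = c.Seq
	return nil
}

// Demo runs the four cases and returns each verification result.
func Demo() (genuine, tampered, forged, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// A second, untrusted key pair stands in for anyone injecting content.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := &Verifier{pub: pub}

	cmd := Sign(priv, 1, []byte("report-status")) // constructed sample payload
	genuine = v.Accept(cmd)

	// Tampered: original signature kept, one payload byte changed.
	bad := cmd
	bad.Payload = []byte("report-statux")
	tampered = v.Accept(bad)

	// Forged: a well-formed message signed under a key the verifier does not pin.
	forged = v.Accept(Sign(otherPriv, 2, []byte("report-status")))

	// Replayed: the genuine message re-sent after it was already accepted.
	replayed = v.Accept(cmd)
	return
}

func main() {
	g, t, f, r := Demo()
	fmt.Println("genuine :", g)
	fmt.Println("tampered:", t)
	fmt.Println("forged  :", f)
	fmt.Println("replayed:", r)
}
```

    The sequence-number check matters as much as the signature: without it, a correctly signed message captured once could be re-injected indefinitely, which is exactly the sort of stale-content attack a signature alone does not stop.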

    1. Re:Public Key Cryptography and Message Signing. by ymgve · · Score: 2, Insightful

      It's a good thing the storm "encryption" is just plain XOR with a 40-bit string that hasn't changed in half a year, then.

  5. Re:I blame the ISP's by drrck · · Score: 3, Insightful

    ISPs aren't going to turn people off as Joe Sixpack has no idea what a bot is or where spam comes from. They would probably switch providers, as it's a lot easier than cleaning your computer.

  6. when you are fighting people by circletimessquare · · Score: 4, Insightful

    who have no regard for morals or ethics, scrupulously conforming to morals and ethics hampers your ability to fight

    the danger of course, is not to become what you fight by doing that

    so you slightly bend the rules, all the time, without making the sort of flat out transgression of major moral issues that constitutes what criminals do

    but you will still get flak from people who expect moral certitude from those who fight criminals, and criticize you like no tomorrow, all the while completely ignoring and not criticizing the criminals themselves

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  7. Reaction to this paper? by el_flynn · · Score: 2, Insightful

    Since the researchers have already published their work on the infiltration process, I'm sure by the time you read this piece of news the botnet owners and/or authors have already put an action plan in place to mitigate, or at least lessen, the effect.

    Plus, if you read their published work, they readily admit that they are always one step behind the worm, and have to react whenever the attacker changes his tactics. The work mentions that "the attacker can easily change [a function of the Stormnet communication technique]... and then we need to analyze [our] binary again."

    Criminals usually work faster than the good guys because they have more to lose.

    --
    The Wknd Sessions - Malaysian and South East Asia independent music
  8. The terminology is confused by Yurka · · Score: 5, Insightful

    Computers in a botnet are not "peoples' PCs" anymore. They are not under control of the owner. This needs to be clarified again and again. When you see a Borg drone, you (try to) kill it. And Picard was right - you'll be doing it a favor.

    --
    I can assure you, the best way to get rid of dragons is to have one of your own.
  9. Re:Who is liable in the event of retaliation? by WK2 · · Score: 2, Insightful

    I thought of that too. It might be a good way for the botnet operators to keep security researchers off their backs. Fortunately, the botnet operators don't want to damage the computers any more than the security researchers do. Less, in fact, because the botnet operators think they "own" said computer.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  10. Re:SPY v. (nothing) by witherstaff · · Score: 3, Insightful

    bad bad idea

    I'd love to be required to have antivirus software on my linux/FreeBSD/Solaris machines. If you don't have a locked down box those systems can be just as bad as a botnet windows machine.

    Or requiring comcast to have a rootkit on every machine you have to ensure that it's not infected. Sony computers would love that!

  11. Re:SPY v. (nothing) by HikingStick · · Score: 2, Insightful

    Just because they put locks on car doors doesn't mean everyone uses them. Then there's the issue of those little magnetic key holders in the driver's side wheel well...

    --
    I use irony whenever I can, but my shirts are still wrinkled...
  12. It was morally "good" -- from our perspective... by CFD339 · · Score: 4, Insightful

    ..because we won. History is written by the victors of course. Don't misunderstand me -- nothing could make me defend the German army's actions (or those of many of its citizens at the time). I'm only saying that had we lost that war, a different history might look upon the "re-invasion" of Belgium as a war crime.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln