Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Infiltrate and 'Pollute' Storm Botnet

Posted by CmdrTaco on from the i'm-infiltrating-see-yeah dept.

ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied way from this controversial method because they don't "want to mess with other peoples' PCs by injecting commands," said one botnet expert quoted in the article.

8 of 261 comments (clear)

  1. It's not Really... by cromar · · Score: 5, Insightful

    It's not really messing with other people so much as preventing them from messing with tons of other infected hosts. Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

    1. Re:It's not Really... by moderatorrater · · Score: 5, Insightful

      Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea. Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.
    2. Re:It's not Really... by wizardforce · · Score: 5, Insightful

      Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user.
      an OS shouldn't allow that, then again it shouldn't allow you to get pwned by visiting malicious web pages or opening emails either. The problem is that you're talking about a hypothetical problem that may or may not exist. Storm is real and doing real damage to the world. sitting back and watching the fireworks just because you're afraid to break something is in my opinion irresponsible.
      --
      Sigs are too short to say anything truly profound so read the above post instead.
    3. Re:It's not Really... by Solandri · · Score: 5, Insightful

      Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.
      Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.
      You're comparing a concentrated loss to a distributed loss. The correct assessment in that case is to sum up the losses on both sides. Say "poisoning" Storm results in 1000 users with wiped hard drives losing $10,000 worth of data and productivity (being very generous here). OTOH say letting Storm continue to operate results in 100 million users losing $1 each worth of productivity (spam) and data (compromised systems). That's a $10 million to $100 million balance in favor of poisoning Storm. Obviously the numbers here are made up and I honestly don't know if poisoning Storm is a good idea. But the point is that you just can't look at the losses on one side and say a course of action is unacceptable due to those losses. You have to compare the losses that might happen if you take action, to what losses will happen if you don't take action.

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.
      Do you maintain any computers for friends or family? No it won't be more effective in the long run. You help them clean their system, and they'll go right back to using it as always. In 6-12 months they'll call you back to help them clean it again. It's just an individual equivalent of a cost of doing business for them. Why should they bother to change their habits when they can pay you a hundred bucks or so every year to clean their system?

      In that light, losing all their data might be just what's needed to get them to take computer security seriously. However, I'd consider it a last resort since it's a punitive action rather than a preventative action. The long-term solution is to accept that casual users are going to run their computers like this, and to come up with mechanisms which blunt or dilute the impact of compromised systems. We're already doing this with anti-virus and anti-spyware software, as well as flaming Microsoft so they fix all the security holes in Windows. But it may or may not also involve poisoning botnets.

      Off the top of my head, I don't think you need to remove the botnet software. It's probably already secured the box against further infection. So all you need to do is scramble its communication and/or encryption so it doesn't/can't contact the bot master again. It could be as simple as changing one bit in an otherwise unused registry key. So "poisoning" a botnet may be much more benign than your worst case scenario.

    4. Re:It's not Really... by Anonymous Coward · · Score: 5, Insightful

      Is it wrong to do something to an out of control car rolling down a hill on fire towards a school full of people? This is a lot like a computer being part of a botnet. It is possible you could cause some damage to the car which is not yours by directing it out of the way, but if you don't something bad will certainly happen.

    5. Re:It's not Really... by idontgno · · Score: 5, Insightful

      Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.

      Well, possibly, but I think the moral conundrum isn't about attacking the botnet itself, but about the owners of the computers the botnet is unwittingly hosted on. All this "poisoning" activity affects the zombied PCs, after all.

      To use a (non-car) analogy: Germany invaded Belgium in WWII. That was morally bad. Later, the allies counter-invaded Belgium. That was morally good. But the battles involved in both invasions weren't particularly great for Belgians.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  2. Public Key Cryptography and Message Signing. by CodeBuster · · Score: 5, Insightful

    I predict that the botnet authors will respond with the following counter-measures:

    1) Command messages sent to the botnet by the operator will employ public key cryptography and message signing so that bots can determine real commands from headquarters (i.e. the bot net operator) from fake ones.

    2) The bots themselves will use encryption to communicate amongst themselves and employ secret handshakes once the encrypted channel has been established to detect imposters. It would not be difficult to arrange for the botnet to automatically coordinate and begin punative attacks against hosts which attempt to inject false commands into the botnet.

  3. The terminology is confused by Yurka · · Score: 5, Insightful

    Computers in a botnet are not "peoples' PCs" anymore. They are not under control of the owner. This needs to be clarified again and again. When you see a Borg drone, you (try to) kill it. And Picard was right - you'll be doing it a favor.

    --
    I can assure you, the best way to get rid of dragons is to have one of your own.