Slashdot Mirror
Estonian ISP Shuts Srizbi Back Down, For Now
wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) has briefly come back to life last week, allowing the botnet to hand-off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Service be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."
Ok, am I being thick here, but why can't some enterprising soul (or organisation), use the algorhythm to take control of the bots and then gets them to purge or go inactive?
However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions . . .
Couldn't the registrars run that algorithm ahead of time and ban (or track down) new registrations for those domains?
http://outcampaign.org/
To all the people who are saying "just take the botnet down with that control system", this isn't always possible.
Think, for instance, of a virus that not only has this sort of "find my controller" system but that, when it finds instructions, checks an attached PGP public key to ensure their integrity and that they came from the original author. If this particular virus doesn't have it, the next breed will. That makes it completely immune to "false" updates, in the same way that Linux repositories and Windows Update are... unless you have the private key associated with that virus' creation, you can't issue an update that it will take notice off.
You can't stop things like this by just intercepting the botnets... you can slow them, hinder them, give you time, but there are ways around everything. The way to stop it is to SHUT OFF USERS who have those botnets, who have allowed their computers to be compromised. Permanantly. Give them the incentive to actually keep their systems clean. They can move to another ISP etc. but the only way to stop them is to show them that leaving their PC open to infection is the problem here, along with an OS that allows that sort of compromise to be so easy, and not that some kid in Russia is somehow smarter or more resourceful than the entire world's IT experts.
I don't know if this worm actually does have a signed update system, but it's a very easy thing to do, with tons of well-audited, open-source, freely available code to do it for you. I would be very surprised if some malware somewhere wasn't already doing it.
I'd love to see that too. Spoofing traffic on IRC is easy. But the problem is the commands must be signed using the bot herder's private key. It's apparently a very large key, (1024 BYTE iirc) and no one has managed to break it yet.
I bet there are several groups working on them though. Problem is, each time the herder pushes an update, they could rekey it, placing everyone's break attempts back on square 1.
My PERSONAL preference here is that the command sent should cause the participating computers to post a notice on the user's screen telling them they've been owned, that their computers have been being used to harm the public, and that they (the computers) have been rendered inactive and they'll have to take the computer into the shop for repair. (because no doubt they're infested with more than just this botnet) Some may say that's going too far, but imho, it's completely reasonable. They should share some of the responsibility for the actions of their computer after allowing it to be hijacked and being used to abuse ME. How about it just delete their NIC drivers and post the message?
I work for the Department of Redundancy Department.
The Russian authorities have an attitude problem, and don't give a tinker's damn about the crime being committed from their soil, as long as it isn't Russian citizens being targeted. Which goes part-way to explain why cybercriminals NEVER target people in their own countries.
You misspelled 'American' in your post. Twice.
> How about it just delete their NIC drivers and post the message?
Formating hard disks and writing a message to the boot sector will be a bit more efficient than this. Remember, a clean install in case of an infection is recommended even by Microsoft.
In essence this is the largest game of Wack-A-Mole ever played.
I say don't drink and drive, you might spill your drink. Before you get behind the wheel just stop and think.
Yeah coz no-one here would take control of a hugely profitable bot-net given the chance???
Yes, but a good 90% of the public doesn't have the skills to do this. And while as a PC repairman I wouldn't mind the extra business, in this shitty economy there are going to be plenty that can't afford to take it in, especially if all they have in their area is the ID10Ts at Worst Buy.
My solution would be this: Since most of us believe in OSS, and I am sure that many FLOSS guys read Slashdot, why can't we get together to help those infected Windows users and thus help us all?(And no, I don't mean by sending them a link to Ubuntu). Here is what we need: We need a small Linux based DOSbox that will autorun an antivirus cleaner and delete or quarantine any infections it finds. It needs to be small, so we can send the file or the link even to those with crappy connections, and should have a freeware burner software built in so they can simply double click they file and it will burn the ISO. Then they can simply reboot and let the tool do its job.
You see it is nearly impossible to remove an infection from a running OS, and most users simply don't have the skills required to run the complicated Linux security CDs which is the only thing I have even found which comes close. And we could even use it to promote FOSS by having links to FOSS like FF, OO.o, GNUCash, etc in a simple "more free software" link which the virus cleaner could drop on their desktop. This could help spread the word to those unfamiliar with FOSS while at the same time helping to cut down the slowdown from infected machines puking all over the net. It could be updated every week with the latest definitions to whichever free AV scanner was used, and if you wanted to get fancy you could even have it install a free AV like ClamWin with the scans and updates scheduled via Scheduled Tasks.
I have looked all over the web and have yet to find anything like that which I just described, and sadly programming is a skill I don't have so I can't build it myself. But it seems to me like this would be a great way to not only help clean up the net but spread the word about FOSS(and yes, you could have links to Ubuntu on the free software page) to those who may have never heard of it before. And if it is small and easy I'm sure that sites all over the net would be happy to promote it, as nobody likes all the spam and botnet traffic. The authors could even accept donations on their website for maintaining it and make a little scratch while they help to clean up the garbage. Sounds like a win/win to me.
ACs don't waste your time replying, your posts are never seen by me.
Stay the hell away from both my computer and my wallet.
THIS, from a person whose computer is already hijacked and being used for illegal activities?
Using evil methods to accomplish noble goals is still evil. Once you accept computer hijacking under some circumstances, how do you define the motives for which it's ok? Would it be ok to create or use a zombie net to process SETI or protein folding data? To scan for other zombies? How about DB indexing for your job?
If you're going to try to claim the moral high ground, you need to stick to the high ground and not compromise your ethics for the sake of expediency.
>>>I'm doing you a favor
The road to tyranny is paved with good intentions. Most of the men who we study in history class as "evil" would have repeated the exact same phrase: "I'm doing you a favor" as they burned books, or raided homes, or whatever other anti-human rights crime they committed.
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
Disabling someone else's machine is immoral, no matter what your goal might be.
Does "disabling" include cutting off network connectivity? In today's environment of cloud computing and web2.0 apps, being cut off from the net is arguably the same as disabling a machine entirely.
And to extend the logic a bit further, it is immoral for an ISP to cut off somebody's account if that account is being used to spew spam. Or to extend things a bit further, it's immoral for an upstream to cut off a downstream spam sewer ... or for anything like RBL or SBL to exist since it can be used to facilitate disruption of network service.
I'm not trying to explicitly condone an approach where zombies are vandalized to render them inoperable, but I'm trying to point out how this entire argument is shades of grey - at some point, action against criminal networks involves infringement on people's "right" to do whatever they want with their money, their computer, their internet connection, etc.
... and one other thing to keep in mind: when the day comes (becuase it's a when not an if) that terrorist organizations hire a botnet to attack the computers that control the electric grid, or to perform supercomputing nuclear simulations, or any number of other things ... you are going to see some serious shit being done to botnets and zombies, and it will be done by governments not by random vigilantes.
If libertarians are so opposed to effective government, why don't they all move to Somalia?