Slashdot Mirror


Researchers Hijack Mebroot Botnet, Study Drive-By Downloads

TechReviewAl writes "Researchers at the University of California at Santa Barbara hijacked the Mebroot botnet for about a month and used it to study drive-by downloading. The researchers managed to intercept Mebroot communications by reverse-engineering the algorithm used to select domains to connect to. Mebroot infects legitimate websites and uses them to redirect users to malicious sites that attempt to install malware on a victim's machine. The team, who previously infiltrated the Torpig botnet, found that at least 13.3 percent of systems that were redirected by Mebroot were already infected and 70 percent were vulnerable to about 40 common attacks."

130 comments

  1. 70% by matt4077 · · Score: 2, Funny

    Isn't IE market share about 70%? What a coincidence!

    1. Re:70% by CodeBuster · · Score: 2, Informative

      From TFA: "The next two most popular operating systems were Mac OS X 10.4 'Tiger' and Mac OS X 10.5 'Leopard,' which accounted for 6.4 percent of all visitors."

      This means that exploit JavaScript code has been tuned to target vulnerabilities in Safari as well with code on the main exploit servers (the ones which initiate the drive-by downloads) targeting vulnerabilities in some Apple Mac OS versions. The Mebroot gang is apparently among the more sophisticated botnet operators (i.e. they support alternative OSs or browsers). The Mac people need to learn some humility or they will be in for some nasty surprises as Windows becomes a more hardened target and Mac OS becomes more popular.

    2. Re:70% by tsm_sf · · Score: 5, Funny

      I've never really understood the whole Mac vs. Windows debate, and it's even more pointless now that you can have Mac, Win, and Linux running on the same box at the same time. Now, vi vs. emacs is a legitimate jihad.

      ((vi is better))

      --
      Literalism isn't a form of humor, it's you being irritating.
    3. Re:70% by CodeBuster · · Score: 1

      ((vi is better))

      VI VI VI is the number of the beast!

    4. Re:70% by RyuuzakiTetsuya · · Score: 2, Informative

      Uhhh no.

      The article doesn't state which OSes were infected, just how many users were directed to the point of infection.

      Mebroot doesn't infect OS X.

      --
      Non impediti ratione cogitationus.
    5. Re:70% by chiguy · · Score: 3, Funny

      Now, vi vs. emacs is a legitimate jihad. ((vi is better))

      Sure, that's because you haven't figured out elisp. It should be

      (setq vi better)
      or
      (setq is-vi-better (better vi emacs))

      --
      passetspike!
    6. Re:70% by camperslo · · Score: 3, Informative

      This means that exploit JavaScript code has been tuned to target vulnerabilities in Safari as well

      No, it means that the infected websites redirected visitors including Mac users. They were victims of redirection only at that point. It's the sites that people got redirected to that did the actual user-machine infecting. The article only says that six vulnerabilities were targeted but it doesn't say which. Mebroot (Master Boot Record Rootkit) is Windows based and isn't new.

      "Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with Javascript code. The code redirects visitors to a different Internet domain, which changes every day, and where a malicious server attempts to compromise their computer with a program that provides the botnet's owners with remote control over that machine."

      I'm not an expert, but the Mebroot description at F-Secure appears to show Windows systems as the target. Of course other mutations could potentially be created to target vulnerabilities on OS X or other platforms, but once in it couldn't just install the same Windows rootkit.
      (below from F-Secure, not article)
      http://www.f-secure.com/weblog/archives/00001393.html

      The actual site hosting the exploit code utilizes the following exploits:

                Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
                AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
                Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
                GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
                Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
                Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
                DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
                Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow

      from article:
      "The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit."

      For things that have been fixed, I think Mac users are generally a bit better about having OS and browser updates. Of course, like everyone else, they can still significantly reduce risk by disabling browser functionality except when needed (as with NoScript and Firefox).

      I'm concerned updates in other applications may be missed not only by users, but even developers.
      VLC promptly was updated for some vulnerabilities in underlying ffmpeg code, but users aren't always good about keeping VLC up to date (the older version for OS X 10.4 got an update as well as the current release).

      There are many video conversion, DVD assembly and other programs built on Windows and OS X using ffmpeg behind the scenes. In some cases the developers make little or no mention of it (LGPL/GPL compliance is a problem too). These programs don't seem to be getting the newer ffmpeg builds that address the problems.

      http://secunia.com/advisories/36805

    7. Re:70% by fhuglegads · · Score: 1

      ((vi is better))

      VI VI VI is the number of the beast!

      I thought it was vi vi vi - editor of the beast

  2. Like stealing illicit drugs? by mcrbids · · Score: 1, Interesting

    Strikes me that this is a "crime" somewhat akin to stealing money from a drug dealer. Sure, I guess you are doing something "illegal" since it's not your money, but it's not like the drug dealer is going to report you to the police...

    Announcing this activity publicly doesn't strike me as particularly prudent, even if it is valuable information...

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Like stealing illicit drugs? by ground.zero.612 · · Score: 3, Insightful

      You mean colleges and universities are held to a double standard? Blasphemy! Next you'll be trying to tell me that politicians and government officials are held to a double standard...

      --
      "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
    2. Re:Like stealing illicit drugs? by noundi · · Score: 4, Insightful

      Strikes me that this is a "crime" somewhat akin to stealing money from a drug dealer. Sure, I guess you are doing something "illegal" since it's not your money, but it's not like the drug dealer is going to report you to the police...

      Announcing this activity publicly doesn't strike me as particularly prudent, even if it is valuable information...

      Not even that. There is absolutely no personal gain for them in this. Even stealing the money has a gain and this experiment neither hurts nor benefits anybody. It's a completely neutral act not to be trolled into some nonsensical parallel about murder or theft.

      --
      I am the lawn!
    3. Re:Like stealing illicit drugs? by palegray.net · · Score: 4, Insightful

      This is more like intercepting and recording the conversations had among a network of criminals, which yields a lot of good insights into how these organizations operate. This can be extremely valuable information if it's forwarded to appropriate law enforcement personnel, which don't always have the technical talent or resources to conduct investigations like this in the first place.

    4. Re:Like stealing illicit drugs? by clone53421 · · Score: 1

      I RTFA'd (shocking, yes) and – now I'm no expert, but – I don't think they did break any laws.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    5. Re:Like stealing illicit drugs? by Anonymous Coward · · Score: 0

      politicians and government officials are NOT held to a double standard...

      FTFY

    6. Re:Like stealing illicit drugs? by girlintraining · · Score: 0, Offtopic

      It's a completely neutral act not to be trolled into some nonsensical parallel about murder or theft.

      The law criminalizes behavior, not intent. Intent is no longer necessary to be convicted in the United States. It's not a troll to point this out, and there was no parallel made to murder, only theft. And it is arguably theft: If someone burglarizes your home, and then another person comes in after and "studies" the scene, it is still unlawful entry. When they "hijacked" the botnet, it moved from unlawful entry to theft of services, because in order to do that they need to send commands to the client on the machine.

      While it is valuable knowledge in learning what the state of the art is in botnets, they should restrict themselves to studying machines under their own administrative control and/or machines which they have permission to conduct those activities on.

      --
      #fuckbeta #iamslashdot #dicemustdie
    7. Re:Like stealing illicit drugs? by mcrbids · · Score: 2, Interesting

      The information gained doesn't benefit them? Why else did they do this, then? Benefit isn't just cash, you know. Anything that provides an advantage is a 'benefit'...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    8. Re:Like stealing illicit drugs? by amicusNYCL · · Score: 3, Informative

      The law criminalizes behavior, not intent. Intent is no longer necessary to be convicted in the United States.

      I'm not sure how many juries you've been on, but when I was on a jury 2 weeks ago for a criminal case the judge made it explicitly clear several times that we could only find the defendant guilty if evidence showed, beyond a reasonable doubt, that he intended to commit the crime (theft). In fact, intent is part of the definition of theft, which needs to be met in order to find someone guilty.

      Civil cases are held to a lower standard, but criminal cases require "beyond a reasonable doubt". In fact, the very reason why he was found not guilty is because the prosecutor could not prove intent in a way that satisfied the indictment. It's extremely difficult to prove intent, the prosecutor was able to show intent to commit the crime several months after the crime was allegedly committed, but because of the wording of the indictment we could not find evidence of intent when the specific events happened. The prosecutor understood why we reached the verdict we did.

      That sounds a little vague, I'll be happy to go into details of the trial if you're interested.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    9. Re:Like stealing illicit drugs? by kdemetter · · Score: 2, Insightful

      It's more like a private investigation of a crime, finding proof and then making it public.
      This is something journalists do all the time.

    10. Re:Like stealing illicit drugs? by Nadaka · · Score: 2, Interesting

      They violated the DRM placed on the legally copyrighted software produced by bot net authors. They committed a US federal felony according to the DMCA.

    11. Re:Like stealing illicit drugs? by postbigbang · · Score: 1

      No, they shouldn't restrict themselves.

      They're fucking heroes.

      Did they do bad by manipulating the botnet? Sure. Tsk tsk.

      Can they crack that egg and get rid of it now? Yeah. The sad thing is they'll need some court order to do it, rather than take the leech offline and be done with it. I wish they could trace route it so that a little drone could drop by the instigator's address with a payload of green goo.

      Sounds like a testosterone reaction but consider just how many machines are bot'd these days and how rotten the state of operating systems protection is, and how foolish users are, and how much hardware is under control of the bad guys. Then admonish them for trying to crack this nut.

      I'm not trying to start a flame war, but your boundaries are a little too kindergarten for me.

      --
      ---- Teach Peace. It's Cheaper Than War.
    12. Re:Like stealing illicit drugs? by conureman · · Score: 1

      Did the EULA forbid reverse-engineering? If so these guys could be in a lot of trouble.

      --
      The cost of that cleanup, of course, will be borne by taxpayers, not industry.
    13. Re:Like stealing illicit drugs? by shentino · · Score: 1

      Agreed.

      One caveat though...

      If the research is being accomplished by intercepting information being sent to their own computer, then it is completely legal.

      Having said that, I disagree with publication for two reasons:

      1. It can alert the botnet operators, and in such a case disclosure could very well be interpreted as obstructing an investigation.

      2. Overzealous prosecutors may decide to pounce.

    14. Re:Like stealing illicit drugs? by noundi · · Score: 1

      The information gained doesn't benefit them? Why else did they do this, then? Benefit isn't just cash, you know. Anything that provides an advantage is a 'benefit'...

      Sorry, I expressed myself poorly. Their gain is virtually everybody's gain as it benefits us all except the criminals at hand. I stand corrected, yet even stronger on the fact that it was a neutral act. Had they kept the information for themselves, on the other hand...

      --
      I am the lawn!
    15. Re:Like stealing illicit drugs? by poopdeville · · Score: 3, Informative

      I'm not sure how many juries you've been on, but when I was on a jury 2 weeks ago for a criminal case the judge made it explicitly clear several times that we could only find the defendant guilty if evidence showed, beyond a reasonable doubt, that he intended to commit the crime (theft). In fact, intent is part of the definition of theft, which needs to be met in order to find someone guilty

      That's true of theft, and any other crime where "mens rea" is a criminal element. There are crimes of strict liability as well, and "mens rea" (a guilty mind) does not enter into guilt or innocence. (It can enter into sentencing)

      --
      After all, I am strangely colored.
    16. Re:Like stealing illicit drugs? by Anonymous Coward · · Score: 1, Informative

      They didn't actually take control of the botnet. They predicted what domain would be registered one day by the botnet owners (there's an algorithm they use to pick domains to connect to) and registered it ahead of them. They then waited to see what machines connected so they could tell who was getting attacked by this. No takeovers of the machines, no theft of the botnet's services. Just data mining.

    17. Re:Like stealing illicit drugs? by Anonymous Coward · · Score: 0

      So he unintentionally stole something, and then later decided he wanted to steal it (thus he now had intent), but he did not steal it because he discovered he had already done so?

    18. Re:Like stealing illicit drugs? by Runaway1956 · · Score: 0, Flamebait

      Well, politicians aren't held to ANY standard. Witness that senator for Mass they screwed into the ground just weeks ago. Ask the former Governor of Illinois what standards he was held to. He just went too far when he tried to auction off a senate position. I wonder what the results would be if I googled "Where do congressmen stick their peckers?" Employees and appointees have higher standards than elected officials, but that doesn't mean much.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    19. Re:Like stealing illicit drugs? by Eternauta3k · · Score: 2
      1. Mistakenly take home someone's cellphone
      2. Decide to keep it

      How about that?

      --
      Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.
    20. Re:Like stealing illicit drugs? by Anonymous Coward · · Score: 0

      Their gain is virtually everybody's gain as it benefits us all except the criminals at hand.

      So, we can use this for our master's thesis too?

    21. Re:Like stealing illicit drugs? by amicusNYCL · · Score: 4, Interesting

      It was a case where one guy was buying a car from another guy, paid for it, and never got it. There was no evidence which showed that the seller intended to keep the money and the car at the time the money changed hands. So, according to the indictment he did not steal the money. They showed intent several months later when he modified the car (you wouldn't modify a car unless you considered it yours), but the indictment clearly stated that he was being charged for theft by intending to deprive the buyer of his property (money) when he took the payment, not several months down the line whenever he decided to keep the car. If the state had worded the indictment differently so that we could establish intent at a later date then he would have been found guilty.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    22. Re:Like stealing illicit drugs? by PRMan · · Score: 1

      They should have forced all the machines to install Microsoft Security Essentials for free...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    23. Re:Like stealing illicit drugs? by PRMan · · Score: 1

      If there ever was a situation that required Jury Nullification...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    24. Re:Like stealing illicit drugs? by Ethanol-fueled · · Score: 1

      Larceny.

    25. Re:Like stealing illicit drugs? by mysidia · · Score: 1

      How this works in reality, is typically, to do the research, the researcher will get a sample of 'test machines' they own infected by visiting a drive-by-downloader's site in a specially controlled environment, where they monitor all the botnet node's network activities, block any unexpected ones, and "de-fang" or "make benign" its activities (e.g. if it normally sends spam with a malware link, they may replace the link with a beacon link). The other possibility is they work with people whose machines are already infected.

      In either case, the botnets are so large, that a few added nodes does not cause the botnet to do any more harm, and disinfecting those machines or disabling them would not significantly help anyone.

      In either case, they own the equipment, and they don't approve of the malicious software's activities, they themselves act in a manner that doesn't increase the harm done by the botnet, they arrange matters in such a way that people who interact with "their nodes" are not harmed or any worse off because of their research activities. Breaking into software running on their computers is not like stealing from drug dealers... it's more like sneaking up behind a cat burglar sneaking out a window in your house, going towards your neighbor's house and cutting an enormous hole in their bag as they climb out your window.

      Botnet infiltration is more like a researcher pretending to be a drug dealer.

      The researcher gets drugs from the drug lord

      Sends the drugs to the lab for analysis.

      Covertly replaces the active ingredient in the drugs with a safe placebo.

      e.g. Bag of coke gets replaced with a bag of sugar. Anything in pill form gets replaced with sugar pill disguised as the original. (Basically, deletes the dangerous ingredient)

      Adds a tracer ingredient, like an edible RFID tag, and an edible GPS-based tracking device.

      Passes along the drug down the line...

      Or sells it, just in the manner directed to do by the drug lord.

      But the researcher doesn't do it... let's say the "drug dealer" is a robot the drug lord was spreading around and deployed on the researcher's computer... the researcher hacked the program to do something other than what the drug lord expected.

    26. Re:Like stealing illicit drugs? by mysidia · · Score: 2, Insightful

      Without the details of their research methodology at hand, you have no basis for claiming they might have committed a crime.

      Maybe if/when they publish their paper, you can reasonably assess that, not until then.

    27. Re:Like stealing illicit drugs? by mysidia · · Score: 1

      Greater knowledge? It's intangible, but still a benefit.

      There's also a possibility of notoriety or fame.

      And maybe a line in the resume, for the paper... which could translate into money or more opportunities at a later date.

    28. Re:Like stealing illicit drugs? by mysidia · · Score: 1

      Probably not. Certain types of research fall into a special exemption from the DMCA's anticircumvention provisions.

      In this case, they were conducting security research, to assist in reducing piracy of malicious software.

      Also, to pursue a DMCA action against the researchers, the botnet authors will have to identify themselves.

      In the process, they will expose themselves to counterclaims by the researchers who discovered their software illegally propagated itself to their computers, constituting "Gaining Access" without authorization, for the purposes of the US Computer Fraud and Abuse Act.

    29. Re:Like stealing illicit drugs? by BosstonesOwn · · Score: 1

      Why clean up Microsoft's issue, force them to install Ubuntu! and watch hilarity ensue :)

      --
      This package Does Not Contain a Winner
    30. Re:Like stealing illicit drugs? by BosstonesOwn · · Score: 1

      This is Slashdot, you don't need facts. Just an opinion, and some Cheetos in your mom's basement.

      --
      This package Does Not Contain a Winner
    31. Re:Like stealing illicit drugs? by L4t3r4lu5 · · Score: 1

      It's like stealing a sports car from your neighbour, but returning it the next morning with a tank full of petrol and £20 towards maintenance costs in an envelope on the passenger seat.

      Bringing you car analogies for all occasions!

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    32. Re:Like stealing illicit drugs? by L4t3r4lu5 · · Score: 1

      Been on a jury, wasn't informed of that particular right. In fact the words used were "You must find the defendant either guilty or not guilty."

      In all honesty, though, I would say I was the only person in the trial who didn't find it a total time soak. You won't get jury nullification when the jurors don't care enough about justice to concentrate fully.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    33. Re:Like stealing illicit drugs? by clone53421 · · Score: 1

      Of course they won't tell you about it (in fact, I've heard that mentioning jury nullification can get one rejected from jury duty). And yes, you must find them either guilty or not guilty... jury nullification occurs when the jury rules a defendant not guilty in blatant disregard for the law (which would find the person guilty) because they believe the law is wrong. Needless to say, judges & lawmakers don't like the concept.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    34. Re:Like stealing illicit drugs? by treeves · · Score: 1

      IANAL, but according to the Wikipedia article on larceny, that is not larceny.

      Without consent

      The taking must be without the consent of the owner. This means that the taking must have been accomplished by stealth, force, threat of force, or deceit. If the offender obtained possession lawfully then a subsequent misappropriation is not larceny.

      Intent to steal (animus furandi)

      The offender must have taken the property with the intent to steal it. Traditionally intent to steal is defined as the intent to deprive the owner of the possession of the property permanently. However, intent to steal includes other states of mind such as the intent to recklessly deprive the owner of the property permanently. A person who takes property of another under the mistaken belief that the property belongs to him does not have the requisite intent to steal. Nor does a person "intend to steal" property when he takes property intending to make temporary use of it and then return the property to the owner within a reasonable time.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    35. Re:Like stealing illicit drugs? by eihab · · Score: 1

      It was a case where one guy was buying a car from another guy, paid for it, and never got it. There was no evidence which showed that the seller intended to keep the money and the car at the time the money changed hands. So, according to the indictment he did not steal the money. They showed intent several months later when he modified the car ...

      Doesn't the fact that he didn't deliver the car for several months show that he "intended" to take the money and run?

      Also, you said earlier that this was a criminal case:

      I'm not sure how many juries you've been on, but when I was on a jury 2 weeks ago for a criminal case ...

      How did the guy failing to deliver a car someone purchased become a criminal case? It sounds to me like (and I'm quoting Chris Rock) "this is something Judge Judy could've knocked out in half an hour, plus commercials!"

      --
      If you can't mod them join them.
    36. Re:Like stealing illicit drugs? by amicusNYCL · · Score: 1

      Doesn't the fact that he didn't deliver the car for several months show that he "intended" to take the money and run?

      Not in itself, there could be several reasons why the car wasn't delivered. Maybe the buyer never arranged pickup. There wasn't any evidence either way (there was a remarkable lack of communication for a $12k deal).

      How did the guy failing to deliver a car someone purchased become a criminal case?

      I believe theft of greater than $4000 is criminal in this state, the indictment specified he was being charged with theft of between $4000-$25000 (even though he was specifically being charged with theft of $12300, they still included that language).

      "this is something Judge Judy could've knocked out in half an hour, plus commercials!"

      Yeah, seriously. After the trial the prosecutor told us that she offered him a misdemeanor charge if he just gave the guy the car (which was already impounded), and he apparently declined. It was a 4-day trial that could have probably been solved with a phone call and apology.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    37. Re:Like stealing illicit drugs? by left00coaster · · Score: 1

      It seems pretty clear they did it "pro bono" -- i.e., free and for the public good. It may not be the way you personally choose to act, but you should be able to at least imagine that other people could be guided by impulses more altruistic than your own.

  3. Re:arrest them by noundi · · Score: 5, Insightful

    so universities can break the law but common criminals can't? reminds me of nazi/japanese experiments on humans in the name of 'science'.

    Really? Intercepting a botnet reminds you of experiments leading to the deaths and suffering of thousands of helpless adults and children? No I see your point, exactly the same thing.

    --
    I am the lawn!
  4. Karma at its finest by Flowstone · · Score: 2, Insightful

    Leave it to people who exploit PCs to get sloppy enough to leave the kitchen door unlocked. It's more like carjacking a carjacker's own personal vehicle. News or no news, it's a ray of sunshine that reminds us that this universe still has a balance. And it's got a sense of humor.

    1. Re:Karma at its finest by Anonymous Coward · · Score: 0

      Yeah or these "researchers" are the ones that created the botnet in the first place... hmmmm

    2. Re:Karma at its finest by Anonymous Coward · · Score: 0

      Leave it to people who exploit PCs to get sloppy enough to leave the kitchen door unlocked.

      It's more like carjacking a carjacker's own personal vehicle. News or no news, it's a ray of sunshine that reminds us that this universe still has a balance. And it's got a sense of humor.

      I think you're taking the universe out of context.

  5. Re:arrest them by clone53421 · · Score: 4, Insightful

    so universities can break the law

    They broke the law? Citation needed.

    Oh wait... you didn't even RTFA.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  6. Maybe by SnarfQuest · · Score: 1

    Maybe they were able to break into it because (dun dun dun) they wrote it!

    Isn't that how things work in all those lousy movies with some kind of computer virus in them?
    Or that Mac virus can infect alien computers.

    --
    Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
    1. Re:Maybe by BosstonesOwn · · Score: 1

      fortran is universal !!!

      --
      This package Does Not Contain a Winner
  7. Great idea, narrowly averted by catmistake · · Score: 1

    If this can be done, hijacking botnets, it should be... and then the botnet should be neutralized. Didn't anyone think of this?

    1. Re:Great idea, narrowly averted by RollingThunder · · Score: 1

      Yes, many times, and each time it's shot down based on the liability issues around forcibly patching other people's computers without their consent.

    2. Re:Great idea, narrowly averted by John+Hasler · · Score: 2, Informative

      Read the article. They didn't gain control of the botnet.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:Great idea, narrowly averted by Anonymous Coward · · Score: 0

      Hijack the botnet and use it to push updates to all the fools that got owned by the botnet

    4. Re:Great idea, narrowly averted by Zocalo · · Score: 2, Insightful

      I think the same idea came up when this group hijacked the Torpig net, and quite probably on several other similar occasions. Unfortunately, that opens up a whole new can of worms, if you'll excuse the pun. Specifically, if they issue commands for a botnet to shut itself down, or try to patch a vulnerable system, then they potentially become liable for whatever might go wrong. What if that vulnerable system was responsible for something critical and hadn't been patched because the patch broke the application, for instance? Or if the Botnet's "suicide" command did indeed remove the problem... by completely wiping the hard disk of infected systems?

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:Great idea, narrowly averted by Anonymous Coward · · Score: 0

      If this can be done, hijacking botnets, it should be... and then the botnet should be neutralized. Didn't anyone think of this?

      I worked at a company that infiltrated a couple of botnets for research purposes. We could have shut them down but the legal department said "no way!" since it would expose us to serious liability for any machines that died or lost data that resulted or may have resulted from uninstalling and patching the bots.

      We did notify authorities in various jurisdictions and give them what they needed to do it, but as far as I know they only acted on it once. Some Scandinavian country (don't remember which) had a chunk of cable modem addresses being DDoS'd and they took responsibility and shut down the botnet doing it. In general though, private companies and universities could, but it is a huge legal risk. Governments seem uninterested. Who, exactly, has jurisdiction to install and uninstall software without the owner's permission on machines scattered across the globe?

    6. Re:Great idea, narrowly averted by clone53421 · · Score: 5, Informative

      Yes.

      They didn't exactly hijack the botnet. They just hijacked its reproductive system. RTFA.

      It spreads by a javascript which the criminals were able to inject into innocuous sites. This javascript sent visitors to an auto-generated URL which was registered by the botnet owners. This URL hosted the actual exploit which attempted to attack vulnerable visitors who landed there from the javascript. The URL changed every day, but by predicting it, the researchers were able to register domains before the botnet owners. As a result, victims of the drive-by javascript landed on the researchers' server instead of the botnet owners' servers. Needless to say, the researchers didn't attack the visitors and exploit their machines, but they did do some profiling to find out what sort of computers were hitting their server and how many of the visitors were unpatched, vulnerable boxes.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
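
The mechanism clone53421 describes above, predicting the next day's auto-generated domain and registering it before the operators do, can be illustrated with a small domain-generation algorithm (DGA). The code below is an added example, not the researchers' code and not the real Mebroot or Torpig algorithm: the hashing scheme, the alphabets, the seed constant and the sample day are all invented for illustration. The `trend_token` parameter models an external input the operators expect defenders not to know in advance (the thread mentions a character of the day's top Twitter search); `recover_seed` shows why a hard-coded constant in client-side JavaScript buys the operators nothing once the script is read.

```python
import hashlib
import re
from datetime import date, timedelta

# Alphabets for a pronounceable label: consonant, vowel, consonant, ...
# (hypothetical choices for this example, not the real malware's)
CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiou"
TLDS = ("com", "net", "biz")

EXAMPLE_DAY = date(2009, 9, 1)   # arbitrary day used by the demo below


def daily_domain(day, trend_token="", seed=0x5EED, length=10):
    """Hypothetical DGA: hash (date, external token, hard-coded seed) and map
    digest bytes onto alternating consonant/vowel alphabets plus a TLD.
    `trend_token` stands in for an input the operators expect defenders cannot
    know ahead of time; an empty token is the fully predictable case."""
    material = f"{day.isoformat()}|{trend_token.lower()}|{seed:x}".encode()
    digest = hashlib.sha256(material).digest()
    label = []
    for i in range(length):
        alphabet = CONSONANTS if i % 2 == 0 else VOWELS
        label.append(alphabet[digest[i] % len(alphabet)])
    return "".join(label) + "." + TLDS[digest[length] % len(TLDS)]


def recover_seed(day, observed_domain, trend_token="", max_seed=1 << 16):
    """Once the generator is known (it was client-side JavaScript, so the
    logic is readable), any constant small enough to brute-force can be
    recovered from a single observed (day, domain) pair. Returns None if no
    seed below max_seed reproduces the observation."""
    for candidate in range(max_seed):
        if daily_domain(day, trend_token, seed=candidate) == observed_domain:
            return candidate
    return None


def preregistration_plan(start, days, candidate_tokens=("",), seed=0x5EED):
    """Domains a defender would register to own the redirect target on each of
    the next `days` days. With an external token the defender has to cover
    every plausible token value (or wait until it is public and race the
    operators), so the daily list grows with the candidate set."""
    plan = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        plan[day] = sorted({daily_domain(day, tok, seed) for tok in candidate_tokens})
    return plan


def is_well_formed(domain, length=10):
    """Shape check: alternating consonant/vowel label of `length` and a known TLD."""
    pattern = r"(?:[%s][%s]){%d}\.(?:%s)" % (CONSONANTS, VOWELS, length // 2, "|".join(TLDS))
    return re.fullmatch(pattern, domain) is not None


if __name__ == "__main__":
    # Three days of candidates, covering three guesses for the external token.
    for day, domains in preregistration_plan(EXAMPLE_DAY, 3, ("", "a", "b")).items():
        print(day, domains)
```

The design point is the gap between the two cases: with no external input, `preregistration_plan` gives a defender an arbitrary head start; with one, the set of domains to register multiplies by the number of token guesses, or the defender must wait until the value is public and win a same-day registration race.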
    7. Re:Great idea, narrowly averted by brainboyz · · Score: 1

      They've been doing that for years. The trick is to disassemble them fast enough that the bot writers can't adapt the net to avoid your code. The other problem is it's actually illegal to do that because then you're hacking the infected machine to install your code: which is criminal computer trespass (not that charges are filed often, but the threat is there).

    8. Re:Great idea, narrowly averted by catmistake · · Score: 3, Funny

      What if that vulnerable system was responsible for something critical and hadn't been patched because the patch broke the application, for instance?

      Ah, I see you've read the Admin Handbook: "Even if your critical system has been compromised and is a zombie in some malicious botnet, do not patch the vulnerability if the patch might compromise your critical system."

      /sarcasm yes, if it's not broken, don't fix it... then again, your definition of broken appears to be broken

    9. Re:Great idea, narrowly averted by Ethanol-fueled · · Score: 1

      Apparently the job has already been delegated to the DHS/ICE who conduct clandestine international operations under the guises of thinking of the children among other things.

      Recent Slashdot article somewhat related.

      Based on the way the DHS conducts themselves at state and international borders inside or out of airports, giving them more ability to bully citizens is certainly a bad idea. In fact, the creation of the DHS was a bad idea. Soon agents will be receiving warrants to seize all of your computers because they saw that you visited The Pirate Bay or isoHunt.

    10. Re:Great idea, narrowly averted by catmistake · · Score: 3, Insightful

      This liability excuse sounds like bullshit. Who is liable for a zombie? Let's do a little metaphor:
      Rob Zombiemaster is robbing a bank. During the robbery, in a failed attempt to stop it, a guard shoots and misses Zombiemaster and hits the bank president in the head, killing him instantly, but also causing him to drop his cigarette into some flammable solvent someone was working with in the vicinity. The bank goes up in flames and burns down the whole block, killing everyone except Rob Zombiemaster and the guard. Zombiemaster escapes clean, with the money, and never killed anyone. The guard tells the authorities the tragic truth about his actions.

      With whom does the liability for this catastrophe lay? With the guard? He did kill his boss and everyone on the block except the robber, so that's a reasonable assumption, though wrong. The liability for the deaths and property destruction still rests squarely on the shoulders of the wily Rob Zombiemaster, who, upon capture, will promptly be charged with multiple counts of murder long before he's charged with mere bank robbery. The guard gets off scot-free.

      Those lawyers sound more like lazy CIOs, but with no law degree, and less balls.

    11. Re:Great idea, narrowly averted by cowscows · · Score: 1

      Sure, it certainly makes sense when you explain it out like that, but that doesn't mean that a family member of one of the innocent people who died isn't going to decide that they deserve money as compensation for their emotional pain and anguish. Zombiemaster is nowhere to be found, so they decide they're going to sue the bank, and the guard.

      I would certainly argue that the guard isn't guilty of any wrongdoing, at least from a morality point of view. But when the law considers liability, we're not talking about morality. And even if the judge ends up ruling in favor of the guard, who knows what sort of legal bills he'll have racked up in the process.

      --

      One time I threw a brick at a duck.

    12. Re:Great idea, narrowly averted by Zocalo · · Score: 2, Insightful

      I didn't say "don't fix the issue", just that there are occasions where you can't immediately apply a patch, no matter how desirable it might be. Sadly this scenario does happen from time to time and particularly so with enterprise applications, where "enterprise" is defined as "very expensive software with only a comparatively small number of customers and an even smaller group of developers". It's not just expensive, non-COTS applications either. Case in point: Microsoft's DLL Hell v2.0 issue. Equally, it's not just a Windows issue; some time ago I had a business critical manufacturing application segfault when attempts were made to run it under an updated version of the Linux kernel on a test box. Unfortunately said kernel was released to address a rather trivial exploit and we had to try and mitigate the risk as best as possible while waiting for the vendor to fix the problem.

      --
      UNIX? They're not even circumcised! Savages!
    13. Re:Great idea, narrowly averted by gmhowell · · Score: 1

      When the legal standard is tougher than the moral standard, the law is a failure, ie, prohibition of alcohol.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    14. Re:Great idea, narrowly averted by Anonymous Coward · · Score: 0

      Exactly - if they took over the botnet, they'd technically be liable for anything it does after that. Maybe kinda sorta. Lawyers get paid either way.

    15. Re:Great idea, narrowly averted by Anonymous Coward · · Score: 0

      >With whom does the liability for this catastrophe lay? With the guard?

      Yes, with the guard. The guard didn't have to pull the trigger. He made the decision to pull the trigger. It's an accident, so I don't think the guard is guilty of murder. Maybe some sort of manslaughter.

      The bank robber isn't liable for the guard's actions. It would be different if the robber put the guard in the position where it was the guard's life or the robber's life. In that case the guard would have been acting in self defence. "Preventing a robbery" isn't an act of self defence.

    16. Re:Great idea, narrowly averted by Zalminen · · Score: 1

      And similarly the culprit for the property destruction is the idiot smoking near flammable solvent - the bank president.

  8. not as bad by Anonymous Coward · · Score: 0

    but same idea, doing things in the name of science though they are illegal justifies anything. and yes hijacking a botnet is illegal if you didn't know.

    1. Re:not as bad by Anonymous Coward · · Score: 0

      Actually the experiments of the Nazis were likely legal within their jurisdiction. Law is not always the best standard to measure if something should/can be done or not "in the name of science".

      The Nazi experiments were against humanity, while trying to understand how botnets work clearly isn't. That's why it is not even remotely the same thing.

  9. Re:arrest them by conureman · · Score: 1

    I used to have a rather gruesome book detailing some of those experiments, and while I don't think a lot was gained by transplanting spare heads onto victims &c., I understand that the data from dropping "test subjects" into ice water to see how long it took them to die has been quite valuable for things like Naval Air rescue planning. Always look on the bright side, mate.

    --
    The cost of that cleanup, of course, will be borne by taxpayers, not industry.
  10. Re:arrest them by jdgeorge · · Score: 3, Funny

    It's the principle of the thing. Botnet creators are entitled to a reasonable expectation of privacy, under the law, right? Besides, if it were YOUR botnet they were infiltrating, you would be pissed, too.

  11. Re:arrest them by Anonymous Coward · · Score: 0

    It is exactly the same thing for those of us with boundary issues, or anyone trying to argue in good faith. I happen to be both. I don't give a damn about human suffering--I do care that "scientists" appear to get a free pass to circumvent the law--which is clearly the point the person was making.

    You might want to say we should address the issue and not compare the two--one being supposedly horrible. Fine...all well and good. But at the core, you have just run an argument by appeal to emotion...that is to say...you have failed to make a correct argument.

    It isn't law if one group gets to ignore it and another is punished--it's privilege. The same privilege exerted by the group that already Godwinned this debate--the claim that they were above the law because they did it for a good reason.

  12. No law broken here by doug141 · · Score: 1

    RTFA. Researchers registered domains that were next in line to receive messages from the infected machines, and listened to what was coming in.

  13. Go after the software companies by dmomo · · Score: 4, Informative

    Often, these bot nets are designed to install software for commission. The company paying the commission should be held accountable. They can play dumb and claim that they didn't know it was being installed in this manner, sure. But it would be fairly simple to make it so the installed software makes itself known to the user. It would be fairly simple to make it easy to un-install as well.

    I know there are ways around it. But, it'd be great to see the companies selling the products that are making revenue to be accountable. They are enabling it. And they know it.

    1. Re:Go after the software companies by AlexBirch · · Score: 2, Interesting

      You could do a civil lawsuit where the burden of proof is that it's more likely that they knew than they didn't.

    2. Re:Go after the software companies by Thaelon · · Score: 2

      They are enabling it. And they know it.

      Why sugar coat it like that?

      They're paying for it. And they know it.

      --

      Question everything

    3. Re:Go after the software companies by Monkier · · Score: 1

      How does the company paying commission make money off this? Redirecting your browser to their spammy search engine, pop up ads?

  14. Re:Really? by Idiomatick · · Score: 2, Interesting

    There have been studies on how far people travel daily/weekly/monthly. To do so, the study used thousands of people's locations based on cellphones. The participants of the study were fully unaware that they were being tracked for months. At least this one isn't scary...

  15. disinfected? by Anonymous Coward · · Score: 0

    did they at least disinfect the systems? kinda seems dumb to infiltrate a botnet and not take it down.

    btw, the "unknown variable" ("The second characters of the day's most popular search term on Twitter.") can likely be subverted by working with Twitter to return some static string after determining it's part of the botnet via the HTTP request header (I doubt they are emulating a browser).

    1. Re:disinfected? by WaXHeLL · · Score: 1

      RTFA -- they hijacked the domains where the drive-by download exploits were stored, not the botnet itself.

      Also, they were emulating a browser, because the javascript based "drive-by" is 100% browser based (ie, you don't get infected if you're not browsing a compromised website).

      --
      The troll with karma.
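
WaXHeLL's point above, that the hijacked domains received browser traffic redirected from compromised pages and that the researchers profiled those visitors, is the kind of analysis a sinkhole operator does from request headers. The code below is an added example, not the researchers' code: it classifies constructed sample requests (invented hostnames and header sets, not data from the study) by operating system and browser from the User-Agent string, separates browser-like redirect victims from scripted fetches by the headers they carry, and aggregates the result. The header-based heuristic in `looks_like_browser` is an assumption for this example, not something the page describes.

```python
import re
from collections import Counter

# Constructed sample of requests a sinkhole at a pre-registered attack domain
# might log. Hostnames and header sets are invented; this is not study data.
SAMPLE_HITS = [
    {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
     "Accept": "*/*", "Accept-Language": "en-us",
     "Referer": "http://infected-blog.example/index.html"},
    {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.3) "
                   "Gecko/20090824 Firefox/3.5.3",
     "Accept": "text/html,application/xhtml+xml", "Accept-Language": "en-US,en;q=0.5",
     "Referer": "http://infected-shop.example/"},
    {"User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) "
                   "AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9",
     "Accept": "*/*", "Accept-Language": "en-us",
     "Referer": "http://infected-blog.example/index.html"},
    {"User-Agent": "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) "
                   "AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.22",
     "Accept": "*/*", "Accept-Language": "en",
     "Referer": "http://infected-shop.example/"},
    # A scripted fetch (scanner or crawler), not a redirected victim.
    {"User-Agent": "Python-urllib/2.6", "Accept": "*/*"},
]

WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP", "5.2": "Windows XP x64/2003",
              "6.0": "Windows Vista", "6.1": "Windows 7"}


def parse_os(ua):
    """Map the platform token of a User-Agent string to an OS name."""
    m = re.search(r"Windows NT (\d\.\d)", ua)
    if m:
        return WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1))
    m = re.search(r"Mac OS X (\d+)[._](\d+)", ua)
    if m:
        return f"Mac OS X {m.group(1)}.{m.group(2)}"
    if "Linux" in ua:
        return "Linux"
    return "unknown"


def parse_browser(ua):
    """Identify browser family and version; order matters because Safari and
    Firefox strings also contain Mozilla/Gecko tokens."""
    m = re.search(r"MSIE (\d+\.\d+)", ua)
    if m:
        return "MSIE " + m.group(1)
    m = re.search(r"Firefox/(\S+)", ua)
    if m:
        return "Firefox " + m.group(1)
    m = re.search(r"Version/(\S+) Safari/", ua)
    if m:
        return "Safari " + m.group(1)
    return "unknown"


def looks_like_browser(headers):
    """Heuristic (an assumption of this example): a drive-by victim arrives via
    a browser redirect, so it carries a Referer (the compromised page) and the
    Accept headers a real browser sends; scripted fetches usually lack these."""
    required = ("Accept", "Accept-Language", "Referer")
    return all(h in headers for h in required) and \
        parse_browser(headers.get("User-Agent", "")) != "unknown"


def classify_hit(headers):
    ua = headers.get("User-Agent", "")
    return {"os": parse_os(ua), "browser": parse_browser(ua),
            "victim_like": looks_like_browser(headers),
            "referer": headers.get("Referer")}


def summarize(hits):
    """Victim count, OS share among victims, and which compromised pages
    (Referers) are feeding the redirect."""
    victims = [v for v in (classify_hit(h) for h in hits) if v["victim_like"]]
    os_counts = Counter(v["os"] for v in victims)
    total = len(victims) or 1
    return {"victims": len(victims),
            "os_share": {k: n / total for k, n in os_counts.items()},
            "referers": Counter(v["referer"] for v in victims)}


if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        print(classify_hit(hit))
    print(summarize(SAMPLE_HITS))
```

The Referer tally is the operationally useful output: it lists the compromised legitimate sites whose injected script is sending visitors, which is what a sinkhole operator would hand to those sites' administrators.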
  16. Re:arrest them by Nadaka · · Score: 0, Troll

    http://slashdot.org/comments.pl?sid=1393007&cid=29649223&art_pos=1

    Yes, they actually did commit a crime. and yes I did RTFA. They reverse engineered the algorithm of the js package. That algorithm was essentially copy protection aka DRM. This is a federal felony under the DMCA.

  17. I was just thinking that myself by phorm · · Score: 1

    I'm not sure how many of these "companies" have a solid US presence, but there are plenty of scummy ones like those "antivirus 2009" and the like (which fake an infection to then sell you fake antivirus software to remove it). I believe a lot of these are run by offshore outfits from Russia, etc but I wouldn't be surprised to see a bunch of local companies complicit with them as well.

    Somebody nailing them would make me a very happy person, more than when I managed to catch them trying to spoof my own site(s) with URLs for their infectoware products and got a few high-level domain names yanked away from them...

    1. Re:I was just thinking that myself by thejynxed · · Score: 1

      RBN - Russian Business Network. That's a good chunk of who is behind those.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  18. This could be avoided. by hesaigo999ca · · Score: 3, Interesting

    Think of all the illegal copies of Windows... now imagine that overnight they were to offer a special deal for those with an illegal copy of Windows: buy a license from us for 6 months at $50,
    renewable every 6 months after that... at least everybody and their grandmother would get the first 6 months, get their updates, be rid of 90% of viruses and problems, getting rid of 3/4 of the botnets out in the wild, and then when it came to the next 6 months, Microsoft would have made their money already; the people will probably revert back to being non-legal, with no ill effects, except for those talked into keeping their copies legit for further patches. The people that did buy legal copies would not have anything to bitch about, as these were not legit copies and revert back to being bad people... which most owning a legit copy do not want to be branded...
    everybody wins.

    1. Re:This could be avoided. by Anonymous Coward · · Score: 0

      however, those with "illegal" copies of windows won't pay $60 for 6 months of a license. They'll just keep their "illegal" copy and go on their way.

      The fix, is for msft to actually send out the updates without nagging updates saying your computer is not registered/licensed and thus is susceptible to being infected with a botnet.

      Don't blame the computer user, blame the software provider.

    2. Re:This could be avoided. by Judinous · · Score: 2, Insightful

      I'm not sure what planet you're from, but around these parts, pirated copies of Windows pass WGE checks just fine.

    3. Re:This could be avoided. by theArtificial · · Score: 3, Funny

      Windows Genuine Exploits?

      --
      Man blir trött av att gå och göra ingenting.
    4. Re:This could be avoided. by Anonymous Coward · · Score: 0

      Windows Geniuine Edvantage?

    5. Re:This could be avoided. by hesaigo999ca · · Score: 1

      care to share, I have yet to find one that does,
      but if you say there is, I would be very glad to know how to get one.

  19. Re:arrest them by clone53421 · · Score: 1

    Oh, you weren't trying to be funny? "legally copyrighted software produced by bot net authors"? How exactly did they copyright anything, and how was it legal?

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  20. Re:arrest them by Nadaka · · Score: 0, Troll

    All creative works (software included) are under copyright from the moment they are published under US law (most other western nations as well).

  21. Re:arrest them by Nadaka · · Score: 1

    oh... sorry about the multiple replies, I didn't notice that you were the parent author for both posts.

    I am pointing out that it is a crime, not that it should be a crime.

  22. Wow... by jbezorg · · Score: 1

    so universities can break the law but common criminals can't? reminds me of nazi/japanese experiments on humans in the name of 'science'.

    Wow... you put the "Hyper" in hyperbole.

    I think you pulled enough G's ( unit: Godwin ) there to create a cognitive singularity.

    --
    I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
  23. And now for something completely different... by Impy+the+Impiuos+Imp · · Score: 1

    > "Researchers...hijacked the Mebroot botnet for about a month and used it to study
    > drive-by downloading...The team, who previously infiltrated the Torpig botnet,

    now intends to infiltrate Borg-infested systems by following a Borg cube as it travels Borg territory, under the assumption they'll be ignored indefinitely as a non-threat.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  24. Re:Really? by poopdeville · · Score: 2, Informative

    +5 Insightful really? To legally intercept and record conversations of suspected criminals in the USA you need a judge to issue a fucking warrant. I am not a lawyer but I don't think I need to be to make that statement. (Oh and please don't try and quote Patriot Act shit on this, it will just make me laugh)

    No, you DON'T need a warrant to record private conversations of suspected criminals (or anybody), unless you are a government official acting in a capacity of law enforcement.

    Private citizens can record whatever the hell they want, unless there are specific laws against it. Some states require every party to consent to recording conversations. Many do not.

    --
    After all, I am strangely colored.
  25. Re:arrest them by noundi · · Score: 1

    It is exactly the same thing for those of us with boundary issues, or anyone trying to argue in good faith. I happen to be both. I don't give a damn about human suffering--I do care that "scientists" appear to get a free pass to circumvent the law--which is clearly the point the person was making.

    You might want to say we should address the issue and not compare the two--one being supposedly horrible. Fine...all well and good. But at the core, you have just run an argument by appeal to emotion...that is to say...you have failed to make a correct argument.

    It isn't law if one group gets to ignore it and another is punished--it's privilege. The same privilege exerted by the group that already Godwinned this debate--the claim that they were above the law because they did it for a good reason.

    First of all I was replying to the comment by GP, and there was no argument in this post by this AC. Secondly while the AC was trying to bind the events together I was showing how to separate them, using the exact same type of rhetoric as him. You try to sound sophisticated, yet you fail epically. And no -- a complete lack of empathy isn't a "point of view", it's called sociopathy.

    --
    I am the lawn!
  26. Hats off to the UCSB guys by benjfowler · · Score: 4, Insightful

    They have some serious cojones to be messing with dangerous organised criminals. Good on 'em and I hope they keep fighting the good fight -- and not come unstuck. They are stepping on the toes of some seriously ugly, violent people.

  27. Re:arrest them by gmhowell · · Score: 1

    My father is a doctor, and I raised this point with him. He indicated that while there were some very broad things that could be drawn from these 'studies', most of them were flawed in major ways that precluded their ongoing usefulness. In particular, he mentioned some of the Nazi studies that may have started, on the surface, to have a legitimate scientific goal, but they were quickly revealed as a means to explore the depravity of the researcher.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  28. Re:arrest them by conureman · · Score: 1

    I guess I equivocated too much. The cold water survival times were useful data, which has found purpose, but indeed the other stuff was incredible mad-scientist stuff that clearly illustrated deep derangement on the part of the psychos doing the work. I wish I still had that book, it was truly INcredible, and I'd like to show it to some of the stupid Nazi-symps in my ghetto hometown.

    --
    The cost of that cleanup, of course, will be borne by taxpayers, not industry.
  29. Reductio ad Nazium by Anonymous Coward · · Score: 0

    so universities can break the law but common criminals can't? reminds me of nazi/japanese experiments on humans in the name of 'science'.

    Really? Intercepting a botnet reminds you of experiments leading to the deaths and suffering of thousands of helpless adults and children? No I see your point, exactly the same thing.

    Dude... Why even bother to reply? This is a classic case of reductio ad Nazium, he managed to Godwin the entire discussion with the first post.

  30. Video of the Tech Talk by these Researchers Here by grendelb · · Score: 5, Informative

    Richard Kemmerer, one of the authors, gave a Tech Talk at Google titled "How to Steal a Botnet and What Can Happen When You Do." The video of the talk is available on YouTube.

  31. Re:Really? by mysidia · · Score: 1

    In the vast majority of states they cannot, at least one party to the conversation has to consent. In some states, all parties must consent.

    In those states they can... as long as they don't violate federal (or state) wiretap laws in the process.

    It generally means they can record conversations they have in a public place, but they can't hook up recording gear to the phone box outside people's houses.

    And they may be able to record conversations in a private place, using a very sensitive microphone, provided they avoid violating breaking + entering and trespass laws; they should be OK, although they may be subject to civil prosecution.

    On the other hand... if the journalist doesn't mind becoming a criminal themselves, they could choose to break any or all these laws.. once they publish the recording, it cannot easily be suppressed.

  32. Re:arrest them by mysidia · · Score: 1

    Oh hot damn... Godwinn'ed...

    I didn't even think it was possible to relate this subject to Nazis.. Mad props to you.

    But these botnet studies (at least the well done ones) are in no way similar. Most security researchers actually are very careful with their methodology, and perform their studies in a way that assures they won't cause any harm (except maybe to the botnet operator by revealing their methods, in some cases).

  33. Re:arrest them by mysidia · · Score: 2, Informative

    It's not a crime. It's a specious theory that the code the botnet authors utilize might somehow be viewed by the court as a technical measure that effectively controls access to or ability to copy a work, and that the researchers did circumvent those controls under 1201(a)(1)(A) of the DMCA.

    The belief that the malware can be considered a "publication" is in doubt. The software is non-creative, non-beneficial.

    But you have forgotten (j) Security Testing. - (2) Permissible acts of security testing. - Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

    And also, S1204(b) Limitation for Nonprofit Library, Archives, Educational Institution, or Public Broadcasting Entity: Subsection (a) shall not apply to a nonprofit library, archives, educational institution, or public broadcasting entity (as defined under section 118(g)).

    Also, failure to register as required by S 407(a), has an effect: 1208 S 408(f)(4)... If you don't register the work within 3 months of publication, you lose the right to most infringement actions, except a 106A(a) infringement (infringement of author's right to attribution and integrity).

    So by failing to register, the author loses a lot of rights.

  34. Re:arrest them by peektwice · · Score: 1

    AC does have a bit of a point in his troll. There is a certain criminal element to the "researcher's" tactics. Is it ethical to break the law to study lawbreaking?

    --
    Other than this text, there is no discernible information contained in this sig.
  35. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  36. Re:arrest them by gmhowell · · Score: 1

    All credit goes to the GP for mentioning Imperial Japan, a Godwinning on the sly.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  37. Pre register domains with patches by Mr.+Freeman · · Score: 1

    So, The researchers were able to preregister the domains that the botnet was going to use to download software. Wouldn't it be possible to upload a patch to the website (obviously formatted such that it would be downloaded and executed by the infected machines)? I think that'd be pretty damn funny and efficient. Every infected machine patching itself at once and eliminating the virus. Some of the machines wouldn't be online at the time, but any machine not online also isn't a risk.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
  38. Re:Really? by ground.zero.612 · · Score: 1

    There have been studies on how far people travel daily/weekly/monthly. To do so, the study used thousands of people's locations based on cellphones. The participants of the study were fully unaware that they were being tracked for months. At least this one isn't scary...

    I don't trust college kids, most of them today are fanbois. I don't trust the government, most of them are totalitarians, egalitarians, corporatists or socialists. That said, I trust the government officials 1000 times more than I trust some college prick.

    Where is the oversight? Where is the transparency? Which judge signed the wire tap warrant that gave these motherfuckers the legal right to spy on people? The fact is, no judge in their right mind could ever sign a broad sweeping warrant against multiple John Does, it's just not possible. Making this "study" a complete fraud, a crime, unethical, and a violation of the Constitutional rights of everyone they spied on.

    Please mod me flamebait again I really need to lower my Karma.

    --
    "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
  39. Re:Really? by ground.zero.612 · · Score: 1

    +5 Insightful really? To legally intercept and record conversations of suspected criminals in the USA you need a judge to issue a fucking warrant. I am not a lawyer but I don't think I need to be to make that statement. (Oh and please don't try and quote Patriot Act shit on this, it will just make me laugh)

    No, you DON'T need a warrant to record private conversations of suspected criminals (or anybody), unless you are a government official acting in a capacity of law enforcement.

    Private citizens can record whatever the hell they want, unless there are specific laws against it. Some states require every party to consent to recording conversations. Many do not.

    Yes you DO need a warrant to perform a wiretap. Period. A phone call, email, IM, etc, are all protected speech. I can happily arrange an experiment, one in which you illegally perform a wiretap on me, and one in which I alert the authorities of your behavior. Would you like to participate?

    --
    "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
  40. Re:Really? by ground.zero.612 · · Score: 1

    On the other hand... if the journalist doesn't mind becoming a criminal themselves, they could choose to break any or all these laws.. once they publish the recording, it cannot easily be suppressed.

    Amen. Relating to the story, apparently if you are a college student you can participate in these criminal activities and the fanbois will support you.

    --
    "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
  41. Re:Really? by Anonymous Coward · · Score: 0

    I can happily arrange an experiment, one in which you illegally perform a wiretap on me, and one in which I alert the authorities of your behavior. Would you like to participate?

    Sure, and then I'll laugh at you for your silly antics and your ignorance of the actual laws governing recording of private conversations in my state. If I'm a party to the conversation, I can record it (this is, in fact, true of most states).

  42. Re:arrest them by clone53421 · · Score: 1

    RTFA; they didn't break the law at all. They reverse-engineered an injection script, registered some attack domains before the botnet owners were able to do so, and then profiled the machines which were sent to their honeypot server by the injection script. (The script was a javascript which was somehow injected into innocuous sites by the hackers; its purpose was to redirect visitors to the actual malicious URL, which was auto-generated and different each day – but predictable, so that the botnet owners, or the researchers, could register it ahead of time and set up a server there.)

    The only questionable thing they did was to reverse-engineer the script, but since it was Javascript they already had the source code; there really wasn't any reverse-engineering (in the true sense of the term) involved. Besides which, that's already allowing DMCA protection for malicious code and somehow I don't think that would hold up in court...

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  43. Re:arrest them by clone53421 · · Score: 1

    Another thing... Javascript = source code. Obviously, if you publish your source code, people can examine it and see how it works. You really can't call what the researchers did "reverse engineering". (Nor can you call the Javascript source code "copy protection" or DRM.)

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  44. Go all the way by Alarindris · · Score: 1

    I wish these researchers would stop being pussies and destroy some of these botnets.

    Fuck the legal issues, who the hell is going to sue you for destroying a botnet?

  45. Re:Really? by poopdeville · · Score: 1

    Well, you're inviting me to record your conversation. So I'm pretty sure I will be okay. I'm game.

    --
    After all, I am strangely colored.
  46. Re:Really? by ground.zero.612 · · Score: 0

    Well, you're inviting me to record your conversation. So I'm pretty sure I will be okay. I'm game.

    Ahh, so asking you to break the law is justification for breaking the law? I see how your mind works now...

    --
    "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
  47. Re:Really? by poopdeville · · Score: 1

    You already consented to being recorded. How would I be breaking the law by recording a conversation between us?

    --
    After all, I am strangely colored.
  48. Re:Really? by ground.zero.612 · · Score: 1

    You already consented to being recorded. How would I be breaking the law by recording a conversation between us?

    I can't consent to illegal activities. Your circularly flawed logic does not compute.

    I can happily arrange an experiment, one in which you illegally perform a wiretap on me

    You are free to break the law. You are also bound by it, and may be required to suffer the consequences of doing so.

    --
    "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
  49. Re:Really? by palegray.net · · Score: 1

    Let's go back to what you said before.

    I can happily arrange an experiment, one in which you illegally perform a wiretap on me, and one in which I alert the authorities of your behavior. Would you like to participate?

    Now that's some seriously skewed logic... by you arranging the "wiretap" in question, you're directly consenting to the recording. Now, let's look at what you just said:

    I can't consent to illegal activities. Your circularly flawed logic does not compute.

    Once again, you're not consenting to illegal activity in a case where you're the one offering to arrange the event, given the fact that it would then be perfectly legal. If you're going to accuse someone of lacking basic logic skills, you should probably make sure you're not the one in need of an education.

    What is your level of formal education, anyhow?

  50. Re:Really? by ground.zero.612 · · Score: 1

    Let's go back to what you said before.

    I can happily arrange an experiment, one in which you illegally perform a wiretap on me, and one in which I alert the authorities of your behavior. Would you like to participate?

    Now that's some seriously skewed logic... by you arranging the "wiretap" in question, you're directly consenting to the recording. Now, let's look at what you just said:

    I can't consent to illegal activities. Your circularly flawed logic does not compute.

    Yes, let's run around in more circles and go back to what I said.

    I can happily arrange an experiment, one in which you illegally perform a wiretap on me, and one in which I alert the authorities of your behavior. Would you like to participate?

    As a citizen I cannot give you permission to violate the law. That means that inviting you to participate in an experiment where you commit an illegal activity in no way gives my consent for you to commit said illegal activity. For you to be correct, I would have had to have worded it not only specifically without the qualifier "illegally," but also without the word "experiment." So, it would have looked more like the following sentence:

    I can happily arrange for you to perform a wiretap on me, would you like to?

    That would be an invitation and consent to do a wiretap, not an invitation and consent to break the law.

    Once again, you're not consenting to illegal activity in a case where you're the one offering to arrange the event, given the fact that it would then be perfectly legal.

    Once again, you are trying to use your circularly flawed logic, but as I said before it does not compute.

    If you're going to accuse someone of lacking basic logic skills, you should probably make sure you're not the one in need of an education. What is your level of formal education, anyhow?

    3 years of technical college for computer programming (Fortran/Pascal/C/C++), 2 years of community college for mathematics (calculus), English, and Japanese, and 1 year of university for Japanese.

    I very easily see your circular logic. I can, in fact, write your argument compared to mine in pseudo code to prove that yours is basically a silly infinite loop.

    --
    "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck