Slashdot Mirror


Researchers Take Down a Spam Botnet

The Register is reporting on the takedown of a botnet once responsible for 1/3 of the world's spam. The deed was done by researchers from the security firm FireEye, who detailed the action in a series of blog posts. PC World's coverage estimates that lately the botnet has accounted for 4% of spam. From the Register: "After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. ... Almost immediately, the spam stopped, according to M86 Security blog. ... The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change. ... With [the] head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control..."

207 comments

  1. good work by HalifaxRage · · Score: 1

    now get going on the other 96%

    --
    bomb the us up set someone
    1. Re:good work by Romancer · · Score: 1

      So it took them how long between the time it was generating 30% and now when it is generating 4%?

      That's a little too late guys.

      --


      ) Human Kind Vs Human Creation
      ) It'd be interesting to see how many humans would survive to serve us.
    2. Re:good work by socceroos · · Score: 1, Interesting

      I'd like that too. Although, my IPCOP firewall with CopFilter installed has been killing 99.92% of the spam coming into our network. Really pleased with it.

      On a more related note, would this be classed as vigilante justice? Justified?

      I think it's a cool idea for universities with security classes to study this kind of thing and 'bring it down - safely' as a project. I know I'd enjoy it.

    3. Re:good work by calmofthestorm · · Score: 3, Insightful

      It'd be a great project, though you do want to be careful, some of these viri are designed to do harm if disabled improperly, and some of these computers could be in situations where their failure could cause the loss of lives.

      Again, not saying don't do it...saying do it carefully.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    4. Re:good work by socceroos · · Score: 1

      I heartily agree. Hence the 'safely' part. =)

      Identifying exactly what is infected and where would be a colossal task. Especially when you consider that you have to identify 'mission critical' hardware.

    5. Re:good work by Lennie · · Score: 4, Interesting

      You obviously don't work for an ISP, we have to drop SMTP-connections on everything which looks too much like a bot just because of the large number of connections that we get, so we're able to have the legit connections and because scanning all the content would just be too much to handle.

      You would be amazed at the volumes of e-mail ISPs get. More than 98% of it is crap you don't want to receive.

      --
      New things are always on the horizon
    6. Re:good work by socceroos · · Score: 1

      Yeah, the Australian ISP that we go through (Telstra) actually forces everyone to use their SMTP servers to send email. According to a friend that works there, they do scan all these emails for spam content (can't confirm). I absolutely loathe it. Although that doesn't stop anyone outside the country sending spam in.

    7. Re:good work by jamesh · · Score: 1

      some of these viri are designed to do harm if disabled improperly, and some of these computers could be in situations where their failure could cause the loss of lives.

      If you have a computer that could fail in such a way that lives could be lost, and the computer is in a situation where it has enough connectivity to the internet to form part of a botnet, then all bets are off anyway.

      IMHO, the best way to resolve the botnet is to overwrite the bootsector (but not the partition table) and do a hard reboot. Easy to recover from and minimises the further damage that could be done. Also resolves the "lives could be lost" problem.

    8. Re:good work by sanso999 · · Score: 1

      I love how, in the midst of this tech talk, there is comparison being made between 1/3 and 4%. Reminds me of that problem with the space craft and metric.

    9. Re:good work by Fulcrum+of+Evil · · Score: 2, Insightful

      you are suggesting that someone hooked up a life critical system to the public internet? That in itself should be a felony.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    10. Re:good work by MadnessASAP · · Score: 1

      Well 1/3 is hard to express as a percentage.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    11. Re:good work by Falconhell · · Score: 1

      Approximately 33.3% is SO difficult to write after all!

    12. Re:good work by Ash+Vince · · Score: 1

      It'd be a great project, though you do want to be careful, some of these viri are designed to do harm if disabled improperly, and some of these computers could be in situations where their failure could cause the loss of lives.

      Well then hopefully harm will be done, and users whose machines have been sending me spam for the past three years will lose a shitload of data and learn to implement better security in future. Sorry, but I really do think the only way people learn to adopt a more responsible attitude to IT security is when it is thumped into them why they should.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    13. Re:good work by techno-vampire · · Score: 1

      I have two questions: first, has what they're doing put a significant dent into the load of spam originating in Australia? Second, is the delay caused by scanning small enough not to be an issue? If the answers to both questions are "yes," I see no problem with it. If not, what problems do you find it causing?

      --
      Good, inexpensive web hosting
    14. Re:good work by calmofthestorm · · Score: 1

      Oh indeed. But guess what: They are. Maybe in the obvious stupid way, maybe it's a computer that used to be an office machine and got repurposed (intentionally or accidentally) without a reimage. Maybe there's a firewall snafu.

      Although loss of life is the obvious example of oh-shit resulting from computer failure, there are many, MANY situations where it could lead to tremendous loss of capital (remember back when the LSE went down for a day due to using MS software a few months ago?)

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    15. Re:good work by interkin3tic · · Score: 1

      some of these viri are designed to do harm if disabled improperly, and some of these computers could be in situations where their failure could cause the loss of lives.

      Wow. What is the motivation behind this? Hoping that people will be afraid to run cleanup on their infected computers, keeping the botnet from shrinking? Some bullshit like "my victims deserve to be screwed over so I'm going to make sure to do as much damage after I'm done with them?"

    16. Re:good work by socceroos · · Score: 1

      But that's only approximate! Expressed as 1/3 ensures there is no room for error when calculating.

    17. Re:good work by socceroos · · Score: 1

      The motivation? I've heard it described by some friendly 'hackers' as, and I quote, "for the lols".

    18. Re:good work by calmofthestorm · · Score: 1

      Not always intentionally so designed, though that can be a cause. The crippling effects are just as often a result of the elaborate things viri do to hide themselves and prevent removal.

      For example, suppose a virus is designed to patch a system DLL so that it includes a copy of the virus. Now suppose that the patch basis it's using disagrees from the current version of the DLL. GNU Patch would refuse to do the patch if it couldn't be done safely, but the viruses doing binary patches on DLLs may not be so concerned with data integrity.

      Similar nastiness in the registry, and you can have a system failure waiting to happen. And with Windows, even modern ones, many failure types are sufficient to crash the system.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    19. Re:good work by Interoperable · · Score: 2, Insightful

      Right...because the botnet was measured to be producing precisely 1/3 of the world's spam. I suspect that the original estimate was sufficiently inaccurate that more than one significant figure would not really be justified, let alone an exact value.

      --
      So if this is the future...where's my jet pack?
    20. Re:good work by socceroos · · Score: 1

      It has caused email systems to be slower, yes. Emails that would otherwise arrive instantly are actually taking minutes, and on some rare occasions, hours to traverse the tubes to their intended destination. Plus, personally I don't like ISPs grabbing control of my email and 'scanning for spam'. Paranoia? Maybe, but I'd rather be on the safe side.

    21. Re:good work by sjames · · Score: 1

      I would argue that if the system is THAT critical, it should have been kept virus free. The fact that it's part of a botnet could be taken to mean the owner doesn't particularly care if it fails somehow. Those of us who actually bother to look in on our servers from time to time are really tired of "OMG the indoor dog potty" and such coming from those who don't.

    22. Re:good work by socceroos · · Score: 1

      Check.

      I'm going to fall back to my backup argument: writing 1/3 is easier and quicker than writing 33.3%.

    23. Re:good work by Anonymous Coward · · Score: 0
      Identifying exactly what is infected and where would be a colossal task.

      Why not take down the source?

    24. Re:good work by Anonymous Coward · · Score: 0

      1/3 is 0.3 (30%). Or did you fail college chemistry and the significant digits exercises?

    25. Re:good work by Tynin · · Score: 1

      Comically, not scanning for spam can cause spammers to recognize your servers are a safe haven, and the amount of spam can rise. As the amount of mail rises, the time it takes to process it goes up and delays occur. Putting in a spam filtering/scanning solution shouldn't increase the time it takes to get through the system by all that much and should decrease the levels of spam you get. Obviously it could have even bigger slow downs in the filtering/scan solution given a large enough amount of spam, but generally these solutions are set up in rather large clusters of servers to handle the load or at least that is my experience.

      Having worked at a major hosting provider and a few ISPs, it was simply staggering how much spam would come through. It is hard to make email instant at a company level, it is crazy hard to make email instant when you host hundreds of thousands of domains who use you for their MX. Staggering... is such an understatement.

      Anyhow, don't want your ISP's mail server logic screening through your email? Set up your own mail server, and welcome to the world of personally managing your own spam hell.

    26. Re:good work by socceroos · · Score: 1

      They don't scan incoming mail, only outgoing mail from any client connected to their network.

      This is a key point.

      They don't actually filter all your incoming mail for you for spam content, they only check all the mail you send from your mail server or any of your mail clients.

      I do actually maintain an email server for the company I work for. The amount of spam that is blocked daily from getting into our network (blocked at the perimeter by IPCop) is truly amazing. And that's only for an average SMB.

    27. Re:good work by MadnessASAP · · Score: 1

      Ahhh... touche, at least someone else here is thinking.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    28. Re:good work by Kalriath · · Score: 1

      Because, dumbass, then we'd just have more OSX viruses. And we all know how fast Apple is at fixing flaws.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    29. Re:good work by Kalriath · · Score: 1

      For example, suppose a virus is designed to patch a system DLL so that it includes a copy of the virus. Now suppose that the patch basis it's using disagrees from the current version of the DLL. GNU Patch would refuse to do the patch if it couldn't be done safely, but the viruses doing binary patches on DLLs may not be so concerned with data integrity.

      Funnily enough, that's exactly why Blaster resulted in so many crashes - it was written to patch the RPC Subsystem, and on virtually every copy of Windows current at that time it patched with the wrong addresses (as the library was updated between the time of the virus writing and its release), causing the service to crash. When it crashed, Windows would immediately initiate a reboot, as the RPC service is considered critical.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    30. Re:good work by Anonymous Coward · · Score: 0
    31. Re:good work by Tynin · · Score: 1

      Ah, the bastards. Well, at least they are likely keeping their network from spewing spam out to the world. But I agree with your paranoia, they wouldn't need to scan your outgoing mail to determine spam, just monitoring network traffic patterns (although I guess a low intensity spammer could avoid detection). Thanks for the clarification.

    32. Re:good work by Anonymous Coward · · Score: 1

      1/3 is 0.3 or (30%)

      1/3 + 1/3 + 1/3 = 3/3 or 1
      0.3 + 0.3 + 0.3 = 0.9.

      So... 1 = 0.9?

      Did I just fail?

    33. Re:good work by fizzer06 · · Score: 1

      It's been a long time, but isn't it something like "33.33333%" with the last couple of 3's having a bar above them? (I don't know how to duplicate that on my keyboard).

    34. Re:good work by Verdatum · · Score: 1

      I notice that the article is tagged with "vigilante". While we're at it, let's go the next step:

      "What are you!?!"

      "I'm Botman."

    35. Re:good work by shentino · · Score: 1

      Whoopdedoo, now we have high tech learning how to take hostages.

      Don't negotiate with terrorists.

      I hear that abductions in China (by non government entities at least) are rare because the Chinese authorities are ruthless and give no quarter, so the bad guys know they can't win just by taking a hostage.

    36. Re:good work by shentino · · Score: 2, Insightful

      How much of it actually passes an integrity/authorization check like dkim or spf?

      Maybe if those were made more widespread we could do a good bit better job tracing and jailing these bastards... ...or blacklisting accomplice ISPs that don't give a rat's arse about the spam they are sending.

      Forgery allows spammers to operate anonymously.

    37. Re:good work by socceroos · · Score: 1

      Thank you, sir, for clarifying my light hearted point.

    38. Re:good work by Anonymous Coward · · Score: 0

      First viruses, then virii, and now, viri. Just say virus. Virus is an uncountable word. Virus was originally thought to be a liquid that caused disease.

    39. Re:good work by Anonymous Coward · · Score: 0
      OSX: 113 threats found.

      Linux: 33 threats found.

      Windows: 100,000+ threats found.

    40. Re:good work by Phroggy · · Score: 1

      Just on my tiny little server I run at home for a handful of friends and family, with one single domain, I block an average of 416 SMTP connections per day based solely on DNSRBLs plus another 876 per day based on a slew of custom rules I've developed. After that, SpamAssassin blocks 82 messages per day and quarantines 48 more.

      That's something in the neighborhood of one spam attempt EVERY MINUTE of every day, 24/7/365, on a tiny little personal server hosting only one domain for a small handful of users.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    41. Re:good work by Anonymous Coward · · Score: 0

      Hmm.. about proportional to their respective market shares...

    42. Re:good work by Anonymous Coward · · Score: 0

      It breaks SPF which IMHO is a good anti spam practice for many domains.

      If my ISP started intercepting email from my server then I'd have to put all their servers in my SPF records. Then any one of Telstra's users could pretend to be my domain.

      While SPF has many problems the main ones are:
      1) List expanders pretending to be the originating user.
      2) Or are due to ISPs stopping SMTP getting to the correct relay.

      Sort of is a chicken and egg problem. ISPs need to protect users who run bots from damaging their reputation but then the users can't get to the mail server that is authoritative regarding the email because the ISP is in the way.

    43. Re:good work by simoncpu+was+here · · Score: 1

      Yes, that's correct. "For teh lulz."

    44. Re:good work by mpe · · Score: 1

      Yeah, the Australian ISP that we go through (Telstra) actually forces everyone to use their SMTP servers to send email. According to a friend that works there, they do scan all these emails for spam content (can't confirm).

      Which means they also provide a service for spammers to find out what is likely to get through spam filters. (Or at least through Telstra's).

    45. Re:good work by Anonymous Coward · · Score: 0
      You seriously can't do the math yourself?

      No wonder you pay the Microsoft tax.

    46. Re:good work by houghi · · Score: 1

      Not instantly, but minutes and sometimes hours? Kids these days. Look up the SMTP protocol. It is not intended to be an instant messenger. There are even almost standard responses after certain times. First it says NOT to re-send the message, but the system is still trying (which causes people to re-send the email immediately) then after 4 days of trying at different intervals, it will tell you it won't be able to send the message.
      That is if all seems to be well. Otherwise other messages arrive.

      Email is like electronic-mail. Mail is not intended to be instant. It needs to be processed. If you want messages instantly delivered, you should use something that is intended to be used for instant messaging.

      --
      Don't fight for your country, if your country does not fight for you.
    47. Re:good work by Anonymous Coward · · Score: 0

      At my 1000 user site, we get up to 200000 bad messages dropped on connection, daily.

    48. Re:good work by Rick+the+Red · · Score: 1

      So, what happened? Did its volume drop from 33.3% to 4%, or did its volume stay the same and the total spam problem got that much larger?

      --
      If all this should have a reason, we would be the last to know.
    49. Re:good work by Anonymous Coward · · Score: 0

      yup
      in fact, 3 digits, with the bar, is quite enough.

    50. Re:good work by promythyus · · Score: 0

      Well done, you just explained one of the most repeated maths "wtf" moments in history.

    51. Re:good work by Erik+Hensema · · Score: 1

      How do you determine an smtp connection to be 'too much like a bot'? I'm genuinely interested because I'd like to be able to do that too.

      --

      This is your sig. There are thousands more, but this one is yours.

    52. Re:good work by CmdrGravy · · Score: 1

      No chance.

      Guess what, people designing systems on which people's lives actually directly depend do not simply rip out some old box from an office when they need a new server.

      Likewise any system like the stock exchange, in situations like that companies don't care how much money they throw at stuff and since it's their money they're going to be losing if it goes wrong they are generally very careful indeed about randomly hooking up critical infrastructure to the internet.

    53. Re:good work by Anonymous Coward · · Score: 0

      Verizon does the same thing for DSL and FiOS here in the US.

    54. Re:good work by Random5 · · Score: 1

      The problem is this is no longer consistent with how people use email. I'm well aware of how SMTP was designed, but these days people have an expectation of an email arriving within 5 minutes and it tends to disrupt business processes when it takes any longer than this.

    55. Re:good work by Random5 · · Score: 1

      (oops).... and there is no good replacement for it that is instantaneous. If an email is not arriving in my experience most people will send a fax, because they know as they send it that within 5 minutes it will either be there or they'll get an error from the originating fax machine.

      No instant messaging services (at least none that I've heard of) provide easy sending of attachments (usually they require a direct connection between the PCs running the software which is difficult in the land of NAT and firewalls), they only support a couple of sentences of text and most importantly they do not allow you to communicate with someone who you have not communicated with before easily.

      Google Wave is close to what's needed here (it's very instantaneous, supports attachments, advanced formatting, communicating with anyone whose Google Wave address you know even if they haven't got you on their contacts list etc...)

      We need an upgrade of the delivery and read verification use and handling - say light up emails blue in the 'sent items' folder once they've been received by the recipient's server, then green once they've been read. Have a combination indicator where there are multiple recipients and highlight their names in these colours in the To field when you check the email. The current implementation in Outlook is horrible and not very supported among other email providers.

    56. Re:good work by Random5 · · Score: 1

      You don't think spammers are capable of doing this anyway? I guarantee you they're already doing this for every major webmail provider out there.

    57. Re:good work by Alioth · · Score: 1

      Think yourself lucky. On my personal email address alone, I hit a new record on Tuesday - 1219 spam emails in just one day, to just one account. The amount of spam for the last few months has really started to climb rapidly, I expect that I'll be getting in excess of 2000 spam emails to this one account per day within 4 months.

      Fortunately, SpamAssassin catches all but a very small handful.

    58. Re:good work by Anonymous Coward · · Score: 0

      My compliments to Telstra. If every ISP did this it would pretty much end spam.

    59. Re:good work by NotBornYesterday · · Score: 1

      1 = 0.9 only for very small values of 1.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    60. Re:good work by Anonymous Coward · · Score: 0

      If you have a computer that could fail in such a way that lives could be lost, and the computer is in a situation where it has enough connectivity to the internet to form part of a botnet, then all bets are off anyway.

      But, my pacemaker runs off software on my Windows Mobile phone, and it has to be online at all times else the pacemaker limited warranty expires!

    61. Re:good work by badevlad · · Score: 0

      Wow! I asked myself: "Why am I receiving much less SPAM this year than several years ago?" Now I have the answer. Thank you, Good Guys!

    62. Re:good work by sabt-pestnu · · Score: 1

      Sadly, it does happen that computers that are on critical care monitoring systems get infected.

      One example? A stand-alone system (or connected to internal LAN *only*). Someone brings their USB key in with the latest video from YouTube. Voila. If not the video itself, then the USB key.

    63. Re:good work by Jared555 · · Score: 1

      Lots of hospital computers are not life critical but could significantly increase the risk of someone dying if they fail. The networked machines that an ICU has that show every person's vitals (I think some hospitals have this on big screens above the nurses station similar to how NOC employees monitor their networks) could fail without someone dying, but you now have to manually go and check every system every so many minutes taking time away from treating patients.

      I believe similar monitoring is done in normal hospital rooms anymore depending on the hospital. You may not hear the alarm on the heart monitor when the nurses station is 200 feet away and the door is closed. Many of these systems are networked so that those same nurses/doctors can pull up test information (even MRI or X-Ray results) sometimes even as the tests are being done. Not every facility has the budget to maintain 2 or more completely isolated networks.

      The system that was in my hospital room last time (surgical recovery) was a wireless networked laptop (windows xp) that they used to verify medications/patient arm bands/etc. If this would fail, do they have backup systems (paper), probably if they are up to date with the computers. Is it going to increase risk of human error, especially with staff who are used to relying on the computer systems, yes.

      The point of this massive post is, even if the system itself failing doesn't mean someone is going to die as a direct result, in a hospital there is a pretty good probability that it could significantly increase the risk of someone dying because they couldn't have a CAT scan done because the computer crashed, etc.

    64. Re:good work by Jared555 · · Score: 1

      The fun part is not just the people designing the medical equipment can be at fault. (Computers just running software that interacts with the equipment, etc. can be almost as life critical as the equipment itself.)

      I am almost positive the MRI machines at one nearby hospital are at least indirectly connected to the internet as they can send the results through the network to whoever ordered the test, even while the test is being done. I could see a plus as long as this is done correctly as the company that manufactures or maintains the equipment could have their own monitoring in place to detect early warning signs of failure (or over irradiation in the case of x-ray and CAT machines, from an earlier article)

    65. Re:good work by Jared555 · · Score: 1

      The point isn't loss of data, it is loss of the lives of people who had nothing to do with the security of the systems.

    66. Re:good work by Ash+Vince · · Score: 1

      If anyone responsible for a machine that is crucial to keep someone alive lets the PC get infected with malware they are so inept I do not even want to think about it. This is just not a realistic situation apart from in a 1 in a million corner case of the utmost stupidity.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    67. Re:good work by sglines · · Score: 1

      I can attest to the volume of junk passed as email. I've had the same email address since the early 1990s. I get ~30 legitimate emails a day. My filters (SpamAssassin, RTBLs and iptables - yes I run Linux) reject between 3,000 and 8,000 emails every day.

    68. Re:good work by DaVince21 · · Score: 1

      But that's not 1/3rd, it's just an approximation!

      --
      I am not devoid of humor.
    69. Re:good work by DaVince21 · · Score: 1

      Unfortunately, the reply from FireEye is that it would be illegal, even if there are "good" intentions behind it, so they won't be doing it.

      --
      I am not devoid of humor.
    70. Re:good work by Lennie · · Score: 1

      The spammers were the first to adopt dkim/spf and put in DNS some of the IP-addresses of the botnet.

      --
      New things are always on the horizon
    71. Re:good work by Lennie · · Score: 1

      We use a scoring system, we have a number of checks on the systems which only mailservers should be talking to, like:
      - is the SMTP-client adhering to the standard. using an EHLO/HELO and is the hostname used with the HELO a FQDN
      - is the IP-address on a number of DNS-BL's
      - is the IP-address sending a lot of messages in a _very_ short time
      - does the FQDN match with the rev. DNS hostname of the IP-address
      - does the IP-address have a dynamic IP-address in the rev. DNS hostname, like 123.123.123.123.dyn.dsl.provider

      if the score is too high, throw it at greylisting, if everything seems mostly ok, let it try to deliver a message.

      have a look at: postfix, postfwd and postscreen

      We don't use postscreen yet, but we will add it later. Postscreen also checks what spamd from OpenBSD already can do for years: is the SMTP-client waiting for replies from the SMTP-server. And similar checks. If not, it's probably a spammer just trying to stream all the SMTP-commands as fast as possible.

      I think that's enough to get started. :-)

      --
      New things are always on the horizon
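
An added example, not part of the post above and not the poster's ISP configuration or postfwd's own rules: the five checks listed in that comment, combined into a score that decides between greylisting and delivery. The weights, threshold, burst limit, the `dnsbl.example` zone and the DNS data are all assumptions constructed here so the code runs offline.

```python
import re
from collections import defaultdict, deque

# Assumed weights and limits; the comment above does not give any.
WEIGHTS = {
    "no_helo": 4,             # client never sent EHLO/HELO
    "helo_not_fqdn": 2,       # HELO name is not a fully qualified domain name
    "dnsbl_listed": 4,        # IP address is on a DNS blocklist
    "burst": 3,               # many messages in a very short time
    "helo_rdns_mismatch": 2,  # HELO name differs from the reverse-DNS name
    "dynamic_rdns": 3,        # reverse-DNS name looks like a dynamic/access pool
}
GREYLIST_THRESHOLD = 5
BURST_WINDOW_SECONDS = 10
BURST_LIMIT = 20
DNSBL_ZONE = "dnsbl.example"  # hypothetical zone name

# Constructed stand-ins for live DNS answers (RFC 5737 documentation addresses).
SAMPLE_DNSBL = {"45.113.0.203.dnsbl.example"}
SAMPLE_RDNS = {
    "192.0.2.10": "mail.example.org",
    "203.0.113.45": "45.113.0.203.dyn.dsl.provider.example",
}

FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
DYNAMIC_WORDS = re.compile(
    r"(?:^|[.-])(?:dyn|dynamic|dsl|adsl|dhcp|pool|ppp|cable)(?:[.-]|\d|$)",
    re.IGNORECASE,
)


def is_fqdn(name):
    """True for names like mail.example.org; False for 'localhost' or '[1.2.3.4]'."""
    return bool(name) and FQDN_RE.match(name.rstrip(".")) is not None


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBLs are queried by reversing the IPv4 octets and appending the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def looks_dynamic(rdns, ip):
    """Heuristic: pool keywords, or all four octets of the IP embedded in the name."""
    if not rdns:
        return False
    if DYNAMIC_WORDS.search(rdns):
        return True
    return set(ip.split(".")) <= set(re.findall(r"\d+", rdns))


class BurstTracker:
    """Sliding-window count of messages seen per client IP."""

    def __init__(self, window=BURST_WINDOW_SECONDS):
        self.window = window
        self.seen = defaultdict(deque)

    def record(self, ip, now):
        q = self.seen[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)


def score_client(ip, helo, recent_count, dnsbl=SAMPLE_DNSBL, rdns_table=SAMPLE_RDNS):
    """Return (score, reasons). helo is None when the client sent no EHLO/HELO."""
    hits = []
    rdns = rdns_table.get(ip)
    if helo is None:
        hits.append("no_helo")
    elif not is_fqdn(helo):
        hits.append("helo_not_fqdn")
    if dnsbl_query_name(ip) in dnsbl:
        hits.append("dnsbl_listed")
    if recent_count > BURST_LIMIT:
        hits.append("burst")
    if helo is not None and (
        rdns is None or helo.rstrip(".").lower() != rdns.rstrip(".").lower()
    ):
        hits.append("helo_rdns_mismatch")
    if looks_dynamic(rdns, ip):
        hits.append("dynamic_rdns")
    return sum(WEIGHTS[h] for h in hits), hits


def decide(score):
    """Too high a score goes to greylisting; otherwise the client may deliver."""
    return "greylist" if score >= GREYLIST_THRESHOLD else "accept"


if __name__ == "__main__":
    tracker = BurstTracker()
    for ip, helo in [("192.0.2.10", "mail.example.org"), ("203.0.113.45", "localhost")]:
        score, reasons = score_client(ip, helo, tracker.record(ip, now=100.0))
        print(ip, helo, score, reasons, decide(score))
```

A single weak signal, such as a HELO name that differs from the reverse-DNS name, stays under the threshold, so a misconfigured but legitimate server is not greylisted on that alone.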
  2. Any more? by SatanClauz · · Score: 1
    Are there any more that have been taken down? This is honestly the first I've ever heard of!

    Now, part two: I don't know how these things work, but, why does it seem so hard to track these things down and find the source?

    1. Re:Any more? by Binder · · Score: 2, Insightful

      Well... first you have to find their command and control channels. Then you have to figure out how they work. Many times the command and control is both distributed and encrypted so it is very hard to "chop the head off"

    2. Re:Any more? by socceroos · · Score: 1

      I'm not sure it's so much about finding the source as it is figuring a fool-proof way of taking it down legitimately, legally and permanently.

    3. Re:Any more? by Monkeedude1212 · · Score: 4, Interesting

      Eh, depends what you're looking at. Other Botnets have been taken down, usually by physically arresting the hacker who started it. I'm sure that they've tried to stop other Spam Botnets before. They didn't actually STOP Ozdok, they just dented it a bit.

      It's difficult to track how these things start because essentially you've got about a million breadcrumbs to go through.

      Let's say you've got 3 computers, A, B, and C. A infects B, B infects C. There is no direct correlation between A and C, so you have to work your way all the way up the chain. Now imagine you've got a million infected PCs. Who infected who? How do you work your way backwards? There's lots of ways to do this, most simple of which is to look at the contacts and determine which of the contacts is infected. Then determine the time and date of which the infection occurred (Date Modified/Date Created on the file). Whoever was first was who infected the others.

      The problem with killing it is that it has a "multi layered fallback mechanism" - which is a fancy way of saying it replicates itself. It can do this by either having a secondary program or script copy itself back onto the infected PC when it detects the original infection is gone, or it can do this by RE-infecting any of the computers it was sent to infect in the first place.

      I hope that's enough to make you stagger and wonder exactly how much damage they could have possibly done to this botnet.

    4. Re:Any more? by Entropius · · Score: 1

      Why does it have to be done legitimately and legally?

      When the law is habitually incapable of solving a problem, it should be solved extralegally.

    5. Re:Any more? by socceroos · · Score: 1

      I tend to agree. But, this still excludes many institutions and agencies from actually being able to devote resources to such things without being fearful of the law.

    6. Re:Any more? by shentino · · Score: 1

      Especially if they have a McColo type back door to run away through.

    7. Re:Any more? by physburn · · Score: 1
      It's a major reverse engineering effort to find out how a botnet is controlled. First you'd need to get access to a computer running the bot, and get the code, decompile it, and find out where it's reporting to, then you have to take down every controlling system. Not easy, and not something done for fun. ISPs should club together and fund more security operations against botnets. Like the impressive effort in the article.

      ---

      Computer Security Feed @ Feed Distiller

    8. Re:Any more? by mpe · · Score: 1

      Why does it have to be done legitimately and legally?
      When the law is habitually incapable of solving a problem, it should be solved extralegally.


      "The law" has plenty of weapons available. As well as being able to act "creatively" when it wants to.
      If the police can raid (and shut down) a business which might be using a few too many copies of some obscure piece of software they can most certainly do the same kind of thing to the likes of McColo.

    9. Re:Any more? by LowTechSwede · · Score: 1

      It's just so sad that they don't. The cost of spam to the world must heavily outweigh the cost of copyright infringements, even if you don't happen to share my view that the true cost of most copyright infringements is zero for the owner and beneficial for the world at large. On top of that you have all the harm the botnetters cause to all those inadvertent botowners and all of us who try to protect ourselves from becoming one.

    10. Re:Any more? by VisceralLogic · · Score: 1

      I hope that's enough to make you stagger and wonder exactly how much damage they could have possibly done to this botnet.

      If you read the actual FireEye blog, it seems like they've got a pretty good handle on it...

      --
      Stop! Dremel time!
    11. Re:Any more? by GameboyRMH · · Score: 1

      physically arresting the hacker who started it.

      AKA Meatsnarfing

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    12. Re:Any more? by DaVince21 · · Score: 1

      Because FireEye doesn't want to get in legal trouble?

      --
      I am not devoid of humor.
  3. Patches? by l0perb0y · · Score: 1

    I hope they'll patch these machines. Otherwise, how long will it be before the bot wrangler just takes his net back?

    Better yet, just wipe the hard drives. The users might think harder about security if something other than their net connection gets abused.

    1. Re:Patches? by socceroos · · Score: 1

      Wiping their computers would slow things down, but it certainly wouldn't change anything. They'd be at it again as soon as they were back up and running with an OS.

    2. Re:Patches? by somersault · · Score: 2, Interesting

      Not to mention a lot of people would be seriously PISSED and you'd be in deep legal shit for messing with other people's computers.. I'm sure these guys could still face possible trouble even for just admitting they've brought down the head of the botnets, but IMO they're pretty justified to do that. Wiping people's machines, while tempting, is just a no-no. If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.

      --
      which is totally what she said
    3. Re:Patches? by SydShamino · · Score: 1

      I'm sure these guys could still face possible trouble even for just admitting they've brought down the head of the botnets

      And what exactly have they done that's illegal? They registered some domain names. They reported domain names used by spammers to their registrars, with documentation, and those registrars cut off the domains. They reported IP addresses used by spammers to their hosts, and those hosts cut off the IP addresses. They have received botnet requests at their sinkhole, but they are merely logging IP addresses, not returning commands to the botnet. They'll use the IP addresses to one-by-one have the ISPs notify their customers.

      There's no law that says you can't do any of the above things. If the botnet was written so that lack of command from a control server resulted in destruction, then the botnet creators are solely responsible. If you stopped a robber and, as a result, the robber's hostage at home died from dehydration, do you get charged with murder? No, they do.

      --
      It doesn't hurt to be nice.
    4. Re:Patches? by nneonneo · · Score: 1

      In all likelihood, they couldn't send commands even if they wanted to: modern botnets typically check incoming data against an internally held digital signature, and so forging commands is extremely difficult (basically impossible) without the private key which corresponds to the signature.

    5. Re:Patches? by Nefarious+Wheel · · Score: 1

      Not to mention a lot of people would be seriously PISSED and you'd be in deep legal shit for messing with other people's computers.. I'm sure these guys could still face possible trouble even for just admitting they've brought down the head of the botnets, but IMO they're pretty justified to do that. Wiping people's machines, while tempting, is just a no-no. If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.

      I was about to post a "yes, take the bots down, destroy them" comment -- then thought, hey - that sword cuts two ways. If one group gets away with vigilante destruction of targeted systems, then what's the difference if a group we don't agree with - say, the RIAA or MPAA - starts using this precedent as justification and starts taking down systems themselves? Slippery slope doesn't *begin* to describe it.

      The problem is - once you start bypassing the justice system for good reasons, it becomes easier to do it for bad ones. Take it to the courts with a winning strategy and let them take them down. That way at least you might get public funding for bringing the bastards under the gun.

      --
      Do not mock my vision of impractical footwear
    6. Re:Patches? by Plekto · · Score: 1

      Better yet, just wipe the hard drives. The users might think harder about security if something other than their net connection gets abused.

      Easier yet would be to add those infected machines to the block lists. That would get people's attention just as well and keep them from infecting others. (As a side effect, most ISPs would find their entire cable modem DNS ranges blocked, but no big loss there... might actually prompt them to get serious about spam, even.)

    7. Re:Patches? by somersault · · Score: 1

      It was the wording of the summary that led me to believe they'd actively attacked the control channels rather than doing everything legally, my bad.

      --
      which is totally what she said
    8. Re:Patches? by Erik+Hensema · · Score: 1

      Won't work at all. First of all they're using hotmail to send their mail. Everybody uses hotmail, right?

      Second, if they're using their ISP's smarthost, that smarthost will most likely happily accept any mail. And the smarthost won't be on a blacklist, since the botnet will just do direct-to-mx.

      The only solution which is centrally enforceable is blocking smtp connections going out of the ISP network. Force endusers to use the ISP's smarthost. The botnet won't be able to do direct-to-mx, and the ISP can easily scan outgoing mail and block spammers.

      95% (I made that number up) of all spam you receive originates from ISPs which don't block outgoing SMTP connections. The remaining 5% is sent from hacked webservers, corporate accounts, through smarthosts, etc.

      So *please* encourage your ISP to filter outgoing SMTP connections. It makes the world a better place. If you don't like your ISP's smarthost, then just do SMTP AUTH over tcp port 587 to connect to some other smarthost outside their network.

      --

      This is your sig. There are thousands more, but this one is yours.
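The outbound SMTP policy described in the comment above, as an added example that is not part of the original thread or any ISP's actual configuration: it applies the "port 25 only to the smarthost, 587 anywhere" rule to constructed flow records and uses the blocked attempts to flag subscribers attempting direct-to-MX delivery. The address ranges, smarthost IP, threshold and function names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values for this example (documentation address ranges, not real hosts).
SUBSCRIBER_NET = ipaddress.ip_network("198.51.100.0/24")   # end-user lines
SMARTHOSTS = {ipaddress.ip_address("192.0.2.25")}          # the ISP's outgoing relay
DIRECT_MX_THRESHOLD = 3  # distinct port-25 destinations before a subscriber is flagged

# Constructed flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("198.51.100.10", "192.0.2.25", 25),    # normal user -> ISP smarthost
    ("198.51.100.10", "203.0.113.5", 587),  # SMTP AUTH to an outside smarthost
    ("198.51.100.20", "203.0.113.1", 25),   # same line hitting many mail servers
    ("198.51.100.20", "203.0.113.2", 25),
    ("198.51.100.20", "203.0.113.3", 25),
    ("198.51.100.20", "203.0.113.4", 25),
    ("198.51.100.30", "203.0.113.9", 25),   # one stray attempt, e.g. an old mail client
    ("192.0.2.25", "203.0.113.1", 25),      # the smarthost itself delivering mail
]


def egress_decision(src, dst, dport):
    """Return 'allow' or 'block' for one outbound TCP connection attempt."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in SUBSCRIBER_NET:
        return "allow"   # the policy only covers end-user address space
    if dport == 25 and dst not in SMARTHOSTS:
        return "block"   # direct-to-MX from a subscriber line
    return "allow"       # smarthost on 25, submission on 587, all other traffic


def flag_direct_to_mx(flows, threshold=DIRECT_MX_THRESHOLD):
    """Return {subscriber IP: sorted blocked destinations} for subscribers that
    tried at least `threshold` distinct mail servers on port 25."""
    blocked = defaultdict(set)
    for src, dst, dport in flows:
        if egress_decision(src, dst, dport) == "block":
            blocked[src].add(dst)
    return {src: sorted(dsts) for src, dsts in blocked.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for subscriber, targets in flag_direct_to_mx(SAMPLE_FLOWS).items():
        print(f"{subscriber}: {len(targets)} blocked direct-to-MX destinations")
```

The single stray attempt from 198.51.100.30 is still blocked but stays below the threshold, so only the line fanning out to many mail servers is reported for customer notification.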

    9. Re:Patches? by Plekto · · Score: 1

      Perhaps a simpler solution, then, might be for companies to block all incoming traffic from ISPs that don't do filtering and authorization. I guarantee that if Comcast's or Earthlink's customers suddenly can't get to YouTube/Google or iTunes because they have blocked those companies' entire DNS ranges, that will get them to enforce stricter traffic filtering.

      While there is net neutrality in theory, the reality is that these large companies can de-facto enforce any scheme that they want in this manner. It's their hardware, after all, and they can decide what they want to accept and run on it, after all. Google could easily just decide that it will only accept connections from ISPs who are compliant with what they consider "normal" security measures. Get serious about spam and security or explain to your angry customers why it all stopped working suddenly. Just three companies alone would be enough (Google, Apple, and Microsoft) to make bad ISPs shape up their act. And the controlled/hijacked smaller ones who don't comply quickly get added to the block lists after a month or two.

    10. Re:Patches? by Uzuri · · Score: 1

      Why the hell do botnets have better security than stuff that really needs it? O.o

      --
      I'm a she-slashdotter... but I make up for it by living with my folks.
    11. Re:Patches? by nneonneo · · Score: 1

      Simple capitalism: these things make money for the operators, so they have incentive to protect their assets; in the case of a botnet, this means protecting their zombie machines from being controlled by someone else, and preventing the machines from being easily cleaned.

  4. Good! by Anonymous Coward · · Score: 0

    Now I don't have to worry about throttled torrent downloads.

    1. Re:Good! by amicusNYCL · · Score: 4, Funny

      Now I don't have to worry about throttled torrent downloads.

      Uh right, problem solved there. In other news, once you get an oil change in your car you no longer have to rotate the tires.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Good! by Yvan256 · · Score: 1

      I learned about that just in time! I'm calling right away to cancel that tire rotation appointment I had for tomorrow!

    3. Re:Good! by socceroos · · Score: 1

      You forgot to include your closing sarcasm tag.

    4. Re:Good! by MrNaz · · Score: 1

      Yea I made that mistake. My car just stopped on the freeway, and when I called the roadside assist service for a jump start, they tried to upsell me a tank of gas.

      Damn salespeople.

      --
      I hate printers.
    5. Re:Good! by tacarat · · Score: 1

      I'll be happy when they start upselling items from their fully stocked mini-bar.

      --
      "Common sense will be the death of us all"
    6. Re:Good! by value_added · · Score: 1

      Uh right, problem solved there. In other news, once you get an oil change in your car you no longer have to rotate the tires.

      Obviously you've never worked with Windows users.

    7. Re:Good! by Anonymous Coward · · Score: 0

      Now I don't have to worry about throttled torrent downloads.

      Uh right, problem solved there.

      That's funny, I read the OP as the poster joking about getting his outbound bandwidth back now that his machine isn't sending spam anymore. Don't know if he was being funny, but it didn't quite come across that way.

    8. Re:Good! by nneonneo · · Score: 1

      That is, until botnet operators start using BitTorrent (or a derivative of it) to transmit commands and Comcast gets a new excuse to throttle torrents.

  5. All your SPAMbot are belong to us by MountainLogic · · Score: 0

    Had to be said

    1. Re:All your SPAMbot are belong to us by socceroos · · Score: 2, Funny

      What would you do with your newly acquired SPAMbot network? Would the power go to your head?

      Since the bots all deserve to be botted, I might set up a beowulf cluster with them and distributed render Big Buck Bunny for the fun of it. =)

    2. Re:All your SPAMbot are belong to us by Interoperable · · Score: 1

      I think all hijacked botnets should be made to run BOINC distributed computing projects. The users who can't keep their machines secure and contribute a huge volume of spam to the internet should be sentenced to community service. In the form of having their machines dedicate most clock cycles to the advancement of esoteric scientific pursuits.

      --
      So if this is the future...where's my jet pack?
  6. True heroes by ManlySpork · · Score: 0

    These researchers are true heroes saving the internet from impending doom.

  7. Mega-D 2.0 by tacarat · · Score: 1

    1) Counter-attack researchers
    2) Analysis and evaluation
    3) Rebuild and redeploy
    4) Profit

    Hopefully those hacked machines get addressed quickly. While the botnet itself is down, there's probably a few ways to grab the zombies and make a new system.

    --
    "Common sense will be the death of us all"
    1. Re:Mega-D 2.0 by socceroos · · Score: 1

      No way! All this time, the three question marks was referring to Rebuild and redeploy?

    2. Re:Mega-D 2.0 by tacarat · · Score: 1

      Yep. Just make sure you uncheck the "hide answer" option. Tools > Options > ROFLCOPTOR Config

      --
      "Common sense will be the death of us all"
  8. Wrong title, not 'taken down' by RichardDeVries · · Score: 5, Interesting
    From TFA:

    Only two command server were found to be located outside the USA. So does it mean that shutting these servers down would result in a complete botnet shut down? Keeping in view Ozdok's multi layered fallback mechanism the answer here is 'no'.

    and

    After seeing all these fallback mechanisms, it doesn't look very easy to kill Ozdok in one go but hurting this beast might not be that difficult.

    --
    Error 001
    Security Scan and Virus Detection do not work with your operating system.
    1. Re:Wrong title, not 'taken down' by Meshach · · Score: 1

      I guess that the important thing is that this process will make a dent in the spammers' processes.

      Until now attempts to actually trace and shut down have not been fruitful. I think the fact that something was done is very positive.

      --
      "Maybe this world is another planet's hell"
      Aldous Huxley
    2. Re:Wrong title, not 'taken down' by RichardDeVries · · Score: 5, Funny

      I agree, of course. However, I was pointing out that the claim the title makes is false. A spam botnet has been taken down when it is permanently disabled. (And the spammers themselves at the least publicly taunted by John Cleese, but that is my personal opinion).

      --
      Error 001
      Security Scan and Virus Detection do not work with your operating system.
    3. Re:Wrong title, not 'taken down' by Anonymous Coward · · Score: 0

      SHUT UP FART BOY

    4. Re:Wrong title, not 'taken down' by shentino · · Score: 1

      Sounds also like a damn good reason why it's futile trying to rely solely on US law enforcement to take these bad boys down.

      I bet several of them are hosted in countries that don't give a flying fuck about the US.

      Iran being one of them.

      I wouldn't be surprised if some governments even look the other way on purpose just to spite the west.

    5. Re:Wrong title, not 'taken down' by RealGrouchy · · Score: 1

      What? Why waste John Cleese on that?

      Use an impersonator. A bad one. That'll punish them.

      - RG>

      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
  9. What OS? by Yvan256 · · Score: 1, Interesting

    What's the Windows OS percentage of that botnet?

    1. Re:What OS? by Anonymous Coward · · Score: 0

      > What's the Windows OS percentage of that botnet?

      Didn't you know? Windows has 100% market share in botnet zombie machines.

    2. Re:What OS? by socceroos · · Score: 1

      As the clients they do. But as always, Linux servers hog the bot controller market share.

    3. Re:What OS? by tokul · · Score: 4, Interesting

      What's the Windows OS percentage of that botnet?

      http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99
      100%, minus controllers, that might run on any OS

    4. Re:What OS? by bigredradio · · Score: 2, Funny

      See, Bill Gates wants a monopoly everywhere! Anti-trust! Anti-trust, help help I'm being repressed.

    5. Re:What OS? by Anonymous Coward · · Score: 0

      Yeah, I even heard he has a monopoly on sexual interactions with his wife. This has just got to stop.

    6. Re:What OS? by Anonymous Coward · · Score: 0

      Linux servers hog the bot controller market share.

      Saying that is like saying that all main frames are evil because Wall Street uses them to make pennies more per trade than a normal trader can.

      People specifically using a certain OS for a specified server task is not the same as pwning 264,000 windows computers and turning them into clients for your malicious deeds. The main server task was malicious, but the fact that it ran on Linux, OSX, Windows, or even DEC Ultrix does not make the OS itself bad.

      If TFA says otherwise (like "spliot city on them thar Linux boxen!"), then I guess you are right. But I didn't see it.

    7. Re:What OS? by Anonymous Coward · · Score: 0

      I think I just puked a little in my mouth.

      Nope. I am pretty sure I did.

    8. Re:What OS? by socceroos · · Score: 1

      Mhm, you make good points.

      ....but, I was only making a parody to the current statistics for market share with Linux v Windows on desktop and server. Oh well, I'd say whoosh....but I'm going to give you this one since I didn't include my closing tag () - I could have been a legitimate troll.

    9. Re:What OS? by socceroos · · Score: 1

      Agh, dumb filter - the sarcasm tag.

    10. Re:What OS? by NotBornYesterday · · Score: 1

      Nope. Turns out that when you figure what Bill's time is worth, it's cheaper to have someone with a H1B visa do it.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    11. Re:What OS? by Anonymous Coward · · Score: 0

      Actually, I did miss your point. It was late at night on what became a 15.5 hour day.

      But, I was also thinking about the point beyond the point: even a spammer wants his core business on the most sturdy structure (and z/OS main frames are just too damn expensive). ;)

  10. Call of Duty - Modern Warfare 2 by Jetrel · · Score: 1

    Great work! I would have done it but I was at home sick... *Cough*

    --
    If it isn't broke, tinker with it till it is!
    1. Re:Call of Duty - Modern Warfare 2 by Anonymous Coward · · Score: 0

      This isn't that hard. Come on, dude.

  11. And meanwhile... by damn_registrars · · Score: 3, Insightful

    Another botnet is on the verge of picking up a good number of those systems. Within a very short while we'll see the spam levels right back where they were before. Anti-botnet activities are good when done in the name of anti-botnet activity, but they are weak efforts in the name of stopping spam. The way to stop spam is to fight it as the economic problem that it is; if people continue to go after the symptoms of spam like this they will continue to find themselves quickly thwarted.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:And meanwhile... by somersault · · Score: 4, Interesting

      Spam isn't so much an economics problem as a "some people are just dicks" problem. A lot of the problem with spam is the current system we use for email. It was never intended for such widespread use and has little-to-none in the way of authentication or security measures. You can encrypt emails for security sure, but it doesn't help get around the problem of spam..

      --
      which is totally what she said
    2. Re:And meanwhile... by Capt.DrumkenBum · · Score: 1

      Another botnet is on the verge of picking up a good number of those systems.

      I wouldn't be so sure about that. I seem to remember a year or so ago reading about someone's honeypot experiment. One of the first things done to the machine after the hacker got access was to close several common vulnerabilities.
      I don't know about this botnet, but if I were an evil bastard who managed to take over your computer, the first thing I would do would be to make sure your computer stayed mine.
      In fact from time to time I have considered the possibilities of a virus that would turn on automatic updates, turn on the firewall, and install an anti-virus product.

      --
      If I were God, wouldn't I protect my churches from acts of me?
    3. Re:And meanwhile... by popo · · Score: 1

      How exactly does one fight the economic problem? And does it involve giving everyone a pony?

      --
      ------ The best brain training is now totally free : )
    4. Re:And meanwhile... by mcrbids · · Score: 4, Insightful

      The way to stop spam is to fight it as the economic problem that it is; if people continue to go after the symptoms of spam like this they will continue to find themselves quickly thwarted.

      Sure. Let's educate every farking idiot on the face of the earth. Just like we did with consumers the world over in every single city across the fruited plain. It's worked well for hundreds of years! "Buyer beware" and Heaven help you if you should get defrauded...

      What's that you say? We didn't do that? Instead, we instituted "consumer protection" laws that require vendors to adhere to minimal standards of conduct and safety? Laws that prevent manufacturers from making unsafe cars and selling poisoned food? You mean, I can go into pretty much any restaurant and be confident that I probably won't get some terrible disease from poorly cooked food and un-refrigerated meats?

      Yes, on the 'net, it's the wild, wild west, all over again. But now problems "over there" have become problems "over here", and suddenly, things like the sorry legal state of Nigeria and Somalia are in our face. Will we fix it overnight? No, but we will fix it. Sure, we'll never get rid of it completely - the Mafia still exists, and gangs still thrive in areas of the mostly controlled First World. (We can greatly mitigate the gangs by legalizing their primary revenue stream, the drugs, but while related, that's another post)

      The thing is that by legally controlling the terms of commerce, we promote healthy commerce. Outlawing commerce altogether has roughly the same effect of not regulating it at all - fraud and crime sets in, legitimate business moves out. To control spam, we need to control commerce, world wide. And that's a big, big problem that will take at least a generation or two to handle.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    5. Re:And meanwhile... by iris-n · · Score: 1

      In fact from time to time I have considered the possibilities of a virus that would format the hard disk.

      As a time bomb, you see.

      But I always think about the grannies losing the family photos and I give up.

      Or it could be distributed only through porn.

      Nothing against porn. But that would select out (most) grannies, leaving the stupid fucks who hunt for porn in IE6.

      Humm. I'm getting bitter. Better stop with the porn and get sex.

      --
      entropy happens
    6. Re:And meanwhile... by damn_registrars · · Score: 1

      Sure. Let's educate every farking idiot on the face of the earth. Just like we did with consumers the world over in every single city across the fruited plain. It's worked well for hundreds of years! "Buyer beware" and Heaven help you if you should get defrauded

      If you somehow took what I said to mean that I wanted to do what you are suggesting, then I ask you to go back to read it again.

      To control spam, we need to control commerce, world wide. And that's a big, big problem that will take at least a generation or two to handle.

      That is a bit closer to what I was suggesting, but going from the opposing side of the same coin.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    7. Re:And meanwhile... by damn_registrars · · Score: 5, Insightful

      Spam isn't so much an economics problem as a "some people are just dicks" problem

      That statement is accurate only for those who believe that spam is sent out to piss you off. Perhaps the spam you receive is somehow different from the spam that is sent to me? The spam that is sent to my addresses is sent to sell various products or services. And why is the spam sent to sell products? Because someone is paying the spammer to send it.

      Spam is a product that people are willing to pay for.

      Hence spam is an economic problem, because there is economic incentive to send it. Billions or trillions of spam messages can be sent at nearly no cost to the spammer; very little business needs to come from those spam messages to make them incredibly profitable.

      A lot of the problem with spam is the current system we use for email. It was never intended for such widespread use and has little-to-none in the way of authentication or security measures.

      I have yet to see a proposed replacement for the existing email system that actually suggests anything that would make a bit of meaningful difference for spam issues.

      You can encrypt emails for security sure, but it doesn't help get around the problem of spam..

      I agree with you on that. Encryption isn't worth squat in regards to spam.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    8. Re:And meanwhile... by Anonymous Coward · · Score: 0

      What about Internet Mail 2000?

      The Spammer needs to hold all the emails on their own email server until the client email program decides to download it. Email which is never collected will take up storage on their server and they can't fly by night since if they disconnect the server then the email will never be delivered.

      There isn't any working implementation AFAIK but you did say "proposed replacement".

    9. Re:And meanwhile... by Anonymous Coward · · Score: 0

      Here's something I've never really understood.

      Spam is sent for advertising, thus someone paid the advertiser to send the spam.

      The advertising readily identifies the product being advertised, why can't authorities lean on the product's makers to find out who they enlisted to send the spam?

    10. Re:And meanwhile... by shentino · · Score: 1

      Joe jobs, for one. Sending spam advertising someone without their consent is a pretty damning smear tactic.

      I'd say to go after anyone that profits from spam. Considering how big a business it is (enough to have 95 percent of all emails be spam), there's probably quite a few stakeholders getting a piece of the pie.

      I say to give all those stakeholders some laxative and make them disgorge their ill-gotten dirty money.

      At the top of the list, ISPs that sign pink contracts and, in exchange for whopping payments, look the other way when their users spam.

      Also there's a jurisdictional challenge involved in dealing with spam outside the country you are policing.

    11. Re:And meanwhile... by pwilli · · Score: 1, Insightful

      If the spammer owned the email server, he wouldn't need much space to store spam mails. He could send out billions of notifications to potential receivers and create the spam mails on the fly when a receiver wants to download the mail.

      Not only would the spammer ultimately save bandwidth in this case by only sending the full mails to those who "requested" them by reacting to the notification, but he would get first class information about validity of email addresses. In addition, the receiver would have to do his own spam filtering, because his ISP likely can't decide if a notification is spam or not - and therefore will have to forward all notifications to the client (A notification may be completely unrelated to the actual mail that is waiting for delivery).

      If the mail server is not his own server, the spammer doesn't care for storage space requirements anyway and will keep on spamming as usual.

      Internet Mail 2000 would imho make most things even worse than they are, without providing any benefits besides "unlimited inbox size" - which is pretty much useless to most people.

    12. Re:And meanwhile... by Anonymous Coward · · Score: 0

      And the "first world" is actually not the USA, because a) most spam originates from the USA and b) the USA is well known for avoiding regulations to limit enterprise in favour of citizen rights (note that I'm not using the word "consumer" to describe citizen!).

      Perhaps I'm being too cynical, but I'd gladly be proven wrong... /Simon

    13. Re:And meanwhile... by KlaymenDK · · Score: 1

      Spam isn't so much an economics problem as a "some people are just dicks" problem

      That statement is accurate only for those who believe that spam is sent out to piss you off. [...] Spam is a product that people are willing to pay for.

      You and the GP are both correct -- the dicks are (also) to be found among those who are willing to pay. Yeah I know there's a double entendre there, but I'm just using the GP's wording here. What I mean is that spam wouldn't be so much of a problem if it wasn't profitable. Hence, part of the blame lies with the very, very few recipients who choose to become customers; they may not realise that in doing so they are pissing off the rest of us (on the other hand, if they do realise but just don't care, that's another issue and more difficult to deal with).

    14. Re:And meanwhile... by Anonymous Coward · · Score: 0

      Spam is a product that people are willing to pay for.

      Really? Half the spam I get is blank. Or has some vaguely friendly hello type message in the body, but no advertising. Or has some Markov text. Or advertises a product but doesn't tell me where to get the product or who to pay for it even if I wanted it.

      While no doubt there is something of a competence gap when it comes to spammers, reducing it to a pure economic product is misleading. What's the economic value of 500,000 messages that contains only the plain text "&GREETTEXT& hello Cynthia. we've got the best deals anywhere. time is money friend"? I can't imagine the incentive for blowing CPU time, bandwidth, and spambot operator time on sending a message that literally can not possibly prompt a transaction since it contains no offer of one.

    15. Re:And meanwhile... by damn_registrars · · Score: 1

      Joe jobs are certainly one part of it.

      Another part is that a very significant share of the spamvertisements are for products that are being sold through countries that don't care at all about spam. Sure, your inbox may have thousands of emails from the "Canadian pharmacy", but that domain is likely registered in China and hosted in Russia. Hence there is nothing "Canadian" about (aboot?) it. And the people profiting from it are in countries where no authorities have any interest in stopping the spamming.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    16. Re:And meanwhile... by fritsd · · Score: 1

      What's the economic value of 500,000 messages that contain only the plain text "&GREETTEXT& hello Cynthia. we've got the best deals anywhere. time is money friend"?

      It poisons the Bayesian anti-spam filters, so that the real spam can get through more easily, and false positives (losing your real e-mail) become more likely, making you more likely to turn those anti-spam filters off.
      There's a strong bias in good spam filters; accidentally receiving some extra spam messages is perceived as much less harmful than accidentally destroying your legitimate e-mails.

      --
      To be, or not to be: isn't that quite logical, Slashdot Beta?
    17. Re:And meanwhile... by Anonymous Coward · · Score: 0

      The spam that is sent to my addresses is sent to sell various products or services.

      No, spam is sent for two reasons. The first is similar to what you think it's for, but the word to use is "advertising" not "selling".
      The other is to find out if someone is a) actually using the address and b) dumb enough to reply to it and c) hopefully give out some useful personal info.

      But nobody is actually using spam to sell stuff... at least not for very long. The bulk of what is truly spam is pure garbage, but a good bit of legitimate email is often classified as spam.

      It's kind of a personal nitpick... but spam was originally used to simply indicate an act, not content. i.e. I could spam your mailbox by sending a large quantity of messages, even if they are all legitimate, and a single illegitimate email is not really spam. Phishing maybe, but not spam. Unfortunately this meaning is completely lost on most of the general public and sadly many in the tech industry. I can spam all kinds of things, if I spam your connection with pings that is still spamming in the original sense of the word, but now we have to call it flooding so that people don't get confused. Well, more confused anyhow.

      The most important point is that just because YOU don't want to get an email, that does NOT make it spam, or make the person sending it a spammer.

  12. Jinx... by imaniack · · Score: 1

    I just hope Netcraft does not jinx this by reporting premature death of botnets...

  13. A little known fact about security firm "FireEye" by turing_m · · Score: 2, Funny

    At company picnics, employees are encouraged to take part in "Whack-a-mole" competitions during summertime, and ice sculpting during the winter.

    --
    If I have seen further it is by stealing the Intellectual Property of giants.
  14. Stop talking sense man! by hellfire · · Score: 1

    Next thing you know we'll take the same approach to murder, theft, gangs, drugs, etc and soon we'll end up with a utopia... then how will the billionaires get $100 bills to light their $500 cigars???

    --

    "All great wisdom is contained in .signature files"

    1. Re:Stop talking sense man! by secolactico · · Score: 1

      Come on, it's not that hard to get one hundred pesos.

      --
      No sig
  15. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  16. Er. by Velorium · · Score: 1

    Since when does 1/3 equal 4%?

    1. Re:Er. by Anonymous Coward · · Score: 0

      Since when does 1/3 equal 4%?

      "Once". Read it again. "Once", as in, "in the past". The botnet was *once* responsible for 1/3rd, but more recently is only responsible for about 4%. Meaning, all this hoopla for an organization that went after some spammers who crippled the Internet in their heyday, but are now basically chillin' with umbrella drinks in Florida.

    2. Re:Er. by Jeian · · Score: 2, Informative

      once responsible for an estimated third of the world's spam

      lately the botnet has accounted for 4% of spam

    3. Re:Er. by greyhueofdoubt · · Score: 1

      The 'net used to account for 1/3, but since that time it has either shrunk due to patches or other 'nets have vastly outpaced it. That caught me off guard, too.

      -b

      --
      No offense, but I've stopped responding to AC's.
    4. Re:Er. by Urza9814 · · Score: 1

      It was _once_ responsible for 1/3 of the spam. By the time the researchers got to it and took it out it had already dropped to only 4% for other reasons.

    5. Re:Er. by Velorium · · Score: 1

      Ah, thank you.

  17. Re:WTF? by socceroos · · Score: 2, Funny

    Seriously. Can someone please give me a reasonable explanation that rogue CnC servers and registrars are allowed to continue operations?

    Because it's actually the government who creates and controls these 'botnets'. They're used to spy on us since they have a computer on each end of each router meaning they can reliably trace data streams in foreign countries to their true original source.

    Ok, so that wasn't necessarily accurate. But, I've heard on the low-down that the fellows who were working on Titan Rain are currently trying to map the Chinese government's botnet across the world. It's funny that a growing proportion of our electronics are being sourced from China.

    Nothing against the Chinese - great guys and I love mandarin. Just some actions of their leaders seem a bit 'off base' - outside my comfort zone.

  18. In the words of Riddick... by popo · · Score: 2, Interesting

    "You keep what you kill."

    Now... what to do with this enormous botnet?

    --
    ------ The best brain training is now totally free : )
    1. Re:In the words of Riddick... by Anonymous Coward · · Score: 0

      Let me tell you about this business proposition... ;)

  19. Yeah, but... by Anonymous Coward · · Score: 0

    My wife just called from home. Apparently my server just melted.

  20. Re:WTF? by Anonymous Coward · · Score: 0

    First they came for the spammers, and I did not speak out—because I was not a spammer;
    Then they came for the crackers, and I did not speak out—because I was not a cracker;
    Then they came for the hackers, and I did not speak out—because I was not a hacker;
    Then they came for the pirates, and I did not speak out—because I was not a pirate;
    Then they came for me—and there was no one left to speak out for me.

  21. Legality? by Hurricane78 · · Score: 1, Interesting

    I'm not against taking down a botnet. But I still think that basic laws are more important. If we don't apply the same rights on really everybody, those "rights" become meaningless.

    FireEye isn't exactly a police or government agency. How exactly can they raid zombie computers of private people? I can't think of any way that this is legal. Which does not make them better than what they are "prosecuting" (A term, that when associated with a private company, usually makes a crime itself.)

    Is it like Blackwater? A bunch of criminals who like to legally murder and beat up people? Just that here they like to raid computer systems?

    If you take down a botnet, do it in a legal way!!

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
    1. Re:Legality? by JohnFen · · Score: 3, Insightful

      From reading all the FireEye blog posts on the operation, I can't find any point where they broke the law or even behaved in a way that violated anybody's rights.

      What they did was to coordinate things so that ISPs and domain registrars followed existing procedures to shut down sites and revoke domain names. They also found some domain names that were programmed to be used as fallbacks but had not yet been registered, then registered those.

      It looks like at no time did they actually hack anybody or penetrate computers, either innocent bystanders or guilty people, nor did they use the botnet themselves, so there's no legal or ethical problem here -- assuming their reports are complete and correct, obviously.

    2. Re:Legality? by ProfessionalCookie · · Score: 2, Informative

      Zombies aren't people.

    3. Re:Legality? by Anonymous Coward · · Score: 0

      They didn't raid or take over zombies. They just killed as many of the C&Cs for Ozdok all at once. This was following the Abuse notification process with Hosting providers and ISPs. See the prior blog post:
      http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html

      1. Abuse notifications to all the ISPs involved.
      2. Working with registrars to take down all the registered CnC domains.
      3. Registration of all unused CnC domains.
      4. Registration of all unused CnC domains.

          No zombies were harmed or violated in the process. Clearly that is illegal.

    4. Re:Legality? by cdrguru · · Score: 1

      So what laws do you think are being broken? And how would any government prosecute someone or even collect evidence to be used in a prosecution? They might have an IP address, but we have just spent a few years proving in courts that an IP address cannot be connected to an individual.

      In most of the places where the people who are running these things are located it simply isn't against the law to do so. You might be surprised at how many places it is legal to defraud and steal from US citizens when it is not legal to do the same things to their fellow countrymen. End result is, there really isn't any prosecution possible.

    5. Re:Legality? by Anonymous Coward · · Score: 0

      Don't drown yourself on all that liberal kool-aid.

      Anyone reading slashdot should already know that law enforcement is always two steps behind, and way more than that with computers and the internet. Who better to do damage to spammers and other "cyber"-criminals than the geeks who understand how the technology works. I wish more people were interested in and actively trying to take down these spam networks. And instead of reading stories about how has grown to over 9000!! zombie hosts, I'd like to hear about some geeks figuring out ways to stop and prevent these botnets.

    6. Re:Legality? by iceaxe · · Score: 1

      Zombies aren't people.

      Correct, Soylent Green is.

      --
      WALSTIB!
    7. Re:Legality? by John+Hasler · · Score: 1

      > How exactly can they raid zombie computers of private people?

      No computers were "raided". Read the articles. Breach your contract with your ISP/hosting service/registrar and they can terminate service without notice.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  22. I for one.... by countach · · Score: 1

    I for one welcome our new botnet masters.

  23. That's great, but... by element-o.p. · · Score: 3, Interesting

    ...the cynic in me wonders whether or not the researchers might be risking legal problems by doing this (at least in Illinois, Colorado, Delaware, Michigan, Oregon, Pennsylvania, and Wyoming and possibly Arkansas, Florida, Georgia, Massachusetts, Tennessee, and Texas as well).

    --
    MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    1. Re:That's great, but... by L4t3r4lu5 · · Score: 1

      FireEye employees have accessed computer systems they are not authorised to access, and have halted services and caused malicious damage. Bottom line.

      If any of those control servers were in the UK, I'd be writing to my MP to illustrate this point and calling for extradition of all employees which engaged in this activity. Garry McKinnon performed no such actions of damage, with no intent to deny access to any system whatsoever, unlike these "security researchers" (crackers).

      Troll? No, just looking for some consistency.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    2. Re:That's great, but... by Anonymous Coward · · Score: 0

      Yes, but to file a lawsuit you would have to identify yourself as the owner of the spambot network (or at least the herder of all the spambots). By identifying yourself, you open yourself up to lawsuits from a multitude of ISPs.

    3. Re:That's great, but... by John+Hasler · · Score: 1

      > FireEye employees have accessed computer systems they are not authorised to
      > access, and have halted services and caused malicious damage.

      They did no such thing. They coordinated actions by ISPs and registrars, none of whom did anything illegal. Read the article.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    4. Re:That's great, but... by L4t3r4lu5 · · Score: 1

      You must be... Oh, you're not.

      Wow.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  24. Makes you wonder, doesn't it? by Weaselmancer · · Score: 3, Interesting

    If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.

    Ever read Frank Herbert's The White Plague? It's about a scientist on a trip to Ireland who loses his family in an IRA bombing. He goes nuts and engineers a virus to kill every woman on the planet, figuring "if it has to happen to me, then I'm going to share my misery with the world."

    Where am I going with this?

    We have some pretty epic hackers on the planet. Guys who can disassemble code by looking at it. Guys who don't give one billionth of a crap about legality. Doubt me? Go check your local torrent tracker. There are groups of people out there who break commercial software all the time. They do it for breakfast.

    How much harder could hacker-originated code like botnets be?

    Eventually you're going to get some hacker who has simply had enough. And he's going to form the internet version of the Lincoln County Regulators, go rogue, figure out every botnet they can get their hands on, and wipe every single PC they can right through the bot's command channel.

    It's not IF, it's WHEN.

    Remember - you heard it here first. This is going to happen. Some holier-than-thou uberhacker is going to figure "fuck 'em if they can't handle basic security - they're fucking up MY INTERNET" and lay waste to them all, nuke-it-from-orbit style.

    I'm honestly surprised it hasn't happened yet.

    --
    Weaselmancer
    rediculous.
    1. Re:Makes you wonder, doesn't it? by Anonymous Coward · · Score: 0

      There are groups of people out there who break commercial software all the time.

      Writing (and distributing) viruses and cracking software are worlds away in terms of morality. Cracking just requires curiosity and a certain level of indifference to the profits of usually-enormous companies. It's a neutral act in itself, but can be considered varying degrees of good or bad depending on the circumstances. Creating viruses for commercial gain is arguably the exact opposite. It's just unambiguously evil, massively harmful, and motivated by pure greed.

    2. Re:Makes you wonder, doesn't it? by Weaselmancer · · Score: 1

      I'm not debating the morality of any of it - just noting that the skill sets are the same. If you can break commercial software, breaking botnets is certainly within your ability. Both require patience, insight, and some skill with a disassembler.

      And some day some uberhacker (white hat or black hat - don't care which) is going to get fed up with all this spam. And do something...epic.

      --
      Weaselmancer
      rediculous.
    3. Re:Makes you wonder, doesn't it? by onepoint · · Score: 1

      While I hope what you say comes true, the problem with your argument is diversity of operating systems. given we can do a basic split of end users OS's... say 80% windows based the rest UNIX based. but then it's broken down by flavor ( red-hat, win2000, winme...)

      so Mr. I-hate-the-internet-and-I-am-going-to-fix-it, please design it to be multi-flavored

      --
      if you see me, smile and say hello.
    4. Re:Makes you wonder, doesn't it? by Weaselmancer · · Score: 3, Interesting

      No no no! You've missed my point. *I* won't be the one to do any of this. I am not Mr. I-am-going-to-fix-it. Holy crap no! I have a career and a family. I'm way too old for lulz. I'm just saying human nature being what it is, someone eventually will.

      And when that someone does, then it'll become a thing. Others will follow. Cowboy justice for anyone who can't secure their systems. It won't happen in a single stroke. One botnet will get hit. Others will get the idea and hit other botnets. It'll become the next new internet game. Used to be cracking DVD protections was enough sport to keep these guys busy. Now it's on to bigger game, so back up your data files everyone.

      What I'm saying is that right now, there is a teenaged kid somewhere. Probably in the Netherlands or some other hacker friendly country where if you do something like this you get a couple of years of community service. It's snowing, he's bored, and all the women are wearing parkas so there is nothing to do. And he keeps having to reconfigure his mail server. Whitelists, blacklists, pattern matching...it's pissing him off.

      Then he's gonna have an idea.

      A couple of weeks later some botnet is going to be completely in the hands of someone who has bigger ideas than spam. He's gonna nuke them. The whole thing.

      Honestly I really am surprised it hasn't happened yet. Botnets are a beautiful hack target.

      --
      Weaselmancer
      rediculous.
    5. Re:Makes you wonder, doesn't it? by somersault · · Score: 1

      Well, I'm pretty sure I've read of botnets actually attacking each other, but usually for their own gain rather than to actually reduce the spam load. I've always liked the idea of taking these down myself, but I've never really looked into security in a big way, especially from a blackhat perspective. The chances of someone being both skilled, motivated and altruistic enough to just take all the zombies down seems pretty low. Especially considering most of the motivation for this stuff is money. We'd need to have the online equivalent of Batman or Ironman. Someone who already has all the money they want, yet has a will to do good, and a lot of brainpower just sitting there wanting to be exercised. And is not scared of breaking a few laws to get things done. Heh.

      --
      which is totally what she said
    6. Re:Makes you wonder, doesn't it? by Anonymous Coward · · Score: 0

      I hope it happens soon!

    7. Re:Makes you wonder, doesn't it? by Weaselmancer · · Score: 1

      He needn't be like Batman. He would probably be more like the Joker.

      "Some people just want to see the world burn."

      Just imagine a storm of "format c:" commands sent through a botnet. That'd cut down on your spam problem pretty quick, wouldn't it?

      I think it's more likely that my hypothetical teenager would be doing this for reasons that would be tough to describe as "good". A half a million formatted PCs aren't going to get this guy a hero label by any stretch.

      Although a greater good would come from it. Imagine how concerned about security your average Joe would be if every time he hooked his machine up to the net it would get formatted. He'd demand action, right now!

      --
      Weaselmancer
      rediculous.
    8. Re:Makes you wonder, doesn't it? by RAMMS+EIN · · Score: 1

      Why, how did you know. I do live in the Netherlands. And I am pissed off that I have to spend effort on my mail servers to curb the spam. Can't tell if the women are wearing parkas, cause I can't see any from my basement.

      Lucky for the world, it's not snowing.

      --
      Please correct me if I got my facts wrong.
    9. Re:Makes you wonder, doesn't it? by onepoint · · Score: 1

      back in my days of phreaking, it was the challenge of the hack. In this case I am hoping that the hacker will see that he's taken out the entire spam bot networks, make himself popular (and makes himself a target), then he gets a call from the NSA saying they are going to hire him for 400K a year.
      Bank! Bank! Bank!

      --
      if you see me, smile and say hello.
    10. Re:Makes you wonder, doesn't it? by RealGrouchy · · Score: 1

      Remember - you heard it here first. This is going to happen. Some holier-than-thou uberhacker is going to figure "fuck 'em if they can't handle basic security - they're fucking up MY INTERNET" and lay waste to them all, nuke-it-from-orbit style.

      Actually, I heard it on Slashdot from someone else, yesterday. Someone was sick of people not changing some default passwords on their jailbroken iPhones, so he designed a virus to RickRoll them.

      And nobody had to nuke anybody.

      - RG>

      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
    11. Re:Makes you wonder, doesn't it? by Weaselmancer · · Score: 1

      back in my days of phreaking, it was the challenge of the hack.

      Exactly. It's one thing to place hackers against software companies or the ??AA's protection scheme of the day. But those are chump change. This ups the ante. This would be hackers against other hackers. Far better sport.

      The person who does this need not be a superhero or a villain. Just bored and looking for a few laughs. I have to admit, if I were younger...I might be tempted. Botnets are a sweet target. It would be fun breaking one.

      --
      Weaselmancer
      rediculous.
    12. Re:Makes you wonder, doesn't it? by IonOtter · · Score: 1

      There's an extremely important flaw in your theory?

      The owners of those botnets have no problems with putting a bullet in people's heads.

      Perhaps not all of the botnets are owned by such groups, but not that many are going to be willing to play a real-world version of Minesweeper. At least not for long, anyway.

      --
      [End Of Line]
    13. Re:Makes you wonder, doesn't it? by onepoint · · Score: 1

      your younger days, Ha. hacking is fun for all ages.
      this really seems like a fun challenge, now where can i find some code....
      oh let me open up a honey pot. that should get me something...

      looks like I am going to have to learn a few things ...
      I'm too old to code till 5am, I'll code till 1am

      --
      if you see me, smile and say hello.
  25. What to do with the zombies by mattr · · Score: 2, Insightful

    We really need an analysis done and report made to the public security community. This is a unique chance to discover what are the real vulnerabilities to the mass of computing power on which criminals prey.

    A federal or state level court needs to authorize the researchers to do such an analysis. Even a single state would be enough, if the zombie IPs can be reliably mapped to that state. I would envision the analysis to include:

    - Make a full study of many individual zombie PCs: What antivirus, firewall, OS, applications, etc. are installed, including version numbers and a fingerprint (to identify whether they are super-vulnerable copies from warez sites, infected OEMs, etc.).
    - Monitor usage of a small number of PCs to identify what user habits lead to zombification, based on the theory that these PCs will become zombies of another botnet soon probably. What should be monitored, and for how long?
    - Contact (with law enforcement assistance) a small number of individual users to interview them. Publish anonymized interviews for representative cases so the public can better learn what constitutes dangerous habits.
    - Report anonymized individual representative cases, trends and statistics.

    Discuss whether the defanged botnet should be used to destroy other botnets. Too much discussion would alert the other net owners. People could opt in based on a message sent to infected PCs, if the authorities support it, but unless those bots are hardened they might open the owners to retaliatory attacks.

    At least, let's find out if antivirus really doesn't work, what habits led to botnet creation, and how can we alert zombie owners so they adopt more secure practices.

  26. 4% less SPAM by Anonymous Coward · · Score: 0

    I know not all of you here like SPAM very much, but it has been a classic for many, many years. Now that 4% of SPAM has cut production, there are going to be many unhappy faces and SPAM inflation. Think of the families struggling to get by!

  27. Re:WTF? by mpe · · Score: 2, Insightful

    Why is some obscure security firm doing the job that governments should have done 10 years ago?

    Exactly we hear about "researchers" even broadcasters doing this. But never about regular law enforcement...
    Governments don't appear interested in dealing with this. Probably because it isn't the (alleged) profits of the entertainments industry being affected.

  28. Fsck you slashdot... by Anonymous Coward · · Score: 0

    I submitted this story on the 6th and it was deleted.

    Now someone else posts it, and now it's up on the front page.

    I'm never submitting a story again.

  29. Proof-of-Work by Agripa · · Score: 1

    I have yet to see a proposed replacement for the existing email system that actually suggests anything that would make a bit of meaningful difference for spam issues.

    What about sender proof-of-work systems?

    Mailing lists and legitimate bulk emails would need to be white listed but individual emails could be either rejected or flagged as SPAM if they do not include proof-of-work authentication unless they were individually white listed. That in itself does not stop SPAM but it does slow the generation rate significantly and makes it easier to detect compromised systems since the rogue processes would be consuming significant computing resources if they chose to satisfy proof-of-work requirements instead of just making use of the network.
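
The sender proof-of-work scheme suggested in the comment above, sketched as an added example that is not part of the original thread. The stamp layout (`version:bits:date:recipient:salt:counter`), the SHA-256 hash, the 12-bit difficulty and all addresses are assumptions constructed for illustration.

```python
import hashlib
from itertools import count

MIN_BITS = 12  # constructed difficulty, kept low so the demo runs quickly


def zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    total = 0
    for byte in digest:
        if byte:
            return total + 8 - byte.bit_length()
        total += 8
    return total


def mint(recipient: str, date: str, bits: int = MIN_BITS, salt: str = "k3Jq") -> str:
    """Sender side: brute-force a counter until the stamp hash has `bits` zero bits.

    Expected cost is about 2**bits hashes per recipient, which is the CPU load
    that would make a stamping spambot visible on a compromised machine.
    """
    prefix = f"1:{bits}:{date}:{recipient}:{salt}:"
    for counter in count():
        stamp = f"{prefix}{counter:x}"
        if zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp


def classify(sender, recipient, stamp, today, whitelist, seen, min_bits=MIN_BITS):
    """Receiver side: a single hash checks what cost the sender thousands."""
    if sender in whitelist:              # mailing lists, known bulk senders
        return "accept-whitelisted"
    if not stamp:
        return "flag-no-stamp"
    fields = stamp.split(":")
    if len(fields) != 6 or fields[0] != "1" or not fields[1].isdigit():
        return "flag-malformed"
    _, bits, date, resource, _salt, _counter = fields
    if int(bits) < min_bits:             # sender claimed less work than required
        return "flag-too-cheap"
    if resource != recipient:            # stamp was minted for someone else
        return "flag-wrong-recipient"
    if date != today:                    # stops stockpiling stamps in advance
        return "flag-stale"
    if zero_bits(hashlib.sha256(stamp.encode()).digest()) < int(bits):
        return "flag-insufficient-work"
    if stamp in seen:                    # one stamp pays for one delivery only
        return "flag-replayed"
    seen.add(stamp)
    return "accept-stamped"


if __name__ == "__main__":
    whitelist = {"announce@lists.example.org"}   # constructed sample data
    seen = set()
    stamp = mint("alice@example.org", "091110")
    hashes = int(stamp.rsplit(":", 1)[1], 16) + 1
    print(f"minted {stamp} after {hashes} hashes")
    for sender, rcpt, s in [
        ("bob@example.net", "alice@example.org", stamp),
        ("bob@example.net", "alice@example.org", stamp),        # replay
        ("bob@example.net", "carol@example.org", stamp),        # reused stamp
        ("bulk@example.com", "alice@example.org", None),        # unstamped
        ("announce@lists.example.org", "alice@example.org", None),
    ]:
        print(sender, "->", rcpt, classify(sender, rcpt, s, "091110", whitelist, seen))
```

Because each stamp is bound to one recipient and one date, a bulk sender has to repeat the search for every address, while the receiver's check stays a single hash.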

  30. Do more,.....do more! by hesaigo999ca · · Score: 2, Interesting

    >more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control
    It's not enough, those 264k IP addresses, should be sent out to a sort of ISP provider sanctuary where
    they need to contact the people who have the infected pcs, and tell them to clean their machines, just
    leaving the machines with an ongoing malware pinging back home, might still be able to get owned.

    They need to take down those infected that they know is infected, and force those users to update or get fixed.
    They are a threat to the internet, and need to be dealt with...maybe cutting them off the internet for awhile would make them call in
    their ISP and then they could be warned they had been owned, and need to clean their pcs.
    Any further attempts on their machines parts to contact that same "hole" would force them again to be locked out...until such time
    they fixed their machines, no?

  31. And that differs how? by Jay+L · · Score: 1

    One botnet will get hit. Others will get the idea and hit other botnets.

    And then somebody approaches the bored hacker and says "You're just doing this for fun... wouldn't you like to make a boatload of money for doing exactly the same thing?"

    Isn't that exactly how this got started? People wrote viruses for lulz. Then someone offered them cash.

  32. Re:WTF? by Anonymous Coward · · Score: 0

    Amazing that this got through moderation...

    Hmmmm... lesee... "let" the government take responsibility for "protecting" the National Information Infrastructure..... Hmmm lesee what happens when the government takes "responsibility" for anything like this.

    we have gotten:

    1) FBI's Carnivore (everything is secure, except to the FBI)
    2) FBI's $25k fine to all telecom providers which will not provide individual phone line tapping capabilities to all new switched PBX, and other telecom equip.
    3) NSA's Echelon (extra US cell phone tapping)
    4) Cracked PGP (hounding Phil Zimmermann for over a decade), cracked DES, RSA, etc.
    5) Known crackable AES as a "standard encryption" enforced by the government
    6) Open FBI presentations at DEFCON exposing WEP cracking in seconds
    7) Warrantless wiretapping which is exposed to have been occurring for over a decade
    8) AT&T and other telecoms admit having provided open trunks to NSA for monitoring
    9) Government involvement in ISO, etal. stds orgs fighting adoption of standards for trunk encryption and authentication (including CIX)
    10) Government backs away from control/influence of ICANN and Network Solutions (etal) only to be besieged and then backtrack when it is found that without US govt involvement/leadership the entire net becomes something far beyond Wild Wild West.

    Hey I'm only summarizing the huge stupidity of expecting a government run by vote fraudsters to treat the net for the strategic resource that it is.

    And this got an Insightful moderation (5 points)???

    If any resource deserves/needs a benevolent dictatorship (or group [oligarchy]), it is the net, and certainly not the US government unchecked. The problem will always be that congress critters are (and I propose will always be) more motivated by re-election than by any desire or willingness to understand something with a life and value far beyond anything they can really do much more with than influence. They (congress) have an inherent need/desire to control everything they touch, and that is the inherent failure. Something so significant should be controlled in their view. The idea that something like the net can be so influenced by non-ownable things/entities (like ICANN, NSI, etal) escapes them completely, and so... they retrench to "policies" and "funding" for policy enforcement. This ultimately means they are caught with limp efforts at best for dealing with creative anarchist crap like spam.

    The best solutions to this have very little to do with government (except some notional secret squirrel sort of stuff dealing with direct counterthreat stuff), and much more to do with enlightened quasi-governmental influence. The government is most distinctly NOT equipped to deal with "protecting" the NET (less so than even healthcare).

  33. Like the rumor game, but with numbers! by GameboyRMH · · Score: 1

    It's not okay to needlessly approximate an approximation. Numerator/denominator is the best way to represent any fraction, in general. It's short, doesn't use any unusual mathematical symbols, and allows you to calculate the value to as many decimal places as you want.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  34. Muhahahahaha ... by NotBornYesterday · · Score: 1

    1) Make a list of all porn sites / web pharmacies / other dubious entities being "promoted" with the spam.
    2) Use your new botnet to initiate DDoS against said entities.
    3) ???
    4) Profit!!! Or just laugh your ass off at the irony.

    --
    I prefer rogues to imbeciles because they sometimes take a rest.
  35. Re:WTF? by Espressor · · Score: 1

    Parent said:

    And this got an Insightful moderation (5 points)???

    Grand-parent said:

    Governments don't appear interested in dealing with this.

    I don't necessarily have confidence that the government could implement solutions to control spam, but at least different countries could cooperate to fight spam - maybe that's what GP mpe meant.

    Instead, we have governments the world over (Europe, US,...) passing laws to limit file sharing, as if this was a more significant problem to society and the economy.

    GP said:

    Probably because it isn't the (alleged) profits of the entertainments industry being affected.

    I share this opinion more and more. It's sad. Governments, who should be protecting us the little guys (we have the votes...but don't always use them), seem more interested in protecting the interests of corporations (which have the economic power).

    I mean look at French president Nicolas Sarkozy. He's famous for exchanging favors with his friends CEOs of mega-companies. What has he been doing with his infamous Hadopi three strikes law for instance? Aren't there BIGGER problems to solve for a government than copyright infringement?

    Dammit.