Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Take Down a Spam Botnet

Posted by kdawson on from the chalk-up-one-for-the-good-guys dept.

The Register is reporting on the takedown of a botnet once responsible for 1/3 of the world's spam. The deed was done by researchers from the security firm FireEye, who detailed the action in a series of blog posts. PC World's coverage estimates that lately the botnet has accounted for 4% of spam. From the Register: "After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. ... Almost immediately, the spam stopped, according to M86 Security blog. ... The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change. ... With [the] head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control..."

13 of 207 comments (clear)

  1. Re:Any more? by Binder · · Score: 2, Insightful

    Well... first you have to find their command and control channels. Then you have to figure out how they work. Many times the command and control is both distributed and encrypted so it is very hard to "chop the head off"

  2. Re:good work by calmofthestorm · · Score: 3, Insightful

    It'd be a great project, though you do want to be careful, some of these viri are designed to do harm if disabled improperly, and some of these computers could be in situations where their failure could cause the loss of lives.

    Again, not saying don't do it...saying do it carefully.

    --
    93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  3. And meanwhile... by damn_registrars · · Score: 3, Insightful

    Another botnet is on the verge of picking up a good number of those systems. Within a very short while we'll see the spam levels right back where they were before. Anti-botnet activities are good when done in the name of anti-botnet activity, but they are weak efforts in the name of stopping spam. The way to stop spam is to fight it as the economic problem that it is; if people continue to go after the symptoms of spam like this they will continue to find themselves quickly thwarted.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:And meanwhile... by mcrbids · · Score: 4, Insightful

      The way to stop spam is to fight it as the economic problem that it is; if people continue to go after the symptoms of spam like this they will continue to find themselves quickly thwarted.

      Sure. Let's educate every farking idiot on the face of the earth. Just like we did with consumers the world over in every single city across the fruited plain. It's worked well for hundreds of years! "Buyer beware" and Heaven help you if you should get defrauded...

      What's that you say? We didn't do that? Instead, we instituted "consumer protection" laws that require vendors to adhere to minimal standards of conduct and safety? Laws that prevent manufacturers from making unsafe cars and selling poisoned food? You mean, I can go into pretty much any restaurant and be confident that I probably won't get some terrible disease from poorly cooked food and un-refrigerated meats?

      Yes, on the 'net, it's the wild, wild west, all over again. But now problems "over there" have become problems "over here", and suddenly, things like the sorry legal state of Nigeria and Somalia are in our face. Will we fix it overnight? No, but we will fix it. Sure, we'll never get rid of it completely - the Mafia still exists, and gangs still thrive in areas of the mostly controlled First World. (We can get greatly mitigate the gangs by legalizing their primary revenue stream, the drugs, but while related, that's another post)

      The thing is that by legally controlling the terms of commerce, we promote healthy commerce. Outlawing commerce altogether has roughly the same effect of not regulating it at all - fraud and crime sets in, legitimate business moves out. To control spam, we need to control commerce, world wide. And that's a big, big problem that will take at least a generation or two to handle.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    2. Re:And meanwhile... by damn_registrars · · Score: 5, Insightful

      Spam isn't so much an economics problem as a "some people are just dicks" problem

      That statement is accurate only for those who believe that spam is sent out to piss you off. Perhaps the spam you receive is somehow different from the spam that is sent to me? The spam that is sent to my addresses is sent to sell various products or services. And why is the spam sent to sell products? Because someone is paying the spammer to send it.

      Spam is a product that people are willing to pay for.

      Hence spam is a economic problem, because there is economic incentive to send it. Billions or trillions of spam messages can be sent at nearly no cost to the spammer; very little business needs to come from those spam messages to make them incredibly profitable.

      A lot of the problem with spam is the current system we use for email. It was never intended for such widespread use and has little-to-none in the way of authentication or security measures.

      I have yet to see a proposed replacement for the existing email system that actually suggests anything that would make a bit of meaningful difference for spam issues.

      You can encrypt emails for security sure, but it doesn't help get around the problem of spam..

      I agree with you on that. Encryption isn't worth squat in regards to spam.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    3. Re:And meanwhile... by pwilli · · Score: 1, Insightful

      If the spammer owned the email server, he wouldn't need much space to store spam mails. He could send out billions of notifications to potential receivers and create the spam mails on the fly when a receiver wants to download the mail.

      Not only would the spammer ultimately save bandwidth in this case by only sending the full mails to those who "requested" them by reacting to the notification, but he would get first class information about validity of email adresses. In addition, the receiver would have to do his own spam filtering, because his ISP likely can't decide if a notification is spam or not - and therefore will have to forward all notifications to the client (A notification may be completely unrelated to the actual mail that is waiting for delivery).

      If the mail server is not his own server, the spammer doesn't care for storage space requirements anyway and will keep on spamming as usual.

      Internet Mail 2000 would imho make most things even worse than they are, without providing any benefits besides "unlimited inbox size" - which is pretty much useless to most people.

  4. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  5. Re:good work by Fulcrum+of+Evil · · Score: 2, Insightful

    you are suggesting that someone hooked up a life critical system to the public internet? That in itself should be a felony.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  6. Re:good work by Interoperable · · Score: 2, Insightful

    Right...because the botnet was measured to be producing precisely 1/3 of the world's spam. I suspect that the original estimate was sufficiently inaccurate that more than one significant figure would not really be justified, let alone an exact value.

    --
    So if this is the future...where's my jet pack?
  7. Re:Legality? by JohnFen · · Score: 3, Insightful

    From reading all the FireEye blog posts on the operation, I can't find any point where they broke the law or even behaved in a way that violated anybody's rights.

    What they did was to coordinate things so that ISPs and domain registrars followed existing procedures to shut down sites and revoke domain names. They also found some domain names that were programmed to be used as fallbacks but had not yet been registered, then registered those.

    It looks like at no time did they actually hack anybody or penetrate computers, either innocent bystanders or guilty people, nor did they use the botnet themselves, so there's no legal or ethical problem here -- assuming their reports are complete and correct, obviously.

  8. What to do with the zombies by mattr · · Score: 2, Insightful

    We really need an analysis done and report made to the public security community. This is a unique chance to discover what are the real vulnerabilities to the mass of computing power on which criminals prey.

    A federal or state level court needs to authorize the researchers to do such an analysis. Even a single state would be enough, if the zombie IPs can be reliably mapped to that state. I would envision the analysis to include:

    - Make a full study of many individual zombie PCs: What antivirus, firewall, OS, applications, etc. are installed, including version numbers and a fingerprint (to identify whether they are super-vulnerable copies from warez sites, infected OEMs, etc.).
    - Monitor usage of a small number of PCs to identify what user habits lead to zombification, based on the theory that these PCs will become zombies of another botnet soon probably. What should be monitored, and for how long?
    - Contact (with law enforcement assistance) a small number of individual users to interview them. Publish anonymized interviews for representative cases so the public can better learn what constitutes dangerous habits.
    - Report anonymized individual representative cases, trends and statistics.

    Discuss whether the defanged botnet should be used to destroy other botnets. Too much discussion would alert the other net owners. People could opt in based on a message sent to infected PCs, if the authorities support it, but unless those bots are hardened they might open the owners to retaliatory attacks.

    At least, let's find out if antivirus really doesn't work, what habits led to botnet creation, and how can we alert zombie owners so they adopt more secure practices.

  9. Re:good work by shentino · · Score: 2, Insightful

    How much of it actually passes an integrity/authorization check like dkim or spf?

    Maybe if those were made more widespread we could do a good bit better job tracing and jailing these bastards... ...or blacklisting accomplice ISPs that don't give a rat's arse about the spam they are sending.

    Forgery allows spammers to operate anonymously.

  10. Re:WTF? by mpe · · Score: 2, Insightful

    Why is some obscure security firm doing the job that governments should have done 10 years ago?

    Exactly we hear about "researchers" even broadcasters doing this. But never about regular law enforcement...
    Governments don't appear interested it dealing with this. Probably because it isn't the (alleged) profits of the entertainments industry being affected.