Slashdot Mirror
Researchers Take Down a Spam Botnet
The Register is reporting on the takedown of a botnet once responsible for 1/3 of the world's spam. The deed was done by researchers from the security firm FireEye, who detailed the action in a series of blog posts. PC World's coverage estimates that lately the botnet has accounted for 4% of spam. From the Register: "After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. ... Almost immediately, the spam stopped, according to M86 Security blog. ... The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change. ... With [the] head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control..."
I'd like that too. Although, my IPCOP firewall with CopFilter installed has been killing 99.92% of the spam coming into our network. Really pleased with it.
On a more related note, would this be classed as vigilante justice? Justified?
I think its a cool idea for universities with security classes to study this kind of thing and 'bring it down - safely' as a project. I know I'd enjoy it.
and
Error 001
Security Scan and Virus Detection do not work with your operating system.
What's the Windows OS percentage of that botnet?
Not to mention a lot of people would be seriously PISSED and you'd be in deep legal shit for messing with other people's computers.. I'm sure these guys could still face possible trouble even for just admitting they've brought down the head of the botnets, but IMO they're pretty justified to do that. Wiping people's machines, while tempting, is just a no-no. If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.
which is totally what she said
Eh, depends what you're looking at. Other Botnets have been taken down, usually by physically arresting the hacker who started it. I'm sure that they've tried to stop other Spam Botnets before. They didn't actually STOP Ozdok, they just dented it a bit.
It's difficult to track how these things start because essentially you've got about a million breadcrumbs to go through.
Lets say you've got 3 computers, A, B, and C. A infects B, B infects C. There is no direct correlation between A and C, so you have to work your way all the way up the chain. Now imagine you've got a million infected PC's. Who infected who? How do you work your way backwards? There's lots of ways to do this, most simple of which is to look at the contacts and determine which of the contacts is infected. Then determine the time and date of which the infection occured (Date Modified/Date Created on the file). Whoever was first was who infected the others.
The problem with killing it is that it has a "multi layered fallback mechanism" - which is a fancy way of saying it replicates itself. It can do this by either having a secondary program or script copy itself back onto the infected PC when it detects the original infection is gone, or it can do this by RE-infecting any of the computers it was sent to infect in the first place.
I hope thats enough to make you stagger and wonder exactly how much damage they could have possibly done to this botnet.
Spam isn't so much an economics problem as a "some people are just dicks" problem. A lot of the problem with spam is the current system we use for email. It was never intended for such widespread use and has little-to-none in the way of authentication or security measures. You can encrypt emails for security sure, but it doesn't help get around the problem of spam..
which is totally what she said
You obviously don't work for an ISP, we have to drop SMTP-connections on everything which looks to much like a bot just because of the large number of connection that we get, so we're able to have the legit connections and because scanning all the content would just be to much to handle.
You would be amazed at the volumes of e-mail ISP's get. More then 98% of it is crap you don't want to receive.
New things are always on the horizon
"You keep what you kill."
Now... what to do with this enormous botnet?
------ The best brain training is now totally free : )
I'm not against taking down a botnet. But I still think that basic laws are more important. If we don't apply the same rights on really everybody, those "rights" become meaningless.
FireEye isn't exactly a police or government agency. How exactly can they raid zombie computers of private people? I can't think of any way that this is legal. Which does not make them better than what they are "prosecuting" (A term, that when associated with a private company, usually makes a crime itself.)
Is it like Blackwater? A bunch of criminals who like to legally murder and beat up people? Just that here they like to raid computer systems?
If you take down a botnet, do it in a legal way!!
Any sufficiently advanced intelligence is indistinguishable from stupidity.
...the cynic in me wonders whether or not the researchers might be risking legal problems by doing this (at least in Illinois, Colorado, Delaware, Michigan, Oregon, Pennsylvania, and Wyoming and possibly Arkansas, Florida, Georgia, Massachusetts, Tennessee, and Texas as well).
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.
Ever read Frank Herbert's The White Plague? It's about a scientist on a trip to Ireland who loses his family in an IRA bombing. He goes nuts and engineers a virus to kill every woman on the planet, figuring "if it has to happen to me, then I'm going to share my misery with the world."
Where am I going with this?
We have some pretty epic hackers on the planet. Guys who can disassemble code by looking at it. Guys who don't give one billionth of a crap about legality. Doubt me? Go check your local torrent tracker. There are groups of people out there who break commercial software all the time. They do it for breakfast.
How much harder could hacker-originated code like botnets be?
Eventually you're going to get some hacker who has simply had enough. And he's going to form the internet version of the Lincoln County Regulators, go rogue, figure out every botnet they can get their hands on, and wipe every single PC they can right through the bot's command channel.
It's not IF, it's WHEN.
Remember - you heard it here first. This is going to happen. Some holier-than-thou uberhacker is going to figure "fuck 'em if they can't handle basic security - they're fucking up MY INTERNET" and lay waste to them all, nuke-it-from-orbit style.
I'm honestly surprised it hasn't happened yet.
Weaselmancer
rediculous.
>more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control
It's not enough, those 264k IP adresses, should be sent out to a sort of ISP provider sanctuary where
they need to contact the people who have the infected pcs, and tell them to clean their machines, just
leaving the machines with a ongoing malware pinging back home, might still be able to get owned.
They need to take down those infected that they know is infected, and force those users to update or get fixed.
They are a threat to the internet, and need to be delt with...maybe cutting them off the internet for awhile would make them call in
their ISP and then they could be warned they had been owned, and need to clean their pcs.
Any further attempts on their machines parts to contact that same "hole" would force them again to be locked out...until such time
they fixed their machines, no?