Researchers Take Down a Spam Botnet

← Back to Stories (view on slashdot.org)

Researchers Take Down a Spam Botnet

Posted by kdawson on Tuesday November 10, 2009 @11:26AM from the chalk-up-one-for-the-good-guys dept.

The Register is reporting on the takedown of a botnet once responsible for 1/3 of the world's spam. The deed was done by researchers from the security firm FireEye, who detailed the action in a series of blog posts. PC World's coverage estimates that lately the botnet has accounted for 4% of spam. From the Register: "After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. ... Almost immediately, the spam stopped, according to M86 Security blog. ... The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change. ... With [the] head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control..."

163 of 207 comments (clear)

Min score:

Reason:

Sort:

good work by HalifaxRage · 2009-11-10 11:30 · Score: 1

now get going on the other 96%

--
bomb the us up set someone
1. Re:good work by Romancer · 2009-11-10 11:38 · Score: 1
  
  So it took them how long between the time it was generating 30% and now when it is generating 4%?
  That's a little too late guys.
  
  --
  
  ) Human Kind Vs Human Creation
  ) It'd be interesting to see how many humans would survive to serve us.
2. Re:good work by socceroos · 2009-11-10 11:41 · Score: 1, Interesting
  
  I'd like that too. Although, my IPCOP firewall with CopFilter installed has been killing 99.92% of the spam coming into our network. Really pleased with it.
  
  On a more related note, would this be classed as vigilante justice? Justified?
  
  I think its a cool idea for universities with security classes to study this kind of thing and 'bring it down - safely' as a project. I know I'd enjoy it.
3. Re:good work by calmofthestorm · 2009-11-10 11:44 · Score: 3, Insightful
  
  It'd be a great project, though you do want to be careful, some of these viri are designed to do harm if disabled improperly, and some of these computers could be in situations where their failure could cause the loss of lives.
  Again, not saying don't do it...saying do it carefully.
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
4. Re:good work by socceroos · 2009-11-10 11:49 · Score: 1
  
  I heartily agree. Hence the 'safely' part. =)
  
  Identifying exactly what is infected and where would be a colossal task. Especially when you consider that you have to identify 'mission critical' hardware.
5. Re:good work by Lennie · 2009-11-10 12:04 · Score: 4, Interesting
  
  You obviously don't work for an ISP, we have to drop SMTP-connections on everything which looks to much like a bot just because of the large number of connection that we get, so we're able to have the legit connections and because scanning all the content would just be to much to handle.
  
  You would be amazed at the volumes of e-mail ISP's get. More then 98% of it is crap you don't want to receive.
  
  --
  New things are always on the horizon
6. Re:good work by socceroos · 2009-11-10 12:10 · Score: 1
  
  Yeah, the Australian ISP that we go through (Telstra) actually forces everyone to use their SMTP servers to send email. According to a friend that works there, they do scan all these emails for spam content (can't confirm). I absolutely loath it. Although that doesn't stop anyone outside the country sending spam in.
7. Re:good work by jamesh · 2009-11-10 12:14 · Score: 1
  
  some of these viri are designed to do harm if disabled improperly, and some of these computers could be in situations where their failure could cause the loss of lives.
  If you have a computer that could fail in such a way that lives could be lost, and the computer is in a situation where it has enough connectivity to the internet to form part of a botnet, then all bets are off anyway.
  IMHO, the best way to resolve the botnet is to overwrite the bootsector (but not the partition table) and do a hard reboot. Easy to recover from and minimises the further damage that could be done. Also resolves the "lives could be list" problem.
8. Re:good work by sanso999 · 2009-11-10 12:15 · Score: 1
  
  I love how, in the midst of this tech talk, there is comparison being made between 1/3 and 4%. Reminds me of that problem with the space craft and metric.
9. Re:good work by Fulcrum+of+Evil · 2009-11-10 12:17 · Score: 2, Insightful
  
  you are suggesting that someone hooked up a life critical system to the public internet? That in itself should be a felony.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
10. Re:good work by MadnessASAP · 2009-11-10 12:19 · Score: 1
  
  Well 1/3 is hard to express as a percentage.
  
  --
  I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
11. Re:good work by Falconhell · 2009-11-10 12:22 · Score: 1
  
  Approximately 33.3% is SO difficult to write after all!
12. Re:good work by Ash+Vince · 2009-11-10 12:24 · Score: 1
  
  It'd be a great project, though you do want to be careful, some of these viri are designed to do harm if disabled improperly, and some of these computers could be in situations where their failure could cause the loss of lives.
  Well then hopefully harm will be done, and users whos machines have been sending me spem for the past three years will lose a shitload of data and learn to implement better security in future. Sorry, but I really do thing the only way people learn to adopt a more responsible attitude to IT security is when it is thumped into them why they should.
  
  --
  I dont read /. to RTFA, I read /. to offend people in ignorance.
13. Re:good work by techno-vampire · 2009-11-10 12:24 · Score: 1
  
  I have two questions: first, has what they're doing put a significant dent into the load of spam originating in Australia? Second, is the delay caused by scanning small enough not to be an issue? If the answers to both questions are "yes," I see no problem with it. If not, what problems do you find it causing?
  
  --
  Good, inexpensive web hosting
14. Re:good work by calmofthestorm · 2009-11-10 12:24 · Score: 1
  
  Oh indeed. But guess what: They are. Maybe in the obvious stupid way, maybe it's a computer that used to be an office machine and got repurposed (intentionally or accidentally) without a reimage. Maybe there's a firewall snafu.
  Although loss of life is the obvious example of oh-shit resulting from computer failure, there are many, MANY situations where it could lead to tremendous loss of capital (remember back when the LSE went down for a day due to using MS software a few months ago?
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
15. Re:good work by interkin3tic · 2009-11-10 12:30 · Score: 1
  
  some of these viri are designed to do harm if disabled improperly, and some of these computers could be in situations where their failure could cause the loss of lives.
  Wow. What is the motivation behind this? Hoping that people will be afraid to run cleanup on their infected computers, keeping the botnet from shrinking? Some bullshit like "my victims deserve to be screwed over so I'm going to make sure to do as much damage after I'm done with them?"
16. Re:good work by socceroos · 2009-11-10 12:32 · Score: 1
  
  But that's only approximate! Expressed as 1/3 ensures there is no room for error when calculating.
17. Re:good work by socceroos · 2009-11-10 12:37 · Score: 1
  
  The motivation? I've heard it described by some friendly 'hackers' as, and I quote, "for the lols".
18. Re:good work by calmofthestorm · 2009-11-10 12:39 · Score: 1
  
  Not always intentionally so designed, though that can be a cause. The crippling effects are just as often a result of the elaborate things viri do to hide themselves and prevent removal.
  For example, suppose a virus is designed to patch a system DLL so that it includes a copy of the virus. Now suppose that the patch basis it's using disagrees from thecurrent version of the DLL. GNU Patch would refuse to do the patch if it couldn't be done safely, but the viruses doing binary patches on DLLs may not be so concerned with data integrity.
  Similar nastiness in the registry, and you can have a system failure waiting to happen. And with Windows, even modern ones, many failure types are sufficient to crash the system.
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
19. Re:good work by Interoperable · 2009-11-10 12:40 · Score: 2, Insightful
  
  Right...because the botnet was measured to be producing precisely 1/3 of the world's spam. I suspect that the original estimate was sufficiently inaccurate that more than one significant figure would not really be justified, let alone an exact value.
  
  --
  So if this is the future...where's my jet pack?
20. Re:good work by socceroos · 2009-11-10 12:42 · Score: 1
  
  It has caused email systems to be slower, yes. Emails that would otherwise arrive instantly are actually taking minutes, and on some rare occasions, hours to traverse the tubes to their intended destination. Plus, personally I don't like ISP's grabbing control of my email and 'scanning for spam'. Paranoia? Maybe, but I'd rather be on the safe side.
21. Re:good work by sjames · 2009-11-10 12:46 · Score: 1
  
  I would argue that if the system is THAT critical, it should have been kept virus free. The fact that it's part of a botnet could be taken to mean the owner doesn't particularly care if it fails somehow. Those of us who actually bother to look in on our servers from time to time are really tired of "OMG the indoor dog potty" and such coming from those who don't.
22. Re:good work by socceroos · 2009-11-10 12:50 · Score: 1
  
  Check.
  
  I'm going to fall back to my backup argument: writing 1/3 is easier and quicker than writing 33.3%.
23. Re:good work by Tynin · 2009-11-10 13:23 · Score: 1
  
  Comically, not scanning for spam can cause spammers to recognize your servers are a safe haven, and the amount of spam can rise. As the amount of mail rises, the time it takes to process it goes up and delays occur. Putting in a spam filtering/scanning solution shouldn't increase the time it takes to get through the system by all that much and should decrease the levels of spam you get. Obviously it could have even bigger slow downs in the filtering/scan solution given a large enough amount of spam, but generally these solutions are setup in rather large clusters of servers to handle the load or at least that is my experience.
  
  Having worked at a major hosting provider and a few ISPs, it was simply staggering how much spam would come through. It is hard to make email instant at a company level, it is crazy hard to make email instant when you host hundreds of thousands of domains who use you for their MX. Staggering... is such an understatement.
  
  Anyhow, don't want your ISP's mail server logic screening through your email? Setup your own mail server, and welcome to the world of personally managing your own spam hell.
24. Re:good work by socceroos · 2009-11-10 13:33 · Score: 1
  
  They don't scan incoming mail, only outgoing mail from any client connected to their network.
  
  This is a key point.
  
  They don't actually filter all your incoming mail for you for spam content, they only check all the mail you send from your mail server or any of your mail clients.
  
  I do actually maintain an email server for the company I work for. The ammount of spam that is blocked daily from getting into our network (blocked at the perimeter by IPCop) is truly amazing. And that's only for an average SMB.
25. Re:good work by MadnessASAP · 2009-11-10 14:03 · Score: 1
  
  Ahhh... touche, at least someone else here is thinking.
  
  --
  I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
26. Re:good work by Kalriath · 2009-11-10 14:35 · Score: 1
  
  Because, dumbass, then we'd just have more OSX viruses. And we all know how fast Apple is at fixing flaws.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
27. Re:good work by Kalriath · 2009-11-10 14:39 · Score: 1
  
  For example, suppose a virus is designed to patch a system DLL so that it includes a copy of the virus. Now suppose that the patch basis it's using disagrees from thecurrent version of the DLL. GNU Patch would refuse to do the patch if it couldn't be done safely, but the viruses doing binary patches on DLLs may not be so concerned with data integrity.
  Funnily enough, that's exactly why Blaster resulted in so many crashes - it was written to patch the RPC Subsystem, and on virtually every copy of Windows current at that time it patched with the wrong addresses (as the library was updated between the time of the virus writing and its release), causing the service to crash. When it crashed, Windows would immediately initiate a reboot, as the RPC service is considered critical.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
28. Re:good work by Tynin · 2009-11-10 15:22 · Score: 1
  
  Ah, the bastards. Well, at least they are likely keeping their network from spewing spam out to the world. But I agree with your paranoia, they wouldn't need to scan your outgoing mail to determine spam, just monitoring network traffic patterns (although I guess a low intensity spammer could avoid detection). Thanks for the clarification.
29. Re:good work by Anonymous Coward · 2009-11-10 15:29 · Score: 1
  
  1/3 is 0.3 or (30%)
  1/3 + 1/3 + 1/3 = 3/3 or 1
  0.3 + 0.3 + 0.3 = 0.9.
  So... 1 = 0.9?
  Did I just fail?
30. Re:good work by fizzer06 · 2009-11-10 15:32 · Score: 1
  
  It's been a long time, but isn't it something like "33.33333%" with the last couple of 3's having a bar above them? (I don't know how to duplicate that on my keyboard).
31. Re:good work by Verdatum · 2009-11-10 15:37 · Score: 1
  
  I notice that the article is tagged with "vigilante". While we're at it, let's go the next step:
  "What are you!?!"
  "I'm Botman."
32. Re:good work by shentino · 2009-11-10 17:29 · Score: 1
  
  Whoopdedoo, now we have high tech learning how to take hostages.
  Don't negotiate with terrorists.
  I hear that abductions in china (by non government entities at least) are rare because the chinese authorities are ruthless and give no quarter, so the bad guys know they can't win just by taking a hostage.
33. Re:good work by shentino · 2009-11-10 17:33 · Score: 2, Insightful
  
  How much of it actually passes an integrity/authorization check like dkim or spf?
  Maybe if those were made more widespread we could do a good bit better job tracing and jailing these bastards... ...or blacklisting accomplice ISPs that don't give a rat's arse about the spam they are sending.
  Forgery allows spammers to operate anonymously.
34. Re:good work by socceroos · 2009-11-10 17:35 · Score: 1
  
  Thank you, sir, for clarifying my light hearted point.
35. Re:good work by Phroggy · 2009-11-10 17:53 · Score: 1
  
  Just on my tiny little server I run at home for a handful of friends and family, with one single domain, I block an average of 416 SMTP connections per day based solely on DNSRBLs plus another 876 per day based on a slew of custom rules I've developed. After that, SpamAssassin blocks 82 messages per day and quarantines 48 more.
  That's something in the neighborhood of one spam attempt EVERY MINUTE of every day, 24/7/365, on a tiny little personal server hosting only one domain for a small handful of users.
  
  --
  $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
  $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
36. Re:good work by simoncpu+was+here · 2009-11-10 19:36 · Score: 1
  
  Yes, that's correct. "For teh lulz."
37. Re:good work by mpe · 2009-11-10 19:40 · Score: 1
  
  Yeah, the Australian ISP that we go through (Telstra) actually forces everyone to use their SMTP servers to send email. According to a friend that works there, they do scan all these emails for spam content (can't confirm).
  
  Which means they also provide a service for spammers to find out what is likely to get through spam filters. (Or at least through Telstra's).
38. Re:good work by houghi · 2009-11-10 20:08 · Score: 1
  
  Not instantly, but minutes and sometimes hours? Kids these days. Look up the SMTP protocol. It is not intended to be an instant messenger. There are even almost standard responses after certain times. First it says NOT to re-send the message, but the system is still trying (which causes people to re-send the email immediately) then after 4 days of trying at different intervals, it will tell you it won't be able to send the message.
  That is if all seems to be well. Otherwise other messages arrive.
  Email is like electronic-mail. Mail is not intended to be instant. It needs to be processed. If you want messages instantly deliverd, you should use something that is intended to be used as for instant messaging.
  
  --
  Don't fight for your country, if your country does not fight for you.
39. Re:good work by Rick+the+Red · 2009-11-10 20:53 · Score: 1
  
  So, what happened? Did its volume drop from 33.3% to 4%, or did its volume stay the same and the total spam problem got that much larger?
  
  --
  If all this should have a reason, we would be the last to know.
40. Re:good work by Erik+Hensema · 2009-11-10 22:48 · Score: 1
  
  How do you determine an smtp connection to be 'too much like a bot'? I'm genuinely interested because I'd like to be able to do that too.
  
  --
  This is your sig. There are thousands more, but this one is yours.
41. Re:good work by CmdrGravy · 2009-11-11 00:20 · Score: 1
  
  No chance.
  Guess what, people designing systems on which peoples lives actually directly depend do not simply rip out some old box from an office when they need a new server.
  Likewise any system like the stock exchange, in situations like that companies don't care how much money they throw at stuff and since it's their money they're going to be losing if it goes wrong they are generally very careful indeed about randomly hooking up critical infrastructure to the internet.
42. Re:good work by Random5 · 2009-11-11 04:09 · Score: 1
  
  The problem is this is no longer consistent with how people use email. I'm well aware of how SMTP was designed, but these days people have an expectation of an email arriving within 5 minutes and it tends to disrupt business processes when it takes any longer than this.
43. Re:good work by Random5 · 2009-11-11 04:25 · Score: 1
  
  (oops).... and there is no good replacement for it that is instantaneous. If an email is not arriving in my experience most people will send a fax, because they know as they send it that within 5 minutes it will either be there or they'll get an error from the originating fax machine.
  
  No instant messaging services (at least none that I've heard of) provide easy sending of attachments (usually they require a direct connection between the PCs running the software which is difficult in the land of NAT and firewalls), they only support a couple of sentences of text and most importantly they do not allow you to communicate with someone who you have not communicated with before easily.
  
  Google Wave is close to what's needed here (it's very instantaneous, supports attachments, advanced formatting, communicating with anyone whose google wave address you know even if they haven't got you on their contacts list etc...
  
  We need an upgrade of the delivery and read verification use and handling - say light up emails blue in the 'sent items' folder once they've been received by the recipients server, then green once they've been read. Have a combination indicator where there are multiple recipients and highlight their names in these colours in the To field when you check the email. The current implementation in outlook is horrible and not very supported among other email providers.
44. Re:good work by Random5 · 2009-11-11 04:26 · Score: 1
  
  You don't think spammers are capable of doing this anyway? I guarantee you they're already doing this for every major webmail provider out there.
45. Re:good work by Alioth · 2009-11-11 04:27 · Score: 1
  
  Think yourself lucky. On my personal email address alone, I hit a new record on Tuesday - 1219 spam emails in just one day, to just one account. The amount of spam for the last few months has really started to climb rapidly, I expect that I'll be getting in excess of 2000 spam emails to this one account per day within 4 months.
  Fortunately, SpamAssassin catches all but a very small handful.
  
  --
  Oolite: Elite-like game. For Mac, Linux and Windows
46. Re:good work by NotBornYesterday · 2009-11-11 04:52 · Score: 1
  
  1 = 0.9 only for very small values of 1.
  
  --
  I prefer rogues to imbeciles because they sometimes take a rest.
47. Re:good work by sabt-pestnu · 2009-11-11 12:42 · Score: 1
  
  Sadly, it does happen that computers that are on critical care monitoring systems get infected.
  One example? A stand-alone system (or connected to internal LAN *only*). Someone brings their USB key in with the latest video from You-tube. Voila. If not the video itself, then the USB key.
48. Re:good work by Jared555 · 2009-11-11 20:19 · Score: 1
  
  Lots of hospital computers are not life critical but could significantly increase the risk of someone dying if they fail. The networked machines that an ICU has that show every person's vitals (I think some hospitals have this on big screens above the nurses station similar to how NOC employees monitor their networks) could fail without someone dying, but you now have to manually go and check every system every so many minutes taking time away from treating patients.
  I believe similar monitoring is done in normal hospital rooms anymore depending on the hospital. You may not hear the alarm on the heart monitor when the nurses station is 200 feet away and the door is closed. Many of these systems are networked so that those same nurses/doctors can pull up test information (even MRI or X-Ray results) sometimes even as the tests are being done. Not every facility has the budget to maintain 2 or more completely isolated networks.
  The system that was in my hospital room last time (surgical recovery) was a wireless networked laptop (windows xp) that they used to verify medications/patient arm bands/etc. If this would fail, do they have backup systems (paper), probably if they are up to date with the computers. Is it going to increase risk of human error, especially with staff who are used to relying on the computer systems, yes.
  The point of this massive post is, even if the system itself failing doesn't mean someone is going to die as a direct result, in a hospital there is a pretty good probability that it could significantly increase the risk of someone dying because they couldn't have an cat scan done because the computer crashed, etc.
49. Re:good work by Jared555 · 2009-11-11 20:24 · Score: 1
  
  The fun part is not just the people designing the medical equipment can be at fault. (Computers just running software that interacts with the equipment, etc. can be almost as life critical as the equipment itself.)
  I am almost positive the MRI machines at one nearby hospital are at least indirectly connected to the internet as they can send the results through the network to whoever ordered the test, even while the test is being done. I could see a plus as long as this is done correctly as the company that manufacturers or maintains the equipment could have their own monitoring in place to detect early warning signs of failure (or over irradiation in the case of x-ray and cat machines, from an earlier article)
50. Re:good work by Jared555 · 2009-11-11 20:26 · Score: 1
  
  The point isn't loss of data, it is loss of the lives of people who had nothing to do with the security of the systems.
51. Re:good work by Ash+Vince · 2009-11-12 01:19 · Score: 1
  
  If anyone responsible for machine that is crucial to keep someone alive lets the PC get infected with malware they are so inept I do not even want to think about it. This is just not a realistic situation apart from in a 1 in a million corner case of the utmost stupidity.
  
  --
  I dont read /. to RTFA, I read /. to offend people in ignorance.
52. Re:good work by sglines · 2009-11-12 01:23 · Score: 1
  
  I can attest to the volume of junk passed as email. I've had the same email address since the early 1990's. I get ~30 legitimate emails a day. My filters (Spamassassin, RTBL's and iptables - yes I run Linux) reject between 3,000 and 8,000 emails every day.
53. Re:good work by DaVince21 · 2009-11-12 10:58 · Score: 1
  
  But that's not 1/3rd, it's just an approximation!
  
  --
  I am not devoid of humor.
54. Re:good work by DaVince21 · 2009-11-12 11:25 · Score: 1
  
  Unfortunately, the reply from FireEye is that it would be illegal, even if there are "good" intentions behind it, so they won't be doing it.
  
  --
  I am not devoid of humor.
55. Re:good work by Lennie · 2009-11-17 08:14 · Score: 1
  
  The spammers were the first to adopt dkim/spf and put in DNS some of the IP-adddresses of the botnet.
  
  --
  New things are always on the horizon
56. Re:good work by Lennie · 2009-11-17 08:28 · Score: 1
  
  We use a scoring system, we have a number of checks on the systems which only mailservers should be talking to, like:
  - is the SMTP-client adhering to the standard. using an EHLO/HELO and is the hostname used with the HELO a FQDN
  - is the IP-address on a number of DNS-BL's
  - is the IP-address sending a lot of messages in a _very_ short time
  - does the FQDN match with the rev. DNS hostname of the IP-address
  - does the IP-address have a dynamic IP-address in the rev. DNS hostname, like 123.123.123.123.dyn.dsl.provider
  
  if the score is to high, trow it at greylisting, if everything seems mostly ok, let it try to deliver a message.
  
  have a look at: postfix, postfwd and postscreen
  
  We don't use postscreen yet, but we will add it later. Postscreen also checks what spamd from OpenBSD already can do for years: is the SMTP-client waiting for replies from the SMTP-server. And similair checks. If not, it's probably a spammer just trying to stream all the SMTP-commands as fast as possible.
  
  I think that's enough to get started. :-)
  
  --
  New things are always on the horizon
Any more? by SatanClauz · 2009-11-10 11:35 · Score: 1

Are there any more that have been taken down? This is honestly the first i've ever heard of!
Now, part two: I don't know how these things work, but, why does it seem so hard to track these things down and find the source?
1. Re:Any more? by Binder · 2009-11-10 11:42 · Score: 2, Insightful
  
  Well... first you have to find their command and control channels. Then you have to figure out how they work. Many times the command and control is both distributed and encrypted so it is very hard to "chop the head off"
2. Re:Any more? by socceroos · 2009-11-10 11:47 · Score: 1
  
  I'm not sure its so much about finding the source as it is figuring a fool-proof way of taking it down legitimately, legally and permanently.
3. Re:Any more? by Monkeedude1212 · 2009-11-10 11:55 · Score: 4, Interesting
  
  Eh, depends what you're looking at. Other Botnets have been taken down, usually by physically arresting the hacker who started it. I'm sure that they've tried to stop other Spam Botnets before. They didn't actually STOP Ozdok, they just dented it a bit.
  It's difficult to track how these things start because essentially you've got about a million breadcrumbs to go through.
  Lets say you've got 3 computers, A, B, and C. A infects B, B infects C. There is no direct correlation between A and C, so you have to work your way all the way up the chain. Now imagine you've got a million infected PC's. Who infected who? How do you work your way backwards? There's lots of ways to do this, most simple of which is to look at the contacts and determine which of the contacts is infected. Then determine the time and date of which the infection occured (Date Modified/Date Created on the file). Whoever was first was who infected the others.
  The problem with killing it is that it has a "multi layered fallback mechanism" - which is a fancy way of saying it replicates itself. It can do this by either having a secondary program or script copy itself back onto the infected PC when it detects the original infection is gone, or it can do this by RE-infecting any of the computers it was sent to infect in the first place.
  I hope thats enough to make you stagger and wonder exactly how much damage they could have possibly done to this botnet.
4. Re:Any more? by Entropius · 2009-11-10 12:22 · Score: 1
  
  Why does it have to be done legitimately and legally?
  When the law is habitually incapable of solving a problem, it should be solved extralegally.
5. Re:Any more? by socceroos · 2009-11-10 12:45 · Score: 1
  
  I tend to agree. But, this still excludes many institutions and agencies from actually being able to devote resources to such things without being fearful of the law.
6. Re:Any more? by shentino · 2009-11-10 17:35 · Score: 1
  
  Especially if they have a mccolo type back door to run away through.
7. Re:Any more? by physburn · 2009-11-10 18:17 · Score: 1
  
  Its a major reversing engineering effect to find out a botnet is controlled. First you'd need to a get access to a computer running the bot, and get the code, decompile it, and find out we're its reporting to, then you have to take down every controlling system. Not easy, and not something down for fun. ISP should club together and fund more security operations against botnets. Like the impressive effect in the article.
  ---
  Computer Security Feed @ Feed Distiller
8. Re:Any more? by mpe · 2009-11-10 19:54 · Score: 1
  
  Why does it have to be done legitimately and legally?
  When the law is habitually incapable of solving a problem, it should be solved extralegally.
  
  "The law" has plenty of weapons available. As well as being able to act "creativly" when it wants to.
  If the police can raid (and shut down) a business which might be using a few too many copies of some obscure piece of software they can most certainly do the same kind of thing to the likes of McColo.
9. Re:Any more? by LowTechSwede · 2009-11-10 21:33 · Score: 1
  
  It's just so sad that they don't. The cost of spam to the world must heavily outweigh the cost of copyright infringements, even if you don't happen to share my view that the true cost of most copyright infringements is zero for the owner and beneficial for the world at large. On top of that you have all the harm the botnetters cause to all those inadvertent botowners and all of us who try to protect ourselves from becoming one.
10. Re:Any more? by VisceralLogic · 2009-11-11 05:56 · Score: 1
  
  I hope thats enough to make you stagger and wonder exactly how much damage they could have possibly done to this botnet.
  If you read the actual FireEye blog, it seems like they've got a pretty good handle on it...
  
  --
  Stop! Dremel time!
11. Re:Any more? by GameboyRMH · 2009-11-11 06:06 · Score: 1
  
  physically arresting the hacker who started it.
  AKA Meatsnarfing
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
12. Re:Any more? by DaVince21 · 2009-11-12 11:28 · Score: 1
  
  Because FireEye doesn't want to get in legal trouble?
  
  --
  I am not devoid of humor.
Patches? by l0perb0y · 2009-11-10 11:37 · Score: 1

I hope they'll patch these machines. Otherwise, how long will it be before the bot wrangler just takes his net back?

Better yet, just wipe the hard drives. The users might think harder about security if something other than their net connection gets abused.
1. Re:Patches? by socceroos · 2009-11-10 11:43 · Score: 1
  
  Wiping their computers would slow things down, but it certainly wouldn't change anything. They'd be at it again as soon as they were back up and running with an OS.
2. Re:Patches? by somersault · 2009-11-10 11:51 · Score: 2, Interesting
  
  Not to mention a lot of people would be seriously PISSED and you'd be in deep legal shit for messing with other people's computers.. I'm sure these guys could still face possible trouble even for just admitting they've brought down the head of the botnets, but IMO they're pretty justified to do that. Wiping people's machines, while tempting, is just a no-no. If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.
  
  --
  which is totally what she said
3. Re:Patches? by SydShamino · 2009-11-10 12:21 · Score: 1
  
  I'm sure these guys could still face possible trouble even for just admitting they've brought down the head of the botnets
  And what exactly have they done that's illegal? They registered some domain names. They reported domain names used by spammers to their registrars, with documentation, and those registrars cut off the domains. They reported IP addresses used by spammers to their hosts, and those hosts cut off the IP addresses. They have received botnet requests at their sinkhole, but they are merely logging IP addresses, not returning commands to the botnet. They'll use the IP addresses to one-by-one have the ISPs notify their customers.
  There's no law that says you can't do any of the above things. If the botnet was written so that lack of command from a control server resulted in destruction, then the botnet creators are solely responsible. If you stopped a robber and, as a result, the robber's hostage at home died from dehydration, do you get charged with murder? No, they do.
  
  --
  It doesn't hurt to be nice.
4. Re:Patches? by nneonneo · 2009-11-10 13:27 · Score: 1
  
  In all likelihood, they couldn't send commands even if they wanted to: modern botnets typically check incoming data against an internally held digital signature, and so forging commands is extremely difficult (basically impossible) without the private key which corresponds to the signature.
5. Re:Patches? by Nefarious+Wheel · 2009-11-10 14:04 · Score: 1
  
  Not to mention a lot of people would be seriously PISSED and you'd be in deep legal shit for messing with other people's computers.. I'm sure these guys could still face possible trouble even for just admitting they've brought down the head of the botnets, but IMO they're pretty justified to do that. Wiping people's machines, while tempting, is just a no-no. If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.
  I was about to post a "yes, take the bots down, destroy them" comment -- then thought, hey - that sword cuts two ways. If one group gets away with vigilante destruction of targeted systems, then what's the difference if a group we don't agree with - say, the RIAA or MPAA - starts using this precedent as justification and starts taking down systems themselves? Slippery slope doesn't *begin* to describe it.
  The problem is - once you start bypassing the justice system for good reasons, it becomes easier to do it for bad ones. Take it to the courts with a winning strategy and let them take them down. That way at least you might get public funding for bringing the bastards under the gun.
  
  --
  Do not mock my vision of impractical footwear
6. Re:Patches? by Plekto · 2009-11-10 14:55 · Score: 1
  
  Better yet, just wipe the hard drives. The users might think harder about security if something other than their net connection gets abused.
  Easier yet would be to add those infected machines to the block lists. That would get people's attention just as well and keep them from infecting others.(as a side effect, most ISPs would find their entire cable modem DNS ranges blocked, but no big loss there... might actually prompt them to get serious about spam, even.)
7. Re:Patches? by somersault · 2009-11-10 22:23 · Score: 1
  
  It was the wording of the summary led me to believe they'd actively attacked the control channels rather than doing everything legally, my bad.
  
  --
  which is totally what she said
8. Re:Patches? by Erik+Hensema · 2009-11-10 23:05 · Score: 1
  
  Won't work at all. First of all they're using hotmail to send their mail. Everybody uses hotmail, right?
  Second, if they're using their ISP's smarthost, that smarthost will most likely happily accept any mail. And the smarthost won't be on a blacklist, since the botnet will just do direct-to-mx.
  The only solution which is centrally enforceable is blocking smtp connections going out of the ISP network. Force endusers to use the ISP's smarthost. The botnet won't be able to do direct-to-mx, and the ISP can easily scan outgoing mail and block spammers.
  95% (I made that number up) of all spam you receive originates from ISPs which don't block outgoing SMTP connections. The remaining 5% is sent from hacked webservers, corporate accounts, through smarthosts, etc.
  So *please* encourage your ISP to filter outgoing SMTP connections. It makes the world a better place. If you don't like your ISP's smarthost, then just do SMTP AUTH over tcp port 587 to connect to some other smarthost outside their network.
  
  --
  This is your sig. There are thousands more, but this one is yours.
9. Re:Patches? by Plekto · 2009-11-11 04:53 · Score: 1
  
  Perhaps a simpler solution, then, might be for companies to block all incoming traffic from ISPs that don't do filtering and authorization. I guarantee that if Comcast's or Earthlink's customers suddenly can't get to YouTube/Goolge or Itunes because they have blocked those companies' entire DNS ranges, that will get them to enforce stricter traffic filtering.
  While there is net neutrality in theory, the reality is that these large companies can de-facto enforce any scheme that they want in this manner. It's their hardware, after all, and they can decide what they want to accept and run on it, after all. Google could easily just decide that it will only accept connections from ISPs who are compliant with what they consider "normal" security measures. Get serious about spam and security or explain to your angry customers why it all stopped working suddenly. Just three companies alone would be enough (Google, Apple, and Microsoft) to make bad ISPs shape up their act. And the controlled/hijacked smaller ones who don't comply quickly get added to the block lists after a month or two.
10. Re:Patches? by Uzuri · 2009-11-17 06:43 · Score: 1
  
  Why the hell do botnets have better security than stuff that really needs it? O.o
  
  --
  I'm a she-slashdotter... but I make up for it by living with my folks.
11. Re:Patches? by nneonneo · 2009-11-20 02:31 · Score: 1
  
  Simple capitalism: these things make money for the operators, so they have incentive to protect their assets; in the case of a botnet, this means protecting their zombie machines from being controlled by someone else, and preventing the machines from being easily cleaned.
Mega-D 2.0 by tacarat · 2009-11-10 11:40 · Score: 1

1) Counter-attack researchers
2) Analysis and evaluation
3) Rebuild and redeploy
4) Profit

Hopefully those hacked machines get addressed quickly. While the botnet itself is down, there's probably a few ways to grab the zombies and make a new system.

--
"Common sense will be the death of us all"
1. Re:Mega-D 2.0 by socceroos · 2009-11-10 11:57 · Score: 1
  
  No way! All this time, the three question marks was referring to Rebuild and redeploy?
2. Re:Mega-D 2.0 by tacarat · 2009-11-10 12:10 · Score: 1
  
  Yep. Just make sure you uncheck the "hide answer" option. Tools > Options > ROFLCOPTOR Config
  
  --
  "Common sense will be the death of us all"
Re:Good! by amicusNYCL · 2009-11-10 11:40 · Score: 4, Funny

Now I don't have to worry about throttled torrent downloads.
Uh right, problem solved there. In other news, once you get an oil change in your car you no longer have to rotate the tires.

--
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Wrong title, not 'taken down' by RichardDeVries · 2009-11-10 11:41 · Score: 5, Interesting

From TFA:

Only two command server were found to be located outside the USA. So does it mean that shutting these servers down would result in a complete botnet shut down? Keeping in view Ozdok's multi layered fallback mechanism the answer here is 'no'.
and

After seeing all these fallback mechanisms, it doesn't look very easy to kill Ozdok in one go but hurting this beast might not be that difficult.

--
Error 001
Security Scan and Virus Detection do not work with your operating system.
1. Re:Wrong title, not 'taken down' by Meshach · 2009-11-10 11:49 · Score: 1
  
  I guess that the important this is that this process will make a dent in the spammers processes.
  
  Until now attempts to actually trace and shut down have not been fruitful. I think the face that something was done is very positive.
  
  --
  "Maybe this world is another planet's hell"
  Aldous Huxley
2. Re:Wrong title, not 'taken down' by RichardDeVries · 2009-11-10 12:01 · Score: 5, Funny
  
  I agree, of course. However, I was pointing out that the claim the title makes is false. A spam botnet has been taken down when it is permanently disabled. (And the spammers themselves at the least publicly taunted by John Cleese, but that is my personal opinion).
  
  --
  Error 001
  Security Scan and Virus Detection do not work with your operating system.
3. Re:Wrong title, not 'taken down' by shentino · 2009-11-10 17:40 · Score: 1
  
  Sounds also like a damn good reason why it's futile trying to rely solely on US law enforcement to take these bad boys down.
  I bet several of them are hosted in countries that don't give a flying fuck about the US.
  Iran being one of them.
  I wouldn't be surprised if some governments even look the other way on purpose just to spite the west.
4. Re:Wrong title, not 'taken down' by RealGrouchy · 2009-11-11 06:21 · Score: 1
  
  What? Why waste John Cleese on that?
  Use an impersonator. A bad one. That'll punish them.
  - RG>
  
  --
  Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
Re:Good! by Yvan256 · 2009-11-10 11:42 · Score: 1

I learned about that just in time! I'm calling right away to cancel that tire rotation appointment I had for tomorrow!
What OS? by Yvan256 · 2009-11-10 11:43 · Score: 1, Interesting

What's the Windows OS percentage of that botnet?
1. Re:What OS? by socceroos · 2009-11-10 12:20 · Score: 1
  
  As the clients they do. But as always, Linux servers hog the bot controller market share.
2. Re:What OS? by tokul · 2009-11-10 12:32 · Score: 4, Interesting
  
  What's the Windows OS percentage of that botnet?
  
  http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99
  100%, minus controllers, that might run on any OS
3. Re:What OS? by bigredradio · 2009-11-10 13:01 · Score: 2, Funny
  
  See, Bill Gates wants a monopoly everywhere! Anti-trust! Anti-trust, help help I'm being repressed.
  
  --
  Flexible bare-metal recovery for Linux/UNIX
4. Re:What OS? by socceroos · 2009-11-10 17:41 · Score: 1
  
  Mhm, you make good points.
  
  ....but, I was only making a parody to the current statistics for market share with Linux v Windows on desktop and server. Oh well, I'd say whoosh....but I'm going to give you this one since I didn't include my closing tag () - I could have been a legitimate troll.
5. Re:What OS? by socceroos · 2009-11-10 17:42 · Score: 1
  
  Agh, dumb filter - the sarcasm tag.
6. Re:What OS? by NotBornYesterday · 2009-11-11 05:24 · Score: 1
  
  Nope. Turns out that when you figure what Bill's time is worth, it's cheaper to have someone with a H1B visa do it.
  
  --
  I prefer rogues to imbeciles because they sometimes take a rest.
Re:Good! by socceroos · 2009-11-10 11:44 · Score: 1

You forgot to include your closing sarcasm tag.
Call of Duty - Modern Warfare 2 by Jetrel · 2009-11-10 11:45 · Score: 1

Great work! I would of done it but I was at home sick... *Cough*

--
If it isn't broke, tinker with it till it is!
And meanwhile... by damn_registrars · 2009-11-10 11:45 · Score: 3, Insightful

Another botnet is on the verge of picking up a good number of those systems. Within a very short while we'll see the spam levels right back where they were before. Anti-botnet activities are good when done in the name of anti-botnet activity, but they are weak efforts in the name of stopping spam. The way to stop spam is to fight it as the economic problem that it is; if people continue to go after the symptoms of spam like this they will continue to find themselves quickly thwarted.

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
1. Re:And meanwhile... by somersault · 2009-11-10 11:57 · Score: 4, Interesting
  
  Spam isn't so much an economics problem as a "some people are just dicks" problem. A lot of the problem with spam is the current system we use for email. It was never intended for such widespread use and has little-to-none in the way of authentication or security measures. You can encrypt emails for security sure, but it doesn't help get around the problem of spam..
  
  --
  which is totally what she said
2. Re:And meanwhile... by Capt.DrumkenBum · 2009-11-10 12:22 · Score: 1
  
  Another botnet is on the verge of picking up a good number of those systems.
  I wouldn't be so sure about that. I seem to remember a year or so ago reading about someones honeypot experiment. One of the first things done to the machine after the hacker got access was to close several common vulnerabilities.
  I don't know about this botnet, but if I were an evil bastard who managed to take over your computer, the first thing I would do would be to make sure your computer stayed mine.
  In fact from time to time I have considered the possibilities of a virus that would turn on automatic updates, turn on the firewall, and install an anti-virus product.
  
  --
  If I were God, wouldn't I protect my churches from acts of me?
3. Re:And meanwhile... by popo · 2009-11-10 12:29 · Score: 1
  
  How exactly does one fight the economic problem? And does it involve giving everyone a pony?
  
  --
  ------ The best brain training is now totally free : )
4. Re:And meanwhile... by mcrbids · 2009-11-10 12:31 · Score: 4, Insightful
  
  The way to stop spam is to fight it as the economic problem that it is; if people continue to go after the symptoms of spam like this they will continue to find themselves quickly thwarted.
  Sure. Let's educate every farking idiot on the face of the earth. Just like we did with consumers the world over in every single city across the fruited plain. It's worked well for hundreds of years! "Buyer beware" and Heaven help you if you should get defrauded...
  What's that you say? We didn't do that? Instead, we instituted "consumer protection" laws that require vendors to adhere to minimal standards of conduct and safety? Laws that prevent manufacturers from making unsafe cars and selling poisoned food? You mean, I can go into pretty much any restaurant and be confident that I probably won't get some terrible disease from poorly cooked food and un-refrigerated meats?
  Yes, on the 'net, it's the wild, wild west, all over again. But now problems "over there" have become problems "over here", and suddenly, things like the sorry legal state of Nigeria and Somalia are in our face. Will we fix it overnight? No, but we will fix it. Sure, we'll never get rid of it completely - the Mafia still exists, and gangs still thrive in areas of the mostly controlled First World. (We can get greatly mitigate the gangs by legalizing their primary revenue stream, the drugs, but while related, that's another post)
  The thing is that by legally controlling the terms of commerce, we promote healthy commerce. Outlawing commerce altogether has roughly the same effect of not regulating it at all - fraud and crime sets in, legitimate business moves out. To control spam, we need to control commerce, world wide. And that's a big, big problem that will take at least a generation or two to handle.
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
5. Re:And meanwhile... by iris-n · 2009-11-10 12:32 · Score: 1
  
  In fact from time to time I have considered the possibilities of a virus that would format the hard disk.
  As a time bomb, you see.
  But I always think about the grannies losing the family photos and I give up.
  Or it could be distributed only through porn.
  Nothing against porn. But that would select out (most) grannies, leaving the stupid fucks who hunt for porn in IE6.
  Humm. I'm getting bitter. Better stop with the porn and get sex.
  
  --
  entropy happens
6. Re:And meanwhile... by damn_registrars · 2009-11-10 13:45 · Score: 1
  
  Sure. Let's educate every farking idiot on the face of the earth. Just like we did with consumers the world over in every single city across the fruited plain. It's worked well for hundreds of years! "Buyer beware" and Heaven help you if you should get defrauded
  If you somehow took what I said to mean that I wanted to do what you are suggesting, then I ask you to go back to read it again.
  
  To control spam, we need to control commerce, world wide. And that's a big, big problem that will take at least a generation or two to handle.
  That is a bit closer to what I was suggesting, but going from the opposing side of the same coin.
  
  --
  Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
7. Re:And meanwhile... by damn_registrars · 2009-11-10 14:00 · Score: 5, Insightful
  
  Spam isn't so much an economics problem as a "some people are just dicks" problem
  That statement is accurate only for those who believe that spam is sent out to piss you off. Perhaps the spam you receive is somehow different from the spam that is sent to me? The spam that is sent to my addresses is sent to sell various products or services. And why is the spam sent to sell products? Because someone is paying the spammer to send it.
  
  Spam is a product that people are willing to pay for.
  
  Hence spam is a economic problem, because there is economic incentive to send it. Billions or trillions of spam messages can be sent at nearly no cost to the spammer; very little business needs to come from those spam messages to make them incredibly profitable.
  
  A lot of the problem with spam is the current system we use for email. It was never intended for such widespread use and has little-to-none in the way of authentication or security measures.
  I have yet to see a proposed replacement for the existing email system that actually suggests anything that would make a bit of meaningful difference for spam issues.
  
  You can encrypt emails for security sure, but it doesn't help get around the problem of spam..
  I agree with you on that. Encryption isn't worth squat in regards to spam.
  
  --
  Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
8. Re:And meanwhile... by shentino · 2009-11-10 17:46 · Score: 1
  
  Joe jobs, for one. Sending spam advertising someone without their consent is a pretty damning smear tactic.
  I'd say to go after anyone that profits from spam. Considering how big a business it is (enough to have 95 percent of all emails be spam), there's probably quite a few stakeholders getting a piece of the pie.
  I say to give all those stakeholders some laxative and make them disgorge their ill-gotten dirty money.
  At the top of the list, ISPs that sign pink contracts and, in exchange for whopping payments, look the other way when their users spam.
  Also there's a jurisdictional challenge involved in dealing with spam outside the country you are policing.
9. Re:And meanwhile... by pwilli · 2009-11-10 18:16 · Score: 1, Insightful
  
  If the spammer owned the email server, he wouldn't need much space to store spam mails. He could send out billions of notifications to potential receivers and create the spam mails on the fly when a receiver wants to download the mail.
  
  Not only would the spammer ultimately save bandwidth in this case by only sending the full mails to those who "requested" them by reacting to the notification, but he would get first class information about validity of email adresses. In addition, the receiver would have to do his own spam filtering, because his ISP likely can't decide if a notification is spam or not - and therefore will have to forward all notifications to the client (A notification may be completely unrelated to the actual mail that is waiting for delivery).
  
  If the mail server is not his own server, the spammer doesn't care for storage space requirements anyway and will keep on spamming as usual.
  
  Internet Mail 2000 would imho make most things even worse than they are, without providing any benefits besides "unlimited inbox size" - which is pretty much useless to most people.
10. Re:And meanwhile... by KlaymenDK · 2009-11-10 22:42 · Score: 1
  
  Spam isn't so much an economics problem as a "some people are just dicks" problem
  That statement is accurate only for those who believe that spam is sent out to piss you off. [...] Spam is a product that people are willing to pay for.
  You and the GP are both correct -- the dicks are (also) to be found among those who are willing to pay. Yeah I know there's a double entendre there, but I'm just using the GP's wording here. What I mean is that spam wouldn't be so much of a problem if it wasn't profitable. Hence, part of the blame lies with the very, very few recipients who choose to become customers; they may not realise that in doing so they are pissing off the rest of us (on the other hand, if they do realise but just don't care, that's another issue and more difficult to deal with).
  
  --
  "Good news, everyone!"
11. Re:And meanwhile... by damn_registrars · 2009-11-11 00:20 · Score: 1
  
  Joe jobs are certainly one part of it.
  
  Another part is that a very significant share of the spamvertisements are for products that are being sold through countries that don't care at all about spam. Sure, your inbox may have thousands of emails from the "Canadian pharmacy", but that domain is likely registered in China and hosted in Russia. Hence there is nothing "Canadian" about (aboot?) it. And the people profiting from it are in countries where no authorities have any interest in stopping the spamming.
  
  --
  Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
12. Re:And meanwhile... by fritsd · 2009-11-11 09:01 · Score: 1
  
  What's the economic value of 500,000 messages that contains only the plain text "&GREETTEXT& hello Cynthia. we've got the best deals anywhere. time is money friend"?
  It poisons the Bayesian anti-spam filters, so that the real spam can get through more easily, and false positives (losing your real e-mail) becomes more likely, making you more likely to turn those anti-spam filters off.
  There's a strong bias in good spam filters; accidentally receiving some extra spam messages is perceived as much less harmful than accidentally destroying your legitimate e-mails.
  
  --
  To be, or not to be: isn't that quite logical, Slashdot Beta?
Jinx... by imaniack · 2009-11-10 11:47 · Score: 1

I just hope Netcraft does not jinx this by reporting premature death of botnets...
Re:Good! by MrNaz · 2009-11-10 11:49 · Score: 1

Yea I made that mistake. My car just stopped on the freeway, and when I called the roadside assist service for a jump start, they tried to upsell me a tank of gas.
Damn salespeople.

--
I hate printers.
A little known fact about security firm "FireEye" by turing_m · 2009-11-10 11:50 · Score: 2, Funny

At company picnics, employees are encouraged to take part in "Whack-a-mole" competitions during summertime, and ice sculpting during the winter.

--
If I have seen further it is by stealing the Intellectual Property of giants.
Stop talking sense man! by hellfire · 2009-11-10 11:51 · Score: 1

Next thing you know we'll take the same approach to murder, theft, gangs, drugs, etc and soon we'll end up with a utopia... then how will the billionaires get $100 bills to light their $500 cigars???

--
"All great wisdom is contained in .signature files"
1. Re:Stop talking sense man! by secolactico · 2009-11-10 12:10 · Score: 1
  
  Come on, it's not that hard to get one hundred pesos.
  
  --
  No sig
Re:All your SPAMbot are belong to us by socceroos · 2009-11-10 11:53 · Score: 2, Funny

What would you do with your newly acquired SPAMbot network? Would the power go to your head?

Since the bots all deserve to be botted, I might set up a beowulf cluster with them and distributed render Big Buck Bunny for the fun of it. =)
Re:Good! by tacarat · 2009-11-10 12:08 · Score: 1

I'll be happy when they start upselling items from their fully stocked mini-bar.

--
"Common sense will be the death of us all"
Re:Good! by value_added · 2009-11-10 12:11 · Score: 1

Uh right, problem solved there. In other news, once you get an oil change in your car you no longer have to rotate the tires.
Obviously you've never worked with Windows users.
Comment removed by account_deleted · 2009-11-10 12:13 · Score: 4, Insightful

Comment removed based on user account deletion
Er. by Velorium · 2009-11-10 12:19 · Score: 1

Since when does 1/3 equal 4%?
1. Re:Er. by Jeian · 2009-11-10 12:39 · Score: 2, Informative
  
  once responsible for an estimated third of the world's spam
  lately the botnet has accounted for 4% of spam
2. Re:Er. by greyhueofdoubt · 2009-11-10 12:40 · Score: 1
  
  The 'net used to account for 1/3, but since that time it has either shrunk due to patches or other 'nets have vastly outpaced it. That caught me off guard, too.
  -b
  
  --
  No offense, but I've stopped responding to AC's.
3. Re:Er. by Urza9814 · 2009-11-10 12:41 · Score: 1
  
  It was _once_ responsible for 1/3 of the spam. By the time the researchers got to it and took it out it had already dropped to only 4% for other reasons.
4. Re:Er. by Velorium · 2009-11-10 12:42 · Score: 1
  
  Ah, thank you.
Re:WTF? by socceroos · 2009-11-10 12:29 · Score: 2, Funny

Seriously. Can someone please give me a reasonable explanation that rogue CnC servers and registrars are allowed to continue operations?
Because its actually the government who creates and controls these 'botnets'. They're used to spy on us since they have a computer on each end of each router meaning they can reliably trace data streams in foreign countries to their true original source.

Ok, so that wasn't necessarily accurate. But, I've heard on the low-down that the fellows who were working on Titan Rain are currently trying to map the Chinese governments botnet across the world. Its funny that a growing proportion of our electronics are being sorced from China.

Nothing against the Chinese - great guys and I love mandarin. Just some actions of their leaders seem a bit 'off base' - outside my comfort zone.
In the words of Riddick... by popo · 2009-11-10 12:30 · Score: 2, Interesting

"You keep what you kill."
Now... what to do with this enormous botnet?

--
------ The best brain training is now totally free : )
Re:All your SPAMbot are belong to us by Interoperable · 2009-11-10 12:48 · Score: 1

I think all hijacked botnets should be made to run BOINC distributed computing projects. The users who can't keep their machines secure and contribute a huge volume of spam to the internet should be sentenced to community service. In form of having their machines dedicate most clock cycles to the advancement of esoteric scientific pursuits.

--
So if this is the future...where's my jet pack?
Legality? by Hurricane78 · 2009-11-10 13:04 · Score: 1, Interesting

I'm not against taking down a botnet. But I still think that basic laws are more important. If we don't apply the same rights on really everybody, those "rights" become meaningless.
FireEye isn't exactly a police or government agency. How exactly can they raid zombie computers of private people? I can't think of any way that this is legal. Which does not make them better than what they are "prosecuting" (A term, that when associated with a private company, usually makes a crime itself.)
Is it like Blackwater? A bunch of criminals who like to legally murder and beat up people? Just that here they like to raid computer systems?
If you take down a botnet, do it in a legal way!!

--
Any sufficiently advanced intelligence is indistinguishable from stupidity.
1. Re:Legality? by JohnFen · 2009-11-10 13:45 · Score: 3, Insightful
  
  From reading all the FireEye blog posts on the operation, I can't find any point where they broke the law or even behaved in a way that violated anybody's rights.
  What they did was to coordinate things so that ISPs and domain registrars followed existing procedures to shut down sites and revoke domain names. They also found some domain names that were programmed to be used as fallbacks but had not yet been registered, then registered those.
  It looks like at no time did they actually hack anybody or penetrate computers, either innocent bystanders or guilty people, nor did they use the botnet themselves, so there's no legal or ethical problem here -- assuming their reports are complete and correct, obviously.
2. Re:Legality? by ProfessionalCookie · 2009-11-10 14:03 · Score: 2, Informative
  
  Zombies aren't people.
3. Re:Legality? by cdrguru · 2009-11-10 14:32 · Score: 1
  
  So what laws do you think are being broken? And how would any government prosecute someone or even collect evidence to be used in a prosecution? They might have an IP address, but we have just spent a few years proving in courts that an IP address cannot be connected to an individual.
  In most of the places where the people who are running these things are located it simply isn't against the law to do so. You might be surprised at how many places it is legal to defraud and steal from US citizens when it is not legal to do the same things to their fellow countrymen. End result is, there really isn't any prosecution possible.
4. Re:Legality? by iceaxe · 2009-11-11 11:02 · Score: 1
  
  Zombies aren't people.
  Correct, Soylent Green is.
  
  --
  WALSTIB!
5. Re:Legality? by John+Hasler · 2009-11-11 13:35 · Score: 1
  
  > How exactly can they raid zombie computers of private people?
  No computers were "raided". Read the articles. Breach your contract with your ISP/hosting service/registrar and they can terminate service without notice.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I for one.... by countach · 2009-11-10 13:20 · Score: 1

I for one welcome our new botnet masters.
Re:Good! by nneonneo · 2009-11-10 13:28 · Score: 1

That is, until botnet operators start using BitTorrent (or a derivative of it) to transmit commands and Comcast gets a new excuse to throttle torrents.
That's great, but... by element-o.p. · 2009-11-10 13:42 · Score: 3, Interesting

...the cynic in me wonders whether or not the researchers might be risking legal problems by doing this (at least in Illinois, Colorado, Delaware, Michigan, Oregon, Pennsylvania, and Wyoming and possibly Arkansas, Florida, Georgia, Massachusetts, Tennessee, and Texas as well).

--
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
1. Re:That's great, but... by L4t3r4lu5 · 2009-11-10 22:10 · Score: 1
  
  FireEye employees have access computer systems they are not authorised to access, and have halted services and caused malicious damage. Bottom line.
  
  If any of those control servers were in the UK, I'd be writing to my MP to illustrate this point and calling for extradition of all employees which engaged in this activity. Garry McKinnon performed no such actions of damage, with no intent to deny access to any system whatsoever, unlike these "security researchers" (crackers).
  
  Troll? No, just looking for some consistency.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
2. Re:That's great, but... by John+Hasler · 2009-11-11 13:30 · Score: 1
  
  > FireEye employees have access computer systems they are not authorised to
  > access, and have halted services and caused malicious damage.
  They did no such thing. They coordinated actions by ISPs and registrars, none of who did anything illegal. Read the article.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
3. Re:That's great, but... by L4t3r4lu5 · 2009-11-11 22:57 · Score: 1
  
  You must be... Oh, you're not.
  
  Wow.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
Makes you wonder, doesn't it? by Weaselmancer · 2009-11-10 15:00 · Score: 3, Interesting

If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.
Ever read Frank Herbert's The White Plague? It's about a scientist on a trip to Ireland who loses his family in an IRA bombing. He goes nuts and engineers a virus to kill every woman on the planet, figuring "if it has to happen to me, then I'm going to share my misery with the world."
Where am I going with this?
We have some pretty epic hackers on the planet. Guys who can disassemble code by looking at it. Guys who don't give one billionth of a crap about legality. Doubt me? Go check your local torrent tracker. There are groups of people out there who break commercial software all the time. They do it for breakfast.
How much harder could hacker-originated code like botnets be?
Eventually you're going to get some hacker who has simply had enough. And he's going to form the internet version of the Lincoln County Regulators, go rogue, figure out every botnet they can get their hands on, and wipe every single PC they can right through the bot's command channel.
It's not IF, it's WHEN.
Remember - you heard it here first. This is going to happen. Some holier-than-thou uberhacker is going to figure "fuck 'em if they can't handle basic security - they're fucking up MY INTERNET" and lay waste to them all, nuke-it-from-orbit style.
I'm honestly surprised it hasn't happened yet.

--
Weaselmancer
rediculous.
1. Re:Makes you wonder, doesn't it? by Weaselmancer · 2009-11-10 15:59 · Score: 1
  
  I'm not debating the morality of any of it - just noting that the skill sets are the same. If you can break commercial software, breaking botnets is certainly within your ability. Both require patience, insight, and some skill with a disassembler.
  And some day some uberhacker (white hat or black hat - don't care which) is going to get fed up with all this spam. And do something...epic.
  
  --
  Weaselmancer
  rediculous.
2. Re:Makes you wonder, doesn't it? by onepoint · 2009-11-10 16:35 · Score: 1
  
  While I hope what you say comes true, the problem with your argument is diversity of operating systems. given we can do a basic split of end users OS's... say 80% windows based the rest UNIX based. but then it's broken down by flavor ( red-hat, win2000, winme...)
  so Mr. I-hate-the-internet-and-I-am-going-to-fix-it, please design it to be multi-flavored
  
  --
  if you see me, smile and say hello.
3. Re:Makes you wonder, doesn't it? by Weaselmancer · 2009-11-10 18:21 · Score: 3, Interesting
  
  No no no! You've missed my point. *I* won't be the one to do any of this. I am not Mr. I-am-going-to-fix-it. Holy crap no! I have a career and a family. I'm way too old for lulz. I'm just saying human nature being what it is, someone eventually will.
  And when that someone does, then it'll become a thing. Others will follow. Cowboy justice for anyone who can't secure their systems. It won't happen in a single stroke. One botnet will get hit. Others will get the idea and hit other botnets. It'll become the next new internet game. Used to be cracking DVD protections was enough sport to keep these guys busy. Now it's on to bigger game, so back up your data files everyone.
  What I'm saying is that right now, there is a teenaged kid somewhere. Probably in the Netherlands or some other hacker friendly country where if you do something like this you get a couple of years of community service. It's snowing, he's bored, and all the women are wearing parkas so there is nothing to do. And he keeps having to reconfigure his mail server. Whitelists, blacklists, pattern matching...it's pissing him off.
  Then he's gonna have an idea.
  A couple of weeks later some botnet is going to be completely in the hands of someone who has bigger ideas than spam. He's gonna nuke them. The whole thing.
  Honestly I really am surprised it hasn't happened yet. Botnets are a beautiful hack target.
  
  --
  Weaselmancer
  rediculous.
4. Re:Makes you wonder, doesn't it? by somersault · 2009-11-10 22:32 · Score: 1
  
  Well, I'm pretty sure I've read of botnets actaully attacking each other, but usually for their own gain rather than to actually reduce the spam load. I've always liked the idea of taking these down myself, but I've never really looked into security in a big way, especially from a blackhat perspective. The chances of someone being both skilled, motivated and altruistic enough to just take all the zombies down seems pretty low. Especially considering most of the motivation for this stuff is money. We'd need to have the online equivalent of Batman or Ironman. Someone who already has all the money they want, yet has a will to do good, and a lot of brainpower just sitting there wanting to be exercised. And is not scared of breaking a few laws to get things done. Heh.
  
  --
  which is totally what she said
5. Re:Makes you wonder, doesn't it? by Weaselmancer · 2009-11-11 04:38 · Score: 1
  
  He needn't be like Batman. He would probably be more like the Joker.
  "Some people just want to see the world burn."
  Just imagine a storm of "format c:" commands sent through a botnet. That'd cut down on your spam problem pretty quick, wouldn't it?
  I think it's more likely that my hypothetical teenager would be doing this for reasons that would be tough to describe as "good". A half a million formatted PCs aren't going to get this guy a hero label by any stretch.
  Although a greater good would come from it. Imagine how concerned about security your average Joe would be if every time he hooked his machine up to the net it would get formatted. He'd demand action, right now!
  
  --
  Weaselmancer
  rediculous.
6. Re:Makes you wonder, doesn't it? by RAMMS+EIN · 2009-11-11 05:09 · Score: 1
  
  Why, how did you know. I do live in the Netherlands. And I am pissed off that I have to spend effort on my mail servers to curb the spam. Can't tell if the women are wearing parkas, cause I can't see any from my basement.
  Lucky for the world, it's not snowing.
  
  --
  Please correct me if I got my facts wrong.
7. Re:Makes you wonder, doesn't it? by onepoint · 2009-11-11 05:44 · Score: 1
  
  back in my day's of phreaking, it was the challenge of the hack. In this case I am hoping that the hacker will see that he's taken out the entire spam bot networks, make himself popular (and makes himself a target), then he get's a call from the NSA saying they are going to hire him for 400K a year.
  Bank! Bank! Bank!
  
  --
  if you see me, smile and say hello.
8. Re:Makes you wonder, doesn't it? by RealGrouchy · 2009-11-11 06:32 · Score: 1
  
  Remember - you heard it here first. This is going to happen. Some holier-than-thou uberhacker is going to figure "fuck 'em if they can't handle basic security - they're fucking up MY INTERNET" and lay waste to them all, nuke-it-from-orbit style.
  Actually, I heard it on Slashdot from someone else, yesterday. Someone was sick of people not changing some default passwords on their jailbroken iPhones, so he designed a virus to RickRoll them.
  And nobody had to nuke anybody.
  - RG>
  
  --
  Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
9. Re:Makes you wonder, doesn't it? by Weaselmancer · 2009-11-11 07:01 · Score: 1
  
  back in my day's of phreaking, it was the challenge of the hack.
  Exactly. It's one thing to place hackers against software companies or the ??AA's protection scheme of the day. But those are chump change. This ups the ante. This would be hackers against other hackers. Far better sport.
  The person who does this need not be a superhero or a villain. Just bored and looking for a few laughs. I have to admit, if I were younger...I might be tempted. Botnets are a sweet target. It would be fun breaking one.
  
  --
  Weaselmancer
  rediculous.
10. Re:Makes you wonder, doesn't it? by IonOtter · 2009-11-11 14:18 · Score: 1
  
  There's an extremely important flaw in your theory?
  The owners of those botnets have no problems with putting a bullet in people's heads.
  Perhaps not all of the botnets are owned by such groups, but not that many are going to be willing to play a real-world version of Minesweeper. At least not for long, anyway.
  
  --
  [End Of Line]
11. Re:Makes you wonder, doesn't it? by onepoint · 2009-11-13 04:08 · Score: 1
  
  your younger days, Ha. hacking is fun for all ages.
  this really seems like a fun challenge, now where can i find some code....
  oh let me open up a honey pot. that should get me something...
  looks like I am going to have to learn a few things ...
  I'm too old to code till 5am, I'll code till 1am
  
  --
  if you see me, smile and say hello.
What to do with the zombies by mattr · 2009-11-10 15:30 · Score: 2, Insightful

We really need an analysis done and report made to the public security community. This is a unique chance to discover what are the real vulnerabilities to the mass of computing power on which criminals prey.
A federal or state level court needs to authorize the researchers to do such an analysis. Even a single state would be enough, if the zombie IPs can be reliably mapped to that state. I would envision the analysis to include:
- Make a full study of many individual zombie PCs: What antivirus, firewall, OS, applications, etc. are installed, including version numbers and a fingerprint (to identify whether they are super-vulnerable copies from warez sites, infected OEMs, etc.).
- Monitor usage of a small number of PCs to identify what user habits lead to zombification, based on the theory that these PCs will become zombies of another botnet soon probably. What should be monitored, and for how long?
- Contact (with law enforcement assistance) a small number of individual users to interview them. Publish anonymized interviews for representative cases so the public can better learn what constitutes dangerous habits.
- Report anonymized individual representative cases, trends and statistics.
Discuss whether the defanged botnet should be used to destroy other botnets. Too much discussion would alert the other net owners. People could opt in based on a message sent to infected PCs, if the authorities support it, but unless those bots are hardened they might open the owners to retaliatory attacks.
At least, let's find out if antivirus really doesn't work, what habits led to botnet creation, and how can we alert zombie owners so they adopt more secure practices.
Re:WTF? by mpe · 2009-11-10 19:28 · Score: 2, Insightful

Why is some obscure security firm doing the job that governments should have done 10 years ago?

Exactly we hear about "researchers" even broadcasters doing this. But never about regular law enforcement...
Governments don't appear interested it dealing with this. Probably because it isn't the (alleged) profits of the entertainments industry being affected.
Proof-of-Work by Agripa · 2009-11-11 01:59 · Score: 1

I have yet to see a proposed replacement for the existing email system that actually suggests anything that would make a bit of meaningful difference for spam issues.
What about sender proof-of-work systems?
Mailing lists and legitimate bulk emails would need to be white listed but individual emails could be either rejected or flagged as SPAM if they do not include proof-of-work authentication unless they were individually white listed. That in itself does not stop SPAM but it does slow the generation rate significantly and makes it easier to detect compromised systems since the rouge processes would be consuming significant computing resources if they chose satisfy proof-of-work requirements instead of just making use of the network.
Do more,.....do more! by hesaigo999ca · 2009-11-11 02:52 · Score: 2, Interesting

>more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control
It's not enough, those 264k IP adresses, should be sent out to a sort of ISP provider sanctuary where
they need to contact the people who have the infected pcs, and tell them to clean their machines, just
leaving the machines with a ongoing malware pinging back home, might still be able to get owned.
They need to take down those infected that they know is infected, and force those users to update or get fixed.
They are a threat to the internet, and need to be delt with...maybe cutting them off the internet for awhile would make them call in
their ISP and then they could be warned they had been owned, and need to clean their pcs.
Any further attempts on their machines parts to contact that same "hole" would force them again to be locked out...until such time
they fixed their machines, no?
And that differs how? by Jay+L · 2009-11-11 03:16 · Score: 1

One botnet will get hit. Others will get the idea and hit other botnets.
And then somebody approaches the bored hacker and says "You're just doing this for fun... wouldn't you like to make a boatload of money for doing exactly the same thing?"
Isn't that exactly how this got started? People wrote viruses for lulz. Then someone offered them cash.
Like the rumor game, but with numbers! by GameboyRMH · 2009-11-11 04:09 · Score: 1

It's not okay to needlessly approximate an approximation. Numerator/denominator is the best way to represent any fraction, in general. It's short, doesn't use any unusual mathematical symbols, and allows you to calculate the value to as many decimal places as you want.

--
"When information is power, privacy is freedom" - Jah-Wren Ryel
Muhahahahaha ... by NotBornYesterday · 2009-11-11 05:10 · Score: 1

1) Make a list of all porn sites / web pharmacies / other dubious entities being "promoted" with the spam.
2) Use your new botnet to initiate DDoS against said entities.
3) ???
4) Profit!!! Or just laugh your ass off at the irony.

--
I prefer rogues to imbeciles because they sometimes take a rest.
Re:WTF? by Espressor · 2009-11-12 02:57 · Score: 1

Parent said:

And this got an Insightful moderation (5 points)???
Grand-parent said:

Governments don't appear interested it dealing with this.

I don't necessarily have confidence that the government could implement solutions to control spam, but at least different countries could cooperate to fight spam - maybe that's what GP mpe meant.
Instead, we have governments the world over (Europe, US,...) passing laws to limit file sharing, as if this was a more significant problem to society and the economy.
GP said:

Probably because it isn't the (alleged) profits of the entertainments industry being affected.
I share this opinion more and more. It's sad. Governments, who should be protecting us the little guys (we have the votes...but don't always use them), seem more interested in protecting the interests of corporations (which have the economic power).
I mean look at French president Nicolas Sarkozy. He's famous for exchanging favors with his friends CEOs of mega-companies. What has he been doing with his infamous Hadopi three strikes law for instance? Aren't there BIGGER problems to solve for a government than copyright infringement?
Dammit.