Man Challenges 250,000 Strong Botnet and Succeeds
nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, however, the change from a defensive to an offensive mentality is what ended the two year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."
For some value of "Stuff".
Yeah. He succeeded in eradicating the mega-D botnet. For about 2 weeks anyway.
From MessageLabs Intelligence: 2009 Annual Security Report "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.
Obviously this was a temporary solution.
It sounds like Ghost in the Shell-like tactics. Did he do it manually or from his cyberbrain?
... ants that is...
All of the effort associated with this, and other endeavors to thwart botnets, would really be better served isolating the primary reason why these botnets continue to be successful and create new ways to thwart them before they occur. The machines that are infected are still vulnerable. All the original botnet owner is going to do is modify a new botnet to use different domains or IP's and back to life it comes.
Sure, cutting off botnet access to C&C machines works now, but what happens when they adopt a true peer-to-peer control structure, rather than the primitive centralized control structure they are using now?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I should have guessed really; a site that has 80% of screen space dedicated to advertising or "partners" isn't safe, let alone one that distributes trojans and adware
http://www.siteadvisor.com/sites/pcworld.com/downloads/
Only the really strong, and the ones that managed to evolve, will survive. And without the competition of the "weak" ones, they will prevail, leaving you with no tool to get rid of them. Darwin has precedence over Moore.
Now, if RIAA were to say that the ISPs used by ipredator should not be allowed to access the internet backbone, you would probably immediately see the problems in that statement.
1 guy, in 2 weeks, trashed a botnet. Why again can't major ISPs do this? Oh wait, they're getting paid to look the other way by their colocation clients (the spammers).
I want to delete my account but Slashdot doesn't allow it.
All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.
Obviously this was a temporary solution.
Yeah, it sort of seems like they could have done a better job. If they could get cooperation from the primary ISP of the main C&C controller, and they could even set up honeypots that would accept connections to count the number of computers in the botnet - why not do more than simply remove the command servers?
Why not set up a bogus C&C server to have the botnet erase itself?
I'm not promoting a "format c:" option here (although that would work, obviously) - but why not have the botnet destroy itself once you breach its command structure? Have the botnet pass around a binary that erases the botnet binaries from the infected PC on the next reboot, then force a reboot? The researchers certainly know enough to create such a binary. And they obviously know enough about command parsing if they can make honeypots. Why not go that extra 2% and kill the thing?
The hard work was already done it seems. This botnet could be completely dead, not just disconnected and waiting.
Weaselmancer
ridiculous.
I'm only asking because, as much as we hate botnets and trojans and malware, any sort of world capable of rapidly sniffing out and squelching "bad" content is a world that is capable of sniffing out and squelching "any" content. Perhaps in this case, just as many of us accept some combination of deaths from gun violence, abortions, incendiary speech, family breakdowns and other things that come as a consequence of the misuse of freedom, we might accept spam as a misuse of freedom too, rather than try to trade it all for a world that has no freedom at all.
This is my sig.
Let's use this botnet as an example. 250,000 zombies. What is the likelihood of finding another zombie with random scanning? Not to mention that not everyone leaves their machines on all the time. And even the machines that are on all the time don't always keep the same IP address. Comcast seemed to change my IP address every month.
Somehow, somewhere, the new code has to be uploaded to the zombies. New spam messages. New address to send the spam to. Patches to the zombie code. No matter how you phrase it, that's Command and Control.
Propagating those updates is simple if all the zombies know them. It becomes very slow if it is random chance that propagates the updates.
Of course, you can speed up the process by having the zombie increase the scans. But then you run the risk of the person complaining that their machine is "slow" and having someone wipe it and re-install it.
A layered approach would be the best for the zombie master. Centralized C&C for speedy deployments with P2P for a fall-back in case the original C&C is unavailable. At least then he could regain control of the zombies.
BUT!!!!!
Why isn't anyone focusing on the domain names? Implement a 1 week wait for new domain name deployments so that the payment has time to clear the bank. That way you'll be able to identify the guy paying for the domain names.
As always, follow the money.
It isn't the content. It's the volume (number of messages in this case).
You can say whatever you want. But when you start flooding mail servers with your messages, you've lost the moral high ground.
Now as to whether blocking zombies is the same as sorting through the content of email messages ... if you're worried about that I recommend encryption. There are lots of forms of encryption available.
That's a rather extreme jump. So far I haven't seen anyone proposing that we surrender all of our Freedoms.
The USOC once gave max due process to suspected drug cheats. Dopers would get off for the stupidest reasons. Now, the focus has shifted to a 'you are responsible for the content of your own body.' This has been good for sport.
Just like a polluted athlete pollutes his sport, so does a bot pollute the internet. Suspending access is not a question of right or wrong, it is a question of ensuring the integrity of the network.
The world will get to that place sooner or later.
http://en.wikipedia.org/wiki/Welchia
Ah, the good old days.
Because most of them depend upon digitally signed updates now. So you cannot use the zombie code to remove the zombie code unless you first have the key.
Which makes it rather difficult.
On the other hand ... writing a removal routine should be a LOT easier. A clean removal. Removing just the zombie code and ALL of the zombie code.
The problem then would be getting it to run on the zombies.
This is where the ISP's come in. It's easy enough for them to redirect all your traffic to a web page with the removal code available there. And since it is easy enough to identify the zombies, their IP addresses and their ISP's ... that should be easy, right?
Except it would cost the ISP's some money and they won't do that unless someone forces them to spend the money. So it will take a new law requiring them to do so.
Is this a botnet made of men or mice?
Given that the majority of zombies are on home ISP networks (such as Comcast), all it would take to defeat it would be for Comcast and others to rotate the IP addresses by 1 whenever the zombie traffic becomes problematic.
So the list of IP addresses becomes useless and the zombies have to fall back to random scanning.
Last week your IP address was 10.10.10.10? This week it is 10.10.10.11. So none of the other zombies can find you at the old address.
... botnet sends android back in time to kill researcher's mother.
Have gnu, will travel.
I wonder if fines could be an effective solution to botnets. Certainly the only way to treat the problem is to make people responsible for what their computers are up to. If people were held accountable for spam sent from their machines and were fined appropriately they may be more inclined to watch what ends up on their machines.
Of course, there's a theme among the non-"tech-savvy" public to utterly refuse to understand how the technology they use works. Fines on bots would likely be a boon for virus scan companies but other efforts may be required to convince the general public to care. What's needed is less focus on ill-defined "threats" and more on general understanding.
So if this is the future...where's my jet pack?
Given that the majority of zombies are on home ISP networks (such as Comcast), all it would take to defeat it would be for Comcast and others to rotate the IP addresses by 1 whenever the zombie traffic becomes problematic.
Yuhuh. So since most guns are owned by law-abiding citizens, all it would take to stop murder-by-shooting is to make it illegal, right?
I'm not trying to be a smartass ... actually, yeah, I am, but seriously ... even if 99% of bots were on Comcast, and even if you could rotate all 99% of addresses all at once ... that still leaves 2,500 bots out there whose addresses will remain the same. The botnet could restructure itself in a matter of hours.
I see nothing here about what I see to be one of the primary culprits. Microsoft have consistently produced easily exploited, vulnerable software. And they run services and programs with full system access. Sure, they have improved somewhat lately, but they continue to include legacy code in SMB and probably in Office and IE - the whole code base is no doubt riddled with it. No way you should be able to compromise a system with just a document or a web page.
There are enough vulnerabilities in Linux and MacOS, no doubt, but not such easy meat as Windows.
I am not a robot. I am a unicorn.
If the botnet client runs on your own computer... then by definition, your own CPU interprets the list of commands that it resembles.
So nothing can stop you from modifying that program in-place, so it infects all other clients too, until the whole botnet is yours. At least if the clients have some update mechanism.
With a bit of luck, you could even trick the original “owner” into getting infected by your own trojan horse, find out all contact / address data on his system, where he lives, and either send him the cops, or beat him up.
I’d choose: Gay child porn with dead animals on his computer, and then the cops beating him up. ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
I still don't see why the company that makes the penis pills isn't arrested. Why do I hear ads for e-mail marketing services on NPR? A non-governmental approach would be to convince 'legitimate' businesses that their profits are at risk from spam. Trillion dollar multi-nationals might not be averse to extra-judicial means.
Fifty years of Yippie! 1968-2018
How does that work when IPV6 becomes the reality?
Which makes it even easier because then all you need is a honey net and some virtual machines to be continually "re-infected" and load that file with over a billion fake IP addresses. Or 2 billion.
So when the IP address rotation happens, the zombies have to dig through billions of fake addresses to find the other machines to download the newest patc-another rotation happens and the zombies have to dig through billions of fake addresses to find the other machines to download the newest pat-another rotation happens ... and so on and so forth.
Your claim about 2,500 addresses is simply centralized C&C under a different name. And it is defeated in the exact same way.
You lost. If you cannot admit that, that's fine. Right now all you are doing is demonstrating how badly you've lost.
Why wouldn't they be active? They're in a honey net. The machine communicating with the external zombies has already validated them.
So in your mind, having all the zombies validate all of the IP address before accepting them is rational?
They'd die just from the traffic of 250,000 connection attempts each.
After 4 IP address rotations, they'd EACH be validating a MILLION addresses.
And with a simple filter at the ISP level, they'd UNLEARN the 2,500 addresses you claimed would re-start the zombies after the IP swaps.
250,000 machines validating 1,000,000 addresses = 250,000,000,000 connection attempts.
Looks like you failed math big time.
Dude...we are all spammers on some level. Just not always using computers.
We have a limited number of effective antibiotics. Once a bacterium is immune to an antibiotic, there are fewer effective antibiotics you can treat it with, and if you can't find an effective antibiotic for the next infection, the patient dies.
I don't know much about computer security, but you can't convince me that there are a limited number of ways to fight botnets.
Furthermore, the way to prevent antibiotic resistance is to reserve antibiotics for when they're necessary AND use them in a way that is effective.
This seems about as necessary as fighting botnets comes; this was a big botnet that was actually doing damage. This sounds like it was used as effectively as it could have been.
fall-back to scanning that subnet, etc.
Slashdot has a huge following. They should attack this ISP that does not support the takedown. The word "attack" should be legal; I do not condone illegal activity.
Fighting spammers is like fighting against a guerrilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerrillas will be necessary to win the war.
Is your use of "wholesale destruction" metaphorical, or do you really think guerrilla warfare works that way? Because we tried that in Vietnam, and it didn't work. Which is why U.S. counterinsurgency doctrine got revised to exclude the myth that you can win a guerrilla war just by killing people. You also have to change the environment on the ground so that supporting your side instead of the guerrillas is a realistic option for the general population.
Now, if the war against malware is like a guerrilla war, then it's never going to be over. There will always be some place for the other side to run and hide. We can't order other countries to not host services we don't like, if only because we don't want them to do the same to us.
Fortunately, the analogy with guerrilla warfare only goes so far. The Internet is something people invented, not a foreign country with a complicated history and obscure customs. We can rework the thing so that the Bad Guys have a less friendly environment.
Per my subject-line above: WE have the freedom to judge, for ourselves, 1 way or another. Nicest part about being online & understanding how the IP stack works (BSD based ones), is that you can control it yourself, vs. things you know are not "for the good" in your or others' estimation (most importantly your own though):
For me though, well... on that note above? The NICEST part about catching this @ 4 a.m. for me personally while having a cup of coffee is that they provided 3 new records of bogus servers/systems used by this thing, for my HOSTS file to block out, in:
io7grec9merhpzga.org
g8nolnusu5tveruo.org
b7znmw6skpsorjkp.org
I chose HOSTS files to do the job, & they work... across ALL of my webbound apps, not just a particular browser (which is a limitation of browser addons that also eat CPU, where HOSTS don't (just a filter really), or browser blocklists too).
Heck, because of doing this in a HOSTS file? Hey - I could "suck in" a malware or botnet client program & it too, just like me? CANNOT GO & CALL OUT FOR ORDERS FROM THE COMMAND & CONTROL SERVERS BLOCKED IN MY HOSTS FILE... period.
(LOL... it works on that note too)
So, per my subject-line above?
Well - This article here on /. only made my HOSTS file, that much stronger!
(Just by reading this article, & of course, thus, my "hat's off" to those that nuked this botnet of course, those who printed their news, & those that put it up here too - thanks all of those just mentioned, from me)
APK
P.S.=> All in all - A good article &, actually useful to me!
I state that, because of my statements above, about using HOSTS files to block out known bad servers & this extends to any and all webbound apps unless they use static IP addressed systems inside their code or in a table it uses.
I.E.-> I'm actually GLAD that there are people that do what they did get noticed & printed about, because for me & how I use a HOSTS file to secure myself online, basically via the simplest principle there is in "if you can't go near the fire you can't get burned" blacklisting (and - which works)?
Well, just by reading this & editing my HOSTS file, my protective method in HOSTS got that much stronger for my reading of this article - by the 3 botnet C&C servers (or other types of botnet constituent machines) being blocked in it as of 4:24 a.m. this A.M. here today over a cup of coffee.
Actually "GOOD NEWS" that was useful news to me as well to me personally, & to my friends + family and other users online that I give my HOSTS file to for the same gains (more speed, better security)... apk
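As an added example that is not from the post above nor from any tool it mentions: a Python emulation of the HOSTS lookup the post relies on, using a constructed HOSTS fragment that sinkholes the three domains quoted in the post, plus a check for the caveat the poster states, that a program connecting to a hard-coded IP address never consults HOSTS at all.

```python
# Added illustration (not the poster's code): how a HOSTS-file blocklist is
# consulted before DNS, and why a hard-coded IP address bypasses it entirely.
import ipaddress
import re

# Constructed HOSTS fragment. The three domains come from the post; the
# mixed case, comments and multi-name line are deliberate parsing cases.
SAMPLE_HOSTS = """\
# sinkhole entries added while reading the thread
0.0.0.0   io7grec9merhpzga.org
127.0.0.1 G8NOLNUSU5TVERUO.ORG   # case should not matter
0.0.0.0   b7znmw6skpsorjkp.org www.b7znmw6skpsorjkp.org
192.0.2.10  intranet.example   # ordinary (non-blocking) entry
"""

# Addresses commonly used to sinkhole a name (unroutable or loopback).
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Return {hostname_lowercase: ip} for every well-formed HOSTS line.
    Comments (#...) and blank lines are skipped, one line may map several
    names to one address, and malformed lines are ignored. When a name
    appears twice this emulation keeps the first mapping (an assumption)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not a HOSTS entry; a resolver would skip it too
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def resolve(hostname, table):
    """The HOSTS step of name resolution: mapped IP, or None (fall to DNS)."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(target, table):
    """True when a connection to `target` is stopped by the HOSTS file.
    A literal IP never triggers a name lookup, so it can never be blocked
    here: that is the "static IP inside their code" bypass the post names."""
    try:
        ipaddress.ip_address(target)
        return False
    except ValueError:
        pass
    return resolve(target, table) in SINKHOLE_ADDRESSES


def audit(targets, table):
    """Map each target to whether the HOSTS file would block it."""
    return {t: is_blocked(t, table) for t in targets}
```

Feeding `audit` a list of names and literal IPs from a connection log shows at a glance which destinations the HOSTS file covers and which it cannot.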
Just make ISPs accountable for what is done with their IP range.
Then they'll be forced to check their traffic and shut botnet victims away from the outside world.
Of course, it will make full internet access hugely expensive and impossible to do anonymously, but limited access (surfing and emails) can still be free for the masses.
The internet is too powerful to not be policed.
And yet the math doesn't add up. Looks like your "work" hasn't been of much value.
What was that about the "work" you did? It's addresses. Since I control the routing, it would appear to the infected machines that there are billions of addresses with machines at those addresses.
So what is this "work" you do that you fail basic math AND you fail basic routing?
Yeah. So you'd start a list of addresses and when the zombies no longer worked, you'd fix the list of addresses.
So, how are you going to fix the list of addresses when you cannot connect to the zombie anymore because it has the wrong addresses in it?
Again, nice "work" there.
LMAO.
You're talking about caching 100K addresses on a botnet that has 250K members.
Remember that part where I told you that you failed math? You just failed again. This "math" thing is kicking your ass.
What is this "once in a while"? It needs to occur more frequently than the ISP's rotation of IP addresses. Again, you fail.
Which means that those 10,000 connection attempts (I won't even go into how you have no idea what the size of a packet is) need to happen before the next rotation or they're useless. Again, routing and math. You fail them both.
You might want to review how file sharing clients work. Because you seem to have missed the part where they INITIALLY connect to a centralized server for a list of clients sharing a file.
But in your "work" you probably knew that already, right?
Looks like you failed file sharing, also.
Wouldn't that information be easily available by watching what one of the boxes in the honey net does after the IP address rotation?
Like I said, you fail routing. Big time.
Seriously. You need me to point out each of the basic flaws? And only then do you try another flawed work around. Why is that when you claim to have so much "work" experience?
Since I keep pointing out the flaws in your "work", this must be some new definition of "think" that means "make errors".
Yeah, you might want to work on that "think" thing again.
I've already explained how to I would approach the problem. YOU are the one claiming that it wouldn't work and offering up all the flawed approaches (and math failures) trying to show that it wouldn't work.
You don't even know how LimeWire works. I mean, really. It's not magic.
Whoa there, son.
You might want to add "reading with comprehension" to the list of things you've failed. Nowhere did I say that. Feel free to re-read and post a link if you can find that.
Yep! You might also want to add "honey net" to the list of your failures. That is one of the properties of it.
Yeah, you might want to address the points that you keep failing at before making statements like that. It only seems "godlike" because your understanding is so limited.
Once you address the flaws in your understanding, you'll be better able to hold a discussion.
You were the one suggesting that scanning 100K IP addresses was viable.
Yes you were. :)
Well then you shouldn't have a problem linking to it, right?
Right?
Oh, you can't.
Is it because you don't know how to post a link here?
Is that it?
Do you want me to tell you how to do that? I can.
Tell me that you want me to teach you how to post a link.
So you are saying that I do not control the routing in a honey net? Is that it?
Or that I don't control the IP addresses? Maybe that is it?
Or that I don't control the machines on it? Is that what you think?
Just tell me that you want me to teach you how to post a link. It's okay if you don't know how to do that. You don't have to feel bad about it. It's okay. Ha ha hahahahahahaha
So you agree that on a honey net I do control the routing.
And the IP addresses and the machines.
Yet you seemed to be claiming that it isn't possible for me to:
And now you admit that I can do that. :)
I am such a great teacher! I have taught you that. It probably gives you a very warm feeling in your heart to have me teach you things that you did not know.
One day you will realize how much I have taught you and you will thank me.
So, shall we review what I have taught you? On a honey net, I control the routing and the machines and the IP addresses. Can you say that with me?