Man Challenges 250,000 Strong Botnet and Succeeds
nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, however, the change from a defensive to an offensive mentality is what ended the two year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."
For some value of "Stuff".
Yeah. He succeeded in eradicating the mega-D botnet. For about 2 weeks anyway.
From MessageLabs Intelligence: 2009 Annual Security Report "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.
Obviously this was a temporary solution.
Plotting traffic, and destinations, in the aggregate is standard practice; get over it.
Ever hear of IPFIX, Netflow? If you send 100 gigs a day over port 25, to umpteen thousand destinations, you bet your ISP should consider looking into that, if the traffic is unusual/anomalous.
Looking at specific packets, or capturing sessions, I think is unlikely for ISPs to do in most cases, unless nefarious activity is already strongly suspected in those packets.
It's not realistic due to the amount of bits most ISPs transfer; they would need massive storage capacity to hold even a few hours of traffic.
The only way I think ISPs ever do take detailed looks into your packets, or some connections' packets is using automated tools: deep packet inspection, primarily, to detect and throttle Peer to Peer traffic (such as BitTorrent).
It is conceivable that some day, someone might make a "Botnet CnC detector" appliance, however.
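The aggregate flow analysis this comment describes, as an added example that is not part of any comment above: it parses a small constructed batch of NetFlow/IPFIX-style flow summaries (the "src dst dport bytes" text format is a hypothetical stand-in for a real exporter feed), aggregates outbound port-25 traffic per source, and flags hosts whose SMTP fan-out and volume cross a threshold. The thresholds, addresses and the allowlist for a legitimate mail relay are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// FlowRecord is a minimal NetFlow/IPFIX-style summary: one row per flow.
type FlowRecord struct {
	SrcIP   string
	DstIP   string
	DstPort int
	Bytes   int64
}

// ParseFlows reads constructed "src dst dport bytes" lines (hypothetical format,
// standing in for an exported flow feed). Malformed lines are skipped.
func ParseFlows(text string) []FlowRecord {
	var out []FlowRecord
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		port, err1 := strconv.Atoi(f[2])
		n, err2 := strconv.ParseInt(f[3], 10, 64)
		if err1 != nil || err2 != nil {
			continue
		}
		out = append(out, FlowRecord{SrcIP: f[0], DstIP: f[1], DstPort: port, Bytes: n})
	}
	return out
}

// SMTPProfile is the per-source aggregate: total bytes and distinct destinations on port 25.
type SMTPProfile struct {
	Bytes        int64
	Destinations map[string]struct{}
}

// ProfileSMTP aggregates flows to destination port 25 by source address.
// Only the summary is kept; no packet content is needed, which is the point.
func ProfileSMTP(flows []FlowRecord) map[string]*SMTPProfile {
	profiles := map[string]*SMTPProfile{}
	for _, fl := range flows {
		if fl.DstPort != 25 {
			continue
		}
		p, ok := profiles[fl.SrcIP]
		if !ok {
			p = &SMTPProfile{Destinations: map[string]struct{}{}}
			profiles[fl.SrcIP] = p
		}
		p.Bytes += fl.Bytes
		p.Destinations[fl.DstIP] = struct{}{}
	}
	return profiles
}

// Suspects returns sources (sorted) whose port-25 fan-out and volume both meet the
// thresholds. Known mail relays are allowlisted, since they legitimately fan out.
func Suspects(profiles map[string]*SMTPProfile, minDest int, minBytes int64, allow map[string]bool) []string {
	var out []string
	for src, p := range profiles {
		if allow[src] {
			continue
		}
		if len(p.Destinations) >= minDest && p.Bytes >= minBytes {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample feed: 10.0.0.5 fans out small messages to six hosts (spam-like),
// 10.0.0.8 talks to two, 10.0.0.7 is a large HTTPS transfer, 10.0.0.9 is the site relay.
const SampleFlows = `10.0.0.5 198.51.100.1 25 420
10.0.0.5 198.51.100.2 25 390
10.0.0.5 198.51.100.3 25 410
10.0.0.5 198.51.100.4 25 405
10.0.0.5 198.51.100.5 25 398
10.0.0.5 198.51.100.6 25 415
10.0.0.8 198.51.100.1 25 1200
10.0.0.8 198.51.100.2 25 900
10.0.0.7 203.0.113.10 443 5000000
10.0.0.9 198.51.100.1 25 2000
10.0.0.9 198.51.100.2 25 2100
10.0.0.9 198.51.100.3 25 2050
10.0.0.9 198.51.100.4 25 1990
10.0.0.9 198.51.100.5 25 2010
10.0.0.9 198.51.100.6 25 2080
this line is malformed and is skipped`

func main() {
	profiles := ProfileSMTP(ParseFlows(SampleFlows))
	allow := map[string]bool{"10.0.0.9": true} // constructed: the site's real mail relay
	fmt.Println("suspects:", Suspects(profiles, 5, 1000, allow))
}
```

Real deployments would bucket by time window and compare against each host's own baseline rather than fixed numbers; the structure (summaries in, aggregate per source, threshold on fan-out) is the same.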
They just eavesdrop on communications between bots and the C&C. Trying to "compromise" the key exchange is as easy as breaking the asymmetric encryption algorithm. Aka, not very easy at all.
Except the botnet's client software verifies commands against a public key. Official commands are signed by the private key and only executed if they have the proper signature. Botnet authors are getting better :)
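The signed-command check the two comments above argue about, as an added example that is not part of either comment: a client holding only a public key accepts a command exactly when its detached signature verifies, so an observer who can read the channel but lacks the private key can neither alter a command nor sign a new one. It is the same construction as a signed software update, using Go's standard crypto/ed25519; the keys, payload and the Issue/Accept function names are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Command is a controller-to-client message: the payload plus a detached signature over it.
type Command struct {
	Payload   []byte
	Signature []byte
}

// Issue signs a payload with the private key, which only the controller holds.
func Issue(priv ed25519.PrivateKey, payload []byte) Command {
	return Command{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Accept checks the signature against the public key embedded in the client.
// Any change to a single byte of the payload makes verification fail.
func Accept(pub ed25519.PublicKey, c Command) bool {
	if len(pub) != ed25519.PublicKeySize || len(c.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, c.Payload, c.Signature)
}

// Demo returns three outcomes: the genuine command is accepted, a payload altered in
// transit is rejected, and a command signed with some other private key is rejected.
func Demo() (genuineOK, tamperedOK, foreignOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed controller keypair
	if err != nil {
		panic(err)
	}
	genuine := Issue(priv, []byte("set-interval 60")) // constructed payload

	// An observer who saw the message flips the last digit but cannot re-sign.
	tampered := Command{
		Payload:   append([]byte(nil), genuine.Payload...),
		Signature: genuine.Signature,
	}
	tampered.Payload[len(tampered.Payload)-1] = '9'

	// A second party with its own keypair signs the same text; the client's key differs.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	foreign := Issue(otherPriv, genuine.Payload)

	return Accept(pub, genuine), Accept(pub, tampered), Accept(pub, foreign)
}

func main() {
	g, t, f := Demo()
	fmt.Printf("genuine accepted=%v tampered accepted=%v foreign-key accepted=%v\n", g, t, f)
}
```

For defenders the consequence is the one the earlier comment about the hosting providers points at: against a signed channel the practical disruption is taking the controller infrastructure and its domains out of reach, not interfering with the messages.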