Slashdot Mirror


Man Challenges 250,000 Strong Botnet and Succeeds

nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, however, the change from a defensive to an offensive mentality is what ended the two year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."


  1. PR "Stuff" from Fireeye by winkydink · · Score: 4, Informative

    For some value of "Stuff".

    Yeah. He succeeded in eradicating the mega-D botnet. For about 2 weeks anyway.

    From MessageLabs Intelligence: 2009 Annual Security Report "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:PR "Stuff" from Fireeye by Anonymusing · · Score: 2, Informative

      Also, FTA: "Mushtaq and two FireEye colleagues..." -- not just one guy.

      --
      Liberal? Conservative? Compare perspectives at Left-Right
    2. Re:PR "Stuff" from Fireeye by Red+Flayer · · Score: 5, Interesting

      Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

      So now there can be coordinated effort against the new botnet, he'll come back with new bots, community response to kill that one off...

      Fighting spammers is like fighting against a guerrilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerrillas will be necessary to win the war. Impact of spammers can be reduced by constant counter-attacks, but the only way to eliminate spam networks hosted on compromised machines is to remove compromised machines from the network (and as many compromisable machines as possible).

      The cost of this may be too high to be worth it... but if you take away someone's internet access for a while when they get hosed, then maybe they'll stop getting hosed.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    3. Re:PR "Stuff" from Fireeye by Anonymous Coward · · Score: 2, Funny

      I wrote it on the fly. Sometimes it all just comes to you when you're "in the zone". The community as a whole benefits when the trolls are somewhat literate and original. Like most Slashdot trolls, I used to copy and edit dirty stories from online before posting them, but that method is much more obvious and unfulfilling.

      Slashdot is the foremost science and technology website and so its trolls should also be held to higher standards of, um, trolling.

    4. Re:PR "Stuff" from Fireeye by RobertM1968 · · Score: 2, Interesting

      Exactly. The only way for the US to have won in Nam would have been to destroy everything (which was humanely and politically unpalatable). The only way to win in Iraq is to turn it into a glass parking lot (which would also be humanely and politically unpalatable).

      But with spam... that may be a bit more palatable, if we can get people to accept responsibility for getting hosed.

      Since such a solution in the computer world would NOT be unpalatable, then, this is the answer...

      "Zero-Zero-Zero Destruct Zero"

    5. Re:PR "Stuff" from Fireeye by aedil · · Score: 2, Insightful

      I think you miss another important aspect of this "war"... As in fighting a guerrilla army, you usually end up being on the less effective side of the conflict due to rules and regulations that one tends to be bound by, whereas a guerrilla army usually couldn't care less about the rules. Spammers do not care about breaking rules, regulations, and protocols, so they can play very dirty whenever they want (and botnets are a clear example of that). Offensive action against them is usually still bound by some rules, and thus they have a natural advantage. Spammers do not care about any collateral damage... System administrators and other people fighting the spammers usually do have to care about collateral damage.

    6. Re:PR "Stuff" from Fireeye by TheCarp · · Score: 2, Insightful

      No, a guerrilla army still has a command and control structure. While an individual botnet, or individual criminal enterprise would have such a structure, "botnets" don't. It's more like crime fighting. Anyone could choose to commit a crime at any time. Most won't (mostly) and some will. Some criminals you will put a stop to, some you won't.

      You are never going to win a war against "crime" any more than the war against "botnets". The best you can ever hope to do is raise the perception of how hard it is to create, maintain, and control botnets higher than the perceived value of doing so. The same way the cost and probability of getting caught shoplifting in a store with cameras stops a certain number of people who might otherwise shoplift.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
  2. Command & Control by phantomcircuit · · Score: 5, Informative

    All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.

    Obviously this was a temporary solution.

    1. Re:Command & Control by bragr · · Score: 2, Interesting

      It is, from what I read it seems that the botnet generates a random domain every hour or day to fall back on, and all they did was knock out the existing C&C and register all the fall back domains for the next 2 weeks. Surely the botnet will have taken a hit, and the information gathered will possibly help reduce the number of infections, but it wasn't shut down permanently.

      What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.
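The fallback-domain scheme described in the comment above, as an added example that is not part of the original thread and not FireEye's or Mega-D's actual code: the domain generation routine, its seed, the 14-day window and the 2009-11-04 start date are all constructed assumptions. The point it shows is that a defender who has recovered the generation function can compute the same names as the bots and pre-register them, but only for as many days as they keep registering; the first name after the window is exactly the one the bots will fall back to.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

// seed stands in for the per-botnet constant compiled into the bot.
// It is a constructed value; Mega-D's real generation routine is not on this page.
const seed = "example-botnet-seed"

// Generate derives the single fallback domain this hypothetical bot
// computes for a calendar day (UTC). Bot and defender run the same
// function, so whoever registers the name first owns that day's
// rendezvous point.
func Generate(day time.Time) string {
	sum := sha256.Sum256([]byte(seed + day.UTC().Format("2006-01-02")))
	label := make([]byte, 12)
	for i := range label {
		label[i] = 'a' + sum[i]%26 // map hash bytes onto a-z
	}
	return string(label) + ".com"
}

// Schedule lists the domains to pre-register or sinkhole for the days
// [start, start+days).
func Schedule(start time.Time, days int) []string {
	out := make([]string, 0, days)
	for i := 0; i < days; i++ {
		out = append(out, Generate(start.AddDate(0, 0, i)))
	}
	return out
}

// Predicted reports whether a domain observed in DNS traffic is one of the
// scheduled names and, if so, on which day offset it becomes active.
// A miss for a bot-generated name means the registration window has run out.
func Predicted(domain string, start time.Time, days int) (int, bool) {
	for i, d := range Schedule(start, days) {
		if d == domain {
			return i, true
		}
	}
	return -1, false
}

func main() {
	start := time.Date(2009, time.November, 4, 0, 0, 0, 0, time.UTC)
	const window = 14
	for i, d := range Schedule(start, window) {
		fmt.Printf("day %2d  %s\n", i, d)
	}
	// The first name after the window is what the bots will look for once
	// the pre-registered domains are exhausted.
	next := Generate(start.AddDate(0, 0, window))
	_, covered := Predicted(next, start, window)
	fmt.Printf("day %2d  %s  covered=%v\n", window, next, covered)
}
```

Running it prints the fourteen names a defender would need to hold and then the day-14 name with `covered=false`, which is the gap the comment is pointing at: the takedown only lasts as long as the registrations do.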

    2. Re:Command & Control by abulafia · · Score: 4, Insightful

      What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.

      Funny you concentrate on a claimed conflict of commercial interest.

      It also would have opened them up to a potentially huge legal problem. No matter how carefully coded an uninstaller, the likelihood of some number of machines having problems after being infected by a remover, when talking about .25M machines, is high. Such an action also is criminal computer intrusion in its own right.

      No person in their right mind would do such a thing.

      --
      I forget what 8 was for.
    3. Re:Command & Control by vlm · · Score: 4, Funny

      No person in their right mind would do such a thing.

      Which makes me all the more surprised that no one has tried.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:Command & Control by bragr · · Score: 2, Insightful

      Legal implications aside, this is an interesting ethics question. Is it more ethical to interfere with another's property, without permission, to solve a larger problem, or is it more ethical to respect private property and privacy? Surely there are cases for both.

      If I remember correctly, sometime in the last year, a security research team from UCSD (I think) hijacked a portion of a botnet to research the success of spam and how botnets operate. I believe that after they finished, they caused the bots under their control to self destruct, and the BBC rented a botnet for an article, both bringing up similar ethical questions.

    5. Re:Command & Control by interval1066 · · Score: 2, Informative

      The first being the famous Morris Worm from the 80's; http://en.wikipedia.org/wiki/Morris_worm/.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    6. Re:Command & Control by c6gunner · · Score: 2, Interesting

      Which makes me all the more surprised that no one has tried.

      It's been done on a smaller scale. Back when botnets were still mostly communicating via IRC, I took down a few myself. The difference is that I didn't document the process and then blab about it to the media in order to advertise my security products/services.

    7. Re:Command & Control by c6gunner · · Score: 2, Interesting

      Legal implications aside, this is an interesting ethics question. Is it more ethical to interfere with another's property, without permission, to solve a larger problem, or is it more ethical to respect private property and privacy? Surely there are cases for both.

      I don't really see an ethical issue. If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door? Maybe some people would, but they have to be insanely rare. The only issue here is the legal one, and it's not one that can be easily resolved.

    8. Re:Command & Control by whoever57 · · Score: 2, Interesting

      I don't really see an ethical issue. If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door?

      What if they got into an accident and wrecked your car on the way to your house? The risk is that any bot removal might have side effects.

      --
      The real "Libtards" are the Libertarians!
    9. Re:Command & Control by c6gunner · · Score: 2, Insightful

      What if they got into an accident and wrecked your car on the way to your house? The risk is that any bot removal might have side effects.

      That's a legal issue, not an ethical one. If someone t-bones me at an intersection tomorrow I won't think of them as an evil person, but I will hold them legally accountable.

    10. Re:Command & Control by ArsenneLupin · · Score: 2, Informative

      This was not an attempt to remove malware, but rather malware itself, so not really the same thing.

  3. Arms race by Locke2005 · · Score: 2, Interesting

    Sure, cutting off botnet access to C&C machines works now, but what happens when they adopt a true peer-to-peer control structure, rather than the primitive centralized control structure they are using now?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Arms race by winkydink · · Score: 2, Interesting

      The p2p C&C infrastructure has been talked about since at least 2005. Not much has been seen "in the wild". It has been speculated that this is because a p2p botnet infrastructure has, by its very nature, a much lower efficacy.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    2. Re:Arms race by mysidia · · Score: 2, Insightful

      I think it's so hard to develop good peer-to-peer network structure that it might not happen.

      There aren't that many truly peer-to-peer networks that have ever succeeded.

      I'd say the Internet itself, but even the Internet has to have DNS...

      Something central has to give you a starting point, at least.

      I've yet to see any peer to peer network technologies that don't require a "seed list" of some central nodes to initially connect to the network.

  4. shows its possible by Gothmolly · · Score: 4, Interesting

    1 guy, in 2 weeks, trashed a botnet. Why again can't major ISPs do this? Oh wait, they're getting paid to look the other way by their colocation clients (the spammers).

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:shows its possible by mysidia · · Score: 2, Informative

      Plotting traffic, and destinations, in the aggregate is standard practice, get over it.

      Ever hear of IPFIX, Netflow? If you send 100 gigs a day over port 25, to umpteen thousand destinations, you bet your ISP should consider looking into that, if the traffic is unusual/anomalous.

      Looking at specific packets, or capturing sessions, I think is unlikely for ISPs to do in most cases, unless nefarious activity is already strongly suspected in those packets.

      It's not realistic due to the amount of bits most ISPs transfer, they would need massive storage capacity to hold even a few hours of traffic.

      The only way I think ISPs ever do take detailed looks into your packets, or some connections' packets is using automated tools: deep packet inspection, primarily, to detect and throttle Peer to Peer traffic (such as BitTorrent).

      It is conceivable that some day, someone might make a "Botnet CnC detector" appliance, however.
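The aggregate flow check the comment above describes, as an added example that is not from the original thread or from any ISP's tooling: it parses a handful of constructed NetFlow/IPFIX-style records (source, destination, destination port, bytes), rolls up outbound port-25 traffic per source, and flags sources whose destination fan-out or volume crosses a threshold. No packet payload is inspected, which is the comment's point. The record format, the addresses and the thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is the subset of a NetFlow/IPFIX record this example needs.
type Flow struct {
	Src, Dst string
	Dport    int
	Bytes    int
}

// sampleFlows is constructed test data, one exported flow per line:
// src,dst,dport,bytes. 10.0.0.5 fans out to many SMTP destinations,
// 10.0.0.7 talks SMTP to two hosts, 10.0.0.9 is ordinary HTTPS traffic.
var sampleFlows = []string{
	"10.0.0.5,198.51.100.10,25,2200",
	"10.0.0.5,198.51.100.11,25,2200",
	"10.0.0.5,198.51.100.12,25,2200",
	"10.0.0.5,198.51.100.13,25,2200",
	"10.0.0.5,198.51.100.14,25,2200",
	"10.0.0.5,198.51.100.15,25,2200",
	"10.0.0.5,198.51.100.16,25,2200",
	"10.0.0.5,198.51.100.17,25,2200",
	"10.0.0.5,198.51.100.18,25,2200",
	"10.0.0.5,198.51.100.19,25,2200",
	"10.0.0.7,198.51.100.10,25,1800",
	"10.0.0.7,198.51.100.11,25,1900",
	"10.0.0.9,203.0.113.40,443,52000",
	"10.0.0.9,203.0.113.41,443,47000",
}

// ParseFlows turns the comma-separated export lines into Flow values,
// rejecting malformed lines rather than silently skipping them.
func ParseFlows(lines []string) ([]Flow, error) {
	var flows []Flow
	for n, line := range lines {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: want 4 fields, got %d", n+1, len(f))
		}
		port, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad port: %w", n+1, err)
		}
		b, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad byte count: %w", n+1, err)
		}
		flows = append(flows, Flow{Src: f[0], Dst: f[1], Dport: port, Bytes: b})
	}
	return flows, nil
}

// SMTPStats is the per-source aggregate: volume and destination fan-out.
type SMTPStats struct {
	Bytes int
	Dsts  map[string]struct{}
}

// AggregateSMTP rolls up outbound port-25 flows by source address.
func AggregateSMTP(flows []Flow) map[string]*SMTPStats {
	agg := make(map[string]*SMTPStats)
	for _, f := range flows {
		if f.Dport != 25 {
			continue
		}
		s, ok := agg[f.Src]
		if !ok {
			s = &SMTPStats{Dsts: make(map[string]struct{})}
			agg[f.Src] = s
		}
		s.Bytes += f.Bytes
		s.Dsts[f.Dst] = struct{}{}
	}
	return agg
}

// Suspicious returns sources whose SMTP fan-out or volume exceeds the
// thresholds, sorted for stable output. A real deployment would exempt
// known mail relays before applying this.
func Suspicious(agg map[string]*SMTPStats, maxDsts, maxBytes int) []string {
	var hits []string
	for src, s := range agg {
		if len(s.Dsts) > maxDsts || s.Bytes > maxBytes {
			hits = append(hits, src)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	flows, err := ParseFlows(sampleFlows)
	if err != nil {
		panic(err)
	}
	agg := AggregateSMTP(flows)
	for _, src := range Suspicious(agg, 8, 1<<30) {
		fmt.Printf("%s: %d SMTP destinations, %d bytes\n", src, len(agg[src].Dsts), agg[src].Bytes)
	}
}
```

With the thresholds in `main` only 10.0.0.5 is reported; the HTTPS host never enters the aggregate at all, and the two-destination sender stays below the fan-out limit until the byte threshold is lowered.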

  5. Yeah that's how I read it too by Weaselmancer · · Score: 2, Interesting

    All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.

    Obviously this was a temporary solution.

    Yeah, it sort of seems like they could have done a better job. If they could get cooperation from the primary ISP of the main C&C controller, and they could even set up honeypots that would accept connections to count the number of computers in the botnet - why not do more than simply remove the command servers?

    Why not set up a bogus C&C server to have the botnet erase itself?

    I'm not promoting a "format c:" option here (although that would work, obviously) - but why not have the botnet destroy itself once you breach its command structure? Have the botnet pass around a binary that erases the botnet binaries from the infected PC on the next reboot, then force a reboot? The researchers certainly know enough to create such a binary. And they obviously know enough about command parsing if they can make honeypots. Why not go that extra 2% and kill the thing?

    The hard work was already done it seems. This botnet could be completely dead, not just disconnected and waiting.

    --
    Weaselmancer
    ridiculous.
  6. Is Spam really that evil? by tjstork · · Score: 3, Insightful

    I'm only asking, because, as much as we hate botnets and trojans and malware, that, any sort of world capable of rapidly sniffing out and squelching "bad" content is a world that is capable of sniffing out and squelching out "any" content. Perhaps in this case, just as many of us accept some combination of deaths from gun violence, abortions, incendiary speech, and family breakdowns and other things, that come as a consequence of the misuse of freedom, might accept spam as a misuse of freedom too, rather than try and trade it all for a world that has no freedom at all.

    --
    This is my sig.
  7. What is "evil"? by khasim · · Score: 2, Insightful

    I'm only asking, because, as much as we hate botnets and trojans and malware, that, any sort of world capable of rapidly sniffing out and squelching "bad" content is a world that is capable of sniffing out and squelching out "any" content.

    It isn't the content. It's the volume (number of messages in this case).

    You can say whatever you want. But when you start flooding mail servers with your messages, you've lost the moral high ground.

    Now as to whether blocking zombies is the same as sorting through the content of email messages ... if you're worried about that I recommend encryption. There are lots of forms of encryption available.

    Perhaps in this case, just as many of us accept some combination of deaths from gun violence, abortions, incendiary speech, and family breakdowns and other things, that come as a consequence of the misuse of freedom, might accept spam as a misuse of freedom too, rather than try and trade it all for a world that has no freedom at all.

    That's a rather extreme jump. So far I haven't seen anyone proposing that we surrender all of our Freedoms.

  8. Re:Treat the illness, not the symptoms... by Paradigm_Complex · · Score: 2, Insightful

    I'm usually not trying for "insightful" when I quote comedians, but: "You can't fix stupid." - Ron White

    As long as there are stupid people out there using computers which are connected to the internet, they'll find a way to get their machines pwned. Unless you're proposing the anti-botnet efforts be directed towards keeping stupid people off internet-connected computers, I don't see a viable way to "treat the illness."

    --
    "A witty saying proves nothing." - Voltaire

  10. Re:Treat the illness, not the symptoms... by Requiem18th · · Score: 3, Interesting

    What illness Windows? The Windows ecosystem security is hopelessly broken.

    Lots of outdated machines won't upgrade because the upgrades are expensive, and even if they were free they might break software OR compatibility, and even if they are free and don't break compatibility many of these systems use pirate copies of Windows and they aren't going to expose themselves to unexpected lockouts.

    No, the solution is implementing a counter-spamming initiative at the ISP level. With counter-spamming I mean spamming the spammers, NO, I don't mean naively counter-spamming their email addresses, I mean spamming their honey pot channels, there was a thunderbird extension for this, basically they follow the links in the spam message and sign up/buy whatever they ask for, credit card numbers, friend email addresses, SSN, etc, all fake of course. Unlike their source email addresses they use to spam, they DO pay attention to information sent this way, because it is the way they make money, it's their biggest weak point, spam that and you take them out of business.

    --
    But... the future refused to change.
  11. Signed software. by khasim · · Score: 2, Interesting

    Have the botnet pass around a binary that erases the botnet binaries from the infected PC on the next reboot, then force a reboot?

    Because most of them depend upon digitally signed updates now. So you cannot use the zombie code to remove the zombie code unless you first have the key.

    Which makes it rather difficult.

    On the other hand ... writing a removal routine should be a LOT easier. A clean removal. Removing just the zombie code and ALL of the zombie code.

    The problem then would be getting it to run on the zombies.

    This is where the ISP's come in. It's easy enough for them to redirect all your traffic to a web page with the removal code available there. And since it is easy enough to identify the zombies, their IP addresses and their ISP's ... that should be easy, right?

    Except it would cost the ISP's some money and they won't do that unless someone forces them to spend the money. So it will take a new law requiring them to do so.

    1. Re:Signed software. by the_enigma_1983 · · Score: 2, Informative

      They just eavesdrop on communications between bots and the C&C. Trying to "compromise" the key exchange is as easy as breaking the asymmetric encryption algorithm. Aka, not very easy at all.
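The signed-update check the two comments above are arguing about, as an added example that is not part of the original thread and not Mega-D's code: a bot that ships with only the operator's public key verifies every update before acting on it, so a party that has taken over the rendezvous domain but does not hold the private key can neither sign an "uninstall" update with a key of their own nor re-use a captured signature on a modified payload. The key type (Ed25519), the update format and the command strings are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Update is what a bot fetches from its C&C: a payload plus the
// operator's signature over it. The bot ships with only the public key.
type Update struct {
	Payload   []byte
	Signature []byte
}

// NewOperator generates the operator's key pair. In a real bot the public
// half is compiled into the binary; the private half never leaves the operator.
func NewOperator() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate is the operator's side: only the private key holder can do this.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// BotAccepts is the check a bot runs before executing an update.
func BotAccepts(pub ed25519.PublicKey, u Update) bool {
	return len(u.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(pub, u.Payload, u.Signature)
}

// ForgeWithOwnKey is what a party holding the rendezvous domain but not the
// operator's key can do: sign the payload with a key of their own.
func ForgeWithOwnKey(payload []byte) (Update, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Update{}, err
	}
	return SignUpdate(priv, payload), nil
}

// Tamper is the other option: take a captured, validly signed update and
// swap in a new payload, hoping the old signature still passes.
func Tamper(u Update, newPayload []byte) Update {
	return Update{Payload: newPayload, Signature: u.Signature}
}

func main() {
	pub, priv, err := NewOperator()
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, []byte("cmd: start spam run 42")) // constructed command
	forged, err := ForgeWithOwnKey([]byte("cmd: uninstall"))
	if err != nil {
		panic(err)
	}
	tampered := Tamper(genuine, []byte("cmd: uninstall"))
	fmt.Println("operator update accepted:        ", BotAccepts(pub, genuine))
	fmt.Println("sinkhole-forged update accepted: ", BotAccepts(pub, forged))
	fmt.Println("tampered update accepted:        ", BotAccepts(pub, tampered))
}
```

Only the first line prints `true`. Eavesdropping on bot-to-C&C traffic yields valid signed updates, but each signature is bound to its exact payload, so neither a replacement key nor a replaced payload gets past the bot's check without the operator's private key.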

  12. In related news .... by PPH · · Score: 4, Funny

    ... botnet sends android back in time to kill researcher's mother.

    --
    Have gnu, will travel.
  13. Guerrilla Gorilla by fm6 · · Score: 2, Insightful

    Fighting spammers is like fighting against a guerilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerrillas will be necessary to win the war.

    Is your use of "wholesale destruction" metaphorical, or do you really think guerrilla warfare works that way? Because we tried that in Vietnam, and it didn't work. Which is why U.S. counterinsurgency doctrine got revised to exclude the myth that you can win a guerrilla war just by killing people. You also have to change the environment on the ground so that supporting your side instead of the guerrillas is a realistic option for the general population.

    Now, if the war against malware is like a guerrilla war, then it's never going to be over. There will always be some place for the other side to run and hide. We can't order other countries to not host services we don't like, if only because we don't want them to do the same to us.

    Fortunately, the analogy with guerrilla warfare only goes so far. The Internet is something people invented, not a foreign country with a complicated history and obscure customs. We can rework the thing so that the Bad Guys have a less friendly environment.