Slashdot Mirror


Man Challenges 250,000 Strong Botnet and Succeeds

nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, however, the change from a defensive to an offensive mentality is what ended the two year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."

9 of 206 comments

  1. PR "Stuff" from Fireeye by winkydink · Score: 4, Informative

    For some value of "Stuff".

    Yeah. He succeeded in eradicating the mega-D botnet. For about 2 weeks anyway.

    From MessageLabs Intelligence: 2009 Annual Security Report "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:PR "Stuff" from Fireeye by Red+Flayer · Score: 5, Interesting

      "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

      So now there can be coordinated effort against the new botnet, he'll come back with new bots, community response to kill that one off...

      Fighting spammers is like fighting against a guerrilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerrillas will be necessary to win the war. The impact of spammers can be reduced by constant counter-attacks, but the only way to eliminate spam networks hosted on compromised machines is to remove compromised machines from the network (and as many compromisable machines as possible).

      The cost of this may be too high to be worth it... but if you take away someone's internet access for a while when they get hosed, then maybe they'll stop getting hosed.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai

  2. Command & Control by phantomcircuit · Score: 5, Informative

    All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.

    Obviously this was a temporary solution.

    1. Re:Command & Control by abulafia · Score: 4, Insightful

      What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.

      Funny you concentrate on a claimed conflict of commercial interest.

      It also would have opened them up to a potentially huge legal problem. No matter how carefully coded an uninstaller, the likelihood of some number of machines having problems after being infected by a remover, when talking about .25M machines, is high. Such an action also is criminal computer intrusion in its own right.

      No person in their right mind would do such a thing.

      --
      I forget what 8 was for.

    2. Re:Command & Control by vlm · Score: 4, Funny

      No person in their right mind would do such a thing.

      Which makes me all the more surprised that no one has tried.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

  3. Shows it's possible by Gothmolly · Score: 4, Interesting

    1 guy, in 2 weeks, trashed a botnet. Why again can't major ISPs do this? Oh wait, they're getting paid to look the other way by their colocation clients (the spammers).

    --
    I want to delete my account but Slashdot doesn't allow it.

  4. Is Spam really that evil? by tjstork · Score: 3, Insightful

    I'm only asking because, as much as we hate botnets and trojans and malware, any sort of world capable of rapidly sniffing out and squelching "bad" content is a world that is capable of sniffing out and squelching "any" content. Perhaps in this case, just as many of us accept some combination of deaths from gun violence, abortions, incendiary speech, family breakdowns and other things that come as a consequence of the misuse of freedom, we might accept spam as a misuse of freedom too, rather than try to trade it all for a world that has no freedom at all.

    --
    This is my sig.

  5. Re:Treat the illness, not the symptoms... by Requiem18th · Score: 3, Interesting

    What illness Windows? The Windows ecosystem security is hopelessly broken.

    Lots of outdated machines won't upgrade because the upgrades are expensive, and even if they were free they might break software OR compatibility, and even if they are free and don't break compatibility, many of these systems use pirated copies of Windows and they aren't going to expose themselves to unexpected lockouts.

    No, the solution is implementing a counter-spamming initiative at the ISP level. By counter-spamming I mean spamming the spammers. NO, I don't mean naively counter-spamming their email addresses; I mean spamming their honey pot channels. There was a Thunderbird extension for this: basically it follows the links in the spam message and signs up for/buys whatever they ask for, credit card numbers, friend email addresses, SSN, etc., all fake of course. Unlike the source email addresses they use to spam, they DO pay attention to information sent this way, because it is the way they make money. It's their biggest weak point; spam that and you take them out of business.

    --
    But... the future refused to change.

  6. In related news .... by PPH · Score: 4, Funny

    ... botnet sends android back in time to kill researcher's mother.

    --
    Have gnu, will travel.