Slashdot Mirror

← Back to Stories (view on slashdot.org)

Man Challenges 250,000 Strong Botnet and Succeeds

Posted by CmdrTaco on from the i-fought-the-law-and-the-law-one dept.

nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, however, the change from a defensive to an offensive mentality is what ended the two year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."

7 of 206 comments (clear)

  1. PR "Stuff" from Fireeye by winkydink · · Score: 4, Informative

    For some value of "Stuff".

    Yeah. He succeeded in eradicating the mega-D botnet. For about 2 weeks anyway.

    From MessageLabs Intelligence: 2009 Annual Security Report "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:PR "Stuff" from Fireeye by Red+Flayer · · Score: 5, Interesting

      Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

      So now there can be coordinated effort against the new botnet, he'll come back with new bots, community response to kill that one off...

      Fighting spammers is like fighting against a guerilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerillas will be necessary to win the war. Impact of spammers can be reduced by constant counter-attacks, but the only way to eliminate spam networks hosted on compromised machines is to remove compromised machines from the network (and as many compromisable machines as possible).

      The cost of this may be too high to be worth it... but if you take away someone's internet access for a while when they get hosed, then maybe they'll stop getting hosed.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  2. Command & Control by phantomcircuit · · Score: 5, Informative

    All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.

    Obviously this was a temporary solution.

    1. Re:Command & Control by abulafia · · Score: 4, Insightful

      What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.

      Funny you concentrate on a claimed conflict of commercial interest.

      It also would have opened them up to a potentially huge legal problem. No matter how carefully coded an uninstaller, the likelihood of some number of machines having problems after being infected by a remover, when talking about .25M machines, is high. Such an action also is criminal computer intrusion in its own right.

      No person in their right mind would do such a thing.

      --
      I forget what 8 was for.
    2. Re:Command & Control by vlm · · Score: 4, Funny

      No person in their right mind would do such a thing.

      Which makes me all the more surprised that no one has tried.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  3. shows its possible by Gothmolly · · Score: 4, Interesting

    1 guy, in 2 weeks, trashed a botnet. Why again can't major ISPs do this? Oh wait, they're getting paid to look the other way by their colocation clients (the spammers).

    --
    I want to delete my account but Slashdot doesn't allow it.
  4. In related news .... by PPH · · Score: 4, Funny

    ... botnet sends android back in time to kill researcher's mother.

    --
    Have gnu, will travel.