Slashdot Mirror


Botnets Using Ubiquity For Security

Trailrunner7 sends in this excerpt from Threatpost: "As major botnet operators have moved from top-down C&C infrastructures, like those employed throughout the 1990s and most of the last decade, to more flexible peer-to-peer designs, they also have found it much easier to keep their networks up and running once they're discovered. When an attacker at just one, or at most two, C&C servers was doling out commands to compromised machines, evading detection and keeping the command server online were vitally important. But that's all changed now. With many botnet operators maintaining dozens or sometimes hundreds of C&C servers around the world at any one time, the effect of taking a handful of them offline is negligible, experts say, making takedown operations increasingly complicated and time-consuming. It's security through ubiquity. Security researchers say this change, which has been occurring gradually in the last couple of years, has made life much more difficult for them. ... Researchers in recent months have identified and cleaned hundreds of domains being used by the Gumblar botnet, but that's had little effect on the botnet's overall operation."

18 of 95 comments

  1. Some news from Australia on this by AHuxley · Score: 3, Interesting

    http://www.acma.gov.au/WEB/STANDARD..PC/pc=PC_310317
    "The AISI collects data from various sources on computers exhibiting 'bot' behaviour on the Australian internet.
    Using this data, the ACMA provides daily reports to ISPs identifying IP addresses on their networks that have been
    reported in the previous 24-hour period.
    ISPs can then inform their customer that their computer appears to be compromised and provide advice on how they can fix it."

    The only question seems to be when will P2P be seen as a botnet, LimeWire etc. Will the Anti-Counterfeiting Trade Agreement (ACTA) alter 'bot' behaviour to new areas of ISP use and account 'fixing'?
    Will ISPs get powers to pop packets to note 'bot' behaviour early on, rather than seeing their IPs reported back days later?

    --
    Domestic spying is now "Benign Information Gathering"
  2. ISP accountability by drDugan · Score: 2, Interesting

    It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network. Yet another example of prices and business practices not matching the real costs of activities.

    To me, I would think the real solution, long term, to fixing botnets is creating a tight loop with internal scanning, reporting, warnings, verification, and then turning off Internet connection to machines that are infected. ISPs will need to be "motivated" to take responsibility for actions taken on their network, and they will have to have fully automated systems that take infected machines offline.

    It doesn't seem like this is a priority for ISPs yet. It's easier and cheaper to simply ignore the problem.

    1. Re:ISP accountability by Muggins+the+Mad · Score: 2, Insightful

      How would the ISP inform the customer that they've been infected?

      Obviously web or email would just open them up to the usual phishing.

    2. Re:ISP accountability by Cylix · Score: 3, Insightful

      The cost to the ISPs would be fairly significant. It's not simply the potential lost revenue from disabling unwitting users, but forcing the issue will also generate a good deal of customer interaction. Talking with customers will generally result in additional costs as well as dealing with potential infections.

      It's not an act of benevolence, but rather it is assuming responsibility. If you don't treat the issue for the customer then they may simply take the path of least resistance. ie, they may ultimately simply find another provider. Conversely, attempting to correct the problem will also result in issues as you now have the responsibility of restoring the customers computer to working order.

      Ultimately, all of these risks and more would have to outweigh the costs of fixing the problem. I'm glad I don't have to deal with these kinds of issues anymore because trying to pitch an act of altruism to the company owner probably would not have worked.

      With that said, there are basically a few ways to approach the issue: tighter regulation which states ISPs have to shepherd their flock, fines on non-compliance, or grants to reward certain infection threshold reductions. In the end it really is about making one choice more expensive than the other.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    3. Re:ISP accountability by girlintraining · Score: 5, Insightful

      It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network.

      And the moment they do that, they'll be expected to police for other illegal or immoral activity, like video and music downloading, content monitoring, deep packet inspection, and more. The operating costs go up as well, making them less competitive compared to other ISPs that do not monitor their customers' habits.

      No, security needs to be managed by the owner of the machine. The ISP only has the responsibility to ensure that the customer has reasonable access through its networks, and perhaps a measure of QoS filtering/rate limiting/etc., to manage a shared (and limited) resource. Unless the bot is commanding the machine to use lots of network resources, its impact on other users is negligible from the ISP's perspective.

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:ISP accountability by Splab · Score: 3, Interesting

      BS, ISPs are just lazy. Here in Denmark at least a couple of the ISPs will actively block your connection if they detect botnet-like activity from your machine. When flagged, any requests will be directed to a homepage where they tell you that you probably are infected and ask you to contact support for further assistance.

    5. Re:ISP accountability by Anonymous Coward · Score: 2, Insightful

      "...fines [fining ISPs] on non-compliance..."

      Why not fine the actual owner of the computer that's causing the problem? That would generate more motivation both to ISPs and end users. The user would seek an ISP that has excellent and quick detection and alerting facilities to protect him/her from fines. The user would be motivated to keep his/her machine more up-to-date. The user would have monetary motivation to purchase help if he/she can't administer his/her own computer effectively from someone competent.

      Targeting the ISP only will just raise rates and make users hate their ISPs more. And why should the ISP (who doesn't own the computer that's infected, who didn't click on the phishing link, who didn't install that trojan toolbar, but only provided, at the END USER'S REQUEST, a connection that allowed the user to accomplish this) bear responsibility and not the end user?

      I think too many end-user slashdotters are lazy and want someone else to nanny-state-take-care-of-them instead of bearing personal responsibility. *sigh* That's pretty much the state of modern society... Mama/papa government will take care of us!

    6. Re:ISP accountability by Anonymous Coward · Score: 3, Interesting

      It's a very dangerous route to go down. If all ISPs did that, I'm pretty sure that botnets would start encrypting their C&C data. Then what? If you just block all data you can't understand, say good-bye to VPNs, legit P2P applications, and private communications between actual people.
      Of course, if you detect that your customers are ddosing some server, that's a different story.

    7. Re:ISP accountability by Urza9814 · Score: 3, Insightful

      It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network.

      And why should they be? If I sell you a fishing line, it isn't my job to ensure you don't choke somebody with it. Or for an even better analogy, look at the phone networks. Generally, if someone is calling you on the phone and harassing you, the phone company will not disconnect that person. They'll offer to change your number. It takes a _lot_ of complaints for them to cut off service to an offender. Same thing goes on the internet. Yes, botnets _will_ eventually be cut off, but it takes a lot of complaints. Otherwise, who decides what's malware?

    8. Re:ISP accountability by FrankieBaby1986 · Score: 3, Informative

      They do exactly that at my University. Students get disconnected from the network when a bot or worm or rootkit is detected. I'm not sure what methods they use to detect, but when this happens, the user is REQUIRED to bring their computer to the Residential Computing Desk and have it reformatted. (They are allowed to make, and assisted with making, backups of their personal files.)

      The users are sent an email informing them of the situation, but usually they never get it, and just visit or call the desk when their internet won't work.

      It's always pretty funny (but rare) when a Mac needs to be reformatted; the user is almost always blown away that they can be infected.

      --
      ERROR: SIG NOT FOUND (A)bort, (R)etry, (F)ail?:
    9. Re:ISP accountability by JWSmythe · Score: 3, Insightful

      You know, that's very true. Residential customers may stick with their provider (how many AOL users are still out there), but hosting customers will jump ship if they get disconnected. I had a friend whose SQL server got unplugged when a MSSQL worm was going around. It wasn't infected, but for the "safety of the datacenter" one of the techs walked around and pulled the power cord on any machine labeled "SQL". He called, and they couldn't resolve the problem. They said "we don't see anything wrong." When he got there, he found his machine was unplugged, just like quite a few other customers' SQL boxes. Two days later, his equipment was in another datacenter.

      --
      Serious? Seriousness is well above my pay grade.
  3. They seem to throttle their "attacks" as well. by RobertSeattle · Score: 5, Interesting

    My small 16-person company gets an average of 300K Directory Harvesting emails a day - every day - day in, day out. All I have to say is I appreciate the jerks running the botnets for not killing my domain with 30 million of these a day. They throttle their crap to a certain level somehow so they are annoying but not crippling. Gee, thanks, I guess.

    1. Re:They seem to throttle their "attacks" as well. by noz · Score: 4, Insightful

      There's no point sending any spam, if not your estimated 30 million messages, only to collapse the server and not relay the messages to the recipients.

      The botnet operators probably think of this as an optimization problem and not good manners.

    2. Re:They seem to throttle their "attacks" as well. by JWSmythe · Score: 2, Interesting

      Tie your spam filtering software into your firewall. Nothing says loving like dropping their inbound traffic. :) We only receive about 20k spams/day now (versus more than 300k before), just by having rolling blacklists based on spammy inbound traffic. You'll get a handful through, but nothing else will come in for days.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:They seem to throttle their "attacks" as well. by timmarhy · Score: 2, Insightful

      You can go one better and implement a tarpit, which actually costs the spammer money by delaying their emails. Every second they are delayed is a second they can't spam another mail server, frustrating their efforts. http://en.wikipedia.org/wiki/Tarpit_(networking)

      --
      If you mod me down, I will become more powerful than you can imagine....
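    Added example (not code from any of the commenters above): one way to combine the two ideas in this sub-thread, a rolling blacklist built from spam-filter verdicts that expires after a few days, plus a tarpit delay for moderate offenders. The log format, thresholds, window and the iptables rule text it emits are all assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed spam-filter log lines (assumed format): timestamp, verdict, client IP.
SAMPLE_LOG = """\
2010-01-10T10:00:00 verdict=spam client=198.51.100.7
2010-01-10T10:00:05 verdict=spam client=198.51.100.7
2010-01-10T10:00:09 verdict=spam client=198.51.100.7
2010-01-10T10:01:00 verdict=ham client=203.0.113.9
2010-01-10T10:02:00 verdict=spam client=203.0.113.9
2010-01-05T09:00:00 verdict=spam client=192.0.2.55
2010-01-05T09:00:01 verdict=spam client=192.0.2.55
2010-01-05T09:00:02 verdict=spam client=192.0.2.55
"""

LINE_RE = re.compile(r"^(\S+) verdict=(spam|ham) client=(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, verdict, ip) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def decide(events, now, window=timedelta(days=3), drop_at=3, tarpit_at=1, delay_per_hit=10):
    """Map each sender IP to (action, seconds) using only spam verdicts inside `window`.
    'drop'   -> block at the firewall (the rolling blacklist); entries age out after `window`
    'tarpit' -> still accept, but delay every SMTP response by `seconds`
    'accept' -> normal delivery"""
    counts = defaultdict(int)
    for ts, verdict, ip in events:
        counts.setdefault(ip, 0)               # known sender, even with no recent spam
        if verdict == "spam" and now - ts <= window:
            counts[ip] += 1
    decisions = {}
    for ip, n in counts.items():
        if n >= drop_at:
            decisions[ip] = ("drop", 0)
        elif n >= tarpit_at:
            decisions[ip] = ("tarpit", n * delay_per_hit)
        else:
            decisions[ip] = ("accept", 0)
    return decisions


def firewall_rules(decisions):
    """Render 'drop' decisions as iptables commands for the SMTP port (assumed rule form)."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 25 -j DROP"
            for ip, (action, _) in sorted(decisions.items()) if action == "drop"]
```

    Re-running `decide` with a later `now` shows the expiry: once the spam verdicts for an IP fall outside the window it returns to 'accept', which is the "days later" release the commenter describes.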
  4. Efficiency by w00tsauce · Score: 3, Interesting

    I for one think botnets are uber cool, a testament to the efficiency of the internet. Using computers that would normally sit idle to do something, even if it's detrimental, is just plain cool. I also think botnets foreshadow the future of the internet, where most applications work by P2P instead of the normal client-server relationship.

  5. DAAA DA DAAA DA DA DAAA DA DA DA DAAA DAAA by identity0 · Score: 3, Funny

    top-down C&C infrastructures, like those employed throughout the 1990s

    My C&C keeps going down because the &*#$ing Harvester goes after Tiberium next to the enemy tanks :(

    With many botnet operators maintaining dozens or sometimes hundreds of C&C servers around the world at any one time

    Oh I wish.

  6. Bring back the biff! by Puff_Of_Hot_Air · Score: 2, Informative

    Years ago, virii held more fear for the average punter, as they would literally trash your o/s, data, everything. The thing is, these viruses did far less real damage than the trojans and botnets of today. We need some well-meaning black hats to write some old-school virii: viruses that knock those old unpatched boxes right off the web. It's time we brought back the biff!