Researchers Cripple Pushdo Botnet
Trailrunner7 writes with this from ThreatPost: "Researchers have made a huge dent in the Pushdo botnet, virtually crippling the network, by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet. Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet's spam operations. After doing an analysis of Pushdo's command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said."
I wonder if the courts would issue an order that would legalize hacking of unstoppable network computers to prevent ongoing attacks?
Other normally illegal tactics can be utilized legally, if a judge deems them necessary or in a court of law. You know, 1st degree murder vs E-Chair?
I would love to see stories like this publishing a full list of the providers who didn't take down a server.
Wait, so I won't be getting any more exciting opportunities to add inches to my penis? What about all that steady income I was getting helping out Nigerian bankers!?!? How am I going to feed my family and satisfy my wife?
Seriously, guys, why does nobody ever link to the original source? ThreatPost got it from M86 Security got it from TLLOD. Would it kill the submitters to link to the original, or the editors to fix it?
Unresponsive providers might be more likely to respond if responsive parties who controlled upstream routers were to stop routing traffic from them.
All traffic.
I say we take off and nuke the entire site from orbit. It's the only way to be sure.
What one fool can do, another can. (Ancient Simian Proverb)
If you bother to RTFS, you'll note that they worked with the content providers - they shut the servers down themselves. No hacking involved.
I seem to be missing something here. Somebody please remind me what Windows Malicious software remover and all those antivirus programs are supposed to be doing.
No sig today...
They have been studying this since 2007 and now, three years later, have only managed to take 20 of the 30 control servers offline. Good work, to be sure, but it's not even a dent in terms of amount of malware stopped. How many other worms/viruses have been created in the past three years that are still running? And how much work would it take to bring Pushdo back to full force? Put some other C&C servers online and push out an updated list through the current C&C servers.
The only reason this got crippled was because it was the focus of a particular bit of research. There's no way in hell that the same amount of effort could possibly be put towards stopping even a majority of other, equally dangerous, malware.
A small victory in a huge war.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
All of those crimes should be punishable by firing squad, drinking or smoking. (possibly taxes)
I know which one I'll pick, but a few will likely make a poor choice.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
I read that as RTS and had questioned the initial benefits.
I eventually realized that I would never understand your comment until I played a few rounds of starcraft.
Which brings me to my next realization....
Bystanders report the ten were nuked by a BGP attack from orbit.
Unfortunately, the rumors were greatly exaggerated. The nukes didn't find their targets, because the folks who identified the servers were so unkind that they didn't publish the IP addresses^H^H^H^H^H^H^H^H^H^H^H^H coordinates
It takes ONE (1) command/control server to keep the botnet functioning.
TEN (10) were left up.
NOTHING was "seriously crippled" nor was the botnet affected. This is a perfect example of a non-story about a good attempt that failed.
They've been "Trying since 2007" and can't take down 30 servers. Fair enough. There are lots of countries that don't cooperate with self-styled "authorities". How is this a story?
Did some widdle person need to publish something to get their widdle higher degree?
This is not a success.
There was nothing "crippled" here nor "seriously crippled" nor "partially crippled."
This is an example of a non-story about an abject failure.
It's like Bruce Willis taking out 2/3 of the asteroids about to blow up the Earth.
So they take down 2/3rds of the C&C servers and by tomorrow the entire net will be redirected to 30 brand new C&C servers.
Does this mean Firefox can now climb a glass surface...?
I think we need to start having more of a "you play nice or don't play on the net" kind of system going on. Providers are not expected to be perfect, nobody is perfect, just to be responsive to complaints/problems. If you aren't you get warned and if you keep ignoring it you just get shut out by all major networks. You then have to prove you took care of the problem and will play nice before you get let back in.
That's how we do it at work, actually. I work at a university and we have a lot of research labs, some of which are totally independent of our central control. When a system in there gets infected, we see if we can track someone down who can deal with it, if nobody is there or everyone claims ignorance, we shut down all network access. When that happens people get a hold of us surprisingly fast and the person who needs to deal with the system is found. Once they take it offline to be dealt with and promise to behave, network access is restored.
I think the big network providers need to work out a system like this, where if a given company is unresponsive, you can file a complaint with them. They then warn the company and if they are still unresponsive, cut access. After all the crap causes them problems as well.
I take your multiple ^Hs and raise you a ^W
There are places where the networks are not touching, and there are places where they are. -- Boeing's Lori Gunter
They circumvented a protection measure... Someone should slap them with a DMCA lawsuit.
Damn researchers.. always screwing up the internet.
"Cripple" sounds entirely too optimistic. Maybe "somewhat inconvenience" is the right term here. C&C servers can be added easily, if the design is right. In fact, if the operators know their business, they will have standby servers that can be activated within minutes.
And again some "security researchers" vastly overstate their success. I find that highly unethical.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Two ^W, please.
The Tao of math: The numbers you can count are not the real numbers.
Which brings me to my next realization....
... You can only win by zerg rushing the botnet?
Seriously, guys, why is this the only +5 post in the article?
Has the news media finally surpassed Slashdot in news-related facts to such an extent that there is no meaningful commentary which is attached to a story?
WTF?
Should I re-up my subscription to the local dead-trees rag?
researchers
No, you aren't. I don't know why people working in IT security have the ego to always add the word "researcher" to their title. Just because your job involves problem solving it doesn't mean you're a "researcher" as the term is understood everywhere else. Anyway, where does your R&D budget come from for this team of "researchers", and what do you get back?
at Last Line of Defense
Who? So many overgrown hax0rs slapping a stupid name on their activities and calling themselves a business, using inflated claims of leet-sounding achievements for PR then pushing security "solutions" to idiots.
a security intelligence firm
lol. k guise. security intelligence. security intelligence. yuo.
Look, it's cool what you've done. But would you kindly put yourself into context and stop adopting a pompous vocabulary unique to your trade? Perhaps the state of PC security wouldn't be so dire if it wasn't such a mixture of AV vendors enjoying protection money and ADHD-crippled scene d00ds lacking formal grounding and in a permanent state of 14 year old.
Posting AC because the kid has a water pistol and it's too early in the morning to get wet.
I wonder why the police did not just add spying/logging equipment, keep silent and follow the wires (IP addresses) and money transfers. (Obviously, someone paid for the servers, even if with stolen cards.) Shutting down 2/3 of the C&C is like a job 2/3 done. The organized crime behind this is still running fine.
Léa Gris
Look at their graph: from a high of 1,400 on 3 Aug to 0 on 26 Aug. -- that ranks as both a "seriously crippled" and "success" in my book.
So while you chose to belittle their achievements, I for one chose to say a silent "Thank you! Well done!" for their years of persistence in fighting this war.
I did. Color me unimpressed. This isn't the first time that this botnet's servers have had their numbers reduced.
I didn't see any analysis of what is going on server side and that is where all the interesting code is.
Their client/server protocol is self-repairing in that servers can propagate new IP lists of servers to clients. According to the various articles, (some of) the servers have been taken down before.
Apparently nothing is known about what is going on server side.
This botnet puts a high priority on not being detected (according to TFAs).
All that is happening now is a reconfiguration. Lay low, infect new servers, then it's business as usual.
Oh and my threat estimate of this botnet is very high. It's MS Windows only at the moment, of course, but the analysis seems to indicate that with not much additional work, could function in a heterogeneous network.
I'm proposing that people deal with their own dirty laundry, and if they won't, that the people above them do. For example if I am causing a problem, my ISP will call me and say "Hey fix your shit." Happened many years ago, a roommate got a virus on his computer. They called me, I turned it off, life was good. Should I refuse, however, the ISP would have shut down my line. They were not interested in sending out viruses all over the place.
What I'm proposing is that the big bandwidth providers take the same attitude. If some hosting provider has systems doing evil, you contact them. However if they refuse to deal with it, you can then contact the big providers. They can check, if evil is going on they warn the company. If it doesn't stop, they shut down the links.
I fail to see a problem here. Such a thing wouldn't be done capriciously because it is against a business's best interest. If a customer is paying money and not causing problems of course they want to keep the connection active. They don't want to turn it off for fun (and probably break the contract).
All lines have AUPs, even big ones. I just think they need a mechanism to allow for complaints and enforcement, and something that is less severe than a total disconnection. Rather than something having to get to the "You cause so much trouble you are in violation of the contract and we stop selling service to you," point instead they can say "You've refused to deal with complaints so you are blocked, fix your shit and promise to listen in the future and we turn you back on."
The reason I want to see this is first because I want less shit on the net, but also because with many things you find you either self regulate or the government will regulate you. What happens if instead the US government, or a council at the UN gains complete regulatory power and can tell providers who to shut down? I'd much rather have it as a self regulating system.
It works well for ISPs, and most ISPs do it. As I said, as a university we are an ISP and we do just that. We investigate and respond to claims of malicious network activity. However, we need a higher level to deal with the ISPs that won't respond to the complaints.
Editors? I don't think that word means what the editors think it means.
Don't fight for your country, if your country does not fight for you.
What about "gently tickle"
http://www.microsoft.com/security_essentials/
(when promoting being up to date, linking to an out of date version was a pretty ironic screw-up.. :)
If you'd like to see better submissions perhaps you could improve the quality of submissions by submitting more stories yourself?
These aren't the editors you're looking for.
Firstly, your retort isn't relevant because it's the editor's JOB to curate the submissions, not just to pick a few a day and post them verbatim. If all they wanted to do was pick the top few stories of the day, a simple voting system like digg or reddit would do that more efficiently.
Secondly, if you'd bothered to look at the GP's user page, you'd see that he/she has submitted several stories and had many of them accepted.
It's certainly better to block the server by having the ISP take it down, but there are other ways to do it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
What about "gently tickle"
Hehehehehe ;=)
Instead of getting the ISPs to identify the servers and take them offline, get them to identify the humans issuing the commands to them so that the rest of us can work to ensure that they don't just fire up another server.
PAK CHOOIE
Pushdo, botnet. A network barely alive. Gentlemen, we can rebuild him. We have the technology.
Or in other words; if you can't kill it off in one strike, it's just going to evolve into a better, stronger botnet..
Shutting down, isolating, or disabling Command and Control (C&C) servers is an ineffective approach. Others have pointed out that shutting down a part of the C&C server network will likely only result in the next update push including a new C&C server list. Even if you succeed in shutting down the entire C&C server network, the botnet operator can simply point one of the C&C server hostnames to a new server, on a new provider, and push a new server list. You can jail the perpetrator, and the network continues to operate - probably under the control of one of the previous botnet operator's associates. You can pull all of his domain names, and he will still probably have a few C&C servers that are addressed by IP address. You can completely stop all traffic to these servers, yank his domain names, and throw him in jail - and what you now have is a "sleeper" botnet, one that comes to life as soon as someone figures out that it's there, registers one of the domain names, and sets up a C&C server on the appropriate hostname - and don't think for a second that someone won't try it. The news story serves as an advertisement for a free, in-place botnet, looking for an operator. Being the suspicious sort, I'd expect some shadowy governmental entity from some shadowy nation to absorb such a resource, perhaps for later use in some sort of cyberwarfare. Or maybe one of these shadowy "security intelligence firms" that someone mentioned... :)
The only effective way to make a real dent in a botnet, is to shut down, disable, or isolate the bots themselves. And the solution requires some permanence. I like the cluster-bomb idea, but I suspect that the collateral damage might serve as a deterrent to that sort of action. Perhaps a better approach would have been to take control of the botnet, and then instruct it to remove itself. If not that, then perhaps a C&C server list update, containing no servers? A directive to stop trying to contact servers, or to make a contact attempt only once every hundred years?
Law enforcement would probably be prohibited from such action, on the premise that it is invasive in the same manner as the original intrusion, and might therefore constitute a violation of law. But a nice shadowy "security intelligence firm" is probably under no such constraints... :)