Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Cripple Pushdo Botnet

Posted by timothy on from the nothing-wrong-with-the-word-cripple dept.

Trailrunner7 writes with this from ThreatPost: "Researchers have made a huge dent in the Pushdo botnet, virtually crippling the network, by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet. Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet's spam operations. After doing an analysis of Pushdo's command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said."

22 of 129 comments (clear)

  1. Legal hacking? by Creepy+Crawler · · Score: 4, Interesting

    I wonder if the courts would issue an order that would legalize hacking of unstoppable network computers to prevent ongoing attacks?

    Other normally illegal tactics can be utilized legally, if a judge deems them necessary or in a court of law. You know, 1st degree murder vs E-Chair?

    --
    1. Re:Legal hacking? by Ethanol-fueled · · Score: 5, Insightful

      Don't know if you got the memo, but the feds pay others to do the dirty work for them.

      Fed: "Wanna work with the FBI, Fido? Wanna help us catch bad guys?"
      Snitch: "Yeahyeahyeahyeahyeahyeah!
      Fed: "There's an athiest group that looks suspicious. I think they're laundering money to fund their picnics. You need to infiltrate them, earn their trust, and if you don't find anything make something up so we have a good excuse to raid their headquarters. You will get a pat on the head and a nice, big doggy bone if we get convictions. Snitch: "Yeahyeahyeahyeahyeah!

      [ Months later, a number of the atheist group's members are arrested for child pornography for unwittingly having nude pics of their 17 year-old sons and daughters who kept them stored "privately" in facebook ]

      Fed: "Bad news, Fido. The D.A. wants to charge you with computer crimes. You're expected to do 5 years in the pen."
      Snitch: *whimper*
      Fed: "It's okay, you helped us save the children. Just suck it up and don't drop the soap."

    2. Re:Legal hacking? by Martin+Blank · · Score: 5, Insightful

      There's no legal authority for the courts to order such actions. Even execution orders are authorized by the legislative body, approved by the chief executive, and carried out by subordinates to the executive (subject to the lack of intervention by the judicial body). Any offensive action against spammers/hackers would require a similar path.

      --
      You can never go home again... but I guess you can shop there.
    3. Re:Legal hacking? by FriendlyLurker · · Score: 4, Interesting

      If it hasn't happened already - how long before they control the biggest botnets on the block (they being "security intelligence firm's"), to meet the Cyber-defense budget laid down by American taxpayers. Personally I prefer to setup a few spam filters on my servers over having Goverments use their shady "security intelligence firm's" to take websites like wikileaks offline.

    4. Re:Legal hacking? by WrongSizeGlass · · Score: 3, Interesting

      I'm sorry to be the one to tell you this, but your little 'story' is very reminiscent of the ABC After School Special "When Good Dogs Do Bad Things (And Hard Time) For Good Reasons". Be on the look out for a little 'invitation' to a court party being held in your honor thrown by the ASSAA and their affiliated legal teams. ;-)

    5. Re:Legal hacking? by WrongSizeGlass · · Score: 4, Funny

      What you're looking for is the B-Team, a team of anti-botnet soldiers of fortune on the run from the RIAA after being branded as criminals for a "download they didn't commit."

  2. I would love to see... by ysth · · Score: 5, Interesting

    I would love to see stories like this publishing a full list of the providers who didn't take down a server.

    1. Re:I would love to see... by Anonymous Coward · · Score: 3, Informative

      Read the f**king article:

      Unfortunately, not all providers were responsive and thus several Command & Control servers are still online at this point," researcher Thorsten Holz wrote.

    2. Re:I would love to see... by mysidia · · Score: 3, Interesting

      So would I like to see that.

      So I could switch to those providers, and know they wouldn't be messing with my server without talking to me just because some er "researcher" decided they thought the server might be some sort of C&C

      I imagine there could be some legal concerns of the researchers were to publish such a list... it might seem like extortion "Take down that server, or we'll publish your name!"

      Or it might attract more business to those providers.. the, er, bad guys, would also know some go-to providers [not that they don't already]

    3. Re:I would love to see... by rastos1 · · Score: 5, Informative

      So I could switch to those providers, and know they wouldn't be messing with my server without talking to me just because some er "researcher" decided they thought the server might be some sort of C&C

      I assume that the providers were just notified by the researcher and were able to see for themselves whether the server is doing something malicious or not. In addition every ISP I've dealt with, has a contract clause that allows them to cancel the service if you use it to violate the laws of the country - which is often the case when sending SPAM. You are then free to sue them if you believe that terminating the service was not justified.

    4. Re:I would love to see... by nacturation · · Score: 4, Insightful

      I assume that the providers were just notified by the researcher and were able to see for themselves whether the server is doing something malicious or not.

      And when they look into it, they'll probably see a bunch of SSL-secured HTTP requests.

      In addition every ISP I've dealt with, has a contract clause that allows them to cancel the service if you use it to violate the laws of the country - which is often the case when sending SPAM. You are then free to sue them if you believe that terminating the service was not justified.

      A command and control server doesn't send out spam. It only acts as a server for the bots that do all the spam sending.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  3. sadface! by bwayne314 · · Score: 5, Funny

    Wait, so I wont be getting any more exciting opportunities to add inches to my penis? What about all that steady income I was getting helping out Nigerian bankers!?!? How am I going to feed my family and satisfy my wife?

  4. And they never link to the original source...why? by SheeEttin · · Score: 4, Informative

    Seriously, guys, why does nobody ever link to the original source? ThreatPost got it from M86 Security got it from TLLOD. Would it kill the submitters to link to the original, or the editors to fix it?

  5. Unresponsive providers might be more likely... by paper+tape · · Score: 5, Insightful

    Unresponsive providers might be more likely to respond if responsive parties who controlled upstream routers were to stop routing traffic from them.

    All traffic.

    1. Re:Unresponsive providers might be more likely... by FlyingGuy · · Score: 4, Interesting

      This reminds of a story that may be more tech myth and legend and if it is not true it should be and it goes something like this:

      Back in the early days of the net when the major interconnects were MAE East and MAE West and other interconnect points had not been established almost everything routed through these two points.

      So the story goes that there was a tech who dutifully monitored the system during his shift. He had noticed that someone from another country was trying to get access to files on a certain server at major university. Now he was curious because he saw the same attempts over and over again over a rather long period of time. Now since we all forget password or thing we know them and then try and try without success this is not that unusual and normally after fumbling around we will just contact the machines owner and ask for the correct password. Now in those days it was still a relatively small group of folks so there were not a whole lot of questions asked.

      But the tech in question started noticing the pattern was limited to times when the people attending these machines would not be there.

      So he sent off an e-mail to the admins he knew and they had not been requested to change or provide any passwords.

      So our intrepid tech sent off an e-mail to the administrators of the location of the seeming intruder and asked that they have him stop. Well the admins said that it was really none of their business anyway and being in a foreign country our admin had no say over what anyone there did. The long and short of it was that the apparent intruder kept it up.

      So one night our intrepid admin had had enough, so he did what he thought might get peoples attention. He simply unplugged the cable that was the source of the problem and effectively disconnecting an entire country from MAE West!

      Well in a few hours phones started ringing into MAE West asking questions and trying to figure out what was wrong? He told them he had asked, many time for the admins of the network that the rude behavior was originating from to kindly ask the owner of the machine to stop and had been rudely rebuffed to say the least.. He also said when the attempted intrusions stop, he would plug them back in. To say the least they stopped in fairly short order and he plugged them back in.

      Now that is a bit far flung because I doubt there is any one cable that could disconnect an entire country but I am pretty sure you could simply route class A's to /dev/null. Perhaps that what it will take to get ISP's to get serious. Just pull their plug until they behave. Everyone peers in someplace so it should not be that hard to go and find that Ethernet cable and simply unplug it and leave it dangling until their behavior changes/

      --
      Hey KID! Yeah you, get the fuck off my lawn!
  6. Re:Cyberterrorism is ok, huh? by Xiroth · · Score: 4, Informative

    If you bother to RTFS, you'll note that they worked with the content providers - they shut the servers down themselves. No hacking involved.

  7. Re:"For years..." by rudy_wayne · · Score: 4, Informative

    Somebody please remind me what Windows Malicious software remover and all those antivirus programs are supposed to be doing.

    They don't do anything if you don't use them.

  8. Pretty much by Sycraft-fu · · Score: 4, Informative

    I think we need to start having more of a "you play nice or don't play on the net" kind of system going on. Providers are not expected to be perfect, nobody is perfect, just to be responsive to complaints/problems. If you aren't you get warned and if you keep ignoring it you just get shut out by all major networks. You then have to prove you took care of the problem and will play nice before you get let back in.

    That's how we do it at work, actually. I work at a university and we have a lot of research labs, some of which are totally independent of our central control. When a system in there gets infected, we see if we can track someone down who can deal with it, if nobody is there or everyone claims ignorance, we shut down all network access. When that happens people get a hold of us surprisingly fast and the person who needs to deal with the system is found. Once they take it offline to be dealt with and promise to behave, network access is restored.

    I think the big network providers need to work out a system like this, where if a given company is unresponsive, you can file a complaint with them. They then warn the company and if they are still unresponsive, cut access. After all the crap causes them problems as well.

  9. Re:Slashdot editors will approve anything... by PatPending · · Score: 4, Informative

    NOTHING was "seriously crippled" nor was the botnet affected. This is a perfect example of a non-story about a good attempt that failed.

    "Nothing?" "Attempt that failed?"

    Look at their graph: from a high of 1,400 on 3 Aug to 0 on 26 Aug. -- that ranks as both a "seriously crippled" and "success" in my book.

    So while you chose to belittle their achievements, I for one chose to say a silent "Thank you! Well done!" for their years of persistence in fighting this war.

    --
    What one fool can do, another can. (Ancient Simian Proverb)
  10. Surveillance and tracking instead of shut down by La+Gris · · Score: 3, Insightful

    I wonder why the police did not just add spying logging equipments, kept silent and followed wires (IP addresses ) and money transfers. (obviously, someone paid for the servers, even with stolen cards). Shutting down 2/3rd of C&C is like 2/3rd done job. The organized crime behind this is still runing fine.

    --
    Léa Gris
  11. That's not what I'm proposing by Sycraft-fu · · Score: 5, Insightful

    I'm proposing that people deal with their own dirty laundry, and if they won't, that the people above them do. For example if I am causing a problem, my ISP will call me and say "Hey fix your shit." Happened many years ago, a roommate got a virus on his computer. They called me, I turned it off, life was good. Should I refuse, however, the ISP would have shut down my line. They were not interested in sending out viruses all over the place.

    What I'm proposing is that the big bandwidth providers take the same attitude. If some hosting provider has systems doing evil, you contact them. However if they refuse to deal with it, you can then contact the big providers. They can check, if evil is going on they warn the company. If it doesn't stop, they shut down the links.

    I fail to see a problem here. Such a thing wouldn't be done capriciously because it is against a business's best interest. If a customer is paying money and not causing problems of course they want to keep the connection active. They don't want to turn it off for fun (and probably break the contract).

    All lines have AUPs, even big ones. I just think they need a mechanism to allow for complaints and enforcement, and something that is less severe than a total disconnection. Rather than something having to get to the "You cause so much trouble you are in violation of the contract and we stop selling service to you," point instead they can say "You've refused to deal with complaints so you are blocked, fix your shit and promise to listen in the future and we turn you back on."

    The reason I want to see this is first because I want less shit on the net, but also because with many things you find you either self regulate or the government will regulate you. What happens if instead the US government, or a council at the UN gains complete regulatory power and can tell providers who to shut down? I'd much rather have it as a self regulating system.

    It works well for ISPs, and most ISPs do it. As I said, as a university we are an ISP and we do just that. We investigate and respond to claims of malicious network activity. However, we need a higher level to deal with the ISPs that won't respond to the complaints.

  12. Re:And they never link to the original source...wh by houghi · · Score: 3, Insightful

    Editors? I don't think that word means what the editors think it means.

    --
    Don't fight for your country, if your country does not fight for you.