DOJ Gets Court Permission To Attack Botnet

itwbennett writes "In an unprecedented move, the Department of Justice (DOJ) and the FBI have been issued a temporary restraining order that will allow the FBI and the US Marshal for the District of Connecticut to set up servers at the Internet Systems Consortium or other ISPs that would stop infected computers from continuing to spread the Coreflood virus, according to court records. This week, the DOJ and FBI seized five servers that controlled Coreflood-infected computers, the DOJ said in a press release. The agencies also seized 29 domain names used by the Coreflood botnet to communicate with the servers."

unprecedented?

[countertrolling]

Not anymore...

What is the price of one piano compared to the terrible crime that's been committed here?

Re:unprecedented?

[mysidia]

What is the price of one piano compared to the terrible crime that's been committed here?

Negligible. I say it's fine as long as the feds 'return it' expeditiously when they are done and make certain the owner is fully compensated (erring on the side of overcompensated) for any loss incurred.

For example, if the servers were required to generate $1 million in revenue a day; I would expect the owner to be paid $1 million + 10% for every day the revenue cannot be generated because servers are impounded by law enforcement or not returned to the owner, and repaid any lost long-term revenue caused by the outage.

Re:unprecedented?

[WrongSizeGlass]

unprecedented?

The problem is that the existence of a large botnet stealing banking information is not unprecedented.

Re:unprecedented?

[hydrofix]

But you are the one who neglected computer security. I don't think you deserve a penny.

Re:unprecedented?

[mysidia]

But you are the one who neglected computer security. I don't think you deserve a penny.

No. You are the one whose security was defeated by a criminal. You can fix the server, just like you can fix a building's Window after a break-in.

That doesn't give police the right to seize your office pending another burglary attempt (without providing you fair compensation as required by the 5th amendment in order to take/hold your private property for public use.), even if it is suspected the burglar might be using your office as a rendezvous point with his other criminal buddies.

Re:unprecedented?

[FatLittleMonkey]

That doesn't give police the right to seize your office

Actually it does. Police routinely cordon off crime-scenes during an investigation.

pending another burglary attempt [...] even if it is suspected the burglar might be using your office as a rendezvous point with his other criminal buddies.

And police can certainly act to prevent a crime. For an IRL situation, I doubt they would even need the court-order if they had a "reasonable belief" that a crime was being committed within a building.

Re:unprecedented?

another BS reason why IT workers need to be unionized and have their right protected. There is no way to predict another break-in unless we have something similar in "Minority Report".

Re:unprecedented?

[mysidia]

Actually it does. Police routinely cordon off crime-scenes during an investigation.

Cordoning off the scene of a crime != Seizing innocent people's property.

Last I checked, the police don't come by with a heavy loader, pack up the building/office, and ship it to HQ; leaving the owner with a piece of bare land and no shelter, for months/years, until they are done with their investigation.

Governet

[cosm]

The Connecticut criminal complaint said a Michigan real estate company lost more than $115,000 to fraudulent wire transfers because of the Coreflood virus. A South Carolina law firm lost more than $78,000, and a North Carolina investment company lost more than $151,000, the complaint said. A defense contractor in Tennessee lost more than $241,000 due to the botnet, the complaint said.

Emphasis mine. I wouldn't expect any less out of firms like this first of all. They really need to change the keyboarding classes in high-school to teach basic do-not-download-stupid-shit classes. And second of all, FTA:

"Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation's information infrastructure," Shawn Henry...said in a statement.

Obviously, the internet is now truly Serious Business. DHS, Ice-Raids, I hate to say it but as other /.ers have said in the past, we are entering the downward slope of the golden age of the internet, the gub'ment is now all up in our intertubes for good. Hide yo pron hide yo second life.

Re:Governet

[ktappe]

"Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation's information infrastructure," Shawn Henry...said in a statement.

Obviously, the internet is now truly Serious Business. DHS, Ice-Raids, I hate to say it but as other /.ers have said in the past, we are entering the downward slope of the golden age of the internet, the gub'ment is now all up in our intertubes for good. Hide yo pron hide yo second life.

The internet has been serious business for a while, in case you've not been paying attention. The "gub'ment" is in the intertubes by necessity. Let's not blame this on the gov't.....it's those stealing hundreds of thousands of dollars who ruined it, not Washington.

Re:Governet

[cosm]

Best slant rhyme I could come up with at the time, maybe

hide yo pron hide yo russian wife

Re:Governet

[cosm]

I was being a bit satirical, I do understand the important global ramifications of our great communication medium, but I still split the blame equally between evil botnet operators and poor IT practices. I would agree that the necessity for government intervention is there, albeit with things like the Patriot Act and aforementioned ICE-raids I get leary when things like this start to set precedents.

Re:Governet

[Gordo_1]

OMG, the gub'ment is taking down botnet servers illegally controlling millions of PCs!

Seriously, I'm all for hating on government control, but is what they're doing in this instance so egregious?

Re:Governet

[afidel]

When even RSA can be spearfished I'm not so sure I would go all holier than thou on those companies. We do a fairly good job of security at my work but the more idiotproof I make the protections the more they improve the idiots =)

Re:Governet

[phantomfive]

So what? As long as it is done according to the rule of law, and with proper oversight.....the ones who are going to be hurt here are the ones who are downloading stupid shit and the people who made the stupid shit. Win-win-win for the rest of us.

Re:Governet

[hairyfeet]

Yes in a way we CAN blame it on the government, because it ultimately comes down to "can you baby proof the world?". Because as someone who cleans these things for a living I can tell you a good 90% of infections are from users being dumbasses and NOTHING else. Example follows:

Last week a customer needed to pay me for a cleaning on a machine I built him nearly a month ago. Did I leave him unprotected? did I not harden the machine? NOPE, total PEBKAC. When the AV practically threw itself in front of him trying to install the "new Limewire" a hacked Limewire ripoff he uninstalled it so it would "shut up" and let him have his bugs. Well he got it alright, more than 60 bugs running.

Now the ONLY way the government can have ANY effect on that level of stupid is to take away all our rights to run what we want and give us basically "approved disc images" or locked down OSes with app store style "choice" as to what you run.

Because lets be honest folks: the government can shut down botnets until the cows come home, but from THAT level of stupid, as shown above? Hell they might as well be pissin in the wind for all the good it will do. I mean how can you even attempt to stop something that all they have to do is print the equivalent of "free candy" on the side to get morons to ignore their AV and everything else just so they can install malware onto their own machines? Short of baby proofing the world how can you stop super stupidity without taking choice?

Re:Governet

[zach_the_lizard]

I've dealt with the same thing. I clean off computers for clients with dozens of toolbars and spyware that they installed themselves. When they say they didn't do it, I download a simple program and ask them to install it. The program will have a checkbox for "Would you also like to install this (toolbar | spyware)? They are simply amazed and stunned when I point that out, but worst of all they continue doing it. Simply reading the plain English would prevent most of this crap.

I remain convinced that most people cannot or will not read anything present on a computer screen.

Re:Governet

[AlienIntelligence]

OMG, the gub'ment is taking down botnet servers illegally controlling millions of PCs!

Seriously, I'm all for hating on government control, but is what they're doing in this instance so egregious?

I suppose you didn't rtfa or the summary?

They seized servers and domain names.

Seized means, they didn't ask permission.

It wouldn't be sensible to ass-u-me that the
ONLY thing running on those servers was
botnet controls. As well, it wouldn't be the
same to assume the domains were specific
to the botnet.

ie, someone may be suffering financially for
the broad seizure of tangible and intangible
items. THAT would be egregious.

-AI

Re:Governet

[c6gunner]

Yes in a way we CAN blame it on the government, because it ultimately comes down to "can you baby proof the world?". Because as someone who cleans these things for a living I can tell you a good 90% of infections are from users being dumbasses and NOTHING else.

Frankly, so what? The question isn't "whose fault is it", the question is "how do we stop it". If you answer is "stop people from being stupid", then you obviously don't live in the real world.

It's equally valid to say that 90% of people who fall for pyramid schemes or various other types of fraud are also being stupid. We still do our best to stop fraudsters from victimizing people, or punish them when they do. Whether you like it or not, we as a society have decided that pursuing criminals is a worthwhile endeavor. If you can't live with that, I hear Somalia is much more lax about such things ...

Re:Governet

[TENTH+SHOW+JAM]

I remain convinced that most people cannot or will not read anything present on a computer screen.

This is because of the too easy use of the modal popup. A popup is very easy for a programmer to create and deploy, but it gets in the way of what I am doing now. So the question asked by the user is not "What options should I select on this pane to achieve optimal results for me?" but "How do I get rid of this and back to what I want to be doing?"

I would love to see installers/programs in general avoid using them. Even if it means users are staring at a"broken program" that needs configuring the first time it is opened. Not with a helpful wizard, but with appropriate preference dialogs. This would mean an install would be

1. Run Executable.

2. Be informed by some scrolly that installation was successful.

3. Open program and start configuring.

Re:Governet

[TapeCutter]

It not about "baby proofing the world" it's about justice; ie: holding fraudsters to account for their crimes no matter how dumb/greedy/ignorant their victims are.

Re:Governet

Asset seizure, both permanent and temporary, is a power granted by both judicial and municipal civil institutions all the fucking time. If you own property on which a crime has been committed, it sucks to be you, but you lose some control over that property while the crime is being investigated. Cities can and do seize and destroy property on grounds of being hazards to the public: environmental, health, criminal, etc. This action is trivially defensible on similar grounds.

Certainly procedures should be established, adhered to, and audited to help ensure this power isn't wielded indiscriminately. But pretending that it has no precedent is either naive or disingenuous.

Re:Governet

[halowolf]

I logged into that to have a look and it took about 30 seconds before I had some fed pretending to be a teenage girl to start cracking onto me. I logged out and deleted it and never looked back.

Re:Governet

[monkyyy]

"he uninstalled it so it would "shut up" and let him have his bugs"
the botnets love him, so dont pick on him or they will come to protect their flock

Re:Governet

[monkyyy]

also as a side note, never give idiots control should have given him a limited account

Re:Governet

[AlienIntelligence]

Asset seizure, both permanent and temporary, is a power granted by both judicial and municipal civil institutions all the fucking time. If you own property on which a crime has been committed, it sucks to be you, but you lose some control over that property while the crime is being investigated. Cities can and do seize and destroy property on grounds of being hazards to the public: environmental, health, criminal, etc. This action is trivially defensible on similar grounds.

Certainly procedures should be established, adhered to, and audited to help ensure this power isn't wielded indiscriminately. But pretending that it has no precedent is either naive or disingenuous.

Don't you think seizing a server is a bit MORE than
seizing a car, or a house or just about any "single"
thing.

A server is rarely a "single" thing, it's more akin to
a city. So, seizing a CITY to catch ONE criminal is
a BIT much.

You have to understand, I'm not saying that they
were not within rights that they granted themselves.
I'm just saying, it's not really fair, just or however
you want to term it, to have someone else's stuff
taken, when their stuff might be making them a
living. It's not their fault their website was hosted
on the same server that someone was committing
a crime on. But is there really insurance against
that?

-AI

Re:Governet

[orange47]

I'm not sure if slashdot crowd would agree with your point of view if that AV was Norton, for eg. I'd advice that user to do 'format c:' After reinstalling everything himself, he'll think twice before running unknown .exe again.

Re:Governet

[ColdFury]

There's been a lot of metaphors drawn between the web and the Wild West.... As the West became more settled, by necessity it became more regulated, less 'Wild'. So has the Internet, as more people 'plug in' and start to embrace it, the more the law enforcement efforts we see aimed at the criminals running rampant on it.

Re:Governet

[Angostura]

Seized means, they didn't ask permission.

Yes they did - that's what 'getting a court order' means.

Re:Governet

[Zironic]

I think you're serverely overvaluing the value of a server, by possibly over half a dozen magnitudes.

Re:Governet

[hellop2]

How do you illegally "wire transfer" money without being caught? It always seemed to me that it would be easily traceable.

Re:Governet

[symbolset]

"If you make your software idiot-proof, only an idiot will want to use it." - Anon

Re:Governet

[mikelieman]

Dumb users should have dumb terminals.

Re:Governet

[bipedalhominid]

Free Candy, where? I clicked on all those warnings and still got no candy, Waaah Waaaah.

Re:Governet

[bipedalhominid]

You know, that's exactly what we used to give them. Old IBM 3270s, if I remember correctly. They really could not mess up anything but their own Cobol or Pascal assignments. Let's face it, most folks dont want or need or can even handle a real computer. Too much responsibility. Give em all Iphones and Ipads, leave em in the walled garden of Apple apps and these bot nets might be eliminated.

Re:Governet

[Even+on+Slashdot+FOE]

They charge extra to record the wrong information on their end.

Re:Governet

[cavreader]

The existing criminal code was written before the arrival of the Internet. When those codes were written I doubt anyone was thinking ahead about needing to police a world wide computer network. I think law enforcement agencies are scrambling to decide if the existing laws and prohibitions are capable of inhibiting criminal actions online.

Re:Governet

[Runaway1956]

"can you baby proof the world?".

Obviously not. But - those people who permit and/or place their baby in harm's way out of negligence can be fined, or even imprisoned.

I say, if your computer is part of a botnet, you should be fined. It isn't that difficult for your ISP to figure out that 5, 10, or maybe even 50% of your traffic goes to a botnet. (It should have been blatantly obvious to the ISP of the server, not merely detectable!) So, the ISP sends you freindly warning that it appears you have been compromised - and after a week or two, you're STILL actively participating in the botnet.

Turn it over to the cops, they confiscate your computer as evidence, you get a summons, and are charged with a misdemeanor, public nuisance type. I see revenue here - the courts should jump on this!

Re:Governet

[Runaway1956]

To which I say - tough titty. That someone who may be suffering financially is guilty of aiding and abetting, even if only by negligence.

Re:Governet

[Jiro]

I say, if your computer is part of a botnet, you should be fined. It isn't that difficult for your ISP to figure out that 5, 10, or maybe even 50% of your traffic goes to a botnet. (It should have been blatantly obvious to the ISP of the server, not merely detectable!) So, the ISP sends you freindly warning that it appears you have been compromised - and after a week or two, you're STILL actively participating in the botnet.

This fails because it requires that ISPs be competent and don't mess up when a customer has anything slightly unusual (such as a Linux system). It's too easy for an ISP to say "you're compromised" when you're not, with no way to appeal.

Re:Governet

[CCarrot]

Yes in a way we CAN blame it on the government, because it ultimately comes down to "can you baby proof the world?". Because as someone who cleans these things for a living I can tell you a good 90% of infections are from users being dumbasses and NOTHING else.

Frankly, so what? The question isn't "whose fault is it", the question is "how do we stop it".

But the granddaddy question of them all is "how do we stop it without penalizing the other 90% of the world who are not dumbasses."

I believe that's what the GP was getting at.

(and I know, 90% is a pretty optimistic number, but anything else is just depressing...)

Re:Governet

[c6gunner]

Yeah, it's probably more like 20%.

But, regardless, I've never been "penalized" by any such measures. The real question is "how do we stop it without everyone wetting their pants over it despite the fact that the vast majority of them will never be negatively impacted". I agree that it's important to keep their power in check, but it's ridiculous to start pulling the Chicken Little act because the government is targeting some botnets, and it's even more ridiculous to claim that it will "penalize 90% of the world".

Re:Governet

[AlienIntelligence]

To which I say - tough titty. That someone who may be suffering financially is guilty of aiding and abetting, even if only by negligence.

I get the vague impression that those replying
about the servers going bye-bye... really don't
have the slightest clue about how virtual hosting
works.

In the late 90s, we had Pentium 100 boxes with
HUNDREDS of web sites on them. I'm certain
that has scaled a bit now.

So, ONE seized asset, ie, one seized server
that may have been compromised will have as
my prior analogy... a "city's worth" of potential
commerce. And those people depending on
that commerce, have no connection whatsoever
to the malcontents doing the damage to the
server.

And it is on that point that I am saying, the
sweeping take down of servers, is way overkill.

Literally like carpet bombing from WWII.

-AI

i see, a national problem.

ok, being a u.s. national issue, is this an all-american botnet?

.~.

Re:i see, a national problem.

[symbolset]

Of course. It runs Windows.

Seizing Domain names

[icebike]

This is a total waste of time.
Half the ones they seize are innocent bystanders. The rest are replaced for $16 bucks at some sleezey registrar. Probably most are simply
decoys and the ones of real importance are out of country.

Perhaps the Defense contractor whined, and that finally got the Fed's attention, but it seems to me that various private initiatives (like those by Microsoft and others) have been way out ahead of this.

Why not audit that Defense Contractor's IT procedures and practices. A bot net owning one of their boxes? Seriously?

Re:Seizing Domain names

[icebike]

You don't need to seize domain names to do that. The ISP wants the sniffers rooted out just as much as the victims.
Don't kid yourself into believing the DOJ/FBI have enough people to actually run a Domain so that no one would notice
its been taken over.

Seizing the domain name has been totally ineffective to date, serving more as a club to beat hapless ISPs than anything else.
Its one thing when you have a pirate warz site. But seizures are now used when ever there is a case with anything to do
with the internet. Even entire hosting companies can be seized with nothing but a bit of paper work.

http://www.zeropaid.com/news/91460/law-professor-points-out-flaws-in-us-domain-seizure-campaign/
http://www.techdirt.com/articles/20110314/01204913484/more-reasons-why-homeland-security-seizing-domain-names-is-unconstitutional.shtml

Re:Seizing Domain names

[PRMan]

This isn't seizing mooo.com with 86,000 bystanders. These botnets have algorithms which predict the next 1000 domain names they will try. By calculating ahead and seizing them all, the FBI can then control the botnet and issue commands to clean all the infected computers.

Since everything is well-specified, this is EXACTLY what the government should be doing, and how they should be doing it. Bravo! (For once)

Possibly a non-jackbooted response

[russotto]

I haven't found the order itself, but the request is here

If that's what they were granted, it looks remarkably restrained. It actually specifies the servers in question (it's not just a blanket "We get to grab anything we claim is a C&C server, now or in the future").

The part the article seems to be going on about is "A permanent injunction that requires the Defendants to uninstall Coreflood on any computers not owned by the Defendants and authorizes the operation of a substitute command and control server to give effect to the Court's orders;" This is pretty radical, in that it lets the FBI operate the botnet at least in so far as to shut it down. But it doesn't give them any authority over computers which aren't already infected.

Targetting the Symptom only

[atuk_daud]

Seriously. This is like taking aspirin for a cold. Doesn't cure anything but makes everyone feel better (except for the side effects, of course). Since they know about it, why not take the step to track down and arrest the 'money' behind it? Seems to me this is grandstanding rather than serious crime busting. And... if they want to do it properly, don't be stupid! Don't tell them you are coming!

Re:Targetting the Symptom only

[jonwil]

The money likely flows to places where the US cant touch it like China or Russia.

What they are doing makes a lot of sense in this case.
They are seizing all the domain names all the known variants of the bot are programmed to look for and will be pointing them at a command and control server run by the US government. This server will direct the bot to shut itself off, stop stealing peoples private information
and to stop spreading to other machines.

The ISC is an ISP?

[blacklint]

Internet Systems Consortium or other ISPs

Since when is the ISC an internet service provider?

"Internet Systems Consortium, Inc. (ISC) is a non-profit 501(c)(3) public benefit corporation dedicated to supporting the infrastructure of the universal connected self-organizing Internet—and the autonomy of its participants—by developing and maintaining core production quality software, protocols, and operations." Other than hosting a few Open Source projects, the ISC doesn't act as an ISP to the best of my knowledge.

I guess they mean something to do with the F-root server at ISC and redirecting DNS requests for the control servers? Color me confused, and TFA isn't helping.

For THAT the exectutive branch seeks approval

[mapkinase]

For THAT the executive branch seeks approval of one of the other two branches, yet when it comes to real physical war, that, you know, kills people, they do not feel the need.

Tracking the money

[symbolset]

Apparently the defective software that permitted the viruses to run is sold out of Ireland (through the Netherlands and Dutch Antilles in an accounting blind called the "Irish Double-Dutch") by a company headquartered in Redmond, Washington, USA. Many Bothans died to bring you this information.

Oh God

[symbolset]

Next you'll say the Internet itself was a DoD skunkworks project from ARPA. Who would believe that? Time to loosen the tinfoil hat.

No such thing as

[Cartman's+Mom]

District of Connecticut?.......Wha? Is that near the general vicinity of New Yorkland?

Re:Send in the drones!

[linuxwebadmin]

I agree.