Slashdot Mirror


Feds To Remotely Uninstall Bot From Some PCs

CWmike writes "Federal authorities will remotely uninstall the Coreflood botnet Trojan from some infected Windows PCs over the next four weeks. Coreflood will be removed from infected computers only when the owners have been identified by the DOJ and they have submitted an authorization form to the FBI. The DOJ's plan to uninstall Coreflood is the latest step in a coordinated campaign to cripple the botnet, which controls more than 2 million compromised computers. The remote wipe move will require consent, and the action does come with warnings from the court that provided the injunction against the botnet, however. 'While the 'uninstall' command has been tested by the FBI and appears to work, it is nevertheless possible that the execution of the 'uninstall' command may produce unanticipated consequences, including damage to the infected computers,' the authorization form reads. FBI Special Agent Briana Neumiller said, 'The process does not affect any user files on an infected computer, nor does it ... access any data on the infected computer.' The DOJ and FBI did not say how many machines it has identified as candidates for its uninstall strategy, but told the judge that FBI field offices would be notifying affected people, companies and organizations."

27 of 211 comments

  1. Lemme guess how they're going to get consent... by jthill · · Score: 5, Funny

    they're going to send an email, right? Click this link to authorize the FBI to remove an infection from your computer?

    --
    As always, all IMO. Insert "I think" everywhere grammatically possible.
    1. Re:Lemme guess how they're going to get consent... by MrEricSir · · Score: 2, Funny

      No, it's going to be through popup ads that look like Windows dialog boxes. First it will scan your computer, then find a virus and offer to sell you Virus Remover 2011 at a steep discount!

      --
      There's no -1 for "I don't get it."
    2. Re:Lemme guess how they're going to get consent... by Em+Adespoton · · Score: 5, Funny

      "The FBI has detected a botnet running on your computer. Due to federal privatization initiatives, botnet removal has been subcontracted to Botnet Blaster 2011. Click here to purchase Botnet Blaster 2011 and avoid having your house stormed by an FBI tactical team."

  2. Re:That's ok by Samantha+Wright · · Score: 2

    I'd be more worried about, you know, the owners of the botnet reading this article and taking preventative action? I mean, if it's already too late for that (which past articles assert, it is), then it's not really "crippling", is it?

    --
    Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  3. Re:That's ok by hellkyng · · Score: 5, Insightful

    The botnet owners can't take preventative action against the uninstall because they don't have valid Command and Control servers running. Since the FBI is controlling those at the moment, the individual bots are hanging in limbo doing nothing. If however the malware is actively looking for new C&C servers to be spun up to receive commands again, there is the potential that the FBI could lose control again. Hence why it is necessary to remove the infection while they maintain control, and only one step in their strategy to cripple the botnet.

  4. Re:Why not just report the issue to the user? by cobrausn · · Score: 2

    Supposedly Microsoft is pushing out the 'Malicious Software Removal Tool' as part of Windows Update that will actually remove Coreflood if the user machine has already received the 'halt' command from the FBI servers. I guess that counts...

    --
    How does it feel to be a liar with pants constantly on fire?
  5. Re:That's ok by cosm · · Score: 2

    Which operating system was this again?

    EvolutionSoft PEBCAC 2011

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  6. Re:a better fix by Qzukk · · Score: 2

    You know the first thing they're going to push is the big red button marked "Fire".

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. As much as I hate to say this by teknosapien · · Score: 2, Insightful

    Since most of the machines, I'm guessing, are running a Microsoft product, maybe they should be the ones carrying this out on infected machines. Let's face it, they are probably better situated to see this through. The feds should go back to being the agents of the RIAA and MPAA and leave the computer work to the professionals.

    --
    no matter how good it is, it is human nature always wants to make things better
  8. Re:a better fix by codegen · · Score: 2

    You know the first thing they're going to push is the big red button marked "Fire".

    The tank driver can't reach that button. It's for the back seat driver.

    --
    Atlas stands on the earth and carries the celestial sphere on his shoulders.
  9. I haven't received by nimbius · · Score: 3, Funny

    any notifications yet from the FBI about the botnet and my computer, has anyone else?

    also, do I need to disable selinux before they uninstall the bot on my computer? or can they do it from a regular user account with limited sudo?

    --
    Good people go to bed earlier.
  10. Re:The remote wipe move will require consent by x*yy*x · · Score: 2

    Well what would you think if the government or any other people would mess with your computer without your consent? What if they decided "utorrent.exe" was harmful and decided to remove it without asking you?

  11. Re:Soon to be executive powers by somersault · · Score: 2

    Well, at least somebody is making an effort to stop all the fucking spam. Slippery slopes are nice and all, but that kind of thing can already be done legally via the courts, the PATRIOT act, etc.. at least what they are doing here is beneficial to the world.

    --
    which is totally what she said
  12. Re:The remote wipe move will require consent by jd · · Score: 4, Interesting

    As much as I would love the Feds to just run a complete vulnerability scan of the US (not unlike the Internet Auditing Project) and then remotely uninstall every instance without telling a damn person (if the virus doesn't de-install cleanly, that's a bug in the virus so go sue the authors), I get the impression there'd be a few complaints. In part, because the Feds have shown themselves to be ethically-challenged from time to time.

    If you want - really, truly want - bots and spyware to be gone forever, it's going to take a Federal agency vulnerability scanning your machine and installing nagware when your machine is shown as both infected and insecure. (Insecure alone might just be a honeypot, it doesn't prove there's a real vulnerability present.)

    Nobody is going to trust an agency to do this. Doesn't matter if that's just or unjust, the only just that matters is that it's just not going to happen. In consequence, corporations will fail to secure products, users will fail to secure their machines and the problem will miraculously fail to vanish all on its own. Things won't change without pressure and the only sources of pressure big enough won't and/or can't.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  13. Is this by SnarfQuest · · Score: 2

    Is this like those messages emailed from Microsoft about a virus detected on my system? Those things never seemed to make my machine run better. You'd think Microsoft would test their fixes better... ;=)

    --
    Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
  14. Re:WTF? by lasinge · · Score: 3, Informative

    FWIW, they are stating at this point that they will be asking for consent. Personally I don't like it, I would prefer to take care of it myself, but then again I (like most slashdotters) don't represent the majority of computer users. Someone has to take this seriously and deal with these botnets, and if the government is the only entity willing to step up and handle it, then that's who is supposed to do it. I'd prefer to see this in the public domain, but security is simply not valued in the public sector until something goes wrong.

    --
    you are in a twisty maze of different passages.
  15. Take away their network connection by QuesarVII · · Score: 2

    They shouldn't be helping to uninstall it for people. They should be getting their internet connections shut off to teach them a damn lesson about computer security.

  16. Why do they need consent? by jeffeb3 · · Score: 2
    My common sense would say that if the user already gave up control of their PC to the botnet, why should they have any say in keeping the feds from removing the bot? The reason the feds are interested is (I'm assuming) because the botnet caused harm to others. Just remove the bot; if there are consequences, and they know what they are, then it's their own fault.

    But, the federal government is held to a higher standard, aren't they?

  17. Re:A far more effective solution... by Daniel+Phillips · · Score: 5, Interesting

    Uninstall Windows.

    Or don't uninstall Windows but make computer owners legally responsible for their computers in the same way they are legally responsible for a swimming pool. The resulting fines would either stop botnets entirely or eliminate the national deficit. In short, a tax on the stupid.

    --
    Have you got your LWN subscription yet?
  18. Re:Creepy by Stormthirst · · Score: 2

    Why is it that Americans are so paranoid about their government's motives? No other country in the first world has this level of paranoia about their government.

  19. Disconnect from internet? by aralin · · Score: 4, Interesting

    Why cannot they just ask the ISP to disconnect infected computers from the network? It should be the responsibility of each owner to connect with an uninfected computer. The company responsible for this whole mess - Microsoft - will likely not be held accountable, but the users should be. And when the OS they use starts to be a liability in their lives, then maybe they will choose based on that as well.

    YACA: If someone installed randomly firing machine guns in the trunk of your car, I doubt FBI response would be a letter asking you if they could please uninstall those for you.

    --
    If programs would be read like poetry, most programmers would be Vogons.
  20. Re:WTF? by nurb432 · · Score: 2

    Someone has to take this seriously and deal with these botnets,

    I totally agree, but it should be by cutting off access to infected computers and keeping them off-line until they are 'clean'. ISPs can detect 'bad things' and do this automatically.

    --
    ---- Booth was a patriot ----
  21. Re:That's ok by mysidia · · Score: 4, Informative

    A bit draconian, are you?

    Maybe. Apparently you aren't one of the guys they send massive amounts of unwanted spam to?

    So sure. Let's say you render a couple hundred thousand machines unbootable by wiping their partition tables, MBR, or whatever. They wake up the next morning, and do they love you? Can they do business? Can they read x-rays? Will their stuff work?

    The problem is the malware/rootkit leaves their stuff seeming to work; and it's invisible to them, so they don't even bring someone in to look at it, let alone repair it.

    Your average organization with malware crawling around has no IT management, there's no active directory, group policy, or technical restrictions against employees running software -- everyone runs as admin, any anti-malware/antivirus software is hopelessly out of date, and they're probably still running Windows XP at the moment.

    You're not going to be able to "turn off the port", because there are way too many of them, they don't have static IPs, and WHOIS is basically useless. Their ISP won't even tell you (or law enforcement) who their technical contact is (if they have one) without subpoenas.

    The most expeditious way for anyone to handle this is to nuke from orbit by reversing the behavior of the malware author's backdoor. Make the software shout about its presence instead of hiding.

    Make the breakage of the machine VISIBLE so the repair company has to be called, and money has to be spent, so the SMB cannot continue to ignore their workstation infection, even when informed of it.

  22. Re:That's ok by Redlazer · · Score: 2
    There are just too many variables involved. I'm glad they're doing opt-in instead of opt-out - that's the mainstay of my comment's significance.

    Right now, there's no precedent that a government organisation could effectively deal with a situation like this without breaking everything. Is it ok if they do a drug bust, and 1 out of 23 innocent people die? Collateral damage by the government has to be mitigated as much as possible.

    I'm not saying that we can't trust the government to do anything. I think the FBI is doing a good job so far, and I'm looking forward to their results. But caution on the part of commentators, I think, is a good idea. It's far from a simple, surefire action. It is likely it will be, but there are variables that they can't control for.

    Oversight of government actions is what is critical - not avoiding government action or permitting excessive government action.

    --
    Guns don't kill people, "with glowing hearts" kills people.
  23. Re:That's ok by mysidia · · Score: 4, Informative

    it's very, very easy to check offline (from a separate host) that a hard drive with a Windows partition on it has legitimate files as released by MS. Digital signatures and all that jazz.

    No. The System filechecker is trivially defeated, even when checking offline.

    The trouble with 'digital signatures' is there are multiple valid signers, and you can't enumerate a priori which ones are valid. The tampering with files does not even necessarily occur on the files you see on the physical medium offline while the rootkit is not loaded.

    Lots of Windows systems have a boatload of legitimate non-Microsoft application files and non-Microsoft system drivers for hardware are almost universally present. And what the registry contains is really quite important, especially when malware involves loading a program that contains a rootkit.

    The loader may be found as an application, small file, or binary blob in the registry somewhere. The actual payload activated by the malware loader may not even reside as files on the NTFS volume, as anything running as system user may be able to read code from raw disk sectors (even NTFS disk sectors that are not actually linked to files you can scan/access).

    Try as you might, it is basically impossible to enumerate every possible registry content that will cause malware hooks to load into memory and run payload at system boot.

    Verification of the content of all known system files does not verify the integrity of the system.
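
    An added example, in Python, written for this page and not taken from the post above or from any vendor tool: an offline audit that hashes a set of system files against a known-good manifest and, separately, reviews autostart values (Run keys and service ImagePath entries) parsed from a regedit-style export. The manifest contents, the file tree, the registry export text, the trusted-directory allowlist and every name in it are constructed assumptions. It illustrates the point made above: the file check passes cleanly while the registry still carries two loaders pointing outside the system directories, so file-content verification alone says nothing about what will run at boot.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed "known-good" manifest: relative path -> SHA-256 of the expected bytes.
# A real check would take these from a vendor catalog; the contents here are stand-ins.
KNOWN_GOOD_CONTENT = {
    "Windows/System32/kernel32.dll": b"constructed stand-in for a system binary",
    "Windows/System32/ntoskrnl.exe": b"constructed stand-in for the kernel image",
}
KNOWN_GOOD_MANIFEST = {p: hashlib.sha256(c).hexdigest() for p, c in KNOWN_GOOD_CONTENT.items()}

# Constructed regedit-style export (.reg text). Two entries are deliberately placed outside
# the system directories to stand in for a loader and a driver the file check cannot see.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fltmgr]
"ImagePath"="system32\\drivers\\fltmgr.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndisfix]
"ImagePath"="\\??\\C:\\ProgramData\\ndisfix.sys"
"""

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
SERVICE_KEY = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+$", re.IGNORECASE)
# Constructed allowlist of directories a legitimately installed component is expected to load from.
TRUSTED_DIRS = ("c:\\windows\\system32", "system32\\drivers")


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return the manifest paths whose on-disk bytes are missing or do not hash as expected."""
    mismatches = []
    for rel, expected in manifest.items():
        f = root / rel
        actual = hashlib.sha256(f.read_bytes()).hexdigest() if f.exists() else None
        if actual != expected:
            mismatches.append(rel)
    return mismatches


def parse_reg_export(text: str) -> dict:
    """Parse a regedit export into {key: {value_name: string_value}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape backslashes as \\; collapse them to real paths
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def autostart_targets(keys: dict):
    """Yield (key, value_name, target) for every value that makes code run at boot or logon."""
    for key, values in keys.items():
        if RUN_KEY.search(key):
            for name, target in values.items():
                yield key, name, target
        elif SERVICE_KEY.search(key) and "ImagePath" in values:
            yield key, "ImagePath", values["ImagePath"]


def suspicious_autostarts(keys: dict) -> list:
    """Flag autostart targets that do not live under a trusted directory."""
    findings = []
    for key, name, target in autostart_targets(keys):
        path = target.lower().lstrip("\\?")  # drop the \??\ NT-path prefix if present
        if not path.startswith(TRUSTED_DIRS):
            findings.append((key, name, target))
    return findings


def audit_offline_image(root: Path, manifest: dict, reg_text: str) -> dict:
    """Combine both checks; a clean file list does not imply an empty autostart finding list."""
    return {
        "file_mismatches": verify_manifest(root, manifest),
        "suspicious_autostarts": suspicious_autostarts(parse_reg_export(reg_text)),
    }


def build_constructed_image() -> Path:
    """Write the constructed known-good files into a temp directory standing in for a mounted volume."""
    root = Path(tempfile.mkdtemp(prefix="offline_image_"))
    for rel, content in KNOWN_GOOD_CONTENT.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    report = audit_offline_image(build_constructed_image(), KNOWN_GOOD_MANIFEST, SAMPLE_REG_EXPORT)
    print("system file mismatches:", report["file_mismatches"])
    for key, name, target in report["suspicious_autostarts"]:
        print(f"autostart outside trusted dirs: [{key}] {name} = {target}")
```

    The allowlist approach is deliberately narrow: it only says "this target is not where a system component should live", which is a triage signal, not proof of malice, and it still misses payloads read from raw sectors or from binary blobs in the registry, as the post notes.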

  24. Re:That's ok by c0lo · · Score: 2

    Not if it leaves the machine in an unclean or unusable state. If you thought anti-American attitudes are bad now, imagine the FBI disabling a couple hundred thousand key machines abroad-- just to get rid of a virus.

    Disabling is the normal course of action taken on an infected machine. In fact, the only method certain to work.

    SOP when discovering a backdoored machine spewing spam, participating in a DDoS, running a backdoor, or acting as a botnet node should be: if possible, use the malware's infiltrated command and control or the published backdoor to render the backdoor or the system useless to further the attack as quickly as possible.

    Easy... easy... You know, I wonder how the situation would be seen if China would start to disable US computers only because they are used for serving content that doesn't fit their policies. I mean, for them that content might be as "aggressive" and "dangerous" as a botnet.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  25. Re:A far more effective solution... by bill_mcgonigle · · Score: 2

    C'mon, this is Slashdot. You left your garage unlocked, somebody stole your car and ran down some pedestrians.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)