Feds To Remotely Uninstall Bot From Some PCs
CWmike writes "Federal authorities will remotely uninstall the Coreflood botnet Trojan from some infected Windows PCs over the next four weeks. Coreflood will be removed from infected computers only when the owners have been identified by the DOJ and they have submitted an authorization form to the FBI. The DOJ's plan to uninstall Coreflood is the latest step in a coordinated campaign to cripple the botnet, which controls more than 2 million compromised computers. The remote wipe move will require consent, and the action does come with warnings from the court that provided the injunction against the botnet, however. 'While the 'uninstall' command has been tested by the FBI and appears to work, it is nevertheless possible that the execution of the 'uninstall' command may produce unanticipated consequences, including damage to the infected computers,' the authorization form reads. FBI Special Agent Briana Neumiller said, 'The process does not affect any user files on an infected computer, nor does it ... access any data on the infected computer.' The DOJ and FBI did not say how many machines it has identified as candidates for its uninstall strategy, but told the judge that FBI field offices would be notifying affected people, companies and organizations."
They're going to send an email, right? Click this link to authorize the FBI to remove an infection from your computer?
As always, all IMO. Insert "I think" everywhere grammatically possible.
The botnet owners can't take preventative action against the uninstall because they don't have valid Command and Control servers running. Since the FBI is controlling those at the moment, the individual bots are hanging in limbo doing nothing. If however the malware is actively looking for new C&C servers to be spun up to receive commands again, there is the potential that the FBI could lose control again. Hence why it is necessary to remove the infection while they maintain control, and only one step in their strategy to cripple the botnet.
As much as I would love the Feds to just run a complete vulnerability scan of the US (not unlike the Internet Auditing Project) and then remotely uninstall every instance without telling a damn person (if the virus doesn't de-install cleanly, that's a bug in the virus so go sue the authors), I get the impression there'd be a few complaints. In part, because the Feds have shown themselves to be ethically-challenged from time to time.
If you want - really, truly want - bots and spyware to be gone forever, it's going to take a Federal agency vulnerability scanning your machine and installing nagware when your machine is shown as both infected and insecure. (Insecure alone might just be a honeypot, it doesn't prove there's a real vulnerability present.)
Nobody is going to trust an agency to do this. Doesn't matter if that's just or unjust, the only just that matters is that it's just not going to happen. In consequence, corporations will fail to secure products, users will fail to secure their machines and the problem will miraculously fail to vanish all on its own. Things won't change without pressure and the only sources of pressure big enough won't and/or can't.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Uninstall Windows.
Or don't uninstall Windows but make computer owners legally responsible for their computers in the same way they are legally responsible for a swimming pool. The resulting fines would either stop botnets entirely or eliminate the national deficit. In short, a tax on the stupid.
Have you got your LWN subscription yet?
Why can't they just ask the ISP to disconnect infected computers from the network? It should be the responsibility of each owner to connect with an uninfected computer. The company responsible for this whole mess - Microsoft - will likely not be held accountable, but the users should be. And when the OS they use starts to be a liability in their lives, then maybe they will choose based on that as well.
YACA: If someone installed randomly firing machine guns in the trunk of your car, I doubt the FBI's response would be a letter asking you if they could please uninstall those for you.
If programs would be read like poetry, most programmers would be Vogons.
A bit draconian, are you?
Maybe. Apparently you aren't one of the guys they send massive amounts of unwanted spam to?
So sure. Let's say you render a couple hundred thousand machines unbootable by wiping their partition tables, MBR, or whatever. They wake up the next morning, and do they love you? Can they do business? Can they read x-rays? Will their stuff work?
The problem is the malware/rootkit leaves their stuff seeming to work; and it's invisible to them, so they don't even bring someone in to look at it, let alone repair it.
Your average organization with malware crawling around has no IT management, there's no active directory, group policy, or technical restrictions against employees running software -- everyone runs as admin, any anti-malware/antivirus software is hopelessly out of date, and they're probably still running Windows XP at the moment.
You're not going to be able to "turn off the port", because there are way too many of them, they don't have static IPs, and WHOIS is basically useless. Their ISP won't even tell you (or law enforcement) who their technical contact is (if they have one) without subpoenas.
The most expeditious way for anyone to handle this is to nuke from orbit by reversing the behavior of the malware author's backdoor. Make the software shout about its presence instead of hiding.
Make the breakage of the machine VISIBLE so the repair company has to be called, and money has to be spent, so the SMB cannot continue to ignore their workstation infection, even when informed of it.
It's very, very easy to check offline (from a separate host) that a hard drive with a Windows partition on it has legitimate files as released by MS. Digital signatures and all that jazz.
No. The System filechecker is trivially defeated, even when checking offline.
The trouble with 'digital signatures' is there are multiple valid signers, and you can't enumerate a priori which ones are valid. The tampering with files does not even necessarily occur on the files you see on the physical medium offline while the rootkit is not loaded.
Lots of Windows systems have a boatload of legitimate non-Microsoft application files and non-Microsoft system drivers for hardware are almost universally present. And what the registry contains is really quite important, especially when malware involves loading a program that contains a rootkit.
The loader may be found as an application, small file, or binary blob in the registry somewhere. The actual payload activated by the malware loader may not even reside as files on the NTFS volume, as anything running as the system user may be able to read code from raw disk sectors (even NTFS disk sectors that are not actually linked to files you can scan/access).
Try as you might, it is basically impossible to enumerate every possible registry content that will cause malware hooks to load into memory and run payload at system boot.
Verification of the content of all known system files does not verify the integrity of the system.
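The point of this post, that a clean bill of health for every known system file says nothing about what else boots with the machine, can be shown with a small offline-style check. The Python below is an added example and is not code from the thread or from any real integrity tool: the file contents, manifest hashes, allowlist, registry key names used as autostart entries, and the three volume snapshots are all constructed for illustration. The allowlist of boot-time programs is an assumption about how a defender would extend the check; real verification would use vendor-published hashes or signatures rather than a hand-built manifest.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good contents for a handful of "system files" (the bytes
# are placeholders, not real Windows binaries).
GOOD_CONTENT = {
    "Windows/System32/ntoskrnl.exe": b"constructed kernel image bytes",
    "Windows/System32/kernel32.dll": b"constructed kernel32 bytes",
    "Windows/System32/drivers/disk.sys": b"constructed disk driver bytes",
}
# Manifest of expected hashes, as an offline checker would carry it.
MANIFEST = {path: sha256(data) for path, data in GOOD_CONTENT.items()}

# Assumed allowlist of programs permitted to start at boot (constructed).
AUTOSTART_ALLOWLIST = frozenset({"C:\\Windows\\System32\\drivers\\disk.sys"})
SERVICE_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\disk\\ImagePath"
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"

# Snapshot 1 (constructed): clean volume, one legitimate boot-time driver.
CLEAN_FILES = dict(GOOD_CONTENT)
CLEAN_AUTOSTART = {SERVICE_KEY: "C:\\Windows\\System32\\drivers\\disk.sys"}

# Snapshot 2 (constructed): every manifest file is pristine, but a loader was
# dropped as an extra file and wired up through a Run entry.
INFECTED_FILES = dict(GOOD_CONTENT)
INFECTED_FILES["Windows/System32/drivers/evilloader.sys"] = b"constructed loader"
INFECTED_AUTOSTART = dict(CLEAN_AUTOSTART)
INFECTED_AUTOSTART[RUN_KEY] = "C:\\Windows\\System32\\drivers\\evilloader.sys"

# Snapshot 3 (constructed): no file on the volume changed at all; the Run
# entry points at a path whose code lives outside the filesystem's view
# (the post's "raw disk sectors" case). A file-only check cannot see this.
NOFILE_FILES = dict(GOOD_CONTENT)
NOFILE_AUTOSTART = dict(CLEAN_AUTOSTART)
NOFILE_AUTOSTART[RUN_KEY] = "C:\\Users\\Public\\loader.exe"

# Snapshot 4 (constructed): a known file really was tampered with.
TAMPERED_FILES = dict(GOOD_CONTENT)
TAMPERED_FILES["Windows/System32/kernel32.dll"] = b"patched kernel32 bytes"


def verify_known_files(files, manifest):
    """Manifest paths whose content is missing or whose hash does not match."""
    bad = []
    for path, expected in manifest.items():
        data = files.get(path)
        if data is None or sha256(data) != expected:
            bad.append(path)
    return bad


def find_unlisted_files(files, manifest):
    """Paths present on the volume that the manifest knows nothing about."""
    return sorted(path for path in files if path not in manifest)


def audit_autostart(autostart, allowlist):
    """Autostart entries whose target is not an approved boot-time program."""
    return sorted(key for key, target in autostart.items()
                  if target not in allowlist)


def assess(files, autostart, manifest=MANIFEST, allowlist=AUTOSTART_ALLOWLIST):
    """Combine the three checks; 'known_files_ok' alone is the naive verdict."""
    report = {
        "known_files_ok": not verify_known_files(files, manifest),
        "unlisted_files": find_unlisted_files(files, manifest),
        "unknown_autostart": audit_autostart(autostart, allowlist),
    }
    report["clean"] = (report["known_files_ok"]
                       and not report["unlisted_files"]
                       and not report["unknown_autostart"])
    return report


if __name__ == "__main__":
    for name, files, auto in (("clean", CLEAN_FILES, CLEAN_AUTOSTART),
                              ("extra loader", INFECTED_FILES, INFECTED_AUTOSTART),
                              ("no new file", NOFILE_FILES, NOFILE_AUTOSTART),
                              ("tampered", TAMPERED_FILES, CLEAN_AUTOSTART)):
        print(name, assess(files, auto))
```

Snapshots 2 and 3 both report `known_files_ok` as true, which is exactly the false comfort the post warns about; only the unlisted-file and autostart audits flag them, and snapshot 3 is caught solely by the autostart audit because nothing on the volume changed. Snapshot 4 is the one case the naive check does catch. In practice the autostart enumeration would have to cover far more than one Run key and one service, which is the post's closing point about the registry.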