Slashdot Mirror


Microsoft: No Botnet Is Indestructible

CWmike writes "No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said Tuesday, countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit, said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically. Nothing is impossible. That's a pretty high standard.' Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in take-downs of Waledac in early 2010 and of Coreflood and Rustock this year shows that any botnet can be exterminated. 'To say that it can't be done underestimates the ability of the good guys,' Boscovich said. 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"

2 of 245 comments

  1. Windows 7 checks in with M$ so he thinks yes by NSN+A392-99-964-5927 · · Score: 4, Informative

    Let me start by saying every time you boot your system on Windows 7, data is sent to Microsoft to check whether you are online and for internet connectivity.

    Now, although you probably never gave it a second thought, NCSI is an active tool used by Microsoft to lead Boscovich to these comments.

    I am not sure if this has been posted on /. before; however, this URL http://blog.superuser.com/2011/05/16/windows-7-network-awareness maybe makes Boscovich feel all warm and fuzzy inside as they can do more with NCSI and cut out botnets. This can be defeated as in the URL above.

    Whilst I am on a roll, http://www.microsoft.com/industry/government/solutions/cofee/default.aspx is nothing special; the commands in COFEE with some extra switches are:

    arp.exe -a
    at.exe
    autorunsc.exe
    getmac.exe
    handle.exe -a
    hostname.exe
    ipconfig.exe /all
    msinfo32.exe /report %OUTFILE%
    nbtstat.exe -n
    nbtstat.exe -A 127.0.0.1
    nbtstat.exe -S
    nbtstat.exe -c
    net.exe share
    net.exe use
    net.exe file
    net.exe user
    net.exe accounts
    net.exe view
    net.exe start
    net.exe Session
    net.exe localgroup administrators /domain
    net.exe localgroup
    net.exe localgroup administrators
    net.exe group
    netdom.exe query DC
    netstat.exe -ao
    netstat.exe -no
    openfiles.exe /query/v
    psfile.exe
    pslist.exe
    pslist.exe -t
    psloggedon.exe
    psservice.exe
    pstat.exe
    psuptime.exe
    quser.exe
    route.exe print
    sc.exe query
    sc.exe queryex
    sclist.exe
    showgrps.exe
    srvcheck \\127.0.0.1
    tasklist.exe /svc
    whoami.exe

    Awww how 31337 M$

    --
    All cows eat grass!
  2. Re:LOL - the silver bullet! by hairyfeet · · Score: 2, Informative

    WTF? Nobody said anything about Ballmer and what was said is common logic. If a machine isn't bricked it can be fixed, end of story. As someone that cleans PCs 6 days a week I can tell you this is a fact, and while it is often faster to nuke, it isn't the only way to get the job done.

    For those that are infected, or are having to clean a friend or relative that is infected, MSFT has a nice new free tool to help you out. I tripped over it a couple of weeks back on one of my favorite freeware sites and after giving it a go on a couple of infected boxes I must say they passed multiple subsequent virus scans totally clean. Kinda slow, but for a deep scan that is to be expected. The nice thing is it creates a bootable CD or USB stick so even if the machine is pwned so bad it won't boot you can get in there and clean it up.

    It is called Microsoft Standalone System Sweeper and is a really nice tool to add to your toolbox and is 100% free to those with a legal copy of Windows. It has a 32bit and a 64bit but one can burn both CDs on either OS; the bit refers to the infected system, not the clean machine. It updates itself when you make the CD/USB, it cleans rootkits and bootbugs, and it don't cost a cent. MSFT should advertise it better but other than that after several uses I have no complaints.

    --
    ACs don't waste your time replying, your posts are never seen by me.