Microsoft: No Botnet Is Indestructible
CWmike writes "No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said Tuesday, countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically. Nothing is impossible. That's a pretty high standard.' Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in take-downs of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated. 'To say that it can't be done underestimates the ability of the good guys,' Boscovich said. 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"
For the record, nowhere is Ballmer even mentioned. At all. Give credit where credit is due: lawyers work very hard to make outrageous and asinine claims. How dare you give the credit to someone else?!
Consistency is only a virtue if you're not a screw-up.
Alternate title:
"Microsoft Says: My Botnet is Bigger Than Yours"
"First they came for the slanderers and I said nothing."
While I believe that it's quite easy to remove individual nodes of the 'indestructible' botnet, I can't see a good way it could really be shut down other than by wiping it out node by node. And that's a losing strategy for the 'good guys'.
So, while I agree in principle that the word 'indestructible' is pretty strong, and likely not actually the case, that theoretical fact is useless without a concrete strategy for defeating it.
Another question, does anyone know when and why Microsoft decided to start taking on hackers? Do they get something out of it?
Damn, you more or less beat me to the obvious parody / analogy: "We can exterminate all cockroaches".
It's not just a question of intellect if one party is on the easy side of the trap door function, and their adversary isn't.
Given Microsoft's traditional shortcomings in mental subtlety, I'm not eager to concede they've properly thought this position through.
Just wait until bitcoin merges with the global ad hoc network. Even Microsoft will gulp at the rental fees on a fully commissioned Death Star.
Brilliant, Microsoft, just brilliant. Fight bot nets by patent trolling them. That will *totally* work.
Microsoft and bot net operators... sorry, I am lost. Where are the good guys that were mentioned?
They're characters of the legends and folklore... the mention was "To say that it can't be done underestimates the ability of the good guys" (as in "the abilities of the good guys must never be underestimated"; they are demi- or full-time Gods, or at least Spiderman).
Since malware is currently a Microsoft only problem there is a direct benefit to them to deal with it. Various fanboys will pretend they are unable to read the word "currently" so I'll add it again and pre-empt the crap about Apple, Linux, Solaris, Irix, AIX, BeOS, Amiga, Plan 9 or Atari being potentially vulnerable sometime by saying the malware that is rampant NOW is more important than theoretical or historical threats.
Taking increased measures against malware doesn't really require a lot of resources and is definitely to their benefit.
Great, you're giving the MAFIAA ideas!
"People don't want to learn linux" hasn't been a valid excuse since '03.
As long as we control the IT desktop monoculture it will be always a better investment for botnet operators in searching new holes than in hardening their botnets.
Oh I want to know more about these guys...lol /popcorn
Microsoft Windows et al IS the botnet.
"bricked for internet usage"
WTF does that even mean?
Let me start by saying every time you boot your system on Windows 7, data is sent to Microsoft to check whether you are online and for internet connectivity.
Now, although you probably never gave it a second thought, NCSI is an active tool used by Microsoft to lead Boscovich to these comments.
I am not sure if this has been posted on /. before, however this URL http://blog.superuser.com/2011/05/16/windows-7-network-awareness maybe makes Boscovich feel all warm and fuzzy inside as they can do more with NCSI and cut out botnets. This can be defeated as in the URL above.
Whilst I am on a roll, http://www.microsoft.com/industry/government/solutions/cofee/default.aspx is nothing special; the commands in COFEE, with some extra switches, are:
arp.exe -a /all /report %OUTFILE% /domain /query/v /svc
at.exe
autorunsc.exe
getmac.exe
handle.exe -a
hostname.exe
ipconfig.exe
msinfo32.exe
nbtstat.exe -n
nbtstat.exe -A 127.0.0.1
nbtstat.exe -S
nbtstat.exe -c
net.exe share
net.exe use
net.exe file
net.exe user
net.exe accounts
net.exe view
net.exe start
net.exe Session
net.exe localgroup administrators
net.exe localgroup
net.exe localgroup administrators
net.exe group
netdom.exe query DC
netstat.exe -ao
netstat.exe -no
openfiles.exe
psfile.exe
pslist.exe
pslist.exe -t
psloggedon.exe
psservice.exe
pstat.exe
psuptime.exe
quser.exe
route.exe print
sc.exe query
sc.exe queryex
sclist.exe
showgrps.exe
srvcheck \\127.0.0.1
tasklist.exe
whoami.exe
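The list above is essentially a live-response checklist. As an added example (not from the thread, and not COFEE's own code), here is a small PowerShell collector built from a subset of those commands. It runs them in rough order of volatility, keeps each output in its own file, logs what ran and when, and records SHA-256 hashes so the collected output can later be shown to be unaltered. The case directory location, the command subset and the file naming are this example's own choices; it assumes an elevated prompt and PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example: minimal live-response collection from the COFEE-style command list.
# Assumptions: elevated prompt, PowerShell 4+, Sysinternals tools optional (skipped if absent).

$caseDir = Join-Path $env:SystemDrive ('triage-' + $env:COMPUTERNAME + '-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $caseDir | Out-Null

# Most volatile first: connections and processes change by the second, account
# configuration does not. Each entry is "output file name" = "command line".
$steps = [ordered]@{
    '01_netstat_ano'  = 'netstat.exe -ano'
    '02_tasklist'     = 'tasklist.exe /v'
    '03_pslist'       = 'pslist.exe -t'        # Sysinternals; skipped if not on PATH
    '04_arp'          = 'arp.exe -a'
    '05_route'        = 'route.exe print'
    '06_nbtstat_c'    = 'nbtstat.exe -c'
    '07_net_session'  = 'net.exe session'
    '08_net_use'      = 'net.exe use'
    '09_net_share'    = 'net.exe share'
    '10_sc_queryex'   = 'sc.exe queryex'
    '11_psservice'    = 'psservice.exe'        # Sysinternals; skipped if not on PATH
    '12_net_user'     = 'net.exe user'
    '13_net_admins'   = 'net.exe localgroup administrators'
    '14_net_accounts' = 'net.exe accounts'
    '15_at'           = 'at.exe'
    '16_ipconfig'     = 'ipconfig.exe /all'
    '17_hostname'     = 'hostname.exe'
    '18_whoami'       = 'whoami.exe /all'
}

$log = Join-Path $caseDir 'collection_log.txt'
"collection started $(Get-Date -Format o) by $env:USERDOMAIN\$env:USERNAME" | Set-Content $log

foreach ($name in $steps.Keys) {
    $cmdLine = $steps[$name]
    $exe = ($cmdLine -split ' ')[0]
    if (-not (Get-Command $exe -ErrorAction SilentlyContinue)) {
        "SKIP  $name  ($exe not found)" | Add-Content $log
        continue
    }
    $outFile = Join-Path $caseDir "$name.txt"
    $started = Get-Date
    # cmd /c keeps the exact syntax from the list; stderr is merged so failures are on record too.
    cmd.exe /c "$cmdLine 2>&1" | Out-File -FilePath $outFile -Encoding utf8
    "OK    $name  `"$cmdLine`"  started=$($started.ToString('o'))  exit=$LASTEXITCODE" | Add-Content $log
}

# Hash every output file. The log is still appended to below, so it is left out of the sum file.
Get-ChildItem $caseDir -Filter '*.txt' | Where-Object { $_.Name -ne 'collection_log.txt' } |
    ForEach-Object { "$((Get-FileHash $_.FullName -Algorithm SHA256).Hash)  $($_.Name)" } |
    Set-Content (Join-Path $caseDir 'SHA256SUMS.txt')

"collection finished $(Get-Date -Format o)" | Add-Content $log
Write-Host "Triage output in $caseDir"
```

One caveat a practitioner would add: every one of these tools asks the running kernel what is going on, so a rootkit that filters process or connection listings filters this output too. Copies of the tools on your own read-only media protect against a trojaned binary on the host, not against a lying kernel; for that you need an offline view of the disk.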
Awww how 31337 M$
Then creating an indestructible botnet is possible, right?
Yes, but under that premise destructing an indestructible botnet is possible, too.
I suppose much like there's no 100% secure server there's no 100% invincible botnet. It's almost always easier to destroy than to create/build something.
Deltron 3030 - Virus (music video)
Botnet shuts-down You!
But seriously, this is scary stuff. I like the idea of a big IT house using the best and brightest to shut-down malware, but who decides what malware is? How are they making money from this?
-Matt
Stop trying to bait APK/HOSTS file guy. You're not any good at it.
Non impediti ratione cogitationus.
Botnets, like most criminal enterprises, have a distinct advantage in that the perpetrators consider themselves above the law.
Their biggest strength is their willingness to exploit weaknesses and perform actions not available to law abiding citizens. They are not, for example, averse to hijacking PCs, hooking up with shady providers, or even flouting international borders and strongholding in countries like Iran that are outright hostile to US interests and could actually be anywhere from indifferent to outright supportive of their actions.
They are also able to move faster than law enforcement in many cases since they are not fettered by the courts or other bureaucratic machinations. If they want to relocate their CC servers, pass their holdings to someone else, or even shut down completely, they just do it, and they don't have to wait around for a court order or a subpoena to do it either.
Zaphod-AVA essentially summed it up @ http://it.slashdot.org/comments.pl?sid=2282088&cid=36618244 on June 30.
And Ram Herkanaidu, a Kaspersky Lab expert, confirmed it @ http://www.securelist.com/en/blog/516/TDL_4_Indestructible_or_not on July 4 that they do not believe the botnet is indestructible. Ram tried to downplay the sensationalist headline of it being indestructible by pointing out that they had used inverted commas around the word.
But almost anybody even remotely interested in computing can probably guess and those who are into encryption can state for a fact that nothing in this "virtual world" is indestructible --- things only get a little difficult.
So this is pretty much a lot of noise over the intended wit of an analyst.
Theoretically, we could nuke the earth from orbit, destroying all botnets (and life). It's always a question whether it's worth it or not.
The claim made is that "no botnet is indestructible, any botnet can be taken down". You appear to have misread that as "we can take down all botnets, eliminating them so that there are no botnets in existence". These are very different claims.
The recent media hyperventilation over "indestructible" malware that hides in the master boot record and requires a wipe and reload of the OS to fix - who writes this stuff, and did they ask anyone who knows anything about it? Apparently not.
Oh noes; I've got a bad thing in my MBR; what shall I do? Tip: boot to command line (F8 at boot time) and a quick FDISK /MBR will take care of it. So much for that indestructible bullshit...
I think the meme of the "indestructible botnet" is just marketing, and people trying to make them or their research more important than it is. The sad thing is that the public seems to believe this nonsense.
In practice, there are problems and killing a large botnet can be difficult. However, once you throw enough resources at the problem, it becomes entirely feasible.
'To say that it can't be done underestimates the ability of the "good" guys,' Boscovich said.
There, fixed that for Boscovich.
Microsoft just put a challenge up to every botnet maker on the planet.
Thanks Ballmer.
A challenge they have already resoundingly lost.
They should just be honest about it and give users a choice of botnets to subscribe to, like they were forced to do with web browsers.
Hey, I have the entire public IPV4 address space in my hosts file you insensitive clod!
If the "good guys" in Redmond really were so smart, there wouldn't be botnets in the first place.
The best way to kill a botnet is to kill the botmasters. Follow the money trail to them and get rid of them extrajudicially.
You are clearly insane. The best way to fix a problem is to prevent it from happening in the first place by fixing the dodgy software that some people insist on using.
Going on a killing spree is just going to get the wrong people murdered and not even fix the problem in the process.
If someone makes a self replicating botnet w/o C&C it could be indestructible. Make it look at chat streams from victims for domains to DDoS, then distribute that via a p2p network using port 443 (and 22) and self signed certs. Every node then attacks the most common one in a 2 hour period, and then ignores that domain for up to one month.
It's more like the good guys are handicapped in that they have to follow the law, whereas the bad guys have no such restraints.
Botnets would be much easier to take down if white hats were allowed to hijack them and make them self destruct.
Exactly this. The botnet makers don't care what some lawyer says, but you can bet your last dollar that they're already trying to make their botnets as bullet proof as possible. Why wouldn't they? It's their source of revenue and the longer a botnet can evade takedown the more money it generates. The real issue the "good guys" face is that a lot of the time they're having to be reactive instead of proactive (and this is where better OS security, better education of users and good, free, easy to use security tools can help) so of course it feels like they're always a step behind.
I'm surprised the botnet makers haven't gotten rid of the central command&control systems. There has to be some botnet builders that can pay some smart russian to come up with code for that.
Some P2P solution.
Maybe this is because of NAT ? They don't have a simple way of connecting to every node because of it.
I'd like to meet these lawyers who work hard. Having worked with many and known several personally, they generally don't know anything about "hard work." Don't confuse long days of web browsing, bullshitting, lunching, and boozing it up with anything close to "hard work."
TV shows and movies have painted a very wrong picture of lawyers at work.
MicroSoft: A networked system with no vulnerabilities is inconceivable!
The sad truth: it's actually quite conceivable that with decentralized C&C and proper crypto that there are no central vulnerabilities and the only way to clean up the mess is by hunting down nodes one at a time, or possibly one ISP at a time. I'm eager to hear MS's "legally and technically creative" way to take that on.
The botnet they are talking about here, TDL-4 actually does use an open p2p network for command and control, you take out one and another jumps in.
While ever it couldn't be used to secure the hardware against you, we'd never see the end of botnets - so no, TCP is not the answer if you want the squishy meatbag behind the keyboard to be able to override it. The second you give the user autonomy, no matter how secure your system is, you've lost. The malware writers will focus their energies on "socially engineering" the user into installing stuff for them, instead. Personally I'd rather live in an imperfect world where we have botnets but aren't lumbered with TCP than an imperfect world where we have TCP and we still have botnets.
That's not true. I'm no Microsoft apologist (I run OpenBSD and Linux) but Microsoft has some of the smartest people out there. The problem is, those people are neatly compartmentalized, in the form of Microsoft Research. Much of their work is highly regarded in the compsci community. But Microsoft-the-software-company often fails to see the potential of their work. I suspect that Microsoft's "don't rock the boat" approach is an official business strategy.
I was with him until he said "People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no'." Until then, it was an obvious "Duh", similar to saying there is no 100% secure real system. And kind of sad that he had to actually tell the media that... how far the media has fallen.
But back to the point, the bad guys are smarter, and better than the good guys. History has proven that over and over again. Just because you came in after the fact and cleaned up the mess doesn't mean you are better. If you prevented it in the first place, then you are better. But that is not the case. The bad guys have totally ripped apart in weeks what the good guys have created in months, sometimes years.
Good guys stick their head in the sand till something they can't ignore comes along. Then they try to solve it. If they can't do it technically (many cases), they fall back to legal means. This doesn't make the good guys better, but just competent enough. Thinking otherwise is just more sticking your head in the sand.
Shutting down a botnet can be rather straightforward, although not necessarily easy. As far as I know, all current botnets are designed to make money for their controllers. This means that shutting them down can be done in the same manner that most organized crime organizations get shut down, by following the money. What makes this difficult is that many botnets will cross jurisdictional boundaries, at least some of which will not be inclined to be cooperative.
Instead of just saying no, show us no...!!!
Show us that it is indestructible by shutting another one down... each time they shut one down through their "special techniques" brings us closer to a spam free world... so do it already and stop talking about it. Show us you mean business by taking down another botnet... then we can all look at M$ and think, wow... they were right... instead I read the post and thought... so what if they "SAY" no... show me, was my first thought!!
about Technical stuff?
No offense there Boscovich, but um, do you know programming/computer science? Why are we listening to you?
Sigh, I gave up Moderator points for this?
It depends on the lawyer. Your view seems rather jaded. From my experience, most PEOPLE don't know anything about hard work (by your definition) at least in the professional sector or anything outside a factory job. Retail and office work, it seems rampant to have excessive down time. That said, I also know some very hard working lawyers. A lot of succeeding in life has to do with luck and who you know, but a lot of it also has to do with just actually working hard.
AJ Henderson
Of course not. I highly doubt any of them will survive the heat death of the universe.
I think the original article was just saying that they're highly resilient to attack damage. Which is a reasonable statement.
I beg to differ. A good friend of mine went to law school and is now in his third year as an associate at a major law firm. He works something like 60 hours a week on average to make sure that he hits his goal of 40 billable hours a week. During three years of law school, I saw him a grand total of about four times and when I DID see him, he was studying (at all hours, Saturday, Sunday, late at night, you name it). I feel sorry for the guy. He's very well paid, but he never has any time to spend it. He just recently told me that he'd gladly cut his salary in half to work a normal 40 hours.
Now, when he gets a few more years in, I'm sure he'll be raking in even MORE cash and working less, but I'll never say he didn't earn it.
I can't believe you used the words "lawyers" and "hard work" together in the same sentence like that.
I am pretty sure that the article didn't say that it was impossible, and only that it was "practically" indestructible or something like that.
The intent being that this would be a very tough nut to crack and that to beat it will take a lot of resources or some very smart people or both.
In fact if he only read his own sentence before uttering another, he would have seen his mistake.
Heck someone called the Titanic "unsinkable" and guess where its current location is? That wasn't even a "practically" unsinkable.
Any software program more complicated than "Hello World" has exploitable weaknesses. If you were to demand that no software should be released until it is 100% exploit free there would be no software to release. While killing the bot masters is a little extreme to say the least, the suggestion of following the money is a good strategy. Analyze the behavior of the bot and try to define the purpose of the bot, which is undoubtedly to make money for someone for something. Attacking the beneficiaries of the bot can be just as effective as attacking the bot itself.
People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"
If the good guys ever catch up with the bad guys, then the good guys have nothing more to do, because there will be no more plots to foil... until the bad guys get going again. But the bad guys never stop moving, so the good guys are always playing catch up, and so of course it looks like the bad guys are always winning.
But really, the bad guys only win when the good guys can't play catch up anymore. And that hasn't happened. In fact, that's why the bad guys keep moving.
Of course, we could try to pre-empt the bad guys by developing bug free designs and code in the first place. Heh, yeah that's pretty tough. But when a product does appear too hard to break, then you go around that brick wall. That's why we have trojans and phishing.
Sure, Microsoft has a pretty poor reputation for security (and too often deservedly so). But the statement holds. Bad guys, good guys... we're just people on different sides of the fence. Bad guys are clever enough to find new holes, and good guys are clever enough to plug them.
So sure, it's a big and tough botnet. But for some that just makes the challenge of breaking it all the more interesting.
I mentioned Ballmer because he is the main head of the Hydra that Microsoft is. I'm sorry for laying the blame squarely at the feet of the CEO, in future I'll lay the blame at the feet of the guys working in the call centre. Or maybe the lawyers they buy for a dime a dozen.
You're very confused. You're confusing school work with a professional life.
Established lawyers is what I'm talking about. Non-lawyers do 80% of the work in the legal profession. Most lawyers do little actual work. What work they claim to do is largely done by wanna-be lawyers, students, so on and so on.
As for the work 60-hours to bill 40-hours - he's absolutely doing something wrong. Most lawyers will bill you if they think about your case while they are taking a crap. If he worked 60-hours and didn't bill 60-hours, he's incompetent or at the very least, doing it wrong.
Now, observation and discussion means one is jaded? Likely you're just uninformed. Very, very uninformed. My opinion exists specifically because that's the opinion TOLD to me by actual lawyers. It was reinforced by observing their work day while I was working.
Really people, get off your high horses. The world does not exist in utopia. In the real world, lots and lots of people are paid shit loads of money for doing very little - and frequently while doing a shit job of that. That's the REAL world. Obviously there are exceptions and yes, the world is full of hard working people, but the intersection is pretty small when we're talking about the majority of lawyers.
I posted this the day it was announced, & yes, vs. this "blended threat" tech rootkit/botnet's CURRENT DESIGN (driver + bootsector originated)? This works to NON-DESTRUCTIVELY REMOVE IT (and any designed like it):
STEPS TO TAKE TO ERADICATE THIS ROOTKIT/BOTNET "blended-threat" tech one, NON-DESTRUCTIVELY:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* Which works against ANY rootkit, both bootsector originating type, or driver driven type (or like this one, a combination of BOTH), 100% guaranteed - NO QUESTIONS ASKED, period...
(IN FACT, the DAY this rootkit/botnet was announced? I had the way to "nuke it", 100% guaranteed, here http://it.slashdot.org/comments.pl?sid=2282088&cid=36621818 )
APK
P.S.=> Then, IF this thing "hauls in" any more malware, which it CAN do? Even IF an "unknown one" to antivirus/antispyware signatures DB's??
Then - You "mop it up" using Process Explorer completely once the rootkit is destroyed!
(ProcessExplorer.exe works vs. ANY malware, even hidden ones beneath other std. processes hooked by libs/dlls, or services even)
I.E./E.G. -> You use its "suspend" feature to send HLT instructions to the offending malware, & then? Then, you can delete it on disk & it's "Gone With The Dawn"...
This works too, when other "std. tools" fail miserably (such as antivirus/antispyware IF their signatures are not present to ID said malware, and if their removal process won't work vs. said malware also).
"Here endeth the lesson"... ... apk
I work with some university professors on research projects regularly.
I don't want to use too many 'buzz-words' or anything, but I also don't want to give away our research before we publish it.
One of our projects (we have developed a patentable method) involves a method of distributing control messages of X length to N computers by using only X bandwidth on the sender side, with built-in error recovery and automatic redundancy by virtue of a propagating message source. Combine that with public-key crypto and you have a super-resilient propagating message with no 'source point'.
We make use of the DNS protocol to accomplish this.
You can see when we publish the paper, I will make it available to slashdot at that time. We've found that there is no clear way to stop the messages from reaching the destinations, and no way of impersonating the sender. There is also no way to detect the true source of the message.
Essentially, an alternative to P2P transmissions which is probably just as good.
There might be a flaw somewhere that we haven't noticed though, but at the moment it seems to be that we will finish the paper soon.
my ISP made the transition to IPv6, if yours did, time to update your HOSTS file...
The Lawyer has a point... I mean, with the botnets relying on Windows machines it is highly likely that they are destructible. It also explains why they require so many machines...
If you have an issue with the statement, you could mention the statement and the lawyer who it is attributed to, Richard Boscovich. That would suffice. You did not even have to read the article, the name was right there in the (inflammatory) summary.
Microsoft has been owning in the news lately. Still hate using Windows XP and will not ever upgrade to anything else, but still, this and what Gates said about nuclear being the only feasibly sustainable core energy source is pretty win.
Now, do I think that Microsoft is a bit responsible for some of these botnets? Yes. And no. But I tend to take their "nothing is impossible" approach to pretty much anything I do.
No one said TDL4 can't be cleaned from a single PC. Cleaning it from all of them near-simultaneously is what you would have to do to destroy this botnet. The MSRT tool is not capable of performing the steps you described.
BTW your steps could still leave malware on the system unless you are a forensic/malware expert and can tell good processes from bad in ProcessExplorer. It's not so easy as you make it seem. Even if you are that experienced in process analysis, there could still be other kernel-level rootkits hiding malicious processes from ProcessExplorer. It could take days to truly disinfect a TDL-4-infected system that had been downloading payloads for a while. That's why reformat/reinstall has become the best-practice for dealing with malware, even though it is anathema to most Windows users/admins.
Another thing to note is that Microsoft hasn't destroyed the Rustock botnet, they are merely suppressing it. They will never be able to clean all the infected Rustock PCs, because countless thousands of them don't get Windows updates (either because they are pirated copies of Windows or updates have been disabled by other malware) and thus will never run the MSRT tool. If MS ceases their efforts before every last machine is sitting in a dump somewhere, the botnet could return, however unlikely that the author would bother to restore control.
I concur, MS just said "Come at me, Bro." :D
Come on...read the Computerworld article. No he didn't.
He's worked on the legal side. And, there, I'll listen to him. But arguing that "TECHNICALLY" he knows what he's talking about - well, that's like me arguing I know what law is about. (Hint: it's a bad idea)
But I will listen to what Alex Lanstein has to say.
....countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically.
And how is it intellectually creative to reply to the phrase "practically indestructible" with that? They said PRACTICALLY, not "COMPLETELY INDESTRUCTIBLE" or anything like that. Way to miss the important quantifier in the statement they claim to be countering.
Reading comprehension FTW!
Lol, outrageous claim? What outrageous claim? The laughable claim is that there exist botnets which can't be taken down. The very idea is silly.
I have multiple family members who are lawyers or work closely with them. How many different firms did you have experience with? Business culture tends to make fairly unified conditions within an organization. I'm also 100% agreeing with you on your last paragraph. My point was mostly that a) it isn't just lawyers that get paid for wasting a lot of their time and b) the bad eggs always stand out and c) just because there may even be a lot of bad eggs doesn't mean there are not good ones or that the entire profession deserves to be thrown under the bus.
I was saying that many people regardless of industry will waste time if they can and still get paid for it. Those who actually do work hard tend to excel ahead of the rest. Just look at how active slashdot is during the workday.
AJ Henderson
Well if that part were easy I would imagine grey hats/vigilantes would have done that by now. Though it would depend largely on what self destructing would entail. Self destructing as in the botnet removes itself from the infected computers, or self destructing as in having the botnet completely format infected systems.
Yes, let's have a LAWYER tell us about how all botnets can be taken down. The phrase "If someone says that a botnet is indestructible, they are not being very creative legally" has got to be the goddamn funniest quote of the month! It's a botnet, not an ordinance. I don't give a damn how "legally creative" you get. You can't apply human laws as if they were universal laws of physics. Some young adult in China running a headless botnet via P2P C&C using anonymizing routers is beyond your insignificant "legal creativity".
IF you know who and where they are THEN you can use legal means to shut them down. But the point is you DON'T know who they are OR where they are.
I8-D
I wish you weren't posting AC so that I could friend you.
You missed the point. Yes, TDL4 malware can be cleaned manually, no one is disputing that. The entire system could be forensically sanitized - manually - using the recovery console or a liveCD. It could take a long time depending on how many payloads had been downloaded and how well they hide. But this is not enough to kill the botnet unless you do this to 4.5 million PCs all at once. I never said your TDL-4 removal steps were incorrect, I just said they would not "kill the botnet", which is what Microsoft is suggesting they can do.
While nothing is impossible in theory, trying to destroy this botnet "one rig at a time" as you suggest would take decades even if you had an army tracking them down and cleaning them. The botnet would die on its own by then because the hard drives of those systems would fail first. Again though, I am replying to Microsoft's claims here, not yours.
The part you are wrong about is being able to use ProcessExplorer to fully sanitize the PC of the remaining malware. The only thing that truly separates malware from non-malware is intent. That's it. A P2P filesharing client and a P2P bot could share 99.999% of the same code, with only a single hidden malicious function. Tell me where in ProcessExplorer you would see the difference.
I'm not sure if you truly understand rootkits if you think they can't hide from ProcessExplorer. Even the simpler kernel-mode rootkits can do this, removing the hidden process from the kernel's linked list of objects - the same list that ProcessExplorer has to request from the OS to show you that tree of parent/child processes.
Making a determination on whether or not a program is malware is very hard to do programmatically, and even for a human it often takes hours poring over the code in a debugger trying to understand the program's intent. If it were so easy, antivirus programs would still be adequate protection in this day and age.
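As an added example that is not part of any post in this thread, here is a user-space C simulation of the DKOM technique the post above describes (unlinking a process object from the kernel's doubly linked active-process list so a list walk never reaches it) alongside the cross-view check rootkit detectors use against it: enumerate processes by a second path and diff the two views. The structures, the PID table standing in for the kernel's PID lookup path, and the three sample processes are constructed stand-ins for illustration, not Windows kernel code.

```c
/* Added example: DKOM-style process hiding and cross-view detection,
 * simulated in user space. "head" stands in for PsActiveProcessHead,
 * flink/blink for EPROCESS.ActiveProcessLinks, and pid_table for the
 * kernel's PID lookup path that the scheduler and PsLookupProcessByProcessId
 * still use after the list entry is gone. All names are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PID 64

typedef struct proc {
    int pid;
    char name[16];
    struct proc *flink;   /* next entry on the active list */
    struct proc *blink;   /* previous entry on the active list */
} proc_t;

static proc_t head = { -1, "<head>", &head, &head };  /* sentinel */
static proc_t *pid_table[MAX_PID];                     /* second view */

static proc_t *proc_create(int pid, const char *name)
{
    proc_t *p = calloc(1, sizeof *p);
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);
    p->blink = head.blink;          /* insert at tail of the list */
    p->flink = &head;
    head.blink->flink = p;
    head.blink = p;
    pid_table[pid] = p;             /* still reachable by PID lookup */
    return p;
}

/* DKOM hide: splice the node out of the list; the object itself stays
 * allocated, so everything that reaches it by other means keeps working. */
static void dkom_hide(proc_t *p)
{
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p;                   /* point at self so a stray walk */
    p->blink = p;                   /* through this node cannot corrupt */
}

/* View 1: what a list-walking viewer (Process Explorer-style) reports. */
static int list_view(int *out, int max)
{
    int n = 0;
    for (proc_t *p = head.flink; p != &head && n < max; p = p->flink)
        out[n++] = p->pid;
    return n;
}

/* View 2 vs view 1: brute-force every PID through the lookup path and
 * report the ones the list walk did not return. Returns hidden count. */
static int cross_view_hidden(int *hidden, int max)
{
    int seen[MAX_PID] = {0}, listed[MAX_PID];
    int n = list_view(listed, MAX_PID), h = 0;
    for (int i = 0; i < n; i++) seen[listed[i]] = 1;
    for (int pid = 0; pid < MAX_PID && h < max; pid++)
        if (pid_table[pid] && !seen[pid])
            hidden[h++] = pid;
    return h;
}

/* Constructed sample: three processes, one of them hidden. Idempotent.
 * Returns the PID of the hidden one (23). */
static int demo_setup(void)
{
    if (pid_table[23]) return 23;
    proc_create(4, "System");
    proc_create(12, "explorer");
    dkom_hide(proc_create(23, "svchost"));   /* bot masquerading by name */
    return 23;
}

/* 1 when the list walk shows two processes and the cross-view finds
 * exactly the hidden one, else 0. */
static int demo_check(void)
{
    int hidden_pid = demo_setup();
    int listed[MAX_PID], hidden[MAX_PID];
    int n = list_view(listed, MAX_PID);
    int h = cross_view_hidden(hidden, MAX_PID);
    return n == 2 && h == 1 && hidden[0] == hidden_pid;
}

int main(void)
{
    int listed[MAX_PID], hidden[MAX_PID];
    demo_setup();
    int n = list_view(listed, MAX_PID);
    printf("list walk sees %d processes:", n);
    for (int i = 0; i < n; i++) printf(" %d", listed[i]);
    printf("\n");
    int h = cross_view_hidden(hidden, MAX_PID);
    for (int i = 0; i < h; i++)
        printf("cross-view: pid %d (%s) found by lookup, missing from list\n",
               hidden[i], pid_table[hidden[i]]->name);
    return demo_check() ? 0 : 1;
}
```

The point of the cross-view is that it never depends on a process or driver name: the hidden entry is flagged purely because two enumeration paths disagree, which is why a detector built this way is not fooled by a bot calling itself svchost. A real rootkit can also hook the second path, so production tools compare several views (list walk, PID brute force, handle table, scheduler structures) and treat any disagreement as suspect.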
a Microsoft lawyer
There, on the very first line.
in all seriousness I see no problem in MS saying: "Our product quite sucks in security, we pretty much can't do much about it since rewriting the whole thing would be like kicking our lunch box... so we will just have hordes of lawyers to LEVERAGE our influence in governments around the world to help us butfuck botnet creators IRL (in real life)"
I don't care how they do it; if they can do it, go for it, and since you're there... WHY NOT go after spammers?
You have a chicken-and-the-egg problem. You said: "1.) Recovery Console bootup 2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)" - in this case you have prior knowledge. You knew there was a rootkit in play, and you knew what it was named.
What if it has borrowed the name of another legit third-party driver? What if the rootkit code is just a stub inside another legit driver? This technique has been used by malware for years now. Now, how do you tell which is the malicious driver and which is not? How do you even tell if there is a rootkit in play at all? The answer is: other tools and techniques and most importantly, a lot of time spent.
Ever wondered what OS is in a lot of those ADSL modems in people's homes that are on 24/7? Vast numbers of little linux boxes set up by the same people that get their MS Windows machines infected just by browsing with internet explorer to the wrong parts of the net. Now there's a juicy target for malware - but it's not as easy as getting crap onto unpatched XP boxes so it doesn't happen.
Then there's all those web servers out there. Last time I looked not a lot of them were MS boxes.
The market share argument of malware infection proved to be far too simplistic for reality probably about a decade ago. Why are you wasting everyone's time by pushing it now?
I hope you cut and pasted that pile of childish crap instead of wasted time typing it in. Even with that avalanche of bullshit there was nothing about your simplistic "malware is a sign of popularity" idea which I questioned above.
If you were serious about your bug counts above and had any form of cross-platform background in the computer industry you would know that comparing those numbers is sheer numerology and no more accurate than guesses as to when the world is going to end.
Pre-emptive strike by accusing others of what you are doing, I see; in fact it's so transparent I don't understand why you would possibly think anyone with the reading skill to read those words would be taken in by it.
Give it up kid - find something you are good at and do that instead. You couldn't possibly be bored enough to justify wasting time writing the stuff above.
Why not devote some of that wasted time to getting a login for this site?
So you are about the same age if you are telling the truth this time. What's your excuse for all the childish drivel then? Why do you even assume I've been "blown away" instead of merely ignoring a pile of crap which can not by any stretch of the imagination be elevated to the status of "debate"? Why can't you tell the difference between a suggestion and an "order"?
Give it up kid. You are not fooling anybody since you write like a current teenager and not one caught in a mental time warp stuck at twelve for thirty-five years. Why you would ever bother to pretend to be that when there are far more interesting things to do is really beyond me unless you are being paid for some bizarre "grass roots" PR scheme and badly failing at it. You really must be one incredibly bored teenager or somebody pretending to be one for entertainment or misearned profit.
That would include Microsoft.
No. I'm a real engineer instead. Back in the day what you call CSC was called applied mathematics in some places anyway.
I can barely understand any of your "points" due to them not being in English and instead being in some teenage gamer dialect I assume is called 10s3r or similar. I accept that the language of the net is broken English but you could at least make some attempt to communicate instead of the deliberately obfuscated pile of crap you've unloaded in the posts above. It really is a weird and pointless game you are playing where the topic really doesn't appear to matter in any way at all, and yes, it's really obvious it's a game, but I'm bored enough to push back a little bit at your bullshit.
It's easy enough to just indicate the malware swamp that infests the Microsoft platform you are raving about to show how little value your "points" have.