Slashdot Mirror


Microsoft: No Botnet Is Indestructible

CWmike writes "No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said Tuesday, countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically. Nothing is impossible. That's a pretty high standard.' Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in take-downs of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated. 'To say that it can't be done underestimates the ability of the good guys,' Boscovich said. 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"

21 of 245 comments

  1. Alternate Title by phantomfive · · Score: 5, Funny

    Alternate title:
    "Microsoft Says: My Botnet is Bigger Than Yours"

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Alternate Title by monkyyy · · Score: 2

      Well, I do believe everyone who uses Linux has a duty to dismantle the Microsoft botnet.

      After all, it isn't indestructible.

      --
      warning pointless sig
    2. Re:Alternate Title by Anonymous Coward · · Score: 5, Funny

      I could root you, but I'd have to charge.

  2. Impossible really means nobody knows how by Omnifarious · · Score: 2

    While I believe that it's quite easy to remove individual nodes of the 'indestructible' botnet, I can't see a good way it could really be shut down other than by wiping it out node by node. And that's a losing strategy for the 'good guys'.

    So, while I agree in principle that the word 'indestructible' is pretty strong, and likely not actually the case, that theoretical fact is useless without a concrete strategy for defeating it.

    1. Re:Impossible really means nobody knows how by Jah-Wren+Ryel · · Score: 3, Insightful

      What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

      The proof's in the pudding. Until they actually do take it down, it's all just trash talk.

      It doesn't help that it's a lawyer doing the trash talking either; it seems all too common for people with law-centric world views to be completely out of sync with a world that operates on the principles of physics.

      --
      When information is power, privacy is freedom.
    2. Re:Impossible really means nobody knows how by Angostura · · Score: 2

      Not only that. I find myself in full agreement with a Microsoft lawyer. Oh what a world!

    3. Re:Impossible really means nobody knows how by artor3 · · Score: 3, Insightful

      Personally, I think that the fact that it's coming from a lawyer makes it more convincing (and frightening). Note that he's saying you need to get legally creative. That sounds like not-so-subtle code for no-knock raids and extraordinary rendition. I don't care how well written your malware is. It's not gonna help you one bit when a multibillion-dollar corporation convinces the Russian police to disappear you and your buddies.

    4. Re:Impossible really means nobody knows how by 1s44c · · Score: 2

      What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

      If Microsoft were better than the botnet people the botnets would not exist in the first place.

    5. Re:Impossible really means nobody knows how by shentino · · Score: 2

      What can be done to stop cancer, and what is practical, are two separate things. And it's not all biology and chemistry, either.

      Consider also that a real cure for cancer would ruin the market for chemotherapy, among other things, and I have to ask.

      Besides lucrative one time sales, what incentive do pharmaceutical companies have to actually cure cancer? Once someone is cured, they are no longer a patient.

  3. trapdoor function by epine · · Score: 2

    It's not just a question of intellect if one party is on the easy side of the trap door function, and their adversary isn't.

    Given Microsoft's traditional shortcomings in mental subtlety, I'm not eager to concede they've properly thought this position through.

    Just wait until bitcoin merges with the global ad hoc network. Even Microsoft will gulp at the rental fees on a fully commissioned Death Star.

  4. Windows 7 checks in with M$ so he thinks yes by NSN+A392-99-964-5927 · · Score: 4, Informative

    Let me start by saying every time you boot your system on Windows 7, data is sent to Microsoft to check whether you are online and for internet connectivity.

    Now, although you probably never gave it a second thought, NCSI is an active tool used by Microsoft to lead Boscovich to these comments.

    I am not sure if this has been posted on /. before; however, this URL http://blog.superuser.com/2011/05/16/windows-7-network-awareness maybe makes Boscovich feel all warm and fuzzy inside, as they can do more with NCSI and cut out botnets. This can be defeated as in the URL above.

    Whilst I am on a roll, http://www.microsoft.com/industry/government/solutions/cofee/default.aspx is nothing special; the commands in COFEE, with some extra switches, are:

    arp.exe -a
    at.exe
    autorunsc.exe
    getmac.exe
    handle.exe -a
    hostname.exe
    ipconfig.exe /all
    msinfo32.exe /report %OUTFILE%
    nbtstat.exe -n
    nbtstat.exe -A 127.0.0.1
    nbtstat.exe -S
    nbtstat.exe -c
    net.exe share
    net.exe use
    net.exe file
    net.exe user
    net.exe accounts
    net.exe view
    net.exe start
    net.exe Session
    net.exe localgroup administrators /domain
    net.exe localgroup
    net.exe localgroup administrators
    net.exe group
    netdom.exe query DC
    netstat.exe -ao
    netstat.exe -no
    openfiles.exe /query/v
    psfile.exe
    pslist.exe
    pslist.exe -t
    psloggedon.exe
    psservice.exe
    pstat.exe
    psuptime.exe
    quser.exe
    route.exe print
    sc.exe query
    sc.exe queryex
    sclist.exe
    showgrps.exe
    srvcheck \\127.0.0.1
    tasklist.exe /svc
    whoami.exe

    Awww how 31337 M$

    --
    All cows eat grass!
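The command list above is a live-response triage set: volatile state (sockets, ARP cache, processes, sessions) captured from a running box before anyone touches it. The following PowerShell is an added example in that spirit; it is not COFEE, not Microsoft's code and not the commenter's. It assumes Windows with PowerShell 5.1 or later, an elevated session, an assumed directory of trusted tool binaries (`$ToolDir`) brought on read-only media, and an assumed output root (`$OutRoot`). Every output file is hashed as soon as it is written so that later tampering with the collected evidence is detectable.

```powershell
# Added example (not COFEE, not Microsoft code): a minimal live-response collector.
# Assumptions: PowerShell 5.1+, elevated session, trusted tools at $ToolDir on read-only
# media so the suspect host's own binaries (which malware may have replaced) are not used.
param(
    [string]$ToolDir = 'D:\Tools',                  # assumed: trusted binaries, read-only media
    [string]$OutRoot = "$env:SystemDrive\Triage"    # assumed: where the evidence lands
)

$env:Path = "$ToolDir;$env:Path"                    # trusted copies win name resolution
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Order of volatility: sockets, ARP cache and processes change fastest, so they go first;
# shares, accounts and services are comparatively stable and can wait.
$commands = [ordered]@{
    'netstat-ano'     = { netstat.exe -ano }
    'arp'             = { arp.exe -a }
    'route'           = { route.exe print }
    'ipconfig'        = { ipconfig.exe /all }
    'nbtstat-n'       = { nbtstat.exe -n }
    'tasklist-svc'    = { tasklist.exe /svc }
    'process-cmdline' = { Get-CimInstance Win32_Process |
                          Select-Object ProcessId, ParentProcessId, Name, CommandLine | Format-List }
    'logged-on'       = { quser.exe }
    'net-session'     = { net.exe session }
    'net-share'       = { net.exe share }
    'net-use'         = { net.exe use }
    'net-user'        = { net.exe user }
    'local-admins'    = { net.exe localgroup administrators }
    'services'        = { sc.exe query }
    'scheduled-tasks' = { schtasks.exe /query /fo LIST /v }
    'whoami-all'      = { whoami.exe /all }
}

$manifest = foreach ($name in $commands.Keys) {
    $file = Join-Path $outDir "$name.txt"
    try {
        # stderr is merged so a tool that complains (quser.exe with no sessions) still leaves a record
        & $commands[$name] 2>&1 | Out-File -FilePath $file -Encoding utf8
    } catch {
        "ERROR: $($_.Exception.Message)" | Out-File -FilePath $file -Encoding utf8
    }
    # Hash each artifact as soon as it is written so later tampering is detectable.
    [pscustomobject]@{
        Command   = $name
        File      = $file
        SHA256    = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        Collected = (Get-Date).ToString('o')
    }
}

$manifest | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table Command, SHA256 -AutoSize
```

Two caveats a practitioner should keep in mind: running anything on the suspect host changes its state (new process, new files, new handles), so record the collection time and accept the contamination deliberately rather than pretending it is not there; and every one of these commands asks the running kernel for the truth, so a kernel-mode rootkit can lie to all of them at once. The collection is a first look, not a verdict.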
  5. In Soviet Russia by Wrexs0ul · · Score: 2

    Botnet shuts-down You!

    But seriously, this is scary stuff. I like the idea of a big IT house using the best and brightest to shut down malware, but who decides what malware is? How are they making money from this?

    -Matt

    --
    --- Need web hosting?
    1. Re:In Soviet Russia by bkaul01 · · Score: 2

      How are they making money from this?

      Indirectly, as it affects their flagship product's reputation for security. If botnets spread unchecked, with most targeting Windows machines almost exclusively, that looks bad for Windows' reputation (even if it's due to moronic users who could manage to infect any given system). Declaring war on the botnets and actively taking them down both helps avoid negative reputation issues for Windows and builds Microsoft's reputation as a company that does the right thing for security, which is especially important now that they're rolling out more cloud services, etc. (Yes, I know this is Slashdot, and I'll probably be modded down for not taking this opportunity to bash Microsoft, but nonetheless, that is the strategic benefit to them.)

  6. Re:And it is by JustOK · · Score: 3, Funny

    I'm still waiting for it to finish shutting down.

    --
    rewriting history since 2109
  7. Re:LOL - the silver bullet! by hairyfeet · · Score: 2, Informative

    WTF? Nobody said anything about Ballmer, and what was said is common logic. If a machine isn't bricked it can be fixed, end of story. As someone that cleans PCs 6 days a week I can tell you this is a fact, and while it is often faster to nuke, it isn't the only way to get the job done.

    For those that are infected, or are having to clean a friend or relative that is infected, MSFT has a nice new free tool to help you out. I tripped over it a couple of weeks back on one of my favorite freeware sites, and after giving it a go on a couple of infected boxes I must say they passed multiple subsequent virus scans totally clean. Kinda slow, but for a deep scan that is to be expected. The nice thing is it creates a bootable CD or USB stick, so even if the machine is pwned so bad it won't boot you can get in there and clean it up.

    It is called Microsoft Standalone System Sweeper and is a really nice tool to add to your toolbox, and it is 100% free to those with a legal copy of Windows. It has a 32-bit and a 64-bit version, but one can burn both CDs on either OS; the bit refers to the infected system, not the clean machine. It updates itself when you make the CD/USB, it cleans rootkits and bootbugs, and it doesn't cost a cent. MSFT should advertise it better, but other than that, after several uses I have no complaints.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  8. They are right, but why do they need to say it? by gweihir · · Score: 2

    I think the meme of the "indestructible botnet" is just marketing, and people trying to make them or their research more important than it is. The sad thing is that the public seems to believe this nonsense.

    In practice, there are problems and killing a large botnet can be difficult. However, once you throw enough resources at the problem, it becomes entirely feasible.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Re:Uhoh by 1s44c · · Score: 2

    Microsoft just put a challenge up to every botnet maker on the planet.

    Thanks, Ballmer.

    A challenge they have already resoundingly lost.

    They should just be honest about it and give users a choice of botnets to subscribe to, like they were forced to do with web browsers.

  10. Re:Thanks, but everybody already knows! by maxwell+demon · · Score: 2

    they had used inverted comas

    Are inverted comas states of unusually intense consciousness? :-)

    --
    The Tao of math: The numbers you can count are not the real numbers.
  11. Destroying a botnet can be rather straightforward by Attila+Dimedici · · Score: 2

    Shutting down a botnet can be rather straightforward, although not necessarily easy. As far as I know, all current botnets are designed to make money for their controllers. This means that shutting them down can be done in the same manner that most organized crime organizations get shutdown, by following the money. What makes this difficult is that many botnets will cross jurisdictional boundaries, at least some of which will not be inclined to be cooperative.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  12. Re:Uhoh by sortius_nod · · Score: 2

    I mentioned Ballmer because he is the main head of the Hydra that Microsoft is. I'm sorry for laying the blame squarely at the feet of the CEO; in future I'll lay the blame at the feet of the guys working in the call centre. Or maybe the lawyers they buy for a dime a dozen.

  13. Re:He's right, & here's my technique for it... by httptech · · Score: 2

    No one said TDL4 can't be cleaned from a single PC. Cleaning it from all of them near-simultaneously is what you would have to do to destroy this botnet. The MSRT tool is not capable of performing the steps you described.

    BTW your steps could still leave malware on the system unless you are a forensic/malware expert and can tell good processes from bad in ProcessExplorer. It's not so easy as you make it seem. Even if you are that experienced in process analysis, there could still be other kernel-level rootkits hiding malicious processes from ProcessExplorer. It could take days to truly disinfect a TDL-4-infected system that had been downloading payloads for a while. That's why reformat/reinstall has become the best-practice for dealing with malware, even though it is anathema to most Windows users/admins.

    Another thing to note is that Microsoft hasn't destroyed the Rustock botnet, they are merely suppressing it. They will never be able to clean all the infected Rustock PCs, because countless thousands of them don't get Windows updates (either because they are pirated copies of Windows or updates have been disabled by other malware) and thus will never run the MSRT tool. If MS ceases their efforts before every last machine is sitting in a dump somewhere, the botnet could return, however unlikely that the author would bother to restore control.
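The point about kernel-level rootkits hiding processes from Process Explorer is worth making concrete. Process Explorer, Task Manager, `tasklist.exe` and WMI all walk the same kernel process list, so a rootkit that unlinks its process from that list (the classic DKOM trick) is invisible to all of them at once. The cross-view technique compares that high-level view with a lower-level one: calling `OpenProcess` on every candidate PID resolves the process through the kernel's handle/CID table rather than the linked list, so an unlinked process still opens. The script below is an added example of that check, not the commenter's code and not any vendor's tool; it assumes an elevated PowerShell 5.1 or later session on Windows, and its `MaxPid` ceiling is an assumption (PIDs above it are simply not probed). It is a heuristic: short-lived processes and protected processes are the main false positives, which is why it samples the low-level view twice and keeps only PIDs that survive both samples.

```powershell
# Added example (not the commenter's, not a vendor tool): cross-view detection of hidden processes.
# High-level view  : Get-Process and WMI, both fed from the kernel's linked process list.
# Low-level view   : OpenProcess on every PID, resolved through the CID/handle table instead.
# A PID that opens fine (or is refused with ACCESS_DENIED, i.e. exists) but appears in
# neither high-level view is a candidate for DKOM-style hiding. Run elevated.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool QueryFullProcessImageName(IntPtr h, uint flags, System.Text.StringBuilder name, ref uint size);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5      # process exists but is protected (e.g. PPL); still counts as alive

function Get-LowLevelPids {
    param([int]$MaxPid = 65536)   # assumption: probe this range only; PIDs are multiples of 4
    $alive = @{}
    for ($id = 4; $id -lt $MaxPid; $id += 4) {     # $id, not $pid: $PID is a read-only automatic variable
        $h = [Win32.Proc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$id)
        if ($h -ne [IntPtr]::Zero) {
            $sb = New-Object System.Text.StringBuilder 1024
            [uint32]$len = $sb.Capacity
            $image = if ([Win32.Proc]::QueryFullProcessImageName($h, 0, $sb, [ref]$len)) { $sb.ToString() } else { '<unknown>' }
            [void][Win32.Proc]::CloseHandle($h)
            $alive[$id] = $image
        } elseif ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
            $alive[$id] = '<access denied: protected process>'
        }
        # any other error (ERROR_INVALID_PARAMETER) means no such process: skip
    }
    return $alive
}

function Find-HiddenProcesses {
    $low = Get-LowLevelPids

    # High-level view from two independent user-mode paths that share one kernel source.
    $high = @{}
    Get-Process | ForEach-Object { $high[[int]$_.Id] = $true }
    Get-CimInstance Win32_Process | ForEach-Object { $high[[int]$_.ProcessId] = $true }

    # Second low-level sample: a PID must be alive before AND after the high-level
    # enumeration to count, which filters processes that started or exited in between.
    $low2 = Get-LowLevelPids

    foreach ($id in $low.Keys) {
        if ($low2.ContainsKey($id) -and -not $high.ContainsKey($id)) {
            [pscustomobject]@{ PID = $id; Image = $low[$id] }
        }
    }
}

$hits = @(Find-HiddenProcesses)
if ($hits.Count -eq 0) { 'No PIDs visible to OpenProcess but missing from the process list.' }
else { $hits | Format-Table -AutoSize }
```

A hit here is a lead, not proof: confirm it with a second independent view (a memory image analysed offline, or a boot from clean media) before drawing conclusions. The reverse is also true, and is the reason the reinstall advice in the comment above stands: a rootkit that hooks `OpenProcess`'s kernel path as well will pass this check, so a clean result from any tool run on the compromised kernel is only as trustworthy as that kernel.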