Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Inside Story of the Kelihos Takedown

Posted by samzenpus on from the with-a-little-help-from-my-friends dept.

Trailrunner7 writes "Earlier this week, Microsoft released an announcement about the disruption of the Kelihos botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams, and distributed denial-of-service attacks. The botnet had a complex, multi-tiered architecture as well as a custom communication protocol and three-level encryption. Kaspersky Lab researchers did the heavy lifting, reversing the protocol and cracking the encryption and then sink-holing the botnet. The company worked closely with Microsoft's Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system."

83 comments

  1. Uhm... by Black+Parrot · · Score: 0, Offtopic

    I think if I were Kapersky Labs, I wouldn't be advertising the fact that I was in on this kind of thing.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:Uhm... by joelleo · · Score: 1

      Thankfully you're not Kaspersky Labs. I like the details they've provided.

      out of curiosity, why wouldn't you advertise the fact that you, a security team, were involved in the takedown of a security threat?

      --
      "In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
    2. Re:Uhm... by Anonymous Coward · · Score: 2, Interesting

      Because these botnets are run by, or closely work with, organised crime organisations.

      If the become a big enough problem and cause enough damage then said organisations will probably have no qualms bringing the fight into meatspace.

      Would Kapersky continue doing this if one of their employees was murdered in retaliation?

    3. Re:Uhm... by Fluffeh · · Score: 2

      Because the owners of these things are rather shady criminal types at best and you taking away their shiny thing that makes them tons of money is a great way of attracting attention of their underlings who come visit you and do shady criminal things to your knees at best.

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    4. Re:Uhm... by mkiwi · · Score: 1

      So in other words, we have large corporations vs. organized crime. I fail to see how Kapersky and Microsoft lose.

    5. Re:Uhm... by boxxertrumps · · Score: 1

      They probably would continue. Otherwise, the terrorists win.

    6. Re:Uhm... by Anonymous Coward · · Score: 0

      "large corporations vs. organized crime"
      I fail to see your distinction.
      That's like saying politicians VS corrupt politicians...one and the same.

    7. Re:Uhm... by Anonymous Coward · · Score: 2, Funny

      So in other words, we have large corporations vs. organized crime. I fail to see how Kapersky and Microsoft lose.

      Um.. probably because large corporations always win.

      Going to get down modded for WOOSH. Just watch.

    8. Re:Uhm... by LordLimecat · · Score: 1, Insightful

      Such a sentiment kind of falls flat on its face when the 2 big corps in question are kind of undeniably the good guys in this story. Possibly save your bile for the next time a MS anti-trust issue comes up, but in this article kindly keep your trap shut.

      Good actions should be lauded, not condemned by ignorant slashdotters.

    9. Re:Uhm... by PopeRatzo · · Score: 2

      Because the owners of these things are rather shady criminal types at best and you taking away their shiny thing that makes them tons of money is a great way of attracting attention of their underlings who come visit you and do shady criminal things to your knees at best.

      There's so much money to be made that I doubt they've got time to be out breaking knees of corporate types. That just brings unwanted attention and heat.

      They'll move on to something else, something probably more lucrative. They know that the Kaspersky's of the world can only play catch-up. For now. I believe one of the big changes we're going to see in the near to mid-future is the removal of the "organized crime" types from computer crime and their replacement by "legitimate" businesses. That's how all these things work. Look at Facebook. Who has to break the law when people will line up to give you all their information? The data that the maffiya types are stealing today will be collected legally tomorrow (or later today).

      --
      You are welcome on my lawn.
    10. Re:Uhm... by Hylandr · · Score: 0, Troll

      Good actions lauded yes, but scant praise can be found for a rapist that has just helped a granny across the street. Nor does a few acts of benevolence outweigh a lifetime of ill-deeds.

      These items are all debatable and often subject to public opinion, but one thing is certain; for the time being we all have the right to express ourselves, being a free country and all. You have no authority to tell anyone to keep their trap shut.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    11. Re:Uhm... by ozmanjusri · · Score: 0

      Good actions should be lauded, not condemned by ignorant slashdotters.

      I like your thinking:

      1. Create huge problem
      2. Fix tiny part of huge problem
      3. Receive accolades from intelligent Slashdotters
      4. ???
      5. Profit. (actually, this was concurrent with Step One)
      --
      "I've got more toys than Teruhisa Kitahara."
    12. Re:Uhm... by Anonymous Coward · · Score: 1

      The companies don't lose, but the employees can.

    13. Re:Uhm... by ozmanjusri · · Score: 2

      Because the owners of these things are rather shady criminal types at best

      Microsoft is a publicly listed company, Ballmer's not the owner, he's just the CEO.

      --
      "I've got more toys than Teruhisa Kitahara."
    14. Re:Uhm... by RMH101 · · Score: 1

      Contrast to Stuxnet. Langner Communications, who are a small outfit of a few people, first started analysing it.
      "Langner also realized after analyzing the Stuxnet code that it was designed to disable a particular nuclear facility in Iran. That's serious business, he figured. Some Iranian nuclear scientists, he remembered, had been mysteriously killed. Langner published his findings anyway."

      If someone (let's just say for example the US Government) were to devote years of work to creating a worm so advanced that researchers said it looked "like alien technology" and I was a small firm who first noticed it, I'm not sure I'd be as brave...

    15. Re:Uhm... by PopeRatzo · · Score: 1

      Some Iranian nuclear scientists, he remembered, had been mysteriously killed.

      Wait, Iranian killing someone is hardly an argument. He might have seen someone's wife without her veil or missed afternoon prayers or driven 38 in a 40 mph zone. Maybe he dropped a centrifuge on his foot and hollered "Allah damn it!" Come on, they just gave a woman 40 lashes for updating her Facebook page.

      If someone (let's just say for example the US Government) were to devote years of work to creating a worm so advanced that researchers said it looked "like alien technology" and I was a small firm who first noticed it, I'm not sure I'd be as brave...

      And if Superman and Green Lantern had a fight over who was more ripped, and Green Lantern used his ring to make a giant hammer and he swung it at Superman and then Superman dodged and the giant hammer hit the Sears Tower and I was on the Blue Line train just leaving the Halsted Street Station with hot supermodel on my lap and saw the Sears Tower crash down along the Eisenhower Expressway just feet from the train I would so have a boner. So what's your point?

      --
      You are welcome on my lawn.
    16. Re:Uhm... by LordLimecat · · Score: 1

      Fix tiny part of huge problem

      So in your opinion, none of the security fixes in Vista / Seven count for anything?

      As long as flash and java continue to have terrible security flaws, Microsoft is liable for the consequences?

    17. Re:Uhm... by Hylandr · · Score: 1

      I have said it before, and I will say it again. Slashdot needs an astroturf rating.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  2. Microsoft Digital Crimes Unit by uufnord · · Score: 2, Funny

    ... what, do they arrest themselves?

    1. Re:Microsoft Digital Crimes Unit by Megaweapon · · Score: 3, Funny

      I wonder if they ever caught the guy responsible for Windows ME.

      --
      I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    2. Re:Microsoft Digital Crimes Unit by Ihmhi · · Score: 1

      No, sadly he died. He was coding with a BAC of 0.21 and ran his desk into a tree.

      --
      Random Thoughts From A Diseased Mind (Not For Dummies)
    3. Re:Microsoft Digital Crimes Unit by jamiesan · · Score: 1

      I hear NBC has a new show about these guys. Law and Order DCU.

  3. Created by Dick Wolf by MobileTatsu-NJG · · Score: 4, Funny

    "The company worked closely with Microsoft's Digital Crimes Unit (DCU)...."

    These are their stories.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    1. Re:Created by Dick Wolf by maxume · · Score: 1

      No, it's like the CTU, where they commit righteous atrocities in the name of justice.

      --
      Nerd rage is the funniest rage.
    2. Re:Created by Dick Wolf by gijoel · · Score: 2

      Doink Doink

  4. you sunk my botnet! by cheeks5965 · · Score: 1

    fsck, man, do you know how long it took me to set up that botnet? get it just how I wanted it? now i gotta start all over.

    --
    -- Flame me and I will happily flame you back. Bring it!
    1. Re:you sunk my botnet! by cheeks5965 · · Score: 1

      go back to russia, you mafioso!

      --
      -- Flame me and I will happily flame you back. Bring it!
    2. Re:you sunk my botnet! by John+Hasler · · Score: 1

      > now i gotta start all over.

      No you don't. In the next phase of the operation (it won't be publicized) they will work with a different, less well-known Russian "security" organization. In that phase it won't be the botnet that gets "taken down".

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  5. Encryption cracking? by Anonymous Coward · · Score: 1

    Isn't that in violation of the DMCA?

    1. Re:Encryption cracking? by arthurpaliden · · Score: 1

      So sue me.

      --
      Undetectable Steganography? Yep, there's an app fo
  6. They sound like the good guys for once. by ludomancer · · Score: 2

    I don't think I have EVER read a story about internet security where they weren't attacking some kid on a college campus for sharing music, or blaming someones grandfather of childporn. This is actually a refreshing story for a change.

    1. Re:They sound like the good guys for once. by Anonymous Coward · · Score: 1

      Don't read much, do you...

    2. Re:They sound like the good guys for once. by Anonymous Coward · · Score: 0

      I don't think I have EVER read a story about internet security where they weren't attacking some kid on a college campus for sharing music, or blaming someones grandfather of childporn. This is actually a refreshing story for a change.

      You clearly don't read enough internet security stories. That aside, "sharing" music i.e. downloading it for free and/or making it freely available to millions of other people is illegal, whether you're a college kid or not. Childporn is also illegal, whether you're someone's grandfather or not.

  7. Microsoft cleans up the mess it created. by QuietLagoon · · Score: 0
    It is nice to see Microsoft clean up the malware mess that is endemic in the Windows world. Microsoft Windows has always looked to me as if it were designed with a features are more important than security attitude. Now that the ramifications of that design strategy are coming home to roost, Microsoft is participating in the fight against the very criminal element that Microsoft allowed to blossom.

    .
    Thank-you Microsoft. It is about time.

    1. Re:Microsoft cleans up the mess it created. by Anonymous Coward · · Score: 3, Insightful

      Yeah because nobody else has a security problem with their software or setup.

      http://kernel.org/ (How long has it been now?)

      Wake me up when everyone grows up and realizes how hard our jobs truly are.

    2. Re:Microsoft cleans up the mess it created. by Anonymous Coward · · Score: 1, Insightful

      I can't even believe this type of garbage is still posted here. Here, let me enlighten you a bit. Windows is target of choice *because it is popular* and it has a *stable* API. The second tends to be a requirement for the former.

      If another OS had cracked the 20% market share, you better believe it you would see it targeted too. OS X only recently is getting some attention here, but only by very minor group of criminals, after all, 7% does not constitute a large userbase.

      Finally, ALL the exploits on desktop start off as exploits vs. one of the apps running, like Firefox or Office or Acrobat or whatever is popular.

      I guess success is MS's fault, while "secure" OS X enjoys unpatched PDF exploits for years or iOS "handy" remote rooting, I mean jailbreaking, by simply visiting a website.

    3. Re:Microsoft cleans up the mess it created. by Anonymous Coward · · Score: 1

      It's not simply API stability that counts here. ABI is far far more useful. Microsoft's is so homogeneous that you can even count on being able to hot-patch library binaries.

    4. Re:Microsoft cleans up the mess it created. by cheater512 · · Score: 1

      How does kernel.org being down affect me or my servers? It doesn't really.

      How does Windows affect me and my servers? Yup. A hell of a lot more.

    5. Re:Microsoft cleans up the mess it created. by Artifakt · · Score: 1

      It's not simply a matter of popularity, but go on posting anonymously and making it personal if you really think you need to enlighten me.
      Here's why:
        1. UNIX based systems are used on a lot of business and banking facilities, which are much more valuable targets for some purposes than the typical home machine. If you want a botnet, yeah, you're going to prioritize having large numbers above many other considerations, but that would mean other types of cracking would not necessarily follow the same pattern, yet they generally do, within a few percent.
                  If you can explain why, for example, the servers that hold data on 10,000+ clients get subjected to successful attacks in almost exactly the same proportions as home machines, heavily 'favoring' Microsoft, yet the various UNIX related operating systems are much, much more common there, then you can claim popularity makes all, or even much of, the difference.
                    For another example, why didn't Apple cracking go up when i-tunes was first introduced, or when any other Apple product showed a big spike in popularity? Why, knowing Apples get a lot of use in Hollywood for film editing and art, don't the people who bootleg video workprints and such target Apples more there - a place where they are quite popular?
                    For another, certain brands of routers and networking gear are much more common than others and actually have a market share similar to MS vrs. their competition - why doesn't popularity there translate into anything like proportionately more exploits?
      2. Microsoft set its own standards for API access, and several other things, and Microsoft chose to allow certain third party corporations such as Norton to do things in non-standard ways (again, non-standard and SUB-STANDARD to MS's own internally written rules, not to some other standards MS didn't really want to deal with anyway). Microsoft chose to give some third party software its "Windows Compatible" and higher seals of approval and let them use those in their advertising and packaging without vetting their code at all first, instead of insisting they first write to the specs to get them, and this opened up some specific holes for intrusion, simply because the best fixes for those attacks would have made third party product X also non-compatible. Microsoft's marketing, wanting to be able to boast of how much software ran on Windows, overrode the engineering department repeatedly to create that vulnerability. Even if it were true that ALL desktop exploits start off as exploits against apps, the way Microsoft dealt with some apps contributed to the problem. Just the the choice way back in the Win 95 days, to allow putting all sorts of third party app data in the registry instead of individual .ini's in the same directory as the third party owners, contributed to the system vulnerability. That this kept happening at least through XP, and by some accounts into the Vista years, has created a lot of momentum for Windows crackers.

      --
      Who is John Cabal?
    6. Re:Microsoft cleans up the mess it created. by Gadget_Guy · · Score: 1

      If you can explain why, for example, the servers that hold data on 10,000+ clients get subjected to successful attacks in almost exactly the same proportions as home machines, heavily 'favoring' Microsoft, yet the various UNIX related operating systems are much, much more common there, then you can claim popularity makes all, or even much of, the difference.

      What is the difference between a large server and a home user? It is the person sitting behind the keyboard. On one hand you have a highly qualified person who knows that they have a valuable system and who spends a lot if time locking down and testing the system.

      On the other hand you have an average Joe who thinks their system would never be targeted by hackers, and who downloads and runs any random screensaver or funny program that gets sent to them without a second thought.

      The biggest obstacle to security is not the operating system, but the people who don't care about it; the people who run as an administrator account (which they haven't needed to do for a decade), with security turned off (like UAC) because they do not want to be inconvenienced, and with lots of programs installed instead of the bare minimum needed to get the job done.

      All of this also explains why routers are not as compromised as desktop systems. Once again they are setup by professionals with an eye to security. They also have a limited number of apps on them. Finally they do not have the market share of Windows. You cannot compare their marketshare vs their competition because that is meaningless.

      Why, knowing Apples get a lot of use in Hollywood for film editing and art, don't the people who bootleg video workprints and such target Apples more there - a place where they are quite popular?

      Because they are not connected to the Internet. Because getting the timing right to luck onto the tiny window of opportunity to find a finished copy on one of these machines (and not just the unedited footage) would be impossible. Because the file size of the movies made for cinema release would be unfeasible to transfer over the Internet without being noticed. Because it is easier to get it other ways, like the discs distributed around the company or to awards judges. There is no point wasting time trying to hack those systems when there are too many variables, too many other easier options and too much chance that any security hole would be found and patched before you managed to transfer a single movie.

      As for all you rubbish about Microsoft's APIs, can you name a product that received the official "Windows Compatable" logo whilst using non-standard APIs that caused a security hole. How many people here think that Microsoft should have had veto control over all the third party apps made for Windows? Imagine the outcry if Mcrosoft had refused to allow a competitor's software to be run on their OS. There are still enough people citing the time that a beta version of Windows would not run on DR-DOS!

    7. Re:Microsoft cleans up the mess it created. by ozmanjusri · · Score: 0

      What is the difference between a large server and a home user? It is the person sitting behind the keyboard.

      Ah, Microsoft apologists. As hilarious as they are delusional...

      --
      "I've got more toys than Teruhisa Kitahara."
    8. Re:Microsoft cleans up the mess it created. by Gadget_Guy · · Score: 1

      Ah, Microsoft apologists. As hilarious as they are delusional...

      Wow, you are really not aiming for an insightful mod there! You can't actually come up with any valid discussion points, so you just go for insults. You might think that you are being anti-Microsoft, but in fact you are being anti-IT professional.

      Do you seriously suggest that a system that is carefully put together with security in mind by a trained professional will be equally secure as one run by a person with no training and no interest doing anything but the bare minimum default installation? If so, then we might as well sack all the IT staff and let the clueless managers run the computers!

      If your entire thought process in regards to computer security is just to avoid Microsoft and you will be fine, then you are doing your users a major disservice. Non-Microsoft systems do get hacked - even the original poster agrees with that. A lot of the time that you hear about those hacks, it turns out it is due to some entirely silly and preventable reason like using a default password for something (or none at all). Who is more likely to make that sort of mistake: someone who is a dedicated system administrator who has a security plan, or someone who just wants to quickly get their OS installation out of the way so they can start downloading porn?

    9. Re:Microsoft cleans up the mess it created. by mikerubin · · Score: 2

      "Microsoft is participating in the fight against the very criminal element that Microsoft allowed to blossom"

      Microsoft is Iron Man?

      --
      I sat down to write a new sig tonight and all I did was make the chair warm.
    10. Re:Microsoft cleans up the mess it created. by m50d · · Score: 1

      Finally, ALL the exploits on desktop start off as exploits vs. one of the apps running, like Firefox or Office or Acrobat or whatever is popular.

      Nope. Some of them start off as exploits vs. the OS TCP stack, or OS-provided libraries or programs.

      --
      I am trolling
    11. Re:Microsoft cleans up the mess it created. by Richard_at_work · · Score: 1

      I will take it as selective memory that you make no mention of the hugely popular Sendmail and BIND daemons, and their historically similarly hugely popular security issues...? UNIX had its problems in its day as well.

    12. Re:Microsoft cleans up the mess it created. by Anonymous Coward · · Score: 0

      It does and let me explain.

      Microsoft is installed on millions and millions of computers and they obviously can't keep basic security things in check sometimes but if you can't take the most secure operating system on the planet (or close) and secure one server or set of servers then how can it be any safer?

  8. soo what about the dictator of Tunisia by decora · · Score: 1

    when he was running around stealing people's personal information?

    oh wait. that was a business opportunity for Microsoft.

    1. Re:soo what about the dictator of Tunisia by Anonymous Coward · · Score: 0

      PROTIP: We are talking about information! Not matter/energy.
      It is physically impossible to own, steal or sell information.
      You can steal a matter/energy that happens to contain information. But for information alone, all you can do is make a copy. Which means the original is still in place. Hence it's not stolen.

      So please don't use those distortions of the meanings of words that the organized crime uses for their racketeering scheme.

      Thanks.

  9. all totally legal! by decora · · Score: 1

    no vigilantism here. doo de doo. nope. not a bit.

    1. Re:all totally legal! by Anonymous Coward · · Score: 1

      The term vigilante comes from what again?

      Oh yeah, committees of vigilance who were concerned citizens dealing with the problem of a lack of effective law enforcement.

      But really, do you think that Microsoft and Kaspersky aren't working with the FBI, Secret Service, and everybody else concerned?

  10. The last paragraph is priceless by edremy · · Score: 1
    "Interestingly, there is one other theoretical option to ultimately get rid of Hlux: we know how the bot's update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries and will thus remain theory."

    How nice that this will only remain theoretical. Why, it would be awful if they experimented with this method of killing botnets. But I'm sure they're completely honest when they say they'd never do that, ever.

    --
    "Seven Deadly Sins? I thought it was a to-do list!"
    1. Re:The last paragraph is priceless by Amouth · · Score: 2

      remember code red? remember code Green?

      but they are correct - it would be illegal and would also be wrong. best to take down the C&C and let the lifeless and there for useless net slowly get formatted into non existence.

      although i'm waiting for the creative bot net that puts a self destruct in - wiping the box if it can't contact the C&C for an extended time (say 2 weeks) so that the security people get stuck with the possibility of destroying peoples data.

      maybe i shouldn't give them any ideas.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    2. Re:The last paragraph is priceless by bloodhawk · · Score: 1

      although i'm waiting for the creative bot net that puts a self destruct in - wiping the box if it can't contact the C&C for an extended time (say 2 weeks) so that the security people get stuck with the possibility of destroying peoples data.

      maybe i shouldn't give them any ideas.

      If that did that I think it would be a blessing, the people infected with these bots have become that way due to their own irresponsible or uneducated behaviour and are a danger to themselves and others, it is far better they are forced to do something about their machine than continue to live in ignorance, perhaps it might teach them that downloading untrustworthy shit is a stupid idea (I doubt it, but one can hope)

    3. Re:The last paragraph is priceless by UnresolvedExternal · · Score: 2

      Deary me... so every plumber and psychologist should read the kernel mailing list?

      People (generally) care even less about more important stuff (read: general imploision of global economic finance) than there computer being "kinda wierd when I go on facebook and stuff"

      So anyway, you get around to fixing that leaky tap in the bathroom lately?

  11. Re:Fuck fuck fuck fuck shut up yo! Serially! by Anonymous Coward · · Score: 2, Funny

    Was it 867-5309?

  12. And Microsoft did... by Alex+Belits · · Score: 0

    ...what exactly?

    Other than writing a vulnerable OS, I mean.

    --
    Contrary to the popular belief, there indeed is no God.
    1. Re:And Microsoft did... by garyebickford · · Score: 2

      ...what exactly?

      Other than writing a vulnerable OS, I mean.

      In all fairness, there ain't no other kind. Anyone who thinks otherwise is whistling past the graveyard. True, some are better than others, but that's comparing nearly-completely-immune-compromised with not-quite-completely-immune-compromised. In both cases it doesn't take much exposure to make you very sick - but some are not exposed as often. Running an obscure OS that nobody else runs, which is merely a form of security by obscurity, is still probably helping more than the particulars of the OS itself.

      The human genome is a pretty good example. As much as 10% and maybe a lot more of it is comprised of various bits of old viruses, transposons (there are about 300,000 copies of just one particular transposon) and other parasitic or predatory genetic bits. That's the result of eons of genetic system wars. Similarly, OS security wars are going to be with us forever - or at least as long as there are still entities that find benefit in exploitation of others.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
    2. Re:And Microsoft did... by Anonymous Coward · · Score: 0

      Rather have a vulnerable OS that does something than an invulnerable OS that does nothing.

    3. Re:And Microsoft did... by Alex+Belits · · Score: 2

      I mean, what exactly did Microsoft do that is in any way related to bringing down this botnet? From the description it looks like Kaspersky Labs did everything, and Microsoft just beaten its chest really hard.

      --
      Contrary to the popular belief, there indeed is no God.
    4. Re:And Microsoft did... by Travelsonic · · Score: 1

      #ifndef nothing_h #define nothing_h
      PROTIP: Not doing what you want, or not doing what you want YET =/= doing nothing.

      --
      If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
  13. Apple? by Anonymous Coward · · Score: 0

    Where was apple during all of this?

    1. Re:Apple? by postbigbang · · Score: 2

      Uh, they were not involved as they weren't a target. Note the keyword in the post regarding the word: registry, which Apple currently doesn't have. It has things that are similar, but their security architecture is vastly different than that of Windows.

      --
      ---- Teach Peace. It's Cheaper Than War.
  14. Re:Microsoft cleans up the mess it created .. by CalcuttaWala · · Score: 0

    "Microsoft is participating in the fight against the very criminal element that Microsoft allowed to blossom." Just as the United States is now fighting against the Taliban and the Islamist terrorists in Afghanistan and Pakistan whom it once allowed, encouraged and paid money to, to blossom !

    --
    Insight into much, Influence over nothing !
  15. Messes from 8+ years ago, maybe. by SexyKellyOsbourne · · Score: 2, Interesting

    I would agree with this if this was posted sometime circa 2005 or before, but that really isn't the case now.

    This malware and others like it can only take over if you open an e-mail, go to a bad website, download a bad executable, and run it. Let's break that down.

    E-Mail: Any credible ISP and any web-based e-mail service (Yahoo/Gmail/Hotmail) will filter botnet spam. Even if you find said botnet e-mail in your spam folder and try to go to it, any modern web or desktop e-mail client will still warn you like hell.

    Browser: Internet Explorer 8 has a malware filter enabled by default (SmartScreen). You get a horrible warning if you try to access malware, and an even worse one if you try to download an executable flagged as malware. IE8 is freely available for XP users, and every mainstream website in the world (including MSFT's) will nag you to upgrade, as most (Youtube/Facebook/Google) don't even support XP's default of IE6 anymore.

    OS/User Access: Windows Vista is nearly 5 years old now and included proper user-mode access to the system (UAC) by default. Try to run something that will do something horrible like Kelihos will, and it will also flag a less dangerous-looking, but existent "do not run this" warning. That was improved with Windows 7, which is now 2 years old.

    Patches on XP: Anything since XP SP2 (August 2004?) will not only nag for Windows update, but even forcibly reboot your system after enough idle time if what needs to be patched could open the door for botnets. Like with any of the years before listed, any retail PC sold since then will have that. Patches on XP won't fix everything, but the patches (Malicious Software Removal Tool) will typically circumvent well-known botnets.

    Conclusion: I would say almost the entirety of the 41,000 systems affected had somehow went ridiculously unpatched for years. We're probably talking Windows 2000 systems. And Linux/BSD was always better as a baseline, but run it unpatched at any such similar level as described, and it will have even worse SSH server vulnerabilities for starters.

  16. Self Destruct = Forced Upgrade by SexyKellyOsbourne · · Score: 1

    And remember, Code Red/Green are 10 years old. :)

    Wikipedia: The Code Red worm was a computer worm observed on the Internet on July 13, 2001.
    Securelist: Net-Worm.Win32.CodeGreen.a, Detected: Sep 14 2001 09:23 GMT
    Microsoft: Patch Q300972, [fix] Originally posted: June 18, 2001

    1. Re:Self Destruct = Forced Upgrade by Amouth · · Score: 2

      yes - Code green was a work that used the exact same exploit as code red except it patch the hole and then spread it's self in the same manner as code red. but if the box was rebooted then code green would be gone and the box would be patched.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  17. But MSFT destroying industrial systems? by SexyKellyOsbourne · · Score: 1

    As for legality, extreme legacy software and hardware is still often used in industrial plants. The claims against MSFT for purposefully wiping one of those systems and shutting down the lines for weeks would be huge.

    Whoever wrote that is probably smarter than thinking doing that will just wipe some old Pentium 2's still out in the wild that'll get replaced with a Win7 laptop the next time a social security check is cashed.

  18. That's how many now? by jthill · · Score: 1

    I haven't been paying enough attention to count them any more. How many botnets have Microsoft been in on the kill for now?

    --
    As always, all IMO. Insert "I think" everywhere grammatically possible.
  19. No information about cracking the encryption by Mattpw · · Score: 1

    I see they made some tools to analyze the traffic but no information about actually cracking any encryption. Seems to me this was mostly about hijacking and sinkholing contact peer domain lists. Perhaps they left out pertinant bits for their own safety but from reading this the controllers could bypass the sinkhole if their backup list was implemented correctly.

    1. Re:No information about cracking the encryption by Anonymous Coward · · Score: 0

      It's not all that hard since Kasperski had full access to the receiving node of the encrypted traffic. In other words, their challenge was more comparable to cracking DRM than to breaking encryption of an intercepted data stream. And as has been demonstrated so many times in history: breaking DRM is not all that hard, even if a lot of effort is invested in the DRM scheme.

    2. Re:No information about cracking the encryption by Anonymous Coward · · Score: 1

      It's simple really. Measure the traffic of an infected machine through wireshark. Once you've isolated an address and protocol that appears to be the one the bot is communicating with, then set up a dns entry, or host file entry to resolve that suspicious address to the local machine you redirected to. Depending on the protocol, you set up http, FTP or irc services on that sinkhole machine. Let the infected machine talk to the sinkhole machine at that point, while running ollydebug, and set break points. These bots authenticate themselves, and with ollydebug capturing hex values live, you can intercept the expected password or token. Once you have that token or password, you have control of the bot. Since you now control the bot, you can use it to poison the update and backup lists of servers and move them to your own sinkhole.

    3. Re:No information about cracking the encryption by Mattpw · · Score: 1

      Thanks so much for the reply, I am relatively clueless abou the nuts and bolts. So from what you are saying they are using a sync crypto scheme where the password can be intercepted? I read in a bot master Q&A they use AES however why couldnt they just switch to async RSA or some kind of PKI based system?

  20. Re:Uhm... You've been missled by Anonymous Coward · · Score: 0

    Microsoft has signatures of every file on a windows user computer since the release of ‘service pack 3 for xp’, and this information is upload to be processed. maybe its sold to law-enforcement to catch people who collect pornography, or to the entertainment industry to find out how many people are distributing ‘loose-change’ illegally. windows defender will protect you, yea right so i’m going to install software that will scan all my files and upload this information to a server somewhere. And what is really funny is how some people will use free virus scanners.

  21. What is with the vigilante approach? by Anonymous Coward · · Score: 0

    Why do two privately owned companies hack so many computers and brag about it. Yea, they were already infected with a botnet, but pick up the phone and call the ISP and have them contact the user of the IP. That is how no ones rights get violated.

  22. First rule of cryptography by Anonymous Coward · · Score: 0

    Don't roll your own.

    Three-level cryptography sounds pretty impressive.

  23. Explain this then (Linux vs. Windows) by Anonymous Coward · · Score: 0

    Linux's kernel ALONE has 4x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH! Here's your proof(s):

    ---

    Vulnerability Report: Microsoft SQL Server 2008: (09/30/2011)

    http://secunia.com/advisories/product/21744/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (09/30/2011)

    http://secunia.com/advisories/product/17543/

    Unpatched 0% (0 of 6 Secunia advisories)

    Vulnerability Report: Microsoft Exchange Server 2010: (09/30/2011)

    http://secunia.com/advisories/product/28234/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft SharePoint Server 2010: (09/30/2011)

    http://secunia.com/advisories/product/29809/

    Unpatched 0% (0 of 3 Secunia advisories)

    Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (09/30/2011)

    http://secunia.com/advisories/product/34343/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (09/30/2011):

    http://secunia.com/advisories/product/6436/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft Office 2010: (09/30/2011)

    http://secunia.com/advisories/product/30529/?task=advisories

    Unpatched 0% (0 of 9 Secunia advisories)

    Vulnerability Report: Microsoft Project 2010: (09/30/2011)

    http://secunia.com/advisories/product/31177/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (09/30/2011)

    http://secunia.com/advisories/product/5244/

    Unpatched 0% (0 of 3 Secunia advisories)

    Vulnerability Report: Microsoft Internet Explorer 9.x: (09/30/2011)

    http://secunia.com/advisories/product/34591/

    Unpatched 0% (0 of 3 Secunia advisories)

    Vulnerability Report: Microsoft Virtual PC 2007: (09/30/2011)

    http://secunia.com/advisories/product/14315/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Visual Studio 2010: (09/30/2011)

    http://secunia.com/advisories/product/30853/?task=advisories

    Unpatched 0% (0 of 2 Secunia advisories)

    Vulnerability Report: Microsoft DirectX 10.x:
    (08/02/2011)

    http://secunia.com/advisories/product/16896/

    Unpatched 0% (0 of 3 Secunia advisories)

    Vulnerability Report: Microsoft .NET Framework 4.x
    (08/02/2011)

    http://secunia.com/advisories/product/29592/

    Unpatched 0% (0 of 7 Secunia advisories)

    Vulnerability Report: Microsoft Silverlight 4.x: (09/30/2011)

    http://secunia.com/advisories/product/28947/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (09/30/2011)

    http://s

  24. There is a better way to do this ... by bd580slashdot · · Score: 1

    Some software already does this. But better ... two types of C&C's one that causes kill if it can be contacted (left silent until needed) and one that causes kill if it can't.

  25. Re:Fuck fuck fuck fuck shut up yo! Serially! by stewbee · · Score: 1

    I got it! I got,got it. I got the number off the wall...

  26. vigilantes: criminals who by decora · · Score: 1

    operate without a judge, a jury, or a set of laws. no due process, no checks and balances. just a bunch of megacorporations, unaccountable to anyone, going out there and 'hunting down' people they dont like.

    i.e. barbarianism.

    1. Re:vigilantes: criminals who by rocket+rancher · · Score: 1

      operate without a judge, a jury, or a set of laws. no due process, no checks and balances. just a bunch of megacorporations, unaccountable to anyone, going out there and 'hunting down' people they dont like.

      i.e. barbarianism.

      operate without a judge, a jury, or a set of laws. no due process, no checks and balances. just a bunch of megacorporations, unaccountable to anyone, going out there and 'hunting down' people they dont like.

      i.e. barbarianism.

      I don't think it is that dire. Megacorporations actually are accountable, in ways that politicians can never be. You can't get accountability from somebody who has to woo the public to stay in office. Megacorps are accountable to their board of directors and to their stock holders, a far more important and influential constituency than fickle voters. I trust the CEOs of megacorporations to keep my best interest at heart far more than I trust politicians from any party, because CEOs can't hide from the bottom line. Politicians can change like the weather, reflecting the mood of their constituents, but a CEO has a come-to-Jesus moment every quarter. Accountability (and it's enabler, transparency) are anathema to political leadership for this very reason. It's taken a couple hundred years for it to become apparent in the American experiment, but the writing is on the wall. What is emerging in America is an oligarchy, where accountability and transparency are woven into the economic fabric of the society, and aren't merely tacked on by easily loopholed legislation which is then weakly (if at all) enforced by politically-appointed judges.

    2. Re:vigilantes: criminals who by rocket+rancher · · Score: 1

      rats...I really didn't need to include the parent twice. :(