The Inside Story of the Kelihos Takedown
Trailrunner7 writes "Earlier this week, Microsoft released an announcement about the disruption of the Kelihos botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams, and distributed denial-of-service attacks. The botnet had a complex, multi-tiered architecture as well as a custom communication protocol and three-level encryption. Kaspersky Lab researchers did the heavy lifting, reversing the protocol and cracking the encryption and then sink-holing the botnet. The company worked closely with Microsoft's Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system."
Thankfully you're not Kaspersky Labs. I like the details they've provided.
out of curiosity, why wouldn't you advertise the fact that you, a security team, were involved in the takedown of a security threat?
"In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
... what, do they arrest themselves?
"The company worked closely with Microsoft's Digital Crimes Unit (DCU)...."
These are their stories.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
fsck, man, do you know how long it took me to set up that botnet? get it just how I wanted it? now i gotta start all over.
-- Flame me and I will happily flame you back. Bring it!
Because these botnets are run by, or closely work with, organised crime organisations.
If they become a big enough problem and cause enough damage then said organisations will probably have no qualms bringing the fight into meatspace.
Would Kaspersky continue doing this if one of their employees was murdered in retaliation?
Because the owners of these things are rather shady criminal types at best and you taking away their shiny thing that makes them tons of money is a great way of attracting attention of their underlings who come visit you and do shady criminal things to your knees at best.
Moved to http://soylentnews.org/. You are invited to join us too!
Isn't that in violation of the DMCA?
So in other words, we have large corporations vs. organized crime. I fail to see how Kaspersky and Microsoft lose.
I don't think I have EVER read a story about internet security where they weren't attacking some kid on a college campus for sharing music, or blaming someone's grandfather for child porn. This is actually a refreshing story for a change.
They probably would continue. Otherwise, the terrorists win.
So in other words, we have large corporations vs. organized crime. I fail to see how Kaspersky and Microsoft lose.
Um.. probably because large corporations always win.
Going to get down modded for WOOSH. Just watch.
when he was running around stealing people's personal information?
oh wait. that was a business opportunity for Microsoft.
no vigilantism here. doo de doo. nope. not a bit.
How nice that this will only remain theoretical. Why, it would be awful if they experimented with this method of killing botnets. But I'm sure they're completely honest when they say they'd never do that, ever.
"Seven Deadly Sins? I thought it was a to-do list!"
Such a sentiment kind of falls flat on its face when the 2 big corps in question are kind of undeniably the good guys in this story. Possibly save your bile for the next time a MS anti-trust issue comes up, but in this article kindly keep your trap shut.
Good actions should be lauded, not condemned by ignorant slashdotters.
Was it 867-5309?
Yeah because nobody else has a security problem with their software or setup.
http://kernel.org/ (How long has it been now?)
Wake me up when everyone grows up and realizes how hard our jobs truly are.
Uh, they were not involved as they weren't a target. Note the keyword in the post regarding the word: registry, which Apple currently doesn't have. It has things that are similar, but their security architecture is vastly different from that of Windows.
---- Teach Peace. It's Cheaper Than War.
There's so much money to be made that I doubt they've got time to be out breaking knees of corporate types. That just brings unwanted attention and heat.
They'll move on to something else, something probably more lucrative. They know that the Kaspersky's of the world can only play catch-up. For now. I believe one of the big changes we're going to see in the near to mid-future is the removal of the "organized crime" types from computer crime and their replacement by "legitimate" businesses. That's how all these things work. Look at Facebook. Who has to break the law when people will line up to give you all their information? The data that the maffiya types are stealing today will be collected legally tomorrow (or later today).
You are welcome on my lawn.
I would agree with this if this was posted sometime circa 2005 or before, but that really isn't the case now.
This malware and others like it can only take over if you open an e-mail, go to a bad website, download a bad executable, and run it. Let's break that down.
E-Mail: Any credible ISP and any web-based e-mail service (Yahoo/Gmail/Hotmail) will filter botnet spam. Even if you find said botnet e-mail in your spam folder and try to go to it, any modern web or desktop e-mail client will still warn you like hell.
Browser: Internet Explorer 8 has a malware filter enabled by default (SmartScreen). You get a horrible warning if you try to access malware, and an even worse one if you try to download an executable flagged as malware. IE8 is freely available for XP users, and every mainstream website in the world (including MSFT's) will nag you to upgrade, as most (Youtube/Facebook/Google) don't even support XP's default of IE6 anymore.
OS/User Access: Windows Vista is nearly 5 years old now and included proper user-mode access to the system (UAC) by default. Try to run something that will do something horrible like Kelihos will, and it will also flag a less dangerous-looking, but existent "do not run this" warning. That was improved with Windows 7, which is now 2 years old.
Patches on XP: Anything since XP SP2 (August 2004?) will not only nag for Windows update, but even forcibly reboot your system after enough idle time if what needs to be patched could open the door for botnets. Like with any of the years before listed, any retail PC sold since then will have that. Patches on XP won't fix everything, but the patches (Malicious Software Removal Tool) will typically circumvent well-known botnets.
Conclusion: I would say almost the entirety of the 41,000 systems affected had somehow gone ridiculously unpatched for years. We're probably talking Windows 2000 systems. And Linux/BSD was always better as a baseline, but run it unpatched at any such similar level as described, and it will have even worse SSH server vulnerabilities for starters.
I can't even believe this type of garbage is still posted here. Here, let me enlighten you a bit. Windows is target of choice *because it is popular* and it has a *stable* API. The second tends to be a requirement for the former.
If another OS had cracked the 20% market share, you better believe it you would see it targeted too. OS X only recently is getting some attention here, but only by a very minor group of criminals; after all, 7% does not constitute a large userbase.
Finally, ALL the exploits on desktop start off as exploits vs. one of the apps running, like Firefox or Office or Acrobat or whatever is popular.
I guess success is MS's fault, while "secure" OS X enjoys unpatched PDF exploits for years or iOS "handy" remote rooting, I mean jailbreaking, by simply visiting a website.
It's not simply API stability that counts here. ABI is far far more useful. Microsoft's is so homogeneous that you can even count on being able to hot-patch library binaries.
How does kernel.org being down affect me or my servers? It doesn't really.
How does Windows affect me and my servers? Yup. A hell of a lot more.
And remember, Code Red/Green are 10 years old. :)
Wikipedia: The Code Red worm was a computer worm observed on the Internet on July 13, 2001.
Securelist: Net-Worm.Win32.CodeGreen.a, Detected: Sep 14 2001 09:23 GMT
Microsoft: Patch Q300972, [fix] Originally posted: June 18, 2001
As for legality, extreme legacy software and hardware is still often used in industrial plants. The claims against MSFT for purposefully wiping one of those systems and shutting down the lines for weeks would be huge.
Whoever wrote that is probably smarter than thinking doing that will just wipe some old Pentium 2's still out in the wild that'll get replaced with a Win7 laptop the next time a social security check is cashed.
...what exactly?
Other than writing a vulnerable OS, I mean.
In all fairness, there ain't no other kind. Anyone who thinks otherwise is whistling past the graveyard. True, some are better than others, but that's comparing nearly-completely-immune-compromised with not-quite-completely-immune-compromised. In both cases it doesn't take much exposure to make you very sick - but some are not exposed as often. Running an obscure OS that nobody else runs, which is merely a form of security by obscurity, is still probably helping more than the particulars of the OS itself.
The human genome is a pretty good example. As much as 10% and maybe a lot more of it is comprised of various bits of old viruses, transposons (there are about 300,000 copies of just one particular transposon) and other parasitic or predatory genetic bits. That's the result of eons of genetic system wars. Similarly, OS security wars are going to be with us forever - or at least as long as there are still entities that find benefit in exploitation of others.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
It's not simply a matter of popularity, but go on posting anonymously and making it personal if you really think you need to enlighten me.
Here's why:
1. UNIX based systems are used on a lot of business and banking facilities, which are much more valuable targets for some purposes than the typical home machine. If you want a botnet, yeah, you're going to prioritize having large numbers above many other considerations, but that would mean other types of cracking would not necessarily follow the same pattern, yet they generally do, within a few percent.
If you can explain why, for example, the servers that hold data on 10,000+ clients get subjected to successful attacks in almost exactly the same proportions as home machines, heavily 'favoring' Microsoft, yet the various UNIX related operating systems are much, much more common there, then you can claim popularity makes all, or even much of, the difference.
For another example, why didn't Apple cracking go up when iTunes was first introduced, or when any other Apple product showed a big spike in popularity? Why, knowing Apples get a lot of use in Hollywood for film editing and art, don't the people who bootleg video workprints and such target Apples more there - a place where they are quite popular?
For another, certain brands of routers and networking gear are much more common than others and actually have a market share similar to MS vs. their competition - why doesn't popularity there translate into anything like proportionately more exploits?
2. Microsoft set its own standards for API access, and several other things, and Microsoft chose to allow certain third party corporations such as Norton to do things in non-standard ways (again, non-standard and SUB-STANDARD to MS's own internally written rules, not to some other standards MS didn't really want to deal with anyway). Microsoft chose to give some third party software its "Windows Compatible" and higher seals of approval and let them use those in their advertising and packaging without vetting their code at all first, instead of insisting they first write to the specs to get them, and this opened up some specific holes for intrusion, simply because the best fixes for those attacks would have made third party product X also non-compatible. Microsoft's marketing, wanting to be able to boast of how much software ran on Windows, overrode the engineering department repeatedly to create that vulnerability. Even if it were true that ALL desktop exploits start off as exploits against apps, the way Microsoft dealt with some apps contributed to the problem. Just the choice way back in the Win 95 days, to allow putting all sorts of third party app data in the registry instead of individual .ini's in the same directory as the third party owners, contributed to the system vulnerability. That this kept happening at least through XP, and by some accounts into the Vista years, has created a lot of momentum for Windows crackers.
Who is John Cabal?
The companies don't lose, but the employees can.
I haven't been paying enough attention to count them any more. How many botnets have Microsoft been in on the kill for now?
As always, all IMO. Insert "I think" everywhere grammatically possible.
I see they made some tools to analyze the traffic but no information about actually cracking any encryption. Seems to me this was mostly about hijacking and sinkholing contact peer domain lists. Perhaps they left out pertinent bits for their own safety, but from reading this the controllers could bypass the sinkhole if their backup list was implemented correctly.
If you can explain why, for example, the servers that hold data on 10,000+ clients get subjected to successful attacks in almost exactly the same proportions as home machines, heavily 'favoring' Microsoft, yet the various UNIX related operating systems are much, much more common there, then you can claim popularity makes all, or even much of, the difference.
What is the difference between a large server and a home user? It is the person sitting behind the keyboard. On one hand you have a highly qualified person who knows that they have a valuable system and who spends a lot of time locking down and testing the system.
On the other hand you have an average Joe who thinks their system would never be targeted by hackers, and who downloads and runs any random screensaver or funny program that gets sent to them without a second thought.
The biggest obstacle to security is not the operating system, but the people who don't care about it; the people who run as an administrator account (which they haven't needed to do for a decade), with security turned off (like UAC) because they do not want to be inconvenienced, and with lots of programs installed instead of the bare minimum needed to get the job done.
All of this also explains why routers are not as compromised as desktop systems. Once again they are set up by professionals with an eye to security. They also have a limited number of apps on them. Finally they do not have the market share of Windows. You cannot compare their market share vs. their competition because that is meaningless.
Why, knowing Apples get a lot of use in Hollywood for film editing and art, don't the people who bootleg video workprints and such target Apples more there - a place where they are quite popular?
Because they are not connected to the Internet. Because getting the timing right to luck onto the tiny window of opportunity to find a finished copy on one of these machines (and not just the unedited footage) would be impossible. Because the file size of the movies made for cinema release would be unfeasible to transfer over the Internet without being noticed. Because it is easier to get it other ways, like the discs distributed around the company or to awards judges. There is no point wasting time trying to hack those systems when there are too many variables, too many other easier options and too much chance that any security hole would be found and patched before you managed to transfer a single movie.
As for all your rubbish about Microsoft's APIs, can you name a product that received the official "Windows Compatible" logo whilst using non-standard APIs that caused a security hole? How many people here think that Microsoft should have had veto control over all the third party apps made for Windows? Imagine the outcry if Microsoft had refused to allow a competitor's software to be run on their OS. There are still enough people citing the time that a beta version of Windows would not run on DR-DOS!
Because the owners of these things are rather shady criminal types at best
Microsoft is a publicly listed company, Ballmer's not the owner, he's just the CEO.
"I've got more toys than Teruhisa Kitahara."
Ah, Microsoft apologists. As hilarious as they are delusional...
Wow, you are really not aiming for an insightful mod there! You can't actually come up with any valid discussion points, so you just go for insults. You might think that you are being anti-Microsoft, but in fact you are being anti-IT professional.
Do you seriously suggest that a system that is carefully put together with security in mind by a trained professional will be equally secure as one run by a person with no training and no interest doing anything but the bare minimum default installation? If so, then we might as well sack all the IT staff and let the clueless managers run the computers!
If your entire thought process in regards to computer security is just to avoid Microsoft and you will be fine, then you are doing your users a major disservice. Non-Microsoft systems do get hacked - even the original poster agrees with that. A lot of the time that you hear about those hacks, it turns out it is due to some entirely silly and preventable reason like using a default password for something (or none at all). Who is more likely to make that sort of mistake: someone who is a dedicated system administrator who has a security plan, or someone who just wants to quickly get their OS installation out of the way so they can start downloading porn?
"Microsoft is participating in the fight against the very criminal element that Microsoft allowed to blossom"
Microsoft is Iron Man?
I sat down to write a new sig tonight and all I did was make the chair warm.
Contrast to Stuxnet. Langner Communications, who are a small outfit of a few people, first started analysing it.
"Langner also realized after analyzing the Stuxnet code that it was designed to disable a particular nuclear facility in Iran. That's serious business, he figured. Some Iranian nuclear scientists, he remembered, had been mysteriously killed. Langner published his findings anyway."
If someone (let's just say for example the US Government) were to devote years of work to creating a worm so advanced that researchers said it looked "like alien technology" and I was a small firm who first noticed it, I'm not sure I'd be as brave...
Finally, ALL the exploits on desktop start off as exploits vs. one of the apps running, like Firefox or Office or Acrobat or whatever is popular.
Nope. Some of them start off as exploits vs. the OS TCP stack, or OS-provided libraries or programs.
I am trolling
Wait, Iranians killing someone is hardly an argument. He might have seen someone's wife without her veil or missed afternoon prayers or driven 38 in a 40 mph zone. Maybe he dropped a centrifuge on his foot and hollered "Allah damn it!" Come on, they just gave a woman 40 lashes for updating her Facebook page.
And if Superman and Green Lantern had a fight over who was more ripped, and Green Lantern used his ring to make a giant hammer and he swung it at Superman and then Superman dodged and the giant hammer hit the Sears Tower and I was on the Blue Line train just leaving the Halsted Street Station with a hot supermodel on my lap and saw the Sears Tower crash down along the Eisenhower Expressway just feet from the train I would so have a boner. So what's your point?
You are welcome on my lawn.
I will take it as selective memory that you make no mention of the hugely popular Sendmail and BIND daemons, and their historically similarly hugely popular security issues...? UNIX had its problems in its day as well.
Fix tiny part of huge problem
So in your opinion, none of the security fixes in Vista / Seven count for anything?
As long as flash and java continue to have terrible security flaws, Microsoft is liable for the consequences?
Some software already does this. But better ... two types of C&Cs: one that causes a kill if it can be contacted (left silent until needed) and one that causes a kill if it can't.
I mean, what exactly did Microsoft do that is in any way related to bringing down this botnet? From the description it looks like Kaspersky Labs did everything, and Microsoft just beat its chest really hard.
Contrary to the popular belief, there indeed is no God.
I got it! I got,got it. I got the number off the wall...
#ifndef nothing_h #define nothing_h
PROTIP: Not doing what you want, or not doing what you want YET =/= doing nothing.
If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddamned idiot
operate without a judge, a jury, or a set of laws. no due process, no checks and balances. just a bunch of megacorporations, unaccountable to anyone, going out there and 'hunting down' people they don't like.
i.e. barbarianism.
I have said it before, and I will say it again. Slashdot needs an astroturf rating.
- Dan.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.