The Inside Story of the Kelihos Takedown
Trailrunner7 writes "Earlier this week, Microsoft released an announcement about the disruption of the Kelihos botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams, and distributed denial-of-service attacks. The botnet had a complex, multi-tiered architecture as well as a custom communication protocol and three-level encryption. Kaspersky Lab researchers did the heavy lifting, reversing the protocol and cracking the encryption and then sink-holing the botnet. The company worked closely with Microsoft's Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system."
... what, do they arrest themselves?
"The company worked closely with Microsoft's Digital Crimes Unit (DCU)...."
These are their stories.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Because these botnets are run by, or closely work with, organised crime organisations.
If they become a big enough problem and cause enough damage then said organisations will probably have no qualms bringing the fight into meatspace.
Would Kaspersky continue doing this if one of their employees was murdered in retaliation?
Because the owners of these things are rather shady criminal types at best and you taking away their shiny thing that makes them tons of money is a great way of attracting attention of their underlings who come visit you and do shady criminal things to your knees at best.
Moved to http://soylentnews.org/. You are invited to join us too!
I don't think I have EVER read a story about internet security where they weren't attacking some kid on a college campus for sharing music, or blaming someone's grandfather for child porn. This is actually a refreshing story for a change.
So in other words, we have large corporations vs. organized crime. I fail to see how Kaspersky and Microsoft lose.
Um.. probably because large corporations always win.
Going to get down modded for WOOSH. Just watch.
Was it 867-5309?
Yeah because nobody else has a security problem with their software or setup.
http://kernel.org/ (How long has it been now?)
Wake me up when everyone grows up and realizes how hard our jobs truly are.
Uh, they were not involved as they weren't a target. Note the keyword in the post regarding the word: registry, which Apple currently doesn't have. It has things that are similar, but their security architecture is vastly different than that of Windows.
---- Teach Peace. It's Cheaper Than War.
There's so much money to be made that I doubt they've got time to be out breaking knees of corporate types. That just brings unwanted attention and heat.
They'll move on to something else, something probably more lucrative. They know that the Kaspersky's of the world can only play catch-up. For now. I believe one of the big changes we're going to see in the near to mid-future is the removal of the "organized crime" types from computer crime and their replacement by "legitimate" businesses. That's how all these things work. Look at Facebook. Who has to break the law when people will line up to give you all their information? The data that the maffiya types are stealing today will be collected legally tomorrow (or later today).
You are welcome on my lawn.
I would agree with this if this was posted sometime circa 2005 or before, but that really isn't the case now.
This malware and others like it can only take over if you open an e-mail, go to a bad website, download a bad executable, and run it. Let's break that down.
E-Mail: Any credible ISP and any web-based e-mail service (Yahoo/Gmail/Hotmail) will filter botnet spam. Even if you find said botnet e-mail in your spam folder and try to go to it, any modern web or desktop e-mail client will still warn you like hell.
Browser: Internet Explorer 8 has a malware filter enabled by default (SmartScreen). You get a horrible warning if you try to access malware, and an even worse one if you try to download an executable flagged as malware. IE8 is freely available for XP users, and every mainstream website in the world (including MSFT's) will nag you to upgrade, as most (Youtube/Facebook/Google) don't even support XP's default of IE6 anymore.
OS/User Access: Windows Vista is nearly 5 years old now and included proper user-mode access to the system (UAC) by default. Try to run something that will do something horrible like Kelihos will, and it will also flag a less dangerous-looking, but existent "do not run this" warning. That was improved with Windows 7, which is now 2 years old.
Patches on XP: Anything since XP SP2 (August 2004?) will not only nag for Windows update, but even forcibly reboot your system after enough idle time if what needs to be patched could open the door for botnets. Like with any of the years before listed, any retail PC sold since then will have that. Patches on XP won't fix everything, but the patches (Malicious Software Removal Tool) will typically circumvent well-known botnets.
Conclusion: I would say almost the entirety of the 41,000 systems affected had somehow gone ridiculously unpatched for years. We're probably talking Windows 2000 systems. And Linux/BSD was always better as a baseline, but run it unpatched at any such similar level as described, and it will have even worse SSH server vulnerabilities for starters.
remember code red? remember code Green?
but they are correct - it would be illegal and would also be wrong. best to take down the C&C and let the lifeless and therefore useless net slowly get formatted into non-existence.
although i'm waiting for the creative botnet that puts a self destruct in - wiping the box if it can't contact the C&C for an extended time (say 2 weeks) so that the security people get stuck with the possibility of destroying people's data.
maybe i shouldn't give them any ideas.
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
...what exactly?
Other than writing a vulnerable OS, I mean.
In all fairness, there ain't no other kind. Anyone who thinks otherwise is whistling past the graveyard. True, some are better than others, but that's comparing nearly-completely-immune-compromised with not-quite-completely-immune-compromised. In both cases it doesn't take much exposure to make you very sick - but some are not exposed as often. Running an obscure OS that nobody else runs, which is merely a form of security by obscurity, is still probably helping more than the particulars of the OS itself.
The human genome is a pretty good example. As much as 10% and maybe a lot more of it is comprised of various bits of old viruses, transposons (there are about 300,000 copies of just one particular transposon) and other parasitic or predatory genetic bits. That's the result of eons of genetic system wars. Similarly, OS security wars are going to be with us forever - or at least as long as there are still entities that find benefit in exploitation of others.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
yes - Code Green was a worm that used the exact same exploit as Code Red except it patched the hole and then spread itself in the same manner as Code Red. but if the box was rebooted then Code Green would be gone and the box would be patched.
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
Because the owners of these things are rather shady criminal types at best
Microsoft is a publicly listed company, Ballmer's not the owner, he's just the CEO.
"I've got more toys than Teruhisa Kitahara."
"Microsoft is participating in the fight against the very criminal element that Microsoft allowed to blossom"
Microsoft is Iron Man?
I sat down to write a new sig tonight and all I did was make the chair warm.
Deary me... so every plumber and psychologist should read the kernel mailing list?
People (generally) care even less about more important stuff (read: general implosion of global economic finance) than their computer being "kinda weird when I go on facebook and stuff"
So anyway, you get around to fixing that leaky tap in the bathroom lately?
I mean, what exactly did Microsoft do that is in any way related to bringing down this botnet? From the description it looks like Kaspersky Labs did everything, and Microsoft just beat its chest really hard.
Contrary to the popular belief, there indeed is no God.