Microsoft Leads Sting Operation Against Zeus Botnets
wiredmikey writes "Microsoft, in what it called its 'most complex effort to disrupt botnets to date,' and in collaboration with partners from the financial services industry, has successfully taken down operations that fuel a number of botnets that make up the notorious Zeus family of malware. In what Microsoft is calling 'Operation b71,' Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois. The move was to seize and preserve data and evidence from the botnets for the case. In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus."
It seems that Microsoft has become a good guy while Apple is rapidly becoming a goat. ... Or have I spoken too soon?
Keep tearing these asshats apart, DCU!
Microsoft has conducted physical seizures
Since when can a CORPORATION perform seizures of private property???
As a linux fanboi it sticks in my throat but well done Microsoft.
"co-plaintiffs" implies the courts being involved
Finally we know why DOS and Windows security was left wide open! It was a decades-long sting operation!
First
Your botnet proxy was surely seized for your post to be so not first.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
.. now Microsoft takes the servers down completely. As if I haven't got enough problems to get C&C:Generals to play on-line as it is.
If there is one thing to be learned on slashdot, it has to be sarcasm.
Remember, these botnets are using the hacked PCs against the owners will, without their knowledge. I don't have a problem with the police seizing the controllers.
Scranton PA? Surely those guys over at Dunder Mifflin didn't have anything to do with it!
www.youtube.com/watch?v=szhJzX0UgDM
...old news? http://yro.slashdot.org/story/11/03/18/1228227/microsoft-conducts-massive-botnet-takedown-action
Mostly harmless.
Have to remain vague to be in accordance with NDAs, but I've been part of such a sting before. On the "good" side, don't get your panties in a knot. It's not as glamorous as it may look at first (it's decidedly NOT like on TV to raid a server hoster). We went in, we cashed in the servers, we went back out, all with the aid of the hoster who, in turn, didn't do anything wrong but was required to cooperate, and did so quite easily. You wave that warrant in front of their nose and they do whatever you want (as long as it's in the warrant, of course).
Before we had the servers dissected and analyzed, the bot herders rerouted to other controlling servers. It's like playing whack-a-mole. The time wasted to get every kind of evidence collected so everything's in order and you get the necessary paperwork ready is a billion times what's needed for the other side to switch over to new servers. And they know that bloody well.
Before you get the wrong idea, the solution is NOT to eliminate due process and let me go nuts on every server hoster in the country, seizing servers as I please. This is not going to do any good. Or rather, do more ill than good. The solution is on the client's side. It's trivial to come up with something that can analyze network traffic and identify bot traffic. Of course, such a device has to be under the control of the customer. Not the ISP. The field for abuse is even wider there. Require people to monitor their traffic. Net access is no more a right than the right to drive a car, and here you have to make sure that your car does not cause trouble to other participants in traffic, why should that not apply for the internet?
This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.
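The "analyze traffic, match it against a regularly updated marker list" idea in the post above, as an added example that is not part of the original comment or of any product: a small matcher that runs a list of known bot C&C domains over DNS query log lines and reports which internal clients looked them up. The marker list, the log lines and the log format ("timestamp client query") are all constructed for the example, using reserved example.* names only.

```python
import ipaddress
from collections import defaultdict

# Constructed marker list (assumption): domains a feed has tagged as bot C&C.
# In practice this set would be refreshed from the box maker's update feed.
BOT_MARKERS = {"c2.example.ru", "update.example.net"}

# Constructed DNS query log, one "timestamp client query" record per line.
SAMPLE_LOG = """\
2012-03-26T10:24:01 192.168.1.20 www.example.org
2012-03-26T10:24:05 192.168.1.31 C2.example.ru.
2012-03-26T10:24:09 192.168.1.20 beacon.c2.example.ru
2012-03-26T10:24:12 192.168.1.42 update.example.net
2012-03-26T10:24:15 192.168.1.31 mail.example.com
malformed line
"""


def matches_marker(query, markers):
    """True if the queried name equals a marker or is a subdomain of one.

    Case and a trailing dot are ignored so that 'C2.example.ru.' and
    'beacon.c2.example.ru' both match the marker 'c2.example.ru'.
    """
    name = query.lower().rstrip(".")
    labels = name.split(".")
    # Walk from the full name up to the registrable suffixes.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in markers:
            return True
    return False


def flag_infected_clients(log_text, markers):
    """Return {client_ip: sorted list of matched query names}.

    Malformed records and records with an unparsable client address are
    skipped rather than aborting the whole run.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, client, query = parts
        try:
            ipaddress.ip_address(client)
        except ValueError:
            continue
        if matches_marker(query, markers):
            hits[client].add(query.lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(flag_infected_clients(SAMPLE_LOG, BOT_MARKERS).items()):
        print(f"{client} queried {', '.join(names)}")
```

Matching on the suffix rather than on exact equality is what makes the marker list usable: a feed entry for a C&C apex domain then also catches the per-bot subdomains a herder hands out, without the feed having to list each one.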
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Paul Newman would be turning in his grave. A sting is a con. Microsoft didn't con the bot operators into handing over their servers, they got a bunch of marshals to storm the hosting outfit and seize them. That's a raid, not a sting.
Yes, I'm commenting here rather than on TFA because I couldn't be bothered to sign up for their commenting system.
I had a linux server owned (rootkitted, had to reinstall completely), and it became part of a spam sending botnet.
So, fuck you.
I agree that Microsoft causes botnets, but I don't think backwards compatibility has anything to do with it.
Obviously you've never tried to run DOS apps on Vista or W7. DOSBox does a much, much better job.
Your ideas of backwards compatibility are misinformed.
The slang term 'sting' means a swindle or fraud. This article doesn't mention any of that - just that Microsoft again seized C&C servers for the botnet. They likely determined which servers were providing C&C for the botnet by good old fashioned detective work, not some elaborate con perpetrated against the operators of the botnet.
Anyone with some sense knows that Microsoft's flawed operating systems are the largest contributor to Botnets.
That's a peculiar sentiment, since most of the instances I see are the result of Java or Flash vulnerabilities.
That's a peculiar sentiment, since most of the instances I see are the result of Java or Flash vulnerabilities.
Java or Flash vulnerabilities that provide a pathway directly into the elevated privileges of the underlying Windows operating system. A hole in Java or Flash only goes so far. After that you need a way to embed code in the OS level that will run after the computer reboots, and runs with the ability to hide itself as a system service. Windows makes that sort of thing relatively easy as far as exploiting operating systems goes. Ones based on unix/linux are significantly more difficult, which is a big part of the reason why these vulnerabilities aren't exploited in the same way on those platforms.
You should've updated your system, checked logfiles, run chkrootkit on a regular basis, etc. Else, you're no better than people running unpatched Windows desktops.
Instead of everyone traveling to collect the boxen, why didn't they hire a *Nix geek to take care of it remotely?
"Hey, WindBlows hosting services! Here is a copy of the court order. By the time you read this the deed is already done."
Really! There is a reason why there is always a cot in the same room with WindBlows servers. Where was the 'Administrator'?
I think the only reason the boxes were taken or cached was so M$ could figure out how to incorporate this new 'Feature'.
I've already LONG been @ a "client-side" solution, since 1997 in fact - It's called a custom hosts file, and I've built & rebuilt (recently in fact) an easy to use POINT & CLICK GUI app for it that does all you state (inclusive of autoupdating).
It allows COMPLETE "client-side/end-user" level control.
( & yes, it works (on the simplest principle there is of "you can't get burned if you don't go into the malware fire")).
"The solution is on the client's side. It's trivial to come up with something that can analyze network traffic and identify bot traffic. Of course, such a device has to be under the control of the customer. Not the ISP. The field for abuse is even wider there. Require people to monitor their traffic. Net access is no more a right than the right to drive a car, and here you have to make sure that your car does not cause trouble to other participants in traffic, why should that not apply for the internet?" - by Opportunist (166417) on Monday March 26, @10:24AM (#39473929)
Right on, 110% agreement... & per that? See next below... I've done EXACTLY that, & in both 32-bit + 64-bit form:
"This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic" - by Opportunist (166417) on Monday March 26, @10:24AM (#39473929)
I just finished up an app I've been "perfecting" for that very thing since 2004, & have started "putting it out" for others to use (just got hosting from a widely used respected source for this in hpHOSTS/malwarebytes.org)...
It does ALL you speak of, plus it does the following:
---
1.) Makes hosts file entries UNIFORM (which is a problem amongst hosts file makers - nobody structures theirs the same as the next guy, per the list below... this creates duplicate entries, & ones less efficient than they ought to be as well)
2.) Alphabetizes/sorts entries for easier hosts file mgt.
3.) Removes bloating useless comments (which slows down the hosts file AND creates duplicates too, further slowing it down if the comments 'trail' an entry record).
4.) Changes from the larger/slower 127.0.0.1 to the smaller/faster 0.0.0.0 (just as "universal" too) blocking ip address vs. known bad hosts-domains (and adbanners too which rob a users speed/bandwidth they pay for, increasing screen real-estate on view too by removing them)
5.) Allows a user to "hardcode in" a list of their fav. sites so they resolve to ip address faster (using reverse DNS against the arpa TLD that maintains this), & so they will reach said sites faster by 100's of times no less/many orders of magnitude, PLUS, be assured they are in fact reaching the right place (vs. DNS poisoned redirected dns servers OR even downed ones)
6.) Checks on each hosts file record entry vs. the known 281++ TLD's so that bogus bloating useless entries are NOT present in the custom hosts file.
7.) Filtering vs. sites that should NOT be in a custom hosts file
8.) It "automagically" updates from 6 of the sources I list below (the better ones, some are not as frequently updated, & a couple have 'troublesome entries' that ought NOT to be in the hosts file since they block valid portals (& the app "filters" those out during processing too).
---
& far more (like write protecting the hosts file vs. attack & UAC does the rest in Windows, & write protecting + byte size checks of the app itself, every 1/2 second, vs. viral infestation of itself).
* Mr. Steven Burn of hpHOSTS tested it & said "it's excellent" & yes, it does the job, per the above
(Again, & I just got hosting space from malwarebytes/hphosts & will soon be releasing it for others to use. Very soon... couple of days hopefully, tops!)
APK
P.S.=> Lastly/Also - Congratulations to you, because it's folks like yourself (which I did not know this about you, & ye
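The hosts-file clean-up steps listed above (uniform entries, sorting, comment removal, 127.0.0.1 to 0.0.0.0, pinned favourite sites, TLD validation, filtering of names that must not be blocked), as an added example that is not the poster's tool or its source code: a Python normalizer that merges a raw blocklist feed into a clean hosts file. The sample feed, the pinned address (a TEST-NET-1 documentation address) and the TLD subset are constructed for the example; a real tool would load the full IANA TLD list instead of the eight entries here.

```python
import ipaddress

# Constructed subset of valid TLDs (assumption); load the full IANA list in real use.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "ru", "cn", "de"}

# Names that must never be turned into block entries, whatever a feed says.
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Addresses a feed uses to mean "block this name".
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample feed: two sources with different conventions merged together.
SAMPLE_FEED = """\
# header comment from feed A
127.0.0.1 localhost
127.0.0.1   bad.example.com   # trailing comment that bloats the file
0.0.0.0 bad.example.com
127.0.0.1 ads.example.net
127.0.0.1 BAD.Example.COM
0.0.0.0 bogus.notatld
0.0.0.0 justonelabel
0.0.0.0 www.example.org
127.0.0.1 C2.Example.RU.
not a hosts line
"""

# Constructed pinned entries: favourite sites hard-coded to a known address.
SAMPLE_PINNED = {"www.example.org": "192.0.2.10"}


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blanks and bad lines are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # remove full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, *names = parts
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an address in the first column
        for name in names:
            yield addr, name.lower().rstrip(".")


def valid_hostname(name):
    """Reject single-label names, unknown TLDs and illegal label characters."""
    labels = name.split(".")
    if len(labels) < 2 or labels[-1] not in KNOWN_TLDS:
        return False
    return all(
        label and len(label) <= 63 and all(c.isalnum() or c == "-" for c in label)
        for label in labels
    )


def normalize_hosts(text, pinned=None):
    """Return the cleaned hosts file as a list of lines.

    Layout: the mandatory localhost line, then pinned sites at their fixed
    addresses, then every valid blocked name exactly once, sorted, with the
    shorter 0.0.0.0 sink address.
    """
    pinned = {name.lower(): addr for name, addr in (pinned or {}).items()}
    blocked = set()
    for addr, name in parse_hosts(text):
        if name in NEVER_BLOCK or name in pinned:
            continue  # never block the local names or a pinned favourite
        if addr in SINK_ADDRESSES and valid_hostname(name):
            blocked.add(name)  # case-folded, so duplicates collapse here
    lines = ["127.0.0.1 localhost"]
    lines += [f"{addr} {name}" for name, addr in sorted(pinned.items())]
    lines += [f"0.0.0.0 {name}" for name in sorted(blocked)]
    return lines


if __name__ == "__main__":
    print("\n".join(normalize_hosts(SAMPLE_FEED, SAMPLE_PINNED)))
```

Feed lines whose first column is a real address rather than a sink (a feed that has been tampered with to redirect, not block, a name) are deliberately ignored, so a blocklist feed can never introduce a redirect into the file.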
Whoossshh...
See here -> http://it.slashdot.org/comments.pl?sid=2747153&cid=39474939
APK
P.S.=> It's already been submitted to the security community @ large in regards to that which you speak of in fact (and yes, they've seen the "active ingredient" in the sourcecode too, Mr. Steven Burn of hpHOSTS/malwarebytes has)... and yes, it works (does all you requested & MORE)... apk
Read here, see how (much like UAC works) -> http://it.slashdot.org/comments.pl?sid=2747153&cid=39474939
In fact, it complements existing security solutions like firewalls &/or DNS servers (or browser side ones like AdBlock + NoScript) with an IP Stack level solution (as fast as it gets in rpl 0/ring 0/kernelmode vs. usermode/ring 3/ rpl 3 based ones, via the PnP design of the Windows IP stack itself & a filter it has you already have no less but is largely unused by many, much like the human appendix (the hosts file)).
* It automatically updates for users, & doesn't allow them to enter KNOWN bad hosts-domains + is populated from 6 reputable/reliable sources for this (including vs. the ZEUS/SpyEye one in this article)).
APK
P.S.=> Yes, it works, and has worked for myself, family, & friends + testers for decades now (since 1997)... apk
Give us the IP address of a public internet-facing server that you administer. Let's see if you're as good as you think you are!
...domains that Microsoft is now monitoring and using to help identify computers infected by Zeus.
No, really, that's all they're doing. They're not looking at anything else on those computers. They're not using Zeus as a backdoor to access anything else. I promise.
You never really know how close to the edge you can go until you fall off.
instead of allowing amazon ec2 bots to go click crazy on parked domain names and then google cancels your adsense account while they accuse YOU of clicking on your own ads.
Microsoft and Apple should team together to destroy google. worthless pos evil company
"Now, this does not mean giving up any freedom, except the freedom to act irresponsibly" - KLAATU from the 1951 film "The Day the Earth Stood Still"
* I'd strongly wager that's where the man was coming from whom you replied to in fact, I certainly am...
(I mean, because EVERY DAMN TIME I hear "you're cutting into my freedom of speech" b.s.? Well, fine - that is, UNTIL you start messing with my freedom to surf without hassles! that is!)
For anyone that has not seen the original film, it is much the same concept here vs. the "you're cutting into my private property in my server with its malware & malicious script it serves up!"
Same, same, same...
That is, except the film was more on how since we have acquired "nuke power" that we have become a threat to all other galactic citizenry, & that's where ANY freedoms we may enjoy, are null & void (when these things, used irresponsibly, become a threat to others)).
APK
P.S.=> So, I.E.?
The "freedom of speech" b.s. ends when you start harming others by it... & when you harbor malware that robs the monies of others? You "crossed the line" of private property of your servers OR your malware OR your words even, being 'sacrosanct' & 'private' @ that point, which IS what malware makers/botnet herders violate, clearly...
Especially here in "cyberspace" (for lack of a better term, AND, to keep it 'analogously in-line' w/ using the words of KLAATU conceptually here)
...apk
Stops THAT "dead" too, with ease -> http://it.slashdot.org/comments.pl?sid=2747153&cid=39475099
* Take a read... because, it really works!
(Per what "the Opportunist" our parent poster here stated in essence & my KLAATU posts here as well in response to those seemingly attempting to use "freedom of speech" & "invasion of privacy" b.s. when their servers or systems that serve up malware or malicious script get cut off... mainly, since it is "cyberspace", hence my analogy on that account here, as well)...
SO... IF anyone doubts me, I can produce loads of testimonials to that effect, while this tool's used in combination with other good security practices I've been outlining to others since 1997 online, here -> http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Search&gbv=1&sei=p8FwT-6VCaXz0gGH-9TzBg )
The BEST THING we have going currently, is "layered-security"/"defense-in-depth"... & that is what that guide above is ALL about, & especially for Windows folks (the most used & therefore most abused, though ANDROID is showing the same on smartphones, illustrating that Linux is no more secure than Windows is once it gets "concentrated on" by the bogus out there online (botnet herders &/or malware makers)).
Fact is, & I've seen it around here like NO OTHER PLACE ONLINE?
I find it utterly ASTOUNDING & ASTONISHING that the MacOS X camp, like the Linux crowd, actually thought they could FOOL others with that crap (Linux = Secure OR MacOS X = Secure vs. Windows != Secure stuff (PURE FUD))...
Too bad it's turning up lies, eh?
As to proofs of that assertion by myself here? Ask... I will provide it by the TRUCKLOADS (been archiving it since 2003 in fact).
APK
P.S.=> "Here endeth the lesson", ala KLAATU & "The Day the Earth Stood Still" (giving up NO freedoms, except the freedom to act irresponsibly, even if via ignorance)... apk
I had to recently, with the very app I speak of here no less!
http://it.slashdot.org/comments.pl?sid=2747153&cid=39474939
When COMODO &/or ARCAVIR (run from their LINUX versions no less via the JOTTI online scanner) said my app was "bad"!
19/21 scanners there said I was fine, but NOT theirs on my compressed version of my executable (a compressed exe, I use them for performance AND security reasons, see below)... 3 more here (MS Sec Essentials, Spybot S&D, & AdAware) also cleared me as OK here too.
The "odds were with me" and I know I am NOT a malware maker... so, what happened? Well...
I proved BOTH wrong, both have rescinded it.
I.E.-> They did not understand the executable compression engine I use for making the app in BOTH 32-bit & 64-bit a compressed Win32/64 PE, which allows:
1.) Smaller & FASTER to load (today's CPU's make up for in-memory compression & smaller files load faster than larger ones)
&
2.) Protection vs. disassembly and yes, even viral infestation (to a TINY extent here, because one can peer into it in memory via disassemblers, ProcessExplorer, & other like tools' means)...
* In the end (after 2 days work to them as proof my app is 100% clean & THEN SOME, since it protects itself vs. viral infestation (byte level size check @ startup & during operations, impossible to infect, because it will cut itself off from running if it changes even 1 byte)?
COMODO's offered me "preferred vendor status" & ArcaBit (makers of ArcaVir) have since offered it exemption status...
(As good as those guys are? They make mistakes... as I have clearly proven, time & again & that is NOT a first, I did the same to Computer Associates YEARS ago as well!)
APK
P.S.=> It's doable, but you HAVE to be honest, correct, & dead-on "better" than your accusers - it's that simple. If you're not pulling crap?
Then, "the truth shall set you free", as the saying goes, along with being sharp @ whatever it is you're up to & doing... apk
Klaatu: "I am leaving soon, and you will forgive me if I speak bluntly. The universe (cyberspace) grows smaller every day, and the threat of aggression by any group (malware makers, botnet herders or even infested users), anywhere, can no longer be tolerated. There must be security for all, or no one is secure (TRUTH). Now, this does not mean giving up any freedom, except the freedom to act irresponsibly (amen). Your ancestors knew this when they made laws to govern themselves and hired policemen to enforce them. We, of the other planets, have long accepted this principle. We have an organization for the mutual protection of all planets and for the complete elimination of aggression. The test of any such higher authority is, of course, the police force that supports it. For our policemen, we created a race of robots. Their function is to patrol the planets in spaceships like this one and preserve the peace. In matters of aggression, we have given them absolute power over us. This power cannot be revoked. At the first sign of violence, they act automatically against the aggressor. The penalty for provoking their action is too terrible to risk. The result is, we live in peace, without arms or armies, secure in the knowledge that we are free from aggression and war. Free to pursue more... profitable enterprises. Now, we do not pretend to have achieved perfection, but we do have a system, and it works. I came here to give you these facts. It is no concern of ours how you run your own planet, but if you threaten to extend your violence, this Earth of yours will be reduced to a burned-out cinder. Your choice is simple: join us and live in peace, or pursue your present course and face obliteration. We shall be waiting for your answer. The decision rests with you." - KLAATU from the 1951 Sci-Fi classic "The Day the Earth Stood Still"...
* AMEN TO THAT, especially vs. those crying "they're MY servers/it's MY PRIVATE SYSTEM" well, not if you're burning others with it/them...
APK
P.S.=> Great film, a classic... & the concept holds true here too, in "cyberspace" imo @ least by analogy, as to ANYONE who serves up malware/botnets/exploits, OR who has an infected system:
Your freedom to act irresponsibly is what is in question, & that is the ONLY freedom you deserve to lose, in other words... apk
Not elevated at all - bots only need to get in at the user level, and a moron can just as easily infect a Linux machine in the same way. The problem is the users, not the OS.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".