Slashdot Mirror


Four Years Jail For Bredolab Botnet Author

angry tapir writes "The creator of the Bredolab malware has received a four-year prison sentence in Armenia for using his botnet to launch DDoS attacks that damaged multiple computer systems owned by private individuals and organizations. G. Avanesov was sentenced by the Court of First Instance of Armenia's Arabkir and Kanaker-Zeytun administrative districts for offenses under Part 3 of the Article 253 of the country's Criminal Code — intentionally causing damage to a computer system with severe consequences."

47 comments

  1. Re:Always clean... by Trilkin · · Score: 2

    That's because it's a scam. That isn't the first time that story's been posted as a first post. Funny how a story about a botnet has a first post from someone probably using a botnet.

    --
    Nobody cares what the CAPTCHA for your post was.
  2. What were the consequences by buchner.johannes · · Score: 2, Interesting

    for the staff in charge of security? (Since there was damage to multiple computer systems, not just unavailability)

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:What were the consequences by gweihir · · Score: 4, Interesting

      Nothing. After all, even if you have glass windows, if somebody throws a stone at them you do not share responsibility. Vandalism (and that is what was effectively done) is always 100% the fault of the vandal.

      Now, having inadequate security is something else. But the respective laws are still in their infancy.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:What were the consequences by Alex+Belits · · Score: 1, Interesting

      If it was possible to prevent glass windows from being broken by properly maintaining them, having a window broken would indicate professional neglect (what translated into various crimes and civil actions for at least some professions).

      There is no excuse for having an insecure system operating in an insecure manner while there are cheaper ways of having a secure system operating in a secure manner. Just because Microsoft taught people to accept glaring flaws and deficiencies as facts of life, doesn't mean that there should be no responsibility for having them.

      --
      Contrary to the popular belief, there indeed is no God.
    3. Re:What were the consequences by Anonymous Coward · · Score: 5, Insightful

      Let me give you a more valid window glass analogy. If you had invested in better glass, the kid's rock would not have smashed your window.

      Plus we're talking about DDoS here. That is not trivial to protect against. Your jab at Microsoft is silly.

    4. Re:What were the consequences by Anonymous Coward · · Score: 0

      If it was possible to prevent glass windows from being broken by properly maintaining them, having a window broken would indicate professional neglect (what translated into various crimes and civil actions for at least some professions).

      I would have just said that breaking window is a bad analogy. What you said makes no sense.

      There is no excuse for having an insecure system operating in an insecure manner while there are cheaper ways of having a secure system operating in a secure manner.

      Pretty much. Unless the hacker has found some security flaw that was missed by every other security expert and academic out there, I'm with you.

      Just because Microsoft taught people to accept glaring flaws and deficiencies as facts of life, doesn't mean that there should be no responsibility for having them.

      You tell'em!

      I'm still pissed that the goddamn Japanese bombed Pearl Harbor, too! And don't get me started about the South firing on Fort Sumter and then having the GALL to call the Civil War the "War of Northern Aggression"! Plah-ease! Who fired upon whom?!? And then the fucking Germans for causing ALL of the European wars from the mid 19th century till the mid 20th! Fucking Krauts! And NOW they're fucking with the European economy!

    5. Re:What were the consequences by Anonymous Coward · · Score: 0

      If you leave your doors unlocked and get robbed and the thief gets caught, we should just slap them on the wrist?

    6. Re:What were the consequences by Anonymous Coward · · Score: 0

      There is no excuse for having an insecure system operating in an insecure manner while there are cheaper ways of having a secure system operating in a secure manner.

      Those computers shouldn't be dressing so provocatively, they had it coming. And, given that there are self defence classes one can take, there's no excuse for not fending off an attacker.

    7. Re:What were the consequences by flonker · · Score: 4, Insightful

      How would you "secure" a system against a DDoS? The only solution is to throw money at the problem. Yes, you can mitigate to some degree, but the numbers get very big very fast regardless.

      Quick google turns up "DDoS attack size broke 100 Gbps for first time" from Feb 2011. The only way to prevent 100 Gbps of traffic from drowning your site is to have *significantly* more than 100 Gbps of bandwidth available to you, or to hire someone who does. And even then, someone must pay for that bandwidth.

      Another hurdle to overcome is if someone is attacking your application layer, you have to throw CPU cycles (and possibly RAM) at the problem to solve it. If you assume a typical HTTP request of 1k, handling or filtering 100M (or even 1M @ 1Gbps) http requests per second is going to require some hefty hardware. A quick google gives the number 3k requests per second for a typical apache server serving blank pages. You would need 300 web servers to handle 1M requests, and 30,000 to handle 100M requests. Numbers are just ballpark figures, and may be off by an order of magnitude or two, but you get the idea.

      In short, protecting against a DDoS is hardly professional neglect. It's a financial decision. Even if you hire someone else to handle it for you, someone eventually pays the price.

    8. Re:What were the consequences by michelcolman · · Score: 0

      But they didn't throw a stone at the glass, they merely picked the lock and opened the window, and this somehow caused the glass to break even though they didn't even touch it.

      How do you damage a server merely by sending it too many requests? Surely it should just shut down if it overheats?

    9. Re:What were the consequences by gweihir · · Score: 1

      That is nonsense. It is possible to have unbreakable windows, but it is generally recognized that properly designed windows break only due to accidents or malicious intent. Liability comes into play for example for windows that break too easily, or, for car-glass, windows that break into large shards.

      Now, what exactly the standards are that are acceptable in IT security is still in flux, but just because an attack was easy does not make the action of attacking any less malicious. Well, maybe lower in criminal energy, which can result in a lighter sentence.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:What were the consequences by gweihir · · Score: 2

      Indeed. Easy DDoS is a consequence of the design of the Internet. Defense is expensive, but entirely possible. Just talk to Akamai, they can tolerate basically anything that can be thrown at them with only local outages.

      That said, even if the target could easily tolerate the DDoS done, the criminal doing it should still be punished.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:What were the consequences by Billly+Gates · · Score: 1

      If it was possible to prevent glass windows from being broken by properly maintaining them, having a window broken would indicate professional neglect (what translated into various crimes and civil actions for at least some professions).

      There is no excuse for having an insecure system operating in an insecure manner while there are cheaper ways of having a secure system operating in a secure manner. Just because Microsoft taught people to accept glaring flaws and deficiencies as facts of life, doesn't mean that there should be no responsibility for having them.

      I take it you never had to work for enterprise customers before? Try supporting 300 apps in 10 countries with different configurations for each tree in the forest on the AD? Now imagine a single piece of software in that configuration that requires all XP SP 2 desktops to have time frozen on March 2008 on a Tuesday or else megaCrap won't support the product?

      You have over 120 updates for Windows 7 according to my desktop which includes the early 2009 version of Windows 7 if I rebuild it to make it modern to 2012? If I were to do this in a client site above I would have to do regression testing for all 120 updates for all 300 apps! How do I know that security update won't break something? What if it does?

      I am fired and sued into an oblivion! Cost accountants love to have the system work only if no one ever calls in sick or goes on vacation and the IT team just puts out fires rather than prevents them. It helps raise the client's share price so the CEO can get his bonus.

      IT does not have time for these tests and it's impossible without tens of millions of dollars of wasted shareholder money. This was the drive for intranet apps originally to leave this nightmare, but guess what. Slashdotters are now whining how horrible IE 6 is. Now they do not want to go the intranet route again after having this nightmare now with IE 6 thanks to everyone whining about it.

      Home users have it easy. Maybe this will change when intranet apps are HTML 5 based in the future and will work on every browser/machine? Pfft yeah right. No vendor wants to certify anything outside IE on the desktop and have it in the contracts not to support any security updates with its products. For this reason alone I did a PC Refresh project for a hospital and all the new Desktops had the unpatched XP SP 2 with IE 6 on them for this reason. The vendors won't support us otherwise.

    12. Re:What were the consequences by Joce640k · · Score: 2

      How do you damage a server merely by sending it too many requests? Surely it should just shut down if it overheats?

      People set up servers for a reason - because they want visitors. Shutting them down isn't really a 'cure'.

      --
      No sig today...
    13. Re:What were the consequences by michelcolman · · Score: 1

      No, but the article said equipment was "damaged". Surely a shut down server is better than a damaged one? Isn't that a mandatory safety measure?

    14. Re:What were the consequences by mcgrew · · Score: 1

      Your jab at Microsoft is silly.

      No, he raises a good point. Way too many people just shrug and say "you can't write a bug-free program". It's like being brought up in a leaky shack, you'll have the attitude that a poorly constructed shack is "just the way it is." Without all those poorly constructed shacks, and all the people using them who have the attitude "there's nothing we can do about it" DDoSes would be much harder to pull off if Windows wasn't so easy to break into. Remember, the botnet is made up of Windows PCs.

    15. Re:What were the consequences by Frank+T.+Lofaro+Jr. · · Score: 0

      How do you damage a server merely by sending it too many requests? Surely it should just shut down if it overheats?

      What if it has an AMD CPU?

      http://www.tomshardware.com/reviews/hot-spot,365.html

      --
      Just because it CAN be done, doesn't mean it should!
    16. Re:What were the consequences by tomhath · · Score: 1

      No, but the article said equipment was "damaged"

      Nope, the article said the *system* was damaged. That would cover more than physical damage to the hardware. I assume it would include denying the use of the system by attacking it with a botnet.

    17. Re:What were the consequences by serialband · · Score: 2

      And the command and control IRC servers are typically running on Linux.

    18. Re:What were the consequences by mcgrew · · Score: 1

      Of course they are. The C&C operators don't want someone else to take over their botnets!

  3. Re:Always clean... by Anonymous Coward · · Score: 0

    Yes, but if they made an example of them by cutting off their hands, we'd have less spam. Balls too just in case they could still breed.
    Botnet enthusiasts, spammers and scammers. Start lopping parts off them in direct ratio to their crime. Cruel and unusual? No, cruelty is allowing them to continue, not unusual either as this has been a punishment probably dating back to pre history. Cures chronic masturbation as well.

  4. Re:I can see the future of your ass... by Anonymous Coward · · Score: 0

    Wait, what's with the headline? The future of your ass?

  5. Re:Help beating the Axis! by Anonymous Coward · · Score: 0

    Wrong thread, dude.

  6. Spam Flood by MRe_nl · · Score: 3, Interesting

    "Never in the history of Slashdot have so many spam posts been posted by so few in such a short time".

    Winston Smith.

    (Perhaps triggered by "botnet author" in the article's title?)

    --
    "Kill 'em all and let Root sort 'em out"
  7. damaged multiple computer systems ? by nurb432 · · Score: 2

    How does one *damage* a system via a DoS?

    Sure, it's uncool and he needs to be in jail, but propagation of false concepts is just as dangerous, if not more...

    ( reminds me of the 'copyright infringement is theft' propaganda )

    --
    ---- Booth was a patriot ----
    1. Re:damaged multiple computer systems ? by Mashiki · · Score: 0

      By making it shit electrons all over itself. I hear that's quite a mess.

      --
      Om, nomnomnom...
    2. Re:damaged multiple computer systems ? by tehcyder · · Score: 1

      How does one *damage* a system via a DoS?

      Sure, it's uncool and he needs to be in jail, but propagation of false concepts is just as dangerous, if not more...

      If my entire system becomes unusable because some fuckwits are DoSing it, then it has been damaged. If it is a business, there will be direct, real monetary losses. You are just thinking about physical damage to the hardware, which is irrelevant.

      ( reminds me of the 'copyright infringement is theft' propaganda )

      It reminds me of a drooling retard with a one track mind, but hey ho.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  8. Re:I can see the future of your ass... by Anonymous Coward · · Score: 0

    I was wondering the same thing. Don't leave us hangin'!

  9. Jailtime: Addware 15 years, DDOS 4 years by Anonymous Coward · · Score: 0

    Wow there are some F***ed up laws in the US. 15 years for Russians for a botnet click scan. Meanwhile a DDOS botnet attack gets 4 years.

    WTF, It goes to show you nobody who makes any laws in the US has any clue about the big tubes on the internet. Because they only look at the big boobs on the internet.

  10. Re:Jailtime: Addware 15 years, DDOS 4 years by sed+quid+in+infernos · · Score: 1

    You do know Armenia isn't actually in the U.S., right?

  11. Interesting note from the article by Zontar_Thing_From_Ve · · Score: 4, Interesting

    I am not claiming to personally be the greatest expert on Slashdot of the ex-USSR. However, I do speak Russian reasonably well and I have traveled in the ex-USSR so I do think it's fair to say that I'm more familiar with the CIS countries and the people that live there than most people. I admit to being a bit puzzled to read that Armenia jailed someone. Armenia is seemingly uninterested in joining NATO and the EU and as far as I know they get along pretty well with Mother Russia. Outside of the Baltic Countries (Estonia, Lithuania, Latvia) who are fully integrated into the EU and NATO, laws are weak and corruption is high. I was wondering "Why would Armenia bother to prosecute this guy and jail him, given that in the past the entire CIS has basically never been interested in such?". There doesn't seem to be any political reason (i.e. no sucking up to the EU or NATO) at work here. Surely this guy would have been smart enough to just bribe his way out of trouble. Then I noticed this in the article:

    One of the attacks that Avanesov was found guilty of instrumenting took place on Oct. 1, 2010, and targeted a Russian telecommunication company called Macomnet.

    Ah. He foolishly attacked Mother Russia. Now I understand why he was convicted.

  12. Well, that's good. by Anonymous Coward · · Score: 0

    I'm sure this computer criminal will pick up a bunch of new polite habits while rotting in Armenian prison. I can't wait to see him released and reformed!

    1. Re:Well, that's good. by tehcyder · · Score: 1

      I'm sure this computer criminal will pick up a bunch of new polite habits while rotting in Armenian prison. I can't wait to see him released and reformed!

      Well, by that logic you wouldn't put anyone in jail in case they got more criminally hardened. Just remember that not all criminals are greedy geeks like this dweeb, there are also rapists, murderers and child molesters in prison too.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  13. Re:Jailtime: Addware 15 years, DDOS 4 years by KhabaLox · · Score: 1

    It is if you're in Glendale, CA.

    --
    Ceci n'est pas un sig.
  14. Re:Always clean... by Anonymous Coward · · Score: 0

    Suck my penis for Jesus little boy. Suck my cock good. Jesus Christ demands it.

  15. What a ruse by ourlovecanlastforeve · · Score: 1

    That's right, you give him four years of free room and board, three square meals a day, free access to health and dental and psychiatric care. That'll show him who's boss.

  16. Re:Always clean... by tehcyder · · Score: 1

    It's not as brilliantly bathetic as the one about the guy dying of cancer, his family abandoning him and his puppy committing suicide (or whatever).

    --
    To have a right to do a thing is not at all the same as to be right in doing it