Slashdot Mirror


Botnet Flaw Lets Researchers Disrupt Attacks

Trailrunner7 writes "A team of researchers has discovered a weakness in the command-and-control infrastructure of one of the major DDoS toolkits, Dirt Jumper, that enables them to stop attacks that are in progress. The discovery gives the researchers the ability to access the back-end servers that control the attack tool, as well as the configuration server, and key insights into the way that the tool works and how attackers are using it. Dirt Jumper is not among the more well-known of the DDoS attack toolkits, but it's been in use for some time now and has a number of separate iterations. The bot evolved from the older RussKill bot over time, and various versions of the tool's binary code and back end configuration files have been made public. Researchers have watched as the bot has been used in attacks around the world against a variety of targets, and now they've been able to find a crack in the malware's control infrastructure."

17 of 26 comments

  1. crack in the malware's control infrastructure by fustakrakich · Score: 1

    Yet another example of country coming apart at the seams.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:crack in the malware's control infrastructure by Razgorov+Prikazka · Score: 1

      Well, the first crack of course is getting rid of M$ and use a proper OS instead.
      After that one could go after the baddies...

      --
      rm -rf --no-preserve-root / ...and let /dev/null sort them out...
    2. Re:crack in the malware's control infrastructure by Krojack · Score: 3, Insightful

      Correction: the proper fix would be to not let click-happy stupid people use the internet.

      It's already been proven that Linux & Mac OS's can also be infected so it really doesn't have anything to do with MS. It all comes down to the end user and installing every little stupid thing and clicking on anything that jumps in front of them.

    3. Re:crack in the malware's control infrastructure by tlhIngan · Score: 2

      It's already been proven that Linux & Mac OS's can also be infected so it really doesn't have anything to do with MS. It all comes down to the end user and installing every little stupid thing and clicking on anything that jumps in front of them.

      Not to mention it seems a lot of malware these days is usermode based. They're not trying to hide from users anymore, other than being plausible-sounding processes with plausible paths. Everything they need to do the user can do - they don't need admin anymore (admin was required because they wanted to hide).

      Getting admin these days often requires a dialog box popping up on the user for admin privileges. Which is a great way to announce your presence to the user. But just being an innocuous sounding process that can hide amongst the other processes is often good enough. After all, if the malware decided it would be called "init" on Linux or "launchd" on OS X, most users wouldn't know that something is wrong (other than it not being PID 0). Or perhaps the malware can see the user runs GNOME, and call itself gnome-terminal. Or on OS X, Safari.app.

    4. Re:crack in the malware's control infrastructure by tlhIngan · Score: 1

      The proper fix would be to not let click happy stupid people use the internet.

      Then we might as well bottle the internet back up as a DARPA research curiosity.

      Generally speaking, the security model assumes people know what they're doing, which is patently false. The computer and the internet are essential tools these days for many occupations, whether or not the people want it. A mechanic probably has to use a computer to diagnose a modern car, but he certainly doesn't need to know how to reinstall Windows or compile a kernel or other crap (to him). He just wants to see what errors there are, use his experience and then find the mystical place to do the $1000 tap to fix the problem.

      Ditto the internet - the sales guy is wheeling and dealing and sending specs to customers trying to make money for the company over the 'net. He doesn't need to know the details of TCP/IP or Ethernet or how the packet gets from here to there - he just makes the sales.

      Basically these days, the security model should include the fact that people who do not know better have a necessity to use the computer and the internet. We don't train the mechanic how to type and install Windows/Linux/blah and admin it, we train the mechanic how to most effectively extract the data the ECU provides to solve the problem.

      It's time security models take note that Dancing Pigs are here to stay. Which may explain the rise of locked down tablets and walled gardens.

    5. Re:crack in the malware's control infrastructure by jones_supa · Score: 1

      Hmm, seems that you could actually create some sort of protection against this by writing a program which checks for spurious duplicates of system files.
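
The check proposed above, written out as an added example (it is not code from the story, the researchers, or any commenter): take the process names the thread mentions (init, gnome-terminal, plus a couple of other daemons), compare each running process that uses such a name against the path its real binary is expected to live at, and flag the ones that run from somewhere else, from a user-writable directory, or from a binary that was deleted after launch. The expected-path table, the user-writable prefixes and the sample process list are constructed assumptions for illustration; only the Linux /proc layout is real.

```python
"""Flag processes that borrow a system daemon's name but run from the wrong place.

Added example for the discussion above. EXPECTED_EXE and SAMPLE are constructed
for illustration; tune the table for the distribution you actually run.
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allow-list (assumption): where a process using this name should live.
EXPECTED_EXE = {
    "init": {"/sbin/init", "/usr/lib/systemd/systemd", "/lib/systemd/systemd"},
    "systemd": {"/usr/lib/systemd/systemd", "/lib/systemd/systemd"},
    "gnome-terminal": {"/usr/bin/gnome-terminal", "/usr/libexec/gnome-terminal-server"},
    "sshd": {"/usr/sbin/sshd"},
}

# Directories an ordinary user can write to; a "system" binary there is suspect.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str   # as reported by /proc/<pid>/comm
    exe: str    # resolved target of /proc/<pid>/exe, "" if unreadable


def classify(p: Proc) -> Optional[str]:
    """Return a reason string if the process looks like a masquerader, else None."""
    if p.exe.endswith(" (deleted)"):
        # The kernel appends this when the binary was unlinked after exec,
        # a common way to defeat on-disk scanning; worth flagging for any name.
        return "executable deleted after launch"
    allowed = EXPECTED_EXE.get(p.name)
    if allowed is None or not p.exe:
        return None  # not claiming a system name, or nothing to compare against
    if p.exe.startswith(USER_WRITABLE_PREFIXES):
        return "system process name but runs from a user-writable directory"
    if p.exe not in allowed:
        return f"system process name but exe is {p.exe}"
    return None


def find_masqueraders(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """(pid, name, reason) for every process classify() objects to."""
    out = []
    for p in procs:
        reason = classify(p)
        if reason:
            out.append((p.pid, p.name, reason))
    return out


def snapshot_linux() -> List[Proc]:
    """Read comm and exe for every process in /proc; [] on non-Linux hosts."""
    procs: List[Proc] = []
    if not os.path.isdir("/proc"):
        return procs
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                name = f.read().strip()
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel threads, or processes we lack permission to inspect
        procs.append(Proc(pid, name, exe))
    return procs


# Constructed sample snapshot covering the cases above (not real data).
SAMPLE = [
    Proc(1, "init", "/sbin/init"),
    Proc(1337, "init", "/home/alice/.cache/init"),
    Proc(2048, "gnome-terminal", "/usr/bin/gnome-terminal"),
    Proc(4096, "gnome-terminal", "/usr/bin/gnome-terminal (deleted)"),
    Proc(5120, "sshd", "/tmp/.x/sshd"),
    Proc(6000, "kthreadd", ""),
]

if __name__ == "__main__":
    # Use the live process table where available, the constructed sample otherwise.
    procs = snapshot_linux() or SAMPLE
    for pid, name, reason in find_masqueraders(procs):
        print(f"pid {pid} {name}: {reason}")
```

On the constructed sample this reports pids 1337, 4096 and 5120 and stays quiet about the genuine init, the genuine gnome-terminal and the kernel thread. Processes with names outside the table are deliberately ignored unless their binary has been deleted, so users running their own builds out of their home directory are not swamped with noise; the trade-off is that a masquerader picking a name not in the table goes unnoticed, which is why the table, not the logic, is the part to maintain.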

    6. Re:crack in the malware's control infrastructure by somersault · Score: 1

      I'm pretty sure we'd still have plenty of online gaming too.

      --
      which is totally what she said
    7. Re:crack in the malware's control infrastructure by mcgrew · Score: 1

      It's already been proven that Linux & Mac OS's can also be infected

      I don't think "infected" is the right word for a trojan. However, Windows is the only OS on which one could get infected by a virus (not trojan) by simply opening an email or visiting a web page.

      That said, Windows is a lot more secure than it used to be. I doubt anyone but the click-happy who are dumb enough to answer "would you like to let this program change your computer?" would say "yes" if they thought they were going to a linked web page.

  2. binary code by GuldKalle · Score: 1

    The bot evolved from the older RussKill bot over time, and various versions of the tool's binary code and back end configuration files have been made public.

    What does that mean? Was some of the code stored in another numeral system? And why was the code so hard to get hold of?

    --
    What?
    1. Re:binary code by X0563511 · Score: 1

      Work with me here...

      What do you get out of a compiler? A binary.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:binary code by GuldKalle · Score: 1

      Yeah, OK. But why was it so hard to get hold of? Couldn't they just pull it from any infected machine?

      --
      What?
  3. Not bricked yet? by tomhath · Score: 1

    I'm surprised some company or country hasn't gotten PO'd enough to write a counterattack that just bricks all the infected machines in a botnet.

    1. Re:Not bricked yet? by GuldKalle · Score: 1

      Does it spoof the IP? Wouldn't ISPs spot IP packets originating in their own network, but not looking like they did?

      --
      What?
  4. Security Flaw in the Security Flaw! by fm6 · Score: 1

    Really, how could the editor overlook such a cute headline?

  5. If the botnet was open source.... by Anonymous Coward · Score: 1

    .... the researchers would be able to submit a patch.

  6. Why are they telling us? by mdfst13 · Score: 1

    I wonder why they are announcing the security flaw in the malware. Shouldn't they try to exploit the security flaw to find the malware users first?

    What's the benefit of reporting the flaw? Usually, people report security flaws so that the application writer can close them. Do they actually want the DDOS kit to close its security flaw? Does that make the world better in some way?

    The only possible advantage that I can see is that it might make other malware users more careful about using similar software. And of course, smart malware users will no longer use Dirt Jumper. However, if they just switch from Dirt Jumper to another DDOS kit, it seems that we are worse off (DDOSed by a kit without a security flaw to exploit).

    The optimal time to make this kind of announcement would be after it becomes common knowledge in the malware community, preferably by publication of the proceedings of some prosecutions. At that time, it gives minimal benefit to existing malware users while still scaring potential malware users from jumping on the bandwagon. I wouldn't expect the scare benefits to be that large, so the benefit from an early announcement is small.

    1. Re:Why are they telling us? by SomeJoel · Score: 1

      If they don't report any progress, they'll lose their funding.
