Botnet Flaw Lets Researchers Disrupt Attacks
Trailrunner7 writes "A team of researchers has discovered a weakness in the command-and-control infrastructure of one of the major DDoS toolkits, Dirt Jumper, that enables them to stop attacks that are in progress. The discovery gives the researchers the ability to access the back-end servers that control the attack tool, as well as the configuration server, and key insights into the way that the tool works and how attackers are using it. Dirt Jumper is not among the more well-known of the DDoS attack toolkits, but it's been in use for some time now and has a number of separate iterations. The bot evolved from the older RussKill bot over time, and various versions of the tool's binary code and back end configuration files have been made public. Researchers have watched as the bot has been used in attacks around the world against a variety of targets, and now they've been able to find a crack in the malware's control infrastructure."
Correction: the proper fix would be to not let click-happy stupid people use the internet.
It's already been proven that Linux & Mac OSes can also be infected, so it really doesn't have anything to do with MS. It all comes down to the end user installing every little stupid thing and clicking on anything that jumps in front of them.
Not to mention it seems a lot of malware these days is user-mode based. They're not trying to hide from users anymore, other than being plausible-sounding processes with plausible paths. Everything they need to do, the user can do - they don't need admin anymore (admin was required because they wanted to hide).
Getting admin these days often requires a dialog box popping up on the user for admin privileges. Which is a great way to announce your presence to the user. But just being an innocuous-sounding process that can hide amongst the other processes is often good enough. After all, if the malware decided it would be called "init" on Linux or "launchd" on OS X, most users wouldn't know that something is wrong (other than it not being PID 0). Or perhaps the malware can see the user runs GNOME, and call itself gnome-terminal. Or on OS X, Safari.app.
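As an added illustration of the process-name masquerading the comment above describes (example code written for this page, not something posted in the thread), the check below flags processes whose name matches a well-known daemon but whose PID or executable path does not fit, and anything running from a user-writable directory. The expected-identity table, the path prefixes and the sample process list are constructed assumptions, not data from the thread.

```python
import os
from dataclasses import dataclass

# Constructed baseline: name -> expected PID (None = any) and acceptable executable paths.
# A real deployment would build this from the distribution's package manifests.
EXPECTED = {
    "init": {"pid": 1, "paths": {"/sbin/init", "/usr/lib/systemd/systemd"}},
    "launchd": {"pid": 1, "paths": {"/sbin/launchd"}},
    "gnome-terminal": {"pid": None, "paths": {"/usr/bin/gnome-terminal",
                                              "/usr/libexec/gnome-terminal-server"}},
}

# Locations an unprivileged user can write to; a "system daemon" living here is suspect.
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/home/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    name: str   # comm name as shown by ps
    exe: str    # resolved executable path, e.g. os.readlink("/proc/<pid>/exe")


def find_masqueraders(procs):
    """Return (pid, name, reason) for processes that imitate a known daemon badly
    or run from a user-writable location."""
    findings = []
    for p in procs:
        reasons = []
        rule = EXPECTED.get(p.name)
        if rule is not None:
            if rule["pid"] is not None and p.pid != rule["pid"]:
                reasons.append(f"pid {p.pid} but {p.name} is expected at pid {rule['pid']}")
            if p.exe not in rule["paths"]:
                reasons.append(f"executable {p.exe} not in the expected set")
        if p.exe.startswith(USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append((p.pid, p.name, "; ".join(reasons)))
    return findings


def scan_proc():
    """Linux only: build Proc records from /proc for every readable process."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                name = fh.read().strip()
            procs.append(Proc(int(entry), name, os.readlink(f"/proc/{entry}/exe")))
        except OSError:
            continue  # process exited or we lack permission to read it
    return procs


# Constructed sample process table: one genuine init, one fake "init", one real and one
# fake gnome-terminal, and an unrelated shell that should produce no finding.
SAMPLE = [
    Proc(1, "init", "/sbin/init"),
    Proc(4242, "init", "/tmp/.x/init"),
    Proc(3100, "gnome-terminal", "/usr/bin/gnome-terminal"),
    Proc(3177, "gnome-terminal", "/home/alice/.cache/gnome-terminal"),
    Proc(2200, "bash", "/bin/bash"),
]

if __name__ == "__main__":
    for pid, name, reason in find_masqueraders(SAMPLE):
        print(f"{pid:>6} {name:<16} {reason}")
```

Run against `scan_proc()` instead of `SAMPLE` on a Linux host to check live processes; the name-only check is still only a hint, since a fake process can also copy a genuine-looking path.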