Slashdot Mirror


Cleaning Up Botnets Takes Years, May Never Be Completed

Once a botnet has taken root in a large pool of computers, truly expunging it from them may be a forlorn hope. That, writes itwbennett, is the finding of researchers in the Netherlands who analyzed the efforts of the Conficker Working Group to stop the botnet and find its creators. Seven years later, there are still about 1 million computers around the world infected with the Conficker malware despite the years-long cleanup effort. 'These people that remain infected — they might remain infected forever,' said Hadi Asghari, assistant professor at Delft University of Technology in the Netherlands. The research paper will be presented next week at the 24th USENIX Security Symposium in Washington, D.C. (And "Post-Mortem of a Zombie" is an exciting way to title a paper.)

74 comments

  1. Never be completed by fustakrakich · · Score: 2

    Golly Gee! Neither will garbage collection... Let's just let it pile up, eventually it will collapse by its own mass.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Never be completed by Penguinisto · · Score: 1

      I think it would be easier to simply take command/control of those bots and start flushing hard drives (or whatever else will ensure it never reboots), then shut it down remotely.

      Or, if you don't feel that destructive? Drop a small executable that removes all networking/modem/etc capabilities upon boot, then remotely restart the machine. They keep their cat pictures, and we don't have to deal with it being on the public network.

      Yes it's completely unethical, etc... but maybe that's the one thing that will give the botted machine owners the hint that maybe they should take their boxes down to Geek Squad (or wherever) to get fixed?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:Never be completed by Alok · · Score: 1

      I've long thought of this (removing networking from the bots) as being the best actual solution, too bad that there is no way to do so legally. Maybe use the bots to scan for 0-day vulnerabilities, and forcibly upgrade or configure security FW/AV etc. to deal with it :D

      Well, I also wondered why no black hat ever tried it, but I guess all of them are busy making a lot of $$ selling exploits to various agencies rather than disrupting other black hats.

  2. The final cleanup by Anonymous Coward · · Score: 0

    Eventually each one of these computers will be powered down.

    Hopefully before the end of human civilization.

    1. Re:The final cleanup by Anonymous Coward · · Score: 1

      Apoptosis - "The weariness of the cell is the vigour of the organism." - George Orwell.

  3. Deny access by Anonymous Coward · · Score: 0

    Deny internet access to infected units, will clean up faster than you think.

    1. Re:Deny access by Anonymous Coward · · Score: 0

      Doing this would set a dangerous precedent. Imagine malware which downloads porn, and you deny internet access to everyone who downloads porn because they must be "infected".

    2. Re:Deny access by fuzzyfuzzyfungus · · Score: 1

      Denial arguably creates a problematic perverse incentive because it provides a DoS-like extra 'for free' if you can manage to make the target act enough like it has been botted.

      For people who aren't exactly up to the task of running their own IDS, though, information would certainly be helpful. There probably are people who don't care about running a festering worm farm; but there are definitely people who don't know that they are doing so.

    3. Re:Deny access by ShaunC · · Score: 1

      The precedent was set long ago. ISPs regularly disconnect customers whose systems are spewing out spam email, participating in DDoS attacks, etc. The approach varies a bit depending upon the provider and the client's service level; consumers will usually be cut off without warning and enterprise connections might get a phone call or email first, but responsible providers act quickly on abuse complaints. Irresponsible providers often find themselves losing various bits of connectivity to the rest of the world.

      Imagine malware which downloads porn, and you deny internet access to everyone who downloads porn because they must be "infected"

      Maybe in the UK or Iran, but that isn't a net abuse issue, it's an issue of oppressive government.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    4. Re: Deny access by Anonymous Coward · · Score: 0

      India is already classifying porn as an infection.

      A good virus is no different than an idea, it appears, it spreads, it permeates - permutates... swype :) and lastly lobbies for uefi to secure its foothold.

    5. Re: Deny access by Anonymous Coward · · Score: 0

      A background task that keeps your porn stash up to date would probably violate Kickstarter's TOS, but for what it's worth, I would back you.

    6. Re:Deny access by Anonymous Coward · · Score: 0

      So if I happen to be visiting a website while it's being DDoS attacked, I'll be disconnected because I "participated" in the attack? Instead of ISPs having to decide what's abuse and what's not, how about we design an infrastructure such that no ISP customer can do any harm, whatever the packets their system is sending?

    7. Re:Deny access by bev_tech_rob · · Score: 1

      So if I happen to be visiting a website while it's being DDoS attacked, I'll be disconnected because I "participated" in the attack? Instead of ISPs having to decide what's abuse and what's not, how about we design an infrastructure such that no ISP customer can do any harm, whatever the packets their system is sending?

      Basically eliminate the Internet as it is and start from scratch. You better get cracking.....

      --
      You're messin' with my Zen Thing, man.....
    8. Re:Deny access by Penguinisto · · Score: 1

      So if I happen to be visiting a website while it's being DDoS attacked, I'll be disconnected because I "participated" in the attack?

      Pretty sure they're going to know if you sent just a few packets a minute or several million in the same time space...

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  4. Re:However, by Anonymous Coward · · Score: 1

    So your solution is just to get rid of all personal computers.

  5. Re:However, by Anonymous Coward · · Score: 0

    Maybe it would go faster if the people running these things were hunted down and killed.

  6. Vast majority will be in landfill... by Gordo_1 · · Score: 3, Insightful

    well before 10 years is up.

    1. Re:Vast majority will be in landfill... by swb · · Score: 4, Insightful

      I wonder how many infected systems either were originally VMs or physical systems turned into VMs that will live on in VM farms far longer because they support some obsolete or unupgradeable system or because nobody wants to turn them off.

      It's not hard to see systems that should eventually die off live on far longer thanks to virtualization.

  7. Does this matter? by Anonymous Coward · · Score: 0

    Not much of a problem to be infected after the C&C servers are down?

    1. Re: Does this matter? by Anonymous Coward · · Score: 0

      Many bot nets connect to time based algorithm generated domains. Take the servers down and someone who knows the future domains would happily pick up where they left off.

  8. Re: However, by Anonymous Coward · · Score: 0

    Reading comprehension, bro. Read it again.

  9. Re:However, by gstoddart · · Score: 1

    Honestly, if this is a problem ... let ISPs basically block anybody who is still sending out packets with this crap.

    If your machine is a threat to the rest of us, cutting you off from the internet might get your attention.

    This way when you call your ISP and say the intertubes are broken they can see the flag on your account which says "banished" and tell you to fix your PC, or stay off the internet.

    But let's not pretend Linux, Android, or Apple haven't had similar problems.

    The problem with botnets is people might not even know they're infected. Aggressively disconnecting from the internet might actually achieve something.

    --
    Lost at C:>. Found at C.
  10. Re:However, by RobinH · · Score: 4, Interesting

    Yeah, but half those infected machines/networks are probably critical infrastructure like dams and nuclear plants. You know, the kind of software from vendors that won't warranty it if you install antivirus... I'm looking at you Rockwell Automation.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  11. Re:However, by fustakrakich · · Score: 1

    Sorry, too many false positives would result, and on top of that, anybody with 'undesirable' content will be accused of being a 'threat'.

    --
    “He’s not deformed, he’s just drunk!”
  12. Durability by Hydrated+Wombat · · Score: 1

    I'm really impressed that so many modern computers are lasting so long and that so many people are using them. Use it up, make it do, or do without is a good policy for things that aren't mission critical.

  13. Re: However, by Falos · · Score: 1

    If your reading comprehension can't mature past literal face value, implied equivalents and other subtleties will elude you.

    Not that I necessarily endorse GP's snark or not.

  14. Re:However, by gstoddart · · Score: 4, Insightful

    If your critical infrastructure for your dam and nuclear plant is sending stuff out to the internet, you likely have bigger problems.

    However, I won't disagree with your point about vendors being impediments to security.

    --
    Lost at C:>. Found at C.
  15. Re:However, by Anonymous Coward · · Score: 0

    Honestly, if this is a problem ... let ISPs basically block anybody who is still sending out packets with this crap.

    Botnet wranglers will just update the binaries to change the signature of packets or addresses of CC servers. Shutting out botted devices in a piecemeal manner won't have an impact on the attempted eradication.

  16. "Forever"? by zarmanto · · Score: 1

    ... they might remain infected forever ...

    Nothing lasts forever: The infected computers will eventually cease to function. It would have been more accurate (and less of an inflammatory panic reaction) to suggest that the infected computers might remain infected for the remainder of their active life.

    1. Re:"Forever"? by Jumunquo · · Score: 1

      Diamonds are... ;)

      Even if some component of the computer, say the power supply, ceases to function, the hard drive or flash chip is still technically infected. Rather than making a more accurate statement, what you have done is make a different but also accurate statement that we don't care if it's infected but not in use currently.

    2. Re:"Forever"? by Anonymous Coward · · Score: 0

      There you go, mark it in your notes: zarmanto, puerile slashdot pedant.

    3. Re:"Forever"? by zarmanto · · Score: 1

      ... say the power supply, ceases to function, the hard drive or flash chip is still technically infected. Rather than making a more accurate statement, what you have done is make a different but also accurate statement that we don't care if it's infected but not in use currently.

      I stand by my previous statement: the hard drive (or flash drive) will eventually fail. That said... I agree with your conclusion, even if I'm inclined to nitpick the details: an infection which is contained -- ergo, can no longer spread nor do anything harmful -- is really not worth worrying about.

  17. Re:However, by IamTheRealMike · · Score: 2

    In fairness, many AV engines are total crap and are notorious for interfering and breaking all kinds of software.

  18. Re:However, by Anonymous Coward · · Score: 0

    Good. Antivirus is a tiger repellent rock. Too many fools in this industry following ineffective "best practices" to mitigate insecure architecture decisions instead of designing procedures/systems which are inherently secure.

    If your workflow depends on poking holes in the firewall that is a failure of capital investment in infrastructure. The bean counters won't appropriate the $$$ to buy the necessary equipment to do things properly so people end up forced to co-mingle their high-risk activities with their high-value infrastructure. The results are as predictable as putting the condoms next to the insulin needles at the pharmacy, banning socks and shoes, and then giving away methadone at the front door.

    Don't act surprised when someone steps on an HIV infected needle. Having a "Sharps" container only reduces the frequency of the occurrence.

  19. not correct by Anonymous Coward · · Score: 0

    There is a band around the model - the difference between actual and model. I suspect when that band overlaps with zero, not the model overlaps with zero, then the physics of the infection might transition to zero. This gives a way to estimate an "expected horizon" for nations and infections when the model fundamentally excludes zero.

  20. Re:However, by houghi · · Score: 2

    What I think is a shame is that we do not go after the REAL responsible people.
    These systems all have a system admin that maintains them. These all used to read /. and now they don't anymore. So the real reason is Digg. Why do they want to blow up nuclear plants? I don't know, but that is the question we should REALLY ask Digg: have they stopped wanting to blow up nuclear plants?

    --
    Don't fight for your country, if your country does not fight for you.
  21. Re:However, by Anonymous Coward · · Score: 0

    Actually, there are billions more Linux machines than Windows - mostly cell phones and routers. Most every Windows desktop machine has a dinky little Linux router on the floor amongst the dust bunnies and most of those billions of Linux machines are not infected with crapware. The crapware problem really is due to the bad design of Windows.

  22. Re:However, by Anonymous Coward · · Score: 0

    A future in which everyone has a mobile botstick infected with hundreds if not thousands of pieces of malware that they will never know about because they are just going to buy another phone in a year or two.

  23. Botnet takeover by craighansen · · Score: 1

    The news article claimed that researchers had control over the botnet, but the research paper implies otherwise, simply that the control network was rendered inaccessible.

    Did Conficker have something to prevent a takeover, such as using a public key signature to verify update code?

    If they were able to inject a popup window informing the user of the infection, surely disinfection rates would have been much higher. The research paper says that millions of users bought phony security software via Conficker, so they'd likely respond to a popup invitation.

    1. Re:Botnet takeover by Zocalo · · Score: 1

      They have control over the Bot*Net*, but the actual bots are continuing to operate on autopilot searching for and attempting to infect other hosts. Short of sending a "shutdown" command - assuming Conficker has one - and potentially assuming liability for any PCs that might be in life-safety applications (common sense says there shouldn't be any, however reality says otherwise) there's not a lot else they can do but wait for their owners to replace them. Given how long PCs tend to stay in use outside the Home/Office environments (I can personally cite an example of over 20 years for a SparcStation in a manufacturing environment), that might take quite some time...

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:Botnet takeover by Anonymous Coward · · Score: 0

      I can cite about 200-odd 13+ year old Windows XP systems still in use in a major printing environment. IT do their best to lock them down, but to be honest they're a bunch of underskilled boobs who think they're awesome because they work in IT.

    3. Re:Botnet takeover by Anonymous Coward · · Score: 0

      If they were able to inject a popup window informing the user of the infection, surely disinfection rates would have been much higher.

      This would be an unauthorized use of computing resources. Basically the only thing you can do after seizing control of the CC servers is to acknowledge the data packets that the infected hosts send to you. And even that might get challenged in some jurisdictions.

  24. Duh... by Anonymous Coward · · Score: 0

    ... well if bennett says its true, then we should all believe it.

  25. Oh! *Bot*nets! by Anonymous Coward · · Score: 0

    I thought it said "Cleaning Up Bennetts Takes Years, May Never Be Completed". I chuckled for a moment, then I thought, wait "Bennetts"? There's more than one? Cue the horror movie scream.

    1. Re:Oh! *Bot*nets! by Anonymous Coward · · Score: 0

      There is One, and only One Bennett!

      BURN THE HERETIC!!

  26. Re:However, by Anonymous Coward · · Score: 0

    Honestly, if this is a problem ... let ISPs basically block anybody who is still sending out packets with this crap

    You haven't thought through the slippery slope of handing Comcast this power. Your idea is bad.

  27. Re:However, by Anonymous Coward · · Score: 0

    I hate when people use the term "Slippery slope" WHILE COMMITTING the 'slippery-slope fallacy'

  28. I'm confused by Minwee · · Score: 2

    Isn't this why we have Internet Cleanup Day?

    Really, why is it so hard for everybody in the world to just take one day out of the year to shut down all of their systems, wipe the hard drives and re-install everything from the installation media?

    1. Re:I'm confused by Anonymous Coward · · Score: 0

      This is a joke right? I don't have a single piece of installation media. My OS was loaded via an ISO (which I no longer have) over a flash drive.

    2. Re:I'm confused by ThatAblaze · · Score: 3, Insightful

      Anyone who has an 8-year-old computer has probably lost the installation media for it. Many of them might be running POS systems that don't work past Win95. We're not talking about office or home computers here, those have all been changed out long ago. These are mostly old computers in a back room that have been plugging away at a single task for years.

    3. Re:I'm confused by Jumunquo · · Score: 1

      A lot of these might be embedded devices as well. Windows XP embedded was quite popular among manufacturers for all kinds of devices, before the Android age.

    4. Re:I'm confused by Anonymous Coward · · Score: 0

      One day. Being conservative, 1 billion people to service the 2 (?) billion computers in use. (According to Cisco, there are 25 billion connected devices to the Internet).

      Some won't need a full day, for others it will turn into a nightmare week. So we'll stick with 8 hours (i.e., one day out of the year) for this exercise.

      1 billion people * 8 hours = 8 billion hours or 3.92 million man-years.

      How much money are botnets costing the world? More than that?

  29. Re:However, by Joce640k · · Score: 1

    Um, how will they do that without Internet access?

    --
    No sig today...
  30. Re:However, by Anonymous Coward · · Score: 0

    Shocking that someone reading a tech news website could actually sustain this belief. Go look up the percentage of Web servers that are Windows, and reformulate your argument. We can wait.

  31. Who is really infected? by Stan92057 · · Score: 1

    So the only ones infected are the ones who don't run or keep their PCs up to date, correct? Just like the Yahoo Flash exploit, wouldn't antivirus software be blocking that exploit as it is not a new exploit? What about people who don't run Flash with the default setting? I don't allow Flash to save any data, I don't let sites save data in it, and so on.

    --
    Jack of all trades, master of none
  32. Naaa, hardware failure will do it eventually... by gweihir · · Score: 1

    Hyperbole like "forever" has no place in a professional treatment of the situation. May take a decade or two though.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  33. ISPs should disconnect the infected by Gravis+Zero · · Score: 1

    It's pretty simple: if you are coughing up blood, you don't go to work and then infect your coworkers with Ebola. Why should we allow computers that are doing the same thing to come to the internet? People mostly don't know they are infected, so injecting a little HTML into served pages that will help them disinfect their computer would be a good start. If it's been a week and they are still infected, it's time to serve them pages only on how to disinfect their machine and close any unrelated ports.

    There is no need for this bullshit to continue.

    --
    Anons need not reply. Questions end with a question mark.
  34. Re: However, by Anonymous Coward · · Score: 0

    Zzz, so says the guy that is oblivious to the fact that said routers were just vulnerable to shellshock++ and can easily be corralled into dosnets etc.

  35. Re:However, by Penguinisto · · Score: 1

    If your SCADA machinery is plugged into the Public Internet, you got way bigger problems than whether or not it's a bot...

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  36. Re:However, by Anonymous Coward · · Score: 0

    Unless the ISP is going to disconnect every single compromised device on their network at once, which will lead to a bunch of angry customers, they will have no hope of eradicating the botnet.

  37. 36 times! by Jumunquo · · Score: 1

    ROFL, from the article:
    Sometimes, it was hard for ISPs to help consumers clean up their infected computers. Asghari said he spoke to one ISP that contacted the same customer 36 times in an effort to get rid of Conficker.
    “Every time the customer would say I’ve cleaned it up, but the infection would return,” he said.

    1. Re:36 times! by Anonymous Coward · · Score: 0

      That's in part because customers lie. They only want to get rid of the malware because they want you to turn their internet connection back on. So they get a friend's computer, plug that in and call you. Or they do reinstall their computer, but not before they backup everything including the malware, so they can restore it when their internet connection works again.

  38. You're attacking the wrong part. by argStyopa · · Score: 0

    ...instead of "going after" the infection, you go after the humans that deployed it.
    Recognize the MASSIVE damage/vulnerability these people are exploiting, and the threat it poses to our modern society. Act accordingly.

    When you have them arrested, randomly decimate them.

    If they are arrested a 2nd time for the same offense, they will be the first in line to be decimated.

    I suspect that botnet attacks would decrease.

    --
    -Styopa
    1. Re:You're attacking the wrong part. by Anonymous Coward · · Score: 1

      You would be wrong: the death penalty doesn't discourage violent crime, either.

    2. Re:You're attacking the wrong part. by htomc42 · · Score: 2

      How about simply putting them in a jail cell with a computer terminal. Their task is to use their own network to go in and disinfect each and every last machine. They don't see the light of day again until they accomplish this task, and if it's longer than their lifetimes, so be it.

  39. Re:However, by Anonymous Coward · · Score: 0

    Calm down Rush!

  40. Block botnets via something you have natively by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community!

    * :)

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model also https://www.virustotal.com/en/...

    ---

    "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    PERTINENT QUOTE/EXCERPT:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    (Accept NO substitutes!)

    ...apk

  41. Re:However, by Anonymous Coward · · Score: 0

    However, I won't disagree with your point about vendors being impediments to security.

    It's not just vendors, unfortunately. We very recently had to deal with a customer using outsourced IT. A particular computer could connect to our SSL web site because of an "Untrusted certificate" error in MS-IE. After spending some time diagnosing the problem we came to realize that the machine had been installed from the Windows XP Service Pack 1 CD and Windows Updates had been disabled so it hadn't been getting Root Certificate Updates or anything else since at least 2004. Their outsourced IT department refused to allow Windows Updates to be run on it.

  42. solved. by Anonymous Coward · · Score: 0

    distrowatch.com

    have a great day.

  43. Re: However, by Anonymous Coward · · Score: 0

    This is not about "implied equivalents" because there is no way you could possibly conclude that getting rid of Windows means getting rid of all computers running Windows. My best guess is that if GGP was a technically literate person, he would not make such attempt at joking because he'd know it would not be funny because it has no connection to reality. The only conclusion you could possibly come to is that GGP was serious and his erroneous views needed to be corrected.

  44. Big talk from gweihir the trolling pussy by Anonymous Coward · · Score: 0

    "Run, Forrest: RUN!!!" vs. a fair challenge http://news.slashdot.org/comme...

    APK

    P.S.=> Keep on shooting your blowhard done nothing in computing mouth off gweihir - I'll be RIGHT THERE AGAIN to expose your crap yet again (have fun with the shame you'll have to publicly endure here & YOU STARTED IT WITH ME YOU USELESS TROLLING LOSER WITH NO SKILLS BUT LOTS OF MERE "TALK", lmao)... apk