Slashdot Mirror


Cleaning Up Botnets Takes Years, May Never Be Completed

Once a botnet has taken root in a large pool of computers, truly expunging it from them may be a forlorn hope. That, writes itwbennett, is: the finding of researchers in the Netherlands who analyzed the efforts of the Conficker Working Group to stop the botnet and find its creators. Seven years later, there are still about 1 million computers around the world infected with the Conficker malware despite the years-long cleanup effort. 'These people that remain infected — they might remain infected forever,' said Hadi Asghari, assistant professor at Delft University of Technology in the Netherlands. The research paper will be presented next week at the 24th USENIX Security Symposium in Washington, D.C. (And "Post-Mortem of a Zombie" is an exciting way to title a paper.)

35 of 74 comments (clear)

  1. Never be completed by fustakrakich · · Score: 2

    Golly Gee! Neither will garbage collection... Let's just let it pile up, eventually it will collapse by its own mass.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Never be completed by Penguinisto · · Score: 1

      I think it would be easier to simply take command/control of those bots and start flushing hard drives (or whatever else will ensure it never reboots), then shut it down remotely.

      Or, if you don't feel that destructive? Drop a small executable that removes all networking/modem/etc capabilities upon boot, then remotely restart the machine. They keep their cat pictures, and we don't have to deal with it being on the public network.

      Yes it's completely unethical, etc... but maybe that's the one thing that will give the botted machine owners the hint that maybe they should take their boxes down to Geek Squad (or wherever) to get fixed?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:Never be completed by Alok · · Score: 1

      I've long thought of this (removing networking from the bots) as being the best actual solution, too bad that there is no way to do so legally. Maybe use the bots to scan for 0-day vulnerabilities, and forcibly upgrade or configure security FW/AV etc. to deal with it :D

      Well, I also wondered why no black hat ever tried it, but I guess all of them are busy making a lot of $$ selling exploits to various agencies rather than disrupting other black hats.

  2. Re:However, by Anonymous Coward · · Score: 1

    So your solution is just to get rid of all personal computers.

  3. Vast majority will be in landfill... by Gordo_1 · · Score: 3, Insightful

    well before 10 years is up.

    1. Re:Vast majority will be in landfill... by swb · · Score: 4, Insightful

      I wonder how many infected systems either were originally VMs or physical systems turned into VMs that will live on in VM farms far longer because they support some obsolete or unupgradeable system or because nobody wants to turn them off.

      It's not hard to see systems that should eventually die off live on far longer thanks to virtualization.

  4. Re:The final cleanup by Anonymous Coward · · Score: 1

    Apoptosis - "The weariness of the cell is the vigour of the organism." - George Orwell.

  5. Re:However, by gstoddart · · Score: 1

    Honestly, if this is a problem ... let ISPs basically block anybody who is still sending out packets with this crap.

    If your machine is a threat to the rest of us, cutting you off from the the internet might get your attention.

    This way when you call your ISP and say the intertubes are broken they can see the flag on your account which says "banished" and tell you to fix your PC, or stay off the internet.

    But let's not pretend Linux, Android, or Apple haven't had similar problems.

    The problem with botnets is people might not even know they're infected. Aggressively disconnecting from the internet might actually achieve something.

    --
    Lost at C:>. Found at C.
  6. Re:Deny access by fuzzyfuzzyfungus · · Score: 1

    Denial arguably creates a problematic perverse incentive because it provides a DoS-like extra 'for free' if you can manage to make the target act enough like it has been botted.

    For people who aren't exactly up to the task of running their own IDS, though, information would certainly be helpful. There probably are people who don't care about running a festering worm farm; but there are definitely people who don't know that they are doing so.

  7. Re:However, by RobinH · · Score: 4, Interesting

    Yeah, but half those infected machines/networks are probably critical infrastructure like dams and nuclear plants. You know, the kind of software from vendors that won't warranty it if you install antivirus... I'm looking at you Rockwell Automation.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  8. Re:However, by fustakrakich · · Score: 1

    Sorry, too many false positives would result, and on top of that, anybody with 'undesirable' content will be accused of being a 'threat'.

    --
    “He’s not deformed, he’s just drunk!”
  9. Durability by Hydrated+Wombat · · Score: 1

    I'm really impressed that so many modern computers are lasting so long and that so many people are using them. Use it up, make it do, or do without is a good policy for things that aren't mission critical

  10. Re: However, by Falos · · Score: 1

    If your reading comprehension can't mature past literal face value, implied equivalents and other subtleties will elude you.

    Not that I necessarily endorse GP's snark or not.

  11. Re:However, by gstoddart · · Score: 4, Insightful

    If your critical infrastructure for your dam and nuclear plant is sending stuff out to the internet, you likely have bigger problems.

    However, I won't disagree with your point about vendors being impediments to security.

    --
    Lost at C:>. Found at C.
  12. Re:Deny access by ShaunC · · Score: 1

    The precedent was set long ago. ISPs regularly disconnect customers whose systems are spewing out spam email, participating in DDoS attacks, etc. The approach varies a bit depending upon the provider and the client's service level; consumers will usually be cut off without warning and enterprise connections might get a phone call or email first, but responsible providers act quickly on abuse complaints. Irresponsible providers often find themselves losing various bits of connectivity to the rest of the world.

    Imagine malware which downloads porn, and you deny internet access to everyone who downloads porn because they must be "infected"

    Maybe in the UK or Iran, but that isn't a net abuse issue, it's an issue of oppressive government.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  13. "Forever"? by zarmanto · · Score: 1

    ... they might remain infected forever ...

    Nothing lasts forever: The infected computers will eventually cease to function. It would have been more accurate (and less of an inflammatory panic reaction) to suggest that the infected computers might remain infected for the remainder of their active life.

    1. Re:"Forever"? by Jumunquo · · Score: 1

      Diamonds are... ;)

      Even if some component of the computer, say the power supply, ceases to function, the hard drive or flash chip is still technically infected. Rather than making a more accurate statement, what you have done is make a different but also accurate statement that we don't care if it's infected but not in use currently.

    2. Re:"Forever"? by zarmanto · · Score: 1

      ... say the power supply, ceases to function, the hard drive or flash chip is still technically infected. Rather than making a more accurate statement, what you have done is make a different but also accurate statement that we don't care if it's infected but not in use currently.

      I stand by my previous statement: the hard drive (or flash drive) will eventually fail. That said... I agree with your conclusion, even if I'm inclined to nitpick the details: an infection which is contained -- ergo, can no longer spread nor do anything harmful -- is really not worth worrying about.

  14. Re:However, by IamTheRealMike · · Score: 2

    In fairness, many AV engines are total crap and are notorious for interfering and breaking all kinds of software.

  15. Re:However, by houghi · · Score: 2

    What I tghink is a shame is that we do not go after the REAL resposible people.
    These systems have all a systemn admin that maintains them. These all used to read /. and now they don't anymore. So the real reason is Digg. Why do they want to blow up nuclear plants? I don't know, but that is the question we should REALLY ask Digg: have they stopping wanting to blow up nuclear plants?

    --
    Don't fight for your country, if your country does not fight for you.
  16. Botnet takeover by craighansen · · Score: 1

    The news article claimed that researchers had control over the botnet, but the research paper implies otherwise, simply that the control network was rendered inaccessible.

    Did Conficker have something to prevent a takeover, such as using a public key signature to verify update code?

    If they were able to inject a popup window informing the user of the infection, surely disinfection rates would have been much higher. The research paper says that millions of users bought phony security software via Conficker, so they'd likely respond to a popup invitation.

    1. Re:Botnet takeover by Zocalo · · Score: 1

      They have control over the Bot*Net*, but the actual bots are continuing to operate on autopilot searching for and attempting to infect other hosts. Short of sending a "shutdown" command - assuming Conficker has one - and potentially assuming liability for any PCs that might be in life-safety applications (common sense says there shouldn't be any, however reality says otherwise) there's not a lot else they can do but wait for their owners to replace them. Given how long PCs tend to stay in use outside the Home/Office environments (I can personally cite an example of over 20 years for a SparcStation in a manufacturing environment), that might take quite some time...

      --
      UNIX? They're not even circumcised! Savages!
  17. Re:Deny access by bev_tech_rob · · Score: 1

    So if I happen to be visiting a website while it's being DDoS attacked, I'll be disconnected because I "participated" in the attack? Instead of ISPs having to decide what's abuse and what's not, how about we design an infrastructure such that no ISP customer can do any harm, whatever the packets their system is sending?

    Basically eliminate the Internet as it is and start from scratch. You better get cracking.....

    --
    You're messin' with my Zen Thing, man.....
  18. I'm confused by Minwee · · Score: 2

    Isn't this why we have Internet Cleanup Day?

    Really, why is it so hard for everybody in the world to just take one day out of the year to shut down all of their systems, wipe the hard drives and re-install everything from the installation media?

    1. Re:I'm confused by ThatAblaze · · Score: 3, Insightful

      Anyone who has a 8 year old computer has probably lost the installation media for it. Many of them might be running POS systems that don't work past win95. We're not talking about office or home computers here, those have all been changed out long ago. These are mostly old computers in a back room that have been plugging away at a single task for years.

    2. Re:I'm confused by Jumunquo · · Score: 1

      A lot of these might be embedded devices as well. Windows XP embedded was quite popular among manufacturers for all kinds of devices, before the Android age.

  19. Re:However, by Joce640k · · Score: 1

    Um, how will they do that without Internet access?

    --
    No sig today...
  20. Who is really infected? by Stan92057 · · Score: 1

    So the only ones infected are the ones who don't run or keep their PCs up to date correct? Just like the Yahoo Flash exploit, wouldn't antivirus software be blocking that exploit as it is not a new exploit? what about people who don't run Flash with the default setting? i don't allow flash to save any data i don't let sites save data in it and so on.

    --
    Jack of all trades,master of none
  21. Naaa, hardware failure will do it eventually... by gweihir · · Score: 1

    Hyperbole like "forever" has no place in a professional treatment of the situation. May take a decade or two though.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  22. ISPs should disconnect the infected by Gravis+Zero · · Score: 1

    it's pretty simple, if you are coughing up blood, you dont go to work and then infect your coworkers with ebola. why should we allow computers that are doing the same thing to come to the internet? people mostly dont know they are infected, so injecting a little HTML into served pages that will help them disinfect their computer would be a good start. if it's been a week and they are still infected, it's time to serve them pages only on how to disinfect their machine and close any unrelated ports.

    there is no need for this bullshit to continue.

    --
    Anons need not reply. Questions end with a question mark.
  23. Re:However, by Penguinisto · · Score: 1

    If your SCADA machinery is plugged into the Public Internet, you got way bigger problems than whether or not it's a bot...

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  24. Re:Deny access by Penguinisto · · Score: 1

    So if I happen to be visiting a website while it's being DDoS attacked, I'll be disconnected because I "participated" in the attack?

    Pretty sure they're going to know if you sent just a few packets a minute or several million in the same time space...

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  25. 36 times! by Jumunquo · · Score: 1

    ROFL, from the article:
    Sometimes, it was hard for ISPs to help consumers clean up their infected computers. Asghari said he spoke to one ISP that contacted the same customer 36 times in an effort to get rid of Conficker.
    “Every time the customer would say I’ve cleaned it up, but the infection would return,” he said.

  26. Re:You're attacking the wrong part. by Anonymous Coward · · Score: 1

    You would be wrong: the death penalty doesn't discourage violent crime, either.

  27. Re:You're attacking the wrong part. by htomc42 · · Score: 2

    How about simply putting them in a jail cell with a computer terminal. Their task is to use their own network to go in and disinfect each and every last machine. They don't see the light of day again until they accomplish this task, and if it's longer than their lifetimes, so be it.