Slashdot Mirror


Police Reveal Tactics For Fighting Botnets (databreachtoday.com)

Botnet herders have sophisticated "disaster recovery" plans, according to speakers at a recent cybersecurity conference, with many splitting their botnets into smaller herds, making them more resilient. In addition, kierny writes: Researchers say these backup botnets are tough to detect, until gangs have already spooled them up and put them to use in major campaigns... "What we're seeing is the bad guys are starting to learn from this," said Steven Wilson, head of the European Cybercrime Center at Europol -- the EU's law enforcement agency...
Wilson said authorities are now gathering tremendous amounts of data by "sink-holing" -- forcibly redirecting the infected endpoints onto servers controlled by law enforcement. And he also reports that authorities have successfully mined the blockchains of bitcoin transactions for information. Eamonn Keane, a detective from a cybercrime unit with the Scotland Police, added that authorities are also infiltrating dark net forums to bust bitcoin-using criminals. "Are law enforcement in there? Absolutely... We have a mandate to protect you in the real world; increasingly it's moving into the online environment."

38 comments

  1. BLIMEY! by Anonymous Coward · · Score: 0

    Blimey bitcoin points to the bad man like nothing else!

  2. Serious Felony by Anonymous Coward · · Score: 0

    Possession of the command and control apparatus of a botnet (so to speak) should be a felony with an automatic 20 year sentence.

    1. Re:Serious Felony by Anonymous Coward · · Score: 0

      We should have automatic sentencing for every crime. Who needs judges? Think of the money we'd save by eliminating an entire branch of government.

    2. Re:Serious Felony by Anonymous Coward · · Score: 0

      The internet is built for serious use, you should consider everything on it a joke. Using the internet for real world tasks should be considered a felony.

    3. Re:Serious Felony by Anonymous Coward · · Score: 0

      We should have automatic sentencing for every crime. Who needs judges? Think of the money we'd save by eliminating an entire branch of government.

      Mandatory sentencing and adjudication are two different things.

    4. Re:Serious Felony by superwiz · · Score: 1

      That's silly. There is no practical distinction between federated access to resources you own and resources to which you acquired access without owners' consent (until you are discovered). Not to mention the fact that even if the distinction did exist, it would be virtually impossible to tell the difference between those who deploy it willingly and those who host and deploy them without their own knowledge of it. Eliminating legitimate technical tools would only hamper industry and hamper security research. In fact, the only reason police have access to tools like these is that people can learn how to use them by using them on their own hardware and researching it.

      --
      Any guest worker system is indistinguishable from indentured servitude.
    5. Re:Serious Felony by superwiz · · Score: 2

      You are mixing two concepts. This should not be a crime at all. Mandatory sentencing is a Good Thing (TM) because it acts as a check on judicial system. And judges, as all people, may err. We have mechanisms for fixing their errors when they are overly zealous (appeals, pardons, etc.) We should have mechanisms to fix their judgement when they err on the side of being too lenient.

      --
      Any guest worker system is indistinguishable from indentured servitude.
    6. Re:Serious Felony by Plus1Entropy · · Score: 1

      We should have mechanisms to fix their judgement when they err on the side of being too lenient.

      No, we shouldn't. This is why our legal system is innocent until proven guilty, and why we have double jeopardy laws. It is specifically designed to err on the side of too lenient.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    7. Re:Serious Felony by myowntrueself · · Score: 1

      Possession of the command and control apparatus of a botnet (so to speak) should be a felony with an automatic 20 year sentence.

      Yeah I can see Putin and Xi Jinping totally going along with that.

      --
      In the free world the media isn't government run; the government is media run.
    8. Re:Serious Felony by superwiz · · Score: 2

      No, we shouldn't. This is why our legal system is innocent until proven guilty, and why we have double jeopardy laws. It is specifically designed to err on the side of too lenient.

      I was waiting for this argument. Sentencing happens after you are proven guilty. It's ok to err on the side of finding someone innocent if they are guilty. But once guilt is legally established, erring on the side of being lenient (in sentencing) undermines legislative intent to treat certain activities as crimes. It takes away the power from the legislature to make certain activities crimes. Let's take this example to an extreme. Let's say there are no minimal sentences. Then someone found guilty of murder could be sentenced to serve 1 day. I am not saying this is what would ever happen. But I am saying that this is what a system without minimal sentences would allow to happen.

      --
      Any guest worker system is indistinguishable from indentured servitude.
  3. DDOS absolutely a scourge atm by Anonymous Coward · · Score: 0

    Right now, DDOS attacks are an absolute scourge. ANY site that discusses politics has this happen to it IMMEDIATELY. All quickly buy cloudflare service.

    If these botnets went away, cloudflare would probably just be limited to larger websites again.

    1. Re:DDOS absolutely a scourge atm by Anonymous Coward · · Score: 0

      All quickly buy cloudflare service.

      Makes you wonder, doesn't it? Every now and then, a fire chief gets busted for arson...

    2. Re:DDOS absolutely a scourge atm by Plus1Entropy · · Score: 1

      ANY site that discusses politics has this happen to it IMMEDIATELY.

      Really? I've never seen it happen here, and we discuss politics all the fucking time. In fact, that mountain is clearly a mole hill.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    3. Re:DDOS absolutely a scourge atm by myowntrueself · · Score: 1

      ANY site that discusses politics has this happen to it IMMEDIATELY.

      Really? I've never seen it happen here, and we discuss politics all the fucking time. In fact, that mountain is clearly a mole hill.

      Let's amend that:
      Any site that discusses politics unfriendly to SJWs has this happen to it immediately

      --
      In the free world the media isn't government run; the government is media run.
  4. gathering tremendous amounts of data by Anonymous Coward · · Score: 0

    '..Wilson said authorities are now gathering tremendous amounts of data by "sink-holing"..'

    Yes, and most of it belongs to the victims, still...

    nothing to hide, nothing to fear eh?

    1. Re:gathering tremendous amounts of data by Anonymous Coward · · Score: 0

      But then how do you explain all those gag orders?

  5. "To Protect You" by axewolf · · Score: 2

    Now we can have a long, boisterous, drawn-out laugh

    1. Re:"To Protect You" by Anonymous Coward · · Score: 0

      They protect someone for sure. If that's not you, it is your fault.

    2. Re:"To Protect You" by Anonymous Coward · · Score: 1

      They protect themselves and whoever's bri... sorry, lobbied the local politician. So really it's whoever they are protecting's fault

  6. Police IQ by Anonymous Coward · · Score: 0

    If you have a high IQ you can't be a police officer.

    These must be really smart idiots

  7. Am I the only one.... by Anonymous Coward · · Score: 0

    ...who read the title as "Police Reveal Tactics for Fighting Blondenets"?

  8. Why So Hard? by ytene · · Score: 3, Interesting

    Maybe I have misunderstood the practicalities of running a botnet, or perhaps there is something not quite "right" about what we're being told here.

    If you deploy a piece of malware that turns a PC into a zombie, that unit can only be useful after it has been programmed to do something for the botnet ringmaster. Typically, or so we're told, zombies are used to send spam, maybe compute bitcoins, that sort of thing...

    But, since we know that in a large part of the western world [certainly in the UK] that ISPs are now required to keep extensive logs and copies of things like web searches, pages visited, emails received and so on, surely if law enforcement agencies are determined to stamp out botnets, then we should expect to see much greater successes than those reported...

    1. Flag any end-user PC that is originating SMTP port calls - workstations should be using IMAP or POP...
    2. Flag any end-user device that calls or polls known botnet "master" servers...
    3. Once a piece of malware is identified [for example emails with suspicious attachments] then work "out" from the point of detection - i.e. trace back to the originator of the email; look into any other emails sent with similarly sized attachments, etc, etc.
    We know, thanks to Snowden, that our governments easily have the capability to do all this and more. However, despite the fact that they certainly have plenty of evidence to know where all this criminal activity is coming from, nothing seems to be happening to crack down on it. I've always been a bit suspicious of the conspiracy theory that says the reason for the inaction is that had the authorities run round closing down gangs of cyber criminals quickly and easily, word would have gotten out about how powerful the security monitoring really was.

    But the curious thing is that we now know just how intrusive all the monitoring has become, yet we don't see any benefits from all the supposed safeguards being put into place. Maybe - just maybe - people would actually be less suspicious of authorities who made a demonstrable positive change in the on-line security of the general public...?

    1. Re:Why So Hard? by Anonymous Coward · · Score: 0

      But then you'd be less afraid, wouldn't feel the need to be 'kept safe' and would probably be less likely to shut up and do as you're told. It's the same reason you're not allowed job security or a shot at a pension you can live on by retirement age.

    2. Re:Why So Hard? by superwiz · · Score: 1

      But, since we know that in a large part of the western world [certainly in the UK] that ISPs are now required to keep extensive logs and copies of things like web searches, pages visited, emails received and so on

      They may require it all they want, but as long as there is point-to-point encryption (as there is with, for example, Google), ISPs can't see what your searches are or what you do on your encrypted web-mail servers. They can't record what they can't see.

      --
      Any guest worker system is indistinguishable from indentured servitude.
    3. Re:Why So Hard? by Anonymous Coward · · Score: 0

      1. Flag any end-user PC that is originating SMTP port calls - workstations should be using IMAP or POP...

      How do you expect end-user PCs to send mail? IMAP and POP are not for sending mail to someone else, just retrieving (and in the case of IMAP storing) emails.

      In agreement with the rest of your post, just that one section does not work. Please educate me if I'm wrong, but I don't think I am.

    4. Re:Why So Hard? by ytene · · Score: 1

      You ask a good question, but the answer is pretty straightforward. If you have a PC with a regular email client (i.e. Outlook, KMail, Thunderbird, etc) then, as you quite rightly point out, all email traffic between your PC and the internet will be between your client and your nominated mail server[s], using ports such as 110 [POP] and 143 [IMAP].

      However, if your computer has been infected by malware and is being used to send SPAM, then the spammer likely would not want you to know that they were doing that. So one effective way to do this would be to download some code on to your PC that emulates a mail gateway - i.e. a device that sends email using the Simple Mail Transfer Protocol (SMTP) on TCP Port 25. SMTP is the protocol used for forwarding email from one mail server to another. Using SMTP in the malware means that the infected code on your PC can hide its activities from you.

      However, the activity can be detected, simply by having ISPs (1) block all Port 25 traffic from "regular clients" unless specifically requested, and/or (2) pay much more attention to (archive) mail traffic sent by "regular clients"...

      Hope I'm explaining myself clearly...
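The two detection heuristics proposed in this thread (flag workstations originating SMTP on TCP port 25 and flag any host calling a known botnet C2 address), as an added example that is not from the thread or its posters. The customer address range, the opt-in list of hosts that "specifically requested" port 25, the C2 list and the flow records are all constructed placeholders; it also adds a distinct-peer threshold, since a workstation talking to one relay is ordinary while one fanning out to many MX hosts looks like a spam engine.

```python
"""Flag customer hosts that behave like mail relays or contact known C2.

Added example (not from the Slashdot thread): applies the two heuristics
from the comments above to constructed flow records.
"""
from ipaddress import ip_address, ip_network

# Constructed values: the ISP's customer range, hosts that explicitly asked
# to run their own mail server, and a placeholder C2 list. A real deployment
# would load the C2 list from a threat-intel feed or sinkhole data.
CUSTOMER_NET = ip_network("10.20.0.0/16")
SMTP_OPT_IN = {"10.20.0.9"}
KNOWN_C2 = {"198.51.100.77", "203.0.113.5"}

# Constructed flow log, one connection per line: src,dst,proto,dport
FLOWS = """\
10.20.0.5,192.0.2.10,tcp,25
10.20.0.5,192.0.2.11,tcp,25
10.20.0.7,192.0.2.20,tcp,143
10.20.0.7,203.0.113.5,tcp,8080
10.20.0.9,192.0.2.30,tcp,25
10.20.0.12,198.51.100.77,udp,53
192.0.2.50,10.20.0.5,tcp,25
"""


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples from the flow text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split(",")
        yield src, dst, proto, int(dport)


def find_suspects(text, smtp_threshold=2):
    """Return {src: [reasons]} for customer hosts worth a closer look."""
    smtp_peers = {}
    findings = {}
    for src, dst, proto, dport in parse_flows(text):
        if ip_address(src) not in CUSTOMER_NET:
            continue  # inbound or transit traffic; only customers are judged
        if dst in KNOWN_C2:
            findings.setdefault(src, []).append(f"contacted known C2 {dst}")
        if proto == "tcp" and dport == 25 and src not in SMTP_OPT_IN:
            smtp_peers.setdefault(src, set()).add(dst)
    for src, peers in smtp_peers.items():
        if len(peers) >= smtp_threshold:  # many distinct MX peers: relay-like
            findings.setdefault(src, []).append(
                f"originated SMTP to {len(peers)} external hosts")
    return findings
```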

    5. Re:Why So Hard? by ytene · · Score: 1

      You are quite right to point out the widespread use of encryption. However, SMTP is not encrypted by default, so ISPs would have the ability to grab unencrypted copies of email if they wanted to. Yes, there are solutions for secure email (S/MIME) but these are not yet widely implemented and (in my personal experience) are not implemented in an entirely transparent, consistent manner. In other words, S/MIME may not work if you're using a different email client to your mail counter-party... In other words, KMail to KMail might be fine, but Outlook to KMail might not...

  9. good by superwiz · · Score: 1

    Police doing actual police work is a Good Thing (TM). Listening-in on private communications has always been a crutch which only dulled down policing skills. Engaging with the community instead of trying to demonize people who make good locks is what police should be doing.

    --
    Any guest worker system is indistinguishable from indentured servitude.
    1. Re:good by Anonymous Coward · · Score: 0

      You imbecile, you CAN? You WILL. Period, see you in the future, eh?

  10. We can ALL block badguys via hosts by Anonymous Coward · · Score: 0

    See subject: Vs. bad ads/sites w/ APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

    Less power/cpu/ram + IO use vs. DNS/routers/antivir/addons + less security issues/complexity. Compliments firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.

    Ads rob bandwidth/speed paid for, security (adnetwork abuse), privacy in tracking + anonymity.

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogtrackers) natively. Hosts != blockable by ClarityRay (vs. souled-out to admen inferior wasteful redundant slow usermode browser addons)

    Works vs. caps & HTTP PUSH ads w/ firewalls.

    Avg. webpage = big as Doom http://www.theregister.co.uk/2...

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "Seen the code & yes it is safe" http://forum.hosts-file.net/vi... )

  11. Looking for trouble by Anonymous Coward · · Score: 0

    The recent shift from dealing with reported crime, to what is effectively an espionage role is rather disturbing. If we treat botnets like burglars, then what we have here is gov wandering the streets, randomly intercepting cell phones, mail, reading financial info and tailing people. We need Police to focus on reported crime, let the military deal with threats to critical infrastructure.

    1. Re:Looking for trouble by Anonymous Coward · · Score: 0

      '..We need Police to focus on reported crime, let the military deal with threats to critical infrastructure.'

      one lot oink, one lot grunt..apart from that, what's the practical difference betwixt the two (especially in the US)?

  12. Re:The rest of us can block badguys via hosts by myowntrueself · · Score: 1

    Cool, so this works for protecting websites from DDOS too?

    --
    In the free world the media isn't government run; the government is media run.
  13. Police tactics for fighting Microsoft Botnets .. by tetraverse · · Score: 1

    Have the Police considered prosecuting people for allowing their Microsoft Windows desktop computer to be hijacked and used in such botnets?

  14. Nomenclature by Anonymous Coward · · Score: 0

    Small point; this is 'business continuity', not 'disaster recovery'.

  15. Prevents YOU from becoming part of a DDoS by Anonymous Coward · · Score: 0

    See subject: By keeping you from being enslaved into a botnet for DDoS'ing others as it helps vs. CryptXXX https://it.slashdot.org/commen... for example - blocking out C&C servers etc. OR sources online from where they infect you to become part of a botnet or be otherwise infested for other malicious purposes.

    APK

    P.S.=> "And, 'there ya go'"... apk