Researchers Infiltrate and 'Pollute' Storm Botnet

ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied way from this controversial method because they don't "want to mess with other peoples' PCs by injecting commands," said one botnet expert quoted in the article.

It's not Really...

It's not really messing with other people so much as preventing them from messing with tons of other infected hosts. Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

Re:It's not Really...

Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.

It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.

Re:It's not Really...

Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user.

an OS shouldn't allow that, then again it shouldn't allow you to get pwned by visiting malicious web pages or opening emails either. The problem is that you're talking about a hypothetical problem that may or may not exist. Storm is real and doing real damage to the world. sitting back and watching the fireworks just because you're afraid to break something is in my opinion irresponsible.

Re:It's not Really...

Is it wrong to do something to an out of control car rolling down a hill on fire towards a school full of people? This is a lot like a computer being part of a botnet. It is possible you could cause some damage to the car which is not yours by directing it out of the way, but if you don't something bad will certainly happen.

Re:It's not Really...

You can be sued for anything. Being sued for something doesn't mean that act is: illegal, immoral, unethical, or mean.

That said, many many jurisdictions in the United States have a so-called "Good Samaritan" law. This is a law that protects you from criminal charges and--depending on the state--lawsuits. For instance, the law in Texas is quite broad and protects anyone who acts in good faith from any civil damages. On the other hand, California's law is much more strict, and protects only licensed EMTs, Doctors, Nurses, etc. at the actual scene of an emergency.

Know the law in your state! http://www.cprinstructor.com/legal.htm [cprinstructor.com]

Re:It's not Really...

Sure, in general that is a valid concern. However,

The pollution attack... "overwrites" the P2P botnet's key, an identifier that's used to get command information to the bots. Storm generates keys to find other bots, the researchers noted.

So there really isn't a risk, in this case, of executing maleficent code or overwriting large portions of anything. The Storm operators might modify the peers to self-destruct the host or something, though I doubt they will given that Storm needs the host to be at all useful.

Re:It's not Really...

If you RTFA, they are not sending any commands to the end computer. They are just disrupting communications between the nodes.

Effectively, fracturing the net into multiple pieces; not taking control o the computers and doing something.

This is not a counter-attack to the infection or anything like that. They're just jamming the comm system that the bots use. They're not actively doing anything to the bot or computer.

Re:It's not Really...

Actually, the paper presented at the conference

http://www.usenix.org/event/leet08/tech/full_papers/holz/holz_html/ [usenix.org]

mentions that the fracturing attack does not work. The Storm botnet currently only 2 things.

1. It sends spam e-mails if it receives a file in a spam template format with another file containing a list of addresses.

2. It commits a denial-of-service attack against a host if it receives a different templated file.

What the researchers are proposing is to become a sender and to send out floods of blank files faster than the actual operators can send out their real files. As a result, the hosts are too busy downloading the 2200 phony files to get around to the 1 real one.

The time it takes for all the network nodes to get around to the real file eliminates the power of the botnet, reducing its effectiveness to that of a few machines even if it contains tens of thousands.

Re:It's not Really...

Since your /. ID is under the millions, and you aren't new here, then you should know that nobody on /. Reads The Fucking Articles.

Re:It's not Really...

Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user.

True, but who's to say the resident malware isn't already doing that? Although I'm sure the bot manufacturer will take quite strong measures to stop this from happening, as it would really result in a non-productive bot. So the anti-bot programmer would just have to take similar steps I suppose.

It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection.

TFA says the researchers "saw between 5,000 and 40,000 machines online at a time."
Who, other than a NATO-type international task force, would have the resources to reach out to those 40k users and help them clean their machines? All you IT admins and helpdesk staff are already cringing at the thought of handling tens or hundreds of users -- can you even begin to imagine trying to explain to thousands of clueless users what's happened to their PC, and what steps to take to clean it?

Re:It's not Really...

Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.

You're comparing a concentrated loss to a distributed loss. The correct assessment in that case is to sum up the losses on both sides. Say "poisoning" Storm results in 1000 users with wiped hard drives losing $10,000 worth of data and productivity (being very generous here). OTOH say letting Storm continue to operate results in 100 million users losing $1 each worth of productivity (spam) and data (compromised systems). That's a $10 million to $100 million balance in favor of poisoning Storm. Obviously the numbers here are made up and I honestly don't know if poisoning Storm is a good idea. But the point is that you just can't look at the losses on one side and say a course of action is unacceptable due to those losses. You have to compare the losses that might happen if you take action, to what losses will happen if you don't take action.

It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.

Do you maintain any computers for friends or family? No it won't be more effective in the long run. You help them clean their system, and they'll go right back to using it as always. In 6-12 months they'll call you back to help them clean it again. It's just an individual equivalent of a cost of doing business for them. Why should they bother to change their habits when they can pay you a hundred bucks or so every year to clean their system?

In that light, losing all their data might be just what's needed to get them to take computer security seriously. However, I'd consider it a last resort since it's a punitive action rather than a preventative action. The long-term solution is to accept that casual users are going to run their computers like this, and to come up with mechanisms which blunt or dilute the impact of compromised systems. We're already doing this with anti-virus and anti-spyware software, as well as flaming Microsoft so they fix all the security holes in Windows. But it may or may not also involve poisoning botnets.

Off the top of my head, I don't think you need to remove the botnet software. It's probably already secured the box against further infection. So all you need to do is scramble its communication and/or encryption so it doesn't/can't contact the bot master again. It could be as simple as changing one bit in an otherwise unused registry key. So "poisoning" a botnet may be much more benign than your worst case scenario.

Re:It's not Really...

Actually, it would be better to wipe their hard drive clean since then they would be directly impacted and see the loss caused by their stupidity. I already heard from users: yeah, I know I have a virus/trojan but it doesn't really do anything bad to my computer and that virus scanner makes my computer slower so I'll leave it there.

Also, it would give us geeks some extra income and we would have the opportunity to load Ubuntu on their machines.

Re:It's not Really...

"It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run."

It would also be prohibitively complex and expensive. The idea that morality obligates us to do things that are wildly unlikely to work is questionable.

Consider "help them clean their computer and prevent another infection" for what it REALLY means. That can be anything from a complete reinstall of the OS and all apps to replacing the computer with a more secure (and securED) OS because the original machine isn't suitable. There is no reasonable guarantee afterwards that the machine won't get 0wn3 again by the same or a new threat.

Re:It's not Really...

"Your version of Microsoft XP has expired. Please buy a version of Microsoft Vista at your nearest authorized Microsoft dealer. If your computer does not support Vista you will be required to upgrade your computer.

Thank you for supporting Microsoft".

How's that?

Re:It's not Really...

It's not particularly illegitimate to use them in that fashion, though. It's a matter of allocating limited resources, really. While I'll mod up posts I disagree with, but are insightful, if there are no posts I agree with available... I'd rather spend those mod points giving karma to people I agree with. Is it fair? Not entirely, but with only 5 or 10 points, there's only so much good you can do.

The real moderation bias which is a cause for concern is modding with negative mods as a substitute for "disagree". That's bullshit, and there's no excuse for it.

Re:It's not Really...

I understand what you're saying, but I am not sure I agree in full.

There is no question that biased moderations occur - this is a large part of why meta-moderation is important - it is a way to "moderate the moderations."

Certainly I am sure that even when people are being responsible that personal opinions can come into play. I am sure we all may have made blunders in this way before.

"INSIGHTFUL" is supposed to mean exactly that, that the comment is insightful, interesting is supposed to mean interesting, etc.

If people are truly abusive as a pattern, the meta moderation system should catch them. Labelling comments as "Agree" or "Disagree" has no relative value because such comments are so subjective and (other than turning an issue into a popularity contest) doesn't serve the community but providing useful feedback that can be used to determine who is elligable to moderate, etc.

Re:It's not Really...

You are right, it isn't necessarily a moral question. Obviously, the researchers are trying to do a good thing, and their good intentions are good and correct.

It is more of a legal/tehcnical question. Are you legally allowed to do this? And the major problem for researchers is that they have no cloak of anonymity like the bad guys do: they are easily linked/traced to all their actions by the mere fact that they publish their work and share their results. If anything goes wrong, or even if an overzealous user just wants to sue/go to court for the sake of suing, then the researchers are SOL.

It IS a gray area, even if you are morally correct.

Re:It's not Really...

Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.

Well, possibly, but I think the moral conundrum isn't about attacking the botnet itself, but about the owners of the computers the botnet is unwittingly hosted on. All this "poisoning" activity affects the zombied PCs, after all.

To use a (non-car) analogy: Germany invaded Belgium in WWII. That was morally bad. Later, the allies counter-invaded Belgium. That was morally good. But the battles involved in both invasions weren't particularly great for Belgians.

Wow, Godwin in 2 posts...

That's got to be some sort of record...

It was morally "good" -- from our perspective...

..because we won. History is written by the victors of course. Don't misunderstand me -- nothing could make me defend the German army's actions (or those of many of its citizens at the time). I'm only saying that had we lost that war, a different history might look upon the "re-invasion" of Belgium as a war crime.

Fair Play

I submit that it's inherently fair and perfectly ethical to disrupt those who invade and steal from others. Even if the theft is one of compute cycles. Usually, we call those who disrupt invaders and thieves "heroes."

Public Key Cryptography and Message Signing.

I predict that the botnet authors will respond with the following counter-measures:

1) Command messages sent to the botnet by the operator will employ public key cryptography and message signing so that bots can determine real commands from headquarters (i.e. the bot net operator) from fake ones.

2) The bots themselves will use encryption to communicate amongst themselves and employ secret handshakes once the encrypted channel has been established to detect imposters. It would not be difficult to arrange for the botnet to automatically coordinate and begin punative attacks against hosts which attempt to inject false commands into the botnet.

when you are fighting people

who have no regard for morals or ethics, scrupulously conforming to morals and ethics hampers your ability to fight

the danger of course, is not to become what you fight by doing that

so you slightly bend the rules, all the time, without making the sort of flat out trangression of major moral issues that constitutes what criminals do

but you will still get flak from people who expect moral certitude from those who fight criminals, and criticize you like no tomorrow, all the while completely ignoring and not criticizing the criminals themselves

The terminology is confused

Computers in a botnet are not "peoples' PCs" anymore. They are not under control of the owner. This needs to be clarified again and again. When you see a Borg drone, you (try to) kill it. And Picard was right - you'll be doing it a favor.

Re:Who is liable in the event of retaliation?

TFA states that they are changing the hash values that the bots use to talk to one another. They aren't issuing commands, they're interrupting the communication of the bots.