Security

Creators of Massive Botnet Arrested

DigitumDei writes "Dutch police have nabbed 3 men (aged 19, 22, and 27) who allegedly used the toxbot trojan to create a botnet of over 100,000 machines. The trio conducted a DDoS attack against an unnamed US company in an extortion attempt, as well as using phishing tactics to hijack PayPal and eBay accounts. From the article: 'Police seized computers, cash, a sports car, and bank accounts at the three men's residences, and additional arrests are expected. The three were to be taken before a magistrate in Breda, a city approximately 25 miles south of Rotterdam, on Friday. The botnet was dismantled, prosecutors said, with help from the Dutch National High Tech Crime Center; GOVCERT.NL, the Netherlands' Computer Emergency Response Team; and several Internet service providers, including the Amsterdam-based XS4ALL.'"
  • by Anonymous Coward on Tuesday October 11, 2005 @08:53AM (#13763888)
    Surely those computers are still vulnerable to the toxbot trojan at best, or just waiting for somebody to give the right commands at worst.
    Unless you use the trojan to patch the system of course, but that would be illegal.
  • Re:Good, but... (Score:5, Interesting)

    by seti ( 74097 ) on Tuesday October 11, 2005 @08:53AM (#13763889) Journal
    When I was in uni, we had a guy from the Belgian Computer Crime Unit (CCU) come and talk to us about computer criminality. We asked a load of questions, including whether they actually actively went after casual downloaders. Basically they said they were so swamped going after child pornography sites, they did not have any resources at all for those kind of activities.

    Most police "cybercrime" units are still very underfunded.
  • Limited time (Score:5, Interesting)

    by squoozer ( 730327 ) on Tuesday October 11, 2005 @09:08AM (#13763986)

    I foresee the day when botnets are a thing of the past. While I admit that currently most police forces couldn't catch a virus by opening an infected email, things seem to be changing.

    The scale of setting up a useful botnet is such that there are thousands of tiny ways that you could screw up and leave a dirty great big flag pointing out your location / identity. Even the most carefully created botnet will contain some useful information to track down its owner. In fact the very nature of the beast means that at some point you will have to contact it, which potentially gives away your location. OK, you can run through proxies and use other methods to hide your identity, but it only takes one slip-up that someone technical is watching. Of course you also have the problem of collecting your payments. While you might be able to hide in the online world, hiding from the banking world is much harder. At some point you have to collect your money.

    All in all I think it would be easier to just go into kidnapping or drug dealing. The profit margin has got to be higher.

  • by joey_knisch ( 804995 ) on Tuesday October 11, 2005 @09:13AM (#13764019)
    Zombie Master

    (SCARY PIC HERE)

    Creature - Lord
    All Zombies gain "(1b): Regenerate this creature" and swampwalk. (They're unblockable if the defending player controls a swamp.)

    He controlled the zombies even before his own death; now nothing can make them betray him.

    2/3
  • by Tominva1045 ( 587712 ) on Tuesday October 11, 2005 @09:23AM (#13764086)

    ...or use Linux.

    Are Linux boxes invulnerable? Is the gauntlet being thrown at our feet? (lol)

    I'm happy they did get nabbed though. There are plenty of fun things to do in life instead of extortion.
  • Re:Limited time (Score:5, Interesting)

    by patio11 ( 857072 ) on Tuesday October 11, 2005 @10:47AM (#13764787)
    Kidnapping for money (in the US, at least) is completely dead, for a couple of reasons. First, the FBI has long considered every incident of kidnapping to be a personal vendetta against them and they play for keeps -- unless you're the pedophile who kidnaps a kid and kills them within 24 hours, they WILL catch you. And they will, likely as not, kill you in the attempt, and when the guy who does gets back to the office his hand will be sore from all the high-fives. We're not nearly so effective at taking care of drug dealers, but drug dealers are -- they've got a mortality rate of about 10-25% a year in some cities, and most of them only clear minimum wage (see Freakonomics -- excellent book, by the way). Computer crimes, by contrast, are punished relatively leniently, investigated seldom, have zero physical risk, and pay better. What's not to like for the unscrupulous type, aside from having a higher barrier to entry than kidnapping/drug dealing?
  • by A.K.A_Magnet ( 860822 ) on Tuesday October 11, 2005 @10:54AM (#13764861) Homepage
    OK I'm a bit late on this story, but maybe some mods will be late too ;)

    As an IRC admin for a few years, I saw many botnet channels. The botnet masters enjoy putting their bots on IRC (on a secret channel) because it's a third party who provides the communication support, IRC is a good message demultiplexer, and they think it's safe since they only log on IRC with a proxy.

    They can identify themselves with a given bot by going private (PRIVMSG .ident ) or just on the channel, the PRIVMSG will be sent to every bot. Now 100k bots in a channel is a lot but I have seen 30k already.

    The bots had random nicks, so we just put a bot of ours with a random nick in the channel, logged everything and then got the login/pass (I guess in this case Dutch police had the login/pass pair from the PCs they seized). Then we looked out for the bot version and looked on the web for commands (usually, the bot masters are script kiddies and just build the bot from an "automatic" builder they download on the web... they wouldn't even build from the sources).

    All of the bots I encountered had attack commands et al., but also a clean removal command. That's what we used.

    Now I don't know about the bot in this story, but most likely the botnet masters HAD a means to contact them all (now is it IRC-like with a big channel, or distributed among the bots à la DNS, I don't know... But even if the removal command isn't there, there's still a way to tell the bot to execute a given binary they download from a given URL).

    And I don't think that would really be illegal; remember, the PC owners rarely know they are infected or don't care. They won't know or won't care either if someone removes the bot for them. And if they say something, just sue them, since it means they were part of the attack knowingly ;). Who would want to be part of the botnet? :)

    Anyway, I hope we could shut down more of these networks (and MS should pay for their dismantling, since nearly all zombie networks are running Windows).
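The comment above describes what an IRC operator sees when a botnet uses a channel for command and control: a swarm of random-looking nicks joining one channel, followed by a single "herder" issuing dot-prefixed commands to them. The following detector is an added example, not code from the thread or from any real bot family; the log format, the channel and nick names, and the command tokens (`.ident`, `.cmd`) are all constructed for illustration, and the heuristics (join bursts, vowel-poor alphanumeric nicks, command-like PRIVMSGs) are assumptions a defender would tune against their own ircd logs.

```python
"""Heuristic detector for IRC botnet command-and-control activity in server logs.

Added example (constructed data). Log line shape is assumed to be:
    <unix_ts> <JOIN|PRIVMSG> <nick> <channel> [<text>]
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: a normal channel (#linux) next to a channel that
# receives a burst of generated nicks and then operator commands (#s3cr3t).
SAMPLE_LOG = """\
1129000001 JOIN alice #linux
1129000002 JOIN bob #linux
1129000003 PRIVMSG alice #linux hey has anyone tried the new kernel
1129000010 JOIN x8f2kq #s3cr3t
1129000010 JOIN q91zma #s3cr3t
1129000011 JOIN v7t0pp #s3cr3t
1129000011 JOIN k2m9xz #s3cr3t
1129000012 JOIN p0ql8d #s3cr3t
1129000012 JOIN z4nn1w #s3cr3t
1129000013 JOIN r6yc3b #s3cr3t
1129000013 JOIN h1d5vo #s3cr3t
1129000020 PRIVMSG herder #s3cr3t .ident examplepass
1129000021 PRIVMSG herder #s3cr3t .cmd do-something
1129000030 PRIVMSG carol #linux lol
"""


@dataclass(frozen=True)
class Event:
    ts: int
    kind: str      # "JOIN" or "PRIVMSG"
    nick: str
    target: str    # channel name
    text: str = ""


LINE_RE = re.compile(r"^(\d+) (JOIN|PRIVMSG) (\S+) (\S+)(?: (.*))?$")
COMMAND_RE = re.compile(r"^[.!]\w+")   # ".ident", "!update", ... (assumed bot command style)
VOWELS = set("aeiou")


def parse_log(text: str) -> list:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, kind, nick, target, msg = m.groups()
            events.append(Event(int(ts), kind, nick, target, msg or ""))
    return events


def looks_generated(nick: str) -> bool:
    """Heuristic: generated nicks mix letters and digits and are vowel-poor."""
    letters = [c for c in nick.lower() if c.isalpha()]
    digits = [c for c in nick if c.isdigit()]
    if len(nick) < 5 or not letters or not digits:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.3


def join_burst_channels(events, window=30, min_joins=5, min_generated_ratio=0.6) -> dict:
    """Map channel -> largest burst size, for channels that received at least
    `min_joins` JOINs inside `window` seconds, mostly from generated nicks."""
    joins = defaultdict(list)
    for e in events:
        if e.kind == "JOIN":
            joins[e.target].append(e)
    flagged = {}
    for chan, evs in joins.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):            # sliding window over join times
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= min_joins:
                generated = sum(looks_generated(e.nick) for e in burst)
                if generated / len(burst) >= min_generated_ratio:
                    flagged[chan] = max(flagged.get(chan, 0), len(burst))
    return flagged


def command_senders(events, min_commands=2) -> dict:
    """Map (channel, nick) -> count of command-like messages that nick sent there."""
    counts = defaultdict(int)
    for e in events:
        if e.kind == "PRIVMSG" and COMMAND_RE.match(e.text):
            counts[(e.target, e.nick)] += 1
    return {k: v for k, v in counts.items() if v >= min_commands}


def suspicious_channels(events) -> dict:
    """Channels showing both indicators: a generated-nick join burst and a
    single nick repeatedly issuing commands into the channel."""
    bursts = join_burst_channels(events)
    result = {}
    for (chan, nick), n in command_senders(events).items():
        if chan in bursts:
            result[chan] = {"joins_in_burst": bursts[chan], "operator": nick, "commands": n}
    return result


if __name__ == "__main__":
    for chan, info in suspicious_channels(parse_log(SAMPLE_LOG)).items():
        print(f"{chan}: {info}")
```

Either indicator on its own is noisy (a netsplit rejoin produces join bursts; a game bot channel produces dot-commands), which is why the final check requires both in the same channel. On a real server the thresholds would be set from baseline traffic, and a hit would be the trigger to do what the commenter did: log the channel and look at what the operator is sending, rather than act on the heuristic alone.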
  • by Animats ( 122034 ) on Tuesday October 11, 2005 @01:08PM (#13766173) Homepage
    SpecialHam [specialham.com], the spammer forum, usually is full of ads for botnets. But not today. There are far fewer ads for "proxies" today. And there are notes like "hey, watch yourself" and worries about "spamhaus honeypots".

    So there's been some effect. The spammers are becoming afraid. Not very afraid. Yet. But afraid. It's becoming hard to spam without committing multiple felonies. Those felonies are leading to a few arrests and jail sentences. Not many, but enough to scare off many spammers. The remaining spammers look more and more like traditional crooks.

    There's plenty of stuff on SpecialHam for law enforcement to go after. "Special Hurricane Katrina Promotions". "Offshore bank accounts for sale". Anyone active against spam should be looking there.

  • by blueZhift ( 652272 ) on Tuesday October 11, 2005 @03:50PM (#13767582) Homepage Journal
    The October 10 New Yorker magazine has a nice companion piece to this story, "The Zombie Hunters: On the trail of cyberextortionists" by Evan Ratliff. The article describes the tactics of the extortionists and those who track them down or thwart their attacks. Probably nothing new to the /. crowd, but a good read nonetheless. Here's a link.

    http://www.newyorker.com/fact/content/articles/051010fa_fact [newyorker.com]
