Forgot your password?
typodupeerror
Security

Creators of Massive Botnet Arrested 243

Posted by CmdrTaco
from the well-maybe-don't-do-that dept.
DigitumDei writes "Dutch police has nabbed 3 men (aged 19,22, & 27) who alledgedly used the toxbot trojan to create a botnet of over 100000 machines. The trio conducted a DDOS attack against an unnamed US company in an extortion attempt, as well as using phishing tactics to hijack PayPal and eBay accounts. From the article: 'Police seized computers, cash, a sports car, and bank accounts at the three men's residences, and additional arrests are expected. The three were to be taken before a magistrate in Breda, a city approximately 25 miles south of Rotterdam, on Friday. The botnet was dismantled, prosecutors said, with help from the Dutch National High Tech Crime Center; GOVCERT.NL, the Netherlands' Computer Emergency Response Team; and several Internet service providers, including the Amsterdam-based XS4ALL.'"
This discussion has been archived. No new comments can be posted.

Creators of Massive Botnet Arrested

Comments Filter:
  • Extortion? (Score:5, Funny)

    by Anonymous Coward on Tuesday October 11, 2005 @08:44AM (#13763827)
    Dat's a nice website ya got dere. SHAME if sumtin happened to it.

    /Godfather music in background

    • Sad but true...DDoS extortion is actually pretty common. Not really much other use for a botnet that big...'cept maybe to crunch an unholy large number of SETI packets.

      Maybe if they put all those computers together to type up story submissions, occasionally I wouldn't have to see one with a glaring gramatical error in the first three words.
      • They could use them to help find Mersenne Primes [mersenne.org]. Just a thought.
  • by wiredog (43288) on Tuesday October 11, 2005 @08:45AM (#13763831) Journal
    I hereby declare a new metric for measuring the size of botnets: The MegaBot. 1 MegaBot==10E6 Bots.
  • Wow. (Score:5, Funny)

    by Black Parrot (19622) on Tuesday October 11, 2005 @08:46AM (#13763840)
    A city-wide Thieves Guild is understandable, but a National Crime Center is just going too far.
  • mmm (Score:5, Funny)

    by Anonymous Coward on Tuesday October 11, 2005 @08:47AM (#13763851)
    the creators of the slashdot network are still at large tho :)

    • Pay me money or I'll submit a story to slashdot about your company every day.

      Of course, this shouldn't scare you because of all the stories I've submitted to slashdot in the past (11-15) none were ever approved ;-) But as long as I don't tell you that I'm ok, right?

  • Good! (Score:5, Insightful)

    by RedNovember (887384) on Tuesday October 11, 2005 @08:50AM (#13763864)
    I'm happy these guys were arrested. Things like this scare companies and people away from technology. Not to imply that modern companies will survive without computers, but will your boss think long and hard before approving tech budgets? You bet. I've never heard of a bunch of crackers extorting a company.

    This will also give them pause when hiring former hackers. They might think "Is this guy going to give extortionists inside info?"

    On the other hand, security folks may have a budget windfall thrown their way. Considering '"Each time the Trojan was stopped by anti-virus defenses, they made a new version," he said. "This was not just a one-off. The sheer number of variants shows this wasn't a crime they committed just once."' Those security people better get to it.

    • Re:Good! (Score:5, Informative)

      by liquidpele (663430) on Tuesday October 11, 2005 @09:03AM (#13763958) Journal
      "I've never heard of a bunch of crackers extorting a company."

      You serious? That's the whole problem. These guys will email a company demanding $30,000 USD, or they will DOS their website business and make them loose even more. Most companies pay. Here is a glorified story [csoonline.com] about some company that refused to pay. Ended up costing them a lot more, but they got through it.
      • Re:Good! (Score:2, Insightful)

        by LiquidCoooled (634315)
        the problem with most DOS attacks that hit the news is once it hits the news, thousands of individual web users from around the world all click the link just to see if the site is still down.

        Each person doing that is unwittingly taking part in the DOS attack.
        If you think slashdot effect is bad, think about the slashdot AND routers/yahoo/NYT/humble news sties all ganging up on one site.

        This is how googlewent down recently, not because of the worms activity, but because of peoples curiosity.
        Sure, the worm had
        • What news stories? I have never seen a news story of a site being under attack, only post incident announcements.

          And when did google go down recently? Are you talking about the RSS reader Beta from last week? That did not affect any other google service at all. In the least.

          Your post is short on supporting details.
    • I'm happy these guys were arrested. Things like this scare companies and people away from technology.


      Agree 100%!! Things like this are black eyes in technology, and especially in areas where they're still transitioning. And considering how many people/companies/schools hold back from the cost of technology alone, we really didn't need problems like this lingering any longer. Very glad to see these guys apprehended.
  • About time (Score:5, Funny)

    by dow (7718) on Tuesday October 11, 2005 @08:50AM (#13763865)
    I get so many of these zombie machines trying things everyday and never hear about anyone getting caught. Hope they get sentenced to ten years of Windows XP.
  • Why? (Score:5, Funny)

    by AAeyers (857625) on Tuesday October 11, 2005 @08:51AM (#13763871) Journal
    ...who alledgedly used the toxbot trojan to create a botnet of over 100000 machines.

    It seems a little harsh to get arrested for only infecting 32 machines.....
    • Re:Why? (Score:5, Funny)

      by Filip22012005 (852281) on Tuesday October 11, 2005 @10:23AM (#13764575)
      You're thinking of a bitnet.

      Related concepts: the batnet and the butnet.

      And then, there's also the botnut (three of which got arrested), the bitnut (such as yourself), the butnut (erm...), the botknit (a network of 100000 computers strung together by my grandma), the botNAT, and the bitenight (Buffy the movie).
    • Re:Why? (Score:3, Funny)

      by flosofl (626809)
      ...who alledgedly used the toxbot trojan to create a botnet of over 100000 machines.

      It seems a little harsh to get arrested for only infecting 32 machines.....


      Ha!

      Judging from the replies, there's only 10 types of people who understood the post.

      Those who got the joke and those who didn't.*

      *-Shamelessly ripped off a ThinkGeek T-Shirt...
  • So should it's resistance be.

    My hat's off to them that they nabbed 3 guys, but there must be other botnets out there. And I think an effective way to stop it would be at the user level. It would be like taking away all the soil and water from coca farmers. Sure, have your plants, but can you grow them?

    Disclaimer: I am not equating botnets to drugs.

  • by Anonymous Coward on Tuesday October 11, 2005 @08:53AM (#13763888)
    Surely those computers are still vulnerable to the toxbot trojan at best, or just waiting for somebody to give the right commands at worst.
    Unless you use the trojan to patch the system of course, but that would be illegal.
    • It is possible that they notified the users, since they had the cooperation of the ISPs. Even normal users can understand a letter telling them that criminals have been using their computers to perform illegal activities, and here are some guidelines for preventing it from happening in the future. Sure, it doesn't get everyone, but it can be enough to weaken the network for sure.
      • You could send 100,000 pieces of snail mail, but that woudl be pretty expensive, and you'd have the problem of getting the right snail mail addresses to start with.

        You could send email, but that would be dropped by white lists, spam filters, and human rejection of email from strangers.

        You could pop up an alert, but most people would just close it as more spamming.
        • Their ISPs could redirect every page they went to to an explanation in bold print. It would get noticed.
          • So now you don't have the problem of finding 100,000 snail mail addresses. Instead you have to find their ISPs and get them to set up filters for just a few specific customers.

            Yes, that sounds like a workable solution :-)
    • by A.K.A_Magnet (860822) on Tuesday October 11, 2005 @10:54AM (#13764861) Homepage
      OK I'm a bit late on this story, but maybe some mods will be late too ;)

      As an IRC admin for few years, I saw many botnet channels. The botnet masters enjoy putting their bots on IRC (on a secret channel) because it's a third party who provides the communication support, IRC is a good message demultiplexer, and they think it's safe since they only log on IRC with a proxy.

      They can identify themselves with a given bot by going private (PRIVMSG .ident ) or just on the channel, the PRIVMSG will be sent to every bot. Now 100k bots in a channel is a lot but I have seen 30k already.

      The bots had random nicks so we just put a bot of ours with a random nick in the channel, logged everything and then get the login/pass (I guess in this case Dutch police had the login/pass pair from the PCs they seized). Then we looked out for the bot version, looked on the web for commands (usually, the bot masters are script kiddies and just build the bot from an "automatic" builder they download on the web... they wouldn't even build from the sources).

      All of the bots I encountered disposed of attacks commands et al, but also a clean removal command. That's what we used.

      Now I don't know about the bot in this story, but most likely the botnet masters HAD a mean to contact them all (now is it IRC-like with a big channel, or distributed among the bots à la DNS, I don't know... But even if the removal command isn't here, there's still a way to tell the bot to execute a given binary they download from a given URL).

      And I don't think that would really be illegal, remember, the PC owners rarely know they are infected or don't care. They won't know or won't care either if someone removes the bot for them. And if they say something, just sue them since it means they were part of the attack knowingly ;). Who would want to be part of the botnet ? :)

      Anyway I hope we could shut down more of these networks (and MS should pay for their dismantle since nearly all zombies networks are running Windows).
  • by dachshund (300733) on Tuesday October 11, 2005 @08:54AM (#13763895)
    The lesson for these guys is: next time you try to profit off of your computer crime, make sure that you have strong connections with organized crime, or live in a country with lax computer crime laws and have a tight financial relationship with the police. I'm glad to hear about this sort of thing, but I don't think it's going to do anything to actually reduce the number of bots out there. Rather, it'll just ensure that future botnets are run by nastier, better-protected individuals and organizations.

    I wonder what it would take to convince the world that these unsecured machines are an actual security threat, rather than an annoyance?

    • Wow.

      You got it.
      Now we should stop arresting burglers and muggers, because that would only teach them to never attempt crime without being backed by the mob, right?
      • Now we should stop arresting burglers and muggers, because that would only teach them to never attempt crime without being backed by the mob, right?

        No, but we should encouraging people not to leave their wallets lying around where anyone can take them. Dollar for dollar that's going to be a lot more effective than a doomed enforcement policy that ultimately has no effect on crime rates. In fact, this is one of those problems where if we deal with the root causes now, we could actually reduce the number

  • by MarkusQ (450076) on Tuesday October 11, 2005 @08:55AM (#13763900) Journal

    The botnet was dismantled, prosecutors said, with help from...

    Why didn't I think of that! That's 100,000 lusers that won't be getting infected again soon, unless they learn enough to reassemble their boxen, by which point...*sigh* What am I thinking? They'll probably just buy new systems and throw the piles of parts out. They'll be back on bot nets by this weekend.

    What they need to do is dismantal the owners!

    --MarkusQ

    • Just the net was dismantled. The actual bots are now bot-Ronin, who will prove their loyalty by DDoSing the appropriate law enforcement websites into oblivion, before wiping their BIOS en masse.
    • What they need to do is dismantal the owners!

      Did you mean dismantle ?
      Or dismental ?

      Both seem rather apt :)
  • Police seized computers, cash, a sports car, and bank accounts at the three men's residences, and additional arrests are expected. The three were to be taken before a magistrate in Breda, a city approximately 25 miles south of Rotterdam, on Friday.

    What kind of computers? How much cash? What kind of car? What were the residences like?
    Come on, we need better details for the upcoming movie & tv special.

    These guys had to know they were going to get busted, someone probably was bragging about h
  • by rbanffy (584143) on Tuesday October 11, 2005 @09:07AM (#13763983) Homepage Journal
    It seems to me that unpatched Windows boxes are becoming an environmental problem ;-)
    • What I would like to see is all those machines patched up, I would guess that it could be possible to slide a patching program via the bot-net.

      Onepoint

      p.s. In thinking about this, I find that most likely it would be illegal
  • Limited time (Score:5, Interesting)

    by squoozer (730327) on Tuesday October 11, 2005 @09:08AM (#13763986)

    I forsee the day when bot nets are a thing of the past. While I admit that currently most police forces couldn't catch a virus by opening infected email things seem to be changing.

    The scale of setting up a useful botnet is such that there are thousands of tiny ways that you could screw up and leave a drity great big flag pointing out your location / identity. Even the most carefully created botnet will contain some useful information to track down it's owner. In fact the very nature of the beast means that at some point you will have to contact it which potentially gives away your location. Ok you can run through proxies and use other methods to hide you identity but it only takes one slip up which someone technical is watching. Of course you also have the problem of collecting you payments. While you might be able to hide in the online world hiding from the banking world is much harder. At some point you have to collect you money.

    All in all I think it would be easier to just go into kidnapping or drug dealing. The profit margin has got to be higher.

    • The problem with this is the same as the problem we always point out in anti-piracy schemes- as soon as *one* botnetter figures out a better automated method, it's distributed over the net and they all have access to it. It's like evolution, only the selection criteria are whose creator gets arrested and whose keeps "innovating".
      • Isn't the truly fundamental flaw in the system here the design of the Internet as it now stands? What has now become a global network was originally designed for use in a closed network where every machine attached was trusted. IE a fault tolerant communication system for the US military in case of massive attack.

        When Internet standards change to the point where every machine attached has an un-spoofable address then DDOS attacks will disappear. Try setting up a radio jammer to block 802.11x transmissio
      • The analogy of evolution certainly works but evolution can't find a solution to every problem. Take for example the deserts. Yes, there is life in even the most arid desert but there isn't much of it. If we end up with a network that is the equivalent of a desert for crackers there will be very few of them. I doubt that there are many animals adapting to live in the desert because it's already supporting as many animals as it can.

        To use an example a bit closer to the situation we are talking about think a

    • Re:Limited time (Score:5, Interesting)

      by patio11 (857072) on Tuesday October 11, 2005 @10:47AM (#13764787)
      Kidnapping for money (in the US, at least) is completely dead, for a couple of reasons. First, the FBI has long considered every incident of kidnapping to be a personal vendetta against them and they play for keeps -- unless you're the pedophile who kidnaps a kid and kills them within 24 hours, they WILL catch you. And they will, likely as not, kill you in the attempt and when the guy who does gets back to the office his hand will be sore from all the high-fives. We're not nearly so effective at taking care of drug dealers, but drug dealers are -- they've got a mortality rate of about 10-25% a year in some cities, and most of them only clear minimum wage (see Freakonomics -- excellent book, by the way). Computer crimes, by contrast, are punished relatively leniently, investigated seldomly, have zero physical risk, and pay better. Whats not to like for the unscrupulous type, aside from having a higher barrier to entry than kidnapping/drug dealing?
      • Some good points. I disagree with the zero physical risk part - your forgetting that skinny white boys in prison don't do so well ;o).

        Anyway, it's a little different on this side of the pond - people don't get killed quite so often by the police (unless they are Brazilian of course) and the punishment for kidnapping is fairly low as long as you don't harm the captive. I would guess you would only get 10 years tops for a first offence. If you can get enough money from it it might be worth it.

        Of course th

  • If past history is anything to go by, they'll probably all end up getting highly paid security jobs.
  • by horza (87255) on Tuesday October 11, 2005 @11:21AM (#13765119) Homepage
    What is the real identity of this Dutch ISP XS4ALL? Fighting spammers [slashdot.org] (though losing appeal [slashdot.org]), defending the rights [slashdot.org] of clients to hyperlink [slashdot.org] and refusing to be bullied by court orders, and now taking down BotNets. Apparently the founders sold out for millions [slashdot.org], but they seem to go well beyond the Google "do no evil" philosophy to pro-actively defending the rights of their customers at considerable risk to themselves. It's the kind of company the deserves to win an awful lot of business.

    Phillip.
    • by AlXtreme (223728) on Tuesday October 11, 2005 @11:51AM (#13765413) Homepage Journal
      XS4ALL [xs4all.nl] was founded in '93 as the Dutch version of Demon [demon.net], the UK ISP. In spite of the KPN (ex government-controlled/monopoly telco) buy-out, they have maintained their philosophy of protecting the interests of their customers and doing the Right Thing(tm).

      Strong ties with Bits for Freedom [www.bof.nl] (our version of the EFF), best Dutch ISP year after year, support for *nix systems, frequent new experimental services. Only pain is that they're also one of the more expensive ISP's. You get what you pay for, and with XS4ALL they give you the works.

      (for the record, I'm a long-time customer so I am rather biased. But these guys aren't your average ISP)

      • Hmm, not entirely accurate I believe..

        This (ad at the bottom of the page) [hacktic.nl] is where XS4ALL started. They were basicly the first public ISP in the Netherlands (tho I am not entirely sure, 'stichting Simplex' was there at around the same time from what I recall)

        Demon and XS4ALL definitely have things in common, but I think that has more to do with both having started in the very early days of public internet access, and still believing that they connect computers to a big network (as opposed to the content foc
  • Should have read :'potnet dismantled'. After all, it's Holland, right?
  • Just as I was getting ready to use it to mailbomb Congress in opposition to the Broadcast Flag.
  • by Animats (122034) on Tuesday October 11, 2005 @01:08PM (#13766173) Homepage
    SpecialHam [specialham.com], the spammer forum, usually is full of ads for botnets. But not today. There are far fewer ads for "proxies" today. And there are notes like "hey, watch yourself" and worries about "spamhaus honeypots".

    So there's been some effect. The spammers are becoming afraid. Not very afraid. Yet. But afraid. It's becoming hard to spam without committing multiple felonies. Those felonies are leading to a few arrests and jail sentences. Not many, but enough to scare off many spammers. The remaining spammers look more and more like traditional crooks.

    There's plenty of stuff on SpecialHam for law enforcement to go after. "Special Hurricane Katrina Promotions". "Offshore bank accounts for sale". Anyone active against spam should be looking there.

  • Police seized computers, cash, a sports car, and bank accounts at the three men's residences.

    I want to know whose bank accounts they seized.

  • Of course it was!

    Er, wouldn't that involve uninstalling the bots from the computers of 100,000 clueless people?

    Reminds me of the sequal-ready ending to a cheesy horror flick.
  • The T1 line at a place I admin got saturated once with upstream traffic. Took a bit of poking.

    Turns out:

    1) It was a script that infected a vulnerability in a well-known image manipulation system written in perl CGI.

    2) User never got root, and didn't seem to care.

    3) System was participating in a botnet of about 200 systems, (if I remember this correctly) all managed via an IRC chat.

    4) All the exploits were downloaded from a web server located somewhere in Brazil. Telnets that happened were also from another
  • by blueZhift (652272) on Tuesday October 11, 2005 @03:50PM (#13767582) Homepage Journal
    The October 10 New Yorker magazine has a nice companion piece to this story, "The Zombie Hunters: On the trail of cyberextortionists" by Evan Ratliff. The article describes the tactics of the extortionists and those who track them down or thwart their attacks. Probably nothing new to the /. crowd, but a good read nonetheless. Here's a link.

    http://www.newyorker.com/fact/content/articles/051 010fa_fact [newyorker.com]

The amount of weight an evangelist carries with the almighty is measured in billigrahams.

Working...