Researchers Infiltrate and 'Pollute' Storm Botnet 261
ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied way from this controversial method because they don't "want to mess with other peoples' PCs by injecting commands," said one botnet expert quoted in the article.
It's not Really... (Score:5, Insightful)
Re:It's not Really... (Score:2, Insightful)
Re:It's not Really... (Score:5, Insightful)
It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.
Re:too much time on their hands? (Score:1, Insightful)
...like maybe perhaps research methods of disrupting botnets and see what results that type of research produces?
Re:It's not Really... (Score:5, Insightful)
Re:It's not Really... (Score:4, Insightful)
It is more of a legal/tehcnical question. Are you legally allowed to do this? And the major problem for researchers is that they have no cloak of anonymity like the bad guys do: they are easily linked/traced to all their actions by the mere fact that they publish their work and share their results. If anything goes wrong, or even if an overzealous user just wants to sue/go to court for the sake of suing, then the researchers are SOL.
It IS a gray area, even if you are morally correct.
Armageddon (Score:3, Insightful)
Seriously I'm personally excited by the fact that this essentially seems to offer a great draw to people with security skills to try being offensive where most of their efforts would be used defensively before.
Public Key Cryptography and Message Signing. (Score:5, Insightful)
I predict that the botnet authors will respond with the following counter-measures:
1) Command messages sent to the botnet by the operator will employ public key cryptography and message signing so that bots can determine real commands from headquarters (i.e. the bot net operator) from fake ones.
2) The bots themselves will use encryption to communicate amongst themselves and employ secret handshakes once the encrypted channel has been established to detect imposters. It would not be difficult to arrange for the botnet to automatically coordinate and begin punative attacks against hosts which attempt to inject false commands into the botnet.
Re:I blame the ISP's (Score:3, Insightful)
Re:It's not Really... (Score:4, Insightful)
when you are fighting people (Score:5, Insightful)
the danger of course, is not to become what you fight by doing that
so you slightly bend the rules, all the time, without making the sort of flat out trangression of major moral issues that constitutes what criminals do
but you will still get flak from people who expect moral certitude from those who fight criminals, and criticize you like no tomorrow, all the while completely ignoring and not criticizing the criminals themselves
Re:It's not Really... (Score:2, Insightful)
Re:It's not Really... (Score:5, Insightful)
In that light, losing all their data might be just what's needed to get them to take computer security seriously. However, I'd consider it a last resort since it's a punitive action rather than a preventative action. The long-term solution is to accept that casual users are going to run their computers like this, and to come up with mechanisms which blunt or dilute the impact of compromised systems. We're already doing this with anti-virus and anti-spyware software, as well as flaming Microsoft so they fix all the security holes in Windows. But it may or may not also involve poisoning botnets.
Off the top of my head, I don't think you need to remove the botnet software. It's probably already secured the box against further infection. So all you need to do is scramble its communication and/or encryption so it doesn't/can't contact the bot master again. It could be as simple as changing one bit in an otherwise unused registry key. So "poisoning" a botnet may be much more benign than your worst case scenario.
Reaction to this paper? (Score:3, Insightful)
Plus, if you read their published work, they readily admit that they are always one step behind the worm, and have to react whenever the attacker changes his tactics. The work mentions that "the attacker can easily change [a function of the Stormnet communication technique]... and then we need to analyze [our] binary again."
Criminals usually work faster than the good guys because they have more to lose.
Re:It's not Really... (Score:2, Insightful)
I would argue that it is a computer owner's moral responsibility to make sure it's not doing any harm to others.
If someone leaves their bag unattended at a train station, they should expect it to be destroyed in order to protect the public. If someone doesn't secure their PC and it becomes a hazard to others, shouldn't it be taken out too, by any means?
The terminology is confused (Score:5, Insightful)
Re:It's not Really... (Score:2, Insightful)
Re:Who is liable in the event of retaliation? (Score:3, Insightful)
Re:It's not Really... (Score:5, Insightful)
Re:It's not Really... (Score:2, Insightful)
Should I not be held (somewhat) responsible if my unprotected gun is used in a crime? A computer with an internet connection has inherent risks, it's the users responsibility to secure and protect their own goods against damage, as well as malicious uses.
If your computer is damaged in an effort to mitigate a large-scale botnet causing massive infrastructure problems and costing people money, then perhaps you could at least learn something from the process.
I don't feel sympathy for their (speculated, potential) loss/damage, I feel pity for their ignorance. My dad always told me not to use tools without understanding how to use them properly and safely, there's no reason this logic can't apply to computers.
Re:It's not Really... (Score:5, Insightful)
Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.
Well, possibly, but I think the moral conundrum isn't about attacking the botnet itself, but about the owners of the computers the botnet is unwittingly hosted on. All this "poisoning" activity affects the zombied PCs, after all.
To use a (non-car) analogy: Germany invaded Belgium in WWII. That was morally bad. Later, the allies counter-invaded Belgium. That was morally good. But the battles involved in both invasions weren't particularly great for Belgians.
Re:SPY v. (nothing) (Score:4, Insightful)
bad bad idea
I'd love to be required to have antivirus software on my linux/FreeBSD/Solaris machines. If you don't have a locked down box those systems can be just as bad as a botnet windows machine.
Or requiring comcast to have a rootkit on every machine you have to ensure that it's not infected. Sony computers would love that!
Re:SPY v. (nothing) (Score:3, Insightful)
Re:It's not Really... (Score:2, Insightful)
And in all dilemmas between morals and ethics the "right" thing to do must be weighed very carefully, there are no hard and fast rules that can be applied carte-blanche.
It was morally "good" -- from our perspective... (Score:5, Insightful)
Re:It's not Really... (Score:5, Insightful)
The real moderation bias which is a cause for concern is modding with negative mods as a substitute for "disagree". That's bullshit, and there's no excuse for it.
Re:It's not Really... (Score:2, Insightful)
Re:It's not Really... (Score:5, Insightful)
It would also be prohibitively complex and expensive. The idea that morality obligates us to do things that are wildly unlikely to work is questionable.
Consider "help them clean their computer and prevent another infection" for what it REALLY means. That can be anything from a complete reinstall of the OS and all apps to replacing the computer with a more secure (and securED) OS because the original machine isn't suitable. There is no reasonable guarantee afterwards that the machine won't get 0wn3 again by the same or a new threat.
Re:It's not Really... (Score:4, Insightful)
That was also the line of thinking by Robbert Morris when he released "the great worm" back in 1988. We know how that turned out. There is ALWAYS some risk.
Re:It's not Really... (Score:5, Insightful)
There is no question that biased moderations occur - this is a large part of why meta-moderation is important - it is a way to "moderate the moderations."
Certainly I am sure that even when people are being responsible that personal opinions can come into play. I am sure we all may have made blunders in this way before.
"INSIGHTFUL" is supposed to mean exactly that, that the comment is insightful, interesting is supposed to mean interesting, etc.
If people are truly abusive as a pattern, the meta moderation system should catch them. Labelling comments as "Agree" or "Disagree" has no relative value because such comments are so subjective and (other than turning an issue into a popularity contest) doesn't serve the community but providing useful feedback that can be used to determine who is elligable to moderate, etc.
Re:It's not Really... (Score:3, Insightful)
While I think that poisoning Storm is a gray area, I don't think that these researchers are going to be able to lead the charge to clean up end-users PCs.
Re:It's not Really... (Score:3, Insightful)
I say all this because I'm tracking a botnet right now and it's a pain in the ass. The last thing I need to for my Internet to go off. This would take down our phones as well since we have hosted VOIP and would banckrupt our company. I don't think an ISP wants that lawsuit on it's hands. I already have Trend Micro's Client/Server security agent installed on all of the computers here. Still the problem persists.
Re:It's not Really... (Score:2, Insightful)
I think his point was that they can sue you and they can win. Are there any good samaritan laws for hacking into someone's computer? Rather the opposite, i think.
Re:It's not Really... (Score:3, Insightful)
Re:Public Key Cryptography and Message Signing. (Score:3, Insightful)