Researchers Infiltrate and 'Pollute' Storm Botnet
ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied away from this controversial method because they don't "want to mess with other people's PCs by injecting commands," said one botnet expert quoted in the article.
Fair Play (Score:4, Interesting)
Who is liable in the event of retaliation? (Score:3, Interesting)
Are the researchers liable since they technically issued the offending command while logged in as a remote user without the owner's permission?
Re:It's not Really... (Score:5, Interesting)
Who, other than a NATO-type international task force, would have the resources to reach out to those 40k users and help them clean their machines? All you IT admins and helpdesk staff are already cringing at the thought of handling tens or hundreds of users -- can you even begin to imagine trying to explain to thousands of clueless users what's happened to their PC, and what steps to take to clean it?
Re:It's not Really... (Score:2, Interesting)
How active is storm currently? (Score:3, Interesting)
However, there hasn't been as much spam from Mr. Kuvayev, either in my own boxes or mentioned recently online. This leads me to wonder whether perhaps he isn't utilizing it as much as he used to.
While certainly the botnet has been used for more than just spam propagation, and Kuvayev has sent spam to a lot more people than just me, I still can't help but wonder if it either isn't as large or as active as it once was.
Re:It's not Really... (Score:4, Interesting)
Re:How active is storm currently? (Score:3, Interesting)
So it's great that they came up with this but too bad it's pointless, at least for Storm. However, I'm sure they'll continue patting themselves on the back for fixing something that was already fixed.
Re:It's not Really... (Score:2, Interesting)
I do agree that the system of moderating on slashdot is HIGHLY overused by those who use them for their opinions. I've been guilty of this at times too, though I try not to.
Maybe we do need a "+1 I agree, good thinking!" and a "-1 I disagree, that's stupid!" that count as a different class of points. Dunno.
Re:Public Key Cryptography and Message Signing. (Score:3, Interesting)
The encryption itself will only be partly effective: since the bot needs to have the decryption key available, it would simply be a matter of analysis to locate the key. This would allow researchers to intercept messages headed to the bots.
Messages to the Command and Control will still be protected if public-key crypto is used.
The signatures will not be able to be faked, so your approach is correct in that it would prevent the researchers from injecting commands.
And for point (2):
The bots can use PKI to talk among themselves, but because each bot will have its own keys (and how will they negotiate keys to encrypt?) the process should be at least observable at a much deeper level unless the programmers are very careful to have considered a man-in-the-middle attack and, for example, used signed keys. This would prevent forgery of signatures, but would still allow the researchers to intercept any communications for a bot which the researchers can control. A small percentage, but in a lab this could allow the researchers to decode at least some of the "Secret Handshakes" used, those being the ones for bot to bot communication.
Communication TO the Command and Control, however, would remain inaccessible.
However, public key encryption is notoriously hard on the CPU, requiring many more cycles when compared to a similar (equal protection from brute force attack) symmetric algorithm.
I guess your approach will work partially, but enough to make life difficult for "the good guys".
Re:It's not Really... (Score:2, Interesting)
Re:It's not Really... (Score:3, Interesting)
What the bad guys are doing (to use your gun analogy) is breaking into your house, finding your firearm and picking its trigger lock, then loading it with their own magazine and ammo and then using it for evil. Would that be your fault? No. Now envision the same scenario except that you left your door open and the perp walked right through it. It still wouldn't be your fault, and you wouldn't be criminally charged as long as you had no idea that the perp was going to use your gun. You may, however, be sued for negligence.
Re:It's not Really... (Score:4, Interesting)
One ugly thing malicious software can do is a "retaliation" strategy (a cooler name is welcome). If you try to destroy or render it ineffective, then it attempts to do the same to the computer that it's on. If I can't have your computer, then you can't have it either. Maybe tit for tat. So if the user stops trying to fix things, then the bot stops retaliating. This would be interesting on a collective level since the bot network might start destroying data, if it detects poisoning attempts.
Re:Public Key Cryptography and Message Signing. (Score:3, Interesting)
The Diffie-Hellman key exchange [wikipedia.org] algorithm does not require PKI to work, although the addition of PKI can make it more secure. If PKI is not employed as part of the key exchange then it is vulnerable to man-in-the-middle (MITM is usually difficult to do in practice over TCP/IP due to timing and network latency issues among other difficulties).
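The two crypto posts above make two separable claims: that signing C&C commands stops an outsider from injecting them even if every byte of the bot has been reverse-engineered (the "Public Key Cryptography and Message Signing" thread), and that plain Diffie-Hellman without any authentication of the public values is open to a man-in-the-middle, while signing those values closes the hole (the reply just above). The following is an added, stand-alone illustration written for this thread; it is not code from the Dark Reading article, the researchers, or the Storm malware. It uses a Schnorr-style signature over a toy multiplicative group (modulus 2^127-1, generator 5) purely so the arithmetic is visible in plain Python with no third-party library; those parameters, the key sizes and all function names are assumptions for illustration, and a real system would use a standard group or an elliptic-curve library.

```python
"""Signed C&C commands and authenticated Diffie-Hellman, as a toy worked example.

Added illustration for this discussion, not code from the article or from Storm.
Group parameters are TOY-SIZED (Mersenne prime 2^127-1) so the numbers stay
readable; they are far too small for real use.  The Schnorr construction itself
is the standard one: y = g^x, sig = (r, s) with r = g^k, s = k + H(r, m) * x.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # assumed toy modulus (a Mersenne prime); not a secure group size
G = 5                # assumed generator for the toy group
N = P - 1            # g^N == 1 (mod P), so exponents may be reduced mod N


def h(*parts: bytes) -> int:
    """Hash-to-integer for the Schnorr challenge; each part is length-prefixed."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(d.digest(), "big") % N


def keygen():
    """Return (private, public). The private half never ships inside a bot."""
    x = secrets.randbelow(N - 2) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    k = secrets.randbelow(N - 2) + 1
    r = pow(G, k, P)
    e = h(r.to_bytes(16, "big"), msg)
    s = (k + e * x) % N
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    """g^s == r * y^e  <=>  g^(k + e*x) == g^k * g^(x*e); only y is needed."""
    r, s = sig
    if not (0 < r < P and 0 <= s < N):
        return False
    e = h(r.to_bytes(16, "big"), msg)
    return pow(G, s, P) == (r * pow(y, e, P)) % P


def bot_accepts(y: int, command: bytes, sig) -> bool:
    """What a bot holding only the public key can do: check commands, never mint them.
    Extracting y from the binary lets an analyst read and replay, not forge."""
    return verify(y, command, sig)


# --- Diffie-Hellman, unauthenticated and then authenticated -----------------

def dh_public(a: int) -> int:
    return pow(G, a, P)


def dh_shared(peer_pub: int, a: int) -> int:
    return pow(peer_pub, a, P)


def unauthenticated_dh_mitm() -> bool:
    """Mallory swaps both public values for her own; each side 'agrees' a key
    with Mallory instead of with the peer. Returns True if the attack worked."""
    a, b, m = (secrets.randbelow(N - 2) + 1 for _ in range(3))
    A, B, M = dh_public(a), dh_public(b), dh_public(m)
    k_alice = dh_shared(M, a)   # Alice received M in place of B
    k_bob = dh_shared(M, b)     # Bob received M in place of A
    mallory_knows_both = k_alice == dh_shared(A, m) and k_bob == dh_shared(B, m)
    return mallory_knows_both and k_alice != k_bob


def authenticated_dh_detects_mitm():
    """Alice signs her DH public value with a long-term key Bob already trusts.
    Returns (honest value verifies, substituted value verifies) == (True, False)."""
    x_alice, y_alice = keygen()          # y_alice distributed to Bob out of band
    a = secrets.randbelow(N - 2) + 1
    A = dh_public(a)
    sig = sign(x_alice, A.to_bytes(16, "big"))
    M = dh_public(secrets.randbelow(N - 2) + 1)   # Mallory's substitute
    honest_ok = verify(y_alice, A.to_bytes(16, "big"), sig)
    mitm_ok = verify(y_alice, M.to_bytes(16, "big"), sig)
    return honest_ok, mitm_ok


if __name__ == "__main__":
    x, y = keygen()                      # x stays with the controller, y goes in the bot
    cmd = b"spam-run template=17"        # constructed sample command
    good = sign(x, cmd)
    print("genuine command accepted:", bot_accepts(y, cmd, good))
    print("tampered body accepted:  ", bot_accepts(y, b"sleep", good))
    print("outsider's key accepted: ", bot_accepts(y, cmd, sign(keygen()[0], cmd)))
    print("plain DH MITM succeeds:  ", unauthenticated_dh_mitm())
    print("signed DH (honest, mitm):", authenticated_dh_detects_mitm())
```

The bot-side check needs only `y` and `pow`, which is the point the poster makes about cost: verification is one exponentiation per command, and the controller pays the signing cost once per broadcast rather than once per bot. The same signing routine is what turns the raw exchange in `unauthenticated_dh_mitm` into the detecting version, which is exactly the "signed keys" remedy the earlier reply suggests.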
Re:It's not Really... (Score:3, Interesting)
Informative means providing information. In the context of Slashdot, it should be information pertaining to the topic. This is not highly subjective, until you start talking about tangents.
Interesting is highly subjective. What's interesting to one person may be flat out boring to another. It's probably a bad moderation, but it's always going to be biased.
Insightful is somewhere between the two. Realistically, it ought to be reserved for times when a poster comes up with new and unique information--an insight, if you will--into the current thread.
I don't think there's really a place for "I agree" or "I disagree" moderation. If you disagree, rebut the post. If you agree, post an agreement that adds to the discussion or just keep on reading. Leave agreement and disagreement to the slums of Digg.
legal angle (Score:2, Interesting)
Re:It's not Really... (Score:2, Interesting)