Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security IT

Researchers Infiltrate and 'Pollute' Storm Botnet 261

Posted by CmdrTaco from the i'm-infiltrating-see-yeah dept.
ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied way from this controversial method because they don't "want to mess with other peoples' PCs by injecting commands," said one botnet expert quoted in the article.
This discussion has been archived. No new comments can be posted.

Researchers Infiltrate and 'Pollute' Storm Botnet More

Researchers Infiltrate and 'Pollute' Storm Botnet

Comments Filter:

  • It's not Really... (Score:5, Insightful)

    by cromar ( 1103585 ) on Thursday April 24, 2008 @12:18PM (#23184714)
    It's not really messing with other people so much as preventing them from messing with tons of other infected hosts. Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

    • Re: (Score:2, Insightful)

      by Charred Shaman ( 1162963 )
      Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.

    • Re:It's not Really... (Score:5, Insightful)

      by moderatorrater ( 1095745 ) on Thursday April 24, 2008 @12:23PM (#23184812)

      Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.
      Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.

      • Re:It's not Really... (Score:5, Insightful)

        by wizardforce ( 1005805 ) on Thursday April 24, 2008 @12:34PM (#23185046) Journal

        Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user.
        an OS shouldn't allow that, then again it shouldn't allow you to get pwned by visiting malicious web pages or opening emails either. The problem is that you're talking about a hypothetical problem that may or may not exist. Storm is real and doing real damage to the world. sitting back and watching the fireworks just because you're afraid to break something is in my opinion irresponsible.

        • Re:It's not Really... (Score:5, Insightful)

          by Anonymous Coward on Thursday April 24, 2008 @01:14PM (#23185790)
          Is it wrong to do something to an out of control car rolling down a hill on fire towards a school full of people? This is a lot like a computer being part of a botnet. It is possible you could cause some damage to the car which is not yours by directing it out of the way, but if you don't something bad will certainly happen.

          • Re: (Score:3, Informative)

            by Hadlock ( 143607 )
            In many states you can be sued for improperly providing CPR. In fact, it happens quite a lot.

            • Re:It's not Really... (Score:5, Informative)

              by geekboy642 ( 799087 ) on Thursday April 24, 2008 @03:03PM (#23187624) Journal
              You can be sued for anything. Being sued for something doesn't mean that act is: illegal, immoral, unethical, or mean.

              That said, many many jurisdictions in the United States have a so-called "Good Samaritan" law. This is a law that protects you from criminal charges and--depending on the state--lawsuits. For instance, the law in Texas is quite broad and protects anyone who acts in good faith from any civil damages. On the other hand, California's law is much more strict, and protects only licensed EMTs, Doctors, Nurses, etc. at the actual scene of an emergency.

              Know the law in your state! http://www.cprinstructor.com/legal.htm [cprinstructor.com]
        • What is the difference between you remotely controlling someone's PC in an unauthorized manner, and the people running the botnets doing the same? Intent? That is a really lousy ruler in which to measure actions, and is opening a large can of worms....
      • From your point of view, it's more moral. Others might think that allowing known destruction to continue is not. Add to that just how "effective" monitoring, locating computers and helping the owners clean them has been to date and their disagreement isn't baseless.

      • Re: (Score:2, Informative)

        by peachstealingmonkeys ( 1268936 )
        Even though I agree with you on the second half of the comment I still think you are spreading FUD with the first part.. 1) "Researchers" don't "just" send the polluted hashes to the bots in hopes of it to disrupt communications. 2) They aren't "fuzzing" the bots looking for a vulnerability, that will disrupt a command channel and possibly crash a bot completely. That would be extremely irresponsible. 3) "Researchers" analyze the bot software localy in order to determine the correct hash strings to figur

      • Re:It's not Really... (Score:5, Informative)

        by cromar ( 1103585 ) on Thursday April 24, 2008 @12:38PM (#23185136)
        Sure, in general that is a valid concern. However,

        The pollution attack... "overwrites" the P2P botnet's key, an identifier that's used to get command information to the bots. Storm generates keys to find other bots, the researchers noted.
        So there really isn't a risk, in this case, of executing maleficent code or overwriting large portions of anything. The Storm operators might modify the peers to self-destruct the host or something, though I doubt they will given that Storm needs the host to be at all useful.

      • Re:It's not Really... (Score:5, Informative)

        by kaiser423 ( 828989 ) on Thursday April 24, 2008 @12:40PM (#23185174)
        If you RTFA, they are not sending any commands to the end computer. They are just disrupting communications between the nodes.

        Effectively, fracturing the net into multiple pieces; not taking control o the computers and doing something.

        This is not a counter-attack to the infection or anything like that. They're just jamming the comm system that the bots use. They're not actively doing anything to the bot or computer.

        • Re:It's not Really... (Score:5, Informative)

          by PRMan ( 959735 ) on Thursday April 24, 2008 @02:27PM (#23187086)

          Actually, the paper presented at the conference

          http://www.usenix.org/event/leet08/tech/full_papers/holz/holz_html/ [usenix.org]

          mentions that the fracturing attack does not work. The Storm botnet currently only 2 things.

          1. It sends spam e-mails if it receives a file in a spam template format with another file containing a list of addresses.

          2. It commits a denial-of-service attack against a host if it receives a different templated file.

          What the researchers are proposing is to become a sender and to send out floods of blank files faster than the actual operators can send out their real files. As a result, the hosts are too busy downloading the 2200 phony files to get around to the 1 real one.

          The time it takes for all the network nodes to get around to the real file eliminates the power of the botnet, reducing its effectiveness to that of a few machines even if it contains tens of thousands.

        • Re: (Score:2, Informative)

          by ruin20 ( 1242396 )
          No, they're changing the key. Essentially you're decoupling the node. Everything is there, it's just the password for that particular node of the botnet is reset. That doesn't change the fact that the ability to execute malicious code is still there and if anyone tracked the keys that were used to overwrite that of the botnets, they could set up their own network.

      • Re:It's not Really... (Score:5, Interesting)

        by el_flynn ( 1279 ) on Thursday April 24, 2008 @12:42PM (#23185236) Homepage

        Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user.
        True, but who's to say the resident malware isn't already doing that? Although I'm sure the bot manufacturer will take quite strong measures to stop this from happening, as it would really result in a non-productive bot. So the anti-bot programmer would just have to take similar steps I suppose.

        It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection.
        TFA says the researchers "saw between 5,000 and 40,000 machines online at a time."
        Who, other than a NATO-type international task force, would have the resources to reach out to those 40k users and help them clean their machines? All you IT admins and helpdesk staff are already cringing at the thought of handling tens or hundreds of users -- can you even begin to imagine trying to explain to thousands of clueless users what's happened to their PC, and what steps to take to clean it?

        • Re:It's not Really... (Score:4, Interesting)

          by graphicsguy ( 710710 ) on Thursday April 24, 2008 @01:19PM (#23185896)

          Who, other than a NATO-type international task force, would have the resources to reach out to those 40k users and help them clean their machines?
          If it's easy to detect the traffic to/from a botnet computer, they should be cut off by their ISP. The ISP can then offer them both instructions and to sell them PC cleaning as a service before allowing them to re-activate their connection.

          • Re: (Score:3, Insightful)

            by Bryansix ( 761547 )
            I'm sorry but while this idea looks good on paper it is bullshit in real life. Most people with home Internet service have more then one computer on their network. Then you have business customers who have 5-100 computers on their network. They can't just walk up to the infected computer and take it offline because they don't know which one it is. Most Anti-Virus programs can't fully detect things like the storm worm and some even get eaten alive by it. A much better thing would be an automated service that

      • Re:It's not Really... (Score:4, Insightful)

        by msimm ( 580077 ) on Thursday April 24, 2008 @12:43PM (#23185260) Homepage
        Running an infected bot is inherently risky, just like the virus or worm that caused it. Moral concerns should be moderated appropriately.

      • Re: (Score:2, Interesting)

        by hilather ( 1079603 )
        You know, wiping out a bot infected computer of any personal information or even all information might actually be doing that person a favour. It is better then having that information falling into the wrong hands. I could go either way on this, its the computer equivalent of vigilantes. But what happens when bot net controllers star to realize identity theft is a pretty lucrative business too?
      • Maybe then the end user would be more careful in the future and it would take them off of the bot net.

        I guess I've got my Evil bit set because if I had the know how I would send a low level format command out. The bot net would collapse, people profiting from it would stop and maybe people would start putting pressure on Microsoft to actually do something. Maybe even install a bootloader to display Apple, Ubuntu, & FreeBSD's websites.

        Sure it's not nice, but if it gets people to actually take action then
        • The bot net would collapse, people profiting from it would stop and maybe people would start putting pressure on Microsoft to actually do something. Maybe even install a bootloader to display Apple, Ubuntu, & FreeBSD's websites.

          One problem i see with this is that the proverbial grandmother, whose infected machine has slowed or stopped working altogether, then associates Apple, Ubuntu, and FreeBSD with the reason why her computer stopped working. To her, and thousands like her, their machine stopped w

        • Maybe even install a bootloader to display Apple, Ubuntu, & FreeBSD's websites.
          It's been said before, but apparently needs to be repeated: users are a bigger security risk than the OS could ever aspire to be. To quote the wikipedia entry on Storm:

          When an attachment is opened, the malware installs the wincom32 service, and injects a payload...
          How do you propose to stop stupid users from manually opening malware, just by giving them a new OS?

          • Re: (Score:3, Informative)

            by Actually, I do RTFA ( 1058596 )

            How do you propose to stop stupid users from manually opening malware, just by giving them a new OS?

            By making data clearly different from executables? I mean, how about "The attachment you are trying to open is NOT a movie/picture/sound/etc. It is a program that has unlimited access to your machine."

            • Re: (Score:3, Funny)

              by Sancho ( 17056 ) *
              And years of training will cause the users to just click "Yes" so that they can see their naked picture of Natalie Portman petrified in hot grits.

              The damage has already been done.

      • Re: (Score:2, Insightful)

        by EncryptedSoldier ( 1278816 )
        LAWL! Yeah, that's a great idea. Lets go ringing doorbells! "Hi! Are you Mrs. Smith?" "Yes, I am. And who might you be?" "I'm John, and your computer is infected with a bot-net called Storm. You and millions of other users are infected and are constantly infecting other computers without your knowledge. I can fix your computer for $200, what do you say?" And even if that worked, it won't work for everyone. Too much time needed to fix it, too much money for it to be possible. Poisoning the botnet is the way

      • Re:It's not Really... (Score:5, Insightful)

        by Solandri ( 704621 ) on Thursday April 24, 2008 @12:58PM (#23185510)

        Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.
        Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.
        You're comparing a concentrated loss to a distributed loss. The correct assessment in that case is to sum up the losses on both sides. Say "poisoning" Storm results in 1000 users with wiped hard drives losing $10,000 worth of data and productivity (being very generous here). OTOH say letting Storm continue to operate results in 100 million users losing $1 each worth of productivity (spam) and data (compromised systems). That's a $10 million to $100 million balance in favor of poisoning Storm. Obviously the numbers here are made up and I honestly don't know if poisoning Storm is a good idea. But the point is that you just can't look at the losses on one side and say a course of action is unacceptable due to those losses. You have to compare the losses that might happen if you take action, to what losses will happen if you don't take action.

        It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.
        Do you maintain any computers for friends or family? No it won't be more effective in the long run. You help them clean their system, and they'll go right back to using it as always. In 6-12 months they'll call you back to help them clean it again. It's just an individual equivalent of a cost of doing business for them. Why should they bother to change their habits when they can pay you a hundred bucks or so every year to clean their system?

        In that light, losing all their data might be just what's needed to get them to take computer security seriously. However, I'd consider it a last resort since it's a punitive action rather than a preventative action. The long-term solution is to accept that casual users are going to run their computers like this, and to come up with mechanisms which blunt or dilute the impact of compromised systems. We're already doing this with anti-virus and anti-spyware software, as well as flaming Microsoft so they fix all the security holes in Windows. But it may or may not also involve poisoning botnets.

        Off the top of my head, I don't think you need to remove the botnet software. It's probably already secured the box against further infection. So all you need to do is scramble its communication and/or encryption so it doesn't/can't contact the bot master again. It could be as simple as changing one bit in an otherwise unused registry key. So "poisoning" a botnet may be much more benign than your worst case scenario.

        • Re: (Score:2)

          by geekoid ( 135745 )
          Well, maybe your family are a bunch of idiots, but my family, and others I have dealt with have learned and developed better computer habits.

          I hate that excuse so much. It's no different then any excuse any a fascist uses to 'fix' a problem.

          This is an OS problem, and should be fixed as such.

        • >You have to compare the losses that might happen if you take action, to what losses will happen if you don't take action.

          I like your argument, but I think it's based on a flawed premise. If I know my neighbor's going to take a gun and go shoot a bunch of people, so instead I shoot him first, I have done exactly what you're advising -- but I still will get charged with murder.
          If they're doing things to a botnet that can modify infected computers, that's illegal, even if their intentions are good. You c

        • Re:It's not Really... (Score:4, Interesting)

          by khallow ( 566160 ) on Thursday April 24, 2008 @03:35PM (#23188074)

          You're comparing a concentrated loss to a distributed loss.

          One ugly thing malicious software can do is a "retaliation" strategy (a cooler name is welcome). If you try to destroy or render it ineffective, then it attempts to do the same to the computer that it's on. If I can't have your computer, then you can't have it either. Maybe tit for tat. So if the user stops trying to fix things, then the bot stops retaliating. This would be interesting on a collective level since the bot network might start destroying data, if it detects poisoning attempts.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user.

        And if I were a botnet author, I'd make absolutely sure that signs of such tampering would result in this (the DISABLE_ZOMBIE command in version 1.00 effects the WIPE_WHOLE_DRIVE command in update 1.01). Watch as the self-appointed saviour destroys the data (bla bla backups) on half a million computers world wide.

        The road to Hell...

      • Re:It's not Really... (Score:5, Funny)

        by guruevi ( 827432 ) on Thursday April 24, 2008 @12:59PM (#23185530)
        Actually, it would be better to wipe their hard drive clean since then they would be directly impacted and see the loss caused by their stupidity. I already heard from users: yeah, I know I have a virus/trojan but it doesn't really do anything bad to my computer and that virus scanner makes my computer slower so I'll leave it there.

        Also, it would give us geeks some extra income and we would have the opportunity to load Ubuntu on their machines.

      • Re: (Score:2, Insightful)

        by MagdJTK ( 1275470 )

        I would argue that it is a computer owner's moral responsibility to make sure it's not doing any harm to others.

        If someone leaves their bag unattended at a train station, they should expect it to be destroyed in order to protect the public. If someone doesn't secure their PC and it becomes a hazard to others, shouldn't it be taken out too, by any means?

      • Re: (Score:2, Insightful)

        by ohtani ( 154270 )
        Since when would saying something along the lines of "del infectedprogram.exe" be the same as "format c:"?

      • Re: (Score:2, Insightful)

        by rocketPack ( 1255456 )

        Should I not be held (somewhat) responsible if my unprotected gun is used in a crime? A computer with an internet connection has inherent risks, it's the users responsibility to secure and protect their own goods against damage, as well as malicious uses.

        If your computer is damaged in an effort to mitigate a large-scale botnet causing massive infrastructure problems and costing people money, then perhaps you could at least learn something from the process.

        I don't feel sympathy for their (speculated, pot

        • Re: (Score:3, Interesting)

          by Ethanol-fueled ( 1125189 ) *
          Note that you said unprotected gun. I'll assume that you meant to imply that if you give your gun to some schmo and he uses it for evil then you should be responsible.

          What the bad guys are doing(to use your gun analogy) is breaking into your house, finding your firearm and picking its trigger lock, then loading it with their own magazine and ammo and then using it for evil. Would that be your fault? No. Now envision the same scenario except that you left your door open and the perp walked right through it
      • its a pain to provide technical support for even uninfected computers, and you are telling us to help people clean their infected computers.

      • Re: (Score:2, Insightful)

        by Esc7 ( 996317 )
        I think the wording here should be that poisoning the botnet would be the MORAL thing to do (Stopping the botnet is a good thing for all!) But it would not be the ETHICAL thing to do (Respecting people's privacy is the rule that we hold to).

        And in all dilemmas between morals and ethics the "right" thing to do must be weighed very carefully, there are no hard and fast rules that can be applied carte-blanche.

      • Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

        Unless there's a problem with the command you send out and it completely wipes the end users hard drive and all their personal data or does something else destructive to the infected user.

        Which the original bot might easily have done.

        By the time a user is participating in a botnet, they are a lost cause. If you want to help them, fine, but do it before they get infected.

        And anyone who doesn't do backups WILL lose data, it's only a question of when.

        • And anyone who doesn't do backups WILL lose data, it's only a question of when.

          Just out of curiosity: how the heck do you backup a 500 GB hard disk ?

          • Onto another 500gb disk. Or two 250gb disks.

            I do both, albeit with 320gb drives. My main system has mirrored 320s, and once a month or so when I think of it, I back those up to two 160gb drives on another system.

            In another few years when my storage needs expand, the 320s will go in the backup computer, and I'll mirror a couple of 600gb drives in the main computer, and off-line backup onto the 320s.

      • Re: (Score:2, Insightful)

        by Anonymous Coward
        Due to technical realities actively commanding a person's PC without permission may be the only way to counter these bot nets. If you fail to secure your system properly and ISPs are unwilling to block these comprimised systems then the law should allow it. If you suffer data loss then that was no different then damage caused by fire fighters trying to stop a fire from spreading.

      • Re:It's not Really... (Score:5, Insightful)

        by couchslug ( 175151 ) on Thursday April 24, 2008 @02:20PM (#23186990)
        "It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run."

        It would also be prohibitively complex and expensive. The idea that morality obligates us to do things that are wildly unlikely to work is questionable.

        Consider "help them clean their computer and prevent another infection" for what it REALLY means. That can be anything from a complete reinstall of the OS and all apps to replacing the computer with a more secure (and securED) OS because the original machine isn't suitable. There is no reasonable guarantee afterwards that the machine won't get 0wn3 again by the same or a new threat.

      • Re: (Score:3, Insightful)

        by ScentCone ( 795499 )
        I like dogs, and would never hurt one for no reason. But I'd still kill a rabid one, especially if I thought it was about to hurt someone else. Finding its owner, and thoughtfully explaining the history and mitigation strategies related to rabies - as the dog is chewing some kid's arm off, or killing someone else's pet - might feel more politically correct, but it's absurd, too. Poisoning the botnet is a good thing.
    • I agree. If they're unaware the bot is running they'll also be unaware of the anti-bot.

    • Re:It's not Really... (Score:4, Insightful)

      by ChoppedBroccoli ( 988942 ) on Thursday April 24, 2008 @12:37PM (#23185088)
      You are right, it isn't necessarily a moral question. Obviously, the researchers are trying to do a good thing, and their good intentions are good and correct.

      It is more of a legal/tehcnical question. Are you legally allowed to do this? And the major problem for researchers is that they have no cloak of anonymity like the bad guys do: they are easily linked/traced to all their actions by the mere fact that they publish their work and share their results. If anything goes wrong, or even if an overzealous user just wants to sue/go to court for the sake of suing, then the researchers are SOL.

      It IS a gray area, even if you are morally correct.
    • I was going to add that once your pc is part of a bot net its not really your machine anymore anyway. Its some one else's machine that you pay the electricity for and occasionally it will allow you to use if albeit at degraded performance.
    • this is no moral question

      Think of the other Strormbot researchers they've potentially messed up ... this could be an ethical problem if they're preventing other people from working on the worm. ;-)

  • Fair Play (Score:4, Interesting)

    by FurtiveGlancer ( 1274746 ) <AdHocTechGuy@@@aol...com> on Thursday April 24, 2008 @12:29PM (#23184926) Journal
    I submit that it's inherently fair and perfectly ethical to disrupt those who invade and steal from others. Even if the theft is one of compute cycles. Usually, we call those who disrupt invaders and thieves "heroes."

  • Add free article. (Score:2, Informative)

    by AltGrendel ( 175092 )
    Add free article here. [darkreading.com]

  • Who is liable in the event of retaliation? (Score:3, Interesting)

    by Tanman ( 90298 ) on Thursday April 24, 2008 @12:33PM (#23185006)
    Ok, so here's a fun question: Lets say the botnet creators get pissed off and send out a code change that makes one of the standard commands change to be something like, oh, "wipe hard drive." The botnet creators then use different commands, but the researchers come along and issue the old command, thus wiping the users' hard drives.

    Are the researchers liable since they technically issued the offending command while logged in as a remote user without the owner's permission?

    • Re:Who is liable in the event of retaliation? (Score:5, Informative)

      by drrck ( 959788 ) on Thursday April 24, 2008 @12:39PM (#23185158)
      TFA states that they are changing the hash values that the bots use to talk to one another. They aren't issuing commands, they're interrupting the communication of the bots.

    • Re: (Score:3, Insightful)

      by WK2 ( 1072560 )
      I thought of that too. It might be a good way for the botnet operators to keep security researchers of their backs. Fortunately, the botnet operators don't want to damage the computers any more than the security researchers do. Less, in fact, because the botnet operators think they "own" said computer.
  • It would be nice if the researchers could find a way to inject a "cure" and disable the malware on the target computer. I wouldn't have any moral/ethical problem with that. Of course, I guess it all depends on who is defining "malware." The RIAA might convince a judge that it is "OK" to innoculate pc's against P2P (pick your favorite client).

    Cheers,
    • You would have to be careful not to repeat the mistakes of the Welchia worm. [symantec.com] This is a worm destroying worm which attempts to remove the MS Blaster worm and download and install the patch for the vulnerability which MS Blaster (and Welchia itself) uses to infect computers. The problem is that Welchia disrupted network activity and caused PCs to reboot a unexpected times to complete instillation of the security patch. It is, therefore, considered to be malware and is removed by all the major antivirus pr

  • Actually Reading the Article (Score:4, Informative)

    by Kiralan ( 765796 ) * on Thursday April 24, 2008 @12:40PM (#23185190) Journal
    To the ones worried about the ethics, at least in this case: What the researchers did, in a sense, is change the 'name' and/or 'password' the bot uses to call the bot master and authenticate itself. In short, they removed the ability of the 'bot to get more commands.

    • Re: (Score:2)

      by geekoid ( 135745 )
      Yes, but did they need to access a computer they weren't authorized to access in order to do it.
      That's the question.

  • Armageddon (Score:3, Insightful)

    by spleen_blender ( 949762 ) on Thursday April 24, 2008 @12:41PM (#23185202)
    The war. IT BEGINS.


    Seriously I'm personally excited by the fact that this essentially seems to offer a great draw to people with security skills to try being offensive where most of their efforts would be used defensively before.

  • Public Key Cryptography and Message Signing. (Score:5, Insightful)

    by CodeBuster ( 516420 ) on Thursday April 24, 2008 @12:41PM (#23185210)

    I predict that the botnet authors will respond with the following counter-measures:

    1) Command messages sent to the botnet by the operator will employ public key cryptography and message signing so that bots can determine real commands from headquarters (i.e. the bot net operator) from fake ones.

    2) The bots themselves will use encryption to communicate amongst themselves and employ secret handshakes once the encrypted channel has been established to detect imposters. It would not be difficult to arrange for the botnet to automatically coordinate and begin punative attacks against hosts which attempt to inject false commands into the botnet.

    • Re: (Score:3, Informative)

      by Uncle Focker ( 1277658 )

      2) The bots themselves will use encryption to communicate amongst themselves
      They already do that now. That's one of the major issues with tracking down the whole extent of the botnet.

      • Re: (Score:2)

        by jandrese ( 485 )
        The good news is that it's so damn hard to implement a crypto system properly that the botnet authors have probably screwed something up, especially since they can't just rely on a single host (or pool of hosts) to store the crypto keys (those would be an easy target for the anti-botnet folks). Key management is the #1 area where people screw up their crypto systems.

    • Re: (Score:3, Funny)

      by el_flynn ( 1279 )
      And I would like to add my prediction: the botnet will implement captchas or kittens to detect the fake bots.

    • Re: (Score:3, Informative)

      by Captain Spam ( 66120 )
      Actually, if I'm not mistaken, TFA claims that the researchers are using those exact vectors to do their counterattacks. As in, they mess with the encryption key so that any data that comes in from the controllers or other bots will be reported as bogus due to the controller/bot keys not matching. This, in a large way, renders the bot harmless, as it will now ignore all orders, expecting something signed by a key that will never arrive.

      It's honestly a clever way to pull it off, though it does open the doo

      • As in, they mess with the encryption key so that any data that comes in from the controllers or other bots will be reported as bogus due to the controller/bot keys not matching.

        This is probably due to a flaw in the bot implementation which allows input data to smash the stack [wikipedia.org] and overwrite the stored public keys which are being used for cryptography operations (the session keys are presumably negotiated online with Diffie-Hellman exchange). If the bot authors patch this vulnerability allowing key overwrites then the cryptography approach would still be sound.

    • Re: (Score:3, Interesting)

      by querist ( 97166 )
      For your first point (1), there are some issues:

      The encryption itself will only be partly effective, since the bot needs to have the decryption key available, it would simply be a matter of analysis to locate the key. This would allow researchers to intercept messages headed to the bots.

      Messages to the Command and Control will still be protected if public-key crypto is used.

      The signatures will not be able to be faked, so your approach is correct in that it would prevent the researchers from injecting comman

      • Re: (Score:3, Interesting)

        by CodeBuster ( 516420 )

        it would simply be a matter of analysis to locate the key.

        Allow me to be more clear: the key stored in the bot code would be the public key of the botnet operator so even if the researches found it it would not help them to sign false messages. For that they would need the private key which, of course, would be retained by the botnet operator and never distributed. If the correct signature cannot be forged without the private key then the command messages would be safe, even if analysis recovered the public key from the bot binary.

        Messages to the Command and Control will still be protected if public-key crypto is used...The signatures will not be able to be faked, so your approach is correct in that it would prevent the researchers from injecting commands.

        Right and right again. I should

  • in order to save it.
  • who have no regard for morals or ethics, scrupulously conforming to morals and ethics hampers your ability to fight

    the danger of course, is not to become what you fight by doing that

    so you slightly bend the rules, all the time, without making the sort of flat out trangression of major moral issues that constitutes what criminals do

    but you will still get flak from people who expect moral certitude from those who fight criminals, and criticize you like no tomorrow, all the while completely ignoring and not criticizing the criminals themselves

    • Re: (Score:2)

      by geekoid ( 135745 )
      The criminals aren't criticized because we know they are wrong, they're criminals.

      "scrupulously conforming to morals and ethics hampers your ability to fight"

      Yes, like needing warrants, or seeing that the innocent people you arrest have an 'accident'.
      Innocent until proven guilty, and all that pesky stuff, really who needs it~

  • Reaction to this paper? (Score:3, Insightful)

    by el_flynn ( 1279 ) on Thursday April 24, 2008 @01:01PM (#23185580) Homepage
    Since the researchers have already published their work [honeyblog.org] on the infiltration process, I'm sure by the time you read this piece of news the botnet owners and/or authors have already put an action plan in place to mitigate, or at least lessen, the effect.

    Plus, if you read their published work, they readily admit that they are always one step behind the worm, and have to react whenever the attacker changes his tactics. The work mentions that "the attacker can easily change [a function of the Stormnet communication technique]... and then we need to analyze [our] binary again."

    Criminals usually work faster than the good guys because they have more to lose.

  • The terminology is confused (Score:5, Insightful)

    by Yurka ( 468420 ) on Thursday April 24, 2008 @01:04PM (#23185630) Homepage
    Computers in a botnet are not "peoples' PCs" anymore. They are not under control of the owner. This needs to be clarified again and again. When you see a Borg drone, you (try to) kill it. And Picard was right - you'll be doing it a favor.

    • Re: (Score:3, Funny)

      by geekoid ( 135745 )
      Of course they are, don't be stupid.
      There is a program running on their computer.
        You also assume they don't want it there.

  • How active is storm currently? (Score:3, Interesting)

    by damn_registrars ( 1103043 ) <damn.registrars@gmail.com> on Thursday April 24, 2008 @01:19PM (#23185874) Homepage Journal
    I've seen previous allegations that Leo Kuvayev [wikipedia.org] has ties to the storm botnet. It of course is known that Mr. Kuvayev is a prolific spammer.

    However, there hasn't been as much spam from Mr. Kuvayev - either in my own boxes, or mentioned recently on line. This leaves me to wonder if perhaps he isn't utilizing it as much as he used to?

    While certainly the botnet has been used for more than just spam propagation, and Kuvayev has sent spam to a lot more people that just me, I still can't help but wonder if it either isn't as large or as active as it once was.

    • Re: (Score:3, Interesting)

      by ahabswhale ( 1189519 )
      It's a shadow of its former self. Microsoft actually took them out, believe it or not. The Msft malicious software removal tool has taken care of it and the maintainers of the storm botnet got tired of dealing with it and let it go. See here for more info: http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx [technet.com]

      So it's great that they came up with this but too bad it's pointless, at least for Storm. However, I'm sure they'll continue patting themselves on the back for fixing something th
    • How much money do you really need?

      If I was doing illegal botnets, I'd make a cool billion dollars or so, then retire to a tropical island.

      • If I was doing illegal botnets, I'd make a cool billion dollars or so, then retire to a tropical island.

        Interesting idea, with an interesting correlation to Kuvayev. I've seen him alternate between claiming his residence to be in either Finland or Tahiti. Perhaps he's entered a state of semi-retirement?

  • Fools! (Score:4, Funny)

    by Kingrames ( 858416 ) on Thursday April 24, 2008 @01:25PM (#23185990)
    Nuke the sites from orbit, it's the only way to be sure!
  • ... at the Usenix leet conference [usenix.org] covered by slashdot. [slashdot.org]

    Go look through the articles... some of them rock. The technical knowledge of these guys, how they dismantled storm, etc is amazing.

  • And by "other peoples' PCs" they of course mean the people who control Storm. The physical possessors of the computers have already given up ownership.

    It's a real shame that this is being done by researchers and not security forces. The researchers are correct, it ain't their job. It should be done by people who we have already given the authority to trespass with cause.

    Not going to happen. Sadly. I live in a place where violent crime is incredibly rare, but property crime is common. The most valuable
  • Cant be used the botnet itself to do something more useful, like self destruct, uninstall self or display a warning to the zombie pc user?

    Maybe that borg^H^Htnet have some sort of "sleep" command to make it inactive in most part.
  • Just have it do:


    > net send <logged in username> "your machine is infected with the Storm rootkit, go here for the fix URL:..."

    and scare them into fixing it! Just a little tough love and education is what is needed, not hosing up their machine. Anything that has the potential to damage the machine is a very bad idea, but the owner really needs to know its hacked, and then how to fix it.

Slashdot Top Deals

Love may laugh at locksmiths, but he has a profound respect for money bags. -- Sidney Paternoster, "The Folly of the Wise"

Close