wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) has briefly come back to life last week, allowing the botnet to hand-off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Service be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."
...that in two weeks this is going to be back up somewhere else in the world? Heck, we could turn it into a game, guessing which country it is being run from next.
Ok, am I being thick here, but why can't some enterprising soul (or organisation), use the algorhythm to take control of the bots and then gets them to purge or go inactive?
I'd love to see that too. Spoofing traffic on IRC is easy. But the problem is the commands must be signed using the bot herder's private key. It's apparently a very large key, (1024 BYTE iirc) and no one has managed to break it yet.
I bet there are several groups working on them though. Problem is, each time the herder pushes an update, they could rekey it, placing everyone's break attempts back on square 1.
My PERSONAL preference here is that the command sent should cause the participating computers to post a notice on the user's screen telling them they've been owned, that their computers have been being used to harm the public, and that they (the computers) have been rendered inactive and they'll have to take the computer into the shop for repair. (because no doubt they're infested with more than just this botnet) Some may say that's going too far, but imho, it's completely reasonable. They should share some of the responsibility for the actions of their computer after allowing it to be hijacked and being used to abuse ME. How about it just delete their NIC drivers and post the message?
> How about it just delete their NIC drivers and post the message?
Formating hard disks and writing a message to the boot sector will be a bit more efficient than this. Remember, a clean install in case of an infection is recommended even by Microsoft.
The fact is, these people play by their own rules (no rules at all). As long as the "good guys" insist on dealing with them on the ethical high road, the problem will never go away.
Either way the reality is play dirty or accept boatloads of spam and quit bitching about it.
"The fact is, these people play by their own rules (no rules at all). As long as the "good guys" insist on dealing with them on the ethical high road, the problem will never go away."
The same argument could be made about the police and the anti-terrorists. I don't know about you, but I prefer that they have to follow rules.
Yes, but a good 90% of the public doesn't have the skills to do this. And while as a PC repairman I wouldn't mind the extra business, in this shitty economy there are going to be plenty that can't afford to take it in, especially if all they have in their area is the ID10Ts at Worst Buy.
My solution would be this: Since most of us believe in OSS, and I am sure that many FLOSS guys read Slashdot, why can't we get together to help those infected Windows users and thus help us all?(And no, I don't mean by sending them a link to Ubuntu). Here is what we need: We need a small Linux based DOSbox that will autorun an antivirus cleaner and delete or quarantine any infections it finds. It needs to be small, so we can send the file or the link even to those with crappy connections, and should have a freeware burner software built in so they can simply double click they file and it will burn the ISO. Then they can simply reboot and let the tool do its job.
You see it is nearly impossible to remove an infection from a running OS, and most users simply don't have the skills required to run the complicated Linux security CDs which is the only thing I have even found which comes close. And we could even use it to promote FOSS by having links to FOSS like FF, OO.o, GNUCash, etc in a simple "more free software" link which the virus cleaner could drop on their desktop. This could help spread the word to those unfamiliar with FOSS while at the same time helping to cut down the slowdown from infected machines puking all over the net. It could be updated every week with the latest definitions to whichever free AV scanner was used, and if you wanted to get fancy you could even have it install a free AV like ClamWin with the scans and updates scheduled via Scheduled Tasks.
I have looked all over the web and have yet to find anything like that which I just described, and sadly programming is a skill I don't have so I can't build it myself. But it seems to me like this would be a great way to not only help clean up the net but spread the word about FOSS(and yes, you could have links to Ubuntu on the free software page) to those who may have never heard of it before. And if it is small and easy I'm sure that sites all over the net would be happy to promote it, as nobody likes all the spam and botnet traffic. The authors could even accept donations on their website for maintaining it and make a little scratch while they help to clean up the garbage. Sounds like a win/win to me.
Thanks for trying to help, but I'm afraid the authors of that project made the giant blunder that destroys any chance when it comes to most Linux solutions. Can you guess what the worst words any Linux user can possibly say to an average Windows user? The one that will cause fear and panic every time?
The third line says "Once fully booted into the CD, you will be met with a bash prompt." SORRY but you have LOST sir. Good day. The second the words CLI become connected to anything you expect a Windows user to touch you have lost. No further discussion, it is in the trash. I would be willing to bet a good 85-90% of Windows users don't even know Windows HAS a CLI, and they sure as hell aren't going to be comfortable trying to use one in Linux.
This is one of the reasons I quit even bothering to suggest Linux to home customers anymore, even though many could surely use its better security model. With Windows I can count the number of times I have HAD to go CLI in the past 10 years on one hand with fingers left over. Sure I use it to save time but I never HAVE to touch the CLI if I don't feel like it. Linux developers are such CLI heads that often the ONLY way to get a job done(as with this project) is with the CLI. And I don't know how many times I was researching a problem when I first tried Linux on my laptop and the first words were always "open Bash" which made me think "good luck ever converting Windows users". Because I can tell you from way too many years with Windows users as customers that their answer would be "it's broken" and into the dumpster or back to the store it would go.
If the FLOSS movement ever wants to make even a dent in that 90% Windows desktop monopoly, then they MUST follow this rule above ALL: You MUST design everything as if there is NO CLI. No Bash, no Corn, no shells at all. Period. If you design the OS to where there isn't a single thing they need CLI for, then you have a real shot at converting Windows users to FLOSS. But as long as the first answer to EVERY question starts with "open Bash" then folks will stick with Windows no matter how shitty a version Ballmer puts out. Because CLI is something that most Windows users simply don't want to know exists, and no amount of extolling its virtues will ever change their minds. But thanks anyway, it was a good idea until they blew it on the dismount. A real shame as it met every one of the earlier requirements except for the easy to use part, which is unfortunately the most important part of all.
It really wouldn't have to do much if you think about it. Once rebooted you could have it begin scanning automatically and on detection of first virus have it ask "Do you wish to delete or quarantine this virus?" and it would have a button for each choice along with cancel and a small checkbox below that said "remember my answer and repeat on every virus" so they wouldn't have to keep hitting the button if they didn't want to. And if you wanted to get fancy you could have a box at the end display the number
Formating hard disks and writing a message to the boot sector will be a bit more efficient than this. Remember, a clean install in case of an infection is recommended even by Microsoft.
You're modded funny, but I hope you're not serious. Yes, yes, I know that people should be performing backups (how many grandmothers do you know who do?).
How livid, or depressed would you be to loose a few years worth of photographs because somebody who was too annoyed with getting spam decided that you didn't deserve to have your data anymore?
Do something totally harmless like changing their default gateway to 0.0.0.0, then setting the background image on their desktop to a message with instructions on ho
Like you have the right to decide that it's appropriate to fuck them up, or that anyone have the rights to do it. Just disable it / change key / whatever. I doubt sending a message would help to, as if the user would care?
The problem there is that unless you force them to take it in for service and get it cleaned up properly, it's still going to be infected with other nasty stuff (maybe another botnet) and it's still going to have all the holes in it that let in the bot to begin with, so it's just going to get reinfected again shortly.
I don't endorse something like formatting, but it should be sufficiently disabled to either lose networking capability, or require a windows reinstall. Maybe screw up their network stack. Tha
Why should I (and others) waste ~$100 dragging our computers to Best Buy or some other service center? Your proposal violates multiple individual rights (right of property, right of labor, right of money). It's my damn computer, my damn money, and *I* will decide whether or not to take it to the service center.
Stay the hell away from both my computer and my wallet. (I'm not angry, just flabbergasted that you think it's acceptable behavior to hijack other people's personal property and money.)
Disabling someone else's machine is immoral, no matter what your goal might be.
Does "disabling" include cutting off network connectivity? In today's environment of cloud computing and web2.0 apps, being cut off from the net is arguably the same as disabling a machine entirely.
And to extend the logic a bit further, it is immoral for an ISP to cut off somebody's account if that account is being used to spew spam. Or to extend things a bit further, it's immoral for an upstream to cut off a downstream spam sewer... or for anything like RBL or SBL to exist since it can be used to facilitate disruption of network service.
I'm not trying to explicitly condone an approach where zombies are vandalized to render them inoperable, but I'm trying to point out how this entire argument is shades of grey - at some point, action against criminal networks involves infringement on people's "right" to do whatever they want with their money, their computer, their internet connection, etc.
... and one other thing to keep in mind: when the day comes (becuase it's a when not an if) that terrorist organizations hire a botnet to attack the computers that control the electric grid, or to perform supercomputing nuclear simulations, or any number of other things... you are going to see some serious shit being done to botnets and zombies, and it will be done by governments not by random vigilantes.
Stay the hell away from both my computer and my wallet. (I'm not angry, just flabbergasted that you think it's acceptable behavior to hijack other people's personal property and money.)
THIS, from a person whose computer is already hijacked and being used for illegal activities? If you hold your moral ground here, I'm doing you a favor by hijacking your already hijacked computer, and alerting you to its presence (without causing serious damage) so you can put an end to it.
Or would you prefer to continue to wallow in ignorant bliss as your computer spews forth tens of thousands of spam each day to the rest of the world? People that take THAT attitude, I have no problem with seeing them get their drives formatted.
by Anonymous Coward
on Friday November 28 2008, @10:52AM (#25916335)
Stay the hell away from both my computer and my wallet.
THIS, from a person whose computer is already hijacked and being used for illegal activities?
Using evil methods to accomplish noble goals is still evil. Once you accept computer hijacking under some circumstances, how do you define the motives for which it's ok? Would it be ok to create or use a zombie net to process SETI or protein folding data? To scan for other zombies? How about DB indexing for your job?
If you're going to try to claim the moral high ground, you need to stick to the high ground and not compromise your ethics for the sake of expediency.
This is the case where some dick has managed to file down your brake lines such that the next time you try to stop before hitting a pedestrian, your car will sail right through them. The/. solution is to take your spark plugs out and hand them to your mechanic with a note: "Check brake lines."
Your PC is already compromised. All the suggestion does is alert you to it. So you have to bring it in for repair - you had to do that before the vigilantes got a hold of your system, you just didn'
The road to tyranny is paved with good intentions. Most of the men who we study in history class as "evil" would have repeated the exact same phrase: "I'm doing you a favor" as they burned books, or raided homes, or whatever other anti-human rights crime they committed.
>>>Or would you prefer to continue to wallow in ignorant bliss as your computer spews forth tens of thousands of spam each day to the rest of the world? People that take THAT attitude, I have no problem with seeing them get their drives formatted. >>>
Spammail merely makes you delete a few messages per day. Annoying? Yes absolutely, but not that bad. BUT formatting my hard drive is going to cost me a few hundred dollars in (a) lost music, movies that I purchased and (b) time to re
Though it will be a pain when my wife asks me what that message means, and can't I get it off the screen so she can finish the I.Q. test she's taking... this is important stuff she does, you know, so interruptions should be kept to a minimum...
Then I can teach her what she needs to know about Unbuntu. Should take about 15 minutes.
They should share some of the responsibility for the actions of their computer after allowing it to be hijacked and being used to abuse ME
I was with you all the way up to that point, but no, I'm sorry, it is just arrogant to say that the owner of the machine is in any way responsible for this. It is purely and simply Microsoft's fault that they do not take security seriously enough. Why have they not been taken to task about this?
If a car manufacturer sells a model that exhibits a problem with the steerin
Ok, am I being thick here, but why can't some enterprising soul (or organisation), use the algorhythm to take control of the bots and then gets them to purge or go inactive?
I would guess because of public key cryptography. If these bots were made smartly, they will only accept signed commands, so you need the private key.
I guess the algorithm is linked in a way or another to a clock (time)...If they point to a atomic clock sync, isn't possible to spoof the IP (or change locally domain name config) and then to trace the next domain name?
I dont know how much money these people are making but having to move locations every two weeks surely is n't free. Plus whilst you're moving and the bot net is down you're not generating money (from the spaming).
If this is the case then I would n't mind this going on for ever until they run out of money.
The Russian authorities have an attitude problem, and don't give a tinker's damn about the crime being committed from their soil, as long as it isn't Russian citizens being targeted. Which goes part-way to explain why cybercriminals NEVER target people in their own countries.
Uh... or get White Hat control servers in place that NUKE THE ZOMBIES FROM ORBIT?
Enough with the defence. Don't the NSA and DOD have people whose job this is? If they can't deal with Srizbi, how are they going to deal with a real attack?
I was sure I read somewhere that they [the intelligence services] were registering domains ahead of them but they just didn't have the funds to keep doing this.
You don't need funds to register the domains. You simply lean on the domain registrar. Presumably the registrations follow an algorithm and bump to the next one if that domain doesn't issue proper ACKs or what-have-you.
Simply get the registrars to hold issuing those domains and put sniffers on to track the source of the bot command-request traffic... then nuke the zombies from orbit!...
According to a disassembly [fireeye.com] of the bot, there are more than a hundred domain names tried each day. (4 per bot variant, but at least 55 different seeds aka magic numbers.)
Still, it might be worth registering all those domains until someone determines the private key, so a 'good guy' can give the bots a suicide pill.
If someone publishes the list of all the domains that Srizbi will go to for instructions for the next few years, we can all buy one each and stop the spammers from ever regaining control.
Good, but I'd be happier if the people involved had been arrested. Surely there must be enough information out there to trace the controllers of this bot net by now.
Pre-paid credit cards and proxy servers would make it 'difficult', to say the least, for tracking down who is paying for the hosting. Pay for the pre-paid in cash and you're untraceable.
But they're paying someone for the hosting. If that corp/person is irresponsible enough to let them use their servers then they should be shut down from upstream - cut off their electric if they won't comply.
Unnecessary car analogy: You may not trace the owner of an unlicensed vehicle but you can trace the driver and the vehicle. Fine/Lock-up the driver and impound the vehicle.
To all the people who are saying "just take the botnet down with that control system", this isn't always possible.
Think, for instance, of a virus that not only has this sort of "find my controller" system but that, when it finds instructions, checks an attached PGP public key to ensure their integrity and that they came from the original author. If this particular virus doesn't have it, the next breed will. That makes it completely immune to "false" updates, in the same way that Linux repositories and Windows Update are... unless you have the private key associated with that virus' creation, you can't issue an update that it will take notice off.
You can't stop things like this by just intercepting the botnets... you can slow them, hinder them, give you time, but there are ways around everything. The way to stop it is to SHUT OFF USERS who have those botnets, who have allowed their computers to be compromised. Permanantly. Give them the incentive to actually keep their systems clean. They can move to another ISP etc. but the only way to stop them is to show them that leaving their PC open to infection is the problem here, along with an OS that allows that sort of compromise to be so easy, and not that some kid in Russia is somehow smarter or more resourceful than the entire world's IT experts.
I don't know if this worm actually does have a signed update system, but it's a very easy thing to do, with tons of well-audited, open-source, freely available code to do it for you. I would be very surprised if some malware somewhere wasn't already doing it.
I remember recently that they accused Russians or Chinese or whatever for attacking their government sites and kind of they created some serious cyberforce after these attacks? Kind of makes me wonder. How is this possible to have some serious cyberforce and not able to shut botnet which originates from your own country. Smelling bullshit somewhere.
I remember recently that they accused Russians or Chinese or whatever for attacking their government sites and kind of they created some serious cyberforce after these attacks? Kind of makes me wonder. How is this possible to have some serious cyberforce and not able to shut botnet which originates from your own country. Smelling bullshit somewhere.
How do you fund your "Cyberforce"(!) if you don't spam other countries from your international botnet?
Wouldn't it be possible to go after the individual bots? It can't be hard to figure out which IP's (machines) are used and then just contact the ISP that deliver network connection to them and tell them to deal with the situation. Have them contact the subscriber and give them a some time to fix their computer, if they don't then cut them off. The ISP that doesn't do this would get a warning and some time to deal with the situation, and after that the ones who deliver connectivity to them should cut them off.
Sounds like a good idea at first, but when you consider that the people who wrote the root kit already know how the algorithm works, you can be pretty sure they'll always be one step ahead of you on that front.
Speculating wildly here since I haven't read the code, but the herders probably use a technique similar to GeoHashing. GeoHashing uses the closing DOW average iirc, to generate coordinates somewhere in the world for that week. The point is you don't know where it's going to be in advance.
If the zombie can't connect to the C&C server, it looks up last night's DOW closing, generates the new domain name, and tries to connect there instead. It tries this for the last week's DOW averages, since DNS takes
Assuming they're dot-coms being registered then can't ICANN simply not allow registration for domains fitting the algorithm except for to the director of a proven established and registered business (ie traceable and suable). If it really was a 32-digit hex then wouldn't they stand out like a sore thumb?
What they're more likely to go for is simply increasing the minimum charge for such domains to $1Million USD... business as usual.
Who wants to bet... (Score:2, Redundant)
Re:Who wants to bet... (Score:5, Interesting)
Parent
Re:Who wants to bet... (Score:5, Interesting)
I'd love to see that too. Spoofing traffic on IRC is easy. But the problem is the commands must be signed using the bot herder's private key. It's apparently a very large key, (1024 BYTE iirc) and no one has managed to break it yet.
I bet there are several groups working on them though. Problem is, each time the herder pushes an update, they could rekey it, placing everyone's break attempts back on square 1.
My PERSONAL preference here is that the command sent should cause the participating computers to post a notice on the user's screen telling them they've been owned, that their computers have been being used to harm the public, and that they (the computers) have been rendered inactive and they'll have to take the computer into the shop for repair. (because no doubt they're infested with more than just this botnet) Some may say that's going too far, but imho, it's completely reasonable. They should share some of the responsibility for the actions of their computer after allowing it to be hijacked and being used to abuse ME. How about it just delete their NIC drivers and post the message?
Parent
Re:Who wants to bet... (Score:5, Funny)
> How about it just delete their NIC drivers and post the message?
Formating hard disks and writing a message to the boot sector will be a bit more efficient than this. Remember, a clean install in case of an infection is recommended even by Microsoft.
Parent
Re: (Score:3, Insightful)
But there is truth to it.
The fact is, these people play by their own rules (no rules at all). As long as the "good guys" insist on dealing with them on the ethical high road, the problem will never go away.
Either way the reality is play dirty or accept boatloads of spam and quit bitching about it.
Re:Who wants to bet... (Score:4, Insightful)
"The fact is, these people play by their own rules (no rules at all). As long as the "good guys" insist on dealing with them on the ethical high road, the problem will never go away."
The same argument could be made about the police and the anti-terrorists. I don't know about you, but I prefer that they have to follow rules.
Parent
Re:Who wants to bet... (Score:5, Insightful)
Yes, but a good 90% of the public doesn't have the skills to do this. And while as a PC repairman I wouldn't mind the extra business, in this shitty economy there are going to be plenty that can't afford to take it in, especially if all they have in their area is the ID10Ts at Worst Buy.
My solution would be this: Since most of us believe in OSS, and I am sure that many FLOSS guys read Slashdot, why can't we get together to help those infected Windows users and thus help us all?(And no, I don't mean by sending them a link to Ubuntu). Here is what we need: We need a small Linux based DOSbox that will autorun an antivirus cleaner and delete or quarantine any infections it finds. It needs to be small, so we can send the file or the link even to those with crappy connections, and should have a freeware burner software built in so they can simply double click they file and it will burn the ISO. Then they can simply reboot and let the tool do its job.
You see it is nearly impossible to remove an infection from a running OS, and most users simply don't have the skills required to run the complicated Linux security CDs which is the only thing I have even found which comes close. And we could even use it to promote FOSS by having links to FOSS like FF, OO.o, GNUCash, etc in a simple "more free software" link which the virus cleaner could drop on their desktop. This could help spread the word to those unfamiliar with FOSS while at the same time helping to cut down the slowdown from infected machines puking all over the net. It could be updated every week with the latest definitions to whichever free AV scanner was used, and if you wanted to get fancy you could even have it install a free AV like ClamWin with the scans and updates scheduled via Scheduled Tasks.
I have looked all over the web and have yet to find anything like that which I just described, and sadly programming is a skill I don't have so I can't build it myself. But it seems to me like this would be a great way to not only help clean up the net but spread the word about FOSS(and yes, you could have links to Ubuntu on the free software page) to those who may have never heard of it before. And if it is small and easy I'm sure that sites all over the net would be happy to promote it, as nobody likes all the spam and botnet traffic. The authors could even accept donations on their website for maintaining it and make a little scratch while they help to clean up the garbage. Sounds like a win/win to me.
Parent
Re:Who wants to bet... (Score:4, Insightful)
Thanks for trying to help, but I'm afraid the authors of that project made the giant blunder that destroys any chance when it comes to most Linux solutions. Can you guess what the worst words any Linux user can possibly say to an average Windows user? The one that will cause fear and panic every time?
The third line says "Once fully booted into the CD, you will be met with a bash prompt." SORRY but you have LOST sir. Good day. The second the words CLI become connected to anything you expect a Windows user to touch you have lost. No further discussion, it is in the trash. I would be willing to bet a good 85-90% of Windows users don't even know Windows HAS a CLI, and they sure as hell aren't going to be comfortable trying to use one in Linux.
This is one of the reasons I quit even bothering to suggest Linux to home customers anymore, even though many could surely use its better security model. With Windows I can count the number of times I have HAD to go CLI in the past 10 years on one hand with fingers left over. Sure I use it to save time but I never HAVE to touch the CLI if I don't feel like it. Linux developers are such CLI heads that often the ONLY way to get a job done(as with this project) is with the CLI. And I don't know how many times I was researching a problem when I first tried Linux on my laptop and the first words were always "open Bash" which made me think "good luck ever converting Windows users". Because I can tell you from way too many years with Windows users as customers that their answer would be "it's broken" and into the dumpster or back to the store it would go.
If the FLOSS movement ever wants to make even a dent in that 90% Windows desktop monopoly, then they MUST follow this rule above ALL: You MUST design everything as if there is NO CLI. No Bash, no Corn, no shells at all. Period. If you design the OS to where there isn't a single thing they need CLI for, then you have a real shot at converting Windows users to FLOSS. But as long as the first answer to EVERY question starts with "open Bash" then folks will stick with Windows no matter how shitty a version Ballmer puts out. Because CLI is something that most Windows users simply don't want to know exists, and no amount of extolling its virtues will ever change their minds. But thanks anyway, it was a good idea until they blew it on the dismount. A real shame as it met every one of the earlier requirements except for the easy to use part, which is unfortunately the most important part of all.
Parent
Re: (Score:3, Informative)
It really wouldn't have to do much if you think about it. Once rebooted you could have it begin scanning automatically and on detection of first virus have it ask "Do you wish to delete or quarantine this virus?" and it would have a button for each choice along with cancel and a small checkbox below that said "remember my answer and repeat on every virus" so they wouldn't have to keep hitting the button if they didn't want to. And if you wanted to get fancy you could have a box at the end display the number
Re: (Score:3, Insightful)
Formating hard disks and writing a message to the boot sector will be a bit more efficient than this. Remember, a clean install in case of an infection is recommended even by Microsoft.
You're modded funny, but I hope you're not serious. Yes, yes, I know that people should be performing backups (how many grandmothers do you know who do?).
How livid, or depressed would you be to loose a few years worth of photographs because somebody who was too annoyed with getting spam decided that you didn't deserve to have your data anymore?
Do something totally harmless like changing their default gateway to 0.0.0.0, then setting the background image on their desktop to a message with instructions on ho
Re: (Score:2)
Like you have the right to decide that it's appropriate to fuck them up, or that anyone have the rights to do it. Just disable it / change key / whatever. I doubt sending a message would help to, as if the user would care?
Re: (Score:2)
The problem there is that unless you force them to take it in for service and get it cleaned up properly, it's still going to be infected with other nasty stuff (maybe another botnet) and it's still going to have all the holes in it that let in the bot to begin with, so it's just going to get reinfected again shortly.
I don't endorse something like formatting, but it should be sufficiently disabled to either lose networking capability, or require a windows reinstall. Maybe screw up their network stack. Tha
Re:Who wants to bet... (Score:4, Funny)
I object.
Why should I (and others) waste ~$100 dragging our computers to Best Buy or some other service center? Your proposal violates multiple individual rights (right of property, right of labor, right of money). It's my damn computer, my damn money, and *I* will decide whether or not to take it to the service center.
Stay the hell away from both my computer and my wallet. (I'm not angry, just flabbergasted that you think it's acceptable behavior to hijack other people's personal property and money.)
Parent
Re:Who wants to bet... (Score:4, Insightful)
(I'm not angry, just flabbergasted that you think it's acceptable behavior to hijack other people's personal property and money.)
You mean like the way botnet owners do in the first place?
Parent
Re:Who wants to bet... (Score:5, Insightful)
Disabling someone else's machine is immoral, no matter what your goal might be.
Does "disabling" include cutting off network connectivity? In today's environment of cloud computing and web2.0 apps, being cut off from the net is arguably the same as disabling a machine entirely.
And to extend the logic a bit further, it is immoral for an ISP to cut off somebody's account if that account is being used to spew spam. Or to extend things a bit further, it's immoral for an upstream to cut off a downstream spam sewer ... or for anything like RBL or SBL to exist since it can be used to facilitate disruption of network service.
I'm not trying to explicitly condone an approach where zombies are vandalized to render them inoperable, but I'm trying to point out how this entire argument is shades of grey - at some point, action against criminal networks involves infringement on people's "right" to do whatever they want with their money, their computer, their internet connection, etc.
... and one other thing to keep in mind: when the day comes (becuase it's a when not an if) that terrorist organizations hire a botnet to attack the computers that control the electric grid, or to perform supercomputing nuclear simulations, or any number of other things ... you are going to see some serious shit being done to botnets and zombies, and it will be done by governments not by random vigilantes.
Parent
Re:Who wants to bet... (Score:4, Insightful)
Stay the hell away from both my computer and my wallet. (I'm not angry, just flabbergasted that you think it's acceptable behavior to hijack other people's personal property and money.)
THIS, from a person whose computer is already hijacked and being used for illegal activities? If you hold your moral ground here, I'm doing you a favor by hijacking your already hijacked computer, and alerting you to its presence (without causing serious damage) so you can put an end to it.
Or would you prefer to continue to wallow in ignorant bliss as your computer spews forth tens of thousands of spam each day to the rest of the world? People that take THAT attitude, I have no problem with seeing them get their drives formatted.
Parent
Re:Who wants to bet... (Score:5, Insightful)
Stay the hell away from both my computer and my wallet.
THIS, from a person whose computer is already hijacked and being used for illegal activities?
Using evil methods to accomplish noble goals is still evil. Once you accept computer hijacking under some circumstances, how do you define the motives for which it's ok? Would it be ok to create or use a zombie net to process SETI or protein folding data? To scan for other zombies? How about DB indexing for your job?
If you're going to try to claim the moral high ground, you need to stick to the high ground and not compromise your ethics for the sake of expediency.
Parent
Re: (Score:3, Insightful)
Bad car analogy.
This is the case where some dick has managed to file down your brake lines such that the next time you try to stop before hitting a pedestrian, your car will sail right through them. The /. solution is to take your spark plugs out and hand them to your mechanic with a note: "Check brake lines."
Your PC is already compromised. All the suggestion does is alert you to it. So you have to bring it in for repair - you had to do that before the vigilantes got a hold of your system, you just didn'
Re:Who wants to bet... (Score:5, Insightful)
>>>I'm doing you a favor
The road to tyranny is paved with good intentions. Most of the men who we study in history class as "evil" would have repeated the exact same phrase: "I'm doing you a favor" as they burned books, or raided homes, or whatever other anti-human rights crime they committed.
Parent
Re: (Score:3, Insightful)
>>>Or would you prefer to continue to wallow in ignorant bliss as your computer spews forth tens of thousands of spam each day to the rest of the world? People that take THAT attitude, I have no problem with seeing them get their drives formatted.
>>>
Spammail merely makes you delete a few messages per day. Annoying? Yes absolutely, but not that bad. BUT formatting my hard drive is going to cost me a few hundred dollars in (a) lost music, movies that I purchased and (b) time to re
Works for me... (Score:2)
Though it will be a pain when my wife asks me what that message means, and can't I get it off the screen so she can finish the I.Q. test she's taking... this is important stuff she does, you know, so interruptions should be kept to a minimum...
Then I can teach her what she needs to know about Unbuntu. Should take about 15 minutes.
Shakespeare didn't know about the Internet, or he would have written 'first, we kill all the spammers' [spectacle.org].
Re: (Score:2)
They should share some of the responsibility for the actions of their computer after allowing it to be hijacked and being used to abuse ME
I was with you all the way up to that point, but no, I'm sorry, it is just arrogant to say that the owner of the machine is in any way responsible for this. It is purely and simply Microsoft's fault that they do not take security seriously enough. Why have they not been taken to task about this?
If a car manufacturer sells a model that exhibits a problem with the steerin
Re: (Score:2)
Isn't that why they sell sports cars and suvs and tractor trailers from different parts of the lot ?
Re: (Score:3, Insightful)
I would guess because of public key cryptography. If these bots were made smartly, they will only accept signed commands, so you need the private key.
Re: (Score:3, Interesting)
Re: (Score:2)
I guess that at least some of the domain names are already taken.
Now each of these could have been parked by the spammers to prepare for this situation, or they could belong to someone innocent.
How do you decide which it is?
Down every couple of weeks is great (Score:2)
I dont know how much money these people are making but having to move locations every two weeks surely is n't free. Plus whilst you're moving and the bot net is down you're not generating money (from the spaming).
If this is the case then I would n't mind this going on for ever until they run out of money.
Re:Who wants to bet... (Score:5, Funny)
The Russian authorities have an attitude problem, and don't give a tinker's damn about the crime being committed from their soil, as long as it isn't Russian citizens being targeted. Which goes part-way to explain why cybercriminals NEVER target people in their own countries.
You misspelled 'American' in your post. Twice.
Parent
Algorithm (Score:5, Interesting)
However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions . . .
Couldn't the registrars run that algorithm ahead of time and ban (or track down) new registrations for those domains?
Re:Algorithm (Score:5, Insightful)
Uh... or get White Hat control servers in place that NUKE THE ZOMBIES FROM ORBIT?
Enough with the defence. Don't the NSA and DOD have people whose job this is? If they can't deal with Srizbi, how are they going to deal with a real attack?
Parent
Re: (Score:2)
I was sure I read somewhere that they were registering domains ahead of them but they just didn't have the funds to keep doing this.
Re: (Score:2)
I was sure I read somewhere that they [the intelligence services] were registering domains ahead of them but they just didn't have the funds to keep doing this.
You don't need funds to register the domains. You simply lean on the domain registrar. Presumably the registrations follow an algorithm and bump to the next one if that domain doesn't issue proper ACKs or what-have-you.
Simply get the registrars to hold issuing those domains and put sniffers on to track the source of the bot command-request traffic ... then nuke the zombies from orbit! ...
Profit.
Re:Algorithm (Score:4, Informative)
Still, it might be worth registering all those domains until someone determines the private key, so a 'good guy' can give the bots a suicide pill.
-David
Parent
Re:Algorithm (Score:5, Informative)
Feasible, algo is described here:
http://blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html [fireeye.com]
Parent
How about we work together on this? (Score:4, Insightful)
If someone publishes the list of all the domains that Srizbi will go to for instructions for the next few years, we can all buy one each and stop the spammers from ever regaining control.
Re:How about we work together on this? (Score:5, Insightful)
Yeah coz no-one here would take control of a hugely profitable bot-net given the chance???
Parent
Re: (Score:3, Funny)
I wouldn't, but then again I have an extremely rare terminal case of the principles.
Arrest them ... (Score:3, Insightful)
Good, but I'd be happier if the people involved had been arrested. Surely there must be enough information out there to trace the controllers of this bot net by now.
Rich.
Re: (Score:2)
Re: (Score:2)
But they're paying someone for the hosting. If that corp/person is irresponsible enough to let them use their servers then they should be shut down from upstream - cut off their electric if they won't comply.
Unnecessary car analogy: You may not trace the owner of an unlicensed vehicle but you can trace the driver and the vehicle. Fine/Lock-up the driver and impound the vehicle.
Think (Score:5, Insightful)
To all the people who are saying "just take the botnet down with that control system", this isn't always possible.
Think, for instance, of a virus that not only has this sort of "find my controller" system but that, when it finds instructions, checks an attached PGP public key to ensure their integrity and that they came from the original author. If this particular virus doesn't have it, the next breed will. That makes it completely immune to "false" updates, in the same way that Linux repositories and Windows Update are... unless you have the private key associated with that virus' creation, you can't issue an update that it will take notice off.
You can't stop things like this by just intercepting the botnets... you can slow them, hinder them, give you time, but there are ways around everything. The way to stop it is to SHUT OFF USERS who have those botnets, who have allowed their computers to be compromised. Permanantly. Give them the incentive to actually keep their systems clean. They can move to another ISP etc. but the only way to stop them is to show them that leaving their PC open to infection is the problem here, along with an OS that allows that sort of compromise to be so easy, and not that some kid in Russia is somehow smarter or more resourceful than the entire world's IT experts.
I don't know if this worm actually does have a signed update system, but it's a very easy thing to do, with tons of well-audited, open-source, freely available code to do it for you. I would be very surprised if some malware somewhere wasn't already doing it.
Re: (Score:2)
"In hand-coded ASM."
And the author managed to survive the resulting mental breakdown?
Is this that Estonia? (Score:3, Insightful)
I remember recently that they accused Russians or Chinese or whatever for attacking their government sites and kind of they created some serious cyberforce after these attacks?
Kind of makes me wonder. How is this possible to have some serious cyberforce and not able to shut botnet which originates from your own country. Smelling bullshit somewhere.
Re: (Score:2)
I remember recently that they accused Russians or Chinese or whatever for attacking their government sites and kind of they created some serious cyberforce after these attacks?
Kind of makes me wonder. How is this possible to have some serious cyberforce and not able to shut botnet which originates from your own country. Smelling bullshit somewhere.
How do you fund your "Cyberforce"(!) if you don't spam other countries from your international botnet?
Re: (Score:2)
Funny that you mention originating ips in the botnet thread. Controller could be as well in silicon valley.
And keep your voice down.
Cut the bots off? (Score:2)
Wouldn't it be possible to go after the individual bots? It can't be hard to figure out which IP's (machines) are used and then just contact the ISP that deliver network connection to them and tell them to deal with the situation.
Have them contact the subscriber and give them a some time to fix their computer, if they don't then cut them off.
The ISP that doesn't do this would get a warning and some time to deal with the situation, and after that the ones who deliver connectivity to them should cut them off.
Guinness World Record? (Score:4, Funny)
In essence this is the largest game of Wack-A-Mole ever played.
Re: (Score:2, Insightful)
Re: (Score:2)
Speculating wildly here since I haven't read the code, but the herders probably use a technique similar to GeoHashing. GeoHashing uses the closing DOW average iirc, to generate coordinates somewhere in the world for that week. The point is you don't know where it's going to be in advance.
If the zombie can't connect to the C&C server, it looks up last night's DOW closing, generates the new domain name, and tries to connect there instead. It tries this for the last week's DOW averages, since DNS takes
Re: (Score:2)
Assuming they're dot-coms being registered then can't ICANN simply not allow registration for domains fitting the algorithm except for to the director of a proven established and registered business (ie traceable and suable). If it really was a 32-digit hex then wouldn't they stand out like a sore thumb?
What they're more likely to go for is simply increasing the minimum charge for such domains to $1Million USD ... business as usual.