
Man Challenges 250,000 Strong Botnet and Succeeds 206

Posted by CmdrTaco
from the i-fought-the-law-and-the-law-one dept.
nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, the change from a defensive to an offensive mentality is what ended the two-year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."
  • by winkydink (650484) * <sv.dude@gmail.com> on Monday December 28, 2009 @06:17PM (#30576474) Homepage Journal

    For some value of "Stuff".

    Yeah. He succeeded in eradicating the mega-D botnet. For about 2 weeks anyway.

    From MessageLabs Intelligence: 2009 Annual Security Report "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

    • Re: (Score:3, Informative)

      by Anonymusing (1450747)

      Also, FTA: "Mushtaq and two FireEye colleagues..." -- not just one guy.

      • by Loopy (41728)

        That's like saying Einstein had 2 lab assistants, not just Einstein. Troll.

    • by Red Flayer (890720) on Monday December 28, 2009 @06:35PM (#30576612) Journal

      > "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

      So now there can be coordinated effort against the new botnet, he'll come back with new bots, community response to kill that one off...

      Fighting spammers is like fighting against a guerilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerillas will be necessary to win the war. Impact of spammers can be reduced by constant counter-attacks, but the only way to eliminate spam networks hosted on compromised machines is to remove compromised machines from the network (and as many compromisable machines as possible).

      The cost of this may be too high to be worth it... but if you take away someone's internet access for a while when they get hosed, then maybe they'll stop getting hosed.

      • So, Mega-D is going to be his Vietnam (Or Iraq)?
      • by shentino (1139071)

        I'd call it electronic quarantine.

      • Re: (Score:3, Insightful)

        by aedil (68993)

        I think you miss another important aspect of this "war"... As in fighting a guerilla army, you usually end up being on the less effective side of the conflict due to rules and regulations that one tends to be bound by, whereas a guerilla army usually couldn't care less about the rules. Spammers do not care about breaking rules, regulations, and protocols, so they can play very dirty whenever they want (and botnets are a clear example of that). Offensive action against them is usually still bound by some

      • by vegiVamp (518171)
        > The cost of this may be too high to be worth it... but if you take away someone's internet access for a while when they get hosed, then maybe they'll stop getting hosed.

        The trouble with this, is that the people who are prone to get hosed, are the people who have no real clue as to how or why they get hosed, let alone how to prevent it.

        Had this practice started way back when eternal september was barely more than a witticism, we probably wouldn't have been where we are now; and while my gut says that it
      • Guerrilla Gorilla (Score:3, Insightful)

        by fm6 (162816)

        > Fighting spammers is like fighting against a guerilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerrillas will be necessary to win the war.

        Is your use of "wholesale destruction" metaphorical, or do you really think guerilla warfare works that way? Because we tried that in Vietnam, and it didn't work. Which is why U.S. counterinsurgency doctrine [army.mil] got revised to exclude the myth that you can win a guerrilla war just by killing people. You also have to change the environment on the ground so that supporting your side instead of the guerrillas is a realistic option for the general population.

        Now, if the war against malware is like a guerrilla war,

      • Re: (Score:3, Insightful)

        by TheCarp (96830)

        No, a guerrilla army still has a command and control structure. While an individual botnet, or individual criminal enterprise would have such a structure, "botnets" don't. It's more like crime fighting. Anyone could choose to commit a crime at any time. Most won't (mostly) and some will. Some criminals you will put a stop to, some you won't.

        You are never going to win a war against "crime" any more than the war against "botnets". The best you can ever hope to do is raise the perception of how hard it is to crea

    • by shentino (1139071)

      Finally, someone treats the army of compromised computers like what it really is, an army.

  • Command & Control (Score:5, Informative)

    by phantomcircuit (938963) on Monday December 28, 2009 @06:33PM (#30576604) Homepage

    All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.

    Obviously this was a temporary solution.

    • Re: (Score:2, Interesting)

      by bragr (1612015)
      It is, from what I read it seems that the botnet generates a random domain every hour or day to fall back on, and all they did was knock out the existing C&C and register all the fallback domains for the next 2 weeks. Surely the botnet will have taken a hit, and the information gathered will possibly help reduce the number of infections, but it wasn't shut down permanently.

      What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, o
      • by abulafia (7826) on Monday December 28, 2009 @06:52PM (#30576782)

        > What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.

        Funny you concentrate on a claimed conflict of commercial interest.

        It also would have opened them up to a potentially huge legal problem. No matter how carefully coded an uninstaller, the likelihood of some number of machines having problems after being infected by a remover, when talking about .25M machines, is high. Such an action also is criminal computer intrusion in its own right.

        No person in their right mind would do such a thing.

        • by vlm (69642) on Monday December 28, 2009 @06:56PM (#30576826)

          > No person in their right mind would do such a thing.

          Which makes me all the more surprised that no one has tried.

          • by ceoyoyo (59147)

            There have been several cases of people trying the "helpful malware" trick. The most recent widely publicized incident I remember was the guy who wrote some code to exploit jailbroken iPhones with default passwords and replace the wallpaper with a warning to change the password.

          • Re: (Score:3, Interesting)

            by c6gunner (950153)

            > Which makes me all the more surprised that no one has tried.

            It's been done on a smaller scale. Back when botnets were still mostly communicating via IRC, I took down a few myself. The difference is that I didn't document the process and then blab about it to the media in order to advertise my security products/services.

            • Back in my younger days, I tried to shut down nazi spammers by alt.test-subscribing them to zillions of listservs. Kinda worked, but triggered lots of collateral damage :-)

              With this stunt, I might have unintentionally contributed to the phasing out of alt.test functionality.

              Another favorite pastime was goatsing spammers' servers via SQL injection, or dropping their entire subscriber list. Unfortunately, nowadays, spammers no longer use unsecured ASP as much as they used to.

              And, like you, I never bragged

          • by spydum (828400)

            This has been done to a degree. Not with a C&C style bot that I know of, but back in the self-proliferating worm/virus days, one of the big nasty virii had come out, and someone wrote the "anti-virus" that basically infected using the same exploit, and started trying to "infect" the virus host with the cleanup virus, then self-destructing. It had some flaws and turned out to be just as aggressive as the original bot, which caused yet additional DoS's on providers and hosts. The name of the virus and the

        • Re: (Score:2, Insightful)

          by bragr (1612015)
          Legal implications aside, this is an interesting ethics question. Is it more ethical to interfere with another's property, without permission, to solve a larger problem, or is it more ethical to respect private property and privacy? Surely there are cases for both.

          If I remember correctly, sometime in the last year, a security research team from UCSD (I think) hijacked a portion of a botnet to research the success of spam and how botnets operate. I believe that after they finished, they caused the bots unde
          • Re: (Score:3, Insightful)

            by MikeURL (890801)
            The question that I raise when I read stories like this is why does the US Government allow these botnets to operate. Clearly the ability exists to shut them down and it is easy enough to understand why some private group does not want the liability for 250,000 PCs. But one of the sprawling alphabet soup of federal government agencies surely could take on this task.
            • by Rich0 (548339)

              Yup, I'd certainly have no qualms about the FBI cutting down the waste that is spam by killing botnets. The really big ones don't just sprout overnight, and they are probably easier to take down than they are to build. Most likely the US already has sufficient surveillance on its border routers to trace this sort of thing, and if nothing else they can easily shut out the bot operator and poison the bots' DNS so that they phone home to the FBI.

              Liability isn't an issue for the US government. At most you migh

          • Re: (Score:3, Interesting)

            by c6gunner (950153)

            > Legal implications aside, this is an interesting ethics question. Is it more ethical to interfere with another's property, without permission, to solve a larger problem, or is it more ethical to respect private property and privacy? Surely there are cases for both.

            I don't really see an ethical issue. If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door? Maybe some people would, but they have to be insanely rare. The only issue here is the legal one, and it's not one that can be easily resolved.

            • Re: (Score:3, Interesting)

              by whoever57 (658626)

              > I don't really see an ethical issue. If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door?

              What if they got into an accident and wrecked your car on the way to your house? The risk is that any bot removal might have side effects.

              • Re: (Score:3, Insightful)

                by c6gunner (950153)

                > What if they got into an accident and wrecked your car on the way to your house? The risk is that any bot removal might have side effects.

                That's a legal issue, not an ethical one. If someone t-bones me at an intersection tomorrow I won't think of them as an evil person, but I will hold them legally accountable.

              • by Moridin42 (219670)

                You probably say "thanks" and update your insurance claim. Since they have less wiggle room to not pay. The car is wrecked, now. Not stolen and potentially recoverable.

                Are you BadAnalogyGuy in disguise or something?

            • by psnyder (1326089)

              > If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door?

              Nobody stole the computer. They just infected it. The majority of computers are still usable and the owners don't know they've been infected.

              Car analogies break down.

            • by wisty (1335733)

              No, it's more like if somebody was hiding in your trunk (and jumping to rob people at intersections), could you also sneak into their trunk and wrestle him out?

          • by couchslug (175151)

            "Is it more ethical to interfere with another's property, without permission, to solve a larger problem, or is it more ethical to respect private property and privacy? Surely there are cases for both."

            One may make such a decision from preference, and not ethics.

        • by khasim (1285)

          http://en.wikipedia.org/wiki/Welchia [wikipedia.org]

          Ah, the good old days.

        • by hardburn (141468)

          Not so much being out of your right mind, but rather, having sufficiently flexible ethics and keeping a clear image of your goal in mind. Kind of like what Lelouch vi Britannia would do if he ran a security company rather than trying to take over the world.

        • by sjames (1099)

          The big problem is that even if you do it perfectly so that you do no harm whatsoever, the odds are a number of those machines will have unrelated problems that you'll be blamed for.

          • by dissy (172727)

            > The big problem is that even if you do it perfectly so that you do no harm whatsoever, the odds are a number of those machines will have unrelated problems that you'll be blamed for.

            On the other hand, perhaps my hackable-but-on-the-internet machine is that critical system that will kill hundreds of bunnies if it goes offline, and the system you just complained about the cleaning action is the one that automatically hacked mine.

            With that logic, you should have the same amount of sympathy for me and my total disregard for those bunnies lives as you do about the other system.

            So to keep the bunnies from dying, we must remove the other system from the Internet, to prevent it from potentiall

            • by sjames (1099)

              Personally, I agree, but I doubt the courts will ask me for my opinion.

        • How many people would even notice? If they have a botnet node running on their machine do you really think they are going to notice if you screw it up more?

        • I've thought for years now that the only thing that can fight the botmasters effectively would be a handful of deeply paranoid grey hat vigilantes willing to wipe out the botnets via pushing inoculants to the bots themselves and being invisible enough to pull it off without getting hauled off by the law or gunned down by the mobsters behind the botnets.

        • > No person in their right mind would do such a thing.

          Wrong. A person in their right mind might very well do such a thing, but the smart way. Namely, anonymously, without bragging about it.

          So, in the improbable event that some of the .25M got more fubarred than they were before, the lusers would not know whom to sue.

      • by Fnord666 (889225)

        > What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.

        No, what they should have done was hijacked the botnet using the fallback domains and nuked the offending bots from orbit. It's the only way to be sure. Seriously. Distribute a payload that reformats the primary boot partition.

        • by BronsCon (927697)

          And you're sure to be flamed for your comment. That's sad, as you make a very valid point. If people valued their data, their systems, and their time, they would take precautions to prevent infection in the first place.

          If the cure truly is worse than the infection, they really can only avoid that cure until it is forced on them. That will happen, one day, I hope.

          Me? I keep online backups across multiple operating systems, as well as weekly-updated offline backups. If I ever do get infected, only a portion o

          • by BronsCon (927697)

            In my hurry to support the post I was replying to, I forgot to add the following:

            Maybe after losing their irreplaceable photos of little Timmie a few times, people will wise up and take security a bit more seriously.

      • > It is, from what I read it seems that the botnet generates a random domain every hour or day to fall back on, and all they did was knock out the existing C&C and register all the fallback domains for the next 2 weeks. Surely the botnet will have taken a hit, and the information gathered will possibly help reduce the number of infections, but it wasn't shut down permanently.

        And in 2 weeks, they'll simply patch the algo so it checks an order of magnitude more domains, making pre-purchasing them uneconomical for these guys from the article.

    • > All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.
      >
      > Obviously this was a temporary solution.

      Yeah, it sort of seems like they could have done a better job. If they could get cooperation from the primary ISP of the main C&C controller, and they could even set up honeypots that would accept connections to count the number of computers in the botnet - why not do more than simply remove the command servers?

      Why not set up a bogus C

      • Signed software. (Score:3, Interesting)

        by khasim (1285)

        Have the botnet pass around a binary that erases the botnet binaries from the infected PC on the next reboot, then force a reboot?

        Because most of them depend upon digitally signed updates now. So you cannot use the zombie code to remove the zombie code unless you first have the key.

        Which makes it rather difficult.

        On the other hand ... writing a removal routine should be a LOT easier. A clean removal. Removing just the zombie code and ALL of the zombie code.

        The problem then would be getting it to run on the

        • It's easy enough for them to redirect all your traffic to a web page with the removal code available there. And since it is easy enough to identify the zombies, their IP addresses and their ISP's ... that should be easy, right?

          Hah! That's brilliant.

          If these machines are infected with the bot, that means they are probably unpatched machines. Maybe the bot installed by drive-by. [wikipedia.org]

          Have ISPs (who are controlling the local machines' DNS) identify bot infected machines, and redirect them to a drive by webpa

        • If you have a few infected honeypots and can eavesdrop on the C&C, shouldn't you be able to compromise the key exchange as well? Not trivial but doable when the stakes are high. Or are the botmasters using a sequence of one-time-pads for their updates similar to their domain name fallbacks?

          • Re: (Score:2, Informative)

            They just eavesdrop on communications between bots and the C&C. Trying to "compromise" the key exchange is as easy as breaking the asymmetric encryption algorithm. Aka, not very easy at all.
  • All of the effort associated with this, and other endeavors to thwart botnets, would really be better served isolating the primary reason why these botnets continue to be successful and create new ways to thwart them before they occur. The machines that are infected are still vulnerable. All the original botnet owner is going to do is modify a new botnet to use different domains or IPs and back to life it comes.
    • Re: (Score:3, Insightful)

      I'm usually not trying for "insightful" when I quote comedians, but: "You can't fix stupid." - Ron White

      As long as there are stupid people out there using computers which are connected to the internet, they'll find a way to get their machines pwned. Unless you're proposing the anti-botnet efforts be directed towards keeping stupid people off internet-connected computers, I don't see a viable way to "treat the illness."
      • Perhaps "You can't fix stupid" but sometimes you can replace it. The Internet protocols and infrastructure just weren't designed with security in mind. Well designed products/services for consumers don't rely on sophisticated knowledge for safety and efficacy.

      • As long as people are willing to execute programs with administrative privileges to get free wallpapers there will be botnets. People should be held accountable for damages caused by their machines, wittingly or unwittingly. Unsafe conditions on property are certainly grounds for a negligence charge and municipalities often compel unsafe or even unsightly conditions to be remedied. Electronic conditions should be handled similarly.
    • by Requiem18th (742389) on Monday December 28, 2009 @07:49PM (#30577240)

      What illness? Windows? The Windows ecosystem security is hopelessly broken.

      Lots of outdated machines won't upgrade because the upgrades are expensive, and even if they were free they might break software OR compatibility, and even if they are free and don't break compatibility many of these systems use pirate copies of Windows and they aren't going to expose themselves to unexpected lockouts.

      No, the solution is implementing a counter-spamming initiative at the ISP level. With counter-spamming I mean spamming the spammers, NO, I don't mean naively counter-spamming their email addresses, I mean spamming their honey pot channels, there was a thunderbird extension for this, basically they follow the links in the spam message and sign up/buy whatever they ask for, credit card numbers, friend email addresses, SSN, etc, all fake of course. Unlike their source email addresses they use to spam, they DO pay attention to information sent this way, because it is the way they make money, it's their biggest weak point, spam that and you take them out of business.

    • > The machines that are infected are still vulnerable. All the original botnet owner is going to do is modify a new botnet to use different domains or IPs and back to life it comes.

      I've long thought that one way to deal a deadly blow to spammers would be for Microsoft to announce a "Windows amnesty" where people could carry in their computers to volunteer geeks and get a legit fully patched version of whatever (pirated and probably infected) Windows is on their system. It would generate a lot of positive press too but it's probably too costly.

      • by spongman (182339)

        expensive? upgrading from XP to Win7? that's $200 for ~9 years, less than $2 a month.

  • Arms race (Score:3, Interesting)

    by Locke2005 (849178) on Monday December 28, 2009 @06:43PM (#30576686)
    Sure, cutting off botnet access to C&C machines works now, but what happens when they adopt a true peer-to-peer control structure, rather than the primitive centralized control structure they are using now?
    • Re: (Score:3, Interesting)

      by winkydink (650484) *

      The p2p C&C infrastructure has been talked about since at least 2005. Not much has been seen "in the wild". It has been speculated that this is because a p2p botnet infrastructure has, by its very nature, a much lower efficacy.

      • Let's use this botnet as an example. 250,000 zombies. What is the likelihood of finding another zombie with random scanning? Not to mention that not everyone leaves their machines on all the time. And even the machines that are on all the time don't always keep the same IP address. Comcast seemed to change my IP address every month.

        Somehow, somewhere, the new code has to be uploaded to the zombies. New spam messages. New address to send the spam to. Patches to the zombie code. No matter how you phrase it, t

        • by c6gunner (950153)

          > Let's use this botnet as an example. 250,000 zombies. What is the likelihood of finding another zombie with random scanning?

          Yah, I know! Although we're really going to be in trouble if someone figures out a way to store IP addresses in some sort of file. Why, if that were to happen, they might even be able to pass the IP lists from one computer to another! I hope that nobody ever comes up with something like that ....

          • > Yah, I know! Although we're really going to be in trouble if someone figures out a way to store IP addresses in some sort of file. Why, if that were to happen, they might even be able to pass the IP lists from one computer to another!

            Given that the majority of zombies are on home ISP networks (such as Comcast), all it would take to defeat would be for Comcast and others to rotate the IP addresses by 1 whenever the zombie traffic becomes problematic.

            So the list of IP addresses becomes useless and the zombie

            • by c6gunner (950153)

              > Given that the majority of zombies are on home ISP networks (such as Comcast), all it would take to defeat would be for Comcast and others to rotate the IP addresses by 1 whenever the zombie traffic becomes problematic.

              Yuhuh. So since most guns are owned by law-abiding citizens, all it would take to stop murder-by-shooting is to make it illegal, right?

              I'm not trying to be a smartass ... actually, yeah, I am, but seriously ... even if 99% of bots were on Comcast, and even if you could rotate all 99% of addresses all at once ... that still leaves 2,500 bots out there whose addresses will remain the same. The botnet could restructure itself in a matter of hours.

            • How does that work when IPV6 becomes the reality?
        • by rdebath (884132)

          A p2p communication could be done in about 20 minutes to 250,000 machines without a full list. It's the same problem as an initial 'flash worm' infection except the botherder is the only person who can send out a valid update because of the worm's use of public keys. This assumes you know of a couple of thousand machines to start the update, if you only know of one it will take a bit longer to find those first thousand.

          See Warhol worm [wikipedia.org]

      • It's been discussed since 2002, with the curious yellow whitepaper [blanu.net]. As discussed there it can actually be more efficient in some ways than a centralized worm.
    • Then we are all truly fucked.

      Or alternatively the internet becomes a whole lot more fun as we learn to take control of parts of the botnet by hijacking these p2p links.

    • Re: (Score:2, Insightful)

      by mysidia (191772)

      I think it's so hard to develop good peer-to-peer network structure that it might not happen.

      There aren't that many truly peer-to-peer networks that have ever succeeded.

      I'd say the Internet itself, but even the Internet has to have DNS...

      Something central has to give you a starting point, at least.

      I've yet to see any peer to peer network technologies that don't require a "seed list" of some central nodes to initially connect to the network.

  • Only the really strong, and the ones that managed to evolve will survive. And without the competition of the "weak" ones, they will prevail, leaving you with no tool to get rid of them. Darwin has precedence over Moore.
    • by TubeSteak (669689)

      > Only the really strong, and the ones that managed to evolve will survive. And without the competition of the "weak" ones, they will prevail, leaving you with no tool to get rid of them. Darwin has precedence over Moore.

      The only problem with your analogy is that, generally speaking, the good guys own the middleground.
      We may not control the hardware that is getting botted, but we do control the DNS and we do control the ISPs.
      The blackhats have no choice but to go through hardware we control in order to reach their target.
      It's just a matter of marshalling the resources we have in order to close down (domestic) botnets.
      Unfortunately, it'll still be just a game of whack-a-mole until all versions of Windows in use have robust se

      • > until all versions of Windows in use have robust security

        That's from some verse in the Book of Revelation, isn't it?

    • by PRMan (959735)
      The most intelligent design will prevail...
      • by gmuslera (3436)
        Define intelligent. Sometimes brute force is the only viable design, sometimes the ingenious approach is the successful one. The smartest way is also the dumbest one in a lot of cases.
    • by taustin (171655)

      Are you referring to the criminals running the botnets, or to the crusaders who combat them? Because if your evolutionary pressure applies to one, it certainly must apply to the other.

      • by gmuslera (3436)
        You can enhance the crusader, till it starts having undesirable side effects. Taking away internet freedom and privacy and doing full inspection of everything could end with botnets, but probably no one wants that.
    • We have a limited number of effective antibiotics. Once a bacteria is immune to an antibiotic, there are fewer effective antibiotics you can treat it with, and if you can't find an effective antibiotic for the next infection, the patient dies.

      I don't know much about computer security, but you can't convince me that there are a limited number of ways to fight botnets.

      Furthermore, the way to prevent antibiotic resistance is to reserve antibiotics for when they're necessary AND use them in a way that is effec

  • shows its possible (Score:4, Interesting)

    by Gothmolly (148874) on Monday December 28, 2009 @07:05PM (#30576892)

    1 guy, in 2 weeks, trashed a botnet. Why again can't major ISPs do this? Oh wait, they're getting paid to look the other way by their colocation clients (the spammers).

    • by emilper (826945)

      yeah, right, the ISPs are greedy bastards ... now, please, tell me, how would an ISP know that one of the dedicated servers it sold, or one of the colocated servers it hosts, is a C&C server for a botnet ? Please, don't tell me they should look inside the packets, or plot traffic, destinations etc. ... that's invasion of privacy at best, industrial espionage at worst, and I would not want to host my servers with an ISP that does that on a regular basis.

      Until C&C data bounced around by botnets will

      • Re: (Score:2, Informative)

        by mysidia (191772)

        Plotting traffic, and destinations, in the aggregate is standard practice, get over it.

        Ever hear of IPFIX, NetFlow? If you send 100 gigs a day over port 25, to umpteen thousand destinations, you bet your ISP should consider looking into that, if the traffic is unusual/anomalous.

        Looking at specific packets, or capturing sessions, I think is unlikely for ISPs to do in most cases, unless nefarious activity is already strongly suspected in those packets.

        It's not realistic due to the amount of bits most IS

        • by emilper (826945)

          a C&C server won't send "100 gigs a day over port 25"; most likely it will send 100 megs a day over some random port.

          My ISP checks manually every domain registered through them or hosted on a DS or VPS: for funny names, fake street addresses etc.

          How do you define "unusual/anomalous" traffic? Like when I host an online shop, and I get a lot of traffic on the 9494 (no, it's not that port, only an example) port where I keep my jsonrpc server?

          Plotting traffic and plotting destinations is fine with me ... plo
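The aggregate flow check mysidia describes (Netflow/IPFIX summaries, many port-25 destinations from one source) and the two objections emilper raises (a C&C host is low-volume, and a legitimate service can push heavy traffic on an odd port) can both be shown with a small script. This is an added example for this thread, not code from either poster or from any ISP's tooling; the flow records are constructed, the addresses are RFC 5737 documentation ranges, and the thresholds are assumptions chosen for the sample.

```python
"""Aggregate outbound-SMTP outlier check over constructed flow records.

Added illustration: group per-flow summaries (as an IPFIX/NetFlow collector
would export them) by source host, then flag sources whose count of distinct
port-25 destinations is far above the population median. Keying on the
remote port means a busy shop on port 9494 is never considered, and a
low-volume C&C host is not what this rule looks for: it targets the
spam-sending bots, which is the traffic that actually leaves in bulk.
"""
from collections import defaultdict
from statistics import median


def constructed_flows():
    """Constructed sample records: (src_ip, dst_ip, dst_port, bytes)."""
    flows = []
    # 20 ordinary customers: mail goes through the provider relay, plus web.
    for i in range(1, 21):
        src = f"192.0.2.{i}"
        for _ in range(3):
            flows.append((src, "203.0.113.25", 25, 5_000))
        for j in range(10):
            flows.append((src, f"198.51.100.{j + 1}", 443, 40_000))
    # emilper's shop: heavy traffic to many clients on an unusual port.
    # Volume alone is not a signal; this host must not be flagged.
    for j in range(1, 251):
        flows.append(("192.0.2.200", f"198.51.100.{j}", 9494, 120_000))
    # One host talking directly to hundreds of remote MTAs on port 25,
    # the direct-to-MX pattern of a spam bot rather than a mail client.
    for j in range(1, 251):
        flows.append(("192.0.2.99", f"203.0.113.{j}", 25, 3_000))
    return flows


def aggregate_smtp(flows):
    """Per-source byte totals and distinct destinations for dst port 25."""
    per_host = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for src, dst, dport, nbytes in flows:
        if dport == 25:
            per_host[src]["bytes"] += nbytes
            per_host[src]["dsts"].add(dst)
    return per_host


def flag_smtp_outliers(per_host, min_dsts=25, factor=10):
    """Return sources whose distinct port-25 destination count exceeds both
    an absolute floor and `factor` times the population median.

    The median baseline (an assumption for this example) means a fleet where
    everyone relays through one server has a baseline of 1 destination, and a
    handful of heavy-but-normal senders do not drag that baseline upward.
    """
    counts = [len(v["dsts"]) for v in per_host.values()]
    if not counts:
        return {}
    baseline = median(counts)
    return {
        src: {"bytes": v["bytes"], "distinct_dsts": len(v["dsts"])}
        for src, v in per_host.items()
        if len(v["dsts"]) >= min_dsts and len(v["dsts"]) > factor * baseline
    }


if __name__ == "__main__":
    for src, info in flag_smtp_outliers(aggregate_smtp(constructed_flows())).items():
        print(f"{src}: {info['distinct_dsts']} distinct SMTP peers, "
              f"{info['bytes']} bytes")
```

Run as-is it reports only 192.0.2.99; the shop host never enters the port-25 aggregate, and the 20 relay users share a baseline of one destination. The absolute floor matters in practice: a tiny population (or one where most hosts send no mail at all) makes the median trivially small, so the factor alone would flag any host that happens to deliver to a few MTAs directly.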

    • Seconded.

      I used to work at an ISP with a rather...ummm...rabid...abuse administrator. The dude literally had a zero tolerance policy towards spam from our network. I saw him shut down a number of Internet customers who probably had no intention of violating our AUPs, and (IMHO, at least) had no idea why what they were doing might be frowned upon.

      Then we got a several-thousand dollar a month customer who claimed that he wanted to build a VoIP network, but either 1) did not understand anything at all

    • by owlstead (636356)

      Bollocks, a botnet costs them way more than they could deliver because of colocation. One of the things mostly hit by botnets are mail servers and many ISPs run a large set of those. What about the number of MB that these botnets generate? In the end, data capacity is not free.

  • by tjstork (137384) <todd.bandrowsky@nosPAm.gmail.com> on Monday December 28, 2009 @07:22PM (#30577018) Homepage Journal

    I'm only asking, because, as much as we hate botnets and trojans and malware, that, any sort of world capable of rapidly sniffing out and squelching "bad" content is a world that is capable of sniffing out and squelching out "any" content. Perhaps in this case, just as many of us accept some combination of deaths from gun violence, abortions, incendiary speech, and family breakdowns and other things, that come as a consequence of the misuse of freedom, might accept spam as a misuse of freedom too, rather than try and trade it all for a world that has no freedom at all.

    • What is "evil"? (Score:3, Insightful)

      by khasim (1285)

      I'm only asking, because, as much as we hate botnets and trojans and malware, that, any sort of world capable of rapidly sniffing out and squelching "bad" content is a world that is capable of sniffing out and squelching out "any" content.

      It isn't the content. It's the volume (number of messages in this case).

      You can say whatever you want. But when you start flooding mail servers with your messages, you've lost the moral high ground.

      Now as to whether blocking zombies is the same as sorting through the conten

    • Abortion is complicated, but the aspect of the other things you've mentioned, such as gun violence, which makes them evil is that they (unjustly) hurt others. The reason the possibility is allowed is that there are justified uses for these actions/tools that don't (unjustly) harm others. For example, guns: target shooting doesn't hurt anyone, and self-defense is justified. There is no aspect of spam which makes the possibility of spam acceptable. It actively harms others... and that's it.

      You're r

    • by hardburn (141468)

      In the office, every spam message that pops up has to be checked by the worker and deleted. This is a small cost for each individual message, but when you receive thousands per day (which you easily can) it all adds up to a whole lot of people-hours.

      Plus, there's the administrative and hardware cost of the extra traffic, which is a significant percentage IP traffic these days.

      • I'm surprised spam is really still an issue. I have not seen a spam message in my personal or work email accounts in at least a year.

        It all stopped once we moved our mail to google.

        • Granted, my spambox has hundreds of messages in it, but I never see them. I haven't had a false positive either.

          If no one ever sees the spam, what is the point of sending it?

  • The USOC once gave max due process to suspected drug cheats. Dopers would get off for the stupidest reasons. Now, the focus has shifted to a 'you are responsible for the content of your own body.' This has been good for sport.

    Just like a polluted athlete pollutes his sport, so does a bot pollute the internet. Suspending access is not a question of right or wrong, it is a question of ensuring the integrity of the network.

    The world will get to that place sooner or later.

  • by PPH (736903) on Monday December 28, 2009 @08:58PM (#30577746)

    ... botnet sends android back in time to kill researcher's mother.

  • I wonder if fines could be an effective solution to botnets. Certainly the only way to treat the problem is to make people responsible for what their computers are up to. If people were held accountable for spam sent from their machines and were fined appropriately they may be more inclined to watch what ends up on their machines.

    Of course, there's a theme among the non-"tech-savvy" public to utterly refuse to understand how the technology they use works. Fines on bots would likely be a boon for virus scan
