Man Challenges 250,000 Strong Botnet and Succeeds
nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, the change from a defensive to an offensive mentality is what ended the two-year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."
Re:Command & Control (Score:5, Insightful)
What they should have done is hijacked the botnet using the fall back domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.
Funny you concentrate on a claimed conflict of commercial interest.
It also would have opened them up to a potentially huge legal problem. No matter how carefully coded an uninstaller, the likelihood of some number of machines having problems after being infected by a remover, when talking about .25M machines, is high. Such an action also is criminal computer intrusion in its own right.
No person in their right mind would do such a thing.
Re:Command & Control (Score:2, Insightful)
If I remember correctly, sometime in the last year, a security research team from UCSD (I think) hijacked a portion of a botnet to research the success of spam and how botnets operate. I believe that after they finished, they caused the bots under their control to self destruct, and the BBC rented a botnet for an article, both bringing up similar ethical questions.
Is Spam really that evil? (Score:3, Insightful)
I'm only asking because, as much as we hate botnets and trojans and malware, any sort of world capable of rapidly sniffing out and squelching "bad" content is a world that is capable of sniffing out and squelching "any" content. Perhaps in this case, just as many of us accept some combination of deaths from gun violence, abortions, incendiary speech, family breakdowns and other things that come as a consequence of the misuse of freedom, we might accept spam as a misuse of freedom too, rather than try to trade it all for a world that has no freedom at all.
What is "evil"? (Score:3, Insightful)
It isn't the content. It's the volume (number of messages in this case).
You can say whatever you want. But when you start flooding mail servers with your messages, you've lost the moral high ground.
Now as to whether blocking zombies is the same as sorting through the content of email messages ... if you're worried about that I recommend encryption. There are lots of forms of encryption available.
That's a rather extreme jump. So far I haven't seen anyone proposing that we surrender all of our Freedoms.
Re:Treat the illness, not the symptoms... (Score:3, Insightful)
As long as there are stupid people out there using computers which are connected to the internet, they'll find a way to get their machines pwned. Unless you're proposing the anti-botnet efforts be directed towards keeping stupid people off internet-connected computers, I don't see a viable way to "treat the illness."
Re:shows it's possible (Score:1, Insightful)
At least one professional security researcher, with the resources of a professional computer security firm spent two years studying the way a particular botnet worked. At the end of that, he and two professional security colleagues, along with however many people at various ISPs and domain registrars, worked to suppress the activities of the botnet. The continued suppression effort is planned to be handed off to a group of volunteer computer security professionals.
One guy in two weeks did not trash a botnet.
Re:Command & Control (Score:3, Insightful)
What if they got into an accident and wrecked your car on the way to your house? The risk is that any bot removal might have side effects.
That's a legal issue, not an ethical one. If someone t-bones me at an intersection tomorrow I won't think of them as an evil person, but I will hold them legally accountable.
Re:Arms race (Score:2, Insightful)
I think it's so hard to develop good peer-to-peer network structure that it might not happen.
There aren't that many truly peer-to-peer networks that have ever succeeded.
I'd say the Internet itself, but even the Internet has to have DNS...
Something central has to give you a starting point, at least.
I've yet to see any peer to peer network technologies that don't require a "seed list" of some central nodes to initially connect to the network.
Re:PR "Stuff" from Fireeye (Score:3, Insightful)
I think you miss another important aspect of this "war"... As in fighting a guerrilla army, you usually end up being on the less effective side of the conflict due to rules and regulations that one tends to be bound by, whereas a guerrilla army usually couldn't care less about the rules. Spammers do not care about breaking rules, regulations, and protocols, so they can play very dirty whenever they want (and botnets are a clear example of that). Offensive action against them is usually still bound by some rules, and thus they have a natural advantage. Spammers do not care about any collateral damage... System administrators and other people fighting the spammers usually do have to care about collateral damage.
Guerrilla Gorilla (Score:3, Insightful)
Fighting spammers is like fighting against a guerrilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerrillas will be necessary to win the war.
Is your use of "wholesale destruction" metaphorical, or do you really think guerrilla warfare works that way? Because we tried that in Vietnam, and it didn't work. Which is why U.S. counterinsurgency doctrine [army.mil] got revised to exclude the myth that you can win a guerrilla war just by killing people. You also have to change the environment on the ground so that supporting your side instead of the guerrillas is a realistic option for the general population.
Now, if the war against malware is like a guerrilla war, then it's never going to be over. There will always be some place for the other side to run and hide. We can't order other countries to not host services we don't like, if only because we don't want them to do the same to us [fas.org].
Fortunately, the analogy with guerrilla warfare only goes so far. The Internet is something people invented, not a foreign country with a complicated history and obscure customs. We can rework the thing so that the Bad Guys have a less friendly environment.
Re:PR "Stuff" from Fireeye (Score:3, Insightful)
No, a guerrilla army still has a command and control structure. While an individual botnet, or individual criminal enterprise, would have such a structure, "botnets" don't. It's more like crime fighting. Anyone could choose to commit a crime at any time. Most won't (mostly) and some will. Some criminals you will put a stop to, some you won't.
You are never going to win a war against "crime" any more than the war against "botnets". The best you can ever hope to do is raise the perception of how hard it is to create, maintain, and control botnets higher than the perceived value of doing so. The same way the cost and probability of getting caught shoplifting in a store with cameras stops a certain number of people who might otherwise shoplift.
-Steve