Botnet Security IT

Man Challenges 250,000 Strong Botnet and Succeeds

nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices; for one computer researcher, however, the change from a defensive to an offensive mentality is what ended the two-year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."
  • by Red Flayer ( 890720 ) on Monday December 28, 2009 @06:35PM (#30576612) Journal

    "Almost eradicated on 4 November 2009 as the result of community action to disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D returned on 13 November using a different collection of bots, sending between 4-5% of spam."

    So now there can be coordinated effort against the new botnet, he'll come back with new bots, community response to kill that one off...

    Fighting spammers is like fighting against a guerrilla army. Constant vigilance, swift response times, and, eventually, wholesale destruction of the people supporting the guerrillas will be necessary to win the war. Impact of spammers can be reduced by constant counter-attacks, but the only way to eliminate spam networks hosted on compromised machines is to remove compromised machines from the network (and as many compromisable machines as possible).

    The cost of this may be too high to be worth it... but if you take away someone's internet access for a while when they get hosed, then maybe they'll stop getting hosed.

  • Re:Command & Control (Score:2, Interesting)

    by bragr ( 1612015 ) on Monday December 28, 2009 @06:43PM (#30576682)
    It is, from what I read it seems that the botnet generates a random domain every hour or day to fall back on, and all they did was knock out the existing C&C and register all the fallback domains for the next 2 weeks. Surely the botnet will have taken a hit, and the information gathered will possibly help reduce the number of infections, but it wasn't shut down permanently.

    What they should have done is hijacked the botnet using the fallback domains, and either run a self destruct if there is one, or uploaded a new "version" that effects an uninstall. Of course, that would make their business, selling security appliances, less necessary.
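
Added example (editor's code, not a commenter's and not the Mega-D research): the comment above describes bots that fall back to a time-derived domain and defenders who pre-register those domains for the next two weeks. The program below uses a hypothetical date-seeded generator (a stand-in, not Mega-D's real algorithm) to enumerate the domains a sinkhole operator would need to register ahead of the bots, then scans constructed DNS query log lines to list the clients that resolved a sinkholed domain, which is the cleanup list the ISP or network owner needs. Function names, the seed value and the log format are all assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// fallbackDomain is a hypothetical date-seeded generator: one domain per UTC
// day, derived from a secret seed the bots and their operator share. It stands
// in for the "random domain every hour or day" behaviour described in the
// thread and is not Mega-D's real algorithm.
func fallbackDomain(seed string, day time.Time) string {
	h := sha256.Sum256([]byte(seed + "|" + day.UTC().Format("2006-01-02")))
	return hex.EncodeToString(h[:])[:12] + ".example"
}

// SinkholeList enumerates the domains bots will try over the next n days,
// which is exactly what a defender needs in order to register (sinkhole)
// them before the operator does.
func SinkholeList(seed string, from time.Time, n int) []string {
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, fallbackDomain(seed, from.AddDate(0, 0, i)))
	}
	return out
}

// FlagInfected reads DNS query log lines of the form "<client-ip> <qname>"
// and returns, in first-seen order, the clients that resolved a sinkholed
// domain: each one is a host still running the bot and in need of cleanup.
func FlagInfected(logLines []string, sinkholed []string) []string {
	want := make(map[string]bool, len(sinkholed))
	for _, d := range sinkholed {
		want[strings.ToLower(d)] = true
	}
	seen := map[string]bool{}
	var hits []string
	for _, line := range logLines {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue // malformed line: skip it rather than abort the scan
		}
		client, qname := f[0], strings.ToLower(strings.TrimSuffix(f[1], "."))
		if want[qname] && !seen[client] {
			seen[client] = true
			hits = append(hits, client)
		}
	}
	return hits
}

func main() {
	start := time.Date(2009, 11, 4, 0, 0, 0, 0, time.UTC) // takedown date from the thread
	list := SinkholeList("demo-seed", start, 14)          // two weeks, as in the comment
	// Constructed sample log lines, not real data.
	logs := []string{
		"10.0.0.5 " + list[0],
		"10.0.0.9 www.example",
		"10.0.0.7 " + list[3] + ".",
		"garbage",
	}
	fmt.Println("sinkholed today:", list[0])
	fmt.Println("hosts to clean:", FlagInfected(logs, list))
}
```

The design point is the one bragr makes: registering the list only buys the two weeks it covers, so the sinkhole's real value is the log of resolvers it collects, which turns into per-client remediation work rather than a permanent kill.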
  • Arms race (Score:3, Interesting)

    by Locke2005 ( 849178 ) on Monday December 28, 2009 @06:43PM (#30576686)
    Sure, cutting off botnet access to C&C machines works now, but what happens when they adopt a true peer-to-peer control structure, rather than the primitive centralized control structure they are using now?
  • Re:Command & Control (Score:1, Interesting)

    by Anonymous Coward on Monday December 28, 2009 @06:49PM (#30576748)

    Sophisticated botnets use encryption to verify that the payloads and instructions from the C&C server are genuine. Plus there's the possibility that you'd get in trouble for essentially breaking into people's computers.

  • Re:Arms race (Score:3, Interesting)

    by winkydink ( 650484 ) * <sv.dude@gmail.com> on Monday December 28, 2009 @06:49PM (#30576750) Homepage Journal

    The p2p C&C infrastructure has been talked about since at least 2005. Not much has been seen "in the wild". It has been speculated that this is because a p2p botnet infrastructure has, by its very nature, a much lower efficacy.

  • shows it's possible (Score:4, Interesting)

    by Gothmolly ( 148874 ) on Monday December 28, 2009 @07:05PM (#30576892)

    1 guy, in 2 weeks, trashed a botnet. Why again can't major ISPs do this? Oh wait, they're getting paid to look the other way by their colocation clients (the spammers).

  • by Weaselmancer ( 533834 ) on Monday December 28, 2009 @07:10PM (#30576930)

    All they did was get the DCs hosting the command and control servers to shut them down and register the spare domain names.

    Obviously this was a temporary solution.

    Yeah, it sort of seems like they could have done a better job. If they could get cooperation from the primary ISP of the main C&C controller, and they could even set up honeypots that would accept connections to count the number of computers in the botnet - why not do more than simply remove the command servers?

    Why not set up a bogus C&C server to have the botnet erase itself?

    I'm not promoting a "format c:" option here (although that would work, obviously) - but why not have the botnet destroy itself once you breach its command structure? Have the botnet pass around a binary that erases the botnet binaries from the infected PC on the next reboot, then force a reboot? The researchers certainly know enough to create such a binary. And they obviously know enough about command parsing if they can make honeypots. Why not go that extra 2% and kill the thing?

    The hard work was already done it seems. This botnet could be completely dead, not just disconnected and waiting.

  • by Requiem18th ( 742389 ) on Monday December 28, 2009 @07:49PM (#30577240)

    What illness Windows? The Windows ecosystem security is hopelessly broken.

    Lots of outdated machines won't upgrade because the upgrades are expensive, and even if they were free they might break software OR compatibility, and even if they are free and don't break compatibility, many of these systems use pirate copies of Windows and they aren't going to expose themselves to unexpected lockouts.

    No, the solution is implementing a counter-spamming initiative at the ISP level. By counter-spamming I mean spamming the spammers. NO, I don't mean naively counter-spamming their email addresses; I mean spamming their honeypot channels. There was a Thunderbird extension for this: basically they follow the links in the spam message and sign up/buy whatever they ask for, credit card numbers, friend email addresses, SSN, etc., all fake of course. Unlike the source email addresses they use to spam, they DO pay attention to information sent this way, because it is the way they make money. It's their biggest weak point; spam that and you take them out of business.

  • Signed software. (Score:3, Interesting)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday December 28, 2009 @07:55PM (#30577312)

    Have the botnet pass around a binary that erases the botnet binaries from the infected PC on the next reboot, then force a reboot?

    Because most of them depend upon digitally signed updates now. So you cannot use the zombie code to remove the zombie code unless you first have the key.

    Which makes it rather difficult.

    On the other hand ... writing a removal routine should be a LOT easier. A clean removal. Removing just the zombie code and ALL of the zombie code.

    The problem then would be getting it to run on the zombies.

    This is where the ISPs come in. It's easy enough for them to redirect all your traffic to a web page with the removal code available there. And since it is easy enough to identify the zombies, their IP addresses and their ISPs ... that should be easy, right?

    Except it would cost the ISPs some money and they won't do that unless someone forces them to spend the money. So it will take a new law requiring them to do so.
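
Added example (editor's code, not from any commenter and not Mega-D's code): both the Anonymous Coward comment above ("sophisticated botnets use encryption to verify that the payloads and instructions from the C&C server are genuine") and khasim's ("most of them depend upon digitally signed updates now, so you cannot use the zombie code to remove the zombie code unless you first have the key") describe the same mechanism. The program below models it with Ed25519 from Go's standard library: a client pins a public key at install time and accepts only payloads that verify under it, so a seized C&C domain that lacks the private key cannot push an "uninstall", and a genuine update altered in transit is rejected too. The `Update` format, function names and payload strings are assumptions; the same check is what a legitimate software updater should perform.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Update is a signed payload as an auto-updating client (a bot, but equally a
// legitimate software updater) receives it. Hypothetical format, not Mega-D's.
type Update struct {
	Payload   []byte
	Signature []byte
}

// Sign wraps payload with an Ed25519 signature made under priv.
func Sign(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// AcceptUpdate is the client-side check. The public key is pinned at install
// time, so whoever controls the C&C domain can only push code that verifies
// under the matching private key; a seized server without that key cannot.
func AcceptUpdate(pinned ed25519.PublicKey, u Update) bool {
	if len(pinned) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return false // malformed input: reject, never panic inside the verifier
	}
	return ed25519.Verify(pinned, u.Payload, u.Signature)
}

// Scenario records the three cases from the thread: a genuine update, an
// "uninstall" signed by a different key (a hijacked C&C), and a genuine
// update whose payload was altered in transit.
type Scenario struct {
	GenuineAccepted  bool
	HijackedAccepted bool
	TamperedAccepted bool
}

// RunScenario generates fresh keys for the operator and for a hypothetical
// hijacker, then runs each update through the pinned-key check.
func RunScenario() Scenario {
	operatorPub, operatorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, hijackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := Sign(operatorPriv, []byte("update v2"))
	hijacked := Sign(hijackerPriv, []byte("uninstall")) // plausible message, wrong key

	tampered := Update{Payload: append([]byte{}, genuine.Payload...), Signature: genuine.Signature}
	tampered.Payload[0] ^= 0x01 // flip one bit of an otherwise genuine update

	return Scenario{
		GenuineAccepted:  AcceptUpdate(operatorPub, genuine),
		HijackedAccepted: AcceptUpdate(operatorPub, hijacked),
		TamperedAccepted: AcceptUpdate(operatorPub, tampered),
	}
}

func main() {
	s := RunScenario()
	fmt.Printf("genuine=%v hijacked=%v tampered=%v\n",
		s.GenuineAccepted, s.HijackedAccepted, s.TamperedAccepted)
}
```

Run as written it prints `genuine=true hijacked=false tampered=false`, which is why the thread's "push a self-destruct through the fallback domains" plan fails against a signed-update design: controlling the rendezvous point is not the same as holding the signing key, and the same property is what protects a legitimate update channel from a hijacked mirror.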

  • Re:Command & Control (Score:3, Interesting)

    by c6gunner ( 950153 ) on Monday December 28, 2009 @07:58PM (#30577324) Homepage

    Which makes me all the more surprised that no one has tried.

    It's been done on a smaller scale. Back when botnets were still mostly communicating via IRC, I took down a few myself. The difference is that I didn't document the process and then blab about it to the media in order to advertise my security products/services.

  • Re:Command & Control (Score:3, Interesting)

    by c6gunner ( 950153 ) on Monday December 28, 2009 @08:03PM (#30577362) Homepage

    Legal implications aside, this is an interesting ethics question. Is it more ethical to interfere with another's property, without permission, to solve a larger problem, or is it more ethical to respect private property and privacy? Surely there are cases for both.

    I don't really see an ethical issue. If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door? Maybe some people would, but they have to be insanely rare. The only issue here is the legal one, and it's not one that can be easily resolved.

  • Re:Command & Control (Score:3, Interesting)

    by whoever57 ( 658626 ) on Monday December 28, 2009 @08:32PM (#30577528) Journal

    I don't really see an ethical issue. If someone stole your car, would you be upset if an anonymous stranger stole it back without your permission and delivered it to your door?

    What if they got into an accident and wrecked your car on the way to your house? The risk is that any bot removal might have side effects.

  • by RobertM1968 ( 951074 ) on Monday December 28, 2009 @08:39PM (#30577578) Homepage Journal

    Exactly. The only way for the US to have won in Nam would have been to destroy everything (which was humanely and politically unpalatable). The only way to win in Iraq is to turn it into a glass parking lot (which would also be humanely and politically unpalatable).

    But with spam... that may be a bit more palatable, if we can get people to accept responsibility for getting hosed.

    Since such a solution in the computer world would NOT be unpalatable, then, this is the answer...

    "Zero-Zero-Zero Destruct Zero" [wikia.com]
