Forgot your password?
typodupeerror
Botnet Microsoft IT

Microsoft: No Botnet Is Indestructible 245

Posted by timothy
from the when-st-peter-calls-us-all-out dept.
CWmike writes "No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said Tuesday, countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically. Nothing is impossible. That's a pretty high standard.' Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in take-downs of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated. 'To say that it can't be done underestimates the ability of the good guys,' Boscovich said. 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"
This discussion has been archived. No new comments can be posted.

Microsoft: No Botnet Is Indestructible

Comments Filter:
  • by phantomfive (622387) on Friday July 08, 2011 @02:54AM (#36691542) Journal
    Alternate title:
    "Microsoft Says: My Botnet is Bigger Than Yours"
    • by monkyyy (1901940)

      well i do believe everyone who uses linux has a duty to dismantle the mircosoft botnet

      after all it isnt indestructible

    • by Anonymous Coward on Friday July 08, 2011 @03:21AM (#36691662)

      I could root you, but i'd have to charge.

    • MicroSoft: A networked system with no vulnerabilities is inconceivable!

      The sad truth: it's actually quite conceivable that with decentralized C&C and proper crypto that there are no central vulnerabilities and the only way to clean up the mess is by hunting down nodes one at a time, or possibly one ISP at a time. I'm eager to hear MS's "legally and technically creative" way to take that on.

      • by drinkypoo (153816)

        I'm eager to hear MS's "legally and technically creative" way to take that on.

        they can use the many security holes and back doors they know about in Windows, of course.

  • While I believe that it's quite easy to remove individual nodes of the 'indestructible' botnet, I can't see a good way it could really be shut down other than by wiping it out node by node. And that's a losing strategy for the 'good guys'.

    So, while I agree in principle that the word 'indestructible' is pretty strong, and likely not actually the case, that theoretical fact is useless without a concrete strategy for defeating it.

    • What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.
      • by Jah-Wren Ryel (80510) on Friday July 08, 2011 @03:31AM (#36691720)

        What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

        The proof's in the pudding. Until they actually do take it down, its all just trash talk.

        It doesn't help that its a lawyer doing the trash talking either, it seems all too common for people with law-centric world views to be completely out of sync with a world that operates on the principles of physics.

        • by artor3 (1344997) on Friday July 08, 2011 @03:54AM (#36691822)

          Personally, I think that the fact that it's coming from a lawyer makes it more convincing (and frightening). Note that he's saying you need to get legally creative. That sounds like not-so-subtle code for no-knock raids and extraordinary rendition. I don't care how well written your malware is. It's not gonna help you one bit if when a multibillion dollar corporation convinces the Russian police to disappear you and your buddies.

          • Botnet shuts-down You!

            But seriously, this is scary stuff. I like the idea of a big IT house using the best and brightest to shut-down malware, but who decides what malware is? How are they making money from this?

            -Matt

            • by bkaul01 (619795)

              How are they making money from this?

              Indirectly, as it affects their flagship product's reputation for security. If botnets spread unchecked, with most targeting Windows machines almost exclusively, that looks bad for Windows' reputation (even if it's due to moronic users who could manage to infect any given system). Declaring war on the botnets and actively taking them down both helps avoid negative reputation issues for Windows, and build Microsoft's reputation as a company that does the right thing for security, which is especially importan

          • The thing is you can't realistically go doing no-knock raids on every node in a significant botnet and without a huge level of network monitoring across the globe it's virtually impossible to figure out where a message was initially injected into the network.

            So it would appear to me that taking down a competently designed (communication by broadcast messages signed using public key crypto) botnet would be practically impossible.

            • by Zironic (1112127)

              The thing is, even if your botnet is written perfectly. Are you perfect? Have you never told -anyone- about your malware and where you live? Are you -completely- sure that no one is monitoring your proxy?

              It's really hard to answer yes to all of those questions, and that's why microsoft can be successful when they have the resources to throw around that they do.

          • by Geminii (954348)

            Which is why you write your botnet clients and infrastructure as if they were created by a coalition of the US government, Microsoft, the RIAA, 4chan, Anonymous, fifteen televangelists, and Steve Jobs.

            Then, while it's wreaking havoc and distracting all the wannabe reverse engineers, you steal their socks.

        • by Creepy (93888)

          Still, I think they're right - if you can find a control node of some kind, you should be able to shut down any botnet. Botnets are (nearly?) always set up to execute arbitrary code (I don't know of any that aren't) - in fact, most inject more malware while they operate, so injecting a self destruct that plugs whatever security hole(s) the botnet was exploiting should theoretically shut down the net, but it won't remove the malware, which may reinstall a botnet - it may need to be a 2-tier injection - one t

      • Who knows, maybe they are.

        Please can I have one of your flying pigs.

      • by Nikker (749551)
        What difference does it make both operate using the same tool set. Microsoft sends out updates via untrusted networks to verify system files and attempts to rectify compromised files. Bot-nets will get you through security issues, 0-day attacks and click happy users.

        Neither of them will win.
      • by 1s44c (552956)

        What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

        If Microsoft were better than the botnet people the botnets would not exist in the first place.

      • This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

        Are you saying Microsoft is going exploit an un-patched security hole in Windows and infect the infected computers with the antidote? Hmm ...

        Balmer: I've got your antidote right here, and that antidote is more cowbell! [youtube.com]

      • by mark-t (151149)

        First of all, they used the term "virtually indestructable", as opposed to claiming it was wholly or literally indestructable.

        Second of all, Microsoft is certainly free to prove them wrong.

        My money would be on Microsoft not being willing to spend the time or the resources to make a significant difference... which means that their "throwing down the gauntlet" as it were is just so much hot air.

    • by wvmarle (1070040)

      Indeed, in this case I have to agree fully with Microsoft. That doesn't happen so often.

      Of course no botnet is indestructible. Nothing is indestructible. Microsoft themselves are not indestructible, our planet is not indestructible. They're just really strong. Same accounts apparently for this new botnet. It's strong: hides itself really well, uses decentralised command and control, etc. Probably it doesn't even incorporate all weapons botnet makers have at their disposal, and their arsenal is growing. Lik

      • by Angostura (703910)

        Not only that. I find myself in full agreement with a Microsoft lawyer. Oh what a world!

      • by scdeimos (632778)

        Probably it doesn't even incorporate all weapons botnet makers have at their disposal, and their arsenal is growing. Like the arsenal of the anti-malware makers as well, of course.

        True, but anti-malware makers are always going to be behind the eight-ball for two reasons: (1) they will always be reactionary, and (2) they can't break a computer to "save it" whereas the malware makers don't mind a few casualties.

        • by amn108 (1231606)

          Let's hope then that in time, users will understand that the only thing that will save them from one botnet is ... another, hopefully legitimate botnet operated by the good guys.

          Begun the botnet war has.

      • by digitig (1056110)
        Oh, what Microsoft said was right -- just irrelevant. The claim wasn't that the botnet was indestructible, it's that it was practically indestructible. That word makes a lot of difference.
      • by Lennie (16154)

        Is the Internet indestructible ? Or the planet ?

        Well, in a way yes.

        Because you'd need a pretty big disaster to destroy the earth.

        And if there is no planet, who cares ? I mean we'll probably not survive either.

        Anything which can 'destroy' the Internet is probably so big an advancement in technology that the Internet became useless or the above mentioned disaster and then not much survived either.

        So if the solution is to create a version of Windows which doesn't allow you to install any applications, kinda li

    • by Tasha26 (1613349)
      Haha, if Microsoft was a biotech, the title would read "No Cancer is Indestructible." Maybe they should learn from the past, how arrogance has cost them a lot.
      • by shentino (1139071)

        What can be done to stop cancer, and what is practical, are two separate things. And it's not all biology and chemistry, either.

        Consider also that a real cure for cancer would ruin the market for chemotherapy, among other things, and I have to ask.

        Besides lucrative one time sales, what incentive do pharmaceutical companies have to actually cure cancer? Once someone is cured, they are no longer a patient.

        • by delinear (991444)

          That's a pretty short term view. People are always patients eventually. The thing with cancer is that it often kills (relatively) quickly compared to the raft of illnesses and disabilities that plague old age. If big pharma could keep people alive for another 30 years on average (not unfeasible in the absence of cancer) they could milk them for all kinds of other ailments. And besides all that - how much do you think people would pay for that one time cure? They could pretty much make up a price, triple it

        • by Rockoon (1252108)
          ..the incentive is that if company A doesnt market the cure, then they run the risk of company B doing so first. Unless you presume unilateral collusion (either consciously or unconsciously) then you must presume that no company will hold back a cure (for very long) if they have one.

          This is the prisoners dilemma. All parties win the most as long as there is no known cure, but if someone defects and reveals the cure then only the defector wins.
        • by mark-t (151149)

          Besides lucrative one-time sales, what incentive do pharmaceutical companies have to actually cure Typhoid? Leprosy? Malaria? Tetanus? Diphtheria? What incenttve is there to offer a one-time cure when they can just lucratively siphon money from people who could suffer from the symptoms of these illnesses until they (possibly) die?

          I trust my sarcasm is evident... Smallpox has been wiped off of the planet (outside of contained samples in medical labs for study) thanks entirely to medical cures and tec

    • by 1s44c (552956)

      And that's a losing strategy for the 'good guys'.

      Microsoft? Lawyers? Botnet herders? Windows users who don't care about the imact of their lack of security?

      There are no good guys in this story.

  • Another question, does anyone know when and why Microsoft decided to start taking on hackers? Do they get something out of it?
    • Since malware is currently a Microsoft only problem there is a direct benefit to them to deal with it. Various fanboys will pretend they are unable to read the word "currently" so I'll add it again and pre-empt the crap about Apple, Linux, Solaris, Irix, AIX, BeOS, Amiga, Plan 9 or Atari being potentially vunerable sometime by saying the malware that is rampant NOW is more imporant than theoretical or historical threats.
      Taking increased measures against malware doesn't really require a lot of resources and
  • by epine (68316) on Friday July 08, 2011 @03:05AM (#36691608)

    It's not just a question of intellect if one party is on the easy side of the trap door function, and their adversary isn't.

    Given Microsoft's traditional shortcomings in mental subtlety, I'm not eager to concede they've properly thought this position through.

    Just wait until bitcoin merges with the global ad hoc network. Even Microsoft will gulp at the rental fees on a fully commissioned Death Star.

  • As long as we control the IT desktop monoculture it will be always a better investment for botnet operators in searching new holes than in hardening their botnets.

  • Oh I want to know more about these guys...lol /popcorn

  • And it is (Score:2, Insightful)

    by JustOK (667959)

    Microsoft Windows et al IS the botnet.

  • by NSN A392-99-964-5927 (1559367) on Friday July 08, 2011 @03:48AM (#36691802) Homepage

    Let me start by saying every time you boot your system on Windows 7, data is sent to Microsoft to check whether your are online and for internet connectivity.

    Now although you probably never gave it a second thought. NCSI is an active tool used by Microsoft to lead Boscovich to these comments.

    I am not sure if this has been posted on /. before however this url http://blog.superuser.com/2011/05/16/windows-7-network-awareness [superuser.com] maybe makes Boscovich feel all warm and fuzzy inside as they can do more with NCSI and cut out botnets. This can be defeated as in the URL above.

    Whilst I am on a roll, http://www.microsoft.com/industry/government/solutions/cofee/default.aspx [microsoft.com] is nothing special the commands in COFEE with some extra switches are;

    arp.exe -a
    at.exe
    autorunsc.exe
    getmac.exe
    handle.exe -a
    hostname.exe
    ipconfig.exe /all
    msinfo32.exe /report %OUTFILE%
    nbtstat.exe -n
    nbtstat.exe -A 127.0.0.1
    nbtstat.exe -S
    nbtstat.exe -c
    net.exe share
    net.exe use
    net.exe file
    net.exe user
    net.exe accounts
    net.exe view
    net.exe start
    net.exe Session
    net.exe localgroup administrators /domain
    net.exe localgroup
    net.exe localgroup administrators
    net.exe group
    netdom.exe query DC
    netstat.exe -ao
    netstat.exe -no
    openfiles.exe /query/v
    psfile.exe
    pslist.exe
    pslist.exe -t
    psloggedon.exe
    psservice.exe
    pstat.exe
    psuptime.exe
    quser.exe
    route.exe print
    sc.exe query
    sc.exe queryex
    sclist.exe
    showgrps.exe
    srvcheck \127.0.0.1
    tasklist.exe /svc
    whoami.exe

    Awww how 31337 M$

  • I suppose much like there's no 100% secure server there's no 100% invincible botnet. It's almost always easier to destroy than to create/build something.
  • by shentino (1139071)

    Botnets, like most criminal enterprises, have a distinct advantage in that the perpetrators consider themselves above the law.

    Their biggest strength is their willingness to exploit weaknesses and perform actions not available to law abiding citizens. The are not, for example, averse to hijacking PCs, hooking up with shady providers, or even flaunting international borders and strongholding in countries like Iran that are outright hostile to US interests and could actually be anywhere from indifferent to ou

  • The recent media hyperventilation over "indestructible" malware that hides in the master boot record and requires a wipe and reload of the OS to fix - who writes this stuff, and did they ask anyone who knows anything about it? Apparently not.

    :

    Oh noes; I've got a bad thing in my MBR; what shall I do? Tip: boot to command line (F8 at boot time) and a quick FDISK /MBR will take care of it. So much for that indestructible bullshit...

    • by 1s44c (552956)

      Oh noes; I've got a bad thing in my MBR; what shall I do? Tip: boot to command line (F8 at boot time) and a quick FDISK /MBR will take care of it. So much for that indestructible bullshit...

      You can't trust fdisk to do the right thing if your machine has already loaded who knows what malware. You need to boot off a clean CD.

      • by Rockoon (1252108)
        You really cant fully trust the CD either, and then on top of that there is the far worse firmware issue (both disk and bios firmware can be targeted) which really puts you up shits creek with regards to that whole trust thing.
    • Yes, you know that. But Joe Average doesn't. Any strategy aimed at defeating botnets that use rootkit techniques has to be aimed at the net itself. Fighting against individual infections is too inefficient and is a losing strategy.
  • by gweihir (88907) on Friday July 08, 2011 @05:06AM (#36692074)

    I think the meme of the "indestructible botnet" is just marketing, and people trying to make them or their research more important than it is. The sad thing is that the public seems to believe this nonsense.

    In practice, there are problems and killing a large botnet can be difficult. However, once you throw enough resources at the problem. it becomes entirely feasible.

  • 'To say that it can't be done underestimates the ability of the "good" guys,' Boscovich said.

    There, fixed that for Boscovich.

  • If the "good guys" in Redmond really were so smart, there wouldn't be botnets in the first place.

    • by Geminii (954348)

      The engineers are smart, but their intellect is being redirected towards more profitable activities.

      The managers are smart enough to direct the engineers' activities away from preventing botnets when doing so is less profitable for the managers than other things the engineers could be doing.

      The smart thing is not always the right thing, the good thing, or even the nice thing.

  • I was with him until he said "People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no'." Until then, it was an obvious "Duh", similar to saying there is no 100% secure real system. And kind of sad that he had to actually tell the media that... how far the media has fallen.

    But back to the point, the bad guys are smarter, and better than the good guys. History has proven that over and over again. Just cause you came in after the fact and cleaned up the mess doesn't m

    • by Zironic (1112127)

      Are you drunk? The fact you can destroy something someone created doesn't mean you're better or smarter. It's just a fact of life that it's easier to destroy then create.

  • Shutting down a botnet can be rather straightforward, although not necessarily easy. As far as I know, all current botnets are designed to make money for their controllers. This means that shutting them down can be done in the same manner that most organized crime organizations get shutdown, by following the money. What makes this difficult is that many botnets will cross jurisdictional boundaries, at least some of which will not be inclined to be cooperative.
  • Instead of just saying no, show us no...!!!
    Show us that it is indestructible by shutting another one down...each time they shut one down through their "special techniques" brings us closer to a spam free world.....so do it already and stop talking about it. Show us you mean business by taking down another botnet....then we can all look at M$ and think , wow...they were right....instead I read the post and thought....so what if they "SAY" no.....show me, was my first thought!!

  • Of course not. I highly doubt any of them will survive the heat death of the universe.

    I think the original article was just saying that they're highly resilient to attack damage. Which is a reasonable statement.

  • I am pretty sure that the article didn't say that it was impossible, and only that it was "practically" indestructible or something like that.

    The intent being that this would be a very tough nut to crack and that to beat it will take a lot of resources or some very smart people or both.

    In fact if he only read his own sentence before uttering another, he would have seen his mistake.

    Heck someone called the Titanic "unsinkable" and guess where its current location is? That wasn't even a "practically" unsinkabl

  • People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"

    If the good guys ever catch up with the bad guys, then the good guys have nothing more to do, because there will be no more plots to foil... until the bad guys get going again. But the bad guys never stop moving, so the good guys are always playing catch up, and so of course it looks like the bad guys are always winning.

    But really, the bad guys only win when the good guys can't play catch up anymore. And that hasn't happened. In fact, that's why the bad guys keep moving.

    Of course, we could try to pre-emp

  • The Lawyer has a point... I mean, with the botnets relying on Windows machines it is highly likely that they are destructible. It also explains why they require so many machines...

  • Microsoft has been ownin in the news lately. Still hate using Windows XP and will not ever upgrade to anything else, but still, this and what Gates said about nuclear being the only feasibly sustainable core energy source is pretty win.

    Now, do I think that Microsoft is a bit responsible for some of these botnets? Yes. And no. But I tend to take their "nothing is impossible" approach to pretty much anything I do.
  • ....countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically.

    And how is it intellectually creative to reply to the phrase "practically indestructible" with that? They said PRACTICALLY, not "COMPLETELY INDESTRUCTIBLE" or anything like that. Way to miss the important quantifier in the statement they claim to be countering.

    Reading comprehension FTW!

  • Yes, let's have a LAWYER tell us about how all botnets can be taken down. The phrase "If someone says that a botnet is indestructible, they are not being very creative legally" has got to be the goddamn funniest quote of the month! It's a botnet, not an ordinance. I don't give a damn how "legally creative" you get. You can't apply human laws as if they were universal laws of physics. Some young adult in China running a headless botnet via P2P C&C using anonymizing routers is beyond your insignifica

If money can't buy happiness, I guess you'll just have to rent it.

Working...