Creators of Massive Botnet Arrested
DigitumDei writes "Dutch police has nabbed 3 men (aged 19, 22 and 27) who allegedly used the toxbot trojan to create a botnet of over 100000 machines. The trio conducted a DDOS attack against an unnamed US company in an extortion attempt, as well as using phishing tactics to hijack PayPal and eBay accounts.
From the article: 'Police seized computers, cash, a sports car, and bank accounts at the three men's residences, and additional arrests are expected. The three were to be taken before a magistrate in Breda, a city approximately 25 miles south of Rotterdam, on Friday.
The botnet was dismantled, prosecutors said, with help from the Dutch National High Tech Crime Center; GOVCERT.NL, the Netherlands' Computer Emergency Response Team; and several Internet service providers, including the Amsterdam-based XS4ALL.'"
Extortion? (Score:5, Funny)
/Godfather music in background
Re:Extortion? (Score:2, Funny)
Maybe if they put all those computers together to type up story submissions, occasionally I wouldn't have to see one with a glaring grammatical error in the first three words.
Re:Extortion? (Score:2)
Re:glaring grammatical error (Score:3, Funny)
Blushing profusely right now; amazing how previewing twice just meant I read "has" as "have" in my mind twice.
Re:glaring grammatical error (Score:3, Informative)
Re:glaring grammatical error (Score:2, Insightful)
That being said, you're probably right. The most common mistake people make in foreign languages is subject/verb agreement.
Re:Extortion? (Score:3, Insightful)
Re:Extortion? (Score:5, Insightful)
You greatly underestimate the trouble an extremely large DDOS network can cause via sheer packet volume. It might make you reboot your server or pay more in bandwidth for the month? First off, the targets of these things are using pretty substantial server farms, not your Debian server you have your cat's pictures on. The servers may or may not crash, but they certainly won't handle the load. And neither will your load balancers, database servers, routers, firewalls, IDSs; the list goes on and on. Not only that, but your ISP won't handle the load either; all of their stuff starts to break. And depending on how far down the food chain you are, maybe your ISP's ISP. All the way up to the tier 1, who can handle it but certainly doesn't want to.
The short answer is: even if all of your technology works flawlessly and isn't crashing left and right (which it most certainly will be), you've never bought a pipe nearly big enough to handle the traffic you're getting, so your real customers' traffic is taking forever or just getting dropped on the floor. After 6-24 hours of your DDOS problems impacting all their other customers, your ISP gets their providers to null route your IP space, putting you in the dead calm of the eye of the storm. Everything works again now, except your customers can't reach you. If you measure your earnings based on people connecting to your shop or services, that is obviously a very big deal.
If you fight, the fight is going to be very tough. First you need a sympathetic ISP that will let you fight and help you fight; that probably isn't your existing ISP, and ones that will are in short supply. Basically a tier 1 or major colos that are very undersold, so they have the bandwidth to burn without taking out the rest of their customers. Next you need someone who understands what needs to be done, and fast, and will work around the clock to do it. Realistically you're probably looking at maybe hundreds of people total in the US that have a very strong background in such things and would be available, and maybe dozens of people that have actual direct experience (on that scale). They will obviously cost money. So will building a completely brand new intelligent filtering network overnight, in addition to the hardware costs of the new boxes and the connection costs for the new ISP; this isn't off-the-shelf software either, at least probably not.
Maybe you can start seeing why it's a bit more of a big deal than maybe rebooting your software - why people choose to pay - and that's why it's profitable.
Re:Extortion? (Score:2, Informative)
Re: (Score:2)
a botnet of over 100000 machines (Score:5, Funny)
Re:a botnet of over 100000 machines (Score:5, Informative)
Comment removed (Score:5, Funny)
Re:a botnet of over 100000 machines (Score:2)
=Smidge=
Re:a botnet of over 100000 machines (Score:2)
Re:a botnet of over 100000 machines (Score:5, Funny)
No no no no no. How many times do we have to tell you?
1MegaBot == 1024*1024 bots.
Damned marketing bots.
Re:a botnet of over 100000 machines (Score:5, Funny)
1MegaBot == 1024*1024 bots.
No!! You're talking about a MebiBot!
Re:Ah so. (Score:2)
It means 2^20 bytes or 10^6 bytes. Neither definition is wrong, although 2^20 is inconsistent with SI. Mebi- is not ambiguous, mega- is, is the point.
Damn. (Score:3, Informative)
Re:Damn. (Score:2)
Re:a botnet of over 100000 machines (Score:2)
Wow. (Score:5, Funny)
mmm (Score:5, Funny)
Re:mmm (Score:2)
Pay me money or I'll submit a story to slashdot about your company every day.
Of course, this shouldn't scare you because of all the stories I've submitted to slashdot in the past (11-15) none were ever approved ;-) But as long as I don't tell you that I'm ok, right?
Good! (Score:5, Insightful)
This will also give them pause when hiring former hackers. They might think "Is this guy going to give extortionists inside info?"
On the other hand, security folks may have a budget windfall thrown their way. Considering: "Each time the Trojan was stopped by anti-virus defenses, they made a new version," he said. "This was not just a one-off. The sheer number of variants shows this wasn't a crime they committed just once." Those security people had better get to it.
Comment removed (Score:5, Informative)
Re:Good! (Score:2, Insightful)
Each person doing that is unwittingly taking part in the DOS attack.
If you think the Slashdot effect is bad, think about Slashdot AND routers/Yahoo/NYT/humble news sites all ganging up on one site.
This is how Google went down recently, not because of the worm's activity, but because of people's curiosity.
Sure, the worm had
Re:Good! (Score:2)
And when did google go down recently? Are you talking about the RSS reader Beta from last week? That did not affect any other google service at all. In the least.
Your post is short on supporting details.
Re:Good! (Score:2)
Agree 100%!! Things like this are black eyes in technology, and especially in areas where they're still transitioning. And considering how many people/companies/schools hold back from the cost of technology alone, we really didn't need problems like this lingering any longer. Very glad to see these guys apprehended.
About time (Score:5, Funny)
Re:About time (Score:5, Funny)
Re:About time (Score:2, Funny)
Why? (Score:5, Funny)
It seems a little harsh to get arrested for only infecting 32 machines.....
Re:Why? (Score:5, Funny)
Related concepts: the batnet and the butnet.
And then, there's also the botnut (three of which got arrested), the bitnut (such as yourself), the butnut (erm...), the botknit (a network of 100000 computers strung together by my grandma), the botNAT, and the bitenight (Buffy the movie).
Re:Why? (Score:3, Funny)
It seems a little harsh to get arrested for only infecting 32 machines.....
Ha!
Judging from the replies, there's only 10 types of people who understood the post.
Those who got the joke and those who didn't.*
*-Shamelessly ripped off a ThinkGeek T-Shirt...
Crime is organized (Score:2)
My hat's off to them that they nabbed 3 guys, but there must be other botnets out there. And I think an effective way to stop it would be at the user level. It would be like taking away all the soil and water from coca farmers. Sure, have your plants, but can you grow them?
Disclaimer: I am not equating botnets to drugs.
Re:stop it at the user level (Score:2)
*Namely windows computers.
How do you dismantle a botnet? (Score:5, Interesting)
Unless you use the trojan to patch the system of course, but that would be illegal.
Notify the users (Score:2)
How? (Score:2)
You could send email, but that would be dropped by white lists, spam filters, and human rejection of email from strangers.
You could pop up an alert, but most people would just close it as more spamming.
Re:How? (Score:2)
Re:How? (Score:2)
Yes, that sounds like a workable solution
RE: How to dismantle a botnet!! (Score:5, Interesting)
As an IRC admin for a few years, I saw many botnet channels. The botnet masters enjoy putting their bots on IRC (on a secret channel) because it's a third party who provides the communication support, IRC is a good message demultiplexer, and they think it's safe since they only log on to IRC with a proxy.
They can identify themselves with a given bot by going private (PRIVMSG
The bots had random nicks, so we just put a bot of ours with a random nick in the channel, logged everything and then got the login/pass (I guess in this case the Dutch police had the login/pass pair from the PCs they seized). Then we looked up the bot version and looked on the web for its commands (usually the bot masters are script kiddies who just build the bot from an "automatic" builder they download from the web; they wouldn't even build from the sources).
All of the bots I encountered had attack commands et al., but also a clean removal command. That's what we used.
Now I don't know about the bot in this story, but most likely the botnet masters HAD a means to contact them all (now, is it IRC-like with a big channel, or distributed among the bots à la DNS, I don't know... But even if the removal command isn't there, there's still a way to tell the bot to execute a given binary it downloads from a given URL).
And I don't think that would really be illegal; remember, the PC owners rarely know they are infected or don't care. They won't know or won't care either if someone removes the bot for them. And if they say something, just sue them, since it means they were knowingly part of the attack.
Anyway, I hope we can shut down more of these networks (and MS should pay for their dismantling since nearly all zombie networks are running Windows).
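A defender-side illustration of the pattern the post describes (bots with random nicks parked silently in a channel, a single operator talking to them), added here as an example and not the poster's own code: a heuristic that scans constructed IRC server log lines and flags a channel where a burst of random-looking, never-speaking nicks joins within a short window. The log format, thresholds and sample nicks are assumptions.

```python
"""Heuristic detection of an IRC botnet command channel from server logs.

A channel is flagged when a burst of clients with random-looking nicks
joins it within a short window and none of those clients ever speaks,
which is how bots parked in a C&C channel behave (only the operator talks).
"""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (assumed format, not taken from the article):
# "<date> <time> <EVENT> <channel> <nick> [<text>]"
SAMPLE_LOG = """\
2005-10-07 21:00:01 JOIN #linux alice
2005-10-07 21:00:04 JOIN #linux bob
2005-10-07 21:00:09 PRIVMSG #linux alice hi all
2005-10-07 21:00:20 PRIVMSG #linux bob hey
2005-10-07 21:01:00 JOIN #a7f3 xQ9kzR2m
2005-10-07 21:01:02 JOIN #a7f3 Lp4Vw8ys
2005-10-07 21:01:03 JOIN #a7f3 Zt7Bq1hn
2005-10-07 21:01:05 JOIN #a7f3 Gk2Jw5rv
2005-10-07 21:01:07 JOIN #a7f3 Rm8Xc3dq
2005-10-07 21:01:40 JOIN #a7f3 op
2005-10-07 21:01:45 PRIVMSG #a7f3 op .login secret
"""

LINE_RE = re.compile(r"^(\S+ \S+) (JOIN|PRIVMSG) (#\S+) (\S+)(?: (.*))?$")


def nick_entropy(nick: str) -> float:
    """Shannon entropy in bits per character; generated nicks score high."""
    counts = defaultdict(int)
    for ch in nick:
        counts[ch] += 1
    n = len(nick)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(nick: str) -> bool:
    """Random-looking nick: 8+ alphanumerics, mixed case, digits, high entropy."""
    return (len(nick) >= 8 and nick.isalnum()
            and any(c.isdigit() for c in nick)
            and any(c.islower() for c in nick) and any(c.isupper() for c in nick)
            and nick_entropy(nick) >= 2.5)


def parse(log_text: str):
    """Yield (timestamp, event, channel, nick, text) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4), m.group(5) or ""


def suspicious_channels(log_text, min_joins=5, window_s=60, random_ratio=0.8):
    """Return {channel: stats} for channels with a burst of silent random nicks."""
    joins = defaultdict(list)    # channel -> [(timestamp, nick)]
    speakers = defaultdict(set)  # channel -> nicks that sent a PRIVMSG
    for ts, event, chan, nick, _ in parse(log_text):
        if event == "JOIN":
            joins[chan].append((ts, nick))
        else:
            speakers[chan].add(nick)
    flagged = {}
    for chan, events in joins.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Sliding window of joins starting at this event.
            burst = [n for t, n in events[i:] if (t - t0).total_seconds() <= window_s]
            if len(burst) < min_joins:
                continue
            random_nicks = [n for n in burst if looks_random(n)]
            silent = [n for n in random_nicks if n not in speakers[chan]]
            if len(random_nicks) / len(burst) >= random_ratio and len(silent) == len(random_nicks):
                flagged[chan] = {"joins": len(burst), "random": len(random_nicks),
                                 "speakers": sorted(speakers[chan])}
                break
    return flagged
```

On the constructed log, #linux (two chatty humans) passes while #a7f3 is flagged with five silent random nicks and a single speaker, "op".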
Sure, this will solve the problem... (Score:5, Insightful)
I wonder what it would take to convince the world that these unsecured machines are an actual security threat, rather than an annoyance?
Re:Sure, this will solve the problem... (Score:2)
You got it.
Now we should stop arresting burglars and muggers, because that would only teach them to never attempt crime without being backed by the mob, right?
Re:Sure, this will solve the problem... (Score:2)
No, but we should encourage people not to leave their wallets lying around where anyone can take them. Dollar for dollar that's going to be a lot more effective than a doomed enforcement policy that ultimately has no effect on crime rates. In fact, this is one of those problems where if we deal with the root causes now, we could actually reduce the number
What a great idea... (Score:5, Insightful)
The botnet was dismantled, prosecutors said, with help from...
Why didn't I think of that! That's 100,000 lusers that won't be getting infected again soon, unless they learn enough to reassemble their boxen, by which point...*sigh* What am I thinking? They'll probably just buy new systems and throw the piles of parts out. They'll be back on bot nets by this weekend.
What they need to do is dismantal the owners!
--MarkusQ
Re:What a great idea... (Score:2, Funny)
Re:What a great idea... (Score:2)
Did you mean dismantle ?
Or dismental ?
Both seem rather apt
Responsible net use (Score:2)
What are you going to say about yourself when your machine is zombied by someone that finds a hack that you and your antivirus company don't know about yet?
Re:Responsible net use (Score:2)
You might say that the manufactures of the systems have fallen down on the job in provi
And, eventually, they got caught... (Score:2)
What kind of computers? How much cash? What kind of car? What were the residences like?
Come on, we need better details for the upcoming movie & tv special.
These guys had to know they were going to get busted, someone probably was bragging about h
Re:And, eventually, they got caught... (Score:2, Funny)
Environmental problem (Score:3, Funny)
Re:Environmental problem (Score:2, Insightful)
Onepoint
p.s. In thinking about this, I find that most likely it would be illegal
Limited time (Score:5, Interesting)
I foresee the day when botnets are a thing of the past. While I admit that currently most police forces couldn't catch a virus by opening infected email, things seem to be changing.
The scale of setting up a useful botnet is such that there are thousands of tiny ways that you could screw up and leave a dirty great big flag pointing out your location / identity. Even the most carefully created botnet will contain some useful information to track down its owner. In fact the very nature of the beast means that at some point you will have to contact it, which potentially gives away your location. OK, you can run through proxies and use other methods to hide your identity, but it only takes one slip up which someone technical is watching. Of course you also have the problem of collecting your payments. While you might be able to hide in the online world, hiding from the banking world is much harder. At some point you have to collect your money.
All in all I think it would be easier to just go into kidnapping or drug dealing. The profit margin has got to be higher.
Re:Limited time (Score:2)
Re:Limited time (Score:2)
When Internet standards change to the point where every machine attached has an un-spoofable address then DDOS attacks will disappear. Try setting up a radio jammer to block 802.11x transmissio
Re:Limited time (Score:2)
The analogy of evolution certainly works but evolution can't find a solution to every problem. Take for example the deserts. Yes, there is life in even the most arid desert but there isn't much of it. If we end up with a network that is the equivalent of a desert for crackers there will be very few of them. I doubt that there are many animals adapting to live in the desert because it's already supporting as many animals as it can.
To use an example a bit closer to the situation we are talking about think a
Re:Limited time (Score:5, Interesting)
Re:Limited time (Score:2)
Some good points. I disagree with the zero physical risk part; you're forgetting that skinny white boys in prison don't do so well ;o).
Anyway, it's a little different on this side of the pond - people don't get killed quite so often by the police (unless they are Brazilian of course) and the punishment for kidnapping is fairly low as long as you don't harm the captive. I would guess you would only get 10 years tops for a first offence. If you can get enough money from it it might be worth it.
Of course th
Better the Devil you know (Score:2)
Who is this XS4ALL? (Score:5, Insightful)
Phillip.
Re:Who is this XS4ALL? (Score:5, Insightful)
Strong ties with Bits of Freedom [www.bof.nl] (our version of the EFF), best Dutch ISP year after year, support for *nix systems, frequent new experimental services. Only pain is that they're also one of the more expensive ISPs. You get what you pay for, and with XS4ALL they give you the works.
(for the record, I'm a long-time customer so I am rather biased. But these guys aren't your average ISP)
Re:Who is this XS4ALL? (Score:3, Informative)
This (ad at the bottom of the page) [hacktic.nl] is where XS4ALL started. They were basically the first public ISP in the Netherlands (though I am not entirely sure; 'stichting Simplex' was there at around the same time from what I recall)
Demon and XS4ALL definitely have things in common, but I think that has more to do with both having started in the very early days of public internet access, and still believing that they connect computers to a big network (as opposed to the content foc
Mistake in headline (Score:2)
Darn (Score:2)
Suddenly, the botnet ads are gone (Score:3, Interesting)
So there's been some effect. The spammers are becoming afraid. Not very afraid. Yet. But afraid. It's becoming hard to spam without committing multiple felonies. Those felonies are leading to a few arrests and jail sentences. Not many, but enough to scare off many spammers. The remaining spammers look more and more like traditional crooks.
There's plenty of stuff on SpecialHam for law enforcement to go after. "Special Hurricane Katrina Promotions". "Offshore bank accounts for sale". Anyone active against spam should be looking there.
they were legitimate bankers! (Score:2)
I want to know whose bank accounts they seized.
The botnet was dismantled, prosecutors said... (Score:2)
Er, wouldn't that involve uninstalling the bots from the computers of 100,000 clueless people?
Reminds me of the sequel-ready ending to a cheesy horror flick.
I caught one, once (Score:2)
Turns out:
1) It was a script that infected a vulnerability in a well-known image manipulation system written in perl CGI.
2) User never got root, and didn't seem to care.
3) System was participating in a botnet of about 200 systems, (if I remember this correctly) all managed via an IRC chat.
4) All the exploits were downloaded from a web server located somewhere in Brazil. Telnets that happened were also from another
The New Yorker: Zombie Hunters (Score:3, Interesting)
http://www.newyorker.com/fact/content/articles/05
Re:If only i had my own 100k computer matrix... (Score:4, Insightful)
Re:If only i had my own 100k computer matrix... (Score:3, Informative)
Because bidding on an item calls attention to it. If bidding activity on an item is fierce and heavy, sniping has no benefit. But imagine a situation where you are vying for an item with only one other person. You do not want to set your maximum bid right away, because the other guy's valuation of the item is probably similar to yours -- he'll bid up right away. The other person, of course,
Re:If only i had my own 100k computer matrix... (Score:2)
I think any strategy which achieves results is a legitimate one. Unfortunately it's hard to do a controlled test to see whether closing prices on the average are higher or lower in a system which allows sniping. It depends on the makeup of the bidding crowd, for sure.
esnipe! (Score:2)
If everybody would learn to bid properly there'd be no need for a sniping service.
Re:Good, but... (Score:5, Interesting)
Most police "cybercrime" units are still very underfunded.
Re:Good, but... (Score:2)
I think this is due to the fact that cybercrime is still pretty new, compared to other criminal means.
Most people in charge of police departments and people (often politicians) in charge of budget allocations are older and aren't used to dealing with cybercrime.
Once cybercrime goes past the critical boiling point, I predict a huge swing of the enforcement pendulum.
It wont be necessarily pleasant for everyone, especially people who enjoy their current
Re:Good, but... (Score:2)
Re:Good, but... (Score:2)
Re:Good, but... (Score:2, Funny)
Ah, I see you have never visited Detroit.
Re:Good, but... (Score:5, Insightful)
The government said themselves that making file sharing a criminal offence just turns a large portion of the population into criminals for no real benefit. This is similar to the drugs policy. From Wikipedia [wikipedia.org]:
So no, the government tends to go after real criminals, rather than waste time on teenagers with too much free time.
Re:Good, but... (Score:3, Funny)
Re:Good, but... (Score:2, Insightful)
Re: (Score:2)
Re:So stupid... (Score:2)
Instead of thinking they are not good enough they think they are simply smarter and more important than anyone else.
I would guess they never dreamed they would be caught.
Re:25 miles south of Rotterdam? (Score:5, Insightful)
Re:25 miles south of Rotterdam? (Score:2, Informative)
Re:25 miles south of Rotterdam? (Score:2)
The correct unit to use when explaining the size of countries is the size of Wales [simonkelk.co.uk]
Re:Honestly curious... (Score:2)
From what I've heard, most American units are the same size as ours, except that their pints are smaller. That's because we drink beer by the pint, and we're thirstier than they are.
Re:25 miles south of Rotterdam? (Score:3, Funny)
It's more like 240 * Holland = Canada.
Re:25 miles south of Rotterdam? (Score:3, Funny)
Rotterdamn... that sounds vaguely familiar... Oh yeah, now I remember, it was one of my options for music in Ridge Racer for PlayStation.
As to not be marked off-topic, the question really becomes not what to do with those behind the botnet, but what to do with the botnet itself. One could patch the entire network via the use of the very trojan that created it (which we know is illegal), but I think this might be a good change to get some extr
Re:Let the punishment fit the crime (Score:3, Insightful)
Re:Let the punishment fit the crime (Score:3, Insightful)
Like amputating a hand after stealing, very scary but does it actually make crime rates go down?
If one isn't afraid of getting caught the sentence doesn't matter.
Re:Let the punishment fit the crime (Score:2)
However, harsh penalties probably do reduce the recidivism [wikipedia.org] rate, which would have some effect on the overall crime rate. A one-handed thief will probably not be as effective as a two-handed thief. An executed murderer is not likely to kill anyone else a
Re:Let the punishment fit the crime (Score:2)
Re:Let the punishment fit the crime (Score:2)
Linux not being used enough? (Score:2, Interesting)
Are Linux boxes invulnerable? Is the gauntlet being thrown at our feet? (lol)
I'm happy they did get nabbed though. There are plenty of fun things to do in life instead of extortion.
Re:Why Europe? (Score:2)
Try to DDOS one of those mafia-owned gambling sites from an IP address in Jersey and see what happens to ya... much safer to have a big ocean in the way.
Re:Awesome, Totally Awesome! (Score:2)
It has happened before that gangs of computer criminals were arrested and then later let go because of "lack of evidence".
(e.g. it was proven that the offense was made via an internet connection in a certain house, the inhabitants were arrested, but there was no way to prove that those inhabitants, and which of them, made the offense)