Microsoft's Vigilante Investigation of Zombies 341
Morgalyn writes "According to an article at Information Week, Microsoft has decided to fight zombie-launched spam in their own way. In conjunction with the FTC and consumer rights groups, Microsoft set up a clean computer and then infected it. They monitored the 'zombie' over the course of 20 days - 'In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages'. This whole operation has led to the (partial) identification of 13 different spamming groups, some of which reside in the US and may be prosecuted under the CAN-SPAM act."
Steve Ballmer on Zombies (Score:5, Funny)
Re:Steve Ballmer on Zombies (Score:5, Funny)
Gives new meaning to "I've buried them before and I'll bury them again", eh?
Re:Steve Ballmer on Zombies (Score:2, Funny)
I understand a new measure of punishment available in Washington State is to stand a man up before a wall, offer him a last cigarette, blindfold him and then have Steve Ballmer throw a chair at him.
Sounds unusual, if not cruel, to me.
Re:Steve Ballmer on Zombies (Score:4, Funny)
Re:Steve Ballmer on Zombies (Score:3, Informative)
I will give $10,000 to charity... (Score:3, Funny)
(Disclaimer: I won't really donate the money because I'm a poor college student)
Re:Steve Ballmer on Zombies (Score:4, Insightful)
Microsoft takes a pro-active step toward curbing spam, something that we universally hate, and for some reason MS is taking insult left and right.
If you're going to deride them at least do it when it's appropriate... not when they're taking a legit step toward finding a solution.
Microsoft fighting zombies? (Score:5, Funny)
Re:Microsoft fighting zombies? (Score:2)
I can imagine the costumes! (Score:5, Funny)
Costume 2: A fat guy carrying a chair, with a Google T-Shirt (and the handwritten letters above: "I'll F**ing Kill"). Obviously his secondary target would be the guy wearing costume 1.
Now the following may be off-topic, but what the heck, I got started!
Costume 3: Just put on a Bill Gates mask, and wear a Microsoft T-Shirt. And instead of "Trick or treat", you say: "End User License Agreement".
Costume 4: Disguise yourself as a Lawyer and stick the logos of BMG, Sony, Time Warner (did I miss any?) on the back. Instead of "Trick or treat", say "Court or Settlement"
Costume 5: Disguise yourself as Zombie, but instead of wearing the cardboard monitor, just put an AOL sticker on your shirt. You're an official "AOL user". Instead of moaning "brainssss" you'll say: "Me, tooooo!"
Costume 6: Disguise yourself as a monitor, and paint the front in blue.
Costume 7: Paint your face black and buy fake jewelry. Pretend you're the relative of a Nigerian prince who just died.
Oops! Forgot the scariest one! (Score:2, Funny)
In other words... (Score:5, Funny)
So they switched it on and connected it to the net?
Re:In other words... (Score:2)
So they switched it on and connected it to the net?
Yes, exactly. The article isn't especially well written.
Re:In other words... (Score:2, Troll)
Re:In other words... (Score:2, Insightful)
So can't they be fined for knowingly allowing this machine to send spam?
Re:In other words... (Score:2, Interesting)
Re:In other words... (Score:2)
Only if they allowed the spam to reach the destination.
It would be trivial to set up a non-delivering SMTP server and then transparently proxy all the emails to it.
Even if not (Score:5, Insightful)
If I'm incorrect on this, please point out the relevant part of the law.
Re:Even if not (Score:3, Insightful)
We're not talking about a positive duty to stop spam - we're talking about aiding and abetting.
If you set up a device specifically to allow spam to pass through it, and the spammer is breaking the law by sending the spam, then you're breaking the law. You know that a law is being broken, and you know that your property is being used to do it (in fact, you've made a positive step to ensure the spam is sent.)
I don't
Re:Even if not (Score:3, Interesting)
You haven't heard? All American corporations, and most others (even the ones that have been convicted of serious crimes) are now agents of the government. Ask your Congress-persons-- if you can reach them, because they're awfully busy sucking up to the corporate types in their districts. Many are out with their lobbyists, getting briefed on the new trends in how laws should be drafted, and can't come to the phone. Keep calling... someone from their office will eventually confirm it.
Re:Even if not (Score:3, Insightful)
I'd think they'd be able to more than sue. Access to entities like these zombies is a federal offense, and punishable by years in a federal penitentiary (as i
Re:Even if not (Score:2)
Bush then gives them a Medal of Freedom, since he has a few lying around. Kerry salutes them and later vilifies them.
Re:In other words... (Score:2, Insightful)
So I would presume that they had all this ok'ed ahead of time and will not be fined.
Re:In other words... (Score:4, Informative)
http://www.microsoft.com/presspass/press/2005/oct
Re:In other words... (Score:2)
-matthew
Re:In other words... (Score:3, Insightful)
Yes but sent to where? Maybe all outgoing emails from this machine were re-directed to a local dummy mail server configured to just blindly accept these mails as a function of both evidence collection and prevention of actually sending SPAM to the intended recipients.
These stories are usually light on those sorts of details.
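The non-delivering mail sink that this comment and the earlier "transparently proxy all the emails to it" comment describe, as an added example (editor's code, not the article's or Microsoft's setup). It assumes the infected host's outbound port-25 traffic is steered to this listener by a firewall redirect; the state machine accepts every envelope and body, records it for analysis, and relays nothing. The `run_dialogue` helper drives one session from an in-memory list of client lines so the logic can be exercised offline.

```python
"""Non-delivering SMTP sink: accepts whatever a compromised host hands it,
records envelope and body for analysis, never relays. Added example."""
import socketserver
from dataclasses import dataclass


@dataclass
class CapturedMessage:
    peer: str        # address the session came from
    mail_from: str   # envelope sender as presented by the client
    rcpt_to: list    # envelope recipients (none of them receive anything)
    body: str        # headers and body exactly as transmitted


class SmtpSinkSession:
    """Minimal SMTP state machine (HELO/EHLO, MAIL, RCPT, DATA, RSET, NOOP, QUIT).
    Every recipient is accepted so the sending malware believes delivery succeeded."""

    def __init__(self, peer, captured):
        self.peer = peer
        self.captured = captured      # shared list the sink appends to
        self.in_data = False
        self.lines = []
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpt_to = []

    def feed(self, line):
        """Process one client line; return the reply, or None while collecting DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.captured.append(CapturedMessage(
                    self.peer, self.mail_from, list(self.rcpt_to), "\n".join(self.lines)))
                self.lines = []
                self._reset_envelope()
                return "250 OK: queued for analysis (sink, not delivered)"
            # RFC 5321 dot-unstuffing: strip the leading period the sender added
            self.lines.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 sink.invalid"
        if verb == "MAIL":
            self._reset_envelope()
            self.mail_from = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command first"
            self.rcpt_to.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset_envelope()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def run_dialogue(client_lines, peer="192.0.2.10"):
    """Drive one session from a list of client lines; returns (replies, captured)."""
    captured = []
    session = SmtpSinkSession(peer, captured)
    replies = [r for r in (session.feed(l) for l in client_lines) if r is not None]
    return replies, captured


class SinkHandler(socketserver.StreamRequestHandler):
    """Network front end: the same state machine over one TCP connection."""
    captured = []   # class-level store shared by all connections

    def handle(self):
        session = SmtpSinkSession(self.client_address[0], SinkHandler.captured)
        self.wfile.write(b"220 sink.invalid SMTP sink ready\r\n")
        for raw in self.rfile:
            reply = session.feed(raw.decode("latin-1").rstrip("\r\n"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break


if __name__ == "__main__":
    # Loopback only; the zombie's outbound port 25 is redirected here (assumed deployment).
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), SinkHandler) as srv:
        srv.serve_forever()
```

Every RCPT gets a 250 on purpose: rejecting recipients would tell the bot's controller that this host is a dead end, whereas a sink that "queues" everything keeps the envelope data and the spam templates flowing in for evidence collection.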
Re:In other words... (Score:5, Interesting)
Think about that for a moment... and then ask yourself why we actually take this for granted instead of suing Microsoft into oblivion. Would a car company get away with cars breaking down on real-life roads an average 26 minutes after they're purchased? The thought is totally ridiculous, yet we accept the same from Microsoft. Why?
Re:In other words... (Score:5, Informative)
The Internet is like Baghdad for computers but 10000 times more intense.
The operating system doesn't merely fall apart - it's broken apart by the equivalent of roaming street thugs.
I agree that Microsoft is partially responsible (does RPC really need to be accessible by default?) - but on the other hand, until very recently your average Linux install didn't take long to get 0wn3d either.
Re:In other words... (Score:2)
Re:In other words... (Score:2)
However, even when they do ship with anti-virus software, say a Toshiba Tecra laptop that arrived today: plugged into my firewalled and NAT private LAN, I ran Windows Update, only for a whole pile of critical updates, some of which have exploits in the wild, to need installing.
Re:In other words... (Score:2)
Re:In other words... (Score:5, Interesting)
I strongly agree with this. I'm not pro or anti-MS, I just happen to be a SysAdmin that uses their stuff every day, and manages 120 desktops. It's just a fact that there are a lot of shady monkeys that are trying 24/7 to find exploits, holes, and other crap for nefarious deeds.
Call it civic duty, but once a week I spend an hour going thru my spam-logs, and pick a couple (that are obviously being sent from 0wn3d boxen), trace their IP, look up which provider owns the range. I then call their NOC (Which is almost always listed in their WhoIs record), and report the IP (if they're a U.S. provider).
I honestly get a call-back one out of every three times from a provider, saying they've found the hostile traffic coming from that address, and they temporarily block access, or alerted the sysadmin managing the address.
It may be little, but it's sorta civic duty to do something about this from time to time. Kudos to Cavalier and Verizon especially for following up on my calls.
Re:In other words... (Score:2)
Now that people are starting to ship with XP-PL2, enough services are turned off by default that a machine may have a bit of a chance at being able to download the latest patches before getting infected, but it's been far too much of a fight to get it there.
Re:In other words... (Score:2, Insightful)
This will happen with nearly any O/S. I've heard the same story about any unpatched O/S whether it be RH, SUSE, OS/2 yadda yadda.
Putting any unpatched system on the net is dumb. This is not unique to MS software
I've seen some other posters mention car analogies. I think a good analogy for my point is: Would you drive a car that has had 26 factory recalls on it ?
Re:In other words... (Score:2)
Re:In other words... (Score:3, Funny)
-matthew
Re:In other words... (Score:2)
The answer is that traditionally, people have always viewed computer software as Magical -- we stand in awe at the fact that it functions at all, much less perfectly. In the past, when computers were new, scary, powerful, and incomprehensible, this viewpoint may have made sense. But in today's world, I think ou
How long do you think it would take... (Score:2)
Re:In other words... (Score:2, Interesting)
Yeah, but most of us don't steal our cars
Also, it's not a question of breaking down at this point (that was Windows ME's job) It's all about security.
You didn't see car man
If my car had millions of people throwing bricks (Score:5, Insightful)
When you get right down to it, cars are shitty in reliability compared to software. Off the top of my head, here are some major problems my car has, at least when looked at from a software standpoint:
1) My car is very vulnerable to break-ins. You can smash a window, jimmy the locks and so on. It's easy, requires no knowledge to do.
2) My car doesn't deal with faulty input. If I set it in neutral and floor it, the engine will overheat and seize up. There's no system to deal with faulty operation like that.
3) My car has problems with user error. If I drive it into a wall by accident, it'll stop functioning. Same if a user of another car makes a mistake and hits it.
Worse yet, the manufacturer will not fix ANY of these faults, even for a price. Even worse they KNEW about ALL of them when they sold the car.
Now compare that to software where we expect that it be essentially faultless and when a fault is found, that it be fixed quickly and for free.
Something tells me that if someone put a brick through your window, it would be them that you wanted busted, not the maker of your car. Yet if someone hacks your OS, you are mad at the OS maker, not that hacker.
Only on Slashdot
Re:If my car had millions of people throwing brick (Score:3, Insightful)
Something tells me that if someone put a brick through your window, it would be them that you wanted busted, not the maker of your car. Yet if someone hacks your OS, you are mad at the OS maker, not that hacker.
A delightful analogy but totally and absolutely bogus.
Just activate your cerebrum for a few minutes.
Is it reasonable to expect a car to be resistant to effort
Re:My three cars... (Score:3, Informative)
The market share argument is BS FUD. Always has been. Always will be. Microsoft just doesn't have a corporate culture that encourages good coding practices over eye candy and feature bloat.
Re:In other words... (Score:3, Interesting)
This is one of the worst analogies I've ever seen.
Let's say GM makes a car. You buy it. You drive into a high crime area and don't have your doors locked. You get car jacked 26 mi
Re:In other words... (Score:2)
http://www.eweek.com/article2/0,1895,1841266,00.a
http://www.phrack.org/show.php?p=63&a=8 [phrack.org]
Re:In other words... (Score:2, Informative)
Re:In other words... (Score:3, Funny)
I
Why waste a grenade? It's a Ford. Just leave it for a while, and it will fall apart on its own.
Re:In other words... (Score:4, Funny)
So they switched it on and connected it to the net?
They were far too impatient to wait 30 minutes, so they infected it themselves. Remember these are the guys who do code reviews every twenty years.
Own...? (Score:2, Interesting)
In Fairness (Score:2)
It's still erroneous terminology (Score:3, Insightful)
Well, it's their own way... (Score:2)
How is this fighting this in their own way? Don't lots of other orgs do this same thing...?
Well, it's their own way in that other organizations [honeynet.org] are not so irresponsible as to allow the machine to send 18 million &#$% spam messages while they ooh and aahh over their creation. Microsoft "embraces and extends" yet again...
From The Fine Article:
"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.
That amount
Re:Well, it's their own way... (Score:5, Insightful)
How nice: they allowed 18M junk messages to go through, but could be bothered to look at only 10% of the data. Unbelievable.
Do you want the job of analyzing all 18 million messages? If they are only analyzing 10%, it's probably because they figure that the other 90% probably have the same source. Even if the other 90% don't, surely you would want them to start somewhere, rather than put off affirmative action for a few years? One way of confirming whether the 90% do come from the same source is prosecuting the spammers responsible for the 10% and then dealing with the reduced amount of spam in the next cycle.
Re:Well, it's their own way... (Score:3, Insightful)
Do you want the job of analyzing all 18 million messages? If they are only analyzing 10%, it's probably because they figure that the other 90% probably have the same source.
Fair enough, but if they are doing the analysis manually then they have already lost.
Re:Well, it's their own way... (Score:2)
The reason they would let
Re:Well, it's their own way... (Score:2)
It does seem odd that they wouldn't keep working all the data they have to find more spammers, or why they couldn't have shut it down after it had "caught on" with the botnet operators (ten days). I'm guessing the people behind the experiment had no idea how successful it would be and so arbitrarily chose 20 days.
Probably because they intended to go after the few big fish, then try again once some more big fish had appeared. Wash, rinse, repeat.
Vigilante? (Score:5, Insightful)
Re:Vigilante? (Score:5, Funny)
Since someone wants Microsoft to sound like a tough SOB out to wreak havoc on those who would do us harm.
Would you go see a movie that is described [imdb.com] as "A New York City architect becomes a one-man honeypot after his wife is murdered..."?
Re:Vigilante? (Score:2)
That would be newsworthy.
Vigilante? (Score:5, Insightful)
That's like considering a car company working with a police forensics department to determine why a car did what it did 'vigilante'.
It takes.. (Score:4, Insightful)
It takes 20 days to collect data which may be used to convict the scumbags, but it takes years for Microsoft to realize there was a problem and do something about it. To be fair, this should be law enforcement, but someone has to file those John Does in a complaint.
"At the same press conference, Dan Salsburg, the assistant director of the FTC's Bureau of Consumer Protection, urged all computer users to do their part to stymie zombies. "The FTC is taking aggressive steps to stop zombies and protect consumers, but consumers also need to insure that zombies aren't on their computers," Salsburg said."
I'm sure they're shuffling paper like they've never quite shuffled before.
I just don't want to see, a couple years from now, Microsoft being awarded patents on the invention of the Honeypot.
takes years for Microsoft... (Score:4, Insightful)
Or we could, I suppose, get mad at the people who developed SMTP, a system so insecure in and of itself that anyone can pretend to be anyone else and get away with it.
Of course, that was done in a kinder, gentler time when "spam" was unknown, so I guess they can be forgiven. Then again, much of the Windows code was created long before the terms "DoS" or "buffer overflow attack" came into existence.
Naw. Much easier to hate MS. Somehow, they should have known better...
Re:takes years for Microsoft... (Score:2)
Nothing like totally missing the point. It's easy to say now that we'd have been much better off with things locked down. However, much like early internet protocols, early versions of Windows and NT were designed to facilitate networking and interoperability. We (the public) wanted easy file and printer sharing and email and all those other
Re:Here's what we should do! (Score:2)
Let's get together and file for patents on the SPAM process. Then we need to file papers on creating an OS that enables the above process. Then we need to patent the process of patenting the above.
It takes a spammer... (Score:2)
Right. (Score:5, Funny)
and sent 18 million spam messages (Score:4, Funny)
So I guess, Microsoft being above the law, it's OK when they do that. The end justifies the means, after all.
Re:and sent 18 million spam messages (Score:4, Informative)
The computer was quarantined to prevent it from actually sending the messages
But...whatever...
Won't work. (Score:5, Funny)
C'mon. We all know the only way to deal with zombies is massive head trauma.
Oracle to the rescue? (Score:5, Funny)
"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.
That amount of data was impossible to analyze, so..."
So, seems 18 million records is too much for poor little SQL Server, hmm? I bet Oracle could help, or maybe MySQL/PostgreSQL.
Re:Oracle to the rescue? (Score:2)
18 million records is a lot for mysql too.
Re:Oracle to the rescue? (Score:3, Insightful)
I know for a fact that SQL Server can handle 18 million records easily; it's the transactions per day that kill a server.
HOORAY FOR MICROSOFT! (Score:3, Funny)
I've always wanted a reason to say that.
Let FPS Doug at 'em! (Score:2)
Boom! Head shot!
Prosecution (Score:3, Insightful)
I'd think there were more serious charges. Did the e-mail have forged headers? Does that make it wire fraud? Is unauthorized use of one's computers not a major crime?
Zombies are entirely different from a company putting you on its mailing list without your consent. These people aren't annoying marketers, they're criminals.
Re:Prosecution (Score:2)
I believe that they can prosecute under the CAN-SPAM act even without proving that the
So why is the FCC working with THEM... (Score:5, Insightful)
Re:So why is the FCC working with THEM... (Score:4, Interesting)
1. Standard
2. Microsoft's promise to sue the people responsible into oblivion. (Admittedly, the 'into oblivion' is implied rather than explicit.) This means that MICROSOFT PAYS FOR THE LITIGATION. The FCC gets Microsoft's honed attack lawyers for free.
Microsoft has opted to do something where the FCC gets credit and Microsoft pays most of the costs (litigation is expensive, especially when the people you're suing probably don't have money to pay the judgements). Why would the FCC choose them? It's a conspiracy, I tell you.
Sorry, I'm a law student*, so I tend to believe in the glory and pragmatism of having someone else paying legal fees.
*If I were an actual lawyer, this message would be three times as long and contain the same information. I'm working on it.
Zombies (Score:3, Funny)
On the other hand, imagine Paperclip... It looks like you're trying to fight off a zombie attack. Would you like me to (A) Shoot some of them in the head (B) Open the main gates and let some more in?
New meaning to Blue Screen of Death.
Bastards... (Score:2, Funny)
I did the same thing once! Only slightly different (Score:2)
A couple of friends and I set up a computer to measure our own security practices for hosting our own website before bringing it online and live, and then continually tried hacking into it. One night after we had connected it to the Internet while we were attempting access, someone else gained access through a hole we hadn't patched and turned our machine into a zombie. We set up a bunch of monitoring software and watched it. It attempted, or rather participated in, three DDoS attacks on various websites, it was
why can't our law enforcement agencies (Score:2)
What took so long? (Score:2)
Why not just close the holes? (Score:2, Insightful)
Couple questions (Score:2)
b) Did it scare them how easily the system was compromised? Yes, the article says "they infected it". I'm sure they didn't; they put Windows on it and let it run for a while.
c) Will the spammers get off easily because of entrapment?
d) Who is putting pressure on M$ to be suddenly so interested in spam after they ignored the problem completely for years? Something big is happening behind the scenes
They blocked the outgoing spam (Score:3, Informative)
Please tell me... (Score:4, Insightful)
Yay MS! Now, make Stevie B kill them (as other posters suggested:-)
Been asking this since CAN-SPAM was passed. (Score:2)
It isn't like it would even be difficult to do. You wouldn't even need to set up your own machine. You could find any one of the hundreds of thousands of existing zombies out there just by asking your email admin to get you the IP addresses.
If you do this for a couple dozen boxes (it shouldn't be that difficult to find people who would cooperate) you can get a LOT more info than with just one box.
US 'bot net "admins
Re:Been asking this since CAN-SPAM was passed. (Score:2)
I know that's done, and the criminals are convicted. This setup seems essentially identical to me.
IANAL ... (Score:2)
It comes down to whether the cops/feds took any action on their own to connect that box to that 'bot-net.
Which is why I would prefer the "clean hands" version of simply picking a few dozen boxes that are already infected. This is all about making the case as solid and complete as possible with no way for the "admin" to weasel out on technicalities.
And if any of the cops/feds are interested in a long list of IP addr
Re:Been asking this since CAN-SPAM was passed. (Score:2)
would there really be an entrapment issue? I mean, "i'll sell you this x-box for fifteen bucks" is one thing, leaving an unsecured computer where you can watch it is another.
it's not entrapment if the security guard at the bank arrests somebody who's robbing the bank. what's the dude going to say? "it's entrapment, they were totally waiting there to catch me!" right.
Re:Been asking this since CAN-SPAM was passed. (Score:2)
Re:Cut em some slack (Score:2)
Re:Wheeee (Score:2)
WE HATE SPAM! Geeze... this is only going to get worse before it gets better... and it's been getting worse for 10 years...
You still get spam? My mail program checks four accounts every day, three of which have never, ever had a spam message show up. The fourth used to get spam occasionally, but my filters got better. Between the server side filtering and the bayesian filtering in my client, I thought spam was a solved problem. Of course I always give a one-time address to web sites for registration a
Re:How it was infected. (Score:2)
Re:How it was infected. (Score:3, Funny)
And what does connecting it to the net have to do with the infection? Once you install XP, you're doomed. Period.
Re:How it was infected. (Score:2)
And on the flip side, they're also vilified if they fail to deliver "fast" and "timely" patches to problems.
And of course, somehow we're supposed to have our cake, and eat it too...
Re:How it was infected. (Score:2)
Re:Sue Bill (Score:2)
Re:Vigilante? (Score:3, Funny)
Yeah... And it's even MORE vigilante if they do it in cooperation with a Federal agency!
Sheesh.
Re:Double standard. (Score:2)