Microsoft: No Botnet Is Indestructible

CWmike writes "No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said Tuesday, countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically. Nothing is impossible. That's a pretty high standard.' Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in take-downs of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated. 'To say that it can't be done underestimates the ability of the good guys,' Boscovich said. 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"

Alternate Title

[phantomfive]

Alternate title:
"Microsoft Says: My Botnet is Bigger Than Yours"

Re:

[monkyyy]

well i do believe everyone who uses linux has a duty to dismantle the mircosoft botnet

after all it isnt indestructible

Re:Alternate Title

[Anonymous Coward]

I could root you, but i'd have to charge.

Re:

[geekprime]

fuck, if only I had mod points!

Re:

[cvtan]

Bitcoin?

Alternate Title 2

[subreality]

MicroSoft: A networked system with no vulnerabilities is inconceivable!

The sad truth: it's actually quite conceivable that with decentralized C&C and proper crypto that there are no central vulnerabilities and the only way to clean up the mess is by hunting down nodes one at a time, or possibly one ISP at a time. I'm eager to hear MS's "legally and technically creative" way to take that on.

Re:

[drinkypoo]

I'm eager to hear MS's "legally and technically creative" way to take that on.

they can use the many security holes and back doors they know about in Windows, of course.

Impossible really means nobody knows how

[Omnifarious]

While I believe that it's quite easy to remove individual nodes of the 'indestructible' botnet, I can't see a good way it could really be shut down other than by wiping it out node by node. And that's a losing strategy for the 'good guys'.

So, while I agree in principle that the word 'indestructible' is pretty strong, and likely not actually the case, that theoretical fact is useless without a concrete strategy for defeating it.

Re:

[phantomfive]

What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

Re:Impossible really means nobody knows how

[Jah-Wren Ryel]

What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

The proof's in the pudding. Until they actually do take it down, its all just trash talk.

It doesn't help that its a lawyer doing the trash talking either, it seems all too common for people with law-centric world views to be completely out of sync with a world that operates on the principles of physics.

Re:Impossible really means nobody knows how

[artor3]

Personally, I think that the fact that it's coming from a lawyer makes it more convincing (and frightening). Note that he's saying you need to get legally creative. That sounds like not-so-subtle code for no-knock raids and extraordinary rendition. I don't care how well written your malware is. It's not gonna help you one bit if when a multibillion dollar corporation convinces the Russian police to disappear you and your buddies.

In Soviet Russia

[Wrexs0ul]

Botnet shuts-down You!

But seriously, this is scary stuff. I like the idea of a big IT house using the best and brightest to shut-down malware, but who decides what malware is? How are they making money from this?

-Matt

Re:

[bkaul01]

How are they making money from this?

Indirectly, as it affects their flagship product's reputation for security. If botnets spread unchecked, with most targeting Windows machines almost exclusively, that looks bad for Windows' reputation (even if it's due to moronic users who could manage to infect any given system). Declaring war on the botnets and actively taking them down both helps avoid negative reputation issues for Windows, and build Microsoft's reputation as a company that does the right thing for security, which is especially importan

Re:

[petermgreen]

The thing is you can't realistically go doing no-knock raids on every node in a significant botnet and without a huge level of network monitoring across the globe it's virtually impossible to figure out where a message was initially injected into the network.

So it would appear to me that taking down a competently designed (communication by broadcast messages signed using public key crypto) botnet would be practically impossible.

Re:

[Zironic]

The thing is, even if your botnet is written perfectly. Are you perfect? Have you never told -anyone- about your malware and where you live? Are you -completely- sure that no one is monitoring your proxy?

It's really hard to answer yes to all of those questions, and that's why microsoft can be successful when they have the resources to throw around that they do.

Re:

[Geminii]

Which is why you write your botnet clients and infrastructure as if they were created by a coalition of the US government, Microsoft, the RIAA, 4chan, Anonymous, fifteen televangelists, and Steve Jobs.

Then, while it's wreaking havoc and distracting all the wannabe reverse engineers, you steal their socks.

Re:

[Creepy]

Still, I think they're right - if you can find a control node of some kind, you should be able to shut down any botnet. Botnets are (nearly?) always set up to execute arbitrary code (I don't know of any that aren't) - in fact, most inject more malware while they operate, so injecting a self destruct that plugs whatever security hole(s) the botnet was exploiting should theoretically shut down the net, but it won't remove the malware, which may reinstall a botnet - it may need to be a 2-tier injection - one t

Re:

[Anne Thwacks]

Who knows, maybe they are.

Please can I have one of your flying pigs.

Re:

[Nikker]

What difference does it make both operate using the same tool set. Microsoft sends out updates via untrusted networks to verify system files and attempts to rectify compromised files. Bot-nets will get you through security issues, 0-day attacks and click happy users.

Neither of them will win.

Re:

[1s44c]

What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

If Microsoft were better than the botnet people the botnets would not exist in the first place.

Re:

[WrongSizeGlass]

This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

Are you saying Microsoft is going exploit an un-patched security hole in Windows and infect the infected computers with the antidote? Hmm ...

Balmer: I've got your antidote right here, and that antidote is more cowbell! [youtube.com]

Re:

[mark-t]

First of all, they used the term "virtually indestructable", as opposed to claiming it was wholly or literally indestructable.

Second of all, Microsoft is certainly free to prove them wrong.

My money would be on Microsoft not being willing to spend the time or the resources to make a significant difference... which means that their "throwing down the gauntlet" as it were is just so much hot air.

Re:

[wvmarle]

Indeed, in this case I have to agree fully with Microsoft. That doesn't happen so often.

Of course no botnet is indestructible. Nothing is indestructible. Microsoft themselves are not indestructible, our planet is not indestructible. They're just really strong. Same accounts apparently for this new botnet. It's strong: hides itself really well, uses decentralised command and control, etc. Probably it doesn't even incorporate all weapons botnet makers have at their disposal, and their arsenal is growing. Lik

Re:

[Angostura]

Not only that. I find myself in full agreement with a Microsoft lawyer. Oh what a world!

Re:

[scdeimos]

Probably it doesn't even incorporate all weapons botnet makers have at their disposal, and their arsenal is growing. Like the arsenal of the anti-malware makers as well, of course.

True, but anti-malware makers are always going to be behind the eight-ball for two reasons: (1) they will always be reactionary, and (2) they can't break a computer to "save it" whereas the malware makers don't mind a few casualties.

Re:

[amn108]

Let's hope then that in time, users will understand that the only thing that will save them from one botnet is ... another, hopefully legitimate botnet operated by the good guys.

Begun the botnet war has.

Re:

[digitig]

Oh, what Microsoft said was right -- just irrelevant. The claim wasn't that the botnet was indestructible, it's that it was practically indestructible. That word makes a lot of difference.

Re:

[Lennie]

Is the Internet indestructible ? Or the planet ?

Well, in a way yes.

Because you'd need a pretty big disaster to destroy the earth.

And if there is no planet, who cares ? I mean we'll probably not survive either.

Anything which can 'destroy' the Internet is probably so big an advancement in technology that the Internet became useless or the above mentioned disaster and then not much survived either.

So if the solution is to create a version of Windows which doesn't allow you to install any applications, kinda li

Re:

[Tasha26]

Haha, if Microsoft was a biotech, the title would read "No Cancer is Indestructible." Maybe they should learn from the past, how arrogance has cost them a lot.

Re:

[shentino]

What can be done to stop cancer, and what is practical, are two separate things. And it's not all biology and chemistry, either.

Consider also that a real cure for cancer would ruin the market for chemotherapy, among other things, and I have to ask.

Besides lucrative one time sales, what incentive do pharmaceutical companies have to actually cure cancer? Once someone is cured, they are no longer a patient.

Re:

[delinear]

That's a pretty short term view. People are always patients eventually. The thing with cancer is that it often kills (relatively) quickly compared to the raft of illnesses and disabilities that plague old age. If big pharma could keep people alive for another 30 years on average (not unfeasible in the absence of cancer) they could milk them for all kinds of other ailments. And besides all that - how much do you think people would pay for that one time cure? They could pretty much make up a price, triple it

Re:

[Rockoon]

..the incentive is that if company A doesnt market the cure, then they run the risk of company B doing so first. Unless you presume unilateral collusion (either consciously or unconsciously) then you must presume that no company will hold back a cure (for very long) if they have one.

This is the prisoners dilemma. All parties win the most as long as there is no known cure, but if someone defects and reveals the cure then only the defector wins.

Re:

[mark-t]

Besides lucrative one-time sales, what incentive do pharmaceutical companies have to actually cure Typhoid? Leprosy? Malaria? Tetanus? Diphtheria? What incenttve is there to offer a one-time cure when they can just lucratively siphon money from people who could suffer from the symptoms of these illnesses until they (possibly) die?

I trust my sarcasm is evident... Smallpox has been wiped off of the planet (outside of contained samples in medical labs for study) thanks entirely to medical cures and tec

Re:

[1s44c]

And that's a losing strategy for the 'good guys'.

Microsoft? Lawyers? Botnet herders? Windows users who don't care about the imact of their lack of security?

There are no good guys in this story.

Re:

[Biff Stu]

That's more-or-less how I see it. On the security side, no matter how good the encryption and overall infrastructure, you always need to worry about the dumbass in the middle attack, i.e., social networking. In the case or organized crime, they are vulnerable to the same tactics that are used to dismantle "brick and mortar" crime organizations. Do some good detective work, catch someone in the organization who knows enough and is ready to rat everyone else out for some leniency, and you can take the botnet

Does anyone know

[phantomfive]

Another question, does anyone know when and why Microsoft decided to start taking on hackers? Do they get something out of it?

They will get an even worse reputation otherwise

[dbIII]

Since malware is currently a Microsoft only problem there is a direct benefit to them to deal with it. Various fanboys will pretend they are unable to read the word "currently" so I'll add it again and pre-empt the crap about Apple, Linux, Solaris, Irix, AIX, BeOS, Amiga, Plan 9 or Atari being potentially vunerable sometime by saying the malware that is rampant NOW is more imporant than theoretical or historical threats.
Taking increased measures against malware doesn't really require a lot of resources and

trapdoor function

[epine]

It's not just a question of intellect if one party is on the easy side of the trap door function, and their adversary isn't.

Given Microsoft's traditional shortcomings in mental subtlety, I'm not eager to concede they've properly thought this position through.

Just wait until bitcoin merges with the global ad hoc network. Even Microsoft will gulp at the rental fees on a fully commissioned Death Star.

What they really want to say

[drolli]

As long as we control the IT desktop monoculture it will be always a better investment for botnet operators in searching new holes than in hardening their botnets.

lolwut? Microsoft Digital Crime Unit what?

[lexsird]

Oh I want to know more about these guys...lol /popcorn

And it is

[JustOK]

Microsoft Windows et al IS the botnet.

Re:And it is

[JustOK]

I'm still waiting for it to finish shutting down.

Re:

[melikamp]

HAHAHA According to Micro$oft, your new and shiny Windows 7 is three times less likely to be botted than old and crufty XP, with infection rate still above 1%. In the real world, however, the infection rate is certainly above this estimate. Also, unlike 7, 98 was kind enough not to spy on you and phone home every day. The reason GP's comment goes well with this crowd is the fact that Windows 7 is a botnet by any sensible definition, made legal via EULA.

Windows 7 checks in with M$ so he thinks yes

[NSN A392-99-964-5927]

Let me start by saying every time you boot your system on Windows 7, data is sent to Microsoft to check whether your are online and for internet connectivity.

Now although you probably never gave it a second thought. NCSI is an active tool used by Microsoft to lead Boscovich to these comments.

I am not sure if this has been posted on /. before however this url http://blog.superuser.com/2011/05/16/windows-7-network-awareness [superuser.com] maybe makes Boscovich feel all warm and fuzzy inside as they can do more with NCSI and cut out botnets. This can be defeated as in the URL above.

Whilst I am on a roll, http://www.microsoft.com/industry/government/solutions/cofee/default.aspx [microsoft.com] is nothing special the commands in COFEE with some extra switches are;

arp.exe -a
at.exe
autorunsc.exe
getmac.exe
handle.exe -a
hostname.exe
ipconfig.exe /all
msinfo32.exe /report %OUTFILE%
nbtstat.exe -n
nbtstat.exe -A 127.0.0.1
nbtstat.exe -S
nbtstat.exe -c
net.exe share
net.exe use
net.exe file
net.exe user
net.exe accounts
net.exe view
net.exe start
net.exe Session
net.exe localgroup administrators /domain
net.exe localgroup
net.exe localgroup administrators
net.exe group
netdom.exe query DC
netstat.exe -ao
netstat.exe -no
openfiles.exe /query/v
psfile.exe
pslist.exe
pslist.exe -t
psloggedon.exe
psservice.exe
pstat.exe
psuptime.exe
quser.exe
route.exe print
sc.exe query
sc.exe queryex
sclist.exe
showgrps.exe
srvcheck \127.0.0.1
tasklist.exe /svc
whoami.exe

Awww how 31337 M$

It's always easier to destroy than to build...

[FauxReal]

I suppose much like there's no 100% secure server there's no 100% invincible botnet. It's almost always easier to destroy than to create/build something.

nt

[shentino]

Botnets, like most criminal enterprises, have a distinct advantage in that the perpetrators consider themselves above the law.

Their biggest strength is their willingness to exploit weaknesses and perform actions not available to law abiding citizens. The are not, for example, averse to hijacking PCs, hooking up with shady providers, or even flaunting international borders and strongholding in countries like Iran that are outright hostile to US interests and could actually be anywhere from indifferent to ou

Surprisingly senisble, unexpected source

[Whuffo]

The recent media hyperventilation over "indestructible" malware that hides in the master boot record and requires a wipe and reload of the OS to fix - who writes this stuff, and did they ask anyone who knows anything about it? Apparently not.

:

Oh noes; I've got a bad thing in my MBR; what shall I do? Tip: boot to command line (F8 at boot time) and a quick FDISK /MBR will take care of it. So much for that indestructible bullshit...

Re:

[1s44c]

Oh noes; I've got a bad thing in my MBR; what shall I do? Tip: boot to command line (F8 at boot time) and a quick FDISK /MBR will take care of it. So much for that indestructible bullshit...

You can't trust fdisk to do the right thing if your machine has already loaded who knows what malware. You need to boot off a clean CD.

Re:

[Rockoon]

You really cant fully trust the CD either, and then on top of that there is the far worse firmware issue (both disk and bios firmware can be targeted) which really puts you up shits creek with regards to that whole trust thing.

Re:

[Inf0phreak]

Yes, you know that. But Joe Average doesn't. Any strategy aimed at defeating botnets that use rootkit techniques has to be aimed at the net itself. Fighting against individual infections is too inefficient and is a losing strategy.

They are right, but why do they need to say it?

[gweihir]

I think the meme of the "indestructible botnet" is just marketing, and people trying to make them or their research more important than it is. The sad thing is that the public seems to believe this nonsense.

In practice, there are problems and killing a large botnet can be difficult. However, once you throw enough resources at the problem. it becomes entirely feasible.

Correction

[aaaaaaargh!]

'To say that it can't be done underestimates the ability of the "good" guys,' Boscovich said.

There, fixed that for Boscovich.

Good Guys

[Dracos]

If the "good guys" in Redmond really were so smart, there wouldn't be botnets in the first place.

Re:

[Geminii]

The engineers are smart, but their intellect is being redirected towards more profitable activities.

The managers are smart enough to direct the engineers' activities away from preventing botnets when doing so is less profitable for the managers than other things the engineers could be doing.

The smart thing is not always the right thing, the good thing, or even the nice thing.

Whatever

[orlanz]

I was with him until he said "People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no'." Until then, it was an obvious "Duh", similar to saying there is no 100% secure real system. And kind of sad that he had to actually tell the media that... how far the media has fallen.

But back to the point, the bad guys are smarter, and better than the good guys. History has proven that over and over again. Just cause you came in after the fact and cleaned up the mess doesn't m

Re:

[Zironic]

Are you drunk? The fact you can destroy something someone created doesn't mean you're better or smarter. It's just a fact of life that it's easier to destroy then create.

Destroying a botnet can be rather straightforward

[Attila Dimedici]

Shutting down a botnet can be rather straightforward, although not necessarily easy. As far as I know, all current botnets are designed to make money for their controllers. This means that shutting them down can be done in the same manner that most organized crime organizations get shutdown, by following the money. What makes this difficult is that many botnets will cross jurisdictional boundaries, at least some of which will not be inclined to be cooperative.

M$ sucks

[hesaigo999ca]

Instead of just saying no, show us no...!!!
Show us that it is indestructible by shutting another one down...each time they shut one down through their "special techniques" brings us closer to a spam free world.....so do it already and stop talking about it. Show us you mean business by taking down another botnet....then we can all look at M$ and think , wow...they were right....instead I read the post and thought....so what if they "SAY" no.....show me, was my first thought!!

No botnet is indestrictible.

[MMC Monster]

Of course not. I highly doubt any of them will survive the heat death of the universe.

I think the original article was just saying that they're highly resilient to attack damage. Which is a reasonable statement.

Richard Boscovich needs to RTFA!

[DarthVain]

I am pretty sure that the article didn't say that it was impossible, and only that it was "practically" indestructible or something like that.

The intent being that this would be a very tough nut to crack and that to beat it will take a lot of resources or some very smart people or both.

In fact if he only read his own sentence before uttering another, he would have seen his mistake.

Heck someone called the Titanic "unsinkable" and guess where its current location is? That wasn't even a "practically" unsinkabl

He does have a point

[LongearedBat]

People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"

If the good guys ever catch up with the bad guys, then the good guys have nothing more to do, because there will be no more plots to foil... until the bad guys get going again. But the bad guys never stop moving, so the good guys are always playing catch up, and so of course it looks like the bad guys are always winning.

But really, the bad guys only win when the good guys can't play catch up anymore. And that hasn't happened. In fact, that's why the bad guys keep moving.

Of course, we could try to pre-emp

The Lawyer has a point...

[Sfing_ter]

The Lawyer has a point... I mean, with the botnets relying on Windows machines it is highly likely that they are destructible. It also explains why they require so many machines...

Hate to say it, but...

[Datamonstar]

Microsoft has been ownin in the news lately. Still hate using Windows XP and will not ever upgrade to anything else, but still, this and what Gates said about nuclear being the only feasibly sustainable core energy source is pretty win.

Now, do I think that Microsoft is a bit responsible for some of these botnets? Yes. And no. But I tend to take their "nothing is impossible" approach to pretty much anything I do.

Derp

[Travelsonic]

....countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically.

And how is it intellectually creative to reply to the phrase "practically indestructible" with that? They said PRACTICALLY, not "COMPLETELY INDESTRUCTIBLE" or anything like that. Way to miss the important quantifier in the statement they claim to be countering.

Reading comprehension FTW!

Hillarious!

[Kamiza Ikioi]

Yes, let's have a LAWYER tell us about how all botnets can be taken down. The phrase "If someone says that a botnet is indestructible, they are not being very creative legally" has got to be the goddamn funniest quote of the month! It's a botnet, not an ordinance. I don't give a damn how "legally creative" you get. You can't apply human laws as if they were universal laws of physics. Some young adult in China running a headless botnet via P2P C&C using anonymizing routers is beyond your insignifica

Re:

[c0lo]

Microsoft and bot net operators... sorry, I am lost. Where are the good guys that were mentioned?

They're characters of the legends and folklore... the mention was ""To say that it can't be done underestimates the ability of the good guys," (like in "the abilities of the good guys must never be underestimated" they are demi- or full-time Gods or at least Spiderman).

Re:

[Lanteran]

Great, you're giving the MAFIAA ideas!

Re:

[RyuuzakiTetsuya]

Stop trying to bait APK/HOSTS file guy. You're not any good at it.

Re:

[Nikker]

Hey, I have the entire public IPV4 address space in my hosts file you insensitive clod!

Re:

[RyuuzakiTetsuya]

my ISP made the transition to IPv6, if yours did, time to update your HOSTS file...

Re:

[1s44c]

Microsoft just put a challenge up to every botnet maker on the planet.

Thanks Balmer.

A challenge they have already resoundingly lost.

They should just be honest about it and give users a choose to botnets to subscribe to like they were forced to do with web browsers.

Re:

[ElizabethGreene]

I concur, MS just said "Come at me, Bro." :D

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[1s44c]

Reinstalling the infected machine is the only way to get the job done and be 100% sure it has been done. Even if you boot from a clean CD you can't be sure MS's tool with clean everything. Windows doesn't even have a package manager that will let you checksum all files provided by a package so it's all a big mess.

You might get 90% coverage with MSSS on the day it is released but that will go down fast once the bad guys adapt to it.

Reinstall it, put a real firewall in front of it not the MS firewall nonsense

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Riceballsan]

Removing the botnets from individual systems was never the quote or discussion to begin with. It's a known fact that with enough time an energy any infected system can be cleaned, though it is very difficult to be positive of when everything has been found. The greater issue is behind the quote however, the discussion was never about taking out individual machines on a one at a time basis, but if they can do like they did to similar botnets as far as decapitating the controller to stop the botnet from sprea

Re:

[1s44c]

If you have a PXE environment you can reinstall fast.

Why would you want 80% coverage when you could have 100%?

Re:

[delinear]

Exactly this. The botnet makers don't care what some lawyer says, but you can bet your last dollar that they're already trying to make their botnets as bullet proof as possible. Why wouldn't they? It's their source of revenue and the longer a botnet can evade takedown the more money it generates. The real issue the "good guys" face is that a lot of the time they're having to be reactive instead of proactive (and this is where better OS security, better education of users and good, free, easy to use security

Re:

[Lennie]

I'm surprised the botnet makers haven't gotten rid of the central command&control systems. There has to be some botnet builders that can pay some smart russian to come up with code for that.

Some P2P solution.

Maybe this is because of NAT ? They don't have a simple way of connecting to every node because of it.

Re:

[f()rK()_Bomb]

The botnet they are talking about here, TDL-4 actually does use an open p2p network for command and control, you take out one and another jumps in.

Re:

[GooberToo]

I'd like to meet these lawyers who work hard. Having worked with many and known several personally, they generally don't know anything about "hard word." Don't confuse long days of web browsing, bullshitting, lunching, and boozing it up with anything close to "hard work."

TV shows and movies have painted a very wrong picture of lawyers at work.

Re:

[AJH16]

It depends on the lawyer. Your view seems rather jaded. From my experience, most PEOPLE don't know anything about hard work (by your definition) at least in the professional sector or anything outside a factory job. Retail and office work, it seems rampant to have excessive down time. That said, I also know some very hard working lawyers. A lot of succeeding in life has to do with luck and who you know, but a lot of it also has to do with just actually working hard.

Re:

[GooberToo]

Now observation and discussion means one is jaded? Likely you're just uninformed. Very, very uninformed. My opinion exists specifically because that's the opinion TOLD to me be actual lawyers. It was re-enforced by observing their work day while I was working.

Really people, get off your high horses. The world does not exist in utopia. In the real world, lots and lots of people are paid shit loads of money for doing very little - and frequently while doing a shit job of that. That's the REAL world. Obviously

Re:

[AJH16]

I have multiple family members who are lawyers or work closely with them. How many different firms did you have experience with? Business culture tends to make fairly unified conditions within an organization. I'm also 100% agreeing with you on your last paragraph. My point was mostly that a) it isn't just lawyers that get paid for wasting a lot of their time and b) the bad eggs always stand out and c) just because there may even be a lot of bad eggs doesn't mean there are not good ones or that the enti

Re:

[SniperJoe]

I beg to differ. A good friend of mine went to law school and is now in his third year as an associate at a major law firm. He works something like 60 hours a week on average to make sure that he hits his goal of 40 billable hours a week. During three years of law school, I saw him a grand total of about four times and when I DID see him, he was studying (at all hours, Saturday, Sunday, late at night, you name it). I feel sorry for the guy. He's very well paid, but he never has any time to spend it. H

Re:

[GooberToo]

You're very confused. You're confusing school work with a professional life.

Established layers is what I'm talking about. Non-lawyers do 80% of the work in the legal profession. Most lawyers do little actual work. What work they claim to do is largely done but wanna-be lawyers, students, so on and so on.

As for the work 60-hours to bill 40-hours - he's absolutely doing something wrong. Most lawyers will bill you if they think about your case while they are taking a crap. If he worked 60-hours and didn't bill

Re:

[sortius_nod]

I mentioned Balmer because he is the main head of the Hydra that Microsoft is. I'm sorry for laying the blame squarely at the feet of the CEO, in future I'll lay the blame a the feet of the guys working in the call centre. Or maybe the lawyers they buy for a dime a dozen.

Re:

[benjymouse]

I mentioned Balmer because he is the main head of the Hydra that Microsoft is. I'm sorry for laying the blame squarely at the feet of the CEO, in future I'll lay the blame a the feet of the guys working in the call centre. Or maybe the lawyers they buy for a dime a dozen.

If you have an issue with the statement, you could mention the statement and the lawyer who it is attributed to, Richard Boscovich. That would suffice. You did not even have to read the article, the name was right there in the (inflammatory) summary.

Re:

[httptech]

No one said TDL4 can't be cleaned from a single PC. Cleaning it from all of them near-simultaneously is what you would have to do to destroy this botnet. The MSRT tool is not capable of performing the steps you described.

BTW your steps could still leave malware on the system unless you are a forensic/malware expert and can tell good processes from bad in ProcessExplorer. It's not so easy as you make it seem. Even if you are that experienced in process analysis, there could still be other kernel-level rootki

Re:

[naoursla]

I wish you weren't posting AC so that I could friend you.

Re:

[httptech]

You missed the point. Yes, TDL4 malware can be cleaned manually, no one is disputing that. The entire system could be forensically sanitized - manually - using the recovery console or a liveCD. It could take a long time depending on how many payloads had been downloaded and how well they hide. But this is not enough to kill the botnet unless you do this to 4.5 million PCs all at once. I never said your TDL-4 removal steps were incorrect, I just said they would not "kill the botnet", which is what Microsoft

Re:

[1s44c]

The best way to kill a botnet is to kill the botmasters. Follow the money trail to them and get rid of them extrajudically.

You are clearly insane. The best way to fix a problem is to prevent it from happening in the first place by fixing the dodgy software that some people insist on using.

Going on a killing spree is just going to get the wrong people murdered and not even fix the problem in the process.

Re:

[cavreader]

Any software program more complicated than "Hello World" have exploitable weaknesses. If you were to demand that no software should be released until it is 100% exploit free there would be no software to release. While killing the bot masters is a little extreme to say the least the suggestion of following the money is a good strategy. Analyze the behavior of the bot and try to define the purpose of the bot, which is undoubtedly to make money for someone for something. Attacking the beneficiaries of the bot

Re:

[tagno25]

If someone make a self replicating botnet w/o C&C it could be indestructible. Make it look at chat streams from victms for domains to DDoS, then distribute that via a p2p network using port 443 (and 22) and self signed certs. Every node then attacks the most common one in a 2 hour period, and then ignores that domain for up to one month.

Re:

[shentino]

It's more like the good guys are handicapped in that they have to follow the law, whereas the bad guys have no such restraints.

Botnets would be much easier to take down if white hats were allowed to hijack them and make them self destruct.

Re:

[Riceballsan]

Well if that part were easy I would imagine grey hats/vigilantes would have done that by now. Though it would depend largely on what self destructing would entail. Self destructing as in the botnet removes itself from the infected computers, or self destructing as in having the botnet completely format infected systems.

Re:

[maxwell demon]

they had used inverted comas

Are inverted comas states of unusually intense consciousness? :-)

Re:

[delinear]

While ever it couldn't be used to secure the hardware against you, we'd never see the end of botnets - so no, TCP is not the answer if you want the squishy meatbag behind the keyboard to be able to override it. The second you give the user autonomy, no matter how secure your system is, you've lost. The malware writers will focus their energies on "socially engineering" the user into installing stuff for them, instead. Personally I'd rather live in an imperfect world where we have botnets but aren't lumbered

Re:

[raddan]

That's not true. I'm no Microsoft apologist (I run OpenBSD and Linux) but Microsoft has some of the smartest people out there. The problem is, those people are neatly compartmentalized, in the form of Microsoft Research. Much of their work is highly regarded in the compsci community. But Microsoft-the-software-company often fails to see the potential of their work. I suspect that Microsoft's "don't rock the boat" approach is an official business strategy.

Re:

[Zironic]

You're listening to him because he has infact dismantled botnets before.

Notice how he says 'legally creative', this means stuff like sending the Russian Police after your ass to use rubber-hose cryptography until you shut down your 'invulnerable' botnet.