Cleaning Up Botnets Takes Years, May Never Be Completed

Once a botnet has taken root in a large pool of computers, truly expunging it from them may be a forlorn hope. That, writes itwbennett, is the finding of researchers in the Netherlands who analyzed the efforts of the Conficker Working Group to stop the botnet and find its creators. Seven years later, there are still about 1 million computers around the world infected with the Conficker malware despite the years-long cleanup effort. 'These people that remain infected — they might remain infected forever,' said Hadi Asghari, assistant professor at Delft University of Technology in the Netherlands. The research paper will be presented next week at the 24th USENIX Security Symposium in Washington, D.C. (And "Post-Mortem of a Zombie" is an exciting way to title a paper.)
  • Golly Gee! Neither will garbage collection... Let's just let it pile up, eventually it will collapse by its own mass.

    • I think it would be easier to simply take command/control of those bots and start flushing hard drives (or whatever else will ensure it never reboots), then shut it down remotely.

      Or, if you don't feel that destructive? Drop a small executable that removes all networking/modem/etc capabilities upon boot, then remotely restart the machine. They keep their cat pictures, and we don't have to deal with it being on the public network.

      Yes it's completely unethical, etc... but maybe that's the one thing that will g

      • by Alok ( 37687 )

        I've long thought of this (removing networking from the bots) as being the best actual solution, too bad that there is no way to do so legally. Maybe use the bots to scan for 0-day vulnerabilities, and forcibly upgrade or configure security FW/AV etc. to deal with it :D

        Well, I also wondered why no black hat ever tried it, but I guess all of them are busy making a lot of $$ selling exploits to various agencies rather than disrupting other black hats.

  • by Gordo_1 ( 256312 ) on Tuesday August 04, 2015 @11:33AM (#50249573)

    well before 10 years is up.

    • by swb ( 14022 ) on Tuesday August 04, 2015 @02:38PM (#50250949)

      I wonder how many infected systems either were originally VMs or physical systems turned into VMs that will live on in VM farms far longer because they support some obsolete or unupgradeable system or because nobody wants to turn them off.

      It's not hard to see systems that should eventually die off live on far longer thanks to virtualization.

  • I'm really impressed that so many modern computers are lasting so long and that so many people are using them. Use it up, make it do, or do without is a good policy for things that aren't mission critical.
  • ... they might remain infected forever ...

    Nothing lasts forever: The infected computers will eventually cease to function. It would have been more accurate (and less of an inflammatory panic reaction) to suggest that the infected computers might remain infected for the remainder of their active life.

    • Diamonds are... ;)

      Even if some component of the computer, say the power supply, ceases to function, the hard drive or flash chip is still technically infected. Rather than making a more accurate statement, what you have done is make a different but also accurate statement that we don't care if it's infected but not in use currently.

      • ... say the power supply, ceases to function, the hard drive or flash chip is still technically infected. Rather than making a more accurate statement, what you have done is make a different but also accurate statement that we don't care if it's infected but not in use currently.

        I stand by my previous statement: the hard drive (or flash drive) will eventually fail. That said... I agree with your conclusion, even if I'm inclined to nitpick the details: an infection which is contained -- ergo, can no longer spread nor do anything harmful -- is really not worth worrying about.

  • The news article claimed that researchers had control over the botnet, but the research paper implies otherwise, simply that the control network was rendered inaccessible.

    Did Conficker have something to prevent a takeover, such as using a public key signature to verify update code?

    If they were able to inject a popup window informing the user of the infection, surely disinfection rates would have been much higher. The research paper says that millions of users bought phony security software via Conficker, so

    • by Zocalo ( 252965 )
      They have control over the Bot*Net*, but the actual bots are continuing to operate on autopilot searching for and attempting to infect other hosts. Short of sending a "shutdown" command - assuming Conficker has one - and potentially assuming liability for any PCs that might be in life-safety applications (common sense says there shouldn't be any, however reality says otherwise) there's not a lot else they can do but wait for their owners to replace them. Given how long PCs tend to stay in use outside the
  • by Minwee ( 522556 ) <dcr@neverwhen.org> on Tuesday August 04, 2015 @01:30PM (#50250497) Homepage

    Isn't this why we have Internet Cleanup Day?

    Really, why is it so hard for everybody in the world to just take one day out of the year to shut down all of their systems, wipe the hard drives and re-install everything from the installation media?

    • Re:I'm confused (Score:4, Insightful)

      by ThatAblaze ( 1723456 ) on Tuesday August 04, 2015 @01:45PM (#50250579)

      Anyone who has an 8-year-old computer has probably lost the installation media for it. Many of them might be running POS systems that don't work past Win95. We're not talking about office or home computers here; those have all been changed out long ago. These are mostly old computers in a back room that have been plugging away at a single task for years.

      • A lot of these might be embedded devices as well. Windows XP embedded was quite popular among manufacturers for all kinds of devices, before the Android age.

  • So the only ones infected are the ones who don't run or keep their PCs up to date, correct? Just like the Yahoo Flash exploit, wouldn't antivirus software be blocking that exploit, as it is not a new exploit? What about people who don't run Flash with the default settings? I don't allow Flash to save any data, I don't let sites save data in it, and so on.
  • Hyperbole like "forever" has no place in a professional treatment of the situation. May take a decade or two though.

  • It's pretty simple: if you are coughing up blood, you don't go to work and then infect your coworkers with Ebola. Why should we allow computers that are doing the same thing to come to the internet? People mostly don't know they are infected, so injecting a little HTML into served pages that will help them disinfect their computer would be a good start. If it's been a week and they are still infected, it's time to serve them pages only on how to disinfect their machine and close any unrelated ports.

    there i

  • ROFL, from the article:
    Sometimes, it was hard for ISPs to help consumers clean up their infected computers. Asghari said he spoke to one ISP that contacted the same customer 36 times in an effort to get rid of Conficker.
    “Every time the customer would say I’ve cleaned it up, but the infection would return,” he said.

  • ...instead of "going after" the infection, you go after the humans that deployed it.
    Recognize the MASSIVE damage/vulnerability these people are exploiting, and the threat it poses to our modern society. Act accordingly.

    When you have them arrested, randomly decimate them.

    If they are arrested a 2nd time for the same offense, they will be the first in line to be decimated.

    I suspect that botnet attacks would decrease.

    • by Anonymous Coward

      You would be wrong: the death penalty doesn't discourage violent crime, either.

    • How about simply putting them in a jail cell with a computer terminal. Their task is to use their own network to go in and disinfect each and every last machine. They don't see the light of day again until they accomplish this task, and if it's longer than their lifetimes, so be it.
