Police Reveal Tactics For Fighting Botnets (databreachtoday.com)
Botnet herders have sophisticated "disaster recovery" plans, according to speakers at a recent cybersecurity conference, with many splitting their botnets into smaller herds, making them more resilient. In addition, kierny writes: Researchers say these backup botnets are tough to detect, until gangs have already spooled them up and put them to use in major campaigns... "What we're seeing is the bad guys are starting to learn from this," said Steven Wilson, head of the European Cybercrime Center at Europol -- the EU's law enforcement agency...
Wilson said authorities are now gathering tremendous amounts of data by "sink-holing" -- forcibly redirecting the infected endpoints onto servers controlled by law enforcement. He also reports that authorities have successfully mined the blockchains of bitcoin transactions for information. Eamonn Keane, a detective from a cybercrime unit with the Scotland Police, added that authorities are also infiltrating dark net forums to bust bitcoin-using criminals. "Are law enforcement in there? Absolutely... We have a mandate to protect you in the real world; increasingly it's moving into the online environment."
Re: (Score:2)
"We should have mechanisms to fix their judgement when they err on the side of being too lenient."
No, we shouldn't. This is why our legal system is innocent until proven guilty, and why we have double jeopardy laws. It is specifically designed to err on the side of too lenient.
Re: (Score:3)
No, we shouldn't. This is why our legal system is innocent until proven guilty, and why we have double jeopardy laws. It is specifically designed to err on the side of too lenient.
I was waiting for this argument. Sentencing happens after you are proven guilty. It's ok to err on the side of finding someone innocent if they are guilty. But once guilt is legally established, erring on the side of being lenient (in sentencing) undermines legislative intent to treat certain activities as crimes. It takes away the power from the legislature to make certain activities crimes. Let's take this example to an extreme. Let's say there are no minimal sentences. Then someone found guilty of murd
Re: (Score:2)
Possession of the command and control apparatus of a botnet (so to speak) should be a felony with an automatic 20 year sentence.
Yeah I can see Putin and Xi Jinping totally going along with that.
Re: (Score:2)
ANY site that discusses politics has this happen to it IMMEDIATELY.
Really? I've never seen it happen here, and we discuss politics all the fucking time. In fact, that mountain is clearly a mole hill.
Re: (Score:2)
ANY site that discusses politics has this happen to it IMMEDIATELY.
Really? I've never seen it happen here, and we discuss politics all the fucking time. In fact, that mountain is clearly a mole hill.
Let's amend that:
Any site that discusses politics unfriendly to SJWs has this happen to it immediately.
"To Protect You" (Score:2)
Now we can have a long, boisterous, drawn-out laugh.
Re: (Score:1)
They protect themselves and whoever's bri... sorry, lobbied the local politician. So really it's whoever they are protecting's fault.
Re: (Score:2)
Cool, so this works for protecting websites from DDOS too?
Why So Hard? (Score:4, Interesting)
If you deploy a piece of malware that turns a PC into a zombie, that unit can only be useful after it has been programmed to do something for the botnet ringmaster. Typically, or so we're told, zombies are used to send spam, maybe compute bitcoins, that sort of thing...
But, since we know that in a large part of the western world [certainly in the UK] ISPs are now required to keep extensive logs and copies of things like web searches, pages visited, emails received and so on, surely if law enforcement agencies are determined to stamp out botnets, then we should expect to see much greater successes than those reported...
1. Flag any end-user PC that is originating SMTP port calls - workstations should be using IMAP or POP...
2. Flag any end-user device that calls or polls known botnet "master" servers...
3. Once a piece of malware is identified [for example emails with suspicious attachments] then work "out" from the point of detection - i.e. trace back to the originator of the email; look into any other emails sent with similarly sized attachments, etc, etc.
We know, thanks to Snowden, that our governments easily have the capability to do all this and more. However, despite the fact that they certainly have plenty of evidence to know where all this criminal activity is coming from, nothing seems to be happening to crack down on it. I've always been a bit suspicious of the conspiracy theory that says the reason for the inaction is that had the authorities run round closing down gangs of cyber criminals quickly and easily, word would have gotten out about how powerful the security monitoring really was.
But the curious thing is that we now know just how intrusive all the monitoring has become, yet we don't see any benefits from all the supposed safeguards being put into place. Maybe - just maybe - people would actually be less suspicious of authorities who made a demonstrable positive change in the on-line security of the general public...?
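The first two heuristics in the post above (workstations originating SMTP, and devices contacting known botnet "master" servers) can be expressed as a small defender-side check over flow logs. This is an added example, not code from the post or from any agency: the log lines, the workstation subnet, the mail relay and the "known C2" address are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log: "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_LOG = """\
2017-01-01T10:00:01 10.0.1.15 198.51.100.7 25
2017-01-01T10:00:02 10.0.1.15 203.0.113.9 25
2017-01-01T10:00:03 10.0.0.5 198.51.100.7 25
2017-01-01T10:00:04 10.0.1.22 192.0.2.44 443
2017-01-01T10:00:05 10.0.1.22 192.0.2.44 443
2017-01-01T10:00:06 10.0.1.30 93.184.216.34 993
"""

WORKSTATIONS = ipaddress.ip_network("10.0.1.0/24")  # assumed end-user subnet
MAIL_RELAYS = {"10.0.0.5"}          # hosts legitimately allowed to speak SMTP
KNOWN_C2 = {"192.0.2.44"}           # placeholder; real lists come from a threat feed


def parse_flows(text):
    """Yield (src, dst, dst_port) tuples from the simple flow log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                 # skip malformed lines rather than crash
        _ts, src, dst, port = parts
        yield src, dst, int(port)


def flag_hosts(flows, workstations=WORKSTATIONS, relays=MAIL_RELAYS,
               c2=KNOWN_C2, min_smtp_dests=1):
    """Return {src_ip: set(reasons)} for hosts matching either heuristic.

    Heuristic 1: a host in the workstation subnet (and not a mail relay)
    connects to >= min_smtp_dests distinct destinations on port 25.
    Heuristic 2: any host connects to an address on the known-C2 list.
    """
    hits = defaultdict(set)
    smtp_dests = defaultdict(set)
    for src, dst, port in flows:
        if port == 25 and ipaddress.ip_address(src) in workstations and src not in relays:
            smtp_dests[src].add(dst)
        if dst in c2:
            hits[src].add("known-c2-contact")
    for src, dests in smtp_dests.items():
        if len(dests) >= min_smtp_dests:
            hits[src].add("workstation-direct-smtp")
    return dict(hits)


if __name__ == "__main__":
    for host, reasons in sorted(flag_hosts(parse_flows(SAMPLE_LOG)).items()):
        print(host, ", ".join(sorted(reasons)))
```

Raising `min_smtp_dests` trades recall for fewer false positives from a workstation that talks to a single external mail server once; the relay allowlist is what keeps the legitimate mail path out of the alert.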
Re: (Score:2)
But, since we know that in a large part of the western world [certainly in the UK] that ISPs are now required to keep extensive logs and copies of things like web searches, pages visited, emails received and so on
They may require it all they want, but as long as there is point-to-point encryption (as there is with, for example, Google), ISPs can't see what your searches are or what you do on your encrypted web-mail servers. They can't record what they can't see.
Re: (Score:2)
However, if your computer has been infected by malware and is being used to send SPAM, then the spammer likely would not want you to know that they were doing t
good (Score:2)
Police tactics for fighting Microsoft Botnets .. (Score:1)