[LINK] ArsT: Anti-Malware Incursions into Consumer Devices

Roger Clarke Roger.Clarke at xamax.com.au
Fri Apr 15 09:38:24 AEST 2011


[Now we've got experimenters, spam-suppliers, financial fraudsters 
*and* US government agencies messing around inside people's devices]

DoJ, FBI set up command-and-control servers, take down botnet
By Peter Bright |
Last updated about 10 hours ago - Twerps.  14 April 2011
http://arstechnica.com/security/news/2011/04/doj-fbi-set-up-command-and-control-servers-take-down-botnet.ars

Past efforts at killing botnets, the large networks of computers 
running malicious software to send spam, flood websites with traffic, 
and steal personal data, have managed to disable the networks by 
taking down important servers, but they've always stopped short of 
actually killing the botnet software itself. That's because the 
companies behind these efforts have no more legal authority to run 
unauthorized software on users' machines than the botnet owners do: to 
remove the botnet software would make them just as guilty of hacking 
as the bad guys are.

The result is that while efforts such as Microsoft's disruption of 
the Waledac and Rustock botnets were successful, they were far from 
perfect. These efforts left the malicious software running on the 
infected PCs; they just removed the command and control servers, the 
centralized machines that tell the botnet what to do. Should the bot 
herders regain control of the domain names or IP addresses used by 
the command-and-control servers, the infected machines will be able 
to successfully connect to them, and the networks will once again 
spring into life.

A new Justice Department attack will go some way towards solving that 
problem, at least for the botnet known as "Coreflood." A federal 
judge has authorized the non-profit Internet Systems Consortium, 
working in conjunction with the FBI, to go beyond taking down the 
command-and-control servers: the ISC has installed its own 
command-and-control servers. The command the servers are sending? 
Kill the botnet malware. The servers were swapped out on Tuesday 
evening, and the kill command was duly sent.

The kill command still stops short of removing the malware 
altogether; each time an infected PC is rebooted it will try to 
restart the botnet software. But every time, the new command and 
control servers will tell the software to shut down, preventing it 
from causing any more harm.

In tandem with this effort, Microsoft has updated its Malicious 
Software Removal Tool to enable it to remove the Coreflood malware 
itself. Some users will likely receive this tool through Windows 
Update, but to ensure greater reach, the new command and control 
servers will record every IP address that tries to reach the command 
and control servers. This IP address information will be used to 
inform ISPs that machines are infected. In turn, the ISPs will inform 
their end users, and provide information on where to get the MSRT.

Users will also be able to opt out of the entire process, if they 
would prefer to let the malware continue to run on their PCs.

Coreflood was a particularly nasty botnet. Rather than merely sending 
spam, it stole banking and other financial information from infected 
systems. This harvested information was then sent to the 
command-and-control servers, and according to court filings, allowed 
criminals to steal hundreds of thousands of dollars from victims. The 
Coreflood software has been around since 2003, receiving regular 
updates in an effort to keep one step ahead of anti-malware software. 
It started out as a regular trojan, a program that masquerades as 
something useful but which actually does something harmful, before 
gaining botnet capabilities in 2009. Over the course of its life, 
more than two million machines were infected.

Though this aggressive move is likely to be effective in combating 
the botnet, not everyone is convinced that it's an appropriate path 
to go down. Speaking to Wired, Electronic Frontier Foundation 
technology director Chris Palmer described it as an "extremely 
sketchy action to take," warning that "you don't know what's going to 
happen for sure. You might blow up some important machine."

Aggressive as it was, other nations have gone further to fight the 
botnet menace. Last year, Dutch and Armenian law enforcement made a 
joint effort to kill off the Bredolab botnet. In this case, the Dutch 
authorities installed their own command-and-control servers, using 
them to distribute a program to infected computers that would 
redirect users to a website giving specific information on how to 
disinfect their computers. This seemed to work well, with authorities 
reporting more than 100,000 visits to the site.

There's no word yet on how effective the Justice Department's plan 
has been. If manual outreach proves effective then there may be no 
need to go one step further as the Dutch did. But if persistent 
infections continue to be an issue, as they are with Rustock and 
Waledac, then American law enforcement may well be tempted to take 
more proactive measures against the botnets, in spite of the concerns 
this raises.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
