Researchers Cripple Pushdo Botnet
Posted by timothy
from the nothing-wrong-with-the-word-cripple dept.
Trailrunner7 writes with this from ThreatPost: "Researchers have made a huge dent in the Pushdo botnet, virtually crippling the network, by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet. Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet's spam operations. After doing an analysis of Pushdo's command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said."
Legal hacking? (Score:5, Interesting)
I wonder if the courts would issue an order that would legalize hacking of unstoppable network computers to prevent ongoing attacks?
Other normally illegal tactics can be utilized legally, if a judge deems them necessary or in a court of law. You know, 1st degree murder vs E-Chair?
I would love to see... (Score:5, Interesting)
Re:I would love to see... (Score:3, Interesting)
So would I like to see that.
So I could switch to those providers, and know they wouldn't be messing with my server without talking to me just because some er "researcher" decided they thought the server might be some sort of C&C
I imagine there could be some legal concerns if the researchers were to publish such a list... it might seem like extortion: "Take down that server, or we'll publish your name!"
Or it might attract more business to those providers... the, er, bad guys would also know some go-to providers [not that they don't already].
Re:Pretty much (Score:2, Interesting)
Re:Is this really a big deal (Score:3, Interesting)
Stupid people would be stupid on any OS. There is no reason in the world to suspect that if Windows disappeared that virus/malware creators would shrug and go "Oh well, we're fucked, guess we find real jobs," or that stupid people would suddenly go "Gee, that document my friend sent me is asking to install a program, that doesn't seem right." As long as you insist on "It's a Windows problem" rather than "It's a user education problem" the battle will never be won.
Re:Is this really a big deal (Score:3, Interesting)
Correct me if I'm wrong, but wouldn't adding new C&C servers be as simple as pushing an update to the bots? If there are still remaining C&C servers to update with (let alone still a third), that should be pretty routine for them.
Not in this case. This botnet apparently can spread other client side malware, but doesn't attempt to infect new servers.
That's a very hard problem and I guess that's good.
New servers can be added manually though. Part of their protocol involves the client receiving updated lists of servers. That's why, even though this was first detected in 2007 and has had its servers attacked repeatedly over the years as in this article, the botnet is still around.
The associated articles only discuss how the client side works. All the fascinating code is on the server side and apparently has not been broken.
If you need to get all 30 at once, all that has been achieved is that they're back to square one.
True. The loss of 2/3 is a minor setback and one that's happened before. This isn't the Black Knight. Servers can be added to this botnet, while limbs cannot be regrown.
In case it isn't obvious by now, this botnet was done by someone who has some experience in (Soviet) military network programming (C3I). What will happen when (laid off, down on their luck, etc. etc.) US C3I experts turn to the dark side?
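The posts above argue that a botnet whose bots refresh their server list from any surviving C&C node shrugs off partial takedowns and only dies when every server goes at once. The following is an added example, not code from the thread or from Last Line of Defense: a toy model that puts numbers on that argument. It assumes each bot caches a fixed-size random subset of the server list (the real Pushdo list size is not given here, so LIST_SIZE is an assumed parameter).

```python
import random
from math import comb

def orphaned_fraction(total_servers, servers_down, list_size):
    """Exact probability that a bot's cached list of `list_size` distinct
    servers, drawn uniformly from `total_servers`, falls entirely inside the
    `servers_down` that were taken offline, leaving it unable to re-sync."""
    if not 0 <= servers_down <= total_servers or not 0 < list_size <= total_servers:
        raise ValueError("bad parameters")
    if list_size > servers_down:
        return 0.0  # the list is larger than the removed set, so one server survives
    return comb(servers_down, list_size) / comb(total_servers, list_size)

def simulate_takedown(total_servers, list_size, down_per_round, bots=10000, seed=1):
    """Monte Carlo of repeated takedown rounds (constructed scenario, not
    measured data). Each round removes `down_per_round` live servers. A bot
    that still has any live server in its cache re-syncs and caches the full
    live list (the self-repair described in the thread); a bot whose whole
    cache is dead is orphaned for good. Returns connected bots after each round."""
    rng = random.Random(seed)
    live = set(range(total_servers))
    connected = [set(rng.sample(sorted(live), list_size)) for _ in range(bots)]
    history = []
    while live:
        victims = rng.sample(sorted(live), min(down_per_round, len(live)))
        live.difference_update(victims)
        # Survivors learn the complete live list; the rest drop out.
        connected = [set(live) for cache in connected if cache & live]
        history.append(len(connected))
    return history

if __name__ == "__main__":
    # 20 of 30 servers removed in one round, bots caching 5 servers each:
    print(f"orphaned by a 20-of-30 takedown: {orphaned_fraction(30, 20, 5):.1%}")
    # Two rounds of 10 vs. one round of 20 shows why staggering helps the botnet.
    print("10 per round:", simulate_takedown(30, 5, 10))
    print("20 then 10: ", simulate_takedown(30, 5, 20))
```

With the assumed list size, a one-shot 20-of-30 takedown orphans only about 11% of bots, and after the first re-sync every surviving bot knows every remaining server, so later rounds orphan nobody until the last server is gone.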
sure, sure (Score:1, Interesting)
researchers
No, you aren't. I don't know why people working in IT security have the ego to always add the word "researcher" to their title. Just because your job involves problem solving it doesn't mean you're a "researcher" as the term is understood everywhere else. Anyway, where does your R&D budget come from for this team of "researchers", and what do you get back?
at Last Line of Defense
Who? So many overgrown hax0rs slapping a stupid name on their activities and calling themselves a business, using inflated claims of leet-sounding achievements for PR then pushing security "solutions" to idiots.
a security intelligence firm
lol. k guise. security intelligence [swcp.com]. security intelligence [nsa.gov]. yuo [rajuabju.com].
Look, it's cool what you've done. But would you kindly put yourself into context and stop adopting a pompous vocabulary unique to your trade? Perhaps the state of PC security wouldn't be so dire if it wasn't such a mixture of AV vendors enjoying protection money and ADHD-crippled scene d00ds lacking formal grounding and in a permanent state of 14 year old.
Posting AC because the kid has a water pistol and it's too early in the morning to get wet.
Re:Legal hacking? (Score:5, Interesting)
It's not dead yet, it's getting better (Score:3, Interesting)
Look at their graph: from a high of 1,400 on 3 Aug to 0 on 26 Aug -- that ranks as both "seriously crippled" and a "success" in my book.
So while you chose to belittle their achievements, I for one chose to say a silent "Thank you! Well done!" for their years of persistence in fighting this war.
I did. Color me unimpressed. This isn't the first time that this botnet's servers have had their numbers reduced.
I didn't see any analysis of what is going on server side and that is where all the interesting code is.
Their client/server protocol is self-repairing in that servers can propagate new IP lists of servers to clients. According to the various articles, (some of) the servers have been taken down before.
Apparently nothing is known about what is going on server side.
This botnet puts a high priority on not being detected (according to TFAs).
All that is happening now is a reconfiguration. Lay low, infect new servers, then it's business as usual.
Oh, and my threat estimate of this botnet is very high. It's MS Windows only at the moment, of course, but the analysis seems to indicate that, with not much additional work, it could function in a heterogeneous network.
Re:Unresponsive providers might be more likely... (Score:5, Interesting)
This reminds me of a story that may be more tech myth and legend, and if it is not true it should be. It goes something like this:
Back in the early days of the net, when the major interconnects were MAE East and MAE West and other interconnect points had not been established, almost everything routed through these two points.
So the story goes that there was a tech who dutifully monitored the system during his shift. He had noticed that someone from another country was trying to get access to files on a certain server at a major university. Now he was curious, because he saw the same attempts over and over again over a rather long period of time. Now since we all forget passwords or think we know them and then try and try without success, this is not that unusual, and normally after fumbling around we will just contact the machine's owner and ask for the correct password. Now in those days it was still a relatively small group of folks, so there were not a whole lot of questions asked.
But the tech in question started noticing the pattern was limited to times when the people attending these machines would not be there.
So he sent off an e-mail to the admins he knew and they had not been requested to change or provide any passwords.
So our intrepid tech sent off an e-mail to the administrators of the location of the seeming intruder and asked that they have him stop. Well, the admins said that it was really none of their business anyway, and being in a foreign country our admin had no say over what anyone there did. The long and short of it was that the apparent intruder kept it up.
So one night our intrepid admin had had enough, so he did what he thought might get people's attention. He simply unplugged the cable that was the source of the problem, effectively disconnecting an entire country from MAE West!
Well, in a few hours phones started ringing into MAE West asking questions and trying to figure out what was wrong. He told them he had asked, many times, for the admins of the network that the rude behavior was originating from to kindly ask the owner of the machine to stop, and had been rudely rebuffed, to say the least. He also said when the attempted intrusions stopped, he would plug them back in. To say the least, they stopped in fairly short order and he plugged them back in.
Now that is a bit far flung, because I doubt there is any one cable that could disconnect an entire country, but I am pretty sure you could simply route class A's to /dev/null. Perhaps that's what it will take to get ISPs to get serious. Just pull their plug until they behave. Everyone peers in someplace, so it should not be that hard to go and find that Ethernet cable and simply unplug it and leave it dangling until their behavior changes.
Re:I would love to see... (Score:3, Interesting)
A command and control server doesn't send out spam. It only acts as a server for the bots that do all the spam sending.
Replace "send out spam" with "store pirated media" and "command and control server" with "torrent-indexing website", and you essentially have the same argument for not interfering with their operations.
Re:Legal hacking? (Score:4, Interesting)
Re:That's not what I'm proposing (Score:3, Interesting)
I don't think that will work so well. The C&C machines are on ISPs who are peered with major ISPs that are much more interested in money than the small amount of traffic coming from C&C. The individual zombie nodes are so distributed that the labor cost of properly determining whether a downstream client is infected, or is not being dealt with fast enough, far outweighs the cost of shutting down the network to that client's ISP/owner.
If they shut down some site for sending spam or a virus or whatnot, that site is much more likely to just find a new ISP.
If this was costing ISPs money and there was a cost-effective way to deal with it, they would. It doesn't and there isn't, so they don't.
It's doable in your environment precisely because your down stream clients have no alternative. If you cut their line they can't go to on-campus network company B and link up.