Microsoft takes down ZeuS botnets

A Microsoft-led operation resulted in the takedown of key servers associated with the infamous ZeuS and SpyEye banking Trojan botnets on Friday. Months of investigation culminated in the coordinated seizure of command-and-control servers associated with the botnets and hosted in Scranton, Pennsylvania, and Lombard, Illinois. …

COMMENTS

This topic is closed for new posts.
Pint

I'd buy them a drink.

It's rare having any appreciation for Microsoft's efforts, but checking the bin in my gmail account, there's no spam whatsoever, where normally there'd be a few dozen items.

18
1
Go

Re: I'd buy them a drink.

Agreed. I'd love to see a similar initiative from Google* - given the reach of Gmail, and their server resources.

* Not holding my breath.

3
2
Silver badge
Thumb Up

Re: "I'd buy them a drink." I agree.

Whilst one can of course say (with justice) that they should have begun this a long time ago, it is indisputably true that in recent years they have been devoting increasing efforts and considerable resources (= a great deal of wonga and man-hours) to making a significant dent in the problem. Good to see.

2
1
Anonymous Coward

Re: I'd buy them a drink.

... but it was Microsoft's crappy OS that gave them the ability to do their naughty deeds in the first place!

2
11
Thumb Down

And you wonder why I go a little mad...

Read this and this before you blame Microsoft for a botnet team's actions.

3
0

Re: I'd buy them a drink.

Whilst I am glad to see them helping the authorities and taking some responsibility for what they have wrought, it still seems odd to me that it is MS and not some government body leading the action.

It is as though cyberpolicing has been privatised.

But any takedown is a good takedown. Send in the sheriff!

2
0

This post has been deleted by its author

Re: I'd buy them a drink.

Wait, so if I download something, intentionally install it, my OS should stop me? Explain how that works.

0
2
Bronze badge
Thumb Up

@Gordon Fecyk Still in 2001?

>>Wednesday, 4 April 2001 DO YOU USE...

Gordon, where were you in 2004 when I switched to Linux? Sorry, too late: I did not know about "The Lion worm — yet another variant of the Ramen worm" back then. Spooky indeed.

"If youth only knew: if age only could"

Your post is most anti-Microsofty today.

0
0

This post has been deleted by its author

Bronze badge

Save this drink for the spam filter

>>the bin in my gmail account, there's no spam whatsoever

So you expect it in the spam box, not your inbox? Thanks should be addressed to the spam filter (supposedly based on SpamAssassin). My spam mostly lands there, unlike some of my friends with Hotmail and others.

Or buy them some cheap ... lemonade, my older gmail account spambox does seem to receive less spam though this month. :)

0
0
Silver badge

@Kain

No, the point is it should ONLY install things you intentionally install, not just any damn thing sitting on a website. Websites should only be able to display content unless explicit action is taken to cause something else to occur, and I'll even go so far as to include automatically starting an embedded media stream.

0
0
kb
Facepalm

Re: I'd buy them a drink.

What is sad is, as someone who fixes and sells Windows PCs, frankly it isn't Windows' fault, it's PEBKAC. You see, the malware guys have figured out the "dancing bunnies" tactic, whereby you offer the victim something they REALLY want, be that pron, free software, even something as unlikely as a chance to win an iPod, and then the user will happily disable their own security and infect their own machines!

The only time I ever had to throw someone out of my shop was over a dancing bunny, where this person refused to listen to me when I told him that Limewire had been dead for years, so instead he takes his brand new PC and when he finds some malware listed as "the new Limewire" he first tries to disable and then when that doesn't work REMOVES the AV AND UAC protections and then had the gall to complain because "The machine shouldn't have gotten infected like that" and demand I repair it for free. When I threw him out of my shop he was yelling "It says right there it is the new Limewire so you MAKE IT WORK!"

Sad that Windows so often gets blamed when I'd say a good 99% of the infections I see are just from mind-numbing stupidity. I've seen users give up their passwords, lower their security, do whatever the malware writers ask them to, all to get some "prize" which of course only is a trojan package. You can design the most secure OS on the planet and when you have the user actively trying to dismantle your security you're as good as doomed.

0
0

This post has been deleted by its author

Silver badge
Coat

Interesting...

"The operations resulted in the dismantling of two IP addresses behind the ZeuS ‘command-and-control’ structure."

So... how do you dismantle an IP address?

Tear off each octet and hammer it into submission?

Or just forcibly remove the dots so it all falls apart...

6
1
Black Helicopters

Re: Interesting...

I rather like the idea of a Microsoft assassin walking up behind the server with a pair of gardening shears, cutting the Ethernet cables and then bundling the server into a black van with a cloth over its diagnostic panel so that it may be waterboarded for information in a dark room in the basement of the Redmond campus 200ft underground, shielded from the world's eyes.

8
0
Stop

Re: Interesting...

"how do you dismantle an IP address?"

Null route it on all core routers.

But seriously, what needs to happen IMHO is:

thread collect_ips
    while true
        collect IPs connecting to botnet Command and Control
        store in infected computer database
    wend
end thread

thread enforcement
    while true
        for all national governments
            for all ips in infected computer database
                look up owner of IP block containing IP
                if owner is in government's country
                    if owner not contacted yet
                        snailmail owner "this machine is infected. See it gets cleaned up. You have 2 weeks to comply." --signature=required
                        owner contacted
                    else if time of contact > 2 weeks
                        disconnect owner from network.
                    end if
                else
                    look up owner's peering partners in country
                    for all peering partners
                        if partner not contacted yet
                            snailmail partner "this machine is infected. Either compel owners of netblock to fix it or de-peer owners. You have 2 weeks to comply." --signature=required
                            partner contacted
                        else if time of contact > 2 weeks
                            disconnect partner from network.
                        end if
                    end for
                end if
            end for
        end for
    end while
end thread

Harsh, but it would put a big dent in the botnet problem: ISPs would either have to bestir themselves to contact their lusers and get them to fix the machines, disconnect the lusers' machines from the network, or face disconnection themselves. Even if an ISP is in a country that doesn't help enforce the rules of the road, that ISP eventually gets de-peered from enough countries that do enforce the rules that they cease to be an issue.

(Now I await the masses of "how dare you ask anybody to be responsible for the consequences of their actions you fascist bastard!" to downvote me.)

3
1
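The notice-then-disconnect policy in the pseudocode above, worked through as an added example (not code from the thread or from any real enforcement body): a Python model of one enforcement pass in which an IP block owner inside a cooperating country gets a notice and a two-week deadline, and an owner outside that jurisdiction is reached through its in-country peering partners. The owner names, IP blocks (RFC 5737 documentation prefixes), peering relationships and dates are constructed sample data; `owner_of` stands in for the whois/RIR lookup the comment calls "look up owner of IP block".

```python
"""Model of the comment's notice-then-deadline escalation for infected hosts.

Added example, not part of the original thread. All owners, blocks, peering
links and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

GRACE_PERIOD = timedelta(weeks=2)  # the thread's "2 weeks to comply"


@dataclass
class Owner:
    """Holder of one or more IP blocks (an ISP or transit provider)."""
    name: str
    country: str
    blocks: List[IPv4Network]
    peers: List[str] = field(default_factory=list)  # names of peering partners
    contacted_at: Optional[datetime] = None
    disconnected: bool = False


def owner_of(ip: str, owners: Dict[str, Owner]) -> Optional[Owner]:
    """Return the owner of the block containing ip (stand-in for a whois/RIR query)."""
    addr = ip_address(ip)
    for owner in owners.values():
        if any(addr in block for block in owner.blocks):
            return owner
    return None


def notify_or_disconnect(owner: Owner, now: datetime, notice: str, actions: list) -> None:
    """One step of the rule: first contact sends a notice, contact older than the
    grace period disconnects; an already disconnected owner is left alone."""
    if owner.disconnected:
        return
    if owner.contacted_at is None:
        owner.contacted_at = now
        actions.append(("notify", owner.name, notice))
    elif now - owner.contacted_at > GRACE_PERIOD:
        owner.disconnected = True
        actions.append(("disconnect", owner.name))


def enforcement_pass(infected_ips: List[str], owners: Dict[str, Owner],
                     enforcing_countries: List[str], now: datetime) -> list:
    """The inner body of the comment's 'thread enforcement' for one point in time."""
    actions: list = []
    for country in enforcing_countries:
        for ip in infected_ips:
            owner = owner_of(ip, owners)
            if owner is None:
                continue  # unknown block: nothing to address a notice to
            if owner.country == country:
                notify_or_disconnect(owner, now, "infected host, clean it up", actions)
            else:
                # Owner is outside this jurisdiction: lean on its in-country peers.
                for peer_name in owner.peers:
                    peer = owners[peer_name]
                    if peer.country == country:
                        notify_or_disconnect(peer, now, f"fix or de-peer {owner.name}", actions)
    return actions


def build_sample_owners() -> Dict[str, Owner]:
    """Constructed sample data: two US providers and one in a non-enforcing country."""
    return {
        "Acme ISP": Owner("Acme ISP", "US", [ip_network("203.0.113.0/24")]),
        "Remote Net": Owner("Remote Net", "XX", [ip_network("198.51.100.0/24")],
                            peers=["Transit Co"]),
        "Transit Co": Owner("Transit Co", "US", [ip_network("192.0.2.0/24")]),
    }


def run_scenario() -> Dict[int, list]:
    """Three passes over a constructed timeline; returns {day: actions taken}."""
    owners = build_sample_owners()
    start = datetime(2012, 3, 26)  # arbitrary constructed date
    infected = ["203.0.113.7", "203.0.113.9", "198.51.100.20"]
    log: Dict[int, list] = {}
    # Day 0: first sightings of these hosts talking to the C&C servers.
    log[0] = enforcement_pass(infected, owners, ["US"], start)
    # Day 7: Acme ISP cleans its customers' machines, so they stop being sighted.
    infected = [ip for ip in infected if owner_of(ip, owners).name != "Acme ISP"]
    log[7] = enforcement_pass(infected, owners, ["US"], start + timedelta(days=7))
    # Day 15: grace period expired; Remote Net's host is still infected.
    log[15] = enforcement_pass(infected, owners, ["US"], start + timedelta(days=15))
    return log


if __name__ == "__main__":
    for day, actions in run_scenario().items():
        print(f"day {day}: {actions}")
```

Two design points the pseudocode leaves implicit are made explicit here: per-owner state (`contacted_at`, `disconnected`) means an owner with many infected hosts receives one notice per pass rather than one per IP, and the infected list is re-read on every pass, so an owner that cleans its hosts before the deadline (Acme ISP in the scenario) is never disconnected, while the uncooperative owner's in-country peer is.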
Silver badge

@David D. Hagood

Given the requirement for snailmail, I'd quibble with the specific time interval. Even in Western nations I think I'd want 3, though no more than 4 weeks. For third world areas it would probably take significantly more in order to allow time to actually contact them and for them to have time to clean the machine.

But the overall algorithm looks good, and even with longer lead times would still get to the desired result.

0
0
Anonymous Coward

it was indented

It was more readable when indented, but the Reg undid that....

0
0
Anonymous Coward

Re: Interesting...

If I received a letter telling me my PC was infected, it would be binned straight away.

0
0
Anonymous Coward

Act on the infected machines

So, have they added appropriate legal terms to their EULA yet, so they could use botnet command channels to tell infected machines to warn the user / disinfect / do something useful?

0
0

Why not secure the hosts (as the police / authorities would make a burgled house safe, then bill the owner) by adding an anti-virus / bot software on the host.

0
0
Holmes

Mustn't ever mention Windows ..

"A Microsoft-led operation resulted in the takedown of key servers associated with the infamous ZeuS and SpyEye banking Trojan botnets on Friday".

0
0

Re: Mustn't ever mention Windows ..

Don't have to - it's understood.

1
0
Bronze badge

"such and such recommends Windows 7!"

>>Microsoft has detected more than 13 million suspected infections of ZeuS and SpyEye-related malware worldwide, with more than 3 million in the United States alone.

When a PC maker suggests something like "We recommend Microsoft Windows Vista/7/8" it should really add "and Microsoft may detect you to be among the millions of malware infected worldwide!" In the US specifically, the slogan can finish with "Isn't it cool?"

1
1
Thumb Up

Nice work Microsoft!

0
1
Bronze badge
Linux

Meh

All they [Microsoft] did was stub their [the criminals] toe.

Switch to Linux already and M$ will go away. And so will the script kiddies.

1
1
Mushroom

Alternative

The airforce would have done a better job.

0
0