Microsoft botnet smackdown 'caused collateral damage, failed to kill target'

Microsoft is attracting fresh criticism for its handling of the Citadel botnet takedown, with some security researchers pointing to signs that the zombie network is already rising from the grave again. Redmond worked with financial service organisations, other technology firms and the Federal Bureau of Investigation to disrupt …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Given the problems these botnets cause to everyone, and not just the suckers who have an infected computer, I think remotely neutering them may be the best option.

Sure it is going to upset the owners, but disabling internet access and forcing them to take it to someone who knows enough to fix it is a kindness in the long run. Yes, it might be an act of questionable legality in some places, but the last time I read a Windows EULA it allows them to 'break' it for DRM reasons so I can't see much reason they can't do it for reasons of it causing trouble world-wide.

Now if said computers are doing something safety-critical there is a problem but:

1) Windows is not certified for that by the EULA

2) Whoever is in charge of the system should be getting a kicking for not having cleaned it up already.

Discuss...

23
5

This post has been deleted by a moderator

Anonymous Coward

err

Yum install today's-trendy-distro

5
1
Silver badge
Linux

'apt-get' is not recognized as an internal or external command, operable program or batch file......

16
0

I agree, while there is bound to be collateral issues taking down whatever you can is the way to go. Monitoring is one thing but monitoring is not helping anyone except for the security researcher doing the work....

3
0
Anonymous Coward

"I think remotely neutering them may be the best option."

They are thinking seriously about this. But I suspect they are holding off as there's more complexity and unintended consequences than we realize. They fear A. making false positives / outright mistakes, B. Counter attacks by hackers who make legitimate systems appear compromised. Think Syrian Electronic Army, China, Iran etc...

2
0
Silver badge
Boffin

There's a point...

Now if said computers are doing something safety-critical there is a problem but:

1) Windows is not certified for that by the EULA

Maybe security researchers & honeypots should simply send the kill switch to these botnets. Anyone stupid enough to use Windows for real-time things or actual mission-critical stuff shouldn't be doing so in the first place, and even MS can claim it's a violation of the EULA. In most of these cases, only the botnet zombie client is removed.

7
5
Silver badge
Linux

There's only one thing to do...

FTFY

3
0
Silver badge

'apt-get' is not recognized as an internal or external command, operable program or batch file......

I think you found the problem.

1
0
Silver badge

@Khaptain

I still think the short old one is better:

Abort, Retry, Fail?

1
0
Angel

'apt-get' is not recognized as an internal or external command, operable program or batch file......

I think you found the problem.

it only works on already installed linux systems, for one thing... Eadon's original wouldn't work anyway... not even on a working linux system... he can't even get that right :rolleyes:

@Ole Juul: PS: haven't seen you around in a while... 1:3634/12 ;)

0
0
Silver badge
Stop

"Yes, it might be an act of questionable legality in some places, but the last time I read a Windows EULA it allows them to 'break' it for DRM reasons "

It doesn't matter - no EULA can override local laws. Period.

1
0

This post has been deleted by a moderator

Anonymous Coward

Re: A HORRIFIC infestation of Malware

" ...though the numbers of Windows Phones (there may be as many as hundreds) .. "

Now credit where credit's due...THAT was funny!

4
3
Anonymous Coward

Eadon...people are still waiting over here for your insightful comments

----->

http://forums.theregister.co.uk/forum/2/2013/06/07/android_obad_trojan/

5
5

This post has been deleted by a moderator

Anonymous Coward

Re: Trojans

@Eadon demonstrates his utter lack of knowledge of Windows, once again...

The overwhelming majority of malware on a Windows system these days, if not all, is installed because the user installed it. The days of random drive-by installs are long gone. (I've no doubt you'll find a random exception, as I've no doubt that I could find one for Linux).

Windows has ACLs, one of the ACLs is "Read and Execute", so no, Windows will not just execute anything ending .exe. Likewise, if you download something from the Internet, it will stop a general user from loading/executing it by default.

Then again, I don't expect you to listen, learn or do anything other than shout about how Windows was rubbish twenty years ago and therefore is rubbish now. Remind me how good Linux was twenty years ago?

7
8
Bronze badge

Re: Trojans

No operating system that is useful can always defend against Trojans. You can only solve trojans by locking down systems until they are appliances, not computers, or by educating the users.

You can come pretty close with some of the more security aware operating systems. Ringfenced trusted computing bases require administrative action to circumvent if they can be bypassed at all. It's a whole different world on the truly secure platforms that make most systems look like toys.

Or do these things not count if Linux doesn't support them?

4
3
Boffin

Re: Trojans

Granted, the majority of malware infections are on Windows, but that's just a weight of numbers thing....most prolific OS = greatest number of victims = most efficient way for malware authors to target the most people.

The same thing would have happened if Linux ever became the mass desktop OS of choice...but of course that's never happened, has it?

2013 - year of Linux on the desktop? Nah...probably not....

2
7
Silver badge

Re: Trojans

...but that's just a weight of numbers thing...

It's not JUST a weight of numbers thing. Eadon is partially right in that there are a number of measures in place in Linux systems that make it much harder for them to be infected (though, to be fair Eadon, your argument about hiding extensions is just plain stupid given that a file in Linux can carry any extension, even .txt, and still be executable). Even user incompetence is mitigated somewhat because nothing downloaded gets execution rights (and there's no 'run anyway' button for the user to mindlessly click), though this is easily avoided by simply stuffing the malicious file into a .tar.gz file. Simply put even if Linux were the dominant desktop OS it would probably not be infected as often as Windows currently is.

However, Eadon is still wrong about the state of things. He operates under the sadly mistaken impression that Windows is still riddled with security holes and that Linux is completely bulletproof. Neither is true. No OS, with the possible exception of BSD with an absolutely paranoid (in other words, unusable) configuration, is bulletproof, and Windows no longer has the security holes of yesteryear that gave Microsoft a bad reputation for security.

3
3
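The mechanism behind the "stuffing the malicious file into a .tar.gz" remark above is that tar records each member's mode bits, so a plain `tar xzf` restores an execute bit that a browser download would never have set. The script below is an added illustration, not code from the post or from any project named on the page: it builds a constructed in-memory archive whose single member carries mode 0755, shows that the execute bits are stored in the archive, contrasts that with a download written at 0644, and then extracts the archive the hardened way (writing each regular member itself at 0644 and refusing paths that escape the target directory). The member name and script content are assumptions made for the demo.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample payload: a harmless shell script. What matters is its mode bits.
SAMPLE_SCRIPT = b"#!/bin/sh\necho hello\n"


def build_archive(member_name: str, mode: int = 0o755) -> bytes:
    """Build an in-memory .tar.gz containing one regular file with the given mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(SAMPLE_SCRIPT)
        info.mode = mode          # tar stores the mode; this is what survives the download
        tar.addfile(info, io.BytesIO(SAMPLE_SCRIPT))
    return buf.getvalue()


def archived_exec_bits(archive: bytes, member_name: str) -> int:
    """Return the execute bits (owner/group/other) recorded in the archive for a member."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return tar.getmember(member_name).mode & 0o111


def save_download(dest_dir: str, name: str, data: bytes) -> int:
    """Mimic what a browser does with a downloaded file: write bytes, no execute bits.
    Returns the execute bits of the file that was written (expected 0)."""
    path = os.path.join(dest_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)
    return os.stat(path).st_mode & 0o111


def extract_without_exec(archive: bytes, dest_dir: str) -> dict:
    """Hardened extraction: copy each regular member out ourselves at mode 0644, so
    execute bits supplied by the archive are never honoured. Links, devices and
    directories are skipped, and member names that escape dest_dir are rejected.
    Returns {member_name: execute_bits_after_extraction}."""
    root = os.path.realpath(dest_dir)
    result = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = os.path.realpath(os.path.join(root, member.name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"unsafe member path: {member.name}")
            data = tar.extractfile(member).read()
            with open(target, "wb") as fh:
                fh.write(data)
            os.chmod(target, 0o644)
            result[member.name] = os.stat(target).st_mode & 0o111
    return result


def demo() -> dict:
    """Run the comparison in a temporary directory and return the three measurements."""
    archive = build_archive("payload.sh")
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "in_archive": archived_exec_bits(archive, "payload.sh"),
            "plain_download": save_download(tmp, "payload.sh", SAMPLE_SCRIPT),
            "hardened_extract": extract_without_exec(archive, tmp)["payload.sh"],
        }


if __name__ == "__main__":
    print(demo())  # in_archive is 0o111, the other two are 0
```

The archive keeps 0755 for the member, while both the plain download and the hardened extraction leave the file at 0644; the difference between a stock `tar xzf` and `extract_without_exec` is only whether the stored mode is applied.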
Anonymous Coward

@the spectacularly refined chap - Re: Trojans

Actually that's what he said, in case you paid attention of course. Ringfenced, trusted computing bases you are mentioning means exactly that: a locked down system close to an appliance that no longer trusts you and you can no longer trust.

Now from a pure technical point of view Linux can very well do that but it would violate the GPL because whenever a system is locked down, you the user are always holding the key. Linux is an OS that trusts the end-user and the end-user can safely trust. In case you didn't notice, it's not the software that is free, it's the end-user.

1
2
Anonymous Coward

@Eponymous Cow Turd - Re: Trojans

Microsoft standard "Get the facts" play book.

Also, can you please define this "year of Linux" nonsense? What exactly, in your opinion, should it be like? To be precise, just give us a metric that should be used and the threshold you believe should be clearly significant.

Don't jump to Microsoft site to find the info, it will not help.

3
0
Bronze badge

Re: Trojans

Then obviously you haven't been keeping yourself up to date.

http://www.theregister.co.uk/2013/06/13/cross_platform_browser_flaw_in_wild/

0
0

Re: Trojans

"Windows has ACLs, one of the ACLs is "Read and Execute", so no, Windows will not just execute anything ending .exe. Likewise, if you download something from the Internet, it will stop a general user from loading/executing it by default."

New->Text Document -> Save As x.txt.

ren x.txt x.exe

x.exe

..oo-er, it tried to run it. Why? Windoze (2003 server) created it with FULL permissions.

1
0
Thumb Down

Re: Trojans

@swampdog

"New->Text Document -> Save As x.txt.

ren x.txt x.exe

x.exe

..oo-er, it tried to run it. Why? Windoze (2003 server) created it with FULL permissions."

No, it didn't. It created it with NO permissions. All permissions were inherited from the parent folder. This is an excellent feature Linux doesn't have. In my opinion, the default permission system on Unix/Linux is years behind Windows or even Netware.

Let's see what happens on windows if you try to do that shit inside a directory without "Read and execute" permissions:

c:\Users\Vladimir\Documents\dgp\deploy\test>copy con test.exe

test

1 file(s) copied.

c:\Users\Vladimir\Documents\dgp\deploy\test>test.exe

Access is denied.

1
0
Anonymous Coward

Re: Trojans

@Swampdog: If you don't understand ACLs and how Windows uses them (you obviously don't) it's probably best not to comment.

Herein lies the problem that we see on The Reg quite a lot: Linux users think they know Windows because they know Linux, and Windows users vice versa. I wish people would learn about the systems they're commenting about or stick to the ones which they know. Better would be learning about other systems.

0
0
Silver badge
FAIL

Re: is installed because the user installed it.

No, most of it is the result of MS obscuring the way things work because it makes it easier for the uneducated user to do things. And those critical patches that are going out are frequently for privilege escalation issues.

ACLs won't fix crap when vendors release software that requires administrative privileges to run. While it is true that right now Adobe is the lead culprit on that front with their CS suites, MS isn't far behind with their crap like .Net Studio.

0
0
Bronze badge

Re: @the spectacularly refined chap - Trojans

Actually that's what he said, in case you paid attention of course. Ringfenced, trusted computing bases you are mentioning means exactly that: a locked down system close to an appliance that no longer trusts you and you can no longer trust.

Have you ever actually used an enhanced security platform? It certainly doesn't sound like it. 15 years ago I was operating a SCO OpenServer system in B2 certified mode so this kind of thing is hardly cutting edge. The TCB was strictly ringfenced. On top of that you could run anything you wanted. For the most part the only practical implication in everyday use was the mandatory password policy. How is that "a locked down system close to an appliance"?

Now from a pure technical point of view Linux can very well do that but it would violate the GPL because whenever a system is locked down, you the user are always holding the key. Linux is an OS that trusts the end-user and the end-user can safely trust. In case you didn't notice, it's not the software that is free, it's the end-user.

Wrong again. I take it you completely missed the Tivoisation controversy? Or how NetBSD for example allows you to do exactly the same thing with the GPL'ed critical components (albeit under the administrator's control) with the verified exec subsystem?

2
0

Re: Trojans

" Windows no longer has the security holes of yesteryear" ... because they've copied more and more of the unix/linux way of doing things, which was properly thought through and designed in the beginning, unlike Windows, which was not. Heck, MS even stole the networking code for Win3 from unix. Then they went on to add multiple users, 'execute' permissions, etc... but being MS, dumbed things down to the point somewhere between annoying and unusable.

I'm fully expecting Windows 10 to be Windows X ... for the same reason Apple used the X: unix.

1
0

Re: @the spectacularly refined chap - Trojans

Ringfenced, trusted computing bases you are mentioning means exactly that: a locked down system close to an appliance that no longer trusts you and you can no longer trust....

Take a look at VMS or any of the other secure platforms out there. I'd go as far to say that there is less restrictive security in the userland areas than your average desktop system. It's the kind of attitude and ignorance that an overly peecee-centric view often brings. There are some very secure systems out there that are actually very flexible and even pleasant to work on.

1
0
Silver badge
Stop

Re: Trojans

"given that a file in Linux can carry any extension, even .txt, and still be executable"

More accurately, unix and unix-like systems don't use file extensions.

The nearest I've seen to it is from third parties (e.g. apache maps file 'extensions' to mime types)

0
0
Silver badge
Meh

Microsoft's Digital Crimes Unit

Like watching kittens swimming in treacle.

4
4
Bronze badge

Re: Microsoft's Digital Crimes Unit

"kittens swimming in treacle"

Is that on YouTube yet? Pretty much everything else kitten-related is there.

5
0
Silver badge
Windows

Re: Microsoft's Digital Crimes Unit

~~~~Nyan ~~~~Nyan ~~~~ Nyan ~~~~ Nyan ~~~~ Nyan ~~~~

Ok, Microsoft, this was pretty much "mission failure". How are you guys doing this? Is Gaius Baltar one of your brainboxes or what?

2
0
Anonymous Coward

Not so sure

I'm not so sure about the alleged collateral damage but I do know that all hackers and those who perpetuate bots, should be shot dead.

5
4

This post has been deleted by a moderator

Silver badge

Re: Not so sure

A little walk down memory lane, just for the lolz

http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/

5
5
Silver badge

Re: Not so sure

As you previously stated Trojans are platform independent. They are also independent of the security of the system when the user of that system is a consumer, not technically competent and allowed by the OS to install or execute code. Doesn't matter how secure the device is, if the user can run/install and grant privilege to software they will.

Security begins and ends with the user and most users these days are consumers, technically incompetent and would indeed be better suited to an appliance. And this is the direction Apple took, their products are more akin to appliances and are indeed more secure than they would be otherwise.

Microsoft are hoping they are not too late to the party, they want to lock Windows down and control the user experience/cash flow much in the way Apple farms its sheep now.

I don't have a solution that includes both security and user freedom. It seems the two are mutually exclusive. The consumer has to be technically competent to some extent or devices should really be appliances over which the consumer has little to no control over what is installed or where it is installed from.

7
0
Silver badge

Re: Not so sure @khaptain

The article you reference does not indicate a Linux fault, but suggests that the servers may have either been compromised by Apache (not part of GNU/Linux) or through poor administration. All that shows is the weakest part of any system is the wet-ware.

2
0
Bronze badge

Re: Not so sure

So you wanna kill 10,000 people employed by Microsoft, Adobe and others? This is too blood thirsty, amigo. Please see a doctor!!

0
0
Bronze badge

Damaging the competition

Damaging security companies' abilities to do what they do could be seen as an anti-competitive action to make Microsoft the only business in town.

2
8
Anonymous Coward

Lol, here is your 2 step plan for the day:

1. Get a clue

2. Remove post, repost with information that makes sense.

Ohh and 3. Have a nice one on idkwtf island!!

2
6
Anonymous Coward

Microsoft patented botnets ..

Microsoft should patent botnets, that way they can generate revenue from them ...

2
3
Silver badge
Stop

Since "hacking" is considered worthy of a 30-year prison sentence in the US, I hope to see several Microsoft execs behind bars for this. There's no question that what they did was illegal. If they had only sent the malware instructions to cease operating or uninstall itself, that would have been justifiable IMHO. But they chose to interfere with access to a legitimate website (or Facebook anyway), which, regardless of their intentions, is not a reasonable thing to do to somebody's computer without their permission.

Is there some technical detail I'm missing as to why this is supposedly okay?

3
2
Anonymous Coward

The bit where Microsoft did this in cooperation with the FBI is probably enough to shield them from any legal action.

By the way, what sentence do you think is appropriate for the person responsible for a PC that is infected with a Botnet agent? They're running a machine that is being used to attack other machines, or to generate spam. Complete disconnection from the Internet until they fix the problem seems like a perfectly reasonable penalty as far as I'm concerned.

2
0
Bronze badge
Linux

@sisk

Eadon, your argument about hiding extensions is just plain stupid given that a file in Linux can carry any extension, even .txt, and still be executable).

Eadon's suggestion was not about hiding or not the file extensions but the outrageous fact that Windows OS (at least, up until Windows 7) would base its file recognition on the extension solely. NTFS fs might support the POSIX file permissions, this is irrelevant when you are in Windows Explorer.

Funny thing, I have so many times seen the sight of a "Windows geek" changing the file extension (to .txt) to view it in Notepad.

On a *nix system, mailcap or the file, test utilities etc help automate the process of file recognition. Even so, if I change the file extension of a file, most GUI file managers (like caja/nautilus or kde-thingy) won't be fooled.

As far as *BSD is concerned, why do you generalize? OpenBSD is what you perhaps mean.

Microsoft have not yet come to neither secure repositories/BSD ports nor to a sophisticated apps uid isolation and permissions transparency similar to Android's. Microsoft have nevertheless amended the Windows EULA to withhold from users their right to decline it.

Hence, Redmond FAILS once again in security!

1
2
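The point made above, and in the earlier comment that a file on Linux "can carry any extension, even .txt, and still be executable", is that the extension says nothing reliable about what a file is; tools like `file` look at the content instead. The script below is an added example written for this page, not code from the commenter or from the `file` utility: it recognises a handful of formats from their leading magic bytes (a constructed signature table covering ELF, PE/DOS, shebang scripts, PNG, PDF and ZIP), flags files whose extension disagrees with their content, and reports whether the mode bits make the file executable regardless of name. The sample files and the extension-to-type mapping are assumptions made for the demo.

```python
import os

# Constructed table of leading-byte signatures for formats a triage script commonly meets.
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE/DOS executable"),
    (b"#!", "script with shebang"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP container"),
]

# Assumed mapping from extension to the content type a user would expect behind it.
EXT_EXPECT = {
    ".txt": "text",
    ".png": "PNG image",
    ".pdf": "PDF document",
    ".exe": "PE/DOS executable",
    ".sh": "script with shebang",
    ".zip": "ZIP container",
}


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, falling back to 'text' if it decodes as UTF-8."""
    for signature, label in MAGIC:
        if data.startswith(signature):
            return label
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown binary"
    return "text"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises one type and the content is another.
    Unknown extensions are not judged."""
    expected = EXT_EXPECT.get(os.path.splitext(name)[1].lower())
    return expected is not None and expected != identify(data)


def triage(name: str, data: bytes, mode: int) -> dict:
    """Summarise one file: detected content type, extension mismatch, and
    whether any execute bit is set in the POSIX mode bits."""
    return {
        "name": name,
        "content": identify(data),
        "mismatch": extension_mismatch(name, data),
        "executable": bool(mode & 0o111),
    }


def triage_directory(path: str) -> list:
    """Run triage over every regular file in a directory, reading only the first 16 bytes."""
    report = []
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(16)
        report.append(triage(entry.name, head, entry.stat(follow_symlinks=False).st_mode))
    return report


# Constructed samples: an ELF header hiding behind .txt with the execute bit set,
# a genuine PNG header, and a PE header hiding behind .pdf.
SAMPLES = [
    ("notes.txt", b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8, 0o755),
    ("picture.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR", 0o644),
    ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00", 0o644),
    ("readme", b"plain notes, no extension at all\n", 0o644),
]


if __name__ == "__main__":
    for name, data, mode in SAMPLES:
        print(triage(name, data, mode))
```

Only the first 16 bytes are read per file, which keeps the directory scan cheap; the ELF-behind-.txt sample is reported as a mismatch and executable, the PNG as consistent, and the PE-behind-.pdf as a mismatch even though its mode bits are harmless.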
Anonymous Coward

Go read the EULA

again, if you think MicroSloth is doing anything remotely illegal by unilaterally uploading mods to Zombies or their masters which happen to be running on MS product.

Fubar (anon cuz I dig the mask)

2
2
Silver badge
FAIL

Re: Go read the EULA

ARRRRGH.

Why do so many people blindly accept the terms of any EULA to be binding?

EULA's cannot override laws

0
0
Bronze badge

What I see here is an objection to national sovereignty. Some seem to wish to do their own thing, re-invent the wheel, ignore it if bribed, heaven knows what else.

In reality, Microsoft, for a change, is behaving like a comic book superhero, Ironman, if you will (Sorry, my wife is hooked on part of that franchise, probably also due to Hulk being present, as Incredible Hulk and Incredible Bulk are trivially confused).

Microsoft is playing Ironman. Some nations seem to object to someone not from their land enforcing laws that they refuse to enforce or at least get credit for enforcing.

Others benefit from non-enforcement.

0
1