Correction?
"common-and-control" should be command-and-control?
Also, SHOOT IT IN THE HEAD!!!!111
The spam-spewing Kelihos botnet has returned from the dead. Microsoft collaborated with Kaspersky Lab to run a successful takedown operation last September. The takedown decapitated the botnet by shutting down command-and-control server nodes, directing the bots on infected computers to contact a server under the control of …
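The mechanism the excerpt describes, redirecting bots to a defender-controlled server (a sinkhole) that answers their check-ins with nothing to do, is shown below as an added example; it is not code from the article or from the Microsoft/Kaspersky operation. The beacon format (an HTTP GET to `/checkin` carrying a hex bot id), the `Sinkhole` class, the `handle`/`report` helpers and the sample traffic are all hypothetical and constructed here. The point it illustrates is the boundary the later comments argue over: the sinkhole only accepts connections the bots initiate and logs who they came from; it never pushes anything to the infected machine.

```python
"""Minimal C&C sinkhole logger (added example, not from the article).

Hypothetical protocol: bots beacon with "GET /checkin?id=<hex> HTTP/1.x".
The sinkhole records which host beaconed and replies with an empty command,
so the bot idles instead of fetching spam templates. It never sends code
to the bot: cleanup stays with the machine's owner.
"""
import re
from collections import defaultdict

# Beacon request line as assumed for this example (not Kelihos' real format).
BEACON_RE = re.compile(r"^GET /checkin\?id=([0-9a-f]{8,}) HTTP/1\.[01]$")

# An empty 200 response: "no work for you" in this hypothetical protocol.
EMPTY_COMMAND = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def parse_beacon(request_line):
    """Return the bot id from a beacon request line, or None if it is not one."""
    m = BEACON_RE.match(request_line.strip())
    return m.group(1) if m else None


class Sinkhole:
    def __init__(self):
        # src_ip -> list of (timestamp, bot_id); the evidence handed to ISPs/CERTs
        self.hits = defaultdict(list)

    def handle(self, src_ip, request_line, when):
        """Process one inbound request; returns the bytes to send back (or None)."""
        bot_id = parse_beacon(request_line)
        if bot_id is None:
            return None  # not the bot protocol (scanner, browser): stay silent
        self.hits[src_ip].append((when, bot_id))
        return EMPTY_COMMAND

    def infected_hosts(self):
        """Sorted list of source IPs that spoke the bot protocol."""
        return sorted(self.hits)

    def report(self):
        """Beacon count per source IP."""
        return {ip: len(v) for ip, v in self.hits.items()}


# Constructed sample traffic (documentation-range IPs, not real captures).
SAMPLE = [
    ("198.51.100.7", "GET /checkin?id=deadbeef01 HTTP/1.1", "2012-02-01T10:00:00"),
    ("198.51.100.7", "GET /checkin?id=deadbeef01 HTTP/1.1", "2012-02-01T10:05:00"),
    ("203.0.113.9", "GET /checkin?id=cafef00d99 HTTP/1.1", "2012-02-01T10:01:00"),
    ("192.0.2.44", "GET / HTTP/1.1", "2012-02-01T10:02:00"),  # not a bot
]


def run_sample():
    """Feed the constructed traffic through a sinkhole and return it."""
    sh = Sinkhole()
    for ip, line, ts in SAMPLE:
        sh.handle(ip, line, ts)
    return sh


if __name__ == "__main__":
    sh = run_sample()
    print("infected hosts:", sh.infected_hosts())
    print("beacons per host:", sh.report())
```

The design choice worth noticing is that `handle` does nothing for traffic that is not the bot protocol and never returns anything but an empty command: the sinkhole's output is a list of infected source addresses for notification, not a fix delivered to the host.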
"A deliberate decision was taken NOT to patch infected machines, a problematic process that's illegal in some countries. Instead it was left to users to fix the security on their compromised machines."
You can't put a Bandaid on a huge gaping wound and expect it to heal. Seriously I don't care what the ramifications may be (Like it causing the infected computers to crash and if so good riddance to them). They should just fucking do it!
That is a law enforcement job, not that of a commercial software company. Not only would they be exposing themselves to prosecution (it is vigilantism, effectively) but I've no doubt that some enterprising individuals could arrange civil suits too.
What is needed is sensible, coordinated support by national law enforcement agencies. Now all we need are sensible law enforcement agencies who actually understand what a botnet is...
From an old copy of the EULA:
"You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer."
This is precisely the sort of thing that would be a valid use of this clause.
And how is telling the machines to look elsewhere for commands any different, other than the size of change?
I might be running a 'botnet' that has perfectly legitimate and essential uses (such as monitoring and controlling medical equipment for home care patients) and uses similar techniques to the spam code. If my application code is a commercial secret (of course it is), then how do Microsoft know that a specialised patch to stop the spam botnet wouldn't disrupt my application and screw up many people in a bad way?
(Before anyone says it, I know it should be running on a specialised Linux appliance.)
1. EULAs have been proven pretty much useless in court. Also they can patch their software; they cannot alter other software, i.e. forcibly remove the "program". By using AV, you are giving that explicit consent.
2. "And how is telling the machines to look elsewhere for commands any different, other than the size of change?"....
They didn't connect to the PCs. They interrupted the C&C servers, for which they had court orders.
Most people probably haven't patched as they are probably dodgy copies.
There does appear to be a bit of a difference between "provid[ing] upgrades and fixes to the Product" and "ramming upgrades and fixes to the Product down the unsuspecting Throat of the User without his/her Consent". While I would welcome the former, I'm basically not interested in the latter.
Warning dialogs are of no use, as that is how the fake anti-virus scams get onto the computer in the first place.
Fake AV comes in via some unpatched product like Java, Acrobat or Windows. It then deletes the legitimate anti-virus product and pops up convincing looking windows of its own. Those windows will look like Microsoft's own Security Centre and will include an "anti-virus" warning which guides you to pay up $50 to have your PC "cleaned". These even include UK Call Centres now!!
I am constantly dealing with this stuff. Speedily mutating products which keep finding ways round many legit anti-virus products. Good fun to kill though - I enjoy the challenge of tracking their tricks. And dumb users keep me in work
The fact that people fall for this sort of trick is exactly the reason why it should have been used to clean the machines. Remember these people have got their machines infected (probably by following a dodgy popup instruction) so it is absolutely correct to aim a legitimate popup at them as they obviously follow these sorts of instructions.
Yes, we tell them every day that it's a ruse and should never be trusted but have they listened?