Whitehats tackle The Great Botnet Dilemma

After infiltrating one of the biggest and most abusive known botnets, security researchers are wrestling with a thorny ethical dilemma: should they exorcise tens of thousands of possessed machines or simply leave them be? Pedram Amini and Cody Pierce, of security provider TippingPoint, reverse engineered the executable behind …

COMMENTS

  1. Pete

    Let the owner of the machine decide

    Send them a message, or instructions on how to remove themselves.

  2. vincent himpe

    simple

    use the bot to display a text that those people's machines are infected...

    and then a box : click here to remove for free.

    most of those bozos will click on it anyway. It will also give us a good indication of how many people click on anything they see pop up ...

  3. Anonymous Coward
    Flame

    Windows Life Support?

    IIRC the standard Windows EULA specifically states that it's not for use in life supporting situations - medical devices or nuclear power stations. So downing those infected machines, even as a deliberate act of 'self-defense' by the internet, would be warranted.

    It's bad enough that these unpatched machines are spewing spam at a prodigious rate; that someone would hook their poorly little snowflake up to a Win XP-powered heart machine is tantamount to child cruelty.

  4. JimC Silver badge
    Thumb Up

    Reluctantly I think they're right...

    As soon as you access other people's machines without permission, no matter how good the reasons, you're heading down the same ethical route as the bad guys. If it's right to use the botnet tools to take the software off, does it then become right to access machines to take out viruses, and so on and so on... Best to draw the line where it's black and white rather than gray... Now if you can generate an automated script that contacts those responsible for the PCs by publicly available info, reverse lookup say, that's OK I think...

  5. adnim Silver badge

    Obvious to me

    Where's the dilemma in reporting the IP addresses found and time of connection to the respective ISP owners of those IP ranges, who can then in turn email the customer and provide a link to some form of disinfectant?

    Like the title says this is obvious to me, or am I missing something here?

  6. Col
    Thumb Up

    [insert title here]

    What about modifying the code to continue trapping infected machines, but with a timer, at the end of which the user is presented with the fact that their 'puter is infected along with a link to the details of how to remove it (with some security mechanism to ensure this isn't hijacked by the bad guys) and the option to immediately disinfect the machine? Win all around.

    If it were me, I'd attempt to further infiltrate the net with a view to using it to shut itself down from within. But IANA expert in these things. Still, nice work.

  7. Ed
    Coat

    Can't they tell the ISPs

    which IP addresses are infected and then have the ISPs inform the user. Then if the user wants it removed, give a thumbs up. I bet ISPs would love to have some of that bandwidth back.

    Or why don't they just post some form of tool to remove it. If it exists, then it says you were part of the army and now you are not. If you were not, then it says that nothing was found.

    Mine's the simple...obvious coat over there

  8. Anonymous Coward
    Anonymous Coward

    Who'd do this?

    > is anyone foolhardy enough to rely on a Windows PC for life support?

    Cough - Microsoft Windows for Warships - cough.

  9. M. Burns Silver badge
    Flame

    What a great scam TippingPoint is running!!!

    They claim they've performed this great technical feat, and then create a fake ethical dilemma so that they never have to prove their claim! Brilliant!

  10. James Smith
    Stop

    I agree

    I don't like the idea of an extended tit for tat exchange between the bot masters and the bot exterminators played out on my machine. This could get messy. Especially when the next logical step in the arms race is to deliberately make attempted removal of the bot more damaging than leaving it be.

    Best to contact the users concerned. They'll need to get involved in order to patch the vulnerability that got them infected in the first place.

  11. This post has been deleted by a moderator

  12. Dan Goodin (Written by Reg staff)

    Contact them???

    James Smith, et al.

    Ever notice how slow ISPs are to deal with anything? Now multiply the delay by 25,000. I'm pretty sure TippingPoint has better things to do. As for popups and other types of notification: anytime you're running code on an infected machine, you're likely to get unintended consequences. Bottom line, contacting the infected users isn't practical. Anyone who believes otherwise should go ahead and contact each user himself (a list of the infected IP addresses is at http://dvlabs.tippingpoint.com/pub/pamini/kraken_uniq_ips.txt)

    M. Burns, if you'd bother to look, you'd notice TippingPoint documented infected IPs and gave a deep dive analysis into their infiltration. What kind of proof do you want?

  13. Simpson
    Coat

    Mr Ed

    "which IP addresses are infected and then have the ISP's inform the user"?

    Take your coat off, it's not that simple...

    The ISPs do not care. Wait... I mean they do "care", but they decided long ago that it is too expensive to notify users. Notification leads to tech support calls, which cost money, which reduces executive bonuses.

    Many of these users would call multiple times, which would cost even more. Then the user will get infected by something else and call the ISP tech support, because they are now conditioned to do so.

    It is not their business model.

  14. Gordon Jahn

    "Click here to remove"...

    I love the comments saying the researchers should display a message getting the user to remove. These people have obviously been enjoying safe, pop-up free browsing for a while - every time I end up on an ancient PC that I can't update (it happens from time to time...) I see messages exactly like that that are part of web pages - and _all_ the education says "you never click 'em".

    Go down the road of putting a message on screens and you're playing right into the botnet controller's hands.. a valid reason to run a program presented to you against your will or knowledge.

    The only answer is to go via the ISPs - they might not be able to contact everyone and probably wouldn't want to spend money calling people, but it's the best answer without opening up a social engineering attack vector.

  15. Gordon Fecyk
    Pirate

    Cure for the Common Cold found: film at 11

    That alone should stir up enough postings. Imagine if a cure for the common cold were really, really found, as in a broad spectrum anti-virus medication for human beings. Such a discovery would risk putting much of the pharmaceutical (sp?) industry out of business, in theory.

    Now do a word swap of "common cold" for "kraken." Or, for that matter, for "storm worm."

    I'm anxious to see the responses.

  16. Pete Spicer
    Coat

    Actually...

    Here's a thought - what would happen if the details were passed onto the ISPs with the following note attached:

    "Here is a list of IPs of users who got infected with a botnet virus [or whatever you want to say]. Contacting them will allow them to remove it - this means less traffic you have to carry on your network, thus lowering your costs."

    Tiscali would jump at that one!!

    </coat>

  17. Anonymous Coward
    Paris Hilton

    Dilemma? What dilemma?

    Sorry, but I fail to see TippingPoint's dilemma. The problem presented is that of unauthorized access. The zombie machines, however, logged into TippingPoint's server and asked for directions. When a machine, acting as an agent for the end user, logs into your server and gives you root access, I don't see how this is unauthorized.

    Thus, I don't see the problem with completely disabling the box in a fashion characteristic of a virus. Unintended consequences are the user's problem, as he allowed his box to offer complete strangers root access. Disabling the box with a spooky virus screen may also have the effect of causing users to invest more time and money into their virus protection plan.

    Paris... because she never lets strangers root her box.

  18. Stone Fox

    Windows based life support

    Come on then, all together now:

    BLUE SCREEN OF DEATH! :D

  19. Eugene Goodrich
    Paris Hilton

    I already get these popups...

    I already frequently get popups (or popunders) that note my machine is, or may be, infected with a virus or a bot, and I need only _click here_ for free removal.

    So clearly someone sidestepped this ethical dilemma some time ago. Even before this botnet was reverse-engineered, if I recall. Wait a minute...

    Paris, because even she would see the problem with doing popup notification. Durrrr....

  20. Jon Minhinnick

    Record the ip addresses...

    ... and blackhole them. If the user cares, they'll fix it themselves. If not, they stay blackholed. And because they're mainly home users with dynamic IP addresses, refresh the blackhole list once a week. Oh, and notify their ISPs so when the user rings up, there's a listed reason they've been sent to /dev/null.

    Hmmm... what if webservers also use the same blackhole list, so they don't serve to spamming machines. Then, the user would really care about getting back online. Just send back a page to the user that the requested page will only be displayed if they remove their bot.

  21. Anonymous from Mars
    Thumb Up

    TippingPoint says 192.168.1.21

    I am greatly amused that 192.168.1.21 is on their list.

  22. This post has been deleted by a moderator

  23. Anonymous Coward
    Anonymous Coward

    Windows Life Support?

    Besides the scariness of that, why would a life support machine be connected to the internet? An intranet I could see, but not the big internet...

    They should have just kept mum about all this, and went through with removing the thing. Ethics indeed.

  24. RW
    Dead Vulture

    Windows LIfe Support

    It may be an urban legend but it sounded authentic when I heard it:

    Patient undergoing operation. Important apparatus controlled by Windows, anesthesia, ventilation, blood pump, something important. Windows decides it's time for an update, calls home, downloads update, installs it, reboots, and kerplunk, a patient in very bad shape thanks to Windows going off duty at a critical time.

    True? False? Anti-MS propaganda? Anybody know?

    Maybe our poor vulture was on Windows-run life support?

  25. Anonymous Coward
    Go

    Just do it!

    Stop creating a mountain out of a molehill and just remove the trojans! They've already stepped over the line of unauthorised access by taking control of them. If anything bad results it is because of the original hacker. Do we stop doctors from trying to save patients on the off chance that they might die in surgery? No.

  26. Dick Emery
    Paris Hilton

    Ethics?

    Just bloody fix it and stop being wusses.

    Ethics? I know an Ethics girl.

  27. wibbilus maximus
    Boffin

    here's a thought....

    "We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie"

    ok, in that case why not just do an 'update' that just changes the IP address that the machine reports to to 127.0.0.1. It wouldn't remove the zombie, true, but it would disable the network, and as it's not making any major change to the program, there shouldn't be any way that it would cause the machine to crash

  28. Anonymous Coward
    Gates Horns

    When Self Righteous Reaches For The Crack Pipe

    I'm sure a quick search would show no medical life support program runs something so broken as a windows operating system. The decision is moronic and almost stinks of his involvement within the kraken system. How easy it would be to pose a ridiculous philosophical and moral dilemma to poor simpering geeks to keep your botnet alive.

    Ah fuck off with this

    - get us something real - this isn't even worth news, it's a cross cyber wank fest wherein the geeks nervously pat one another on the back at the same time as they offer a reach around.

    Kill the fucking thing.

    It's that simple.

    If you have the means to kill the botnet.

    Kill it.

    If not.

    Wait until you do.

    Releasing this information - just smacks of inside job bullshit.

  29. Ralph
    Go

    They better do it quick

    They should act fast whatever they do because you can bet the botnets creators are busy rolling out an update to change the DNS addresses it reports to as quickly as they can.

  30. Adrian Esdaile
    Unhappy

    @ here's a thought....

    "...that just changes the ip address that the machine reports to to 127.0.0.1...."

    That was the very first thing I thought of when I read the article. (Does this now make me a Cyber-Gibson-esque 1337 wh1t3-h47 playaz fo' shizzle?) Instead of remotely executing machines (and presumably people on MSN Live OneCare Life Support?), can't they just patch the botnet to simply stop transmitting? Send all messages to /dev/null and/or 127.0.0.1? Couldn't they have just gone and bloody done this with little or no fanfare and watched as the internet breathed a collective sigh of relief, then sat back and basked in the afterglow of a Good Deed Done?

    But no, they had to yell to all and sundry "Hey Youse Bad d00dz, we's totally like ontaz ya and wiz gunn4 k1ck yoz asses", with the result the botnet controllers will just upgrade to Botnet 2.1.

    Thanks a heap, may all your pr0n get pwned by newer botnets.

  31. Danny
    Pirate

    Drama Queen

    Dilemma? Just fix it already, duh. I don't believe the airheads still using Windoze and allowing their machines to become zombies would even notice. And if it did go tits up how would they know it was the fix and not the zombie code? A fresh reinstall might well do their machine a world of good and rid it of any other parasites they are doubtless hosting.

    Better still, install a keylogger, grab the lusers credit card number and order them a copy of F-Secure et al. D'ya think they'd get the message? Hell, why not just install Ubuntu and have done with it.

    If TP leaves the network be, then the spammers will see these reports (if they haven't already) and reconfigure Kraken. TP will be back to where they started and the rest of us will continue to drown in invitations to buy dodgy rolexes and fake v1Agrrr.

  32. tony trolle
    Joke

    @rod - Microsoft Windows for Warships

    I was thinking Microsoft Windows Death Server 2006 (or ver 6.6.6)

  33. Kanhef
    Boffin

    Escalating warfare

    Attacking the botnet this way would set a precedent that could dramatically change the virus/antivirus battle. The so-called whitehats would presume the right to make arbitrary changes to any computer, neither asking permission nor notifying the owner of what they had done. Someone would decide that hijacking botnets isn't enough, or they evolved and became impossible to hijack, and write their own virus that removes others or fixes vulnerabilities as it spreads. The line between 'good guys' and 'bad guys' gets very blurry when both use the same means, only claiming different motivation.

    Today, the AV crowd fights the VXers by trying to educate users and admins, and make them install security patches and AV software. Tomorrow, that could become a head-to-head war for control of third-party computers (home, business, server, all fair game), with those same computers also the battleground. Both sides will write programs that try to infiltrate your computer and make changes to the system; one claims it's 'for your own good'. The AV programs won't just clean up your computer and leave; they'll stick around and try to prevent other infections. The VXers will be doing the same thing, of course. It will be hell for anyone who wants to connect to the 'net and still retain control over their own computer.

    This is why the 'good guys' who want to stay that way are hesitating. They're thinking about the consequences of their actions, not pulling the trigger as soon as they get their hands on a gun and seeing who they hit later.

  34. Maksim
    Stop

    @wibbilus maximus & others with idea of changing address to 127.0.0.1

    Don't be so quick in assumption that it wouldn't hurt anything. There's plenty of things that can go wrong with that, simplest being the bot client doing something unexpected when not receiving any ACKs for some period of time. And all kinds of possible resource problems - potential memory/handle leaks due to excessive retries, overflows and whatnot

  35. James Henstridge
    Unhappy

    @ here's a thought....

    The machines got infected through some vulnerability at some point in the past. Chances are that the vulnerability is still open and the user still does the things that got them infected in the first place.

    The bad guys have a mechanism for distributing software updates besides the botnet, so it isn't a stretch to imagine them using it to fix interference from the good guys.

  36. andrew
    Stop

    Been seen before...

    IIRC wasn't the Blaster or Nimda virus (as I remember them being called) followed up by a 'fix' virus that attempted to remove it.

    Working for IT support at the time the cure was as bad as the virus...

    I'd say that viral fixes (or even targeted ones, as this is) are a great idea so long as a proper support mechanism is in place - as essentially who knows what's on that user's machine. And of course who wants to be responsible for supporting upwards of 25,000 disparate machines which are, by merit of being infected, utter pants.

    Personally I'd keep quiet, watch what's going on and going where and try and start to find out a little more about who's running the whole thing. Then use something with terminal force...

  37. Anonymous Coward
    Stop

    Nah

    Let 'em suffer in their jocks!

    If these users are so stupid as to not protect their computers, then let them get on with life under their Russian Overlords.

    As long as I am safe, that's all that matters.

  38. This post has been deleted by its author

  39. Simon

    Shameful hesitation.

    So what about the theoretical "Life support computer" that has its bandwidth and resources compromised by the spam these bots are sending? What about the sites that are DDoS'd, costing thousands and again, potentially putting lives at risk (Continuing Dave Endler's ridiculous theory)

    What about the genuine emails (Maybe giving life-saving information!) that will be incorrectly deleted either by humans or antispam filters required to deal with this problem? The potential positives, both proven and theorised, far outweigh the negatives. It's like picking ticks off your dog. It's a parasite, it's harmful, it has to go - you don't go agonising over how the mother and father of the tick might feel.

    Reporting to ISPs is useless, they so rarely do anything about anything, preferring to stay quiet and take the customer's money, ignoring *anything* they do. (Social responsibility from any big business? Pfft)

    TippingPoint, you have a golden chance and if you want to make a difference and actually do some good in the world instead of standing by and flapping your mouth. DO IT.

  40. Simon

    And another thing!

    If you have the chance to stop a crime and you don't, aren't you an accessory?

    In this case, TippingPoint might be seen as abetting the theft of credit card details and personal identity information, as well as sending unlawful bulk emails and involvement in denial of service attacks.

  41. foo_bar_baz
    Thumb Down

    ISPs "not capable" are just not willing

    ISPs that are not proactive are just being lazy and bad Internet citizens. A major ISP in my country will redirect all web pages to one saying "your machine is acting as a spam zombie, clean it up to regain Internet access" if it detects excessive SMTP traffic.

    I'm not sure about the technical details (do they just redirect port 80 or block the entire connection; do they just look at volumes or do they analyze the traffic to see it's actually spam; is it automated or are humans involved) but it's happened to several people I know.

    Don't say ISPs cannot do it.
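    The detection side of what this comment describes (an ISP spotting a spam zombie from its outbound SMTP traffic and then redirecting it to a clean-up page), as an added example that is not the code of any provider named in the thread. It assumes flow records of the form "epoch src dst dport", a threshold of 20 distinct port-25 destinations within a 60-second window, and a known smarthost address to exclude, all chosen for illustration; the traffic is constructed inside the block. The threshold is on distinct destinations rather than raw volume because a home PC handing 50 messages to its own provider's relay is normal, while one opening port 25 to dozens of unrelated MX hosts is not.

```python
"""Flag spam zombies from outbound flow records, the way an ISP can.

Added example, not the code of any ISP mentioned in the thread. It
assumes flow records of the form "epoch src dst dport" and two
parameters picked for illustration: a host that opens port-25 sessions
to 20 or more distinct destinations within 60 seconds is flagged.
Traffic to the provider's own smarthost is ignored, since a home PC
handing mail to its ISP's relay is normal and a home PC talking to
dozens of unrelated MX hosts is not.
"""
from collections import defaultdict, deque

SMARTHOSTS = {"198.51.100.25"}   # the ISP's own outbound relay (assumed)
WINDOW_SECONDS = 60
DISTINCT_MX_THRESHOLD = 20


def build_sample_flows():
    """Constructed sample traffic: one zombie, one normal user, one slow sender."""
    lines = ["# epoch src dst dport"]
    for i in range(30):               # zombie: 30 MX hosts in 30 seconds
        lines.append("%d 203.0.113.50 192.0.2.%d 25" % (1000 + i, i + 1))
    for i in range(50):               # normal user: 50 mails via the relay
        lines.append("%d 203.0.113.7 198.51.100.25 25" % (1000 + i))
    for i in range(15):               # slow sender: 15 MX hosts over 10 minutes
        lines.append("%d 203.0.113.8 192.0.2.%d 25" % (1000 + 40 * i, 100 + i))
    lines.append("1010 203.0.113.50 192.0.2.200 443")   # web traffic, ignored
    return "\n".join(lines)


def parse_flows(text):
    """Yield (epoch, src, dst, dport) tuples; skips blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


def find_zombies(flows, window=WINDOW_SECONDS, threshold=DISTINCT_MX_THRESHOLD):
    """Return {src: peak distinct port-25 destinations} for sources over threshold."""
    recent = defaultdict(deque)       # src -> (epoch, dst) seen within window
    flagged = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != 25 or dst in SMARTHOSTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and distinct > flagged.get(src, 0):
            flagged[src] = distinct
    return flagged


if __name__ == "__main__":
    for src, peak in find_zombies(parse_flows(build_sample_flows())).items():
        print("%s: %d distinct MX hosts in %ds, redirect to clean-up page"
              % (src, peak, WINDOW_SECONDS))
```

    On the sample only 203.0.113.50 is flagged: the relay user never counts, and the slow sender never reaches 20 distinct hosts inside any 60-second window, which is the trade-off a provider has to accept between catching low-and-slow bots and cutting off legitimate mail.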

  42. amanfromMars Silver badge
    Alien

    Normal Service will be resumed as soon as Possible? The Great White Dope Hope?

    "I don't like the idea of an extended tit for tat exchange between the bot masters and the bot exterminators played out on my machine. This could get messy. Especially when the next logical step in the arms race is to deliberately make attempted removal of the bot more damaging than leaving it be." ... I agree By James Smith Posted Tuesday 29th April 2008 20:15 GMT

    James et Al, [ Good Morning Dan Goodin in San FranCisco, how's Greg Garcia this morning. Shame that no one was really talking to him and that talks to him were so few, ..... http://www.theregister.co.uk/2008/04/25/greg_garcia_interview/comments/ .... which is unusual, whenever more were sent than were shared. Spooky that. Are you infected with a virus? However, that is water under the bridge, and I digress.]

    I would also agree, and suggest that any and all such attempts would be suicidal, and render no damage or harm to the intended target, at all.

    You may like to consider that you are reacting to a much SMARTer Program with ProgramMIng which is many more logical steps ahead than merely the next one, and is Perfectly Aware/Mindful of all possible reactions to ITs Programs and FailSafe Protected against all of them.

    You may like to further consider that what you are dealing with is .... AIRogue in Vogue HomeoPathic Binary with an Immune System which is Prepared for Assault and Attack by Simple Virtue of Assault and Attack which it has already suffered/sampled and which IT has Reverse Engineered for Source Recognition and Enjoyment.

    And finally, how do you deal with IT whenever the Driver Machine/Botnet/NIRobotIQs Virtualise their Systems Machinery from Control of Hardware/Computers to Control of Software/Computer Users in a Mirror of an Attack Vector suggested against ITs Presence ....Communication with Infected Machines with Advice of Infection. A SMART Virtual Machinery System using Advanced HomeoPathic Binary Codings, and let us call them CodeXXXX, would probably be into Sublime Messaging Systems, Quantum Communications which allow Stealth by Virtue of the Fact that their Signals are QuBits [A qubit has some similarities to a classical bit, but is overall very different. Like a bit, a qubit can have two possible values–normally a 0 or a 1. The difference is that whereas a bit must be either 0 or 1, a qubit can be 0, 1, or a superposition of both...... http://en.wikipedia.org/wiki/Qubit] Strung for All Purpose, dDeeply Embedding Entanglement for Host TakeOver/MakeOver.

    Just a Future Thought Shared, for it would be a QuITe Logical Next Step to move Matters into the Cloud for AI Beta Control of Mastering/Mentoring and Monitoring All Systems.

    And I also agree, if you can Fix IT, Fix IT if you Can. Although if you don't or can't, it means that it is a lot SMARTer than you have ever Imagined, and are equipped to Deal with, and you are Following ITs Lead[s]

    Has anyone Thought to Cut AIdDeal? Splash some Flash Cash? It appears to work well with everything else.

  43. Kevin McMurtrie Silver badge
    Gates Horns

    Notify the ISPs

    The right thing to do would be to notify the ISPs of which computers are suspected of being hijacked. Good ISPs will take care of the problem. Some ISPs won't give a crap, but spam filters and firewalls know about them already.

    Satan Gates because...

    <abuse@microsoft.com>:

    131.107.115.214 failed after I sent the message.

    Remote host said: 550 5.7.1 <Your e-mail was rejected by an anti-spam content filter on gateway (131.107.115.214). Reasons for rejection may be: obscene language, graphics, or spam-like characteristics. Removing these may let the e-mail through the filter.>

  44. Anonymous Coward
    Anonymous Coward

    Shut them down

    If shutting these botnets down might inconvenience a small percentage (let's say 1%) of the infected, out of 25,000 that's only 250.

    There are millions of people out there that will be glad of less spam.

    Furthermore, so what if shutting down the botnets crashes someone's PC?

    They'll most likely say "f*cking Windows has crashed again....". Reboot and continue on their merry way.

  45. Dave Bell

    Ethical, legal, or neither?

    Ethics is not the same as law.

    And both Kraken and the proposed countermeasure seem equally illegal under the Computer Misuse Act. Though there are legal principles which might make sufficient distinction.

  46. Clint Sharp
    Paris Hilton

    Nike..

    Just do it.

    BTW, lots of medical devices run on windows, the foetal heart rate monitors in my local maternity dept and I assume many more run on Windows. Just because a *standard* EULA says you can't do it doesn't mean there's not a version that isn't designed for use in such devices.

    Paris, because I get a popup every time I see her.

  48. Anonymous Coward
    Anonymous Coward

    Google - Awareness Screen

    Google have the ability to change their homepage for IPs that are infected (they've done it before); they can present a "do you want us to clean your PC?" question screen, and by gaining permission they could send the IP to TippingPoint or fire the clean-up code directly. It would be a good thing for them to alert the users in question, and good publicity for Google too!

  49. Svein Skogen
    Happy

    If they have decoded the control protocol...

    If, as they say, they have decoded the control protocol of this dronenet, couldn't we, the various netadmins around, use that information to add policy-classes to our edge routers that simply drop the "updates"? After all, this was possible with several of our older friends like nimda/code red/blaster/etc. Even if the first-line support and tieracks in management are all for making the internet even less safe (so their school pals who are execs at the "security firms" selling "security software suites" can make more money), I sincerely doubt most thick-skinned netadmins would miss any sleep over policy-routing this botnet's protocol into the same martian-filter they are already using.

    And I agree that we must separate between blackhat problems, whitehat saints, redhat morons, and day-to-day operations engineering. The latter being a mix of most of these. Going all vigilante and actually executing software on the victim computers doesn't solve the problem. It adds to it. Denying the botnet itself the update service, by blocking the protocol, sends the message that ISPs don't want to waste bandwidth on this. If the botnet goes into self-destruct mode if it can't contact its main server, there is time to do some more digging, and find the individuals behind the botnet (and possibly the company they work for. Follow the money), and make sure that the persons behind this can be sued for ALL the damage they have done. If that means they (and the tieracks behind the dronenet, again; follow the money) will be sitting on the street with a big sign saying "will give head for food", and never again be able to touch a computer (and if they do, it will be confiscated to pay their debts), that is ok with me. If it damages property, make sure they are facing "damaging property with criminal intent" charges (this will solve the botmasters' roof-over-head problem for a time), and doing things this way sends a fairly clear message (especially if we get the tieracks as well!): We will not accept dronenet programming. Cross that line, and you are "fair game", and WILL be utterly removed from society.

    So, where is the regexp we need to add to our classmaps to disable the dronemasters remote-upgrade ability?

    //Svein

  50. Paul

    inform the authorities?

    Surely they should talk to the FBI etc. who have people investigating these botnets. If they say 'yes, we think you should remove them from people's PCs' then it would remove their liability for anything going wrong, I should think?

  51. Jaap Stoel
    Flame

    I don't see it.

    I just can't see how killing Kraken is bad.

    You've got an ethical 'dilemma' that says: We can help tens of thousands of people. But we'll be doing it without their permission. And whats worse. Most of these people won't even notice being helped!

    The worst thing that can happen is that a small percentage of the users will suffer a crashed computer. Boo-hoo.

    I say nail em! Send out that update and kill Kraken.

  52. Anonymous Coward
    Anonymous Coward

    Contact them...

    I had a thought a bit back that browsers should check themselves against a blacklist somewhere (yes, problem right there) and flag up a problem in the browser if you're on the list. Like they all do in the tool bar for blocked scripts these days.

    Thus allowing some kind of feedback on security problems on your machine.

    I'm not sure how you would ever get off the list though.

    BTW It's not just life support directly running windows, it's all the networked file (et al) servers in hospitals and shops, accidentally crashing these by a botched update could still cause huge amounts of damage.

  53. Ryan Barrett

    Nuke the machines

    If they've managed to get themselves infected by such a bot, the only fair and safe thing to do is render the machines unusable.

    Removing terminally stupid people from having the ability to install the next big worm is an excellent idea.

  54. Didelphodon
    Alert

    Let the related CERTs and CSIRTs decide

    Split up the zombie IPs in countries and give them to the related national CERTs/CSIRTs - they (should) know what has to be done.

    Btw., there is much more medical hardware running unpatched Windows (e.g. Win NT) OS than you would guess!

    Cheers,

    Didel

  55. Unlimited

    Utilise it.

    Now that they're controlling part of it, use the zombies they own to attack the other control servers.

  56. Ian

    @ James Smith

    "I don't like the idea of an extended tit for tat exchange between the bot masters and the bot exterminators played out on my machine. This could get messy. Expecially when the next logical step in the arms race is to deliberately make attempted removal of the bot more damaging than leaving it be."

    Then protect your machine. The point is they don't need to just remove the software, opening them up for reinfection, but could patch the attack vectors in the first place, other than dodgy sites. When the MS blaster thing went off someone released a worm that did just this, patched the broken machines. The problem was whoever wrote the "good" worm was an idiot and made the machines check ranges of IPs non-stop, causing as much flood traffic as the original worm. As long as white hats are competent and sensible enough to fix the problem properly then that's all that matters.

    "Best to contact the users concerned. They'll need to get involved in order to patch the vunerability that got them infected in the first place."

    In all honesty, even if a patch by the white hats causes a problem with the end user's machine then I don't see it as a big deal; the user needs to go get their machine cleaned up and sorted anyway.

    As for ISPs not being willing to solve the problem, is that really true? These bots just sit there chewing through bandwidth; there's a hell of a financial incentive for ISPs to cut this kind of traffic off their network and go back to raking in a fortune over low-bandwidth users, rather than trying to blame the few high-bandwidth users for their failed business models that they do nothing to resolve.

  57. Adam Foxton

    Use it for distributed computing!

    400,000 more computers IIRC on Kraken- Think what that could do for the find-a-cure-for-cancer-boinc thing!

    And it's not like the infected would notice anyway. So just send out an upgrade to the Kraken software and get it doing something useful!

    Alternatively get the infected to download a load of mp3s and then send the infected IP range to the RIAssAmerica. They'd never be able to take on 400,000 more cases, and if they don't defend against them then they're not defending their copyright. Which I seem to recall has something of a detrimental effect on the legal protections their copyright is granted.

  58. Ken Hagan Gold badge

    Re: I don't see it

    "You've got an ethical 'dilemma' that says: We can help tens of thousands of people. But we'll be doing it without their permission. And what's worse. Most of these people won't even notice being helped!

    The worst thing that can happen is that a small percentage of the users will suffer a crashed computer. Boo-hoo."

    No, the worst thing that can happen is that they don't manage to remove Kraken (so there is no benefit) but they establish the principle that it is OK to hack into someone else's computer as long as *you* (rather than the owner of the machine) think it is "for the best".

    Whilst you are in there, you could patch up their copy of Windows, disable unnecessary services, install a free AV product, and lock down the security settings for the "Internet" zone. How could anyone possibly object?

    Better still, you could replace their OS with Ubuntu and migrate all their Windows apps to WINE. How could anyone possibly object?

    It's the thin end of the wedge, and since Kraken's masters are now aware of the vulnerability they are probably already distributing a "fix". IOW, it is probably already too late to kill Kraken. All you can possibly do now is harm. Given the level of stupidity amongst "the infected", a crashed computer might actually deprive them of their online presence for a few weeks whilst they get around to "buying a new PC, because the old one crashed". You might as well have stolen their PC. (But how could anyone possibly object?)

  59. Anonymous Coward
    Linux

    All your botnetz are belong to us

    ...except they aren't really, are they?

    14% of them out of action isn't going to make a big difference to the amount of spam sent, and that's just one of many botnets.

    I wonder how bad spam will have to get before we welcome the enforcement of annual MoT tests for PCs before being allowed to use the internet?

  60. Morten Ranulf Clausen
    Paris Hilton

    Doesn't matter

    This window of opportunity has probably closed already due to publicity. If the nitwits had started out just disabling the machines (by, say, killing the OS so a reinstall is needed) the botmasters wouldn't have had a clue as to what the problem was and the operation could've continued. This open discussion is probably the single worst way of handling it. Gawd what idiocy... And no, it's not a crime to shut down a misbehaving machine by killing it. Dixit. It's not like it causes any kind of permanent damage.

    Paris, because she would've done the same...

  61. Richard Kay
    Stop

    @BKB

    "Considering the sad cases of people who've been arrested and even punished just for pointing out security holes, the idea of taking over these PCs is not wise. Does anyone remember the case of a security expert getting arrested over typing ../../.. into a web server?"

    I use the case of Rex v Daniel Cuthbert as a study for my students who are interested in the Computer Misuse Act. His actions were a bit like someone being seen nosing around my house trying all my doors and windows by the local bobby responding to an alarm and when questioned tells the police he was trying to help me by warning me that he thought I might need better locks. Daniel was lucky to have got off as lightly as he did. This was because his defence held up, which claimed that he was genuinely concerned about the security of the site through which a small donation was made. If this defence had not held up, he might have been up for a CMA section 2 offence (max 5 years) as opposed to a CMA section 1 offence (max 6 months). As it happens his unauthorised and unwelcome site-security probe in attempting to gain unauthorised access cost him a big fine and losing his job, which seems about right to me.

    Pointing out a security hole in a product you have bought or installed for yourself is fine. Probing someone else's installation of a security product when they have not asked you to isn't and thankfully the law seems to know the difference. If you don't know the difference then you could do the rest of us a favour by staying away from other peoples computers and systems until you do.

  62. Anonymous Coward
    Anonymous Coward

    >MoT tests for PCs

    It's the driving licence that is the problem.

  63. Anonymous Coward
    Coat

    What to do .. what to do ...?

    Inform ISPs? Some may take action, but a lot have shown remarkable inertia related to anything to do with security of their customers' machines.

    Inform the machine owners? You're having a laugh. The majority of these people, being Windows users, won't have any idea what you're on about (I have enough painful experience of providing tech support to Windows users to be well aware of this) ... A lot have enough trouble with the concept of the 'start' button - they can't figure out how to run programs if there is no desktop shortcut. How do you expect them to remove cunningly engineered bot software from their machine, even if it's as simple as downloading and running a utility?

    Personally I'm in favour of proactive action. I can see why Tipping Point as an organisation would have cause to hesitate as their finger hovers over the button. Goddamnit, give *me* the button, *I'll* push it for them.

    Mine's the one with 'vigilante' across the back...

  64. Derek Thomas
    Go

    Do the deed and get rid.

    Unfortunately an email that tells the computer owner they have a bot is going to be taken as just more spam. I say get rid of them, but using their own actions against them. As they are seeking instructions, tell them to self-destruct. If it were my PC (even with the latest updates it still could be :-( ) I would be grateful for the help.

  65. Pete
    Heart

    @ Ken Hagan

    This is the way that the world is going. Imagine that you notice that your neighbour's front door is open and has been for a while. You know it shouldn't be and you worry that someone might take advantage of it and burgle them. What would you do? Simple - you would close their door for them. According to your argument, you shouldn't close the door because it would be the "thin edge of the wedge" and because you could have, instead, popped into their house for a cup of tea, watched their videos and taken a dump in their toilet.

    Previous comments are correct. People are simply wooses these days. More interested in self-serving publicity than in just doing the right thing. More scared of what could go wrong if they get involved. After all, turning a blind eye is so much safer. Let's just go about our business, let's forget our neighbours, let's allow the bad guys to win. Have you not tickled my tummy in a while mister bad man? Hang on, I'll just roll over for you. Pah - just take the Kraken down, or as much as you can do, or stop talking about it and wasting our time.

  66. JonP
    Black Helicopters

    Consequences

    Let's face it if they took any positive action to remove the infection they'd likely end up doing it to some government department's computer and "cause" >$5000 worth of damage etc. ... and even if this is unlikely there'll be someone in that 25,000 who objects and decides to cause trouble ...

  67. Shinobi87

    @Eugene Goodrich

    I think your machine is infected with malware spam! Because it's not normal to get popups saying "omg you may be infected buy this product". Download Spybot.

  68. Ross

    Depends where the server is located

    Basically removing the trojan sans permission is illegal. If the server that does the disinfection is located somewhere that makes prosecution very hard for most people then they'd probably get away with it, but would you risk your business on it?

    The better option would be to set up the server ready to disinfect PCs on a case by case basis, and allow people to connect to the server, have it check the database of IPs and ask for permission to disinfect. Would it be as effective? No. But it's better than nowt, and it's legal to boot.

  69. Anonymous Coward
    Coat

    how about Tippingpoint run a dnsbl?

    Dan Goodin wrote: (a list of the infected IP addresses is at http://dvlabs.tippingpoint.com/pub/pamini/kraken_uniq_ips.txt)

    (Anonymous from Mars noticed 192.168.21.1 in the list but somehow failed to see the very first IP address in Tippingpoint's list!)

    Since this seems to be de rigueur here: mine's the bright florescent orange coat..

  70. Morten Ranulf Clausen
    Gates Horns

    Let them object

    IMO a botted PC is like a runaway horse - it can be shot at will if it looks even slightly dangerous to people or property and the owner has some explaining to do. No Windows Update, no firewall, no antivirus? Pay up, bud. Don't know what they are? Take a course. Even OAPs take courses in PC-driving. Can't understand it? Sad. Learn to crochet. Or take the dog for walk.

    Bill 'cause letting all those suckers get their paws on a full-featured PC was a baaad idea...

  71. amanfromMars Silver badge
    Alien

    If you wait for permission, you aint leading anything nor ever will. Just do IT.

    "No, the worst thing that can happen is that they don't manage to remove Kraken (so there is no benefit) but they establish the principle that it is OK to hack into someone else's computer as long as *you* (rather than the owner of the machine) think it is "for the best"." ...... By Ken Hagan Posted Wednesday 30th April 2008 09:28 GMT

    Now we're getting right down to the nitty gritty of the IP Matter.

    That Principle is long ago Established and Runs the Establishment System [everybody else's computers] which hides its Autocracy/Despotism behind the Spinning Magic Cloak of Democracy [the crack hack,*you* thinking it is "for the best" ]...except that the Magic is Jinxed and a Fraud/merely a Confidence Trick rather than anything ESPecial.

    However you can only Fix IT if you are able to supply more sophisticated/more Intelligent Intellectual Property for it is not a hardware Issue, it is an Intellectual Ideological Joust, which is not Really an Assault or an Attack at All, unless what you would be "protecting/defending" was Stupid and would be considered Indefensible.

  72. Eddie
    Paris Hilton

    All this hand wringing...

    and slagging of end users - it's wrong.

    I've done a little googling, and I'm meant to be an IT professional, though I never claim to be a good one, and one question that never gets answered adequately always follows me around "How the fucking hell do I tell if my machine is owned by a botnet?"

    The only page I found that asks that question is

    http://www.sei.cmu.edu/news-at-sei/columns/security_matters/security-matters.htm

    (if there are better, please post) and it details continuous detailed traffic monitoring, router tables, and so on... emphasising the fact that these bots are hard to detect even by IT professionals.

    Now, I can do this - but I'm meant to be able to. How is the average home user meant to know? These fly under the radar, they stealth, they are not discovered by most malware detection, as far as I know, and so on. Not only that, but tools for doing the discovery (I use Wireshark) are not exactly user friendly.

    Now, okay, it's a given that no-one should be given access to the interweb-thingy until they've got at least two doctorates in IT related disciplines, have answered the sacred question, and defeated the guardian of the modem - unfortunately, the world isn't like that.

    The researchers who produced this report would have spent their time far more wisely designing simple, home-user friendly, software to help them monitor their ports, and understand when traffic is anomalous.

    Paris, cos she always carefully monitors her ports for suspicious emissions

  73. Jimmy

    Lack of moral fibre.

    Botnets are the enabling mechanism for unethical commercial enterprises whose whole business model is based on the assumption that internet users have no rights whatsoever. (A similar assumption to that of the UK government in relation to its citizens.)

    So they feel free to install unsolicited software and use it to distribute unsolicited spam on a global scale without the least regard to the impact on bandwidth or the helpless recipients of their garbage.

    Some clever people come up with a partial solution to this problem and hesitate to apply it because they believe they have encountered a moral dilemma. Now, call me simple minded but I really don't see the problem here. Analogy: a bunch of hooligans break into your house, wreck the fittings and furniture and spray graffiti on the walls. You happen to have a solution to hand in the shape of a weighty baseball bat. Do you apply the solution or stand around with your finger up your ass pondering whether to call the local ethics committee?

    Just do it.

  74. This post has been deleted by its author

  75. Anonymous Coward
    Happy

    Patchen?

    I think that they should use their knowledge to create a new botnet that whitehats can use. They could perform denial of service attacks on phishing pages, and websites that inform hackers of exploits, such as the Microsoft knowledge base.

    In addition, they could use it to uninstall hacking tools from infected users PCs like hex editors or remote desktop software. They could allow use of the network by trusted organisations like the RIAA.

    I think just the name 'Whitehat' engenders such a wealth of good feeling that root access to anyone’s PC is a given.

  76. Anonymous Coward
    Flame

    FLIP THE DAMN SWITCH ALREADY!!

    Don't worry about someone who may or may not be using Windows to keep them alive.

    Worry more about the murderous rampage I will unleash lest this damn spam stops coming in.

    I'm drowning in it...

    HELP ME...

  77. Gleb

    Down the drain

    Don't remove the infection, just down the machine all together. No moral greys, but queue some satisfaction. And should someone **die** as a result of this, then it's their problem. This is war, dammit.

  78. Anonymous Coward
    Black Helicopters

    question, can you basically keep kraken quiesced?

    If so, keeping it sleep mode seems a good compromise. but what a job, to continually monitor the sleeping beast for signs of re-awakening.

    How interesting IT now mirrors many fantasy themes.

  79. Thomas Silver badge

    Re: And another thing! + other issues

    At least in the Anglo-American tradition, there is no positive duty to act to prevent crime. To aid or abet (as now used) you need to do things like help plan, help perform, encourage or knowingly provide materials for a crime. Stuff like that makes you equally as liable as those who commit the crime in the eyes of the law.

    If you do choose to try to prevent a crime, you are allowed to commit a lesser crime to prevent a greater. So, e.g. you can jump a red light if you do so to prevent a murder (don't ask me how).

    It would probably be hard to establish a defence on those lines in this case because it's difficult to point to the particular crime that the controllers of the botnet would otherwise have performed, but it's probably relevant to the ethics of the thing.

  80. Glenn
    Flame

    format C:\

    done.

  81. david
    Heart

    Don't you guys watch Star Trek TNG?

    When Picard got kidnapped, Data sent a sleep command throughout the network.

    Since the Kraken network uses scripts it shouldn't be too hard to issue a sleep command and repeat. In old BASIC it goes like this:

    10 sleep

    20 goto 10

    with maybe a proliferate command to render the network dead - the question is whether that will then only take down 50% of the network.

    The other option is to force the machines to send a tracer packet and then get any ISP to shut down anyone sending that packet; they should be easy to automatically identify.

  82. Morten Ranulf Clausen
    Dead Vulture

    @All this hand wringing...

    Exactly. It's too hard for end users to figure out. It's even harder to get rid of the infection. Solution: kill Windows, make it unbootable. A dead Windows is fixable, all it takes is a bit of hard work with a lot of CDs and it's back again, hopefully sans malware. If not, repeat until malware is detectable by AV. Delete c:\windows\ or whatever it takes to make the problem obvious and the solution likewise. Don't touch data, just shoot the bleeding horse already...

  83. Anonymous Coward
    Unhappy

    Take it down

    I fail to understand why ISPs will not hesitate to shape some torrent traffic but won't shape (block) an obviously infected PC. Maybe it's just turning too much into a world where everyone fears litigation, so ends up doing nothing about it.

    Who was it that said "All that is necessary for the triumph of evil is that good men do nothing"?

  84. Anonymous Coward
    Paris Hilton

    Talking of Star Trek.

    Is it just me or have these whitehats just been watching too much Star Trek? IIRC there was some law or directive that said Kirk and everyone else couldn't interfere with another civilisation even if it was for their own good?

    This so called moral dillema just says to me someone is living out their Star Trek fantasy.

    Paris because she's someones fantasy, but not mine, the skank.

  85. Anonymous Coward
    Alert

    Just the wording that's the problem

    Getting Joe Apathetic to act to sort his apathy would take careful wording:

    DAY 1 (legal fears)

    "Your computer has connected to a CRIMINAL NETWORK. If this was not your intention press 'Remove' else press 'Continue'."

    DAY2 (I won)

    "Your computer has just become our 10000th BOTNET Member. As such you can claim your reward by pressing 'Winners Reward" else press 'Loser'

    DAY 3 (offers of a girlfriend)

    ....

    DAY 4 (political choice)

    Eventually they're going to choose an activity you can interpret as "Wipe My Botty"

    Course on Day 2 'Winner' and 'Loser' could both clean the machine...

  86. Richard Kay
    Stop

    @BKB

    "So your attitude is that these people who've connected to thousands of PCs running the Kraken botnet should be arrested, or something?"

    Depends on who connected to what and why. If someone is attempting access to a system unauthorised by its owner this is a Computer Misuse Act section 1 offence, which is the digital equivalent of picking someone's lock and going around their house and opening drawers and looking at files, uninvited, but without taking anything away or doing any damage. This is how Daniel Cuthbert's actions were interpreted. Personally I don't see that scanning an address range for a port known to be left open by a particular worm is much different from walking down a road and observing how many ground floor windows are visibly open and reporting on that, which would be perfectly legal, though some might find it annoying if you published their street addresses in the process so others could break in.

    "I'm not sure what your opinion is on the point under discussion. "

    I was responding earlier to your remarks concerning what happened to someone caught trying out a ../../ directory traversal attack, which was a different incident. Personally I think the researchers who decided not to modify the computers which were part of the Kraken botnet stayed on the right side of a difficult line. I think it is up to the ISPs in a situation where a botnet host is detected within their network to limit the damage a bot within their network is allowed to do in line with the acceptable usage agreement they have with their customers.

    I think also that better standards are needed for collaborative reporting of security incidents concerning particular IP addresses and actions required by owners of affected address space. The Internet needs a more standards-coordinated abuse reporting system and abuse handling standards.

    The tone I used was in response to your statement:

    "Considering the sad cases of people who've been arrested and even punished just for pointing out security holes, the idea of taking over these PCs is not wise. Does anyone remember the case of a security expert getting arrested over typing ../../.. into a web server?"

    The issue here in connection with Cuthbert (whom I think I reasonably assumed you were referring to) wasn't to do with him pointing out security holes. It was to do with his illegal probing for security holes on systems where it wasn't his legitimate business to find them, when he claimed his motivation for doing this was to point these out if they existed. He didn't actually point out security holes, and it seems to me reasonable for others to suspect that his claim, that this was his motivation, was a mitigation strategy which helped him to avoid being charged under a more serious section of the computer misuse act. Probably better for him that he was given a fine to encourage him to understand the line the Kraken researchers seem to have demonstrated a somewhat better understanding of.

    "My point is that it's better to tread very carefully legally speaking before trying to control other people's computers, on which point you seem to be in agreement with me, although your tone is rather unpleasant."

    I agree with the first part of this sentence. The reason for my tone is because Cuthbert wasn't arrested or punished for "pointing out security holes" but for trying to find these by attempting to gain unauthorised access to a system whose owner hadn't asked him to pentest it. As Mandy Rice-Davies famously said about the government minister's (Lord Astor) denial of his affair with her, "well he would wouldn't he ?"

  87. Eddie
    Pirate

    @ Morten Ranulf Clausen

    http://yro.slashdot.org/yro/06/03/29/2211239.shtml

    http://blog.washingtonpost.com/securityfix/2006/03/when_macs_attack.html

    And Macs - not as prevalent yet, but soon :)

    Let's get rid of all computers eh?

  88. Morten Ranulf Clausen
    Thumb Up

    You're right but...

    ...taking the Windows machines out of the equation gets the most bang for the buck. I'm not a Linux fanboi, in fact the only OS I'm comfortable with right now is Windows in several flavors but let's face it - Windows machines make up 90% or more of the botnets. And no, not all computers need to be put away, just those making trouble for the rest of us. Kinda like in the real world, really... :-)

  89. David Webb

    Plusnet

    I saw a couple of IPs there with F9 IPs so posted on the Plusnet forums; they have raised a ticket and are going to help those infected by the botnet. So thumbs up for Plusnet.

    So if you see any IP there in the same range as you, pop a ticket with your ISP and see if they will do anything about it to help those who are infected.
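
    Three posts above (54, 69 and 89) sketch the same workflow for the published Kraken IP list: clean it, split it by who is responsible for each address range, and either hand the chunks to the right ISP/CERT or serve them as a DNSBL. The script below is an added example written for this thread, not TippingPoint's code and not taken from their list; the "infected" addresses are a constructed sample drawn from the RFC 5737 documentation ranges, and the owner-to-prefix mapping is hypothetical (in practice it would come from WHOIS/RIR data). It uses only the Python standard library.

```python
"""Triage a published list of bot IP addresses: drop unroutable junk, group the
remainder by the network that is responsible for it, emit DNSBL zone records, and
check whether any listed address sits in your own ISP's range.

Added example for the discussion above; not TippingPoint's code. Sample data and
the RESPONSIBLE table are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample "infected" list. It deliberately contains the kind of junk a
# real dump has: a private address (cf. the 192.168.21.1 noted above), loopback,
# a malformed line, a duplicate and a comment.
SAMPLE_LIST = """\
# constructed sample, not the real Kraken list
203.0.113.7
203.0.113.44
192.168.21.1
198.51.100.9
203.0.113.7
127.0.0.1
not-an-ip
192.0.2.5
198.51.100.200
"""

# Hypothetical "who owns this prefix" table; a real one would be built from WHOIS
# or RIR delegation data (ISP abuse desks, or one national CERT per country).
RESPONSIBLE = {
    ipaddress.ip_network("203.0.113.0/24"): "isp-a <abuse@isp-a.example>",
    ipaddress.ip_network("198.51.100.0/24"): "isp-b <abuse@isp-b.example>",
}

DNSBL_ZONE = "kraken.dnsbl.example"  # hypothetical zone name

# Address space that can never be a real remote bot: RFC 1918, loopback, link-local,
# "this" network, multicast and reserved (224.0.0.0/3 covers 224-255).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def is_routable(ip):
    """True for an IPv4 address that is not in any bogon range."""
    return ip.version == 4 and not any(ip in net for net in BOGONS)


def parse_ip_list(text):
    """Return sorted, de-duplicated routable addresses; skip comments and garbage."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # malformed entry, ignore rather than abort
        if is_routable(ip):
            seen.add(ip)
    return sorted(seen)


def group_by_owner(addresses, responsible=RESPONSIBLE):
    """Map each address to the longest matching prefix's contact ('unassigned' if none)."""
    groups = defaultdict(list)
    for ip in addresses:
        owner, best = "unassigned", -1
        for net, contact in responsible.items():
            if ip in net and net.prefixlen > best:
                owner, best = contact, net.prefixlen
        groups[owner].append(ip)
    return dict(groups)


def dnsbl_records(addresses, zone=DNSBL_ZONE):
    """Standard DNSBL form: reversed octets under the zone, A record 127.0.0.2."""
    records = []
    for ip in addresses:
        rev = ".".join(reversed(str(ip).split(".")))
        records.append(f"{rev}.{zone}. IN A 127.0.0.2")
    return records


def in_my_range(my_ip, addresses, prefixlen=24):
    """Listed addresses sharing my_ip's /prefixlen, i.e. probably the same ISP pool."""
    net = ipaddress.ip_network(f"{my_ip}/{prefixlen}", strict=False)
    return [ip for ip in addresses if ip in net]


if __name__ == "__main__":
    bots = parse_ip_list(SAMPLE_LIST)
    for owner, ips in group_by_owner(bots).items():
        print(owner, "->", ", ".join(map(str, ips)))
    print("\n".join(dnsbl_records(bots)))
    print("same /24 as me:", in_my_range("203.0.113.200", bots))
```

    Run as-is it reports two addresses each for the two hypothetical ISPs, leaves 192.0.2.5 as "unassigned" for manual lookup, and prints zone lines that any DNSBL-aware MTA can query. The bogon filter matters: a single 192.168.x.x entry forwarded to an abuse desk is enough to get a whole report dismissed.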

  90. Steve Roper
    Stop

    Ethics

    Is the exploitable weakness utilised by the greedy, selfish and unscrupulous to gain the upper hand over anyone who shows a modicum of altruism. Result: the human race turns into a pack of selfish, opportunistic scum who will never realise their age-old dreams and ideals, for sinking into the cesspit of its own greed.

    These bastards aren't constrained by ethics. If we allow ourselves to be, they win. Every time. We have to fight them by their own rules: that is, no rules other than win at any cost. Bugger ethics! If someone loses their life's work because the security researchers deloused their machine, then that's a good lesson to a) back up your work, and b) practice safe surfing!

  91. This post has been deleted by its author

  92. Anonymous Coward
    Anonymous Coward

    >Plusnet

    You mean they responded to the forum, them actually doing something would be a gobsmacking miracle of the highest order.

  93. SoupDragon
    Gates Horns

    Remember that Stephen Hawking quote?

    'But then most forms of life, ourselves included, are parasites, in that they feed off and depend for their survival on other forms of life. I think computer viruses should count as life. Maybe it says something about human nature, that the only form of life we have created so far is purely destructive. Talk about creating life in our own image. '

    (http://www.hawking.org.uk/text/public/life.html)

  94. C. Fuhrman
    Heart

    Vigilante justice?

    I totally agree that it's unethical to shut down the Kraken Trojan. But I think the real reason isn't "life support" ROFL but rather Tipping Point getting sued.

    On the other hand, ISPs don't do their part, even when IPs get reported as infected. End users don't do their part by installing proper firewall software or enabling automatic updates. Programmers don't do their part by writing software that doesn't have security flaws.

    Just waiting for the Register to publish an article about Vigilante Zombie Killer groups that can't get sued (like the whitehats can).

  95. Anonymous Coward
    Joke

    make minor change

    Leave the infected machines be except to have them send feedback to /dev/null. Everybody is happy.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019