back to article Feds commandeer botnet, issue 'stop' command

For the first time ever, the US government has attempted to take down a botnet by setting up a substitute control channel that temporarily disables the underlying malware running on hundreds of thousands of infected end user computers. The move, announced Wednesday after federal prosecutors seized domain names, IP addresses and …

COMMENTS

This topic is closed for new posts.
  1. Steve Evans

    Blimee...

    Logging the IPs and working with ISPs to inform the end user...

    Impressive if it works... I tried that once. I was getting several thousand emails from one IP every day. I contacted the ISP and it stopped. I was impressed. A month later it started again. Same IP, so the user had obviously learnt very little. I contacted the ISP again, nothing happened, the spam continued.

    The IP is still blocked on my email server. Glad it was fixed and not dynamic!

    I think MS should be made to force an update onto PCs which works like the browser choice app, but gives a choice of antivirus.

    It's amazing to think how close the music industry have got (or are getting) to getting laws introduced which can have you disconnected from the internet, yet infected PCs which cause problems for far more people are just left to spew their infections penis and enlargement emails unchecked.

    I'm sure if they introduced a 3 strikes and you're off the net until you complete a PC driving licence course would be far more widely supported.

    Oh damn, I hope I haven't just given HMgovt a way to spin the music industries plans onto us under the guise of internet health.

    1. TeeCee Gold badge
      Thumb Down

      Re: Blimee...

      "I think MS should be made to force an update onto PCs which works like the browser choice app, but gives a choice of antivirus."

      As the Afcore maware behind this botnet has been on the target list of the MS Malicious Software Removal Tool for a year now, presumably those infected have updates turned off anyway so your cunning plan would have absolutely no impact at all.

      Besides, the Security Centre in XP and up already bitches continuously if you run without A/V (unless you deliberately disable it) and one of the things it does is advise on a choice of products. Much as you suggest really.

      There is no excuse bar sheer user stupidity.

    2. Cameron Colley

      I thought Windows did tell you to install AV?

      My XP VM certainly keeps warning me that I have no anti-virus software installed every time I boot it up, and I've left that pretty much untouched as far as config goes.

      As far as running AV goes, I won't. If I ever need to use a real Windows box regularly at home I'll not run AV and just take a few precautions instead -- AV is a resource hog and rarely actually prevents infection anyhow, due to the definitions not quite catching up with the malware.

      1. copsewood
        Boffin

        Uses for Window without antivirus

        If you just use Windows for legacy standalone applications there's little need to network it, other than to confirm the license keys as part of a clean install. Then the AV is just unwanted memory/CPU overhead.

        If you (like me) are using Windows as a VM using a more secure host OS, then presumably you don't need to use this Windows VM in order to access untrusted websites or networks, for which you have a more capable platform, or you can use another disposable VM for that purpose simply by restoring it to a trusted snapshot after accessing something or somewhere untrusted.

        Which leads to another appropriate use of Windows VMs without antivirus as honeypots, in order objectively to study malware. The idea is to use such a system as bait, then when you think you have hooked something, stopping it, mounting the virtual hard disk within an analysis environment incapable of executing the malware, but capable of checking the differences in the underlying system previously caused by the malware infection through before and after filesystem and registry difference analysis.

        1. Steve Evans

          @copsewood

          Viruses did exist before the internet, they just spread more slowly on infected floppy boot sectors and couldn't create spam email. They did however destroy local data and do "fun" things like make all the letters fall down the screen.

          If you want to run a machine without AV then you'd better hope the machine has no network connection or *any* removable storage support.

          If you want to try a honeypot, simply connect a windows 95 machine to the internet via a USB router. I'll be amazed if it has lasted the day before is turns belly up under the weight of infections.

          IIRC one of the techie sites did this a few years ago and had to unplug it after 45 minutes!

      2. Anonymous Coward
        FAIL

        @Cameron

        This would be an example of the aforementioned user stupidity. Yes, we're all very impressed that you have the knowledge and experience (or so you believe) to avoid infection but frankly it's this sort of cavalier attitude that leads to so many infections in the first place. Defence in depth is always better and every tool available to you should be used.

        After all, would you apply this same flawed bravado to your sex life and chose not to wear a condom because you think you're careful enough to chose partners who are completely free of STDs?

        1. Cameron Colley

          @AC

          I use a PC with AV at work every day and it doesn't work -- it let one site install malware on a colleagues PC, I didn't get it because I use Firefox with NoScript and Adblock Plus. I've also helped clean up friends PCs which were grinding to a halt due to AV and malware.

          When I used Windows at home on a regular basis I'd run virus checks every so often and never find anything -- that's with having no AV running at all.

          AV has its place, for regular checking or for users who can't be bothered being careful -- but it's an annoying CPU hog and to me at least is more trouble than it's worth most of the time.

          Just to use your analogy -- Porn stars are required to have regular STD checks and don't use condoms yet they're not dying in droves of AIDS because of taking precautions.

    3. Annihilator
      Unhappy

      Slight arrogance?

      "I'm sure if they introduced a 3 strikes and you're off the net until you complete a PC driving licence course would be far more widely supported."

      Or, do you think we in the IT industry have an obligation to provide PC solutions to end users without requiring them to know everything about malware or viruses? That argument rather annoys me when IT experts blame the user and not the device for allowing the user to get to that state in the first place. We've reached an age where a PC is sold as a household appliance, yet I don't see my hifi coming with obvious gaps in it, ready to steal my bank details.

      1. David 66
        Megaphone

        It's an appliance, yes...

        But like many appliances, proper hygiene needs to be practised when using it. That is a user responsibility. How many more must die before the great unwashed start taking internet health seriously?

        1. Steve Evans

          @It's an appliance, yes...

          Indeed. A car is also a consumer device, and if you operate ones of those like a complete muppet they will take away your right to use one.

  2. Anonymous Coward
    Grenade

    sigh...

    Used to work at a small regional ISP. Business and tech support ran in the front half of a retail building (think small-town main street). Servers and system administration in the back (us network guys didn't show well for customers). Two apartments upstairs had free Ethernet connections as a perk (ISP owner also owned the building).

    One of the apartment dwellers, who also happened to be working tech support for us, had a bit of trouble keeping his PC sufficiently locked down. The first time his connection took over our uplink (serving porn, MP3s, and lots of pirated movies) I just disabled the switch port remotely.

    The 2nd or 3rd time, I drove in to the office, grabbed a ladder and a pair of wire cutters, snipped the Cat-5 to his apt. and left the ragged end hanging off the wire ladder.

    Problem solved. He eventually got hooked up again, but became a bit more security aware.

    (yea, I know, traffic shaping and all that.. We were a pretty low-tech ISP running Ciscos with whatever IOS image was on them when we picked 'em up from eBay. Boss couldn't understand why one 2500 with 1M/1M and a bare-bones IOS couldn't do the same thing as a 8M/8M and a whizbang IOS No money for training. No testbed, so my self-taught networking was the cause of plenty of outages. Learned real quick to do 'rel in 5' before making any huge router config changes, especially for the router 300 miles away!)

    hand grenade, because there's no Etherkiller icon.

    1. Version 1.0 Silver badge
      Happy

      Good Point

      Please, pretty please, can we have an etherkiller icon? The lads over in the monastery did a nice one a few years back...

      It's worth noting that our mail server monitoring has shown a substantial increase in the number of infection attempts since Rustock went down - zip files arriving promising gifts etc

      1. Christoph

        @ Version 1.0

        Not a good idea. The discussion here may be 'robust', but it's got nothing on the monastery!

        Mind you, if anyone could get me some authorization codes for the Orbital Anvil Delivery System ...

        1. Version 1.0 Silver badge
          Happy

          Agreed!

          ... but I still want the CAT-5 <> AC line plug icon.

    2. Sir Runcible Spoon

      Sir

      Ah, the old 'reload get out of jail' command.

      We've all been there mate, even those of us with industry training :)

  3. jake Silver badge

    Oh noes!!!!!!11!!1eleven (etc, ad nauseam ...) ...

    ... teh gubbmint is hackxorizing TehIntraWebTubes!

    Is it still safe to browse pr0n on my iFad?

  4. Shannon Jacobs
    Big Brother

    Reminds me of the wild west

    The shoot-em-up Internet reminds me of the wild days of the American frontier. Instead of drunk cowboys blasting away with six-shooters we have black hat hackers with massive zombot networks. Which is more dangerous?

    So now the federal marshals are getting into the act? Anyone think they can clean up this town while Google, Yahoo, and Microsoft are on the other side, making massive profits from the way things are? The problem is that if we held the accomplices accessible for 1/10th of the crimes, they'd go bankrupt and probably take the Web down with them...

    I'd love to see Google take the lead against these criminals. ROFLMAO.

    1. copsewood
      Gates Horns

      This one wan't Google's problem

      This was a botnet running on Windows, and thankfully Microsoft are doing some of the work to clean up the mess on the platform they developed an sold. In my view they should be doing or paying for all of it. If and when we see anything similar on Android, it will be Google's responsibility to clean it up.

      1. Michael C

        not all of it

        more than half the active virus activity can be laid at either Sun or Adobe's feet. MS might be able, theroetically, to secure their own house, but 3rd parties can not be (until such a time as we all agree the current security model sucks, agree to loose backward compatibility, and start all over).

  5. Anonymous Coward
    Stop

    @ Steve Evans

    "Oh damn, I hope I haven't just given HMgovt a way to spin the music industries plans onto us under the guise of internet health."

    That would be a welcome change from the situation now, which is the tech industry spinning their plans onto us under the guise of promoting freedom and democracy.

  6. This post has been deleted by its author

    1. Panix
      Thumb Down

      Sounds not but not practical

      I know several parents who have tons of pictures of their kids stored on their computer with NO backup. And now, those kids are in Middle and High school. What's the chances of one of them getting hit by one of these drive-by downloads and getting the PC infected? Pretty high, I can assure you from talking to the parents.

      Whenever I've had to work on these PCs, their pictures is their main concern. If they were to lose their kids' childhoods because their kid clicked off some popup about saving their files and didn't say anything to anyone, you can imagine the anger that would follow. Granted, I'm sure the data recovery industry would love it.

      This sounds like a huge invasion of privacy. What's next? Removing software that you can't prove you bought?

  7. Fred Flintstone Gold badge
    Black Helicopters

    However ..

    Hands up whoever thinks that US officials be able to resist using the network for their own purposes. No-one? Thought so..

    1. Anonymous Coward
      Anonymous Coward

      Zombie army available if needed

      Exately my thought. Who believes that the authorities will really continue to sent the stop command if it need s army for a cyber war?

      That court ruling gave them the permission to recruit thousand or zobies for ther cyber army.

  8. dave 46

    It's a legal problem not a technical one - the law needs to sort it out.

    Make the ISPs responsible for traffic leaving their network.

    If Youtube host infringing material they are required to take it down but if an ISP is spewing malware and spam it's nothing to do with them?

    The law isn't perfect but I can't imagine youtube bothering with take down requests if there wasn't a legal framework backing them up.

    1. copsewood
      Boffin

      Different kind of framework needs development

      This one needs to come mostly from inside the way the Net is developed, and not so much from old law. The problems with the old law are that it is written in too many languages and in too many different ways, is subject to too much expensive and lengthy interpretation and its effects by and large can't be designed with automation in mind - the politicians and bureaucrats who design legislation are technically incompetent. So this instrument is too slow, blunt and expensive.

      The IETF (and to a lesser extent other standards bodies such as W3C etc) define network standards based upon consensus between interested parties, some of which already have the effect of regulating ISP behaviour. A couple of cases where effects have already been seen in industry self-regulation exist in relation to spam and ingress/egress filtering of packets with spoofed addresses. ISPs which act as front ends for mainsleaze spam operations have been depeered because other ISPs won't accept their traffic. Increasingly this standardisation of expected behaviour seems likely to get put into the membership agreements of interconnectivity providing organisations such as LINX see https://www.linx.net/ .

    2. Anonymous Coward
      Stop

      Be careful what you wish for...

      ...before you are stung by the law of unintended consequences.

      If the ISPs are legally reponsible for everything that leaves their network then they will also have a legal reason to implement technology that tells them exactly what is leaving their network. It's amazing how valuable information like that can be.

  9. iMacThere4iAm
    Stop

    Why not disinfect it?

    If they have control over the botnet, and assuming it can be made to run arbitrary code, can't they simply instruct it to uninstall itself?

    Far better (and permanent) solution than hackishly trying to knock out each node every time they come back online - which they concede will probably lead to the original operators eventually regaining control of the botnet, and no doubt protecting it against this kind of takeover in the future.

    1. lglethal Silver badge
      Go

      I think its a legal thing...

      If they did this and something went wrong and it, for example, formatted the hard drive or deleted key information or bricked the OS, etc. then this being America, the feds would be sued for all their worth!

      So their solution to avoid this is just to collect the IP addy's, contact the ISP's, who contact the customer and the customer does the removal. That way if something goes wrong, only the user is to blame...

      Unfortunately, the US litigation culture wins against common sense once more!

      1. Steve Evans

        The legal mine field...

        Yup, you got it. Sending a command to something which is already on the machine and telling it to "stop" is one thing, actually installing or uninstalling something starts to fall fowl of various computer misuse laws.

        Then again, the machine is already infected, so how the end user would know that he should blame the feds for his now dead PC is a good question... If he wasn't clued up enough to install antivirus in the first place, nor to notice his router or network icon blinking away excessively then I vote the feds keep quiet and just issue the format command...

        Or maybe just set up a persistent route for everything back to 127.0.0.1, then hopefully Jim-Bob would call someone in to fix his errant machine.

  10. Peter Galbavy
    Stop

    I can see it now...

    "Hello and blessings on you,

    My name is Frederick Smith of the FBI and you computer has been identified as one which is under attach but we have stopped it! To fully clean your computer for the noxious virus please install the software from this site: ..."

    Apologies for not speaking 419 fluently.

    Oh dear.

  11. Anonymous Coward
    Anonymous Coward

    Oh noes. The lolfedz...

    ... are watching you m******** !!!!!11111 one.

  12. There's a bee in my bot net

    Wow... government does the fucking obvious?

    I've been wondering why there hasn't been more international cooperation on this sort of thing.

    Sure you are going to have a hard time if the CnC is in deepest darkest Russia or the like but if you can identify the CnC in use and can get physical access to it, surely the best thing to do is take control of it (or replace it with your own).

    Assuming the CnC has exclusive control of the herd, keep sending those stop commands (if no kill command is available) until you can send an update to the herd to shut them all down. Otherwise it might be possible for someone to take control of at least part of the herd from somewhere else as and when each bot restarts.

    I'm sure there would be plenty of clever reverse engineer types out there who would be interested in taking apart a bot so it could be replaced with something harmless...

  13. Graham 25

    Why not just self-destruct the botnet ?

    Genuine question - legalities aside.

    If its possible to get control of the botnet, then I would have thought it was possible to instruct the compromised machines of the botnet to reformat the c drive or equivalent and thereby force the users to reload their system, or at least do something which removes the machine infection permanently ?

    If a machine is compromised, why not 'inform' the users by changing the desktop image that they have been hijacked by blah blah blah and to visit the DoJ website page blah blah for more information which basically says we are going to reformat your hard disc as your machine is compromised and spamming ?

    then it happens.

    Annoying to say the least if its your machine, but possibly in the greater good is several million sources of spam are taken out ?

    1. Mikel
      Happy

      Annoying if it's your machine

      >Annoying to say the least if its your machine...

      And disastrous if it's the server for a defense contractor or organ bank, the PC of a small family practitioner or local police department, or an errant laptop from a major national law firm or advertising agency.

      Since we're talking millions of infected Windows PCs the odds of something like that being in the pool is not just likely, it's certain. No, that just won't do.

      If only there were some way to avoid your Windows PC catching a Windows virus and joining a Windows Botnet this long nightmare would be over. It has been many years, but we don't seem to be able to find a common thread that would help us develop a best practice for avoiding Windows exploits. We've tried keeping up to date with all the Windows patches, and even updating our IE to the latest version. Even with Windows firewall turned on some of our PCs seem to fall ill from Windows malware problem through zero-day Windows exploits and Windows user error. Once one Windows user is infected on our networks the plague always spreads - often directly from Windows PC to Windows PC through the network, but sometimes through Windows shared folders or common Windows applications like Outlook and sometimes just with pen drives or burned CDs.

      It's a shame that there's nothing to be done. I guess software will always have these risks, and one time in three any of our info put into a PC will be available to some anonymous stranger to do with as he will. The alternative is to adopt the lifestyle of Thoreau and live in our own Waldens: sans running water, electric lights, flush toilets and the bustle of modern commerce.

      If only there were a third choice...

  14. Leona A
    Paris Hilton

    Issue command.

    So they can issue a Stop command, why then, can they not issue a Delete command, so the virus/worm deletes itself, surely then, problem solved.

    1. copsewood
      Boffin

      Who fixes this if something goes wrong ?

      If a botnet has a STOP command, using this remotely seems reasonably likely not to have unwanted side effects on the PC infected and could be argued as not being an unauthorised acess or modification if carried out in good faith in order to minimise damage and harm already provably occuring. It could be argued that the owner of a PC unwittingly infected with malware providing an external STOP command is authorising such access.

      I would imagine that it is because this issue is arguable that judicial authority had to be obtained. If harm occurs to the infected PC or its data as a consequence of the use of a STOP command to malware, the owner of the PC would have to prove use of this command was unauthorised, which would be difficult because the PC owner acted in a way which allowed software with this remote control functionality to be installed.

      Given the impossibility that every possible way the PC might be infected or every possible infected configuration can be tested in advance, there is a greater risk that a DELETE command could have unintended and adverse consequences, e.g. loss of user data on or use of the system affected. If such were to occur, the act of unauthorised modification (which is a more serious Computer Misuse Act offence than unauthorised access anyway) would give the PC owner grounds to sue for damages whoever had issued the DELETE command which triggered the damage.

  15. kain preacher

    Why

    People are asking why they just don't remove the virus . It's not a legal reason as you need permission to sue the US federal government . Here is a better reason why. Lets say they remove the virus and it borks a few government computers /servers , now I never said which government. Lets say it nukes an NHS server . How many people would say the NHS deserved it verse how many people would say how big , bad and evil the US is. That the US is trying to kill UK citizen. You might even get a MP calling it an act of war. Now instead of the UK lets say it hits a few government computers in North Korea, China, Russia or favorite middle east country that hates the west .

    1. Paul Crawford Silver badge

      @Why

      The real question is responsibility. But that applies also to those with infected computers. It is high time that those responsible for the running of computers were held accountable, maybe by forcing the suppliers of certain well known operating systems to also have some responsibility.

      Yes, getting a virus to remove itself, or to run a clean-up program, might bork the system, but it was ALREADY BORKED! Just the user was not aware that their system was open to the bad guys for any sort of exploit they may dream up.

      In a critical system like the NHS or defence, then WTF are they doing not taking sufficient care or corrective action?

      Solution - send a message telling the owner to fix it (by getting a local computer professional to deal with it, not this "download blah-bla-bla" business) and then a week later run the virus removal. If it works, the PC is clean. If it is broken, tough, as the owner already had sufficient warning and was complacent in their own downfall.

  16. John Smith 19 Gold badge
    Thumb Up

    Given the legalities the US govt is the *only* entity in the US that could *legally* do it.

    But here's a question.

    Large ISP's seem to do *lots* of traffic shaping.

    In order to do so they are looking *inside* those packets.

    Most users don't *want* TS.

    WTF can't they do something *useful* with that capability instead of just ekking out their bandwidth to slap a few more subscribers onto infrastructure that *cannot* support their existing subscribers at the bandwidth they *advertise* (not deliver)?

    Thumbs up for this action but *no* to any kind of *blanket* requirement//obligation, which would be a govt blank cheque.

  17. J. Cook Silver badge
    Pirate

    DELETE command?

    Y'all are assuming that the bot software even *HAS* a self-delete feature. Hell, I'm counting lucky they have a stop/pause feature!

    And the reason why the Feds would not push this mythical "remove self" button, if it exists? Pure legal liability, as many of you have pointed out. I would say that their current plan of attack (collect the IP addresses, identify the ISPs, hand over the info) is valid, and probably the best way to handle the situation. Technically, telling the bot software to stop or pause is against US laws for computer tampering already, so I imagine there's not much else that they can do without pushing the boundaries of legality.

This topic is closed for new posts.

Other stories you might like