Microsoft takes down ZeuS botnets A Microsoft-led operation resulted in the takedown of key servers associated with the infamous ZeuS and SpyEye banking Trojan botnets on Friday. Months of investigation culminated in the coordinated seizure of command-and-control servers associated with the botnets and hosted in Scranton, Pennsylvania, and Lombard, Illinois. …
Whilst one can of course say (with justice) that they should have begun this a long time ago it is indisputably true that in recent years they have been devoting increasing efforts and considerable resources (=a great deal of wonga and man-hours) to making a significant dent in the problem. Good to see.
>>Wednesday, 4 April 2001 DO YOU USE...
Gordon, where have you been in 2004 when I switched to Linux Sorry, too late I did not know about a "The Lion worm — yet another variant of the Ramen worm" back then. Spooky indeed.
"If youth only knew: if age only could"
Your post is most anti-Microsofty today.
This post has been deleted by its author
This post has been deleted by its author
No, the point is it should ONLY install things you intentionally install, not just any damn thing sitting on a website. Websites should only be able to display content unless explicit action is taken to cause something else to occur, and I'll even go so far as to include automatically starting an embedded media stream.
Whilst I am glad to see them helping the authorities and taking some responsibility for what they have wrought, it still seems odd to me that it is MS and not some government body leading the action.
it is as though cyberpolicing has been privatised.
but any take down is a good takedown. Send in the sherrif!
This post has been deleted by its author
>>the bin in my gmail account, there's no spam whatsoever
So you expect it in the spam box not your inbox? Thanks should be addressed to the spamfilter (supposedly based on spamassassin). My spam mostly lands there, unlike some of my friends with hotmail and others.
Or buy them some cheap ... lemonade, my older gmail account spambox does seem to receive less spam though this month. :)
What is sad is as someone who fixes and sells Windows PCs frankly it isn't Windows fault, its PEBKAC. you see the malware guys have figured out the "dancing bunnies' tactic, whereby you offer the victim something they REALLY want, be that pron, free software, even something as unlikely as a chance to win an iPod, and then the user will happily disable their own security and infect their own machines!
The only time I ever had to throw someone out of my shop was over a dancing bunny, where this person refused to listen to me when i told him that Limewire had been dead for years, so instead he takes his brand new PC and when he finds some malware listed as "the new limewire' he first tries to disable and then when that doesn't work REMOVES the AV AND UAC protections and then had the gall to complain because "The machine shouldn't have gotten infected like that" and demand i repair it for free. When i threw him out of my shop he was yelling "It says right there it is the new Limewire so you MAKE IT WORK!"
Sad that Windows so often gets blamed when I'd say a good 99% of the infections I see are just from mind numbing stupidity. I've seen users give up their passwords, lower their security, do whatever the malware writers ask them to, all to get some "prize' which of course only is a trojan package. You can design the most secure OS on the planet and when you have the user actively trying to dismantle your security you're as good as doomed.
I rather like the idea of a Microsoft assassin walking up behind the server with a pair of gardening shears, cutting the Ethernet cables and then bundling the server into a black van with a cloth over it's diagnostic panel so that it may be waterboarded for information in a dark room in the basement of the Redmond campus 200ft underground shielded from the world's eyes.
"how do you dismantle an IP address?"
Null route it on all core routers.
But seriously, what needs to happen IMHO is:
thread collect_ips
while true
collect IPs connecting to botnet Command and Control
store in infected computer database
wend
end thread
thread enforcement
while true
For all national governments
for all ips in infected computer database
look up owner of IP block containing IP
if owner is in government's country
if owner not contacted yet
snailmail owner "this machine is infected. See it gets cleaned up. You have 2 weeks to comply." --signature=required
owner contacted
else if time of contact > 2 weeks
disconnect owner from network.
end if
else
look up owner's peering partners in country
for all peering partners
if partner not contacted yet
snailmail partner "this machine is infected. Either compel owners of netblock to fix it or de-peer owners. You have 2 weeks to comply." --signature=required
parnter contacted
else if time of contact > 2 weeks
disconnect partner from network.
end if
end for
end if
end for
end for
end while
end thread
Harsh, but it would put a big dent in the botnet problem: ISPs would either have to bestir themselves to contact their lusers and get them ot fix the machines, disconnect the lusers machines from the network, or face disconnection themselves. Even if an ISP is in a country that doesn't help enforce the rules of the road, that ISP eventually gets de-peered from enough countries that do enforce the rules that they cease to be an issue.
(Now I await the masses of "how dare you ask anybody to be responsible for the consequences of their actions you fascist bastard!' to downvote me.)
Given the requirement for snailmail, I'd quibble with the specific time interval. Even in Western nations I think I'd want 3, though nor more than 4 weeks. For third world areas it would probably take significantly more in order to allow time to actually contact them and for them to have time to clean the machine.
But the overall algorithm looks good, and even with longer lead times would still get to the desired result.
>>Microsoft has detected more than 13 million suspected infections of ZeuS and SpyEye-related malware worldwide, with more than 3 million in the United States alone.
When a PC maker suggests something like "We recommend Microsoft Windows Vista/7/8" it should really add "and Microsoft may detect you to be among the millions of malware infected worldwide!" In the US specifically, the slogan can finish with "Isn't it cool?"
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
