Must try HARDER, infosec lads: We're RUBBISH at killing ZOMBIES

Botnet takedowns need to be improved if the industry is to avoid the risk of creating more problems than it solves every time it decapitates a zombie network, according to a former Scotland Yard detective turned security researcher. Adrian Culley, a technical consultant at infosec firm Damballa* who served with the Met Police …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Sueball

    They need to lob a sueball at the center of the problem - Microsoft and its insecure operating systems that become the zombies. Until it costs them money, they won't fix the problems that lead to the takeover of hundreds of thousands of consumers' PCs.

    1. fix

      Re: Sueball

      You forgot your troll icon !

    2. Shrub

      Re: Sueball

      Nope, WordPress instances with outdated plugins are just as guilty.

    3. Alan Brown

      Re: Sueball

      If you're using sueballs, you've got entirely the wrong kind of weapon for dealing with botmasters.

      Have something more appropriate. Preferably delivered from orbit to be sure.

  2. theblackhand

    Isn't the problem...

    That dealing with the symptoms is illegal (i.e. attempting to clean up or disable infected devices)?

    Currently, malicious code is analysed and all potential C'n'C hosts are taken down in some way (blocking routes/DNS/taking down C'n'C servers) but the vulnerability that allowed the devices to become infected remains.

    That requires a legal or contractual solution to how infected systems are handled.

  3. David Ireland

    Learn what an algorithm is

    The combination of several algorithms, I think you will find, is one algorithm. Hyper-fluxing is fluxing. They both generate a pseudo-random stream of domain names. Either you can run the algorithm and find out the domain names in advance (you have isolated the bot), or you can't. Secure pseudo-random streams are easy to design - they don't need to be complicated. This article is the worst kind of security bollocks. It does nothing but introduce a bunch of meaningless terminology.

    But yes - I agree, we seem to be useless at taking down botnets, because we don't seem to bother decompiling the bots to predict their behaviour. The code is inherently not a secret.
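Added example (not from any commenter above or from the article): a toy date-seeded domain generation algorithm, written around the takedown problem as theblackhand and David Ireland describe it. If the DGA's only inputs are a key recovered from the bot and the calendar date, a defender can run the same algorithm ahead of time to produce the exact list of names to sinkhole or block at DNS, and then match DNS query logs against that list. The key, TLD list, domain count, dates and log lines below are all constructed for this example and belong to no real botnet.

```python
"""Toy date-seeded DGA plus the defender-side pre-computation of its output.

Constructed example: RECOVERED_KEY, TLDS, DOMAINS_PER_DAY, SAMPLE_DAY and the
DNS log lines are hypothetical values invented for illustration.
"""
import datetime as dt
import hashlib
import hmac
from typing import Iterable, List, Set

# Assumed to have been recovered by reverse engineering the bot (hypothetical).
RECOVERED_KEY = b"example-dga-key-2013"
TLDS = ("com", "net", "org", "info")
DOMAINS_PER_DAY = 8
SAMPLE_DAY = dt.date(2013, 10, 1)  # fixed so every run is reproducible


def dga_domains(day: dt.date, key: bytes = RECOVERED_KEY,
                count: int = DOMAINS_PER_DAY) -> List[str]:
    """Generate the bot's candidate C&C domains for one calendar day.

    Each name is derived from HMAC-SHA256(key, date || index). The bot and
    the defender who holds the key compute exactly the same list, which is
    the property a takedown relies on.
    """
    domains = []
    for i in range(count):
        msg = day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        # First 12 digest bytes become a lowercase label; last byte picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute_blocklist(start: dt.date, days: int, **kw) -> Set[str]:
    """Pre-generate every domain the bot will try over the next `days` days.

    This is the defender-side use of the algorithm: the names can be
    registered, sinkholed or blocked before the botherder uses them.
    """
    block: Set[str] = set()
    for offset in range(days):
        block.update(dga_domains(start + dt.timedelta(days=offset), **kw))
    return block


def flag_dga_queries(log_lines: Iterable[str], blocklist: Set[str]) -> List[str]:
    """Return 'client qname' strings for log entries that hit the blocklist.

    Log format (constructed): one 'timestamp client qname' line per query.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on real logs
        _ts, client, qname = parts
        if qname.rstrip(".").lower() in blocklist:
            hits.append(f"{client} {qname}")
    return hits


def demo() -> List[str]:
    """Run the whole defender workflow over a constructed three-line DNS log."""
    blocklist = precompute_blocklist(SAMPLE_DAY, 7)
    third_day = SAMPLE_DAY + dt.timedelta(days=2)
    sample_log = [  # constructed log lines; two are DGA lookups, one is benign
        f"2013-10-01T09:00:00Z 10.0.0.5 {dga_domains(SAMPLE_DAY)[0]}",
        "2013-10-01T09:00:01Z 10.0.0.5 www.example.com",
        f"2013-10-03T12:30:00Z 10.0.0.9 {dga_domains(third_day)[3]}.",
    ]
    return flag_dga_queries(sample_log, blocklist)


if __name__ == "__main__":
    for hit in demo():
        print("DGA lookup from infected host:", hit)
```

The caveat the thread circles around is the "or you can't" case: if `RECOVERED_KEY` were replaced by something the bot fetches at run time (a value the botherder publishes on the day), `precompute_blocklist` cannot be run in advance and the defender is back to reacting after the fact. Note also that blocking these names only cuts the bots off from their controller; the vulnerable hosts stay infected, which is theblackhand's point.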

    1. Charles 9

      Re: Learn what an algorithm is

      Have you considered the idea that botnet designers KNOW about the possibility of decompilation and take steps AGAINST it using such things as self-modifying code, code obfuscation, and remote download of payloads that then only reside in memory (and more of them know how to root and thus block access to its own code; plus they're becoming VM-aware)?

  4. DanceMan

    Killing Zombies

    There's a card in the window of my favourite card shop. It says "Zombies Eat Brains."

    And below it says, "You're Safe."

  5. John Smith 19

    I'm reminded of a story about the tunnels of Viet Nam...

    The VC and NVA were prodigious tunnelers. IIRC in 2 regions the US formed "Tunnel rat" units to chase them down the (small) holes and help destroy them.

    They never eradicated the threat.

    In the 3rd area they used all the troops to form a perimeter, then set up a skirmish line doing a fingertip search of the ground not only for trap doors but also breathing holes. They marked every point.

    Then they blew the whole lot up in one go.

    AFAIK they did not have any further problems.

    IOW you have to be very coordinated to eliminate a bot net completely.

    But the infosec people can work together as a team in ways the (illegal) malware writers cannot.

    1. Charles 9

      Re: I'm reminded of a story about the tunnels of Viet Nam...

      That third group then must've been fortunate to not have their perimeter undermined because ONE tunnel snaking PAST their perimeter would've ruined their effort: not only providing an escape path for those underground but also creating a potential ambush point for anyone who dared to go down: possibly creating a line breach for a combined over/underground assault.

      That's the same thing you have now with these malware writers. They know the underground better than anyone, so know all the routes they can take: some of which the InfoSec people may not even be aware of (or even be capable of addressing; consider havens in anti-Western countries). How does the West combat a botnet that's secretly being funded by radical Muslims or the Chinese or someone else who may not be inclined to cooperate?

      1. John Smith 19

        Re: I'm reminded of a story about the tunnels of Viet Nam...

        "That third group then must've been fortunate to not have their perimeter undermined because ONE tunnel snaking PAST their perimeter would've ruined their effort: not only providing an escape path for those underground but also creating a potential ambush point for anyone who dared to go down: possibly creating a line breach for a combined over/underground assault."

        Correct.

        That's why you have to establish a tight perimeter first, otherwise it does not work.

        In the same way, you have to make sure you've got all the C&C servers when you hit them.

        1. Charles 9

          Re: I'm reminded of a story about the tunnels of Viet Nam...

          "That's why you have to establish a tight perimeter first, otherwise it does not work."

          But what happens when you discover part of the perimeter is, for one reason or another, UNREACHABLE? Like how the Cong kept some routes into neighboring (and neutral) Laos? Like how many of the malware writers are located in countries with less-than-favorable relations to the West?

  6. TheDillinquent

    Would it not be possible to use the C&C to order the bots to self-destruct?

    1. Charles 9

      No, because the malware writers are savvy enough to keep such a mechanism to an extreme minimum. Usually, the self-destruct is self-triggered upon the malware detecting a honeypot or VM (to prevent analysis) and can't be rigged remotely. The botherders want to make sure as many bots remain intact as long as possible.

    2. Crazy Operations Guy

      Possible, but not legal

      While it would be possible to convince the C&C servers to order the bots to self-destruct, it falls foul of the Computer Fraud and Abuse Act or similar laws in other countries. Governments are in no rush to change this, as there is a risk that the bot may take the rest of the system down with it, and since it was the government who caused the botnet to self-destruct, guess who gets to pay for repairs?

  7. Anonymous Coward

    Then the answer is obvious

    Everyone needs to use VMware and run insecure code/OSes from within the VM; the attackers would then find it much harder to identify honeypots, and when the users don't need to play games they can have a secure OS in another VM for things that need to be confidential.

    I vote we take a leaf out of M$'s book and make VMware compulsory with every new machine sold, and M$ pay the cost.
