Spam The Internet

Researchers Take Down a Spam Botnet

The Register is reporting on the takedown of a botnet once responsible for 1/3 of the world's spam. The deed was done by researchers from the security firm FireEye, who detailed the action in a series of blog posts. PC World's coverage estimates that lately the botnet has accounted for 4% of spam. From the Register: "After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. ... Almost immediately, the spam stopped, according to M86 Security blog. ... The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change. ... With [the] head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control..."
  • Re:good work (Score:2, Interesting)

    by socceroos ( 1374367 ) on Tuesday November 10, 2009 @07:41PM (#30053474)
    I'd like that too. Although my IPCOP firewall with CopFilter installed has been killing 99.92% of the spam coming into our network. Really pleased with it.

    On a more related note, would this be classed as vigilante justice? Justified?

    I think it's a cool idea for universities with security classes to study this kind of thing and 'bring it down - safely' as a project. I know I'd enjoy it.
  • by RichardDeVries ( 961583 ) on Tuesday November 10, 2009 @07:41PM (#30053486) Journal
    From TFA:

    Only two command servers were found to be located outside the USA. So does it mean that shutting these servers down would result in a complete botnet shut down? Keeping in view Ozdok's multi layered fallback mechanism the answer here is 'no'.

    and

    After seeing all these fallback mechanisms, it doesn't look very easy to kill Ozdok in one go but hurting this beast might not be that difficult.

  • What OS? (Score:1, Interesting)

    by Yvan256 ( 722131 ) on Tuesday November 10, 2009 @07:43PM (#30053504) Homepage Journal
    What's the Windows OS percentage of that botnet?
  • Re:Patches? (Score:3, Interesting)

    by somersault ( 912633 ) on Tuesday November 10, 2009 @07:51PM (#30053584) Homepage Journal

    Not to mention a lot of people would be seriously PISSED and you'd be in deep legal shit for messing with other people's computers. I'm sure these guys could still face possible trouble even for just admitting they've brought down the head of the botnets, but IMO they're pretty justified to do that. Wiping people's machines, while tempting, is just a no-no. If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.

  • Re:Any more? (Score:5, Interesting)

    by Monkeedude1212 ( 1560403 ) on Tuesday November 10, 2009 @07:55PM (#30053614) Journal

    Eh, depends what you're looking at. Other Botnets have been taken down, usually by physically arresting the hacker who started it. I'm sure that they've tried to stop other Spam Botnets before. They didn't actually STOP Ozdok, they just dented it a bit.

    It's difficult to track how these things start because essentially you've got about a million breadcrumbs to go through.

    Let's say you've got 3 computers, A, B, and C. A infects B, B infects C. There is no direct correlation between A and C, so you have to work your way all the way up the chain. Now imagine you've got a million infected PCs. Who infected who? How do you work your way backwards? There's lots of ways to do this, the most simple of which is to look at the contacts and determine which of the contacts is infected. Then determine the time and date at which the infection occurred (Date Modified/Date Created on the file). Whoever was first was who infected the others.

    The problem with killing it is that it has a "multi layered fallback mechanism" - which is a fancy way of saying it replicates itself. It can do this by either having a secondary program or script copy itself back onto the infected PC when it detects the original infection is gone, or it can do this by RE-infecting any of the computers it was sent to infect in the first place.

    I hope that's enough to make you stagger and wonder exactly how much damage they could have possibly done to this botnet.
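The FireEye excerpt quoted earlier in the thread says Ozdok has a "multi layered fallback mechanism" and that the takedown left bots reporting to sinkholes. The model below is an added example for this discussion, not code from the thread, from FireEye, or from the botnet itself: the three layers (hard-coded hosts, a list of fallback hosts, names derived from the date), the toy name generator and every host name are assumptions chosen only to show what layered fallback means for a takedown. It walks one bot through the layers and shows that seizing the primaries alone just moves the bot to the next layer, while holding every layer (including the names the generator will produce on later days) is what turns the check-ins into sinkhole traffic.

```python
"""Generic model of a bot's layered C&C fallback and what a sinkhole
takeover has to cover.

Added example for this discussion.  The layers, the toy generator and
every host name are assumptions; none of it is Ozdok's real
infrastructure or FireEye's code.
"""
import datetime
import hashlib

PRIMARY_CC = ["cc1.example", "cc2.example"]             # assumed layer 1
FALLBACK_CC = ["backup-a.example", "backup-b.example"]  # assumed layer 2

DAY = datetime.date(2009, 11, 10)          # day of the takedown (assumed)
NEXT_DAY = DAY + datetime.timedelta(days=1)


def generated_names(day, count=3):
    """Layer 3 (assumed): names every bot derives from the date, so the
    operator can register one later without any prior contact."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}-{i}".encode()).hexdigest()
        names.append(f"{digest[:10]}.example")
    return names


def candidate_hosts(day):
    """Order a bot tries: hard-coded hosts first, generated names last."""
    return PRIMARY_CC + FALLBACK_CC + generated_names(day)


def bot_checkin(day, sinkholed, dark):
    """Simulate one bot walking the layers on a given day.

    'sinkholed' are hosts the defenders now answer for; 'dark' are hosts
    that answer nobody (seized, suspended, or simply not registered).
    Returns (host reached, who answered)."""
    for host in candidate_hosts(day):
        if host in sinkholed:
            return host, "sinkhole"
        if host in dark:
            continue
        return host, "operator"      # operator still holds this layer
    return None, "unreachable"


def full_takedown(day):
    """Everything a takedown on 'day' must hold to catch every bot that day."""
    return set(candidate_hosts(day))


if __name__ == "__main__":
    # Untouched botnet: the first hard-coded host answers.
    print(bot_checkin(DAY, set(), set()))
    # Primaries seized but not sinkholed: the bot just moves to layer 2.
    print(bot_checkin(DAY, set(), set(PRIMARY_CC)))
    # Every layer sinkholed: the check-in lands with the defenders.
    print(bot_checkin(DAY, full_takedown(DAY), set()))
    # Only today's generated names held: tomorrow the operator can re-register.
    print(bot_checkin(NEXT_DAY, set(generated_names(DAY)),
                      set(PRIMARY_CC + FALLBACK_CC)))
```

The last case is the practical caveat: a sinkhole that holds today's generated names has to keep registering each day's names for as long as bots keep generating them, or the operator gets a window to take the botnet back.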

  • Re:And meanwhile... (Score:5, Interesting)

    by somersault ( 912633 ) on Tuesday November 10, 2009 @07:57PM (#30053638) Homepage Journal

    Spam isn't so much an economics problem as a "some people are just dicks" problem. A lot of the problem with spam is the current system we use for email. It was never intended for such widespread use and has little to nothing in the way of authentication or security measures. You can encrypt emails for security, sure, but it doesn't help get around the problem of spam.

  • Re:good work (Score:5, Interesting)

    by Lennie ( 16154 ) on Tuesday November 10, 2009 @08:04PM (#30053710)
    You obviously don't work for an ISP. We have to drop SMTP connections on everything which looks too much like a bot, just because of the large number of connections that we get, so that we're able to serve the legit connections, and because scanning all the content would just be too much to handle.

    You would be amazed at the volumes of e-mail ISPs get. More than 98% of it is crap you don't want to receive.
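The comment above describes the ISP side: drop connections from sources that look like bots before reading any content, because scanning everything does not scale. The code below is an added example of that kind of per-source policing, not from the thread or from any ISP's real configuration. The window, the threshold, the listed address (standing in for a DNSBL hit) and the connection log are all constructed assumptions; it decides on source address and recent connection rate only, which is exactly what lets it run before a single byte of message is read.

```python
"""Per-source SMTP connection policing at a mail edge, decided before any
message content is read.

Added example for this discussion.  Window, threshold, the listed
address and the connection log are assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_ATTEMPTS_PER_WINDOW = 20        # assumed ceiling for one source
LISTED_SOURCES = {"203.0.113.7"}    # assumed DNSBL-style listing


class ConnectionPolicer:
    """Decide accept/drop for each SMTP connection attempt using only the
    source address and a sliding window of that source's recent attempts."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS_PER_WINDOW,
                 listed=LISTED_SOURCES):
        self.window = window
        self.limit = limit
        self.listed = set(listed)
        self.attempts = defaultdict(deque)   # src -> timestamps in window

    def decide(self, ts, src):
        if src in self.listed:
            return "drop-listed"
        q = self.attempts[src]
        while q and ts - q[0] >= self.window:   # expire old attempts
            q.popleft()
        q.append(ts)                  # dropped attempts still count, so a
        if len(q) > self.limit:       # bot retrying hard does not earn a slot
            return "drop-rate"
        return "accept"


def _constructed_log():
    """Constructed connection log as (epoch seconds, source address)."""
    log = []
    log += [(1257900000 + i * 12, "198.51.100.4") for i in range(5)]  # legit MTA, spaced out
    log += [(1257900000 + i // 3, "192.0.2.9") for i in range(30)]    # bot: 30 attempts in 10 s
    log += [(1257900030 + i, "203.0.113.7") for i in range(3)]        # listed source
    return sorted(log)


CONNECTION_LOG = _constructed_log()


def summarize(log, policer=None):
    """Run the policer over a log; return {src: {decision: count}}."""
    policer = policer or ConnectionPolicer()
    out = defaultdict(lambda: defaultdict(int))
    for ts, src in log:
        out[src][policer.decide(ts, src)] += 1
    return {src: dict(d) for src, d in out.items()}


if __name__ == "__main__":
    for src, decisions in summarize(CONNECTION_LOG).items():
        print(src, decisions)
```

The legitimate relay's five spaced-out connections all get through, the bot's burst is cut off after the twentieth attempt inside the window, and the listed source never gets a session at all. The trade-off the commenter alludes to is visible in the threshold: set it low enough to hurt bots and a busy but legitimate relay on a single address will start seeing drops, so real deployments pair a limit like this with a whitelist of known relays.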
  • by popo ( 107611 ) on Tuesday November 10, 2009 @08:30PM (#30053974) Homepage

    "You keep what you kill."

    Now... what to do with this enormous botnet?

  • Re:What OS? (Score:4, Interesting)

    by tokul ( 682258 ) on Tuesday November 10, 2009 @08:32PM (#30054000)

    What's the Windows OS percentage of that botnet?

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99 [symantec.com]
    100%, minus the controllers, which might run on any OS

  • Legality? (Score:2, Interesting)

    by Hurricane78 ( 562437 ) <deleted @ s l a s h dot.org> on Tuesday November 10, 2009 @09:04PM (#30054300)

    I'm not against taking down a botnet. But I still think that basic laws are more important. If we don't apply the same rights to really everybody, those "rights" become meaningless.

    FireEye isn't exactly a police or government agency. How exactly can they raid zombie computers of private people? I can't think of any way that this is legal. Which does not make them better than what they are "prosecuting" (a term that, when associated with a private company, usually makes a crime itself).

    Is it like Blackwater? A bunch of criminals who like to legally murder and beat up people? Just that here they like to raid computer systems?

    If you take down a botnet, do it in a legal way!!

  • That's great, but... (Score:4, Interesting)

    by element-o.p. ( 939033 ) on Tuesday November 10, 2009 @09:42PM (#30054624) Homepage
    ...the cynic in me wonders whether or not the researchers might be risking legal problems by doing this [informationweek.com] (at least in Illinois, Colorado, Delaware, Michigan, Oregon, Pennsylvania, and Wyoming and possibly Arkansas, Florida, Georgia, Massachusetts, Tennessee, and Texas as well).
  • by Weaselmancer ( 533834 ) on Tuesday November 10, 2009 @11:00PM (#30055484)

    If we want vigilante justice to become more acceptable in these situations, then it's best to be 'nice' about it.

    Ever read Frank Herbert's The White Plague? It's about a scientist on a trip to Ireland who loses his family in an IRA bombing. He goes nuts and engineers a virus to kill every woman on the planet, figuring "if it has to happen to me, then I'm going to share my misery with the world."

    Where am I going with this?

    We have some pretty epic hackers on the planet. Guys who can disassemble code by looking at it. Guys who don't give one billionth of a crap about legality. Doubt me? Go check your local torrent tracker. There are groups of people out there who break commercial software all the time. They do it for breakfast.

    How much harder could hacker-originated code like botnets be?

    Eventually you're going to get some hacker who has simply had enough. And he's going to form the internet version of the Lincoln County Regulators, go rogue, figure out every botnet they can get their hands on, and wipe every single PC they can right through the bot's command channel.

    It's not IF, it's WHEN.

    Remember - you heard it here first. This is going to happen. Some holier-than-thou uberhacker is going to figure "fuck 'em if they can't handle basic security - they're fucking up MY INTERNET" and lay waste to them all, nuke-it-from-orbit style.

    I'm honestly surprised it hasn't happened yet.

  • by Weaselmancer ( 533834 ) on Wednesday November 11, 2009 @02:21AM (#30056882)

    No no no! You've missed my point. *I* won't be the one to do any of this. I am not Mr. I-am-going-to-fix-it. Holy crap no! I have a career and a family. I'm way too old for lulz. I'm just saying human nature being what it is, someone eventually will.

    And when that someone does, then it'll become a thing. Others will follow. Cowboy justice for anyone who can't secure their systems. It won't happen in a single stroke. One botnet will get hit. Others will get the idea and hit other botnets. It'll become the next new internet game. Used to be cracking DVD protections was enough sport to keep these guys busy. Now it's on to bigger game, so back up your data files everyone.

    What I'm saying is that right now, there is a teenaged kid somewhere. Probably in the Netherlands or some other hacker friendly country where if you do something like this you get a couple of years of community service. It's snowing, he's bored, and all the women are wearing parkas so there is nothing to do. And he keeps having to reconfigure his mail server. Whitelists, blacklists, pattern matching...it's pissing him off.

    Then he's gonna have an idea.

    A couple of weeks later some botnet is going to be completely in the hands of someone who has bigger ideas than spam. He's gonna nuke them. The whole thing.

    Honestly I really am surprised it hasn't happened yet. Botnets are a beautiful hack target.

  • by hesaigo999ca ( 786966 ) on Wednesday November 11, 2009 @10:52AM (#30060146) Homepage Journal

    >more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control

    It's not enough. Those 264k IP addresses should be sent out to a sort of ISP provider sanctuary where they need to contact the people who have the infected PCs and tell them to clean their machines. Just leaving the machines with ongoing malware pinging back home, they might still be able to get owned.

    They need to take down those infected that they know are infected, and force those users to update or get fixed. They are a threat to the internet, and need to be dealt with. Maybe cutting them off the internet for a while would make them call their ISP, and then they could be warned they had been owned and need to clean their PCs. Any further attempts on their machines' part to contact that same "hole" would force them again to be locked out, until such time as they fixed their machines, no?
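The summary says more than 264,000 addresses were seen reporting to FireEye's sinkholes, and the comment above argues those addresses should go to the ISPs that own them so the subscribers get told to clean up. The block below is an added example of that hand-off, not FireEye's tooling or anything from the thread: it parses a constructed sinkhole log, drops non-routable sources, deduplicates by address, maps each address to an ISP by longest prefix match against an assumed prefix table (a real workflow would take that table from WHOIS or BGP data), and emits one batch per ISP. Every address is from the RFC 5737 documentation ranges and every log line is constructed.

```python
"""Turn a sinkhole check-in log into per-ISP notification batches.

Added example for this discussion, not FireEye's tooling.  The log
format, the prefix table and every address are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed prefix -> ISP abuse contact.  Longest matching prefix wins.
PREFIX_OWNERS = {
    "192.0.2.0/24": "isp-alpha",
    "192.0.2.128/25": "isp-alpha-south",
    "198.51.100.0/24": "isp-beta",
    "203.0.113.0/24": "isp-gamma",
}
_OWNER_NETS = sorted(
    ((ipaddress.ip_network(p), who) for p, who in PREFIX_OWNERS.items()),
    key=lambda t: t[0].prefixlen, reverse=True)

# Sources that cannot identify a subscriber on the public Internet.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sinkhole log: timestamp, source address, request line.
SINKHOLE_LOG = """\
2009-11-10T02:03:11Z 192.0.2.17 GET /check HTTP/1.1
2009-11-10T02:03:12Z 192.0.2.17 GET /check HTTP/1.1
2009-11-10T02:04:40Z 198.51.100.9 GET /check HTTP/1.1
2009-11-10T02:05:01Z 192.0.2.200 GET /check HTTP/1.1
2009-11-10T02:05:59Z 10.0.0.5 GET /check HTTP/1.1
2009-11-10T03:10:00Z 203.0.113.44 GET /check HTTP/1.1
2009-11-10T03:10:05Z not-an-address GET /check HTTP/1.1
"""


def parse_log(text):
    """Yield (timestamp, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ts, ip


def owner_of(ip):
    """Longest-prefix match of an address against the owner table."""
    for net, who in _OWNER_NETS:
        if ip in net:
            return who
    return "unassigned"


def build_batches(text):
    """Return {isp: {ip: {"first": ts, "last": ts, "hits": n}}}.

    One entry per routable source address, carrying the time window the
    ISP needs to resolve a dynamically assigned address to a customer."""
    seen = {}
    for ts, ip in parse_log(text):
        if any(ip in net for net in _NON_ROUTABLE):
            continue
        rec = seen.setdefault(ip, {"first": ts, "last": ts, "hits": 0})
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["hits"] += 1
    batches = defaultdict(dict)
    for ip, rec in seen.items():
        batches[owner_of(ip)][str(ip)] = rec
    return dict(batches)


if __name__ == "__main__":
    for isp, hosts in sorted(build_batches(SINKHOLE_LOG).items()):
        print(isp)
        for ip, rec in sorted(hosts.items()):
            print(f"  {ip}: {rec['hits']} check-ins, {rec['first']} .. {rec['last']}")
```

The first-seen and last-seen timestamps are not decoration: on a residential network an address alone names nobody, so an abuse desk can only act on an address paired with the time it was observed.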
