
Researchers Take Down a Spam Botnet

Posted by kdawson
from the chalk-up-one-for-the-good-guys dept.
The Register is reporting on the takedown of a botnet once responsible for 1/3 of the world's spam. The deed was done by researchers from the security firm FireEye, who detailed the action in a series of blog posts. PC World's coverage estimates that lately the botnet has accounted for 4% of spam. From the Register: "After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. ... Almost immediately, the spam stopped, according to M86 Security blog. ... The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change. ... With [the] head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control..."


  • by RichardDeVries (961583) on Tuesday November 10, 2009 @07:41PM (#30053486) Journal
    From TFA:

    Only two command servers were found to be located outside the USA. So does it mean that shutting these servers down would result in a complete botnet shutdown? Keeping in view Ozdok's multi-layered fallback mechanism, the answer here is 'no'.

    and

    After seeing all these fallback mechanisms, it doesn't look very easy to kill Ozdok in one go but hurting this beast might not be that difficult.

    • by Meshach (578918)
      I guess that the important thing is that this process will make a dent in the spammers' processes.

      Until now attempts to actually trace and shut down have not been fruitful. I think the fact that something was done is very positive.
    • by shentino (1139071)

      Sounds also like a damn good reason why it's futile trying to rely solely on US law enforcement to take these bad boys down.

      I bet several of them are hosted in countries that don't give a flying fuck about the US.

      Iran being one of them.

      I wouldn't be surprised if some governments even look the other way on purpose just to spite the west.

  • And meanwhile... (Score:4, Insightful)

    by damn_registrars (1103043) <damn.registrars@gmail.com> on Tuesday November 10, 2009 @07:45PM (#30053524) Homepage Journal
    Another botnet is on the verge of picking up a good number of those systems. Within a very short while we'll see the spam levels right back where they were before. Anti-botnet activities are good when done in the name of anti-botnet activity, but they are weak efforts in the name of stopping spam. The way to stop spam is to fight it as the economic problem that it is; if people continue to go after the symptoms of spam like this they will continue to find themselves quickly thwarted.
    • Next thing you know we'll take the same approach to murder, theft, gangs, drugs, etc and soon we'll end up with a utopia... then how will the billionaires get $100 bills to light their $500 cigars???

    • Re:And meanwhile... (Score:5, Interesting)

      by somersault (912633) on Tuesday November 10, 2009 @07:57PM (#30053638) Homepage Journal

      Spam isn't so much an economics problem as a "some people are just dicks" problem. A lot of the problem with spam is the current system we use for email. It was never intended for such widespread use and has little-to-none in the way of authentication or security measures. You can encrypt emails for security, sure, but it doesn't help get around the problem of spam.

      • by damn_registrars (1103043) <damn.registrars@gmail.com> on Tuesday November 10, 2009 @10:00PM (#30054854) Homepage Journal

        Spam isn't so much an economics problem as a "some people are just dicks" problem

        That statement is accurate only for those who believe that spam is sent out to piss you off. Perhaps the spam you receive is somehow different from the spam that is sent to me? The spam that is sent to my addresses is sent to sell various products or services. And why is the spam sent to sell products? Because someone is paying the spammer to send it.

        Spam is a product that people are willing to pay for.

        Hence spam is an economic problem, because there is economic incentive to send it. Billions or trillions of spam messages can be sent at nearly no cost to the spammer; very little business needs to come from those spam messages to make them incredibly profitable.

        A lot of the problem with spam is the current system we use for email. It was never intended for such widespread use and has little-to-none in the way of authentication or security measures.

        I have yet to see a proposed replacement for the existing email system that actually suggests anything that would make a bit of meaningful difference for spam issues.

        You can encrypt emails for security, sure, but it doesn't help get around the problem of spam.

        I agree with you on that. Encryption isn't worth squat in regards to spam.

    • Another botnet is on the verge of picking up a good number of those systems.

      I wouldn't be so sure about that. I seem to remember a year or so ago reading about someone's honeypot experiment. One of the first things done to the machine after the hacker got access was to close several common vulnerabilities.
      I don't know about this botnet, but if I were an evil bastard who managed to take over your computer, the first thing I would do would be to make sure your computer stayed mine.
      In fact from time to time

      • by iris-n (1276146)

        In fact from time to time I have considered the possibilities of a virus that would format the hard disk.

        As a time bomb, you see.

        But I always think about the grannies losing the family photos and I give up.

        Or it could be distributed only through porn.

        Nothing against porn. But that would select out (most) grannies, leaving the stupid fucks who hunt for porn in IE6.

        Humm. I'm getting bitter. Better stop with the porn and get sex.

    • by popo (107611)

      How exactly does one fight the economic problem? And does it involve giving everyone a pony?

    • by mcrbids (148650) on Tuesday November 10, 2009 @08:31PM (#30053982) Journal

      The way to stop spam is to fight it as the economic problem that it is; if people continue to go after the symptoms of spam like this they will continue to find themselves quickly thwarted.

      Sure. Let's educate every farking idiot on the face of the earth. Just like we did with consumers the world over in every single city across the fruited plain. It's worked well for hundreds of years! "Buyer beware" and Heaven help you if you should get defrauded...

      What's that you say? We didn't do that? Instead, we instituted "consumer protection" laws that require vendors to adhere to minimal standards of conduct and safety? Laws that prevent manufacturers from making unsafe cars and selling poisoned food? You mean, I can go into pretty much any restaurant and be confident that I probably won't get some terrible disease from poorly cooked food and un-refrigerated meats?

      Yes, on the 'net, it's the wild, wild west, all over again. But now problems "over there" have become problems "over here", and suddenly, things like the sorry legal state of Nigeria and Somalia are in our face. Will we fix it overnight? No, but we will fix it. Sure, we'll never get rid of it completely - the Mafia still exists, and gangs still thrive in areas of the mostly controlled First World. (We can greatly mitigate the gangs by legalizing their primary revenue stream, the drugs, but while related, that's another post.)

      The thing is that by legally controlling the terms of commerce, we promote healthy commerce. Outlawing commerce altogether has roughly the same effect as not regulating it at all - fraud and crime set in, legitimate business moves out. To control spam, we need to control commerce, world wide. And that's a big, big problem that will take at least a generation or two to handle.

      • Sure. Let's educate every farking idiot on the face of the earth. Just like we did with consumers the world over in every single city across the fruited plain. It's worked well for hundreds of years! "Buyer beware" and Heaven help you if you should get defrauded

        If you somehow took what I said to mean that I wanted to do what you are suggesting, then I ask you to go back to read it again.

        To control spam, we need to control commerce, world wide. And that's a big, big problem that will take at least a generation or two to handle.

        That is a bit closer to what I was suggesting, but going from the opposing side of the same coin.

  • by turing_m (1030530) on Tuesday November 10, 2009 @07:50PM (#30053578)

    At company picnics, employees are encouraged to take part in "Whack-a-mole" competitions during summertime, and ice sculpting during the winter.

  • WTF? (Score:5, Insightful)

    by MikeURL (890801) on Tuesday November 10, 2009 @08:13PM (#30053804) Journal
    Why is some obscure security firm doing the job that governments should have done 10 years ago?

    Seriously. Can someone please give me a reasonable explanation of why rogue CnC servers and registrars are allowed to continue operations?
    • Re: (Score:3, Funny)

      by socceroos (1374367)

      Seriously. Can someone please give me a reasonable explanation of why rogue CnC servers and registrars are allowed to continue operations?

      Because it's actually the government who creates and controls these 'botnets'. They're used to spy on us since they have a computer on each end of each router, meaning they can reliably trace data streams in foreign countries to their true original source.

      Ok, so that wasn't necessarily accurate. But, I've heard on the low-down that the fellows who were working on Titan Ra

    • Re: (Score:3, Insightful)

      by mpe (36238)
      Why is some obscure security firm doing the job that governments should have done 10 years ago?

      Exactly, we hear about "researchers", even broadcasters, doing this. But never about regular law enforcement...
      Governments don't appear interested in dealing with this. Probably because it isn't the (alleged) profits of the entertainment industry being affected.
  • by popo (107611) on Tuesday November 10, 2009 @08:30PM (#30053974) Homepage

    "You keep what you kill."

    Now... what to do with this enormous botnet?

  • Legality? (Score:2, Interesting)

    by Hurricane78 (562437)

    I'm not against taking down a botnet. But I still think that basic laws are more important. If we don't apply the same rights on really everybody, those "rights" become meaningless.

    FireEye isn't exactly a police or government agency. How exactly can they raid zombie computers of private people? I can't think of any way that this is legal. Which does not make them better than what they are "prosecuting" (a term that, when associated with a private company, usually constitutes a crime itself).

    Is it like Blackwater?

    • Re:Legality? (Score:4, Insightful)

      by JohnFen (1641097) on Tuesday November 10, 2009 @09:45PM (#30054672)

      From reading all the FireEye blog posts on the operation, I can't find any point where they broke the law or even behaved in a way that violated anybody's rights.

      What they did was to coordinate things so that ISPs and domain registrars followed existing procedures to shut down sites and revoke domain names. They also found some domain names that were programmed to be used as fallbacks but had not yet been registered, then registered those.

      It looks like at no time did they actually hack anybody or penetrate computers, either innocent bystanders or guilty people, nor did they use the botnet themselves, so there's no legal or ethical problem here -- assuming their reports are complete and correct, obviously.

    • Re: (Score:3, Informative)

      Zombies aren't people.
    • by cdrguru (88047)

      So what laws do you think are being broken? And how would any government prosecute someone or even collect evidence to be used in a prosecution? They might have an IP address, but we have just spent a few years proving in courts that an IP address cannot be connected to an individual.

      In most of the places where the people who are running these things are located it simply isn't against the law to do so. You might be surprised at how many places it is legal to defraud and steal from US citizens when it is

  • I for one welcome our new botnet masters.

  • That's great, but... (Score:4, Interesting)

    by element-o.p. (939033) on Tuesday November 10, 2009 @09:42PM (#30054624) Homepage
    ...the cynic in me wonders whether or not the researchers might be risking legal problems by doing this [informationweek.com] (at least in Illinois, Colorado, Delaware, Michigan, Oregon, Pennsylvania, and Wyoming and possibly Arkansas, Florida, Georgia, Massachusetts, Tennessee, and Texas as well).
    • FireEye employees have accessed computer systems they are not authorised to access, and have halted services and caused malicious damage. Bottom line.

      If any of those control servers were in the UK, I'd be writing to my MP to illustrate this point and calling for extradition of all employees who engaged in this activity. Gary McKinnon performed no such actions of damage, with no intent to deny access to any system whatsoever, unlike these "security researchers" (crackers).

      Troll? No, just looking for some
  • by mattr (78516) <mattr.telebody@com> on Tuesday November 10, 2009 @11:30PM (#30055742) Homepage Journal

    We really need an analysis done and report made to the public security community. This is a unique chance to discover what are the real vulnerabilities to the mass of computing power on which criminals prey.

    A federal or state level court needs to authorize the researchers to do such an analysis. Even a single state would be enough, if the zombie IPs can be reliably mapped to that state. I would envision the analysis to include:

    - Make a full study of many individual zombie PCs: What antivirus, firewall, OS, applications, etc. are installed, including version numbers and a fingerprint (to identify whether they are super-vulnerable copies from warez sites, infected OEMs, etc.).
    - Monitor usage of a small number of PCs to identify what user habits lead to zombification, based on the theory that these PCs will become zombies of another botnet soon probably. What should be monitored, and for how long?
    - Contact (with law enforcement assistance) a small number of individual users to interview them. Publish anonymized interviews for representative cases so the public can better learn what constitutes dangerous habits.
    - Report anonymized individual representative cases, trends and statistics.

    Discuss whether the defanged botnet should be used to destroy other botnets. Too much discussion would alert the other net owners. People could opt in based on a message sent to infected PCs, if the authorities support it, but unless those bots are hardened they might open the owners to retaliatory attacks.

    At least, let's find out if antivirus really doesn't work, what habits led to botnet creation, and how we can alert zombie owners so they adopt more secure practices.

  • by hesaigo999ca (786966) on Wednesday November 11, 2009 @10:52AM (#30060146) Homepage Journal

    >more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control
    It's not enough. Those 264k IP addresses should be sent out to a sort of ISP provider sanctuary where they need to contact the people who have the infected PCs and tell them to clean their machines; just leaving the machines with an ongoing malware pinging back home, they might still be able to get owned.

    They need to take down those infected that they know are infected, and force those users to update or get fixed. They are a threat to the internet, and need to be dealt with... maybe cutting them off the internet for a while would make them call in their ISP and then they could be warned they had been owned, and need to clean their PCs. Any further attempts on their machines' part to contact that same "hole" would force them again to be locked out... until such time as they fixed their machines, no?
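As an added example (not code from the thread, FireEye or M86), here is how check-ins to sinkholed fallback domains, like the 264,000 IPs mentioned in the summary, could be turned into the per-ISP notification batches this comment asks for. The log format, prefixes and abuse contacts are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sinkhole log (not real data): timestamp, bot source IP, sinkholed fallback domain.
# The last line is deliberately malformed to show that garbage must not poison a notification batch.
SINKHOLE_LOG = """\
2009-11-09T12:00:01Z 203.0.113.17 fallback-example-1.test
2009-11-09T12:00:03Z 203.0.113.42 fallback-example-1.test
2009-11-09T12:00:07Z 198.51.100.5 fallback-example-2.test
2009-11-09T12:01:10Z 203.0.113.17 fallback-example-2.test
2009-11-09T12:02:00Z 192.0.2.200 fallback-example-1.test
2009-11-09T12:02:05Z not-an-ip fallback-example-1.test
"""

# Constructed allocation table: which ISP prefix an infected IP belongs to, and whom to notify.
ISP_PREFIXES = {
    "203.0.113.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_checkins(log_text):
    """Return {ip: set(sinkholed domains)} for well-formed lines; malformed lines are skipped."""
    checkins = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, ip, domain = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address; never forward it to an ISP
        checkins[str(addr)].add(domain)
    return dict(checkins)


def batch_by_isp(checkins, prefixes):
    """Group infected IPs by the ISP prefix they fall in; IPs with no known owner go to 'unassigned'."""
    nets = [(ipaddress.ip_network(p), contact) for p, contact in prefixes.items()]
    batches = defaultdict(list)
    for ip in sorted(checkins, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        contact = next((c for n, c in nets if addr in n), "unassigned")
        batches[contact].append(ip)
    return dict(batches)


def repeat_checkins(checkins, min_domains=2):
    """IPs seen on more than one sinkholed domain: the bot is cycling its fallback list and is still live."""
    return sorted(ip for ip, d in checkins.items() if len(d) >= min_domains)
```

The repeat-check-in list is the set this comment proposes escalating: hosts that keep walking the fallback list after the first notification.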
