
Zeus Botnet Dealt a Blow As ISPs Troyak, Group 3 Knocked Out

itwbennett writes "Ninety of the 249 Zeus command-and-control servers were knocked offline overnight when two ISPs, named Troyak and Group 3, were taken offline. Whoever was behind the takedown 'just decided to knock out a large area of cyber-crime, and this was probably one of the easiest ways to do it,' said Kevin Stevens, a researcher with SecureWorks. As with the McColo takedown of just over a year ago, Troyak's upstream providers seem to have knocked it off the Internet, Cisco said in a statement. 'The ISP was "De-peered,"' Cisco said. 'Troyak's upstream network providers effectively pulled the plug on Troyak's router, refusing to transmit its traffic.'"
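The summary describes the takedown mechanism only in prose: the upstream providers stopped carrying Troyak's traffic, so everything hosted behind it dropped off the Internet. The following Python model, added here as an illustration and not taken from the article, Cisco, or SecureWorks, treats the Internet as an AS-level peering graph, models "de-peering" as the removal of every link touching the cut-off network, and counts how many command-and-control servers remain reachable from the rest of the Internet. The graph, the upstream names, the vantage AS and the per-network split of the 90 servers are all constructed assumptions; only the names Troyak and Group 3 and the totals 249 and 90 come from the story.

```python
from collections import deque

# Constructed AS-level peering graph. Only "TROYAK" and "GROUP3" are names
# from the story; every other AS and every link is assumed for illustration.
PEERING = {
    "TIER1-A": {"TIER1-B", "UPSTREAM-1", "ISP-X"},
    "TIER1-B": {"TIER1-A", "UPSTREAM-2", "ISP-Y"},
    "UPSTREAM-1": {"TIER1-A", "TROYAK"},
    "UPSTREAM-2": {"TIER1-B", "TROYAK", "GROUP3"},
    "TROYAK": {"UPSTREAM-1", "UPSTREAM-2"},
    "GROUP3": {"UPSTREAM-2"},
    "ISP-X": {"TIER1-A"},
    "ISP-Y": {"TIER1-B"},
}

# Constructed C&C inventory keyed by hosting AS. The totals (249 servers,
# 90 on the two de-peered networks) follow the story; the split is assumed.
CC_SERVERS = {"TROYAK": 60, "GROUP3": 30, "ISP-X": 84, "ISP-Y": 75}


def reachable(peering, origin):
    """Breadth-first search: every AS reachable from `origin` over live links."""
    seen = {origin}
    queue = deque([origin])
    while queue:
        asn = queue.popleft()
        for neighbour in peering.get(asn, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def depeer(peering, victim):
    """Model the upstreams refusing to carry `victim`'s traffic: remove every
    link touching `victim` in both directions. Returns a new graph."""
    new = {asn: set(links) for asn, links in peering.items()}
    for asn in new:
        new[asn].discard(victim)
    new[victim] = set()
    return new


def repeer(peering, asn, new_upstream):
    """Model the cut-off network buying transit from a different upstream,
    the 'put back together next week' scenario. Returns a new graph."""
    new = {a: set(links) for a, links in peering.items()}
    new.setdefault(asn, set()).add(new_upstream)
    new.setdefault(new_upstream, set()).add(asn)
    return new


def online_cc(peering, cc_servers=CC_SERVERS, vantage="TIER1-A"):
    """Count C&C servers still reachable from the rest of the Internet,
    represented here by the (assumed) vantage AS."""
    live = reachable(peering, vantage)
    return sum(n for asn, n in cc_servers.items() if asn in live)


def takedown_effect(peering, victims, cc_servers=CC_SERVERS):
    """Return (online_before, online_after) for de-peering each AS in `victims`."""
    before = online_cc(peering, cc_servers)
    after_graph = peering
    for victim in victims:
        after_graph = depeer(after_graph, victim)
    return before, online_cc(after_graph, cc_servers)


if __name__ == "__main__":
    before, after = takedown_effect(PEERING, ["TROYAK", "GROUP3"])
    print(f"C&C servers reachable: {before} before, {after} after de-peering")
    restored = repeer(depeer(PEERING, "TROYAK"), "TROYAK", "TIER1-B")
    print(f"After Troyak finds a new upstream: {online_cc(restored)} reachable")
```

The model makes two points the thread argues about concrete: de-peering only removes the servers that have no other path to the rest of the graph, and a single new transit agreement undoes the whole effect, which is why a count of "servers offline" measured the day of a takedown says little about its durability.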
  • Good (Score:5, Insightful)

    by drDugan ( 219551 ) * on Wednesday March 10, 2010 @08:00PM (#31432820) Homepage

    What about the other 150?

    I have a difficult time understanding how Zeus is *still* around; it started in mid 2007! According to WP, it has more than 3.6 Million infected PCs.

    There is no reasonable stance that defends the existence or the activities of botnets either legally or morally. How is it that we know there are 150 other command nodes, presumably that we can also discover their IP addresses, but law enforcement has been unable to bring them down?

    While I understand there are differences in laws, and with what is legal and what is accepted in different jurisdictions, but this seems patently absurd. If an ISP provides service to a verified botnet control node, and refuses to quickly turn them off, I would expect immediate upstream action like this. Why hasn't this happened even more?

  • Words (Score:5, Insightful)

    by Threni ( 635302 ) on Wednesday March 10, 2010 @08:06PM (#31432862)

    knocked offline...taken offline....takedown...knock out.......have knocked it off..."De-peered,"'...pulled the plug... refusing to transmit

    I'm sorry, you're going to have to repeat that; what happened? Were they somehow removed from the internet?

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday March 10, 2010 @08:21PM (#31432978)

    Why hasn't this happened even more?

    Because the spammers and such are paying good money for such "bullet-proof" hosting sites.

    Meanwhile, the more legitimate ISPs don't want to spend the money to block the command/control servers individually on their networks.

  • Tangled memes (Score:2, Insightful)

    by moteyalpha ( 1228680 ) on Wednesday March 10, 2010 @08:26PM (#31433024) Homepage Journal

    In Russia, Chuck Norris knocks out your bot net ninety times, as he turns seventy.
    I smell my karma burning.

  • by Señor Jojoba ( 519752 ) on Wednesday March 10, 2010 @08:41PM (#31433128) Homepage

    As far as I can tell, Cisco wasn't involved in the decisions. It looks like the writer went to the two ISPs for comment, but came up dry--well, except for that one anonymous comment. Then the writer asked Cisco what they thought about the whole thing to fill out the piece. Probably the ISPs are afraid of being targeted in retaliation and want to keep a low profile.

  • by asdf7890 ( 1518587 ) on Wednesday March 10, 2010 @08:46PM (#31433194)

    knocked offline...taken offline....takedown...knock out.......have knocked it off..."De-peered,"'...pulled the plug... refusing to transmit

    ... IT IS A DEAD ISP! </cleese>

  • Re:Good (Score:4, Insightful)

    by Attila Dimedici ( 1036002 ) on Wednesday March 10, 2010 @09:19PM (#31433430)
    Any system that can reliably take botnets offline can also be (mis)used to reliably take something like wikileaks offline.
  • Re:Good (Score:3, Insightful)

    by jd2112 ( 1535857 ) on Wednesday March 10, 2010 @09:21PM (#31433446)

    There is no reasonable stance that defends the existence or the activities of botnets either legally or morally.

    "We can make money off of it" seems to work for a lot of people.

  • by cdrguru ( 88047 ) on Wednesday March 10, 2010 @09:29PM (#31433504) Homepage

    The only way to truly combat cybercrime is to just cut the connection.

    When you have a country that willingly harbors criminals - just because they are attacking someone else - the problem ceases to be one of law enforcement or diplomacy. Sure, you can try to send some cops over there and see what can be accomplished. For the most part, not much.

    The key is that if Russia, Bulgaria, Romania or wherever wants to have "Internet freedom" for their citizens where they can do whatever the heck they want without any consequences, the only possible response is for everyone else on the planet to just agree to pull the plug.

    Now, so far it has been impossible to make this happen. Nobody has cared enough because "well, it is just some virtual land called cyberspace." For the most part, law enforcement doesn't care if people are robbed in cyberspace - it isn't really their jurisdiction. There is no global cop that can go anywhere to track down cybercriminals, and in most of the world a request to please go down and arrest someone because they committed a crime somewhere else is met with guffaws and snickers. So as long as your local law enforcement was willing to turn a blind eye to your activities, you could pretty much get away with anything.

    And believe me, in most of the world today, law enforcement has a lot better things to do than deal with any sort of computer crime. So there are zero consequences. Something a lot of people have learned over the last 15 years or so. Of course a few Unix geeks knew that since 1980 or so.

    Now, if this sticks and if it can be repeated - both of which are highly doubtful - we might actually get somewhere in having some real consequences for bad actions on the Internet. But I suspect this will all be put back together next week (if not sooner) and there will continue to be zero consequences. Keep this in mind, because if you annoy someone enough on the Internet there is a chance they already know there are no consequences in most of the world. Lori Drew is a case in point. They really wanted to nail her for something, anything. But the rule of cyberspace wins out in the end. The physical world has real consequences, the virtual world has only virtual consequences.

  • Re:Windows again (Score:5, Insightful)

    by cdrguru ( 88047 ) on Wednesday March 10, 2010 @09:35PM (#31433528) Homepage

    The target is a "user". Anyone that doesn't understand system administration and security that is left alone with a computer can defeat anything that the OS does. If your grandma wants to install something like WeatherBug on Linux and the software to do this exists, she will succeed. If it requires root access and she has it, she will provide it in copious amounts for the malware application. Whatever is needed will be provided. Because she knows she wants to install this, for some utterly unknown reason.

    Now, if you have a computer that it is impossible for the user to install stuff on, well then you have a much more secure platform. Unfortunately, this requires an administrator for those cases where something is really needed and actually should be installed. Once the user and the administrator are the same person, you have just lost any semblance of security.

    99% of the Windows machines in homes out there do not have an administrator other than the user themselves. If these were magically replaced by Linux machines with the same administrator, this wouldn't solve anything. Sure, the user would need to do sudo or su in order to really screw things up, but if the application they thought they wanted to install asked for it, they would do it.

  • by J'raxis ( 248192 ) on Wednesday March 10, 2010 @09:39PM (#31433544) Homepage

    There seems to be an implication that Troyak and Group 3 were somehow complicit with all this botnet activity, yet no such claims are actually being explicitly made - just that the ISPs have been "associated" with these botnets, whatever that means.

    Did these ISPs have legitimate customers who have now been cut off because of the criminals alongside them on the ISP's network? Was the ISP asked to deal with the situation first, and either ignored or refused such requests? If these ISPs were fronts for the botnet owners, where's the evidence? Did someone just think, oh, there are a bunch of bad guys on this ISP; let's cut the whole thing off and fuck the rest of their customers?

    This action sounds like the IT equivalent of a government blowing up an entire city block because a couple terrorists are renting an apartment there.

    If these ISPs have legitimate customers, hopefully they sue the hell out of the upstream for this.

  • Beowulf cluster (Score:3, Insightful)

    by nacturation ( 646836 ) * <nacturation AT gmail DOT com> on Wednesday March 10, 2010 @09:52PM (#31433616) Journal

    36% of their highly redundant infrastructure was made unavailable, leaving 64% of the control servers online and fully capable of servicing the millions of bots under its control.

  • by Plekto ( 1018050 ) on Wednesday March 10, 2010 @09:53PM (#31433630)

    The only way to truly combat cybercrime is to just cut the connection.

    What will end up happening is that there will be several chunks of the "Net". So Nigeria can do its own thing (as an example). There's absolutely nothing to keep other countries from yanking the plug on anyone that they want as soon as it crosses their borders. "We don't like you - get lost" seems like a fairly effective way, especially for countries that lack a proper satellite infrastructure and have to rely on optical and metal/copper wire connections to get in and out.

    Often this boils down to as few as 2-3 main optical cables. Cut those at the border and they're in the dark. People are exactly correct that this is a political problem. The countries of the world that have the power need to flex their muscles and deny those who don't police their own traffic adequately a chance to participate. Now, I'm all for freedom and all of that, but it's like having a town meeting and one guy in the back with Tourette's keeps screaming at the top of his lungs. Sensible people politely push him out the door, lock it, and proceed with the meeting.

    I bet even a week without any net in most countries would suddenly get a few thousand police mobilized and start kicking down doors. But as it is, without any stick, there's no incentive for them to do anything at all about it.

  • Re:YRO (Score:2, Insightful)

    by Anonymous Coward on Wednesday March 10, 2010 @10:11PM (#31433742)

    Nobody likes to see crooks get away with being crooks but keep in mind if you are championing the forced removal of content like this, then you are also championing the removal of any content deemed objectionable by a governing body.

    Please drop the strawman and move away slowly.
    Botnets are NOT content.

  • Re:Good (Score:3, Insightful)

    by efalk ( 935211 ) on Wednesday March 10, 2010 @10:21PM (#31433792)

    All that needs to be done is force ISPs in other countries to stop peering with them.

    "Force"? How do you propose we do that?

  • Re:Good (Score:4, Insightful)

    by HungryHobo ( 1314109 ) on Wednesday March 10, 2010 @10:23PM (#31433804)

    Ya I'm not really seeing the victory here.

    If 90 of their command and control servers are knocked off can't they just push an update out through one of their other 159 command servers to the botnet to add another 1000 potential command and control servers scattered around the internet?

  • Re:Words (Score:4, Insightful)

    by Angst Badger ( 8636 ) on Wednesday March 10, 2010 @10:59PM (#31434032)

    TFA attributes this to "anonymous community action".

    Of which there might be more if someone would be thoughtful enough to publicly post the IP addresses of the command and control nodes of major botnets on a regular basis.

  • Re:Good (Score:1, Insightful)

    by Anonymous Coward on Thursday March 11, 2010 @02:16AM (#31434974)

    It isn't always so clear cut. Sure, there are ISPs like McColo and the two from TFA, but what about ISPs frequented by stupid people (often the major telecom in most countries) who get themselves infected? We all know that these masses of zombie machines are out there, including on the ISPs in question. So should those ISPs start cutting off infected users? Let alone the opportunity to sabotage competing ISPs (rent their service and do something illegal, then report them and get them shut down).

    The other problem with your plan is that you suggest that ISPs should be responsible for their traffic. I can hear the cheers from the *IAAs from here, and I bet you can too. They'd pounce on this to force the ISPs to police their product, since obviously the ISPs are obligated to take down illegal traffic. And you better believe that any ISP-policing law won't explicitly target only botnets; in fact, I wouldn't be surprised if stopping botnets was a secondary consideration by the lawmakers (the primary being "stop those nasty internet folk from 'stealing' from the nice company that bought me this yacht").

    This is all ignoring the fact that we don't have a world government and that diplomats will gladly refuse to police another country's laws, just to spite them (depending on the particulars of the political relationship) or to turn an advantage. And the criminals only need find one country which doesn't want in on this absurd law.

  • Re:Good (Score:3, Insightful)

    by mikael_j ( 106439 ) on Thursday March 11, 2010 @09:17AM (#31436608)

    You're assuming that most customers would not fix their equipment and that they would switch to another ISP; my experience tells me otherwise: most users would rather fix their own equipment than change ISPs.

    Also, did you notice the second paragraph where I mentioned ISPs actually using these rules against other ISPs who are their customers? We're not talking about Bargain Bob's Discount Intarwebs here, we're talking about Level 3, TeliaSonera, Verizon, AT&T et al actually bothering to disconnect Bargain Bob's Discount No Questions Asked As Long As You Pay Us Intarwebs from their networks. There's a fairly small number of Tier 1 and regional Tier 1 ISPs out there and once a "rogue" smaller ISP gets blacklisted with a few of these it's likely the others will do the same.

    /Mikael

  • by oreaq ( 817314 ) on Thursday March 11, 2010 @10:01AM (#31436936)

    The countries of the world that have the power need to flex their muscles and deny those who don't police their own traffic adequately a chance to participate.

    So you suggest our great leaders should cut every country from the internet that doesn't implement the terrorist-and-child-molester-stopping three strikes law? Politicians will abuse every power that we the people give them.
