Torpig Botnet Hijacked and Dissected 294
An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"
uuh..yeah. (Score:5, Interesting)
why dont they just send a self destruct/uninstall command and kill it or would that be too simple ?
Re:uuh..yeah. (Score:5, Insightful)
Funny thing is, if you do a favor for someone you don't even get thanked, but screw it up even a bit and you get slapped with a lawsuit.
Re:uuh..yeah. (Score:5, Insightful)
Re: (Score:2, Insightful)
We need the full weight of the law to come down on these creeps. How is this any better than a pickpocket, or a den of thieves? Answer, not at all. I understand that we like the freedom of the internet. But making a bot of somebody's computer is akin to rape. Stealing 10,000 credit cards warrants a life sentence, and governments must fund efforts to detect and arrest the people responsible. Plus, our banks and stores and so on must get smarter security.
Re:uuh..yeah. (Score:5, Insightful)
Wow. The sentiment is unarguable, but the rest of your post is amazingly uninformed.
What is a den of thieves? Do thieves nest in the rafters of seedy pubs or something? Did anyone imply that credit card theft was "better" than some other kind of theft?
I understand that we like the freedom of the internet. But making a bot of somebody's computer is akin to rape.
Non sequitur. Also, the analogy is not appropriate: there is no physical harm being done.
...governments must fund efforts to detect and arrest the people responsible.
They do. Perhaps you can improve on that suggestion with some further content.
Plus, our banks and stores and so on must get smarter security.
Smarter than what? As long as they have massive amounts of valuable information, they are targets. However, that's not really the subject of TFA, which is the low-hanging fruit consisting of people using insecure browsers and operating systems. The people running Torpig didn't need to hack a bank, they just relied on people being idiots. Vista and Win7 may be steps towards a more secure desktop environment, but they're not a cure for the root issue: PEBKAC.
PEBKAC being ubiquitous, we should not expect a solution to the botnet issue any time soon. Just try and think of it as another idiot tax.
Re:uuh..yeah. (Score:5, Insightful)
They do. Perhaps you can improve on that suggestion with some further content.
Problem is that a lot of countries DON'T care about these kinds of crimes. Laws tend to have a hard time keeping up with technology.
Re: (Score:3, Insightful)
I understand that we like the freedom of the internet. But making a bot of somebody's computer is akin to rape.
Non sequitur. Also, the analogy is not appropriate: there is no physical harm being done.
You could argue that no physical harm is being done in either case*. Most (if not all) harm is psychological. Assuming another crime is not commited at the same time (assault the victim is not rape. They just happened at the same time).
* STDs make this a bit more confusing. Until STD infection is a crime in and of itself, it will continue to complicate it.
Re:uuh..yeah. (Score:5, Insightful)
Let's not limit this to computers. If someone breaks into your house or steals your car, cell phone, credit card, etc. then you should be responsible for all crimes committed by the thief. You are not just a victim, you are an accomplice. If you cannot reasonably protect yourself from physical theft by learning martial arts and proper use of firearms/weapons, you should just stick to...computers?
Computers and the internet are sold as toys and a convenient way to handle business transactions for the common person. The common person has a reasonable expectation that upon opening the box, his computer and his personal data will be reasonably secure. If the OEMs can't provide that level of security, or that level of security can only be achieved by a certain amount of training, then they should put a giant disclaimer on the splash screen stating that any and all data put on that computer will likely be stolen and that the computer will probably be taken over by theives for crimminal activities.
Re:uuh..yeah. (Score:5, Insightful)
You've latched onto the wrong thing here. The key is not that you should be responsible to avoid becoming a victim, the key is that you should be responsible for the equipment you are operating causing harm to others. The analogous situation would be driving an unmaintained car. For instance, here in the UK, cars must undergo an MOT every year to determine that they are safe for the road. If a car owner skips their MOT and is involved in an accident, they are in big trouble. In addition, before driving that car, the person must show themselves to be capable of operating it with a degree of skill that is reasonable to avoid harm to others. To turn this back around, the analogous situation with computers would be a course before people are allowed onto the Internet to teach people not to run random executables etc., and a requirement to install all available security patches as part of their ongoing maintenance.
Re: (Score:3, Insightful)
Not quite. The analogy is that you drive an unmaintained car, after being sold that car with assurance that it requires zero maintenance and "just works", when the car manufacturer knows damn well that it will never work properly and is almost certain to get broken into and driven by others at will from time to time. Good try though.
Re:uuh..yeah. (Score:4, Funny)
I am so tired of the "license to use a car" argument that never seems to lose traction around here. Cars are just not computers, even if they do have some similarities.
I'll provide a handy reference guide since no one seems to get this:
CARS:
Use gasoline
Transport you physically from place to place
Can be loud if you have one of those annoying exhaust pipes
Does NOT run a spreadsheet
Can be used to get hot women
If you take the top off, you get a breezy fun ride
Can kill people if driven badly
Can get you a ticket if you drive through a red light
Works with my iPod
Serves as a makeshift bed for spontaneous sexual activity
Can be used to see women engaged in lude acts
COMPUTERS:
Use electricity
You don't really move out of your chair
Can be loud if you have one of those annoying huge fans
DOES run a spreadsheet
Can NEVER be used to get hot women
If you take the top off you just look like a nerd
Doesn't kill people if used badly
Can get you a fine if you download movies
Works with my iPod
Would result in bodily harm if used for spontaneous sexual activity
Can be used to see women engaged in lude acts
HINT: Cars require licensing because failure to operate one safely potentially results in the deaths of many people. Computers can only potentially result in yourself being harmed in a non-corporeal way.
I hope this helps.
Re:uuh..yeah. (Score:4, Interesting)
Fine, use geo-IP to only uninfect computers that are in countries that:
1) Aren't sue friendly (e.g not the US)
2) Don't have any jurisdiction in your country (e.g not the US)
Re: (Score:2, Insightful)
But who do they know to sue?
If you're smart enough to hack into this botnet and make it do your bidding, your smart enough to not have commands sent to it traced back to you.
Re:uuh..yeah. (Score:5, Funny)
True, but unfortunately it seems they aren't smart enough to keep quiet about it.
Re: (Score:2)
It just occurred to me. I have made the argument countless times that the true victims of all this "identity theft" are banks and large financial institutions and I still believe that is the case regardless of how much "big money" attempts to shift the blame and responsibility onto the people. What occurred to me is that if there were an interest larger than government that could get Microsoft to change its ways and fix its stuff, it would be "big money." I wonder if big money has even considered this?
Re: (Score:3, Interesting)
Yes, they have. It is called a security landscape. Banks calculate that it is cheaper to allow the fraud and compensate than implement security measures that would stop the problem. You can read more about this [amazon.com] if you want to know.
Disclaimer: I am not Bruce Schneier, nor do I play him on Slas
Fight assholes with assholes (Score:2)
Funny thing is, if you do a favor for someone you don't even get thanked, but screw it up even a bit and you get slapped with a lawsuit.
Even if you don't screw up, the recipients of your favours will probably be outraged if they find out. If they've got a bot-ridden unpatched box connected to the net, they're quite likely to be assholes in other ways also.
To fight an asshole, you must be an asshole. The researchers should first provision a "legal fund" by milking the financial data they apparently recovered. Then launch lawsuits against the dummies whose PCs were participating in the botnet as accomplices to said financial crime (e.g. ac
Re: (Score:3, Insightful)
This is where we need hackers with a 'license to kill... botnets'. Something like 007 for the digital age. The idea that killing a botnet can get you convicted of something is so ludicrous. The damage imposed by killing a botnet is miniscule compared to leaving the botnet open to prey on wider society. Where's the white hackers with a set of balls on 'em? Excuses, excuses, let's see action.
Re: (Score:3, Interesting)
Re:uuh..yeah. (Score:5, Funny)
Yes, if it were an illegally operated rental car company, or if I were using the rental cars to smuggle banned substances or stolen goods. Turn the car into a smoking pile of twisted metal, and all the coke hidden in the seats suddenly isn't there anymore.
Re: (Score:2, Interesting)
Re: (Score:2)
Re:uuh..yeah. (Score:5, Insightful)
why dont they just send a self destruct/uninstall command and kill it or would that be too simple ?
Because that would be highly illegal. Just as illegal as creating the botnet in the first place. You can't just make modifications to 180,000 computers without their owners knowledge or consent.
Some governmental agency should man up and do it, though. Researchers have been hijacking botnets to study them for a while now, they almost have it down to a science. Someone in Homeland Security should just grow some balls and hire a team of professionals to hijack and destroy botnets.
Re:uuh..yeah. (Score:5, Insightful)
What is to keep that agency from just hijacking and *keeping* the botnet? Suddenly you have a government agency with a trojan installed on many computers.
Re: (Score:3, Insightful)
"DoD doesn't need a botnet of worm-riddled, broadband connected civilian computers."
They also don't need to smuggle drugs and arms to insurgents, pay dodgy informers to tell them lies, and invade countries on false pretences... yet they do.
Re:uuh..yeah. (Score:5, Insightful)
"If YOUR homeland security fiddles with MY government computer, get ready for international troubles."
Here's your reason why they don't.
Re: (Score:3, Interesting)
"If YOUR homeland security fiddles with MY government computer, get ready for international troubles."
Link the IP to a location, then only fix bots in computers that are in your country, this has the additional advantage that you become more secure while your enemies get weaker. Alternatively, and i know that the American's about may find this crazy, you could ask permission of other countries to take out their bots too (as it benefits you that the bot net is dead). Ideally you could come to an agreement that protects you from prosecution of the laws you break, probably in exchange for the logs or some othe
Who's to say? (Score:4, Interesting)
How about the reverse? If you are stupid enough to be hosting a botnet node, you are likely too stupid to know when an anti-botnet attack will affect your machine, nor are you likely to be able to identify such behavior as the cause of any damage to your machine.
Nobody would ever find out. Places like the Geek Squad are populated with people who are instructed to turn stuff over for a profit rather than solve problems, so they won't look for evidence of the battle. They'll just reformat the machine and hand it back. Hackers like us on Slashdot are already probably secure against a lot of this crapware, so we'd never be "reverse-attacked."
And who's to say which piece of malware caused the damage: the original trojan, or the anti-trojan? Even if it were traced down to the anti-trojan, what evidence would you have that it was sent by the researchers, and not by some anti-botnet-vigilante group?
I bet these researchers could release an anti-trojan and get away with it completely. As long as they do it silently, the meddling kids never find out who did it.
Even better: an alliance of anti-botnet researchers! To enter, you have to swear an oath to not rat out the other guys anti-botnet software. "We tried really really hard, but we couldn't figure out who sent it, sorry." No one would ever know.
Re: (Score:3, Interesting)
How about me, being a government that isn't looking favorable at the US, setting up an infected machine, monitoring the access and using it as a PR stunt should the US "invade" their computers?
Playing host to hundreds of "vigilante patriot Chinese hackers" doesn't seem to have hurt the Chinese' ability to access the net, has it?
Besides, my point was it's all about deniability. "Sorry, we're the U.S. Government. We don't know who silently fixed your DAMNED VIRUS LADEN UNPATCHED TURD OF A SERVER. Rest assured, we have our top people looking at it. Top people. But anyway, it wasn't us."
Re: (Score:2, Interesting)
I would assume that the computer hacking side of government security does have their own form of black ops? A building/fake business with an internet connection under a false name. Of course any such "fiddling" would not remove the black op connection to your government system but merely the botnet that would be likely to be found eventually.
Re: (Score:2)
Re:uuh..yeah. (Score:5, Informative)
Although we could have sent a blank conguration le to potentially remove the web sites currently targeted by Torpig, we did not do so to avoid unforeseen consequences (e.g., changing the behavior of the malware on critical computer systems, such as a server in a hospital). We also did not send a conguration le with a different HTML injection server IP address for the same reasons. To notify the affected institutions and victims, we stored all the data that was sent to us, in accordance with Principle 2, and worked with ISPs and law enforcement agencies, including the United States Department of Defense (DoD) and FBI Cybercrime units, to assist us with this effort. This cooperation also led to the suspension of the current Torpig domains owned by the cyber criminals.
FTFA, they snaked a domain name they knew the botnet was going to use before the bad guys could, then just collected info sent to them by all the compromised systems.
The submission header and the body are encrypted using the Torpig encryption algorithm (base64 and XOR)
Torpig encryption algorithm: base64 and XOR. In contrast, Conficker uses all kinds of crypto (RC4, RSA, and MD-6 [sri.com]).
W
Re:uuh..yeah. (Score:5, Interesting)
Re: (Score:2)
which had already been registered by the criminals. Although we could have sent a blank conïguration ïle to potentially remove the web sites currently targeted by Torpig, we did not do so to avoid unforeseen consequences (e.g., changing the behavior of the mal-ware on critical computer systems, such as a server in a hospital). We also did not send a conïguration ïle with a different HTML injection server IP address for the same reasons.
I'm also under the impression that they couldn't uninstall the bots as they didn't have enough control. However i don't see why they couldn't change the page that is injected to a huge "your computer is infected, criminals have your bank details" and perhaps a url to a tool to remove the bot.
Re: (Score:3, Interesting)
Many would ignore such a message thinking it is yet another advertising scam. Those that would blindly follow the instructions are the ones who have so much crap on the machine from blindly following messages like this ("you may be infected, install SpamKillaBot now!!!!") in the first place that removing just one worm from their machine.
The only way to make most listen and do something about their PC security is to actually break something, and that definitely would be a moral no-no. Even then, some would j
Re:uuh..yeah. (Score:4, Interesting)
The injection normally happens on bank websites, I'd hope few would ignore a big scary message they saw when entering their bank details! Or they could inject it into ALL websites (the injection happens based on a whitelist of URLS) If they user got the warning at the top of EVERY page they viewed (Across all browsers), they'd soon get fed up and do something about it!
yes (Score:5, Funny)
no, maybe, oh I don't know. Why do I get all the hard questions?
3 years? Pfffft. (Score:5, Insightful)
Take a machine. Install Windows XP SP1. Hook it to an unfiltered intenet access. Watch Sasser install. Mean time before infection: 30 seconds.
That nuisance is 5 years old and still running rampart. Now, far from being the threat that Torpig is, but it shows you just how hard it is to get rid of something. And unlike Torpig, it's not really "in use" anymore. Its maker is gone, it doesn't get any updates or new variants to faciliate infection. We're talking about the same old crapware that every single AV kit knows and removes by now. Worse, it's a threat that any halfway decently patched machine is not susceptible to.
And you want to get rid of Torpig?
Re:3 years? Pfffft. (Score:5, Insightful)
Re:3 years? Pfffft. (Score:5, Informative)
Give him a CD with XP which includes SP3 and all patches up to now, and he should be good for some time.
Give him Linux, and he will be good for a looong time.
Re:3 years? Pfffft. (Score:5, Insightful)
Yes, consumers with their Dell OEM CD from seven years ago have easy access to slipstreamed SP3 CDs and know how to use Linux.
He'll be good until iTunes or some niche piece of software doesn't install and then he'll just be pissed at you.
We know better and we try to educate Joe Consumer, but Joe Consumer doesn't have our skills or knowledge, which was the point of my original post. The consumer is not to blame.
Re:3 years? Pfffft. (Score:5, Insightful)
We know better and we try to educate Joe Consumer, but Joe Consumer doesn't have our skills or knowledge, which was the point of my original post. The consumer is not to blame.
Sorry, but the consumer is to blame. They may not, at the present time, have any legal obligations, and may not suffer any direct liabilities while remaining blissfully oblivious of the consequences of their actions or inactions, but we're free and justified for assessing the blame on them as we are on the malware authors as both share responsibility for their actions or omissions. To use a cliche, it always takes two to tango.
I don't care whether you're talking about a guy handing over money to an unscrupulous investor (or worse, trying to invest it themselves), someone doing home wiring without understanding electricity or codes, someone driving a car who ignores the relationship between speed and stopping distances, or someone who bought a product that doesn't do work as well as it was advertised, the blame rests ultimately with the individual who fucked up. That should come as no surprise given that individuals who do fuck rarely need encouragement or a convincing argument to admit they fucked up.
The standard here is one of reasonableness.
Is it reasonable to assume that computers are complex beasts and that malware is problem? Yes. The former is self evident and the latter is a also truism that can be cited by most Windows users or gleaned from the local news by everyone else. Then WTF is Joe Average doing trying to install an operating system? Or manage it? He has lots of alternatives including hiring the kid down the block or taking it the local shop.
Is it reasonable to assume that Macs are also complicated but Mac users can do without requisite knowledge or skill? Yes. The reasons for that are as numerous as why Windows users continue to suffer problems.
You can go on about complexity and missing skillsets, but none of those justify anything. If you're trying to comfort those who fucked up, you're doing them a disservice. If you're conceding that the battle is lost and ha ha this is the way things are and always will be, then you're being irresponsible and contributing nothing to the discussion or solution.
Personally, I'd go so far as to say that anyone who trots out the "poor user" argument (usually in combination with the "Everyone is using Windows so everyone is doing it, too!" argument) is they participate in extending the current state of affairs and are therefore part of the problem.
Why pay lip service to user education advocacy when responsibility and blame are pre-requisites? Start blaming. Blame everyone involved, but don't skip the person ultimately responsible. We'll all be better off for it.
Re: (Score:3, Insightful)
How do I make such a CD? (Score:4, Insightful)
Give him a CD with XP which includes SP3
I'm curious: how would I go about producing such a CD, without any of my boxes getting "sassered"?
I have: a Linux box. An OS-less laptop. Some XP recovery disks.
Re:How do I make such a CD? (Score:5, Informative)
In fact, try that even otherwise. Simply install to a Virtual Machine without internet access, then get the redistributable SP3 using your safe Linux distribution, then create a slipstreamed ISO inside your Virtual Machine and burn it in your Linux distribution if you can't have passthrough enabled in the virtual machine.
Never tried this myself (I use a Linux distro), but can't see why it shouldn't work, and it should be safe.
Re: (Score:2)
I think I'd recommend Nlite [nliteos.com], although there are other means of accomplishing this task. It does appear to run in Wine [winehq.org].
Re:How do I make such a CD? (Score:4, Informative)
$59.00 Linksys router.
all done.
Re: (Score:3, Funny)
There, fixed that for you.
Re: (Score:3, Insightful)
I have used many selfmade CDs of XP, all of them legitimate.
Say about MS what you want, but they got one thing straight that many other manufacturers of software seem to forget all to easily: Whether it's legal depends on your license. Not your medium.
Re: (Score:2, Insightful)
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
"Unsolicited white hat hacking" is rarely welcome, regardless that you might well be helping them out. Would you be unequivocally glad to see a stranger mowing your back yard lawn when you came home from work? With your own lawnmower, which was supposed to be in your shed. He's just helping out...
While there may not be an organisation to protest all of your, say, 300.000 patches, there may very well be an organisation willing to protest the 14 patches that hit their machines. The world of pain you'd be in w
Re: (Score:2)
And I'd buy a better lock the very next day.
Suggested punishment (Score:5, Interesting)
How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jail. For 180k systems, that's an eighteen million dollar fine and nearly five hundred years of jail time.
Of course, the problem is catching these bastards who tend to live in countries where the government doesn't care or is actively involved in these illegal activities (I'm looking at you Russia).
Re: (Score:2)
Re: (Score:2)
How about we make the punishment for infecting a computer $100 and one day in jail for each system you infect. This way, someone who does something stupid but isn't actually malicious pays a few hundred dollars and spends a few days in jail while the real criminals pay big bucks and spend years in jail. For 180k systems, that's an eighteen million dollar fine and nearly five hundred years of jail time.
You'd hit incompetent virus writers as hard as the big criminals. Think of the Melissa worm. Written for a
Re: (Score:3, Interesting)
Do that and I might start writing viri
Re:Suggested punishment (Score:5, Funny)
Re:Suggested punishment (Score:5, Insightful)
It's already illegal. We don't need to run around making new laws. The problem is law enforcement world wide does not care. Even if the perpetrators of a major botnet are in their grasp, they will do their best to ignore it. If it happens on the internet, that means it's an international problem. Which means it's not their problem. They are too busy busting 19 year olds trying to sleep with 17 year olds, and "drug busts" of people licensed and permitted by their state government to grow marijuana, and harassing random people with the same name as a suspected "terrorist". Has anyone seen the FBI actually even investigate an identity theft case? We aren't talking criminal masterminds here, most of them could be tracked down with minimal effort.
The only solution to crap like this will have to be technical. I suspect for the internet to survive, enforcement will have to come at the ISP level. Automated detection of botnets and ddos attacks in progress is possible. What should happen is when it's detected you are infected, your upload is heavily throttled, and you are contacted to correct it. Failure to do so results in suspension of service. ISPs that don't implement it should face having all their packets dropped by everyone else. It won't stop the latest and greatest, but years old botnets could easily be stopped. The potential for false positives will suck, as will the temptation for ISP's to abuse it, but currently theres several botnets out there that could easily take down critical infrastructure if they decide to ddos it.
Re: (Score:2)
Wouldn't that mean Bill Gates would have to give most of his money back and be in jail for eons - seems a bit harsh :(
Re: (Score:2)
So Great Aunt Mildred opens an email with the subject "Mildred, Improtant News From An Old Friend!!1!", gets a worm, and winds up infecting the 30 people in her outlook contacts list.
She has to pay three gr
So they committed a felony? (Score:2, Insightful)
Let me get this straight. They took over a botnet, which consists of computers they are unauthorized to access. Not only did they commit a felony but then they wrote a paper about it?
The reason that nobody else has done this before is not because they are incapable of doing it. The reason nobody has done this before is because it is illegal
Re:So they committed a felony? (Score:5, Insightful)
No, they purchased a domain name, set up servers to accept data sent to that domain, then collected that data. That their research had told them that the domain would be used by the botnet is incidental. If you mail your credit-card information to my domain, I haven't committed any crime if I accept it and turn it over to the authorities.
Re: (Score:2)
The first host that sends a reply that identifies it as a valid C&C server is considered genuine,
They sent information.. that means they were illegally accessing a computer system.
Re: (Score:2)
The first host that sends a reply that identifies it as a valid C&C server is considered genuine,
They sent information.. that means they were illegally accessing a computer system.
If that were true then any webserver replying to a request for a web page would also be illegally accessing the requester's computer system.
Seems legally sound to me that if you ask a question, you've consented to receiving a reply.
Re: (Score:2, Insightful)
Umm.. no, they deliberately sent a message that said "send me the confidential information you have collected". There isn't a court in the land that wouldn't convict these bozos. All they have to rely on is that the majority of people infected with this ancient malware are not going to go after them, cause they're too stupid to know they are infected.
Re: (Score:2)
They only reverse engineered the software for interoperability reasons though. Botnet's are a monopoly so I think it's reasonable to allow them to develop a competing product, especially for research purposes :)
Who would bring criminal charges against the researchers though...
The botnet operators? Unlikely.
The owners of the computers that were unknowingly running the botnet trojans? Also unlikely, e
Re: (Score:2)
Umm.. no, they deliberately sent a message that said "send me the confidential information you have collected".
Ummmmmmm...... no. All they EVER sent was the string "okn" - no matter what the bot asked for, that's all they ever sent in return.
Re: (Score:2)
With domain ux, each bot uses a domain generation algorithm (DGA) to com-
pute a list of domain names. This list is computed independently
by each bot and is regenerated periodically. Then, the bot attempts
to contact the hosts in the domain list in order until one succeeds,
i.e., the domain resolves to an IP address and the corresponding
server provides a response that is valid in the botnet's protocol. If a
domain is blocked (for example, the registrar suspends it to comply
with a take-down request), the bot simply rolls over to the follow-
ing domain in the list.
Re: (Score:2)
Lol, suck it up, you are wrong and you apparently know you are wrong and are cherry-picking quotes in order to mislead.
Is the size of your internet penis really so important?
Re: (Score:2)
hehe, just cause you can't read..
Re: (Score:2)
Re: (Score:3, Insightful)
That is probably true, if you live in the land of the anally retentives, who are incapable of understanding the spirit of the law, as opposed to the letter of the law.
Like, say, the USA?
Re: (Score:2)
And what "spirit" would that be?
Let's say you're a university researcher and you get a drug cartel's leader's cell phone number assigned to you, and just for fun, you now impersonate him. People call you and say "should we kill Johnny?" and you respond "sure". They call and ask you "what bank account should we wire the profits to" and you give your own number. Etc. You keep dilligent statistics on how many people the cartel murdered and how much money they sent you.
That's pretty much what's going on her
Re: (Score:3, Insightful)
For that to be even remotely true I would have to be able to do exactly the same thing.
Something tells me that if I was to go and setup a domain to receive information stolen from home computers which I did not originally infect that it would still be a crime.
Just because the FBI is not going to go after them for it does not make it either legal or moral.
Re: (Score:2)
Re: (Score:2)
Is it really illegal? Or people who are scared that goverment will use this excuse to mangle some exploited Windows XP for their own use says so? :)
More to point, afaik what they done borders with illegal, but it would be very very hard to convince that harm to society is done (which is basis of *any* conviction, ask any lawyer).
And also all situation is farse - botnet owners and operators are laughing all the way to the bank, no one can shut them down because it is illegal (someone is stealing money and st
Who are you..? I'M B- (Score:2)
"The proper authorities are helpless against the criminal scum plaguing the Internet. I shall become become a costumed vigilante hacker, but I need a sign...wait was that a frigging BAT that just hit the basement window...? What the hell? Now, wait...where was I...Oh, yes, I need a sign. I HAVE IT! I SHALL BECOME GOATSEE MAN!"
Ok hacker nerds, here is your chance to live out the fantasy. You have the talents, become a heroic hacker vigilan
Re: (Score:2)
WTF? (Score:2)
Yeah, it's probably technically illegal, but I thought there were folks out there doing it. I'd be interested to know if any
Speaking for myself... I haven't because of the technically illegal nature of the work (at least I think it'd be technically illegal). Plus, without ever doing it, I don't know enough
Re:WTF? (Score:5, Insightful)
Getting altruism out of people is hard enough at the best of times. Asking for altruism when the likely reward is getting arrested.. no.
Re: (Score:2)
Yo dawg, we heard you like control, so we put a botnet in your botnet so you can hijack while you hijack!
No mention of Windows as the target (Score:5, Informative)
What bothered me after reading this paper is nowhere does this paper come out and say that the infected machines are all running Windows, although this is strongly implied by the description of how the virus works. The reader is left to wonder whether machines other than Microsoft Windows were infected.
Instead, the paper leaves the impression that all computing has the same architectural vulnerabilities. I thought that was a surprising defect, sufficient to make me wonder what else isn't captured/stated/analyzed in the paper.
Re: (Score:2)
Snail Mail Analogy (Score:2)
This I feel is a good analogy to old fashioned snail mail.
A package gets delivered by mistake to your house, it is obviously intended (addressed) for someone else, but you open it anyway.
Regardless of whether the contents are legal or illegal (drugs, fake currency, or just a birthday card) etc., you are still comitting a crime by opening it. You'd be hard pressed to use the "I'm a researcher" defense on that one.
I mean, that implies that anyone intercepting a botnet's stolen data can simply claim "they didn
Re:Snail Mail Analogy (Score:4, Insightful)
Another analogy is that it's like buying a house at the address 1234 Main Street, Anywhere, USA knowing that other people would try to deliver packages to your address with a "Dear Occupant" label. It's not illegal to open those at all.
Torpig (Score:5, Funny)
Watching Sausage being made... (Score:2, Insightful)
Greetings and Salutations... /., it is even more amazing.
I have to say that the level of misunderstanding exhibited by MOST of the folks posting to this thread boggles the mind. Considering the alleged level of IT sophistication of the readers of
I read the researcher's report, and, I have to say that I found it a well-reasoned and interesting analysis of a terrible problem on the Internet. However, without following their methodo
Interesting article (Score:3, Insightful)
It's quite probable that this information (and particularly the techniques used to hijack the botnets) are also new and valuable to law-enforcement agencies. Such agencies tend to be desperately short of intelligence (both kinds), under-equipped to do research, and usually operate in a purely reactive way ("show us the bodies and we'll investigate").
And yes, I think that the researchers did fine by hijacking a botnet in the first place and secondly by not destroying it but instead contacting law-enforcement agencies. Researchers are neither law enforcement officers nor sysadmins for the infected systems. They have their own work to do (which law-enforcement agencies could not or would not do, or the Torpig botnet would have been cleaned up long ago).
It is interesting to note that *all* of the infected machines seem to be MS Windows based. Even though many of the targeted clients (Firefox, Skype) also run on Linux machines. If I had to guess I'd say that under Linux the need to have root access to either modify the MBR or to write downloaded malware code to the targeted executables on disk provides an effective barrier to infection (provided you don't surf the net with root privileges of course).
Unfortunately the publication of this sort of research may lead botnet administrators and designers to address the authentification weakness the researchers exploited. Ah well, such is life.
Help them fix their flaws? (Score:2)
This research paper gives the botnet people some more ideas on where their weaknesses are.
It's like a security researcher turning up at the underground base of an evil tyrant and finding a way in then writing a publicly available paper on where his defenses are weak.
The wrong kind of comment ... (Score:3, Informative)
First of all, the whole exercise was cut short because the botnet admins updated the Mebroot toolkit, causing the researchers to loose contact. That happened before publication, ok? Secondly it shows that the easiest way to protect your botnet is to update Mebroot once a week (or sooner), and savvy botnet admins already knew th
Re:Hacking is hacking isn't it? (Score:4, Informative)
Re: (Score:2)
how hard would it be to let that person know that they have a trojan. And to give directions on how to remove it
That would actually be effective? Very hard.
Re: (Score:3, Interesting)
Probably, but some well placed vigilante hacking could help the world. I mean if they have control how hard would it be to let that person know that they have a trojan. And to give directions on how to remove it
Unfortunately, that process would soon be usurped. There already is a class of malware called "rouge anti-virus" that gives false removal instructions, resulting in infection.
Better would be to plug the holes, and plug them fast enough so that you can't drive the proverbial slow moving truck, carrying a payload of *wares, through them.
Re:Hacking is hacking isn't it? (Score:5, Funny)
Fortunately they're quite easy to spot due to the red coloration.
Re: (Score:3, Interesting)
Re: (Score:2, Insightful)
Perhaps not. If I understand it correctly they acquired the domain (legally) and their only "control" act was to send the proper response when queried to find if they were the "masters". They then accepted the stolen data (that might well be a crime in itself though). Beyond saying "We are the corre
Re: (Score:2)
Ok, I'll bite.
Yes, the "correct" word for a person who does what they're doing is cracker, not hacker. Usage changes over time, and it's not as though hacker in the classical sense actually existed for that long.
Still, creating and managing a 180k node botnet strikes me more as the work of a hacker than that of a script kiddie, so even if you're right about the incorrect usage, your coat tails comment is really off-base. To ride the coat tails of your metaphor, just because you happen to be stealing a car,
Re: (Score:3, Insightful)
This is true, but falsely assumes that incorrect use becomes correct over time. It doesn't matter how many rappers use the word "minute" to mean a long time, it is 60 seconds long and they are not using the word correctly. 90% of the population misusing a word doesn't make the use correct automagically. There is a reason why "aint" aint a word ;-)