

Command and control
March 22, 2011 1:55 PM   Subscribe

How Operation b107 decapitated the Rustock botnet (Previously)
posted by Artw (49 comments total) 10 users marked this as a favorite

 
William Gibson shit right there. Crazy.
posted by GuyZero at 2:00 PM on March 22, 2011


I thought a common cleanup mechanism was to use the botnet against itself. Once you control a tier of the command structure, as happened here, couldn't MS distribute a self patching/removal mechanism, and let the nature of the botnet heal itself?
posted by msbutah at 2:14 PM on March 22, 2011


Once you control a tier of the command structure, as happened here, couldn't MS distribute a self patching/removal mechanism, and let the nature of the botnet heal itself?

Some security researchers and white hats have done that kind of thing, but if Microsoft did it the owners of the affected machines would sue it into next week. Unauthorized access is unauthorized access, even if it's for noble purposes. The lawsuits would likely be motivated by greed rather than animus (I imagine most of the plaintiffs would actually be happy to have their computers fixed for free), but it would still be a giant, lucrative class action.
posted by jedicus at 2:19 PM on March 22, 2011 [3 favorites]


I thought a common cleanup mechanism was to use the botnet against itself. Once you control a tier of the command structure, as happened here, couldn't MS distribute a self patching/removal mechanism, and let the nature of the botnet heal itself?

I think the situation is slightly more delicate than simply using the botnet command structure to administer a patch, even with the best of intentions.

While that would seem like the easiest measure to destroy the botnet from the ground up, I imagine Microsoft and others involved would want to minimize the potential backlash of utilizing an unauthorized access point to a million users' computers and data without their knowledge.
posted by clearly at 2:27 PM on March 22, 2011


I wonder which operating system the computers were running which Microsoft has so heroically cleaned up.
Oh.
posted by alloneword at 2:27 PM on March 22, 2011 [4 favorites]


I'm always slightly confused by botnets; do enough people leave their computers on permanently that this works? Surely if enough people turned off their computers the botnet would cease to function (assuming of course that they are in the same timezone).
posted by a womble is an active kind of sloth at 2:42 PM on March 22, 2011


I don't want this to devolve into a Microsoft slagging match, but I find it kind of admirable that Microsoft were involved in this.

As for the automated cleaning up of computers. If they are Windows machines, then Microsoft should be able to do this with the Malicious Software Removal Tool which is installed automatically as part of Windows Update.

No legal hooey or class actions need be involved.
posted by seanyboy at 2:43 PM on March 22, 2011


Microsoft stifling innovation once again, using brutal and heavy handed tactics to wipe out smaller companies. How about the dozens of jobs you just destroyed with your insane quest for profits, huh Microsoft?

I don't feel bad for the "people" whose computers were being hijacked to send spam, only slack jawed ijits use the "software" that Microsoft regurgitates from its gaping maw. They don't belong on the internet anyway.

It is a shame that they can't produce a modern OS, instead choosing to focus on patent trolling and relying on monopolistic tactics to keep afloat. OS X is based on UNIX, which has never been hacked. On OS X you can type PS at the command line to see your running processes, there is no way to do that on Winbloat, that is why it is so easy for your computer to get infected.

Zune and Bing suck, Give it up already.


Did I leave anything out, I feel we needed to get that out of the way.
posted by Ad hominem at 2:45 PM on March 22, 2011 [13 favorites]


It's interesting the response to a few major, well-connected global corporations working together with local authorities to do "clean-up" work that, in other not-so-dissimilar contexts, would otherwise be of concern.
posted by Blazecock Pileon at 2:47 PM on March 22, 2011


That seems to cover it, I particularly liked "UNIX has never been hacked".
posted by Artw at 2:47 PM on March 22, 2011 [1 favorite]


do enough people leave their computers on permanently that this works?

A great many computers in commercial settings get turned on the day they're put into service and turned off the day they're sent to the recycler. If they get rebooted a few times in there it's because someone's particularly on the ball.

An office I worked at tried to institute a "shut down at the end of the day" policy. Resistance was surprisingly huge. Users didn't like waiting to boot up in the morning, or shut down at night, or were still under the impression that shutting down at night 'wore out' the computer significantly faster. It probably also helped that they didn't pay the electric bill...
posted by Kadin2048 at 2:51 PM on March 22, 2011 [1 favorite]


Zombie bot army ...in the heart of the Internet.
posted by The Whelk at 3:02 PM on March 22, 2011



I wonder which operating system the computers were running which Microsoft has so heroically cleaned up.

You don't have to wonder, it says right in the fine article:
Rustock allows multiuser remote access to Windows clients in contravention of its license agreement
posted by Pogo_Fuzzybutt at 3:03 PM on March 22, 2011


Did I leave anything out, I feel we needed to get that out of the way.

this?

posted by clearly at 3:05 PM on March 22, 2011 [6 favorites]


Yeah, shutting down Rustock for violating an obscure multi-user clause in the XP license agreement is like arresting Al Capone for tax evasion. It works, but geez guys, that's the best you can do?
posted by GuyZero at 3:06 PM on March 22, 2011


It's interesting the response to a few major, well-connected global corporations working together with local authorities to do "clean-up" work that, in other not-so-dissimilar contexts, would otherwise be of concern.

Well, context is everything, isn't it? Police shooting an unarmed immigrant reaching for a wallet is rather different from police shooting an armed robber pointing his assault rifle at others.
posted by kmz at 3:08 PM on March 22, 2011


this story is hilarious; what happens when the next malware strain has a kill switch that ruins the end user's filesystem (or worse) upon failure to connect to its control servers after X days?
posted by lulz at 3:10 PM on March 22, 2011 [1 favorite]


what happens when the next malware strain has a kill switch that ruins the end user's filesystem (or worse) upon failure to connect to its control servers after X days?

I doubt that would be created. There are all kinds of reasons why computers might not connect to control servers for X days, everything from someone moving to lack of payment to the computer just not being used that often, just a few of the reasons off the top of my head.

If people started having their computers go down like that in large enough numbers, it would raise red flags with both the industry and the hardcore white hat hobbyists, and they'd start investigating. Which is the last thing any botnet controller wants.

Better to lie low and never be used because your control was taken out than to react to the control being gone and suddenly make everyone start looking for why.
posted by hippybear at 3:17 PM on March 22, 2011 [1 favorite]


I have a couple of issues with it, but I'm surprised this never got linked here: Vanity Fair on Stuxnet.
posted by Artw at 3:22 PM on March 22, 2011


I thought a common cleanup mechanism was to use the botnet against itself. Once you control a tier of the command structure, as happened here, couldn't MS distribute a self patching/removal mechanism, and let the nature of the botnet heal itself?

I doubt that would be legal. What happens if the cleanup damages the system that it's installed on? There's always a chance of screwing something up when remotely patching something, especially if the system is compromised at a low level. It isn't like being part of a botnet prevents it from having critical data on it.
posted by delmoi at 3:25 PM on March 22, 2011


I'm always slightly confused by botnets; do enough people leave their computers on permanently that this works? Surely if enough people turned off their computers the botnet would cease to function (assuming of course that they are in the same timezone).

Why would you turn your computer off? I doubt it's a significant component of your power bill. If you leave it on you don't have to wait for it to boot up, and you can run servers if you feel like it.

Also, you wouldn't need the whole bot net to be turned on at the same time. If you have 1 million nodes, and they're only online for 2:24 hours a day, that's 100k nodes.
posted by delmoi at 3:28 PM on March 22, 2011


I'm always slightly confused by botnets; do enough people leave their computers on permanently that this works? Surely if enough people turned off their computers the botnet would cease to function (assuming of course that they are in the same timezone).

Yes, enough people leave them on - but that's not the point and doesn't really matter.

There's no way to co-ordinate turning off millions and millions of computers at the same time, and it doesn't actually solve anything. They're still part of the botnet when they're turned back on. Not everyone works or keeps a regular schedule. And the botnet doesn't actually care what time zone they're in, because the internet doesn't sleep.

The computers don't have to be left "permanently on", either. Botnets are sophisticated distributed computing systems. When a botnet controller sends out a command, they don't care if all of the computers are on - or even if any of them are. The command gets picked up from a server or set of servers the next time an infected computer is turned on, and in this case it starts sending spam independently. If the computer is on, hey, instant results. If not, delayed results.

But with millions of infected computers at your disposal, you can be assured that at any given time a sizable percentage of them are turned on and online. These spammers organize millions of computers for reasons like this. They're not counting on every last computer to be online at all, only a good, usable fraction of them.

Another reason is that a couple of dedicated computers could send out as much spam as a million computers in a botnet, but would be too easy to shut down, detect or seize. A few or a few thousand emails each from many different individual computers isn't as easy to shut down and detect. What is the FBI or FTC going to do, raid 10 million homes because their computers picked up a virus that's sending out "CHEEP V1aGRA!" spam?

Botnets are a very clever and functional hack. They're going to be around for a while.
posted by loquacious at 3:28 PM on March 22, 2011


I thought the legal parts of this were some of the most interesting: "Microsoft's standing in the case stemmed from claimed license infringements—Rustock allows multiuser remote access to Windows clients in contravention of its license agreement—[and] trademark infringement in the spam mail"

I wonder what specific trademark infringements they claimed - according to the article that claim allowed them to actually seize the servers, versus just getting them shut down. I'm glad to see spammers taken down and a botnet shut down, but the notion that Microsoft has the power to seize servers is a little alarming in itself. Presumably it was the US Marshals who did the actual seizing, since they are the only law enforcement agency I see in the (motley!) list of participants in this (apart from, for some reason, the Dutch police).
posted by whir at 3:51 PM on March 22, 2011 [1 favorite]


Artw: ... Vanity Fair on Stuxnet

I love how the headline for that article is A Declaration of Cyber-War, because "cyber" gives me a warm feeling of nostalgia for the old days. When I was a kid, we called the internet "cyberspace" and we had to walk 5 miles at 14.4 kbit/s just to download a JPEG.

These days, cyberspace is declining, but seeing a word like "cyber-war" cheers me up right away, although not so much the "war" part.
posted by twoleftfeet at 4:01 PM on March 22, 2011 [1 favorite]


> I thought the legal parts of this were some of the most interesting...

I had a similar thought. The legal grounds of the takedown sounded analogous to what the MPAA and RIAA use for cutting off and suing file downloaders.

The long-term consequences of this might not just be more sophisticated botnet software, but also the operators preemptively expatriating themselves to, say, the Cayman Islands once their malware starts propagating.
posted by ardgedee at 4:02 PM on March 22, 2011 [1 favorite]


Yeah, the article says the trademark law let them perform the seizure, but it's interesting that Microsoft is apparently using a EULA violation to bolster its case. I thought EULAs were legally dubious, or hadn't been tested in court, or something? Is somebody better informed about this? I wonder if there's an element of Microsoft trying to build precedence for enforcement of EULA terms in here somewhere.
posted by whir at 4:09 PM on March 22, 2011


I thought EULAs were legally dubious, or hadn't been tested in court, or something?

Sony is using terms of service violations (among other things) to go after George Hotz over his PS3 crack. Ends rarely justify the means.
posted by Blazecock Pileon at 4:18 PM on March 22, 2011


Man, wouldn't it be great if a botnet actually turned out to be putting all of these zombie computers to use in a distributed computing project?
posted by beepbeepboopboop at 4:49 PM on March 22, 2011


They used it to contact aliens. Aliens that want to sell you V|@GRA.

@ and | are actually used as valid letters in the alien alphabet.
posted by Artw at 5:00 PM on March 22, 2011


Metafilter loves the snark. Microsoft did a huge amount of work shutting down Rustock. It's a complicated technical and legal task and it seems they executed it well. Microsoft also does a lot of work supporting and patching their operating system; they do a very good job getting fixes out to their users considering the enormity of the challenge and the fact they don't get paid to do it. I agree they have a responsibility to make the effort to clean up botnets, as the owner of the majority Internet OS, but I still applaud a job well done.

The "derp Microsoft security sucks" thing comes up every single time we talk about this in Metafilter. Yes, Windows has security holes and design flaws. So does every consumer OS, particularly Linux distributions and MacOS. And once you consider the application code on top of the OS, like every Adobe product ever, no system is safe. Windows gets attacked because it's the valuable target.
posted by Nelson at 5:05 PM on March 22, 2011 [3 favorites]


Windows gets attacked because it's the valuable target.

And not because it's saddled with a million tons of legacy baggage. Right.

In fairness, people buy it because it's saddled with a ton of legacy baggage, but I feel pretty good saying that legacy support and attack surface area is pretty much a direct tradeoff.
posted by GuyZero at 5:14 PM on March 22, 2011


Microsoft has always had to walk a fine line between backwards compatibility with legacy applications that enterprise customers will not do without and trying desperately to shore things up.

In addition to legacy APIs they have a huge developer base and incredibly well understood internals. Third party Windows developers love to go spelunking and come up with the wrong answer. And Microsoft is stuck supporting them.
posted by Ad hominem at 5:52 PM on March 22, 2011


I'm glad MS did this - it was a good thing to do. And I agree that the Windows of today is on a par with the other desktop OSes of today, when it comes to the practical attack surface it presents to the bad guys on a clean install with modern apps.

But it isn't snark to say that by God, MS's legacy of screwing security is with us still. It's the valuable target, sure, but in those long, dark years when it was the only target MS refused to face up to the responsibilities of being the default OS for non-specialists on the Net.

This I know, because I was there. I was there in the mid 90s when an MS exec rounded on me over dinner - with real anger - because my colleague had asked him one too many questions about online security. "There is no problem with Windows and security and networks. It's all made up by journalists. Users don't care. They don't understand, and they don't care. If you'd fucking shut up, nobody would have a problem." I wish I was over-hyping this, but the man was furious. Also, he was in charge of Blackbird.

My colleague was and is a Unix chap by preference, although he'd never claim then nor now that this conferred a magic spell of invulnerability. But he did care about security, and wanted some sign that others did too. For a very long time, MS was in denial - and, worse, subsumed the implications of that denial to the imperatives of its business model.
posted by Devonian at 6:07 PM on March 22, 2011 [2 favorites]


If they are Windows machines, then Microsoft should be able to do this with the Malicious Software Removal Tool which is installed automatically as part of Windows Update. No legal hooey or class actions need be involved.

Presumably one of the first things the botnet software does is disable Windows Update.
posted by jedicus at 6:25 PM on March 22, 2011


My colleague was and is a Unix chap by preference, although he'd never claim then nor now that this conferred a magic spell of invulnerability

Unix, by virtue of making up the majority of hosts online in the early days, was a punching bag for a long, long time. The Unix of the 80s makes the Windows of today look like Fort Knox. Nobody here needs a history lesson, but Unix was the target of the first "Internet worm". For years there were new remote root exploits every week. Point is that people stepped up; it was painful and people had to change development habits they'd had for 20 years, but it got fixed. At the very least Microsoft has finally stepped up.
posted by Ad hominem at 6:57 PM on March 22, 2011 [1 favorite]


The obvious thing is to find the guys behind it.

Two ways: First, someone was paying for all those servers. Can't the payments be traced?

Second, the guys running the botnet weren't doing it for their health or amusement. They were selling their services. Necessarily that means they're out in the public in some way, because potential customers have to know about them, find them, and pay them. Can't they be traced that way?
posted by Chocolate Pickle at 7:16 PM on March 22, 2011


msbutah: "I thought a common cleanup mechanism was to use the botnet against itself. Once you control a tier of the command structure, as happened here, couldn't MS distribute a self patching/removal mechanism, and let the nature of the botnet heal itself?"

Not necessarily. It wouldn't be very hard for the owner of the botnet to cryptographically sign messages, so that only instructions signed with their private key were accepted by the bots. The intermediate tiers Microsoft controls would be able to pass on messages, but not create their own. Google isn't immediately telling me whether Rustock uses signed updates, but given its level of sophistication and size it seems more likely than not.
posted by jhc at 7:20 PM on March 22, 2011
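
The scheme jhc describes, as an added example that is not code from the thread and not a description of Rustock's actual protocol (the thread does not establish whether Rustock signs its commands): the operator signs each command with an Ed25519 private key, bots carry only the public key, and an intermediate tier can forward a command unchanged but cannot rewrite it or mint its own. The `Command`, `Bot` and relay helpers, and the "sleep"/"uninstall" actions, are constructed for illustration; the bot also rejects replays of an older genuine command by sequence number.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Command is what a bot acts on. Seq lets it reject replays of an older,
// still validly signed command captured from the wire. Constructed for this example.
type Command struct {
	Seq    uint64 `json:"seq"`
	Action string `json:"action"`
}

// SignedCommand is what crosses the relay tier: the serialized command plus the
// operator's Ed25519 signature over exactly those bytes.
type SignedCommand struct {
	Payload   []byte
	Signature []byte
}

// Sign is run only by the operator, the sole holder of the private key.
// Marshaling a struct of a uint64 and a string cannot fail, so the error is dropped.
func Sign(priv ed25519.PrivateKey, cmd Command) SignedCommand {
	payload, _ := json.Marshal(cmd)
	return SignedCommand{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Bot carries only the operator's public key and the last sequence number acted on.
type Bot struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

// Accept returns (command, true) only if the signature verifies under the embedded
// public key and the sequence number is newer than anything seen before.
func (b *Bot) Accept(sc SignedCommand) (Command, bool) {
	if !ed25519.Verify(b.pub, sc.Payload, sc.Signature) {
		return Command{}, false // payload altered, or signed with some other key
	}
	var cmd Command
	if err := json.Unmarshal(sc.Payload, &cmd); err != nil {
		return Command{}, false
	}
	if cmd.Seq <= b.lastSeq {
		return Command{}, false // replay of an old but genuine command
	}
	b.lastSeq = cmd.Seq
	return cmd, true
}

// RelayForward models an intermediate tier doing its job: bytes pass through untouched.
func RelayForward(sc SignedCommand) SignedCommand { return sc }

// RelayTamper models a seized relay rewriting the action while reusing the old
// signature, which no longer covers these bytes.
func RelayTamper(sc SignedCommand, newAction string) SignedCommand {
	var cmd Command
	_ = json.Unmarshal(sc.Payload, &cmd)
	cmd.Action = newAction
	payload, _ := json.Marshal(cmd)
	return SignedCommand{Payload: payload, Signature: sc.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bot := &Bot{pub: pub}
	genuine := Sign(priv, Command{Seq: 1, Action: "sleep"})
	_, ok := bot.Accept(RelayForward(genuine))
	fmt.Println("forwarded genuine command accepted:", ok) // true
	_, ok = bot.Accept(RelayTamper(genuine, "uninstall"))
	fmt.Println("relay-rewritten command accepted:", ok) // false
	_, ok = bot.Accept(genuine)
	fmt.Println("replayed genuine command accepted:", ok) // false
}
```

This is the defender's takeaway from the thread: seizing the relay tier silences the channel, but it does not let whoever holds that tier push a removal command to infected hosts, so cleanup still has to happen on the host itself.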


Second, the guys running the botnet weren't doing it for their health or amusement. They were selling their services. Necessarily that means they're out in the public in some way, because potential customers have to know about them, find them, and pay them. Can't they be traced that way?

There is a huge and shady side of the Internet industry. On the low end it's guys who charge someone $500 to put up a static web page, or $2000 for what amounts to a custom WordPress theme. Move up the line and you get web developers who tout their SEO SKILLS SKILLS AT SEO SEARCH ENGINE OPTIMIZATION ABILITIES SKILLS CREDENTIALS EXPERIENCE SEO, never telling their marks that if Google (or any other search engine provider) discovers your SEO TECHNIQUES SEO TRICKS they will give you the death penalty. Move up the line a little bit more and you get mass-mailers, who porn sites and second-tier scammers will pay $1000 to send out ten million emails.

Marks fall for these things constantly because they don't know any better, and the volume is such that it's hard to tell who's a genuine scammer and who's just so incompetent that they think the SEO skills that hotgirlz.com used in 1996 still work.
posted by sonic meat machine at 7:38 PM on March 22, 2011


In the days of Boot block viruses it seemed like a good percentage of the ones out there were "counter-viruses", designed to overwrite other viruses. They ended up being just as much of a problem as the "real" viruses. Possibly there is a lesson to be learned there.
posted by Artw at 7:39 PM on March 22, 2011 [1 favorite]


Drats.
For my next botnet, I will set it to contact the emergency secret IP address 180 days after it is last able to contact the normal control hosts.
posted by bystander at 7:56 PM on March 22, 2011


Sony is using terms of service violations (among other things) to go after George Hotz over his PS3 crack. Ends rarely justify the means.

I think there was a recent court decision making EULAs enforceable if the user actually reads them, thus we've got this new generation of EULAs where you have to scroll down and read the whole thing. But how could you prove Hotz actually agreed to the EULA? I suppose he might have had a 'regular' PS3 Live account or something, but in terms of the hacking, don't you think he could have gotten around the whole 'click OK' thing?

He could have bought a used PS3 with the license already agreed to, for example.

For my next botnet, I will set it to contact the emergency secret IP address 180 days after it is last able to contact the normal control hosts.

The thing is, if you hard-code an IP address, they'll be able to see what it is. The trick is digital signatures. You include a digital signature for commands, then if the bots lose their master signal, you can just set them all up to form transient P2P networks and scan the web Google-style to search for signed messages. You could make the signatures look like markov-style autogenerated text to make them harder to notice. With a million nodes, scanning lots of the web wouldn't be too hard for them.
posted by delmoi at 11:18 PM on March 22, 2011


The Unix of the 80s makes windows of today look like fort Knox

The point is, the Unix of the 90s - and awareness in general - had already evolved from that by the time MS was promoting Windows 9x as the connected OS of choice - but the company consciously and openly did not design for security on the desktop (or anything else) if it conflicted with its business model. The Unix world had been running security symposiums for years by that point, and if you go googling around that period you'll find a lot of discussion, shared experiences, theoretical and practical advice, based on decades of experiments and mistakes. All of which was available to MS.

I just don't think it's snark to say that this happened, that the effects are with us still (how many man-years are lost every day through Windows anti-malware clogging up computers?), and MS has a way to go yet before it earns forgiveness.

The botnet work - good. An awful lot of what Ballmer still says - not so good. Blaming journalists for telling people about security issues - priceless.
posted by Devonian at 1:44 AM on March 23, 2011


Ad hominem: On OS X you can type PS at the command line to see your running processes, there is no way to do that on Winbloat, that is why it is so easy for your computer to get infected.

How is this different than using Windows Task Manager to see which processes are running? (I'm ignorant of how the command line stuff works on OS X)

Anyway, it's always good to see botnets put out of commission, hopefully it lasts.
posted by Harpocrates at 1:49 AM on March 23, 2011


It's more Appley* - you might want to re-read Ad hominem's comment with an eye for tone.

* actually I think we established last time that OS X doesn't have those annoying svchost threads that can be hard to identify. I have to say that does sound like a good thing.
posted by Artw at 1:55 AM on March 23, 2011 [1 favorite]


The Unix world had been running security symposiums for years by that point, and if you go googling around that period you'll find a lot of discussion

Oh sure, I don't think Microsoft was sitting on its hands though. I know they paid attention to Bugtraq and they even went so far as to hire some of the hackers that were targeting Windows, like the kid that discovered the redbutton attack. It seems to me they suffered less from what Unix did, remote buffer overflows, and suffered more from the fact that everyone ran as admin. If you ran as root and executed everything within reach, including random shit off the net and email attachments, your Linux box wouldn't last long. Unix had the luxury of an educated userbase; even before sudo, people did not run with . in their path in case people were dropping hacked copies of ls everywhere for them to execute.
posted by Ad hominem at 7:19 AM on March 23, 2011


How is this different then using Windows task manager to see which processes are running?

Sorry I was kidding, PS is pretty similar to the DOS tasklist command.
posted by Ad hominem at 8:12 AM on March 23, 2011


Why would you turn your computer off? I doubt it's a significant component of your power bill.

While your computer is on fire up the calculator.
posted by srboisvert at 11:02 AM on March 23, 2011


South Korea Wants To Mandate Everyone Must Install 'Security' Software To Prevent 'Zombies'
posted by Artw at 12:13 PM on March 24, 2011


It seems to me they suffered less from what unix did, remote buffer overflows

Err..

“The mean time to infection is less than five minutes.”
posted by Skorgu at 5:39 PM on March 27, 2011



