This 69 message thread spans 3 pages.
|Massive Botnet Spamming Infestation Thwarts Standard Detection|
Only 20% of PCs Running Anti-Virus Detect This Malware
There appears to be a botnet called Kraken infesting many machines, primarily home broadband users, on possibly an unprecedented scale with estimates ranging from 165K to 600K infected machines.
The purpose of this botnet appears to be spamming but whether it's email spamming or web spamming was unclear from the articles.
|Researchers have unearthed what they say is the biggest botnet ever. It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network. |
What's new and different is this botnet uses HTTP as its primary protocol instead of IRC!
|In addition, compromised nodes speak to a control server using HTTP traffic instead of the more traditional approach of using IRC channels. IRC channel traffic is more obviously suspicious. |
The really scary part is that the anti-virus products are behind in detecting this:
|So far, only about 20 percent of PCs running anti-virus products are detecting the malware. |
What makes the anti-virus vendors being behind in detecting Kraken more astonishing, in my opinion, is this malware has been known in malware research circles for at least a month!
|APRIL 9, 2008 ¦ 4:00 PM - Damballa on Monday released details on Kraken, which it says is an all-new botnet that's twice the size of Storm, with 400,000 bots, including machines in 50 of the Fortune 500 companies. |
This obviously raises quite a few concerns for webmasters as the sheer scope of this network could obviously be used to create quite a problem for any web server with just the volume of requests that could be generated per second.
TippingPoint's DVLABS published a list of about 15K known infected IPs responding to the botnet, and the ranges of many of these IPs are in areas of frequent discussion in the Spider forum already, so that wasn't much of a surprise.
[edited by: incrediBILL at 1:33 am (utc) on May 1, 2008]
|An ethical line, or a legal one? If ethical, I'm very interested into where you draw this line. |
I did a little research in my jurisdiction (CA) and this line sums it up:
|Knowingly and without permission accesses or causes to be accessed any |
computer, computer system, or computer network.
It doesn't seem to matter if you're the first person to hack a machine or someone just using someone else's hack, sending the command to the botnet itself is considered "ACCESS", and anything you tell it to do is still unauthorized and without permission.
That's a line I won't cross as it carries up to 3 years jail and/or heavy fines.
It is illegal to break into someone else's house... Unless you are saving the occupier from a house fire.
It is illegal to hit someone with a baseball bat.... Unless you are defending yourself or someone else.
It is illegal to kill babies... Unless you are a doctor and are performing an abortion.
It is illegal to kidnap children... But what if you were removing them from harm?
Just because something is illegal does not mean you will be found guilty or face the maximum charge.
What about the rights of normal people to not have their machine attacked and be sent spam constantly? Who is discussing my rights and ethics? Instead you are more interested in the criminals and the incompetent Windows owners.
In fact this morning I am being joe-jobbed because of these scumbags and idiots, who is going to compensate me for my lost time?
>>>Instead you are more interested in the criminals and the incompetent Windows owners.
Not so. Just comparing the vigilantes to the criminals.
>>>>In fact this morning I am being joe-jobbed because of these scumbags and idiots, who is going to compensate me for my lost time?
Nobody. That's life (but yes, it's darn annoying, and expensive and we all want it stopped). And you're proposing vigilante justice to 'compensate you'. The 'do-gooder' philosophy here is a pretty thin veneer.
The proper course of action is legal action against the negligent people who allow their computers to be hacked and used to attack the rest of us. I appreciate that's not going to happen - but there are still two reasonable methods to fix this problem that have been proposed. First is allow the virus folks to correct the problem. The second one is for ISPs to knock these computers offline. I think I've even read that some ISPs do that already.
Only if we accept that. It is life that people will drink drive but it does not mean we should ignore the problem.
For other people the side effect is much worse than being joe jobbed or receiving spam. For those people the spam includes phishing attempts (which work) and viruses (which they always click on).
Spammers used to use open relays for spam, but some 'vigilante' action closed them down. The spammers now use botnets because they are easy and cheap to set up.
Silently fixing the bots would be like the immune system for the web and as long as the people running these operations documented their actions I do not see a problem. Even in the worst case scenario a court would decide in their favour, especially if everything was documented properly.
|First is allow the virus folks to correct the problem. |
This is not going to work, anti-virus is flawed from the start. All it does is discourage Microsoft from making their OS stronger and makes other companies rich and slows down people's PCs.
|The second one is for ISP's to knock these computers offline. |
I would go along with that, but you realise that the effect of knocking a computer offline is probably worse than silently fixing the problem. I suspect most people would blame the ISP and switch to someone who doesn't block them.
ISPs could kill most botnet spam stone dead but they can't be bothered. If spam can be detected at its destination, it can certainly be detected (much more easily) at its source. Upon detection, a variety of actions could be taken - but that's another discussion altogether.
Sending a warning message to an infected computer is not vigilante action. If you left your front door open at night and a neighbor rang the doorbell to draw your attention to it, that would not be illegal.
Taking any action beyond sending a message might, theoretically, result in legal action. For instance, someone might be studying the botnet and if you clean the computer you would interfere with that study.
|I would go along with that, but you realise that the effect of knocking a computer offline is probably worse than silently fixing the problem. I suspect most people would blame the ISP and switch to someone who doesn't block them. |
I did say the ISP would have to redirect all of their internet accesses to a dead-end site that explains they've been disabled due to AUP violations of spamming, possibly due to an infected machine.
The ISPs are not interested in helping fix every machine, they just provide connectivity. I think it would be fairly hard for them to monitor for each piece of malware because it is not their business.
The history of the UK police force is interesting as that started out as a lot of vigilantes and was hated because they were seen as corrupted, I think this situation is similar. If there was an official team who had special powers to knock out bots then I would be all for it. The alternative is anarchy and handing over a serious chunk of computing power and bandwidth to the bad guys. They must be laughing at the moment with everyone falling over their morals whilst they make millions pumping our inboxes with spam and offensive pictures.
|who is going to compensate me |
Ahhh, modern society. Myself I feel I deserve compensation for the pain and suffering I experience every time I hear someone say something like that. Hehe.
As far as whether or not the ISPs can be bothered to shut down or limit accounts that are infected, I suspect that, in many countries, the courts would rule on something like this in much the same way as intellectual property (DMCA, etc.). Web hosts are not responsible for the actions of their users until they have been informed. At which point they are obligated to act.
Even just a couple of groups like the one this thread refers to would be enough to put a huge dent in the botnet problem. And no doubt many ISPs would start to become proactive along the way.
|The ISPs are not interested in helping fix every machine, they just provide connectivity. I think it would be fairly hard for them to monitor for each piece of malware because it is not their business. |
That would be one theory but ISPs are already known to block SMTP access to stop spamming and can filter out lots of other rogue information if they want.
It will take one piece of legislation for force them to disable known botnet IPs and this will be a moot conversation.
Dialing my legislator now, you dial yours, let's see who passes the bill first.
California is pretty aggressive, I'll stake money we pass it first :)
>> force them to disable known botnet IPs
Most IPs are dynamic and few are static. Suppose I'm on a compromised system and I log on only to check my email and then log off. Imagine the list of IP addresses. Now suppose I log off and a while later someone else logs in and is assigned my old IP address, how do you guard against the innocent being caught up in blocking IP addresses? It would seem that the theory, currently, could only be applied to static IP addresses. I suppose that as this becomes more and more of an issue/problem, that everyone will get assigned a static IP address at birth much like a Social Security Card.
|Most IPs are dynamic and few are static. |
The ISP will know who you were based on the date you used that IP.
|Most IPs are dynamic and few are static. |
IP address allocation is based on the existence of unique MAC addresses. Although you may be able to change the apparent MAC address of the network adapter on your computer, and you may be able to change the apparent MAC address on your router, you will not be able to change the MAC address on your cable modem and if you did, it would not connect anyway.
Be assured, your ISP knows the MAC address of your adapter and could disconnect you (and display a standard "You've been disconnected" page) with little difficulty.
How would the ISP know that you are infected with a bot rather than just talking on IRC or sending an email newsletter every day?
ISPs are not in the security business so how are they supposed to judge when someone is infected? The computer does not send out a message telling everyone that it is infected and what it is infected with.
|How would the ISP know that you are infected with a bot |
So far as spam is concerned (but not DOS attacks)...
As I said before, if spam can be detected at the destination, it can (more easily) be detected at source. Once detected, a human inspection will normally be sufficient for immediate confirmation. Even if no bot infection exists, TOS will normally prohibit sending spam.
Detection at source is easier, not least, because if many users are sending similar emails, a flag should be raised immediately.
Speaking as someone who has had a lot of hassle with my emails being falsely rejected as spam, I am not sure I like this idea. If it went through then I would be constantly contacting my ISP to reconnect me.
Anyone who is stupid enough to send a mailshot which might be thought of as spam would be disconnected.
We cannot detect spam easily, it is a constant battle, if a false negative meant being cut off from the internet then it will cause more problems than it is trying to solve.
What if someone came to my office with an infected laptop? BOOM! Bye bye business... No thanks... Nuke the infected machine directly, the only way to do that is through the botnet C&C.
I expect most webmasters send mail using their servers rather than their ISPs. i.e. this would mostly affect users not webmasters.
Of course, there is no actual need for a full disconnection, a temporary SMTP block should suffice. If the user then completed a captcha the block could be removed.
|The computer does not send out a message telling everyone that it is infected and what it is infected with. |
Actually, it does send messages when the botnet talks over the C&C (command and control) channel which can be detected using BotSniffer techniques.
Additionally, if you catch the machine attempting to spam or attempting to hack a server, both relatively easy to detect with simple filters, you can be reasonably sure you have an infected machine on your hands.
I could send the ISPs a huge list of infected machines that have hit my server, so even if they can't detect them their targets can help identify them.
[edited by: incrediBILL at 6:21 pm (utc) on May 3, 2008]
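The post above claims that a web server can spot an infected machine "with simple filters" when it tries to spam or probe the server, and that the resulting IP list can be handed to ISPs. The following is an added illustration of that idea, not code from the thread or from any of the vendors mentioned in it. It parses constructed access-log lines in the common "combined" format, applies two simple filters (a burst of POSTs to form endpoints, and many distinct 404 paths from one address), and produces a per-IP report with first/last-seen timestamps, which is what an ISP needs to map a dynamic IP back to a subscriber. The endpoint names, thresholds and log lines are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined format); these are not real traffic.
# 203.0.113.7  -> six form POSTs in a few seconds (comment-spam pattern)
# 198.51.100.9 -> six different paths that 404 (probing pattern)
# 192.0.2.5    -> ordinary browsing, one legitimate comment
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2008:14:01:02 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [03/May/2008:14:01:03 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [03/May/2008:14:01:04 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [03/May/2008:14:01:05 +0000] "POST /guestbook.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [03/May/2008:14:01:06 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [03/May/2008:14:01:07 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [03/May/2008:14:10:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [03/May/2008:14:10:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [03/May/2008:14:10:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [03/May/2008:14:10:03 +0000] "GET /cgi-bin/test HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [03/May/2008:14:10:04 +0000] "GET /setup.php HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [03/May/2008:14:10:05 +0000] "GET /backup.sql HTTP/1.1" 404 210 "-" "-"
192.0.2.5 - - [03/May/2008:14:20:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.5 - - [03/May/2008:14:20:01 +0000] "GET /missing.gif HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.5 - - [03/May/2008:14:21:30 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed form endpoints on this site; in practice taken from the site's own routes.
FORM_PATHS = {"/comment.php", "/guestbook.php", "/contact.php"}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_abusers(lines, post_threshold=5, post_window_s=60, notfound_threshold=5):
    """Return {ip: {"reasons": [...], "first_seen": ts, "last_seen": ts}} for IPs
    that trip either simple filter. Thresholds are assumptions for the example."""
    posts = defaultdict(list)    # ip -> timestamps of POSTs to form endpoints
    notfound = defaultdict(set)  # ip -> distinct paths that returned 404
    seen = {}                    # ip -> (first_seen, last_seen)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        first, last = seen.get(ip, (ts, ts))
        seen[ip] = (min(first, ts), max(last, ts))
        if rec["method"] == "POST" and rec["path"] in FORM_PATHS:
            posts[ip].append(ts)
        if rec["status"] == 404:
            notfound[ip].add(rec["path"])

    report = {}
    for ip, (first, last) in seen.items():
        reasons = []
        stamps = sorted(posts[ip])
        # Sliding window: flag if post_threshold POSTs fall inside post_window_s seconds.
        for i in range(len(stamps) - post_threshold + 1):
            if (stamps[i + post_threshold - 1] - stamps[i]).total_seconds() <= post_window_s:
                reasons.append(f"{post_threshold}+ form POSTs within {post_window_s}s (comment spam)")
                break
        if len(notfound[ip]) >= notfound_threshold:
            reasons.append(f"{len(notfound[ip])} distinct 404 paths (probing)")
        if reasons:
            report[ip] = {"reasons": reasons, "first_seen": first, "last_seen": last}
    return report


def format_abuse_report(report):
    """One line per flagged IP with the timestamps an ISP needs to identify the subscriber."""
    out = []
    for ip, info in sorted(report.items()):
        out.append(f"{ip} first={info['first_seen'].isoformat()} "
                   f"last={info['last_seen'].isoformat()} " + "; ".join(info["reasons"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_abuse_report(find_abusers(SAMPLE_LOG.splitlines())))
```

The timestamps are the important part of the report: as a later post in this thread notes, an ISP can only tie a dynamic address to a customer if it knows when the address was in use.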
|that's the way it should go down, not Rambo-nerd style |
Why not, we're having billionaire geeks, evil geeks, time for Robinhood geeks for a complete cast.
I am fairly sure that the C&C IRC sessions are encrypted so ISPs cannot sniff them. Even detecting spam as it passes through their servers is very hard. Even if you ignore the false positives, you would also have to perform stateful packet inspection and reassemble each mail before sending it on.
Remember each email is sent in packets and reassembled on the other end, ISPs would not be able to scale to read and virus check each packet passing through their network. ISPs checking for infected computers and then cutting off the customer is not practical.
|Remember each email is sent in packets and reassembled on the other end, ISP's would not be able to scale to read and virus check each packet passing through their network |
What on earth are you talking about?
Basically, SMTP is merely a communication protocol that builds a file (or any type of data block) line by line. When the whole has been assembled, it is dispatched. No one in their right mind would fanny about sniffing packets, they would merely scan the fully assembled email before dispatch.
Each spam email is typically dispatched with ten or more cc or bcc addresses. Consequently, if emails are scanned at source, the overall job is at least ten times easier. In addition, the real source is known (unlike scanning at the destination). Finally, it reduces server/internet load (in terms of bandwidth) because the spam is never sent.
Tell me, how many more advantages do I need to point out?
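The two posts above (the earlier one about flagging many users who send similar emails, and this one about scanning the fully assembled message at the submission server before dispatch) describe a detection that is easy to show concretely. This is an added example, not code from the thread or from any ISP's mail system. It assumes the submission server hands each assembled message to a hook as a dict with the authenticated account, the recipient list and the body; the fingerprinting scheme, thresholds and sample messages are all assumptions for the example. Messages that trip a rule are held for the human inspection the earlier post mentions rather than relayed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of fully assembled submissions (not real mail). Four accounts
# submit the same pitch with per-copy variation; one account sends a large mailshot;
# one sends an ordinary personal message.
SAMPLE_MESSAGES = [
    {"id": "m1", "account": "alice", "recipients": ["a@x.invalid", "b@x.invalid", "c@x.invalid"],
     "body": "Buy cheap pills at http://a1.example.invalid/x9 - order now! ref 48291"},
    {"id": "m2", "account": "bob", "recipients": ["d@x.invalid", "e@x.invalid"],
     "body": "BUY CHEAP PILLS at http://b2.example.invalid/q7 - order now! ref 11002"},
    {"id": "m3", "account": "carol", "recipients": ["f@x.invalid"],
     "body": "Buy cheap pills at http://c3.example.invalid/zz -  Order now!! ref 77"},
    {"id": "m4", "account": "dave", "recipients": ["g@x.invalid"],
     "body": "buy cheap pills at http://d4.example.invalid/ order now ref 5"},
    {"id": "m5", "account": "news", "recipients": [f"s{i}@x.invalid" for i in range(25)],
     "body": "Monthly newsletter: our May update and upcoming events"},
    {"id": "m6", "account": "erin", "recipients": ["frank@x.invalid"],
     "body": "Hi, are we still on for lunch tomorrow?"},
]


def fingerprint(body):
    """Normalize a body so that per-copy variation (case, whitespace, random digits,
    different hostnames) collapses to one fingerprint. Assumed scheme for the example."""
    text = body.lower()
    text = re.sub(r"https?://\S+", "url", text)              # hostnames vary per copy
    tokens = [t for t in re.findall(r"[a-z]+", text) if len(t) > 2]  # drops digits/short noise
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()[:16]


def hold_for_inspection(messages, min_accounts=3, max_recipients=10):
    """Return {message_id: [reasons]} for submissions that should be held, not relayed.

    Rule 1: the same fingerprint submitted by at least min_accounts distinct accounts
            (the "many users sending similar emails" signal).
    Rule 2: max_recipients or more addresses on one message (the "ten or more cc/bcc"
            pattern). This rule alone can also catch a legitimate mailshot, which is
            why the result is a hold for review rather than an automatic disconnect.
    """
    accounts_by_fp = defaultdict(set)
    for m in messages:
        accounts_by_fp[fingerprint(m["body"])].add(m["account"])

    held = {}
    for m in messages:
        reasons = []
        senders = accounts_by_fp[fingerprint(m["body"])]
        if len(senders) >= min_accounts:
            reasons.append(f"same body submitted by {len(senders)} accounts")
        if len(m["recipients"]) >= max_recipients:
            reasons.append(f"{len(m['recipients'])} recipients in one message")
        if reasons:
            held[m["id"]] = reasons
    return held


if __name__ == "__main__":
    for mid, why in hold_for_inspection(SAMPLE_MESSAGES).items():
        print(mid, "->", "; ".join(why))
```

Note that m5, the newsletter, is held only by the recipient-count rule; that is the false-positive case raised elsewhere in this thread, and it is the reason the output is a review queue rather than a block.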
|I am fairly sure that the C&C IRC sessions are encrypted so ISP's cannot sniff them. |
That would be incorrect as there are already commercially available packages that do IDS-Driven Dialog Correlation to detect botnet activity. If you couldn't analyze the dialog then that product wouldn't work.
If you've ever seen raw botnet dialog it's just IRC chatter, nothing special.
The trick is to identify IRC chatter outside of normal operating parameters which also isn't that complicated because my IRC chatter would typically only be with a specific service provider so any other IRC chatter on my box can be, and is, firewalled.
Besides, the ISPs are trying to combat the problem by providing tools with broadband subscription such as "Virus protection, firewall, privacy tools ... included free for the length of your subscription" but again, it was the AV that failed, and is still failing, that allowed the infection in the first place and is still incapable of fixing the problem.
[edited by: incrediBILL at 9:04 pm (utc) on May 4, 2008]
Good news on this as it looks like the code has been broken by reverse-engineering at TippingPoint Technologies and they can now have the request sent to a subdomain created by the research team.
Interesting read on it and sure more will follow.
|What on earth are you talking about? |
I am talking about the network layer.
You are talking about the App layer, but unless the ISP is relaying all mail on behalf of their users then they will not see the entire message unless they recombine it before sending it to the recipient (the outgoing SMTP server that the user is using for outgoing mail).
@incrediBILL: Even if we ignore the false positives which that sort of system would introduce. Even if we ignore the fact that the botnets could (and have) switched to HTTP or HTTPS for C&C. What happens when the user is disconnected? Antivirus will not work so they will have to reinstall, losing their applications and settings. Surely the better alternative is to shut off the malware and leave the OS intact?
Congratulations, you just described exactly how it works.
|unless the ISP is relaying all mail on behalf of their users then they will not see the entire message unless they recombine it before sending it to the recipient |
SMTP is a simple protocol designed to upload messages to a mail server (typically the ISP). When the message is complete, the mail server relays to its destination(s). If you are under the impression that SMTP is some sort of broadcast protocol whereby multiple destinations can be simultaneously bombarded with data in real-time as you upload a message, you are mistaken. Theoretically, it could work that way, but why would it?
Perhaps you have misunderstood my point. Spam can be detected at its source, i.e. when it has been fully assembled for the first time by the mail server prior to dispatch. When the mail server is also the ISP (as is commonly the case with users, but not necessarily webmasters) such detection would be eminently sensible. Naturally, it would require a little effort and that effort seems to be too great an obstacle for ISPs right now - quite pathetic really.
@kaled : Why don't you speak to your ISP, maybe they can explain things to you. The ISP knows nothing about SMTP because it is working at the network layer not the app layer. The only thing they know is that you are connecting to some machine on port 25 and sending some data (which is fragmented). If your ISP ever did reassemble all of your packets to check for viruses, you would see worse network performance than you would on dialup.
|Spam can be detected at its source |
It can even be detected in the infected machine before it's mailed out when an unauthorized application attempts to send mail. However, considering the machine is already infected then it's probably OK to assume that firewall protection against sending unauthorized email is probably no longer valid.
|Surely the better alternative is to shut off the malware and leave the OS intact? |
Define intact as the OS is already unstable when it's infected so leaving the OS intact is just wishful, not reality. Updates from the OS vendor, MS or whoever, will most likely fail to install properly, 3rd party software will probably have issues as well.
|Even if we ignore the fact that the botnets could (and have) switched to HTTP or HTTPS for C&C. |
Why should we ignore this fact?
Once you know what destination services this botnet looks for to communicate with the C&C, which we already do, then blocking all machines from communicating with those C&Cs is quite trivial from any firewall or router.
|Antivirus will not work so they will have to reinstall, losing their applications and settings |
Who said AV didn't work?
I said at the time of the posting not ALL of the AV worked, only 20% did when one article was published and the latest data I can find claims 50% can detect it. McAfee claims it could detect and remove Spam-Mailbot.f (aka Kraken) and has been able to detect and remove it since 12/12/2007.
The only way AV couldn't deal with this is if the Kraken code disabled your AV before the AV was able to detect Kraken and if your AV is already fried, time to reinstall, otherwise everything can then hack into your machine if you have no protection whatsoever.
It's only a matter of time until the rest of the AV vendors catch up or perish because of disgruntled customers.
So what you are saying is...
Spam can be detected on the infected machine... unless the machine is infected.
Detecting C&C networks are trivial, unless they keep changing the method of communicating.
AV works... except for the 80-50% of the time when it doesn't... And then it's only on an uninfected machine, once it is infected the AV cannot be relied upon...
If AV vendors do not keep up and they perish, what will happen then?
It makes me glad I switched away from Windows, it sounds like a bit of a nightmare.
That's not what I said whatsoever and didn't add any value to the discussion.
What I said was that if the malware gets in before the AV knows about the malware then the firewalls (which can detect malware spam) may be compromised which is always a possibility.
I said detecting rogue behavior is trivial, not necessarily botnets, because they do things outside of the norm of your machine.
|It makes me glad I switched away from Windows, it sounds like a bit of a nightmare. |
Nobody was discussing Windows, I run Linux, it's not any better and Mac is just too small of a footprint to be a target so it's security through obscurity but that's drifting off the topic of botnets.
[edited by: incrediBILL at 5:49 pm (utc) on May 5, 2008]
|What I said was that if the malware gets in before the AV knows about the malware it's like the firewalls (which can detect malware spam) may be compromised which is always a possibility. |
This is why AV is totally broken, they rely on signatures which cannot keep up with new infections. Once you are infected then the AV is totally unreliable.
|I said detecting rogue behavior is trivial, not necessarily botnets, because they do things outside of the norm of your machine. |
There is no way to know what is normal for your machine, unless you are on your machine and you sample network activity for at least a month. That would require stateful inspection (if done by the ISP) which is not feasible and would result in too many false positives (and ISPs being sued for cutting people off). This is not trivial since most active users will send out thousands of connections per day, a lot of them would be unique or strange.
|Nobody was discussing Windows, I run Linux. |
Most or all of these infected machines are running XP (not Vista or OSX or Linux), so really this is a Windows (XP) problem.
Getting back on topic, the only reliable way to stop botnets in the future is to attack their C&C directly. If some infected machines become the victim of friendly fire then that is the cost of war. All other methods fail because they are not practical or simply will not work.
|Most or all of these infected machines are running XP (not Vista or OSX or Linux) |
But they are typically all herded from Linux boxes running the C&C.
|There is no way to know what is normal for your machine |
That's why the anti-spam firewalls whitelist all email clients so each task that attempts to send email is always challenged to send email a) always, b) never or c) just one time.
Likewise, you can take the same whitelisting approach to anything attempting to communicate on IRC channels or send HTTP requests.
I have a hardware firewall as well, which most people don't, which is where trouble starts because any flaws in the software firewall and it's game over. So having both a hardware and software firewall gives you twice as much chance to avoid becoming an unwilling participant in a botnet.
FYI, the solution to shut down Kraken is actually simpler than it seems without touching anyone's PC:
IMO one of the better ideas that's been discussed in this thread is the possibility of ISPs responding to 3rd party information about infected IPs.
This does not require the ISP to detect anything, merely to look at logs and verify the report.
3rd parties could also report, or maintain passive lists of, target bot herder addresses. ISPs could then scan network traffic for these addresses, potentially both blocking them and identifying infected PCs. False positives would be relatively rare.
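Several posts in this thread converge on the same ISP-side workflow: a third party reports an infected IP with a timestamp, the ISP checks its own records to see which subscriber held that address at that moment (the dynamic-IP objection and the "based on the date you used that IP" reply), and, independently, the ISP can watch its traffic for contacts with published bot-herder addresses. The example below is added here to make that workflow concrete; it is not code from the thread or from any ISP. It assumes the ISP keeps DHCP lease records keyed by the cable modem's MAC address and has flow records of the form (time, source IP, destination IP, port). All lease data, flow records and the "known C&C" address are constructed placeholders, not real addresses from the DVLABS list.

```python
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed DHCP lease history: (ip, modem_mac, lease_start, lease_end).
# Note 203.0.113.7 is held by two different subscribers on the same day, with a gap.
LEASES = [
    ("203.0.113.7", "00:11:22:33:44:aa", parse_ts("2008-05-03 13:00"), parse_ts("2008-05-03 15:00")),
    ("203.0.113.7", "00:11:22:33:44:bb", parse_ts("2008-05-03 15:30"), parse_ts("2008-05-03 18:00")),
    ("203.0.113.9", "00:11:22:33:44:cc", parse_ts("2008-05-03 12:00"), parse_ts("2008-05-04 12:00")),
]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
FLOWS = [
    (parse_ts("2008-05-03 14:02"), "203.0.113.7", "198.51.100.200", 80),  # contact with "C&C"
    (parse_ts("2008-05-03 14:03"), "203.0.113.7", "192.0.2.80", 80),
    (parse_ts("2008-05-03 16:05"), "203.0.113.7", "192.0.2.80", 80),      # later holder, clean
    (parse_ts("2008-05-03 13:30"), "203.0.113.9", "192.0.2.25", 25),
]

# Placeholder for an address taken from a published herder list; not a real C&C.
KNOWN_CC = {"198.51.100.200"}


def subscriber_at(ip, when, leases):
    """Which modem MAC held `ip` at time `when`, or None if no lease covers it."""
    for lease_ip, mac, start, end in leases:
        if lease_ip == ip and start <= when < end:
            return mac
    return None


def verify_report(report, leases, flows, known_cc, window=timedelta(hours=1)):
    """Check a third-party report {"ip", "seen"} against the ISP's own records.

    Returns the subscriber holding the IP at the reported time and any flows from that
    same lease, near the reported time, to a known C&C address. A later holder of the
    same dynamic IP is never blamed because each flow is re-attributed by its own time.
    """
    mac = subscriber_at(report["ip"], report["seen"], leases)
    if mac is None:
        return {"subscriber": None, "cc_contacts": [], "confirmed": False}
    contacts = [
        f for f in flows
        if f[1] == report["ip"]
        and abs(f[0] - report["seen"]) <= window
        and subscriber_at(f[1], f[0], leases) == mac
        and f[2] in known_cc
    ]
    return {"subscriber": mac, "cc_contacts": contacts, "confirmed": bool(contacts)}


def find_infected(flows, leases, known_cc):
    """Passive scan: map every contact with a known C&C address to the subscriber
    who held the source IP at that moment. Returns {modem_mac: [flows]}."""
    hits = {}
    for ts, src, dst, port in flows:
        if dst in known_cc:
            mac = subscriber_at(src, ts, leases)
            if mac is not None:
                hits.setdefault(mac, []).append((ts, src, dst, port))
    return hits


if __name__ == "__main__":
    rpt = {"ip": "203.0.113.7", "seen": parse_ts("2008-05-03 14:01")}
    print(verify_report(rpt, LEASES, FLOWS, KNOWN_CC))
    print(find_infected(FLOWS, LEASES, KNOWN_CC))
```

The lease lookup is what answers the dynamic-IP objection: a report for 203.0.113.7 at 14:01 resolves to the first subscriber and is confirmed by that subscriber's own flow, while the same address reported at 16:00 resolves to the second subscriber and is not confirmed, and a report falling in the gap between leases resolves to nobody and should be bounced back to the reporter rather than acted on.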