| This 69 message thread spans 3 pages: 69 (  2 3 ) > > || |
Massive Botnet Spamming Infestation Thwarts Standard Detection
Only 20% of PCs Running Anti-Virus Detect This Malware
There appears to be a botnet called Kraken infesting many machines, primarily home broadband users, on possibly an unprecedented scale with estimates ranging from 165K to 600K infected machines.
The purpose of this botnet appears to be spamming but whether it's email spamming or web spamming was unclear from the articles.
|Researchers have unearthed what they say is the biggest botnet ever. It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network. |
What's new and different is this botnet uses HTTP as its primary protocol instead of IRC!
|In addition, compromised nodes speak to a control server using HTTP traffic instead of the more traditional approach of using IRC channels. IRC channel traffic is more obviously suspicious. |
The really scary part is that the anti-virus products are behind in detecting this:
|So far, only about 20 percent of PCs running anti-virus products are detecting the malware. |
What makes the anti-virus vendors being behind in detecting Kraken more astonishing, in my opinion, is this malware has been known in malware research circles for at least a month!
|APRIL 9, 2008 ¦ 4:00 PM - Damballa on Monday released details on Kraken, which it says is an all-new botnet that's twice the size of Storm, with 400,000 bots, including machines in 50 of the Fortune 500 companies. |
This obviously raises quite a few concerns for webmasters as the sheer scope of this network could obviously be used to create quite a problem for any web server with just the volume of requests that could be generated per second.
TippingPoint's DVLABS published a list of about 15K known infected IPs responding to the botnet, and many of these IP ranges are in areas of frequent discussion in the Spider forum already, so that wasn't much of a surprise.
[edited by: incrediBILL at 1:33 am (utc) on May 1, 2008]
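The point made above about HTTP being less "obviously suspicious" than IRC is worth showing in practice: an HTTP check-in looks like any other web request, so a detector has to look at timing rather than the protocol. The following is an added example, not code from the thread or from DVLABS, and it does not model the actual Kraken protocol. It assumes a simple space-separated proxy log format (timestamp, client, method, URL, status) and uses a constructed sample log in which one client fetches the same host on a near-constant interval while another browses normally. It flags (client, host) pairs whose inter-request gaps have a low coefficient of variation, which is the classic beaconing signature.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real Kraken traffic). The layout is an
# assumed "timestamp client method url status" format, one request per line.
# 10.0.0.5 polls 198.51.100.7 roughly every 600 s; 10.0.0.8 browses normally.
SAMPLE_LOG = """\
2008-04-28T10:00:00 10.0.0.5 GET http://198.51.100.7/gate.php 200
2008-04-28T10:01:12 10.0.0.8 GET http://www.example.com/ 200
2008-04-28T10:01:15 10.0.0.8 GET http://www.example.com/style.css 200
2008-04-28T10:02:30 10.0.0.5 GET http://www.example.com/ 200
2008-04-28T10:04:40 10.0.0.8 GET http://www.example.com/news 200
2008-04-28T10:10:03 10.0.0.5 GET http://198.51.100.7/gate.php 200
2008-04-28T10:19:58 10.0.0.5 GET http://198.51.100.7/gate.php 200
2008-04-28T10:22:05 10.0.0.8 GET http://www.example.com/about 200
2008-04-28T10:23:00 10.0.0.8 GET http://www.example.com/contact 200
2008-04-28T10:30:01 10.0.0.5 GET http://198.51.100.7/gate.php 200
2008-04-28T10:35:10 10.0.0.5 GET http://www.example.com/news 200
2008-04-28T10:40:00 10.0.0.5 GET http://198.51.100.7/gate.php 200
2008-04-28T10:49:57 10.0.0.5 GET http://198.51.100.7/gate.php 200
2008-04-28T10:51:30 10.0.0.8 GET http://www.example.com/ 200
2008-04-28T10:55:00 10.0.0.5 GET http://www.example.com/about 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^https?://([^/:]+)")


def parse_log(text):
    """Parse log lines into (client, host, timestamp) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h = HOST_RE.match(m.group("url"))
        if not h:
            continue
        records.append((m.group("client"), h.group(1),
                        datetime.fromisoformat(m.group("ts"))))
    return records


def find_beacons(records, min_hits=5, max_cv=0.2):
    """Return (client, host) pairs whose request intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. Human browsing is bursty (high cv); a polling bot
    with little jitter produces a cv close to zero.
    """
    by_pair = defaultdict(list)
    for client, host, ts in records:
        by_pair[(client, host)].append(ts)
    beacons = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "hits": len(times),
                            "mean_interval": round(avg, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b['client']} -> {b['host']}: {b['hits']} requests "
              f"every ~{b['mean_interval']}s (cv={b['cv']})")
```

Two caveats for anyone running this on real proxy logs: a bot that randomises its sleep interval (or that piggybacks on normal browsing) pushes the cv above any sane threshold, so the timing check is a triage signal rather than proof; and legitimate software (update checkers, RSS readers, webmail polling) beacons too, so the flagged hosts still need to be compared against a known-good list before anyone gets a phone call.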
As I understand it, Kraken is primarily used for email spamming.
Hopefully the link below is permitted - these researchers claim to have 'infiltrated' the network and got connections from a significant percentage of compromised clients:
Kraken Botnet Infiltration [dvlabs.tippingpoint.com]
From Andy's link:
|we entered into a moral dilemma and ethical discussion. We have the ability to successfully redirect infected systems. We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie .. Is it wrong to do so? |
|what happens if we accidentally crash the target system? What if that target system is responsible for someone's life support? |
A very hard question to answer.
Not a hard question. It doesn't matter who's doing the hacking on someone's system, it's generally illegal. You don't get to claim 'good' intentions.
Are there many life support machines that run Windows and are connected to the internet and used for web browsing?
AFAIK the moral (and/or legal) dilemma does not exist here because the bots are connecting to the researchers' C&C and so it's not their fault if the machines obey their command. If the researchers were targeting the machines then it might be different.
I say nuke em and see what happens. If it all goes wrong then we will know next time...
Yes you don't, but it's like watching someone sliding then falling off a cliff and doing nothing to save your own skin, the right thing to do here has two sides and there is no easy answer.
|AFAIK the moral (and/or legal) dilemma does not exist here |
Oh yes it does.
The machines are just looking for the bot herder so these researchers simply answered that call which is as far as they should go legally and ethically. The machines in that botnet were taken by force, never by permission, which means the people now contemplating trying to 'update' them also don't have permission. Just because a machine contacts you doesn't give you the right to do whatever you want with it, it's still not yours.
Many of these machines have AV software which has been granted permission and when the AV software finally tries to remove this malware, if it nukes the machine in the process, at least it's ethical because it has permission.
IMO, the most these researcher guys should be ethically and legally doing is:
- Working with the AV companies to help identify and extract the malware
- Working with the residential broadband companies to identify and notify owners of infected machines on their network.
That's the way it should go down, not Rambo-nerd style.
I think the moral dilemma is an interesting one. Even if we discount the individual PCs concerned, what about the damage being perpetrated by this network?
If we were to take a utilitarian approach I think it's clear that damage by the network (e.g. DoS as incrediBILL suggested in the original post or perhaps even just email spam) far outweighs potential damage to a single user's home computer. There are victims other than just the infected machines themselves.
The real problem is not this botnet but the fact that the people who make them remain free to improve and create next versions of botnets - these people usually live in countries where normal law can't really be enforced - Russia, China etc. Perhaps Europe+USA+some other countries where law can be enforced should suggest that either the above mentioned countries cooperate very, very actively in catching these people (which is much easier to do in an authoritarian country than in the West), or those countries get cut off completely from all connections to the Western segment of the Internet. Harsh? Overreaction? Maybe - but short of nuking the whole site from orbit I don't see any other way to be sure. :(
|There are victims other than just the infected machines themselves. |
But that doesn't give anyone the right to decide which victims should be punished.
The least intrusive method to get the attention of the owner of the infected machine is to use the broadband provider's AUP to pull the plug on their internet connection and redirect all requests for the internet to a site that serves them nothing but pages stating:
"This message is from your broadband provider and your internet access has been disabled for violating our network policies (spamming). It looks like your machine may have been infected by malware which is doing that spamming. Please correct this situation and provide us with proof of correction to have this ban lifted."
The problem is that the broadband providers don't want to lose the revenue so there is no way that the many thousands of infected machines involved get taken offline the legal way.
|The least intrusive method to get the attention of the owner of the infected machine is to use the broadband provider's AUP |
I was mulling over the idea that maybe the AUP should allow for cases like botnets - a minefield, certainly, but a clause that suggested certain groups (your rambo-nerd types, or better still a more controlled group) would be permitted to remove infections would seem to cover most of the objections above.
I couldn't say I personally like the idea, but it seems to address the 'permission' problem, while doing something to address the side issue that most individuals will not know where to start in cleaning PCs, and ISPs aren't going to accept extra workload.
Just to make it clear, the solution they are proposing is to remove the infection from the computer, it is possible it could go wrong and make it inoperable but not likely.
Personally I am tired of dealing with spam and having to constantly tweak my emails so they do not get reported as false positives. Anything that can be done to reduce the DDoS and spam problem is good in my book. ISPs do not want to do anything because it would cause customers to leave and would increase the support call level.
It is not much good to ask people to clean their PCs because as the first post suggests, AV is no good (in fact it is broken by design).
I think legally people would be safe because the person is polluting the internet and causing problems for other people not to mention putting themselves at risk. In the UK the Police have the obligation to secure people's property so they are allowed to nail your door shut if someone knocks it down when you are on holiday. I think a similar principle applies here, but with botnets you are not just putting yourself at risk.
In fact why not arrest the owners of the infected PCs as an accessory to a crime? I am sure a few high-profile cases will make people take security more seriously.
>arrest the owners of the infected PCs
Then by your justice scale, developers of insecure operating systems full of vulnerabilities should be hanged?
Interesting that no one is tracing the responsibility back to M$, people seem to take it as a given that they are not responsible.
|Interesting that no one is tracing the responsibility back to M$, people seem to take it as a given that they are not responsible. |
I'd say the blame lies on both sides.
And, I'd be an avid supporter of fines/penalties for those servers found to have not secured their environment. That's like leaving the keys in your car and in some cases, leaving it running.
|In the UK the Police have the obligation to secure people's property so they are allowed to nail your door shut if someone knocks it down when you are on holiday. I think a similar principle applies here, but with botnets you are not just putting yourself at risk. |
Using your metaphor about the Police securing property, that's why I think restricting those IPs from the 'net until they are properly serviced is the best solution. If they are secured away from the 'net they can't be used to commit more crimes nor can anyone phish information from the machine like passwords, personal data, etc.
Going the other route of trying to force a 'fix' is just bad for everyone.
When private individuals crash other private individuals computers, even with the best of intentions, especially without permission, the possibility for a lawsuit is huge.
Don't forget that 50 of the Fortune 500 had infected machines.
Can you imagine that you tried to "help" remove the infection and disabled a critical part of a major corporation?
Now imagine that word gets about about this Fortune 500 company being disabled by someone with all the right intentions trying to "fix" their infected machines.
Once that hits the press people lose faith in that company, stock plunges, and suddenly their legal dept. is on full tilt hunting down everyone involved.
It's not a simple B&W issue, wish it was, but it's not.
|Interesting that no one is tracing the responsibility back to M$, people seem to take it as a given that they are not responsible. |
That's an unfair position as Linux is way easier to hack than Windows and the security of the Linux box is left solely up to the System Admin.
Heck, if you merely install WordPress the odds of your server account getting hacked go up exponentially and there are lots of threads at the moment about the thousands of currently hacked WordPress accounts, so is WordPress responsible for that?
At some level it's like trying to blame the lock manufacturer because someone got in the house by kicking down the door. You do the best you can to secure your house but there's always a way in, it's a fact of life, we're not perfect.
|I'd be an avid supporter of fines/penalties for those servers found to have not secured their environment. |
Ah, here's a ride on the slippery slope.
Define "secured environment".
Now, here's a real life scenario that happened on RedHat servers a few years back.
A vulnerability was discovered in Apache and our entire server farm was infected within hours of this vulnerability going public.
The patch to fix it wasn't available for 7 days.
The only solution to avoid being hacked was take Apache offline and you can't take Apache offline if you want to run web servers. So the most we could do for a week was to keep replacing the hacked boot drive with a new boot drive and wait to get hacked again until the fix was available.
Should we have been fined?
What happens if the infected machines of a corporation take down a charity's website or disable a local government website and people actually suffer because of it? I think the shareholders would be more cross with the Fortune 500 company for having such bad security than with the people that stopped the infection spreading.
How is Linux easier to hack than Windows?
Wordpress can install on Windows or on Linux and it is not an operating system. Linux is many times more secure than Windows in a default install. You cannot even put XP SP1 on the internet without it being infected before you can download the updates.
At least Linux has a proper user/administrator separation so even if you were infected, it is very easy to remove anything nasty. You wouldn't need specialist removal tools or antivirus. Using SELinux and AppArmor, you can really harden the OS so it is almost impossible for anything to get through. Wordpress bugs are their fault, but an OS can prevent any problem spreading further.
You can bet that 99.9% of these bots are Windows XP, they are totally open to attack because everything is run as admin.
It is like blaming the manufacturer of some locks sold as 'safer than the last lock' when you find out they are made of low grade steel which cannot withstand a strong boot.
For those advocating that these folks hack computers because they're the 'good' guys, there's two problems with that. The first one is, you don't get to predefine that your intentions on hacking are better than someone else's. What a freakin' rodeo that is. I can hack your computer because I might save a life and I'm doing it because I think it's the right thing to do? Pulleeze. Hacking someone else's computer without permission is wrong. No exceptions, and I certainly don't want to hear excuses if you hack my computer. You're a criminal as far as I'm concerned.
Secondly, if you're going to justify hacking on ethical grounds you might want to consider that for the people who did the original hacking:
1) it might very well be perfectly legal where they are, and
2) this may be the only way they have to put food on the table for their kids.
For them, it's both legal and ethical. For the folks advocating rehacking of course you can claim ethical but you know for darn sure it's illegal. Seems like the original hackers actually have a better case.
Nobody is 'hacking your computer' they are thinking about telling a virus to uninstall itself if it asks them what to do. It is quite a long way from a targeted hack. If anyone does it to you then it is for your own good, if you do not agree then you are condoning the criminals who are setting up the botnets.
These botnet herders make millions of pounds per year and all reports suggest that they (or at least their customers) are in the USA where spamming is illegal too. Do not fool yourself that they are one man bands with no money, they are run by large gangs who will break your legs without thinking twice.
If your machine starts hacking others, then should you be responsible too? You would be an accessory even if you were unaware. In the real world, you would be liable so why not on the internet? If I buy a stolen TV, I can be prosecuted for handling stolen goods.
|Should we have been fined? |
If there were a fine, then yes. Even more than a home user who is unaware.
You knew your machine was compromised and I assume there was a fix in source form from Apache. You had quite a few choices.
1) Switch to another web server (lighttpd etc)
2) Recompile the patched source, losing official support for a few days.
3) Turn it off.
4) Keep going, and reinstall occasionally.
5) Get an application level firewall.
You chose 4 because it was the easiest short term solution for you. What about people who were attacked by your server, don't they have the right to not be attacked or spammed?
|Hacking someone else's computer without permission is wrong |
The permission problem (as far as many of the people who don't know they're currently hacked is concerned) is not a difficult one: there would be various means to enable large scale adoption.
I don't think the idea is that far-fetched. Wasn't there some talk of Microsoft considering a botnet of their own? It would be easy for companies like them to ask users to also have Remote Updating(TM). A kind of ultra-unstoppable Windows Update botnet ;) (I'm sure that would be popular with some).
IMO whether or not it would be a good idea is just as important a question as if it's currently legal.
|this may be the only way they have to put food on the table for their kids |
I'm not sure about that as an ethical justification. I imagine for most people the repercussions on potential victims would sway them as to whether or not this was ethical behaviour.
Remember that botnets undertake denial of service and various other large-scale attacks, that can cause a lot of damage to significant amounts of people.
>>> Nobody is 'hacking your computer' they are thinking about telling a virus to uninstall itself if it asks them what to do.
Yeah, that's deliberate and malicious hacking, and is illegal in most westernized countries. It doesn't matter if people crow about it being 'for my own good'.
The fact that someone set up a honeypot to collect the information from infected computers again highlights the similarities between the first and second hackers. Same kind of operation. You're exploiting someone's computer without permission. Oh, but their computer contacted mine, I just responded. Same argument the original hackers used. You just visited my website and downloaded this code - I didn't force you to do it.
And calling these people criminals isn't likely correct either. As I noted, the original hackers are possibly not breaking the law, where the second hackers are - and know it.
|You knew your machine was compromised and I assume there was a fix in source form from Apache. |
Please re-read my post, there was NO FIX for 7 days after the vulnerability was known.
You can't simply turn off your business for 7 days.
We fixed the machines the minute the re-intrusion was detected and just kept knocking the hackers out of the box as fast as they got back in.
|What about people who were attacked by your server, don't they have the right to not be attacked or spammed? |
There weren't any as we shut down the box and cleaned it the minute re-intrusion was detected.
I guess the point being missed is we could detect the intrusion, there was just no way of stopping it without closing port 80 which meant going out of business. Therefore we just kept shutting down and fixing the machines as the intrusions happened until the patch was available.
They only hit each server about every 2 days and it took about 15 minutes to get the box back online after infection so it wasn't the worst, but it was stressful just the same.
However, others out there didn't even know they were infected let alone know they were even vulnerable, so don't shoot the messenger!
OK Wheel, I'm with you until you get here:
|You're exploiting someone's computer without permission. Oh, but their computer contacted mine, I just responded. Same argument the original hackers used. |
That logic would mean that anyone using a honeypot to track spammers and scrapers is using the other machine without permission when in reality it's just using the nature of the beast to identify its tracks around the 'net.
Setting up a honeypot isn't the same, as the honeypot only reports on computers that seek out the honeypot; it's not trying to exploit those machines.
Only when someone tries to use the machines located by the honeypot, even to uninstall the code, do they step over the line.
[edited by: incrediBILL at 8:03 pm (utc) on May 1, 2008]
*** and I assume there was a fix in source form from Apache. ***
Nope. The OP already said, the fix was available a week later.
|Yeah, that's deliberate and malicious hacking, and is illegal in most westernized countries. |
I thought accessing computer systems without permission was illegal, technically they would not be accessing the bot computer at all. Once the message is sent they will not touch the computer again. Its not a buffer overflow or a hack at all it is just a message to a computer asking for a command. If they have hacked anything it is the botnet communication protocol.
|Only when someone tries to use the machines located by the honeypot, even to uninstall the code, do they step over the line |
An ethical line, or a legal one? If ethical, I'm very interested into where you draw this line. To suggest that remote modification of any computer system for any reason is unethical (with or without permission) seems a bit dubious to me.
[edited by: Receptional_Andy at 12:04 am (utc) on May 2, 2008]
Simple problem, simple solution...
Clearly, these machines can be controlled remotely, therefore use that control to directly send a message that reads "This computer has been hacked - it is infected with the Kraken botnet. Visit the site listed below for more information."
There is no point silently cleansing infected computers remotely since they will simply become reinfected - that whole discussion is a complete waste of time.
A "Name and Shame" of defective AV software might help too.
|Clearly, these machines can be controlled remotely, therefore use that control to directly send a message that reads "This computer has been hacked - it is infected with the Kraken botnet. Visit the site listed below for more information." |
But there's a massive initiative to teach people not to trust unsolicited messages that appear on their computers. I don't think the same method for an 'ethical' campaign would be appropriate.
|Are there many life support machines that run Windows and are connected to the internet and used for web browsing? |
Hehe.. Good point that needed to be made. The life support argument was pretty silly.
However there are plenty of other good arguments for not "white hat hacking", many have been mentioned already, here's another: Let's say they go ahead and remove the malware from as many systems as they can...
1) These systems still have the same security vulnerabilities that allowed them to get infected in the first place. They will become infected again very quickly.
2) If they did manage to put a dent in the bot network, its creators would immediately begin working on a new system. Pointless arms race.
|that's why I think restricting those IPs from the 'net until they are properly serviced is the best solution. |
Good idea, but not the IPs, those are often dynamic. Instead it would work well if the hosting companies would agree to suspend the user accounts themselves until they got their systems cleaned and patched.
|Should we have been fined? |
Heck no! Forcing limits or penalties on the domestic internet population in response to overseas hackers who aren't affected by those laws in the slightest will never be a good solution.
Makes me shudder just to hear it suggested :-)