Link Logger
MVM
join:2001-03-29
Calgary, AB
kudos:3
·TELUS

So what do you do with the 10 largest botnets?

This is a good read, lots of stuff you never thought about.

»www.datacenterknowledge. ··· stomers/

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

Snowy
Premium Member
join:2003-04-05
Kailua, HI
kudos:6
·Hawaiian Telcom
·Clearwire Wireless
·Time Warner Cable

Microsoft says they have between 60 - 70 million IP's that belong to infected systems.
That many IP's are a real hassle to disseminate.
It would be a massive undertaking if done properly.
In a perfect world (of smaller lists) they would contact each ISP/hosting provider giving them the problem IP's.
But with that many IP's they have come up with a clever solution.
Clever like a fox that is.

Microsoft says "But it’s not as simple as handing over that list of IPs because it’s a privacy issue,"
Two questions about that sentence.
1. Handing it over to who?
2. What is the privacy issue?

My understanding of the article has it that Microsoft is making the list available on the cloud for its Azure customers & ISP's eyes only.
That's a real disservice if I read it correctly.
Not providing their cloud platform competitors with access to the IP list is indefensible.
I hope I'm simply misunderstanding what they are saying.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT
kudos:1
·Xfinity

said by Snowy:

My understanding of the article has it that Microsoft is making the list available on the cloud for its Azure customers & ISP's eyes only.

If it's a privacy issue that prevents Microsoft from publishing ("handing over") the list, why doesn't that same privacy issue prevent Microsoft from sharing the list with its Azure customers?

DadeMurphy
Premium Member
join:2002-07-25
Danvers, MA

said by camper:

said by Snowy:

My understanding of the article has it that Microsoft is making the list available on the cloud for its Azure customers & ISP's eyes only.

If it's a privacy issue that prevents Microsoft from publishing ("handing over") the list, why doesn't that same privacy issue prevent Microsoft from sharing the list with its Azure customers?

The way I understand it is not that they are sharing the list with their Azure customers but that they are providing reports to their Azure customers that call out machines that authenticate to one of their Azure apps that are part of the botnet.

said by the article:

"If you're an Azure customer, now you can go into your Azure Active Directory reports, and if there are systems authenticating to your Azure-based applications that are part of these botnets, they will show up in your Azure Active Directory reports," Rains said.

--
Most people don't think clearly when they're on fire.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT
kudos:1

Ahhh, that [sort of] makes more sense.

thx.

Chubbzie
join:2014-02-11
Greenville, NC
kudos:1
Hitron CDA3-35
(Software) OpenBSD + pf

Chubbzie to Link Logger

quote:
"We've been buying and collecting these lists of leaked and stolen credentials," Rains said.
Buying stolen credentials... Is that not considered a criminal act?

I'm not particularly fond of the method(s) MS is using with these botnets nor the dissemination of information to select users. What gives MS the right to pick and choose how this is dealt with? On top of that they have complete control of all these botnet hosts and systems, regardless of OS, network, etc. It all seems rather irresponsible of such a huge organization.

Link Logger
MVM
join:2001-03-29
Calgary, AB
kudos:3
·TELUS

And what would you rather see done with these? Remember what the courts have given Microsoft control over (ie the command and control servers).

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

Snowy
Premium Member
join:2003-04-05
Kailua, HI
kudos:6
·Hawaiian Telcom
·Clearwire Wireless
·Time Warner Cable

said by Link Logger:

And what would you rather see done with these?

There's no question that doing the right thing would be an expensive task but it is doable.
So I say Microsoft should do the right thing & index the IP's for reporting to the service providers.

The machines behind these 60-70 million IP's are an active threat to the net.
Just because Microsoft owns the C&C's doesn't mean these machines won't be abused by the bad guys in other ways.
It's like having prior knowledge of a crime & doing only what is convenient about it.

Microsoft is correct that US ISP's are not very enthusiastic about forcing their customers to clean up their trash but they will do it.

Years ago I had gotten a smaller list (~2K) of IP's with RDP login credentials from an evil group.
Recognizing many of the IP's as belonging to Road Runner I sent them the list & they tried to give it back to me.
Reason stated was that the RR IP's were cool but the non-RR IP's were problematic in that they had to send the IP's that weren't theirs to the right service providers. They didn't want to invest the manpower to do that. It would have taken a full day for one person was my guess.
We went back & forth, "you do it, no you do it".
Finally it was agreed that RR would handle the reporting for these IP's, in return I promised to never send them non-RR IP's.

said by Link Logger:

Remember what the courts have given Microsoft control over (ie the command and control servers).

That's an important point - Microsoft is already ahead of the pack having a court's permission to move on the C&C's, which makes the privacy issue a red herring, IMO.

Microsoft is basically monetizing the IP list by using it as an added value to their own cloud platform (Azure) to the exclusion of all others.
If that is what's happening then Microsoft is morally corrupt.

HELLFIRE
MVM
join:2009-11-25
kudos:30

HELLFIRE to Link Logger

quote:
What happens is that Microsoft asks for a temporary restraining and control over the command and control server domains in order to prevent them from sending billions of pieces of spam. The judge will provide this, but gives the accused the option of going into an open court and asking for their botnet back.
tl;dr -- if you can't beat em, sue em LOL.

If I had the 10 largest botnets? Command Skynet to come to life and enact Judgement Day [/joke] [/sarcasm]

Regards

Link Logger
MVM
join:2001-03-29
Calgary, AB
kudos:3
·TELUS

Microsoft has an idea what systems are infected as they communicate back to the control server, but that is all as legally they can't touch those systems (ie the court gave them legal permission to do something with the command and control servers period). Some ISP's are great about cleaning up infected systems, but they are truly the exception and not the rule, ditto for governments, agencies, corporations, etc and man I used to feel sorry for admins at large universities, so the trick is finding out who owns all the IP Addresses and while that might sound simple it's a pain and a cost with a liability attached to it, so who wants to be the clearing agency for these and handle those costs and risks etc for the slim chance that they might be cleaned up. There are a number of sites where you can look up IP addresses to see if they might be infected (ex »dshield.org), but handing out a list of infected systems, that could be a big no-no as that would tell me right away that those systems are likely exploitable via a number of different attacks and they would now be mine.

Years ago we published an exploit and a hacker said he was going to sue us as the exploit was his, but we knew a little about this chap and how the feds were looking for him, so our response was go ahead sue us, you won't make it in the court building before being arrested.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

Snowy
Premium Member
join:2003-04-05
Kailua, HI
kudos:6
·Hawaiian Telcom
·Clearwire Wireless
·Time Warner Cable

said by Link Logger:

Microsoft has an idea what systems are infected as they communicate back to the control server, but that is all as legally they can't touch those systems (ie the court gave them legal permission to do something with the command and control servers period).

I won't debate what is legal vs illegal for the obvious reason (IANAL) but there is ample precedent with Microsoft to act on IP's (machines) they know to be infected.

e.g.,
"More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm."
»blogs.microsoft.com/blog ··· cleanup/

That was a bold move on the part of everyone involved but I'm not talking about interacting with a machine - just reporting the IP's that are calling home to the C&C.
I'm not believing that privacy issues are preventing them from doing that which is how they seem to be justifying their inaction.

I was sympathetic with Microsoft re the costs of indexing then alerting service providers & I still am - but to a lesser extent the more I think about it.

TheGiant
Sup
join:2001-03-28
Elizabethtown, KY

TheGiant to Link Logger

I thought this was about Windows 10 my bad..

Snowy
Premium Member
join:2003-04-05
Kailua, HI
kudos:6
·Hawaiian Telcom
·Clearwire Wireless
·Time Warner Cable

Humor noted.
On a serious level with that much distributed computer power that will become W10 - concentrated in a single company could make them the most powerful nation in the world.
The United Nations Security Council could label Microsoft a Super Power Nation.

TopShelf
join:2010-06-25
·MTA Online

TopShelf to Link Logger

If I can make an Excel spreadsheet with over 600,000 lines and 13 columns and make a fully functional pivot table out of it, then by god Microsoft can use a souped-up, in-house version of Access to sort and group the IPs and privacy be damned.
--
The only thing North Korea could wipe out in four minutes is a South Korean all-you-can-eat buffet.

Snowy
Premium Member
join:2003-04-05
Kailua, HI
kudos:6
·Hawaiian Telcom
·Clearwire Wireless
·Time Warner Cable

said by TopShelf:

If I can make an Excel spreadsheet with over 600,000 lines ...

You're right.
The more I give this thought the less sympathetic I become towards Microsoft's monetization of the IP's.

If Microsoft is going to take over C&C's with the court's protection it should be conditional on Microsoft responsibly sharing the collateral intel.
e.g., alerting the affected service providers of the infected IP's on their network.

If they're not willing to do that then they should be subject to the same risks that every other security concern faces when they act against a C&C (without a court's sanctioning).

Link Logger
MVM
join:2001-03-29
Calgary, AB
kudos:3
·TELUS

We already have groups claiming to be from Microsoft offering to clean up your 'infected' computer so how does someone correctly go about cleaning all these infected systems? I suspect that Microsoft has some update and malware cleaners in place to clean them up if they are Windows systems and have told the other OS vendors of suspected other infections (how would you tell if you're not allowed to scan the connecting systems, but the package sent to the C&C could give you some clues). This is not an easy problem and you don't want to piss off the courts by overstepping your bounds otherwise it will be the last C&C you'll be given. The fact that the C&C is out of the game means it's no longer a threat but doesn't mean the infection process is stopped as that happens independently of the C&C server via email attachments, infected web sites etc.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

Snowy
Premium Member
join:2003-04-05
Kailua, HI
kudos:6
·Hawaiian Telcom
·Clearwire Wireless
·Time Warner Cable

said by Link Logger:

We already have groups claiming to be from Microsoft offering to clean up your 'infected' computer so how does someone correctly go about cleaning all these infected systems?

I'm not sure what you are referring to but just in case it's to something in one of my posts I've never suggested any type of disinfection process beyond alerting the service providers.

said by Link Logger:

This is not an easy problem and you don't want to piss off the courts by overstepping your bounds otherwise it will be the last C&C you'll be given.

see above.

said by Link Logger:

The fact that the C&C is out of the game means it's no longer a threat but doesn't mean the infection process is stopped as that happens independently of the C&C server via email attachments, infected web sites etc.

Don't brush it off as if the machine is now clean but can become infected again. It's an infected machine - the only unknown is how infected is it.

You are arguing that the task of Microsoft cleaning these machines is beyond both practical & legal.
We are in agreement on that.
I'm arguing that Microsoft should alert every service provider of every IP that calls back to its new home (Microsoft).
Are we in agreement on that?

TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3

TheWiseGuy to Link Logger

said by Link Logger:

Microsoft has an idea what systems are infected as they communicate back to the control server, but that is all as legally they can't touch those systems (ie the court gave them legal permission to do something with the command and control servers period).

From the article (bolding mine):

Rains said Microsoft maintains control of the botnets because chances are that a system compromised by one botnet will be easily infected with other malware if it isn’t disinfected and patched.

“If they’re not fixing the underlying issue,” he said, “they’ll get re-infected very quickly. We can disinfect them, and we do, but if they don’t take care of the underlying issue of how they’re getting exploited to begin with, they end up back inside that botnet.”

So they are disinfecting but without patches and changed behavior the systems are easy prey.

Edit:
Remember they are not "hacking" the infected computers to connect to the computers. The computers connect to their C&C and ask for instructions. Now IMO, and I am not a lawyer, that is a very different situation than someone simply connecting to an infected machine.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.

ashrc4
Premium Member
join:2009-02-06
australia

ashrc4 to Link Logger

Make all the infected pc's Fold 24/7.
State that the owners consent to having a botnet and if they want to change, list the instructions to clean and patch.

Chubbzie
join:2014-02-11
Greenville, NC
kudos:1
Hitron CDA3-35
(Software) OpenBSD + pf

said by ashrc4:

Make all the infected pc's Fold 24/7.

CPU & GPU? Half the botfarm would probably melt.

kevinds
Premium Member
join:2003-05-01
Calgary, AB
kudos:5

kevinds to ashrc4

This isn't a bad idea, if the client software can..

Set it to high or realtime priority. The device owner should notice its performance drop to nil, and take steps to get it clean.

The debate would become which project. Hopefully a worthy cause, not just one that will turn a profit (can see the processing power being rented out)