Print 48 comment(s) - last by damage75.. on Jul 12 at 5:53 AM

Microsoft blasted recent claims that the new TDL-4 botnet was indestructible. No botnet is impervious to decapitating C&C takedowns and a concerted attack, it states.  (Source: Google Images)
Company points to takedown of "indestructible" Rustock, Waledac as case studies in how to kill a tough botnet

Today, networks of malware infected computers called "botnets" are controlled by malicious masters to spread spam and orchestrate takedown attacks across the internet.  The botnets are growing very, very well crafted, leading some to suggest that they may be "indestructible".

In response to one such claim by Dell Inc. (DELL) SecureWorks research Joe Stewart, who said that the TDL-4 botnet was "pretty much indestructible", the senior attorney with Microsoft Corp.'s (MSFT) Digital Crime Unit argued that claim is false and that any botnet is destructible.

Richard Boscovich comments in an interview with ComputerWorld, "If someone says that a botnet is indestructible, they are not being very creative legally or technically. To say that it can't be done underestimates the ability of the good guys. People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.'"

TDL-4 will certainly be a tough.  The malware has infected 4.5 million PCs thus far, and embeds a rootkit deep in the hard drive, in the master boot record.  The malware removes other pieces of malware found on the machine to avoid detection.  And it uses peer-to-peer connections to update its list of command and control (C&C) servers, safeguarding the botnet from takedown of C&C servers.

However, Microsoft takes major issue with the idea that TDL-4 is indestructible.  After all, Microsoft already killed a botnet called "Waledac" that used similar peer-to-peer updates.  Waledac, known for sending up to 1.5 billion pieces of spam daily, was decapitated in February 2010 when a court order allowed Microsoft to cut off 276 domains associated with the botnet.  

Microsoft also used additional undisclosed measures (perhaps denial of service attacks) to make sure the peer-to-peer network was fully dead and unable to update the C&C information.

In March, with help from Microsoft, federal agents raided a hosting company, seizing servers responsible for the Rustock botnet.  With the botnet brains decapitated, the botnet effectively died, taking half of spam in the U.S. with it.  And in April Microsoft and federal authorities successfully killed the 10-year-old "Coreflood" botnet via a similar C&C decapitation approach.

Mr. Boscovich comments, "[Waledac] was a proof of concept that showed we are able to poison the peer-to-peer table of a botnet. Each takedown is different, each one is complicated in its own way. Each one is going to be different, but that doesn't mean that there cannot be a way to do this with any botnet."

Symantec security researcher Sergey Golovanod says the botnet is "practically indestructible."  He remarks, "[TDL-4 is] the most sophisticated threat today."

However, even Dell backed off somewhat from their initial remarks, with a SecureWorks spokesperson saying this week, "Since mid-March 2011, Dell SecureWorks' CTU [Counter Threat Unit] research team has seen a significant decline in the number of attempted Rustock attacks, and we do attribute it to the comprehensive efforts of Microsoft."

Indeed Alex Lanstein, a senior engineer with FireEye, a security organization who worked with Microsoft on the takedowns says cooperation between Microsoft, other companies, and U.S. law enforcement agencies has proved integral to creating combined assaults capable of bringing down tough botnets.  He states, "It's the trust relationships Microsoft has created and I think [the technique] speaks to any malware infrastructure where some kind of data feed exists. It really, really works. With the Rustock takedown, Microsoft has built the framework for others to do the same. This is definitely not the last botnet we're going to go after."

So, TDL-4 may be tough -- but "indestructible"?  Not so much.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: botnets lol
By macdevdude on 7/10/2011 3:08:06 PM , Rating: -1
LOL they're not impervious, especially in the case of OSX which is the least secure OS of all three. These people just dont bother with botnets for these OS's as the market share is so low, but i can see it happening to OSX if it keeps gaining market. Linux will never go anywhere though.

Oh really, then where are all the OS X botnets?

If the OS was so insecure, why wouldn't malware writers just write really quick and easy programs to steal Apple owners' credit cards?? Oh right, because you're just making stuff up.

Nice try.

OS X/Linux were built on the multi-user security-minded world of Unix. Windows, by contrast, was originally built with a single-user mindset, thus why the platform is inherently less secure.

The original op was 100 percent correct.

RE: botnets lol
By Warwulf on 7/10/2011 3:34:19 PM , Rating: 5
The truth is no one bothers with OS X because hardly anybody uses it. What are they going to do, write a virus/botnet/worm that targets 10% of PCs running OS X?


RE: botnets lol
By Reclaimer77 on 7/10/2011 10:01:40 PM , Rating: 5
10%? I think you're being too generous.

RE: botnets lol
By rudolphna on 7/10/2011 3:53:31 PM , Rating: 5
You're name says it all.

Dude, stfu or gtfo. Those security conferences are evidence enough. You know, the "Hack a computer, win a computer" competitions. Windows, Linux machins take hours, days sometimes. Macs? A few minutes, every time.

Apple is the most insecure platform of them all. Again, the reason that they don't bother writing that many viruses and go through the work of creating a botnet for mac users, is because there are so few macs out there, relatively speaking, compared to Windows, that there is no real benefit in doing so. Mac users should be proud, they are basically considered too inconsequential and irrelevant to deal with.

RE: botnets lol
By themaster08 on 7/10/2011 5:17:21 PM , Rating: 5
If the OS was so insecure, why wouldn't malware writers just write really quick and easy programs to steal Apple owners' credit cards?? Oh right, because you're just making stuff up.
Sure, it's called MacDefender.

RE: botnets lol
By Flunk on 7/10/2011 9:21:41 PM , Rating: 3
"single-user mindset"? You're thinking of Windows 9X. NT (which was a total rewrite of the OS) was always designed as a multi-user, graphical OS.

RE: botnets lol
By tecknurd on 7/10/2011 11:32:54 PM , Rating: 2
OS X/Linux were built on the multi-user security-minded world of Unix. Windows, by contrast, was originally built with a single-user mindset, thus why the platform is inherently less secure.

Yes, Mac OS X and GNU/Linux is built with a multi-user security minded world, but these operating systems used for desktops are setup differently. Ubuntu for example, sets up root with a random password and ask the normal user for their password when doing administrating tasks. Is this secure? Not exactly. The root is used when it is absolutely necessary, but asking a user's password for everything that root does is not any secure than Windows. Ubuntu uses sudo for substituting a user for root privileges, but it is supposed to be used for certain users and not all users.

Mac OS X is the same as Ubuntu.

For everybody's information, botnets can run any operating system. Botnet creators just attacks Windows because it is easy to tamper and yes it is majority OS.

RE: botnets lol
By spacemonkey211 on 7/11/2011 12:08:27 PM , Rating: 2
Actually Ubuntu locks out root with no password and then requires a password to access root. Since it doesn't have one, root is effectively blocked from direct access.

Sudo is used to elevate your status to root using your own password. To use sudo you need root access to change it's config to give you access. The initial "admin" user is given total sudo control.

Root is only as secure as the sudo users passwords are in Ubuntu and without root access you are limited to your home folder and maybe /tmp.

RE: botnets lol
By hillsurfer on 7/11/2011 1:20:49 AM , Rating: 2
Unix was originally designed for sharing information, not for keeping it secure. It's evolved a lot since, but it's not impervious, just a waste of time for anyone wanting millions of computers for a botnet. If you managed to convince the world that every computer should have a unix-based OS, and everyone on the planet did such, then every botnet would run on a unix-based OS.

So, by promoting unix/osx/linux, if everyone takes your advice (which is unlikely), you're making the world a safer place for unix/osx/linux botnets.

"We’re Apple. We don’t wear suits. We don’t even own suits." -- Apple CEO Steve Jobs

Most Popular ArticlesSmartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
UN Meeting to Tackle Antimicrobial Resistance
September 21, 2016, 9:52 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Update: Problem-Free Galaxy Note7s CPSC Approved
September 22, 2016, 5:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki