
Microsoft blasted recent claims that the new TDL-4 botnet was indestructible. No botnet is impervious to decapitating C&C takedowns and a concerted attack, it states.  (Source: Google Images)
Company points to takedown of "indestructible" Rustock, Waledac as case studies in how to kill a tough botnet

Today, networks of malware-infected computers called "botnets" are controlled by malicious masters to spread spam and orchestrate takedown attacks across the internet.  Botnets are becoming so well crafted that some suggest they may be "indestructible".

In response to one such claim by Dell Inc. (DELL) SecureWorks researcher Joe Stewart, who said that the TDL-4 botnet was "pretty much indestructible", the senior attorney with Microsoft Corp.'s (MSFT) Digital Crime Unit argued that the claim is false and that any botnet is destructible.

Richard Boscovich comments in an interview with ComputerWorld, "If someone says that a botnet is indestructible, they are not being very creative legally or technically. To say that it can't be done underestimates the ability of the good guys. People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.'"

TDL-4 will certainly be tough.  The malware has infected 4.5 million PCs thus far, and embeds a rootkit deep in the hard drive, in the master boot record.  The malware removes other pieces of malware found on the machine to avoid detection.  And it uses peer-to-peer connections to update its list of command and control (C&C) servers, safeguarding the botnet from takedown of C&C servers.

However, Microsoft takes major issue with the idea that TDL-4 is indestructible.  After all, Microsoft already killed a botnet called "Waledac" that used similar peer-to-peer updates.  Waledac, known for sending up to 1.5 billion pieces of spam daily, was decapitated in February 2010 when a court order allowed Microsoft to cut off 276 domains associated with the botnet.  

Microsoft also used additional undisclosed measures (perhaps denial of service attacks) to make sure the peer-to-peer network was fully dead and unable to update the C&C information.

In March, with help from Microsoft, federal agents raided a hosting company, seizing servers responsible for the Rustock botnet.  With the botnet brains decapitated, the botnet effectively died, taking half of spam in the U.S. with it.  And in April Microsoft and federal authorities successfully killed the 10-year-old "Coreflood" botnet via a similar C&C decapitation approach.

Mr. Boscovich comments, "[Waledac] was a proof of concept that showed we are able to poison the peer-to-peer table of a botnet. Each takedown is different, each one is complicated in its own way. Each one is going to be different, but that doesn't mean that there cannot be a way to do this with any botnet."

Symantec security researcher Sergey Golovanov says the botnet is "practically indestructible."  He remarks, "[TDL-4 is] the most sophisticated threat today."

However, even Dell backed off somewhat from their initial remarks, with a SecureWorks spokesperson saying this week, "Since mid-March 2011, Dell SecureWorks' CTU [Counter Threat Unit] research team has seen a significant decline in the number of attempted Rustock attacks, and we do attribute it to the comprehensive efforts of Microsoft."

Indeed, Alex Lanstein, a senior engineer with FireEye, a security organization that worked with Microsoft on the takedowns, says cooperation between Microsoft, other companies, and U.S. law enforcement agencies has proved integral to creating combined assaults capable of bringing down tough botnets.  He states, "It's the trust relationships Microsoft has created and I think [the technique] speaks to any malware infrastructure where some kind of data feed exists. It really, really works. With the Rustock takedown, Microsoft has built the framework for others to do the same. This is definitely not the last botnet we're going to go after."

So, TDL-4 may be tough -- but "indestructible"?  Not so much.

Comments

RE: botnets lol
By MrPerez on 7/10/2011 6:51:57 PM , Rating: -1
by Argon18 on July 10, 2011 at 2:54 PM

Linux, OSX, and all the other unix-like OS's win again, for being impervious to these botnet viruses. Have fun Microsofties!

Linux is even less secure; the reason it's not a target is because the hackers will feel they are attacking their own backyard.

A botnet is a "program" that takes commands, so anything that allows for a program to be installed is able to get "infected". Hackers are now targeting smartphones.

You might want to research your stuff before you make an ass out of yourself like you just did.

RE: botnets lol
By Etsp on 7/11/2011 1:05:38 AM , Rating: 2
How is Linux less secure? I mean, specific examples. What metric are you using to make that judgement? Number of security patches? Number of vulnerabilities? Everything I've read says that a well-configured Linux computer is one of the most secure computing platforms.

RE: botnets lol
By themaster08 on 7/11/2011 2:48:07 AM , Rating: 3
Everything I've read says that a well-configured Linux computer is one of the most secure computing platforms.
As is a well configured Windows computer. We've all seen what happens to Windows machines that are not kept updated and are abused. As we've seen hackers such as LulzSec take down many, many Unix-based servers that have been ill maintained. Being a multi-user OS didn't save them from LulzSec. Windows is also multi-user. Those poor Macheads just can't find their way out of the 1998. The world remains the same while OS X advances.

Do you really think that every Windows user keeps their system up-to-date with the latest security patches and anti-virus definitions?

The amount of PCs, even in enterprise, that I've worked on, repaired, removed viruses from, and disposed of that are running Windows XP Service Pack 2 or less, with out-of-date virus definitions from 5 anti-virus vendors at the same time is absurd.

Do you know what the average person does when they see an update show up in their notification area? They ignore it. That is the start for many of the problems that Windows users experience. Because they're simply too lazy to click a button that says Update.

RE: botnets lol
By spacemonkey211 on 7/11/2011 12:02:50 PM , Rating: 4
Hate to burst your bubble, but more of the internet is run on GNU/Linux computers. So it is a HUGE target. Linux is very secure... and is constantly under attack.

Copyright 2016 DailyTech LLC.