Microsoft blasted recent claims that the new TDL-4 botnet was indestructible. No botnet is impervious to decapitating C&C takedowns and a concerted attack, it states.  (Source: Google Images)
Company points to takedown of "indestructible" Rustock, Waledac as case studies in how to kill a tough botnet

Today, networks of malware-infected computers called "botnets" are controlled by malicious masters to spread spam and orchestrate takedown attacks across the internet.  These botnets are becoming very well crafted, leading some to suggest that they may be "indestructible".

In response to one such claim by Dell Inc. (DELL) SecureWorks researcher Joe Stewart, who said that the TDL-4 botnet was "pretty much indestructible", the senior attorney with Microsoft Corp.'s (MSFT) Digital Crimes Unit argued that the claim is false and that any botnet is destructible.

Richard Boscovich comments in an interview with ComputerWorld, "If someone says that a botnet is indestructible, they are not being very creative legally or technically. To say that it can't be done underestimates the ability of the good guys. People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.'"

TDL-4 will certainly be a tough one.  The malware has infected 4.5 million PCs thus far and embeds a rootkit deep in the hard drive, in the master boot record.  The malware removes other pieces of malware found on the machine to avoid detection.  And it uses peer-to-peer connections to update its list of command and control (C&C) servers, safeguarding the botnet from the takedown of C&C servers.
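An MBR-resident rootkit of the kind described above overwrites the first sector of the disk, so one defender-side check is to parse the MBR and compare its boot code against a hash recorded while the system was trusted. The Python below is an added example, not code from the article or from any vendor it mentions; the sample MBR image, the disk signature, the placeholder boot-code bytes and the baseline hash are all constructed for the demo.

```python
import hashlib
import struct

# Classic 512-byte MBR layout
MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439: bootstrap code
DISK_SIG_OFF = 440       # bytes 440-443: disk signature
PART_TABLE_OFF = 446     # bytes 446-509: four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 510-511: 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR into a boot-code hash, the disk signature and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_hash: str) -> tuple:
    """Return (ok, findings). Boot code that drifts from the recorded baseline
    is the key signal for something having rewritten the MBR."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from recorded baseline")
    bootable = 0
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition entry has invalid status byte 0x{p['status']:02x}")
        if p["status"] == 0x80:
            bootable += 1
    if bootable != 1:
        findings.append(f"expected exactly one active partition, found {bootable}")
    return (not findings, findings)


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR image for the demo (not a real disk dump)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78"   # constructed disk signature
    table = b"".join(struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, n)
                     for status, ptype, lba, n in partitions).ljust(64, b"\x00")
    return code + disk_sig + b"\x00\x00" + table + b"\x55\xaa"


# Constructed "known good" MBR: placeholder boot-code bytes and one active NTFS partition.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", [(0x80, 0x07, 2048, 1_000_000)])
# Baseline hash recorded while the system was trusted (here computed from GOOD_MBR).
BASELINE_HASH = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()
# Constructed tampered image: first boot-code bytes replaced, partition table untouched.
TAMPERED_MBR = b"\xeb\x3c\x90" + GOOD_MBR[3:]

if __name__ == "__main__":
    for name, image in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        ok, findings = check_mbr(image, BASELINE_HASH)
        print(name, "OK" if ok else "FLAGGED", findings)
```

In practice the baseline comes from a trusted boot or the vendor's known MBR code and is stored off the host, and the raw sector should be read from outside the possibly infected operating system (boot media or a forensic image), because a rootkit that hooks disk I/O on the live system can hand a clean-looking sector to anything that reads it from within.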

However, Microsoft takes major issue with the idea that TDL-4 is indestructible.  After all, Microsoft already killed a botnet called "Waledac" that used similar peer-to-peer updates.  Waledac, known for sending up to 1.5 billion pieces of spam daily, was decapitated in February 2010 when a court order allowed Microsoft to cut off 276 domains associated with the botnet.  

Microsoft also used additional undisclosed measures (perhaps denial of service attacks) to make sure the peer-to-peer network was fully dead and unable to update the C&C information.

In March, with help from Microsoft, federal agents raided a hosting company, seizing servers responsible for the Rustock botnet.  With the botnet brains decapitated, the botnet effectively died, taking half of spam in the U.S. with it.  And in April Microsoft and federal authorities successfully killed the 10-year-old "Coreflood" botnet via a similar C&C decapitation approach.

Mr. Boscovich comments, "[Waledac] was a proof of concept that showed we are able to poison the peer-to-peer table of a botnet. Each takedown is different, each one is complicated in its own way. Each one is going to be different, but that doesn't mean that there cannot be a way to do this with any botnet."

Symantec security researcher Sergey Golovanov says the botnet is "practically indestructible."  He remarks, "[TDL-4 is] the most sophisticated threat today."

However, even Dell backed off somewhat from their initial remarks, with a SecureWorks spokesperson saying this week, "Since mid-March 2011, Dell SecureWorks' CTU [Counter Threat Unit] research team has seen a significant decline in the number of attempted Rustock attacks, and we do attribute it to the comprehensive efforts of Microsoft."

Indeed, Alex Lanstein, a senior engineer with FireEye, a security firm that worked with Microsoft on the takedowns, says cooperation between Microsoft, other companies, and U.S. law enforcement agencies has proved integral to creating combined assaults capable of bringing down tough botnets.  He states, "It's the trust relationships Microsoft has created and I think [the technique] speaks to any malware infrastructure where some kind of data feed exists. It really, really works. With the Rustock takedown, Microsoft has built the framework for others to do the same. This is definitely not the last botnet we're going to go after."

So, TDL-4 may be tough -- but "indestructible"?  Not so much.



Oy veh!
By damage75 on 7/11/2011 7:23:33 AM , Rating: -1
Talk about throwing down the gauntlet. Is this lawyer crazy?

First, passing a law isn't going to do dick, so put that out of your mind. Second, he just alerted the C&C ops for TDL-4 that they are going to "watch" for domains and "decapitate" them. Hmm, if I had a bot-net I knew was about to be torched, what would I do? Maybe rotate the C&C domains? Ya think?

Waledac was stopped via b49 - which was MS *buying* each of the 276 domains of its C&C. That approach is *not* going to work if the TDL-4 writers are as clever as they appear to be. I haven't read the TDL-4 code, but changing the C&C model is trivial. (No, I am not a virus writer, I am a computer scientist).

Note everyone saying it can be "fixed" is commercially connected to MS, that doesn't feel balanced to me (and hey, I like MS). You go MS - I hope you do cure it, just don't use a lawyer as your mouthpiece. It lowers believability and raises infinitely the probability that whoever wrote the thing will take this as a challenge.




RE: Oy veh!
By damage75 on 7/11/11, Rating: 0
RE: Oy veh!
By Fireshade on 7/11/2011 8:50:22 AM , Rating: 2
Well, a law itself won't help of course. Enforcement and reach is the strength of a law.
What a law can do is give 'bot fighters' free rein in methods used to kill a botnet. Which can stretch pretty far, if so allowed. In analogy, I guess the USA PATRIOT Act is a good example of giving free rein to the government to counter ehm.. pretty much anything.

Also, that lawyer (or anyone else for that matter) did not say it's easy to take down a botnet. He said that they can be taken down. They're not "indestructible" as others put it.


RE: Oy veh!
By ajcarroll on 7/11/2011 9:26:02 AM , Rating: 5
Actually the law plays a huge role here. Microsoft deserves kudos for taking the lead in shutting down Waledac. It not only involved considerable heavy hitting technical skills on their part, but it also involved them leveraging a rarely used legal maneuver, an Ex Parte Temporary Restraining Order - which basically gave them the legal right to take action without notifying the other party. Typically if someone takes legal action against you, you are notified. What made the legal side of the Waledac takedown novel was the Ex Parte TRO - basically Microsoft got a court order to simultaneously seize over 250 domains - they did this in conjunction with some serious technical effort.

They get a lot of credit for this in the security community. I think the comments their lawyer made that are referenced in the article are actually fair and reasonable - it's not a case of some ill-informed mouthpiece.

Only time will tell whether they manage to shut down TDL-4 - but they are very well regarded in the security community for what they've pulled off recently, and yes it does indeed combine legal with technical stuff - i.e. they get a very specific and detailed court order that allows them to attack a botnet and seize domain names.


RE: Oy veh!
By aromero78 on 7/11/2011 9:31:53 AM , Rating: 2
Methinks he doth protest too much!


RE: Oy veh!
By damage75 on 7/11/2011 9:56:02 AM , Rating: 2
Possibly protesting too much - yes. I suppose if MS had the legal right to just shut off any and all domains they cared to - that would dent the virus. My point is that TDL-4 has shown some interesting twists and it would not surprise me to find it uniquely cycling C&C domains. That would mean, regardless of MS's authority, they would not be able to snuff it as they did with Waledac (where the C&C's were essentially hard-coded).

Now if they could get every user to perform an update - no problem, but there is the "rub" as they say...


RE: Oy veh!
By damage75 on 7/11/2011 10:29:50 AM , Rating: 2
Ah ha! The TDL-4 writers may not be so smart after all.

From Roland Dela Paz (Threat Response Engineer) at TrendMicro -
"Interestingly enough, I noticed that the malicious URLs and IP addresses from which WORM_OTURUN.ASH downloads BKDR_TDSS.ASH are hard-coded into the worm’s code."

If that remains the case, then MS could use the Waledac tactic and we're good to go. I hope that this continues to be true.


RE: Oy veh!
By Mitch101 on 7/11/2011 12:24:11 PM , Rating: 4
I wouldn't be surprised if Symantec says these things to try and scare everyone into buying their Anti-Virus/Anti-Malware products, and I take anything Symantec has to say with a grain of salt; their products have been going downhill for ages. Wanna rebuild your machine? Just uninstall a Symantec product and you'll be forced to rebuild it. No other products I've used have destroyed more machines than Symantec.


Copyright 2014 DailyTech LLC.