Microsoft Says Any Botnet Can be Decapitated, Destroyed
July 10, 2011 2:20 PM
comment(s) - last by
Microsoft blasted recent claims that the new TDL-4 botnet was indestructible. No botnet is impervious to decapitating C&C takedowns and a concerted attack, it states.
(Source: Google Images)
Company points to takedown of "indestructible" Rustock, Waledac as case studies in how to kill a tough botnet
Today, networks of malware infected computers called "botnets" are controlled by malicious masters to spread spam and orchestrate takedown attacks across the internet. The botnets are growing very, very well crafted, leading some to suggest that they may be "indestructible".
In response to one such claim by Dell Inc. (
) SecureWorks research Joe Stewart, who said that the
TDL-4 botnet was "pretty much indestructible"
, the senior attorney with Microsoft Corp.'s (
) Digital Crime Unit argued that claim is false and that any botnet is destructible.
Richard Boscovich comments in
, "If someone says that a botnet is indestructible, they are not being very creative legally or technically. To say that it can't be done underestimates the ability of the good guys. People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.'"
TDL-4 will certainly be a tough. The malware has infected 4.5 million PCs thus far, and embeds a rootkit deep in the hard drive, in the master boot record. The malware removes other pieces of malware found on the machine to avoid detection. And it uses peer-to-peer connections to update its list of command and control (C&C) servers, safeguarding the botnet from takedown of C&C servers.
However, Microsoft takes major issue with the idea that TDL-4 is indestructible. After all, Microsoft already killed a botnet called "Waledac" that used similar peer-to-peer updates. Waledac, known for sending up to 1.5 billion pieces of spam daily, was decapitated in February 2010 when a court order allowed Microsoft to cut off
276 domains associated with the botnet
Microsoft also used additional undisclosed measures (perhaps denial of service attacks) to make sure the peer-to-peer network was fully dead and unable to update the C&C information.
In March, with help from Microsoft, federal agents raided a hosting company, seizing servers responsible for the Rustock botnet. With the botnet brains decapitated, the botnet effectively died, taking half of spam in the U.S. with it. And in April Microsoft and federal authorities successfully
killed the 10-year-old "Coreflood" botnet
via a similar C&C decapitation approach.
Mr. Boscovich comments, "[Waledac] was a proof of concept that showed we are able to poison the peer-to-peer table of a botnet. Each takedown is different, each one is complicated in its own way. Each one is going to be different, but that doesn't mean that there cannot be a way to do this with any botnet."
Symantec security researcher Sergey Golovanod says the botnet is "practically indestructible." He remarks, "[TDL-4 is] the most sophisticated threat today."
However, even Dell backed off somewhat from their initial remarks, with a SecureWorks spokesperson saying this week, "Since mid-March 2011, Dell SecureWorks' CTU [Counter Threat Unit] research team has seen a significant decline in the number of attempted Rustock attacks, and we do attribute it to the comprehensive efforts of Microsoft."
Indeed Alex Lanstein, a senior engineer with FireEye, a security organization who worked with Microsoft on the takedowns says cooperation between Microsoft, other companies, and U.S. law enforcement agencies has proved integral to creating combined assaults capable of bringing down tough botnets. He states, "It's the trust relationships Microsoft has created and I think [the technique] speaks to any malware infrastructure where some kind of data feed exists. It really, really works. With the Rustock takedown, Microsoft has built the framework for others to do the same. This is definitely not the last botnet we're going to go after."
So, TDL-4 may be tough -- but "indestructible"? Not so much.
This article is over a month old, voting and posting comments is disabled
RE: botnets lol
7/11/2011 8:14:32 AM
Rootkiting botnets move through networks like real human viruses. The trick is to find a vulunrability that can be exploited, exploit the crap out of it with your new code until someone notices and fixes it or creats defenses against it to get enough systems infected to make it worth the time you spent creating the botnet.
The reason there are fewer Linux/OSX botnets has little to do with system security and everything to do with economics. Basically there are too many variations and too few systems using Linux/OSX around to make an attack that will work long enough to make a worthwhile botnet. You live in the 5% and below saftey net similar to typical real vaccination programs so long as 95+% of the population is "immune" via vaccination the remaining population that cannot be vaccinated is "fairly" safe from infection because the herd protects you. In this case your popultation is so sparse and diverse passing the infection on becomes difficult and thus not worth the time.
As to iOS/Android/WP7 time will tell, the way data is metered on cell phones makes it easier to spot unusual activity. I doubt attacks will move beyond annoyance type attacks and data theft type attacks there.
"DailyTech is the best kept secret on the Internet." -- Larry Barber
TDL-4 Botnet is Close to Indestructible Say Researchers
June 30, 2011, 11:26 AM
Ten-Year-Old, 2 Million PC Botnet Finally Killed; Stole up to $100M USD
April 14, 2011, 11:21 AM
Microsoft Granted Permanent Ownership of 276 Botnet Domains
September 9, 2010, 9:29 AM
Russian Hackers Compile List of 10+ Million Stolen Gmail, Yandex, Mailru
September 11, 2014, 11:41 AM
House Minority Leader Pelosi Criticizes FCC's "Fast-Lane" Net Neutrality Plan
September 9, 2014, 4:15 PM
Smarter Than Siri? Cortana Adds Game NFL Game Winner Prediction
September 3, 2014, 4:12 PM
Apple Says Nude Celebrity Photo Dump Wasn’t Result of iCloud, Find My iPhone Breach
September 2, 2014, 3:26 PM
FCC Orders Advertisers to Cut Out That Racket, Turn Down Commercials
August 29, 2014, 12:49 PM
Dropbox Bows to Competitive Pressure, Provides 1TB of Storage for $10/Month
August 27, 2014, 11:17 AM
Most Popular Articles
Dell Announces "World's Thinnest" Tablet: The Venue 8 7000 Series
September 11, 2014, 8:51 AM
Apple Announces Its Smartwatch: The $349 Apple Watch
September 9, 2014, 2:09 PM
Quick Note: Buy an Xbox One Sept 7-13, Get a Free Game
September 4, 2014, 10:42 AM
Quick Note: Microsoft to Ditch Windows Phone, Nokia Branding
September 10, 2014, 2:14 PM
Apple Announces 4.7" iPhone 6, 5.5" iPhone 6 Plus
September 9, 2014, 1:45 PM
Latest Blog Posts
Space Terrorism is a Looming Threat For the United States
Apr 23, 2014, 7:47 PM
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
Tesla vs. BMW: Who Has the Safer EV?
Feb 1, 2014, 2:56 PM
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information