Storm worm smackdown as researchers unpick control system

A team of security researchers have developed a technique for automatically purging the remnants of the Storm worm infection from the internet. But the approach - which involves turning the botnet's command and control system against itself - could run foul of computer hacking laws in Germany and elsewhere, which ban the …

COMMENTS

  1. stizzleswick
    Dead Vulture

    Cool development!

    Just too bad that the German, as well as some other European and the U.S. governments, have seen fit to criminalize the digital crimefighters for using the tools they need to fight digital crime, while the governments themselves are legalizing the same tactics to be used on innocent citizens without the need for a warrant...

  2. Kevin

    This is how all battles are fought

    The good guys always have a harder job because they follow the rules. It would be nice to be able to spread cleanup code in the same way that malicious code is spread, but you can't. Just because you are trying to do good does not mean you are exempt from the law. At the same time, would it be such a bad thing for governments to pass laws that allow for cleanup like this? A case by case situation? Sort of deputizing security companies to take down an organized crime institution.

  3. Anonymous Coward
    Anonymous Coward

    Oh probably illegal in the UK as well

    yes, that is unauthorised access.

    Liability is high as well, if those machines are being used for any day-to-day legitimate activity and they go down during the dismantle attempt. And then there are the false positives: cracking into someone's machine just because it is, in your impression, compromised is dubious.

    Wasn't one of these botnets actually controlled by a 'digital crimefighter'? Who do you trust? What is going on here is that some people want to crack machines, and they are trying to make some legitimate targets for their unauthorised incursions; just another social engineering trick.

    They will have to track down all the owners of the systems to do this legitimately, and should be going through the ISPs, when actions like that are taken it is better for the general good, these maverick style actions are not really that beneficial.

  4. TeeCee Gold badge
    Happy

    Easy answer.

    Host the cleanup servers elsewhere. Let's face it, there are quite a few hosts out there in certain countries who, for a small consideration, are quite happy to let you run whatever you like, far from the influence of US / European law enforcement.........

  5. Anonymous Coward
    Black Helicopters

    Errors in the code.

    I had a quick mooch through the stormfucker code. I think the Xor key has had a few bytes edited and the code needs to be compiled with the flag -DXOR; there are probably other things that need fixing to make it work, but those 2 things stood out.

    You would also need the peers.ini from an infected PC to get tit to start talking on the Storm network, I think.

  6. dervheid
    Stop

    Ah, good old Red Tape...

    don't you just love it?

  7. Stuart Hatto

    This isn't new

    The ability to take over command and control functions of botnets is not new; in fact, early last year TippingPoint's research team at DVLabs had a semi-religious debate about commanding the Kraken worm to kill itself and clean up.

    http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration

    and

    http://dvlabs.tippingpoint.com/blog/2008/04/28/owning-kraken-zombies

    I echo the first comment - it's a shame that despite having the technology to mitigate these infections, Governments throughout the World ban the action.

  8. EdwardP
    Flame

    Stormfucker...

    ...was posted to Slashdot.

    Seconds later, thousands of machines around the globe were editing the makefile (so it'd work) and typing make.

    Believe me, it's been run.

  9. Anonymous Coward
    Anonymous Coward

    Add a "consent" pop-up

    If the user consents to your malware removal attempt, is that enough to make it legal?

  10. Matt Bradley
    Thumb Up

    Just what we needed

    ^^^ More please. Do these guys have Paypal donation box?

  11. Anonymous Coward
    Happy

    @Evil Graham....

    please say you missed a Joke icon off your post.

    "Your pc is infected. Click OK to remove". Only the thick dumb asses that get most viruses would click OK.

    Actually maybe that's not such a bad idea!

  12. Frank
    Joke

    @Evil Graham re. Add a "consent" pop-up

    So, if I see a pop-up box on my screen saying "Do you want me to clean up the Storm Worm trojan which has been detected as infecting your PC?", then I press 'Yes' and everything will be ok?

    That sounds like a wonderful idea.

  13. Anonymous Coward
    Pirate

    Digital Vigilantism

    Allowing security researchers to break the law in order to stop other people breaking the law is digital vigilantism; it's not a good idea, in the same way that normal vigilantism isn't. Different people have different ideas of justice, and enforcing an individual's view, rather than society's view, is not healthy. What is needed is a co-ordinated, international body, or group of national bodies, that deals with malware in a way that society views as fair.

  14. Anonymous Coward
    Coat

    We came, we saw, we kicked its ASS.

    Point me to a copy of the client, *I've* got no problem issuing the cleanup command...

    Mine's the one with 'vigilante sysadmin' across the back (in fixed-pitch terminal font, naturally).

  15. The Mole

    Consent for consent pop-up

    Unfortunately you'd have to somehow gain consent to run code on the machine to display the consent popup.

  16. Gulfie
    Thumb Up

    Anyone remember 'Core Wars'

    'Twas an article published in '84 in Scientific American. Google 'core wars'. This is essentially a real live core war. Fantastic! Nice one guys.

  17. Anonymous Coward
    Flame

    Kick them off

    1) Identify a zombie

    ---a) Researchers or a cohort of ISP techs agree and verify that a particular computer is acting as a zombie

    2) Inform an ISP of all identified zombies on their network, giving them a 48 hour deadline

    ---a) Zombies' ISP blocks affected computers and informs users why.

    ---b) Affected systems not allowed back on until they are verified clean.

    ---c) Users added to a "watch list" so no other ISP will accept them until system is clean

    ---d) Users may need to pay for cleaning/verification

    3) ISP responds within 48 hours that all zombies are now blocked

    ---a) Zombies probed - if blocked, all is well

    ---b) If still live, ISP faces risk of blacklisting (>5% still live, immediate blacklist, <5% ISP has 3 hours to block)

    4) Once the 48 hour deadline passes with no response that *ALL* zombies are blocked (99% is not good enough), ISP gets blacklisted.

    5) ISPs required to inform users of their responsibility to ensure that their systems are secure. The users should also be informed that they may well be held liable for all costs and penalties the ISP incurs as a result of the user's lax security.

    There is NO EXCUSE for a computer being on the net without security. ***NONE*** Even Windows can be secured to a reasonable enough extent (and for free).

  18. Simon B
    Thumb Up

    Sorry we can't fix anything - that's illegal!

    PMSL! "the approach - which involves turning the botnet's command and control system against itself - could run foul of computer hacking laws in Germany and elsewhere, which ban the modification of computer systems without consent."

    So, the worm can do it illegally and cause havoc, but it can't be fixed as that's illegal. ROFL.

  19. The BigYin

    @Digital Vigilantism

    I don't think it is. Many laws allow you to commit a small crime in order to prevent a larger one. I think that using this tool to sort the zombies is perfectly acceptable and would fall under this protection.

  20. Anonymous Coward
    Boffin

    Re: Core Wars

    Yep, played Core Wars in University in '91 on one of the campus Vax machines.

    You use a 'programming language' called Red Code, which consists of 7 instructions. It's amazing the range of tactics you can come up with using such a limited instruction set.

  21. Anonymous Coward
    Happy

    Yeah, I was dumb.

    I was kind of forgetting about all the other spurious drive-by popup crap.

    In my (lame) defence, I was only really interested in the legal side of it, but yeah, I guess you need someone's consent even to get the consent popup to run.

    Maybe I'll engage my brain before posting next time.

    Naah, on second thoughts, where's the fun in that?

  22. Anonymous Coward
    Joke

    got to stop reading like this

    @AC Tue 13th Jan 2009 08:07 - "to get tit " Snurk

    @AC Tue 13th Jan 2009 12:09 - "---a) Zombies probed " Erm, no thanks. I like mine living.
