Anti-botnet initiatives USELESS in sea of patch-hating pirates

Three Dutch researchers have crunched data gleaned from efforts to battle the Conficker bot and declared anti-botnet initiatives all but useless for clean-up efforts. Conficker was born in 2008, spreading aggressively through a since-patched remote code execution vulnerability in Microsoft Windows (MS08-067) that affected all operating …

  1. Anonymous Coward

    This makes no sense!

    Rampant Windows piracy is also a major factor in hindering botnet cleanup efforts as it means often that automatic patch updates, one of the best security tools available, are turned off.

    Starting with Windows Vista you needed more than just a license key. There's built-in key management to ensure that this Windows O/S is legit. It hasn't been worth the effort to keep track of the nuts and bolts, but these installs update just fine. So poor updating isn't a valid condition unless pirates systematically disable updates regardless.

    Yes, Windows XP and 2000 did require "activation", which did enable Windows Updates, but with a quick hack you could activate it offline. [X-Setup was handy for offline setups to activate when dialup was restored.] I suppose all those zombies could easily be XP. If that's the case, no low-cost upgrade keeps the world hosting a systemic infection with no treatment regimen in sight.

    1. Anonymous Coward

      Re: This makes no sense!

      You're excusing the masses for using unlicensed software? Why?

      1. Anonymous Coward
        WTF?

        Re: This makes no sense!

        tl;dr - not excusing a thing. Hate bullshit lies. Value in being legit (usually).

        I'm not excusing anything. I am pointing out that the Emperor is obviously deluded if "He" believes that pirated Windows can't update from the official site. There's even advice on what updates to avoid, from what I've read while doing a walkabout in the "underground*." I really don't like bald-faced lies for the exact same reason I don't like bad and/or unenforceable laws. They tarnish the others that really should be respected. Saying bullshit like this is stupid. When someone that has a pirated Windows, or other software, finds out that they've been lied to, that's yet one more reason to ignore what is good advice. Legit stuff actually has benefits in some/most cases: avoiding the extreme cases (Oracle, Adobe), its registration has added value. You do have to evaluate that in relation to your situation.

        Despite a limited (medically retired) income, not even above the poverty line for one here (US), I do pay for my software. Windows 7 Ultimate was worth every penny here. There's others. But the significant value here is being known as a long-time, supportive, alpha/beta-tester. That's what I do for fun. That and come up with weird hardware/software combinations. Anyway, it's being legit that keeps me on the lists. Your (economic) utility may vary, the same elsewhere.

        *[Underground? Not even close to the real deal. The very first thing I did with VMWare 1.0.1 was a browser appliance that gets nuked after each session. Has all the trimmings (VPN, MAC address changed, forged the rest). Logs? Only the date/time group will/may be accurate. "Jack of Shadows" for a reason.]

  2. Anonymous Coward

    So, much as with human diseases, being poor and badly educated drastically increases the chance of infection. Who would of thought...

    1. Alister
      Headmaster

      Who would of thought..

      AAAAARGH!

      Would HAVE!!!!

        1. Anonymous Coward

        who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought! who would of thought!

  3. Anonymous Coward

    Why not issue a kill command?

    I don't know the specifics of Conficker, but a lot of bot malware has the option to update and even remove itself. Instead of just monitoring the phone-home requests, why don't they respond with the uninstall / kill command and actually clean up the machines?

    There may be a good reason for this (technical or ethical) but it would make sense to try and eliminate them entirely.

    1. Androgynous Cupboard Silver badge

      Re: Why not issue a kill command?

      This is still relevant, after at least 25 years.

      (Edit: in case it's not obvious, the box to tick here is "Laws specifically prevent it", namely the Computer Misuse Act or your local equivalent. Specifically, modifying the infected computer to kill the botnet would be unauthorised access.)

      1. Captain DaFt

        Re: Why not issue a kill command?

        -"Laws specifically prevent it", namely the Computer Misuse Act or your local equivalent.-

        Funny old world, innit?

        Remotely removing malware, bots and viruses without permission violates the law.

        But Microsoft, Google, Amazon, Sony, a million ad peddlers, and any Five Eyes Agency can install, remove, delete, or alter any part of your system without permission, and it's all legal.

        Worst they get is bad publicity when caught being blatant about it.

      2. Vic

        Re: Why not issue a kill command?

        This is still relevant, after at least 25 years.

        It always is.

        Vic.

      3. Robert Helpmann??

        Re: Why not issue a kill command?

        ...in case it's not obvious, the box to tick here is "Laws specifically prevent it"...

        This points the way to the solution. If a politician or a sufficient number of a politician's top donors are made to realize that their servers are infected with something like this, the politician will Do Something[1]. This will take the form of passing legislation which we all know will fix everything. In this particular case, it might remove the impediment to two wrongs in fact making a right or perhaps fund a new agency which is authorized to cleanse this blight from the world[2].

        [1] This is the dodgy part as it involves getting politicians to deal with something technical and have that lead to a reasonable and useful outcome.

        [2] Yes, the entire world, because there are no borders among the interwebs!

    2. Anonymous Coward

      Re: Why not issue a kill command?

      Yeah, write another worm that exploits, removes malware and patches MS08-067.

    3. Anonymous Coward

      Re: Why not issue a kill command?

      I wonder why they can't redirect all traffic from a botnet-affected machine to a message telling them they have XYZ botnet and that they need to get their machine disinfected. Any traffic flowing from that machine is redirected so that it can no longer phone home. ISPs would need to sign up to it, but I'm sure they don't want the traffic on their network taking up bandwidth.

      1. SImon Hobson Bronze badge

        Re: Why not issue a kill command?

        > I wonder why they can't ...

        Well yes, they can - but they have to want to. It's not as simple as going along to (say) a few dozen ISPs and problem solved - there will be thousands, if not millions, of organisations involved.

        For each IP address, you need to track down the administrative contact for that IP range. For some it's easy, as whois will give you the details; for others it's "opaque". And then whoever is responsible has to actually take action, and that means actually taking the issue seriously.

        Just intercepting the traffic and redirecting it is not on - and it still has to be done at a level fairly close to the IP, specifically that organisation or their connectivity provider. But if our connectivity provider started with a redirection, then we'd be "livid doesn't start to describe it" with them and legal action for losses would follow. So you have to have notified the end customer and given them a chance to sort out the mess before you disrupt their business - and that's a lot of hassle for which you'll get little thanks.

        For most ISPs, the effort isn't worth it relative to the relatively small cost of the bandwidth consumed.

        So if the ISP closest to the user isn't going to do it, then what? Go to their upstream provider? Same issues apply really: a lot of hassle for little benefit.

        You could try coercing them by (for example) dropping their routes from the global routing table - but that can only really be done by any peers/providers they use. Again, a drastic measure with little business justification.

        1. Anonymous Coward

          Re: Why not issue a kill command?

          "But if our connectivity provider started with a redirection then we'd be "livid doesn't start to describe it" with them and legal action for losses would follow"

          If you had a confirmed botnet on your network that was active and in use (and therefore obviously unknown to you), you'd be livid that your ISP had redirected you to a warning message to that effect? You'd prefer not to know as all your files get encrypted, your customer and staff details are removed and someone in a far-away land quietly wanders around your network? If your first step is to reach for the sue gun then you should probably consider whether you are suitable to be in charge of IT. You could easily just click a continue button on the redirect to resume access for a period of time, or just call your ISP to let them know that you'd found the botnet and removed the offending device while thanking them for alerting you to it.

          You also don't need to look up the WHOIS for each IP. The list can be published and then the ISP can check for their ranges on it. It can be optional, but you only need a few of the large ISPs in each country to use it to make a massive difference.
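          The two comments above describe the same mechanism from opposite ends: mapping each observed infection back to the responsible IP range, and an ISP checking a published feed of infected addresses against its own prefixes. As an added example (not code from the article, the thread or any of the commenters), the script below takes a constructed sinkhole-style feed and a constructed prefix-to-abuse-contact table and groups the hits by contact, using longest-prefix matching so a more specific customer range wins over its parent. All addresses are RFC 5737 documentation ranges and the contact addresses, feed format and prefix table are assumptions for illustration.

```python
"""Check a published list of sinkhole-observed infected addresses against an
ISP's own announced prefixes.  Added example, not from the article or thread;
all data below is constructed (RFC 5737 documentation ranges only)."""
import ipaddress
from collections import defaultdict

# Constructed: the ISP's announced prefixes, each with its abuse contact.
# The two /25s sit inside a parent /24-sized block to show longest-prefix wins.
ISP_PREFIXES = {
    "192.0.2.0/24": "abuse@example-isp.invalid",
    "198.51.100.0/24": "abuse@example-isp.invalid",
    "198.51.100.0/25": "abuse-west@example-isp.invalid",
    "198.51.100.128/25": "abuse-east@example-isp.invalid",
}

# Constructed: one observation per line, "timestamp ip bot_family".
# Includes a duplicate, an address outside our ranges, and a malformed line.
PUBLISHED_FEED = """\
2015-06-01T10:00:00Z 192.0.2.17 conficker
2015-06-01T10:00:01Z 198.51.100.9 conficker
2015-06-01T10:00:02Z 203.0.113.5 conficker
2015-06-01T10:00:03Z 198.51.100.200 conficker
2015-06-01T10:00:04Z 192.0.2.17 conficker
2015-06-01T10:00:05Z not-an-ip conficker
"""


def parse_feed(text):
    """Yield (ip_address, family) for well-formed lines; skip malformed ones
    rather than letting one bad line abort the whole run."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ip, parts[2]


def build_networks(prefix_table):
    """Parse prefixes once and order them most-specific first, so the first
    containing network found is the longest match."""
    nets = [(ipaddress.ip_network(p, strict=True), contact)
            for p, contact in prefix_table.items()]
    nets.sort(key=lambda nc: nc[0].prefixlen, reverse=True)
    return nets


def match_infections(feed_text, prefix_table):
    """Return {abuse_contact: [ip, ...]} for feed entries inside our ranges.
    IPs are de-duplicated and sorted numerically, then rendered as strings."""
    nets = build_networks(prefix_table)
    hits = defaultdict(set)
    for ip, _family in parse_feed(feed_text):
        for net, contact in nets:
            if ip in net:
                hits[contact].add(ip)
                break  # longest prefix already matched
    return {c: [str(i) for i in sorted(ips)] for c, ips in hits.items()}


def unmatched(feed_text, prefix_table):
    """Addresses in the feed that fall in none of our prefixes (someone
    else's customers; nothing for this ISP to act on)."""
    nets = build_networks(prefix_table)
    out = set()
    for ip, _family in parse_feed(feed_text):
        if not any(ip in net for net, _c in nets):
            out.add(ip)
    return [str(i) for i in sorted(out)]


if __name__ == "__main__":
    for contact, ips in match_infections(PUBLISHED_FEED, ISP_PREFIXES).items():
        print(f"{contact}: {', '.join(ips)}")
    print("not ours:", ", ".join(unmatched(PUBLISHED_FEED, ISP_PREFIXES)))
```

          The ordering step is the part that matters operationally: with the parent /24 and its two /25 children both in the table, a naive "first prefix that contains the IP" lookup would route every hit to the parent's generic contact, whereas sorting by prefix length first delivers each notification to the team that actually owns the customer range.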

  4. Tony S

    Who's responsible

    One of the problems with getting these devices patched would be to identify who would be responsible for doing that (as per Simon's comment above).

    Here is a scenario that I am dealing with.

    The company where I am performing some consultancy work has an IT Manager and 5 IT staff. They are a brand new company, just in operation for about 8 - 9 months. Most stuff they are working on is outsourced, so they have no servers on site.

    One group of the people that are providing the hosting *should* be performing backups, patching, maintenance etc. but no-one is checking this. As far as I can tell, none of the servers have been patched in at least 3 months. Another group of servers for the ERP system are being patched; but as they currently don't have the ERP system running on those, it doesn't make a huge difference.

    The IT Manager has placed an order for a server; but there is an issue because he wants the vendor to set-up and configure the server. When I queried why, he told me that he "doesn't know how to do this" and none of his staff do either. On top of that, he insisted that they "don't have time to learn".

    Anyone think that these guys are going to make sure that their systems are patched?

    1. Jimmy2Cows Silver badge

      Re: Who's responsible

      Sounds like where I work, only your place has more "IT" people (they clearly aren't actually proper IT people, or they'd be able to configure the server themselves). Actually the place you're at sounds like a cushy job for 6 people to sit around doing fuck all and get paid for it...

      Here, the only guy who knew much about IT (wasn't actually an IT guy, just happened to grasp enough for us to get by) has just left, and now any and all IT consideration is a finger-waving exercise outsourced to the lowest bidder. Sad.

    2. Doctor Syntax Silver badge

      Re: Who's responsible

      @Tony S

      I hope you're invoicing them and being paid daily. Just to minimise the amount of your fees at risk.

  5. hadi_asghari

    Clarifications

    As one of the authors of the report I would like to make two clarifications. Before that, thank you for your interest in the research and for covering the topic.

    First, we definitely wouldn't say that the centers are failures; we don't have data of other bots to do a full evaluation of the centers. With regards to Conficker, the centers had no effect.

    Secondly, part of this failure might be resolved by tweaking the anti-botnet initiatives. For instance, the cleanup procedure could be super-simplified, and experiments done with how to notify infected users. In particular, users still infected with an ancient malware such as Conficker are running old machines with outdated software, no AV, and no one in their surroundings to notice and fix the situation. Cleaning up this group of users requires even more work.

  6. Old Handle

    Maybe if Microsoft didn't push out DRM disguised as security updates this wouldn't happen. It's sort of a tricky issue though. Even I wouldn't argue that Microsoft has any duty to support pirate copies of Windows, but on the other hand, if pirates kept their systems up to date it would keep legitimate users safer as well.

    1. Anonymous Coward

      Same principle as "herd immunity" for vaccines. You don't have to have 100% vaccination for the population, just enough to make each of the non-vaccinated have a vanishingly small chance of exposure.

  7. rtb61

    Easy to Solve

    The easiest solution: an immediate ban on all unprotected modems and a requirement that only modem/firewall/routers be used on the internet. Most attacks can be stopped by firewall routers detecting the traffic going across the interface being provided and blocking it. Done and finished.
