[Infowarrior] - more on... Japan has national botnet warriors; why don't we?
Richard Forno
rforno at infowarrior.org
Fri Oct 22 07:12:20 CDT 2010
Begin forwarded message:
> From: Rich Kulawiec <rsk at gsp.org>
> Date: October 22, 2010 7:58:39 AM EDT
> Subject: Re: [Infowarrior] - Japan has national botnet warriors; why don't we?
>
> Unfortunately, this:
>
>> In stage three, the relevant ISPs are alerted. They send those
>> users an "attention rousing mail" directing them to a customized "bot
>> deinfestation" website, where (in stage four) they receive downloads and
>> instructions on how to clean their computer and prevent future attacks.
>
> is not only spamming, but ineffective, since of course the bots can be
> trivially programmed to prevent the users in question from ever seeing
> those email messages. Or to substitute their own. Or to redirect
> users to sites of their choosing where more interesting downloads
> are available. When a bot has taken over someone's system, *it's not
> their computer any more*, and it's therefore silly to believe that it
> will permit the former user (or anyone else) to interfere with its operation.
>
> No doubt botnet operators with systems in Japan will eventually react
> to this by doing one or more of those things if the activities of
> these "botnet warriors" become a sufficiently-annoying inconvenience.
> I think if I were one of The Bad Guys, my first-order attempt at
> undercutting this would likely involve making an entry (on all of
> my bots) in whatever the Windows equivalent of /etc/hosts is along
> these lines:
>
> 1.2.3.4 disenfectant-stuff.example.ne.jp
>
> where "disenfectant-stuff.example.ne.jp" is the site that users are
> advised to go to, and 1.2.3.4 is of course a fake disenfectant site
> under my control. Any user who received the spam advising them to snag
> the anti-bot software would thus (a) oblige me by downloading
> the latest version of my malware and (b) provide me with some
> possibly-useful data on bot detection rates and methods. And of
> course the latest version of my malware would include a GUI that
> mimics the real disenfectant and dutifully reports to users that
> their systems have been cleansed. Optionally, it could modify
> their MUA to add a ruleset functionally equivalent to:
>
> if
> (mail "From:" matches domain of botnet-warriors)
> then
> discard
>
> so that future messages land in the bit-bucket.
>
> (Let me note in passing that I really do mean "first-order"; I've
> put 30 seconds of thought into this over my first cup of coffee.
> No doubt further consideration would suggest far more subtle and
> devious methods for retaining bot ownership.)
>
> The only way to really recover a system from bot infestation is to
> boot it from known-clean media, back up all user data, scrub it to bare
> metal, reinstall the operating system and all applications, restore all
> (sanitized) user data, and then add sufficient protections to prevent
> it from being quite-so-easily botted again. However even this is only
> a temporary measure: users who insist on using insecurable operating
> systems and/or insecurely designed/implemented applications, or who have
> poor computing hygiene, will soon enough defeat all those measures and
> the cycle will repeat.
>
> And of course only a tiny fraction of bot'd systems are actually given
> this treatment. Nearly all the time, the course of action involves
> running a putative anti-virus/spyware/malware package *on a known-infected
> system* and vaguely hoping that it might work. As we see here.
>
> Given that we have watched the worldwide bot population monotonically
> increase for the better part of a decade, and that there are at bare
> minimum 100 million of them, it will take more than inept half-measures
> like this to seriously attack the problem.
>
> ---rsk
>
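A defender-side check for the hosts-file override Kulawiec describes, as an added example that is not part of the original post: it parses a (constructed) Windows hosts file and flags any static mapping of a remediation or update domain, since those sites should only ever resolve through DNS. The domain names and addresses below are placeholders, not real sites.

```python
import ipaddress

# Constructed sample of a Windows hosts file (hypothetical content, not from the post).
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
1.2.3.4         disenfectant-stuff.example.ne.jp
192.0.2.10      update.example-av.invalid  # added by "installer"
"""

# Domains a defender expects to resolve via public DNS, never via a local hosts entry.
# Placeholder names; substitute the actual remediation/update hostnames you care about.
PROTECTED_DOMAINS = {
    "disenfectant-stuff.example.ne.jp",
    "update.example-av.invalid",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: first field is not an address
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def find_hijacks(text, protected=PROTECTED_DOMAINS):
    """Return hosts entries that pin a protected domain (or a subdomain of one) to
    any address. Such sites should resolve through DNS, so any static mapping,
    whether to loopback or to a third-party host, is a hosts-file override worth
    investigating."""
    hits = []
    for ip, host in parse_hosts(text):
        if host in protected or any(host.endswith("." + d) for d in protected):
            hits.append((ip, host))
    return hits
```

On a live system, point `parse_hosts` at `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) and compare each hit against what a trusted resolver returns for the same name.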