NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0500 Seizing Control of a Botnet:


Industry researchers have found a way to seize control of one of the world's largest botnets, igniting a debate over whether to intercede. TippingPoint Technologies' Cody Pierce and Pedram Amini cracked the code used to operate Kraken - a 400,000-strong botnet of infected computers - by reverse-engineering its encryption routines and working out its communication structure. They found that the infected computers were trying to reach a master command and control (C2) server by systematically generating subdomains under various dynamic Domain Name System (DNS) resolver services. Because the generation scheme was predictable, the researchers could work out where the bots would connect upon reboot and stand up a fake Kraken server capable of taking them over.
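The same predictability that let the researchers pre-register the rendezvous names also gives a network defender a detection handle: an infected host issues a burst of lookups for random-looking subdomains spread across several dynamic-DNS zones, which legitimate clients rarely do. The script below is an added example written for this page, not TippingPoint's code or anything the Kraken analysis published. The dynamic-DNS zone list, the log format and the log lines are all constructed for illustration; the entropy and vowel-ratio thresholds are assumed heuristics, not values derived from the real bot.

```python
"""Flag DNS clients whose lookups resemble algorithmically generated
subdomains under dynamic-DNS zones (the rendezvous pattern described
in the article). Added example; all zones, thresholds and log lines
are constructed, not taken from the Kraken research."""
import math
import re
from collections import defaultdict

# Constructed placeholder zones; NOT the zones the Kraken bots used.
DYNDNS_ZONES = frozenset(
    {"dyn-example.net", "dyndns-example.org", "noip-example.com"}
)

# Constructed DNS query log: "<timestamp> <client_ip> <queried_name>"
SAMPLE_LOG = """\
2008-04-10T03:12:01Z 10.0.0.5 ywqzplmakx.dyn-example.net
2008-04-10T03:12:02Z 10.0.0.5 rtbvkqosen.dyndns-example.org
2008-04-10T03:12:03Z 10.0.0.5 mxplqzawvt.noip-example.com
2008-04-10T03:12:04Z 10.0.0.5 zqwnlrtyub.dyn-example.net
2008-04-10T03:12:05Z 10.0.0.5 hkqvbzmwyt.dyndns-example.org
2008-04-10T03:12:06Z 10.0.0.5 pgxjsvcdrq.noip-example.com
2008-04-10T03:15:00Z 10.0.0.7 home-camera.dyn-example.net
2008-04-10T03:15:01Z 10.0.0.7 www.example.com
2008-04-10T03:15:02Z 10.0.0.7 mail.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(label: str) -> float:
    """Fraction of characters that are vowels; generated labels run low."""
    return sum(ch in VOWELS for ch in label) / len(label) if label else 0.0


def looks_generated(label: str, min_len: int = 8,
                    min_entropy: float = 3.0, max_vowels: float = 0.3) -> bool:
    """Assumed heuristic: long, high-entropy, vowel-poor labels."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) < max_vowels)


def split_name(name: str):
    """Return (leftmost label, parent zone) for a queried name."""
    label, _, zone = name.lower().rstrip(".").partition(".")
    return label, zone


def suspicious_clients(log_text: str, min_lookups: int = 5,
                       min_zones: int = 2) -> dict:
    """Map client IP -> evidence for clients that issued at least
    `min_lookups` generated-looking lookups across `min_zones` zones."""
    evidence = defaultdict(lambda: {"names": [], "zones": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        _, client, name = m.groups()
        label, zone = split_name(name)
        if zone in DYNDNS_ZONES and looks_generated(label):
            evidence[client]["names"].append(name)
            evidence[client]["zones"].add(zone)
    return {
        client: {"names": e["names"], "zones": sorted(e["zones"])}
        for client, e in evidence.items()
        if len(e["names"]) >= min_lookups and len(e["zones"]) >= min_zones
    }


if __name__ == "__main__":
    for client, ev in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(ev['names'])} generated lookups "
              f"across {ev['zones']}")
```

Run against a real resolver log the thresholds need tuning per environment: `home-camera.dyn-example.net` passes through because it is short on entropy and rich in vowels, while a single odd hostname never trips the client-level count on its own. The output is a list of hosts to investigate and remediate locally, which is the route Endler and Hay argue for later in the article, rather than anything sent to the machines themselves.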

Over a seven day period the TippingPoint team monitored Kraken connections and found that the fake Kraken server received more than 1.8 million requests from infected systems worldwide, mostly from home broadband users in the United States, the United Kingdom, Spain, and Central America.

TippingPoint sees an ethical dilemma in whether infected computers used in denial-of-service attacks and spam runs should be cleansed without the owners' consent. The researchers' work has proven that technically it would be simple to shut down the communication between the bots and their controllers. Essentially, the infected system would connect to TippingPoint's fake Kraken server and receive a command to kill the process handling the communication.

Amini and Pierce have argued that cleansing should be used to help slow the botnet epidemic. They called for industrywide discussion about using more proactive approaches to fighting botnets.

David Endler, director of security research at TippingPoint, held an opposing view. "The reality is that you really don't know what you're modifying," Endler said in an interview. "What if that end-user system is performing a critical function? What if that target system is responsible for someone's life support? It really is a moral and a legal quandary." He cited liability issues as one of the key reasons TippingPoint has so far opted to leave the Kraken botnet alone.

Andrew Hay, product manager at Q1 Labs, a network security management company, said the concept of tampering with a user's machine without consent, even if it is to remove malicious software, is "ethically questionable." "I couldn't in good conscience send any command to a machine without the user's knowledge and approval," Hay said. "Ethically speaking, we just can't make that decision regardless of whether it's right or whether it's the best thing to do for the good of the internet."

(www.eweek.com 01MAY08)


Last Modified: Saturday, 02-Aug-2008 22:34:07 EDT