FBI Hijacks Botnet, With Court Order... Then Issues Kill Signal To Millions Of Computers

from the good-samaritan-hacking? dept

For years there's been talk about the value of "good samaritan" viruses or botnets that would go out and try to delete or kill off "bad" viruses or botnets. Lots of computing experts have, reasonably, warned that the unintended consequences of such an action could be large and dangerous. Apparently, the FBI figures, why not test it out anyway? In a rather surprising move, the FBI was able to get a court order that allowed it to effectively hijack a large botnet, involving millions of computers, and send a "stop" command to all of those PCs that would disable the malware (called Coreflood).

While there are obviously good intentions here, and it's definitely a good thing to see a large malicious botnet go dark, there are still really serious concerns about this move, the legality of the move, and the risk of unintended consequences. Do we really want to set a precedent where the FBI can send commands remotely to millions of computers? And how confident are people that the FBI's programming skills won't cause problems, if not this time, then at some point in the future? In the filing requesting the right to do this, the FBI even pointed out that a newer version of Coreflood had been released that morning "but that the FBI had tested the kill command against that variant and it had worked successfully." Of course, testing in the lab and deploying to millions of machines in the real world are entirely different things. There are also concerns that this is an ongoing effort, since Coreflood apparently reruns every time a machine is rebooted, meaning that the FBI will have to keep sending this kill signal. And while the FBI swears up and down "that this would cause no harm to computers," how confident are you that this is really the case?

Again, I recognize the importance of trying to stop botnets and take them down. Additionally, there don't appear to be any early reports of trouble or unintended consequences from this move. But... when dealing with something like this, where the FBI is sending execution commands to millions of PCs, you have to assume that sooner or later, something bad is going to happen. Does the FBI have a technical support helpdesk to help your grandparents when it kills their computer?


Reader Comments

  1.  
    Hephaestus (profile), Apr 14th, 2011 @ 7:38am

    Better title Idea ...

    FBI commits several million acts of computer trespass.

  2.  
    Skeptical Cynic (profile), Apr 14th, 2011 @ 7:48am

    All I can say is Holy Crap!!!

    I'm in IT and the thought of any government agency sending any command to any computer to do what it wants just freaks me out.
    What right do they have to do that?

    I hate bot-net infected computers because they cause all kinds of issues, but any way you look at it the FBI just made all those computers do what it wanted. It issued forced instructions to those computers that were executed.

    Big Brother is all grown up and has just made it to college.

  3.  
    RHOPKINS13 (profile), Apr 14th, 2011 @ 7:50am

    Thinking about the consequences...

    Don't get me wrong here, I'm all for destroying botnets, but I don't think this was thought out fully. First of all, it's a temporary fix. I'm sure that many if not most of the computers that were infected get rebooted on a regular basis, and it'll only be a small matter of time before they're up and running Coreflood again.

    Second, it sounds like this "stop" command was programmed in by the original writers. If that's the case, the obvious reaction to this is for them to make an update that leaves out this "stop" command.

    Not saying that there's a correct way of stopping a botnet, but I don't think this is it.

  4.  
    Jes Lookin, Apr 14th, 2011 @ 7:55am

    Is This A 'More Friendly' Problem

    So... there are thousands of computers infected with malicious and annoying botnet software controlled by scum-bags. The FBI wants to see if they can stop it by sending out an application kill command. So what? I'm surprised some teen hackers don't do this regularly just to screw around. The only problem may be that infected systems crash, like all mismanaged or Microsoft systems will anyway - there will just be someone that seems convenient to blame...

  5.  
    umccullough (profile), Apr 14th, 2011 @ 7:56am

    This did little to help the owners

    Removed a piece of malware from a bunch of machines - wow... what good samaritans, right?

    Not likely. The machines are probably infected with multiple pieces of malware (such is generally the case with machines like this), and the owners have learned nothing from this exercise.

    Notification and Education should be the proper solution - not "let us clean this up for you without your knowledge".

  6.  
    umccullough (profile), Apr 14th, 2011 @ 7:58am

    Re: All I can say is Holy Crap!!!

    The conspiracy theorist in me wants to suggest we'll see more of these botnets now, infecting machines belonging to "people of interest" - and the FBI will receive court orders allowing them to "take control" of said botnets and "clean them up" ;)

  7.  
    Jay (profile), Apr 14th, 2011 @ 7:58am

    Orrin Hatch

    So Orrin Hatch just got his wish to blow up a pirate's computer. Judges actually saying this was legal or to "test it out" really need to be smacked when they don't know what the implications could be...

  8.  
    Mike, Apr 14th, 2011 @ 7:58am

    Frankly, the kill command should DISABLE all infected computers, preferably with a boot-time blue screen telling the owner to call their IT dept or have the computer professionally virus-scanned and cleaned.

    These people need a heads-up, not coddling and excuses.

  9.  
    Anonymous Coward, Apr 14th, 2011 @ 7:59am

    Hitting the self destruct button on a built botnet isn't really the same as, say, Amazon deleting things from your computer. Even if it caused problems for someone, guess what, they know there's a problem now, when there was one all along, and it prevents them from far worse things such as maybe identity theft that these things are great for.

  10.  
    Anonymous Coward, Apr 14th, 2011 @ 7:59am

    Uh... First, it wasn't the FBI, it was the ISC. Second, they didn't "kill the computers", they issued a kill order to the malware.

  11.  
    Anonymous Coward, Apr 14th, 2011 @ 8:02am

    We all want botnets and other assorted malware to get squashed, but this just doesn't fly with me. FBI - set up your command servers, record the IP addresses of infected machines, then forward that info to the respective ISPs to deal with it in a phone call or letter to the individual subscriber.

    If this sort of thing begins to take off, then how long will it be before some paid-for Senator decides to get P2P software classified as "malware" so the FBI can hack into your machine to shut it down?

  12.  
    Gryphonn, Apr 14th, 2011 @ 8:03am

    The Untested kill signal

    One day a gung-ho FBI hack(er) will send out an untested kill command. Maybe that could be the day that the Coreflood (or future bot) coder has written code to either kill the systems or spread further malware to other systems.
    We should all hope this court order is a one-off and not a precedent.

  13.  
    Anonymous Coward, Apr 14th, 2011 @ 8:05am

    Re: This did little to help the owners

    Read the original article - they didn't remove the malware, they just issued an already built-in command for the malware to stop running. It restarts at reboot. Microsoft added the malware to their Malicious Software Removal Tool and those who get it through Windows Update will have the software removed.

    Also, notification IS in the works. The ISC is recording IP addresses connecting to their new C&C servers and forwarding those lists on to ISPs, who can then notify their customers.

  14.  
    Anonymous Coward, Apr 14th, 2011 @ 8:09am

    Re: The Untested kill signal

    Especially now that the hackers know the FBI is involved with this sort of thing. If I was a vindictive malware author, I'd make sure all my future software had a very well-documented kill command that didn't just kill the malware, but also wiped the BIOS of the machine it's installed on.

  15.  
    Anonymous Coward, Apr 14th, 2011 @ 8:10am

    "Does the FBI have a technical support helpdesk to help your grandparents when it kills their computer?"

    If your grandparents are having problems with their malware, they should contact the malware's author, not the FBI.

  16.  
    Anonymous Coward, Apr 14th, 2011 @ 8:11am

    It doesn't look like the FBI is doing any programming...

    The FBI isn't writing any new code/applications and distributing it to the infected hosts. With the ISC, they're just issuing a 'stop' command - a command already preprogrammed into the malware running on the compromised systems. Any damage has already been done by the malware itself. Stopping it from running is really a low impact action.

    The real action comes with the Microsoft Malicious Software Removal Tool. This is distributed via Windows Update and has been for years.

    I'd be a bit more wary if the FBI was taking some kind of active or invasive action on the compromised systems (e.g. distributing a new program to 'fix' the problem), but they're just issuing a stop command. The ISC is logging the IP addresses of infected systems and sending those lists on to ISPs so the owners can be informed. I'm all kinds of wary about the FBI interfering with private systems and concerned about unintended consequences, but this all seems really benign.
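The defensive half of the operation that this comment and comment 13 describe (a sinkhole records which infected hosts check in, and the lists go to ISPs so customers can be notified) is the part worth seeing in code, together with the article's observation that a stopped bot reappears once the machine reboots. The following is an added example, not code from the article, the FBI or the ISC: the log format, the netblock-to-abuse-contact table and every address in it are constructed for illustration, and the IANA documentation ranges stand in for real customer addresses.

```python
"""Turn sinkhole check-in logs into per-ISP notification lists.

Added example; not code from the article, the FBI or the ISC. The log
format, the netblock-to-ISP table and every address below are constructed.
Documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)
stand in for real customer addresses.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sinkhole log: <ISO timestamp> <source IP> <bot family>
SAMPLE_LOG = """\
2011-04-13T14:02:11Z 198.51.100.23 coreflood
2011-04-13T14:02:15Z 203.0.113.7 coreflood
2011-04-13T14:03:40Z 198.51.100.23 coreflood
2011-04-13T15:10:02Z 192.0.2.200 coreflood
2011-04-13T15:11:59Z 198.51.100.77 coreflood
this line is garbage and must be skipped
2011-04-13T16:00:00Z 10.0.0.5 coreflood
2011-04-13T18:45:10Z 198.51.100.23 coreflood
"""

# Constructed netblock -> abuse contact table. A real deployment would
# derive this from RIR/WHOIS data rather than hard-code it.
ISP_BLOCKS = {
    ipaddress.ip_network("198.51.100.0/24"): "abuse@isp-a.example",
    ipaddress.ip_network("203.0.113.0/24"): "abuse@isp-b.example",
}

# Sources that can never be notified: RFC 1918, loopback, link-local.
# Such entries are usually NAT artefacts or test traffic on the sinkhole itself.
NON_NOTIFIABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, ip, family), or None for malformed or non-notifiable entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip_text, family = m.groups()
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if any(ip in net for net in NON_NOTIFIABLE):
        return None
    return ts, ip, family


def isp_for(ip):
    """Abuse contact responsible for an IP (string or address); None if unknown."""
    ip = ipaddress.ip_address(ip)
    for block, contact in ISP_BLOCKS.items():
        if ip in block:
            return contact
    return None


def build_notifications(log_text):
    """Map each ISP contact to the sorted list of distinct infected hosts.

    Hosts in no known block are kept under the key None rather than dropped,
    so they can be resolved by hand instead of silently falling off the list.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            seen[isp_for(rec[1])].add(str(rec[1]))
    return {c: sorted(ips, key=ipaddress.ip_address) for c, ips in seen.items()}


def repeat_checkins(log_text):
    """Hosts that checked in more than once, with their check-in counts.

    A bot that was told to stop but checks in again has restarted (for
    Coreflood, on reboot); those hosts need cleaning, not another stop command.
    """
    counts = Counter(str(rec[1]) for rec in map(parse_line, log_text.splitlines()) if rec)
    return {ip: n for ip, n in counts.items() if n > 1}


if __name__ == "__main__":
    for contact, hosts in build_notifications(SAMPLE_LOG).items():
        print(f"{contact or 'UNKNOWN NETBLOCK'}: {', '.join(hosts)}")
    print("repeat check-ins:", repeat_checkins(SAMPLE_LOG))
```

Two design choices matter here: hosts whose netblock is unknown are kept in a separate bucket rather than discarded, and repeat check-ins are counted per host rather than merged away, because a host that keeps reappearing after a stop command is exactly the one that still needs the Malicious Software Removal Tool or a manual cleanup.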

  17.  
    Idobek (profile), Apr 14th, 2011 @ 8:12am

    But.. but... cyber-warfare

    Note to the FBI, the DOD, and others demanding more powers to combat cyber-terrorism and cyber-warfare:

    a) The ability of foreign powers to shut down power plants, and other computer-based infrastructure, over the internet is not real - and, therefore, this course of action is safe, but your demands for more power are based on lies.

    OR

    b) Whoops - you accidentally disabled the control system of a nuclear power plant because it was infected with a botnet.

  18.  
    Anonymous Coward, Apr 14th, 2011 @ 8:12am

    DRMs like Sony's CD rootkit, StarForce, and SecuROM all worked very nicely in the 'lab' too.

  19.  
    kellythedog (profile), Apr 14th, 2011 @ 8:15am

    How long until the FBI or whoever starts turning on the webcams and having a look?
    Seems someone else was doing that and it worked kind of well.
    "Oh Noes... more people eating Mike and Ikes, we definitely have a drug problem. Send in the troops!"

  20.  
    The eejit (profile), Apr 14th, 2011 @ 8:18am

    Re: It doesn't look like the FBI is doing any programming...

    Considering recent actions by the US Government, I'd rather keep my tinfoil hat just in case, thank you very much.

  21.  
    Skeptical Cynic (profile), Apr 14th, 2011 @ 8:26am

    Re: Re: All I can say is Holy Crap!!!

    That is not a theory. It's just a matter of time. Power always drives them to seek to maintain and increase their power. It's only surprising they have not been able to (legally) take more control of your computer in the interest of "National Security" or other Big Brother reason.

  22.  
    Justin, Apr 14th, 2011 @ 8:27am

    jumping to conclusions ....

    I think some folks are jumping to conclusions here. Nothing says they are killing or targeting the computers, just the botnet. As long as that's the case I'm all for it.

    If it is a case of "targeting" the infected machine then we have a problem.

    In other words, if my IP gets wrongly targeted and has no code for the botnet and that's the code they are sending, then no harm. If they are sending something to my computer because they THINK the botnet is there, that's an issue.

  23.  
    Michial Thompson, Apr 14th, 2011 @ 8:27am

    Hard Sale for stopping this activity

    It does kinda suck that the FBI would do this, but you're going to have a hard time selling the fact that they shouldn't do it.

    You have Millions of people screaming about SPAM, and malware, and bandwidth consumption etc... Lots are screaming at congress to do something about all this etc...

    A legitimate and secure network and PC is at no risk of the FBI issuing THIS command to stop because you or your IT staff would have already removed the malware. So screaming about the FBI issuing this stop order on this malware isn't going to get you far.

    In the end, like it or not, you're likely to see more and more of this from the Government all in the name of "security."
    ---------
    Personally I have mixed feelings about it. My GMail account's spam filter has 2600+ emails in the SPAM box, that's the highest I have seen it in several years and it's only the past 30 days too. Obviously Google's filter is doing well, but my corporate email server is still bombarded with all this same SPAM, and I cannot afford the $10k/yr that the SPAM Filter Companies want to extort from my company and they still don't do anything to reduce the bandwidth I have to pay for this crap to attempt to hit my servers.

    It sucks that the FBI did this, but it's obvious that the owners of the PCs in the Bot-Net don't give a rat's ass about the damage they are doing because they have done nothing to secure their computers.

  24.  
    Skeptical Cynic (profile), Apr 14th, 2011 @ 8:35am

    Re: Re: This did little to help the owners

    Are you not freaked out that the FBI can issue a command to your computer to do what it wants? By whatever means or excuse? I am a die-hard US citizen but no way, no how, should the Gov get away with ever, for any reason, or under any law be able to do anything legally to your computer without a clear and defined legally approved purpose!!!

  25.  
    Meek Barbarian (profile), Apr 14th, 2011 @ 8:40am

    Re: Hard Sale for stopping this activity

    It sucks that the FBI did this, but it's obvious that the owners of the PCs in the Bot-Net don't give a rat's ass about the damage they are doing because they have done nothing to secure their computers.

    I'd amend that a bit. I'm sure some (a lot?) of it is more along the lines of ignorant users (e.g., the computer illiterates) that don't even know their PCs are causing damage. It's not that they don't care - they just don't realize that the toy water gun they keep pointing at the internet has live ammo loaded in it.

  26.  
    MrWilson, Apr 14th, 2011 @ 8:42am

    Re:

    That's about as effective a suggestion as telling someone to write their congressman.

  27.  
    Christopher, Apr 14th, 2011 @ 8:42am

    Ummm, wow.

    We need to add voting buttons for "RTFA", "Offtopic", "Blundering dope".

    I'm happy the FBI hijacked -- in the truest definition of the word -- the botnets and killed the clients. Did it solve a minor issue? Yep. Is it an invasion? Nope. That conduit already existed. The FBI closed it. Thank them, for Pete's sake.

    Your fears are largely misplaced. Instead of blaming a system that allows shitbirds to run botnets with impunity, you blame a government entity for *possibly* inducing a side-effect to a largely beneficial act. That's like blaming vaccines for the plague.

    -C

  28.  
    Anonymous Coward, Apr 14th, 2011 @ 8:45am

    Misleading headline

    So basically you've turned a story that actually says "FBI uses the same somewhat risky techniques that have already been used on several occasions by security researchers, but with more oversight" and turned it into a headline that sounds far more like "Court allows FBI to remotely wipe millions of people's computers"... Really?

  29.  
    Anonymous Coward, Apr 14th, 2011 @ 8:45am

    Re: Hard Sale for stopping this activity

    10k a year? Whaaa? We spend $300 a year, and have the most awesome spam filter ever. Only ones that ever get thru are people that are on the whitelist, and get their accounts hacked.

  30.  
    Anonymous Coward, Apr 14th, 2011 @ 9:00am

    Re: Re: Re: This did little to help the owners

    They can't issue the command unless your computer is already infected with malware. In that instance the criminals are already controlling your infected machine.

    This was a clear and defined legally approved purpose. They went to court and got a court order to carry this out. It specifically included provisions regarding personal information - they believe the action would not result in the transmission of any personal information and if it did, it would be destroyed upon recognition.

  31.  
    Anonymous Coward, Apr 14th, 2011 @ 9:01am

    Re: Misleading headline

    Exactly. This entire article is completely misleading. It's as if he didn't even read the original post he linked to, and instead created his own conclusions based on no facts or evidence.

  32.  
    W. Banchs, Apr 14th, 2011 @ 9:02am

    FBI - crosses ethical lines to cut un-ethical lines

    I can understand the "greater good" mentality that prompted the FBI to seek and, let's not forget from a judge, obtain court approval to commit this act of sanctioned government trespass on private computers.

    Who's to know what else was on the payload of the programming that the FBI sent to each computer? Even if it was to monitor the life of the bot programming, it still would be an unlawful/uninvited seizure of that virtual property of the computer owners, wouldn't you think?

  33.  
    The eejit (profile), Apr 14th, 2011 @ 9:04am

    Re: Misleading headline

    Because the FBI have now tipped their hands, yes.

  34.  
    Mike42 (profile), Apr 14th, 2011 @ 9:04am

    Re: Re: Re: This did little to help the owners

    Dude, seriously. I can do it to these computers anytime I want. So can tons of hackers/crackers, white hat or black hat.

    If these systems were secure, the malware wouldn't have gotten there in the first place. Yes, you CAN harden your system and make it secure from these guys AND the feds. It's just that these people didn't.

    Chill. Breathe. No one wants your files anyway.

  35.  
    Anonymous Coward, Apr 14th, 2011 @ 9:04am

    Re:

    So.. have them police your computers instead of take care of the threat? Great.

  36.  
    Griff (profile), Apr 14th, 2011 @ 9:05am

    Re: Re: Hard Sale for stopping this activity

    Whitelists ain't much use for new customers.

  37.  
    moe, Apr 14th, 2011 @ 9:06am

    A telling detail

    I think it's telling that the FBI/ISC didn't use the same methodology used by the Dutch. When the Dutch did this, they also sent along a message to the computer (I'm guessing a pop-up/windows messaging service message) notifying the user that they were infected with malware.

    Privacy and individual rights vary from country to country. If this was a legitimate use of law enforcement authority in the U.S., why didn't the FBI/ISC pass along a message also? From a technical standpoint, there is no difference between sending this "kill" command to the malware and sending a message via the Windows Messaging Service (or some similar mechanism). The only difference between the two is that one is undetectable.

    What does that tell you?

  38.  
    Griff (profile), Apr 14th, 2011 @ 9:08am

    Re: Hard Sale for stopping this activity

    So Google does a great spam-filtering job but your corporate spam filter costs $10k.

    Hmm. Why not send corporate email through Google?
    Route it in, POP/IMAP it out. One Google user each, free.
    KISS as they say.

    Or even go the whole hog and move to Google corporate email. Saves you running a mail server too.

  39.  
    Anonymous Coward, Apr 14th, 2011 @ 9:08am

    I'm just shocked they bothered to get a court order this time.

  40.  
    lavi d (profile), Apr 14th, 2011 @ 9:09am

    Unintended Consequences

    But... when dealing with something like this, where the FBI is sending execution commands to millions of PCs, you have to assume that sooner or later, something bad is going to happen.

    Would ... you like ... to play a ... game?

  41.  
    Chuck Norris' Enemy (deceased) (profile), Apr 14th, 2011 @ 9:15am

    Re:

    screen telling the owner to call their IT dept or have the computer professionally virus-scanned and cleaned

    Do you know how many scammers are already following this scheme? Except they recommend you call them for the "professional virus-scan".

  42.  
    ServerMonkey (profile), Apr 14th, 2011 @ 9:24am

    Really?

    Ok guys... seriously? The FBI found a bot-net that was already in existence. They figured out the ports and ID schema to gain control of it. Rather than have the people "in charge of it" fry the OSes or change the access... they simply shut it down using what was already available as a tool through the bot-net program. This was a safety measure, and nothing more. They didn't hack the machines... they didn't send codes to a computer that wasn't already compromised in some way.

    As someone who does this kind of thing for a living (CEH/CPTE), please learn more before you just fly off the handle and start spouting "big brother" comments. They used a tool someone else maliciously installed in a way that prevented further issues for the time being... if you see something wrong with that, then you have serious trust issues.

  43.  
    Michael, Apr 14th, 2011 @ 9:31am

    Users

    "Malicious" software or not, who is the FBI to determine that software isn't allowed to run on my computer?

    Talk about unintended consequences - who determines that software is worthy of being killed by the FBI? What if I wanted Coreflood running on one of my machines because I was working on malware detection software?

    If they are allowed to do this, how can we ensure they will not issue a kill command to any other software they deem "Malicious" - sometimes MS Office crashes my machine - are they allowed to kill it?

    At the VERY LEAST, they should be contacting every user of every computer to determine if this is malicious software on the machine they intend to kill it on before being allowed to touch it.

  44.  
    el_segfaulto (profile), Apr 14th, 2011 @ 9:51am

    Re: All I can say is Holy Crap!!!

    In fairness, the likeliest scenario is that the FBI simply sent a predefined kill signal to the infected PCs, probably mimicking a command and control server. It's not as if they can arbitrarily send whatever commands they want to any workstation and take control (this isn't Hollywood). If there isn't software listening for that specific command on that specific port, the packet will simply rebound off into the aether.

  45.  
    Rob (profile), Apr 14th, 2011 @ 9:57am

    I felt a great disturbance in the Force, as if millions of voices suddenly cried out in terror, and were suddenly silenced...... no, hang on....they're back

  46.  
    Anonymous Coward, Apr 14th, 2011 @ 10:03am

    It's a great experiment. All governments want to control "their" people.

  47.  
    harbingerofdoom (profile), Apr 14th, 2011 @ 10:16am

    Re: Orrin Hatch

    It's unlikely that there were many actual pirates infected with this bot. The type of person that is savvy enough to fall into the category of pirate is usually savvy enough to not have bots, roots, bloatware, crapware and the like.
    It pretty much only affects the clueless general public.

    Not that your average politician would actually understand the ramifications of what I actually just said, but still....

  48.  
    Anonymous Coward, Apr 14th, 2011 @ 10:24am

    Re: Re: Re: Hard Sale for stopping this activity

    Honestly, nothing beats a good set of human eyes to see what's going on. That's the bigger problem here, IT workers want things so automatic they totally forget the value of a smart IT worker that has a pulse on what goes in and out of the network.

    Bet you didn't know that some of your mail is being routed thru DoD servers......

  49.  
    Anonymous Coward, Apr 14th, 2011 @ 10:31am

    Re: Re: Re: Hard Sale for stopping this activity

    I would also like to add that even Yahoo/AOL uses whitelists...

  50.  
    Anonymous Coward, Apr 14th, 2011 @ 10:39am

    Re: Re: Hard Sale for stopping this activity

    There are just some businesses that cannot operate 'in the cloud', without breaking a bunch of laws/contracts/rules/regulations.

    Aerospace manufacturing being one of them.

  51.  
    Anonymous Coward, Apr 14th, 2011 @ 10:48am

    Re: Really?

    Have you learned nothing in the past 10 years? The problem is, they will take it too far. They always do.

    Need I remind you that we went from Profiling at the airport to full on pat downs, all in the name of 'good'.

    Pshaw.

    Are we gonna wait until they go too far to put our foot down?

    The next issue is, I think this is all dog and pony. I think the botnet dudes have just infiltrated and pulled off the biggest social engineering exploit ever.

    Now the botnet dudes know EXACTLY how the government is set up on the inside.

  52.  
    Atkray (profile), Apr 14th, 2011 @ 10:58am

    Re:

    You must not have any elderly around you.

    I get calls from elderly neighbors weekly because of problems like this.

    Most of them have multiple antivirus programs installed and expired.

    The grand-kids click on whatever pops up on the screen.

    Frequently they have already taken the computer in to a big box store and spent $250 to repair a $300 computer running Vista Basic with insufficient memory.

    All they want to do is email and Facebook pictures of their family.

    Somehow I don't think your suggestion that they contact the author of the malware is a viable solution, especially since most of them don't even know they have malware.

    It is easy for those of us that have a little more knowledge of how computers work to say that computer users need to be more responsible, but the truth is as manufacturers have made computers easier to use the minimum requirements to be able to use one have gotten pretty low.

    The reality is many people will go through multiple computers without ever seeing a command prompt and will be glad they didn't. Expecting them to do more than turn it on and off is probably an unreasonable expectation at this time.

  53.  
    JH, Apr 14th, 2011 @ 11:03am

    Re:

    Frankly, the kill command should DISABLE all infected computers, preferably with a boot-time blue screen telling the owner to call their IT dept or have the computer professionally virus-scanned and cleaned.

    These people need a heads-up, not coddling and excuses.

    --

    Yeah...and when your car fails inspection the mechanic should pour sugar in the gas tank immediately.

  54.  
    AndyD273 (profile), Apr 14th, 2011 @ 11:12am

    FUD storm

    It's not like they are actually targeting these computers.
    "Next computer: 153.54.23.123 -kill. One down, three million to go."

    It's likely just an untargeted broadcast, using the same way that the virus writers issue commands to it.
    Which is worse, a federal agency sending a stop command to the malware on my computer, or a malicious group of thugs sending commands to my computer to do who knows what, possibly stealing private data?

    Honestly, this is semi encouraging just because they went through proper legal channels to get the court order, instead of just doing it under their own authority, like all those wiretaps.

    It's just too bad they can't put a message up on the screen warning people they are infected and advising them to run Windows Update to fix the problem.

  55.  
    identicon
    Elder-Geek, Apr 14th, 2011 @ 11:14am

    Its not your computer

    At the point your computer is compromised by a botnet, it is not really your computer anymore. The botnet owns it and allows you as a patsy to continue to use it. This is about the same as someone making a copy of your car keys and borrowing your car every night to commit crimes and gases it back up and leaves it for you in the morning.

    I am not sure how a compromised PC should be treated. But I do not think you have the same rights as with an uncompromised PC. If you don't want the FBI poking around on your computer, then you need to make sure it does not get infected. Because once it is infected, it is a threat and danger to the public and yourself: spewing out spam, being used to crack passwords, serving up illegal porn and acting as a playground for stealing your online identity and accounts.

    The minute your computer is compromised it is like going to a bad neighborhood and leaving an unlocked car with a pile of cash, a machine gun, ammo, and drugs laying around in the front seat. You have encouraged something bad to happen.

    Should the FBI have just traced the IP address and filed suit against these individuals as spammers? Should they send you a letter telling you your computer is infected and you need to spend $200 or more taking it to someone who knows what they're doing to back up your data and reinstall your OS and software?

    I think sending the kill signal is the best thing they could have done. Otherwise there is a good chance some hacker would be able to re-acquire these machines.

     


  56.  
    Anonymous Coward, Apr 14th, 2011 @ 11:19am

    Don't know if this question has been asked already, but did the FBI limit this kill command to computers only inside the US?

     


  57.  
    Josh in CharlotteNC (profile), Apr 14th, 2011 @ 11:29am

    Re: Is This A 'More Friendly' Problem

    So what ? I'm surprised some teen hackers don't do this regularly just to screw around.

    Probably not 'teen' and not 'just to screw around', but it does happen. There are various types of malware that purposely kill off other competing malware when they get on a system.

     


  58.  
    New Mexico Mark, Apr 14th, 2011 @ 11:33am

    Wow, what a difference!

    Last week my computer was acting funny. Now it's serious all the time, and wearing a dark suit and shades.

    NMM

     


  59.  
    Bruce Ediger (profile), Apr 14th, 2011 @ 11:54am

    Re: It doesn't look like the FBI is doing any programming...

    Of course the FBI isn't writing any software. Ever heard of the "Virtual Case File" fiasco? (http://spectrum.ieee.org/computing/software/who-killed-the-virtual-case-file)

    The FBI has traditionally been an all-IBM shop, in particular, an all-mainframe shop. The FBI's first website, way back when, was hosted ON A NASA MACHINE. That's right, the FBI didn't have anything that could run a web server in 1995 or so.

    The internal FBI culture probably prevents them from having anyone tech-savvy enough to do this kind of thing.

     


  60.  
    Bruce Ediger (profile), Apr 14th, 2011 @ 11:57am

    Re: Re: Misleading headline

    Sock-puppet much?

     


  61.  
    Anonymous Coward, Apr 14th, 2011 @ 12:25pm

    Re:

    Legislation is already being written for it, I'm sure. Probably being read for one final check before introducing it tomorrow.

     


  62.  
    Steve Jobs, Apr 14th, 2011 @ 12:29pm

    Botnet

    Maybe you should buy an iMac if you don't want to be hassled by botnets or the FBI.

     


  63.  
    Anonymous Coward, Apr 14th, 2011 @ 12:34pm

    Re: FUD storm

    Honestly, if I had an alert message pop up on my screen telling me my computer's been infected and giving me a link or instructions on how to repair it, I'd disregard it like every other spammy website out there trying to tell me "Your antivirus is out of date, download the new version here".

     


  64.  
    Anonymous Coward, Apr 14th, 2011 @ 12:58pm

    Re: Re: Re: Misleading headline

    Troll much?

     


  65.  
    Mike, Apr 14th, 2011 @ 1:10pm

    Re: Re:

    "All I want to do is go to the store and pick up some milk, how can I be expected to pay attention to stop signs, traffic lights, pedestrians and carjackers? All these unreasonable expectations..."

     


  66.  
    senshikaze (profile), Apr 14th, 2011 @ 1:24pm

    Re: Re: All I can say is Holy Crap!!!

    And what if the botnet program (the "virus") has a buffer overflow bug? Bugless code is hard, especially when you have to work with the constraints that malware writers have to deal with. If the FBI had found a bug and sent a formed packet that could cause the buffer overflow, now, since the virus more than likely has kernel level access, you have a Gov't agency with the ability to run arbitrary code on your machine. It isn't Hollywood, it is how damn near every exploit and hack works. All Hollywood does is shine it up and add stupid terms no one uses.

    But it's cool, I use Linux. :)

     


  67.  
    senshikaze (profile), Apr 14th, 2011 @ 1:32pm

    Re: Re:

    you don't work in IT.
    Expecting them to be able to turn it off and on IS unreasonable. I have gotten more than one person, from 20 years old to over 60, who didn't know how to turn off the damn machine they sit in front of for 40 hours a week.

    I hate people...

    (oh and your elderly neighbor, try Linux Mint. Might hit the spot.)

     


  68.  
    Charles (profile), Apr 14th, 2011 @ 1:46pm

    probably already posted but my time online is short today:

    I'm sure it has been mentioned already, but who is to say that one of the computers that was sent the kill command is not part of some system-critical piece of machinery, say a control computer for a nuclear reactor, or a computer that checks to see if the engines on a nuclear missile are non-operating? I'm half sure that the FBI thought of this, but we have definitely seen other cases of the govt doing things that have consequences beyond what they think is "possible."

     


  69.  
    moe, Apr 14th, 2011 @ 1:56pm

    Re:

    Yes, they only sent the kill command to computers with IP addresses in the US.

     


  70.  
    Any Mouse (profile), Apr 14th, 2011 @ 3:40pm

    Re: Re: Re: Re: This did little to help the owners

    And you really trust them to destroy any information they get out of this? Well, I suppose, it /is/ the government, right? After all, they're hired by us to handle these sorts of things, right?

     


  71.  
    Anonymous Coward, Apr 14th, 2011 @ 3:45pm

    Re: probably already posted but my time online is short today:

    Just so I'm clear, you are perfectly happy that the people running the botnet have their code on some critical piece of machinery and can do anything they want, but you are concerned about the govt shutting down said botnet?

    Just how much testing and care do you think the botnet creators have done to ensure critical computer systems don't fail in some horrific way because of their botnet?

     


  72.  
    Anonymous Coward, Apr 14th, 2011 @ 4:01pm

    Re: Users

    Wow. You are really an idiot.

    If the operators of the botnet had decided to shut it down, are you going to be equally upset?

    If you are working on software to detect malicious software, then take it offline. The code is going to remain on your machine whether it is online or not.

    They didn't hack into your computer and run 'pkill -9 coreflood', they issued a command through the botnet to shut it down.

     


  73.  
    Anonymous Coward, Apr 14th, 2011 @ 4:08pm

    Re: Re: The Untested kill signal

    There's no money in crashing botnet clients.

     


  74.  
    Any Mouse (profile), Apr 14th, 2011 @ 4:10pm

    Re: Re: Re:

    Not even close to analogous.

     


  75.  
    el_segfaulto (profile), Apr 14th, 2011 @ 4:19pm

    Re: Re: Re: All I can say is Holy Crap!!!

    I use Linux too (Debian and CentOS lately) and I agree completely that we're at the mercy of the agencies and that if they chose to take advantage of the same vulnerabilities that the original botnets used, we would have no recourse. In fairness though, even the Linux kernel has been shown to have vulnerabilities, though none at the level of Windows or OSX.

     


  76.  
    senshikaze (profile), Apr 14th, 2011 @ 4:24pm

    Re: Re: Re: Re: All I can say is Holy Crap!!!

    of course, of course.

    Yea, if the FBI/CIA/Whatever have not only the capability but also the backing of the courts we are all screwed.

     


  77.  
    Anonymous Coward, Apr 14th, 2011 @ 4:30pm

    Re: Re: Re: Re: This did little to help the owners

    Exactly. Find a rooted box, netstat it and check the IPs. Connect to the server, find the channel, have fun. Most of the time, the botnets have different triggers but same commandsets. Meaning once you find the trigger, you can manually shut down the botnet. It's not that hard to figure out, even without a 'reverse engineered' source/code to work off.

     

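Comment 77 above sketches the first step of finding a bot's controller from an infected box: look at what the machine is connected to. As an added example (not from that commenter and not a tool the FBI or ISC used), the following parses a `netstat -ano` listing, keeps live outbound TCP sessions to non-local addresses, groups them by owning PID, and matches sessions against a list of already-known C&C addresses. The listing, the PIDs, the addresses and the IOC set are constructed for the example, not captured from a Coreflood host.

```python
"""Triage a Windows `netstat -ano` listing for candidate C&C endpoints.
Added example: the listing and addresses below are constructed, not real captures."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed `netstat -ano` output (columns: Proto, Local, Foreign, State, PID).
# UDP rows carry no State column, and TIME_WAIT rows show PID 0 on Windows.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     3056
  TCP    192.168.1.20:49712     203.0.113.45:80        ESTABLISHED     1840
  TCP    192.168.1.20:49715     203.0.113.45:80        TIME_WAIT       0
  TCP    192.168.1.20:49713     198.51.100.7:443       ESTABLISHED     2212
  TCP    192.168.1.20:49720     192.168.1.1:445        ESTABLISHED     4
  UDP    192.168.1.20:137       *:*                                    4
"""

# RFC 1918 and other local / non-routable ranges; anything else is treated as "public".
# (Deliberately not ipaddress's is_private, which also excludes the documentation
# ranges used in this constructed sample.)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7")]


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    rhost: str
    rport: str
    state: str
    pid: int


def split_endpoint(ep):
    """'203.0.113.45:80' -> ('203.0.113.45', '80'); handles [v6]:port and '*:*'."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue                      # banner / header lines
        if f[0] == "TCP" and len(f) == 5:
            proto, local, foreign, state, pid = f
        elif f[0] == "UDP" and len(f) == 4:
            proto, local, foreign, pid = f
            state = ""
        else:
            continue                      # a layout we do not understand: skip, don't guess
        if not pid.isdigit():
            continue
        rhost, rport = split_endpoint(foreign)
        conns.append(Conn(proto, local, rhost, rport, state, int(pid)))
    return conns


def is_public(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                    # '*' or a hostname
        return False
    return not any(addr in net for net in LOCAL_NETS)


def candidate_c2(conns):
    """Live outbound TCP sessions to public addresses, grouped by owning PID."""
    by_pid = defaultdict(set)
    for c in conns:
        if c.proto == "TCP" and c.state in ("ESTABLISHED", "SYN_SENT") and is_public(c.rhost):
            by_pid[c.pid].add((c.rhost, c.rport))
    return {pid: sorted(v) for pid, v in by_pid.items()}


def pids_talking_to(conns, ioc_hosts):
    """PIDs with any session (in any state) to an address already known as C&C."""
    return {c.pid for c in conns if c.rhost in ioc_hosts and c.pid != 0}


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    for pid, remotes in candidate_c2(conns).items():
        print(pid, remotes)
    print("known C&C:", pids_talking_to(conns, {"203.0.113.45"}))
```

The grouping by PID is what turns a list of sockets into a lead: the process behind the PID (`tasklist /fi "PID eq 1840"`) is the next thing to pull, together with its image path. Note what the example does not do: it does not connect to the remote side, which is the part of comment 77 that would be interacting with someone else's server.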

  78.  
    Anonymous Coward, Apr 14th, 2011 @ 4:46pm

    What if it were your car

    If a person's car was leaving oil spills, lots of blue exhaust, and was unroadworthy, would you support the government ie. the police to get that dangerous car off the road? Would you really defend the car owner's right to drive? How would you respond to the driver's pleas that they need to get places in their car? Or can't afford to, or know how to fix it?

     


  79.  
    aldestrawk (profile), Apr 14th, 2011 @ 4:49pm

    Re: Re: All I can say is Holy Crap!!!

    I don't think it is likely that the botnet program is listening for a command that would terminate itself (i.e. terminate all the running processes associated with the botnet on that computer). A software update is one of the available commands to the botnet. The likeliest scenario is that the FBI would be sending an update to the botnet program. That update would either terminate the program directly or listen for a separate termination command.
    If the FBI can update the botnet program then it can write updates that can do anything that is permissible for the owner of the botnet processes. That might well be full administrative permission. This botnet program already has a keylogger component. It is not clear to me if the botnet is sending collected data along with its beacons or there is simply a command for the C&C server to be sent the collected data.
    In the court filing, the FBI says they are not going to collect data from any of the infected computers other than the source IP address contained in the beacon packet.

     


  80.  
    Any Mouse (profile), Apr 14th, 2011 @ 4:54pm

    Re: Really?

    You do this for a living. Nice. Ummm, you know they just shut down the client, right? If your computer reboots? Oops! There it is, again! So, it's not even a 'safety measure.'

    And 'wasn't already compromised in some way' isn't an excuse, either.

     


  81.  
    aldestrawk (profile), Apr 14th, 2011 @ 5:14pm

    Re: Is This A 'More Friendly' Problem

    The following is what the FBI, along with ISC, needed to do:

    -Allow a computer to be infected and then analyze the code via reverse engineering and by monitoring all the packets involved in communication.

    -They apparently have actually seized at least some of the C&C servers. This isn't strictly necessary. They do need to take over the domain names used by the botnet client computers to communicate with the C&C servers. The FBI seized those domain names by court order and is now using them for its own purposes here.

    A lone hacker could have done the first step but not the second. Without having access to a C&C server, a lone hacker cannot even find out the IP addresses of the other botnet clients. There is a remote possibility that a vulnerability in the C&C servers will allow code injection by a botnet client. Otherwise, that teen hacker has no hope.

     


  82.  
    aldestrawk (profile), Apr 14th, 2011 @ 5:26pm

    Re: Re: Orrin Hatch

    I don't know the Orrin Hatch pirate reference but one type of pirate is likely to be infected with malware and be part of a botnet. The pirate who isn't running a legal copy of Windows.

     


  83.  
    aldestrawk (profile), Apr 14th, 2011 @ 5:37pm

    Re: FUD storm

    The C&C could possibly use multicast addressing for the control of a botnet. I am not aware this has ever been done. A problem is that not all ISPs support multicast routing. There really isn't much of a problem having a single server control a large botnet using just unicast. I am sure the FBI is just using the same mechanism.

     

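To make concrete what comments 54, 69, 79, 81 and 83 above describe between them (bots beaconing over ordinary unicast to a C&C name that the FBI now controls, one reply per beacon rather than any broadcast, a stop sent only to US addresses, and only the source IP of each beacon being recorded), here is an added example. It is not part of the thread and is not the FBI's or ISC's code. The beacon format, the 'stop'/'noop' commands and the US_RANGES allow-list are hypothetical stand-ins: the page does not describe Coreflood's real wire protocol, its command set, or how the US-only filter was implemented.

```python
"""Minimal sinkhole for a seized C&C name.  Added example with a hypothetical
protocol: one JSON object per line in each direction.  Nothing here is Coreflood's
real format."""
import ipaddress
import json
from dataclasses import dataclass, field

STOP = b'{"cmd":"stop"}\n'
NOOP = b'{"cmd":"noop"}\n'
MAX_BEACON = 512   # bytes; capped before parsing, since anyone can send to a seized name

# Constructed allow-list standing in for a geolocation database (assumption, not the
# FBI's method).  Documentation ranges are used so the sample is obviously fake.
US_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Sinkhole:
    in_scope_nets: list
    seen_ips: set = field(default_factory=set)   # the only thing retained per beacon
    stops_sent: int = 0

    def in_scope(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.in_scope_nets)

    def handle_beacon(self, src_ip, payload):
        """Answer one bot's beacon.  Unicast: one request in, one reply out."""
        if len(payload) > MAX_BEACON:
            return NOOP
        try:
            beacon = json.loads(payload.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            return NOOP                  # garbage or a probe: say nothing useful
        if not isinstance(beacon, dict) or not isinstance(beacon.get("bot"), str):
            return NOOP
        self.seen_ips.add(src_ip)        # bot id, version etc. are deliberately dropped
        if not self.in_scope(src_ip):
            return NOOP                  # out-of-scope host: keep it beaconing, do nothing
        self.stops_sent += 1
        return STOP


def bot_beacon(bot_id, version, boot_count):
    """What an infected host sends each time the bot starts, e.g. after every reboot."""
    body = {"bot": bot_id, "ver": version, "boot": boot_count}
    return json.dumps(body).encode("ascii") + b"\n"


def bot_apply(reply):
    """Bot side: True if the bot would terminate its process on this reply."""
    try:
        return json.loads(reply.decode("ascii")).get("cmd") == "stop"
    except (UnicodeDecodeError, ValueError, AttributeError):
        return False


def simulate(sinkhole, hosts):
    """hosts: iterable of (src_ip, bot_id).  Returns {src_ip: stopped_on_last_beacon}.
    Each host beacons twice, as it would before and after a reboot: the stop has to
    be repeated because the sinkhole removed nothing from disk."""
    result = {}
    for src_ip, bot_id in hosts:
        for boot in (1, 2):
            reply = sinkhole.handle_beacon(src_ip, bot_beacon(bot_id, 1, boot))
            result[src_ip] = bot_apply(reply)
    return result


if __name__ == "__main__":
    sink = Sinkhole(US_RANGES)
    print(simulate(sink, [("203.0.113.10", "bot-a"), ("192.0.2.20", "bot-b")]))
    print("stops sent:", sink.stops_sent, "ips seen:", sorted(sink.seen_ips))
```

Two design points carry the thread's argument. First, because every bot opens its own connection to the seized name, the sinkhole never "targets" anyone; it simply answers whoever shows up, which is exactly the mechanism the original operators used. Second, the length cap and the strict parse come before anything is logged: a sinkhole on a publicly known name will receive traffic from scanners and from the people who lost the botnet, and a parser bug there would be the kind of problem comment 66 worries about, only on the server side.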

  84.  
    aldestrawk (profile), Apr 14th, 2011 @ 5:43pm

    Re: probably already posted but my time online is short today:

    The FBI could have made an attempt to clean the system of the malware completely. That can be risky since it may include system files and Registry entries for Windows. Killing a process or processes is fairly safe considering they were designed to serve the purposes of a botnet.
    I agree with anonymous coward better the FBI does this with a critical system than letting the botnet owners maintain control.

     

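Comments 80 and 84 above make the same point from two sides: a kill command only stops the running process, while whatever starts it again at boot (files, Registry entries) is left alone. Added example, not from either commenter: it parses a `reg export` of the HKCU Run key, flags entries that live in user-writable drop directories, and lists entries whose binary is not currently running, which after a kill signal is exactly the "killed now, back at next boot" case. The page does not say which autostart mechanism Coreflood actually used, so the Run key, the sample entries (including the 'msupdater' name and path) and the running-process snapshot are placeholders built for the example.

```python
"""Reconcile an autostart location against the live process list.
Added example; the registry export and process snapshot are constructed."""
import re
from dataclasses import dataclass

# Constructed output of:  reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# Real exports are UTF-16 with a BOM: open(path, encoding="utf-16") before parsing.
REG_EXPORT_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"msupdater"="C:\\Users\\alice\\AppData\\Roaming\\msupdater\\msupdater.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

# Constructed snapshot of running image paths (e.g. from `wmic process get executablepath`),
# taken after the suspicious process has been killed.
RUNNING_IMAGES = {
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"C:\Windows\explorer.exe",
}

# Heuristic only: user-writable drop directories that legitimate autoruns rarely use.
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                "\\programdata\\", "\\users\\public\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (\\ and \"); default values (@=...) are not handled.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass(frozen=True)
class Autorun:
    key: str
    name: str
    command: str
    path: str


def unescape(s):
    """Undo .reg escaping in one pass: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def extract_path(command):
    """Executable path from a command line: the quoted token, else up to the first .exe."""
    if command.startswith('"'):
        m = re.match(r'^"([^"]*)"', command)
        return m.group(1) if m else command
    m = re.match(r"^(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_reg_export(text):
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key and key.lower().endswith(("\\run", "\\runonce")):
            name, command = unescape(vm.group(1)), unescape(vm.group(2))
            entries.append(Autorun(key, name, command, extract_path(command)))
    return entries


def suspicious_autoruns(entries):
    return [e for e in entries if any(d in e.path.lower() for d in SUSPECT_DIRS)]


def dormant_autoruns(entries, running_images):
    """Entries whose binary is not running now but is still scheduled for next boot."""
    running = {p.lower() for p in running_images}
    return [e for e in entries if e.path.lower() not in running]


if __name__ == "__main__":
    entries = parse_reg_export(REG_EXPORT_SAMPLE)
    for e in suspicious_autoruns(entries):
        print("suspect location:", e.name, e.path)
    for e in dormant_autoruns(entries, RUNNING_IMAGES):
        print("not running, will start at boot:", e.name, e.path)
```

The "dormant" list is the practical answer to comment 80: after a remote kill the process is absent, the autorun entry is not, and only removing the entry (and the file it points at) changes what happens at the next reboot. The Run key is one of many autostart locations; the same reconciliation applies to services, scheduled tasks and the other places an autoruns-style tool enumerates.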

  85.  
    Mike, Apr 15th, 2011 @ 7:03am

    Re: Re:

    If my car is off attacking pedestrians without my knowledge, yes, please disable it in any manner you need to.

    The issue is not that their computers failed inspection, but that they have been hacked, owned, and are being remotely controlled to attack other people. This is indeed just cause to at the very least prevent them from booting, preferably in some manner that can be easily reversed by someone with the know-how.

     


  86.  
    Bruce Ediger (profile), Apr 15th, 2011 @ 10:43am

    Re: Re: Re: Re: Misleading headline

    Back atcha, "pal". Sock-puppeting a troll is still trolling, "Coward".

     


  87.  
    David, Apr 15th, 2011 @ 11:21am

    From across the pond

    Looking from my UK viewpoint; although I think that the sooner botnets are smashed, the better, I would certainly be uneasy about our "authorities" doing a similar thing. I'm glad to see that there was, at least, some sort of due process through a court, unlike (so I understand) the domain seizures carried out by your Homeland Security people but I still remain unconvinced that this is the best way of dismantling a botnet, in case there were unintended consequences. Perhaps there should be a specialised government department for such affairs, manned by REAL I.T. experts who know exactly what they are doing and, hopefully, can foresee any problems.

     


  88.  
    Bob Webster (profile), Apr 15th, 2011 @ 3:29pm

    If I can't or won't be secure, I would rather the FBI have control of my computer than a spammer.

     


  89.  
    wvhillbilly (profile), Apr 17th, 2011 @ 8:48pm

    Re: Re: All I can say is Holy Crap!!!

    What's really needed is software that will detect such malware on a computer and notify the user of same and give instructions how to remove it. Seems to me like virus protection software would be the ideal medium for this, and could provide the means of both cleaning out the malware and protecting against re-installation/re-infection.

     


