FBI Hijacks Botnet, With Court Order... Then Issues Kill Signal To Millions Of Computers
from the good-samaritan-hacking? dept
For years there has been talk about the value of "good samaritan" viruses or botnets that would go out and try to delete or kill off "bad" viruses or botnets. Plenty of computing experts have, reasonably, warned that the unintended consequences of such an action could be large and dangerous. Apparently the FBI figures, why not test it out anyway? In a rather surprising move, the FBI obtained a court order allowing it to effectively hijack a large botnet, involving millions of computers, and send a "stop" command to all of those PCs that disables the malware (called Coreflood).
While the intentions here are obviously good, and it is definitely a good thing to see a large malicious botnet go dark, there are still serious concerns about this move: its legality, and the risk of unintended consequences. Do we really want to set a precedent where the FBI can send commands remotely to millions of computers? And how confident are people that the FBI's programming won't cause problems, if not this time then at some point in the future? In the filing requesting permission to do this, the FBI even pointed out that a newer version of Coreflood had been released that morning, "but that the FBI had tested the kill command against that variant and it had worked successfully." Of course, testing in the lab and deploying to millions of machines in the real world are entirely different things. There is also the concern that this is an ongoing effort: the stop command disables the running malware rather than removing it, and since Coreflood apparently reruns every time a machine is rebooted, the FBI will have to keep sending the kill signal. And while the FBI swears up and down "that this would cause no harm to computers," how confident are you that this is really the case?
Again, I recognize the importance of trying to stop botnets and take them down. Additionally, there don't appear to be any early reports of trouble or unintended consequences from this move. But... when dealing with something like this, where the FBI is sending execution commands to millions of PCs, you have to assume that sooner or later, something bad is going to happen. Does the FBI have a technical support helpdesk to help your grandparents when it kills their computer?
Reader Comments
All I can say is Holy Crap!!!
What right do they have to do that?
I hate bot-net infected computers because they cause all kinds of issues, but any way you look at it the FBI just made all those computers do what it wanted. It issued forced instructions to those computers that were executed.
Big Brother is all grown up and has just made it to college.
Re: All I can say is Holy Crap!!!
Re: Re: All I can say is Holy Crap!!!
But it's cool, I use Linux. :)
Re: Re: Re: All I can say is Holy Crap!!!
Re: Re: Re: Re: All I can say is Holy Crap!!!
Yeah, if the FBI/CIA/whatever have not only the capability but also the backing of the courts, we are all screwed.
Re: Re: All I can say is Holy Crap!!!
If the FBI can update the botnet program then it can write updates that can do anything that is permissible for the owner of the botnet processes. That might well be full administrative permission. This botnet program already has a keylogger component. It is not clear to me if the botnet is sending collected data along with its beacons or there is simply a command for the C&C server to send the collected data.
In the court filing, the FBI says they are not going to collect data from any of the infected computers other than the source IP address contained in the beacon packet.
Thinking about the consequences...
Second, it sounds like this "stop" command was programmed in by the original writers. If that's the case, the obvious reaction to this is for them to make an update that leaves out this "stop" command.
Not saying that there's a correct way of stopping a botnet, but I don't think this is it.
Is This A 'More Friendly' Problem
Re: Is This A 'More Friendly' Problem
Probably not 'teen' and not 'just to screw around' but it does happen. There are various types of malware that purposely kills off other competing malware when it gets on a system.
Re: Is This A 'More Friendly' Problem
-Allow a computer to be infected and then analyze the code via reverse engineering and by monitoring all the packets involved in communication.
-They apparently have actually seized, at least some of the C&C servers. This isn't strictly necessary. They do need to take over the domain names used by the botnet client computers to communicate with the C&C servers. The FBI seized those domain names by court order and now are using them for their own purposes here.
A lone hacker could have done the first step but not the second. Without having access to a C&C server, a lone hacker cannot even find out the IP addresses of the other botnet clients. There is a remote possibility that a vulnerability in the C&C servers will allow code injection by a botnet client. Otherwise, that teen hacker has no hope.
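The take-down mechanism described in the article and in the comment above (seize the C&C domains, point them at your own server, answer every beacon with the malware's existing stop command, keep only the beacon's source IP for ISP notification, and re-send the stop after every reboot because persistence is untouched) as an added, in-memory simulation. This is example code written for this page, not code from Techdirt, the FBI or ISC, and it makes no claim about Coreflood's real protocol: the beacon format, the `CMD:STOP` bytes, and the `Bot`, `Sinkhole` and `run_takedown` names are all constructed here. The `honors_stop=False` bot models the counter-move a later commenter predicts, a rebuilt variant with the stop handler removed.

```python
"""Sinkhole-and-stop simulation (added example, not code from the page).

Infected hosts beacon to the botnet's C&C domain; the seized domain now points
at a sinkhole; the sinkhole answers each beacon with the malware's own stop
command and retains only the beacon's source IP for ISP notification. Beacon
format, command bytes and class names are constructed for this example and
are not Coreflood's real protocol.
"""
from collections import OrderedDict

STOP = b"CMD:STOP"   # assumed stop command the malware already understands


class Sinkhole:
    """Stand-in for the seized C&C domain: answers STOP, keeps source IPs only."""

    def __init__(self):
        self.seen_ips = OrderedDict()   # src_ip -> number of beacons seen
        self.commands_sent = 0

    def handle_beacon(self, src_ip, payload):
        # The payload may carry whatever the bot collected (the page mentions a
        # keylogger component). It is neither parsed nor stored: the only thing
        # retained is the source IP, the limit the page says the court order set.
        del payload
        self.seen_ips[src_ip] = self.seen_ips.get(src_ip, 0) + 1
        self.commands_sent += 1
        return STOP

    def notification_list(self):
        """Unique infected IPs, first-seen order, to forward to ISPs."""
        return list(self.seen_ips)


class Bot:
    """Toy infected host. honors_stop=False models a rebuilt variant whose
    authors dropped the stop handler (hypothetical, for illustration)."""

    def __init__(self, ip, honors_stop=True):
        self.ip = ip
        self.honors_stop = honors_stop
        self.running = True   # the malware launches at boot (persistence)
        self.boots = 1

    def beacon(self, c2):
        """One check-in. Returns the C&C reply, or None if not running."""
        if not self.running:
            return None
        reply = c2.handle_beacon(self.ip, b"<collected data, constructed>")
        if reply == STOP and self.honors_stop:
            self.running = False   # process exits; the binary stays on disk
        return reply

    def reboot(self):
        # The stop command never touched persistence, so the bot is back after
        # every reboot and the sinkhole has to answer it all over again.
        self.boots += 1
        self.running = True


def run_takedown(bots, c2, reboots=1):
    """One beacon round, then `reboots` cycles of reboot-and-beacon.
    Returns the IPs of bots still running at the end."""
    for bot in bots:
        bot.beacon(c2)
    for _ in range(reboots):
        for bot in bots:
            bot.reboot()
            bot.beacon(c2)
    return [bot.ip for bot in bots if bot.running]


if __name__ == "__main__":
    # Constructed sample population: two stock bots, one stop-less variant.
    c2 = Sinkhole()
    bots = [Bot("192.0.2.10"), Bot("192.0.2.11"),
            Bot("198.51.100.7", honors_stop=False)]
    still_running = run_takedown(bots, c2, reboots=2)
    print("still running:", still_running)          # only the variant
    print("stop commands sent:", c2.commands_sent)   # 3 bots x 3 rounds = 9
    print("IPs for ISP notification:", c2.notification_list())
```

Two things the run makes concrete: the sinkhole has to answer the same host again after every reboot, so "stop commands sent" grows with uptime cycles rather than staying at one per host, and a variant that simply ignores the command keeps running while still showing up in the notification list. The sinkhole also deliberately discards the beacon body, which is the practitioner's check on the "source IP only" constraint the page reports.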
This did little to help the owners
Not likely. The machines are probably infected with multiple pieces of malware (such is generally the case with machines like this), and the owners have learned nothing from this exercise.
Notification and education should be the proper solution, not "let us clean this up for you without your knowledge".
Re: This did little to help the owners
Also, notification IS in the works. The ISC is recording IP addresses connecting to their new C&C servers and forwarding those lists onto ISPs, who can then notify their customers.
Re: Re: This did little to help the owners
Re: Re: Re: This did little to help the owners
This was a clear and defined legally approved purpose. They went to court and got a court order to carry this out. It specifically included provisions regarding personal information - they believe the action would not result in the transmission of any personal information and if it did, it would be destroyed upon recognition.
Re: Re: Re: This did little to help the owners
If these systems were secure, the malware wouldn't have gotten there in the first place. Yes, you CAN harden your system and make it secure from these guys AND the feds. It's just that these people didn't.
Chill. Breathe. No one wants your files anyway.
Orrin Hatch
Re: Orrin Hatch
It pretty much only affects the clueless general public.
Not that your average politician would actually understand the ramifications of what I just said, but still....
These people need a heads-up, not coddling and excuses.
Re:
Do you know how many scammers are already following this scheme? Except they recommend you call them for the "professional virus-scan".
Re:
These people need a heads-up, not coddling and excuses.
--
Yeah...and when your car fails inspection the mechanic should pour sugar in the gas tank immediately.
Re: Re:
The issue is not that their computers failed inspection, but that they have been hacked, owned, and are being remotely controlled to attack other people. This is indeed just cause to at the very least prevent them from booting, preferably in some manner that can be easily reversed by someone with the know-how.
If this sort of thing begins to take off, then how long will it be before some paid-for Senator decides to get P2P software classified as "malware" so the FBI can hack into your machine to shut it down?
The Untested kill signal
We should all hope this court order is a one off and not a precedent.
If your grandparents are having problems with their malware, they should contact the malware's author, not the FBI.
Re:
I get calls from elderly neighbors weekly because of problems like this.
Most of them have multiple antivirus programs installed and expired.
The grand-kids click on whatever pops up on the screen.
Frequently they have already taken the computer in to a big box store and spent $250 to repair a $300 computer running Vista basic with insufficient memory.
All they want to do is email and facebook pictures of their family.
Somehow I don't think your suggestion that they contact the author of the malware is a viable solution, especially since most of them don't even know they have malware.
It is easy for those of us that have a little more knowledge of how computers work to say that computer users need to be more responsible, but the truth is, as manufacturers have made computers easier to use, the minimum requirements to be able to use one have gotten pretty low.
The reality is many people will go through multiple computers without ever seeing a command prompt and will be glad they didn't. Expecting them to do more than turn it on and off is probably an unreasonable expectation at this time.
Re: Re:
Expecting them to be able to turn it off and on IS unreasonable. I have gotten more than one person, from 20 years old to over 60 who didn't know how to turn off the damn machine they sit in front of for 40 hours a week.
I hate people...
(oh and your elderly neighbor, try Linux Mint. Might hit the spot.)
It doesn't look like the FBI is doing any programming...
The real action comes with the Microsoft Malicious Software Removal Tool. This is distributed via Windows Update and has been for years.
I'd be a bit more wary if the FBI was taking some kind of active or invasive action on the compromised systems (e.g. distributing a new program to 'fix' the problem), but they're just issuing a stop command. The ISC is logging the IP addresses of infected systems and sending those lists on to ISPs so the owners can be informed. I'm all kinds of wary about the FBI interfering with private systems and concerned about unintended consequences, but this all seems really benign.
Re: It doesn't look like the FBI is doing any programming...
The FBI has traditionally been an all-IBM shop, in particular, an all-mainframe shop. The FBI's first website, way back when, was hosted ON A NASA MACHINE. That's right, the FBI didn't have anything that could run a web server in 1995 or so.
The internal FBI culture probably prevents them from having anyone tech-savvy enough to do this kind of thing.
But.. but... cyber-warfare
a) The ability of foreign powers to shut down power plants and other computer-based infrastructure over the internet is not real, and therefore this course of action is safe but your demands for more power are based on lies.
OR
b) Whoops - you accidentally disabled the control system of a nuclear power plant because it was infected with a botnet.
Seems someone else was doing that and it worked kind of well.
"Oh Noes...more people eating Mike and Ikes, we definitly have a drug problem" send in the troops"
jumping to conclusions ....
If it is a case of "targeting" the infected machine then we have a problem.
In other words, if my IP gets wrongly targeted and has no code for the botnet, and that's the code they are sending, then no harm. If they are sending something to my computer because they THINK the botnet is there, that's an issue.
Hard Sale for stopping this activity
You have Millions of people screaming about SPAM, and malware, and bandwidth consumption etc... Lots are screaming at congress to do something about all this etc...
A legitimate and secure network and PC is at no risk of the FBI issuing THIS command to stop because you or your IT staff would have already removed the MalWare. So screaming about the FBI issuing this stop order on this malware isn't going to get you far.
In the end, like it or not, you're likely to see more and more of this from the Government, all in the name of "security."
---------
Personally I have mixed feelings about it. My GMail account's spam filter has 2600+ emails in the SPAM box, that's the highest I have seen it in several years and it's only the past 30 days too. Obviously Google's filter is doing well, but my corporate email server is still bombarded with all this same SPAM, and I cannot afford the $10k/yr that the SPAM filter companies want to extort from my company, and they still don't do anything to reduce the bandwidth I have to pay for so this crap can attempt to hit my servers.
It sucks that the FBI did this, but it's obvious that the owners of the PCs in the Bot-Net don't give a rats ass about the damage they are doing because they have done nothing to secure their computers.
Re: Hard Sale for stopping this activity
I'd amend that a bit. I'm sure some (a lot?) of it is more along the lines of ignorant users (e.g., the computer illiterates) that don't even know their PCs are causing damage. It's not that they don't care - they just don't realize that the toy water gun they keep pointing at the internet has live ammo loaded in it.
Re: Hard Sale for stopping this activity
Re: Re: Hard Sale for stopping this activity
Re: Re: Re: Hard Sale for stopping this activity
Bet you didn't know that some of your mail is being routed thru DoD servers......
Re: Hard Sale for stopping this activity
Hmm. Why not send corporate email through google ?
Route it in, pop/IMAP it out. One google user each, free.
KISS as they say.
Or even go the whole hog and move to Google corporate email. Saves you running a mail server too.
Re: Re: Hard Sale for stopping this activity
Aerospace manufacturing being one of them.
Ummm, wow.
I'm happy the FBI hijacked -- in the truest definition of the word -- the botnets and killed the clients. Did it solve a minor issue? Yep. Is it an invasion? Nope. That conduit already existed. The FBI closed it. Thank them, for Pete's sake.
Your fears are largely misplaced. Instead of blaming a system that allows shitbirds to run botnets with impunity, you blame a government entity for *possibly* inducing a side-effect to a largely beneficial act. That's like blaming vaccines for the plague.
-C
FBI - crosses ethical lines to cut un-ethical lines
Who's to know what else was on the payload of the programming that the FBI sent to each computer? Even if it was only to monitor the life of the bot programming, it still would be an unlawful/uninvited seizure of the virtual property of the computer owners, wouldn't you think?
A telling detail
Privacy and individual rights vary from country to country. If this was a legitimate use of law enforcement authority in the U.S., why didn't the FBI/ISC pass along a message also? From a technical standpoint, there is no difference between sending this "kill" command to the malware and sending a message via the Windows Messaging Service (or some similar mechanism). The only difference between the two is that one is undetectable.
What does that tell you?
Unintended Consequences
Would ... you like ... to play a ... game?
Really?
As someone who does this kind of thing for a living (CEH/CPTE), please learn more before you just fly off the handle and start spouting "big brother" comments. They used a tool someone else maliciously installed in a way that prevented further issues for the time being... if you see something wrong with that, then you have serious trust issues.
Re: Really?
Need I remind you that we went from Profiling at the airport to full on pat downs, all in the name of 'good'.
Pishaw.
Are we gonna wait until they go too far to put our foot down?
The next issue is, I think this is all dog and pony. I think the botnet dudes have just infiltrated and pulled off the biggest social engineering exploit ever.
Now the botnet dudes know EXACTLY how the government is set up on the inside.
Re: Really?
And 'wasn't already compromised in some way' isn't an excuse, either.
Users
Talk about unintended consequences - who determines that software is worthy of being killed by the FBI? What if I wanted Coreflood running on one of my machines because I was working on malware detection software?
If they are allowed to do this, how can we ensure they will not issue a kill command to any other software they deem "Malicious" - sometimes MS Office crashes my machine - are they allowed to kill it?
At the VERY LEAST, they should be contacting every user of every computer to determine if this is malicious software on the machine they intend to kill it on before being allowed to touch it.
Re: Users
If the operators of the botnet had decided to shut it down, are you going to be equally upset?
If you are working on software to detect malicious software, then take it offline. The code is going to remain on your machine whether it is online or not.
They didn't hack into your computer and run 'pkill -9 coreflood', they issued a command through the botnet to shut it down.
FUD storm
"Next computer: 153.54.23.123 -kill. One down, three million to go."
It's likely just an untargeted broadcast, using the same way that the virus writers issue commands to it.
Which is worse, a federal agency sending a stop command to the malware on my computer, or a malicious group of thugs sending commands to my computer to do who knows what, possibly stealing private data.
Honestly, this is semi encouraging just because they went through proper legal channels to get the court order, instead of just doing it under their own authority, like all those wiretaps.
It's just too bad they can't put a message up on the screen warning people they are infected and advising them to run Windows Update to fix the problem.
Its not your computer
I am not sure how a compromised PC should be treated. But I do not think you have the same rights as with an uncompromised PC. If you don't want the FBI poking around on your computer. Then you need to make sure it does not get infected. Because once it is infected, it is a threat and danger to the public and yourself. Spewing out spam, being used to crack passwords, serve up illegal porn and as a playground for stealing your online identity and accounts.
The minute your computer is compromised it is like going to a bad neighborhood and leaving an unlocked car with a pile of cash, a machine gun, ammo, and drugs laying around in the front seat. You have encouraged something bad to happen.
Should the FBI have just traced the IP address and filed suit against these individuals as spammers? Should they send you a letter telling you your computer is infected and you need to spend $200 or more taking it to someone who knows what they're doing to back up your data and reinstall your OS and software?
I think sending the kill signal is the best thing they could have done. Otherwise there is a good chance some hacker would be able to re-acquire these machines.
Wow, what a difference!
NMM
probably already posted but my time online is short today:
Re: probably already posted but my time online is short today:
Just how much testing and care do you think the botnet creators have done to ensure critical computer systems don't fail in some horrific way because of their botnet?
Re: probably already posted but my time online is short today:
I agree with anonymous coward better the FBI does this with a critical system than letting the botnet owners maintain control.