petzl

FBI: OPERATION: BOT ROAST


Well, great! I am glad to see that someone is notifying the owners! Now will the owners do something?

Miss Betsy


Well, great! I am glad to see that someone is notifying the owners! Now will the owners do something?

Miss Betsy

Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity
This quote leads me to believe the contact could be direct and the FBI may be trying to collect data from these machines. I may be reading too much into it, however.

This quote leads me to believe the contact could be direct and the FBI may be trying to collect data from these machines. I may be reading too much into it, however.

Some time ago I heard that the FBI had a super-duper sniffer that they could wheel into an ISP (with a warrant) and use to suck up all the traffic for later analysis. Of course, this is probably pretty old-hat by now, as I suspect I could do this same with wireshark/ethereal if they let me into the right spot in the server room.

-- rick


Personally, sounds like someone got a bit excited in creating that press release.

"We" all know about compromised computers. "We" have even documented some of them 'here' ....

However, all that information provides is the IP address of that computer. The only way to get the "owner's ID" is through the ISP involved. Most ISPs take the general TOS stand that privacy is an issue, and 'personal details' will not be provided without (in general) proper authority, paperwork, etc.

Looking at the prospect of asking some court to provide subpoena documentation to obtain "million's" of computer owner's names based on the premise of "being unknowledgeable third-parties" in the grand scheme of investigating these "bot-herders" seems a bit far-fetched.

On the other hand, an ISP receiving an 'interesting' letter from the FBI with a long list of IP addresses, dates, times, etc. with a subpoena for that data would likely result in a passing of data .... but then, it would also boil down to just what data was requested. The press-release states that "on-line contact" will not be made, so the assumption would have to be that these ignorant folks would be receiving an interesting snail-mail letter ... which seems like a tremendous waste of time .. why not go back to what "we" have always wondered about, asked for, suggested, etc. .... have the ISP cut off access for these compromised computers ?????

why not go back to what "we" have always wondered about, asked for, suggested, etc. .... have the ISP cut off access for these compromised computers ?????

Or, at least, cut 'em off from outgoing traffic on SMTP ports, and incoming traffic on HTTP ports. My employer, along with many others, already does this. Don't know why it would be so hard for an ISP. That would lower things to a dull roar, if only until the spammers figure out workarounds.

-- rick


I'm all for blocking all SMTP traffic from compromised machines and only allowing them access to a local page on the ISP's server where all the information and tools are located to allow them to clean their machines up, (possibly!).

However it seems to me that it would be more productive to chase after the numerous US servers that are controlling these tens of thousands of zombies and the 'blackhat' providers that knowingly host them.

I've just put five weeks of effort into getting a botnet controller hosted by Eonix/Infinitie.net, (ns1.search-pnd.com [66.196.43.228]), closed down & they are far from being the only company that ignores all abuse reports of this activity. Make knowingly hosting a botnet a federal crime and charge & close the companies down that aid and abet crime in this way.

The criminal involved is now back up using another botnet controller, (ns1.lp-vote.com [64.38.5.126]), hosted by FastServers, Inc. of Chicago. (Why does abuse.net come up with a Powersurge abuse address for them, by the way?- I don't believe it!). These are the people controlling the zombies & should be whacked hard & fast.


I'm all for blocking all SMTP traffic from compromised machines and only allowing them access to a local page on the ISP's server where all the information and tools are located to allow them to clean their machines up, (possibly!).

However it seems to me that it would be more productive to chase after the numerous US servers that are controlling these tens of thousands of zombies and the 'blackhat' providers that knowingly host them.

I agree with your post, but if the remote machine stays corrupted, it will likely be simple for another botnet to take it over as well, probably with no additional actions by the machine owner. Machines still need to be cleaned up or removed from the internet.

<snip>Machines still need to be cleaned up or removed from the internet.

Agreed - it has to be a two-pronged attack.

Prepared Remarks of Attorney General Alberto R. Gonzales at the Technet Intellectual Property Roundtable
http://www.standardnewswire.com/news/219401281.html

I'm not sure this is the right place for this. I'll rely on better minds than mine to file it properly.

In a case brought last month by the U.S. Attorney's Office for the Western District of Washington, Robert Alan Soloway was indicted on charges related to using botnets to send tens of millions of spam emails. Investigators dubbed Soloway the "spam King" because of the alleged scale of his operation.

In bringing cases like this one, we recognize that spam is not just an annoyance. Such hostile uses of the Internet are a very real threat, and the Department of Justice takes them very seriously.

Notwithstanding that it is understandably self-serving, ARG's release discusses what the DoJ wants the world to know/think it is doing WRT to IP Protection and Cyber Crime.

... all that information provides is the IP address of that computer.

...

Most ISPs take the general TOS stand that privacy is an issue, and 'personal details' will not be provided without (in general) proper authority, paperwork, etc.

...

That's a problem that needs to be solved. What the FBI really needs from the ISP is not personal info of a subscriber. What they need is information about the type of traffic going out of that computer that is not the subscriber's personal info. They need to have details of the kind of trojan on that machine, the kind of activity the trojan conducts and the spam going out of the particular machine (that would carry information leading directly to whoever paid money to use that trojan).

So there's a need for a way that law enforcement can ask for this info and get it without the ISP providing private information of the subscriber.

I have been following a particular Israeli spammer that seems to be sending using zombies. In every spamcop report of spams I get from this spammer I now include a request to the ISP that they inform me if they can positively identify that it really is a compromised PC. Only one ISP replied. It was a local ISP in Oklahoma. They checked the traffic out of the (dynamic) IP address that received several reports and saw that it was sending out spam and also some binary data thru some open ports, and said it was definitely an infected PC. With that I went to the Israeli police. They said they cannot do anything with spam, but using a compromised PC is a different thing, and they would investigate.

Anyway, reporting spam from zombie PCs is quite frustrating. It seems that most ISPs do not care too much since it is not affecting their mail servers and thus not affecting their subscribers' outgoing mail. What is needed is that each such IP address that can be associated with a real spam email from an identified spammer (or advertiser) be checked for abuse and then if it can be positively verified that spam advertising a product or service has been sent using a trojan horse on a PC criminal charges would be brought against the advertiser. I don't want to argue with anyone who thinks that businesses should be allowed to legally hire a spammer to send spam (I don't think they should). They certainly should not be allowed to hire a botnet to send their spam, since that is not much different from purchasing stolen goods (hiring botnet based services is purchasing stolen services and resources) so they should be punished if they do. If some advertisers go to jail for hiring botnet-based services we would see much less of that since most advertisers would be much more careful in choosing their service providers.
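Two things discussed in this thread can be sketched in code: the check the Oklahoma ISP did above (looking at what a reported dynamic IP actually sends) and the earlier suggestion to cut compromised machines off from outbound SMTP and steer them to a cleanup page on the ISP's server. This is an added example, not code from anyone in the thread or from any ISP; the flow records, the smarthost address 10.0.0.2, the cleanup-page address 10.0.0.3 and the fan-out threshold are all constructed assumptions.

```python
"""Spot likely spam zombies in constructed flow records and apply the
quarantine policy discussed in the thread. Illustrative only."""
from collections import defaultdict

ISP_SMARTHOST = "10.0.0.2"     # assumed: the ISP's own outbound mail relay
WALLED_GARDEN = "10.0.0.3"     # assumed: ISP cleanup/information page

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out).
# 10.0.0.5 mails via the smarthost like a normal subscriber; 10.0.0.9
# talks SMTP straight to 30 different remote MTAs, the zombie signature.
FLOWS = [
    ("10.0.0.5", ISP_SMARTHOST, 25, 4000),
    ("10.0.0.5", "198.51.100.7", 443, 12000),
    *[("10.0.0.9", f"203.0.113.{i}", 25, 1500) for i in range(1, 31)],
    ("10.0.0.9", "192.0.2.44", 8080, 90000),   # unexplained binary upload
]

def smtp_fanout(flows, smarthost=ISP_SMARTHOST):
    """Distinct remote SMTP servers each source contacted, ignoring the
    ISP smarthost that legitimate mail clients are expected to use."""
    dests = defaultdict(set)
    for src, dst, port, _ in flows:
        if port == 25 and dst != smarthost:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

def suspected_zombies(flows, threshold=20):
    """Sources exceeding `threshold` distinct direct-to-MX SMTP peers."""
    return sorted(s for s, n in smtp_fanout(flows).items() if n > threshold)

def egress_verdict(src, dst_port, quarantined):
    """Decision for one outbound connection from a quarantined host: no
    SMTP at all, plain HTTP redirected to the cleanup page, DNS kept
    working so that page resolves, everything else dropped until cleaned."""
    if src not in quarantined:
        return "ALLOW"
    if dst_port == 25:
        return "DROP"
    if dst_port == 80:
        return f"REDIRECT {WALLED_GARDEN}"
    if dst_port == 53:
        return "ALLOW"
    return "DROP"

if __name__ == "__main__":
    bad = set(suspected_zombies(FLOWS))
    for src, dst, port, _ in FLOWS:
        print(src, dst, port, egress_verdict(src, port, bad))
```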

<snip>

It seems that most ISPs do not care too much since it is not affecting their mail servers and thus not affecting their subscribers' outgoing mail.

<snip>

...Hmm, that seems a bit narrow of them -- if the ISP does not charge customers by bandwidth use (as seems to be the case these days, at least for non-commercial users), then all its customers and/or owners are paying for the bandwidth consumed by the spew.
