Schneier on Security
A blog covering security and security technology.

May 11, 2009

Researchers Hijack a Botnet

A bunch of researchers at the University of California Santa Barbara took control of a botnet for ten days, and learned a lot about how botnets work:

The botnet in question is controlled by Torpig (also known as Sinowal), a malware program that aims to gather personal and financial information from Windows users. The researchers gained control of the Torpig botnet by exploiting a weakness in the way the bots try to locate their command and control servers—the bots would generate a list of domains that they planned to contact next, but not all of those domains were registered yet. The researchers then registered the domains that the bots would resolve, and set up servers where the bots could connect to find their commands. This method lasted for a full ten days before the botnet's controllers updated the system and cut the observation short.

Here's the paper:

Abstract:

Posted on May 11, 2009 at 6:56 AM • 21 Comments

That should cover their research funding for the next couple of years.
Posted by: ZG at May 11, 2009 7:16 AM

UCSB's security group is consistently incredible. They're also the ones who poked all those holes in voting machines (and YouTubed it), and also won CTF at DEF CON a few times.
Posted by: bonz at May 11, 2009 7:29 AM

I'm curious why the researchers didn't attempt to destroy the botnet after the fact. Certainly they knew that it wouldn't do anyone any good to perpetuate it.
Posted by: Mat at May 11, 2009 7:30 AM

@Mat:
Posted by: Marq at May 11, 2009 8:01 AM

@Matt
Again, just some options, not saying any of those are actually, or even legitimate concerns.
Posted by: Tynk at May 11, 2009 8:17 AM

@Tynk et al., if I read well, they say in the article that they are afraid to change the behavior of the botnet, as trying to alter it could subsequently cause failure of infected systems (they mention hospital systems as an example).
Posted by: Derob at May 11, 2009 8:35 AM

Intervention in the botnet's operation could have had unexpected side effects, especially when the "mebroot" component (installed in the MBR) has the potential to prevent the OS from booting. The headlines could well have read "University of California Santa Barbara's control of Botnet nukes 180,835 computers..."

In a similar experiment the "BBC Click" programme in the UK opted to change the desktop wallpaper of the infected computers, alerting the owner to the infection and offering advice on curing the problem. http://www.bbc.co.uk/blogs/theeditors/2009/03/...

It's not unreasonable to assume that the UCSB researchers could have done something similar had the botnet's masters not intervened with the mebroot C&C server (which they still controlled).
Posted by: Mjc at May 11, 2009 8:55 AM

The interesting part of this research is that the team has collected enough data to gain insights that were impossible without taking over the botnet's command and control server. Well, one of them, as obviously the new technique of using different CC servers allows a part of the botnet to be separated from the other CC servers by sending the victims the proper responses.
Posted by: Ralph at May 11, 2009 9:29 AM

Will we ever see smart card authentication replace passwords? I would love to have the option to do that. I already carry credit/debit cards everywhere I go; it would be so worth the tradeoff to carry just one more card and know only one password...
Posted by: Karl at May 11, 2009 10:31 AM

I would like to see a university program work on a package to deploy to systems via a captured botnet to somewhat safely sanitize the zombie PC/server. A lot of research is in studying the malware; what is being done to facilitate the cure?
Posted by: -ac- at May 11, 2009 11:23 AM

The cure, much like most security issues, is training and cultural changes.
Posted by: Tynk at May 11, 2009 11:33 AM

> The cure, much like most security issues, is training and cultural changes.

Interesting philosophical discussion. Is that true? Sure, preventative medicine is good (and cheap, and all that), but what if every doctor you went to told you to suck up that cancer 'cause you shoulda stayed away from risk factors, handily outlined in this pamphlet. Now, in the future, please remember this. Same for machinery that is poorly PM'd. We don't scrap everything on principle, but fix it. Is there a plausible /theory/ of mass inoculation for computers/networks even?
Posted by: Steven Hoober at May 11, 2009 2:41 PM

@Steven Hoober
And my understanding is that whenever you buy machinery you receive a manual detailing proper procedures to allow your machine to last longer without problems. They tell you to change your oil; we tell them to run a virus scan every day/week/month. They tell them not to smoke; we tell them not to open links in emails... Same thing. Train a person how to live healthy, they live longer. Train a person to keep their car maintained, they get to drive it longer. Train a person to tread safely on the internet, they keep their computer running safely longer.
Posted by: Tynk at May 11, 2009 5:52 PM

@Karl
I think the cost of smart cards still might outweigh the cost of compromised systems, though some institutions are issuing them for their systems. I have read that engineers looking at a *different* Internet have proposed a Single Sign On ID.
Posted by: old guy at May 11, 2009 6:05 PM

Would be interested in reading good comments on the hopefully neat article on the NSA vs. West Point "hack test." See Slashdot on today's date for article links. My comment: sorry West Point, but this type of security, Fedora 8, MySQL, Apache, FreeBSD routers, is LAME. Any stock *BSD will get owned hard by NSA, and even good hackers; it just costs $! One would expect that NSA can do any scripted-up BSD on most hardware very fast. Hardware sure matters a lot, especially when you have seen some weird stuff before.
Posted by: PackagedBlue at May 11, 2009 8:44 PM

I think that the idea of replacing the desktop background of infected machines with a warning that the machine is infected and details of how to clean it up is good.
Posted by: Jonathan Wilson at May 12, 2009 1:39 AM

@Karl:
Right now, I'm carrying several cards that can be used for things like cleaning out my checking account and getting me into other trouble. However, I know a few things, like PINs and passwords, that can be used to restrict what can be done. If I carry another card in my wallet, enabling all the current ones to be used to their fullest without any restriction, I'm in real trouble if I lose my wallet.
Posted by: David at May 12, 2009 12:16 PM

@PackagedBlue
Astroturfing for Microsoft, I guess? I seriously doubt a stock OpenBSD system will get owned just like that. Is it possible? Of course, as most things in computers are. However, blanket statements that are seriously bent, have no facts and are primarily designed to promote FUD about open source seriously undermine your effort.
E
Posted by: Mr E at May 12, 2009 3:43 PM

There was a presentation about the Storm botnet at last year's Chaos Communication Congress; see here and search for stormfucker: http://events.ccc.de/congress/2008/wiki/...
.~.
Posted by: dot tilde dot at May 14, 2009 5:53 AM

>>> ... replacing the desktop background of infected machines with a warning that the machine is infected and details of how to clean it up ...

Unfortunately, a variation of this technique is already being used by hackers who put some code on web pages that tells the user that their system is infected, and points them to a site where they can purchase a "spyware and virus removal" program. Unfortunately, this program, when run, actually infects the system... (sigh) So, how is the user to know if this is a fake or an actual "you are infected" message?!?
Posted by: Bob at May 15, 2009 10:17 AM

I only skimmed the paper, but was a bit surprised not to see a note that the study had been approved by a Human Subject Review Board or similar. Is it not standard practice to have an ethics review of such research in advance, especially given the private and sensitive nature of the data expected to be collected?
Posted by: Vance at May 16, 2009 1:08 AM
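The weakness the post describes, rendezvous domains a bot derives ahead of time that nobody has registered yet, modelled from the defender's side as an added example (editor's code, not from the post or the UCSB paper). The generator, seed, TLDs and DNS log format are hypothetical and deliberately not Torpig's; the point is that whoever can run the same generator can pre-register the free domains as a sinkhole and watch DNS logs for hosts that look them up.

```python
# Added example (editor's, not from the post or the UCSB paper): a defender-side
# model of date-seeded rendezvous domains. The generator is hypothetical and is
# deliberately not Torpig's real algorithm; seed, TLDs and log lines are constructed.
import hashlib
from datetime import date, timedelta

SEED = b"hypothetical-seed"          # constructed; a real bot hard-codes its own
TLDS = (".com", ".net", ".biz")      # constructed

def candidate_domains(day, count=3):
    """Date-seeded list: every bot (and every defender) gets the same output."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        # map hex nibbles onto letters so the label is a valid DNS name
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        out.append(label + TLDS[i % len(TLDS)])
    return out

def upcoming_domains(start_iso, days_ahead):
    """Everything the bots will try from start_iso through start_iso + days_ahead."""
    start = date.fromisoformat(start_iso)
    return [d for n in range(days_ahead + 1)
              for d in candidate_domains(start + timedelta(days=n))]

def sinkhole_plan(upcoming, registered):
    """Domains still free to register: the window the researchers exploited."""
    return [d for d in upcoming if d not in registered]

def flag_dga_lookups(dns_log_lines, watchlist):
    """Detection: (client, domain) pairs where a client queried a predicted domain.
    Constructed line format: '<timestamp> <client-ip> QUERY <name>'."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) == 4 and parts[2] == "QUERY" and parts[3].lower() in watchlist:
            hits.append((parts[1], parts[3].lower()))
    return hits

if __name__ == "__main__":
    week = upcoming_domains("2009-05-11", 6)
    taken = set(week[:2])            # pretend the operators already registered these
    print("sinkhole candidates:", sinkhole_plan(week, taken))
    log = ["2009-05-11T07:01:00 10.0.0.5 QUERY " + week[3],      # constructed
           "2009-05-11T07:01:02 10.0.0.6 QUERY www.example.com"]  # constructed
    print("hosts querying predicted domains:", flag_dga_lookups(log, set(week)))
```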