Dutch Botnet

Back in October, the Dutch police arrested three people who created a large botnet and used it to extort money from U.S. companies. When the trio was arrested, authorities said that the botnet consisted of about 100,000 computers. The actual number was 1.5 million computers.

And I've heard reports from reputable sources that the actual actual number was "significantly higher."

And it may still be growing. The bots continually scan the network and try to infect other machines. They do this autonomously, even after the command and control node was shut down. Since most of those 1.5 million machines -- or however many there are -- still have the botnet software running on them, it's reasonable to believe that the botnet is still growing.

Posted on December 22, 2005 at 8:18 AM • 30 Comments

Comments

xprsg • December 22, 2005 8:59 AM

Would it be too controversial, or a legally impossible job, to have the botnets self-destruct, considering the fact that the command and control centers are now in proper (a very disputable term) control?

Vince • December 22, 2005 9:33 AM

Might it be possible to check that nothing can go wrong? For example, by analyzing the source code of the bot? I suppose it was on these people's computer.

Alrayyes • December 22, 2005 9:39 AM

While these people were caught because they were trying to extort money, I think this is just a taste of things to come.

Imagine someone doing this for fun (or malice) instead of profit. With a little imagination (and maybe a tad of A.I.) you could make an army of bots do all sorts of fun (or destructive) things of their own accord. As long as you release your bots anonymously (i.e. internet cafe, open wifi router, etc.) and no longer contact the network, you have little chance of being caught.

Imagine a bot that checks your inbox and cut/pastes random mails together to send to spam/DOS someone. A spam filter would have a lot of trouble separating legitimate mail from malicious ones.

Mike Sherwood • December 22, 2005 9:40 AM

The machines exist and are already compromised. There should be some legal protection offered for someone to make a good faith effort to help resolve the problem.

Self-destruct seems dangerous, but how about some sort of notification? The problem with the botnets is that the participants are unaware of their involvement, and will continue to be unaware until they are notified.

Fear of liability is a recurring excuse for failing to do anything about a problem. To paraphrase someone, the only thing necessary for evil to prosper is for good men to do exactly what our society demands of us right now.

Bruce Schneier • December 22, 2005 10:20 AM

"Imagine someone doing this for fun (or malice) instead of profit."

I think profit is the primary motivator, though.

What else can you do with that kind of botnet farm for profit? Extortion. Sending spam. Phishing. What else?

Adam • December 22, 2005 10:39 AM

Assuming that control of the machines can be assumed, would it be less risky to persuade them to alert their operators as to their status than to disable the malware directly?

Mike Sherwood • December 22, 2005 10:47 AM

"What else can you do with that kind of botnet farm for profit? Extortion. Sending spam. Phishing. What else?"

DDOS for reasons other than extortion. As much as I hate everything being called terrorism these days, a group of people with a divergent political agenda could create a notable impact with this kind of botnet.

How many nodes did it take for the previous large scale DDOS attacks against major companies? I would think 10,000 nodes would go a long way towards creating a significant problem for a handful of selected targets. This botnet would allow for 150 such attacks, so they could be distributed over time as well as over machines. An attack that lasts a month would be significant. If it were aimed at financial institutions, I think a lot of people would feel the impact.

Fred Page • December 22, 2005 10:52 AM

"What else can you do with that kind of botnet farm for profit? Extortion. Sending spam. Phishing. What else?"

Anything that requires a lot of computational power, and/or many connections. Cracking (weakly) encrypted messages, warfare simulations, tests of large numbers of variants of malware, AL programming, R&D, creating DOS-style attacks, the list goes on. I can think of a number of second and third-world militaries, for example, that might like this sort of computing power.

AG • December 22, 2005 11:18 AM

"What else can you do with that kind of botnet farm for profit? Extortion. Sending spam. Phishing. What else?"

What about advertising? Or marketing research?

There must be hundreds of legitimate uses.

ALSO, what about renting your system out to a large organization that wants to use your processing power (along with millions of other subscribers) when you are not using your system?
For instance, I'm at work all day; why can't I sign up my machine to be working also?

Seriously, I think it is a great idea. Build a large distributed processing system and pay the nodes a fraction of what a real supercomputer would cost. Thoughts?

Davi Ottenheimer • December 22, 2005 11:20 AM

@ Fred Page

I agree. The ironic thing is most mid to large size enterprises have a heck of a time trying to manage Windows systems remotely and leverage all the idle cycles. Goodbye big fat slow client software and hello kiss-bots -- companies (rather than criminals) should realize the opportunities of distributed computational power.

Daedala • December 22, 2005 12:04 PM

'"Marketing research" is an interesting idea. The botnet could be rented out to companies who want to know what people do on their computers.'

Don't say things like that! Someone might think you mean it!

spamfighter • December 22, 2005 12:09 PM

Bots have been discussed extensively on various spam-related mailing lists/newsgroups. Consensus best estimate (with input from people who have visibility into large system populations) is 100M worldwide and growing; growth rate estimated at 150K to 200K per day on average, with spikes corresponding to various events, e.g., the Microsoft Windows worm/virus-of-the-day.

All kinds of interesting mischief has been observed. For example: some spammers are hosting (many copies of) their web sites on bots and using rapidly-updating DNS to (a) distribute the load and (b) minimize the loss-of-service effects generated by down, offline, or cleansed systems. Of course the next logical extension is to use the bots for DNS as well, and that's being done as well. These approaches seem to be particularly popular with spammers hawking various forms of illicit content, as they're well aware that the (former) owners of the hijacked systems are most likely to be left holding the bag should this be noticed.

Oh. Nearly forgot. Carefully coordinated spam delivery attempts from many systems worldwide are now commonplace. I see thousands of instances per day involving anywhere from 4 to 16 systems, scattered all over the world, each attempting to deliver the same spam to the same address, making the attempts within a 20-second to 8-minute window (usually).

I've been using OpenBSD's passive OS fingerprinting to classify these systems as best as I can. In two years' worth of monitoring, I've observed only (a) Windows systems (accounting for well in excess of 99% of connecting systems) and (b) unidentified systems -- probably Windows with a TCP stack that pf doesn't know about. In other words: the bot problem appears to me to be, at this time, a Windows-only problem.
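The coordinated-delivery pattern spamfighter describes above (the same spam to the same address from 4 to 16 hosts inside a 20-second to 8-minute window) can be turned into a simple mail-log check. This is an added example, not code from the post or its commenters; the log line format, the message fingerprint field and the addresses are all constructed here, and a single host retrying or hosts spread over hours are deliberately not flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one delivery attempt per line:
# "<ISO timestamp> <source IP> <recipient> <message fingerprint>".
# The fingerprint stands in for a digest of the message body (an assumption,
# not a field any particular MTA emits). Addresses are documentation ranges.
SAMPLE_LOG = """\
2005-12-22T08:00:00 203.0.113.10 alice@example.org f1e2d3
2005-12-22T08:00:05 198.51.100.7 alice@example.org f1e2d3
2005-12-22T08:01:10 192.0.2.44 alice@example.org f1e2d3
2005-12-22T08:03:30 203.0.113.99 alice@example.org f1e2d3
2005-12-22T08:00:01 198.51.100.3 bob@example.org aa11bb
2005-12-22T08:00:02 198.51.100.3 bob@example.org aa11bb
2005-12-22T08:00:03 198.51.100.3 bob@example.org aa11bb
2005-12-22T08:00:04 198.51.100.3 bob@example.org aa11bb
2005-12-22T08:00:00 192.0.2.1 carol@example.org 9988cc
2005-12-22T08:10:00 192.0.2.2 carol@example.org 9988cc
2005-12-22T08:20:00 192.0.2.3 carol@example.org 9988cc
2005-12-22T08:30:00 192.0.2.4 carol@example.org 9988cc
"""

def find_coordinated_deliveries(log_text, min_sources=4, window=timedelta(minutes=8)):
    """Return (recipient, fingerprint, distinct_sources, span_seconds) for each
    (recipient, fingerprint) pair delivered by >= min_sources distinct hosts
    inside one sliding window of length `window`."""
    groups = defaultdict(list)  # (recipient, fingerprint) -> [(time, source)]
    for line in log_text.splitlines():
        ts, src, rcpt, fp = line.split()
        groups[(rcpt, fp)].append((datetime.fromisoformat(ts), src))
    findings = []
    for (rcpt, fp), attempts in groups.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            # Slide the window start forward until attempts[start..end] fit.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            hosts = {src for _, src in attempts[start:end + 1]}
            if len(hosts) >= min_sources:
                span = (attempts[end][0] - attempts[start][0]).total_seconds()
                if best is None or len(hosts) > best[0]:
                    best = (len(hosts), span)
        if best is not None:
            findings.append((rcpt, fp, best[0], best[1]))
    return findings

if __name__ == "__main__":
    for hit in find_coordinated_deliveries(SAMPLE_LOG):
        print("coordinated delivery:", hit)
```

Only alice's message is reported: bob's four attempts come from one host, and carol's four hosts are ten minutes apart, outside the window.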

Roy Owens • December 22, 2005 12:41 PM

Assuming the bot could easily glean the identity of the machine's user, then access could be sold to interested parties -- again and again and again.

The great bulk of those users would be unimportant, but some names would stand out.

If one of the names on the list belonged to a Supreme Court judge, a Congressional whip, a Cabinet member, a Lieutenant Governor -- and so on -- does anyone think there wouldn't be a market for that access?

Reading a judge's informal communication would likely reveal more about upcoming decisions than formal communication. The same set of emails could be sold to a large number of buyers.

Not only could information be retrieved, it could be inserted. Want to destroy the reputation -- and political future -- of your greatest political opponent? Create a secret directory on his computer, upload a few hundred megabytes of kiddie porn, and inform the authorities.

For a chilling thought, think of a Donald Segretti of the Internet age.

another_bruce • December 22, 2005 1:26 PM

@mike sherwood
it was edmund burke who said that. burke said something else also relevant to security:
"the essence of economy lies not in savings, but in selection."
@fred page
a newly rehabilitated white-hat botnet can be used for all kinds of distributed computing projects. if you like mathematics, check out www.mersenne.org, home of the project which has found several of the largest known prime numbers, the mersenne numbers (2 raised to the power of a prime number, minus 1). many links to other interesting projects on there.

peachpuff • December 22, 2005 2:15 PM

"What else can you do with that kind of botnet farm for profit? Extortion. Sending spam. Phishing. What else?"

Selling it. Not just renting it, but an outright sale.

Rob Mayfield • December 22, 2005 2:33 PM

@Bruce S: "What else can you do with that kind of botnet farm for profit? Extortion. Sending spam. Phishing. What else?"

Distribution? One very successful use of distributed systems to date has been file distribution - napster, kazaa, etc - just add the 'user x has paid, now you can download from someone nearby' code and large download sites can potentially become small(er) seed sites with lots of helpers ...

I. Thoughtso • December 22, 2005 2:42 PM

@spamfighter

It would be interesting if you published a report of your findings.

IMHO this is the kind of TCO we all must bear for having an OS monopoly.

Srijith • December 22, 2005 4:02 PM

I had the chance to listen to a presentation by a guy from the Netherlands National High Tech Crime Center who was involved directly with the crackdown on the group.

At the end of the presentation he was asked whether it would be much easier to send a self-destruct payload to the zombie machines. His response was that while it might be easier technically, it is a minefield when it comes to legal matters. Since the zombies are distributed across several countries with different levels of IT laws, it is just cleaner to contact counterparts like CERTs or ISPs and ask their help in disabling the machines.

Moz • December 22, 2005 4:21 PM

@bruce & xprsg

The original article does mention that they began to "dismantle" the botnet. I imagine that means terminating the bot process? Isn't that what you expect them to do? Or are you expecting them to destroy the end system?

What security were the bot herders using? Is there any real reason to believe that others could not gain control of the network?

Other things a bot net might do: click through fraud. Sell clicks to web sites with banner advertising. Since you have millions of unique addresses, it's impossible to tell which ones are fraudulent. Alternatively, hunt the web for competitor's/potential blackmail victim's adverts and click through those to use up their advertising budget.

Tom • December 22, 2005 9:04 PM

I've often thought about what creative things people could do with worms and such huge networks... why not inject an anti-virus program into the botnet, or at the very least some sort of notification to the user to let them know how to fix and protect their computer? Although even if your intentions are good, it's probably not legal.

Someone also mentioned distribution. Turn the botnet into a huge p2p storage network. Again, even more illegal.

My point is these people aren't very creative, there's much more potential, good and bad.

Jason M. • December 23, 2005 3:26 AM

@AG:

>> "What else can you do with that kind of botnet farm for profit? Extortion. Sending spam. Phishing. What else?"
> What about advertising? Or marketing research?
> There must be hundreds of legitimate uses.

I think many of us here would be of the opinion that advertising and marketing research are dubiously "legitimate."

Dave Walker • December 23, 2005 5:44 AM

"What else can you do with that kind of botnet farm for profit? Extortion. Sending spam. Phishing. What else?"

Supercomputing.

Consider software which drives and manages / distributes jobs on Grid environments, and which is able to readily handle nodes appearing and disappearing. Such node behaviour closely parallels the situation of compromised systems being periodically connected to and disconnected from the Internet by their legitimate owners.

For the types of supercomputing workload which parallelise well, a botnet would be an excellent resource. For example, the various fine folk who use spare cycles knowingly donated by system owners to look for signs of extraterrestrial intelligence, brute-force crypto algorithms and perform molecular model manipulation in the search for new medicines could benefit significantly from a botnet of this size if they weren't law-abiding.

There may be other ongoing research by other groups which we'd sooner not donate cycles to, and who instead could benefit by hijacking cycles without legitimate system owners' knowledge.

Ethos • December 23, 2005 11:07 AM

"What else can you do with that kind of botnet farm for profit? Extortion. Sending spam. Phishing. What else?"

Along the 'supercomputing' line... let's see... we have 1.5 million machines and each can have three failed login attempts? Or was it five? Hmmm....

Anonymous • December 23, 2005 12:09 PM

"What else can you do with that kind of botnet farm?"
just for horror:
Neural network! Heil new overlord!
seriously, it could be possible to do some really interesting artificial intelligence experiments. My fav. horror story is something like a chess computer finding the best move for its own survival.

Anonymous • December 23, 2005 12:11 PM

p.s. today it is not possible to make real artificial intelligence, but what about tomorrow?

Brian • December 23, 2005 1:22 PM

"What else can you do with that kind of botnet farm for profit?"

Crack DES keys very quickly. Cracking the krbtgt for a corporation's Kerberos infrastructure could be profitable (tons of sites still have DES enabled). There are probably some companies engaged in corporate espionage that would love to get the keys to their competitor's kingdom...
