Musings: Would it be possible to notify zombies?

I’ve been reading a Register story about disabling botnets.

The story's writer advocates disabling botnets: essentially hacking them and shutting them down. But wouldn't those bots get herded into another botnet pretty quickly, unless the hole was patched? Machines belonging to people who allow their machines to get infected would probably get infected with something else pretty quickly.

Would it be possible for anyone who's good enough to log into a botnet to send a big popup to the computer, telling the owner that it's infected and exhorting him/her to do a full reinstall? Maybe with a link to an article at a very prestigious site where they could read more?

Just a theory…

9 Responses to “Musings: Would it be possible to notify zombies?”

  1. Joe Says:

    Long ago I read something on this topic. It was someone doing just what you suggest. The problem was, he was sometimes getting accused of hacking the computers himself even though he was using an already open hole and was trying to prevent further abuse of their system.

  2. Administrator Says:

    Soo… The perfect outfit to do this would be the FBI, then…

  3. Joe Says:

    Even better would be the ISP. Like I said in another comment recently, government agencies have more important things to deal with (such as finding missing kittens) than warning individual computers on a botnet. Some major ISPs were disabling internet access to those customers that were found to be on botnets. They could easily redirect any network access to a page explaining that their computers are infected and offer free support and tools to clean it.
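    The ISP-side mechanism Joe describes (spot infected subscribers from the network's own vantage point, then divert them to an explanatory page rather than touching the machine) can be sketched as detection logic over flow records. This is an added example and not code from the post or any ISP; the flow records, the command-and-control indicator list (TEST-NET addresses) and the help-page URL are all constructed placeholders, and the threshold on distinct C2 endpoints is an assumption chosen to limit false positives from a single stray connection.

```python
"""ISP-side zombie detection with a walled-garden response (added example).

Models the mechanism described in the comment above: flag subscribers whose
traffic reaches known command-and-control endpoints, then emit a redirect
policy that sends their web traffic to a page explaining the infection.
All addresses, indicators and URLs below are constructed placeholders.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed C2 indicator list (TEST-NET addresses, not real indicators).
# In practice this would come from a threat-intelligence feed.
KNOWN_C2 = {
    ("203.0.113.10", 6667),   # IRC-style C2 channel
    ("203.0.113.44", 8080),
    ("198.51.100.7", 443),
}

# Constructed NetFlow-like records: "subscriber_ip dst_ip dst_port bytes".
# One malformed line is included to show the parser skipping it.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 6667 412
10.0.0.5 93.184.216.34 443 15231
10.0.0.5 203.0.113.44 8080 980
10.0.0.9 93.184.216.34 80 2210
10.0.0.12 203.0.113.10 6667 300
malformed line here
10.0.0.12 203.0.113.10 6667 301
"""

WALLED_GARDEN_URL = "https://example.invalid/infected-help"  # placeholder


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping lines that don't fit."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, nbytes = parts
        try:
            flows.append(Flow(src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue
    return flows


def c2_contacts(flows):
    """Map each subscriber IP to the set of distinct C2 endpoints it reached."""
    contacts = defaultdict(set)
    for f in flows:
        if (f.dst, f.dport) in KNOWN_C2:
            contacts[f.src].add((f.dst, f.dport))
    return dict(contacts)


def suspected_zombies(flows, min_distinct_c2=2):
    """Subscribers that reached at least `min_distinct_c2` distinct C2 endpoints.

    Requiring more than one endpoint avoids flagging a host for a single
    connection (a researcher, a shared hosting IP on the list, a typo).
    Returned in numeric IP order.
    """
    contacts = c2_contacts(flows)
    flagged = [ip for ip, eps in contacts.items() if len(eps) >= min_distinct_c2]
    return sorted(flagged, key=ipaddress.ip_address)


def walled_garden_policy(zombie_ips):
    """Build per-subscriber redirect entries for the notification page."""
    return [
        {
            "subscriber": ip,
            "action": "redirect-http",          # only web traffic is diverted
            "redirect_to": WALLED_GARDEN_URL,
            "reason": "contacted known botnet C2 endpoints",
        }
        for ip in zombie_ips
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for entry in walled_garden_policy(suspected_zombies(flows)):
        print(entry)
```

    With the constructed records, 10.0.0.5 is flagged (two distinct C2 endpoints) while 10.0.0.12 is not, since it only repeated contact with one endpoint; lowering `min_distinct_c2` to 1 flags both. The point of the threshold is that the redirect is a customer-facing action, so a single hit should not trigger it.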

  4. Administrator Says:

    To Joe:
    Yeah, but that is a completely different mechanism. That’s detecting zombies on your net, and setting up a redirection. It’s fundamentally different from doing it from the hub of the botnet.

  5. Joe Says:

    In that case, the FBI does sound better, but they may have to be careful. They are supposed to deal only with things in the US. I suspect most botnet hubs are outside the country.

    But the end result is the same if all ISPs, or even just the big ones, would do it, and it is more likely to have anything done about it. If you get a popup from someone claiming to be the FBI, wouldn't you ignore it as a scam? They would have to get ISP records of each botnet computer and write/phone the owners to tell them of their infection, which involves privacy issues if done without a subpoena. Usually just informing victims will do no good, though a letter from the FBI might. That is why the ISP cutting off their access is the only solution.

  6. Karlston Says:

    You make a significant point… that if the zombies are vulnerable to infection, then they are also vulnerable to disinfection.

    I agree with the other posters that ISPs should take a greater responsibility to identify and remove/disinfect zombie PCs on their network. Sadly, many couldn't care less; as long as the zombie owners pay their monthly fee, the ISP is happy.

  7. Lemat Says:

    Well, I have been thinking of making "disinfection" work as any other internet protocol, like e.g. HTTP:
    1) there is a zombie out there
    2) it connects to the "server" to a) send spam, b) probe ports, c) etc.
    3) the server detects that this "client" is a zombie (just like User-Agent detection)
    4) the server sends "data" to the client
    5) the zombie receives the data and does whatever is needed (cleans itself)

    If you have a big banner on the server's forehead saying "connecting here causes your zombie to get disinfected", there will be no problem with the FBI guys.

  8. The Preacher Says:

    I doubt that popping up a helpful message would be very useful. I’ve seen users who are willing to click through any warning they see as long as the computer itself still seems functional. I think this is made worse by the companies who use banner adverts that resemble Windows system alerts and warn the customer about fictional issues to get them to visit a web site.

    It’s a shame that the best technical solutions are probably the most illegal ones ;-)

  9. Spy der Mann Says:

    I see many problems with this.

    1. If you notify the owner and don’t give an address, you need to notify using a HUGE popup! And he’ll probably close it.
    2. If you notify the owner pointing to a webpage, you will probably get sued.
    3. If you notify the owner via e-mail (or by making a virus which will email him or his contacts), you will probably get sued. And / or the spammers can joejob you and you’ll end up getting sued anyway.
    4. If you hack into the computer, you will probably get sued.
    5. If you use proxy chains to hack into the computer, you will probably get sued anyway.
    6. If you write a worm to do that, you’ll probably get sued too.
    7. If you don’t use a worm, you won’t do much anyway so what’s the point?

    Computer illiteracy is a social problem, and it must be solved socially.

    This is why I propose to launch a worldwide "botnet awareness campaign" with the help of the EFF, the FTC and the Internet Task Force, to make one day the "International antivirus day", on which all users will be given instructions on how to cleanse their computers of viruses. I'd like Microsoft to provide free updates to SP2 (even to "pirated" computers, which happen to be the most vulnerable to botnets) for the sake of the internet's health.

    (Unless of course a new Bill was proposed to Congress that specifies it's legal to intrude into computers with the EXPLICIT intention of cleaning them of infections - but with the Congress we see today, I doubt it.)
