
 Please do not take down the Sality botnet - wglb
http://seclists.org/fulldisclosure/2012/Mar/315
======
s_henry_paulson
The guy takes all the time to put this together, write this up, and is
perfectly ok with the outcome, but instead of going to a coffee shop and doing
this himself, he spends a lengthy amount of time writing up instructions and
giving the criminals a chance to fix their injection problems before someone
can take down the botnet.

Baffling.

Not only that, but this guy seems to know what he's doing and instead of
someone who knows what they're doing completing the task, he's willing to
watch script kids bork the whole thing, or run the risk of russians (or others)
taking over the whole network and hardening it.

~~~
daemon13
I apologize in advance for the tone, but as a Russian I have a question - are
you racist?

Since Sergey Brin and Milla Jovovich are "russians", do you imply that Google
and Hollywood are part of this botnet?

The most famous hacker is Kevin Mitnick [american] and most recent hackers
charged/arrested by FBI are also american citizens.

Why don't you change "russians" to "americans"? Or maybe "new_zealanders"
[Kim Dotcom]? Or maybe "brits" [UK kid, extradited recently to the US on
copyright violation charges].

If you would change to "americans", I just wonder whether some people will
feel offended and how many?

~~~
icebraining
I agree that it is a prejudice and should be avoided, but it's not completely
groundless:

    According to industry analyses, Russia accounts for about 35 percent of
    global cybercrime revenue, or between $2.5 and $3.7 billion. That's wildly
    out of proportion with the country's share of the global information
    technology market (which is around 1 percent).

[http://themoscownews.com/siloviks_scoundrels/20111121/189221...](http://themoscownews.com/siloviks_scoundrels/20111121/189221309.html)

It's not that Russians are inherently cybercriminals, but the country does
seem to be currently suffering from conditions that foster it.

~~~
daemon13
thank you :-)

Just to point to a couple of facts:-

1. From the same article:

"Why does every hacking and cyberscam story – real or fictional – seem to have
a Russia connection?

In part, it is prejudice and laziness. The stereotype of the Russian hacker
has become such a common media trope that it gets recycled again and again. It
also offers a handy update for those looking for new ways to perpetuate the
‘Russian threat.’"

2. Following the article's line on the FSB - does anyone know who hacked the PCs of
the Iranian nuke facility? If we judge by who had a reason - the US - we shall
assume that the US has the same or even better hacker team than Russia [very
clever OS hack that resulted in hardware malfunction at the nuke plant, thus
significantly reducing its output - was covered in 2011].

3. I suspect that most 'industry analysis' is funded by government
agencies, directly or indirectly. So if the conclusion of 'industry analysis'
were that the US accounts for 35 or 65 percent of global cybercrime revenue,
then the next question would be - what the hell are the various government
agencies doing and how effectively do they spend government/taxpayers' money?

4. From the same article:

"However, a more basic answer is that a disproportionate number of Russians
have world-class math and computer skills, yet not the kind of jobs to use
them legitimately. Although many firms in the industry are based in Russia, or
else hire Russians, there is a pool of skilled but under-employed programmers
who embrace the hacker world for fun, out of disillusion, or for profit."

Can anyone show me a skilled but under-employed programmer in Russia?

"Skilled but under-employed programmer in Russia" is like Bigfoot [also known
as sasquatch] - everyone has heard about him/her, but no one has seen one. It is a legend...

But of course there are russians, americans, germans, brits, and other
nations, which do quite some harm. I just do not think there is a legitimate
way to define the winner.

Sorry for the off-topic rambling, probably due to a habit of enjoying fact-based
debate, which resulted from my days in finance ;-))

~~~
s_henry_paulson
It looks like most people have already responded.

While my comment was poorly worded, statistically the majority of large
botnets like Coreflood, Storm, BredoLab, Rustock, Kelihos are of Russian
origin. Even the botnet we are discussing was first seen in Russia.

To comment on a couple of your points:

2 - With Stuxnet, I think everyone agrees that US/Israel is to blame. The
Russian connection is made because aside from the Iranians, the Russians are
the only ones that had access to the facility, and they built the place. A
Russian spy is a more likely culprit than a US-Iranian scientist double-agent
sabotaging his own facility with results that could kill all of his co-workers.

4 - No one is talking under-employed. These criminals make more money than they
ever would at any other job selling access to their botnet, advertising,
spamming, installing fake virus software, stealing credit cards, etc. etc.

This gives rise to entities like the Russian Business Network (RBN)

Anyway, I meant no offense; if only americans or brits were clever enough to
create a similar profile or stereotype, but I think some script kids guessing
passwords pales in comparison to outsmarting the world's largest software
vendors and security researchers.

~~~
daemon13
Appreciate your intent.

You are correct on #4. I've heard some stories about hackers storing piles of
cash under the couch [this case was in Ukraine], made from cracking
banks/ATMs. Definitely, black activities are much more profitable. But I do
not think that [in real life] those that crack get most of the money, with few
exceptions. The biggest pile usually goes to those who organize or cover
(underworld Board/CEO equivalent).

However, the start-up fever, which started in Russia approx. 1-1.5 years ago, is
getting traction, as is the tech industry. This provides more opportunities
and a better risk/reward ratio and should result in more and more people
moving to the bright side.

And yep, the smart brain has no nationality.

------
Dove
I am reminded of the "wine blocks" sold (legally!) during the prohibition,
which came with the following warning:

 _After dissolving the brick in a gallon of water, do not place the liquid in
a jug away in the cupboard for twenty days, because then it would turn into
wine._

[http://en.wikipedia.org/wiki/Prohibition_in_the_United_State...](http://en.wikipedia.org/wiki/Prohibition_in_the_United_States#Winemaking_during_Prohibition)

~~~
_sentient
I can't help but think that must have tasted terrible!

~~~
bravura
It probably does. In Quebec, wine can only be imported and sold in state-
controlled liquor stores.

As a loophole, _dehydrated_ wine is imported, rehydrated, bottled, and sold in
corner stores ("depanneurs"). It tastes rank.

~~~
ahorne
Would you be able to provide a reference for this? As a Quebecer, this is of
interest to me.

------
acqq
Reading the README in the linked zip file, inside is, first, an executable which
is a QBFC (<http://www.abyssmedia.com/quickbfc>) packaged and slightly
modified version of AVG's Sality Removal Tool
(<http://free.avg.com/us-en/remove-sality>) to automate the removal of the
Sality virus. Then, there is the encrypted version of the same executable, so
it will run properly when downloaded by the Sality virus. And finally, there's
a simple Python script that queries super peers from a bootstrap list for the
most recent URL pack pushed to the Sality P2P network.

~~~
ucho
Allow people to check for themselves:
<http://uploadmirrors.com/download/1DQGRXOQ/byesality.zip>

------
etrain
I would love to hear a lawyer's opinion on whether the OP has any legal case
whatsoever if his "not suggestions" are ever used, his identity is identified,
and someone decides they want to throw the book at him.

Basically, if some DA decides this is modern-day vigilantism, a step removed
- could the OP ever defend himself in court?

~~~
yukyukyuk
Not a lawyer. But this would never come to pass - no DA would have the brains
let alone the skill or political will to prosecute. Also, seems like a freedom
of speech issue. Otherwise it would be difficult for educators to discuss
computer security. In fact, I'm pretty sure he could even do away with all of
the "non-suggestion" text and still be fine.

If I say, "I think you should hack website X, humanity will be better off for
it" that's just my opinion. I can even say, "I think you should empty all of
Goldman Sachs' bank accounts and use the proceeds to buy up endangered rain
forest land in Brazil." As long as I'm not materially facilitating the
commission of the crime, I'm just another guy on the internet with an opinion.

Edit: After reviewing
[http://en.wikipedia.org/wiki/Freedom_of_speech_by_country#ci...](http://en.wikipedia.org/wiki/Freedom_of_speech_by_country#cite_note-Biederman2007p457-77)
I'm coming to the conclusion that the above is pretty far from accurate in any
country. Apparently freedom of speech has been under serious assault for
decades. Which is sort of sickening, but also a fact of life.

~~~
a3camero
Law student. These sorts of situations have been considered by the people that
write criminal laws.

If you recommend a crime to someone and then they do it then you're a party to
that offence (<http://laws-lois.justice.gc.ca/eng/acts/C-46/page-6.html#h-5>
[Canadian Criminal Code, but I assume US is quite similar on this]).

There are a variety of ways to become a party to a crime, and then you're as
guilty as the rest of 'em.

~~~
rprasad
The U.S. criminal code is not like the Canadian Criminal Code. Also, I suggest
you reread the statute. By the plain language of the CCC, it is not enough to
recommend that someone commit a crime; you must actually counsel them in how
to do it (i.e., provide advice).

~~~
phillmv
I don't see how TFA _doesn't_ fall under counsel. He gives you a step by step
process.

------
ricardobeat
So why can't those nice guys from the FBI go and do it already? It's so easy
to replace sites when piracy is involved...

~~~
rplnt
They simply can't. This is very different from closing down some "piracy"
sites. In this case they need to mess with data on your computer. Do you want
the FBI to have a legal way to read, modify or destroy data on your computer? Even
if you want that (which I don't believe), there is no way that would work on an
international scale.

I remember a case from some years back when some group (some AV group or
something like that) took control over a major botnet by taking control over
domains the botnet would use in future for receiving updates/commands. The
algorithm was pretty sophisticated as it generated dozens of new domains each
day and was trying to contact them at random. E.g. generate 100 domains, try
to contact 15 of them, if none responds wait a day. Statistically the bot
would get its commands in 2-3 days (I don't really remember exact numbers so
this example might not add up). Well, in order to stop the botnet you'd need
to register all available domains out of those 100. So, they were doing just
that for some time. They practically blocked the owners from operating the
botnet. But they couldn't destroy it. Because that would require manipulating
data on random peoples' computers without their consent, which you simply
can't (legally). And I think it should stay that way. So anyway, they left it
be and the owners took control back.

But what can be done? You have to keep your operating system updated. Having AV
software (which is quicker in updates and acts as prevention) doesn't hurt
either. And as this is not a real option for some time, this is a good way.
You destroy it in illegal fashion. But no official organization can do that.
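The arithmetic behind the sinkholing story above, as an added example that is not part of the thread or the linked article: a simplified model of a domain-generation scheme in which defenders register (sinkhole) all but a few of each day's candidate domains. The counts (100 domains per day, 15 contact attempts) are the ones the comment quotes; that the bot draws its 15 domains uniformly at random, and that each day is independent, are modelling assumptions.

```python
from math import comb


def p_blocked_one_day(n_domains: int, tries: int, sinkholed: int) -> float:
    """Probability that every domain the bot tries on a given day is sinkholed.

    Assumed model (not the real botnet's algorithm): the bot picks `tries`
    distinct domains uniformly at random from the day's `n_domains` candidates,
    and defenders control `sinkholed` of them. The bot is blocked for the day
    only if all of its picks land on sinkholed domains, which is the
    hypergeometric probability C(sinkholed, tries) / C(n_domains, tries).
    """
    if not 0 <= sinkholed <= n_domains or not 0 < tries <= n_domains:
        raise ValueError("inconsistent domain counts")
    if sinkholed < tries:
        return 0.0  # at least one pick must hit a live domain
    return comb(sinkholed, tries) / comb(n_domains, tries)


def expected_days_to_contact(n_domains: int, tries: int, sinkholed: int) -> float:
    """Expected number of days until the bot reaches a live C2 domain.

    Days are treated as independent trials; the wait is geometric with
    success probability 1 - p_blocked. Infinite only if every domain is held.
    """
    p_reach = 1.0 - p_blocked_one_day(n_domains, tries, sinkholed)
    return float("inf") if p_reach == 0.0 else 1.0 / p_reach


def coverage_table(n_domains: int = 100, tries: int = 15) -> list[tuple[int, float, float]]:
    """For several numbers of domains the defenders failed to register,
    return (missed, P[blocked on a given day], expected days to contact)."""
    rows = []
    for missed in (0, 1, 2, 5, 10):
        held = n_domains - missed
        rows.append((missed,
                     p_blocked_one_day(n_domains, tries, held),
                     expected_days_to_contact(n_domains, tries, held)))
    return rows


if __name__ == "__main__":
    print("missed  P(blocked/day)  E[days to contact]")
    for missed, p_blocked, days in coverage_table():
        print(f"{missed:>6}  {p_blocked:>14.3f}  {days:>18.2f}")
```

Missing a single domain out of 100 already gives the bot a 15% chance per day of reaching its controllers, so it is back in contact within about a week on average; sinkholing has to be complete to hold.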

~~~
ricardobeat
Is just changing the source code for the next update on the servers a privacy
violation? Every zombie machine will download it by itself.

------
kevinchen
Does anyone know exactly why it's illegal to take down Sality?

~~~
pluies_public
Messing with other people's computers _in any form_ without their knowledge
and consent is usually prohibited by law.

A slightly broken analogy would be breaking into a house to remove a hornets'
nest. Even if you do it carefully and do not do any damage and what you do is
beneficial for the community as a whole, it's contrary to the law.

~~~
piggity
If my neighbour's hornets' nest had killer hornets that were biting all the
children in the neighbourhood and the police / council refused to do anything,
then it'd be a damned shame if someone neatly removed the hornets' nest.

Of course that wouldn't make it any more legal; but your defence would have a
field day with the prosecution I'd imagine.

IANAL but I've watched the first double episode of The Firm, and I reckon I've
got a pretty good grasp on how the law works now!

~~~
polymatter
I'm curious now. What if my neighbour's house was on fire? That fire threatens
the whole neighbourhood. Surely I can protect my property by attempting to put
out the fire. Do firefighters have indemnity for attempting to put out fires?
What about volunteer firefighters?

Obviously I consider a house on fire to be analogous to an infected computer,
but I do have some protection putting out a fire, right? Nobody would sue me
for fire damage (as long as I'm reasonable etc).

~~~
DanBC
With a house on fire you're taking reasonable action to protect life.

In general, when you do something you then take responsibility for the
consequences of that action. Thus, if there was a tiny fire and you flooded
the house with water and foam and caused considerable water damage you may
find the home owner suing for damage caused. You could counter by saying you
prevented much more damage, but they'd say that a competent fire-fighter would
have done that and avoided all the water damage.

The analogy fails (as they always do) because there are specific criminal laws
around computer misuse / unauthorised use. Running software on someone's
machine without their permission is unlawful.

You may have mitigation if you can claim that the harm from the botnet was
more severe than the harm caused by the clean-up-hacking.

It is frustrating. I used to say "Don't fight abuse with abuse", but it's
pretty hard to keep that attitude in the face of so much malware and spam.

~~~
rickdangerous1
Pointing a water hose at someone else's house is probably illegal too... unless the
house is on fire. Then it's ok... see?

------
jakejake
Is it just me or did the OP just blow a rare opportunity to be a hero? The
power of a zero-day exploit is that you don't announce it and give the target
a chance to make a patch.

~~~
rplnt
So he should've contacted the botnet owner and told him to patch the sites he uses
for controlling the botnet?

~~~
jakejake
That's exactly what he did by announcing this publicly instead of just going
to a public wifi and quietly taking down the botnet.

------
daemon13
Looks like the OP is doing a hack - he is trying to achieve his goal [of
destroying parts of the botnet] by hacking the legal system, since he cannot do
this on his own...

Resourceful!

------
psb
Does anyone know if the actions described in the article have been carried
out? I'd hate to think that the "current owners" of the Sality botnet have
fixed this exploit.

------
maaku
What if I get permission from the owner of one of the infected systems to
"penetrate" his setup and upload the botnet-destroyer. Would that still be
illegal?

~~~
eridius
I think the issue is that to remove the botnet, it requires having your code
be executed on all infected machines. You can't possibly get permission from
the owners of the millions of infected machines to do this.

~~~
zacharypinter
Yep. Imagine if it bugged out and broke all the infected machines. Even if the
bug that broke the machines wasn't his fault, he'd probably still be in a grey
area.

~~~
vidarh
Even a bug that affects just 0.1% of a 1-million-strong botnet would still leave
1000 unhappy users with broken setups that might consider themselves to have
been better off with the botnet.

------
rdl
I'm kind of confused why one would publish the HOWTO-kill anonymously. It
would be totally reasonable to publish the howto and "wouldn't it be horrible
if this happened; don't do it" under your name (if you want fame, without
legal liability). Or, just publish and do it all anonymously. I guess I'm
motivated by either fame or kills, which might be different than the anonymous
party here.

I guess even publishing legally-protected information doesn't protect you from
the nuisance of civil lawsuits, or potential extralegal/illegal actions by
either the botnet staff or anyone who is harmed by the botnet or removal of
botnet.

~~~
dfc
Why are you assuming that lawabidingcitizen is not a disgruntled member of the
organization behind Sality?

~~~
rdl
My lack of creativity or deep thinking on this issue (deadened by 8h of
accounting catch-up tonight). That sounds like a highly plausible scenario.

------
seanp2k2
Guys, the reason that the author didn't use these tools himself is because
/they will kill you if you mess with their stuff/.

That's what global crime syndicates do.

------
majmun
You should NOT take over the botnet and harden it.

------
micaeked
Would this be completely prevented if the botnet owners signed (with a private
key) their payloads?

~~~
nathan_f77
Yes, I believe that would be very effective.

------
jakejake
Please OP, you obviously have done the work, just go to a library or any free
wifi location and run the damn thing.

------
hackermom
So, is it down yet?

------
trotsky
You're not actually a law abiding citizen if you just publicly recruited for
people to join your felony conspiracy.

