Proactive IT Security
Hey, your computer is infected!

Introduction

In a press release of 25 October, the Dutch High Tech Crime Team (THTC) of the National Crime Squad announced the successful takedown of a major botnet. 143 malicious servers were taken off the Internet in an operation carried out in collaboration with a Dutch hosting provider, the Dutch Forensic Institute (NFI), the Internet security company Fox IT, and GOVCERT.NL, the Dutch computer emergency response team.

These servers were part of a botnet running the Bredolab malware.

The Dutch authorities are to be congratulated on this successful operation. In this security article we discuss one particular aspect of the takedown and its follow-up.

Cleaning zombie computers

The "clients", the (normally) unwitting participants in a botnet, are often called "zombies". These are infected computers that receive instructions and updates from the command and control servers. When the servers controlling the botnet are removed from the Internet, as in the case discussed here, the zombie computers still have the malicious client program installed. They may thus be pulled back into the botnet if it manages to re-establish itself with new command and control computer(s).

Consequently, one wants to clean the botnet malware off the zombies. But how does one contact thousands (millions?) of computers around the world to tell them that they are infected and also provide cleaning instructions?

By using the malware's existing communication method, obviously!
And this is what the Dutch authorities did in this case. They sent a small program to the infected computers which ensured that the following warning was displayed:

[Screenshot of the warning message shown on infected computers]

Clicking the link at the end of this warning brings up a web page from the Dutch authorities with instructions on how to remove Bredolab.

The communication technique used has some very disturbing implications, which are discussed in yesterday's blog item by Norman's Righard Zwienenberg, as well as in several other Internet postings; see for example Kevin Townsend's interesting comment.

General discussion

The issue we will discuss is of a general nature. Several questions are relevant:

  1. Is it "a good thing" to inform (all) users that their computers are infected?
  2. If the answer to 1 is yes, who is authorized to issue such a warning?
  3. By which communication means should such a warning be issued?
  4. How can the message to infected customers be secured against misuse and/or tampering?
  5. How can the differing legislation on computer owners' privacy in different countries be reconciled?

In Norman's view it is clearly desirable that users of infected computers be informed about such infections, provided that the warning can be issued in a way that satisfies a certain set of standards.

In some previous articles we have discussed approaching infected computers in the same manner as societies approach infected humans. See our article "Your computer has been quarantined and cannot access the Internet" for the latest (though hardly the last) contribution in this series.
The Bredolab server takedown illustrates a situation in which one knows that some computers (a huge number in this case) are infected with a particular piece of malware. In similar situations, the potential for issuing exact information to the affected users is therefore present. Rejecting such a system a priori, on the grounds that there are too many potential problems and conflicting interests, seems too weak a response to this opportunity.

In Norman's view one should rather try to solve the problems through cooperation between parties that have

  • expertise in the technical issues involved (e.g. ensuring secure communication)
  • the authority to deal with issues involving legislation (authorities in different countries)
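Question 4 above asks how a warning to infected computers can be secured against misuse and tampering, and the first bullet names secure communication as the technical expertise required. The following Go program is an added illustration of that point; it is not code from the original article or from the Dutch operation. It shows the minimal property such a warning channel needs: the receiving client accepts a notice only if it carries a valid Ed25519 signature from a public key the client already trusts, so a notice altered in transit, a notice signed by an impostor's key, and a genuine notice replayed after its expiry are all rejected. The issuer name, the information URL, the key pairs and the fixed clock are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Notice is the payload an authorised party would push to an infected host.
// The field set, issuer name and URL are hypothetical, chosen for this example.
type Notice struct {
	Issuer   string `json:"issuer"`
	Campaign string `json:"campaign"`
	Message  string `json:"message"`
	InfoURL  string `json:"info_url"`
	Expires  int64  `json:"expires"` // Unix time after which the notice must be ignored
}

// SignedNotice is what travels over the untrusted channel: the encoded notice
// plus an Ed25519 signature computed over exactly those bytes.
type SignedNotice struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify against the trusted issuer key")
	ErrExpired      = errors.New("notice has expired")
)

// SignNotice encodes the notice and signs the encoded bytes with the issuer's private key.
func SignNotice(priv ed25519.PrivateKey, n Notice) (SignedNotice, error) {
	payload, err := json.Marshal(n)
	if err != nil {
		return SignedNotice{}, err
	}
	return SignedNotice{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyNotice accepts a notice only if the signature verifies under the key the
// client already trusts, the payload parses, and the notice has not expired.
// The signature is checked first so that unauthenticated bytes never reach the decoder.
func VerifyNotice(trustedPub ed25519.PublicKey, sn SignedNotice, now time.Time) (Notice, error) {
	if !ed25519.Verify(trustedPub, sn.Payload, sn.Signature) {
		return Notice{}, ErrBadSignature
	}
	var n Notice
	if err := json.Unmarshal(sn.Payload, &n); err != nil {
		return Notice{}, err
	}
	if now.Unix() > n.Expires {
		return Notice{}, ErrExpired
	}
	return n, nil
}

// Scenarios runs the four cases a receiving client must handle and returns the
// verdict for each; only the genuine, unexpired notice is accepted (nil error).
func Scenarios() map[string]error {
	now := time.Unix(1288000000, 0) // constructed fixed clock, late October 2010
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the authority's key pair
	if err != nil {
		panic(err)
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader) // a key the client does not trust
	if err != nil {
		panic(err)
	}

	genuine := Notice{
		Issuer:   "example-authority",
		Campaign: "Bredolab",
		Message:  "Your computer is infected. Follow the link for removal instructions.",
		InfoURL:  "https://example.invalid/removal", // placeholder URL, not the real one
		Expires:  now.Add(24 * time.Hour).Unix(),
	}

	out := map[string]error{}

	good, _ := SignNotice(priv, genuine)
	_, out["genuine"] = VerifyNotice(pub, good, now)

	// Tampered: the URL is rewritten in transit, but the attacker cannot re-sign.
	tampered := SignedNotice{
		Payload:   bytes.Replace(good.Payload, []byte("example.invalid"), []byte("evil.invalid"), 1),
		Signature: good.Signature,
	}
	_, out["tampered_url"] = VerifyNotice(pub, tampered, now)

	// Impostor: a well-formed notice signed with a key the client does not trust.
	forged, _ := SignNotice(impostorPriv, genuine)
	_, out["untrusted_key"] = VerifyNotice(pub, forged, now)

	// Replay: the genuine notice presented again long after its expiry.
	_, out["expired"] = VerifyNotice(pub, good, now.Add(48*time.Hour))

	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-14s -> %v\n", name, err)
	}
}
```

The signature covers the transmitted bytes themselves rather than a re-encoded copy, which avoids any gap between what was signed and what is parsed. The design deliberately leaves the hardest part outside the code: the trusted public key has to reach the client through some channel the botnet operator does not control, which is exactly the kind of problem the cooperation called for above would have to solve.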

Multinational agreements exist in many other areas, not least in the field of police cooperation, which may be analogous, and it should be possible to reach agreement in this area as well.

The most problematic issue may be an "ideological" one: should one use a communication channel that has been maliciously established (i.e. the botnet's communication method in this case) to send benign messages? Our answer is that this option should not be ruled out, provided that the other potential problems are satisfactorily taken care of.

Unfortunately, many issues are involved in setting up such an efficient global system. It will therefore obviously take time and effort to accomplish. That in itself is no argument against starting the process, though.
