Programming a Viral Botnet Killer

Developer (devze.com) https://www.devze.com 2023-01-26 14:57 Source: web

Wouldn't the best way to dismantle a botnet come from writing your own Virus?

Anti-Virus software never plays offense. It simply waits to be attacked by people who have ample time to steal/download/install X software, test its defenses, and deploy new updates to their drones/zombies to exploit X software's weakness. Thus instantly defeating X software (especially if your PC winds up being candidate #1 for testing the new exploit).

So to play offense, why not write your own Anti-Virus Virus.

Ethics/Morality aside, if your wrote a self propagating virus whose sole mission was to take out Zeus, Conficker, Grum, Bobax, etc. you could sit back, relax and watch as your email filter gradually runs out of things to do.

You could be the Batman of the web. Breaking the rules for the greater good! I'm not seriously advocating vigilantism of course, but in theory, you could wage a war against any botnet using the same tactics that a virus/worm/trojan uses.

To keep it more ethical, have your program self delete once it's cleaned a PC and copied itself to another.

The people participating in the botnet didn't ask to participate in it, so should they need to be asked to not participate in it?

What do you think?

EDIT

As @Woot4Moo pointed out, I clearly don't have a lot of background in this field.

And I certainly know you can't truly separate morality/ethics from this question, since at the end of the day I don't want anyone messing with my stuff either (regardless of their "good" intentions).

I guess my question was more along the lines of (again attempting to remove morality) "Which would be more efficient at combating the problem?" Waiting to be attacked, or offensively attacking? This idea spawned my "Good Botnet" idea (an idea clearly beaten down).

So my counter question is how do we go on the offense then? Attack the Command & Control Servers? (Again, illegal to burn down a building even if it's owned by the mob). Or should we not bother and play defense forever? (And if I'm ignorant of an offensive initiative then please enlighten me).


The idea has appeal in theory, and it has happened:

1) Worm-vs-worm (the patch idea): The Welchia worm (2003) tried to clean up after the Blaster worm of the same year, but the law of unintended consequences (and some poor design choices) kicked in: bandwidth saturation and new attack vectors. See http://www.icir.org/vern/worm04/castaneda.pdf

As far as I know, this is the only time that a counter-worm was launched. Later worms (like Conficker) hedge against this by patching the vulnerability and putting in special protocol features that only allow affiliated C & C to get in - so the vulnerability becomes a backdoor with a code.

2) Hijacking the C&C channels: Several research groups have taken over botnets to study them. UCSB has a public paper from ACM CCS 2009: http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

The public botnet business is big money, so a lot of work is put into making the C&C channels unassailable (strong crypto, decentralization, double flux, etc.) to prevent shutdown and takeover.

Addenda:

2012/2: Seawave: PhD thesis on benign layer 2 "Topology-Aware Vulnerability Mitigation Worms".

2012/1: Japan/Fujitsu has an "active-defense" virus project (three years in the making) that claims to attribute and neutralize in case of cyber-attacks (CNET link).
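The "backdoor with a code" described in point 1 above, as an added example that is not part of this answer and not the code of any named worm: the patched entry point stays reachable, but it executes only payloads authenticated under a key the operator holds, and it carries a sequence number so that an old authentic payload cannot simply be replayed by whoever captured it. Everything here is constructed for the demo: the key, the wire format and the command bodies. A standard-library HMAC stands in for the asymmetric signature a real operator would use; with a symmetric key, anyone who extracts it from one bot can forge commands, which is exactly why an embedded public key plus signature verification is the stronger design.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo key (assumption, not from the page). It stands in for the
# operator's signing key; a symmetric MAC is used only to keep the example
# self-contained with the standard library.
OPERATOR_KEY = b"constructed-demo-key-not-a-real-secret"

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_tag(key: bytes, seq: int, body: bytes) -> bytes:
    """MAC over the sequence number and the body together, so neither
    can be swapped independently of the other."""
    return hmac.new(key, struct.pack(">Q", seq) + body, hashlib.sha256).digest()


def build_payload(key: bytes, seq: int, command: dict) -> bytes:
    """Constructed wire format: 8-byte big-endian seq | 32-byte tag | JSON body."""
    body = json.dumps(command, sort_keys=True).encode()
    return struct.pack(">Q", seq) + make_tag(key, seq, body) + body


class AuthenticatedEntryPoint:
    """The patched service endpoint: still reachable by anyone, but it acts
    only on payloads that verify under the operator's key and carry a
    sequence number newer than the last one accepted."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1
        self.executed = []

    def accept(self, payload: bytes) -> str:
        if len(payload) < 8 + TAG_LEN:
            return "rejected: malformed"
        seq = struct.unpack(">Q", payload[:8])[0]
        tag, body = payload[8:8 + TAG_LEN], payload[8 + TAG_LEN:]
        # Constant-time comparison, and verify before parsing anything.
        if not hmac.compare_digest(tag, make_tag(self._key, seq, body)):
            return "rejected: bad tag"
        if seq <= self._last_seq:
            return "rejected: replay"
        self._last_seq = seq
        self.executed.append(json.loads(body))
        return "accepted"


def demo() -> list:
    """Delivers four payloads to one entry point and returns the outcomes."""
    ep = AuthenticatedEntryPoint(OPERATOR_KEY)
    outcomes = []
    genuine = build_payload(OPERATOR_KEY, 1,
                            {"op": "update", "url": "http://c2.example.invalid/u"})
    outcomes.append(ep.accept(genuine))
    # A counter-worm reaches the same entry point but holds no key.
    forged = build_payload(b"counter-worm-has-no-key", 2, {"op": "uninstall"})
    outcomes.append(ep.accept(forged))
    # Replaying the operator's own earlier payload, captured off the wire.
    outcomes.append(ep.accept(genuine))
    # Flipping one byte of an authentic body: the tag no longer matches.
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    outcomes.append(ep.accept(tampered))
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Run it and the four deliveries come back as accepted, bad tag, replay and bad tag: the same exploit that installed the original bot is no longer usable by a second worm, because the entry point now checks a credential the second worm does not have.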


From a technical point of view this is probably possible and I have heard it is already happening at a botnet vs. botnet level (can't find the reference - sorry), and I wouldn't be surprised if there were researchers out there also doing similar things, though they're unlikely to announce it or brag about it due to the ethical concerns.

From an ethical point of view, you probably shouldn't do this. You're installing software onto someone else's machine and mucking around with it without their permission. It would be similar to breaking into someone's house through the living room window to ensure that the smoke alarms are still working. If the users participated in it voluntarily (that is, they deliberately install the software) then it would be OK, but then it would be like any other anti-virus... consent is the key here.


This can't happen. It sounds good in theory, but if they didn't kill you, you would soon find yourself in jail. You can simply push ethics aside and do as you wish.

How is this any different from when Sony put spyware on each CD so they could prevent users from ripping the music? It's not. In Sony's eyes the person who ripped music was the bad guy, and they employed a measure similar to what you suggested to combat it. In the end they got sued and slapped with a huge fine. The lesson? Just because you think you need to protect your interests, it is never OK to put something on another computer without disclosure. Never.


A researcher already created something like this, but it was never used. That is as illegal as creating the botnets in the first place. And I don't think this would really help for long.


This is honestly the worst idea I have ever heard, ever. You either have a lack of knowledge or you are intentionally being ridiculous. I don't ask the police to protect me, but I surely would be upset if they shot at my car every day, ya know, just in case. Additionally, you make more money in research by finding ways to circumvent protection than you do by creating the protection. Look at any scientist who helps a professional athlete hide steroid use.
