On 29/03/12 08:32 AM, Zooko Wilcox-O'Hearn wrote:
(N.B. I (still) disagree with Ian Grigg's thesis in several of its
other steps.
:)
However, the part about how botnets, which don't pay for
the marginal cost of their electricity, will provide an increasing
contribution to the global Bitcoin transaction-confirmation service
(a.k.a. "mining") -- that part I'm starting to agree with.)
"In addition to spamming and distributed denial-of-service attacks,
this latest botnet was capable of both stealing Bitcoin wallets from
infected computers, and BitCoin mining, which uses the resources of
victimized computers to make new Bitcoins." ¹
¹
http://arstechnica.com/business/news/2012/03/p2p-botnets-the-bigger-they-come-the-faster-they-fall.ars
So, Kaspersky and company took down this botnet, which they say had
about 116,000 bots, starting on March 21, nabbing three quarters of
them within 24 hours, and the botnet was mostly dead within a week.
Does anyone know why they did this? I had a read of the FAQ and it
makes the most astounding claims:
=============
The only permanent solution is advocating to politicians for more
international legislation and laws to be passed for more involvement
between cyber security professionals and federal law-enforcement
agencies. Sinkholing is a temporary solution but finding the groups
behind the botnets and allowing law enforcement to apprehend them is the
only permanent solution to the problem. New regulations will give more
jurisdiction to execute the following countermeasures:
Carrying out mass remediation via a botnet
Using the expertise and research of private companies, providing
them with warrants for immunity against cybercrime laws in particular
investigation
Using the resources of any compromised system during an investigation
Obtaining a warrant for remote system exploitation when no other
alternative is available
After taking down the old Hlux we asked your readers on
securelist.com how Kaspersky should proceed with the botnet: The answer
was quite clear: Only 4% voted for “Leave the botnet alone.”. 9% agreed
with “Keep the sinkholing up and provide IP address logs to the
appropriate contacts so they can take actions.” and 85% voted for “Push
a cleanup tool that removes the infections.”. In this poll 8539 votes
were counted.
===========
https://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet
ArsTechnica suggests more fascinating comments:
The researchers said that security companies are informing Internet
service providers about the infections, but cannot legally take direct
action to clean up the machines. ....
.... But "there is one other theoretical option to ultimately get rid of
Hlux," Ortloff wrote. "We know how the bot's update process works. We
could use this knowledge and issue our own update that removes the
infections and terminates itself. However, this would be illegal in most
countries."
The security company people told the Ars Technica reporter that they
were surprised that the Botnet operators didn't try to recover control
of the bots.
(If I was them, I'd be worried about backtracking. Once I knew I was
under attack, I would prefer to cut & run rather than reveal.)
BOTTOM LINE
A 100,000-node botnet was taken down. The architects of the takedown
made statements that it was used for Bitcoin mining. At the same time,
there was a substantial dip in the global rate of transaction
confirmation (a.k.a. "mining"), which lasted about 48 hours. However,
back-of-the-envelope calculations by yours truly indicate that a
100,000-node botnet would not contribute even 10% of the hash rate
seen in the dip.
Good observations and calculations. So, let's say you wanted a botnet
to do mining. What could you do to improve that?
iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
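The "bottom line" above rests on a back-of-the-envelope calculation that the post does not show. The following is an added worked example, not code from the thread or from any of the parties it discusses, that makes the estimate explicit and lets a reader plug in their own figures. Every number in it is an assumption: roughly 2 MH/s of SHA-256d per commodity CPU bot, a global rate on the order of 10 TH/s in March 2012, a 25% dip, and the 100,000-bot figure the post itself uses. The functions `botnet_hashrate`, `share_of_dip` and `required_per_bot_hps` are hypothetical names introduced here.

```python
"""Back-of-the-envelope check: could a botnet of N CPU bots account for
an observed dip in Bitcoin's global hash rate?

Added example for the mailing-list discussion above.  All figures are
assumptions chosen for illustration, not measurements from the post.
"""

MH = 1e6   # megahashes per second
TH = 1e12  # terahashes per second

BLOCKS_PER_DAY = 144  # 6 blocks/hour target, 24 h/day


def botnet_hashrate(bots, per_bot_hps, online_fraction=1.0):
    """Aggregate hash rate (hashes/s) of a botnet.

    online_fraction models the fact that not every bot is powered on and
    reachable at any one time; 1.0 is the most generous assumption.
    """
    return bots * online_fraction * per_bot_hps


def share_of_network(botnet_hps, network_hps):
    """Fraction of the global hash rate the botnet represents."""
    return botnet_hps / network_hps


def share_of_dip(botnet_hps, network_hps, dip_fraction):
    """Fraction of the *missing* hash rate during a dip that the botnet
    could explain.  A value below 1.0 means the botnet going dark cannot,
    on its own, account for the dip."""
    missing_hps = network_hps * dip_fraction
    return botnet_hps / missing_hps


def required_per_bot_hps(bots, network_hps, dip_fraction, online_fraction=1.0):
    """Inverse check: per-bot hash rate each bot would need for the botnet
    alone to explain the dip.  Compare against what a CPU can actually do."""
    missing_hps = network_hps * dip_fraction
    return missing_hps / (bots * online_fraction)


def expected_blocks_per_day(botnet_hps, network_hps):
    """Expected blocks found per day by the botnet, assuming difficulty has
    adjusted so the whole network finds BLOCKS_PER_DAY blocks."""
    return BLOCKS_PER_DAY * botnet_hps / network_hps


def main():
    # Assumed scenario (not from the post): 100k bots, ~2 MH/s each on a
    # commodity CPU, global rate ~10 TH/s, observed dip of 25%.
    bots = 100_000
    cpu_hps = 2 * MH
    network_hps = 10 * TH
    dip = 0.25

    botnet_hps = botnet_hashrate(bots, cpu_hps)
    print(f"botnet rate:        {botnet_hps / TH:.3f} TH/s")
    print(f"share of network:   {share_of_network(botnet_hps, network_hps):.1%}")
    print(f"share of the dip:   {share_of_dip(botnet_hps, network_hps, dip):.1%}")
    print(f"blocks/day expected: {expected_blocks_per_day(botnet_hps, network_hps):.2f}")
    need = required_per_bot_hps(bots, network_hps, dip)
    print(f"per-bot rate needed to explain the dip alone: {need / MH:.0f} MH/s")


if __name__ == "__main__":
    main()
```

Under these assumptions the botnet is about 2% of the network and would explain only about 8% of a 25% dip, in line with the post's "not even 10%" conclusion; the inverse check shows each bot would need roughly 25 MH/s, which is GPU territory rather than CPU territory, to account for the dip on its own. Change `cpu_hps` or `online_fraction` to see how sensitive the conclusion is to those guesses.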