Question about botnets

[Nod]

I got a wild hair the other day and decided to do some research on botnots. One of the unifying themes that I found in almost every article was that whitehat hackers loathe botnets and that this is especially true of the storm botnet. My question is this. Why don't these hackers either get copies of these viruses and rewrite them to either turn on each other or the master? Or even write a virus who's only purpose is to propagate and find/destroy the other virus. Maybe I'm dumb, maybe someone's already tried it and it didn't work. I don't know. It's just a thought I had. Would it work if someone were smart enough to implement it?

[ApprenticePhreak]

I rather like the idea of implimenting a counter bot to be released into a system with infected bad bots. Like a mini-infectious anti-virus that hopped around through illegally downloaded music that searches for other bots.

More or less it fixes botA from your illegally downloaded MetallicA and the next time someone downloads your Master of Puppets they get the cure. Or something.

[Nod]

EXACTLY! Like an infectious immunization.

[Zazen]

I thought of this a long time ago and I'll tell you why I think it's never going to happen on a useful scale.

Propagating a "useful" worm, virus, whatever you call it, is illegal (like how breaking into a system to patch it is illegal). So this makes the idea limited to individuals or small informal groups who are willing to accept that risk. From that point those small organizations will be vastly outgunned by the incredible variety of malware that they attempt to combat. They might be able to make something that combats only a certain bot strain, say storm or rockphish, but they'd have to have the same resources as the authors of those bots in order to have it spread around with the same effectiveness and deploy updates quickly without being traced. And they'd be working without pay, unlike the authors of those bots.

I read an article in SC a few months ago about some engineers at a security firm that cracked some big botnet (i.e. they could issue commands). They were talking about how easy it'd be to just issue a self-cleaning command so the bots would delete themselves. But they didn't, because they realized that it was illegal and they would be liable if that command had any unintended effects. They did nothing.

[m0rdekai]

I've wondered about writing a viral anti-virus before.  Why shouldnt we?  In my opinion, its more likely that the authorities would turn a blind eye to this, especially if it was effective.  The only thing thats kept me from trying to mutate some code into a cleaner has been this:  If I write a viral anti-virus based off of someone elses code, or even completly original code, how hard would it be for someone to take said code and recode it to be viral.  Another scenario would be if someone wrote an anti-anti-virus.  It would find out that you have files infected with the anti-virus, and just mutate that code to be malicious.  I think the only way this would be a worthwhile undertaking, would be if we could release at least 50 different anti-viruses at once.  Otherwise, it would be a matter of sheer numbers.  That or we code a virus with AI.  Ah, but now I wax into movie plots...

[ErrorLoading]

The trouble is the people who prosecute these things do not understand them.  They'd never turn a blind eye to it.  They hear the word virus and you'd be done.

Besides, there is so much variation in malware that you'd never be able to successfully write something.  By the time someone got infected, it'd be outdated by a couple versions from the real infection.

I know these things as I have spent years removing this shit from PC's.  It has slowly evolved from running a simple file scan and/or removing an entry from startup to cleaning out rootkits and manually removing registry keys and replacing protected system files to clean the shit out.

[Tachyon]

I think the answer is a bit more pragmatic than that. Consider how easy it is to make a computer fuck up, pretty much anything unexpected will crash one if you do it properly. Aren't viruses mostly written by dumbass script kiddies who wouldn't know a Hopfield network from a Boltzmann machine anyway? It seems like it would be a lot more complicated to code an intelligent agent to destroy viruses than to OMG PWN somebody's hard drive, and not something that the average virus coder would be into anyway.

[Godot]

Aren't viruses mostly written by dumbass script kiddies who wouldn't know a Hopfield network from a Boltzmann machine anyway?

Yes, I am sure most virus writers don't know their neural networks. If they did, we'd be in deep shit when those viruses become self-aware. You thought they were bad before, just wait until they all team up and enslave humanity.

[m0rdekai]

<snip>Besides, there is so much variation in malware that you'd never be able to successfully write something.  By the time someone got infected, it'd be outdated by a couple versions from the real infection.</snip>

Thats why i proposed an AI virus.  However, the implications of someone getting the sourcecode of such a program are pretty bad.  As godot so eloquently put it:

Yes, I am sure most virus writers don't know their neural networks. If they did, we'd be in deep shit when those viruses become self-aware. You thought they were bad before, just wait until they all team up and enslave humanity.

THREAD HIJACK: Why has an Artificial Intelligence virus not shown up on the scene?  It seems like this would be a lucrative thing to code.  Have I missed it and a virus HAS been released, or am I ignorant of the employment of such technology?  Enlighten me.

[Nod]

Where's Trev's answer? I would think he wouldn't be able to resist a thread like this. It's like crack for crack fiends to him.

[mr_doc]

The people who have the potential to implement this idea are for the most part not using windows and are therefore unaffected and have no incentive to do so

[ApprenticePhreak]

Where's Trev's answer? I would think he wouldn't be able to resist a thread like this. It's like crack for crack fiends to him.

*waits for the same thing*

[tully]

ahhh botnets, they are actually quite hard to manage unless you know how to fight av's. The storm bot is so effective because the owners of it constantly updated it and kept it undetected by anti virus software. Last i heard was that the storm bot was up to around 1 million bots or so and thats enough to take small countries offline, although it would be hard to do that unless you hit the isp's individually. But there are many types of botnets, win32, *nix, rfi nets, etc. You could in theory create a good bot that will remove the storm or other but you have to know how it starts, if they have a backup file on your system to re-download it if deleted, where it is in the registry etc. For win32 and *nix bots you can remove them with a "good" bot, but for rfi nets those run in php so you will have to first close the rfi vuln, then restart your php service, which can be a hastle because finding the rfi vuln in big sites takes time, and you first have to know that there is malicious code running which can be even harder to detect.

[SpaceBison]

Why don't these hackers either get copies of these viruses and rewrite them to either turn on each other or the master? Or even write a virus who's only purpose is to propagate and find/destroy the other virus. Maybe I'm dumb, maybe someone's already tried it and it didn't work. I don't know. It's just a thought I had. Would it work if someone were smart enough to implement it?

It's been done.
http://en.wikipedia.org/wiki/Welchia
If I remember correctly, it crashed a Navy network because of all the traffic it created trying to download the patches.

[Tachyon]

Looks like somebody has done it!

http://hackaday.com/2009/01/16/dismantling-the-storm-worm-botnet/