20,000 Zombie PCs -- $3000 423
Saint Aardvark writes "From F-Secure blog comes these links to two USA Today articles on spamming. The first gives an example of how a grandmother ended up becoming a security expert after Comcast cut her connection for spamming. The second quotes spammers advertising networks of Zombie PCs for sale. The price? $3000 for 20,000 machines."
So, for 3 Grand... (Score:5, Funny)
GTRacer
- Things to do
Re:So, for 3 Grand... (Score:5, Funny)
Probably a lot of them would, after all look how many people clicked on something to become a zombie in the first place...
Re:So, for 3 Grand... (Score:5, Funny)
BTW, I'm really surprised that the 20,000 PC's are "only" $3,000 - seems like you could have 'em do clicks on Google Ads or other affliiate type stuff and make a lot more than that ... assuming you don't get caught.
Re:So, for 3 Grand... (Score:4, Insightful)
caveat emptor (Score:5, Interesting)
I fully expect follow-up news stories on how someone who wanted to open a business online fell for a mass marketing scam, paying spammers thousands of dollars only to see the spammers vanish in thin air with their money.
Re:So, for 3 Grand... (Score:5, Interesting)
Um, no, we really wouldn't appreciate you doing that with our software. And it is against our terms of use. http://vsp27.stanford.edu/license.txt [stanford.edu]
But back in my d.net days, we estimated that about 1/3 to 1/2 of all installs were zombies or forgotten. The original 5 proxies (hardcoded IP's, including my old dorm IP) probably still get pounded on after all these years.
Re:So, for 3 Grand... (Score:3, Informative)
But this is against the distributed.net's policy, and they do pay for a winner.
But really, it wouldn't do anything noticable to the user since it works during "idle" times only.
I've always kept dnet up when doing CPU intensive work, it never interferes.
Re:So, for 3 Grand... (Score:5, Insightful)
MOD PARENT UP (Score:5, Insightful)
Oh if I had mod points, my friend, you would be more karma-ful than you are right now. I couldn't agree more. At least she did something about it, instead of sitting ignoring it, hoping it gets better, unlike the other 20,000 plus people mentioned.
Re:So, for 3 Grand... (Score:5, Insightful)
Re:So, for 3 Grand... (Score:5, Insightful)
If grandma figures that all out, and especially if she tells all her friends, then I have no problem with her calling herself an expert. Don't worry, no prospective employer is going to hire her over someone who knows something, unless maybe she's hired to train end-users in the humdrum tasks of everyday workstation security. Imagine, if you will, a Beowulf Cluster of "grannies-who-get-it" showing everyone they know the nuts and bolts of how not to infect their computers! How to manage Microsoft update, how to d/l, install and run SpyBot S&D, a virus scanner, a spam filter program like POPFile, and maybe even a more secure browser (read, one that doesn't automatically install and run whatever random piece of code it finds on the net). They would do more for overall Internet security than a batallion of security experts preaching arcane router strategies to tired and jaded Network Admins. There would still be occasional viruses, worms, and exploits, but those could be left to the experts. I see no reason to be cynical about this.
Obligatory (Score:5, Funny)
Re:Obligatory (Score:5, Funny)
Re:Obligatory (Score:3, Funny)
I look forward to laboring in her cookie mines.
Will this give WETA a run for their money? (Score:5, Funny)
Re:Will this give WETA a run for their money? (Score:3, Funny)
Whose fault? (Score:5, Insightful)
Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.
Yes, it's her fault. She did something foolish.
Re:Whose fault? (Score:5, Insightful)
Re:Whose fault? (Score:3, Insightful)
Re:Whose fault? (Score:5, Insightful)
Or do you think every time you hand a credit/debit card to a cashier at K-mart, that gives them the right to start charging things to your account?
Hell, your account number and routing info is on a cheque. So everyone you write a cheque to gets unlimited access to your chequing account?
Thinking bigger, all I need is your SSN (easily obtained) to steal your identity and take out a few hundred thou in mortages.
And it's all your fault! You gave it to me when you came to work for me! Hahahaha.
If BoA allows any unauthorized person to remove money from my account, it is their fault.
It doesn't matter how they came across my PIN or account number.
Re:Whose fault? (Score:5, Insightful)
The closer analogy would be you walking up to me, saying "Hey, the Bank of America is over there", and giving me directions to an address where you have, overnight, erected an identical replica of a bank of america branch. (OK, perhaps the font on the logo is just slightly wrong if I think to look really closely.)
In retrospect, I shouldn't have trusted directions from a random stranger, but by the time I'm standing there with the bank branch in front of me and the original referral already forgotten, it may not really cross my mind to doubt its legitimacy.
The real idiocy here is all the banks setting up "secure" websites where you authenticate by sending them one secret (or maybe one of a few secrets), with the result that all it takes is for that secret to be compromised once, and your identity is compromised forever.
Perhaps this will finally them that they need something better. (Surely some kind of USB dongle/smartcard-like thingy would be cheap enough now?)
--Bruce Fields
Re:Whose fault? (Score:3, Insightful)
And even closer analogy than that would be you saying "I work for the Bank of America - you must go to that new office over there and enter your banking information, because otherwise we'll shut
Re:Whose fault? (Score:5, Interesting)
Re:Whose fault? (Score:3, Insightful)
Though I do agree that this is the law and that you are correct, I disagree with the law. Fraud and scams have b
It's a crime but so are lots of things (Score:3, Insightful)
And robbing me at gunpoint while I take money out of an ATM is a criminal act also. Should I expect Bank of America to reimburse my lost funds? I might have a case against them if I can prove that they didn't erect adequate security measures around their ATM. But nobody ever told me I was guarantee
Comment removed (Score:4, Insightful)
Re:Whose fault? HERS!!! (Score:3, Insightful)
No. It didn't follow the proper security procedures. It followed its choice of security procedures. The success of this kind of phishing scam is evidence that those security procedures are not proper; they're inadequate because they're so easily defeated with a bit of social engineering. The bank needs to design a better security system- one that uses a time-dependent smart card, for instanc
Re:Whose fault? HERS!!! (Score:3, Insightful)
Banks are legally responsible for securing the funds in your account, and for only giving those funds to authorized people. To do this, banks have a wide number of s
Re:Whose fault? (Score:3, Insightful)
Things get even worse when someone registers a domain like "ebay.it" or "citlbank.com". Even many close examinations would fail to note the problem in the URL.
Re:Whose fault? (Score:5, Informative)
With the ability to register unicode domain names, you may indeed see www.citibank.com and have no idea that the "a" is from the russian alphabet and therefore points to a different server and IP, even though visually, right down to the pixel, they are identical.
All browsers should show warnings for any domain containing characters from multiple languages, or not permit them at all. I can think of no legitimate use for them.
Re:Whose fault? (Score:5, Informative)
Do you have any links to examples or javascript that can actually do this?
Firefox spoof demonstration [nd.edu]. No padlock spoof, though, I believe.
JP
Re:Whose fault? (Score:3, Interesting)
Sounds like a good time to try the Phishing IQ test [mailfrontier.com]. As for using the exact domain, lots of sites use a different provider for their online commerce, so that won't necessarily work.
Re:Whose fault? (Score:5, Interesting)
Since I haven't sensed that a widespread educational movement is in place to tell users otherwise (besides the occasional article in the newspaper, and I personally believe that doesn't count), can someone else step up to the plate? It sucks to have to repeat the "who's responsibility is it"? thing ad infinitum.
So here's a story... I have two Macs hooked up at home. Comcast gives you the cable modem and basically just tells you to plug it in. Not surprisingly, if I were to have an old WinXP system that was stuck on dial-up (I can't download 400 MB service packs or security updates), I would be virus infected. Fortunately, I had OS X with a firewall... except they told me to disable the firewall and virus software since I was having problems. If that works, ordinary user thinks, "Wow, well if I can't use a high-speed internet connection with a firewall/virus software, what's the point"? That seems like a setup for disaster.
Remember, most users come up with questions like this [isprank.com]. I don't think they're at all aware of what can happen, or what the effects of identity theft are, or how much it sucks. All they know is that geeks like us tend to berate them, companies like Comcast give them a mile of rope to hang themselves, and companies like Microsoft push insecure solutions that have enough security holes to cause companies like Comcast to shut off their internet access.
Come on, we can do better, all around.
No wonder... (Score:4, Interesting)
So that's all it takes to be a security expert these days? No f'ing wonder there are so many security problems these days
Also, it lightens my heart and makes me feel all warm and fuzzy that it only took "as many as 70,000 pieces of mail" in a day to get Comcast to shut her down.
Re:No wonder... (Score:5, Funny)
Re:No wonder... (Score:3, Funny)
If I were you I'd brush up on my spell checker skills before firing off those CVs...
Re:No wonder... (Score:3, Funny)
By that token, everyone who's installed SP2 for XP is now a security expert.
Are you linux guys listening? Huh?
When's the last time YOU updated YOUR virus definitions? If you ever wanted proof that linux is a hobby OS, and not for security experts like Gramma Carty, this is it.
Re:No wonder... (Score:4, Insightful)
A one-eyed man in the land of the blind is King.
Re:No wonder... (Score:3, Insightful)
From the article (Score:5, Funny)
Not without some kind of sauce or dressing. Plain 1's and 0's taste like cardboard.
Heres an idea! (Score:3, Interesting)
Security Expert? (Score:5, Insightful)
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
It is quite sad that a person who just updates their computer and runs a virus scanner is now considered a "security expert."
Re:Security Expert? (Score:5, Funny)
Voodoo Legend (Score:5, Funny)
I didn't realize the zombies of voodoo legend were online.
Another story: Telenor takes down 'massive' botnet (Score:3, Informative)
Odd. (Score:5, Interesting)
I have to say, I don't understand how people get into so much trouble.
Maybe I've been lucky, but I've ran a Windows XP system for about a year now (and a Windows 98SE system for about 2 years prior under the same conditions), doing the occasional patches from Windows Update, without a virus scanner or firewall. If I do something stupid that makes me suspect that I've contracted something, I'll drop over to http://housecall.antivirus.com/ [antivirus.com] and do a quick scan. This generally only happens when I'm trying to find a crack for something on a P2P network and the bastards have embedded a keystroke logger or some other little nasty in a trojan crack package.
Otherwise, I do an occasional glance-over at the list of processes running, and if my modem is lighting up like a Christmas tree I might fire up Sygate Personal Firewall or something just to see what's happening with the traffic, but I've never seen it give me real cause for concern. I still get some port traffic for the old Code Red worms and what not, but nothing that seems to have been really problematic.
As I said, maybe I'm just lucky. Then again, maybe I don't use Internet Explorer or Outlook Express, and maybe that helps a lot. Who knows.:-)
Re:Odd. (Score:3, Funny)
Re:Odd. (Score:3, Insightful)
Article attaches no blame to Microsoft (Score:3, Interesting)
Re:Article attaches no blame to Microsoft (Score:5, Insightful)
Re:Article attaches no blame to Microsoft (Score:5, Insightful)
First lady in the story - obviously had zero protection beforehand, and it took a major problem w/her connection being disconnected before she got some. If nothing else, at least it sounds like she has the concept of basic security down a little better now.
Second lady mentioned - a single call to her bank for verification would have likely saved her any trouble. I have gotten several "phishing" mails myself, and they are incredibly easy to recognize - often from a bank I have no accounts with or that never sends mail otherwise, they contain grammatical/spelling errors that would never appear in a real mail, and ask for information that the real bank would have absolutely no reason to need verified.
Third lady mentioned - more Microsoft's fault than the others, due to the security holes. Still, it sounds like she either didn't patch things, opened a nasty attachment, or otherwise brought the software on through her own action. Hard to tell since they don't mention anything by name.
So yes, Microsoft is evil. But don't fool yourself into thinking that users aren't contributing their share of problems either.
The reverse firewall defense ... (Score:3, Informative)
Granny had the right ideas.
Home users, please note - a. You need a firewall
b. You need a reverse firewall
c. You need to dump IE and use Firefox
d. You need to try dumping windoze and move on - that puppy is probably crapping all over your machine.
--
What kind of zombies? (Score:3, Funny)
Spam declining? (Score:3, Interesting)
Actually, according to my spammeter [ispol.com] the amount of spam has been slightly declining over the past few months. I'm still at around 400/day level though...
Re:Spam declining? (Score:3, Interesting)
The price? $3000 for 20,000 machines... (Score:5, Funny)
...the ability to DoS SCO for the rest of the century...priceless.
There are some things money can't buy. For the rest, there's my Zombie Army of Evil.
Funny (Score:5, Funny)
Whenever I view this it.slashdot.org site, everything on my screen is all washed-out.
Is this a symptom of being a zombie PC?
Pay the $3k and clean house (Score:5, Insightful)
- a list of machines that need to be cleaned up
- a bank account or other information that can be used to track down the spammers/crackers
I guarantee $3k is cheaper than what it would actually cost tax payers if the authorities did their job with normal investigative work.Re:Pay the $3k and clean house (Score:5, Insightful)
It all sounds good on paper until you look at the fact that the people that kidnapped the kids got paid, so they have incentive to repeat the process. The argument was that the better (albeit longer and harder) fight was to make child prostitution not profitable or try to arrest or contain the kidnappers somehow.
Somehow I think the the spammers would figure out a way to get their money, cover their tracks, and sneak away. I don't think they really care what happens to the 20k zombies. They got their money, weather the zombieNet was used to clean house or actually send spam.
Re:Pay the $3k and clean house (Score:3, Interesting)
ISPs could do *so* much here. (Score:5, Insightful)
So where are the cops? (Score:5, Insightful)
- The perpetrator (a spammer) is almost universally hated.
- Spammers do real damage [internetweek.com].
- They are doing this damage for a pure profit motive.
- They are operating out in the open, making for an easy arrest.
So why are these bozos still in business?Re:So where are the cops? (Score:5, Funny)
How embarrassing would it be for the police to discover their own machines in the zombie network
Re:So where are the cops? (Score:3, Funny)
Breaking into someone else's computer without permission is illegal.
It isn't breaking in if you ask to be let in and they let you in.
what is this supposed to mean? (Score:3, Insightful)
how is it my ISP's fault if i am too stupid to secure my own system? it is quotes like this that pass the buck from the end-user/consumer. hey, if you want to drive a car, you need a license. want an internet connection over 56k? make people pass some sort of security review or test.
(yes, save your breath, i know ISPs can do things to reduce the problems, but it's not their fault in the end that these machines are messed up.)
Security Expert? (Score:3, Insightful)
I wonder how the transaction is actually made (Score:3, Insightful)
Tired of inflated stats (Score:5, Interesting)
Does anyone else wonder where MessageLabs gets their statistics? I can't help but wonder at their methodology (though I suspect rectal extraction). I get daily reports on SpamAssassin and my configured DNS block lists for the servers I manage. Their spam traffic doesn't start to approach 95% of inbound messages. After eliminating all internal email from the statistics, SpamAssassin flags about 20% of incoming email as suspicious and SpamHaus blocks another 10% or so. These are not confidential, hard-to-find addresses. These are university servers where staff and faculty are required to have valid email addresses posted on the department web pages. Any spider worth a damn should have harvested them long ago. I find it very hard to believe that this environment is getting 60% less spam than systems that don't provide a directory of valid addresses.
Spam is a problem, but it's time journalists (online and otherwise) start taking stats with a grain of salt. Too many organizations are willing to publish questionable numbers in an attempt to sound like they have thoroughly researched the issue.
Or in the MessageLabs case, to sell a product that will 'solve' the problem.
Re:Tired of inflated stats (Score:3, Interesting)
These are university servers where staff and faculty are required to have valid email addresses posted on the department web pages. Any spider worth a damn should have harvested them long ago. I find it very hard to believe that this environment is getting 60% less spam than systems that don't provide a directory of valid addresses.
Let me guess: .edu? Spammers have long since started washing their lists for .edu, .gov and .mil addresses. I believe many also filter out ccTLDs. You're looking at a skewed s
The zombie collectors arent even bashfull about it (Score:3, Interesting)
Going to the website, I find its one that sells proxies of some form. Gee.
Now this seems like they are signing their own name to their evil deeds. Could this mean anything other than this company is scanning for proxies and registering them using their own website?
Worst quote from TFA (Score:3, Interesting)
I only partially agree with this. What should happen is they should sell me access, and I should be able to waive their protections under the promise that I provide my own. I want to run my low-traffic web and email servers from my connection. Most people don't need to. I will take the extra work of securing them in return for being allowed to use them.
A blanket stop of much of this is all but impossible, though.
How do they get the PC's away from the zombies? (Score:3, Funny)
Basically the Undead could have rights too, I suppose.
SpecialHam.com? (Score:5, Funny)
One indication of the going rate for zombie PCs comes from a June 11 posting on SpecialHam.com [specialham.com], an electronic forum for spammers.
And you guys didn't put that link in the main Slashdot article?!?!?! Oh come on! If there's a site that deserves to be slashdotted, that one must be it.
-S
I hereby crown this woman "Queen of the Idiots" (Score:3, Insightful)
----------
Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number.
[deletia]
Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.
----------
Gee, I hate to break it to you, sweetheart, but it WAS your fault. YOU were the gullible one who clicked on the wrong link and gave thieves your username, password and account number!
As long as her attitude is prevalent among the majority, the problem of malware will never go away. Not only are these people completely oblivious to the dangers waiting to snare people using Windows PCs, even when something bad befalls them they just flat out refuse to believe it was their fault.
~Philly
Re:I hereby crown this woman "Queen of the Idiots" (Score:3, Insightful)
WHAT THE HELL???
It was NOT the woman's fault!
The fault rest solely with the theif. If somebody steals money from my bank account, it doesn't matter if they got it at gunpoint or with a fraudulent email, it is not my fault, it is not the bank's fault, it is the theif's fault.
But of course it's so much easier to bl
Contact your AGs (Score:3, Insightful)
Disagree with the "utility" analogy. (Score:5, Insightful)
Seems to me this is off the mark, and it typifies what is wrong with our telecom-oriented providers, as they too believe this all too often.
The provider provides a connection. He does not provide content. ISDN was a gigantic failure because telco's thought they had to provide content, rather than just a reliable connection.
If I want content, I will buy an AOL subscription. Otherwise, what I expect is not clean water but a reliable liquid movement mechanism. You don't call it a pipe for nothing. The liquid that comes out will be determined by me, not by the provider of pipes!
MW
Opportunity for Providers + Law enforcement (Score:3, Interesting)
If the deal is a scam, follow the money and bust the crook. If it's real, follow the money and bust the crook then clean up the zombies on your network.
Basically it's a no lose opportunity.
Psst... Hey buddy, can you spare a
Zombie network (Score:3, Funny)
Comment removed (Score:3, Informative)
Re:Rhetorical question: (Score:3, Insightful)
These people have The Will To Stupid, and cannot be stopped!
Re:Rhetorical question: (Score:5, Informative)
But unless they're running with root privileges (which most distributions don't do by default) you can't overwrite system binaries or executables, or run daemons on priviledged ports (like open smtp relays on port 25), etc. I know that the attacker could do things like use nonstandard ports or privilege escalation hacks like buffer overflows, but it's extra work the attacker needs to do, making it a less attractive target (and thus, more secure by default).
Re:Rhetorical question: (Score:5, Insightful)
My Linux Box was a zombie... (Score:4, Informative)
Re:Rhetorical question: (Score:3, Interesting)
Not so much actually (Score:5, Informative)
Linux needs patching as well because OSS is not immune to security holes. SSH, BIND and even PNG are three off the top of my head that have had security problems in the past. If you run a Linux box that has an SSH server, and you don't patch it when an SSH venurability comes out, someone WILL hack it.
Did you miss where I said (Score:3, Insightful)
Silly Rhetorical question: (Score:3, Insightful)
Even that isn't totally informing, as how many of those people who run Windows would be less vunerable if they ran linux? Most of the problem isn't the OS, but the lack of understanding on how a computer works. If you aren'
Re:Rhetorical question: (Score:3, Insightful)
Re:Rhetorical question: (Score:4, Funny)
Re:Rhetorical question: (Score:3, Insightful)
How many % of all end-user machines are running Microsoft Windows?"
Significantly less than the % af rooted Win boxes.
">Zombie Macs and Zombie Linux boxes are about as common as snowcones in hell, it would seem.
In the world of common users, Linux boxes are about as common as snowcones in hell, too. Macs are almost as common as snowcones in Florida...not quite."
Nonsense.
Last Google Zeitgeist (before it was taken offline) was 4% Macs (sorry not 3% as ai s
Re:Rhetorical question: (Score:3, Funny)
How many % of all end-user machines are running Microsoft Windows?"
Significantly less than the % af rooted Win boxes.
There are more rooted Windows boxes than there are Windows boxes?
Actually that should be read as "The percentage of end-user machines running windows is (significantly) less than the percentage of windows machines that have been compromised (rooted).
It's possible that that could be true, though not likely, since if 95% of users run windows, its unlikely that more than 95% of t
Re:Rhetorical question: (Score:5, Insightful)
Insightful??? No. Funny??? Yes.....
Funny thing is that the author seems to say that Macs are close to ubiquitous (snowcones seem to be likely to be common in Florida because they are a form of hot-weather refreshment) but Linux machines are nowhere.
Worldwide, Linux machines probably marginally beat Macs in the desktop space. Domestically, Macs are a bit ahead, for now....
In China, OTOH, legal copies of windows are much more rare than FreeBSD desktops in the US!!!
Re:Break down percentages. (Score:3, Insightful)
100% Windows. (Score:3, Insightful)
Re:Hard to believe this stuff is going on... (Score:3, Insightful)
Yeah, it's nasty all right.
Wanna be more disgusted, though? Say we did get a good handle on one of them. Well, then the federal prosecutor has a hell of a job on his hands. All he has to do is make 12 people understand how spam works, how they found the guy, why their "searches" were legal, what he was doing, and why it's a crime. Which, if it were possible to make people understand, would have prevented the crime in the first place.
And, if he's really unlucky, the defendant waives jury trial and he
I think you underestimate the average jury pool. (Score:3, Insightful)
Anyone who has an e-mail address gets spam. It's an ugly fact of life in the modern age. Figure that, out of a pool of - say - 100 potentials, at least 10 of them have kids. Spammers are notorious about not checking the ages of the people who own the addresses that they spam - and they work very hard on ways to get around filters.
Leaving the parents aside for the moment, everyone in the hypothetical
Re:End Users are Stupid (Score:5, Informative)
Probably only the the automobile. We make people take written and practical tests before they're allowed to drive unsupervised, and then in most places they are expected to get insurance to cover any damage their operation of the car may cause.
Is that where you want to go?
Using a computer on the Internet will never be as simple and relatively safe as using a TV, but it could be moved down the scale of complexity in that direction, by better engineering of Internet software and making ISP managed reverse firewalls part of the standard broadband service.
Granny should be able to just turn on her computer to order to sell her crocheting on ebay or get email with pictures of her grandkids without having to research computer administration. And, when she's done, I think she should be able to flick a massive off switch (like on the old PC/XTs) and watch the CRT raster turn into a little dot, without having to worry that somebody is using her computer when she thinks it is idle. I for one would think that was cool.
Re:End Users are Stupid (Score:5, Insightful)
It's not the end users' fault the majority of home computers are by default magnets for virii, trojans, worms and spyware.
Certain OS manufacturer is at fault here, as well as the Dells and Gateways of the world, who insist on selling zombie networks when solutions to prevent them from occurring have been in place for quite a while.
Re:End Users are Stupid (Score:3, Insightful)