Slashdot
New Botnet Dwarfs Storm
Posted by CmdrTaco on Mon Apr 07, 2008 09:30 AM
from the that's-a-lotta-zombies dept.
ancientribe writes "Storm is no longer the world's largest botnet: Researchers at Damballa have discovered Kraken, a botnet of 400,000 zombies — twice the size of Storm. But even more disturbing is that it has infected machines at 50 of the Fortune 500, and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques that hinder its detection and analysis by researchers."
Related Stories
Kraken Infiltration Revives "Friendly Worm" Debate
Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
Designate Windows OS as Terrorist Tool (Score:5, Funny)
Re:Designate Windows OS as Terrorist Tool (Score:5, Interesting)
And who knows, perhaps Kraken is sending your data to HLS on the side? If I made a government spy virus, I'd disguise it as a spambot too... the signal is lost in the noise.
This, needless to say, could also explain the surprisingly low discovery rate on standard AV tools.
[/tinfoil hat]
Re:Designate Windows OS as Terrorist Tool (Score:5, Insightful)
Re:Designate Windows OS as Terrorist Tool (Score:5, Insightful)
Re:Designate Windows OS as Terrorist Tool (Score:5, Interesting)
Re:Designate Windows OS as Terrorist Tool (Score:5, Interesting)
Well, at least you have an opinion. It's really the mark of users that plain suck.
I really wish this was the case, but OS vendors could do much, much, much more to make their systems secure by default. As for the metric that users suck, sure they do. Last I read, however, compromises that had no user interaction were still responsible for more incidents than ones that have a user interaction component. There are a lot more trojans out there than worms that compromise machines silently, but the latter hit a lot more machines at a time and more often.
Give all those same users who click on everything and anything that sounds vaguely interesting a nice, shiny new Ubuntu machine - ALL of the users, mind you - so replace most people's Windows machines. See how long it takes those same people to be rooted.
Actually, they would probably last a lot longer. The truth is, Linux is attacked less by automated worms so most users would fare better. It is not that Ubuntu is really much better for security than Windows (it is better in some ways, worse in others) but there is one big thing Ubuntu has going for it. Canonical does not have monopoly influence on the desktop OS market.
Ubuntu currently has security that is appropriate to the threat posed by malware attacking it. Regardless of whether that security is currently better or worse than Windows, there is no reason to think Ubuntu would not continue to provide whatever level of security is desired by users. You see, Canonical sells services based around Ubuntu. Most of the contributors to Linux are users (either on a large or small scale) or are hired by users. If Canonical does not provide them with the security they want, they can and will go elsewhere. There are lots of Linux distros and companies selling services based upon it. In a worst case, Linux can fork to provide users what they need. Basically, it comes down to motivation. If Ubuntu is not good enough, Canonical loses money; ergo, Canonical will invest in security improvements so they can make more money.
When Windows does not provide the appropriate level of security to make the average user happy, Microsoft does not lose significant money. In fact, in many cases machines are slowed down by malware such that the user does switch to a new vendor. The problem is, they switch computer vendors (from Dell to Lenovo for example) and Microsoft actually gets an extra sale out of it. Usually the influence MS wields in the desktop OS market makes switching to another OS vendor impractical or uneconomical, especially given MS's ability to break interoperability with other OSes and lock in users via their data, applications, etc.
Now what will you complain about? Their sucky OS?
It is not even that Windows sucks on technical merits. They suck because they are the biggest target and they don't care. When I go down to the bar, I don't wear a bulletproof vest of any sort. When I browse the internet from a Mac or Linux machine I don't bother with sandboxing my browser or running it in a VM that resets every time I use it, or even running antivirus software scans. I don't need to. If I take a business trip to Baghdad, I'll probably wear a vest. Most people would not think to do so. For someone at a tourist bureau in Baghdad to try to persuade people that Baghdad is a more secure place than Minneapolis is absurd. For them to argue that there are more troops protecting you in Baghdad than in Minneapolis is beside the point. For them to argue there are concrete emplacements and checkpoints to catch "bad guys" is likewise beside the point. The measures in place are insufficient to deal with the level of threat presented. This is true for Baghdad and Windows.
And to answer your second question, if Ubuntu were regularly compromised in daily use, yeah I'd argue its security sucks. There is a lot of work that can be done to make every OS more secure for users, but for the most part only Windows has a big problem for normal
Re:Designate Windows OS as Terrorist Tool (Score:5, Informative)
You can make system files immutable in Linux with chattr; an immutable file may not be overwritten by root unless chattr is first run to remove the immutable flag.
Furthermore, you can, during install, use chattr to set files immutable, and then set user:owner of chattr to user chattr and set permissions to only allow user chattr to read or execute chattr, as well as making chattr immutable so root can't replace it.
So yes, you can idiot-proof a Linux system. Even if they still have sudo permissions so they can install new programs.
The basic point of this would be to have some type of crontab-based scanner and a remote administrator (e.g., the guy who set it up for Mr. "I love porn and am stupid"), and basically if Mr. Idiot installs bad software, Mr. Remote Admin can remove it and make fake files in his owner/user group so that Mr. Idiot can't install it again (although without access to chattr it might be hard to prevent Mr. Idiot from finding out how to use sudo to delete those files when he asks on a message board how to get around this 'error' when he tries to install software, etc.).
Although it's SO much easier to just not give Mr. Idiot sudo permissions and let Mr. Remote Administrator approve any software Mr. Idiot wants on his system. The point was: can Linux be idiot-proofed? And yes it can, in many functional ways.
Re:Designate Windows OS as Terrorist Tool (Score:5, Insightful)
Nothing will happen; the OS will stop it. How? By the trivial means of not allowing downloaded files to be executed unless I explicitly edit their permissions to turn on the execute bit.
Yes, this really would help. Mere double-clicking can be done reflexively. But more complex instructions like "save this to your filesystem, then open a terminal window and type 'chmod +x free_porn.sh', and then double-click it for free porn!" give your victim just that little bit longer to realise that they're being conned. Is it 100% secure? No, of course it isn't. Is it more secure than an OS that will blindly execute anything that has a filename ending
Re:Designate Windows OS as Terrorist Tool (Score:5, Funny)
Don't underestimate me.. I've performed WAY more complex operations than that in order to obtain free porn.
Re:Designate Windows OS as Terrorist Tool (Score:5, Funny)
The new Axis of Evil?
I am not trying to obnoxious. (Score:5, Insightful)
Re:I am not trying to obnoxious. (Score:5, Insightful)
-jcr
Re:I am not trying to obnoxious. (Score:4, Informative)
Re:I am not trying to obnoxious. (Score:5, Informative)
Re:I am not trying to obnoxious. (Score:5, Informative)
Re:I am not trying to obnoxious. (Score:5, Funny)
The WINE developers really need to work on the compatibility...
Re:Or Unix or Mac ... (Score:4, Insightful)
The only way I can see it working is if someone runs Parallels with Windows and opens the executable there - thus it is technically a "Windows machine" that is infected.
No OS is totally safe from access - what distinguishes Linux/Unix/BSD and maybe even Mac OS from the Windows crowd is what you can do when you have penetrated the firewall/got a mail inside.
With Windows it is easier (for various reasons) to have a program do something illegal - either via user click or automagically - than with the others.
For a hacker it would still be hard to do anything on a Linux/BSD/Unix box without root/admin privileges - maybe stealing info is the worst (via accounts that do not need special privileges to view/access files).
Thus the term "HOW SAFE" needs to be defined before one can argue the strong points of an OS over the other.
For one person ACCESS to the info is a security issue, and for another RUNNING AN UNWANTED PROGRAM (virus/keylogger/trojan/bot) is the issue.
With the first issue I'd say Linux/BSD/Unix is a little safer than Mac which is a little safer than Windows, with the second issue I'd say Linux/BSD/Unix is way safer than the others.
Re:Or Unix or Mac ... (Score:5, Interesting)
Viruses and bots are incredibly easy to get installed and infected on a PC. It's brain-dead easy.
It's far harder to get a Linux or OS X or BSD infection going, as you trigger the "you are trying to install 'XXXX', enter your admin information to allow this to install" prompt for applications that are going to get their hooks into the system. All other applications can reside in a location that is safer and installable by the user only. And YES, you can do this in Linux: a user can download, compile and run or even install an app to the user directory and use it just fine.
All OS X users I know don't simply click yes to everything, because the software makers have half a brain for those platforms. Windows apps all think they need to shove crap all over the PC, and therefore PC users are used to having even a fricking MP3-playing app shoving things in the Windows system directory, changing the registry, etc...
Stop that stupid behavior (return to farking ini files in the app directory instead of the incredibly stupid registry) and stop installing 65,000 random DLLs in the system directories.
Untrue. (Score:5, Insightful)
Your solution simply does not address the dancing bunnies problem [codinghorror.com].
Re:Or Unix or Mac ... (Score:5, Insightful)
Only we're talking about normal users here. Users who aren't going to go to these lengths to protect themselves and their computers. Nor are they going to modify the default behavior of their Linux computers, if we were to set them in front of one. We're talking about users who don't even realize that these are good things to do, so why do you expect them to do them?
Re:Or Unix or Mac ... (Score:5, Insightful)
If someone says "Windows is insecure", I hear "Yeah, damn right. Stupid n00bs, and it's all Bill Gates' fault, stupid people".
If someone says "Linux is insec.." I hear "lalalalalala. I can't hear you. lalalalalala".
The problem is about usage patterns of the OS. Put the same person in front of any OS and they will get infected the same way they always did. As someone mentioned, bots generally send spam or steal financial info - well, there's nothing stopping this from happening in any app. Either you restrict users from doing things they consider normal (like downloading gadgets and toys, and opening their own files) or you have to accept that they will get infected, no matter which OS they use.
Sure, there are technical, tricky issues with
The answer is to educate users about security, which would be an ongoing task forever (as new exploits are discovered, new attack vectors invented). Or to try and fix the damage an infected machine can do. E.g., why aren't the defaults for emailing set to only allow 1 per minute, or why doesn't the software pop a dialog every time an email is sent? If either of these were implemented at a point closer to the network (rather than the user application) then we'd get significantly less spam from infected PCs.
Of course, it's tricky to do. A firewall could do it, but they tend to be focused on on-demand access - i.e., it'll pop a message every time an app wants to use the network, and you end up with people turning the messages off.
Hiding the file extension - meaningless from a security viewpoint. Users still download SmileyCentral icon packs and explicitly install them.
Re:Or Unix or Mac ... (Score:5, Insightful)
Well done, you've managed to switch the argument from the factual to the hypothetical.
This is the standard debate tactic in this situation. Get everyone tangled in debating the possibility of potential but non-existent Mac and Linux malware, judging its likelihood against factual and vastly damaging Windows viruses, worms and botnets.
Just acquit Microsoft of all culpability for poor and short-sighted decisions, incurring costs in the billions, for millions of users, by saying, "eh, it was inevitable."
Re:Or Unix or Mac ... (Score:5, Insightful)
Re:Or Unix or Mac ... (Score:5, Insightful)
The second biggest problem is that people don't define what "secure" really means. In the context of trojan horses, it mostly means that the rest of the system is safe, even if the user account is wholly compromised. This is important, because it will be much easier to clean up the infection from a super-user account if the trojan can't use rootkit-like behavior to hide itself. In short, anti-virus running as root will have an easier time finding malware that isn't running as root. In this specific context, an operating system which (by default) runs as administrator is going to be less secure; however this has more to do with configuration and less to do with architecture, which is where a lot of people try to define security.
There are other contexts that you can look at, though. In most distributions of Linux, software updates are handled somewhat automatically for all software on the system. While this could be a security concern, in most cases, it's a boon to security. Did someone find a bug in Firefox? Ubuntu's daily security check will find it and ask you to install the new version. Bug in libc? Same thing. Since most software on the system will be updated in this way, security updates are more likely to be applied, and the system will, in general, be less susceptible to exploits.
Of course, all of this assumes classical malware that expects to be run as administrator. There's no particular reason that malware couldn't be written to be hard to detect from the user-account, and which waits until it can sniff a password or execute privileged code within a password-less sudo context. Malware also can do a lot of damage without hiding itself, and before the user becomes aware of its existence. This applies to just about any platform (indeed, any platform where the user is allowed to execute arbitrary code.)
Re:Or Unix or Mac ... (Score:5, Informative)
I assume that I found the correct contest, it fits the description.
They did, however, get the Vista box, by exploiting a flaw in Flash (from the same article). Both successful cracks were only achieved after the rules had been relaxed to allow exploits by "tricking" the judges into clicking on links to malicious web pages created by the contestants.
On the first day only direct attacks over the network were allowed, and all OSes survived that.
Re:Or Unix or Mac ... (Score:4, Insightful)
By that reasoning, there should be a proportional amount of viruses/worms/trojans for Linux and OS X. If 5% of desktop computers are Unix (OS X is Unix) or Linux, then 5% of the viruses should affect Unix or Linux. Somehow I don't see that. The reason that so much malware exists on Windows is that the Windows architecture makes it so easy to do. Linux and Unix make it harder to do.
Re:I am not trying to obnoxious. (Score:5, Insightful)
1. Fine - call me a dumbass. Water off my back.
2. I am not an average user - but I am not a hardcore Linux pro either.
a) I started somewhere - I used to be an average user way back when. No one is born a pro.
b) My mom is using linux via an XDMCP client on my dad's XP box - and loving it.
c) My wife is using Linux - and loving it.
d) Your argument sounds like an uninformed rant on a perception of the Linux desktop.
Now, on user-friendliness. You complain about something like installing an AGP card, or let's go wireless card.
And then you talk about the "average user" - let's then exclude gamers and geeks.
How many "average users" install new hardware on their Windows computers? The moment you feel confident enough to open up your tower case, rip out an old Graphics card and install a new one you are no longer an "average user".
I used to work in IT support at a retail store - and I had TONS of PCs come through my hands from normal people wanting me to do things like set up 3G modems, modems - yes, dialup on-board thingies, would you believe - "screen cards" and the like.
Now then - a Windows PC is pre-installed with the OS, no?
Let us go to Linux - you get pre-installed Linux boxes - fine for the "average user" - even easier to use. Plug into the network and you are online instantly, as a for instance.
No need to install office - it's there, chat client? there. You see - linux (and here I am referring to the desktop targeted distros such as Ubuntu/PCLOS/Mandriva etc) is very user friendly.
The moment you crack open the box to do something out of the ordinary however, you cross the line from "average user" to "pending geek".
I just wrote my first bash program this week, check it out - the source code is on my blog. It is a horrible mish-mash of commands and stuff to do something really badly - but it is there, and it is mine.
No way that I would have grown to the point of even attempting something like that as a Windows user.
There is a perception that Linux is hard/unfriendly/a nightmare - and detractors cling to this with all they have because in reality that is all they have criticism wise.
The one thing that detractors of Linux tend to overlook is the underlying philosophy behind it. I was able to write my little script because the community wanted me to write it. My success as a user/contributor is important to them.
That, my friend, is what makes Linux great.
As to you using it yesterday - if that is true I gladly apologize for my assumption. Your original comment, however, leaves me to think you are either lying for dramatic effect, or you popped in a disk, tried something out of the ordinary, and base all your assumptions on one wacky experience.
Most of getting to use Linux is getting past the "how it works differently" and then if you get your head around that you will be a-for-away...
peace.
Scary (Score:4, Insightful)
Re:Scary (Score:5, Interesting)
Or you could just learn how to properly secure XP and not go clicking all willy-nilly on every email you receive.
With a combination of three free programs and a bit of common sense, I haven't gotten a single virus or bit of spyware on my XP box in literally years. ZoneAlarm, AVG, and Spybot make a fantastic defense.
Re:Scary (Score:5, Funny)
Re:Scary (Score:5, Interesting)
Hence why I also said using a bit of common sense (i.e. not clicking on everything that shows up in your email) and using a well-configured firewall. I also will occasionally check on the traffic that is outbound from my PC just to make sure something like this has not occurred.
It really is not difficult to keep a windows box secure. Granted, it requires more attention than a Linux box, but still...it's quite easy to set up and maintain.
Re:Scary (Score:4, Insightful)
So Windows is fine if you know exactly what you're doing and don't make any mistakes.
But Linux is supposed to be the complicated OS...
Re:Scary (Score:5, Insightful)
ZoneAlarm, AVG and Spybot are _incapable_ of detecting trojans like the aforementioned Kraken simply because they are polymorphic. Don't be ignorant, just because these programs say you haven't been infected, there's a non-trivial chance that you have been.
Detection? (Score:5, Insightful)
How does it get in? Duh! (Score:5, Informative)
Re:How does it get in? Duh! (Score:5, Funny)
Re:How does it get in? Duh! (Score:4, Insightful)
And then they must be willing to act along the guidelines for security set by IT dept.
Re:How does it get in? Duh! (Score:5, Insightful)
Re:How does it get in? Duh! (Score:5, Interesting)
Of course, the user should think "hmm, why does this filename have
Windows could do a lot more itself. It could have a set of very basic rules to run on files when they are downloaded or double clicked.
E.g.: Filename has two extensions, the last of which is exe - mark as highly probable virus/trojan/spyware. Alert the user to this fact, with the "Continue" button disabled for 10 seconds, or never enabled, to force the user to rename. (Also only use the extension as a hint to the action that will be undertaken when double-clicked. Perform analysis of file contents to check that it actually appears to be that type of file.)
Don't run downloaded
Self-extracting zip archives should be identified and de-archived by the OS Zip extraction function, and the
But in the end, there will be idiot-user ways around these rules, there will be flaws in the rules (I'm not spending all day tweaking them for a mere Slashdot post), and the malware will adapt.
On a Mac I imagine you could just give your malware the system image icon in the application package, and it would fool most users. Apart from user education (hahahaaaaaaaaaaaaaaaaaaaaaaaaaa) it's going to be difficult to eradicate the malware problem.
Of course every time an image file format, or Office file format, etc, has a buffer overrun issue on an OS, exploits will be made. Parsers should be stricter, and peer reviewed for good secure programming practices.
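The two checks the comment above sketches (flag a double extension ending in an executable type, and trust the extension only as a hint to be verified against the file's actual contents) as a Python screening function. This is an added example, not code from the thread or from any Windows component; the executable-extension list and magic-byte table are illustrative choices of mine, and the sample files in the usage are constructed.

```python
"""Screen a downloaded file by name heuristics plus a content (magic-byte) check.

Added example. Extension lists and signatures below are illustrative, not exhaustive.
"""
from dataclasses import dataclass, field

# Extensions Windows will run directly on double-click (illustrative subset).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}
# Executable types whose content should begin with a DOS/PE "MZ" header.
PE_EXTS = {"exe", "scr"}
PE_MAGIC = b"MZ"

# Magic bytes for a few "innocent" types a decoy filename might claim.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
}


@dataclass
class Verdict:
    risk: str                       # "low", "medium" or "high"
    reasons: list = field(default_factory=list)


def split_extensions(filename: str) -> list:
    """Lowercase extension chain: 'pics.jpg.exe' -> ['jpg', 'exe']; 'README' -> []."""
    parts = filename.lower().split(".")
    return [p for p in parts[1:] if p]


def assess_download(filename: str, data: bytes) -> Verdict:
    """Combine the name heuristic with a content check and return a Verdict."""
    exts = split_extensions(filename)
    verdict = Verdict("low")

    if exts and exts[-1] in EXECUTABLE_EXTS:
        if len(exts) >= 2:
            # A decoy extension sits in front of the real one ('pics.jpg.exe').
            verdict.risk = "high"
            verdict.reasons.append("double extension ending in executable type")
        else:
            verdict.risk = "medium"
            verdict.reasons.append("directly executable file type")
        if exts[-1] in PE_EXTS and not data.startswith(PE_MAGIC):
            verdict.reasons.append("declared PE executable but header is not MZ")

    if exts and exts[-1] in MAGIC:
        # The extension is only a hint: verify the claimed type against the bytes.
        if data.startswith(PE_MAGIC):
            verdict.risk = "high"
            verdict.reasons.append(f"content is a PE executable, name claims .{exts[-1]}")
        elif not any(data.startswith(m) for m in MAGIC[exts[-1]]):
            if verdict.risk == "low":
                verdict.risk = "medium"
            verdict.reasons.append(f"content does not match .{exts[-1]} magic bytes")

    return verdict


if __name__ == "__main__":
    # Constructed samples: a decoy double extension, a genuine JPEG, a PE renamed to .jpg.
    for name, blob in [("kournikova.jpg.exe", b"MZ\x90\x00" + b"\0" * 60),
                       ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 60),
                       ("holiday.jpg", b"MZ\x90\x00" + b"\0" * 60)]:
        v = assess_download(name, blob)
        print(f"{name:22} {v.risk:6} {'; '.join(v.reasons)}")
```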
Spamming (Score:5, Insightful)
Re:Spamming (Score:4, Informative)
Yet another reason why you shouldn't be opening e-mail on a production server. Even if you are, the server admin at a Fortune 500 company ought to be smart enough to not click on the latest "Anna Kournikova pics!" e-mail.
Maybe this is why MS says that Outlook on an Exchange server is an unsupported configuration.
Re:Spamming (Score:4, Interesting)
How about "don't trust your users" and "don't set up your server as an uncontrolled relay for them"? It is certainly possible, if nothing else, to limit the number of connections/minute or the number of recipients/message to at least contain the damage rather than allow your users unfettered access to your mail subsystems.
Aggravating... (Score:5, Insightful)
1. Never tell you how you know if you're infected, and
2. Never tell you how to clean up your shit if you are.
However, they always give massively generalized statistics on how vulnerable you are!
Thanks, asshats.
The battle is lost (Score:4, Insightful)
There just aren't enough words.
Idiots (Score:5, Funny)
If it ends in
How bad will i get flamed for this? (Score:4, Insightful)
AV vendors ought to be ashamed of themselves. Even more so, the customers should be ashamed of themselves for continuing to pay for a program that doesn't REALLY protect them.
We MUST move away from definition-based "protection" and move to behavioral-based protection. Unfortunately there's only one major player who's trying to do that. That is Microsoft, with Vista's User Account Control. Unfortunately, that is also the feature that people dislike about Vista, and way too many people turn it off.
It's funny how badly people hate the tools needed to protect a PC.
Re:How bad will i get flamed for this? (Score:5, Insightful)
UAC isn't really a solution, either. All it does is to train the monkeys that you have to click an extra time in order to get the banana.
Education is what's needed. I no longer recommend antivirus to my family--I tell them to avoid running programs that they don't know about, not to trust any attachment that comes through the mail, and offer other suggestions for safe computing practices. Running without antivirus works to remove the perception of safe computing, making them actually think about the things that they're doing. This, incidentally, leads to actual safe computing.
Heed my words (Score:5, Funny)
Why is it hard to block this spam? (Score:5, Interesting)
most folks don't send more than 50 mails a day (number pulled out of a** and is for illustration only)
so how about this ISP anti-spam approach:
1) if a user sends more than 350 emails in a week, or more than 100 emails in a day, the ISP emails the user with a 'do you have a zombie' email.
this would list the subjects & initial contents of emails sent.
user could either reply 'yup, I send a lot of email please bump me up to a higher trigger level' or 'please help me fix this - I'm not really a viagra salesman'
x days/emails after the warning, the ISP could start blocking stuff if there was no response to their warning mail.
This would give people a chance to know if their machine was infected (I think mine is clean - but I certainly don't monitor outgoing SMTP traffic) and generally provide a service to all at little inconvenience.
Would this be bad ??? Is it really hard to spot a zombie PC that is sending spam out through your network?
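The threshold scheme the comment proposes (over 100 messages in a day or 350 in a week triggers a "do you have a zombie?" notice), as an added Python example run over constructed relay log lines; nothing here is code from the thread or from any ISP. The log format, account names and the sending patterns are made up for illustration.

```python
"""Flag customer accounts whose outbound mail volume exceeds per-day or per-week limits.

Added example. Log format "<ISO timestamp> user=<account> rcpt=<address>" is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 100    # messages per calendar day, from the comment
WEEKLY_LIMIT = 350   # messages in any seven-day window, from the comment
LOG_LINE = "{ts} user={user} rcpt={rcpt}"


def parse_line(line: str):
    """Return (timestamp, user) for one relay log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 3 or not fields[1].startswith("user="):
        return None
    try:
        ts = datetime.fromisoformat(fields[0])
    except ValueError:
        return None
    return ts, fields[1][len("user="):]


def find_suspect_senders(lines):
    """Return {user: [reasons]} for every account over a daily or weekly threshold."""
    sent = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user = parsed
            sent[user].append(ts)

    suspects = {}
    for user, stamps in sent.items():
        stamps.sort()
        reasons = []
        # Daily check: busiest calendar day.
        per_day = defaultdict(int)
        for ts in stamps:
            per_day[ts.date()] += 1
        day, count = max(per_day.items(), key=lambda kv: kv[1])
        if count > DAILY_LIMIT:
            reasons.append(f"{count} messages on {day} (limit {DAILY_LIMIT}/day)")
        # Weekly check: sliding seven-day window over the sorted timestamps.
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= timedelta(days=7):
                start += 1
            peak = max(peak, end - start + 1)
        if peak > WEEKLY_LIMIT:
            reasons.append(f"{peak} messages in seven days (limit {WEEKLY_LIMIT}/week)")
        if reasons:
            suspects[user] = reasons
    return suspects


def sample_log():
    """Constructed log: alice 30/day (clean), carol 60/day for a week (weekly breach),
    bob's box bursts 120 messages within two minutes on one day (daily breach)."""
    base = datetime(2008, 4, 1, 8, 0, 0)
    lines = []
    for day in range(7):
        for i in range(30):
            ts = (base + timedelta(days=day, minutes=i)).isoformat()
            lines.append(LOG_LINE.format(ts=ts, user="alice", rcpt=f"friend{i}@example.net"))
        for i in range(60):
            ts = (base + timedelta(days=day, minutes=i)).isoformat()
            lines.append(LOG_LINE.format(ts=ts, user="carol", rcpt=f"list{i}@example.net"))
    for i in range(120):
        ts = (base + timedelta(days=2, seconds=i)).isoformat()
        lines.append(LOG_LINE.format(ts=ts, user="bob", rcpt=f"rcpt{i}@example.org"))
    return lines


if __name__ == "__main__":
    for user, reasons in find_suspect_senders(sample_log()).items():
        print(f"{user}: {'; '.join(reasons)}")
```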
Undetectable? (Score:5, Interesting)
If it's truly undetectable, how would you know what percentage of cases were undetectable? Surely, by definition, you couldn't tell?
In other news, most women think I'm damn sexy. It's just undetectable in 99% of cases. But I'm sure they do!