Two Worm "Families" Make Up Most Botnets
JMoon writes "HNS has an article about the Sdbot and Gaobot families which are responsible for most botnets worldwide. These two families were responsible for 80 percent of detections related to bots during the first quarter of 2007. Other culprits, although on a much lesser scale, included Oscarbot, IRCbot or RXbot."
Well, you see, (Score:3, Funny)
Re: (Score:3, Funny)
Re: (Score:3, Informative)
And that won't change soon (Score:5, Informative)
Boy, was I wrong!
It took 10 seconds for the FTP to go berserk; a minute later I was a happy member of the still strongly going family of wormspreaders.
People simply don't update their systems. It's amazing: that thing is, afaik, about 5 years old now, and still there are a LOT of machines out there that still blow the worm through the net.
We're not talking about an unfixable problem, or at least one where the user has to be dumb enough to open the can for the worm (ok, bad pun). It's as simple as updating to SP2, something that works automatically.
You actually have to disable MS Messenger to at least cease to get those annoying popup messages, so why can people disable that but not update their systems? That's simply beyond my comprehension.
Re: (Score:3, Interesting)
Liability... (Score:5, Interesting)
Either way, the law doesn't look too kindly on computer trespass even if (you *claim*) your intentions are good.
Re:Liability... (Score:4, Interesting)
Are they arrested and thrown in jail? No, they are living very well in Russia from their ill-gotten gains.
There is no liability unless you are a complete idiot.
Re:Liability... (Score:5, Funny)
Re:Liability... (Score:5, Funny)
Are they arrested and thrown in jail? No, they are living very well in Russia from their ill-gotten gains.
There is no liability unless you are a complete idiot.
Re: (Score:3, Funny)
Ask Robert Morris (Score:5, Informative)
Re:And that won't change soon (Score:4, Insightful)
Updating to SP2 isn't simple though. It's a massive download if you're on dialup or even a slow DSL connection. On top of that it takes up a lot of disk space/RAM, and if you have anything but the latest high-speed machine you're going to be sitting there waiting a long time while it installs.
Make a CD (Score:5, Insightful)
If you have DSL or Cable and nothing else on your LAN is infected, your NAT or other firewall should protect you from "out of the box" threats. As long as you stick to known-safe web sites like windowsupdate and most security-software vendors, you should be OK long enough to get updated.
What's that? You are on DSL or Cable and do NOT have a firewall? Spend a few bucks and get one!
Re:Make a CD (Score:5, Insightful)
That one bears repeating. If you want to run Windows, you are simply going to have to run it behind an independent firewall, unless you're enough of a security expert to be able to outline an IP packet without looking at the books. If you are too cheap or poor to get one, (k)ubuntu is right over there. CDs to be had for a couple of euros, and with the refund for the Windows license, you're even going to save a few dollars or euros.
This goes for Windows up to and including XP. Never been near Vista, but from what I hear, it's the same deal.
Re: (Score:3, Insightful)
Re: (Score:2)
I'm using a Linux (CentOS) box as a firewall for my Windows network. Can you give me an example of the vulnerabilities you mention? I'd like to know how much risk I'm taking.
Re: (Score:2)
Spend money on one?! Dear oh dear..
Zonealarm [zonelabs.com] (requires annoying popups asking you to buy),
Agnitum [agnitum.com] (requires reg),
Kerio [sunbelt-software.com] (reverts to free features after 30 days),
Comodo [comodo.com] (totally free as it's an advert for Comodo other products)
Dialups aren't good Bot fodder anyway (Score:3, Insightful)
A large fraction of the problem can be taken care of by using a hardware firewall in front of your PC from the moment you first plug it in, which'll usually keep you safe long enough to get the current se
Re: (Score:2)
Re: (Score:2)
It's 2007. A couple hundred megs isn't a lot of disk space.
Come to think of it, a couple hundred megs is an average amount of RAM.
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
26
138
12.654
See? I also enjoy pulling random numbers out of my ass...
Re:And that won't change soon (Score:5, Informative)
Re: (Score:3, Insightful)
I have a plan. Thanks for helping me on the track.
Re: (Score:2)
Re:And that won't change soon (Score:5, Interesting)
I have seen firsthand and heard countless confirmations of people re-installing XP on their OEM system using the license key from the sticker that was glued to their system case, and being rejected by Microsoft's Product Activation. I'm not sure of the reason behind this, but I'd guess that most likely some keygen hacker program ended up randomly generating the same key and was used enough times that MS decided to distrust that key.
In my case, I was helping out a friend of the family with getting their laptop back in service after it had been hopelessly compromised by malware. I entered the key from the sticker on the bottom of their laptop, and Product Activation failed. I called the 1-800 number that Microsoft said to call, and went through all their steps to generate a new number, but it just told me that I was rejected and that my number was in fact really no good. I had no recourse, no appeal, no live body to talk to on the phone. So I did the only thing I could do to return the system to service, and used a Corporate license key that didn't need to be run through Product Activation and would not trip on WGA.
Now, you might say that pissing off all these legitimate users would actually be a good thing, because it will ultimately help Microsoft to shoot its foot clean off by enraging masses of legitimately licensed end users who've been disconnected from the net because they couldn't maintain their systems properly because MS couldn't validate their license even though it wasn't pirated. But I don't think it's quite fair to say that every license key that fails to pass WGA is ipso facto a pirate user. If you block everyone on suspicion of running an unpatched, compromised, pirated OS, you're going to affect a lot of screwed paying customers. As long as they rightfully blame Microsoft for being the cause of their woes, you should be in the clear. If the collateral damage is worth it, then I guess it's not a bad plan.
Re: (Score:2)
I wouldn't dream of doing this. If someone has problem with Windows and asks me for help my usual response is that I really don't know too much about Windows. Which is actually true.
Were I in your situation as described, I would be more inclined to say, "Sorry, you'll have to deal with Microsoft directly on
Re: (Score:2)
I don't want to report the WGA failures, I want to report the bot IP Addies. If nothing else, it might give clueless people an incentive to update their system or get the hell out of the 'net.
Either way is fine with me.
Re: (Score:2, Informative)
I called the 1-800 number that Microsoft said to call, and went through all their steps to generate a new number, but it just told me that I was rejected and that my number was in fact really no good. I had no recourse, no appeal, no live body to talk to on the phone
Through that 1-800 number you can eventually make it to a person. You can then read off your 48 digit number and they will give you another 48-digit number. They will then ask you the same questions they ask everyone and you will be on your way. I often have to call this number for OEM workstations.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
And yes, I am aware of a small percentage of legitimate users who had their licences invalidated. If that is the case, a simple 5 minute call to MS will have you up and rolling again. But don't try to blow smoke up anyone's ass and claim most of
Re: (Score:2)
Or don't do it, which is also their choice.
For the first time since win98 I'm actually on a legit copy of windows. I leave autoupdate on but usually take a few weeks to reboot after it grabs one because frankly, I don't really care. Half the time
Laziness as far as I can tell (Score:4, Insightful)
1) People who won't do any manual steps at all to update. Every so often, Windows has an update that needs you to interact with it. Rather than autoinstalling it'll just put the little "You've got updates" icon in your sys tray and pop up a bubble about it from time to time. However some people just refuse to deal with that. A couple clicks is more than they are willing to do. Totally automated is ok, but they can't be bothered to do anything more.
2) However an even larger number don't want their system to reboot. Tons of those at work. They have something or other running continuously that they can't be bothered to save the state on. So they turn off the updates so that it won't reboot. Yes, really.
That accounts for at least 90% of the no-update people I run across. There's a small percentage that won't do it because they read on some forum that some guy had a problem with an update and they are convinced Microsoft will break their system, but most are just lazy as hell.
Re: (Score:2)
They just turn them off entirely (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Recently, I had to put an SP1 WinXP online to demonstrate that it's (still) insecure to do that. I was expecting that the blaster menace has somewhat dwindled since its outbreak, simply 'cause it's been a while since its outbreak.
Clearly, you didn't turn on the firewall. Why not ?
Reduced diversity. (Score:5, Interesting)
2006: 74% from these families.
Hmm. Too bad bots reproduce asexually, otherwise we could hope for inbreeding to take them out.
Seriously, though, is the decreased diversity in bot "heritage" a good thing -- does it mean that bot infections are easier to detect and treat?
Or does it not make any bit of difference until the typical user learns to protect their PC?
Re: (Score:3, Funny)
Your answer: "yes". Now where's my cookie?
Re: (Score:2)
Name: Milk.Cookies.H567
Type: Tracking Cookie
Risk: Low
Fix / Quarantine / Delete / Do Nothing
Re: (Score:2)
Until either a) the average Net user's savvy increases and they take steps to protect their personal systems or b) systems are developed that don't require the user's interaction to provide adequate defense, the number of bots will increase steadily. Bots using the same base code but with variations will always be easier to track than completely new strains, but I think at this point the mechanisms for bot injection are so well known that this will end up being the best way to control them. And even th
Re: (Score:3, Informative)
Ecology problem (Score:2)
Seriously, though, is the decreased diversity in bot "heritage" a good thing -- does it mean that bot infections are easier to detect and treat? Or does it not make any bit of difference until the typical user learns to protect their PC?
The limited heritage diversity suggests that one might make a dramatic impact on the non-technical aspects of the problem with a carefully applied use of hardware. Unfortunately, that's a very short-term solution most likely to only result in rediversification and speci
Food for thought (Score:2)
I would not necessarily call that a good sign. Actually, I'd take it as an alarming signal. People are still as stupid as last year, so I wouldn't say that it's harder to infect machines.
Non Windows Bots (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Non Windows Bots (Score:5, Interesting)
I noticed my server's SSH port being hit a few years ago. I moved it to another port, locked the port down, then set up an SSH honeypot on the standard port. The honeypot attempts to ID people from programs using a variety of methods such as space between keystrokes and use of the backspace or delete key.
I found that once the attacking software appeared to have access to the server, a person would log in and check it out. Most of them attempted to use wget to dump a rootkit onto the server. I have grabbed copies of the software they attempt to download and checked it out.
It normally consists of a rootkit, network scanner, packet sniffer, and the scanning software to scan and hack SSH.
I think these are wannabe hacker kids trying to get in.
Redone bot runs on Linux (Score:3, Informative)
Re:Non Windows Bots (Score:5, Informative)
I am always willing to help people secure a system.
Re: (Score:2)
denyhosts (Score:2)
There's a reason for that. (Score:5, Informative)
People without the knowledge to code their own trojan/bot from scratch will naturally gravitate towards tools which allow them to make their money more easily, and it's a real time saver.
Or so I hear.
Re: (Score:3, Funny)
Yeah, I used to Oscarbot, but the EULA with their latest upgrade was a freakin' joke! Then they dropped support for Oscarbot 98, meanwhile their crappy software isn't even compatible with Vista. Thank God for OSS!
Re: (Score:2, Funny)
You get a lot of blank stares in casual conversation, don't you?
Re:"Or so I hear." (Score:4, Funny)
Oh wait, that'd be giving blank stares.... nevermind.
Families of Virii (Score:2)
There has to be some kind of parallel here.
Weird, but as I was writing this something tried to change my default search page. Usually I wouldn't say this, but I hope it was Microsoft
TLF
Re: (Score:3)
Though you may have learned that the plural of 'octopus' is 'octopi' and the plural of 'cactus' is 'cacti', the plural of 'virus' is viruses, not 'virii'.
If you use the logic "-us" => "-i", then we should have "virus" => "viri". Where the heck do people get the extra i?
Math-oriented people must be familiar with "radius" => "radii", but it does follow the same logic with the extra i already there in the singular form. Then again, "virii" is funny in the way that it emphasizes incorrect spelling. It's even more funny when used by someone pretending to work with computers where typos are much more dangerous than in natural languages.
Re: (Score:2)
But, language rules are sometimes broken. And virii looks better than viri and sounds better than viruses. It might be wrong, but that doesn't mean I can't like it more than what's 'right' as defined by some self-described language nazi.
Re: (Score:2)
Just like they like to use "boxen" as the plural form of box. It's pure 1337ness, and I hate it.
Does this make it easier for ISPs to spot them? (Score:2, Interesting)
If they do, then getting ISPs to proactively monitor their customers for botnet-specific activities and phone them when they see suspicious activity will go a long way toward eliminating these particular threats.
Imagine your mother getting this answering-machine message from her DSL provider:
"Hello Ms. Jones. You've heard of computer viruses? Our engineers are seeing signs of a virus on one of your computers. Pleas
Re: (Score:2)
No. Money spent and customer antagonized.
Re: (Score:3, Funny)
And for those who don't have geek relatives...
Her next call will be to the ISP's tech in India who will say to call Microsoft, who says to call your OEM computer vendor, who says to call your anti-virus vendor, who tells you to call your local Geek Squad, who then proceeds to just somehow fry your video card while formatting your computer.
Problem solved! Oh wait...
Re: (Score:2, Interesting)
My roommate set up a box and I guess he didn't finish patching it or something, because in less than a week, we got e-mail and snail mail from our ISP informing us of our PC that was scanning ports and more than likely had a virus. We took it off the network, but still haven't taken the time to wipe it and clean install it.
Fine, until... (Score:2)
Of course, I don't know whether the return is high enough to justify this sort of tactic, bu
Re: (Score:2)
Why should ISPs do that? (Score:2)
And now again, do you REALLY expect ISPs to have a keen interest to shut them down? They are their cash cows!
A valid botnet .. (Score:3, Interesting)
2 years ago I almost gave our security people a heart attack when I suggested an internal botnet.
We have most of our servers plugged into a tightly controlled IRC server.
All servers run a custom bot with limited access that pipe all critical files into specific IRC channels.
Response bots monitor the channels and take appropriate action, signaling the bots to run specific commands, paging, emailing, etc.
It allows NOC to run things like 'uptime' and have dozens of servers reply at once.
Security is tightly controlled at the bot and server level, using a custom hacked and very locked down UnrealIRCd.
For our security at least, it was the first example of a useful IRC setup that allowed easy monitoring and limited control of servers.
As bad as botnets are, they are very good at what they do.
Good example of allowing totally unrelated applications to communicate with each other, as basically all programming languages have IRC support.
And a funny side note, my slashdot "verification image" is "misuse"
Don't call it a botnet (Score:2, Insightful)
Probably not.
If you'd called it a distributed asset-monitoring and -control system and given it a fancy acronym like DAMACS or something, it would've been a better sell.
Re: (Score:3, Interesting)
The bots are all stored in our Subversion repository.
To install the bot they run a simple script along the lines of -
wget -O - http://repos/installer | perl
The IRC server is the next part, UnrealIRCd running modules such as NSAuth (among others).
Can't login without a user/pass, can't create a channel that isn't defined, can't
Can only msg in channels, and all non-bot chatter is logged.
Can't talk in log channels, but if you have permissions you can enter and watch the logs.
T
The Same Old Bots (Score:5, Informative)
First, the majority of these trojans, and these two specifically, are all IRC based. They are very easy to spot, especially in corporate environments. Why? Well, because most people do not use IRC while they are at work. Not to mention many companies will have policies against it. This makes intrusion detection for these kinds of bots very easy. Since most of these servers housing the bots are just standard Unreal IRCD (generally hacker-installed) or whatever IRCD undernet/efnet/etc. run on, they are not encrypted. This means when a machine connects, traffic with "NOTICE", "PRIVMSG", "JOIN #" etc. is all sent in the clear. There have been snort/bleeding snort rules to look for this type of activity for years and they haven't had to change much. Sure, the ports might not always be 6667-6669/7000, but looking for activity like this on a certain port is dumb to do anyway.
A simple analysis of most IRC traffic, should you have real-time peeks or capture logs, will tell you pretty quickly if it's malicious. If you see a nick change to XP|24249429 or USA|2942949 and it joins a channel called #owned with a topic of
Now finally, these two are quite popular. Why? Well, it has been said already. The source for them is out there and they are readily available. People frequently update and modify them to avoid AV detection. Hell, many people don't update and modify them. So many people are running without [updated] AV that it doesn't seem to matter much. If you notice how most people get infected, it's the same old thing. IM worm, e-mail worm, malicious website, or a scan for the 2 year old dcom exploit. Every time some new IE/Firefox/etc vulnerability is released, someone quickly makes it download their trojan.
These variants have been around for years. Luckily the people using them are pretty dumb. It's just a matter of time before worms/viruses/etc turn to web-based (not IRC) and encryption as the norm.
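As an added example (not from the post or the thread), a small Python detector that applies the signals the post describes to constructed cleartext payloads: IRC command lines on any port, bot-style nicks shaped like XP|24249429, and joins to a watch-listed channel such as #owned. The sample flows, the nick regex and the channel watchlist are constructed assumptions.

```python
import re
from dataclasses import dataclass

# IRC commands a freshly infected bot emits in the clear when it checks in.
# Matched on any port: pinning rules to 6667-6669/7000 is what the post argues against.
IRC_LINE = re.compile(r"^(?:NICK|USER|JOIN|PRIVMSG|NOTICE)\b", re.IGNORECASE)
# Bot-style nick: a short OS/country tag, a separator, then a long random number,
# e.g. "XP|24249429" or "USA|2942949" (the shapes quoted in the post). Assumed regex.
BOT_NICK = re.compile(r"^NICK\s+:?([A-Za-z]{1,4}[|_\-]\d{5,})\s*$", re.IGNORECASE)
# JOIN <channel> [key]; a channel key on a join is typical of a C&C channel.
JOIN_CMD = re.compile(r"^JOIN\s+(#\S+)(?:\s+(\S+))?", re.IGNORECASE)
STANDARD_IRC_PORTS = {6667, 6668, 6669, 7000}
SUSPICIOUS_CHANNELS = {"#owned", "#bots"}  # constructed watchlist

@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reason: str
    detail: str

def analyse_payload(src, dst, dport, payload):
    """Inspect one decoded TCP payload and return the Findings it triggers."""
    findings = []
    for raw in payload.splitlines():
        line = raw.strip()
        if not IRC_LINE.match(line):
            continue  # not an IRC command line (HTTP, binary, etc.)
        m = BOT_NICK.match(line)
        if m:
            findings.append(Finding(src, dst, dport, "bot-style nick", m.group(1)))
        m = JOIN_CMD.match(line)
        if m:
            chan, key = m.group(1), m.group(2)
            if chan.lower() in SUSPICIOUS_CHANNELS or key:
                findings.append(Finding(src, dst, dport, "suspicious channel join",
                                        f"{chan} key={key!r}"))
        if dport not in STANDARD_IRC_PORTS and line.upper().startswith(("NICK", "JOIN")):
            findings.append(Finding(src, dst, dport, "IRC on non-standard port", line))
    return findings

def scan(flows):
    """flows: iterable of (src, dst, dport, payload_text). Returns {src: [Finding]}."""
    results = {}
    for src, dst, dport, payload in flows:
        found = analyse_payload(src, dst, dport, payload)
        if found:
            results.setdefault(src, []).extend(found)
    return results

# Constructed sample flows: two bot check-ins, one HTTP request, one human IRC user.
SAMPLE_FLOWS = [
    ("10.0.0.23", "203.0.113.5", 6667,
     "NICK XP|24249429\r\nUSER x 0 * :x\r\nJOIN #owned sekrit\r\n"
     "PRIVMSG #owned :checking in\r\n"),
    ("10.0.0.42", "198.51.100.7", 8443, "NICK USA|2942949\r\nJOIN #bots\r\n"),
    ("10.0.0.9", "192.0.2.10", 80, "GET / HTTP/1.1\r\nHost: www.example\r\n"),
    ("10.0.0.15", "192.0.2.20", 6667, "NICK alice\r\nJOIN #linux\r\n"),
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_FLOWS).items():
        for f in findings:
            print(f"{src} -> {f.dst}:{f.dport}  {f.reason}: {f.detail}")
```

A human on a standard port with an ordinary nick and an unkeyed channel produces no finding, which is the point: the signals are the nick shape, the channel, and IRC showing up where it should not, not the port number.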
Re: (Score:2)
Re: (Score:2)
I believe that did happen sometime. The problem is, it's legally risky and opens them up to lawsuits/criminal charges.
ISP's half the problem (Score:5, Insightful)
What we have are general-purpose computers that people install random software on without thinking about where it came from, what it might do and the consequences of having that happen. Then, they don't check to see what their computer is doing when it is supposedly idle and thrashing around on the hard drive or is really slow. Well, maybe it is just getting old and needs to be replaced. Right.
So we have the equivalent of handing a loaded revolver to a three-year-old and leaving the room. We have seen how they can hurt themselves with it. We can see how they hurt others with it. And about all that is done is giving them some more bullets.
Let's be clear about one thing here. Windows "security" or the lack of it is not the problem. If the machine is locked down utterly so that nothing can be installed, removed or modified Windows security is perfectly adequate. Unfortunately, nobody seems to want to run their computer this way. There is no security if the "user" can simply install any old thing they want, be it some new flash player with a bug in it, WeatherBug or a bot trojan. Signing code is not the answer - people aren't reading the messages that are displayed. You could have a page of text displayed when a trojan is installed that says in eight different ways "this will take over your computer and make it ours" and people would install it.
The answer is pretty clear. General purpose computers that can have software installed are a tool that must be monitored, controlled and administered. Giving one to a user and leaving them alone with it is a recipe for disaster. Just like the disaster with spam, botnets and viruses we are seeing right now.
Re: (Score:2)
Your solution would take computers out of the hands of every non-expert user who didn't have a systems administrator handy. This would almost completely wipe out the home computer market. I don't disa
Re: (Score:2)
We'd create a whole new market.
Re: (Score:2)
Of course, this would only take care of the zombies in the country where the incentive is being offered...
Re: (Score:2)
As in, if Comcast or Verizon or AOL says, "Look, if you're not going to do something about the evil packets coming from your IP addresses, I'm going to have to do it myself by dropping all packets from you."
That has the effect of putting pressure even on ISPs from other countries. When their valid users start complaining that they can't g
O RLY? (Score:2)
ISPs should, and some do, look for infected machines and shut down the connections.
Re: (Score:2, Insightful)
I'm sure there are many large companies - ones that would love to protect the status quo - that would greatly support your proposal.
I think what you propose is crazy.
You have failed to follow throug
Re: (Score:3, Interesting)
Not on today's OSes and architectures, but those aren't the only possibilities.
Moving away from the assumption that software is trustable would be a great start. Why does my web browser have authority to overwrite my hosts file, just because I do and I'm the one logged in while it's running? Why does my email client have authority to launch executables?
O
Re: (Score:2)
Umm, I call BS on that statement!
See the proof!
Dear Valued Subscriber;
Thank you for subscribing to Ygnition's High Speed Internet Service. It
is our objective to provide excellent service to residents residing in the
apartment communities we serve. To that end, our service is provided for
the recreational use and enjoyment o
Regulating General-Purpose Computers (Score:2)
Two families??? (Score:3, Funny)
Oh, you mean *PUBLICLY* acknowledged virus writers?
Re: (Score:2)
Re: (Score:2)
White hat "mal'-ware? (Score:2)
Re: (Score:2, Interesting)
There is a classic case of this that happened IIRC at MIT on one of the early networks. Some bright person wrote a small worm that went around and performed regular updates to the systems. All went well for a few months or so, but then a previously unknown bug in the worm caused it to go nuts and brought the network down HARD. In a similar vein, as an example of how things can go wrong, there's a famous story of someone (seem to remember him being connected with NSA or CIA or one of them... son of the direc
Re: (Score:2, Informative)
Detection Question (Score:2)
Assuming the worm is smart and disables any/all preventative measures on the host system - can one observe certain network activity behavior that would give the worm away?
Re: (Score:3, Interesting)
Unusual activity on non-standard ports. At least that's how I discovered it at my last job. Open up a packet sniffer, let it pull in traffic for a little while, then investigate.
Smarter worms use standard ports, but then you tell by unusual traffic patterns. (ie, why does "Bob the idiot's" computer keep sending 2k of data to pron-iz-gud.com 50 times a minute??)
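An added example (not from the thread) of the traffic-pattern check this reply describes: group connection records by source/destination pair and flag pairs that talk at a near-constant interval with a near-constant size, like a box pushing ~2k to one host 50 times a minute regardless of port. The records, hostnames and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

def cv(values):
    """Coefficient of variation (population stdev / mean); 0.0 for fewer than 2 samples."""
    if len(values) < 2:
        return 0.0
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else 0.0

def find_beacons(records, min_count=20, max_interval_cv=0.25, max_size_cv=0.25):
    """records: iterable of (t_seconds, src, dst, bytes_sent) connection records.

    Returns {(src, dst): summary} for pairs whose connection timing and size are
    too regular for human-driven traffic (assumed thresholds, tune per network)."""
    by_pair = defaultdict(list)
    for t, src, dst, size in records:
        by_pair[(src, dst)].append((t, size))
    beacons = {}
    for pair, events in by_pair.items():
        if len(events) < min_count:
            continue  # too few connections to judge regularity
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        span = events[-1][0] - events[0][0]
        per_minute = len(events) * 60 / span if span else float("inf")
        icv, scv = cv(intervals), cv(sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            beacons[pair] = {"count": len(events), "per_minute": round(per_minute, 1),
                             "interval_cv": round(icv, 3), "size_cv": round(scv, 3)}
    return beacons

def constructed_records():
    """Constructed sample: one beaconing host and one normal browsing session."""
    recs = []
    # "Bob's" box: ~2 KB to the same host every 1.2 s, i.e. 50 connections a minute.
    for i in range(100):
        recs.append((i * 1.2, "10.0.0.8", "c2.example", 2048 + (i % 3) * 16))
    # Normal browsing: irregular gaps and widely varying sizes.
    t = 0.0
    for i in range(40):
        t += 0.5 + (i * 7 % 11)
        recs.append((t, "10.0.0.9", "news.example", 300 + (i * 131 % 9000)))
    return recs

if __name__ == "__main__":
    for (src, dst), summary in find_beacons(constructed_records()).items():
        print(f"{src} -> {dst}: {summary}")
```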
Re: (Score:2)
ISPs don't want to be responsible for net security (Score:2)
The problem as I see it is that ISPs don't want to be responsible for net security.
An ISP could detect bot IRC traffic and notify a customer who is originating bot commands. It's not that hard. All these bots use IRC. The IRC traffic is sent in plain text using well known commands. Even most of the channel names are well known. Every ISP knows the email address (and billing details) associated with every active IP address on their network. It's basic logging.
But if an ISP were to "offer this servi
responsible for most botnets worldwide (Score:2)
Re: (Score:2)
Actually they were people. They've all moved on now buddy!
Re: (Score:2)