Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Operating Systems Software Windows

New Massive Botnet Building On Windows Hole 223

CWmike writes "The worm exploiting a critical Windows bug that Microsoft patched with an emergency fix in late October is now being used to build a fast-growing botnet, said Ivan Macalintal, a senior research engineer with Trend Micro. Dubbed 'Downad.a' by Trend (and 'Conficker.a' by Microsoft and 'Downadup' by Symantec), the worm is a key component in a massive new botnet that a new criminal element, not associated with McColo, is creating. 'We think 500,000 is a ballpark figure,' said Macalintal when asked the size of the new botnet. 'That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's... starting to grow.'"
This discussion has been archived. No new comments can be posted.

New Massive Botnet Building On Windows Hole

Comments Filter:
  • Go vigilante (Score:2, Insightful)

    by Anonymous Coward

    It's time MS write botnets to exploit their own holes as means for patching said hole. Who gives a shit about the ethics of it, we are losing.

    ISPs need to be more vigilant as well. Cut off subscribers ASAP when they're machine begins sending botnet traffic.

    • Re:Go vigilante (Score:5, Insightful)

      by alohatiger ( 313873 ) on Monday December 01, 2008 @11:13PM (#25955367) Homepage

      ISP action is definitely appropriate. If they can tell who is using torrent software, they should be able to tell who is sending spam and which machines are part of a botnet.

      Filtering/quarantine at this level is like shooting down a scud missile on the way up instead of on the way down.

      • The biggest ISP at the college I used to go to (not the univeristy itself) used to do this. They'd profile traffic and shut down machines that were spamming or otherwise behaving badly.

        The way I see it, it's good for everyone, including the ISP. The only downside was when your roommate had something and your internet got shut off before a paper was due. :)

    • Re: (Score:2, Informative)

      Take a look at Schneier's arguments against this: http://www.schneier.com/blog/archives/2008/02/benevolent_worm_1.html [schneier.com]. One additional point is that stack/heap overflows and other memory-corrupting vulnerabilities often can't be made to be 100% reliable, and can be difficult to code for different service packs and such. This can be, and is, coded around as a matter of course, but a bug in the exploitation process can have disastrous and unpredictable results (in this case, interruption of a large swath of c

    • Re: (Score:2, Informative)

      Personally, I'd rather see Microsoft put the effort into writing a version of Windows that doesn't have all those vulnerabilities in the first place. Of course, that would mean throwing out an awful lot of old code and that goes against their corporate culture, so I'm not holding my breath.
  • It would be so easy. (Score:5, Interesting)

    by Surreal Puppet ( 1408635 ) on Monday December 01, 2008 @10:48PM (#25955163) Journal

    Every time i see one of these high-yield Windows remote execution holes, I'm tempted to couple a timed network-stack-erasing payload to it (24 hours should be enough for it to be able to infect through vpn-connected laptops and such) and send it cracking. Then i always begin to wonder why this hasn't been done already; is the combination of narcissistic recklessness and technical competence really that rare? It could be argued that it's more fun to play pranks and infiltrate corporate and government networks, but we don't even see things like that (I know it was more common up to the early 90s, when the "criminal prankster hacker scene" still existed outside of small tight groups...)? Or do people just cover it up? You sysadmins out there, have you ever had anything like that happen to you, or anyone you know?

    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday December 01, 2008 @10:54PM (#25955225)

      Then i always begin to wonder why this hasn't been done already; is the combination of narcissistic recklessness and technical competence really that rare?

      Pretty much. The closest was the "I Luv U" email which overwrote media files.

      Since then, it's all about profit. Why destroy a computer when you can use it to send spam?

      If you want to be really cruel, your "virus" would randomly alter a few numbers on any Excel spreadsheet it could access.

      • by Kijori ( 897770 )

        If you want to be really cruel, your "virus" would randomly alter a few numbers on any Excel spreadsheet it could access.

        Fortunately Microsoft cleverly protect their users against this by using closed file formats. Thank God for Microsoft!

      • It seems to me that if you had a 100K CPUs at your control, you could find something to do with those compute cycles that would be more profitable than SPAM, especially if you weren't restrained by what was legal. Like breaking encryption keys.

        Isn't there a more imaginative/profitable use of a botnet than to send spam?

    • by Anonymous Coward on Monday December 01, 2008 @11:15PM (#25955383)

      Welcome to the 21st century.

      Unlike the 90's, viruses aren't typically coded for the purpose of doing as much damage as possible. Between eBay, Paypal, Amazon, and the other major e-commerce sites, the internet is now worth hundreds of billions - even trillions - of dollars every year. Dollars that would be lost if it went down or that can be stolen by the boatload. By and large, the motive for hacking - including the use of botnets - is all money driven these days. The two most common attack vectors are to either hold a site for ransom, threatening to take it offline via a Denial of Service attack if a certain mount is not paid or to simply use the masses of drones to slow down anti-phishing efforts by distributing the fake page across hundreds of bots (after all, you can run a web server using 500k of RAM and 200k of disk space, plus space for the pages, i.e. a Paypal clone takes up about 5MB on a drone.)

      Judging by the size of this one, I'm going to guess its use will be the former rather than the later. 500,000 bots, all launched, say, the week of Christmas, would do a LOT of damage. Many of those systems will be corporate boxes and nobody will be sitting at them to monitor or notice anything, meanwhile a site that offers "last minute" shipping could be taken offline at the...well...last minute, costing them billions in lost sales. $10 mil would be a small price to pay to avoid that.

      So yeah, it was more common in the 90's, but hacking solely to cause damage isn't something done any more. At all. The only people doing that would be, for example, if the Chinese were trying to crack a US State Department or Pentagon system (using the drones for brute force remote login attacks). That happens, but even there, the intent isn't to harm the systems, but merely to gain a valid login so you can steal information. This goes on in the corporate world too. After all, don't you think Ford would be willing to cough up $2 mil if someone could hand them a copy of Toyota's future business plan right now?

      It's not so much that there aren't people who want to "just cause damage" but rather that those people grew up and realized they could make a lot of money by NOT damaging the systems. They needed jobs and there aren't a lot of positions available for someone with a skill set that includes brute forcing SSH logins. The generation that has come since them, mine (I'm 21, but I have friends who are 18 and 19, and we see each other as about the same) doesn't generally posses the level of skill of those who came before us. Sure, I can crack SSH and brute force NT Hashes with the best of them, but if you sit me and my 60 year old uncle both in front of a binary disassembler only he will know what he's doing, and finding the kind of flaw needed to make this massive botnet will require a very intimate knowledge of one.

      Sorry, the script kiddies that bring the world to its knees have grown up and they refuse to work without pay.

      • ...or to simply use the masses of drones to slow down anti-phishing efforts by distributing the fake page across hundreds of bots (after all, you can run a web server using 500k of RAM and 200k of disk space, plus space for the pages, i.e. a Paypal clone takes up about 5MB on a drone.)

        Interesting... if I wanted to host a web page on my computer, I'd have to log into my ISP to unblock port 80, direct port 80 on my router to my computer, and turn on web sharing on my computer. But I guess a lot of people stil

        • Re: (Score:3, Insightful)

          by Graymalkin ( 13732 )

          For starters it is trivial to embed an HTTP or mail server in a worm and is done all the time. They don't need to be full featured, simply functional enough to get their intended job done. As for the NAT issues the default usernames and passwords for popular routers is common knowledge. Given the number of LINKSYS and 2WIRE WiFi networks I can see from my apartment it's safe to say at least some of those people are still using those defaults. From there it's simply building the appropriate POST or GET reque

          • by socsoc ( 1116769 )
            I hate 2Wire equipment, but they did something right. There is not a common username and pass installed. The default pass is (mostly) unique to that piece of equipment and printed on a sticker on the bottom of the unit.
      • Re: (Score:3, Interesting)

        by trawg ( 308495 )

        Many of those systems will be corporate boxes and nobody will be sitting at them to monitor or notice anything, meanwhile a site that offers "last minute" shipping could be taken offline at the...well...last minute, costing them billions in lost sales. $10 mil would be a small price to pay to avoid that.

        Question: I'm not too savvy with the intricacies of DNS, but - could an organisation that was threatened with such a blackmail attempt do something like this:

        1) duplicate your web infrastructure on a number of different networks
        2) lower the TTL on your DNS records to something more responsive
        3) /if/ you are attacked, update DNS records to point to your alternate hosting (..repeat as necessary until you run out of sites or they give up)

        This is under the assumption that such an attack once launched would be

      • People worried all the time about viruses back in the 90's, because they wiped away important data and because it affected the end user. These days, the virus writers are so clever you can't tell there's a bot running on the computer at all, and so end users don't care anymore.

        It may not be a bad idea to start spreading time bombs via these security holes, to bring back user awareness of viruses and the damage they can cause. And, it would probably reduce the ability for such massive botnets to be created,

    • There was a fork of Blaster that installed the patch for the hole it used to spread, then deleted itself. Unfortunately, like Blaster, it had a tendency to crash the Messenger service, which causes Windows to reboot without letting the user interrupt the reboot. The anti-Blaster didn't get very far.

  • by FunkyRider ( 1128099 ) on Monday December 01, 2008 @11:03PM (#25955283)
    Reminds me an ancient joke:
    Windows is same as whores: They both have massive hole and full of viruses.
  • by PPH ( 736903 ) on Monday December 01, 2008 @11:03PM (#25955287)

    Do you want a larger, firmer botnet? One that all the ladies will love and other guys will envy? Here's how to enlarge your botnet quickly and easily.

    If your botnet stays up for 6 hours or longer, please seek the help of a physician.

  • Analogy (Score:4, Insightful)

    by jaavaaguru ( 261551 ) on Tuesday December 02, 2008 @12:01AM (#25955707) Homepage

    If you buy a gun, and leave it sitting in your front garden, then some criminals come along, take control of it, and kill everyone in your street, you're kind of responsible for that.

    Apart from the obvious killing != spam and/or fraud, how is leaving an unprotected OS with known problems available to be hijacked by anyone who wants to do damage with it any different? You should still be responsible (although the punishment might be different). Suppliers should be forced to make this obvious to people buying this stuff.

    • Re:Analogy (Score:5, Insightful)

      by NicknamesAreStupid ( 1040118 ) on Tuesday December 02, 2008 @12:42AM (#25955987)
      What if I buy a rosebush and plant it in my garden, then somebody uses it to deface little kids and old ladies with its thorns? Am I kinda liable for that?

      Is a computer more like a gun or a rosebush? I guess that depends on whether it is running Windows or Linux.
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Is a computer more like a gun or a rosebush? I guess that depends on whether it is running Windows or Linux.

        Wait... which is which?

      • Your analogy is more apt than the OP's. A loaded gun's uses are more singularly designed compared to that of say a crow bar, baseball bat, chainsaw, rosebush, unkempt PC, or unconscious syph infected hooker. All of the latter have designed uses other than causing harm whereas the gun is more or less useless other than as a weapon.

        You cannot blindly blame the owners of certain tools if the tools are covertly used by another party. If someone sneaks into my house, steals my carving knife, stabs someone with i

    • What if the choices are (Leave a gun in your yard) or (smash your television, audio system, and car). Because I just upgraded to Fedora 10 and lost all support for the Integrated sound, Nvidia, and my DVD burner. It's a choice between a security vulnerability and having half your hardware not working.
      • I'll go with the third option, thank you. The last computer I bought works fine with the Ubuntu it came with. Even then, I'll keep a NAT router between me and the Internet because I know I don't always install the security updates as soon as they're available.

        • Did you know Windows has Wi-Fi?
          • by Tatsh ( 893946 )

            Did you know in Windows Vista it takes 5+ clicks just to connect to a network? XP takes about 3, Linux takes one right-click on the NetworkManager icon (which shows found networks), Mac OS X takes one click on the wifi icon (which also shows found networks). Windows always lags.

            • And, at least in XP, you need admin privs to change network settings, and make those 3 clicks.

              That's nice, eh?

    • If you buy a gun, and leave it sitting in your front garden, then some criminals come along, take control of it, and kill everyone in your street, you're kind of responsible for that.

      Gun? Are you mad? Slashdot is about car analogies only.

      how is leaving an unprotected OS with known problems available to be hijacked by anyone who wants to do damage with it any different?

      One buys a car, forgets to lock it at night & it's used for a ram raid. Is the car owner responsible for the ram raid or a victim?

    • Re:Analogy (Score:5, Insightful)

      by Bane1998 ( 894327 ) <kjackson@@@crimebucket...com> on Tuesday December 02, 2008 @04:17AM (#25957021)

      Computer to 'Some simple concept' analogies are stupid as hell. Get over your elitism. Most people don't understand the first thing about computers, and they don't have to. Just like most people use a TV, VCR, whatever, without any clue how it works, they just use it to play movies. Blinking 12:00.

      Your analogy fails because leaving a gun out is gross negligence. It's a dangerous thing, and that's fairly obvious. A computer isn't. I suppose an argument could be made that computers are dangerous. It would be quite a stretch though. In that case there should be mandatory licensing to operate one, you know... like a car. But there isn't. So, either make the argument that computers are dangerous and should be controlled (and make sure you understand the actual ramifications of that argument), or stfu and realize that no, most people don't understand Computer Security or why it's important, and they never will.

      And then, as an expert in the field, learn that you aren't smarter than mom and dad using their computer, you just have a specialized skill set. Most nerd kids like prolly half the slashdot crowd are or were.. started out with computers coming naturally to them. It's easy to assume then that it shoudl come naturally to everyone. And when you see it doesn't, your first reaction is that something is broken in them. After that nerd grows up a bit in the world, that person learns that no... they aren't idiots. We just have an aptitude for something that others don't. And that doesn't make them dumb. They probably have skills we don't. Say... socializing for example. So my guess is your (and all those who always come to slashdot posting the same song and dance) maturity level hasn't quite evolved yet.

      And to not be elitist myself... I can admit I was once the same way. I grew out of it, as will you. :)

      • by kv9 ( 697238 )

        It's a dangerous thing, and that's fairly obvious. A computer isn't. I suppose an argument could be made that computers are dangerous.

        are you mad? look at HAL, Colossus or Skynet. pretty dangerous computers there.

      • by D Ninja ( 825055 )

        In that case there should be mandatory licensing to operate one, you know... like a car.

        Given that pretty much anybody can get a license (including some idiots that should never be a passenger in a car, much less the driver), I'm not entirely certain that this is the best analogy.

        The rest of your post is excellent, though.

  • use norton (Score:2, Funny)

    by delvsional ( 745684 )
    I use Norton, Mccaffee and AVG Grisoft all at once, oh wait nevermind. I don't use windows anymore.
  • Wouldn't it be nice (Score:2, Interesting)

    by Smuttley ( 126014 )

    if the people writing exploits for these security holes wrote a worm that once it had got onto a computer patched the exploit and then detached?

    You could call it Good Samaritan Computing or something ;)

    • by vwjeff ( 709903 )
      It is not uncommon for some of these malware programs to install, remove existing malware, and then patch the system. In this case the application writer is removing competition and preventing other malware programs from using the exploit.
  • by Chris Tucker ( 302549 ) on Tuesday December 02, 2008 @01:17AM (#25956161) Homepage

    "Botnets, spammer's botnets!
    What kind of boxes are on botnets?

    Compaq, HP, Dell and Sony, true!
    Gateway, Packard Bell, maybe even Asus, too!

    Are boxes, found on botnets.
    All running Windows, FOO!"

    I'm running Mac OS X 10.5.5, here.

    Why, yes. I AM a smug bastard!
    Thanks for asking.

  • How Do They Survive? (Score:4, Interesting)

    by Bob9113 ( 14996 ) on Tuesday December 02, 2008 @01:45AM (#25956347) Homepage

    I'm curious - how do infected computers survive on the Internet?

    We have legions of honeypots for the detection of infected hosts (not to mention the likes of GMail). ISPs have been qqing about bandwidth - surely bandwidth consumed by infection is the most loathsome waste.

    Why don't ISPs have a takedown system? They could restrict who they trust - perhaps only Symantec and McAffee, maybe hotmail, yahoo, and GMail as well. The could do a limited takedown of outbound email only, adding a message to the customer's email account. Perhaps have an HTTP interceptor display a page with links to tools for system cleaning, maybe commercial products if they feel the defense of their corner of the net is not sufficient recompense.

    OK, I can dig the risk of inappropriate takedowns - but we run that risk non-stop with the DMCA for a heckuva lot less tangible benefit.

    Expense? I'm sure we could get a few dozen folks together to write the software.

    Customer experience? Really now - if my Mom's computer was infected and her ISP told her, and gave her links to fix it, she'd love it.

    Inability to trust the router droppings? Half the Internet connections in the world are probably covered by a couple dozen ISPs - start with trusting only those router entries.

    So - what am I missing?

    • Re: (Score:2, Funny)

      by slydder ( 549704 )

      Bob,

      I agree 100% and that is exactly why I started WIPOC (World Internet Providers Organization Counsel) back in the early 90's. had a few ISP's/Hosting Companies interested.

      However, a majority of them were like "why? this will all be gone by the beginning of 2000 anyway. They will get it all under control".

      Well, hate to say it but "I F*CKIN TOLD YA!"

      You CANNOT always push responsibility for your problems onto others. and believe me. it's your networks so it IS your problem.

      rant done. nothing left to see he

      • by Bob9113 ( 14996 )

        hehe - damn - you were way ahead of me. :)

        However, a majority of them were like "why? this will all be gone by the beginning of 2000 anyway. They will get it all under control".

        So sad. How could they not understand? Ummm, "they"?!? Who is "they"? Hey, ISP - you are "they". Now let's get to work.

        Alas. Thanks for trying!

    • Re: (Score:2, Interesting)

      by ko10ha ( 1343785 )
      > Why don't ISPs have a takedown system?
      My ISP does. It took me down within hours when I let a friend connect his laptop to my network. He had a problem with his computer he told me. That proved correct - it was spamming like mad. But his own - cheapish - ISP did not take him down. So perhaps only solid and more expensive ISP have a take down system.
    • It's not always easy to clean up an infection. You can clean it up once, and then get infected again the next day because the cleanup didn't catch something. And having to clean up the same infection every day will hurt customer experience.

      And Microsoft's need to validate Windows before allowing access to patches doesn't help anything all. People who run illegal copies of Windows just won't update. It's not like being a part of a botnet has any effect on them.

  • Just block excessive web-requests or mails coming from a regular home connection and you have defanged whatever bot or zombie that might be lurking there. Without the ability to send spam or to participate in DDoS blackmail attacks, the machine is essentially worthless to the cyber-criminals. Sure, it might provide a password to some online backing and maybe a credit card number, but that's about it.

  • I think of Windows antivirus and I think of this picture [today.com]. "Ur doin it rong."
  • Re: (Score:2, Troll)

    Comment removed based on user account deletion

"For the love of phlegm...a stupid wall of death rays. How tacky can ya get?" - Post Brothers comics

Working...