Infected PCs for Rent
prostoalex writes "UK authorities are raising concerns about entire networks of infected and compromised PCs (BotNets) being available for sale or rent to the highest bidder. The Register quotes a detective from Hi-Tech Crime Unit saying 'The trade of BotNets of compromised machines is becoming an industry in itself. Organised crime is making use of this industry.'"
Immense power. (Score:5, Interesting)
Gives some merit to distributed hosting companies like akamai, etc.
Seriously guys. . . (Score:4, Interesting)
microsoft (Score:5, Interesting)
Media-whoring (Score:3, Interesting)
I just wrote a (bad) paper on a networking structure for games systems. I give it three weeks from when I hand it in until Organised Crime get their hooks into it. Apparently film piracy is also part of Organised Crime, and not my mate Donn, as I have previously thought.
Call me a cynic - but it seems to me that anyone who wants to get the media in on their thing cites Organised Crime as a benefactor and watches the links roll in.
OK - I'm done.
There is a solution (Score:5, Interesting)
Yes, I know this approach would be illegal. A felony computer crime in fact. I want legislation to make it legal and justified. I see it as self defense. Compromised nodes are clogging the internet with crap and the best defense is to knock them off-line. If I were standing in the middle of the freeway, clogging traffic and causing accidents the police would come remove me, by force if necessary. I see zombie nodes on the internet the same way.
... the dark side of distributed computing :-) (Score:5, Interesting)
Really, I do find this fascinating, albeit in an underhanded way.
Regards,
John
question (Score:5, Interesting)
Presumably the exploitation of these victim-lists will proliferate with all the automated efficiency that is the spammer's hallmark. At its logical extreme, there'll soon be multiple spammers descending simultaneously en masse onto each listed victim, which one way or another results in the victim being shut down (presumably).
So, might the predators eat themselves out of existence?
(I know. I've been watching too much sci-fi.)
Re:Blaming the user (Score:5, Interesting)
Installing anti-virus & firewall software are basic computer security measures, like closing the windows & locking your doors. Neither are foolproof, but both are simply a matter of training the user. Unfortunately, it's been my experience that installing anti-virus & firewall software tends to be a much more painful process.
And of course - downloading updates would be analogous to putting fuel in the car: it is basic maintenance that needs to be done relatively frequently.
Re:question (Score:5, Interesting)
An interesting idea.
If we take our cues from nature, I would expect that long before the predators exhaust their supply of prey, they will turn on each other. Each predator's worms/virii/malware will begin to not only infect machines, but destroy competitors' malware that has already infected the machine.
In fact, come to think of it, the most effective way to own a box is to infect it, destroy any competing malware, and then patch the exploit that allowed you to infect it in the first place! We may begin to see host-healing worms that do just this. (Without the ability to kill off competing infections, however, this practice is only marginally useful.)
Taking responsibility (Score:1, Interesting)
the only answer (Score:5, Interesting)
unfortunately, this would be illegal. however, that won't stop anyone; what's stopping people from doing this is that to someone who could do it it's a waste of resources. if you have all those machines out there you can get your hands on, why not use them for your own nefarious purposes, since the people who own them neither have the common sense nor the ability to control their own machines.
Re:the only answer (Score:3, Interesting)
Once you release a self-replicating entity, you lose control! This is a recurring theme in biological viruses, computer viruses, computer worms, the grey goo, etc. If you wrote a 'nice' worm, maybe you could keep a bit of temporary control by having a callback - until you DOS'd yourself if it spread well or someone else took over your machine or shut it down because either they want to own the worm and rent out infected machines or they just got sick of your worm running around and wasting their bandwidth.
That said, it might be interesting to make something more akin to a venus flytrap rather than just a honeypot.... If it got pinged by a known worm, it could respond automatically by rooting the box, removing the worm(s), and patching it. It'd still be illegal in most countries (unauthorized access / modifications), but at least the control would be centralized and the ethics thereof could be intelligently argued.
Of course, with anything like that, you're still going to trash *someone's* machine eventually. That said, I am very concerned about the current state of the worm business. It's only a matter of time until people start tracking *what* they actually get into rather than using these shotgun methods for peanut-level monetary gains renting zombie-net's out for spamming.
Here at Miami University (in Oxford, Ohio)... (Score:5, Interesting)
We estimate anywhere between 400 and 1500 of the ~10,000 on campus (student residential) machines have some sort of back door installed.
We have blocked any incoming traffic to any dorm machine (regretfully) so they can't be controlled from outside because we mostly are tired of getting blacklisted for DoSing people or for spamming.
The saving grace has been TippingPoint, a network traffic analysis tool that sits behind the backbone routers and adds a latency-free checkpoint dropping traffic related to the M$ft security exploits. And when they get Blaster, Bagle, Nachi, etc etc etc they get automatically disabled by the routers and we (IT Services Support on campus) either fix their issues for them or they have to fix them themselves. When fixed they are automatically re-enabled.
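The automatic disable/re-enable loop this post describes (drop traffic matching known worm signatures, cut the offending host off, restore it once it has been fixed) can be sketched as a small controller. The code below is an added example, not the poster's or TippingPoint's code; the log format, the signature names and the `QuarantineController` interface are constructed for illustration, and a real deployment would key on the IDS's own rule identifiers and push rules to the routers instead of collecting them in a list.

```python
"""Added example: a minimal auto-quarantine controller driven by IDS alerts.

Hosts that trigger a known-worm signature are disabled; they are re-enabled
only when an explicit CLEAN (verified-fixed) event arrives, never on a timer,
so a still-infected host cannot simply flap back onto the network.
"""
import re
from dataclasses import dataclass, field

# Constructed alert format for this example (not a real IDS log format):
#   <timestamp> ALERT <ip> <signature>
#   <timestamp> CLEAN <ip>
LINE_RE = re.compile(r"^(\S+) (ALERT|CLEAN) (\d+\.\d+\.\d+\.\d+)(?: (\S+))?$")

# Placeholder signature names for the worm families the post mentions.
KNOWN_WORM_SIGS = {"worm.blaster", "worm.bagle", "worm.nachi"}

# Constructed sample log: two hosts hit by worms, one benign alert, one host
# fixed and then re-infected.
SAMPLE_LOG = """\
2004-02-01T10:00:00 ALERT 10.20.3.4 worm.blaster
2004-02-01T10:00:05 ALERT 10.20.3.4 worm.blaster
2004-02-01T10:01:00 ALERT 10.20.7.9 p2p.filesharing
2004-02-01T10:02:00 ALERT 10.20.5.6 worm.nachi
2004-02-01T11:30:00 CLEAN 10.20.3.4
2004-02-01T11:31:00 ALERT 10.20.3.4 worm.nachi
"""


@dataclass
class HostState:
    disabled: bool = False
    reasons: list = field(default_factory=list)  # signatures seen since last CLEAN
    disable_count: int = 0                        # how often this host was cut off


class QuarantineController:
    def __init__(self):
        self.hosts = {}     # ip -> HostState (only hosts that ever triggered)
        self.actions = []   # (action, ip, signature, timestamp) in order

    def process_line(self, line):
        """Apply one log line; returns the action taken ('disable', 'enable') or None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None  # unparsable line: ignore rather than guess
        ts, event, ip, sig = m.groups()
        if event == "ALERT":
            if sig not in KNOWN_WORM_SIGS:
                return None  # not a quarantine trigger (e.g. policy alerts)
            h = self.hosts.setdefault(ip, HostState())
            h.reasons.append(sig)
            if h.disabled:
                return None  # already cut off; just record the extra evidence
            h.disabled = True
            h.disable_count += 1
            self.actions.append(("disable", ip, sig, ts))
            return "disable"
        # CLEAN: only a verified fix restores access
        h = self.hosts.get(ip)
        if h is None or not h.disabled:
            return None
        h.disabled = False
        h.reasons.clear()
        self.actions.append(("enable", ip, None, ts))
        return "enable"

    def disabled_hosts(self):
        return [ip for ip, h in self.hosts.items() if h.disabled]

    def deny_rules(self):
        """Router ACL lines for currently quarantined hosts (constructed syntax)."""
        return [f"deny ip host {ip} any" for ip in sorted(self.disabled_hosts())]


def process_log(text):
    """Feed every line of an alert log through a fresh controller and return it."""
    ctrl = QuarantineController()
    for line in text.splitlines():
        ctrl.process_line(line)
    return ctrl


if __name__ == "__main__":
    c = process_log(SAMPLE_LOG)
    for action in c.actions:
        print(action)
    print("quarantined:", sorted(c.disabled_hosts()))
```

Two design points worth keeping even in a toy: re-enabling is tied to a verification event rather than elapsed time, and repeat alerts from an already-quarantined host are recorded but do not generate duplicate router changes, which keeps the rule set stable when a worm retries hundreds of times a minute.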
Re:Blaming the user (Score:4, Interesting)
For the sake of argument, let's say currently a full 90% of users are totally clueless, and it is somehow possible to wave a magic wand and make 90% clueful, leaving only 10% of them blameworthy.
What happens?
DDoS type attacks can't find nearly as many machines to work from. So the writers use a trojan, and have to increase the delay between propagation and activation. Because infection is typically a non-linear process, often approaching a square or logarithmic function for some parts of the process, the delay has to be increased from, say, a week to two weeks. Meanwhile, the patch for the trojan takes its usual month to develop, and the social structures that be are reluctant to tell even the clueful about a threat that is still unpatched as yet.
So long as the Trojan writer has abundant extra time to maneuver within, 'he' isn't strongly affected by the improvement in user cluefulness. Yes, it creates some extra stumbling blocks, such as a better chance of the Trojan being detected earlier in the process, but professional Trojan writers have shown serious ability to work around these obstacles.
In addition, although it's an unrelated point to yours, these particular attacks are also supposed to be related to blackmail. Successful blackmail doesn't require a real threat, but merely one the victim believes is real.
Re:Blaming the user (Score:3, Interesting)
Fortunately getting the firewall on slowed it down enough to get the patch and clean the system.
This was the third virus I've gotten, the other I got at the same time off of a 5.25" floppy (that long ago, MSdos was still on the 3.x version.)
As far as I'm concerned that is a recall level problem, if a car or tv was that faulty out of the box a recall would almost be certain.
How is it we tolerate this out of 'commercial' software? And accept we'll have to patch most out of the box to get them to work. It's one thing if something doesn't work perfectly with some obscure hardware (though the o.s. and drivers are what's broken in this case). But to be almost unusable is not acceptable.
Would you buy a car that if the radio was turned on at the wrong point during some songs it blew a fuse and caused the control module to think it was pumping too much gas to the injectors?
Would you buy a tv that couldn't get the odd numbered channels after watching a channel above 9 unless you powered it off then on with the remote only?
And before anyone starts in on how computers are so much more complex than the above, or how impossible it is to test against everything, etc. I would like to point out that cars and tv's and so on have gotten VERY complex (just look into some of what the ecm module in a new car does).
And simply making sure your code can handle, in a graceful way, any inputs, exceptions, or other out of bounds conditions it may have to deal with, and that is possible. Some languages make it hard not to and still 'commercial' programs written in these languages still crap out for things they should have been able to deal with, or at least recover from.
Mycroft
Re:Terrorism? (Score:3, Interesting)
Mom? Bro? MacOS thank you. OSX means I can fix mom's machine from 3000 miles away.
So yeah, my boxes that serve and relay mail (80% spam) can just block SMTP connections with Windows fingerprints. Perhaps just bump it up to port 26 and a listener with much more rigorous anti-spam.
Nah, just segregate the dangerous windows folks off. Like to AOL or CompuServe. I'll never get back the happy days when you had to be tall enough to be on the Internet.
And yeah, 2 people on IPv6. Heard about the same thing in 1990 about the Internet. Just a couple geeks. Nobody over here. You guys just stay on your boxes and keep your CompuServe accounts and stay on IPv4.
RE: terrorism
When important services are brought down by DDOS and viruses (east coast blackouts anyone?), it's terrorism. The U.S.A.P.A.T.R.I.O.T. act [epic.org] notwithstanding, being able to buy and run hundreds of thousands of compromised Windows machines (and cable/DSL providers and MS stand by with no action) means that we ain't seen the least of it.
Taking responsibility not possible for most (Score:2, Interesting)
I hate to say it, but the only solution for Windows users is Palladium. Yes, Palladium prevents users from running the software of their choice and effectively puts their machine under the control of Microsoft. But their stupid choices are the problem! Besides, if they really wanted choice, they wouldn't be running Windows.
Palladium doesn't fix the system security holes, but it does fix the biggest security hole on most Windows machines - the user. It could be good for the net - provided that responsible users aren't forced to use it. At present, the test is easy. Windows users need Palladium. Others don't. (Yes, I know there are competent Windows users out there - but I've never met one.)
Re:Terrorism? (Score:5, Interesting)
That kind of thing already happens. A friend of mine does administration for a couple small and medium size ecommerce sites. The calling card is typically a 30 minute DDoS attack followed by an email and/or phone call saying "we can make this problem go away if you pay us".
If you don't pay them they DDoS you a few more times. If you pay them, they DDoS you a few more times and demand more money. Only option is to go to the Feds with it and hope they use attacks your upstream provider can help filter.
Re:question (Score:5, Interesting)
This begs the question: will viruses ever stop being viruses and start being symbiotic entities that live in our computers similar to the E. coli bacteria in our intestines (which we need to digest food properly)?
Someone earlier mentioned that there are few viruses out there that reformat hard disks, because doing so puts people on guard, preventing future infections. And someone else mentioned that he knows someone whose hard drive is full of strange executables that are undoubtedly of malicious origin, but the person doesn't care as long as the computer still runs the same.
Following these trends to their head, I believe the "virus" (if you want to call it that) of the future will be something that infects a machine, and then does everything it can that is invisible to the user to improve the state of the computer: it would run Windows Update periodically to defend against other worms, perform hard disk defrags and other performance optimizations to give it more computing resources to work with, all the while giving the user's packets and tasks a higher priority so as to not set off any alarms. This is the type of worm that would "earn" its place on the computer by being so innocuous that the user wouldn't even have to worry that it's there.
Viruses have already evolved to parasites, and soon they will be symbiotes.
Re:How is that possible? (Score:3, Interesting)
The banks would get a message like "we've found $HUMILIATING_SECURITY_BREACH but for $25,000 we won't tell the press". Then they'd pay, and in a week would get a bunch more messages from other places making the same threat and demand.
Different kind of threat, but the same underlying problem.
Re:Blessing in disguise? (Score:4, Interesting)
Now if these machines were being used to do something illegal then the buyers of the service could be held accountable, and the money trail makes it trivial to track down.
Re:A preview for Grid Computing? (Score:3, Interesting)
University computers: queues for PCs at any hour of the day or night, and 80% CPU when they're being used because they're 500MHz pentiums running Windows.
Normal corporate computers: okay, these aren't being used at night, but remember they're being maintained by petty little people whose ideal day at work involves imposing a coffee-machine policy: don't be surprised if they're all powered-down at night to save electricity.
Corporate development machines: Rather better specified (racks of dual 3GHz machines), but again being used day and night, almost continuously compiling, running, or testing something, and at night (when the developers leave at midnight), they're either left compiling something that takes all night, or left downloading ISOs that would take too much bandwidth in daytime.
Grannys' home computers: turned on when needed. Arguably it's mostly idle, but the owner will complain like buggery if it's ever slow to respond, plus its internet connection is a 56K phone line once every 3 days.
Slashdotters' home computers: Constantly on, and constantly in use. How many people are going to put up with Tribes running slowly because their "idle" computer is being used to fold proteins? And how many people want their pr0n to download slower because they're DDoSing some public target?
So where are all these PCs running at 1% CPU continuously?