Security Spam

Infected PCs for Rent

prostoalex writes "UK authorities are raising concerns about entire networks of infected and compromised PCs (BotNets) being available for sale or rent to the highest bidder. The Register quotes a detective from Hi-Tech Crime Unit saying 'The trade of BotNets of compromised machines is becoming an industry in itself. Organised crime is making use of this industry.'"
  • Immense power. (Score:5, Interesting)

    by nil5 ( 538942 ) on Friday April 30, 2004 @07:50PM (#9024277) Homepage
    With the number of known vulnerabilities in Microsoft operating systems, (not to mention the ones we don't even know about) it is really not hard to imagine these botnets being frighteningly large. I read one article that estimated the current number at something like 100,000! I doubt it's enough to bring down the entire Internet, but this could still be capable of providing some crushing DoS attacks, a la SCO.

    Gives some merit to distributed hosting companies like akamai, etc.
  • Seriously guys. . . (Score:4, Interesting)

    by UFNinja ( 726662 ) on Friday April 30, 2004 @08:00PM (#9024364)
    We need to start beating the living crap out of people who mess with our stuff. Spammers, malware writers, black hats, you wouldn't put up with the neighborhood kid stealing your bike would you? No. You'd go kick his ass and take back your bike. It's time to start kicking ass and taking back our Internet.
  • microsoft (Score:5, Interesting)

    by stfubye ( 775997 ) on Friday April 30, 2004 @08:14PM (#9024446) Homepage
    A guy I know runs his unpatched Windows XP computer 24/7, and never does virus scans. The other day he got 1000+ (around 400mb) executable files in his C home directory. I asked him what he plans to do about it, and surprisingly enough he didn't want to apply critical updates. He said he doesn't care what people do to his computer, because he does nothing important on it. It amazes me how many people must think like him.
  • Media-whoring (Score:3, Interesting)

    by Pike65 ( 454932 ) on Friday April 30, 2004 @08:18PM (#9024471) Homepage
    Is there anything that Organised Crime isn't making use of these days?

    I just wrote a (bad) paper on a networking structure for games systems. I give it three weeks from when I hand it in until Organised Crime get their hooks into it. Apparently film piracy is also part of Organised Crime, and not my mate Donn, as I have previously thought.

    Call me a cynic - but it seems to me that anyone who wants to get the media in on their thing cites Organised Crime as a benefactor and watches the links roll in.

    OK - I'm done.
  • There is a solution (Score:5, Interesting)

    by osjedi ( 9084 ) on Friday April 30, 2004 @08:21PM (#9024487)
    I strongly believe that the most effective way to end this would be to scan for compromised nodes, identify them, and KNOCK THEM OUT. Then the user can call the local home-computer fixit guy to come fix their computer. He'll see it's infected with malware and fix it. User gets his computer fixed, fixit guy makes a buck, and one less node is spewing out sh*t.
    Yes, I know this approach would be illegal. A felony computer crime in fact. I want legislation to make it legal and justified. I see it as self defense. Compromised nodes are clogging the internet with crap and the best defense is to knock them off-line. If I were standing in the middle of the freeway, clogging traffic and causing accidents the police would come remove me, by force if necessary. I see zombie nodes on the internet the same way.
  • by JMZorko ( 150414 ) on Friday April 30, 2004 @08:27PM (#9024533) Homepage
    I find this fascinating. Programs like SETI@home use the CPU of millions of distributed nodes to crunch SETI data -- a far more scalable solution to computing problems like this than running a big machine / cluster of your own. This article describes the same thing, except on the opposite side of the line -- millions (potentially?) of distributed nodes being used to do the will of spammers / virus writers / etc., a far more scalable solution than running your own spamming system.

    Really, I do find this fascinating, albeit in an underhanded way.

    Regards,

    John

  • question (Score:5, Interesting)

    by moviepig.com ( 745183 ) on Friday April 30, 2004 @08:28PM (#9024543)
    So there's a new micro-ecology of predators (spammers) and prey (vulnerable machines).

    Presumably the exploitation of these victim-lists will proliferate with all the automated efficiency that is the spammer's hallmark. At its logical extreme, there'll soon be multiple spammers descending simultaneously en masse onto each listed victim, which one way or another results in the victim being shut down (presumably).

    So, might the predators eat themselves out of existence?

    (I know. I've been watching too much sci-fi.)

  • Re:Blaming the user (Score:5, Interesting)

    by Draknor ( 745036 ) on Friday April 30, 2004 @08:46PM (#9024649) Homepage
    No, it's more like blaming the dumb shit who leaves his doors unlocked and his windows open (pun not intended, but apt!), and then leaves the car sitting in a questionable neighborhood.

    Installing anti-virus & firewall software are basic computer security measures, like closing the windows & locking your doors. Neither are foolproof, but both are simply a matter of training the user. Unfortunately, it's been my experience that installing anti-virus & firewall software tends to be a much more painful process.

    And of course - downloading updates would be analogous to putting fuel in the car: it is basic maintenance that needs to be done relatively frequently.
  • Re:question (Score:5, Interesting)

    by Xeger ( 20906 ) <slashdot AT tracker DOT xeger DOT net> on Friday April 30, 2004 @08:48PM (#9024664) Homepage

    An interesting idea.

    If we take our cues from nature, I would expect that long before the predators exhaust their supply of prey, they will turn on each other. Each predator's worms/virii/malware will begin to not only infect machines, but destroy competitors' malware that has already infected the machine.

    In fact, come to think of it, the most effective way to own a box is to infect it, destroy any competing malware, and then patch the exploit that allowed you to infect it in the first place! We may begin to see host-healing worms that do just this. (Without the ability to kill off competing infections, however, this practice is only marginally useful.)

  • by Anonymous Coward on Friday April 30, 2004 @08:51PM (#9024685)
    Tracing controllers of a botnet is next to impossible ... and everyone says that the people running the trojans are innocent victims. Well, this is going to carry on until the 'victims' are punished for their BLATANT NEGLIGENCE. They CHOOSE to run M$ software, and Outlook ... therefore they CHOOSE to run the risk of viruses. I say we start cutting them off their ISPs, maybe even prosecuting a few to make an example of them ... windoze lusers will start paying attention to their security *then*, and botnets will die.
  • the only answer (Score:5, Interesting)

    by pizza_milkshake ( 580452 ) on Friday April 30, 2004 @08:55PM (#9024715)
    the only real answer would be to write a worm to wiggle its way onto exploitable machines, patch known holes, i.e. turning off most services, setting common application settings to common-sense ones and then delete itself.

    unfortunately, this would be illegal. however, that won't stop anyone; what's stopping people from doing this is that to someone who could do it it's a waste of resources. if you have all those machines out there you can get your hands on, why not use them for your own nefarious purposes, since the people who own them neither have the common sense nor the ability to control their own machines.

  • Re:the only answer (Score:3, Interesting)

    by Satan's Librarian ( 581495 ) * <mike@codevis.com> on Friday April 30, 2004 @09:42PM (#9024992) Homepage
    Eh? And what happens when you need to fix next week's patch after already releasing last week's worm? Are you going to flood the net with crap for each Microsoft update? Leave a 'back door' in your worm that no bad guys will find? It wouldn't work in the long run (and I'm being generous and allowing that there's a small chance in hell it might work short-term to patch a few current holes), and it'd be at least as annoying as the previous viruses. We already have NetSky et al. and a worm war - and I haven't noticed it helping the situation much. The idea is old (late 80's, google for DenZuk), and it failed then too.

    Once you release a self-replicating entity, you lose control! This is a recurring theme in biological viruses, computer viruses, computer worms, the grey goo, etc. If you wrote a 'nice' worm, maybe you could keep a bit of temporary control by having a callback - until you DOS'd yourself if it spread well or someone else took over your machine or shut it down because either they want to own the worm and rent out infected machines or they just got sick of your worm running around and wasting their bandwidth.

    That said, it might be interesting to make something more akin to a venus flytrap rather than just a honeypot.... If it got pinged by a known worm, it could respond automatically by rooting the box, removing the worm(s), and patching it. It'd still be illegal in most countries (unauthorized access / modifications), but at least the control would be centralized and the ethics thereof could be intelligently argued.

    Of course, with anything like that, you're still going to trash *someone's* machine eventually. That said, I am very concerned about the current state of the worm business. It's only a matter of time until people start tracking *what* they actually get into rather than using these shotgun methods for peanut-level monetary gains renting zombie-nets out for spamming.

  • by ToadMan8 ( 521480 ) on Friday April 30, 2004 @09:56PM (#9025051)
    We have a bot network problem like everyone else... these things riding in on the coat-tails of the M$ft vulnerabilities has given us the 'ol one-two punch.

    We estimate anywhere between 400 and 1500 of the ~10,000 on campus (student residential) machines have some sort of back door installed.

    We have blocked any incoming traffic to any dorm machine (regretfully) so they can't be controlled from outside because we mostly are tired of getting blacklisted for DoSing people or for spamming.

    The saving grace has been TippingPoint, a network traffic analysis tool that sits behind the backbone routers and adds a latency-free checkpoint dropping traffic related to the M$ft security exploits. And when they get Blaster, Bagle, Nachi, etc etc etc they get automatically disabled by the routers and we (IT Services Support on campus) either fix their issues for them or they have to fix them themselves. When fixed they are automatically re-enabled.
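The detect-then-quarantine loop the poster describes (worm traffic spotted on the backbone, the offending dorm host cut off at the router, re-enabled once support marks it clean) can be sketched in a few dozen lines. The following is an added example, not code from the thread and not TippingPoint's product: the flow records, the two scan rules (a TCP/135 sweep in the style of Blaster and an ICMP echo sweep in the style of Nachi) and the fan-out thresholds are all constructed assumptions for illustration.

```python
"""Worm-scan detection over flow records plus a host quarantine table.

Added example, not from the Slashdot thread or from TippingPoint.
Flow records, rule names and thresholds below are constructed.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets).
# 10.1.2.10 sweeps TCP/135 across 45 hosts (Blaster-style RPC DCOM scan),
# 10.1.2.11 pings 39 hosts in a row (Nachi-style echo sweep),
# 10.1.2.12 is a normal user talking to two web servers.
FLOWS = [
    ("10.1.2.10", f"10.1.{i}.{j}", "tcp", 135, 1)
    for i in range(3, 8) for j in range(1, 10)
] + [
    ("10.1.2.11", f"10.1.9.{j}", "icmp", 0, 1) for j in range(1, 40)
] + [
    ("10.1.2.12", "192.0.2.80", "tcp", 80, 40),
    ("10.1.2.12", "192.0.2.81", "tcp", 443, 12),
]

# Assumed rules: a source that touches more than max_fanout distinct
# destinations on the given protocol/port is treated as a scanner.
SCAN_RULES = {
    "rpc-dcom-sweep": {"proto": "tcp", "port": 135, "max_fanout": 20},
    "icmp-echo-sweep": {"proto": "icmp", "port": 0, "max_fanout": 25},
}


def detect_scanners(flows, rules=SCAN_RULES):
    """Return {src_ip: rule_name} for every source exceeding a rule's fan-out.

    Fan-out counts distinct destinations, not packets, so a busy but
    legitimate host talking to a handful of servers is not flagged.
    """
    fanout = defaultdict(set)  # (src_ip, rule_name) -> distinct dst_ips
    for src, dst, proto, port, _pkts in flows:
        for name, rule in rules.items():
            if proto == rule["proto"] and port == rule["port"]:
                fanout[(src, name)].add(dst)
    hits = {}
    for (src, name), dsts in fanout.items():
        if len(dsts) > rules[name]["max_fanout"]:
            hits[src] = name
    return hits


class Quarantine:
    """Hosts blocked at the router until support marks them clean."""

    def __init__(self):
        self.blocked = {}  # src_ip -> first rule that triggered the block

    def apply(self, hits):
        """Block every newly detected scanner; return the full blocked set."""
        for src, reason in hits.items():
            self.blocked.setdefault(src, reason)
        return set(self.blocked)

    def release(self, src):
        """Re-enable a host after it is fixed; False if it was not blocked."""
        return self.blocked.pop(src, None) is not None

    def is_blocked(self, src):
        return src in self.blocked


if __name__ == "__main__":
    q = Quarantine()
    print("blocked:", sorted(q.apply(detect_scanners(FLOWS))))
```

A host that is released and starts scanning again on the next flow batch is simply blocked again by the next `apply`, which is the property the poster relies on: the quarantine is driven by observed behaviour, not by whether the user says the box is clean.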
  • Re:Blaming the user (Score:4, Interesting)

    by Artifakt ( 700173 ) on Friday April 30, 2004 @10:04PM (#9025081)
    Blaming the user is the least productive approach.
    For the sake of argument, let's say currently a full 90% of users are totally clueless, and it is somehow possible to wave a magic wand and make 90% clueful, leaving only 10% of them blameworthy.
    What happens?
    DDoS type attacks can't find nearly as many machines to work from. So the writers use a trojan, and have to increase the delay between propagation and activation. Because infection is typically a non-linear process, often approaching a square or logarithmic function for some parts of the process, the delay has to be increased from, say, a week to two weeks. Meanwhile, the patch for the trojan takes its usual month to develop, and the social structures that be are reluctant to tell even the clueful about a threat that is still unpatched as yet.
    So long as the Trojan writer has abundant extra time to maneuver within, 'he' isn't strongly affected by the improvement in user cluefulness. Yes, it creates some extra stumbling blocks, such as a better chance of the Trojan being detected earlier in the process, but professional Trojan writers have shown serious ability to work around these obstacles.
    In addition, although its an unrelated point to yours, these particular attacks are also supposed to be related to blackmail. Successful blackmail doesn't require a real threat, but merely one the victim believes is real.

  • Re:Blaming the user (Score:3, Interesting)

    by Mycroft_VIII ( 572950 ) on Friday April 30, 2004 @10:38PM (#9025251) Journal
    Exactly, within minutes of finishing my first install of XP pro (SP1) (finishing NOT starting), I connect to net intent on A) making sure it's connecting properly and all settings are correct. And B) downloading the necessary patches, never made it to the windows update page as winxp's firewall isn't on by default and blaster had my system nearly unusable on the net by the time I'd logged in and verified I could get e-mail.(this with a connection that rarely reaches 28.8)
    Fortunately getting the firewall on slowed it down enough to get the patch and clean the system.
    This was the third virus I've gotten, the other I got at the same time off of a 5.25" floppy (that long ago, MSdos was still on the 3.x version.)
    As far as I'm concerned that is a recall level problem, if a car or tv was that faulty out of the box a recall would almost be certain.
    How is it we tolerate this out of 'commercial' software? And accept we'll have to patch most out of the box to get them to work. It's one thing if something doesn't work perfectly with some obscure hardware (though the o.s. and drivers are what's broken in this case). But to be almost unusable is not acceptable.
    Would you buy a car that if the radio was turned on at the wrong point during some songs it blew a fuse and caused the control module to think it was pumping too much gas to the injectors?
    Would you buy a tv that couldn't get the odd numbered channels after watching a channel above 9 unless you powered it off then on with the remote only?
    And before anyone starts in on how computers are so much more complex than the above, or how impossible it is to test against everything, etc. I would like to point out that cars and tv's and so on have gotten VERY complex (just look into some of what the ecm module in a new car does)
    And simply making sure your code can handle, in a graceful way, any inputs, exceptions, or other out of bounds conditions it may have to deal with, and that is possible. Some languages make it hard not to and still 'commercial' programs written in these languages still crap out for things they should have been able to deal with, or at least recover from.

    Mycroft
  • Re:Terrorism? (Score:3, Interesting)

    by MrChuck ( 14227 ) on Friday April 30, 2004 @11:12PM (#9025452)
    Not ISPs. Not them. You! Just each of us personally. Of course this is slashdot. Where most of y'all are running Windows. (Me? I count 12 working boxes in sight, with 4 Intel now (none 4 years ago). And no MS software in the house.)

    Mom? Bro? MacOS thank you. OSX means I can fix mom's machine from 3000 miles away.

    So yeah, my boxes that serve and relay mail (80% spam) can just block SMTP connections with Windows fingerprints. Perhaps just bump it up to port 26 and a listener with much more rigorous anti-spam.

    Nah, just segregate the dangerous windows folks off. Like to AOL or CompuServe. I'll never get back the happy days when you had to be tall enough to be on the Internet.

    And yeah, 2 people on IPv6. Heard about the same thing in 1990 about the Internet. Just a couple geeks. Nobody over here. You guys just stay on your boxes and keep your CompuServe accounts and stay on IPv4.

    RE: terrorism
    When important services are brought down by DDOS and viruses (east coast blackouts anyone?), it's terrorism. The U.S.A.P.A.T.R.I.O.T. act [epic.org] notwithstanding, being able to buy and run hundreds of thousands of compromised Windows machines (and cable/DSL providers and MS stand by with no action) means that we ain't seen the least of it.
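The "block SMTP connections with Windows fingerprints" idea above rests on passive TCP/IP fingerprinting: the initial TTL and advertised window in a client's SYN differ between stacks, so a mail server can guess the OS without sending anything. The block below is an added example, not the poster's setup and not p0f's signature database; the TTL/window pairs in `SIGNATURES` are a small set of common defaults of the period and are an assumption, as are the three constructed SYN summaries and the port-26 fallback policy.

```python
"""Passive OS fingerprinting of inbound SMTP clients from SYN fields.

Added example, not from the Slashdot thread. The signature table is a
simplified assumption (a few well-known defaults), not a full database.
"""

# Constructed SYN summaries: (src_ip, ttl_as_seen_on_the_wire, window_size).
# The TTL seen is the initial TTL minus the number of hops traversed.
SYNS = [
    ("198.51.100.7", 113, 65535),   # consumer broadband host, 15 hops away
    ("203.0.113.9", 53, 5840),      # a Linux mail relay, 11 hops away
    ("192.0.2.25", 244, 16384),     # a 255-initial-TTL stack, 11 hops away
]

# Assumed defaults: initial TTL and common advertised windows per stack.
# An empty window set means "match on TTL alone".
SIGNATURES = [
    {"ittl": 128, "windows": {65535, 64240, 16384}, "os": "windows"},
    {"ittl": 64, "windows": {5840, 32120}, "os": "linux"},
    {"ittl": 255, "windows": set(), "os": "bsd-or-router"},
]


def initial_ttl(ttl_seen):
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in (64, 128, 255):
        if ttl_seen <= candidate:
            return candidate
    return 255


def fingerprint(ttl_seen, window):
    """Guess the OS family of the sender of a SYN; 'unknown' if no match."""
    ittl = initial_ttl(ttl_seen)
    for sig in SIGNATURES:
        if sig["ittl"] != ittl:
            continue
        if not sig["windows"] or window in sig["windows"]:
            return sig["os"]
    return "unknown"


def smtp_policy(src_ip, ttl_seen, window, allowlist=frozenset()):
    """Decide what the port-25 listener does with this client's SYN.

    Windows-fingerprinted clients are sent to the stricter listener
    (the port-26 idea from the comment); hosts on the allowlist, e.g.
    legitimate Windows mail servers, are accepted regardless.
    """
    if src_ip in allowlist:
        return "accept"
    os_guess = fingerprint(ttl_seen, window)
    if os_guess == "windows":
        return "redirect-26"
    if os_guess == "unknown":
        return "greylist"
    return "accept"


if __name__ == "__main__":
    for src, ttl, win in SYNS:
        print(src, fingerprint(ttl, win), smtp_policy(src, ttl, win))
```

Two caveats a practitioner would add: the fields are trivially spoofable by a bot author who cares, and plenty of legitimate mail comes from Windows servers, which is why the policy has an allowlist and the Windows branch redirects to a stricter listener rather than dropping outright.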

  • Most Windows users are not capable of taking responsibility. They are simply too ignorant. Even if Windows shipped with zero security holes, when an email arrives saying "save this attachment to a file, then double click for a surprise", they will follow the instructions. When the email says "go to this web site and enter all your banking details", they will follow the instructions.

    I hate to say it, but the only solution for Windows users is Palladium. Yes, Palladium prevents users from running the software of their choice and effectively puts their machine under the control of Microsoft. But their stupid choices are the problem! Besides, if they really wanted choice, they wouldn't be running Windows.

    Palladium doesn't fix the system security holes, but it does fix the biggest security hole on most Windows machines - the user. It could be good for the net - provided that responsible users aren't forced to use it. At present, the test is easy. Windows users need Palladium. Others don't. (Yes, I know there are competent Windows users out there - but I've never met one.)

  • Re:Terrorism? (Score:5, Interesting)

    by SacredNaCl ( 545593 ) on Saturday May 01, 2004 @12:08AM (#9025662) Journal
    So how long before companies/gov't are taken "hostage" by rented DOS machines?

    That kind of thing already happens. A friend of mine does administration for a couple small and medium size ecommerce sites. The calling card is typically a 30 minute DDoS attack followed by an email and/or phone call saying "we can make this problem go away if you pay us".

    If you don't pay them they DDoS you a few more times. If you pay them, they DDoS you a few more times and demand more money. Only option is to go to the Feds with it and hope they use attacks your upstream provider can help filter.

  • Re:question (Score:5, Interesting)

    by tunabomber ( 259585 ) on Saturday May 01, 2004 @12:34AM (#9025752) Homepage
    This thread is getting really bizarre. This "host-healing worm" you describe reminds me of that episode of Futurama where Fry gets infected with space worms that turn his body into their palace and treat it as such, giving him superhuman healing abilities, as well as increasing his intelligence and muscle build.
    This begs the question: will viruses ever stop being viruses and start being symbiotic entities that live in our computers similar to the E. coli bacteria in our intestines (which we need to digest food properly)?
    Someone earlier mentioned that there are few viruses out there that reformat hard disks, because doing so puts people on guard, preventing future infections. And someone else mentioned that he knows someone whose hard drive is full of strange executables that are undoubtedly of malicious origin, but the person doesn't care as long as the computer still runs the same.
    Following these trends to their head, I believe the "virus" (if you want to call it that) of the future will be something that infects a machine, and then does everything it can that is invisible to the user to improve the state of the computer: it would run windows update periodically to defend against other worms, perform hard disk defrags and other performance optimizations to give it more computing resources to work with, all the while giving the user's packets and tasks a higher priority so as to not set off any alarms. This is the type of worm that would "earn" its place on the computer by being so innocuous that the user wouldn't even have to worry that it's there.

    Viruses have already evolved to parasites, and soon they will be symbiotes.
  • by Beryllium Sphere(tm) ( 193358 ) on Saturday May 01, 2004 @12:49AM (#9025802) Journal
    Rumor has it, in fact, that some banks have paid blackmail money to gangs in Russia only to discover that blackmail gangs in Russia share lists of suckers.

    The banks would get a message like "we've found $HUMILIATING_SECURITY_BREACH but for $25,000 we won't tell the press". Then they'd pay, and in a week would get a bunch more messages from other places making the same threat and demand.

    Different kind of threat, but the same underlying problem.
  • by pavon ( 30274 ) on Saturday May 01, 2004 @01:57AM (#9026024)
    Only if the machines were hijacked illegally. I wonder how the court would rule if the distributed service running on the machine was a spyware program that technically told the user what it was doing (because no one reads software licence agreements) and which the user agreed to install.

    Now if these machines were being used to do something illegal then the buyers of the service could be held accountable, and the money trail makes it trivial to track down.
  • by gnu-generation-one ( 717590 ) on Saturday May 01, 2004 @07:47AM (#9026840) Homepage
    "Where grid starts taking off is in corporate (or educational) environments where you have tons of hardware on desktops all over the place that spend 99% of the time doing nothing."

    University computers: queues for PCs at any hour of the day or night, and 80% CPU when they're being used because they're 500MHz pentiums running Windows.

    Normal corporate computers: okay, these aren't being used at night, but remember they're being maintained by petty little people whose ideal day at work involves imposing a coffee-machine policy: don't be surprised if they're all powered-down at night to save electricity.

    Corporate development machines: Rather better specified (racks of dual 3GHz machines), but again being used day and night, almost continuously compiling, running, or testing something, and at night (when the developers leave at midnight), they're either left compiling something that takes all night, or left downloading ISOs that would take too much bandwidth in daytime.

    Grannys' home computers: turned on when needed. Arguably it's mostly idle, but the owner will complain like buggery if it's ever slow to respond, plus its internet connection is a 56K phone line once every 3 days.

    Slashdotters' home computers: Constantly on, and constantly in use. How many people are going to put up with Tribes running slowly because their "idle" computer is being used to fold proteins? And how many people want their pr0n to download slower because they're DDoSing some public target?

    So where are all these PCs running at 1% CPU continuously?
