CA Warns Of Massive Botnet Attack 357
m4dm4n wrote to mention a story running on The Register which describes a coordinated malware attack designed to establish a massive botnet. From the article: "The attack involves three different Trojans - Glieder, Fantibag and Mitglieder - in a co-ordinated assault designed to establish a huge botnet under the control of hackers. Computer Associates reckons that access to the compromised PCs is for sale on a black market, at prices as low as five cents per PC."
There is a money trail. (Score:1, Insightful)
Evolution, baby (Score:4, Insightful)
And in the meantime, technology gets more sophisticated. Progress eitherway.
Ideal opportunity to disinfect the internet (Score:4, Insightful)
2. White-hat hack into the botnet.
3. Tell all compromised PCs to wipe their hard drives.
4. No more compromised PCs! Well... not for a while anyway!
Many Bothans died . . . (Score:3, Insightful)
Bah. Big Deal!
If you run Windows, you PC will be owned at some point. (Yes, yes, I know some of you out there are perfect, and haver *never* messed up *anything* security wise) This happens to me, this happens to less computer literate people, and this happens to large organizations with IT staffs, like the U of Chicago and Allstate.
The solution is the same as always. Switch OSs.
The hotfix is the same as always. Backup data, use your restore disk. Rinse, lather, repeat.
I don't understand why zombie networks are news. The only way that they should be news is when they are used to DDOS major targets. Then, someone should be held accountable. Software manufacturers? Zombie PC owners? ISPs?
I'm not sure. But just like the guy with the TV that summoned the coast guard, (http://www.syncmag.com/article2/0,1759,1781135,0
Re:This is interesting... (Score:5, Insightful)
I remember my early days with Linux, back when I used to futz around and actually made my machines less secure, before I learned a great deal more about the OS and its features.
I am not saying that switching is bad, I am just saying that it is important to know what you are switching to before making the switch.
Nobody should get caught with their firewall down holding their LAN cable in their hand...
As I've been saying for years: (Score:3, Insightful)
This is more work for ISP support staff, but it would dramatically reduce network traffic; I bet it'd be an even flush as far as overall cost.
Re:As I've been saying for years: (Score:3, Insightful)
Have a sign-up page. You could even make it automatic.
"You recognize X-Y-Z, and confirm that you will be held responsible in the case of abuse, and confirm that you will be responsible for your own security, yadda yadda"
Then, if abuse is detected, cut'em off, and force them to call in to get off the blacklist.
Personally, I don't really like this. Better to make OS manufacturers accountable, methinks.
If your car could be infected with a 'virus', via Bluetooth, which caused the cruise control to turn on all the time, and accelerate to max, your car manufacturer would get hit hard by the government.
Why should your OS manufacturer be any different. Hell, they control *all* aspects of the chain now:
OS, E-mail client, Virus scanner, and Spyware scanner.
They are your one-stop security vendor, computing-wise. Yet if anything goes wrong, its your problem, not theirs. Sounds like a jobs for the courts to me.
The fundamental problem (Score:1, Insightful)
I wish ISPs (victims and hosting) would hold the lusers responsible for this - I think criminal negligence would be an appropriate charge. I for one look after my boxen and keep them patched (easier on the gentoo linux one).
Re:As I've been saying for years: (Score:3, Insightful)
If you want to be protected from the big bad Internet, signup with AOL. Some of us just want IP dialtone. Route the damn packets and leave us alone. I certainly don't want my ISP passing judgement on what ports they'll allow in packets that traverse their network.
Re:The fundamental problem (Score:3, Insightful)
Racketeering? (Score:2, Insightful)
That is a terrible idea, how about... (Score:3, Insightful)
I'm sure my ISP would love it if I would say ask for ports 4662 to 4672 and 6881 to be unlocked.
I wonder what they'd think I was planning with those...and I'm sure the new knoppix iso would not be their theory.
Now after having edonkey and bittorent work,
I'll only need
5800 for VNC
21 & 22 anybody?
How about this idea, everyone has complete access privileges. The isp notices for common characteristics of a bot net and common malware. If such is found on the user the ISPs gateway forces all HTTP connects to a URL that has detailed instructions on how to install spybot seach & destroy, ad aware etc. Kind of like a hotel sends you to a registration page to buy internet access for the day when you connect.
The last step is for the user to either call or through some other mechanism notify the ISP that his machine is (for now) clean. The ISP removes the user from its black list and not only do we now have a patched windows box, but also one with basic defenses for the future. It be kind of like catching the criminal pc, putting it into jail until the software is installed and then releasing it as a rehabilitated system
Security guy cynicism (Score:4, Insightful)
CA is the only product which detects ALL three of the mentioned viruses as of this posting. Which is not to say that they're making this up, but I'd be more willing to believe it if it came from the Secret Service or CERT.
Re:How does the money change hands? (Score:5, Insightful)
Re:As I've been saying for years: (Score:3, Insightful)
Quite frankly, I don't care what some of you want. Some/most of you are on machines that try just about every available exploit against my web/email server, and chew up a significant portion of my bandwidth with spam forwarded through your rooted boxes.
Some/most of you have proven you don't know how to keep you box locked down, so I'm all for the ISPs doing it for us.
Re:Many Bothans died . . . (Score:3, Insightful)
It's because they put distribution above the product. They were in it for the money more than the product quality. As a consequence they paid the lawyers to shield them from users with stolen identity, trashed credit, stalkers, or whose machines have been hijacked to participate in illicit activity.
Siphoning off computing power just like the politicians siphon off tax money--when you're not looking and in a way that you can't do anything about it or hold anyone accountable. I guess we know who taught these botnet owners how to do business.
Re:As I've been saying for years: (Score:3, Insightful)
Re:How does the money change hands? (Score:2, Insightful)
It's not like these guys are all on their own, two kids who think they can make money. Often these groups are backed by, or associate with, traditional organized crime. That's what organized crime means... criminals helping criminals. You want to do something and get away with it? You pay your bit and get some help from others who already know how to do this.
Re:Tickets? (Score:4, Insightful)
Re:organized crime? (Score:3, Insightful)
Step 2 - explain crime to local law enforcement so they know who to arrest and what evidence to collect.
Step 3 - explain it again to DA, judge and grand jury so they know what to charge them with, if there is even a law that can be applied.
Step 4 - watch local lawyer demolish case because no-one can figure out who was injured or assign a monetary value to loss
Talking about one machine? (Score:3, Insightful)
You can't just wake up one day and decide that you are going to switch all your network servers and workstations to a new OS over the course of a few days. These things take time.
Re:As I've been saying for years: (Score:4, Insightful)
Re:who WRITES this shit (Score:4, Insightful)
Organized crime.
In the old days, virus authors were really just trying to see how much of a nuisance they could be. Now, however, the ability to combine stolen resources spread over a large geographical area makes it incredibly easy to do some serious crime for relatively low risk.
Try looking at it from a criminal's perspective. The resources to mount a massive attack are easy to come by; thanks to most folk's unwillingness/fear to learn anything about computer security. The police are perceived as being just as clueless as the victims with the cracked computers. The investigation has to start with the machines that were cracked, which gives the crakers more time to cover their tracks.
And this says nothing about the complexities of getting a conviction with the morass of International laws involved.
It's evil as hell, but a bit ingenious.
Re:As I've been saying for years: (Score:3, Insightful)
The Internet is used for more than web and email. Do you think that all those 'random ports' were invented just because "hey we need a new way for viruses to propagate!!!" Do you think that the Internet should be locked down into a stagnant wasteland devoid of anything interesting besides webpages? Because that's what it will become when you start locking down ports. Streaming music? Forget it. VoIP? No. Games? No. Something new? Ha, why would you even bother developing something when 95% of people have their ports locked off and won't be able to use it and will *blame you* for the problem, rather than the ISP.
Re:This is interesting... (Score:5, Insightful)
As great and infallible as non-Windows OSs are, these same problems exist with Linux, Mac et al, just on a much smaller scale. Having some 95% of all desktops, Windows is the natural target here.
The problem isn't Windows or Microsoft. The problem is the **users**. They open email attachments without questioning the source. They don't run anti-virus software (or don't maintain the subscription). They don't employ firewalls. They don't update and patch their systems. They don't scan their systems for adware.
Yes, IE allows adware to be installed. Yes, Windows has the RPC hole. Yes, the windows kernel is, has been, and most likely will always be, insecure. But there are steps that a user can take to protect themselves. I have used Windows since Win286 and I have never been infected with a virus, never been compromised by a worm and never been the victim of spyware. I'm not an anti-MS person but I don't blindly use their software. I have more *nix servers than Windows servers but you could hardly consider me a fanatic.
True, I'm an IT professional and have a greater knowledge of PCs than 99% of users out there (just like the rest of us here), but it's not rocket science to keep yourself protected.
If the Penguin Dream of taking over the desktop ever comes true, you can bet that viruses, trojans, adware, etc will become an epidemic on Linux just as it is on Windows.
Remember: dumb users are platform-independent.
Re:As I've been saying for years: (Score:3, Insightful)
For that matter, I wouldn't either. I would call and say "Listen, I don't want to have to call you whenever I want to play with a new protocol. So you will open up every damn port for me right now, or I will terminate my account." Please note that this is assuming the ISP has a 24/7 staff on the phones. Which is extremely unlikely. Waiting for business hours is an absolutely ridiculous proposition.
Most people will not even bother to install a piece of software to get a task done, such as viewing a video, if it's not included in the OS or browser good luck. What makes you think that people will phone their ISP whenever they want to do something new? People developing such apps/videos/products/whatever will certainly not assume that they will, so they will have no incentive to create whatever it is they would otherwise have created. You're adding a small barrier to entry for anything besides http/email. A small barrier to entry is all it takes to kill something.
Thanks for the ad hominem, by the way, it really added a lot to your argument. In my opinion, it's people like you who belong in management. The bottom line, the end result, is all that matters to you. You want to end spam and internet-borne viruses, and you don't care what it takes to get there or what collateral damage is inflicted in the process.
punitive firewalls suck (Score:3, Insightful)
If you read the article, its not the ports thats the problem its users opening these infected emails. Youre still allowing the biggest hole - email. Zombie software can easily be written so it doesnt have to keep a port open, it can simply initiate the connection to a server someplace on its own.
ISPs eventually will have to police their network, as some are doing right now. So are universities. They'll do port scans and traffic analysis, then shut down the offenders. If these people can't keep their machines clean then the ISP can kick these customers as I'm sure it costs more to keep them than to lose them. After that, lots of people will suddenly renew their AV subscriptions, learn how to patch, etc.
Not to mention better server side email attachment scanning; users shouldnt be getting this stuff to begin with. Or if the big players decided to just block all executable attachments. Sure, everyting will be zipped, but that'll discourage "the double click two-step."