CA Warns Of Massive Botnet Attack

m4dm4n wrote to mention a story running on The Register which describes a coordinated malware attack designed to establish a massive botnet. From the article: "The attack involves three different Trojans - Glieder, Fantibag and Mitglieder - in a co-ordinated assault designed to establish a huge botnet under the control of hackers. Computer Associates reckons that access to the compromised PCs is for sale on a black market, at prices as low as five cents per PC."

There is a money trail.

[Anonymous Coward]

How long can this continue for?

Evolution, baby

[metlin]

Cops and robbers, all the time.

And in the meantime, technology gets more sophisticated. Progress eitherway.

Ideal opportunity to disinfect the internet

[technogogo]

1. Get every compromised PCs to join the same botnet.
2. White-hat hack into the botnet.
3. Tell all compromised PCs to wipe their hard drives.
4. No more compromised PCs! Well... not for a while anyway!

Many Bothans died . . .

[WhiteWolf666]

... Bringing us this information.

Bah. Big Deal!

If you run Windows, you PC will be owned at some point. (Yes, yes, I know some of you out there are perfect, and haver *never* messed up *anything* security wise) This happens to me, this happens to less computer literate people, and this happens to large organizations with IT staffs, like the U of Chicago and Allstate.

The solution is the same as always. Switch OSs.

The hotfix is the same as always. Backup data, use your restore disk. Rinse, lather, repeat.

I don't understand why zombie networks are news. The only way that they should be news is when they are used to DDOS major targets. Then, someone should be held accountable. Software manufacturers? Zombie PC owners? ISPs?

I'm not sure. But just like the guy with the TV that summoned the coast guard, (http://www.syncmag.com/article2/0,1759,1781135,00 .asp [syncmag.com]), someone needs to be held accountable, or no-one will fix their behavior.

Re:This is interesting...

[cnelzie]

Moving to a new platform/OS without knowing all the ins and outs, could be just as dangerous as staying with Windows.

I remember my early days with Linux, back when I used to futz around and actually made my machines less secure, before I learned a great deal more about the OS and its features.

I am not saying that switching is bad, I am just saying that it is important to know what you are switching to before making the switch.

Nobody should get caught with their firewall down holding their LAN cable in their hand...

As I've been saying for years:

[grasshoppa]

Most, if not all, ISPs need to lock down the end user's access to ports. Give them the basics ( outgoing 80, 110 and 143 ), but lock everything else down. In this case, I'd say everyone is guilty until proven innocent. Then, when someone calls in, you simply open the port they request.

This is more work for ISP support staff, but it would dramatically reduce network traffic; I bet it'd be an even flush as far as overall cost.

Re:As I've been saying for years:

[WhiteWolf666]

Don't even have to have them call-in.

Have a sign-up page. You could even make it automatic.

"You recognize X-Y-Z, and confirm that you will be held responsible in the case of abuse, and confirm that you will be responsible for your own security, yadda yadda"

Then, if abuse is detected, cut'em off, and force them to call in to get off the blacklist.

Personally, I don't really like this. Better to make OS manufacturers accountable, methinks.

If your car could be infected with a 'virus', via Bluetooth, which caused the cruise control to turn on all the time, and accelerate to max, your car manufacturer would get hit hard by the government.

Why should your OS manufacturer be any different. Hell, they control *all* aspects of the chain now:

OS, E-mail client, Virus scanner, and Spyware scanner.

They are your one-stop security vendor, computing-wise. Yet if anything goes wrong, its your problem, not theirs. Sounds like a jobs for the courts to me.

The fundamental problem

[Anonymous Coward]

End users just *don't care*. This is why there are botnets. Because, although their owned boxen are f-ing with the rest of the internet, it doesn't affect them - a selfish luser attitude, why should they bother virus/trojan scanning their boxen?
I wish ISPs (victims and hosting) would hold the lusers responsible for this - I think criminal negligence would be an appropriate charge. I for one look after my boxen and keep them patched (easier on the gentoo linux one).

Re:As I've been saying for years:

[Detritus]

Where did I put the tar and feathers?

If you want to be protected from the big bad Internet, signup with AOL. Some of us just want IP dialtone. Route the damn packets and leave us alone. I certainly don't want my ISP passing judgement on what ports they'll allow in packets that traverse their network.

Re:The fundamental problem

[Jeff Hornby]

And what happens when a free software box is owned? Who gets held responsible then? Red Hat? Linus?

Racketeering?

[StormShadw]

Could this be considered racketeering somehow? Prosecution under RICO would be interesting.

That is a terrible idea, how about...

[Phelan]

So basically you want me to give my ISP a list of ports I may require so they can white list them for my machine?
I'm sure my ISP would love it if I would say ask for ports 4662 to 4672 and 6881 to be unlocked.
I wonder what they'd think I was planning with those...and I'm sure the new knoppix iso would not be their theory.

Now after having edonkey and bittorent work,
I'll only need
5800 for VNC
21 & 22 anybody?

How about this idea, everyone has complete access privileges. The isp notices for common characteristics of a bot net and common malware. If such is found on the user the ISPs gateway forces all HTTP connects to a URL that has detailed instructions on how to install spybot seach & destroy, ad aware etc. Kind of like a hotel sends you to a registration page to buy internet access for the day when you connect.

The last step is for the user to either call or through some other mechanism notify the ISP that his machine is (for now) clean. The ISP removes the user from its black list and not only do we now have a patched windows box, but also one with basic defenses for the future. It be kind of like catching the criminal pc, putting it into jail until the software is installed and then releasing it as a rehabilitated system

Security guy cynicism

[lythander]

OK, these things need to be taken seriously, but any press release needs to be taken with a grain (or bag) of salt. Spyware is the threat flavor of the day, and the specialized programs (ad-aware/spybot/spy sweeper/etc.) are better at managing it than traditional A/V is (at least right now). Bots are scary. Need to reformat and reinstall (our instructions to students at this major university). Viruses you can just clean (mostly, but mytob is throwing a wrench into that clean division). You figure which is scarier.

CA is the only product which detects ALL three of the mentioned viruses as of this posting. Which is not to say that they're making this up, but I'd be more willing to believe it if it came from the Secret Service or CERT.

Re:How does the money change hands?

[Hognoxious]

even shady businesses have semi-legitimate escrow services

Also know as "Switzerland".

Re:As I've been saying for years:

[grasshoppa]

If you want to be protected from the big bad Internet, signup with AOL. Some of us just want IP dialtone. Route the damn packets and leave us alone. I certainly don't want my ISP passing judgement on what ports they'll allow in packets that traverse their network.

Quite frankly, I don't care what some of you want. Some/most of you are on machines that try just about every available exploit against my web/email server, and chew up a significant portion of my bandwidth with spam forwarded through your rooted boxes.

Some/most of you have proven you don't know how to keep you box locked down, so I'm all for the ISPs doing it for us.

Re:Many Bothans died . . .

[SilverspurG]

Then, someone should be held accountable

I nominate the politicians who were paid by lobbyists to write the laws to help the lawyers to convince the judges to uphold EULAs that divest companies like MIcrosoft from accepting any responsibility for selling software which allows these sorts of things to happen.

It's because they put distribution above the product. They were in it for the money more than the product quality. As a consequence they paid the lawyers to shield them from users with stolen identity, trashed credit, stalkers, or whose machines have been hijacked to participate in illicit activity.

Siphoning off computing power just like the politicians siphon off tax money--when you're not looking and in a way that you can't do anything about it or hold anyone accountable. I guess we know who taught these botnet owners how to do business.

Re:As I've been saying for years:

[badzilla]

Yeh right... here's what would REALLY happen. If you need your port re-opening all you'd have to do is call the ISP, navigate a large and confusing IVR system, get routed to an overseas callcenter, discover that you're 18th in line (but your call is important to them), and finally get to speak to a script-droid who has no idea what a port is but suggests that you should reinstall Windows. No thanks mate I'll stick with my real internet.

Re:How does the money change hands?

[mindstrm]

Simple answer: the same way traditional organized crime moves money around.

It's not like these guys are all on their own, two kids who think they can make money. Often these groups are backed by, or associate with, traditional organized crime. That's what organized crime means... criminals helping criminals. You want to do something and get away with it? You pay your bit and get some help from others who already know how to do this.

Re:Tickets?

[Intron]

Here's [sans.org] a good spot.

Re:organized crime?

[Intron]

Step 1 - Determine where the crime is taking place - location of hacker, zombie or target of attack?

Step 2 - explain crime to local law enforcement so they know who to arrest and what evidence to collect.

Step 3 - explain it again to DA, judge and grand jury so they know what to charge them with, if there is even a law that can be applied.

Step 4 - watch local lawyer demolish case because no-one can figure out who was injured or assign a monetary value to loss

Talking about one machine?

[cnelzie]

I am talking about a whole network.

You can't just wake up one day and decide that you are going to switch all your network servers and workstations to a new OS over the course of a few days. These things take time.

Re:As I've been saying for years:

[Detritus]

Sounds like a personal problem. You are free to buy a firewall and any other toys you need to harden your network and systems to the level that makes you happy. You are free to file complaints with other ISPs about systems that are trying to abuse your systems. You can even hire a lawyer to take legal action against their owners. Lobby your legislature for new laws and/or increased funding for enforcement. Just don't ask my ISP to cripple their network because you can't take the heat.

Re:who WRITES this shit

[The Angry Mick]

Organized crime.

In the old days, virus authors were really just trying to see how much of a nuisance they could be. Now, however, the ability to combine stolen resources spread over a large geographical area makes it incredibly easy to do some serious crime for relatively low risk.

Try looking at it from a criminal's perspective. The resources to mount a massive attack are easy to come by; thanks to most folk's unwillingness/fear to learn anything about computer security. The police are perceived as being just as clueless as the victims with the cracked computers. The investigation has to start with the machines that were cracked, which gives the crakers more time to cover their tracks.

And this says nothing about the complexities of getting a conviction with the morass of International laws involved.

It's evil as hell, but a bit ingenious.

Re:As I've been saying for years:

[Cecil]

Nice double-standard there, O King of the Internet. "I want to run my servers without having them spammed" -- fair. "I think that we should do so by preventing the rest of you from having proper Internet access because my servers are more important than you unwashed masses" -- not fair.

The Internet is used for more than web and email. Do you think that all those 'random ports' were invented just because "hey we need a new way for viruses to propagate!!!" Do you think that the Internet should be locked down into a stagnant wasteland devoid of anything interesting besides webpages? Because that's what it will become when you start locking down ports. Streaming music? Forget it. VoIP? No. Games? No. Something new? Ha, why would you even bother developing something when 95% of people have their ports locked off and won't be able to use it and will *blame you* for the problem, rather than the ISP.

Re:This is interesting...

[Ryosen]

>>is there any hope that all the bad things that are happening with Windows (and Microsoft), that they will change their ways and actually anticipate some of these problems that are occurring?

As great and infallible as non-Windows OSs are, these same problems exist with Linux, Mac et al, just on a much smaller scale. Having some 95% of all desktops, Windows is the natural target here.

The problem isn't Windows or Microsoft. The problem is the **users**. They open email attachments without questioning the source. They don't run anti-virus software (or don't maintain the subscription). They don't employ firewalls. They don't update and patch their systems. They don't scan their systems for adware.

Yes, IE allows adware to be installed. Yes, Windows has the RPC hole. Yes, the windows kernel is, has been, and most likely will always be, insecure. But there are steps that a user can take to protect themselves. I have used Windows since Win286 and I have never been infected with a virus, never been compromised by a worm and never been the victim of spyware. I'm not an anti-MS person but I don't blindly use their software. I have more *nix servers than Windows servers but you could hardly consider me a fanatic.

True, I'm an IT professional and have a greater knowledge of PCs than 99% of users out there (just like the rest of us here), but it's not rocket science to keep yourself protected.

If the Penguin Dream of taking over the desktop ever comes true, you can bet that viruses, trojans, adware, etc will become an epidemic on Linux just as it is on Windows.

Remember: dumb users are platform-independent.

Re:As I've been saying for years:

[Cecil]

I didn't miss it, I ignored it because it's not reasonable. It's not something my grandma would ever do. Even if I coached her on what she needed to ask for, she still wouldn't do it. It's inconvenient and frustrating.

For that matter, I wouldn't either. I would call and say "Listen, I don't want to have to call you whenever I want to play with a new protocol. So you will open up every damn port for me right now, or I will terminate my account." Please note that this is assuming the ISP has a 24/7 staff on the phones. Which is extremely unlikely. Waiting for business hours is an absolutely ridiculous proposition.

Most people will not even bother to install a piece of software to get a task done, such as viewing a video, if it's not included in the OS or browser good luck. What makes you think that people will phone their ISP whenever they want to do something new? People developing such apps/videos/products/whatever will certainly not assume that they will, so they will have no incentive to create whatever it is they would otherwise have created. You're adding a small barrier to entry for anything besides http/email. A small barrier to entry is all it takes to kill something.

Thanks for the ad hominem, by the way, it really added a lot to your argument. In my opinion, it's people like you who belong in management. The bottom line, the end result, is all that matters to you. You want to end spam and internet-borne viruses, and you don't care what it takes to get there or what collateral damage is inflicted in the process.

punitive firewalls suck

[gad_zuki!]

Its way too late, not to mention disingenious to do this. First off, most users are using p2p, bitorrent, IM, etc which all require open ports for full functionality. Shutting them out or just approving Kazaa and a handful of apps is silly. The phone traffic from someone wanting to open a port would be ridiculous. Imagine how many times a PC wants to listen legitimately. Warcraft update? Call your ISP. IM file receive? Call your ISP. etc.

If you read the article, its not the ports thats the problem its users opening these infected emails. Youre still allowing the biggest hole - email. Zombie software can easily be written so it doesnt have to keep a port open, it can simply initiate the connection to a server someplace on its own.

ISPs eventually will have to police their network, as some are doing right now. So are universities. They'll do port scans and traffic analysis, then shut down the offenders. If these people can't keep their machines clean then the ISP can kick these customers as I'm sure it costs more to keep them than to lose them. After that, lots of people will suddenly renew their AV subscriptions, learn how to patch, etc.

Not to mention better server side email attachment scanning; users shouldnt be getting this stuff to begin with. Or if the big players decided to just block all executable attachments. Sure, everyting will be zipped, but that'll discourage "the double click two-step."