Security The Internet

25 Percent of All Computers in a Botnet? 408

Beckham's_Ponytail writes to mention an Ars Technica article, with some disturbing news out of the World Economic Forum in Davos, Switzerland. Vint Cerf, one of the 'fathers of the internet', has stated that the number of botnets online is larger than believed. So large, in fact, that he estimates that at this point one in four computers is infected with botnet software. We've discussed the rise of botnets numerous times here on Slashdot, but the image of 150 million infected computers is more than a little bit sobering. With the extremely lucrative activities that can be done with botnets (such as password ripping, spamming, DDoSing), as well as reports of organized crime adopting 'cyber-terrorism' as a new line of income, is it likely that law enforcement will ever be able to curb this particular bane?
This discussion has been archived. No new comments can be posted.

  • Re:Request (Score:4, Informative)

    by beakerMeep ( 716990 ) on Friday January 26, 2007 @06:47PM (#17777312)
    I think a bot is just a virus/trojan/rootkit in terms of detection/removal. I think it's named "bot" more because of its function. Ex: sleeping and waiting for commands from the bad guy to start spamming email.
  • Ramen worm (Score:4, Informative)

    by TypoNAM ( 695420 ) on Friday January 26, 2007 @07:03PM (#17777624)
    Like the ramen worm that affected most Redhat systems and then disabled the exploits it used? http://news.com.com/2009-1001-251311.html [com.com]
  • Re:Request (Score:5, Informative)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Friday January 26, 2007 @07:06PM (#17777678)
    One interesting method is to query an anti-spam database using your IP address, and see if you are listed as a spam source. Quick checks can be done at robtex [robtex.com] or dnsstuff [dnsstuff.com].

    If your IP address shows up on PSBL [surriel.com], CBL [abuseat.org], SpamCop [spamcop.net], or WPBL [wpbl.info] your host is probably infected and a source of spam or other abuse.
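
A sketch of the blocklist lookup described in the comment above, added here as an example and not part of the original post: a DNSBL is queried by reversing the IPv4 octets, appending the list's zone, and resolving the name. The zone names, the injectable `resolve` parameter and the `constructed_resolver` helper are assumptions made for this example; the sample address is a documentation address with constructed results.

```python
import ipaddress
import socket

# Assumed zone names (the page names the lists, not their DNS zones).
ZONES = ("psbl.surriel.com", "bl.spamcop.net")
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Map each zone to its listing code (e.g. '127.0.0.2') or None.

    `ip` must be the public address your traffic leaves from, not a
    NAT-internal one. A failed lookup (NXDOMAIN, but also a timeout)
    is reported as None, so None means "no listing seen", not "clean".
    """
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:
            results[zone] = None
            continue
        # Listings are answered from 127.0.0.0/8. Anything else is a
        # resolver rewriting NXDOMAIN (ad/search pages), not a listing.
        listed = ipaddress.IPv4Address(answer) in LISTED_NET
        results[zone] = answer if listed else None
    return results

def constructed_resolver(table):
    """Offline stand-in for DNS: names in `table` resolve, others fail."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror("constructed NXDOMAIN")
        return table[name]
    return resolve

if __name__ == "__main__":
    # Constructed data: 192.0.2.10 is a documentation address.
    fake = constructed_resolver({"10.2.0.192.psbl.surriel.com": "127.0.0.2"})
    print(check("192.0.2.10", resolve=fake))
    # For a live lookup, call check("<your public IP>") with no resolver.
```

Some lists refuse or rate-limit queries arriving through large shared resolvers, so a live check is best run through your own ISP's or your own recursive resolver.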
  • Re:Request (Score:4, Informative)

    by mrtexe ( 1032978 ) * on Friday January 26, 2007 @07:10PM (#17777726) Journal
    For Windows, use IE to go to Safety.live.com - Microsoft's official online free spyware, virus detector/remover [live.com] (choose your language)
  • by morgan_greywolf ( 835522 ) on Friday January 26, 2007 @07:12PM (#17777778) Homepage Journal
    s/IE/IE or Outlook/ and I would mostly agree with you, but not completely. Plenty of other software people install themselves from the Web either includes spyware or is spyware itself. Remember Bonzi Buddy? What illiterate mom/little sister/etc. could resist the cute purple monkey?

    More recently, there have been programs claiming to be spyware removers that are spyware themselves!

  • Re:Request (Score:5, Informative)

    by sporkme ( 983186 ) * on Friday January 26, 2007 @07:33PM (#17778060) Homepage

    Does anyone know a utility/website for detecting and cleaning bots?
    I use a can of airduster, a cotton swab and an alcohol solution to clean my bots.

    There are a bunch of port scanner sites out there that can check the integrity of your firewall. DSL Reports has a decent one if memory serves. Use Spybot Search & Destroy, LavaSoft AdAware and a good antivirus like AVG or Avast. If you suspect that there is unwanted network traffic to and from your system, use Ethereal to see where it is going to and coming from. If you suspect an exploit of Internet Explorer, HijackThis can shed some light on it. Check the task manager process tab for suspicious looking entries and Google them. Lay off the pr0n! and v1agr@ emails.

    By far the most powerful and versatile utility is The Geek Down The Street (TM), possibly surpassed by Your Local Computer Repair Shop (TM). Ultimately, there is no replacement for smart practices and secure software. Use an alternative browser like Firefox or Opera, or better yet pop on over to http://www.linux.org/dist/ [linux.org] and take your pick.
  • by Fez ( 468752 ) * on Friday January 26, 2007 @07:51PM (#17778298)

    Botnets spoof IP addresses to make it harder to track down the bots. But the ISPs know where the bots are and could kill them, or filter them, if they had the testicles to do it. By passing the spoofed IP addressed traffic they make it harder for the rest of the world to filter the bots.
    Spoofing might work for simple attacks like ping or flooding-style attacks, but IP spoofing does not help them with spam delivery or infection, which is where they make the bulk of their money (unless it's DoS blackmail...) Ingress/Egress filtering helps, but it's not a magic bullet against botnets. (See http://www.securityfocus.com/infocus/1674 [securityfocus.com])

    Also -- If finding and killing the bots were that easy, it would be done a lot more often.
  • Dude.

    1: Learn how to use the <A> tag.

    2: That's a two-year-old article, predating either Vista or XP SP 2. I wager that, even if you did that now with the same OSes, you'd have far less likely results.

    3: That's "fresh install of windows with absolutely no security at all plugged into broadband." Sheesh. Install something as trivially easy as ZoneAlarm, and well, it just doesn't happen.
  • by Bodhammer ( 559311 ) on Friday January 26, 2007 @08:17PM (#17778646)
    You can make yourself Slipstreamed XP Install disks with SP2 so you don't get infected. See
    http://www.winsupersite.com/showcase/windowsxp_sp2_slipstream.asp [winsupersite.com] or http://www.theeldergeek.com/slipstreamed_xpsp2_cd.htm [theeldergeek.com]. It is well worth the time. Make a disk for next time.

  • by fleischdot ( 1005819 ) on Friday January 26, 2007 @08:18PM (#17778660)
    Well, this Friday I've disinfected two of our (Linux) servers which have been infiltrated by abusing vulnerable CRM software (customers' installations). It doesn't matter if you jail this software and put it behind firewalls; these days it also doesn't matter what kind of architecture your server hardware is. It's way enough having a simple webserver with scripting capabilities and one single hole in the web software. The toolbox of today's crackers (or should I name them botnet consultants?) is huge enough to have success with simple trial and error. If the machine refuses to run x86 binaries, there are plenty of perl and/or php scripts doing the same stuff. Today was really frustrating since I found 3 Megs of well-designed tools and good code on a formerly known secure machine. The quality of the tools leads me to the thought that a) crackers are well organized and b) paid for their work. Another frustrating part is the communication with different abuse helpdesks to track down this crap. Not to mention that all ended up in Romania... Sorry for sarcasm, but do you have *ANY* laws?

    Oh... this is not my day, even Slashdot's captcha offers me "punisher" ... I ask myself, why always me??
  • by Anonymous Coward on Friday January 26, 2007 @08:19PM (#17778680)
    Frankly, this is a lot of crap. Although a lot of botnets are propagated by lusers running attachments, many more are spread through the intrinsic stupidity in Windows! I have copies of hacker manuals that describe taking over Windows 2k servers using the tftp that is setup and running in a default install of Windows. Early copies of IE 6 were easily infected with crafted ads on web pages; the owners/creators of websites were not even involved, they purchased the crafted ads from others. Outlook suffered from vulnerabilities that didn't even require reading mail, just viewing the email message in a list. SQL Server had vulnerabilities that were taken advantage of on machines that their owners didn't even know were running it because Microsoft installed and enabled it by default.

    And, you know what, there are still a lot of those machines out there. The whole world isn't running XP (or a fully patched version) yet and many users of Microsoft software don't know enough about hardening their machines.

    The biggest advantage to *nix systems is not so much intrinsic security as it is knowledge and acknowledgment of the hacker mentality out there through a long history of fending off such attacks; a history that started long before Windows was a gleam in Bill Gates' eyes. But you know the old adage "Those who ignore the past..."

    When I recently brought up a personal FreeBSD server, the default install had nothing, repeat, NOTHING enabled by default. Every service I wanted had to be installed and setup properly before it was facing the Web. Even then, the setup almost always involved setting up user names and passwords, something Microsoft has only worried about recently.
  • Re:Request (Score:2, Informative)

    by JasonTik ( 872158 ) on Friday January 26, 2007 @08:56PM (#17779044)
    I believe it is called a bot because of the medium it uses. On Internet Relay Chat, the most popular system for controlling these botnets, computer programs that interact with chatters and perform miscellaneous functions are called bots, short for robots. These systems are little different, except that they are malicious and not legally hosted, so the same name applies.
  • Re:Request (Score:3, Informative)

    by Jesus_666 ( 702802 ) on Friday January 26, 2007 @09:07PM (#17779124)
    The other ISPs are caught by the "dynamic host" blocklists.
  • by dbcad7 ( 771464 ) on Friday January 26, 2007 @11:59PM (#17780384)
    This is what makes repositories the best way to install software. What are the chances a script like that would make it past "testing" and into "stable" ?

    I'm sure you probably convinced some people that "lamers" are in grave danger on Linux, but I suspect that the majority install stuff through repos anyway. Those that dabble around and even know how to run a script in Linux probably have a little more brains than you give them credit for.

    I don't know why Microsoft, or another third party group, doesn't create a repository-like download center, where you know that what you're getting has been tested and shown not to have crap in it. Sounds like a better system to me.

  • by khayo ( 624505 ) on Saturday January 27, 2007 @12:21AM (#17780558)
    This is beside the point in this discussion, but for the record: if your ham radio emits legal signals
    in amateur bands (per FCC rules Part 97 subpart D) and causes interference in your neighbor's TV,
    you aren't required to do anything, much less to "stop using the thing". Of course you'll want to
    work with them and be nice, but the law pretty much says that the neighbor ought to buy a less
    crappy TV and/or fix his cable mess. Just wanted to clarify a common myth.
  • Re:Botnets (Score:3, Informative)

    by statemachine ( 840641 ) on Saturday January 27, 2007 @12:47AM (#17780690)
    "...feel pretty fscking real to you too. ..."

    this is the internet, you can say fucking.


    This is Slashdot, where we also get computer references.
