Two Worm "Families" Make Up Most Botnets 176
JMoon writes "HNS has an article about the Sdbot and Gaobot families which are responsible for most botnets worldwide. These two families were responsible for 80 percent of detections related to bots during the first quarter of 2007. Other culprits, although on a much lesser scale, included Oscarbot, IRCbot or RXbot."
And that won't change soon (Score:5, Informative)
Boy, was I wrong!
It took 10 seconds for the FTP to go berserk, a minute later I was a happy member of the still strongly going family of wormspreaders.
People simply don't update their systems. It's amazing, that thing is afaik about 5 years old now, and still there are a LOT of machines existing that still blow the worm through the net.
We're not talking about an unfixable problem, or at least one where the user has to be dumb enough to open the can for the worm (ok, bad pun). It's as simple as updateing to SP2, something that works automatically.
You actually have to disable MS Messenger to at least cease to get those annoying popup messages, so why can people disable that but not update their systems? That's simply beyond my comprehension.
Re:And that won't change soon (Score:5, Informative)
There's a reason for that. (Score:5, Informative)
People without the knowledge to code their own trojan/bot from scratch will naturally gravitate towards tools which allow them to make their money more easily, and it's a real time saver.
Or so I hear.
Ask Robert Morris (Score:5, Informative)
The Same Old Bots (Score:5, Informative)
First, the majority of these trojans, specifically these are all IRC based. They are very easy to spot, especially in corporate environments. Why? Well because most people do not use IRC while they are at work. Not to mention many companies will have policies against it. This makes intrusion detection for these kinds of bots very easily. Since most of these servers housing the bots are just standard Unreal IRCD (generally hacker-installed) or whatever IRCD undernet/efnet/etc. run on, they are not encrypted. This means when a machine connects, traffic with "NOTICE", "PRIVMSG", "JOIN #" etc is all sent in the clear. There have been snort/bleeding snort rules to look for this type of activity for years and they haven't had to change much. Sure the ports might not always be 6667-6669/7000, but looking for activity like this on a certain port is dumb to do anyway.
A simple analysis of most IRC traffic should you have real-time peaks or capture logs will tell you pretty quick if it's malicious. If you see a nick change to XP|24249429 or USA|2942949 and it joins a channel called #owned with a topic of
Now finally these two are quite popular. Why? Well it has been said already. The source for them is our there and they are readily available. People frequently update and modify them to avoid AV detection. Hell, many people don't update and modify them. So many people are running without [updated] AV that it doesn't seem to matter much. If you notice how most people get infected, it's the same old thing. IM worm, e-mail worm, malicious website, or a scan for the 2 year old dcom exploit. Every time some new IE/Firefox/etc vulnerability is released, someone quickly makes it download their trojan.
These variants have been around for years. Luckily the people using them are pretty dumb. It's just a matter of time before worms/viruses/etc turn to web-based (not IRC) and encryption as the norm.
Comment removed (Score:3, Informative)
Redone bot runs on Linux (Score:3, Informative)
Re:And that won't change soon (Score:3, Informative)
Re:Non Windows Bots (Score:5, Informative)
I am always willing to help people secure a system.
Re:White hat "mal'-ware? (Score:2, Informative)
Re:Automated Trolling System (Score:3, Informative)
Re:And that won't change soon (Score:2, Informative)
Through that 1-800 number you can eventually make it to a person. You can then read off your 48 digit number and they will give you another 48-digit number. They will then ask you the same questions they ask everyone and you will be on your way. I often have to call this number for OEM workstations.