
The World's Biggest Botnets

ancientribe writes "There's a new peer-to-peer based botnet emerging that could blow the notorious Storm away in size and sophistication, according to researchers, and it's a direct result of how Storm has changed the botnet game, with more powerful and wily botnets on the horizon. This article provides a peek at the 'new Storm' and reveals the three biggest botnets in the world (including Storm) — and what makes them tick and what they are after."
  • by Wonko the Sane ( 25252 ) on Thursday November 08, 2007 @09:24PM (#21289203) Journal
    I'd feel a lot safer if I could ever get selinux to work...
  • by Animats ( 122034 ) on Thursday November 08, 2007 @09:28PM (#21289239) Homepage

    It's interesting that these articles don't even mention that Microsoft's insistence on running executable content from the browser is at the heart of all these problems.

  • by twitter ( 104583 ) * on Thursday November 08, 2007 @09:35PM (#21289301) Homepage Journal

    Ah, but you fail it!

    In other words, stupid people and people who don't care about security punish the rest of us. How nice. You don't know how much I would appreciate an "Internet License" to show basic security and protections on the net.

    Anyone who thinks non free software can be secured should be denied said license. FTFA:

    This shift has even awakened enterprises, which historically have either looked the other way or been in denial about bots infiltrating their organizations. (See Bots Rise in the Enterprise [darkreading.com].)

    If you think you can do better than Fortune 100 support teams, you are sorely mistaken. They have all the time, money and employees they want to throw at this problem and still get their ass kicked. People trying to tweak non free software are working in the dark and will always be surprised. No matter how much they spend, they can never fix the problem.

  • by downix ( 84795 ) on Thursday November 08, 2007 @09:46PM (#21289399) Homepage
    All of these articles on botnets such as Storm always mention home system vulnerability...

    Well, let me point out for a second how while dangerous for a single home system to be infected, it is a world worse when a business system becomes infected.

    Within hours, typically that botnet has replicated to all of the machines on the internal network. Worse, now that botnet has access to your critical database information, consisting of customer records. Often times, the brains behind these botnets can better datamine than your business can, finding interconnections with your customers to better flood them with spam, or worse.

    At my job, one of our machines was hit with the Storm. We isolated it within minutes, but even then it still was a close call. If I hadn't been doing a routine portscan at just the right moment, we'd have never spotted it.

    After that, the boss authorized me to begin a slow migration to Linux.
  • by Shados ( 741919 ) on Thursday November 08, 2007 @09:55PM (#21289465)
    In Protected Mode, IE7 on Vista is genuinely sandboxed, and throws a fit if you so much as do a right click View Source (which would run an executable: notepad by default). If the browser was actually standards compliant (sometime by the time Duke Nukem Forever and Spore come out I guess), it would be an excellent all around browser.

    Other stuff, like running an executable sent to you by MSN is so freakin' hard it puzzles even me sometimes (I believe by default you have to change something in the registry, or it simply will flag 'em and you'll never be able to so much as extract exes from a zip file). That's probably pushing it too far, but the point is, if you don't have the admin password, it's relatively difficult to do something retarded aside from hitting your own account (which is possible in any OS really, and even then, you get quite a few warnings).

    Something of interest, though not really related: Once I installed some game (I forget which) that tried to install some copy protection crap, and Vista actually asked me if I wanted to install it separately from the game itself (I got 2 pop ups). Said no, and it happened that this particular game would run without the copy protection... so I was able to tell it to shoo off (while my friend on XP hosed his install because of it... a patch came out the week later to fix the issue, but I never had the problem in the first place). MS is learning. Slowly.
  • Microsoft is not the only culprit. I have a Netgear FVS124G (with the latest firmware) which has been compromised: 3 sets of packets were sent on port 80 to the router and after the last set of packets "Access rule 257 added" was logged. Access rule 257 did not show in the interface. Then the router started sending botnet check-in packets on IRC ports to various IP addresses. And, the router log showed the malware was sending traffic using every MAC address in the route table as a "compromised PC" -- even the laptop which was disconnected from my network.

    Yes, the router was still emailing me every log of all network traffic -- my traffic and the malware traffic also. Seems the malware author does not think my ability to log their traffic was significant.

    Netgear was very helpful. Tier1 tech support said securing the router was my responsibility. Asshats!
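The three symptoms this post reports from the router's own emailed logs (an access rule added that never appears in the UI, the router itself checking in on IRC ports, and outbound traffic sourced from the MAC of a laptop that was not even connected) can each be turned into a simple detection check run over those logs. The Python below is an added example, not code from the post or from Netgear; the log line format, the addresses, the MACs and the "known" admin rule set are all constructed for the example.

```python
import re

# Constructed sample of a SOHO router's traffic/event log, modelled on the
# symptoms described in the post (three inbound hits on the management port,
# then "Access rule 257 added", then IRC check-ins). The line format is an
# assumption for this example, not Netgear's real log format.
SAMPLE_LOG = """\
Nov 08 21:10:01 router: [inbound] 203.0.113.7:51234 -> 192.168.1.1:80 TCP
Nov 08 21:10:02 router: [inbound] 203.0.113.7:51235 -> 192.168.1.1:80 TCP
Nov 08 21:10:03 router: [inbound] 203.0.113.7:51236 -> 192.168.1.1:80 TCP
Nov 08 21:10:04 router: Access rule 257 added
Nov 08 21:10:30 router: [outbound] 192.168.1.1:40001 -> 198.51.100.9:6667 TCP
Nov 08 21:10:31 router: [outbound] 192.168.1.1:40002 -> 198.51.100.22:6697 TCP
Nov 08 21:11:00 router: [outbound] mac=aa:bb:cc:dd:ee:01 192.168.1.23:51000 -> 192.0.2.15:443 TCP
Nov 08 21:11:05 router: [outbound] mac=aa:bb:cc:dd:ee:02 192.168.1.50:51001 -> 198.51.100.9:6667 TCP
"""

# Well-known IRC ports: 6660-6669 plus the common TLS port 6697 and 7000.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) router: (?:"
    r"\[(?P<dir>inbound|outbound)\] (?:mac=(?P<mac>[0-9a-f:]{17}) )?"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
    r"|Access rule (?P<rule>\d+) added)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("rule"):
            events.append({"kind": "rule", "ts": m.group("ts"), "rule": int(m.group("rule"))})
        else:
            events.append({
                "kind": "flow", "ts": m.group("ts"), "dir": m.group("dir"),
                "mac": m.group("mac"), "src": m.group("src"), "sport": int(m.group("sport")),
                "dst": m.group("dst"), "dport": int(m.group("dport")), "proto": m.group("proto"),
            })
    return events


def wan_management_hits(events, router_ip, mgmt_port=80):
    """Count inbound connections from outside to the router's own web interface."""
    return sum(1 for e in events if e["kind"] == "flow" and e["dir"] == "inbound"
               and e["dst"] == router_ip and e["dport"] == mgmt_port)


def unauthorized_rule_adds(events, admin_rules):
    """Rule numbers the log says were added but the administrator never configured."""
    return [e["rule"] for e in events if e["kind"] == "rule" and e["rule"] not in admin_rules]


def irc_checkins(events):
    """Outbound flows to IRC ports as (src, dst, dport); the router itself as src is the red flag."""
    return [(e["src"], e["dst"], e["dport"]) for e in events
            if e["kind"] == "flow" and e["dir"] == "outbound" and e["dport"] in IRC_PORTS]


def ghost_macs(events, connected_macs):
    """Source MACs seen in traffic that belong to hosts not currently on the LAN."""
    return sorted({e["mac"] for e in events
                   if e["kind"] == "flow" and e["mac"] and e["mac"] not in connected_macs})


def analyse(text, router_ip, admin_rules, connected_macs):
    """Run all four checks over one log and return a report dict."""
    events = parse_log(text)
    checkins = irc_checkins(events)
    return {
        "wan_mgmt_hits": wan_management_hits(events, router_ip),
        "unauthorized_rules": unauthorized_rule_adds(events, admin_rules),
        "irc_checkins": checkins,
        "router_originated_irc": [c for c in checkins if c[0] == router_ip],
        "ghost_macs": ghost_macs(events, connected_macs),
    }


if __name__ == "__main__":
    # Rules 1-3 and the first MAC are what the (hypothetical) admin knows about.
    report = analyse(SAMPLE_LOG, "192.168.1.1", {1, 2, 3}, {"aa:bb:cc:dd:ee:01"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

The rule check compares the log against what the administrator actually configured rather than against what the router's UI shows, which is the point of the post: once the device itself is untrusted, its interface is no longer a reliable source of truth, and the only evidence that survives is the log that was shipped off-box.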

  • by fred fleenblat ( 463628 ) on Thursday November 08, 2007 @11:00PM (#21289937) Homepage
    Maybe solve isn't the right word, but switching everyone to linux (for example) would cut the infection rate to zero for about a year, until the bad guys adapted. After that it would still be way, way lower, mostly because of the better management of admin privileges.

    OLPC is potentially quite secure against naive user problems. There are plans for about a billion of these, so you'll have your answer pretty soon.
  • by thogard ( 43403 ) on Thursday November 08, 2007 @11:41PM (#21290269) Homepage
    But most Sun machines are on very big pipes compared to most Windows boxes. The same is true of Macs, as the people who own them tend to be well off enough to have decent broadband.

    Also, a botnet of Suns is worth far more per machine than Windows machines. The numbers I've heard are that a Sun box on a big connection is worth at least $100 vs about $0.10 for a Windows box. And there are Solaris 10 botnets out there (thanks telnetd).
  • by hedwards ( 940851 ) on Friday November 09, 2007 @12:05AM (#21290427)

    If you think you can do better than Fortune 100 support teams, you are sorely mistaken. They have all the time, money and employees they want to throw at this problem and still get their ass kicked. People trying to tweak non free software are working in the dark and will always be surprised. No matter how much they spend, they can never fix the problem.
    The reason that the corporate world has issues with bots has far more to do with the corporate environment than it does with the security of the platforms involved. After all, any sufficiently secure platform can be made insecure by allowing the wrong morons to use it.

    On my home network, I can do things like block every single incoming port and disable pretty much all of the outgoing ones as well. I can install firewall software on each computer to scan the remaining ones. I can create my own install media to remove nearly any part of Windows which isn't related to the bare essentials, then install the best antispyware software and demand that anybody that uses the computers not click on links in email.

    I'm sure there's more, but I would be surprised if I were allowed to do even that much if I were responsible for securing a corporate network.
  • Re:Well.... (Score:2, Interesting)

    by bot24 ( 771104 ) <slashdot@FREEBSDbot24.ig3.net minus bsd> on Friday November 09, 2007 @12:31AM (#21290627) Homepage

    I'm very concerned that ISPs will attempt to force the user to run antivirus or some other type of software to connect to the network. Besides compatibility and security issues involved in running software controlled by your ISP, some of the antivirus software out there is terrible.

    My school requires that you must have some sort of antivirus software installed to connect to the network and provides a virus scanner for us. I was running Windows XP in a virtual machine, so I grabbed the free scanner. It was a Symantec corporate style scanner thing. After going through all the settings, the scanner would still run full system scans in the background. Unfortunately, "in the background" isn't very in the background when you're running Windows XP in a virtual machine, and the VM would use as much of the CPU as possible to do a background scan.

    So, I tried to uninstall it. You can't do that. You need a password. I had to manually delete all the files and registry keys. Months later I was having problems with 16-bit applications because Symantec had not provided complete removal instructions.

    I don't want to need to worry about my ISP forcing me to use some software that will permanently damage any software installation or degrade performance while doing things unrelated to my ISP. There are enough hidden problems with ISPs already.

  • by Alpha830RulZ ( 939527 ) on Friday November 09, 2007 @12:52AM (#21290789)
    It's quite possible to configure Windoze to prevent these infestations. It's a pain in the ass, to be sure, but it can be done. My company works with the large banking corporations, and they all to a one have their machines locked down so that users can't install squat, which prevents this problem fairly well. It's at quite the cost of user convenience, but it can be done. In these same corporations, it's also a pain in the ass to get anything done on the linux machines that we install, because the same measures are taken there as well - install a slimmed down version of the OS, and drag your heels hard when users want to add any application other than vi and ls.

    Linux can be quite secure, but most of the fanboiz forget that you all have the root password in your hip pocket. If (or when) Linux were to become the dominant consumer environment, these problems will migrate to linux, because the essence of a consumer machine is that the consumer has admin rights to it. Uneducated admins are the problem, not the OS they happen to be running.
  • by Plutonite ( 999141 ) on Friday November 09, 2007 @02:09AM (#21291309)
    Serious hack. I did a quick run on your router and there does not seem to be a documented hole ATM. Also, if the rules don't show up on your interface then either:

    1) Netgear people were complete morons and the GUI is not directly linked to the filesystem records/small database/whatever, or
    2) the hacker is good enough to alter this part of the router's code as well, meaning he flashed the firmware remotely.

    I wonder how many people have been hit with this without knowing. It is one thing to monitor your PC's activity, but a router? Scary shit. Better get that rusty copy of Snort up and running again.

    PS: you actually check your logs... wow. You either work for the NSA or you are half Klingon. Also, did you find out who it was, and whether you were sending out payloads similar to the one you received (meaning that it wasn't an "important" node that attacked you)?
  • Agreed. I think the long-term solution is to design OSes so that each application can only write to a limited subset of the filesystem; either each app is kept in some sort of individual sandbox, or maybe it can only write to files it creates, or files of a certain type that are associated with it, or some similar scheme. You could probably fudge something like this into a current OS with enough chroots/jails/runases and ACLs, but I think it's the sort of thing that's going to require a ground-up rewrite for an entirely new security model. I'm not even sure that it would be compatible with the idea of a single 'filesystem' as we currently think of it; you might instead have segregated applications each with their own sets of files, and a single 'browser' that allowed you to move/share files between applications as necessary. From a user's perspective, such a machine might be entirely 'task-oriented' rather than file-oriented.

    I think there's a research OS or two around that have been designed like this, but it's a long way off for most mainstream ones. Of any of the commercial vendors, I could probably see Apple doing it first, because they seem to be the ballsiest when it comes to just breaking backwards-compatibility and rewriting things for the sake of rewriting them (and which arguably "weren't broken" according to others, e.g. launchd), but I still have a hard time imagining it within the next decade. Windows is and will always be a slave to its software base, and most of the Unices tend to be evolutionary rather than revolutionary in their design (which is fine, it's just a different approach).
  • Software paladins? (Score:4, Interesting)

    by Richard Kirk ( 535523 ) on Friday November 09, 2007 @07:13AM (#21292797)

    Part of the Storm threat is that it is able to intimidate those who stand up to it, or attempt to combat it. This would suggest that Storm is in turn vulnerable to an attack by an even bigger botnet. It can succeed on poorly protected machines and lurk in the many dark corners of the Internet, like cockroaches. Suppose enough of us willingly subscribed the spare cycles in our machines to serve as a botnet that would fight the others? Could that work?

    Can we come up with a working definition of 'good' for such a botnet? I would not subscribe my machine to any government directed search for terrorists, for example (that's probably got me on a no-fly list). However, it should be possible to confine our botnet to the named botnets in the article, and do 'good' in a sense that would be acceptable to most users. If the project veers towards evil, then there must always be a way to unsubscribe.

    Then, we want a fancy UI like the SETI screensaver, so we can see how we are doing, and root for our side.

  • Absolutely... did that immediately. I keep the Netgear router on the shelf as a reminder of why the extra effort of the Linux router is necessary.

    PS actually your reply is Redundant; but a good reminder for all. Keep up the good work ;)
