Forgot your password?
typodupeerror
Security IT

New Botnet Dwarfs Storm 607

Posted by CmdrTaco
from the that's-a-lotta-zombies dept.
ancientribe writes "Storm is no longer the world's largest botnet: Researchers at Damballa have discovered Kraken, a botnet of 400,000 zombies — twice the size of Storm. But even more disturbing is that it has infected machines at 50 of the Fortune 500, and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques that hinder its detection and analysis by researchers."
This discussion has been archived. No new comments can be posted.

New Botnet Dwarfs Storm

Comments Filter:
  • by weyesone (1216104) on Monday April 07, 2008 @10:34AM (#22988480)
    Forbid Windows OSs from running in the USA because it's a defacto tool for terrorism.
    • Last I heard, they were arguing the exact opposite - non-Windows systems are too hard for the government to break into.

      And who knows, perhaps Kraken is sending your data to HLS on the side? If I made a government spy virus, I'd disguise it as a spambot too... the signal is lost in the noise.

      This, needless to say, could also explain the surprisingly low discovery rate on standard AV tools.

      [/tinfoil hat]
      • by jandrese (485) <kensama@vt.edu> on Monday April 07, 2008 @12:09PM (#22989770) Homepage Journal
        I find it easier to believe that that antivirus tools just suck.
        • by Facetious (710885) on Monday April 07, 2008 @12:22PM (#22989984) Journal
          And _I_ consider the existence of antivirus tools to imply an OS that just sucks.
          • by Anonymous Coward on Monday April 07, 2008 @12:55PM (#22990452)
            Well, at least you have an opinion. It's really the mark of users that plain suck. Give all those same users who click on everything and anything that sounds vaguely interesting a nice, shiny new Ubuntu machine - ALL of the users mind you - so replace most people's Windows machines. See how long it takes those same people to be rooted. Now what will you complain about? Their sucky OS? Or their lack of ability to treat their computing resources as carefully as they SHOULD be treating their government ID's such as SSN's in the US and bank info, etc.? It's the users - not the OS.
            • by Jezza (39441) on Monday April 07, 2008 @01:08PM (#22990652)
              Actually while I don't totally buy this (Windows gets a lot of "drive by" infections) you do make a compelling point. Even a "secure OS" cannot help if the users is willing to type their admin password at anything that asks for it.

              Of course, you could make code show what it will do upfront ("This program will create files in your home directory, but won't open any network ports, or modify any files it didn't create"). This is something that could be done (I think Microsoft's "managed code" is a valid template for this approach). But the UI is really hard to nail, and the user must still read and understand what's being proposed. Consider: "This program will modify system files and read any files on the system, and open network connections both on the local zone and the Internet", does the average user allow that to run? Perhaps not, but what if it's pron?! Seriously, though - can an OS be secure, if it's users don't make rational choices?

              Still, I'm not running Windows here...
              • by kesuki (321456) on Monday April 07, 2008 @02:19PM (#22991656) Journal
                "Seriously, though - can an OS be secure, if it's users don't make rational choices?"

                You can make system files immutable in Linux with chattr, an immutable file may not be overwritten by root unless chattr is first run, to remove the immutable flag.

                furthermore, you can during install, use chattr to set files immutable, and then set user:owner of chattr to user chattr and set permissions to only allow user chattr to read or execute chattr as well as making chattr immutable so root can't replace it.

                So yes, you can idiot proof a Linux system. Even if they still have sudo permissions so they can install new programs.

                the basic point of this would be to have some type of chrontab based scanner, a remote administrator (eg: the guy who set it up for mr. i love porn and am stupid) and basically is mr idiot isntalls bad software mr remote admin can remove it, and make fake files in his owner/user group so that mr idiot can't install it again (although without access to chattr it might be hard to prevent mr idiot to find out how to use sudo to delete those files when he asks on a message board how to get around this 'error' when he tries to install software etc..)

                although it's SO much easier to just not give Mr idiot sudo permissions and allow mr remote administrator approve any software Mr idiot wants on his system. the point was can linux be idiot proofed, and yes it can, in many functional ways.
              • by 99BottlesOfBeerInMyF (813746) on Monday April 07, 2008 @04:53PM (#22993350)

                Of course, you could make code show what it will do upfront ("This program will create files in your home directory, but won't open any network ports, or modify any files it didn't create").

                Your argument here is interesting because of two points. First, generally restricting new programs so that they cannot do anything they want. The second and more focused point is preventing installers from writing files here there and everywhere. I think default ACLs to restrict programs are going to be very important to the future of computing. Keeping programs contained within a given part of the filesystem is also useful and I'd argue an approach that does well in this regard is the application packages used on OS X. It is a win in that it removes the need for installers in most cases (drag and drop beats running random code) and provides a folder where all an applications files can be stored. It allows applications to write to specific other locations, but just config files, not binaries and there are advantages to storing the config files outside the package.

                This is something that could be done (I think Microsoft's "managed code" is a valid template for this approach). But the UI is really hard to nail, and the user must still read and understand what's being proposed.

                I agree with this although I'd make a few points. MS's UI is a travesty. It is not just poor, but it makes the same UI mistake people have been complaining about for years. The "OK/Cancel flaw" has been well documented and explained by numerous experts. MS has little excuse for doing it all over again. Second, I think if you get to the point of asking users to authorize or deny specific activities it should only be as a last resort after several other passes that attempt to resolve the issue.

                Consider: "This program will modify system files and read any files on the system, and open network connections both on the local zone and the Internet", does the average user allow that to run? Perhaps not, but what if it's pron?!

                Has your OS certified this software is from a specific vendor? Has your antivirus provider certified this software as specifically safe or unsafe? Given that it is uncertified software from somewhere unknown I think it is very important to give the user good options. Don't give them buttons that say: (OK)(Cancel). Give them buttons that say: (Allow program_name to run, but restrict access)(Don't allow program_name to run)(Allow program_name to run and have complete control of the computer)(Advanced options). If they click the first option try running the software without letting it touch the network of system files and see what happens. If that fails automatically run it, but give it access to dummy files and network access. If that too fails, let it run in a clean VM with a bridge to the network (while watching that VM/network for potentially malicious behavior like running a mail server that sends a lot of traffic).

                Seriously, though - can an OS be secure, if it's users don't make rational choices?

                I think the key is to give the users good choices and only as a last resort after automated work by the experts has failed. Never give users cryptic choices. You have to avoid training users into thinking allowing access to programs equates to programs working. Right now clicking "OK" for most users is a conditioned response that people do like putting gas in a car. You click "OK" all the time to keep your computer running stuff. That association needs to be broken. Granting access should be a separate issue to whether or not a program will run. A user can validly want to run a program so they can look at porn, but still not trust that program. A secure OS should let them run it, but still not trust it. Let it connect to he internet and access a dummy address book file and take control of a dummy Webcam and install a keystroke logger in the VM and send that useless data to some third party. Then, the user can look at their porn and still be secure as much as possible.

            • by 99BottlesOfBeerInMyF (813746) on Monday April 07, 2008 @02:26PM (#22991742)

              Well, at least you have an opinion. It's really the mark of users that plain suck.

              I really wish this was the case, but OS vendors could do much much, much more to make their systems secure by default. As for the metric that users suck, sure they do. Last I read, however, compromises that had no user interaction were still responsible for more incidences than ones that have a user interaction component, There are a lot more trojans out there than worms that compromise machines silently, but the latter hit a lot more machines at a time and more often.

              Give all those same users who click on everything and anything that sounds vaguely interesting a nice, shiny new Ubuntu machine - ALL of the users mind you - so replace most people's Windows machines. See how long it takes those same people to be rooted.

              Actually, they would probably last a lot longer. The truth is, Linux is attacked less by automated worms so most users would fare better. It is not that Ubuntu is really much better for security than Windows (it is better in some ways, worse in others) but there is one big thing Ubuntu has going for it. Canonical does not have monopoly influence on the desktop OS market.

              Ubuntu currently has security that is appropriate to the threat posed by malware attacking it. Regardless if that security is currently better or worse than Windows, there is no reason to think Ubuntu would not continue to provide whatever level of security is desired by users. You see, Canonical sells services based around Ubuntu. Most of the contributors to Linux are users (either on a large or small scale) or are hired by users. If Canonical does not provide them with the security they want, they can and will go elsewhere. There are lots of Linux distros and companies selling services based upon it. In a worst case, Linux can fork to provide users what they need. Basically, is comes down to motivation. If Ubuntu is not good enough, Canonical loses money; ergo, Canonical will invest in security improvements so they can make more money.

              When Windows does not provide the appropriate level of security to make the average user happy, Microsoft does not lose significant money. In fact, in many cases machines are slowed down by malware such that the user does switch to a new vendor. The problem is, they switch computer vendors (from Dell to Lenovo for example) and Microsoft actually gets an extra sale out of it. Usually the influence MS wields in the desktop OS market makes switching to another OS vendor impractical or uneconomical, especially given MS's ability to break interoperability with other OS's and lock in user's via their data, applications, etc.

              Now what will you complain about? Their sucky OS?

              It is not even that Windows sucks on technical merits. They suck because they are the biggest target and they don't care. When I go down to the bar, I don't wear a bulletproof vest of any sort. When I browse the internet from a Mac or Linux machine I don't bother with sandboxing my browser or running it in a VM that resets every time I use it, or even running antivirus software scans. I don't need to. If, I take a business trip to Baghdad, I'll probably wear a vest. Most people would not think to do so. For someone at a tourist bureau in Baghdad to try to persuade people that Baghdad is a more secure place than Minneapolis is absurd. For them to argue that there are more troops protecting you in Baghdad than in Minneapolis is beside the point. For them to argue their are concrete emplacements and checkpoints to catch "bad guys" is likewise beside the point. The measures in place are insufficient to deal with the level of threat presented. This is true for Baghdad and Windows.

              And to answer your second question, if Ubuntu were regularly compromised in daily use, yeah I'd argue its security sucks. There is a lot of work that can be done to make every OS more secure for users, but for the most part only Windows has a big problem for normal

              • by h4rm0ny (722443)

                I just want to say that this is one of the most interesting comments I've seen on Slashdot. Not because it is well-written (it is), but because I learnt something from it, which is too rare on Slashdot. I'm not a Linux zealot (though I use it exclusively at home now) and am bracing myself for when it does become a popular target for widespread attack. This is an argument about Linux security that I've read that really addresses it which I hadn't heard before. The "thousand eyes" principle may provide anoth
    • by Trigun (685027) <evil@evilempi r e .ath.cx> on Monday April 07, 2008 @11:36AM (#22989326)
      FTA: "The primary C&C servers are hosted in France, Russia, and the U.S., according to Damballa."

      The new Axis of Evil?
      • Re: (Score:3, Insightful)

        by Trevoke (821533)
        Or, maybe, countries trying to move forward too fast and without watching their step. How many people here know/work in a company where IT doesn't get the budget it needs for proper network defense?
  • by AndGodSed (968378) on Monday April 07, 2008 @10:36AM (#22988502) Homepage Journal
    How many of those zombies are Linux platforms?
    • by jcr (53032) <jcr@nOspAm.mac.com> on Monday April 07, 2008 @10:40AM (#22988548) Journal
      About as many as are running Mac OS X or Solaris.

      -jcr
    • by Thelasko (1196535) on Monday April 07, 2008 @10:47AM (#22988642) Journal

      Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.
      This implies that it's primarily targeting windows machines. But I still worry...
    • What you meant was surely:

      "But... does it run Linux?"
  • Scary (Score:4, Insightful)

    by Mr2cents (323101) on Monday April 07, 2008 @10:37AM (#22988510)
    A few years ago, you saw you were infected by all the popups that apperared out of nowhere. But now, there is no way to tell for sure, is there? Every time my computer does something strange, I'm worried that I might be infected.
    • Re: (Score:3, Interesting)

      I simply wrote a script that scans through traffic logs on the router and gives me a nice report of questionable (not typical) traffic patterns. I've caught some baddies on a buddies machine that was on my network.
    • Build a router, and install ntop. You can track connections going through it to the internet. Most bots or viruses then show up like a nuclear blast, and even the clever ones you'll notice traffic increases over 80 and to strange IP addresses.
  • Detection? (Score:5, Insightful)

    by Brit_in_the_USA (936704) on Monday April 07, 2008 @10:37AM (#22988514)
    With an "80%" miss rate by AV tools, It would be very helpful to know what software anti-virus programs do detect Storm and Kraken? So that responsible users can check their PC's.
  • by apachetoolbox (456499) on Monday April 07, 2008 @10:37AM (#22988520) Homepage
    Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.
    • by ceoyoyo (59147) on Monday April 07, 2008 @10:44AM (#22988600)
      They should just ban that .exe image file format. It's nothing but trouble. It doesn't even always reproduce the image!
    • by AndGodSed (968378) on Monday April 07, 2008 @10:45AM (#22988618) Homepage Journal
      Which just goes to show that the best defense against infection is an educated userbase.

      And then they must be willing to act along the guidelines for security set by IT dept.
    • Re: (Score:3, Insightful)

      by liquidpele (663430)
      I find it hard to believe it got that many machines by having users click "olsontwinsnude.jpg.exe". Probably multiple points of infection, but that's the only one they've found so far.
      • by bestinshow (985111) on Monday April 07, 2008 @12:30PM (#22990102)
        The problem is that Windows hides file extensions to make filenames look prettier.

        Of course, the user should think "hmm, why does this filename have .jpg still?", but let's ignore the user for now and assume them to be a moron that will do the worst possible action.

        Windows could do a lot more itself. It could have a set of very basic rules to run on files when they are downloaded or double clicked.

        e.g.,: Filename has two extensions, last of which is exe - mark as highly probably virus/trojan/spyware. Alert the user to this fact, with the disabled "Continue" button for 10 seconds, or never enabled to force the user to rename (Also only use the extension as a hint to the action that will be undertaken when double clicked. Perform analysis of file contents to check that it actually appears to be that type of file.)

        Don't run downloaded .exes (in fact, any .exe that hasn't been run before) until there has been a warning, with a delay so the user can't just click Continue. The warning window shouldn't be bland non-exciting 9pt Calibri either, there should be something to make the user pay attention and think. "Why is Aunt Mavis sending me a cool dancing sheep screensaver?!" I think that Vista does this already?

        Self-extracting zip archives should be identified and de-archived by the OS Zip extraction function, and the .exe part should never be run. Indeed, self-extracting zips should be banned, simply because they're a useless format nowadays.

        But in the end, there will be idiot-user ways around these rules, there will be flaws in the rules (I'm not spending all day tweaking them for a mere Slashdot post), and the malware will adapt.

        On a Mac I imagine you could just give you malware the system image icon in the application package, and it would fool most users. Apart from user education (hahahaaaaaaaaaaaaaaaaaaaaaaaaaa) it's going to be difficult to eradicate the malware problem.

        Of course every time an image file format, or Office file format, etc, has a buffer overrun issue on an OS, exploits will be made. Parsers should be stricter, and peer reviewed for good secure programming practices.
    • by jandrese (485) <kensama@vt.edu> on Monday April 07, 2008 @12:22PM (#22989972) Homepage Journal
      Microsoft's "hide extensions by default" has to be the worst security decision of all time. I know it's the first thing I turn off when I use a new machine, but still, most people leave it on and it's just asking for trouble.
    • Re: (Score:3, Insightful)

      by rbochan (827946)
      "We know the picture... ends in an .exe, which is not shown"

      And yet, still to this day, Microsoft has the godawful stupid default of hiding the damn file extensions.
  • Spamming (Score:5, Insightful)

    by Scutter (18425) on Monday April 07, 2008 @10:39AM (#22988538) Journal
    There are still Fortune 500 companies that allow unimpeded outbound SMTP traffic from their general userbase?
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Any given Fortune 500 company is big enough to justify having their own mail servers that handle all their traffic for them. Internal users will use the server as relay to the outside world, and all internal machines will naturally be "trusted". How do you suggest the admins are supposed to know which traffic passing out from inside their own network is legitimate and which is botnet traffic? Yes, you could filter all traffic, but that isn't going to be much of a help when a new infection springs up inside
      • Re:Spamming (Score:4, Interesting)

        by Scutter (18425) on Monday April 07, 2008 @10:56AM (#22988752) Journal
        Any given Fortune 500 company is big enough to justify having their own mail servers that handle all their traffic for them. Internal users will use the server as relay to the outside world, and all internal machines will naturally be "trusted". How do you suggest the admins are supposed to know which traffic passing out from inside their own network is legitimate and which is botnet traffic? Yes, you could filter all traffic, but that isn't going to be much of a help when a new infection springs up inside your own network.

        How about "don't trust your users" and "don't set up your server as an uncontrolled relay for them"? It certainly possibly, if nothing else, to limit the number of connections/minute or the number of recipients/message to at least contain the damage rather than allow your users unfettered access to your mail subsystems.
      • by BigGar' (411008)
        Well for starters all SMTP traffic should be dumped at the firewall except that coming from the white listed servers.
  • by Anonymous Coward
    Maybe if people stopped relying on antivirus and malware detectors alone, and started educating their users and locking down their systems (instead of giving everyone root / local admin rights), we wouldn't have this problem...

    Security isn't a technology problem, it's a people problem.
  • "The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day."

    So that's why I have been getting so much spam lately.
    • Re: (Score:3, Interesting)

      by Creepy (93888)
      yeah - I have a feeling the situation is a lot worse than this with botnets - my blog server was hit with a comment spam bot slowing that machine to a crawl. After shutting down my forum for two days, I dumped the database for 200000 'pending' posts that failed a graphical word ID check (meaning they would get trashed from pending in a week), wrote a script to grep out the IPs and got almost 120000 as unique (all now blocked). I re-enabled comments and got 80000 more before I disabled it again yesterday a
  • by maxch (1264500) on Monday April 07, 2008 @10:44AM (#22988590)
    The biggest one is the one that hasn't been found yet.
  • All the emails it's sending are to names like sarah_conner@, sconner@, sarahc@, etc.

  • Aggravating... (Score:5, Insightful)

    by MachineShedFred (621896) on Monday April 07, 2008 @10:45AM (#22988624) Journal
    Does anyone else find it absolutely aggravating that these stories

    1. Never tell you how you know if you're infected, and
    2. Never tell you how to clean up your shit if you are.

    However, they always give massively generalized statistics on how vulnerable you are!

    Thanks, asshats.
    • by Scutter (18425)
      1. Never tell you how you know if you're infected, and

      If you don't know whether you're infected or not, you are. Or rather, you should assume you are and take whatever steps are necessary to prevent the spread (like blocking port 25 on your firewall, for example).
    • by Thelasko (1196535)
      Yes, Just I also hate it when the nightly news runs teasers that say something like, "There's something in your home that can kill you at any second. Details at 10."
  • The battle is lost (Score:4, Insightful)

    by value_added (719364) on Monday April 07, 2008 @10:49AM (#22988674)
    From the fine article:

    Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.

    There just aren't enough words.
  • Idiots (Score:5, Funny)

    by whoda (569082) on Monday April 07, 2008 @10:56AM (#22988744) Homepage
    ""We know the picture... ends in an .exe, which is not shown" to the user, Royal says."

    If it ends in .exe it isn't a picture, you shouldn't keep calling it one.
  • by joe 155 (937621)
    I should apologize, I read a scroll of genocide but had no idea it was cursed - now the moat is full of krakens and evidently they seem to be spreading...

    Also, have you seen how much spam they are sending out? "Its bots are prolific, too: The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day." - if all 400000 bots did that that'd be 200 billion a day. That has to represent a pretty large (albeit distributed) cost to ISPs
  • by JeremyGNJ (1102465) on Monday April 07, 2008 @11:14AM (#22988968)
    AntiVirus software has been relatively useless for the past few years. They charge extra just to detect basic "non virus malware" and they still dont detect the REAL threats!

    AV vendors ought to be ashamed of themselves. Even more so, the customers should be ashamed of themselves for continuing to pay for a program that doesnt REALLY protect them.

    We MUST move away from definition-based "protection" and move to behavioral-based protection. Unfortunately there's only one major player who's trying to do that. That is Microsoft, with Vista's User Account Control. Unfortunately, that is also the feature that people dislike about Vista, and way too many people turn it off.

    It's funny how badly people hate the tools need to protect a PC.
    • by Sancho (17056) * on Monday April 07, 2008 @11:43AM (#22989432) Homepage

      AntiVirus software has been relatively useless for the past few years. They charge extra just to detect basic "non virus malware" and they still dont detect the REAL threats!
      Signature-based detection is on its way out, and antivirus manufacturers are not adapting well. They have some heuristics that look for weird types of files, but they're not great.

      UAC isn't really a solution, either. All it does is to train the monkeys that you have to click an extra time in order to get the banana.

      Education is what's needed. I no longer recommend antivirus to my family--I tell them to avoid running programs that they don't know about, not to trust any attachment that comes through the mail, and offer other suggestions for safe computing practices. Running without antivirus works to remove the perception of safe computing, making them actually think about the things that they're doing. This, incidentally, leads to actual safe computing.

  • by illegalcortex (1007791) on Monday April 07, 2008 @11:28AM (#22989184)
    Beware the Botnet Dwarfs!
  • by ConfusedVorlon (657247) on Monday April 07, 2008 @11:53AM (#22989582) Homepage
    serious question:

    most folks don't send more than 50 mails a day (number pulled out of a** and is for illustration only)

    so how about this ISP anti-spam approach:

    1) if a user sends more than 350 emails in a week, or more than 100 emails in a day, the ISP emails the user with a 'do you have a zombie' email.

    this would list the subjects & initial contents of emails sent.

    user could either reply 'yup, I send a lot of email please bump me up to a higher trigger level' or 'please help me fix this - I'm not really a viagra salesman'

    x days/emails after the warning, the ISP could start blocking stuff if there was no response to their warning mail.

    This would give people a chance to know if their machine was infected (I think mine is clean - but I certainly don't monitor outgoing smtp traffic) and generally provide a service to all at little inconvenence.

    Would this be bad ??? Is it really hard to spot a zombie PC that is sending spam out through your network?
  • by Prototerm (762512) on Monday April 07, 2008 @12:01PM (#22989692)
    ... and God just builds a better idiot.

    A great deal of the problem here isn't necessarily Windows, it's the people who use it. In an attempt to make its operating system easier for the idiot to use, Microsoft has added "features" that increase the vulnerability as well, particularly the "I'm-ok-you're-ok-can't-we-all-just-get-along-and- share-our-deepest-darkest-secrets" design philosophy that's behind so much of the Windows experience.

    But the vast majority of Unwashed Humanity shouldn't even be using a *light switch*, nevermind a computer! Even otherwise very intelligent people are so completely clueless when it comes to things that come to them in email and on web sites. I swear, if I sent out an email asking people to cut out their large intestine and email me a scan of its contents, most of them would happily do it, and thank me for the privilege.

    I tell my family to follow two rules:

    1. Everything you read on the internet and in email is a complete and utter lie from someone you do not know, which will steal all your money, rot your brain, and leave you (male or female) with an unwanted love child. You should completely delete all email before reading.

    2. See Rule #1.

    Microsoft advocates Trustworthy Computing. I recommend Paranoid Computing instead, because *nobody* can be trusted!
  • Instead of filtering torrents, your local ISP should be redirecting their deep packet inspection efforts on thwarting spambots. Regardless how deep it is buried in your OS, at some point it is going to have to announce its presence when it starts spewing spam. With >90% of the internet being choked up with spam, shouldn't ISPs worry about spambots rather than P2P? If spam is detected, a friendly email could be sent back to the source indicating that your PC is likely infected with malware.

    Also, if more people ( not everybody ) switched to alternative operating systems such as Macs and Linux, (preferrably different distros) it would be much harder for malware to propogate, as they would have to split their efforts at hiding in many different targets and spreading between incompatible systems.
  • Undetectable? (Score:5, Interesting)

    by nick_davison (217681) on Monday April 07, 2008 @12:29PM (#22990090)

    a botnet of 400,000 zombies...is undetectable in over 80 percent of machines
    So, does that mean it's a botnet of 2,000,000 zombies, or that there are actually only 80,000 that have been detected but they're pretty sure they're only finding 20% of them so 400,000 sounds right?

    If it's truly undetectable, how would you know what percentage of cases were undetectable? Surely, be definition, you couldn't tell?

    In other news, most women think I'm damn sexy. It's just undetectable in 99% of cases. But I'm sure they do!

To err is human -- to blame it on a computer is even more so.

Working...