Top Botnets Control Some 1 Million Hijacked Computers

Puskas writes "Joe Stewart is the director of malware research at SecureWorks, and presented a dire view of the current botnet landscape at the RSA conference this week. He conducted a survey of the top spamming 'nets, extrapolating their size from the volume of emails that flow across the internet. By his calculations, the top 11 networks control just over a million machines, hitting inboxes with some 100 billion messages a day. 'The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names "Cbeplay" and "Exchanger" — has an estimated 315,000 bots and can blast out 60 billion messages a day. While it may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.'"
  • by toby ( 759 ) * on Thursday April 10, 2008 @04:01PM (#23028908) Homepage Journal
    Start with "microsoft" and "windows" as the technologies which bring you the largest, most profitable botnets!
  • Re:How do I tell...? (Score:5, Informative)

    by Volante3192 ( 953645 ) on Thursday April 10, 2008 @04:12PM (#23029056)
    Put a good firewall in front of it and watch the packets go in and out. Any rogue port 25 traffic would be a big clue.
  • Simple answer... (Score:3, Informative)

    by Gordonjcp ( 186804 ) on Thursday April 10, 2008 @04:38PM (#23029390) Homepage
    I just block everything incoming on port 25 from IP blocks in the US, apart from a (very small) handful of whitelisted servers.
  • Re:How do I tell...? (Score:3, Informative)

    by maxume ( 22995 ) on Thursday April 10, 2008 @04:44PM (#23029452)
    Short of a firewall, you can use something like TCPView to look for unexplained network activity:

    http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx [microsoft.com]

    A rootkit can hide its activity, so this isn't as good as a firewall, but it is easier, and you'll at least be able to figure out if you have a non-rootkit infection.
  • by Jeremiah Cornelius ( 137 ) * on Thursday April 10, 2008 @04:50PM (#23029526) Homepage Journal
    Here I go again. Every time I point out real shortcomings of an Apple product, I get modded to oblivion - "There are none so blind as those who will not see." Posted from my MacBook, BTW.

    'Tis no mere canard or straw man. Simple economies of scale keep the Macs out of the botnets - not Cupertino prowess.

    Microsoft is Swiss Cheese, that's wrapped in foil.

    Apple is Swiss Cheese labeled as "Ementhaler" - believing that the luxury branding will ward off serious scrutiny, but leaving those holes exposed.

    Lo! http://www.news.com/8301-13579_3-9905095-37.html [news.com]

    It's like this every [washingtonpost.com] year [news.com]. Apple leaves vulnerabilities wide enough to drive a truck through, and I've lost count of the number of these things given away as prizes to the cracking teams.

    Apple patch the OS like Microsoft used to, before Slammer. The usual culprits? QuickTime and Safari.

    The guys who cracked the MacBook Air need only have coupled this with the DNS flaw in AT&T customer TwoWire routers, and a very bad situation would exist in the wild. Not trivial - but not too difficult. The hard part was finding the flaw - now it's an exercise for the Kid33z. If there were an economically feasible number of Macs to do this, you can bet it would be crime syndicates and not kids - and you'd have a happy, Apple botnet.

  • by DJ Jones ( 997846 ) on Thursday April 10, 2008 @04:54PM (#23029574) Homepage
    You're right, NIMDA and Slammer didn't hit Apache or LAMPS. You know why? Because they're both server applications, not operating systems with kernel exploits.

    You're comparing apples to oranges. You might have made a good argument if you referenced Linux, but you didn't. You also failed to realize that most botnets exploit home computer terminals, not web servers that are generally patched and monitored by knowledgeable administrators.

    Now show me an OS that hasn't been exploited at least once?
  • Re:How do I tell...? (Score:4, Informative)

    by Technician ( 215283 ) on Thursday April 10, 2008 @04:58PM (#23029642)
    I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

    As a smart software developer, you know not to trust a box that may be untrustworthy. Your packets leave the untrusted box and must pass elsewhere, where they can be monitored. Do you monitor your router traffic? That's number 1. Windows Updates may cause unexpected traffic, but the addresses will let you know if it's outgoing spam or requests for updates from Microsoft.

    For example my recent URL's from my router log show the following..
    192.168.1.81 168.143.175.215 www
    192.168.1.81 74.125.47.164 www Google
    192.168.1.81 210.50.7.243 www Doubleclick --- I'm going to have to add this to my hosts file..
    192.168.1.81 8.14.216.9 www
    192.168.1.81 74.125.47.164 www Google
    192.168.1.81 203.34.47.165 www IDG publications
    192.168.1.81 210.50.7.243 www Doubleclick
    192.168.1.81 210.247.196.12 www www.facilitatedigital.com/
    192.168.1.81 217.20.16.80 www
    192.168.1.81 209.27.52.115 www Doubleclick
    192.168.1.81 66.35.250.151 www Slashdot
    192.168.1.81 209.62.176.153 www Doubleclick
    192.168.1.81 74.125.47.164 www Google
    192.168.1.81 74.125.47.103 www Google

    It's all WWW traffic and no unexpected port 25 traffic. A simple Linksys router can give you this information. Take the addresses given and plug them into the URL bar in your browser to see if there is any unexpected traffic. Don't trust a possibly owned machine. Go upstream and look at the traffic. Most routers will log some incoming and outgoing traffic. Check it once in a while. Your machine might be clean, but the kids may have problems. The kids are at school, so all recent traffic is mine. If my wife's desktop was spewing traffic, I would see the traffic from another machine's IP address.

    And yes, that is my real IP address for today. I'm glad media sentry isn't in the list. ;-)
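    The check that Volante3192 and Technician describe above (watch the traffic upstream of the suspect box and flag any host talking SMTP that has no business doing so) as an added example, not code from either poster or from SecureWorks. It reads router-style "src dst service" lines like the ones Technician pasted; the log lines, the LAN addresses and the whitelist of hosts allowed to send mail are all constructed for the example.

```python
# Added example: flag outbound SMTP in a router connection log.
# Not from any poster; sample log, addresses and whitelist are constructed.
from collections import defaultdict

# Constructed lines in the "src dst service" shape shown in the post above.
# "www" is HTTP; "smtp"/"25" is mail. 192.168.1.23 is the infected host here.
SAMPLE_LOG = """\
192.168.1.81 74.125.47.164 www
192.168.1.81 66.35.250.151 www
192.168.1.23 203.0.113.10 smtp
192.168.1.23 198.51.100.7 25
192.168.1.23 192.0.2.45 smtp
192.168.1.23 198.51.100.99 smtp
192.168.1.50 192.0.2.1 smtp
192.168.1.81 210.50.7.243 www
"""

# Assumption: one LAN host (a home mail server) is allowed to speak SMTP.
ALLOWED_SMTP_SOURCES = {"192.168.1.50"}
# Port names or numbers that count as outbound mail delivery/submission.
SMTP_SERVICES = {"smtp", "25", "submission", "587"}


def parse_line(line):
    """Return (src, dst, service) for one log line, or None if it is blank/malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2].lower()


def rogue_smtp_sources(log_text, allowed=ALLOWED_SMTP_SOURCES):
    """Map each non-whitelisted LAN host to the set of SMTP destinations it contacted.

    A single unexpected SMTP connection is worth a look; many distinct
    destinations from one host is the classic spambot signature.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, svc = rec
        if svc in SMTP_SERVICES and src not in allowed:
            hits[src].add(dst)
    return dict(hits)


def summarize(log_text):
    """One human-readable line per suspicious host, sorted by source address."""
    rows = []
    for src, dsts in sorted(rogue_smtp_sources(log_text).items()):
        rows.append(f"{src}: SMTP to {len(dsts)} distinct hosts: "
                    f"{', '.join(sorted(dsts))}")
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

    Run against a real router log, the whitelist is the part to get right: a host you deliberately run a mail server on (as Jeremiah Cornelius does below) goes in `ALLOWED_SMTP_SOURCES`; everything else on the LAN that shows up in the output is worth inspecting from another machine, since the suspect box itself may be hiding the traffic.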
  • Re:How do I tell...? (Score:4, Informative)

    by Beardo the Bearded ( 321478 ) on Thursday April 10, 2008 @05:01PM (#23029660)
    Linux boxes are the sergeants in the Botnet army. [softpedia.com]

    If you think you're immune just because you're running Linux, then you're part of the problem.

    You're just as bad as someone with an unpatched HP-branded WinXP system fresh from Office Depot.
  • by Jeremiah Cornelius ( 137 ) * on Thursday April 10, 2008 @05:06PM (#23029712) Homepage Journal
    Bull.

    I have a legitimate right to send SMTP from my machine - and I do so. I also run an SMTP server at home - have since 1993, when I got off of uucp.

    I have never been an open relay, and access is passwd. I already have assholes at AT&T blacklisting me for no reason - and suffering their ridiculous petition process to get off their RBL.

    This is the Internet. A collection of networks. ISPs are not cops, nor should they be. When you mandate this on common carriers, they become something else - and any slim protections we still have remaining will be long gone.
  • by number6x ( 626555 ) on Thursday April 10, 2008 @05:30PM (#23029902)

    Windows and Linux have market share that is on the same order of magnitude, in the server market place.

    Windows may have just below 90% market share in the home user space, but how many home users have high bandwidth upload capability? Cable broadband providers block server ports upstream for home users and ADSL providers provide asynchronous bandwidth, broad download skinny upload, as well as blocking server ports upstream.

    Because of this the target for spammers is the server space. There are a lot of people in medium and small businesses paying for high bandwidth connections and installing linux and MS Small Business server for themselves.

    These guys don't have an IT department to configure things right, and they have business accounts for bandwidth that allow fast uploads with the ability to run a mail server.

    This marketspace is where your spammers target. Linux and Windows have 26% and 38% marketshare respectively in the server market. I bet it is even closer in the small business market.

    Windows is not the king of marketshare most people believe it to be.

    And besides, even if they were, it's still no excuse for shipping a product full of holes.

  • Re:How do I tell...? (Score:3, Informative)

    by PitaBred ( 632671 ) on Thursday April 10, 2008 @06:23PM (#23030386) Homepage
    That won't work... that'll ask them if they want to format their disk.

    format c: /y

    THAT is what people should type if you really want them to get hit.
  • by kesuki ( 321456 ) on Thursday April 10, 2008 @08:45PM (#23031562) Journal
    Let me just point out, you can use an apple PC without running quicktime OR safari.

    And since it's based off FreeBSD, there are really easy ways to harden the OS against exploits, like with any unix or unix-a-like OS variant. (like chflag aka chattr on linux)

    and if you REALLY want to harden an apple system there is Darwin.

    I mean, at least someone with some common sense can add a nice layer of security for apple without adding anything more than a replacement for safari and removing quicktime.

    For windows security you need to run vista, or have a hardware firewall to protect your XP machine... Is it just me or is an OS with 58 'unpatched' vulnerabilities not somehow worse?
    http://www.frsirt.com/english/Unpatched-Microsoft-Vulnerabilities.php [frsirt.com]

    I know the safari vulnerability is pretty serious, but is it not as equally serious as the ActiveX Control Dialog Box Security Bypass Vulnerability, that is still unpatched on XP? I mean think of the dancing bunnies problem of internet security, a dancing bunnies site could easily use the activex bypass to install malware, on millions of XP machines.
