
Top Botnets Control Some 1 Million Hijacked Computers

Puskas writes "Joe Stewart is the director of malware research at SecureWorks, and presented a dire view of the current botnet landscape at the RSA conference this week. He conducted a survey of the top spamming 'nets, extrapolating their size from the volume of emails that flow across the internet. By his calculations, the top 11 networks control just over a million machines, hitting inboxes with some 100 billion messages a day. 'The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names "Cbeplay" and "Exchanger" — has an estimated 315,000 bots and can blast out 60 billion messages a day. While it may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.'"
This discussion has been archived. No new comments can be posted.

  • How do I tell...? (Score:5, Interesting)

    by AdamTrace ( 255409 ) on Thursday April 10, 2008 @04:08PM (#23029008)
    I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

    I don't necessarily trust that a clean-virus scan means a whole lot.

    What's the best way to make this determination?
  • by pembo13 ( 770295 ) on Thursday April 10, 2008 @04:10PM (#23029026) Homepage
    They obviously don't have a problem with tracking down and monitoring people. And they apparently have a bandwidth issue. Why don't they basically mail merge to SELECT * FROM `customers` WHERE `customers`.isinfected? Simple, cheap snail mail... nothing fancy.
  • by should_be_linear ( 779431 ) on Thursday April 10, 2008 @04:13PM (#23029074)
    God knows I installed on that notebook each and every Anti-Spyware, Antivirus, Anti-everything in order to get rid of it. I traveled each and every "advisory" site with my HijackThis logs, removed numerous keys from the registry. Still, every now and then a goddamn popup window with the site "pc-on-internet.com" appears. I spent altogether perhaps 3 working days trying to remove the stupid thing; there is a lot of data and SW installed, so I am trying to avoid re-installation. Now I am in the sitting-in-the-corner-and-crying phase.
  • Re:How do I tell...? (Score:1, Interesting)

    by s0litaire ( 1205168 ) * on Thursday April 10, 2008 @04:14PM (#23029092)
    (probably get flamed for this but...) If you're that worried about viruses, drop Windows and look into a Linux install instead. :D But if you want to keep Windows then keep running virus scans and praying to the FSM on an hourly basis.. :D
  • by darkmayo ( 251580 ) on Thursday April 10, 2008 @04:29PM (#23029278)
    Do we really know who is in control of these botnets? Would love to see some spammers eat bullets, but I'd like to know the ones with power are the ones that get neutralized.
  • Re:Just a thought... (Score:4, Interesting)

    by Umuri ( 897961 ) on Thursday April 10, 2008 @04:31PM (#23029308)
    Most infections actually patch and update machines they infect. Once they get in they seal the door behind them, as well as try to remove any competing infections already on the machine. That way they don't get their zombie stolen from them.
  • Why? (Score:3, Interesting)

    by oni ( 41625 ) on Thursday April 10, 2008 @04:49PM (#23029518) Homepage
    WHO IS CLICKING ON THE LINKS IN THESE EMAILS?

    Why does spam work? Who are these stupid people and why do they click? Also, if you get 80 spams a day for the same fake product, why would you pick one at random and say, "der, I think I'll go buy this!"

    Can someone please tell me why?

    I wish some news reporter would send out a billion spam but then, instead of taking money from the people who click, contact them and do an interview. I want to know who these people are and what the hell they are thinking.
  • Botnets-spam (Score:3, Interesting)

    by gmuslera ( 3436 ) on Thursday April 10, 2008 @05:02PM (#23029672) Homepage Journal
    There is a good chart mapping current botnets and spam at the Marshall TRACE center [marshal.com] (updated frequently AFAIK). That over 80% of all internet spam comes from botnets (and almost 50% of it just from Srizbi) is a good sample of the impact of this kind of spam source.
  • by Beardo the Bearded ( 321478 ) on Thursday April 10, 2008 @05:03PM (#23029684)
    Third time posting this link in this thread:

    Compromised Linux machines are an integral part of the botnet. [softpedia.com]

    No technology can replace determined stupidity... or just plain arrogance.

    But... you are INVINCIBLE!, right?
  • Re:How do I tell...? (Score:3, Interesting)

    by Reapman ( 740286 ) on Thursday April 10, 2008 @05:15PM (#23029778)
    Unlike the poster below, I don't believe that installing Linux makes you invincible from this... the only way I feel I can be totally secure is to monitor the network traffic.. if my computer is just sitting there, not running any apps, and there's a ton of traffic leaving my router, I know something is wrong. Not for the faint of heart however, and I'm still looking at how best to put this in place; I'm thinking OpenWRT on a Linksys router, sending the data back to a server for analysis.

    Sadly there's no way a typical user could do this, but I don't know how else you can be sure you're safe.. Although like anything, nothing is 100% a sure bet. :/
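    As an added example (not part of the thread, and not code from OpenWRT or any project it mentions), the idle-host check Reapman describes can be approximated on per-host flow records exported from a home router. The record shape, the sample flows and the thresholds below are constructed assumptions; the signal worth alerting on is a residential host delivering SMTP directly to dozens of distinct hosts, or pushing a lot of bytes out while nobody is using it.

```python
"""Egress anomaly check over per-host flow records (added example).

Assumptions (not from the thread): each record is (src, dst, dport,
bytes_out); thresholds are illustrative and would be tuned per network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # LAN host that opened the connection
    dst: str        # remote address
    dport: int      # remote port
    bytes_out: int  # bytes sent by src


# Constructed sample: .10 is an ordinary desktop (HTTPS, HTTP, DNS); .20 behaves
# like a spam bot, delivering direct-to-MX on port 25 to 40 distinct hosts.
# Remote addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "203.0.113.5", 443, 18_000),
    Flow("192.168.1.10", "203.0.113.7", 80, 4_200),
    Flow("192.168.1.10", "192.168.1.1", 53, 120),
    *[Flow("192.168.1.20", f"198.51.100.{i}", 25, 900) for i in range(1, 41)],
    Flow("192.168.1.20", "192.168.1.1", 53, 3_000),
]

SMTP_PORTS = frozenset({25, 465, 587})


def smtp_fanout(flows):
    """Map each source host to the number of distinct SMTP destinations it
    contacted. A legitimate client relays through one or two provider
    servers; a bot delivers straight to many recipient MX hosts."""
    dests = defaultdict(set)
    for f in flows:
        if f.dport in SMTP_PORTS:
            dests[f.src].add(f.dst)
    return {src: len(d) for src, d in dests.items()}


def egress_bytes(flows):
    """Total bytes sent per source host over the window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes_out
    return dict(totals)


def suspicious_hosts(flows, max_smtp_peers=5, max_idle_bytes=200_000, idle_hosts=()):
    """Hosts that either fan out SMTP beyond `max_smtp_peers` distinct peers,
    or, when listed in `idle_hosts` (nobody is using them), sent more than
    `max_idle_bytes`. Returns a sorted list of (host, reason)."""
    hits = set()
    for src, n in smtp_fanout(flows).items():
        if n > max_smtp_peers:
            hits.add((src, f"smtp fan-out to {n} hosts"))
    for src, total in egress_bytes(flows).items():
        if src in idle_hosts and total > max_idle_bytes:
            hits.add((src, f"{total} bytes out while idle"))
    return sorted(hits)


if __name__ == "__main__":
    for host, why in suspicious_hosts(SAMPLE_FLOWS, idle_hosts={"192.168.1.20"}):
        print(f"ALERT {host}: {why}")
```

    The fan-out rule is the more robust of the two: byte volume needs a per-host baseline (backups and updates also push a lot of traffic), whereas a client that opens SMTP sessions to forty different hosts in one window has almost no benign explanation on a home network.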
  • by raju1kabir ( 251972 ) on Thursday April 10, 2008 @05:28PM (#23029892) Homepage

    ISPs really should have better IDS on outgoing traffic. At the very least they should be dropping the malicious traffic

    My home ISP just started outbound blocking traffic from DSL customers to port 25 a few days ago, which has stirred up some controversy [lowyat.net]. Maybe I'm just imagining things, but I believe my connection has been faster since then. We're always suffering from bandwidth problems (the downside of being on the end of a very long cable across the Pacific) so anything that eliminates our share of 100 billion daily spams clogging the line is a good thing in my book.

    On mail servers I use spamdyke [spamdyke.org] to immediately drop connections from end-user IP addresses (using the reject-ip-in-cc-rdns rule and Spamhaus PBL [spamhaus.org]) and it's been remarkably effective.

    If everyone did this, the botnets would be useless.
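    The two MTA-side rejection mechanisms raju1kabir names, spamdyke's reject-ip-in-cc-rdns rule and the Spamhaus PBL, can be sketched together. The code below is an added illustration, not spamdyke's own code: it assumes (as an approximation of spamdyke's rule) that a connecting IP is "embedded" in its rDNS name when every octet appears as a separate label token and the name ends in a country-code TLD, and it uses the standard DNSBL convention of querying the reversed address under the zone, with 127.0.0.10 and 127.0.0.11 as the PBL return codes inside zen.spamhaus.org. The country-code set and the resolver answers are constructed stubs so it runs offline.

```python
"""MTA-side rejection of end-user IPs: IP-in-rDNS heuristic plus a PBL
lookup (added example; approximates spamdyke's rule, not its code)."""
import re

# Constructed subset of country-code TLDs; a real deployment would use the
# full IANA list.
CC_TLDS = frozenset({"my", "br", "de", "pl", "ru", "in"})

# Return codes the Spamhaus PBL uses inside the zen combined zone.
PBL_CODES = frozenset({"127.0.0.10", "127.0.0.11"})


def rdns_embeds_ip(ip, rdns):
    """True when every octet of `ip` appears as its own token in `rdns`,
    e.g. 203.0.113.45 -> 45-113-0-203.dsl.example.my (assumed heuristic)."""
    tokens = set(re.split(r"[.\-]", rdns.lower().rstrip(".")))
    return all(octet in tokens for octet in ip.split("."))


def ends_in_cc_tld(rdns):
    """True when the rDNS name's last label is a country-code TLD."""
    return rdns.rstrip(".").rsplit(".", 1)[-1].lower() in CC_TLDS


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Standard DNSBL convention: reverse the octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def should_reject(ip, rdns, resolve):
    """Decide whether to drop the SMTP connection before DATA.
    `resolve(name)` returns the list of A records for `name` (empty if none)."""
    if rdns and rdns_embeds_ip(ip, rdns) and ends_in_cc_tld(rdns):
        return True, "ip-in-cc-rdns"
    if any(a in PBL_CODES for a in resolve(dnsbl_query_name(ip))):
        return True, "spamhaus-pbl"
    return False, "accept"


# Constructed stub resolver standing in for real DNS; addresses are from the
# RFC 5737 documentation ranges, and the PBL listing is invented.
STUB_DNS = {
    "77.2.0.192.zen.spamhaus.org": ["127.0.0.11"],
}


def stub_resolve(name):
    return STUB_DNS.get(name, [])


if __name__ == "__main__":
    for ip, rdns in [("203.0.113.45", "45-113-0-203.dsl.example.my"),
                     ("192.0.2.77", "host77.example.com"),
                     ("198.51.100.9", "mx1.example.com")]:
        print(ip, rdns, should_reject(ip, rdns, stub_resolve))
```

    Both checks run before the sender has transmitted anything, which is why they are cheap: no message body is accepted, parsed or scored, and a bot on a dynamic DSL address is refused on the connection alone. The rDNS heuristic is only a proxy for "dynamic end-user address", so a real MTA would keep a whitelist for the occasional legitimate server whose name happens to embed its address.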

  • by Opportunist ( 166417 ) on Thursday April 10, 2008 @07:19PM (#23030892)
    And that's pretty much what's wrong here. Especially if that customer is on a metered link (which is not too unheard of in many parts of Europe). He actually pays for the spam he sends! Hello? Why'd I cut off one of my best customers!

    You can't even sensibly put something like that into law. How? What do you have to do to secure your machine? How are you supposed to be responsible for it? What's to be considered "justifiable expense" when it comes to security (i.e. what do you require from a user)? Do you want to force someone to run AV tools to have his bases covered?

    The questions are hard to answer. I would love to see some sort of legal liability for damage done by your computer, but I would like to see sensible limits. Nobody can make 100% sure all of the time that his machine is perfectly malware free. What precautions would you consider sensible demands from a user to be a "good netizen" and pull his weight to avoid the spread of botnets?
  • by John Sokol ( 109591 ) on Thursday April 10, 2008 @07:58PM (#23031226) Homepage Journal

    A friend of mine is investigating an interesting approach to spam.

    From this article it is quite clear that chasing the source of the spam is quite pointless.

    His research is into tracking the destination.

    Spam only makes sense if they can make some money from it. This means the payload (content) must lead someplace with a URL to order, a URL with ads, or a phone number for orders.

    His blog is at:
    http://spamdirect.blogspot.com/ [blogspot.com]

    I have to push him to post some of the more interesting stuff he has discussed in E-Mails with me.

    One very odd note: my domain unmailable.com gets no spam! Without any filters, and with addresses even posted publicly, there is just no spam to it. I think they must remove any mail reference to unmailable, assuming it must not be a real domain.
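    The "track the destination" idea in John Sokol's post can be shown concretely: reduce every spam body to the places it wants the reader to go (URL hosts and phone numbers) and count how many messages point at each, so that wording, sender and bot can all change while the money trail stays put. The code below is an added example and is not taken from the blog he links; the spam bodies are constructed, the hosts use reserved example domains, and the phone pattern is a North American heuristic that would need widening for other regions.

```python
"""Group spam by where it sends the reader, not where it came from
(added example; constructed sample messages)."""
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# North American numbers only (heuristic); 555-01xx is the reserved fictional block.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

# Constructed sample bodies: different wording, hosts and case, one destination.
SAMPLE_SPAM = [
    "Cheap meds!! visit http://www.pills-example.test/order?aff=17 now",
    "Re: your order - http://pills-example.test/track click here",
    "Best prices http://PILLS-EXAMPLE.test/buy or call 1-800-555-0199",
    "Limited offer <http://cdn.imgs-example.test/banner.gif> https://pills-example.test/deal",
    "Call now 1 (800) 555-0199 to order, no website needed",
]


def extract_destinations(body):
    """Return (hosts, phones) that a message steers the reader toward.
    Hosts are lower-cased with a leading 'www.' removed; phones are reduced
    to digits so formatting variants collapse together."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname  # urlsplit lower-cases the host
        if host:
            hosts.add(host[4:] if host.startswith("www.") else host)
    phones = {re.sub(r"\D", "", p) for p in PHONE_RE.findall(body)}
    return hosts, phones


def rank_destinations(messages):
    """Count messages per destination; a message counts a destination once
    no matter how many times it repeats the link."""
    counts = Counter()
    for body in messages:
        hosts, phones = extract_destinations(body)
        counts.update(("host", h) for h in hosts)
        counts.update(("phone", p) for p in phones)
    return counts.most_common()


if __name__ == "__main__":
    for (kind, value), n in rank_destinations(SAMPLE_SPAM):
        print(f"{n:3d}  {kind:5s} {value}")
```

    On the constructed sample the ranking puts pills-example.test on top with four of five messages, the phone number second with two, and the image host last; in a real feed the same table, kept over days, is what lets an abuse desk or a registrar act on the one landing site that every campaign variant funnels into.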

  • Apple vs Microsoft (Score:1, Interesting)

    by ezwip ( 974076 ) on Thursday April 10, 2008 @11:38PM (#23032580)
    Apples are less likely to be targeted because their users are more observant. They know how to use their operating system and try to get the most out of it. Performance deteriorating is going to cause notice. Microsoft users are smart and savvy as well, but not all of them. A lot of them are just used to the Microsoft way of doing things. They are never going to try an Apple or flavor of Linux. These users are the people the botnet makers are after. They are unlikely to do anything when they lose performance. Instead they'll keep signing on to check their email and use Yahoo Messenger. If they download a game and the exe is infected they are going to allow that port through and they are probably never going to remove it. If anyone removes it for them it's likely to be Best Buy or some kid that stops by to use it. You can blame Microsoft for convincing people that the Microsoft way of doing things is the simplest, and for giving out free software in schools to get people used to it. That's not the answer though. It's what people want. They wanted the simplest device to get online and go, which is what the company has provided. Anyone that wants to take the time to dig deeper can easily spot a backdoor.
