
New Massive Botnet Building On Windows Hole

CWmike writes "The worm exploiting a critical Windows bug that Microsoft patched with an emergency fix in late October is now being used to build a fast-growing botnet, said Ivan Macalintal, a senior research engineer with Trend Micro. Dubbed 'Downad.a' by Trend (and 'Conficker.a' by Microsoft and 'Downadup' by Symantec), the worm is a key component in a massive new botnet that a new criminal element, not associated with McColo, is creating. 'We think 500,000 is a ballpark figure,' said Macalintal when asked the size of the new botnet. 'That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's... starting to grow.'"
  • Go vigilante (Score:2, Insightful)

    by Anonymous Coward on Monday December 01, 2008 @11:38PM (#25955081)

    It's time MS write botnets to exploit their own holes as means for patching said hole. Who gives a shit about the ethics of it, we are losing.

    ISPs need to be more vigilant as well. Cut off subscribers ASAP when their machine begins sending botnet traffic.

  • by Anonymous Coward on Monday December 01, 2008 @11:44PM (#25955133)

    Three words:

    Incompetent IT Department.

  • Re:Idiots (Score:2, Insightful)

    by Anonymous Coward on Monday December 01, 2008 @11:54PM (#25955227)

    wait, wait, but then you do complain when a patch does not get installed and your system is compromised and it's all MSFT's fault... right, right? Am I right?
    What did I win?

  • Re:Idiots (Score:1, Insightful)

    by six025 ( 714064 ) on Monday December 01, 2008 @11:57PM (#25955251)

    Auto-update works if you have a legitimate copy of Windows, and there are plenty of people using pirated copies of Windows which do not qualify for the "genuine advantage" required by Windows Update.

    Even if MS managed to patch every security hole in Windows, there would still be a massive gaping hole left by the people who can't use auto-update and who are not inclined, or simply lack the technical ability, to seek out and install the required patches via a manual download.

    This leads one to wonder about the wisdom of blocking illegitimate licenses from obtaining security updates via the auto-update service, as the end result of the decision is that everyone suffers to some degree e.g. increased spam levels.

    Peace,
    Andy.

  • Re:Idiots (Score:4, Insightful)

    by LtGordon ( 1421725 ) on Tuesday December 02, 2008 @12:08AM (#25955333)

    I own a legit copy of XP Pro and it bothers me how frequently MSFT releases that Genuine Advantage garbage. If only they put that kind of enthusiasm into the rest of their products.

  • Re:Go vigilante (Score:5, Insightful)

    by alohatiger ( 313873 ) on Tuesday December 02, 2008 @12:13AM (#25955367) Homepage

    ISP action is definitely appropriate. If they can tell who is using torrent software, they should be able to tell who is sending spam and which machines are part of a botnet.

    Filtering/quarantine at this level is like shooting down a scud missile on the way up instead of on the way down.

  • Re:Idiots (Score:5, Insightful)

    by jaxtherat ( 1165473 ) on Tuesday December 02, 2008 @12:15AM (#25955387) Homepage

    Auto-update is really annoying, especially if you don't have a very good connection. It's one of the first things I disable when I do a fresh install of XP.

    Not sure why this was modded funny, as this seems to be far and away the predominant mentality of windows users...

  • Re:Idiots (Score:5, Insightful)

    by 0123456 ( 636235 ) on Tuesday December 02, 2008 @12:31AM (#25955505)

    "Some think they know better what updates to install than Microsoft suggests."

    When updates stop breaking other software, and Microsoft stop bundling DRM as 'critical updates', then I suspect people will start trusting Microsoft to tell them what updates to install.

    Personally I like to see what Microsoft are doing to my computer before I install it.

  • Re:Idiots (Score:5, Insightful)

    by Xabraxas ( 654195 ) on Tuesday December 02, 2008 @12:39AM (#25955569)

    You're just an idiot then. You don't need to click on FREEREGISTRYSCANNER or anything like that to get infected. In fact you can click on a link that you click everyday and get infected. The best you can do is stay up-to-date and pray for no 0 day exploits.

  • Analogy (Score:4, Insightful)

    by jaavaaguru ( 261551 ) on Tuesday December 02, 2008 @01:01AM (#25955707) Homepage

    If you buy a gun, and leave it sitting in your front garden, then some criminals come along, take control of it, and kill everyone in your street, you're kind of responsible for that.

    Apart from the obvious killing != spam and/or fraud, how is leaving an unprotected OS with known problems available to be hijacked by anyone who wants to do damage with it any different? You should still be responsible (although the punishment might be different). Suppliers should be forced to make this obvious to people buying this stuff.

  • Re:Idiots (Score:5, Insightful)

    by dissy ( 172727 ) on Tuesday December 02, 2008 @01:38AM (#25955957)

    I don't get viruses because I'm not a wintard who opens any FREEREGISTRYSCANNER ad they see.
    I've been running windows xp without firewalls/AV for like four years now. Every 6 months or so I scan for viruses, rootkits, trojans, and adware, and I've yet to come up with anything.

    Well of course if you have a rootkit, scanning for rootkits will show clean. That's how they work.

    A rootkit modifies the kernel so that it intercepts all API calls, including the read() functions your scanner is using, and the rootkit feeds back false info such as directory listings omitting the rootkits files, and if one tries to open one of its files by name, the open() call now controlled by the rootkit returns a no such file error.

    You no doubt have a home router that does a form of NAT, which acts as a firewall for all intents and purposes for incoming connections, so your statement about not running a firewall is false.
    At least I hope so, else you have been rooted 10 minutes after connecting your computer to the internet. Sadly, your description fits the profile of someone who is infected and doesn't even know it because it has been that way since day one it went online.

  • Re:Analogy (Score:5, Insightful)

    by NicknamesAreStupid ( 1040118 ) on Tuesday December 02, 2008 @01:42AM (#25955987)

    What if I buy a rosebush and plant it in my garden, then somebody uses it to deface little kids and old ladies with its thorns? Am I kinda liable for that?

    Is a computer more like a gun or a rosebush? I guess that depends on whether it is running Windows or Linux.

  • Re:Idiots (Score:3, Insightful)

    by LackThereof ( 916566 ) on Tuesday December 02, 2008 @03:10AM (#25956501)

    On machines that fail WGA, Auto-update functions fine; manually updating from the Microsoft website is disabled.

    However, XP's autoupdate is not particularly reliable with service packs. It's more likely to sit in the tray saying "click here to install SP2" than actually install itself, even if the machine is set to "Automatically download and install updates". And users always ignore tray warnings; it's just another bubble between Weatherbug and VirusProtectPro.

  • by Graymalkin ( 13732 ) on Tuesday December 02, 2008 @04:04AM (#25956729)

    For starters it is trivial to embed an HTTP or mail server in a worm and it is done all the time. They don't need to be full featured, simply functional enough to get their intended job done. As for the NAT issues, the default usernames and passwords for popular routers are common knowledge. Given the number of LINKSYS and 2WIRE WiFi networks I can see from my apartment it's safe to say at least some of those people are still using those defaults. From there it's simply building the appropriate POST or GET request to modify the port forwarding settings. Besides opening connections for remote hosts a worm can simply listen for local connections and modify the hosts file to point paypal.com to localhost and then collect information that way.

    Information harvesting worms do not need to be 100% effective to make their handlers money. If they get a few thousand PayPal accounts for every million machines they infect they can make a lot of money. Even if they don't get PayPal accounts or other information they can still be used for DDoS attacks and sending spam.
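    The hosts-file trick mentioned above (mapping a payment or update domain to localhost or a LAN address) is easy to check for on the defending side. The following is an added example, not code from the thread: it parses hosts-file content and flags overrides of a constructed watch-list of domains as well as any non-localhost name pointed at a loopback or private address. The sample hosts content and the watch-list are constructed for illustration.

```python
"""Added example: detect hosts-file overrides of the kind a credential-
harvesting worm would plant. Watch-list and sample data are constructed."""
import ipaddress

# Domains a home PC has no legitimate reason to override locally (assumption).
WATCHED_DOMAINS = {"paypal.com", "www.paypal.com",
                   "login.live.com", "update.microsoft.com"}

# Constructed sample hosts file: a comment, the normal loopback entry,
# and two tampered lines of the sort described in the comment above.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       paypal.com www.paypal.com
192.168.1.50    update.microsoft.com   # also blocks patch downloads
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:                # one IP may carry many names
            yield parts[0], name.lower()


def find_hosts_tampering(text, watched=WATCHED_DOMAINS):
    """Return a list of (ip, hostname, reason) for suspicious entries."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                          # expected loopback entry
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparsable address"))
            continue
        if name in watched or any(name.endswith("." + d) for d in watched):
            findings.append((ip, name, "watched domain overridden locally"))
        elif addr.is_loopback or addr.is_private:
            findings.append((ip, name, "name mapped to loopback/private address"))
    return findings


if __name__ == "__main__":
    for ip, name, why in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {why}")
```

    On a real Windows box the file to read is %SystemRoot%\System32\drivers\etc\hosts; the check is only meaningful when run from a clean boot medium, since a kernel rootkit can hide the tampered contents from a scanner running on the infected system.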

  • Re:Analogy (Score:5, Insightful)

    by Bane1998 ( 894327 ) on Tuesday December 02, 2008 @05:17AM (#25957021)

    Computer to 'Some simple concept' analogies are stupid as hell. Get over your elitism. Most people don't understand the first thing about computers, and they don't have to. Just like most people use a TV, VCR, whatever, without any clue how it works, they just use it to play movies. Blinking 12:00.

    Your analogy fails because leaving a gun out is gross negligence. It's a dangerous thing, and that's fairly obvious. A computer isn't. I suppose an argument could be made that computers are dangerous. It would be quite a stretch though. In that case there should be mandatory licensing to operate one, you know... like a car. But there isn't. So, either make the argument that computers are dangerous and should be controlled (and make sure you understand the actual ramifications of that argument), or stfu and realize that no, most people don't understand Computer Security or why it's important, and they never will.

    And then, as an expert in the field, learn that you aren't smarter than mom and dad using their computer, you just have a specialized skill set. Most nerd kids, like prolly half the slashdot crowd are or were, started out with computers coming naturally to them. It's easy to assume then that it should come naturally to everyone. And when you see it doesn't, your first reaction is that something is broken in them. After that nerd grows up a bit in the world, that person learns that no... they aren't idiots. We just have an aptitude for something that others don't. And that doesn't make them dumb. They probably have skills we don't. Say... socializing for example. So my guess is your (and all those who always come to slashdot posting the same song and dance) maturity level hasn't quite evolved yet.

    And to not be elitist myself... I can admit I was once the same way. I grew out of it, as will you. :)

  • Re:Dial up users. (Score:4, Insightful)

    by Ragzouken ( 943900 ) on Tuesday December 02, 2008 @05:38AM (#25957121)

    Did you read the bit where he said what you said?

  • Re:Idiots (Score:2, Insightful)

    by mowall ( 865642 ) on Tuesday December 02, 2008 @07:05AM (#25957515)

    not at all:
    - install XP with network unplugged
    - turn on firewall
    - plug in network

    XP didn't come with a firewall. You had to upgrade to SP2 (IIRC) to get the Windows firewall. Granted, if you bought XP after SP2 was released you'd have the firewall, otherwise you can potentially get infected very quickly... way before you get the chance to download SP2 and enable the firewall.

  • Re:Idiots (Score:3, Insightful)

    by aliquis ( 678370 ) on Tuesday December 02, 2008 @08:12AM (#25957863)

    I see that you have already been (correctly) moderated as troll.

    But anyway, for your information those systems aren't without exploitable bugs either. I would assume that OS X is especially risky since it might have a more standard collection of software and Apple bundles a bunch of security upgrades at the same time instead of sending them out as soon as there is an issue.

    I won't say that I'd rather trust Microsoft getting updates out in time than Apple because then I too will be moderated troll but well, let's just say neither of them are perfect.

    Regarding BSD and Linux it will to a big extent depend on what software you have installed.
