New Mega-Botnet Discovered

yahoi writes "According to the DarkReading article, 'Researchers have discovered a major botnet operating out of the Ukraine that has infected 1.9 million machines, including large corporate and government PCs mainly in the US. The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains — 51 of which are in the US government. Researchers from Finjan who found the botnet say it's controlled by six individuals, and includes machines in major banks.'"
  • Re:Can Help? (Score:5, Insightful)

    by PotatoFarmer ( 1250696 ) on Wednesday April 22, 2009 @08:14PM (#27681353)

    So true. And so uncalled for here. Because surfing legitimate sites and catching a trojan is nothing that network security can do about.

    How so? Network security in this context doesn't mean setting up a firewall and calling it a day, it means layered security of the entire network, including all the devices attached to it.

    In the case of a trojan payload, properly patched machines along with restricted user accounts help quite a bit.

  • by Fastolfe ( 1470 ) on Wednesday April 22, 2009 @08:17PM (#27681381)

    Why are you blaming the US government for (a) defects in software they didn't write; and (b) a malicious botnet created and operated by someone else? The only reason the US government is being singled out in this article is because it makes the story more sensational, which means more eyeballs, which means more ad revenue.

  • by east coast ( 590680 ) on Wednesday April 22, 2009 @08:17PM (#27681385)
    I wonder if the AVG product they were using was the freeware version or one of the commercial products...

    I think it's great that they find this kind of stuff but at the same time I have some misgivings about how they don't do much to point the public in the right direction as far as finding out if they're infected or what they can do to remedy the situation. It seems that a lot of security articles are lean on providing the details about helping yourself to a more secure system.
  • by deepershade ( 994429 ) on Wednesday April 22, 2009 @08:21PM (#27681411)
    How about not, and it's actually more a case of the consumer's fault for demanding an easy life instead of something that works without breaking everything, but hey, don't let me get in the way of a good bit of MS bashing.
  • Re:FTP? (Score:4, Insightful)

    by Starayo ( 989319 ) on Wednesday April 22, 2009 @08:27PM (#27681463) Homepage

    But maybe a new system where users click some 'I want to download this file' button and get the content via an e-mail?

    Right, because uninformed people opening attachments don't cause enough problems already...

  • Re:Can Help? (Score:2, Insightful)

    by dov_0 ( 1438253 ) on Wednesday April 22, 2009 @08:29PM (#27681479)
    Actually I do have fun occasionally picking at malware and malicious websites, but I can't get them to infect my Linux machine. Even without noscript, noflash, nofun etc. At the present time, those with a reasonably secure Linux box at home are pretty safe from nearly all common attacks.
  • Re:Can Help? (Score:3, Insightful)

    by muckracer ( 1204794 ) on Wednesday April 22, 2009 @08:48PM (#27681621)

    > In the case of a trojan payload, properly patched machines
    > along with restricted user accounts help quite a bit.

    So why does the XP installer first create an Administrator account and then prompt you to create a "user" account, which ALSO has (to have) administrative access??

    There's a few million infections right there...

  • Re:Can Help? (Score:5, Insightful)

    by LostCluster ( 625375 ) * on Wednesday April 22, 2009 @08:50PM (#27681635)
    Maybe it's unavoidable that when you let people download, they may get fooled. However, noticing you've got a botnet on your network is Network Security's job.
  • Clean up botnets (Score:5, Insightful)

    by DragonDru ( 984185 ) on Wednesday April 22, 2009 @08:51PM (#27681645)
    How can we expect to clean up the botnets if the hosts are never contacted. I may think I am clean, but if I unknowingly lack the skills to know better, I would never know better, and would never do better. The big papers detailing botnets never provide enough details to know if *I* screwed up the internet.
  • Re:Can Help? (Score:3, Insightful)

    by Anonymous Coward on Wednesday April 22, 2009 @08:53PM (#27681657)

    It won't open eyes. It will encourage laws like the DMCA to sweep the problems under the rug. Security through obscurity doesn't work in the long haul, but in the short run, it is great.

    I can see Draconian laws being passed banning ownership of "hacking tools" (debuggers come to mind) that might catch some clueless script kiddie from some junior high school, who is promptly made an example of, having adult felony Federal charges pressed. However, the people in Elbonia will still be running their botnets and will be more undetectable because sysadmins won't have the tools to detect attacks. The result will be less DETECTED attacks, and that is what top brass in a number of companies and organizations want.

    In my experience, most companies don't give a shit about intrusions. It's the ones that make the press they care about. If they can make it where detecting it is harder, then the top brass is happy, even though someone from Elbonia is using their main Exchange server as a P2P hub.

  • Re:Can Help? (Score:5, Insightful)

    by thePowerOfGrayskull ( 905905 ) <marc...paradise@@@gmail...com> on Wednesday April 22, 2009 @08:56PM (#27681693) Homepage Journal

    > In the case of a trojan payload, properly patched machines
    > along with restricted user accounts help quite a bit.

    So why does the XP installer first create an Administrator account and then prompt you to create a "user" account, which ALSO has (to have) administrative access??

    There's a few million infections right there...

    We're not talking about home users, we're talking about sys admins who should know better than to allow this when they configure users in their domains; and when they mass-prepare their workstation images.

  • Re:Can Help? (Score:5, Insightful)

    by pwizard2 ( 920421 ) on Wednesday April 22, 2009 @08:56PM (#27681695)
    Although Linux is better than most systems out there and is resistant to the various drive-by attack methods, nothing is completely impervious to malware. Linux can still get hit with a trojan if the user can be tricked into installing a tainted package as root.
  • Wow (Score:4, Insightful)

    by David Gerard ( 12369 ) <slashdot AT davidgerard DOT co DOT uk> on Wednesday April 22, 2009 @09:02PM (#27681741) Homepage
    For once, an article on botnets notes that the infected machines are in fact Windows. You don't see that often.
  • by Plekto ( 1018050 ) on Wednesday April 22, 2009 @09:17PM (#27681875)

    Blurred screen shots, off-handed mention of files and sites...

    Why not at least release specifics so that we can avoid these sites?(or at least get them to clean up their act)? Why not give us details about the actual filenames and so on?

    Or at least give us details on the actual control application and the files it is paid to infect the computers with so that we can avoid them.

    Articles like this annoy me because they accomplish nothing constructive.

  • Re:Can Help? (Score:4, Insightful)

    by maxume ( 22995 ) on Wednesday April 22, 2009 @09:40PM (#27682055)

    Required for what exactly? There are probably government computers that legitimately need access to the internets.

  • by Sycraft-fu ( 314770 ) on Wednesday April 22, 2009 @09:46PM (#27682089)
    Sure a good thing those Macs don't have an active botnet [arstechnica.com] out there or anything. Errr, well, ok but surely this will be the only one ever. If more people switch making the platform a larger target, there won't be any more, ever!

    I get a little tired of this silliness of "Oh Windows is unfixably hackable!" That shows an amazing ignorance of computer security. Good admins realize that there is no such thing as perfect security, and no system that can't be broken in to. So the answer isn't the hunt for the perfect system, the answer is defense in depth. You secure your systems and network on multiple levels, and you keep an active watch on what happens. You take proactive steps to keep things secure, you don't just sit back and say "Well my OS is invincible."

    It is the same basic philosophy you see in physical security. Good physical security doesn't come from trying to have a single unbreakable defense, it comes from layers.

    The crowing on about Macs really makes me think of a home analogy: The Mac types have decided security comes from living in a gated community away from the "rabble". They pay to live in their special enclave, and figure the exclusivity keeps them safe. Overall, it does, they are a smaller target. However they are lax on their security because of this, they leave doors unlocked, valuables lying around and so on. However the security is all in appearances, it isn't real. Finally, someone decides to hit the community, and simply goes off road and bypasses the gate guard. They then have free run, because of the laxness of the users.

    Me? I take the bad neighborhood view, regardless of OS. Security comes from a host firewall, and a network firewall, and a virus scanner, and an IDS, and keeping the system patched, and a good password, and running as a deprivileged user and so on. No one of those things is what makes security good, it is the more of them you do. It is defense in depth, so that a single failure doesn't have widespread implications.

    So if your security is switching to Macs, well have fun then. Best you DON'T encourage others to join you though, since your security is all in remaining small.

  • by Anonymous Coward on Wednesday April 22, 2009 @09:48PM (#27682101)

    Why are you blaming the US government for (a) defects in software they didn't write...

    I don't blame them for flaws in software they didn't write, I blame them for buying that crap in the first place....

  • Re:Can Help? (Score:5, Insightful)

    by steveb3210 ( 962811 ) * on Wednesday April 22, 2009 @10:14PM (#27682257)

    Cue the response of the typical /. user:

    "I use linux and firefox and noscript and noflash and adblock plus.... so therefore I should be able to surf ANY site I want to..."

    Too bad you forgot to turn off images and just got pwned by the 0 day buffer overflow the hackers discovered in libjpeg.

  • by Anonymous Coward on Wednesday April 22, 2009 @11:00PM (#27682597)

    I am shocked that a bank would allow any www access on a machine that has direct access to accounts.

    I'm shocked they're still your bank.

    But if you're not willing to put in extra effort to protect your own money, why are you surprised your bank doesn't?

  • Re:Can Help? (Score:5, Insightful)

    by Bigjeff5 ( 1143585 ) on Wednesday April 22, 2009 @11:06PM (#27682633)

    Ever notice that 99% of trojan and virus attacks require user intervention?

    Social Engineering is the primary attack risk to a computer network once basic protection measures are taken (firewall, AV, and current updates), because users are the primary vulnerability. That's why it is usually worth the trouble to simply give the user bare minimum rights to their machines. It helps limit the damage they can cause.

    This is, however, inconvenient, and so is not done universally. There are even reasons not to do it that are sound, though requiring any kind of security generally makes low user rights a necessity.

  • by icannotthinkofaname ( 1480543 ) on Thursday April 23, 2009 @12:03AM (#27682983) Journal

    The crowing on about Macs really makes me think of a home analogy: The Mac types have decided security comes from living in a gated community away from the "rabble". They pay to live in their special enclave, and figure the exclusivity keeps them safe. Overall, it does, they are a smaller target. However they are lax on their security because of this, they leave doors unlocked, valuables lying around and so on. However the security is all in appearances, it isn't real. Finally, someone decides to hit the community, and simply goes off road and bypasses the gate guard. They then have free run, because of the laxness of the users.

    By the same analogy, Linux users moved some place where there was no town or civilized society of any sort, built their own community brick by brick, and the place isn't even on the map. But, they still aren't boneheaded enough to leave their doors unlocked. Linux users lock their doors using locks that they created, made their own latching systems to actually open the doors when unlocked, and know what their houses looked like when they left, so they can identify anything out-of-place when they return. Not only is it small, like the Mac community, but the people living there designed their own security into their customizable systems. The reward-to-effort ratio is just not high enough to justify even trying to get at the valuables inside, which may or may not be valuable to wherever the burglar came from in the first place.

    Am I right?

  • by Anonymous Coward on Thursday April 23, 2009 @12:07AM (#27683015)

    I don't think you can just grab some numbers from a convenient botnet CnC portal and say ah-hah 1.9 million infected machines for a lot of reasons.

    Check out the blog about counting botnet victims at http://blog.damballa.com [damballa.com]

  • What of the ISPs (Score:4, Insightful)

    by cdn-programmer ( 468978 ) <(ten.cigolarret) (ta) (rret)> on Thursday April 23, 2009 @06:14AM (#27684759)

    What of the ISPs that host these botnets? Many of these botnets are used to spew spam. If they do then this is easily detected and IMHO the ISP uplink in question should simply pull the plug and advise their client that it looks as if their toilet is broken because there sure seems to be a lot of sh*t coming from them.

    I know my ISP does this. I know because they have phoned me and I had to advise them it's not my OpenBSD servers generating spew, but another of their clients on the subnet. We found it fairly quickly.

    I've heard so many excuses. Some involve excuses that it would breach service agreements. So let's look at that one. How many end users write service agreement contracts? How many end users even read them? I think the answer here is obvious. Pretty much anything reasonable can be written into the contracts so that sort of excuse doesn't hold much water.

    The obvious answer is the ISPs in question actually might make money carrying this spew. They certainly made money when they provided connectivity to known spammers. They also make money when they charge extra for static IPs. Note that a static IP makes it much easier to trace and quarantine a bot.

    If we want these problems to go away then one way to address the issue is to look at issues of an accessory either before or after the fact.

    Let me provide an example. If someone digs a big hole in the road and someone else drives in and wrecks their car and maybe kills some people in the process, then the excuse of "I didn't know a car could fall into a hole" or "I didn't think anyone would drive their car down this road at night" or any other excuse that might be dreamed up is not likely going to carry much weight. If someone sees the hole and ignores it using the excuse that "Well, it's not my hole", then that excuse also is not likely to hold much weight.

    An ISP hosting infected machines should be just as liable as the client who owns it. Many of these botnets reveal themselves. We need to start asking for accountability.

    Consider people like Conrad Black. Last I heard he's in jail. That is accountability. Any excuses he and his lawyers might have dreamed up didn't carry much weight.

    Here is another example. In the movie called "Nuremberg", Alec Baldwin asks in one scene if "anyone in this country accepts responsibility for anything?". I think this says an awful lot. Only one person seemed to be responsible for the killing of millions.

    So in this story we have over 1 million bots discovered and apparently 6 perpetrators and how many are responsible? These bots are identified, now what? I've had more than 50,000 bots attack my servers. Can I call the cops? If I provide IP addresses does anyone pull a plug?

    We need to think on this.

  • by cboslin ( 1532787 ) on Thursday April 23, 2009 @07:17AM (#27685165) Homepage

    I do not know the exact law, exact regulation or a link or I would list it, but when I mention this, it will seem obvious to most.

    I talked to a tech at a bank, he stated that there were laws on the books that made it illegal to connect up the bank's private network that connects to other banks.

    He also indicated that automatic updates (any and all) would be considered a violation of those same banking laws.

    This is probably why nobody screams bloody murder and why the banks are so quick to eat losses due to fraud and scamming. They know that once the TRUST in the system is compromised, they have lost the war.

    Yet just a couple of days ago I read about institutions who did NOT segment their networks (physically separating the connections between public internet and backend banking systems) and were finding that someone with enough technical knowledge could install monitoring software between connections and watch everything that passes. That much of the information is not encrypted as it is supposed to be.

    Let's face it people, if you are NOT monitoring your outgoing packets and communications you simply do NOT KNOW whether you are safe or not. This monitoring takes time, time is money. Have you looked at salaries of IT professionals in the Security area of networks? You get what you pay for and the pay typically lags behind almost everyone else in IT, except in specific rare cases and where companies understand the importance. Then they pay higher rates for better people. You do not have to believe me, just go to Glassdoor [glassdoor.com] and see for yourself.

    These companies literally lose billions when they are hit, yet they will not pay a simple 6 figure salary to have someone with TCP/IP monitoring and packet sniffing experience monitor their networks. Just hiring 3 or 4 of these types of IT professionals would be cheap insurance at preventing break-ins and quickly cutting off attempts that probe your networks for weaknesses.

    Personally I think companies should create Tiger teams of 3 - 5 IT white hat hackers to work each of three shifts. When the company is probed, have their team attack back. When the honey pot is accessed, proof positive of a cracker and/or hacker, basically someone doing something they should not be doing, go on the offensive.

    I have always thought the best defense was a strong offense. Pretty soon the smart crackers would leave your company alone as they do NOT want their infrastructure crippled by attacks any more than you do. And if someone has left their PC unprotected and gets attacked, well that is their personal responsibility. Had they never allowed themselves to get cracked in the first place they would never have been used, attacked and thrown away.
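Two posts above make the same defensive point: cdn-programmer says a spam-spewing bot "is easily detected" by whoever carries its traffic, and cboslin says that without monitoring outgoing packets you cannot know whether you are clean. The following is an added example, written for this page and not code from any commenter, Finjan, or DarkReading. It runs one such egress check over a constructed flow log: a workstation that opens SMTP connections directly to many distinct external mail servers is behaving like a spam bot, because legitimate mail leaves through the organisation's own relay. The flow format, the internal range 10.0.0.0/8, the sanctioned relay at 10.0.1.5 and the fan-out threshold are all assumptions chosen for the illustration.

```python
"""Flag internal hosts whose outbound traffic looks like a spam bot.

Added example, not code from the thread. The flow log, the internal range
(10.0.0.0/8), the known mail relay (10.0.1.5) and the threshold are all
assumptions constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records (not real traffic): timestamp,src_ip,dst_ip,dst_port,packets
FLOW_LOG = """\
2009-04-22T20:14:01,10.0.5.23,203.0.113.10,25,12
2009-04-22T20:14:02,10.0.5.23,203.0.113.11,25,9
2009-04-22T20:14:02,10.0.5.23,198.51.100.7,25,11
2009-04-22T20:14:03,10.0.5.23,198.51.100.8,25,10
2009-04-22T20:14:03,10.0.5.23,203.0.113.12,25,8
2009-04-22T20:14:04,10.0.5.23,198.51.100.9,25,13
2009-04-22T20:14:05,10.0.5.40,10.0.1.5,25,20
2009-04-22T20:14:06,10.0.5.40,203.0.113.50,443,40
2009-04-22T20:14:07,10.0.5.41,203.0.113.51,443,35
2009-04-22T20:14:08,10.0.1.5,203.0.113.10,25,30
2009-04-22T20:14:09,10.0.1.5,198.51.100.7,25,25
2009-04-22T20:14:09,10.0.1.5,203.0.113.60,25,22
2009-04-22T20:14:10,10.0.1.5,203.0.113.61,25,19
2009-04-22T20:14:10,10.0.1.5,198.51.100.30,25,17
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
KNOWN_MAIL_RELAYS = {"10.0.1.5"}                    # assumed: the site's sanctioned outbound MTA
DISTINCT_MX_THRESHOLD = 5                           # assumed tuning value


def parse_flows(text):
    """Parse CSV flow lines into tuples; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, pkts = line.split(",")
        flows.append((ts, src, dst, int(port), int(pkts)))
    return flows


def smtp_fanout(text):
    """Map each internal source to the set of distinct external SMTP peers it contacted."""
    peers = defaultdict(set)
    for _ts, src, dst, port, _pkts in parse_flows(text):
        if port != 25:
            continue
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            continue  # only our own hosts are in scope
        if ipaddress.ip_address(dst) in INTERNAL_NET:
            continue  # mail handed to the internal relay is the normal path, not fan-out
        peers[src].add(dst)
    return peers


def find_spam_relays(text, threshold=DISTINCT_MX_THRESHOLD):
    """Return [(host, distinct_peer_count)] for hosts that deliver mail directly
    to at least `threshold` external servers. The sanctioned relay is exempt,
    since by design it talks to every MX on the Internet; exempting it is what
    keeps this check from paging on the one host that is supposed to do this."""
    hits = []
    for src, dsts in smtp_fanout(text).items():
        if src in KNOWN_MAIL_RELAYS:
            continue
        if len(dsts) >= threshold:
            hits.append((src, len(dsts)))
    return sorted(hits)


if __name__ == "__main__":
    for host, n in find_spam_relays(FLOW_LOG):
        print(f"{host}: direct SMTP to {n} distinct external servers, likely spam bot")
```

On the constructed log only 10.0.5.23 is reported: 10.0.5.40 sends mail through the relay, 10.0.5.41 only browses, and 10.0.1.5 fans out to five servers but is the relay itself. The same shape of check, with a port-25 block at the border for everything except the relay, is the "pull the plug" step cdn-programmer describes, applied inside the network rather than at the ISP.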

  • Re:Can Help? (Score:3, Insightful)

    by sexconker ( 1179573 ) on Thursday April 23, 2009 @12:37PM (#27689341)

    Yup, there sure are.
    And there are tons that don't, yet do.

    Important shit needs to be severed from the internet and the intranet and CDs/Flash Drives/etc by default, and access to each granted on a i-can-has? basis.

    That aside, these stories always imply that OMG THEY GOT INTO THE MISSILE CONTROL SILO. No, they got into the computer of some office assistant at some university. That's a "government computer".
