
New Mega-Botnet Discovered

yahoi writes "According to the DarkReading article, 'Researchers have discovered a major botnet operating out of the Ukraine that has infected 1.9 million machines, including large corporate and government PCs mainly in the US. The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains — 51 of which are in the US government. Researchers from Finjan who found the botnet say it's controlled by six individuals, and includes machines in major banks.'"
  • Re:Can Help? (Score:3, Interesting)

    by Daengbo ( 523424 ) <daengbo@gmail. c o m> on Wednesday April 22, 2009 @07:58PM (#27681211) Homepage Journal

    Maybe this isn't such a bad thing after all.

    Maybe it'll finally open the government's eyes to protecting their networks. They are generally in really bad shape. There are some exceptional sysadmins out there, but they are often hogtied by anti-security regulations and expectations.

  • Need I say more? (Score:5, Interesting)

    by udippel ( 562132 ) on Wednesday April 22, 2009 @07:59PM (#27681229)

    From the article:
    Around 45 percent of the bots are in the U.S., and the machines are Windows XP.

    On the other hand:
    Nearly 80 percent run Internet Explorer; 15 percent, Firefox; 3 percent, Opera; and 1 percent Safari
    What else does one expect? Since it is an infection spread through trojans on legitimate sites and XP the target, what can we expect the browser to do?

    In the end, we might see all browsers running completely sandboxed on demand, that is: no interaction with the rest of the system; a 'browse-only' kiosk.

  • Re:FTP? (Score:5, Interesting)

    by TubeSteak ( 669689 ) on Wednesday April 22, 2009 @08:08PM (#27681301) Journal

    Then what would people use to download and upload files? Would FTP come back into style?

    I already use a program called SandBoxie after seeing it mentioned on /.
    You can either allow files to escape the sandbox on a case-by-case basis or set up default allows wherever you like.
    And as a general comment, it's terribly easy to allow files into a sandbox, like when you want to upload something, but not allow any changes out.

    P.S. FTP server/client software has terrible security. Even the most popular ones, which have been around for over a decade, still get hit with remote exploits.

  • Re:FTP? (Score:3, Interesting)

    by udippel ( 562132 ) on Wednesday April 22, 2009 @08:14PM (#27681351)

    As you may guess, I am aware of the consequences. Though it seems to make sense in many cases, when everything and anything that one downloads is just for rendering the site.

    Would FTP come back into style?
    I, actually, hope not. Not FTP. But maybe a new system where users click some 'I want to download this file' button and get the content via an e-mail? Oh, wait, that's only slightly better than FTP.
    Still, yes, a separate channel for file transfer outside of that box, not using any http could be safer.

  • by mea_culpa ( 145339 ) on Wednesday April 22, 2009 @08:38PM (#27681543)

    I think it is more widespread. I'll take my local bank as an example. I stopped by to make a deposit, and I noticed the teller minimizing her Facebook page as I glanced at the screen.
    I am shocked that a bank would allow any www access on a machine that has direct access to accounts. Dollars to donuts there is some form of malware on that machine, or already throughout their network.
    It was my belief that competent IT would only allow the necessary Intranet infrastructure to run the bank's applications. But I would bet their policies get changed by ignorant management that are sold on 'security' appliances and software to protect themselves while granting www access.

  • Re:FTP? (Score:2, Interesting)

    by Anonymous Coward on Wednesday April 22, 2009 @09:05PM (#27681773)

    Sandboxie rules!! I don't use XP machines often but if I have to run something that I don't entirely trust *cough*keygen*cough* I just use it.

    Something to note, as my wife painfully discovered: Sandboxie is useless with patches since it can't "technically" patch the real binary, and if it patches the binary with a trojan AND you move the patched binary out of the sandbox...you're fUx0R3d. Yeah, now she's using Linux and forbidden from playing any Windows games at all after that episode...and she was sitting RIGHT NEXT TO ME and never once bothered to ask if she was doing something not good..."Task Manager has been disabled by your Administrator", when you're an admin is usually not a good thing to read.

  • by Anonymous Coward on Wednesday April 22, 2009 @09:37PM (#27682023)

    I am shocked that a bank would allow any www access on a machine that has direct access to accounts.

    It is funny how people can spend a fortune on security and then do something like install a WEP-protected WiFi access point in one of the offices that is trivial to crack and that gives you direct access to otherwise heavily fortified networks. Another thing that can guarantee a good laugh is wireless-connected security cameras. I saw this interview on TV the other day with a guy whose child had some sort of chronic disease. Apparently he was something of a nerd, because he had installed a camera in the back of his car hooked up to a netbook or some such gadget so he could keep an eye on the kid. He told the reporter that the system worked fine, but he had to make some modifications to the software because when he used the out-of-the-box configuration while driving through city centers and business districts, he would keep getting cross connections from wireless-connected security cameras all the time. You'd think that in this day and age wireless security cameras would have an encrypted connection.

  • Re:FTP? (Score:3, Interesting)

    by Browzer ( 17971 ) on Wednesday April 22, 2009 @09:41PM (#27682059)

    File Transfer Protocol has been around since the early 1970s, and while most FTP server/client implementations have a history of exploits, their weakness is not necessarily due to the exploits themselves but rather to the way the FTP protocol transfers information. FTP communication includes not only the transfer of files but also the transfer of authentication parameters. All this information is transferred in clear text. Clear text is also the way HTTP transfers information/files. You can think of HTTP as an FTP with anonymous authentication (no authentication required). Clear text transmission only became a major problem when the Internet spread like a virus, and the network could not be trusted from prying eyes.

    As a result, secure file transfer protocols have been developed, which are nothing more than a transfer protocol (FTP, HTTP, Telnet) on top of an encrypted/secure layer. HTTPS, SSH, SFTP, FTP over HTTPS are such protocols, which are used every time security information has to be exchanged securely.

    So in conclusion, file/information transferring is performed every time you click a link, not only when you want to upload/download a file. If the contents of the file/information do not need to be secure, then the information is transferred in clear text. If, on the other hand, information (including not only content, but also authentication)/files have to be secure, then a secure/encryption layer HAS to be used, and has been used since the mid 90s.
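The post's point that FTP sends authentication parameters in the clear unless a secure layer is negotiated first is the kind of thing a monitoring rule can check. The following is an added example (not from the post or any FTP project) that audits a constructed FTP control-channel log and flags USER/PASS/ACCT commands sent before the server has accepted an AUTH TLS upgrade (RFC 4217); the log format with `C:`/`S:` prefixes is an assumption of the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample control-channel sessions (not real captures).
# "C:" = client to server, "S:" = server to client.
SAMPLE_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: RETR report.pdf
S: 150 Opening BINARY mode data connection
"""

SAMPLE_TLS_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""

@dataclass
class Finding:
    line_no: int
    command: str
    reason: str

def audit_ftp_session(session_text: str) -> list[Finding]:
    """Flag credentials that cross the wire before the control channel is
    protected. After the client sends AUTH TLS/SSL and the server accepts it
    with a 234 reply, later commands travel encrypted and are not flagged."""
    findings: list[Finding] = []
    protected = False      # True once AUTH was accepted by the server
    pending_auth = False   # an AUTH request is awaiting the server's reply
    for no, raw in enumerate(session_text.splitlines(), 1):
        m = re.match(r"([CS]):\s*(.*)", raw)
        if not m:
            continue
        side, msg = m.groups()
        verb = msg.split(" ", 1)[0].upper()
        if side == "C":
            if verb == "AUTH" and msg.upper().endswith(("TLS", "SSL")):
                pending_auth = True
            elif verb in ("USER", "PASS", "ACCT") and not protected:
                findings.append(Finding(no, verb, f"{verb} sent in clear text"))
        else:
            if pending_auth and msg.startswith("234"):
                protected = True
            pending_auth = False  # any reply (234 or a rejection) resolves it
    return findings
```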

  • Re:Can Help? (Score:5, Interesting)

    by Anonymous Coward on Wednesday April 22, 2009 @09:48PM (#27682097)

    Maybe it'll finally open the government's eyes to protecting their networks.

    Oh, they realize it. There is a big push to have a standard [nist.gov] secure desktop on all of the Fed's computers. The standard is good. It does everything that you'd expect for a secure desktop. Restriction of services, and admin accounts, and blocking ActiveX controls. Lock down the ability to connect to Windows shares willy-nilly. Make sure that all the patches to software are installed in a timely fashion. (I.e., Conficker should not be infecting Federal machines; if they were following these guidelines, they would have had the patch deployed in 10 days.) And the best part is (in theory anyway, I have yet to see it actually happen) that if a software vendor wants to be on GSA, they need to certify that their application can run without admin rights. And if they don't, they need to document exactly why.

    The problem? It was supposed to be implemented February of 2008. And outside of a few big pilot programs, nobody has the thing 100% implemented yet.

    Part of the problem is that if you implement everything, you're practically guaranteed to not be able to work in your environment, so one must find and document the exceptions. If you have crappy network/desktop practices to begin with, you'll be screwed in your deployment. Our practices were good to begin with, scoring 80% compliance, and it didn't take much to get to 90%, but that last 3% to be in the green is proving to be a killer.

    There are some exceptional sysadmins out there, but they are often hogtied by anti-security regulations and expectations.

    The regulations generally aren't the problem (though just last month it was announced that Entrust encrypted email is no longer acceptable to send PII through. You have to use an encrypted USB thumbdrive. And not just any drive, a Kangaroo drive. No BlackBox Data Travellers, no IronKeys, just these colorful Kangaroo drives, so sometimes the regs don't make sense), it's the expectations. I'm always told that "The company (I work for a subcontractor to the feds) will do everything that they can to make sure that we meet Cyber's needs". Which is great until somebody with enough political clout is inconvenienced. Fortunately, this is becoming more and more rare, as the Feds have been backing our decisions.

    Support from software vendors also sucks: "It works for us, why don't you give them admin rights, that'll fix it?" Uh, not just no, HELL NO.

  • Re:Need I say more? (Score:3, Interesting)

    by Zak3056 ( 69287 ) on Wednesday April 22, 2009 @09:56PM (#27682147) Journal

    In the end, we might see all browsers running completely sandboxed on demand, that is: no interaction with the rest of the system; a 'browse-only' kiosk.

    Given the story a few posts down the main page about an exploit that can jailbreak out of a VM to attack other VMs and the host itself, or the one from a few months back that infected the BIOS to the point where the only possible repair was to pull and replace the chip itself, I don't think that even a fully sandboxed browser will be good enough in the future.

    It would both amuse and sadden me if something like "trusted computing" were the only result that ended up with a secure system (though my money's on THAT being broken/exploited, too, which leads to my next thought: the future is a world of hardened, single purpose, completely locked down devices, and won't that just be a "wonderful" future to live in.)

  • by Techman83 ( 949264 ) on Wednesday April 22, 2009 @09:57PM (#27682151)

    We used similar cameras to record our last road trip; several of the road houses we stopped at were recorded by accident. Did get a good laugh from us.

  • Re:Need I say more? (Score:4, Interesting)

    by udippel ( 562132 ) on Wednesday April 22, 2009 @10:18PM (#27682273)

    If browsers become completely sandboxed, you might see botnets living in the browser's CPU/filesystem space that are active in the background

    Sure. To me that's like in those cyber-cafés where the whole machine is riddled with crapware at the end of the day, when it will be wiped and receive a clean install from an image over the network. When the browser shuts down, all those botnets are gone. Assume that history and cache are likewise. 'Kiosk', as I wrote.
    Assuming sandbox is what it is supposed to be, we would see transient botnets. Which in itself would be a great improvement to the current resident ones.

  • Re:Clean up botnets (Score:3, Interesting)

    by Dadoo ( 899435 ) on Wednesday April 22, 2009 @11:41PM (#27682841) Journal

    Personally, I think it's time we started fining people, when their computers are found in a botnet. Start small at, say, $10, then double it for each subsequent violation, until it reaches $160, or even $320. Then, Microsoft will either have to fix the problem, or people will start using more secure operating systems. Either way, it's a win for the Internet.

  • Re:Can Help? (Score:2, Interesting)

    by Daengbo ( 523424 ) <daengbo@gmail. c o m> on Thursday April 23, 2009 @04:41AM (#27684301) Homepage Journal

    Ten years ago, you wouldn't have needed to explain what I meant by "anti-security regulations" because most Slashdotters were working in the industry. Meh.

  • Re:Can Help? (Score:5, Interesting)

    by speculatrix ( 678524 ) on Thursday April 23, 2009 @05:31AM (#27684527)
    Actually, computers can be made much more robust to viruses and trojans; however, there are fundamental problems with the x86 architecture and the way we program that are hard to overcome.

    Let me take you back in time to when most computers were embedded systems. The program ran from ROM (or EEPROM) and could not be changed at all without physically switching out the non-volatile memory - in-system programming was a rarity. Moreover, many processor architectures had entirely separate executable and data spaces - you couldn't actually write to the executable memory, so even if it was flash or battery-backed static RAM, it wouldn't work. Thus no matter how corrupt the data became, it could only crash the software or make it misbehave; to restore operation you'd simply reset the CPU and everything would return to normal!

    In contrast, the x86 usually boots the OS into RAM, even shadowing the BIOS into RAM (because it's faster), and it's possible to scribble all over executable code space - the obvious example being to overflow stack space to execute unauthorised code. The NX bit was added relatively recently to ameliorate these problems.

    Sparc architecture has been more resilient to attack too, partly because of its relative obscurity, but mainly due to its relative immunity to stack smashing.
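The separation of executable and data memory that the post describes is what the NX bit enforces per page on x86: no mapping should be both writable and executable (W^X), and the stack in particular should not be executable. The following is an added example (not from the post) that audits Linux `/proc/<pid>/maps` text for W+X mappings; the sample maps output is constructed for the example, and `audit_self()` reads the current process's own map only when `/proc` is available.

```python
import re

# Constructed sample of /proc/<pid>/maps output (not taken from any real host):
# one anonymous mapping is rwx and the stack is executable; the rest are fine.
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a01000 r-xp 00000000 fd:01 1234 /usr/bin/demo
55d0c2c00000-55d0c2c01000 rw-p 00001000 fd:01 1234 /usr/bin/demo
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7ffd5e2c0000-7ffd5e2e1000 rwxp 00000000 00:00 0 [stack]
7ffd5e3f0000-7ffd5e3f2000 r--p 00000000 00:00 0 [vvar]
"""

# address range, perms (e.g. "rwxp"), offset, device, inode, optional path/name
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def find_wx_mappings(maps_text):
    """Return (start, end, perms, name, reason) for each mapping that violates
    W^X. An NX-enforced process with a non-executable stack yields no hits."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, name = m.groups()
        if "w" in perms and "x" in perms:
            name = name or "[anonymous]"
            reason = "executable stack" if name == "[stack]" else "writable+executable"
            hits.append((int(start, 16), int(end, 16), perms, name, reason))
    return hits

def audit_self():
    """Live check of the calling process on Linux; returns None elsewhere."""
    try:
        with open("/proc/self/maps") as f:
            return find_wx_mappings(f.read())
    except OSError:
        return None

if __name__ == "__main__":
    for start, end, perms, name, reason in find_wx_mappings(SAMPLE_MAPS):
        print(f"{start:012x}-{end:012x} {perms} {name}: {reason}")
```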
