
Zombie Networks On The Rise

A reader writes "According to Symantec via the BBC online, Zombie PC nets are growing very fast. Of course, it should also note that Symantec may want those numbers to be as scary as possible." ITMJ is part of OSTG, like Slashdot. There's also a NY Times story on the article as well.
  • by Dagny Taggert ( 785517 ) <hankrearden AT gmail DOT com> on Monday September 20, 2004 @07:38AM (#10296381) Homepage
    ...numbers to be scary. And, they want the bad news to come from them. Otherwise, people would wake up and start using products like Panda or Kaspersky.
    • by Davak ( 526912 ) on Monday September 20, 2004 @07:50AM (#10296456) Homepage
      Surveys and public information releases like this are great free press.

      First, it makes you appear to be THE expert because you reported it first. Second, it links your name to someone that focuses on this problem.

      Why do you think we see the abc/new york times poll or whatever? It's because it's a cheap way to make news... it's a cheap advertising campaign.

      Is this bad? I don't think so...

      People get into the security business, for example, by reporting new viruses or exploits.

      You can't blame them for releasing press releases.... it's part of their business. As it should be...
      • not to mention that if people stopped making viruses, the anti-virus companies would go bankrupt...

        so IMO it's in those companies' vital interest to make sure everyone and their dog knows that the virus menace is everywhere and affects (potentially!) everyone.
        • by Cat_Byte ( 621676 ) on Monday September 20, 2004 @08:16AM (#10296620) Journal
          I don't know about that. I find it ironic that even on P2P networks people are so infected that their files aren't even usable. The irony is that you can download functioning copies from the same networks that they are participating in or at least can get a free version of some decent virus protection, yet they don't. So I think even if not one more single computer virus was made starting tomorrow it would take forever for them to disappear.

          Not trying to flame here but some of the worst havens I have seen are samba shares because people don't put antivirus on *nix servers. It is like pulling teeth trying to tell those admins that it DOES affect them. If their users are running windows, get a virus that does keylogging, and they log in again...guess what...it did affect the *nix server.
          • by Anonymous Coward
            I have seen are samba shares because people don't put antivirus on *nix servers.

            Any suggestions for a home user with Samba on Linux and a very small budget.
            As a simple but not as safe method, I use the W32 client antivirus software to scan the network shares. Better than nothing.
            On that note, the free version AntiVir [free-av.com] for W32 does NOT scan anything on network drives at all. A good free solution for home users without network shares though.
          • Not trying to flame here but some of the worst havens I have seen are samba shares because people don't put antivirus on *nix servers. It is like pulling teeth trying to tell those admins that it DOES affect them. If their users are running windows, get a virus that does keylogging, and they log in again...guess what...it did affect the *nix server.

            I'll agree that running AntiVirus on all systems is a good practice, but the Samba share and the UNIX system aren't really to blame for obtaining the virus in
            • Defense in depth. (Score:4, Insightful)

              by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday September 20, 2004 @09:02AM (#10297001)
              "True that the *nix server could be affected, but it's really due to a compromise on the MS Win32 system."

              Yup. But infected is infected.

              The *nix box won't be affected by any of those viruses, but the machines it shares them with can be infected. And that infection can put a load on the network (particularly the viruses that do scanning).

              It's easy to put anti-virus on the file server and just kill the infections there.
                Yup. But infected is infected.

                I guess we have a different definition of infected. If I'm understanding you correctly, the file in question only affects MS Win32 clients and is really just another file to the *nix server. Maybe the term carrier would be more appropriate here as the UNIX system itself isn't compromised.

                It's easy to put anti-virus on the file server and just kill the infections there.

                I totally agree that running AntiVirus software on all file servers (especially those who serve to MS
              • I don't know about YOUR network, but on ours, the W32-based viruses spread BECAUSE they run on a W32-based server (W32 bots, DCOM hacks, ActiveX controls, etc.). In contrast, my desktop W2K machine has never picked up viruses from any of our *nix boxes.

                Sure, it's possible for an infected file to be sitting on a *nix box, waiting for the unsuspecting W32 client to pick it up, launch it, and so on. However, without a mechanism to put it on that box (as an attachment to an e-mail, or something similarly obvio
                • What if a client machine (running Windows) has a drive mapped to the Unix file server, and contracts a virus that scans all available drives looking for files to infect?

                  Without effective antivirus software on the file server, the files on it are going to be infected. True, effective anti-virus software on the client would stop that too, but that's a lot harder to control, especially if users are running as admin, or can bring laptops in from home, etc. The server you can definitely control.
              • The *nix box won't be affected by any of those viruses, but the machines it shares them with can be infected. And that infection can put a load on the network (particularly the viruses that do scanning).

                It's easy to put anti-virus on the file server and just kill the infections there.


                But the Unix server will be equally affected by viruses the clients get from other sources, so having a virus scanner really only protects the clients from files on the server itself. The server is vulnerable only because v
    • by WIAKywbfatw ( 307557 ) on Monday September 20, 2004 @07:57AM (#10296500) Journal
      Why bad-mouth Symantec for pointing out the reality of the situation? Would you be happier if it were CERT or someone else delivering the bad news?

      Symantec and its tools are part of the solution. Not exclusively the solution, or the only solution, but a part of it. And, by letting people know that problems are out there, they're performing a service that is necessary; you didn't think someone like Microsoft was going to be issuing press releases to the media that put its products in a negative light, did you?

      It's not even as if the other AV vendors that you mention are any different to Symantec: both Panda and Kaspersky are closed-source commercial products and both companies have prevalent virus activity and warning indicators on the homepages of their respective websites. And I bet they both send out press releases to the media highlighting large-scale infestations and particularly dangerous threats, so why crucify Symantec for being the company whose press release the BBC chose to focus on?

      Bottom line: why blame the messenger if the message is accurate?

      Just what's Symantec done here to warrant you being any more ticked off at them than anyone else? Do you have a legitimate reason for targeting them or are you just trolling?
      • I think anti-virus software should be developed with tax dollars by the government. As long as software security comes at a price, too many people won't want or be able to pay for it, bringing everybody down. The internet is a shared public resource, like the highway system, and we'll never be able to keep it running smoothly by expecting users to pay for protection, because most of them won't.

        What if Microsoft were held responsible for some of the damage its software was doing to our public resource? You
        • by TykeClone ( 668449 ) <TykeClone@gmail.com> on Monday September 20, 2004 @08:43AM (#10296846) Homepage Journal
          Yeah - lord knows that there are no free antivirus programs (AVG), or spyware removal tools (Spybot and AdAware).
        • I agree that in an ideal world, anti-virus etc software would be available for free, but I do not think that tax dollars is the solution. Why? Simply because the Internet is a worldwide public resource - being British I would be happy for you to pay for it, but do not think that would be fair. Now if Microsoft had to pay for it that would be another matter but that raises another point. The current anti-virus software authors would raise a stink about it (a freebie from M$ would do them out of business and
        • Do you really want government software to scan your computer on a regular basis? At least at this point, they need a warrant to scan your computer without your permission, but if you download their software and agree to their EULA (which most people won't read) you may be allowing them to scan your computer for more than viruses. Remember that government services always come with strings attached.
    • "And, they want the bad news to come from them."

      Of course, I get all my virus news from emails from Bill Gates and AOL. They're always nice enough to attach a cure for the virus as well. Would you like me to forward them on to you as soon as I get them?
  • Is there any way... (Score:5, Interesting)

    by rhsanborn ( 773855 ) on Monday September 20, 2004 @07:39AM (#10296382)
    ...to get people to realize that the internet is not a nice place? I applaud Microsoft's attempt to make their OS more secure, even if it isn't as comprehensive as it should be. As illegal as it is, I would love to see a zombie virus spread that locks down people's computers, cleans them and installs a firewall. I certainly wouldn't put my head on the block for that one, but I'd love to see it happen. Hopefully it'd cut down on my spam.
    • by noselasd ( 594905 ) on Monday September 20, 2004 @07:43AM (#10296413)
      A firewall? Theo de Raadt just said [computerworld.com.au] that a firewall won't fix the windows security, for very good reasons..
      • by archeopterix ( 594938 ) * on Monday September 20, 2004 @08:14AM (#10296606) Journal
        A firewall? Theo de Raadt just said that a firewall won't fix the windows security, for very good reasons.
        This is what he said:
        Microsoft's security problems have to do with its Web client which probably has 300 to 500 vulnerabilities in it which a firewall will never block as they are all in http, all inside a TCP session and a packet filter does not help you.
        This is only partially true. IE vulnerabilities are numerous, but they aren't the most dangerous. To take advantage of them, the user has to load a malicious WWW page. More danger comes with open ports that let the hacker take control of any running Windows system with public IP regardless of the user actions and those CAN be blocked by a firewall.

        There is also quite a different kind of firewall - the reverse one, ideally implemented outside the user's PC (cable modem/ISP router/etc) that blocks outgoing attacks in case the PC gets zombified. Too bad this is probably too costly to happen on a mass scale.

        • The WinXP SP2 firewall limits open outward bound packets to a certain number. This is to slow down the rate of infection if the system is hijacked. However, P2P performance gets killed.
    • by jdwest ( 760759 ) on Monday September 20, 2004 @07:44AM (#10296425)
      ... but Microsoft is a part of this problem. Look at its marketing and advertising, from touting the user-friendliness of IE through its MSN "Butterfly" logo and commercials, it's as if they've thrown the keys to a car to a ten-year old without explaining any of the dangers, responsibilities or precautions that need to be taken when behind the wheel.
      • by Finuvir ( 596566 )
        Car companies go on about how safe their cars are all the time. It's government groups and non-profits that produce the "drive safely" ads and tell you to wear a seatbelt. People don't (often) die as a result of a Windows box being infected, so the push to get people to use their computers responsibly isn't too strong. But businesses are affected, so they should be coming together to push the proper use of networked machines. Big businesses should commision television ads, or something similarly visible, to
    • Good idea, virus companies should start writing virii that lock down the 'average' users machine, patch holes in Windows, and replace the IE shortcut on the desktop with a Mozilla Firebird one :)

      But wouldn't that put anti-virus makers out of business? (In my personal conspiracy theory, Symantec, Norton & Friends write the virii in the first place to generate even more revenue).

      The alternative is for everybody to move over to Mac OSX - Making Unix user-friendly is easier than debugging Windows :)

  • Reg Free Link (Score:5, Informative)

    by Davak ( 526912 ) on Monday September 20, 2004 @07:40AM (#10296391) Homepage
  • NAT !!! (Score:3, Informative)

    by alatesystems ( 51331 ) <chris&chrisbenard,net> on Monday September 20, 2004 @07:41AM (#10296399) Homepage Journal
    This is another case where NAT should be used to protect our more feeble computer-using companions. Click here [slashdot.org] for my previous comment on the subject.

    NAT really would stop all these type of things from happening by just purchasing a $50 dollar router for our friends and family. We're never going to be able to teach them, so just give in and recommend a hardware based solution they don't have to manage.

    Chris
    • Re:NAT !!! (Score:5, Insightful)

      by Trigun ( 685027 ) <evil&evilempire,ath,cx> on Monday September 20, 2004 @07:46AM (#10296434)
      How exactly would NAT protect them? A major control vector for these bot-nets is IRC, which can be used through NAT. The infection vector is e-mail, which is also usable through NAT.

      If NAT became widespread, then the zombies will adapt. It is only a false sense of security.
      • Re:NAT !!! (Score:4, Interesting)

        by lachlan76 ( 770870 ) on Monday September 20, 2004 @07:56AM (#10296495)
        It can stop the ones that exploit Windows security holes, which are the fast-spreading ones.

        NAT can protect, because if it doesn't know where to send the buffer-overflow to, it just drops the packet.
        • Re:NAT !!! (Score:5, Insightful)

          by tialaramex ( 61643 ) on Monday September 20, 2004 @08:16AM (#10296617) Homepage
          That makes no sense. If you would normally receive a packet (e.g. because you provide web service, or have an IM port open or whatever) then the NAT router will rewrite the packets so that you still receive the trojan.

          OTOH if you wouldn't normally receive something (e.g. it's an HTTP attack and you don't run a web server) then the NAT makes no difference, you still won't receive it. Big deal.

          NATs are not magical protective charms. They're just a desperate hack to get around running out of IP addresses. If you want a firewall, install a firewall, not a NAT.
          • Re:NAT !!! (Score:4, Insightful)

            by lachlan76 ( 770870 ) on Monday September 20, 2004 @08:25AM (#10296704)
            But, would the NAT box normally be told to forward port 445, etc?

            I didn't say that it was an alternative to a firewall for actual security, but it's better than nothing.
            • Re:NAT !!! (Score:3, Informative)

              by TykeClone ( 668449 )
              True. Just having a NAT router ahead of your computers would have prevented the SASSER worm from hitting you this spring.
          • Re:NAT !!! (Score:3, Insightful)

            by Anonymous Coward
            That's not totally true. Sometimes you might receive something -- if a worm runs through random IP ranges -- and the NAT does protect you from that. For the typical home user who won't configure the NAT to do anything, a non-exploitable NAT will keep them safe because it'll only forward packets to the user's box that have corresponding outbound packets. They're not perfect security, but when set up like that, they do act as a decent firewall.
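The argument in this subthread (an unsolicited inbound packet has no mapping so the NAT box drops it, but an outbound IRC connection and a forwarded port still go through) can be shown with a small connection-tracking model. This is an added example, not code from the thread or from any router; the addresses, ports and the `NatRouter`/`Packet` names are constructed for illustration.

```python
from collections import namedtuple

# A packet as the NAT box sees it (constructed model, not a real capture).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")


class NatRouter:
    """Minimal stateful NAT: inbound traffic is delivered to a LAN host only
    when it matches an existing outbound mapping from the same remote
    endpoint, or an explicitly configured port forward. Everything else is
    dropped because the box has nowhere to send it."""

    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        # (proto, public_port) -> (lan_ip, lan_port): what the owner configured.
        self.port_forwards = dict(port_forwards or {})
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.reverse = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN host sends out: create (or reuse) a mapping and rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.reverse[key] = pub_port
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet sends in: return the rewritten packet for a LAN host, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
            return None  # mapping exists, but this is not the peer that it was opened to
        fwd = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None  # no mapping, no forward: the scan never reaches a LAN host


def demo():
    """Walk through the cases the thread argues about. Addresses are documentation ranges."""
    nat = NatRouter("203.0.113.7", port_forwards={("tcp", 80): ("192.168.1.20", 80)})
    # 1. An infected LAN host opens its IRC control channel: out it goes, replies come back.
    c2_out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 6667, "tcp"))
    c2_reply = nat.inbound(Packet("198.51.100.5", 6667, "203.0.113.7", c2_out.src_port, "tcp"))
    # 2. A worm scanning port 445 from outside: no mapping, dropped.
    scan = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.7", 445, "tcp"))
    # 3. The same scanner hitting the forwarded web port: delivered, that host is still exposed.
    web = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.7", 80, "tcp"))
    # 4. A stranger guessing the C2 mapping's public port: wrong remote endpoint, dropped.
    spoof = nat.inbound(Packet("198.51.100.99", 6667, "203.0.113.7", c2_out.src_port, "tcp"))
    return {"c2_reply": c2_reply, "scan": scan, "web": web, "spoof": spoof}
```

Cases 2 and 4 are the "decent firewall" behaviour the poster describes; cases 1 and 3 are why the other posters say NAT is not a fix: a bot that dials out, or a service the owner forwarded, is not protected at all.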
      • How exactly would NAT protect them? A amjor control vector for these bot-nets is IRC, which can be used through NAT. The infection vector is e-mail, which is also useable through NAT.

        By shielding a computer long enough to fully update itself. In addition, all those autonomous worms and scanners will be effectively blocked. Shutting down the email vector is the difficult part - people say they won't run random shit that they find, but that's just to get you out of the room. I think the best way to deal w

      • Re:NAT !!! (Score:3, Informative)

        by azander ( 786903 )
        NAT won't help (much). I run an IRC Network and see these zombies, many behind NAT routers, try to use my network as homes. They get banned as fast as we can when they show up.

        Recently (within the past year) many of the IRC networks have started banding together via a mailing list to discuss, warn, and attempt to stop these nets. If you would like more information just google for "fizzer task force".
    • Re:NAT !!! (Score:3, Interesting)

      by lachlan76 ( 770870 )
      It won't protect them from viruses coming from the inside (people with laptops, some guy connecting through their unsecured wireless lan, etc, etc)
    • Re:NAT !!! (Score:5, Insightful)

      by gad_zuki! ( 70830 ) on Monday September 20, 2004 @07:52AM (#10296469)
      A lot of good that will do when the trojan goes through your NAT/Firewall through that big hole we call "email."

      Only a comprehensive approach will make a big enough difference. That includes patching, being skeptical of email attachments, firewalling, and virus scanning.

      PC hygiene goes a long way too. People are slowly learning that you just can't install the "newest c00lest blah-blah of the day" anymore as it will be 99% spyware and 1% app. It will be poorly written and cause all sorts of problems.

      These are just growing pains and even though the stats don't look good right now at least I can talk about spyware and viruses and have people understand what I'm saying.
  • Big Business (Score:4, Insightful)

    by artlu ( 265391 ) <artlu@art[ ]net ['lu.' in gap]> on Monday September 20, 2004 @07:41AM (#10296404) Homepage Journal
    Symantec's industry survives because of news articles that promote security threats.
  • by YetAnotherName ( 168064 ) on Monday September 20, 2004 @07:44AM (#10296422) Homepage
    The new Hacker Horror film from Miramax!

    With Christian Slater as the disenfranchised White Hat Hacker ... "My tcpdump is showing huge numbers of zombie packets, and they all want more brains."

    Winona Ryder as the potential but largely unreachable love interest ... "When's the last time you shaved?"

    Donald Sutherland as the evil mastermind behind the Zombie Networks ... "Um, moo ha ha ..."

    Written, directed, produced, and music composed on the Casio by Roland Emmerich.

    ZOMBIE NETWORKS. This film is not yet rated.

    MORE PACKETS!

    Opening everywhere February 30th 2005.
  • by Jarnis ( 266190 ) on Monday September 20, 2004 @07:45AM (#10296430)
    As a guy who gets to clean up these pieces of junk daily, the number of trojans around is growing. Earlier it was maybe one a week. Two or three if there was a major outbreak. Now it's 1-2 a day. Good business as clueless lusers pay OK amounts for cleanup as long as they don't have to do the dreaded reinstall that their compaq/hp/dell support line offered as a solution.

    Whats annoying is that some of these buggers can really mess up the system. Simple 'pop in cd / go to free online web scanner and clean up' no longer works in some cases... Symantec should concentrate more on making their crappy AV software work better and resist disabling by virii better and stop issuing more sensationalist press releases.

    It's way too common to get a virus-filled computer with norton internet security installed. Some bug had just killed the whole AV software, leaving an empty 'shell' up that keeps telling the user everything is fine. They usually wake up when their ISP cuts their line and tells them to clean up and call back when their system is secured.
    • Whats annoying is that some of these buggers can really mess up the system. Simple 'pop in cd / go to free online web scanner and clean up' no longer works in some cases... Symantec should concentrate more on making their crappy AV software work better and resist disabling by virii better and stop issuing more sensationalist press releases.

      And tell the users that they could just clean up by killing processes and changing

      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      HKCU\Software\Microsoft\Windows

    • by Lumpy ( 12016 ) on Monday September 20, 2004 @08:30AM (#10296755) Homepage
      Personally I have made more money freelance in IT the past few months than ever before. I have a great recipe.

      1 -uninstall whatever Virusscanner they have. Norton is absolute crap. antivir catches more nasties, uses far less resources, is 100% free, and overall is a better product. Install it and update it.

      install adaware and update it, install spybot search and destroy and update it and then install hijackthis.

      then reboot the windows machine into safe mode. this BLOCKS most spyware and bugs from running so you can eliminate them. run antivir full scan on all files, set to clean then delete and look for all unwanted types of programs.

      after that is done, reboot back to safe mode and run adaware, do what it wants to clean, then spybot search and destroy, do what it says, then finally hijackthis to look for the typical nasties that are left clinging around.

      finally I install for the user startupmonitor that will give you a warning box every time ANYTHING tries to insert itself in the registry to run as soon as the computer boots, and allows you to block that action.

      Then after it's clean and in a normal boot I no longer detect any virus or crapware I give it back to the user with a list of what I did, what I added and how it works, and finally a note that this will not immunize them, but they can and will start getting this crap again the second they start hitting the net again. i tell them they can limit the re-infection rate if they install and use mozilla and mozilla mail.

      They also get a CD with all the apps I installed plus the latest mozilla.

      All that gets me $150.00 a pop. I usually have 3 of them on my bench running my process every day.

      local computer "experts" are charging $250.00 and only re-install the OS, they do not offer a cleaning.

      needless to say, I'm cleaning up.
      • I've also developed a "computer maintenance document" that I hand out with the bill. It tells the user (how) to run Spybot and Adaware at least weekly, and (how) to check to make sure that the antivirus software is up to date and working.
    • I usually don't see so many nasty viruses any more (but did see a bunch this spring and early summer!). Most of what I clean up is spyware and adware.

      I just got done cleaning up a machine with a bunch of the stuff, and had a persistent bad guy called "VX2" that neither AdAware or Spybot could kill. Turns out that you need to download a plugin for AdAware to kill that guy.

      On a side note - never recommend that anyone purchase an XP system with less than 256MB RAM. It just plain sucks to work on a machi

  • by ATAMAH ( 578546 ) on Monday September 20, 2004 @07:47AM (#10296442)
    I mean, for example - on IRC people used to make spambots and run them off of their shells or even their own PCs. Now it's zombified machines that do the spamming. There was (is?) a huge problem on Undernet not so long ago, for instance, where myriads of hosts were used to promote a certain website under false pretenses, fooling people into accepting a DCC send request or even downloading a file off the said website and infecting their machine to have more spam bots.
  • Zombies at the gate (Score:5, Interesting)

    by AndroidCat ( 229562 ) on Monday September 20, 2004 @07:51AM (#10296466) Homepage
    There was some zombie network hammering on port 18128 yesterday. No amount of rejection would make them go away and they were coming from all over. (No, not a "stealthed" firewall.) The strange thing was that they all sent the string 0x13,"BitTorrent protocolex"...

    Seriously, most P2P protocols need to be improved in detecting that there is no one home, or someone is going to figure out how to inject IP addresses into their networks for DDoS attacks.
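The string the poster saw, 0x13 followed by "BitTorrent protocol", is the fixed prefix of the BitTorrent peer-wire handshake (length byte, protocol name, 8 reserved bytes, 20-byte info_hash, 20-byte peer_id). A listener on the hammered port can decode that prefix and group the hits by info_hash, which is what tells you whether hundreds of sources are all chasing one torrent whose tracker or DHT entries were pointed at you. This is an added example, not code from the thread; the capture list is constructed and the `build_handshake`/`summarize_hits` names are this example's own.

```python
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # 68 bytes


def parse_bt_handshake(data: bytes):
    """Decode a BitTorrent peer-wire handshake from the first bytes of a
    connection. Returns a dict, or None if this is not (or not yet) one."""
    if len(data) < 1 or data[0] != len(PSTR):
        return None
    if data[1:1 + len(PSTR)] != PSTR:
        return None
    body = data[1 + len(PSTR):]
    if len(body) < 48:
        return None   # truncated: reserved(8) + info_hash(20) + peer_id(20) still missing
    reserved, info_hash, peer_id = body[:8], body[8:28], body[28:48]
    return {
        "info_hash": info_hash.hex(),
        "peer_id": peer_id,
        # Reserved-bit flags clients set (BEP 10 extension protocol, BEP 5 DHT).
        "extension_protocol": bool(reserved[5] & 0x10),
        "dht": bool(reserved[7] & 0x01),
    }


def build_handshake(info_hash: bytes, peer_id: bytes, reserved: bytes = b"\x00" * 8) -> bytes:
    """Construct a handshake; used here only to fabricate sample captures."""
    assert len(info_hash) == 20 and len(peer_id) == 20 and len(reserved) == 8
    return bytes([len(PSTR)]) + PSTR + reserved + info_hash + peer_id


def summarize_hits(captures):
    """captures: iterable of (src_ip, first_bytes_received). Returns
    ({info_hash_hex: number_of_distinct_sources}, count_of_non_bittorrent)."""
    by_hash = {}
    other = 0
    for src, data in captures:
        hs = parse_bt_handshake(data)
        if hs is None:
            other += 1
            continue
        by_hash.setdefault(hs["info_hash"], set()).add(src)
    return {h: len(srcs) for h, srcs in by_hash.items()}, other


# Constructed sample: four peers, three of them chasing the same torrent,
# one HTTP probe, one handshake that was cut off mid-stream.
INFO_HASH = bytes(range(20))
CAPTURES = [
    ("203.0.113.10", build_handshake(INFO_HASH, b"-AZ2306-" + b"a" * 12, b"\x00" * 5 + b"\x10\x00\x01")),
    ("203.0.113.11", build_handshake(INFO_HASH, b"-UT1300-" + b"b" * 12)),
    ("198.51.100.3", build_handshake(INFO_HASH, b"-AZ2306-" + b"c" * 12)),
    ("198.51.100.4", b"GET / HTTP/1.0\r\n\r\n"),
    ("198.51.100.5", build_handshake(INFO_HASH, b"-AZ2306-" + b"d" * 12)[:20]),
]
```

If most sources present the same info_hash, the "no one home" problem is exactly as the poster describes: every client that learned your address from a poisoned tracker or DHT entry will keep retrying on its own schedule, and refusing the connection does not remove you from their peer lists.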

  • by Anonymous Coward on Monday September 20, 2004 @07:51AM (#10296468)
    Zombie networks tend to get their DNS services from DNS servers which are themselves part of the zombie network. Because the network itself has multiple redundant systems and built-in fault tolerance (because of people's habit of.. I dunno.. wanting to shut down their PCs once in a while) this can make them difficult to kill. The key thing is to eliminate the DNS servers by deactivating the DNS-serving domain.

    For example, spamwarez.biz gets name services from ns1.zombie-dns.biz thru ns7.zombie-dns.biz. zombie-dns.biz nameservers are *also* running on a Zombie network, and setting DNS servers in the domain registrar's control panel. If you can shut down zombie-dns.biz at the registrar and deactivate, then the entire zombie network collapses.

    Of course, most registrars don't give a damn about this, especially the Spam friendly ones, but I've successfully managed to shut down a small number of zombie networks by using various means.. not all of which might be considered ethical or even 100% legal.. but who cares?

  • by Chatmag ( 646500 ) <editor@chatmag.com> on Monday September 20, 2004 @07:53AM (#10296479) Homepage Journal
    Someone is sending spam using my email address as the return, and I'm getting hundreds of bounced emails.

    The originating IP's are all different, and I am assuming these are all compromised systems. I'm not going to email every ISP to let them know, as I've found out that most ISP's do not contact their clients to inform them their systems are compromised. All I can do is contact the upstream providers for the web site being spamvertised, and hope that the hosting provider shuts them down.
    • Are you getting genuine inquiries too?

      Reply to them stating that the product is stolen. It's what I did last week when I was Joe Jobbed. The personal satisfaction was great.
      • It's spamvertising a mortgage lender. I'm tempted to go to their site, fill out the info, and see who contacts me. I have a few disposable telephone numbers I can use so that they can call.
        • The mortgage lead business is as dirty as it gets. The companies that buy these "100% opt-in" lists of leads are either clueless or just don't care. Some people make it a hobby to salt their lists and see who bites. You could ask in news.admin.net-abuse.email. (On this topic, you would get a better reaction. ;)
          • I'll hang off posting on NANAE for now unless someone mentions it, thanks anyways :) On another note, I got an Ebay phish this morning, sent out an email to the site host, and within an hour the site was down, with a thanks from the hosting provider. Interland was the provider, and they acted very quickly to shut the site down. The email bounces seem to be slowing down, so it looks like a short spam run, hopefully.
    • Someone is sending spam using my email address as the return, and I'm getting hundreds of bounced emails.

      Install spamassassin with Bayesian filtering or some other adaptive filter, and declare all of these bounces to be spam. I used to get dozens a day, now just a few slip through each week.

      If you administer any systems for other people, install filters for them, too.

    • While it won't help a 100% yet, you should start publishing SPF records to help stop Joe-Jobs. if you don't already.
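What an SPF record buys you against a Joe Job is that a receiving mail server can compare the connecting IP with the addresses your domain publishes and reject (or at least mark) the forgery instead of bouncing it back to you. The evaluator below is an added example, not code from the thread or from any SPF library; it handles only the `ip4`, `ip6` and `all` mechanisms with the four qualifiers, because `include`, `a`, `mx` and `exists` need DNS lookups and this runs offline. The records and addresses are constructed.

```python
import ipaddress

# Qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF TXT record against the IP that delivered the mail.
    Supports ip4:, ip6: and all with +, -, ~, ? qualifiers; modifiers
    (redirect=, exp=) are skipped; any mechanism that would need DNS
    returns 'permerror' in this offline version."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"            # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:
            continue             # modifier such as redirect=... or exp=..., ignored here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare address means /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        return "permerror"       # include/a/mx/exists/ptr: needs DNS, not modelled
    return "neutral"             # no mechanism matched and no terminal all


def classify_bounce(record: str, original_sender_ip: str) -> str:
    """Given the IP found in a bounced message's headers, say whether a receiver
    checking SPF would have stopped the forgery before bouncing it to you."""
    result = evaluate_spf(record, original_sender_ip)
    if result == "fail":
        return "forgery: a checking receiver would have rejected it"
    if result == "softfail":
        return "suspect: a checking receiver would have flagged it"
    if result == "pass":
        return "legitimate source (or a relay you listed)"
    return "undecided: " + result


# Constructed records and addresses (documentation ranges).
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"
ZOMBIE_IP = "203.0.113.9"
```

The `-all` record is the one that actually helps with a Joe Job; a `~all` record only asks receivers to be suspicious, and in 2004 most receivers do not check at all, which is the "won't help 100% yet" caveat in the post above.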
  • Isn't this criminal? (Score:2, Interesting)

    by maximilln ( 654768 )
    Isn't there a law someplace about knowingly compromising someone's computer for use without their explicit consent? Sabotage, or stalking, or just plain theft?

    Over the first six months, the number of monitored bot networks rose to more than 30,000, from fewer than 2,000.

    This is like saying that there's an increase in monitoring car dealerships which steal cars to resell to car rental agencies. Can we repo the cars which are within US borders? Are _ALL_ of the botnet owners somehow in other countries?
  • by stealth.c ( 724419 ) on Monday September 20, 2004 @07:55AM (#10296490)
    ...when my PC started its habit of flashing the word "BRAAAIIINS" every few minutes.
  • Any bets? (Score:4, Insightful)

    by barks ( 640793 ) on Monday September 20, 2004 @07:57AM (#10296503) Homepage
    "The key challenge for Microsoft is not XP users," said Mr Beighton, "it's the Windows 98 and 95 machines."

    Any bets that we'll still see this line 5 or 10 years down the road? The "ain't broke, don't fix" mentality is above and beyond some individuals' concept of needing to update.

    "Update? Why do'z I need to do'z dat? My solitare runz just fine ma!"
    • Re:Any bets? (Score:4, Informative)

      by Tinik ( 601154 ) on Monday September 20, 2004 @08:19AM (#10296644)
      That's all well and good if you can afford to update. A lot of people don't see the need to spend the money for a new PC if the one they have does what they need. Any machine running 98 will likely not be able to run XP, and $500US for a cheap Dell is outside some people's budget.
    • Re:Any bets? (Score:3, Insightful)

      by daveewart ( 66895 )
      The "ain't broke, don't fix" mentality is above and beyond some individuals' concept of needing to update.
      No-one *needs* to update, as such. You can argue they have a duty to keep their system *secure*, but that's not the same thing. Are you really suggesting that in order to 'secure' Windows 98 you should install Windows XP? *shudder*
    • Re:Any bets? (Score:5, Interesting)

      by Benedick ( 737361 ) on Monday September 20, 2004 @08:58AM (#10296969)
      Actually, I'm safer running Win98SE than WinXP. The new viruses coming out attack the security holes built into XP. Since it's a very different code base than 98, those exploits rarely infect 98.

      I have talked to several people with XP boxes who have gotten infected while my 98SE box is just fine. Now, I protect that box with anti-virus, a hardware firewall, and using Mozilla and maybe that has something to do with it, or maybe I'm just lucky, but you have to admit that 98 is immune to many of the latest viruses.

    • It's the only 98 machine I use as all my other ones are Linux or XP. It's at my company's office running legacy DOS applications that don't run well under XP, much less Linux/BSD. I also use it for e-mail and web browsing. I've had zero trouble with viruses, worms, trojans, and all the other flavors of malware because I use a little common sense, don't use IE or OutLook, and do use the AVG virus scanner (which never goes off), Zone Alarm freebie firewall and Ad Aware.

      "Do the Right Thing. It will gratify s
  • by Anonymous Coward on Monday September 20, 2004 @07:59AM (#10296517)
    Looking at the security logs on my Linux system (with a broadband connection), there is at least one hack attempt to log into my system using sshd (users such as root, cisco, sysadmin, admin etc...) .

    In the past week these have been from the India Institute of Technology, Florida International University, and various Korean servers. And that doesn't include the RPC DCOM exploits that come in all the time from other windows systems (about one every five minutes).
    • I get a lot of sshd too.
      Yesterday (19th Sept) it was 213.33.89.156 and 205.209.151.40---(OrgName: Managed Solutions Group, Inc. --- Ouch!!!)
      On the 18th it was 64.163.55.45 and 62.193.232.55.
      17th, 211.10.156.25
      16th, 200.143.125.194
      etc. etc.
      They try a root, a bunch of names and I suspect default application passwords.

      They seem to be cycling through IPs. There isn't much "interleave" between IPs so it looks like these boxen are part of a timed (coordinated) attack.

      Using nmap, they look like RedHat boxen
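The two posts above describe exactly the pattern a defender wants to pick out of auth logs: one source address cycling through root, admin, cisco and so on in quick succession. The following is an added example (not code from either poster) that parses sshd "Failed password" / "Accepted password" lines and flags a source IP when a threshold number of failures falls inside a short window. The log lines are constructed for the example and use documentation address ranges; the year is assumed (syslog timestamps carry none), and the threshold and window are tuneable assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (documentation IP ranges, fictitious host "gw").
SAMPLE_LOG = """\
Sep 19 03:12:01 gw sshd[2231]: Failed password for root from 203.0.113.5 port 51122 ssh2
Sep 19 03:12:03 gw sshd[2233]: Failed password for invalid user cisco from 203.0.113.5 port 51130 ssh2
Sep 19 03:12:05 gw sshd[2235]: Failed password for invalid user admin from 203.0.113.5 port 51137 ssh2
Sep 19 03:12:07 gw sshd[2237]: Failed password for invalid user sysadmin from 203.0.113.5 port 51140 ssh2
Sep 19 03:12:09 gw sshd[2239]: Failed password for invalid user test from 203.0.113.5 port 51144 ssh2
Sep 19 03:12:11 gw sshd[2241]: Failed password for invalid user guest from 203.0.113.5 port 51150 ssh2
Sep 19 09:40:12 gw sshd[3101]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Sep 19 09:40:20 gw sshd[3103]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
Sep 18 22:05:40 gw sshd[1900]: Failed password for root from 192.0.2.44 port 33001 ssh2
Sep 18 22:05:41 gw sshd[1902]: Failed password for invalid user oracle from 192.0.2.44 port 33002 ssh2
Sep 18 22:05:42 gw sshd[1904]: Failed password for invalid user postgres from 192.0.2.44 port 33003 ssh2
"""

# Matches the OpenSSH password-auth result lines; other sshd messages are ignored.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day> ?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_sshd_log(text, year=2004):
    """Return a list of auth events. `year` is assumed: syslog lines omit it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password auth result line
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append({"time": stamp, "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with `threshold` failed logins inside any `window_seconds` span.

    Returns {ip: {"failures": total_failures, "users": sorted usernames tried}}.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev)

    hits = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]
        # Sliding window: look at each run of `threshold` consecutive failures.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits[ip] = {"failures": len(evs),
                            "users": sorted({e["user"] for e in evs})}
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_sshd_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures, usernames tried: {', '.join(info['users'])}")
```

On a real host, feed it `/var/log/auth.log` (or `/var/log/secure` on the RedHat-style boxes mentioned above); the user list per source is what distinguishes a dictionary sweep from someone mistyping their own password. The threshold of 5 in 60 seconds is deliberately conservative; the constructed 192.0.2.44 entries show a 3-attempt burst that only triggers when the threshold is lowered.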
  • Zombie PC (Score:3, Funny)

    by cronius ( 813431 ) on Monday September 20, 2004 @07:59AM (#10296520)
    A sure bet your PC is indeed a zombie PC:

    It continues to moan even when you're not watching pron!
  • Numbers mean jack (Score:3, Interesting)

    by Turn-X Alphonse ( 789240 ) on Monday September 20, 2004 @08:04AM (#10296545) Journal
    Why do we HAVE to look at numbers? Just kill all the PCs which have been turned "undead" and move onto the sequel already. Quoting numbers and writing down names is all fine and dandy but it's not preventing it.

    Force people to install security updates or sell the PCs with them all pre installed and make windows update automaticly run once a month.

    Install some open source virus scanners and such the same way. Make sure it is CLEARLY labeled that the PC will automaticly update all these files the first of each month by an update program. As and when possible (AKA soon as possible).

    Tell the people it will prevent viruses, make things faster and generally help things. Is it really that difficult?
    • by flakac ( 307921 )
      Force people to install security updates or sell the PCs with them all pre installed and make windows update automaticly run once a month.

      Sorry, but I'm not going to let any program, Windows Update included, automaticly [sic] run on my computer and update software willy-nilly. If you do this, you're just looking for trouble down the road when some "update" happens to either break software that you've got installed or install "new and improved" DRM from MS. You have to remember that a large number of
    • Force people to install security updates or sell the PCs with them all pre installed and make windows update automaticly run once a month.

      Yet another grand solution involving more laws and less freedom. That's the ticket: use FORCE to compel everyone to do what you want them to because, of course, it's for 'the greater good'. Fuck the fact that they may not like your solution, especially the automatic updates to THEIR property that they can't opt out of - making their property YOUR property in the proce
    • Who do you propose should perform the little tricks that you suggest? The US government has already proven itself incapable of making sane, useful, effective, and enforceable laws regarding the Internet.
  • by Anita Coney ( 648748 ) on Monday September 20, 2004 @08:08AM (#10296564) Homepage
    It'd continue to run even after it died! But I hope it'd run as fast as those zombies in 28 Days Later and not slow like in Night of the Living Dead.

  • by daveewart ( 66895 ) on Monday September 20, 2004 @08:15AM (#10296609)

    To quote the fine article:

    "The key challenge for Microsoft is not XP users, it's the Windows 98 and 95 machines. Getting those people to upgrade and improve their security is going to make the difference."

    Don't think so. There are *far* fewer exploitable services running on Windows 95 and Windows 98, as compared to Windows 2000 and XP. I'd *much* rather use Windows 98 online than Windows 2000 or XP, in security terms. Most of the recent worms use exploits in services that never existed prior to Windows 2000 ...

  • Just in case... (Score:2, Informative)

    ...you're not aware of what a zombie network, or zombie is then:

    "A zombie computer is a computer attached to the Internet that has a hidden software program, a "backdoor". This backdoor allows the computer to be remote-controlled by others.

    A Zombie Computer army can then be used for the purpose of Denial of Service attacks (DDoS).

    A single Zombie Computer can send unsolicited e-mails ( spamming).

    Backdoors are often installed with spammed trojans or e-mail worms."

    http://en.wikipedia.org/wiki/Zombie_c [wikipedia.org]
  • I have the latest anti-virus software which 100% prevents my computer from being targeted by an sort of vi[NO CARRIER] ... brainzzz ... must have brainzzzz ...
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Monday September 20, 2004 @08:33AM (#10296776)
    Comment removed based on user account deletion
  • by Bruzer ( 191590 ) on Monday September 20, 2004 @08:40AM (#10296831) Homepage
    This zombie problem is worse than we thought! Check out the Zombie Infection Simulation [kevan.org]!

    - Bruzer
  • They are slow as Hell!!

    However they are very tenacious.

    So - what's a good reference to detect and fix XP zombie issues? I run a firewall, (ZoneAlarm) and up to date antivirus software, but I ain't no network expert. SpyBot and Adaware seem to deal with the junk other users (family) load onto the machine (and the occasional clue by four when needed), but I'd like to be more certain I ain't part of the problem. Unfortunately, moving to Linux is not an option (yet).

    Any good suggestions - I've seen a lot of gloom and doom reports, but few good sources of what t
  • by Maul ( 83993 ) on Monday September 20, 2004 @09:40AM (#10297352) Journal
    Hackers on Mars have accidentally opened ports allowing Hell to infect PCs with evil viruses and turn them into Zombies!

    AntiVirus software isn't enough. Hand me my pistol, my shotgun, my BFG and my flashlight.
  • by denisdekat ( 577738 ) on Monday September 20, 2004 @09:50AM (#10297446) Homepage
    I am a sys admin for a hosting company, I cannot tell you guys how many spam zombies are out there, they are growing and they are scary, they will target a domain and spew out thousands of alphanumeric combinations hoping to land one delivery. We had so much trouble with one customer, he had to change his domain name, it is really bad... I am now starting to support the trend of ISPs blocking port 25 altogether, and to only allow email out via their mail servers (so they can make sure their users are no spam zombies). Spam sux :(
  • by DrDebug ( 10230 ) on Monday September 20, 2004 @10:22AM (#10297784) Journal
    Let's look at the average home PC. Most owners treat it like any other appliance, like a toaster or a refrigerator. They never consider the security implications. They see these bright shiny advertisements on TV for hyper-speed DSL or cable downloads and they hook right into the Internet, without any security forethought.

    It's like walking out onto the Dan Ryan expressway blindfolded during the morning rush hour. Your survival rate is measured in seconds.

    Of course, in a perfect world, this would not be a problem, because the good people would exercise netiquette and leave the security ignoramuses alone. But unfortunately, there are bad people out there-- ones that write viruses; send spam; and use other people's machines to wreak some imagined vengeance against some site. What's a mother to do?

    OK, here is what I want on my machine-- developers, wake up!

    1) I want a zombie detector running at all times. I want it to tell me if someone is trying to get into my machine from the outside (regardless of port). I want it to tell me if some process on my machine is trying to reach a remote machine on the Internet (regardless of port). I want this to have an icon in my startup tray that will check for updates every x minutes, and blink if there are any. I want it to check for updates when I boot up anyway. And I want it to have the option to remove the zombie it finds.

    Yes, I know this looks a lot like some commercial products (like from Symantec) but I want it free. And hacker-proof.

    Does anyone out there have a zombie detector??

    2) I want a utility that will check my incoming email, and check for a valid sender's IP/hostname. If it fails, dump the email into the spam folder. This is in addition to any Bayesian filters and other spam traps that almost work.

    3) I really want an appliance computer. Not something where I need (a) a friendly neighborhood computer expert, or (b) a comp science degree (as if that helps), or (c) a hacker mentality to keep my machine vermin free and configurable. To you computer manufacturers / OS designers / application developers: Make it EASY for us, EVEN IF IT MAKES IT HARD ON YOU!! Apple, you are the closest right now.

    When my wife feels comfortable on a computer, you have succeeded.

    Off my soapbox.
  • Microsoft software is closed-source. As a consequence of this, the good guys (who vastly outnumber bad guys) are not allowed to look at the code and spot potential security holes, suggest fixes &c. Meanwhile, bad guys look at the code anyway, permission or not, spot the security holes and write software which takes advantage of them.

    Symantec sell anti-virus software. This software is closed-source. As a consequence of this, everyone who wants a copy has to pay for it. Plus, the good guys (who
  • by tburt11 ( 517910 ) on Monday September 20, 2004 @01:16PM (#10299541)
    I recently got tagged with a BHO spyware infection. Initially, it annoyed me by changing my browser homepage to a search website, but appeared to do little else.

    This bugger was really tough to remove. I tried the adaware and Panda and any other "auto removal" tools that I could find. These efforts got me to the point where the homepage was no longer being affected.

    But through the process, I got introduced to "HijackThis" and "FindNFix" which is (or was at the time) more of an analysis tool than a repair tool. Using these tools, I was able to see that my efforts were only partially successful. Even though my homepage was no longer changing, I continued to have a persistent BHO that I could not get rid of. Or rather, once removed, it would re-appear on each reboot, usually with a different name.

    I came to the realization that I was infected by a dormant bot. And that any time I started my browser, the bot would "phone home" and receiving no instructions, would do nothing. I knew that the day was coming when this bot would be instructed to do something besides nothing, and my computer would be enlisted as a soldier in a "drone army".

    Because the "phone home" occurs as an http request via port 80, it occurs almost undetectably (I could see it happening via tcpdump on my firewall) and it is essentially impossible to block, unless you block web browsing to your user population.

    This is the new evil..

    I don't know that we have seen these drone armies put to use yet. The possibilities are frightening.

    I see many posts, by the uninformed, that say.. Patch em up. Scan em thoroughly and run your adaware. You'll be safe then. Don't be misled. This infection is more stealthy than that.

    In the end, it took me several hours to learn how to remove this infection. I used the tools listed above, and some procedures I found documented in the newsgroups. I had to disable recovery, boot into safe mode, move (rename) the file three times and only then did my diagnostics come up clean.

    I don't want to needlessly frighten anyone, but this one really scares the bejeesus out of me.
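Two posts in this thread point at the same detection opportunity: DrDebug's wish for a "zombie detector" that reports a process reaching out to the Internet, and tburt11's observation that the bot phoned home over port 80 and was only visible in tcpdump on the firewall. A single request on port 80 is indistinguishable from browsing, but a bot that checks in on a timer produces a signature browsing does not: the same client contacting the same host at near-constant intervals. The added example below (not code from either poster) reads constructed proxy-style log lines, groups requests by (client, destination host), and flags groups whose inter-request gaps have a very low coefficient of variation. The log format, the `.invalid` hostnames, the 10.0.0.0/8 clients and the `min_count` / `max_cv` thresholds are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: "<iso timestamp> <client> <method> <url> <bytes>".
# 10.0.0.12 browses normally but also checks in with c2.beacon.invalid every ~10 minutes.
SAMPLE_PROXY_LOG = """\
2004-09-19T08:00:03 10.0.0.12 GET http://c2.beacon.invalid/check.php 212
2004-09-19T08:01:10 10.0.0.12 GET http://www.example.com/ 18455
2004-09-19T08:01:12 10.0.0.12 GET http://www.example.com/style.css 3102
2004-09-19T08:10:02 10.0.0.12 GET http://c2.beacon.invalid/check.php 212
2004-09-19T08:14:48 10.0.0.15 GET http://www.example.org/news 22004
2004-09-19T08:20:04 10.0.0.12 GET http://c2.beacon.invalid/check.php 212
2004-09-19T08:27:31 10.0.0.12 GET http://www.example.com/article/42 9911
2004-09-19T08:30:01 10.0.0.12 GET http://c2.beacon.invalid/check.php 212
2004-09-19T08:33:15 10.0.0.15 GET http://www.example.org/news 21990
2004-09-19T08:40:03 10.0.0.12 GET http://c2.beacon.invalid/check.php 212
2004-09-19T08:50:02 10.0.0.12 GET http://c2.beacon.invalid/check.php 212
2004-09-19T08:58:40 10.0.0.15 GET http://www.example.org/news 22010
"""


def parse_proxy_log(text):
    """Parse the constructed five-field log format into a list of request records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; skip rather than abort
        ts, client, method, url, size = parts
        u = urlsplit(url)
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": u.hostname,
            "path": u.path or "/",
            "size": int(size),
        })
    return records


def find_beacons(records, min_count=4, max_cv=0.1):
    """Flag (client, host) pairs contacted at suspiciously regular intervals.

    Returns {(client, host): {"count", "mean_interval", "cv", "paths"}}.
    cv is stdev/mean of the gaps between consecutive requests; human browsing
    to one site is bursty (high cv), a timer-driven check-in is not.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["host"])].append(r)

    beacons = {}
    for key, recs in groups.items():
        if len(recs) < min_count:
            continue  # too few requests to judge regularity
        recs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if len(gaps) < 2:
            continue  # stdev needs at least two gaps
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {
                "count": len(recs),
                "mean_interval": mean,
                "cv": cv,
                "paths": sorted({r["path"] for r in recs}),
            }
    return beacons


if __name__ == "__main__":
    for (client, host), info in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{client} -> {host}: {info['count']} requests every "
              f"{info['mean_interval']:.0f}s (cv={info['cv']:.3f}), paths {info['paths']}")
```

Run over a day of real proxy or firewall logs this will also surface legitimate pollers (mail clients, update checkers), so the flagged list is a starting point for an analyst rather than a verdict; the value of the approach is that it needs no signature for the bot and works even when the request is a plain GET on port 80 that no port-based filter can block. Bots that jitter their interval push the cv up, which is why `max_cv` is a parameter rather than a constant.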
