Zombie Networks On The Rise
A reader writes "According to Symantec via the BBC online, Zombie PC nets are growing very fast. Of course, it should also be noted that Symantec may want those numbers to be as scary as possible." ITMJ is part of OSTG, like Slashdot. There's also a NY Times story on the article.
Of course they want the... (Score:4, Interesting)
Re:Of course they want the... (Score:5, Interesting)
First, it makes you appear to be THE expert because you reported it first. Second, it links your name to someone that focuses on this problem.
Why do you think we see the abc/new york times poll or whatever? It's because it's a cheap way to make news... it's a cheap advertising campaign.
Is this bad? I don't think so...
People get into the security business, for example, by reporting new viruses or exploits.
You can't blame them for releasing press releases.... it's part of their business. As it should be...
waiter there's a computer virus in my soup! (Score:2)
so IMO it's in those companies' vital interest to make sure everyone and their dog knows that the virus menace is everywhere and affects (potentially!) everyone.
Re:waiter there's a computer virus in my soup! (Score:5, Interesting)
Not trying to flame here but some of the worst havens I have seen are samba shares because people don't put antivirus on *nix servers. It is like pulling teeth trying to tell those admins that it DOES affect them. If their users are running windows, get a virus that does keylogging, and they log in again...guess what...it did affect the *nix server.
Re:waiter there's a computer virus in my soup! (Score:3, Interesting)
Any suggestions for a home user with Samba on Linux and a very small budget?
As a simple but not as safe method, I use the W32 client antivirus software to scan the network shares. Better than nothing.
On that note, the free version AntiVir [free-av.com] for W32 does NOT scan anything on network drives at all. A good free solution for home users without network shares though.
Re:waiter there's a computer virus in my soup! (Score:5, Informative)
Re:waiter there's a computer virus in my soup! (Score:3, Informative)
I'll agree that running AntiVirus on all systems is a good practice, but the Samba share and the UNIX system aren't really to blame for obtaining the virus in
Defense in depth. (Score:4, Insightful)
Yup. But infected is infected.
The *nix box won't be affected by any of those viruses, but the machines it shares them with can be infected. And that infection can put a load on the network (particularly the viruses that do scanning).
It's easy to put anti-virus on the file server and just kill the infections there.
Re:Defense in depth. (Score:3, Insightful)
It's easy to put anti-virus on the file server and just kill the infections there.
I totally agree that running AntiVirus software on all file servers (especially those who serve to MS
Infected *nix Servers vs W32 Servers (Score:2)
Sure, it's possible for an infected file to be sitting on a *nix box, waiting for the unsuspecting W32 client to pick it up, launch it, and so on. However, without a mechanism to put it on that box (as an attachment to an e-mail, or something similarly obvio
Re:Infected *nix Servers vs W32 Servers (Score:2)
Without effective antivirus software on the file server, the files on it are going to be infected. True, effective anti-virus software on the client would stop that too, but that's a lot harder to control, especially if users are running as admin, or can bring laptops in from home, etc. The server you can definitely control.
Re:Defense in depth. (Score:2)
It's easy to put anti-virus on the file server and just kill the infections there.
But the Unix server will be equally affected by viruses the clients get from other sources, so having a virus scanner really only protects the clients from files on the server itself. The server is vulnerable only because v
Why blame the messenger? (Score:5, Insightful)
Symantec and its tools are part of the solution. Not exclusively the solution, or the only solution, but a part of it. And, by letting people know that problems are out there, they're performing a service that is necessary; you didn't think someone like Microsoft was going to be issuing press releases to the media that put its products in a negative light, did you?
It's not even as if the other AV vendors that you mention are any different to Symantec: both Panda and Kaspersky are closed-source commercial products and both companies have prevalent virus activity and warning indicators on the homepages of their respective websites. And I bet they both send out press releases to the media highlighting large-scale infestations and particularly dangerous threats, so why crucify Symantec for being the company whose press release the BBC chose to focus on?
Bottom line: why blame the messenger if the message is accurate?
Just what's Symantec done here to warrant you being any more ticked off at them than anyone else? Do you have a legitimate reason for targeting them or are you just trolling?
Re:Why blame the messenger? (Score:3, Insightful)
What if Microsoft were held responsible for some of the damage its software was doing to our public resource? You
Re:Why blame the messenger? (Score:5, Informative)
Re:Why blame the messenger? (Score:2, Insightful)
Re:Why blame the messenger? (Score:2)
Re:Of course they want the... (Score:2)
Of course, I get all my virus news from emails from Bill Gates and AOL. They're always nice enough to attach a cure for the virus as well. Would you like me to forward them on to you as soon as I get them?
Block them (Score:3, Interesting)
Perhaps less experienced users would benefit from firewalling at the ISPs network too. I believe all the ISPs that appeal to inexperienced users (AOL) should provide this as standard.
Is there any way... (Score:5, Interesting)
Re:Is there any way... (Score:5, Interesting)
Re:Is there any way... (Score:5, Informative)
There is also quite a different kind of firewall - the reverse one, ideally implemented outside the user's PC (cable modem/ISP router/etc) that blocks outgoing attacks in case the PC gets zombified. Too bad this is probably too costly to happen on a mass scale.
Re:Is there any way... (Score:2)
There are a lot of security holes... (Score:2, Informative)
Remember the URL path hacks, esp. on Macs? foobar:/local/path links combined with location.href redirecting javascript... no buffer overflows there.
Many of the old Outlook flaws that propagated some huge viruses and worms were because of how shittily it handled MIME-types and what attachments should be activated in the preview pane...
Again.
Sometimes the biggest problems aren't the much maligned buffer overflows but by people figuring out
Re:Is there any way... (Score:3, Interesting)
Historically, this was true. However, currently Microsoft is moving towards
Re:Is there any way... (Score:5, Interesting)
Re:Is there any way... (Score:3, Interesting)
Re:Is there any way... (Score:2, Insightful)
Good idea, virus companies should start writing virii that lock down the 'average' user's machine, patch holes in Windows, and replace the IE shortcut on the desktop with a Mozilla Firebird one :)
But wouldn't that put anti-virus makers out of business? (In my personal conspiracy theory, Symantec, Norton & Friends write the virii in the first place to generate even more revenue).
The alternative is for everybody to move over to Mac OSX - Making Unix user-friendly is easier than debugging Windows :)
Re:Is there any way... (Score:5, Funny)
Re:Is there any way... (Score:5, Insightful)
What do you call OS X then?
Re:Is there any way... (Score:2)
I've also never really liked the UI for any Mac, OS X or before.
Re:Is there any way... (Score:2)
Re:Is there any way... (Score:2, Funny)
Expensive
(Given that I'd have to buy a Mac)
Re:Is there any way... (Score:2, Funny)
Damn it... any other suggestions? HURRY! She's starting to smell.
Reg Free Link (Score:5, Informative)
Here's the reg-free link...
http://www.nytimes.com/2004/09/20/technology/20se
NAT !!! (Score:3, Informative)
NAT really would stop all these types of things from happening by just purchasing a $50 router for our friends and family. We're never going to be able to teach them, so just give in and recommend a hardware based solution they don't have to manage.
Chris
Re:NAT !!! (Score:5, Insightful)
If NAT became widespread, then the zombies will adapt. It is only a false sense of security.
Re:NAT !!! (Score:4, Interesting)
NAT can protect, because if it doesn't know where to send the buffer-overflow to, it just drops the packet.
Re:NAT !!! (Score:5, Insightful)
OTOH if you wouldn't normally receive something (e.g. it's an HTTP attack and you don't run a web server) then the NAT makes no difference, you still won't receive it. Big deal.
NATs are not magical protective charms. They're just a desperate hack to get around running out of IP addresses. If you want a firewall, install a firewall, not a NAT.
Re:NAT !!! (Score:4, Insightful)
I didn't say that it was an alternative to a firewall for actual security, but it's better than nothing.
Re:NAT !!! (Score:3, Informative)
Re:NAT !!! (Score:3, Insightful)
Re:NAT !!! (Score:2)
How exactly would NAT protect them? A major control vector for these bot-nets is IRC, which can be used through NAT. The infection vector is e-mail, which is also usable through NAT.
By shielding a computer long enough to fully update itself. In addition, all those autonomous worms and scanners will be effectively blocked. Shutting down the email vector is the difficult part - people say they won't run random shit that they find, but that's just to get you out of the room. I think the best way to deal w
Re:NAT !!! (Score:3, Informative)
Recently (within the past year) many of the IRC networks have started banding together via a mailing list to discuss, warn, and attempt to stop these nets. If you would like more information just google for "fizzer task force".
Re:NAT !!! (Score:3, Interesting)
Re:NAT !!! (Score:5, Insightful)
Only a comprehensive approach will make a big enough difference. That includes patching, being skeptical of email attachments, firewalling, and virus scanning.
PC hygiene goes a long way too. People are slowly learning that you just can't install the "newest c00lest blah-blah of the day" anymore as it will be 99% spyware and 1% app. It will be poorly written and cause all sorts of problems.
These are just growing pains and even though the stats don't look good right now at least I can talk about spyware and viruses and have people understand what I'm saying.
Re:NAT !!! (Score:2)
Big Business (Score:4, Insightful)
Re:Big Business (Score:2)
ZOMBIE NETWORKS (Score:4, Funny)
With Christian Slater as the disenfranchised White Hat Hacker
Winona Ryder as the potential but largely unreachable love interest
Donald Sutherland as the evil mastermind behind the Zombie Networks
Written, directed, produced, and music composed on the Casio by Roland Emmerich.
ZOMBIE NETWORKS. This film is not yet rated.
MORE PACKETS!
Opening everywhere February 30th 2005.
These buggers are getting more common (Score:5, Interesting)
What's annoying is that some of these buggers can really mess up the system. Simple 'pop in cd / go to free online web scanner and clean up' no longer works in some cases... Symantec should concentrate more on making their crappy AV software work better and resist disabling by virii better and stop issuing more sensationalist press releases.
It's way too common to get a virus-filled computer with Norton Internet Security installed. Some bug had just killed the whole AV software, leaving an empty 'shell' up that keeps telling the user everything is fine. They usually wake up when their ISP cuts their line and tells them to clean up and call back when their system is secured.
Re:These buggers are getting more common (Score:2)
And tell the users that they could just clean up by killing processes and changing
Re:These buggers are getting more common (Score:5, Informative)
1 -uninstall whatever Virusscanner they have. Norton is absolute crap. antivir catches more nasties, uses far less resources, is 100% free, and overall is a better product. Install it and update it.
install adaware and update it, install spybot search and destroy and update it and then install hijackthis.
then reboot the windows machine into safe mode. this BLOCKS most spyware and bugs from running so you can eliminate them. run antivir full scan on all files, set to clean then delete and look for all unwanted types of programs.
after that is done, reboot back to safe mode and run adaware, do what it wants to clean, then spybot search and destroy, do what it says, then finally hijackthis to look for the typical nasties that are left clinging around.
finally I install for the user startupmonitor that will give you a warning box every time ANYTHING tries to insert itself in the registry to run as soon as the computer boots, and allows you to block that action.
Then after it's clean and in a normal boot I no longer detect any virus or crapware I give it back to the user with a list of what I did, what I added and how it works, and finally a note that this will not immunize them, but they can and will start getting this crap again the second they start hitting the net again. I tell them they can limit the re-infection rate if they install and use mozilla and mozilla mail.
They also get a CD with all the apps I installed plus the latest mozilla.
All that gets me $150.00 a pop. I usually have 3 of them on my bench running my process every day.
local computer "experts" are charging $250.00 and only re-install the OS, they do not offer a cleaning.
needless to say, I'm cleaning up.
Re:These buggers are getting more common (Score:2)
Re:These buggers are getting more common (Score:2)
Re:These buggers are getting more common (Score:2)
I just got done cleaning up a machine with a bunch of the stuff, and had a persistent bad guy called "VX2" that neither AdAware or Spybot could kill. Turns out that you need to download a plugin for AdAware to kill that guy.
On a side note - never recommend that anyone purchase an XP system with less than 256MB RAM. It just plain sucks to work on a machi
well, they ARE growing in numbers (Score:5, Informative)
Zombies at the gate (Score:5, Interesting)
Seriously, most P2P protocols need to be improved in detecting that there is no one home, or someone is going to figure out how to inject IP addresses into their networks for DDoS attacks.
Go for the Zombie's brains.. (Score:5, Interesting)
For example, spamwarez.biz gets name services from ns1.zombie-dns.biz thru ns7.zombie-dns.biz. zombie-dns.biz nameservers are *also* running on a Zombie network, and setting DNS servers in the domain registrar's control panel. If you can shut down zombie-dns.biz at the registrar and deactivate, then the entire zombie network collapses.
Of course, most registrars don't give a damn about this, especially the Spam friendly ones, but I've successfully managed to shut down a small number of zombie networks by using various means.. not all of which might be considered ethical or even 100% legal.. but who cares?
I'm not surprised. "Joe Job" in progress. (Score:5, Interesting)
The originating IPs are all different, and I am assuming these are all compromised systems. I'm not going to email every ISP to let them know, as I've found out that most ISPs do not contact their clients to inform them their systems are compromised. All I can do is contact the upstream providers for the web site being spamvertised, and hope that the hosting provider shuts them down.
Re:I'm not surprised. "Joe Job" in progress. (Score:3, Interesting)
Reply to them stating that the product is stolen. It's what I did last week when I was Joe Jobbed. The personal satisfaction was great.
Re:I'm not surprised. "Joe Job" in progress. (Score:2)
Re:I'm not surprised. "Joe Job" in progress. (Score:2, Interesting)
Re:I'm not surprised. "Joe Job" in progress. (Score:2)
Re:I'm not surprised. "Joe Job" in progress. (Score:2)
Install spamassassin with Bayesian filtering or some other adaptive filter, and declare all of these bounces to be spam. I used to get dozens a day, now just a few slip through each week.
If you administer any systems for other people, install filters for them, too.
Re:I'm not surprised. "Joe Job" in progress. (Score:3, Interesting)
While it won't help 100% yet, you should start publishing SPF records to help stop Joe Jobs, if you don't already.
Isn't this criminal? (Score:2, Interesting)
Over the first six months, the number of monitored bot networks rose to more than 30,000, from fewer than 2,000.
This is like saying that there's an increase in monitoring car dealerships which steal cars to resell to car rental agencies. Can we repo the cars which are within US borders? Are _ALL_ of the botnet owners somehow in other countries?
You know, I thought something was up... (Score:5, Funny)
Any bets? (Score:4, Insightful)
Any bets that we'll still see this line 5 or 10 years down the road? The "ain't broke, don't fix" mentality is above and beyond some individuals' concept of needing to update.
"Update? Why do'z I need to do'z dat? My solitare runz just fine ma!"
Re:Any bets? (Score:4, Informative)
Re:Any bets? (Score:3, Insightful)
Re:Any bets? (Score:5, Interesting)
I have talked to several people with XP boxes who have gotten infected while my 98SE box is just fine. Now, I protect that box with anti-virus, a hardware firewall, and using Mozilla and maybe that has something to do with it, or maybe I'm just lucky, but you have to admit that 98 is immune to many of the latest viruses.
I'm running 98SE, you insensitive clod!! (Score:3, Informative)
"Do the Right Thing. It will gratify s
Just look at your own security logs (Score:3, Insightful)
In the past week these have been from the India Institute of Technology, Florida International University, and various Korean servers. And that doesn't include the RPC DCOM exploits that come in all the time from other windows systems (about one every five minutes).
Re:Just look at your own security logs (Score:3, Informative)
Yesterday (19th Sept) it was 213.33.89.156 and 205.209.151.40---(OrgName: Managed Solutions Group, Inc. --- Ouch!!!)
On the 18th it was 64.163.55.45 and 62.193.232.55.
17th, 211.10.156.25
16th, 200.143.125.194
etc. etc.
They try a root, a bunch of names and I suspect default application passwords.
They seem to be cycling through IPs. There isn't much "interleave" between IPs so it looks like these boxen are part of a timed (coordinated) attack.
Using nmap, they look like RedHat boxen.
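A defender-side check for the pattern this post describes, added here as an example rather than anything the poster ran: it parses constructed sshd "Failed password" lines (RFC 5737 placeholder addresses, not the ones listed above), groups them by source, flags sources that try root plus a spread of other usernames, and tests whether the flagged sources' activity windows hand off one to the next without overlap. The thresholds and the non-overlap heuristic are assumptions to tune per host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines for this example (not the poster's logs); the
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sep 19 02:14:01 host sshd[4411]: Failed password for root from 192.0.2.10 port 40122 ssh2
Sep 19 02:14:03 host sshd[4413]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Sep 19 02:14:05 host sshd[4415]: Failed password for invalid user test from 192.0.2.10 port 40141 ssh2
Sep 19 02:14:07 host sshd[4417]: Failed password for invalid user oracle from 192.0.2.10 port 40150 ssh2
Sep 19 02:14:09 host sshd[4419]: Failed password for invalid user guest from 192.0.2.10 port 40161 ssh2
Sep 19 02:20:11 host sshd[4501]: Failed password for root from 198.51.100.7 port 51002 ssh2
Sep 19 02:20:13 host sshd[4503]: Failed password for invalid user admin from 198.51.100.7 port 51010 ssh2
Sep 19 02:20:15 host sshd[4505]: Failed password for invalid user test from 198.51.100.7 port 51021 ssh2
Sep 19 02:20:17 host sshd[4507]: Failed password for invalid user oracle from 198.51.100.7 port 51030 ssh2
Sep 19 09:30:00 host sshd[5120]: Failed password for alice from 203.0.113.5 port 60001 ssh2
Sep 19 09:30:20 host sshd[5122]: Accepted password for alice from 203.0.113.5 port 60001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2004):
    """Return (timestamp, username, source_ip) for every failed-password line.
    syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def summarize(events, min_attempts=4, min_users=3):
    """Group failures by source and flag the pattern the post describes:
    several attempts that include root plus a spread of other names.
    The thresholds are assumptions; tune them for your own hosts."""
    per_ip = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for ts, user, ip in events:
        rec = per_ip[ip]
        rec["count"] += 1
        rec["users"].add(user)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    flagged = {
        ip: rec for ip, rec in per_ip.items()
        if rec["count"] >= min_attempts and "root" in rec["users"]
        and len(rec["users"]) >= min_users
    }
    return per_ip, flagged


def looks_coordinated(flagged):
    """True when the flagged sources' activity windows do not overlap, i.e.
    one host finishes before the next starts (the "little interleave" the
    post noticed, which points at a scheduled hand-off rather than
    independent scanners)."""
    windows = sorted((r["first"], r["last"]) for r in flagged.values())
    if len(windows) < 2:
        return False
    return all(nxt_start > prev_end
               for (_, prev_end), (nxt_start, _) in zip(windows, windows[1:]))


if __name__ == "__main__":
    _, hits = summarize(parse_failures(SAMPLE_LOG))
    for ip, rec in hits.items():
        print(f"{ip}: {rec['count']} failures, users={sorted(rec['users'])}")
    print("coordinated hand-off:", looks_coordinated(hits))
```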
Zombie PC (Score:3, Funny)
It continues to moan even when you're not watching pron!
Numbers mean jack (Score:3, Interesting)
Force people to install security updates or sell the PCs with them all pre-installed and make Windows Update automatically run once a month.
Install some open source virus scanners and such the same way. Make sure it is CLEARLY labeled that the PC will automatically update all these files the first of each month by an update program. As and when possible (AKA as soon as possible).
Tell the people it will prevent viruses, make things faster and generally help things. Is it really that difficult?
Re:Numbers mean jack (Score:3, Insightful)
Sorry, but I'm not going to let any program, Windows Update included, automaticly [sic] run on my computer and update software willy-nilly. If you do this, you're just looking for trouble down the road when some "update" happens to either break software that you've got installed or install "new and improved" DRM from MS. You have to remember that a large number of
Re:Numbers mean jack (Score:2)
Yet another grand solution involving more laws and less freedom. That's the ticket: use FORCE to compel everyone to do what you want them to because, of course, it's for 'the greater good'. Fuck the fact that they may not like your solution, especially the automatic updates to THEIR property that they can't opt out of - making their property YOUR property in the proce
Re:Numbers mean jack (Score:2)
A Zombie PC would be totally cool... (Score:4, Funny)
Windows 95 and Windows 98 the biggest risk?? (Score:5, Insightful)
To quote the fine article:
Don't think so. There are *far* fewer exploitable services running on Windows 95 and Windows 98, as compared to Windows 2000 and XP. I'd *much* rather use Windows 98 online than Windows 2000 or XP, in security terms. Most of the recent worms use exploits in services that never existed prior to Windows 2000 ...
Re:Windows 95 and Windows 98 the biggest risk?? (Score:2)
Re:Windows 95 and Windows 98 the biggest risk?? (Score:3, Interesting)
Just in case... (Score:2, Informative)
"A zombie computer is a computer attached to the Internet that has a hidden software program, a "backdoor". This backdoor allows the computer to be remote-controlled by others.
A Zombie Computer army can then be used for the purpose of Denial of Service attacks (DDoS).
A single Zombie Computer can send unsolicited e-mails (spamming).
Backdoors are often installed with spammed trojans or e-mail worms."
http://en.wikipedia.org/wiki/Zombie_c [wikipedia.org]
I will NEVER get infected by something like this! (Score:2, Funny)
It is worse than we thought ! (Score:4, Funny)
- Bruzer
One positive outcome of Zombie PCs.. (Score:2, Funny)
However they are very tenacious.
OK - how to detect and fix? (Score:2)
Any good suggestions? I've seen a lot of gloom and doom reports, but few good sources of what t
Be sure to pack your flashlight. (Score:3, Funny)
AntiVirus software isn't enough. Hand me my pistol, my shotgun, my BFG and my flashlight.
Spam Zombies on the rise? You bet, I see them!!! (Score:3, Informative)
Does this scare you? It should. (Score:3, Insightful)
It's like walking out onto the Dan Ryan expressway blindfolded during the morning rush hour. Your survival rate is measured in seconds.
Of course, in a perfect world, this would not be a problem, because the good people would exercise netiquette and leave the security-ignoramuses alone. But unfortunately, there are bad people out there-- ones that write viruses; send spam; and use other people's machines to wreak some imagined vengeance against some site. What's a mother to do?
OK, here is what I want on my machine-- developers, wake up!
1) I want a zombie detector running at all times. I want it to tell me if someone is trying to get into my machine from the outside (regardless of port). I want it to tell me if some process on my machine is trying to reach a remote machine on the Internet (regardless of port). I want this to have an icon in my startup tray that will check for updates every x minutes, and blink if there are any. I want it to check for updates when I boot up anyway. And I want it to have the option to remove the zombie it finds.
Yes, I know this looks a lot like some commercial products (like from Symantec) but I want it free. And hacker-proof.
Does anyone out there have a zombie detector??
2) I want a utility that will check my incoming email, and check for a valid sender's IP/hostname. If it fails, dump the email into the spam folder. This is in addition to any Bayesian filters and other spam traps that almost work.
3) I really want an appliance computer. Not something where I need (a) a friendly neighborhood computer expert, or (b) a comp science degree (as if that helps), or (c) a hacker mentality to keep my machine vermin free and configurable. To you computer manufacturers / OS designers / application developers: Make it EASY for us, EVEN IF IT MAKES IT HARD ON YOU!! Apple, you are the closest right now.
When my wife feels comfortable on a computer, you have succeeded.
Off my soapbox.
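A minimal SPF evaluator tying together the "publish SPF records" suggestion in the Joe Job thread above and this post's wish for a utility that checks the sender's IP. It is an added example, not code from either poster; the domains (RFC 2606 reserved names), the records and the "hard fail to spam, softfail tagged" policy are constructed for illustration, and a real deployment would query DNS and also handle the a, mx and ptr mechanisms.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups. The domains are
# RFC 2606 reserved names and the records are invented for this example.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "example.org": "v=spf1 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, lookup=FAKE_DNS.get, depth=0):
    """Check whether client_ip is allowed to send mail for domain.
    Handles ip4, ip6, include and all; a, mx, ptr and exists need live DNS
    and are skipped here (treated as no-match)."""
    if depth > 10:                 # RFC 7208 limits DNS-dependent terms to 10
        return "permerror"
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"              # domain publishes no SPF: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: counts as a match only if the referenced record passes
            matched = evaluate_spf(arg, client_ip, lookup, depth + 1) == "pass"
        else:
            continue               # mechanisms or modifiers not handled offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # no mechanism matched (RFC 7208 section 4.7)


def route_message(sender_domain, client_ip):
    """Apply the policy the post asks for: a hard SPF fail goes to the spam
    folder, a softfail is delivered but tagged, anything else goes through."""
    result = evaluate_spf(sender_domain, client_ip)
    if result == "fail":
        return "spam", result
    if result == "softfail":
        return "inbox-tagged", result
    return "inbox", result


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.77"), ("example.com", "203.0.113.9"),
                       ("_spf.example.net", "203.0.113.9"), ("example.org", "203.0.113.9")]:
        print(domain, ip, "->", route_message(domain, ip))
```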
No Surprises Here (Score:2)
Symantec sell anti-virus software. This software is closed-source. As a consequence of this, everyone who wants a copy has to pay for it. Plus, the good guys (who
The importance of the BHO Browser Helper Object (Score:3, Informative)
This bugger was really tough to remove. I tried the adaware and Panda and any other "auto removal" tools that I could find. These efforts got me to the point where the homepage was no longer being affected
But through the process, I got introduced to "HijackThis" and "FindNFix" which is (or was at the time) more of an analysis tool than a repair tool. Using these tools, I was able to see that my efforts were only partially successful. Even though my homepage was no longer changing, I continued to have a persistent BHO that I could not get rid of. Or rather, once removed, it would re-appear on each reboot, usually with a different name.
I came to the realization that I was infected by a dormant bot. And that any time I started my browser, the bot would "phone home" and receiving no instructions, would do nothing. I knew that the day was coming when this bot would be instructed to do something besides nothing, and my computer would be enlisted as a soldier in a "drone army".
Because the "phone home" occurs as an http request via port 80, it occurs almost undetectably (I could see it happening via tcpdump on my firewall) and it is essentially impossible to block, unless you block web browsing to your user population.
This is the new evil..
I don't know that we have seen these drone armies put to use yet. The possibilities are frightening.
I see many posts, by the uninformed, that say.. Patch em up. Scan em thoroughly and run your adaware. You'll be safe then. Don't be misled. This infection is more stealthy than that.
In the end, it took me several hours to learn how to remove this infection. I used the tools listed above, and some procedures I found documented in the news groups. I had to disable recovery, boot into safe mode, move (rename) the file three times and only then did my diagnostics come up clean.
I don't want to needlessly frighten anyone, but this one really scares the bejeesus out of me.
Re:The duty of securing ones computer (Score:2)
Working everyday in the real world (Score:2)
Please tell me you aren't even in the running to take responsibility for your network's problems. It should be pointed out that most ISPs have a mandate in their ToS that tell people to use these things, but it's user education that stops them answering inbound blaster requests with 'yes'. As for 'hardware firewall', the only good one is around 2 i
Re:You've got cash (Score:2)
Re:Zombie Network IRC Control Stations (Score:3, Insightful)
Re:Is this true? (Score:2)
I thought 98 was immune to Blaster, Sasser, et al.
It is. This seems to be more of an "upgrade your systems now and improve Microsoft's Q4 figures" FUD exercise rather than a true representation of virus activity.
IMHO, of course. ;o)