Over a Million Zombie PCs 564
Doyle writes "A BBC article discusses new research revealing that over 1 million computers have been compromised and are being used in bot nets. From the article: 'The largest network spied on by the team was made up of 50,000 hijacked home computers.'"
Where have I heard this before? (Score:5, Funny)
Anyone know... (Score:5, Insightful)
You never know, it might be a nice bit of PR for some Apple/Linux/BSD organisation to casually slip into a Press Release.
Re:Anyone know... (Score:3, Funny)
There are blue screen screen savers available that show fake error messages randomly for Linux. "Joe User" should feel right at home.
Re:Anyone know... (Score:5, Insightful)
Even if this is true, you're seriously downplaying this problem. With Windows, in order to use your computer at all, you're probably going to have to install vendor-written drivers for something, because there are no community-maintained drivers as there are for OSS OSes. MS does include some basic drivers for very common hardware, but almost any computer will have at least something that will require a vendor driver. History has shown us that these vendor-written drivers have a very poor record, and are known to cause a lot of problems on Windows systems.
This alone is a good reason to avoid Windows. What good is it as an OS if you can't add various hardware (scanners, cameras, wireless ethernet, etc.) without expecting it to suddenly become unstable?
It doesn't matter how great Ford engines are if they keep sticking tread-separating Firestone tires on their vehicles.
Re:Anyone know... (Score:5, Interesting)
You can tell that Windows is meant to be used as a tool and not just for hobby because in Office and the Explorer search pane they have dozens of these little characters that'll dance and do tricks and stuff without really helping you out in the process. And a bunch of the window actions can be animated to slow them down a bit. You've got connection limits and such to ensure that you only use your desktop for desktop stuff. Network authentication restrictions ensure that your intranet design fits a standard, well supported model, and that the right edition gets used for the right job. And the whole thing is pretty awesome for running games.
Linux must certainly be meant just for hobby because it comes with thousands of these little tools that just do their jobs without much in the way of glitter and animation to impress the user, or even a requirement that a user must be directly interacting with them.
Re:Anyone know... (Score:3, Interesting)
I'm not proposing Windows or Linux for that matter. The numbers speak for themselves. Linux is getting adopted quickly in the server room because the people who manage are trained professionals in computer-related fields. Joe User, for the most part, is not.
10 Year Setback Sounds Great! (Score:5, Insightful)
"If Joe User were required to start by using Linux or BSD, it would set computing back 10 years."
To a time before rampant SpambotNets and the DMCA. Sign me up! :-)
Re:Anyone know... (Score:3, Insightful)
Am I alone in wondering whether this truth extends to running Windows Limited Accounts, instead of Administrator logins?
Running XP in a safe manner is as challenging as my Gentoo boot, without the benefit of reasonable documentation, unless you want to count these <adjective> bubbles popping up over the system tray.
Having had some Linux experience, I am guessing my way to understanding _some_ of what to do, but a nice walkthr
Re:Anyone know... (Score:5, Informative)
As for resources, ask Google [google.com].
noadmin.editme.com [editme.com] has a wiki about it, and also see Aaron Margosis' WebLog [msdn.com], aka the The Non-Admin blog, made by a Microsoft employee.
Windows NT Security in Theory and Practice [microsoft.com], a long-running set of MSDN articles about NT security is also interesting, especially to developers.
Also useful are FileMon [sysinternals.com] and RegMon [sysinternals.com] from SysInternals, to see what files/reg keys an app is hung up on trying to get unreasonable access to. (Remember that security is checked only on open/create, so set the filter to show opens only)
Still, there is too little information about running stuff as non-admin. Part of the problem is that making a program run as non-admin when it wasn't designed for that, usually isn't easy.
You've just described ... (Score:5, Insightful)
Have your machine intentionally be part of the "zombies", and you get all the goodies, and look like a victim at the same time.
Must Be M$ Boxes Right ?? (Score:5, Funny)
Re:Must Be M$ Boxes Right ?? (Score:5, Funny)
Re:Must Be M$ Boxes Right ?? (Score:3, Funny)
Re:You Must Be Linsux User Right ?? (Score:3, Funny)
Re:Must Be M$ Boxes Right ?? (Score:4, Informative)
That's still low... (Score:5, Funny)
Come to think of it, the two just may be related.
Why aren't governments proacting against these nets (Score:5, Interesting)
Re:Why aren't governments proacting against these n (Score:5, Informative)
Something like that already exists. [dshield.org]
Feel free to contact any of the infected and cross them out.
Why not ISPs (Score:5, Interesting)
Re:Why not ISPs (Score:5, Insightful)
Re:Why not ISPs (Score:3, Interesting)
The ISP needs to force the user to at minimum to install a software firewall.
If the user has a windows box directly connected to the Internet and they don't have a software firewall, they should not be allowed to connect.
Re:Why not ISPs (Score:3, Insightful)
I work for my ISP as helpdesk/tech support. I get calls all the time, 'Yeah, I got this pop-up from Norton says that Internet Explorer is trying to access the internet, what should I do?'
If these PCs became zombies, then the users that operate them would have no clue how to operate a software firewall. Instead, they need AV software, and some computer training, and possibly a hardware firewall.
Easiest to implement would be a DSL/Cable modem and firewall combo that the
Re:Why not ISPs (Score:3, Insightful)
But for Cable/DSL the easier answer is just put in a NAT box. I mean a simple router goes for $10. If the ISPs hadn't tried to gouge everyone for hooking up two computers to one line, this probably wouldn't be an issue now.
Appliance (Score:3, Interesting)
Simpler than that. Just give customers a firewall appliance with their modem, and warnings of the doom that will befall them if they don't hook it up between their modem and PC....
Re:Appliance (Score:4, Informative)
Re:Why not ISPs (Score:3, Insightful)
Re:Why not ISPs (Score:3, Insightful)
While I agree with the sentiment, it doesn't practically work when applied to the Internet. There are a few reasons. One is the legal reason. ISPs are common carriers and if they start monitoring their traffic and nicking people for being zombies, they could be held responsible if they miss some zombies and those zombies cause damage (yes, I realize this is inane, but it's how lawyers and the law think). The
Re:Why not ISPs (Score:5, Insightful)
Because it is not in the ISP's best (i.e. financial) interests to do so. Finding these machines, teaching users how to clean them up, and then reactivating their access would require a great deal of manpower and money. Since not doing it is consequence-free, there is no incentive to do it. It's like dealing with hazardous waste; it's difficult and expensive. Without some outside force compelling companies to dispose of it appropriately, they would deal with it the cheapest and easiest way possible. That is, dumping it on the rest of us, like these ISPs do.
Re:Why not ISPs (Score:5, Insightful)
Re:Why not ISPs (Score:5, Interesting)
Re:Why not ISPs (Score:5, Interesting)
Harsh times call for harsh measures.
Re:Why not ISPs (Score:5, Interesting)
I don't think it's that bad:
Re:Why not ISPs (Score:4, Interesting)
Do NOT clean up Winboxen for free. (Score:4, Interesting)
Bad PR but who the fuck cares.
tihihi I said boxen.
Re:Do NOT clean up Winboxen for free. (Score:3, Funny)
Dude you want me to charge my Mom? Should I tell my 60 year old mom "PAY UP WITH THAT SOCIAL SECURITY CHECK MONEY BITCH"? Sorry I am not a heartless bastard.
Re:Do NOT clean up Winboxen for free. (Score:3, Insightful)
Who said anything about charging $ to clean up Mom's PC? Better yet to barter with her...clean it up for a batch of cookies...or a 6-pack. People are generally a lot more willing to trade goods/services than pay $.
And if she's family, she should understand where you're coming from. You may not be a heartless bastard, but the spammers sure are. And
Re:Do NOT clean up Winboxen for free. (Score:3, Insightful)
Re:Why not ISPs (Score:5, Insightful)
At least in linux TOP shows you what process is sucking up the cycles, giving you a fighting chance. I'm not completely clueless, I've used windows since 3.11, cut my teeth on basic and dos batch scripts, installed Linux on a machine before win95 was released and still I know the wife's WinXP machine that's fully patched hardware and software firewalled is owned and can't find out how; what's Joe average going to do?
Re:Why not ISPs (Score:3, Informative)
Also, if you're privy, before you clean the box up you should download ethereal and see what kind of traffic it is passing. Of course, you need to have a little bit of networking understanding, but it's not hard to look at and see all of the source/destinations that packets are traversing.
In addition, I've found that
Recommend: Process Explorer (Score:4, Informative)
-2A
My local one does sometimes (Score:3, Informative)
One case it was actually not the customers machines, but his neighbor who was taking a free ride on their wide open wireless network. Turning on WEP immediately fixed the problem. The customer cou
Re:Not their responsibility (Score:3, Informative)
And your ISP pays *its* ISP by the MB. It is therefore in their interest to halt traffic generated by spam-bots and ddos-bots.
Re:Why aren't governments proacting against these n (Score:5, Informative)
8. Do you prosecute the people that compromise systems within the Honeynet? No. The prime directive of the Honeynet Project is research and to share those lessons learned. It is not our goal to catch and prosecute blackhats. We do forward information about compromised systems to CERT so CERT can notify admins of compromised systems. We limit our contact with authorities only when the Project feels there is a critical need. If we were to become involved in a major legal case every time a system was compromised, we would not have time for research, let alone our real jobs.
read more about honeypot here [honeynet.org]. It seems they probably could, but are not going to.
Re:Why aren't governments proacting against these n (Score:5, Insightful)
Re:Why aren't governments proacting against these n (Score:5, Funny)
Re:Why aren't governments proacting against these n (Score:3, Interesting)
Why should they? It's the ISPs who make money by providing Internet access. They should be responsible for alerting their customers about compromised machines. Most of them don't because it costs too much money, and there's little liability even if you do absolutely nothing.
On the other hand, customers aren't willing to pay for a notification service, or acce
Re:Why aren't governments proacting against these n (Score:3, Insightful)
To paraphrase the late great Jerry Orbach playing Lenny Briscoe, "Sure, let's get the government involved. That'll solve everything."
And as far as the ISPs go, I've worked for ISPs that wouldn't even cut someone off for non-payment for fear of their subscriber numbers going down. Do you really think they have the manpower, resources, or interest in doing anything about this until they're forced to by business
Re:Why aren't governments proacting against these n (Score:5, Funny)
ROTFL...
Quickly! Disconnect the backbone from the internet! Unplug the DNS root servers! Take the routers offline! Cut the cables leading into Mae East! The internet is too dangerous!!!
Hope (Score:3, Interesting)
Re:Hope (Score:5, Insightful)
I imagine there are quite a few more machines that are zombie infected that were not detected for whatever reason (turned off, firewalls, etc), plus all the millions of more machines that are "just" infected with viruses, spyware, or trojans that do not produce bot-net like activity.
Not surprising (Score:5, Interesting)
Re:Not surprising (Score:4, Interesting)
Re:Not surprising (Score:5, Informative)
No, I think most legitimate traffic is under 5000 simultaneous connections =). When we see a machine with 10,000 , 20,000 , 30,000 (which has been detected). We know there's a problem =)
Re:Not surprising (Score:3, Insightful)
bah (Score:3, Funny)
*Connection Terminated Unexpectedly*
Imagine... (Score:5, Funny)
(Hmm, can zombies be clustered? We all know from Night of the Living Dead that they DO cluster. Quite well, in fact...)
Back when Windows was just a hole in the wall (Score:3, Insightful)
Re:Back when Windows was just a hole in the wall (Score:3)
well at least we're smarter than that [SPAM] (Score:5, Funny)
fix them (Score:4, Interesting)
It is probably quite complicated, technically speaking, because these machines now have to be scanned for every possible trojan, logger, virus in existence, but it's not impossible. Can an antivirus company, say, get a grant from a government to run a job like that?
Bullshit (Score:3, Interesting)
One machine can reconnect to the same botnet multiple times as the person reboots to try and clear the problem.
One machine gets multiple IP addresses every time he reboots.
I was wondering... (Score:5, Funny)
not entirely user behavior... (Score:5, Interesting)
It's sad, but it seems the only way to mitigate this is to hold the OS vendor responsible for insecure code. Similar to cars, we hold the driver responsible if they ( say ) drive drunk, but the manufacturer responsible if while driving the wheels come off.
What role for ISPs (Score:4, Insightful)
Home PC users do not need to generate traffic on port 25 that's going anywhere other than their ISP's mailserver. ISP mailservers should use SMTP authentication. Of course these simple measures would mean support calls from users who need to reconfigure Outlook, and support calls cost money, so it'll never happen.
Nonetheless, these companies are profiting while user machines get hijacked. Someone needs to make a little bit of effort, 'cause for now spreading these nets wider is way too easy.
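Two posts above describe things an ISP could look for on its own flow data: the helpdesk poster's rule of thumb that legitimate hosts stay under about 5,000 simultaneous connections while bots sit at 10,000 or more, and the point that a home PC has no business speaking SMTP (tcp/25) to anything except the ISP's own mail relay. The following Python script is an added example, not code from the thread or from any ISP; it applies both heuristics to a constructed snapshot of flow records. The customer address range, the relay address, the flow line format and the 5,000 threshold are all assumptions chosen for illustration.

```python
"""Flag bot-like customer hosts in a snapshot of flow records (added example).

Heuristics, both taken from the thread:
  * a customer host holding more simultaneous connections than any
    legitimate use would need (threshold assumed to be 5000);
  * a customer host sending tcp/25 to hosts other than the ISP's own
    relay, which is the direct-to-MX behaviour of a spam bot.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical values: the ISP's customer range and its sanctioned relay.
CUSTOMER_NET = ip_network("10.20.0.0/16")
ISP_MAIL_RELAY = ip_address("10.20.0.25")
CONN_THRESHOLD = 5000


def parse_flows(lines):
    """Parse 'src:sport -> dst:dport proto' lines (constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        left, right = line.split("->")
        src, _sport = left.strip().rsplit(":", 1)
        dst_port, proto = right.split()
        dst, dport = dst_port.rsplit(":", 1)
        flows.append((ip_address(src), ip_address(dst), int(dport), proto))
    return flows


def connection_counts(flows):
    """Number of flows per customer source address in the snapshot."""
    counts = defaultdict(int)
    for src, _dst, _dport, _proto in flows:
        if src in CUSTOMER_NET:
            counts[src] += 1
    return counts


def smtp_offenders(flows):
    """Customer hosts sending tcp/25 anywhere other than the ISP relay."""
    offenders = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 25 and src in CUSTOMER_NET and dst != ISP_MAIL_RELAY:
            offenders[src].add(dst)
    return offenders


def triage(lines, conn_threshold=CONN_THRESHOLD):
    """Return {source_ip: [finding, ...]} for hosts matching either heuristic."""
    flows = parse_flows(lines)
    findings = {}
    for src, n in connection_counts(flows).items():
        if n > conn_threshold:
            findings.setdefault(str(src), []).append(
                f"{n} simultaneous connections (> {conn_threshold})")
    for src, dsts in smtp_offenders(flows).items():
        findings.setdefault(str(src), []).append(
            f"direct-to-MX SMTP to {len(dsts)} host(s)")
    return findings


def sample_flows():
    """Constructed snapshot: one flooding host, one spam bot, one clean host."""
    lines = ["# src:sport -> dst:dport proto"]
    # 10.20.1.7 holds 6000 outbound web connections: the flood signature.
    for i in range(6000):
        lines.append(f"10.20.1.7:{10000 + i} -> 198.51.100.{i % 250 + 1}:80 tcp")
    # 10.20.1.9 has only a few connections, but straight to remote MXs on tcp/25.
    lines += [
        "10.20.1.9:33001 -> 192.0.2.10:25 tcp",
        "10.20.1.9:33002 -> 192.0.2.11:25 tcp",
        "10.20.1.9:33003 -> 10.20.0.25:25 tcp",  # the relay itself is fine
    ]
    # 10.20.1.2 is ordinary use: mail via the relay, one HTTPS session, DNS.
    lines += [
        "10.20.1.2:40010 -> 10.20.0.25:25 tcp",
        "10.20.1.2:40011 -> 198.51.100.7:443 tcp",
        "10.20.1.2:53000 -> 10.20.0.53:53 udp",
    ]
    # Inbound traffic from outside the customer range is not attributed to anyone.
    lines.append("203.0.113.1:5555 -> 10.20.1.2:80 tcp")
    return lines


if __name__ == "__main__":
    for host, reasons in sorted(triage(sample_flows()).items()):
        print(host, "->", "; ".join(reasons))
```

The connection count is a per-snapshot figure, so it only means "simultaneous" if the input is a point-in-time capture rather than a day of accumulated flows. The SMTP rule is the cheap one: it needs no threshold at all, since a single outbound tcp/25 flow to a foreign MX from a consumer address is already a strong signal, and it is the same behaviour the port-25 egress policy in the post above would block outright.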
Welcome to the internet age (Score:3, Insightful)
I know * linux
Spam - DDOS and friends continue to plague our internet services.
Fine, blame the average user for not updating etc., the fact remains that a person who is skilled in other areas should not need to have the knowledge level of a Tech or even System admin or developer just to be able to safely use a computer (Ease of use is a different kettle of fish)
Sorry for the rant , but I am rather narked off at Spam nets
Ethics be damned... (Score:5, Insightful)
-Charles
Re: (Score:3, Insightful)
Next Step: Take them over. (Score:5, Interesting)
The only thing that makes me think it might not work is that it's similar to the stereotypical way of ridding the world of aliens in almost every sci-fi movie. Come to think of it, I might have gotten this idea from Independence Day.
... and they affect Linux too (Score:4, Interesting)
It's really annoying. I've thought about what I can do to shut down bots that are annoying me with excess traffic...
Does anyone have some good suggestions for keeping zombie PC traffic off of linux webservers either via firewall rules, apache config files, or ?
Perhaps a more interesting question is... if your machines is being attacked by a zombie PC, is it okay to attack it back (and try to take it offline?) - Isn't this sort of like 'self defense'?
Re: (Score:3, Insightful)
Re:... and they affect Linux too (Score:5, Interesting)
So basically my machine becomes invisible to the attacker and their ip address stays shitcanned forever.
Re:... and they affect Linux too (Score:3, Interesting)
http://www.exgenesis.com/banips.txt [exgenesis.com]
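The question above asks for firewall rules or Apache configuration to keep zombie traffic off a Linux web server, and the reply describes a setup where an attacker's address is dropped and stays dropped. The script below is an added example, not code from the thread or from the linked banips file: it reads Apache common-log-format lines, counts requests per client inside a sliding time window, and emits the iptables commands for a dedicated DROP chain instead of running them, so the operator can inspect them first. The log lines, the 100-requests-per-10-seconds limit and the chain name ZOMBIEBAN are constructed for the example.

```python
"""Turn a request flood in an Apache access log into iptables DROP rules.

Added example, not from the thread.  Parses common log format, keeps a
per-client sliding window of timestamps and flags any client that exceeds
LIMIT requests inside WINDOW.  Rules are returned as strings; nothing is
executed, so the output can be reviewed (or piped to sh) by the operator.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed policy (hypothetical): more than LIMIT requests within WINDOW from one IP.
LIMIT = 100
WINDOW = timedelta(seconds=10)


def parse_clf(line):
    """Return (client_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_floods(lines, limit=LIMIT, window=WINDOW):
    """Return {ip: timestamp_when_first_over_limit} for clients exceeding limit/window."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue  # malformed or non-CLF line: skip rather than crash
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def iptables_rules(flagged, chain="ZOMBIEBAN"):
    """Commands creating the chain, hooking it into INPUT and dropping each flagged source."""
    rules = [
        f"iptables -N {chain} 2>/dev/null || true",
        f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}",
    ]
    for ip in sorted(flagged):
        rules.append(f"iptables -A {chain} -s {ip} -j DROP")
    return rules


def sample_log():
    """Constructed access log: one flooding client, one normal client, one junk line."""
    base = datetime(2005, 3, 14, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_seconds, path):
        ts = (base + timedelta(seconds=offset_seconds)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" 200 512'

    lines = []
    for i in range(150):  # 150 hits in five seconds from one source
        lines.append(entry("203.0.113.9", i / 30, "/index.html"))
    for i in range(20):  # 20 hits spread over a minute: ordinary browsing
        lines.append(entry("198.51.100.4", i * 3, f"/page{i}.html"))
    lines.append("this line is not in common log format")
    return lines


if __name__ == "__main__":
    print("\n".join(iptables_rules(find_floods(sample_log()))))
```

Keeping the bans in their own chain makes them easy to flush (`iptables -F ZOMBIEBAN`) without touching the rest of the ruleset, which matters because of the point made earlier in the thread about dynamic addressing: a zombie that reboots comes back on a new IP, and its old one is handed to an innocent subscriber, so a ban that "stays forever" eventually blocks the wrong people. Expire entries after a fixed interval, or re-run the script against recent logs and rebuild the chain from scratch each time.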
Part of the team (Score:5, Funny)
<-[XP]-86840>: This message brought to you by Backdoor.Win32.Rbot.gen
Any better metrics on this? (Score:3, Interesting)
The article says:
Many well-known vulnerabilities in the Windows operating system were exploited by 'bot net controllers to find and take over target machines.
That's the only mention of an OS. Any metrics on exactly which OS and version/patchlevel is the most responsible?
Re:Any better metrics on this? (Score:3, Insightful)
I wonder.. (Score:3, Insightful)
Does anyone know if... (Score:4, Interesting)
I find it interesting... (Score:5, Insightful)
Re:I find it interesting... (Score:3, Insightful)
I think that's what worries me the most about the sizes of the current botnets we're seeing - how big are the ones we can't see yet? There are definitely some crafty hacker orgs out there who are smart enough to realize that a covert and/or latent botnet would be the most devastating kind, especially if it could return to latency after use. Imagine it, one day a quarter million previously 'safe' windows boxes
Zombie.SETI@home (Score:3, Funny)
windows 2000 box: a zombie in ~ 5 minutes (Score:4, Interesting)
Rent zombies online! (Score:5, Informative)
When they're up, they're very entertaining.
An older spammer forum, SpecialHam.com [specialham.com] is back up. With banner ads, even. "DarkMailer - not for newbies". "Blackbox Hosting - bulletproof hosting options" "SendSafe - bulk mail has never been this easy". "Bulkhost.com - the leader in bulk-friendly e-mail hosting".
Sites like these are where the hackers and spammers meet, find deals, and scream about being ripped off by each other. The actual deals tend to take place on ICQ.
Re:Rent zombies online! (Score:3, Funny)
So I clicked on the Dark Mailer ad, thinking it'd be good for charging them some ad money, and was amused instead:
If you have installed a cracked version on your computer by mistake, we suggest you format your hard drive and reinstall Windows. Delete the cracked version and download Dark Mailer from this site.
Beware teh cracked SPAM software!
Distributed processing (Score:3, Insightful)
Cluster (Score:3, Funny)
Of course it runs Windows! Go Microsoft!
*ugh*
A fresh install solaris is just as vulnerable (Score:4, Interesting)
A couple of days later, his cable-modem based lan was nigh unusable; lo and behold, the unpatched solaris box was sending out data as fast as it could. Neither of us had the technical expertise to figure out what exactly had happened, but the process that was causing all the trouble was sitting in a dir full of various tools that seemed to be doing some sort of IP range scanning and self propagation.
If there are enough systems out there with a given hole, someone will exploit it, regardless of OS.
What is the control group? (Score:5, Interesting)
Shit I forgot why I wrote this - oh yeah. What is the definition of "GOOD"? So while there 1.2 globzigillion zombies out there, what is the likelihood you're actually clean? I'd say damn near zero.
Re:What is the control group? (Score:3, Insightful)
I can run any spyware tool @ random and find something and once a month I trap a virus either in the browser cache or the jpi cache on one or all of these machines.
I wasn't looking over your shoulder when you performed this scan, so I don't know precisely what you saw, but finding things in the browser cache is not cause for alarm. For example, if I were to rename some virus-laden executable to have the JPEG extension, reference it in an img tag in an HTML file, and pop it on a website, all browsers wou
Why don't ISPs use Firewalls? (Score:4, Interesting)
I'm surprised more ISPs don't do this as we used to be overloading our pipe due to the bots but now we're using half of our pipe during peak times.
I could see this as a potential issue for some broadband ISPs but the saved money in bandwidth is much higher than the cost of manpower
Re:Why don't ISPs use Firewalls? (Score:3, Insightful)
It's not the ISP's job to firewall. The clients are paying for an Internet connection, not a web-browsing service, so they get a damn Internet connection.
Besides, by doing some filtering, you take responsibility. You remember, common-carrier status and all that.
Will never stop unless.... (Score:5, Interesting)
It's up to the benevolent hackers or MS. My $$ is on the geeks outside of Redmond.
Re:Will never stop unless.... (Score:3, Insightful)
P2P Nets (Score:3, Interesting)
"But Judge, I wasn't me that was sharing those files "
Before you laugh, I had a Linux 'router' broken into about 8 years ago. I of course caught it in nightly auditing, but it happened.
Turned my machine into a porn ftp server and a bridge to break into the next person.. If I hadn't been auditing, might have been months before discovery..
Honeynet (Score:3, Interesting)
Apparently they were using SUSE 8 Pro and Solaris 8 as the Honeypots. My issue with the BBC article is that although (as can be seen from the Honeypot site) 90% of the attacks were aimed at, or originated from a Windows machine, the offending OS is mentioned only once.
They (the BBC) should spell it out, so that the general public actually gets notified officially, and thus make it a well known issue among non-IT literate people.
Re:Before Everybody Blames Microsoft (Score:3, Insightful)
Thank you, I could not have said it better myself. I use Linux everyday, and in all honesty I patch my Linux box more than I patch my Windows XP box. Sure, the Linux box is frequently getting simple app upgrades/patches, but there are a good number of security fixes in those patches as well. An admin I work with left his Red Hat box unpatched and for a year and it got n
Re:Before Everybody Blames Microsoft (Score:5, Funny)
Microsoft's browser that gives developers every last inch of control over a user's PC is what inevitably led to developers just completely taking over users' PCs. Microsoft insists on certain features in Internet Explorer that make it a pain for even the smartest PC users to control what they see.
Here's some problems with IE:
- no real ability to disable popups (Completely disallowing all forms of popups is more secure and convenient for the USER. Fuck developers.)
- Install on demand (What a fucking trainwreck feature this is. Developer puts the 'yes' button behind the 'close' button nested 8 popups under the first one. User gets frustrated and clicks 7 close buttons and 1 button marked 'fuck me in the ass please')
- Patch-and-fix attitude.. It's somehow not Microsoft's fault if they allow 'get into my PC free' for two months if they eventually release a patch for it?
Here's how you fix Internet Explorer:
- get rid of 'install on demand' (Make it so users have to actively download and install what they want installed. This whole 'make things easier for flash to install itself and bombard you with ads' is stupid.
- SUE MICROSOFT. That's right. Consumer class-action large-scale - the type of lawsuit that puts them in the red for a quarter. How many billions has this cost Joe Consumer?
"Just remember that it is also the responsibility of the computer users to patch their systems in a timely manner as soon as they are available."
What if my computer is already fucked up, assface?
Ya, I'm pissed. I'm not an idiot computer user - I spend 8 hours a day on a computer. Yet, while typing this, I got a goddamn a.tribalfusion.bullshit popunder sitting there on my taskbar... and this is while I'm running a proxy filter, run Spybot, run Ad Aware.. And, if I'm having problems like this, Joe Consumer is getting raped.
Ya, you can call me stupid and say I browse the Internet wrong or whatever shit like that. But, this shit never happened back when Netscape was the dominant browser and it did not allow the developer to add 'features' that work much like a virus.
These zombie PCs ARE by and large Microsoft's fault. Microsoft needs to implement features with the idea that developers will EXPLOIT at every turn possible for money and they need to focus on the consumer, for once. You can't tell me that Microsoft doesn't know that Joe Consumer does not want 8 popups while browsing Slashdot.org.
BTW, if anyone has an easy, one-click fix for all the problems I have browsing (that is made by Microsoft, built-in to Internet Explorer), I will print out this post and EAT IT.
Re:Before Everybody Blames Microsoft (Score:3, Interesting)
This is true, but I'd like to go one step even further. Is there software out there to check if your PC has been co-opted, like what honeynet has but for regular users (just an integrity check)? I have a server with a firewall, then a router with a firewall, then ZoneAlarm software firewall on my main home PC. I expect this should be safe, but I know I've gotten spyware and adware on it
Obligatory Buckaroo Banzai: (Score:4, Funny)
"Planet Ten!"
"When?"
"Real soon!"
Re:What can I use to detect a hijacked computer? (Score:4, Informative)
Task Manager will show you the currently running processes. This is of limited usefulness since it doesn't show the path of the executable nor the arguments used to launch it. So SVCHOST.EXE will show up multiple times because it is used by 2000/XP to run several different services.
"Control Panel > Administration Tools > Computer Management" will run an applet that, among other things, will allow you to see the number of open shares and connections to your computer. There are some other useful things in there.
Re:Actively Scanning (Score:3, Insightful)
P2P users all do it, why can't a worm/botnet client do it?