Security Worms

Over a Million Zombie PCs

Doyle writes "A BBC article discusses new research revealing that over 1 million computers have been compromised and are being used in bot nets. From the article: 'The largest network spied on by the team was made up of 50,000 hijacked home computers.'"
  • by maotx ( 765127 ) <maotx@@@yahoo...com> on Thursday March 17, 2005 @12:57PM (#11966781)
    Maybe I should have sent THIS [slashdot.org] in after all...
  • Anyone know... (Score:5, Insightful)

    by gowen ( 141411 ) <gwowen@gmail.com> on Thursday March 17, 2005 @12:57PM (#11966790) Homepage Journal
    ... the breakdown of that million by operating system?

    You never know, it might be a nice bit of PR for some Apple/Linux/BSD organisation to casually slip into a Press Release.
  • by Anonymous Coward on Thursday March 17, 2005 @12:58PM (#11966794)
    Aren't zombies constantly searching for "brains"?
  • by BeneathTheVeil ( 305107 ) on Thursday March 17, 2005 @12:58PM (#11966797) Journal
    compared to the millions of zombies in front of PCs.

    Come to think of it, the two just may be related. :P
  • by panxerox ( 575545 ) * on Thursday March 17, 2005 @12:58PM (#11966799)
    If 1,000,000 computers can be identified as being zombie machines then 1,000,000 computer owners can be contacted. This is THE major problem afflicting the internet, why don't governments form a unit to identify and at least notify the owners of these machines? Will it take a major internet terrorist attack like bringing down a power grid to make governments act? As net users we should advocate government involvement in a measured, controlled way rather than the reaction that will come after an attack (patriot act?)
    • by maotx ( 765127 ) <maotx@@@yahoo...com> on Thursday March 17, 2005 @01:01PM (#11966842)
      and at least notify the owners of these machines?

      Something like that already exists. [dshield.org]
      Feel free to contact any of the infected and cross them out.
    • Why not ISPs (Score:5, Interesting)

      by winkydink ( 650484 ) * <sv.dude@gmail.com> on Thursday March 17, 2005 @01:03PM (#11966861) Homepage Journal
      Better yet, why don't ISPs disconnect them until they can demonstrate they've been cleaned up?
      • Re:Why not ISPs (Score:5, Insightful)

        by ArsonSmith ( 13997 ) on Thursday March 17, 2005 @01:10PM (#11966942) Journal
        Yea, they had the ability to disconnect me until I cleaned up some p2p software I had running. I'd say this is much more important than a few TV episodes.
      • Re:Why not ISPs (Score:3, Interesting)

        That would be a start. However, just because they 'cleaned up' won't prevent them from becoming a zombie again.

        The ISP needs to force the user to at minimum install a software firewall.

        If the user has a windows box directly connected to the Internet and they don't have a software firewall, they should not be allowed to connect.

        • Re:Why not ISPs (Score:3, Insightful)

          by destiny71 ( 731278 )
          Believe me, this is not the answer.

          I work for my ISP as helpdesk/tech support. I get calls all the time, 'Yeah, I got this pop-up from Norton says that Internet Explorer is trying to access the internet, what should I do?'

          If these PCs became zombies, then the users that operate them would have no clue how to operate a software firewall. Instead, they need AV software, and some computer training, and possibly a hardware firewall.

          Easiest to implement would be a DSL/Cable modem and firewall combo that the
          • Re:Why not ISPs (Score:3, Insightful)

            by swv3752 ( 187722 )
            The Windows XP firewall is pretty seamless. It is on and just sits there unlike NIS or ZoneAlarm.

            But for Cable/DSL the easier answer is just put in a NAT box. I mean a simple router goes for $10. If the ISPs hadn't tried to gouge everyone for hooking up two computers to one line, this probably wouldn't be an issue now.
        • Appliance (Score:3, Interesting)

          The ISP needs to force the user to at minimum install a software firewall.

          Simpler than that. Just give customers a firewall appliance with their modem, and warnings of the doom that will befall them if they don't hook it up between their modem and PC....
      • Re:Why not ISPs (Score:5, Insightful)

        by eaolson ( 153849 ) on Thursday March 17, 2005 @01:29PM (#11967183)
        Better yet, why don't ISPs disconnect them until they can demonstrate they've been cleaned up?

        Because it is not in the ISP's best (i.e. financial) interests to do so. Finding these machines, teaching users how to clean them up, and then reactivating their access would require a great deal of manpower and money. Since not doing it is consequence-free, there is no incentive to do it. It's like dealing with hazardous waste; it's difficult and expensive. Without some outside force compelling companies to dispose of it appropriately, they would deal with it the cheapest and easiest way possible. That is, dumping it on the rest of us, like these ISPs do.

        • Re:Why not ISPs (Score:5, Insightful)

          by BitwiseX ( 300405 ) on Thursday March 17, 2005 @01:36PM (#11967276)
          They won't clean up, they will go to an ISP that doesn't care. I run a small ISP, I've called customers and informed them of these issues... nothing happens... threaten to cut them off... nothing happens... cut them off... they call angry say "Fine! Don't bother!" and a customer is lost. A customer lost, is a customer lost. Police != Profit unfortunately, and it's a fine line to walk.
        • Re:Why not ISPs (Score:5, Interesting)

          by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday March 17, 2005 @02:32PM (#11968115) Homepage Journal
          Because it is not in the ISP's best (i.e. financial) interests to do so. Finding these machines, teaching users how to clean them up, and then reactivating their access would require a great deal of manpower and money. Since not doing it is consequence-free, there is no incentive to do it.

          I don't think it's that bad:

          1. Draft a standard letter / web page explaining why you're disconnecting a customer and how they can get re-connected.
          2. Port scan.
          3. Disconnect.
          4. Get kickbacks from local computer repair shop.
          5. Profit!
          which beats the heck out of
          1. Ignore the situation.
          2. Pay $BIGNUM for the bandwidth you're using to broadcast your customers' computers' spam.
          3. Lose legitimate customers who get tired of their outbound mail bouncing because your netblock is listed in every blackhole list on the planet.
          4. Loss!
          Either way, you will spend some money on the problem, either by proactively fixing it or by paying to repair the damages. Your call.
      • Re:Why not ISPs (Score:4, Interesting)

        by FriedTurkey ( 761642 ) on Thursday March 17, 2005 @01:33PM (#11967236)
        Actually they do. My parents' computer got disconnected from Roadrunner for being a spam bot. Spending next weekend cleaning it up. Argh.
        • by Werrismys ( 764601 ) on Thursday March 17, 2005 @02:28PM (#11968053)
          Do not clean up these boxes. Disconnect them from net and tell the relative in question to either PAY for the cleanup, get someone else to clean it, or get a Mac.

          Bad PR but who the fuck cares.

          tihihi I said boxen.

          • Do not clean up these boxes. Disconnect them from net and tell the relative in question to either PAY for the cleanup, get someone else to clean it, or get a Mac.

            Dude you want me to charge my Mom? Should I tell my 60 year old mom "PAY UP WITH THAT SOCIAL SECURITY CHECK MONEY BITCH"? Sorry I am not a heartless bastard.
            • Dude you want me to charge my Mom? Should I tell my 60 year old mom "PAY UP WITH THAT SOCIAL SECURITY CHECK MONEY BITCH"? Sorry I am not a heartless bastard

              Who said anything about charging $ to clean up Mom's PC? Better yet to barter with her...clean it up for a batch of cookies...or a 6-pack. People are generally a lot more willing to trade goods/services than pay $.

              And if she's family, she should understand where you're coming from. You may not be a heartless bastard, but the spammers sure are. And

            • Consider telling your mom "Hey mom, I just bought you a new PC. Here's the deal, though: since you don't have the time or money to keep your computer from getting infected, I had to get you a different kind of computer. It's very easy to use, and does lots of great stuff, but looks a little different. The good part is, you won't get disconnected again. Oh, and I'm putting this little box (router) between you and the internet for your protection. Don't worry, you don't have to actually touch it or do anythin
      • Re:Why not ISPs (Score:5, Insightful)

        by budgenator ( 254554 ) on Thursday March 17, 2005 @02:19PM (#11967902) Journal
        I'd just like to know why Task Manager says CPU utilization is over 50%, the hard disk is thrashing, and the network light is on constantly, but Task Manager only lists 3 processes using 2%? Nothing shows up on virus scans, nothing shows up on spyware scans and half the time it quits as soon as I open Task Manager.
        At least in Linux top shows you what process is sucking up the cycles, giving you a fighting chance. I'm not completely clueless, I've used Windows since 3.11, cut my teeth on BASIC and DOS batch scripts, installed Linux on a machine before Win95 was released, and still I know the wife's WinXP machine that's fully patched, hardware- and software-firewalled is owned and can't find out how; what's Joe Average going to do?
        • Re:Why not ISPs (Score:3, Informative)

          by karnal ( 22275 )
          There are programs out there (freeware) that can list every process running on the box etc. Some will even show you what filename launched the process etc... much better than task mangler.

          Also, if you're privy, before you clean the box up you should download Ethereal and see what kind of traffic it is passing. Of course, you need to have a little bit of networking understanding, but it's not hard to look at and see all of the sources/destinations that packets are traversing.

          In addition, I've found that
        • by x2A ( 858210 ) on Thursday March 17, 2005 @06:28PM (#11970552)
          Google for "Process Explorer" - free download, shows all processes and CPU usage (there is also an option to show % fractions of CPU usage or context switches for being really precise). Shows processes in a tree also, so you can see what's started what. Also gives ability to pause (a la -SIGSTOP/CONT) processes, very handy lil download. Well done the creators.

          -2A
      • I've had machines show up in my shop along with notes from Road Runner stating that they can't regain their service until they show proof the machine was repaired properly. These machines have always been so bad off, they were unusable, yet they were kept online constantly, to display popups and act as zombies.

        One case it was actually not the customer's machine, but his neighbor who was taking a free ride on their wide open wireless network. Turning on WEP immediately fixed the problem. The customer cou
    • From honeypot FAQ:

      8. Do you prosecute the people that compromise systems within the Honeynet? No. The prime directive of the Honeynet Project is research and to share those lessons learned. It is not our goal to catch and prosecute blackhats. We do forward information about compromised systems to CERT so CERT can notify admins of compromised systems. We limit our contact with authorities only when the Project feels there is a critical need. If we were to become involved in a major legal case every time a system was compromised, we would not have time for research, let alone our real jobs.

      read more about honeypot here [honeynet.org]. It seems they probably could, but are not going to.
    • by MatthewNewberg ( 519685 ) on Thursday March 17, 2005 @01:04PM (#11966870) Homepage
      Governments? What about ISPs? They are the ones having to pay for the added bandwidth on both sides. I'm surprised most ISPs don't run IDS that can detect Zombie Networks and automatically send emails to its infected customers. This will not only pay for itself by reducing bandwidth, but also make the customers happier.
    • I get nice little pop ups telling me my computer may be already infected all the time, don't you?
    • This is THE major problem afflicting the internet, why don't governments form a unit to identify and at least notify the owners of these machines?

      Why should they? It's the ISPs who make money by providing Internet access. They should be responsible for alerting their customers about compromised machines. Most of them don't because it costs too much money, and there's little liability even if you do absolutely nothing.

      On the other hand, customers aren't willing to pay for a notification service, or acce
    • why don't governments form a unit to identify and at least notify the owners of these machines?

      To paraphrase the late great Jerry Orbach playing Lenny Briscoe, "Sure, let's get the government involved. That'll solve everything."

      And as far as the ISPs go, I've worked for ISPs that wouldn't even cut someone off for non-payment for fear of their subscriber numbers going down. Do you really think they have the manpower, resources, or interest in doing anything about this until they're forced to by business
  • Hope (Score:3, Interesting)

    by Rosonowski ( 250492 ) <rosonowski.gmail@com> on Thursday March 17, 2005 @12:58PM (#11966800)
    Is it really only one million? When I think of how the average user ends up getting a machine infected, I think of a whole lot more than 1 million. 10 million, perhaps.
    • Re:Hope (Score:5, Insightful)

      by jayhawk88 ( 160512 ) <jayhawk88@gmail.com> on Thursday March 17, 2005 @01:09PM (#11966933)
      Well this is 1 million zombie-infected PCs, which are infected with specific types of trojans and such and presumably are actively being used in bot-nets.

      I imagine there are quite a few more machines that are zombie infected that were not detected for whatever reason (turned off, firewalls, etc), plus all the millions of more machines that are "just" infected with viruses, spyware, or trojans that do not produce bot-net like activity.
  • Not surprising (Score:5, Interesting)

    by dmf415 ( 218827 ) * on Thursday March 17, 2005 @12:59PM (#11966811)
    At my university, we have to run snort at the head end of the network in order to control the havoc these compromised machines create. We also monitor the number of simultaneous connections each machine creates and block the ones at the very top.
    • Re:Not surprising (Score:4, Interesting)

      by gordyf ( 23004 ) on Thursday March 17, 2005 @01:20PM (#11967063)
      Do you find that blocking machines with lots of simultaneous connections causes problems with bittorrent clients? (Or is that an intended side effect? :) )
    • Re:Not surprising (Score:5, Informative)

      by dmf415 ( 218827 ) * on Thursday March 17, 2005 @01:27PM (#11967145)
      Do you find that blocking machines with lots of simultaneous connections causes problems with bittorrent clients? (Or is that an intended side effect? :) )

      No, I think most legitimate traffic is under 5000 simultaneous connections =). When we see a machine with 10,000, 20,000, 30,000 (which has been detected), we know there's a problem =)
    • Re:Not surprising (Score:3, Insightful)

      by budgenator ( 254554 )
      I'm not an expert or anything, but it seems to me that the zombies need to report their presence to the controller, and that's usually done through an IRC channel. If you find the IRCs with the most connections and block them, or even better spoof them to a tarpit, and nobody complains about not being able to connect to their favorite IRC, you'd be pretty safe. Of course a lot of people might complain that their 'puters lock up as soon as they log in.
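      The two detections discussed in this subthread (dmf415's "block the hosts with the most simultaneous connections" and budgenator's "find the IRC server the zombies all report to") as an added example, not code from the thread; the connection table, addresses and the list of IRC ports are constructed assumptions:

```python
"""Two detections from the thread, over a constructed table of active
connections: (1) flag hosts with an abnormally high number of simultaneous
connections, (2) find external IRC endpoints that several internal hosts
rendezvous at, which is how an IRC-controlled botnet checks in.
All data and names below are constructed for the example."""
from collections import Counter, defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    src: str    # internal (campus/customer) host
    dst: str    # external endpoint
    dport: int  # destination port


# Assumption: ports commonly used by IRC servers; real C&C may use others.
IRC_PORTS = frozenset({6667, 6668, 6669, 7000})


def connections_per_host(conns):
    """Number of simultaneous connections opened by each internal host."""
    return Counter(c.src for c in conns)


def flag_high_fanout(conns, threshold=5000):
    """Hosts whose connection count exceeds the threshold, busiest first.
    The thread treats ~5000 as the upper bound of legitimate traffic."""
    counts = connections_per_host(conns)
    hits = [(host, n) for host, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda hn: (-hn[1], hn[0]))


def find_rendezvous(conns, ports=IRC_PORTS, min_hosts=3):
    """External IRC endpoints shared by at least min_hosts distinct internal
    hosts: a lone IRC user is normal, a crowd on one server is suspicious."""
    by_endpoint = defaultdict(set)
    for c in conns:
        if c.dport in ports:
            by_endpoint[(c.dst, c.dport)].add(c.src)
    hits = [(ep, len(hosts)) for ep, hosts in by_endpoint.items()
            if len(hosts) >= min_hosts]
    return sorted(hits, key=lambda eh: (-eh[1], eh[0]))


def build_sample():
    """Constructed connection table: four normal hosts, one scanning zombie,
    and four bots checking in to the same IRC server."""
    conns = []
    # Normal web browsing: a few hundred connections each.
    for i in range(1, 5):
        for j in range(300):
            conns.append(Conn(f"10.0.0.{i}", f"198.51.100.{j % 50 + 1}", 80))
    # Zombie sweeping port 445 across thousands of addresses.
    for j in range(12000):
        conns.append(Conn("10.0.0.5", f"100.64.{j // 256}.{j % 256}", 445))
    # Bots (scanner included) holding a channel on one IRC server.
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"):
        conns.append(Conn(host, "203.0.113.7", 6667))
    # One legitimate IRC user on a different server: must not be flagged.
    conns.append(Conn("10.0.0.2", "203.0.113.9", 6667))
    return conns


if __name__ == "__main__":
    sample = build_sample()
    for host, n in flag_high_fanout(sample):
        print(f"block candidate: {host} has {n} simultaneous connections")
    for (dst, port), n in find_rendezvous(sample):
        print(f"possible C&C rendezvous: {dst}:{port} used by {n} hosts")
```

      The threshold is a policy choice, which is exactly gordyf's BitTorrent question: a busy torrent client with a high connection limit lands in the same bucket as a scanner, so in practice the count is combined with what the connections are doing (one port swept across a /16 versus a mix of peers). The rendezvous check likewise only sees C&C on the ports you list.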
  • bah (Score:3, Funny)

    by ltwally ( 313043 ) on Thursday March 17, 2005 @12:59PM (#11966816) Homepage Journal
    bah, i run unsecured windows xp and i'm saf..FJEIOJFJIJS

    *Connection Terminated Unexpectedly*

  • Imagine... (Score:5, Funny)

    by RedMage ( 136286 ) on Thursday March 17, 2005 @12:59PM (#11966818) Homepage
    ... a Beowulf Cluster of... oh wait...

    (Hmm, can zombies be clustered? We all know from Night of the Living Dead that they DO cluster. Quite well, in fact...)
  • Remember when viruses would just "format C:"? When you were infected, you knew it cause your HD was blank. Now the average user can't tell when they have a problem or not...
  • by peculiarmethod ( 301094 ) on Thursday March 17, 2005 @01:01PM (#11966845) Journal
    I know one thing: There's no way in hell they're ever gonna get passed my *ENLARGE YOUR PENIS* super leet windows 2003 install modded to look like xp *HELP RETRIEVE MY MILLIONS*. I even use IE7 beta, but I'm not scared cause I run McAfee *BUY SLIGHTLY USED PORN AT ROCK BOTTOM PRICES* firewall to protect my cable modem network. Let's see 'em try to get into THIS network! HA!
  • fix them (Score:4, Interesting)

    by roman_mir ( 125474 ) on Thursday March 17, 2005 @01:07PM (#11966905) Homepage Journal
    Now that the machines are known, their IPs are compiled into a list, what stops a good samaritan from setting up a script to patch them up?

    It is probably quite complicated, technically speaking, because these machines now have to be scanned for every possible trojan, logger, virus in existence, but it's not impossible. Can an antivirus company, say, get a grant from a government to run a job like that?

  • Bullshit (Score:3, Interesting)

    by LiquidCoooled ( 634315 ) on Thursday March 17, 2005 @01:07PM (#11966908) Homepage Journal
    One machine can be infected by multiple trojans.
    One machine can reconnect to the same botnet multiple times as the person reboots to try and clear the problem.
    One machine gets multiple IP addresses every time he reboots.
  • by justforaday ( 560408 ) on Thursday March 17, 2005 @01:07PM (#11966914)
    This explains why my startup sound suddenly changed into a groaning voice saying "Braiinnnnnssss..."
  • by grassy_knoll ( 412409 ) on Thursday March 17, 2005 @01:08PM (#11966923) Homepage
    from TFA:

    Getting the machines hijacked was worryingly easy. The longest time a Honeynet machine survived without being found by an automatic attack tool was only a few minutes. The shortest compromise time was only a few seconds.


    It's sad, but it seems the only way to mitigate this is to hold the OS vendor responsible for insecure code. Similar to cars, we hold the driver responsible if they (say) drive drunk, but the manufacturer responsible if while driving the wheels come off.
  • What role for ISPs (Score:4, Insightful)

    by Albanach ( 527650 ) on Thursday March 17, 2005 @01:10PM (#11966939) Homepage
    There has to be a role here for ISPs. Often these machines are either spitting out spam or worms, yet abuse reports to ISPs can take days or weeks to receive any attention.

    Home PC users do not need to generate traffic on port 25 that's going anywhere other than their ISP's mailserver. ISP mailservers should use SMTP authentication. Of course these simple measures would mean support calls from users who need to reconfigure Outlook, and support calls cost money, so it'll never happen.

    Nonetheless, these companies are profiting while user machines get hijacked. Someone needs to make a little bit of effort, 'cause for now spreading these nets wider is way too easy.

  • Now many will call me a Microsoft basher and I unashamedly am, and with a damned good reason. The insecurity of Microsoft OSs does not just affect those who want to use (or don't know they have other options) Windows, but it affects me and my peers.
    I know Linux, HPUX, Solaris, OS X (maybe I should just include this in *BSD) and *BSD are not perfect and have some security issues, though nothing on this scale (my opinion). You can use the argument about if blah had blah monopoly then blah would be just as cracked (which I think is rubbish and doth not change the fact that it is only an "if", as it isn't so can't be proven). So as a user of the internet on my chosen Unix variants at home and at work I still have to suffer Microsoft's lackluster network security through the set-up of botnets.
    Spam, DDOS and friends continue to plague our internet services.
    Fine, blame the average user for not updating etc, the fact remains that a person who is skilled in other areas should not need to have the knowledge level of a tech or even system admin or developer just to be able to safely use a computer (ease of use is a different kettle of fish).

    Sorry for the rant, but I am rather narked off at spam nets.
  • by chill ( 34294 ) on Thursday March 17, 2005 @01:11PM (#11966949) Journal
    Time for someone to write a worm that forces an update from Windows Update; downloads a copy of SpyBot Search & Destroy, runs it and then turns on the firewall.

    -Charles
  • by bigtallmofo ( 695287 ) on Thursday March 17, 2005 @01:11PM (#11966957)
    I think the only plausible defense against a botnet of such a size is to use the botnet against itself. Allow one of your systems to be infected with the botnet - effectively join their network. Then sniff the network traffic to find out what IRC server and channel to join and any security codes that are necessary to control the botnet. Then upload a "virus" into the botnet that will patch the infected system and remove the botnet binaries. No more botnet.

    The only thing that makes me think it might not work is that it's similar to the stereotypical way of ridding the world of aliens in almost every sci-fi movie. Come to think of it, I might have gotten this idea from Independence Day.

  • by poopie ( 35416 ) on Thursday March 17, 2005 @01:13PM (#11966981) Journal
    My home machine's webserver gets regularly punished by bots that are sending buffer overflow URLs. I only have port 80 open, too. I use my home machine for mythtv, and I certainly notice when the bots start attacking me.

    It's really annoying. I've thought about what I can do to shut down bots that are annoying me with excess traffic...

    Does anyone have some good suggestions for keeping zombie PC traffic off of linux webservers either via firewall rules, apache config files, or ?

    Perhaps a more interesting question is... if your machine is being attacked by a zombie PC, is it okay to attack it back (and try to take it offline?) - Isn't this sort of like 'self defense'?
  • by dfj225 ( 587560 ) on Thursday March 17, 2005 @01:15PM (#11967007) Homepage Journal
    I'm glad to be just part of the team!

    <-[XP]-86840>: This message brought to you by Backdoor.Win32.Rbot.gen
  • by Weaselmancer ( 533834 ) on Thursday March 17, 2005 @01:15PM (#11967010)

    The article says:

    Many well-known vulnerabilities in the Windows operating system were exploited by 'bot net controllers to find and take over target machines.

    That's the only mention of an OS. Any metrics on exactly which OS and version/patchlevel is the most responsible?

    • Doesn't matter now because even if they've been upgraded, the infections are probably still present and running. They could all be Windows XP SP2 now for all we know, but the trojans are already in.
  • I wonder.. (Score:3, Insightful)

    by MoceanWorker ( 232487 ) on Thursday March 17, 2005 @01:17PM (#11967024) Homepage
    How many, out of that estimate, pertain to those who still didn't patch up that stupid RPC/DCOM vulnerability for 2000/XP?
  • by bluprint ( 557000 ) on Thursday March 17, 2005 @01:17PM (#11967027) Homepage
    bots that infect computers ever conflict with each other. Like Bot1 takes over a PC, then Bot2 comes along, and maybe they fight over that PC or its resources?
  • by suitepotato ( 863945 ) on Thursday March 17, 2005 @01:24PM (#11967112)
    ...that all these botnets themselves seem so compromised that journalists and researchers can so easily get into them. If you're going to compromise other people's computers for whatever nefarious use, do you want your system itself wide open for someone to steal away from you or document your doings for law enforcement? The best back doors and holes are ones that no one sees until you're using them and it is too late.
    • The best back doors and holes are ones that no one sees until you're using them and it is too late.

      I think that's what worries me the most about the sizes of the current botnets we're seeing - how big are the ones we can't see yet? There are definitely some crafty hacker orgs out there who are smart enough to realize that a covert and/or latent botnet would be the most devastating kind, especially if it could return to latency after use. Imagine it, one day a quarter million previously 'safe' windows boxes

  • by mykroft42 ( 831331 ) on Thursday March 17, 2005 @01:28PM (#11967165) Homepage
    Perhaps all these Zombie comps should be put to good use. Who cares if people don't want to participate in grid computing ... they can be forced!
  • by hurricaen ( 868015 ) on Thursday March 17, 2005 @01:29PM (#11967178)
    My coworker is doing some of his own investigations into this stuff. He hooked up a freshly installed, but unpatched, windows2000 box to the net with a freebsd box in between to monitor traffic. Within minutes it was infected, and we could see IRC traffic: connecting to a hidden channel to await instructions. Not that I'm that outraged that an old unpatched windows 2000 box is vulnerable; it's just amazing how quickly a worm will get you if you are vulnerable! -K
  • Rent zombies online! (Score:5, Informative)

    by Animats ( 122034 ) on Thursday March 17, 2005 @01:32PM (#11967229) Homepage
    They're down today, but SpamForum.biz [spamforum.biz] carries ads for zombies, open proxies, botnets, etc. Numbers available range from 1000 to 50,000.

    When they're up, they're very entertaining.

    An older spammer forum, SpecialHam.com [specialham.com] is back up. With banner ads, even. "DarkMailer - not for newbies". "Blackbox Hosting - bulletproof hosting options" "SendSafe - bulk mail has never been this easy". "Bulkhost.com - the leader in bulk-friendly e-mail hosting".

    Sites like these are where the hackers and spammers meet, find deals, and scream about being ripped off by each other. The actual deals tend to take place on ICQ.

    • With banner ads, even. "DarkMailer - not for newbies"...

      So I clicked on the Dark Mailer ad, thinking it'd be good for charging them some ad money, and was amused instead:

      If you have installed a cracked version on your computer by mistake, we suggest you format your hard drive and reinstall Windows. Delete the cracked version and download Dark Mailer from this site.

      Beware teh cracked SPAM software!

  • by mr_z_beeblebrox ( 591077 ) on Thursday March 17, 2005 @01:44PM (#11967394) Journal
    How long til they start using distributed hijacked PC networks to crack complex codes etc....
  • Cluster (Score:3, Funny)

    by EduardoFonseca ( 703176 ) on Thursday March 17, 2005 @01:49PM (#11967461) Homepage
    And people say that the largest computer cluster in the world runs Linux. Bah!

    Of course it runs Windows! Go Microsoft!

    *ugh*
  • by merreborn ( 853723 ) on Thursday March 17, 2005 @01:58PM (#11967593) Journal
    My father received his first couple of Sparc-based unix boxes about 4 years ago in the wake of the dot-com collapse. For one reason or another, he decided to reinstall (a somewhat old version of) Solaris from a disc he got with the system.

    A couple of days later, his cable-modem based LAN was nigh unusable; lo and behold, the unpatched Solaris box was sending out data as fast as it could. Neither of us had the technical expertise to figure out what exactly had happened, but the process that was causing all the trouble was sitting in a dir full of various tools that seemed to be doing some sort of IP range scanning and self propagation.

    If there are enough systems out there with a given hole, someone will exploit it, regardless of OS.
  • by gelfling ( 6534 ) on Thursday March 17, 2005 @02:10PM (#11967754) Homepage Journal
    I have a bunch of Win XPhome, Pro and W2K boxes @ home, fully patched, personal firewalled, my router screens what it can, in fact it blocks most every port and tosses pings from both sides. There's antispyware and AV scanners running on all desktops. And brute force scans for virus and all other malware kick off weekly. The uplink is cable (shared). Am I contaminated? You betcha. I can run any spyware tool @ random and find something and once a month I trap a virus either in the browser cache or the jpi cache on one or all of these machines.

    Shit I forgot why I wrote this - oh yeah. What is the definition of "GOOD"? So while there 1.2 globzigillion zombies out there, what is the likelihood you're actually clean? I'd say damn near zero.
    • I can run any spyware tool @ random and find something and once a month I trap a virus either in the browser cache or the jpi cache on one or all of these machines.

      I wasn't looking over your shoulder when you performed this scan, so I don't know precisely what you saw, but finding things in the browser cache is not cause for alarm. For example, if I were to rename some virus-laden executable to have the JPEG extension, reference it in an img tag in an HTML file, and pop it on a website, all browsers wou

  • by guru42101 ( 851700 ) on Thursday March 17, 2005 @02:22PM (#11967940)
    I work for a minor dialup in BFE, KY. We used to have large problems with our users getting hacked and zombiefied. But we decided since they weren't going to have a local firewall then we'd run one for them. Generally speaking Joe User doesn't need an internal SMTP server, http server, and so on. So we've got it set up now where they can connect to http, ftp, send their emails, send their IMs, play their games, and even use BT. But, a lot of things that they'll never notice are disabled for their own good. We'll occasionally have someone call about something not working and we'll then add in a rule to punch a hole for them. But I think that has been one person in the past year so far.

    I'm surprised more ISPs don't do this as we used to be overloading our pipe due to the bots but now we're using half of our pipe during peak times.

    I could see this as a potential issue for some broadband ISPs but the saved money in bandwidth is much higher than the cost of manpower
    • It's not the ISP's job to firewall. The clients are paying for an Internet connection, not a web-browsing service, so they get a damn Internet connection.

      Besides, by doing some filtering, you take responsibility. You remember, common-carrier status and all that.

  • by Electric Eye ( 5518 ) on Thursday March 17, 2005 @02:23PM (#11967974)
    ....a group of super smart nerds somehow figures out how to do the same thing to these millions of PCs, but in reverse. Somehow create a worm that turns on the XP firewall, installs MS Anti-Spy and SpyBot and whatever else is needed. Isn't this easy to do (for the geek crowd)? Every new client I get (I'm a home computer tech) is infected with massive amounts of spyware. They have NO idea. My last two clients had more than 10,000 files and programs that were deemed spyware (not including cookies). It took forever to clean these machines, esp with those damn trojans not wanting to leave. I've got years of experience so I know what to do. But 99.999% of Windoze users don't have the damndest clue. My clients can't even set up their own DSL connections. How are they going to prevent their computers from being turned into zombies? Hell, they don't even know what that means.

    It's up to the benevolent hackers or MS. My $$ is on the geeks outside of Redmond.
  • P2P Nets (Score:3, Interesting)

    by nurb432 ( 527695 ) on Thursday March 17, 2005 @03:13PM (#11968663) Homepage Journal
    So how many of these are being used for P2P serving?

    "But Judge, it wasn't me that was sharing those files"

    Before you laugh, I had a Linux 'router' broken into about 8 years ago. I of course caught it in nightly auditing, but it happened.

    Turned my machine into a porn ftp server and a bridge to break into the next person.. If I hadn't been auditing, might have been months before discovery..
  • Honeynet (Score:3, Interesting)

    by smoker2 ( 750216 ) on Thursday March 17, 2005 @03:44PM (#11969005) Homepage Journal
    From the Honeynet homepage: [rwth-aachen.de]
    More than 90% of these connection attempts were caused by a machine running Windows, whereas only about 3% could be identified as originating from Linux machines.
    The first attempt to attack one of the honeypots was noticed about ten minutes after the whole honeynet was attached to the Internet. The system was systematically searched for weaknesses (port scan) and the attacker tried to exploit a known vulnerability in the Internet Information Server (IIS). After this short period of time, an unpatched version of this server would have been compromised.
    The ports 445, 135, 137 and 139 - all belonging to Netbios, the protocol favored by the Microsoft Operating System family - see by far the most traffic.

    Apparently they were using SUSE 8 Pro and Solaris 8 as the honeypots. My issue with the BBC article is that although (as can be seen from the Honeypot site) 90% of the attacks were aimed at, or originated from, a Windows machine, the offending OS is mentioned only once.
    They (the BBC) should spell it out, so that the general public actually gets notified officially, and thus make it a well known issue among non-IT literate people.
