FBI Releases Results of Operation Bot Roast 189

coondoggie writes to tell us that the FBI has released the findings of their recent botnet study and have identified over 1 million botnet crime victims. "The FBI is working with industry partners, including the Computer Emergency Response Team Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Microsoft and the Botnet Task Force have also helped out the FBI. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity, the FBI said in a statement. Bots are widely recognized as one of the top scourges of the industry. Gartner predicts that by year-end 75% of enterprises 'will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses.'"
This discussion has been archived. No new comments can be posted.

  • Skip the spammy site (Score:5, Informative)

    by Anonymous Coward on Wednesday June 13, 2007 @01:59PM (#19494457)

    and go straight to the source
    http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm [fbi.gov]
    • Re: (Score:2, Funny)

      by easyTree ( 1042254 )

      The majority of victims are not even aware that their computer has been compromised or their personal information exploited,
      Indeedy, I seem to recall, a while back, 'hearing' of someone running an xdcc server on an fbi box..
      • Having scanned through the entries in this topic, I see it has moved on from the tired old "bash Microsoft" and "extol Linux" rot. Then there are a few suggestions about how to track botnets and shut them down. The FBI 1 million infections number has been quoted as a US-centric benchmark.

        A few months back a botnet herder in Europe went down for running ONE 1.5 million seated botnet. The global botnet infection numbers are therefore in the tens to hundreds of millions of infected machines. Forget about wh
    • by HTH NE1 ( 675604 ) on Wednesday June 13, 2007 @02:10PM (#19494641)
      Anyone else think this will start a new wave of phishing where botnet controllers send e-mail messages out forged as coming from FBI.gov to people telling them their machines are infected with bots (linking to the URL in parent) and that they need to install the program attached to the e-mail that is claimed to remove the offending software but in fact turns your machine into another zombie?
      • by yuna49 ( 905461 ) on Wednesday June 13, 2007 @03:35PM (#19495935)
        It wouldn't get too far in our mail system. We don't accept mail with From addresses in fbi.gov or irs.gov unless they originate on those agencies own servers. Mail coming from a server in rr.com claiming to be "From: fixyourcomputer@fbi.gov" is going to be dropped on the floor.

        There have already been tons of viral messages from these two domains over the past few years. One of the big Windows worms ("Slammer," if I recall correctly) was often mailed out with an fbi.gov From address. Forging irs.gov messages is common among phishers.
        • by bob_herrick ( 784633 ) on Wednesday June 13, 2007 @04:04PM (#19496459)
          FTFA

          The FBI will not contact you online and request your personal information so be wary of fraud schemes that request this type of information, especially via unsolicited emails. To report fraudulent activity or financial scams, contact the nearest FBI office or police department, and file a complaint online with the Internet Crime Complaint Center, www.ic3.gov.
          • by HTH NE1 ( 675604 )

            FTFA

            The FBI will not contact you online and request your personal information
            But you don't need to provide any personal information to install a trojan.
        • Basically, what the parent is talking about is SPF - Sender Policy Framework [openspf.org]
          • by yuna49 ( 905461 )
            In our case, we instituted these rules for fbi.gov and irs.gov long before SPF came into being, but yes, SPF would help alleviate this problem nowadays.
          • by Intron ( 870560 )
            Nope, no spf on fbi.gov or irs.gov.

            dig -t TXT fbi.gov
            QUERY: 1, ANSWER: 0

            dig -t TXT irs.gov
            QUERY: 1, ANSWER: 0
            • I didn't say those hosts had SPF records, what I was saying is that what the parent is doing is basically a simple form of SPF.

              And yes, they should have those records. There are naysayers about SPF's effectiveness with valid arguments, but I think the "big fish" on the Internet should have records on their hosts.
            • by yuna49 ( 905461 )
              Not too long ago one of our clients was unable to receive mail from some fellow attorneys in the IRS. Turns out that their outbound server not only doesn't have an SPF record, it didn't even have reverse DNS resolution configured! So all the mail from the attorney at the IRS was blocked by our irs.gov rule. I now have a special whitelisting rule for the subnet in which that server resides.

              I was impressed by the level of incompetence displayed here. Hell, some major email services like AOL won't usually
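The rule yuna49 describes (drop mail claiming a From address in fbi.gov or irs.gov unless it arrives from the agency's own servers, with a whitelisted subnet for the one IRS server that had neither SPF nor reverse DNS) is in effect a hand-written SPF policy, as the follow-up notes. The following Python is an added illustration written for this thread, not code posted by any commenter: it evaluates a minimal SPF record (ip4/ip6/all mechanisms only) and falls back to a local per-domain rule when the domain publishes no record, which is the situation the dig output above shows for fbi.gov and irs.gov. All TXT records, networks and the domain example-agency.test are constructed (RFC 5737 documentation addresses), and the lookup never touches DNS.

```python
import ipaddress

# Constructed TXT answers standing in for DNS; nothing here is a real record.
# The dig output quoted in the thread showed no TXT records for fbi.gov and
# irs.gov, so both are modelled as publishing no SPF record at all.
CONSTRUCTED_TXT = {
    "example-agency.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "fbi.gov": [],
    "irs.gov": [],
}

# Hypothetical local rule of the kind yuna49 describes: mail whose From domain
# is listed here is accepted only from the agency's own networks.
LOCAL_RULE = {
    "fbi.gov": [ipaddress.ip_network("192.0.2.0/24")],
    "irs.gov": [ipaddress.ip_network("203.0.113.0/25")],
}
# Hypothetical exception for an agency server outside those networks that has
# neither SPF nor reverse DNS (the IRS attorney incident in the thread).
LOCAL_WHITELIST = {
    "irs.gov": [ipaddress.ip_network("203.0.113.192/26")],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, sender_ip, txt_lookup=CONSTRUCTED_TXT.get):
    """Minimal SPF evaluation implementing only ip4, ip6 and all.

    A full evaluator also resolves a, mx, include, exists and redirect through
    DNS; this version reports those as 'permerror' so they are never silently
    treated as a non-match.
    """
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in (txt_lookup(domain) or [])
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"          # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"     # RFC 7208: more than one record is an error
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            # ip_network(...) handles both a bare address and a prefix; an
            # address of the other IP version is simply not contained.
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"     # mechanism this evaluator does not implement
    return "neutral"           # record exhausted without a match


def accept_mail(from_domain, sender_ip):
    """Return (decision, reason) for a message whose From domain is from_domain."""
    ip = ipaddress.ip_address(sender_ip)
    result = spf_result(from_domain, sender_ip)
    if result == "pass":
        return ("accept", "spf pass")
    if result == "fail":
        return ("reject", "spf fail")
    # No usable SPF verdict: fall back to the local rule for protected domains.
    if from_domain in LOCAL_RULE:
        if any(ip in net for net in LOCAL_RULE[from_domain]):
            return ("accept", "local rule: agency network")
        if any(ip in net for net in LOCAL_WHITELIST.get(from_domain, [])):
            return ("accept", "local rule: whitelisted subnet")
        return ("reject", "local rule: %s claimed from outside its networks" % from_domain)
    return ("accept", "no policy (spf %s)" % result)


if __name__ == "__main__":
    # A forged fbi.gov From address sent from a non-agency network is dropped,
    # matching the "From: fixyourcomputer@fbi.gov via rr.com" case above.
    for dom, ip in [("fbi.gov", "198.51.100.7"), ("fbi.gov", "192.0.2.9"),
                    ("irs.gov", "203.0.113.200"), ("example-agency.test", "192.0.2.9")]:
        print(dom, ip, accept_mail(dom, ip))
```

The local rule only matters when SPF gives no verdict; once a domain publishes a record with a hard fail, the whitelist is no longer consulted, which is the point the thread makes about the "big fish" publishing records.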
        • We don't accept mail with From addresses in fbi.gov or irs.gov unless they originate on those agencies own servers.
          Well, based on the report, it is entirely possible that the messages WILL originate on those agencies' own servers.
      • Usually it's pretending to be from Microsoft or AOL or your ISP or McAfee (though some of the mail I get claiming to be from McAfee is because I'm using a different anti-virus product at home this year :-) So the FBI is another authority that scammers can tell the gullible that they're working for.


        If enough different authorities get forged, maybe the gullible will believe them less often...

      • by Adam9 ( 93947 )
        FWIW, here's the email I received from Microsoft with certain information removed.

        -----BEGIN PGP SIGNED MESSAGE-----
        Hash: SHA512

        VIA EMAIL:

        Date: --- May 2007

        URL address: IRC://----/#----

        Dear Sir or Madam,

        Microsoft Corporation has received information that a host/domain name registered to/by your company is acting as an IRC server controlling a network of computers compromised with an unauthorized backdoor, commonly referred to as a 'botnet'. Botnets are often controlled in violation of criminal laws and co
  • by QuantumG ( 50515 ) <qg@biodome.org> on Wednesday June 13, 2007 @02:03PM (#19494535) Homepage Journal
    There would be an RFC for getting an email address for an ip address and it wouldn't take an expert to figure out how to contact the right person when you see a machine doing something it shouldn't.

    • Every IP address belongs to a block that has been assigned to some ISP.

      Simply find the block containing that IP address and then find the ISP controlling that block.

      Now, whether the ISP is going to spend any time (time == money) on dealing with the problem is the next issue.
    • IPs resolve by WHOIS if they have been properly SWIPed.
    • by elrous0 ( 869638 ) * on Wednesday June 13, 2007 @03:12PM (#19495603)
      I thought of myself as an expert until a few months ago. I have good antivirus/malware software, only use Firefox, never do stupid things like opening attachments with executable extensions, etc. Hell, I even have a wired network in my house to protect against wardrivers.

      Then a few months back I get word from my credit card company that someone had hacked into my account online (using my username and password), changed my billing address to someplace in NJ, then proceeded to try to charge a bunch of stuff on the account (luckily the CC company caught on to them and locked it down). I couldn't figure out how they did it.

      Then a few months after that, I started to notice my computer acting strange. My router would be showing HEAVY activity even when I wasn't doing anything and Windows wasn't downloading updates. Eventually, I realized that someone must had botted my computer (still don't know exactly what they were up to, but I'm sure it involved sending out letters from an innocent Nigerian official just wanting people to help him transfer some money). That's how they got my account info for my credit card.

      Anyway. I wiped the whole system clean (even tried out Linux for a while, but didn't care for it) and now the problem is gone. But it still makes me nervous as Hell. What drives me crazy is that I can't figure out how they did it. But, as a hacker friend once said: If it's on a network, it can be hacked--period.

      • Oohh, oooh, analogy time!

        "I accidentally got my girlfriend pregnant by pulling out too late. After giving the kid up for adoption, we tried using a condom, but I didn't care for it, so now I'm back to pulling out, and hoping she doesn't get pregnant, because I really don't know what happened the first time."
      • Found your problem (Score:4, Informative)

        by symbolset ( 646467 ) on Wednesday June 13, 2007 @05:15PM (#19497601) Journal

        ... and Windows wasn't ...

        It's right here.

        ... I wiped the whole system clean ...

        That's a good start. If you're going to insist on using Windows, wiping and reinstalling on a regular basis is a must. I recommend at least annually. More often if you use Yahoo search, flash games or shareware. If you use AOL or MSN and chat or IRC, you may as well boot from the Windows install CD each day.

        Getting it set up the way you like it, and creating an "image" file of that setup with Symantec Ghost or something like it makes the process a lot less painful.

        Or you could try actually solving the problem [ubuntu.com], but I note from your post you don't care for that answer for some non-specified reason.

        If you do ecommerce from a platform you know to be insecure, don't expect everyone here to lobby for legal solutions to your technical problem.

        • If you're going to insist on using Windows, wiping and reinstalling on a regular basis is a must.

          From TFA

          Microsoft and the Botnet Task Force have also helped out the FBI.
          It's nice to see Microsoft hasn't taken sides on this issue. They're helping the FBI too.
      • by Intron ( 870560 )
        What mail client do you use?

        As the magic 8-ball says: "Outlook not so good"
      • Yup, seems the only thing to do is to keep your data on another physical / logical drive and reinstall frequently.

        I do it once a month.

        Slipstreamed and updated DVDs (keep up to date by using a Linux partition / virtual machine) ease the pain.

        Oh, a decent firewall (not M$) helps too... You'll (probably) spot the nasty stuff trying to get out.

        Before the 'use a virtual machine to surf' fanboys jump all over me - yeah, I do that too...
      • You didn't wipe your computer when you found out your online bank account was hacked. wow.

        This is why there will always be botnets out there. People like the parent that just don't care.

      • only use Firefox

        Do you use NoScript? There have been some Firefox vulnerabilities of late, and everything has zero-days in it.

        You also don't mention your firewall/NAT setup. I assume you know one doesn't run a Windows machine naked on the Internet.

      • Many reasonably well managed Windows machines still get hit. It is also possible to be infected with something not detected by standard antivirus programs, or by something that does not currently show any obvious side-effects. To lower risk as far as possible, avoid using any Windows machines for browsing or accessing any internet applications.

        If you must access the internet from a machine on the same network as a Windows computer, consider doing so only from one running another OS. Use of browser plugin
  • by DamonHD ( 794830 ) <d@hd.org> on Wednesday June 13, 2007 @02:03PM (#19494555) Homepage
    I would have thought that a nice call from the FBI to the CxOs of the main appropriate ISPs and a selection of those users on the fastest connections (ie with the most capacity to be damaging) would have a salutary effect.

    And then a follow up with negligence-related charges for those who refused to give a f**k maybe?

    Rgds

    Damon
    • Since the FBI can identify the machines to the ISP, it should be simple for the ISP and FBI to work together to track traffic to/from those machines.

      First off, put them on their own network. Sure, this might clue the Zombie Master that something's happening, but maybe not.

      Then, monitor the inbound/outbound traffic. If they're doing things like sending spam, block it. A DDoS attack? Block it.

      Then work backwards to find the sites controlling the zombies.

      It would probably be a LOT cheaper to do it that way tha
      • Re: (Score:3, Insightful)

        by plover ( 150551 ) *
        The problem with this approach is it's borderline vigilantism.

        I'd love it if ISPs would set snares for bot-infested computers, and technologically it's not hard: nobody at home-66-99-11-22.comcast.net should ever be forwarding packets from any external networks, let alone a hundred random networks a second. And some ISPs do trap that traffic and block it. But apart from DDoS attacks, what constitutes "legitimate" from "illegitimate" traffic? Connecting on odd ports to distant machines? That's how the
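The ISP-side monitoring sketched two comments up (isolate the flagged machines, watch their inbound and outbound traffic, block spam and DDoS floods, then work back to the controllers) and plover's heuristic here (a home line should never be emitting packets sourced from external networks) both come down to rules over flow records. The Python below is an added example written for this thread, not code from any commenter or from any ISP: it runs three such rules over a constructed set of flow records (a host opening SMTP sessions to many distinct servers, a host flooding one destination, and a line emitting packets with foreign source addresses). The customer prefix, line identifiers and every address are constructed, and the thresholds are placeholders a real deployment would tune against its own baseline.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One exported flow record: time (s), the customer line it arrived on, and the
# 5-tuple fields a detector needs. Shape and data are constructed for the example.
Flow = namedtuple("Flow", "t line src dst dport proto")

# Hypothetical pool of customer addresses (RFC 5737 documentation range).
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")


def constructed_flows():
    flows = []
    # Benign: a short browsing session from 192.0.2.20.
    for i in range(5):
        flows.append(Flow(i, "line-20", "192.0.2.20", "203.0.113.%d" % (10 + i), 443, "tcp"))
    # Spam pattern: 192.0.2.10 opens SMTP to 25 different mail servers in 25 s.
    for i in range(25):
        flows.append(Flow(i, "line-10", "192.0.2.10", "203.0.113.%d" % (100 + i), 25, "tcp"))
    # Flood pattern: 192.0.2.11 starts 150 flows to one web server within 10 s.
    for i in range(150):
        flows.append(Flow(i % 10, "line-11", "192.0.2.11", "203.0.113.5", 80, "tcp"))
    # Forwarding pattern: line-12 emits packets whose source is not its own
    # address but 30 different outside networks (constructed 10.x.0.0/24 blocks).
    for i in range(30):
        flows.append(Flow(i, "line-12", "10.%d.0.1" % i, "203.0.113.7", 53, "udp"))
    return flows


def spam_suspects(flows, window=60, min_distinct=20):
    """Customer hosts opening outbound SMTP to many distinct servers per window."""
    seen = defaultdict(set)  # (src, window bucket) -> distinct destinations
    for f in flows:
        if f.proto == "tcp" and f.dport == 25 and ipaddress.ip_address(f.src) in CUSTOMER_PREFIX:
            seen[(f.src, int(f.t // window))].add(f.dst)
    return sorted({src for (src, _), dsts in seen.items() if len(dsts) >= min_distinct})


def flood_suspects(flows, window=10, min_flows=100):
    """Customer hosts driving an abnormal number of flows at a single destination."""
    count = defaultdict(int)  # (src, dst, window bucket) -> flow count
    for f in flows:
        if ipaddress.ip_address(f.src) in CUSTOMER_PREFIX:
            count[(f.src, f.dst, int(f.t // window))] += 1
    return sorted({(src, dst) for (src, dst, _), n in count.items() if n >= min_flows})


def forwarding_suspects(flows, min_networks=10):
    """Customer lines emitting packets sourced from outside the customer prefix.

    Counts distinct foreign /24 source networks per line, since a single
    misaddressed packet is noise but dozens of networks per minute is not.
    """
    nets = defaultdict(set)  # line -> distinct foreign /24 source networks
    for f in flows:
        if ipaddress.ip_address(f.src) not in CUSTOMER_PREFIX:
            net = ipaddress.ip_network("%s/24" % f.src, strict=False)
            nets[f.line].add(str(net))
    return sorted(line for line, s in nets.items() if len(s) >= min_networks)


def triage(flows):
    """Run all three rules; the result is what an ISP abuse desk would act on."""
    return {
        "spam": spam_suspects(flows),
        "flood": flood_suspects(flows),
        "forwarding": forwarding_suspects(flows),
    }


if __name__ == "__main__":
    for rule, hits in triage(constructed_flows()).items():
        print(rule, hits)
```

Note that the benign browsing host never appears in any result: the rules key on volume against a single port or destination, or on source addresses that cannot legitimately originate on a customer line, rather than on "odd ports to distant machines", which is exactly the traffic plover points out a rule cannot classify on its own.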

    • My conspiracy theory (Score:5, Interesting)

      by A nonymous Coward ( 7548 ) * on Wednesday June 13, 2007 @03:08PM (#19495543)
      A. Everyone "knows" that the NSA is doing its utmost to listen to all internet traffic.

      B. It would do the NSA no good to listen to everything without filtering out the 99.999% which is irrelevant. Ergo, they must have pattern filters.

      C. Botnets must be a big part of the filtered traffic.

      D. NSA must be aware of botnets, their patterns, their control channels, their zombie elements.

      E. Yet botnets continue.

      F. The NSA must want them to continue unmolested.

      The NSA knows how botnets work, and could hijack them at any time. The only reason to do so is to keep them in reserve for their own use.

      I suggest the NSA would hijack botnets for counterattack if the US nets were attacked by another country.

      That's my conspiracy theory, I hope you like it.
      • Maybe the NSA systems are part of a botnet too!
        • OMG I hadn't thought of that .... one botnet to rule them all. Or maybe all the botnets got together to share the NSA botnet so none of them could take over all the others.

          Criminy thsi is skk k kk ary.
        • by rthille ( 8526 )
          Yeah, from what I've seen of day-to-day Government competency, I'd imagine most of the NSA machines are part of botnets.
      • D. NSA must be aware of botnets, their patterns, their control channels, their zombie elements.

        E. Yet botnets continue.


        The NSA has neither the jurisdiction nor capability to stop domestic botnets. And they're not going to be helping the overseas folks fer nuthin'.
    • by Nikker ( 749551 )
      Once I think the cost of having a Government employee call, track and note every member of a bot-net this size, I start to think that it might be cheaper to subsidize a firewall/router.

  • seems low (Score:3, Insightful)

    by wizardforce ( 1005805 ) on Wednesday June 13, 2007 @02:04PM (#19494565) Journal
    1 million in botnets/[100 million?] in at least the US so that works out to about 1% by crude estimation so does anyone else think these numbers are a bit low? especially since

    Google's Ghost in the Browser study looked at over 4.5 million Web pages, and found that 10% of them were capable of activating malicious codes and 16% were suspected to contain codes that might be a threat to computers.

    how many computer users don't patch/update their computers or use a very old version? how many of those wouldn't know if they were infected or have an infected computer as it is?
    • Re: (Score:3, Interesting)

      by sdnoob ( 917382 )
      "over 1 million botnet crime victims."

      only 1 million victims?? i do believe there are far more than 1 million addresses in these scumbags mailing lists. *everyone* who's gotten spam out of one of these botnets is (also) a victim... not just the poor saps who got winjacked(tm).
    • They said they'd found a million of the things - they weren't claiming to have caught all the zombies in the country or world. It's a good start, especially if they can get them cleaned up and watch for attempts at re-infecting them. It may be the low-hanging fruit, and they busted a couple of the zombie operators, which is good.

      Of course, busting the operators also means there'll be some thousands of zombies out there who are waiting for Master to tell them what to do next, and some of them may get explo

  • Who knows how the FBI will contact these victims, but by announcing that they will be contacting them, I foresee numerous phishing attempts from fbi.com (a blank site, last I checked).


    Warn the kids and wake the neighbors. Be suspicious of any e-mail posing as the FBI and wanting a response by clicking an URL, fbi.gov or otherwise.

  • Solution (Score:4, Funny)

    by LoyalOpposition ( 168041 ) on Wednesday June 13, 2007 @02:10PM (#19494649)
    Dear Computer Owner,

                Your computer has been determined to be infected by a malicious program that gives control to another person. Please double-click on the link to find out how to get your computer disinfected.

    FBI

    No. Really.
    • Re:Solution (Score:5, Funny)

      by Novotny ( 718987 ) on Wednesday June 13, 2007 @02:15PM (#19494729)
      Where's the link? How can I click it if there's no link?
    • Re: (Score:2, Funny)

      "Gartner predicts that by year-end 75% of enterprises 'will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses.'"

      Dear computer owner:

      The computer industry has been determined to be infected by malicious 'analysts' who make a living out of regurgitating the same old news every year. God forbid they actually do something constructive for a change.

    • Re: (Score:3, Interesting)

      by mr100percent ( 57156 )
      This brings up a serious question, what would the FBI recommend to disinfect the machines? AdAware? Windows Defender? Norton?
      • by blhack ( 921171 )
        there is a tool i have heard of called "lunix" or something like that that is supposed to do that job.

        But i've heard that you have to download it from those shady Pirate 2 Pirate networks, so its probably a virus!
      • by zCyl ( 14362 )

        This brings up a serious question, what would the FBI recommend to disinfect the machines? AdAware? Windows Defender? Norton?

        Thermite.
      • what would the FBI recommend to disinfect the machines? AdAware? Windows Defender? Norton?

        You can't disinfect a Windows machine with any reliability. Zero the drive, re-install, update offline, and reinstall all your apps and data. Repeat as necessary.
      • by dodobh ( 65811 )
        This [openbsd.org]
  • "Victims" ? (Score:2, Interesting)

    by Anonymous Coward
    Is the victim the person whose computer is serving spam, or the person whose computer is receiving spam?

    Who is the real victim here?
  • From TFA:

    A botnet is a collection of compromised computers under the remote command and control of a criminal "botherder." Most owners of the compromised computers are unknowing and unwitting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware.

    Hmm... I didn't realize that the FBI was investigating the RIAA an

  • I have said it before here, and i will say it again. People really need to be held accountable for what damage is caused by their ignorance. If my car comes flying through your bedroom window at 30 miles an hour because I parked it at the top of a hill in neutral, should General Motors be responsible? No.

    Likewise, if i leave a completely unprotected winbox up on the internet and it gets rooted, should Microsoft be held responsible (which seems to be what some of you think)?

    In both cases harm has been caus
    • by swb ( 14022 )
      What you leave out in your analogy is that bots are the result of third-party malicious action.

      In your car analogy, the owner reasonably believed that when the car wasn't running, it wouldn't go anywhere and a THIRD PARTY pushed the car such that it rolled down the hill.

      Ordinary users THINK that their machines aren't vulnerable and thus do nothing, which in and of itself isn't a problem until someone else breaks in and turns them into bots.

      • by blhack ( 921171 )

        In your car analogy, the owner reasonably believed that when the car wasn't running, it wouldn't go anywhere and a THIRD PARTY pushed the car such that it rolled down the hill.
        True. I suppose that the analogy could be changed to say: "if i leave my doors unlocked, and my house gets robbed, is it the contractor that installed the locks fault?"

        better?

        The mechanisms to prevent your computer from getting rooted are in place. People just don't use them.
        • True. I suppose that the analogy could be changed to say: "if i leave my doors unlocked, and my house gets robbed, is it the contractor that installed the locks fault?"

          better?


          Quite often it's more like "If I have a standard lock on my front door and a burglar bumped [wikipedia.org] it, is it the fault of the contractor for installing an insecure lock? What if the lock company issued a recall on the locks because of said insecurity?
    • by Orlando ( 12257 )
      If my car comes flying through your bedroom window at 30 miles an hour because I parked it at the top of a hill in neutral, should General Motors be responsible?

      I don't agree that this is a fair analogy. A more appropriate analogy would be that General Motors sells you a car that you believe to be the most up to date, leading model, only for it to be stolen the next day by some 14 year old oik who knows that he can open the rear passenger door just by tapping on the lock with a screw driver.

      I am fed up wit
  • by dpbsmith ( 263124 ) on Wednesday June 13, 2007 @02:29PM (#19494943) Homepage
    ...that OS/2 would be the dominant operating system by, IIRC, 1993 or thereabouts.

    I just did some Googling on things like "bad Gartner predictions" and "missed Gartner predictions" or '"Gartner predictions" scorecard' hoping that someone had tried to keep tabs on them, but found to my disappointment virtually no relevant hits. Everyone discusses them in the months after they're released, nobody seems to check back even as recently as a year.

    Of course, with predictions like these for 2002 [gartner.com]... "During 2002, leading-edge businesses will exploit application integration to generate business innovation...." how the heck would anyone ever figure out whether or not it was fulfilled?

    I can't believe people pay Gartner for this stuff.

    • I can't believe people pay Gartner for this stuff.

      Heh, pick up a copy of anything by Tom Peters or his ilk. People who buy those books also pay money for Gartner analysis reports. At least Tom Peters came right out and said that he had no idea what he was talking about [fastcompany.com] when he wrote his first book. I think it's going to take a lot of people screaming "The analysts have no clothes!" (clues?) before people start questioning Gartner, though.

      • I have discovered a fantastic, accurate way to predict future trends in information technology. The basic principle is to find a Gartner quote on the subject matter in question and then take the opposite viewpoint. You will find that you are correct on average 98.724% of the time, which in such a fast-moving industry is a pretty good score.

        On the flip side, you have to (grudgingly) admire them for making a successful enterprise funded exclusively by PHBs.
    • by PPH ( 736903 )

      I can't believe people pay Gartner for this stuff.

      They almost have to. Its a CYA tactic. If you do something stupid and you don't have a Gartner recommendation to back you up, you catch the blame. If you can back it up with a report, you can blame it on their bad advice.


      I used to love the Gartner (and other analysts) material. I could always find something to back up my decisions.

  • It's amazing people still write headlines and article summaries without mentioning the enabling technology in question.

    When the monopoly is finally busted, I guess it will no longer be implicit that "We're talking about Windows, of course."
    • Yeah man, M$ is so slow at sending out patches, and even if they do make the patch, it doesn't mean people are going to download them. If they had just created it right from the start, they wouldn't have to do the crappy whack-a-mole. When is M$ going to fix their OS? Oh, 5 months ago? Oops...
  • by twitter ( 104583 ) on Wednesday June 13, 2007 @02:39PM (#19495093) Homepage Journal

    That they are looking into the problem is a good start. Gmen reading are advised to consult with the Honeynet Project [honeynet.org] and regard vector vendor "help" with suspicion. It would also be nice to see them call a spade a spade and abandon the false OS neutrality that keeps them from doing so. This is a Windows problem and the relative risks should be published. Otherwise they are lying to us and keeping information we can all use locked away. Most importantly, though, they need to clean their own house.

    • by dedazo ( 737510 ) on Wednesday June 13, 2007 @02:49PM (#19495229) Journal

      This is a Windows problem and the relative risks should be published.

      I don't know what "the relative risks" means, but since none of my Windows machines are in a botnet, and there are millions and millions of them that are not, this is not a Windows problem. It's a basic user education problem. Windows may have more attack vectors than other OSes, but that doesn't mean they are not known or are impossible to avoid. Simple common sense goes a long way. People get infected with botware because they download things they shouldn't or don't bother to keep their machines up to date by turning on automatic updates so they don't have to worry about anything.

      If you think one chmod +x is an insurmountable obstacle to turning your shiny Linux or OS X box into a bot, remember that people get infected by executables in password protected ZIP files and that all of the most massively distributed worms have all required significant user intervention to propagate. Maybe one of these days you'll inherit 800 million completely clueless users, and maybe then you'll call it a "Linux problem"?

      • As far as you know ... none of my Windows machines are in a botnet ;-)
    • The advice given to home users [us-cert.gov] (and this [cert.org]) is clearly Windows specific, even though Windows is not mentioned. They go through the usual laundry list of things which are failing corporate users, firewalls, "patches", anti-virus and so on and so forth. Way down in the glossary is a mention of "Linux" linked to the "webopedia" [cert.org].

      As I said before, these are important first steps. The information presented may be useful to novice computer users, but it's incomplete because it does not include some of the most

  • by athloi ( 1075845 ) on Wednesday June 13, 2007 @03:05PM (#19495483) Homepage Journal
    While I am fond of the users I support, I find it takes a lot of education to get them to stop falling for the most common scams: funny email attachments, phishing, and phone calls asking for their credit card numbers. They're not stupid people. They're just a little clueless and disconnected from a world that, quite frankly, bores and intimidates them.

    I would like to suggest that, whatever operating system we put on the desktop for the average person, there be some initiative to educate them in best practices computing, even if only for the 4-10 common tasks (email, websurfing, games, mp3s, pr0n, quicken, word processing) they will use. I volunteer to design and write the curriculum if there's some rational initiative to get it out there to the human herd.
  • by Bob9113 ( 14996 ) on Wednesday June 13, 2007 @03:34PM (#19495919) Homepage
    Is the FBI allowed to do this? Did they get special dispensation from the RIAA and MPAA to work on a project that appears to be completely unrelated to copyright infringement?
  • Gartner predicts that by year-end 75% of enterprises 'will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses.'"

    I think they are full of it, I am willing to bet with a linux box jacked into a mirrored port in the core that I can find bots and malware on more like 95% or better of windows based enterprises. There is not a network I have looked at in the last two years that is not owned, botted etc in some fashion.
  • by MrCopilot ( 871878 ) on Wednesday June 13, 2007 @04:25PM (#19496789) Homepage Journal
    Finding out that my PC has been Zombified, Or the FBi informing me they found my PC zombified.
  • Once you are a member of a botnet, you have been compromised and could be sharing your music files and never even know it..

    Hear that RIAA? Millions of people .. Millions.