Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Zombie Network Explosion 262

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."
This discussion has been archived. No new comments can be posted.

Zombie Network Explosion

Comments Filter:
  • by account_deleted ( 4530225 ) on Wednesday September 03, 2008 @07:51AM (#24857561)
    Comment removed based on user account deletion
  • Interesting. (Score:5, Interesting)

    by scott_karana ( 841914 ) on Wednesday September 03, 2008 @07:54AM (#24857595)

    Interesting. Far more interesting to me, however, is speculating on how botnets quadrupled in the part three months.

    • Re:Interesting. (Score:5, Informative)

      by Neil Watson ( 60859 ) on Wednesday September 03, 2008 @08:00AM (#24857661) Homepage

      I've seen a large increase in SPAM with virus payloads.

      • by Lumpy ( 12016 ) on Wednesday September 03, 2008 @08:19AM (#24857889) Homepage

        That's odd.

        I mostly have a email box full of messages that simply state...

        BRAINS!!!!

        I hate Zombie explosions, leaves festering goo all over the place.

      • So where do the gray hat ethics come into play with fixing these? I'm tired of spam. I've seen a huge spike recently, if I could figure out how to deliver a playload to these computers that would 'fix' them I'd do it in a second.

        I can't imagine that there aren't more people out there with the know how that are annoyed by this.

        • by MrNaz ( 730548 ) on Wednesday September 03, 2008 @09:10AM (#24858559) Homepage

          Yea but if you write a virus to kill their viruses, then your virus could mutate into something malicious and then spread. Then you'd need a bigger virus to kill those, and then those. Pretty soon you'd be emailing out blocks of code the size of an operating system.

          It's like in Australia. The first farmers imported beetles to kill off the local locusts, then they found that the beetles didnt die and ate crops too. So they imported cane toads, which also ended up eating all the crops. They they tried cats, which ended up just running away and eating local fauna which were much tastier than cane toads, so they brought in foxes to prey on the cats. Then the foxes became a problem so they sent all the criminals there to kill the foxes. But the criminals got bored of that pretty quickly, and that's how we got Australian rules football.

          • by antifoidulus ( 807088 ) on Wednesday September 03, 2008 @09:18AM (#24858643) Homepage Journal
            Pretty soon you'd be emailing out blocks of code the size of an operating system.

            Dude, Ubuntu spam! Thats perfect! Just create an email virus that installs Ubuntu and the botnets will disappear!
          • I KNEW Microsoft was up to some new antivirus program [slashdot.org]. The logic is elegant, and brilliant:

            - Design a new OS, oh, call it a browser if you want

            - Make it a real heavyweight, more RAM used than the host, threads everywhere, screen candy layered over screen candy, shortcuts, you name it, all to consume cycles and starve the bot software (and the viruses, etc.)

            - Botnets wither from lack of nutrition. Herders go broke. In fact, no one gets anything else done on their puters any more. No more harm! NO MORE HA

          • by Whiteox ( 919863 )

            And that's why we sent possums to New Zealand because their flora and fauna weren't stuffed up at all!
            Makes sense doesn't it?

      • I've seen a large increase in SPAM with virus payloads.

        I assume you mean SPAM as per the currently common definition, unsolicited email. I'd like to add that I've seen a big increase in virus-laden spam (in the original electronic sense) in the form of postings to usenet binary groups.

        I don't like this at all.

    • Easy (Score:5, Funny)

      by Toreo asesino ( 951231 ) on Wednesday September 03, 2008 @08:08AM (#24857751) Journal

      They've become self-aware. Run for the hills!

      • Re:Easy (Score:5, Funny)

        by Missing_dc ( 1074809 ) on Wednesday September 03, 2008 @08:26AM (#24857939)

        They've become self-aware. Run for the hills!

        Won't help, you will be found, in a week we are launching a satelite that has 41 centimeter resolution. The rocket will even have a google logo on the side.

        (OK, que the "now they can see my penis(ego) from space" jokes)

        • Re: (Score:3, Informative)

          by stjobe ( 78285 )

          Cue. Cue the jokes.

          • Re:Easy (Score:5, Funny)

            by dkleinsc ( 563838 ) on Wednesday September 03, 2008 @10:01AM (#24859341) Homepage

            No, queue the jokes. I'll process them as quickly as a feel like, thank you.

          • Re: (Score:3, Funny)

            by somersault ( 912633 )

            Colonel? You'd better take a look at this radar..

            What is it, son?

            I dunno, sir.. but it looks like a giant-

            Dick!

            Yeah?

            Take a look out to starboard.

            Oh my god, it looks like a huuuuge-

            Pecker! Wait, that's not a woodpecker, it looks like someone's-

            PRIVATES! We have reports of an unidentified flying object! It has a long, smooooth shaft! Complete with-

            Two balls!

            What is that? It looks just like an enormous-

            Wang! Pay attention.

            I was distracted, by that enormous, flying-

            Willy!

            Yeah?

            What's that?

            Well, it looks like a g

    • Re:Interesting. (Score:5, Insightful)

      by v1 ( 525388 ) on Wednesday September 03, 2008 @08:12AM (#24857795) Homepage Journal

      Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.

      We're likely to see the number decline gradually as people patch up the hole. Trends like this have a sawtooth pattern to them. Sudden jump up, and then gradual decline over time back down to where they started, and then repeats with the next new vulnerability making the rounds.

      • by Amouth ( 879122 )

        i am sure everyone here remembers the code red worm.. few remember the code green worm (the one that spread the same way the code red did but it patched the infection and prevented further infection once it made it in)

        i honestly thing it would be a good idea to start doing this - to have a group write patchs that spread in the same way the viruses do

        • Re:Interesting. (Score:5, Insightful)

          by TheRaven64 ( 641858 ) on Wednesday September 03, 2008 @08:38AM (#24858123) Journal
          In theory, it's a good idea. In practice, what happens when there's a code orange worm, one which patches the old vulnerability and then creates a new one? What happens if you're DoS'd by a load of Code Green worms all looking for machines to disinfect?
          • Re: (Score:3, Interesting)

            by Amouth ( 879122 )

            yea i know it is almost a taboo thing.. everyone thinks about doing it .. but no one does.. but in reality.. if they can monitor these bot nets and the command and control servers.. why not hijack the command and control servers to distribute the patchs to the bots it controls.. use their own power to take them out.

            while the idea of spreading them in the wild seems bad because of the load on nutral or non effected hosts.. if they used the botnet to patch the botnet.. then that should elminate the issue wit

            • Re: (Score:3, Interesting)

              by Captain Spam ( 66120 )

              yea i know it is almost a taboo thing.. everyone thinks about doing it .. but no one does.. but in reality.. if they can monitor these bot nets and the command and control servers.. why not hijack the command and control servers to distribute the patchs to the bots it controls.. use their own power to take them out.

              A fair idea, but it's not that simple... modern botnets use encryption... the controller and bots share an encryption key... without proper encryption, the bot will ignore all orders because they know they didn't come from the original controller...

              So all the controller would need to do... is patch the problem that got them in the system in the first place... that'll stop others from exploiting it to put new instructions in... then, by encrypting all their commands... they ensure... insofar as they can do s

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          It's a poor idea because of liability issues, and the fact that altering the data in a computer without authorization is illegal. It also provides a defense for the bad guys (e.g. they write a "patch" with a subtle flaw in it, then claim it was with the best of intentions).

          What if a "benign" patch takes a server down and it was performing a critical function, and lives are lost (e.g. an ambulance routing service) - who is liable? Arguing that the server was vulnerable anyway to some other malware won't ge

        • Re:Interesting. (Score:4, Insightful)

          by Fex303 ( 557896 ) on Wednesday September 03, 2008 @09:06AM (#24858497)

          i am sure everyone here remembers the code red worm.. few remember the code green worm (the one that spread the same way the code red did but it patched the infection and prevented further infection once it made it in)

          i honestly thing it would be a good idea to start doing this - to have a group write patchs that spread in the same way the viruses do

          I'd never heard of Code Green, but I do recall Welchia [wikipedia.org].

          And that was terrible. It did bizarre things to some people's computers, crushed LANs as it tried to spread, and as bonus made up a substantial amount of net's traffic for a while.

          While it's a cool idea in theory, in practice it ends up very inelegant, very fast.

      • Re:Interesting. (Score:5, Insightful)

        by M1rth ( 790840 ) on Wednesday September 03, 2008 @08:37AM (#24858107)

        Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.

        Before someone jumps on the "everyone should use Linux" bandwagon, Windows has over 90% of the market. Windows also has much more of the casual user market and much less of the enthusiast market - and the casuals don't keep a hawklike watch on their system.

        Therefore, if you want to make a big botnet, compromising Windows is the way to go.

        Someone found a new vulnerability, but didn't publicize it. Or they're exploiting the same old vulnerabilities (PICNIC, blank admin passwords, etc) and just stepped up their efforts again.

        If your machine's admin password is blank and you're not behind a NAT, you are completely exposed. All the botnet guys have to do is get into the system through XP Pro's originally configured default drive shares and replace one commonly used file (say, a favorite new video game) with their payload. The user reinstalls the game figuring it got corrupted and it wipes out how they originally got in - but they're already in the system with a rootkit installed from the time the user tried to run your game, and it's a bot.

        The unfortunate reality is that the largest vulnerability is, and will be, the human element. They want their login to be "easy" - so anyone who gets physical access to the machine gets root access with no password credentials, or they use a trivially-cracked password. They want to "simplify" their security arrangements. They trust an email sent by their friends (or sometimes even spoofed to look like it came from themselves) or "system administrator at your domain."

        End result? More vulnerabilities.

        Unfortunately, the "solution" involves either telling a lot of crybabies "no, you can't have it this way" or else changing human nature. And it's not in human nature to stand up to the crybabies (actually, an actual corporation never would - it's "bad customer relations.")

        • >If your machine's admin password is blank and you're not behind a NAT, you are completely exposed.

          As of XP Service Pack 2, the built-in software firewall is on by default, and blank passwords disable network logins. Not that the security posture of the typical home machine is anything we'd consider decent, but it's not the same as running sshd with a blank root password would be.

      • Re: (Score:2, Informative)

        by bazonic ( 463550 )

        Probably safe to assume a new hole was found in something windows-ish and is making the rounds...

        Yep. It's called "users." If I had a dollar for every time a relative or friend downloaded free animated smileys or a free game that completely compromised their system, I'd be able to, well, buy an iPod Shuffle. "Why is my system running so slow?" And that's just the stuff they invited into their machines.

      • Re:Interesting. (Score:4, Insightful)

        by gad_zuki! ( 70830 ) on Wednesday September 03, 2008 @09:48AM (#24859123)

        Why would you need a hole? All you need to do is write the executable, put it on the web, and send out an email about "greeting cards" or "photos of hot chicks." When all users run as admin by default then there's really no reason to go for anything than a simple download. This is why companies take away admin access from their users and why XP is much, much worse than Vista, by default.

      • There's that new "antivirus XP" thing doing the rounds. I bet loads of people have been stupid enough to click on that.

    • Not really (Score:2, Troll)

      by WindBourne ( 631190 )
      THere is only one possible explanation; Vista is making inroads, and the botmasters have new openings on it. No other system is growing that fast (vista is being forced onto new systems by MS). And if it was an old base of some system (say XP), then it would grow MUCH MUCH faster.
  • by oldspewey ( 1303305 ) on Wednesday September 03, 2008 @07:54AM (#24857599)
    Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.
    • by John Hasler ( 414242 ) on Wednesday September 03, 2008 @07:57AM (#24857615) Homepage

      "if it's not running Linux it's zombied"

      It isn't that easy. It might also be running BSD.

      • Zombies are corpses that have been revived and BSD is said to be dying [[Netcraft citation needed]]. I'm pretty sure they can meet somewhere in the middle. ;-P

      • Re: (Score:2, Funny)

        by ksd1337 ( 1029386 )
        Ha. We have zombie computers with Windows, and we have demons with BSD. What next, cute little penguins with Linux com... oh wait, never mind.
    • by account_deleted ( 4530225 ) on Wednesday September 03, 2008 @07:57AM (#24857617)
      Comment removed based on user account deletion
      • by blueg3 ( 192743 ) on Wednesday September 03, 2008 @08:14AM (#24857823)

        With botnets, you can get a pretty good idea by comparing external network logs to user-initiated communication. If they're not talking to their C&C, they're not doing much.

      • Re: (Score:2, Interesting)

        Actually being able to turn off my modem by putting it on stand by, and using zonealarm to monitor outgoing traffic requests, lets me see what sort of traffic i have, if I am owned, then it will not be communicating, and I usually do a full reinstall from my backup cds every 3 months, so that in the event i did get owned, i will be only for a short time. At the 3 month interval i also change all the passwords to my accounts. So if someone did have access, they are cut off.

        Now however, I do use vmware, and a

    • by TheThiefMaster ( 992038 ) on Wednesday September 03, 2008 @07:57AM (#24857627)

      If their internet activity light is flashing when they're not doing anything.

      It's surprisingly accurate.

      • by ultranova ( 717540 ) on Wednesday September 03, 2008 @08:13AM (#24857809)

        If their internet activity light is flashing when they're not doing anything.

        How can you know that they're not "doing anything" ? They could be downloading patches, an e-mail client could be checking for new mail, an instant messenger client could be exchanging "are you still there" packets with the server, the DHCP client could be renewing the lease, etc.

        This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.

        • by TheRaven64 ( 641858 ) on Wednesday September 03, 2008 @08:43AM (#24858189) Journal

          This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.

          Not really. Most operating systems allow you to monitor disk activity in software. If this is showing nothing, but the disk light is on, then there's a good chance there's a rootkit hiding certain activity. Same with network usage. If your operating system thinks there's no activity, but the network card thinks there is, something very bad is probably going on. If your OS and your network card agree that there is network traffic, then you can try identifying it. Once you shut down everything that ought to be generating traffic, then you can analyse the rest quite easily (on a big network, expect around 10KB/s of multicast DNS).

          Of course, this doesn't help if it's an application that's been trojaned. You probably wouldn't notice if your IM client, for example, has been infected and patched to initiate secondary connections. You can try using something like netstat (no idea what the Windows equivalent is) and find every remote host each application is connecting to, and check them against what you expect (if your IM client is connecting anywhere other than your IM server in the background it's probably malware or skype, but I repeat myself).

        • Works well enough on a single non networked box, and apart from the DHCP the rest are easy enough to switch off for a few minutes. Had a similar concern a few days ago when I noticed a lot of traffic going through my router even though I knew I was not running anything that should be using it - process manager didn't show any of the usual culprits (auto updates) so I checked the network traffic with a network monitor. It showed a ton of traffic hitting my router on the port that my torrent client (which I h

    • by syousef ( 465911 ) on Wednesday September 03, 2008 @08:13AM (#24857803) Journal

      Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

      No, but you could teach them quickly even if they didn't fully understand what they are doing. Simple recipe
      1. Turn off PC for half an hour
      2. Start it up, and start your network connection. Do not start web browsers or other happs
      3. Open up a command prompt from Start-Run
      4. Type netstat -a and look for connections
      5. Repeat step 4 several times over an one hour period

      Now some connections may be software updating (eg. antivirus) but discounting that if you have lots of open connections or they're regularly changing, you have to assume it's probably owned.

      • Re: (Score:3, Interesting)

        by HAKdragon ( 193605 )
        You can also add a number to the end of the netstat command to tell how netstat how often to update (in seconds). So "netstat -a 60" will update the stats ever minute.
    • by v1 ( 525388 ) on Wednesday September 03, 2008 @08:15AM (#24857833) Homepage Journal

      If you are only interested in actively used botnets (for DDoS and spam for example) then when you plug in the ethernet cable the router lights go mad, that's a good sign its pwned.

      You can't really look at the network usage using tools ON the machine, as rootkits are designed to hide all their activity from the system tools by modifying them. So the owned windows box may show little or no network traffic while your router is nearly catching on fire. But the lights on the switch/router don't lie.

    • Microsoft Update has periodic monthly tools that are supposed to give the user a feeling of security.

    • Spybot Search and Destroy is not difficult to run, though I would not recommend PS tools or Hijackthis to common folk.
    • by Cassini2 ( 956052 ) on Wednesday September 03, 2008 @10:42AM (#24860097)

      Speaking as someone that regularly works on number processing and real-time applications, I've given up on Windows machines. I just assume every Windows box is running ample code that is outside my control, and that code will make the machine much slower for any mathematically intensive computations, especially if they involve disk access or network access. All of the anti-virus code designed to stop viruses and bot-nets is killing Windows as a platform.

      One way or another, you pay your speed and uptime penalty. You either pay in downtime caused by the "bad" guys writing bot-nets, malware or viruses, or you pay in slow speed caused by the "good" guys like Microsoft, Symantec, and McAfee, who are trying to stop the bot-nets, malware and viruses. The modern "good" vs. "bad" arms race is resulting in anti-virus software that is so slow that it is strangling the Windows platform with endless code bloat. If you want to prove this to yourself, get an older PC with a fresh Windows installation. Start installing software on it, one package at a time. As the newer service packs are applied, the anti-virus software installed, and the software packages installed, the PC will actually slow down!

      Building better anti-virus software for Windows is self-defeating. It slows the computer down to the point that Windows is useless.

      Run Linux. Take control of your own computer.

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Wednesday September 03, 2008 @07:56AM (#24857605)
    Comment removed based on user account deletion
  • by O('_')O_Bush ( 1162487 ) on Wednesday September 03, 2008 @07:57AM (#24857623)
    because it could mean that people who are vulnerable to these types of attacks are on the rise. You would have thought that after all this time and the numerous virus-by-email crises, people would have learned better.
    • by v1 ( 525388 )

      The latest hurricane has given birth to a variety of phishing sites, it wouldn't surprise me if better targets to redirect suckers to inspired them to ramp up their efforts, or perhaps these sites are hosting malware to retruit more zombies.

    • Never underestimate the predictability of stupidity.
    • Re: (Score:3, Insightful)

      Also keep in mind that in places like India, China, Vietnam etc., the number of people using the internet for the first time is skyrocketing. While it would be nice if all these people used secure OSs, more than likely its a pirated copy of Windows that may or may not be able to get software updates etc.
  • by gEvil (beta) ( 945888 ) on Wednesday September 03, 2008 @07:58AM (#24857629)
    Zombie Network Explosion? Wasn't that a Flash game on some site?
  • Vista's Security Rendered Completely Useless [slashdot.org] leading more machines (with Vista) open to drive by downloads, etc, becoming zombies?

    • I'm sure Microsoft will blame it on the fact that a massive number of machines shipped with Vista are getting upgraded to XP. Vista adoption numbers look great until you subtract all the those...

  • Vigilante developers (Score:4, Interesting)

    by kaunio ( 125290 ) on Wednesday September 03, 2008 @08:11AM (#24857789) Homepage

    I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.

    Of course, I see the problems with doing so (hasn't there been an article about this topic earlier?), but still, there are a lot of infected machines that have been so for ages are not likely to vanish. Bandwidth and cpu cycles can definitely be spent on better things than spam.

    • by Neoprofin ( 871029 ) <neoprofin@hotmai[ ]om ['l.c' in gap]> on Wednesday September 03, 2008 @08:37AM (#24858111)
      The problem is someone with the drive to do so would come to Slashdot and be told, in hundreds of angry posts, that he has no right to do that and he's just as bad as the zombie botnet overlords. Of course he should have just done it, prayed for the best, and hoped that history would look kindly upon what's been done.
    • by Amouth ( 879122 )

      code green .. was a vigilante patcher virus for code red.. it used the same exploite to infect and patch..

      i agree we need more of this realy.. cause damnit.. even if MS does patch all the holes people arn't going to install them.. even the OEM's arnt' going to do it.

      i recently got a laptop from dell that was running an over 1 year out of date on patchs image driectly from them.. there is no excuse for that.. they should be patching their images monthly at the least

    • by Joe U ( 443617 ) on Wednesday September 03, 2008 @08:49AM (#24858257) Homepage Journal

      I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.

      As a network admin, I would love to see someone write code to destroy the boot sector of an infected machine and then run a shutdown. (No data is lost, but the system is offline)

      As a system admin, I would hate to see code out there that does damage to any process on the system, infected or not.

      As a developer, I won't go anywhere near that type of software.

      As an end user, I want better antivirus with better alerting that doesn't require a full core of my processor to run.

  • by h2o2 ( 1222578 ) on Wednesday September 03, 2008 @08:15AM (#24857829)
    I noticed an incredible increase in DenyHosts alerts over the last three days to the extent that I had to turn off alert emails. This picture says it all: http://stats.denyhosts.net/stats.html [denyhosts.net]
    • ...upon looking at what DenyHosts is...

      Neat idea. Thanks!!

    • Re: (Score:3, Informative)

      by Megaweapon ( 25185 )

      Same here, for some reason one of our servers on our subnet is a frequent attack for distributed SSH attacks, and there has been an explosion of them in the past few days for us. I've been collecting IP addresses and locking them out via firewall, but more just keep coming.

  • What else!

  • Riddle me this... (Score:5, Interesting)

    by davmoo ( 63521 ) on Wednesday September 03, 2008 @08:25AM (#24857933)

    So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?

    If Comcast and ilk such as that were really interested in conserving network bandwidth, they'd be cutting off zombies instead of putting on bandwidth caps.

    • Re: (Score:2, Interesting)

      by SaDan ( 81097 )

      ISPs can, and it was something I used to do as an "added feature" at the wireless ISP I used to work for.

      It can be construed as an invasion of privacy, and I was yelled at plenty by some of my former customers. While a pain to administer, it had an incredible impact on our network's performance, and a decrease in customer complaints for individual towers being slow, etc.

      The same technology Comcast uses (used?) to throttle Bittorrent users most likely could kill off zombies and DoS attacks. It's a shame th

      • by blueg3 ( 192743 )

        The same technology couldn't be used to stop DoS attacks -- the connections are broken by forging TCP RST packets. Most DoS attacks don't use TCP. They're also doing a particular sort of network pattern detection that catches BitTorrent but won't necessarily catch a bot.

        Granted, there are methods for detecting bots and methods for silencing their traffic.

        • Re: (Score:2, Informative)

          by SaDan ( 81097 )

          By "technology", I was referring to the black box that sits inline with the uplink(s) to the internet.

          The system I used to maintain was such a beast, and it did everything from real-time AV scanning, SPAM scanning, and IDS/DoS functions. It could in fact be used to detect DoS attacks, and send alerts via SMS/email to us. I also used it to shape/limit Bittorrent and other P2P protocols.

          http://www.fortinet.com/ [fortinet.com] is where you can find one example of such "technology".

    • Re: (Score:3, Insightful)

      by Neil Watson ( 60859 )

      The cost of monitoring, administering, taking action and fielding the incoming support calls from irate customers who have had their service suspended is probably more than simply capping bandwidth and charging for over runs.

      • Re:Riddle me this... (Score:4, Interesting)

        by Missing_dc ( 1074809 ) on Wednesday September 03, 2008 @08:53AM (#24858319)

        The cost of monitoring, administering, taking action and fielding the incoming support calls from irate customers who have had their service suspended is probably more than simply capping bandwidth and charging for over runs.

        You are on to something, but take it up a notch...

        The bots are a potential revenue source. The zombie traffic could push normal users over the caps resulting in extra usage fees. How long till an ISP exploits this intentionally (hijack or buy a botnet and make them send files back and forth)?

    • So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?

      If Comcast and ilk such as that were really interested in conserving network bandwidth, they'd be cutting off zombies instead of putting on bandwidth caps.

      Oh come on, they are all evil, they leave em alone through professional courtesy!

    • by blueg3 ( 192743 )

      Botnets account for less traffic than P2P file sharing (a few percent).

      • by davmoo ( 63521 )

        How is that possible when I keep seeing figures, from supposedly reliable sources, that spam email accounts for anywhere from 60 to 80 percent (depending on who's figures you want to use) of net traffic? That's not coming from bots?

    • ...why can't ISPs detect them the same way and cut the bastards off?

      They can, and sometimes do.

      One time a friend of a friend brought her PC over for me to look at. She said it wasn't working well, and wanted me to fix it. I plugged it into my internet connection just to check a few things, and then went about reformatting it. Later, when I plugged my machine into the net and tried to access the web, I got a default ISP web page telling me to call network security. It turns out that her machine had sent out

    • "So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?"

      If they did, they risk cutting off their own spamVertisers, there's no money in protecting their own customers, it would break stuff, they can't be bothered ...
    • The P is for Provider, not for Police. It's not their problem, it's the responsibility of the developers making exploitable software, and credulous/careless users.
  • I don't doubt it (Score:5, Interesting)

    by Controlio ( 78666 ) on Wednesday September 03, 2008 @08:52AM (#24858313)

    I don't doubt it at all. My computer, which is usually the epitome of clean, caught a worm the other day. It was automatically downloaded and executed (no clicks or dialogs) from one of the top 10 mainstream news websites, no less. Most likely one of the injection attacks. Had to really dig into it to find out that it somehow got downloaded by prefetch in Firefox (which has been promptly disabled now).

    The ironic part... with all of the precautions I take, it wasn't detected at the router level nor the virus scan level. Windows firewall caught it before it could download its payload. As I manually removed it and restored from yesterday's registry copy, I had to chuckle a little.

    But now that I've seen first-hand an unrequested .exe not only downloaded into ./system32 but executed - both without user approval or so much as a dialog box - I can only imagine how many zombies have popped up in the last few weeks.

  • by rs232 ( 849320 ) on Wednesday September 03, 2008 @09:03AM (#24858453)
    correct headline ..
  • Sorry for being a uninformed moron, but what exactly is the definition of the "entropy of botnet infections"? Their infection rate? Their "healing" rate?
  • If things continue to get worse the year of the Linux desktop will come sooner than you'd expect. I know people who won't do a thing on their computer without worrying about viruses. I think at some point when the concerns and the solutions will have reached a certain point Windows will have irremediably lost its OS monopoly and it won't matter what OS you run anymore.

    Not like it matters much anymore for most people anyways, most of what they do involves just a web browser.

  • by Anonymous Coward on Wednesday September 03, 2008 @09:29AM (#24858787)

    Best band name ever!!

  • It's all because of Microsoft's new software release, WindowsXP Anti-Virus 2008. Everybody's getting it, microsoft sends them an email telling them to click a link to get the new download. The damn thing won't run on my linux box though, i feel left out... sigh.

    Oh, clients, why must you want the silly shit you want?

  • by Nonillion ( 266505 ) on Wednesday September 03, 2008 @06:24PM (#24866797)

    security, windows, brains. The three words that have the least in common.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...