New Mega-Botnet Discovered
yahoi writes "According to the DarkReading article, 'Researchers have discovered a major botnet operating out of the Ukraine that has infected 1.9 million machines, including large corporate and government PCs mainly in the US. The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains — 51 of which are in the US government. Researchers from Finjan who found the botnet say it's controlled by six individuals, and includes machines in major banks.'"
Can Help? (Score:5, Funny)
Maybe this isn't such a bad thing after all.
Re: (Score:3, Interesting)
Maybe this isn't such a bad thing after all.
Maybe it'll finally open the government's eyes to protecting their networks. They are generally in really bad shape. There are some exceptional sysadmins out there, but they are often hogtied by anti-security regulations and expectations.
Re: (Score:2)
Cue the response of the typical /. user:
Re: (Score:2, Insightful)
Re:Can Help? (Score:5, Insightful)
Re: (Score:3, Informative)
Re:Can Help? (Score:5, Insightful)
Ever notice that 99% of trojan and virus attacks require user intervention?
Social Engineering is the primary attack risk to a computer network once basic protection measures are taken (firewall, AV, and current updates), because users are the primary vulnerability. That's why it is usually worth the trouble to simply give the user bare minimum rights to their machines. It helps limit the damage they can cause.
This is, however, inconvenient, and so is not done universally. There are even reasons not to do it that are sound, though requiring any kind of security generally makes low user rights a necessity.
Re: (Score:2)
To be fair, though, that's the major attack vector for Windows users too. There aren't a whole lot of zero-day attacks out there for Windows; most worms, trojans, etc. propagate via users who haven't bothered to patch their machines.
Basically, it comes down to the fact that the Linux userbase is still more security conscious than the Windows userbase.
Re:Can Help? (Score:4, Informative)
This is true in Windows too. Remember Storm? It was created with simple .exe files, not any exploits. I believe they just mass emailed 'greetingcard.exe.' Grandma ran it. That's all it takes. It blows my mind mail servers are sending out executables to people in this day and age.
A computer is just as secure as its operator.
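The gateway-side check that the comment above finds missing, as an added example that is not part of the original thread: it parses a message and flags attachments that are executable by extension, by decoy double extension, or by content. The sample message, the addresses and every filename except 'greetingcard.exe' are constructed, and the extension lists are illustrative assumptions, not a complete policy.

```python
"""Flag executable attachments in a mail message before delivery."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (short, non-exhaustive, assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions that make a file look like a harmless document or picture.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".txt"}


def _extensions(filename):
    """Return every dotted suffix, ignoring the trailing dots/spaces Windows strips."""
    parts = filename.lower().rstrip(". ").split(".")
    return ["." + p for p in parts[1:]]


def inspect_attachment(filename, payload):
    """Return the list of reasons this part should be blocked (empty if none)."""
    reasons = []
    exts = _extensions(filename or "")
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])
        decoys = [e for e in exts[:-1] if e in DECOY_EXTENSIONS]
        if decoys:
            reasons.append("decoy double extension " + decoys[-1] + exts[-1])
    # Content sniffing catches a Windows executable renamed to something else.
    if payload[:2] == b"MZ":
        reasons.append("PE header (MZ) in content")
    return reasons


def flag_executable_attachments(raw_message):
    """Map part name -> reasons for every leaf MIME part that should be blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(part.get_filename(), payload)
        if reasons:
            flagged[part.get_filename() or "<unnamed part>"] = reasons
    return flagged


def build_sample_message():
    """Constructed test message: two executables, one renamed PE, one benign PDF."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 16  # only the magic bytes, not a real binary
    msg = EmailMessage()
    msg["From"] = "cards@example.com"
    msg["To"] = "grandma@example.com"
    msg["Subject"] = "You have received a greeting card"
    msg.set_content("Someone sent you a greeting card!")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="greetingcard.exe")
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="photo.jpg.exe")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(fake_pe, maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in flag_executable_attachments(build_sample_message()).items():
        print(f"BLOCK {name}: {'; '.join(why)}")
```
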
In fact (Score:2)
Re:Can Help? (Score:5, Interesting)
Let me take you back in time to when most computers were embedded systems. The program ran from ROM (or EEPROM) and could not be changed at all without physically switching out the non-volatile memory - in-system programming was a rarity. Moreover, many processor architectures had entirely separate executable and data spaces - you couldn't actually write to the executable memory, so even if it was flash or battery-backed static RAM, it wouldn't work. Thus no matter how corrupt the data became, it could only crash the software or make it misbehave; to restore operation you'd simply reset the CPU and everything would return to normal!
In contrast, the x86 usually boots the OS into RAM, even shadowing the BIOS into RAM (because it's faster), and it's possible to scribble all over executable code space - the obvious example being to overflow stack space to execute unauthorised code. The NX bit was added relatively recently to ameliorate these problems.
Sparc architecture has been more resilient to attack too, partly because of its relative obscurity, but mainly due to its relative immunity to stack smashing.
Re:Can Help? (Score:5, Insightful)
Cue the response of the typical /. user:
Too bad you forgot to turn off images and just got pwned by the 0 day buffer overflow the hackers discovered in libjpeg.
Re:Can Help? (Score:5, Funny)
Lynx to the rescue! Lynx should be the only browser allowed on secure networks. Hehe.
Re:Can Help? (Score:5, Funny)
Lynx to the rescue! Lynx should be the only browser allowed on secure networks. Hehe.
Too bad you just got owned by the buffer overflow the hackers found in the VT100 emulator library.
Re:Can Help? (Score:5, Funny)
Wow! I'm glad I have Windows!
Re: (Score:2)
The fact that buffer overflows are even still possible is rather silly.
It's even sillier that a user's processes are allowed to run rampant with his or her privileges.
Re: (Score:3, Insightful)
It won't open eyes. It will encourage laws like the DMCA to sweep the problems under the rug. Security through obscurity doesn't work in the long haul, but in the short run, it is great.
I can see Draconian laws being passed banning ownership of "hacking tools" (debuggers come to mind) that might catch some clueless script kiddie from some junior high school, who is promptly made an example of, having adult felony Federal charges pressed. However, the people in Elbonia will still be running their botne
Re:Can Help? (Score:5, Interesting)
Maybe it'll finally open the government's eyes to protecting their networks.
Oh, they realize it. There is a big push to have a standard [nist.gov] secure desktop to all of the Fed's computers. The standard is good. It does everything that you'd expect for a secure desktop. Restriction of services, and admin accounts, and blocking ActiveX controls. Lock down the ability to connect to Windows shares willy-nilly. Make sure that all the patches to software are installed in a timely fashion. (IE: Conficker should not be infecting Federal machines, if they were following these guidelines, they would have had the patch deployed in 10 days) And the best part is (in theory anyway, I have yet to see it actually happen) that if a software vendor wants to be on GSA, they need to certify that their application can run without admin rights. And if they don't they need to document exactly why.
The problem? It was supposed to be implemented February of 2008. And outside of a few big pilot programs, nobody has the thing 100% implemented yet.
Part of the problem is that if you implement everything, you're practically guaranteed to not be able to work in your environment, so one must find and document the exceptions. If you have crappy network/desktop practices to begin with, you'll be screwed in your deployment. Our practices were good to begin with, scoring 80% compliance, and it didn't take much to get to 90%, but that last 3% to be in the green is proving to be a killer.
There are some exceptional sysadmins out there, but they are often hogtied by anti-security regulations and expectations.
The regulations generally aren't the problem (Though just last month it was announced that Entrust encrypted email is no longer acceptable to send PII through. You have to use an encrypted USB thumbdrive. And not just any drive, a Kanguru drive. No BlackBox Data Travellers, no IronKeys, just these colorful Kanguru drives, so sometimes the regs don't make sense), it's the expectations. I'm always told that "The company (I work for a subcontractor to the feds) will do everything that they can to make sure that we meet Cyber's needs". Which is great until somebody with enough political clout is inconvenienced. Fortunately, this is becoming more and more rare, as the Feds have been backing our decisions.
Support from software vendors also sucks: "It works for us, why don't you give them admin rights, that'll fix it?" Uh, not just no, HELL NO
Re: (Score:3, Informative)
From the FAQ
What operating systems have FDCC settings?
Currently, FDCC settings are intended for Microsoft Windows XP Professional with Service Pack (SP) 2 or SP 3 and Microsoft Windows Vista Business, Microsoft Windows Vista Enterprise, and Microsoft Windows Vista Ultimate with SP 1.
...
The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration.
So ... to be in compliance, you can only run Windows desktops, is that correct? Wow! Way to feed the MS machine.
Re: (Score:2, Informative)
No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows XP or Vista operating systems, nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software for which NIST has not developed a publication, security configuration checklist, or virtual testing environment. Although the FDCC currently applies to Windows XP and Vista, security guidance is available for other platforms. The OMB and GSA updated the Federal Acquisition Regulation (FAR) on February 28, 2008, Part 39 now reads as follows:
Never mind. My first post was inaccurate.
Re:Can Help? (Score:5, Insightful)
How so? Network security in this context doesn't mean setting up a firewall and calling it a day, it means layered security of the entire network, including all the devices attached to it.
In the case of a trojan payload, properly patched machines along with restricted user accounts help quite a bit.
Re: (Score:3, Insightful)
> In the case of a trojan payload, properly patched machines
> along with restricted user accounts help quite a bit.
So why does the XP installer first create an Administrator account and then prompts you to create a "user" account, which ALSO has (to have) administrative access??
There's a few million infections right there...
Re:Can Help? (Score:5, Insightful)
> In the case of a trojan payload, properly patched machines along with restricted user accounts help quite a bit.
So why does the XP installer first create an Administrator account and then prompts you to create a "user" account, which ALSO has (to have) administrative access??
There's a few million infections right there...
We're not talking about home users, we're talking about sys admins who should know better than to allow this when they configure users in their domains; and when they mass-prepare their workstation images.
Re: (Score:2)
Re:Can Help? (Score:4, Insightful)
Required for what exactly? There are probably government computers that legitimately need access to the internets.
Re: (Score:3, Insightful)
Yup, there sure are.
And there are tons that don't, yet do.
Important shit needs to be severed from the internet and the intranet and CDs/Flash Drives/etc by default, and access to each granted on a i-can-has? basis.
That aside, these stories always imply that OMG THEY GOT INTO THE MISSILE CONTROL SILO. No, they got into the computer of some office assistant at some university. That's a "government computer".
Re:Can Help? (Score:5, Informative)
Why would a competent sysadmin even design a network hooked to the general internet to begin with if security is an absolute must?
... maybe because of Internet banking? Risk, cost or convenience, pick two.
DingDingDing! (Score:2)
The fact that the military discovered that they had lost terabytes of info on a new fighter tells me that they have no clue. A secure military network with any sort of internet link??? GAAAAK!
Anyone who says they can absolutely protect an internet connection is either lying or deluded. You can protect against known attacks. There is no way to be 100% protected against unknown attacks. The attacks to be worried about are always the unknown attacks.
Idiots with lots of your dollars at
Re:DingDingDing! (Score:5, Informative)
The data was not lost from military systems, it was obtained by crackers who penetrated military contractor's commercial systems. Yes, that leads to a whole bunch of questions and is not by any means an absolution of the military's IT security. But your statement does not match the facts.
Re:DingDingDing! (Score:5, Informative)
Re: (Score:3)
HOW THE FUCK is this offtopic?
If you want your shit secure you get it offline, lock it up, put a guy with a gun to watch people who access it, and put a dog to watch the guy with the gun.
Re: (Score:2, Informative)
He was talking about anti-security regulations. Like regulations requiring that software go through a several year government testing phase before it can be adopted, placing them horribly out of date.
Every machine in the LoC is using IE6, because they designed some proprietary crap 8 or 9 years ago that would be too expensive to upgrade to an infinitely more secure Firefox or even IE8-based system.
On the other hand, those were the most sandboxed terminals in the world, probably safe even with IE6 (there was
Re:Can Help? (Score:5, Insightful)
Big PC's!!! (Score:5, Funny)
large corporate and government PCs
So small ones are mostly safe.
Re: (Score:3, Funny)
Duh. Small PCs make small packets, which are far less likely to clog the tubes.
My question is, since when is 1.9 million PCs a megabotnet?
A botnet by definition needs at least four PCs (since otherwise it's a botpoint, botlinesegment, or bottriangle -- you can hardly catch fish with a "net" without cross-segments, which you need at least four nodes to make). So a megabotnet needs (1 million)*4 == 4 million PCs.
Sheesh.
Re: (Score:3, Funny)
Actually it's 4194304
Re:Big PC's!!! (Score:5, Funny)
Wouldn't that be a mebibotnet.
Mebibotnet, Mebibotnet... Now that just rolls off the tongue!
Re: (Score:2)
Mebibotnet, mebibotnetnot -- only time will tell.
Re: (Score:3, Funny)
That was a complete tongue-in-cheek post...
Wish I could *whoosh* the moderator(s).
Transformers (Score:2)
Get off my lawn! Megabots are so 1980's. We had Transformers back before you whippersnappers were even born!
Re: (Score:2)
Not to be pedantic but, really, your calculations are off...
Your definitions are correct: a botnet needs 4 botpoints, and is composed of 4 botlinesegments, and 4 bottriangle.
However, it's easy to see that by adding only 1 botpoint to the botnet you can create 4 additional botnets and as such create a 5-botnet.
So you can create a 5-botnet with 5 PCs (if they all connect to each other).
Now it's easy to see that 1.9M PCs can be used to create a 1 MegaBotnet, and potentially much more if they were all interconn
Re: (Score:2)
Your definitions are correct: a botnet needs 4 botpoints, and is composed of 4 botlinesegments, and 4 bottriangle.
Correction: a botnet needs 4 botpoints, and is composed of 6 botlinesegments, and 4 bottriangles.
Re:Big PC's!!! (Score:4, Funny)
>My question is, since when is 1.9 million PCs a megabotnet?
Look sonny, in my day, we had to carry our megabotnets uphill both ways, in the snow, and we didn't complain, and the master nodes sent out instructions with punch cards that were sent via carrier pigeon. A million computers was something we doubted any deity could create, but we were wrong. I don't think I have to tell you to get off my lawn. Wait, you're still there? GET OFF MY F*CKING LAWN. Damn kids.
Re: (Score:2)
Re: (Score:3, Funny)
That's cuz your state is so damned small. It's an insecurity thing. (See how I got back on topic?)
Guardian (Score:2)
It looks like Guardian [imdb.com] has finally been uncovered. Everybody act really friendly, no fast moves to the on/off switch.
Need I say more? (Score:5, Interesting)
From the article:
Around 45 percent of the bots are in the U.S., and the machines are Windows XP.
On the other hand:
Nearly 80 percent run Internet Explorer; 15 percent, Firefox; 3 percent, Opera; and 1 percent Safari
What else does one expect? Since it is an infection spread through trojans on legitimate sites and XP the target, what can we expect the browser to do?
In the end, we might see all browsers running completely sandboxed on demand, that is: no interaction with the rest of the system; a 'browse-only' kiosk.
FTP? (Score:2)
In the end, we might see all browsers running completely sandboxed on demand, that is: no interaction with the rest of the system; a 'browse-only' kiosk.
Then what would people use to download and upload files? Would FTP come back into style?
Re:FTP? (Score:5, Interesting)
Then what would people use to download and upload files? Would FTP come back into style?
I already use a program called SandBoxie after seeing it mentioned on /.
You can either allow files to escape the sandbox on a case by case basis or set up default allows wherever you like.
And as a general comment, it's terribly easy to allow files into a sandbox, like when you want to upload something, but not allow any changes out.
P.S. FTP server/client software has terrible security. Even the most popular ones, which have been around for over a decade, still get hit with remote exploits.
Re: (Score:2, Interesting)
Sandboxie rules!! I don't use XP machines often but if I have to run something that I don't entirely trust *cough*keygen*cough* I just use it.
Something to note, as my wife painfully discovered: Sandboxie is useless with patches since it can't "technically" patch the real binary, and if it patches the binary with a trojan AND you move the patched binary out of the sandbox...you're fUx0R3d. Yeah, now she's using Linux and forbidden from playing any Windows games at all after that episode...and she was sitting
Re: (Score:3, Interesting)
File Transfer Protocol has been around since the early 1970s, and while most server/client FTP implementations have a history of exploits, their weakness is due not necessarily to the exploits but rather to the way the FTP protocol transfers information. FTP communication includes not only the transfer of files but also the transfer of authentication parameters. All this information is transferred in clear text. Clear text is also the way HTTP transfers information/files. You can think
Re: (Score:2)
Too bad SandboxIE doesn't work with 64-bit Windows.
Re: (Score:3, Interesting)
As you may guess, I am aware of the consequences. Though it seems to make sense in many cases, when everything and anything that one downloads is just for rendering the site.
Would FTP come back into style?
I, actually, hope not. Not FTP. But maybe a new system where users click some 'I want to download this file' button and get the content via an e-mail? Oh, wait, that's only slightly better than FTP.
Still, yes, a separate channel for file transfer outside of that box, not using any http could be safer.
Re:FTP? (Score:4, Insightful)
But maybe a new system where users click some 'I want to download this file' button and get the content via an e-mail?
Right, because uninformed people opening attachments don't cause enough problems already...
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Given the story a few posts down the main page about an exploit that can jailbreak out of a VM to attack other VMs and the host itself, or the one from a few months back that infected the BIOS to the point where the only possible repair was to pull and replace the chip itself, I don't think that even a fully sandboxed browser will be good enough in the
Re:Need I say more? (Score:4, Interesting)
If browsers become completely sandboxed, you might see botnets living in the browser's CPU/filesystem space that are active in the background
Sure. To me that's like in those cyber-cafés where the whole machine is riddled with crapware at the end of the day; when it will be wiped and receive a clean install from an image over the network. When the browser shuts down, all those botnets are gone. Assume, that history and cache are likewise. 'Kiosk', as I wrote.
Assuming sandbox is what it is supposed to be, we would see transient botnets. Which in itself would be a great improvement to the current resident ones.
Quick! (Score:5, Funny)
Re:Quick! (Score:5, Funny)
Re:Quick! (Score:5, Funny)
Re: (Score:2)
No, get Chloe from 24. She can totally handle it.
Re: (Score:2)
"can be used..." (Score:2)
Have they used it yet, and have we seen an effect?
Within the past few days, I have seen an increase in spam volume.. It's been an interesting week so far.
One of four malware tools to find it... (Score:5, Insightful)
I think it's great that they find this kind of stuff but at the same time I have some misgivings about how they don't do much to point the public in the right direction as far as finding out if they're infected or what they can do to remedy the situation. It seems that a lot of security articles are lean on providing the details about helping yourself to a more secure system.
Re: (Score:2)
It seems that a lot of security articles are lean on providing the details about helping yourself to a more secure system.
If your system was more secure, you wouldn't need security experts to secure it.
So where's some real info? (Score:4, Insightful)
Blurred screen shots, off-handed mention of files and sites...
Why not at least release specifics so that we can avoid these sites (or at least get them to clean up their act)? Why not give us details about the actual filenames and so on?
Or at least give us details on the actual control application and the files it is paid to infect the computers with so that we can avoid them.
Articles like this annoy me because they accomplish nothing constructive.
no definite article needed (Score:5, Informative)
Re: (Score:2)
It's one of those habitual things. Some English-speakers (not sure if this is American-specific) refer to certain countries with the definite article, like the Ukraine or the Sudan.
I'm not sure where that came from.
New Mega-Botnet! (Score:5, Funny)
Now with more Bot to boost your immune system!
Clean up botnets (Score:5, Insightful)
Re: (Score:3, Funny)
> The big papers detailing botnets never provide enough details to know
> if *I* screwed up the internet.
You did and we'll never forgive you! :-)
Re: (Score:2)
Bear in mind, the good guys have to follow the same rules the bad guys get away with breaking.
Re:Clean up botnets (Score:4, Funny)
I am on it, you see I have this great product called Antivirus 2009, don't worry, I have sent out over 2 billion emails detailing its advantages to people.
Also, I have these pills...
Re: (Score:3, Interesting)
Personally, I think it's time we started fining people, when their computers are found in a botnet. Start small at, say, $10, then double it for each subsequent violation, until it reaches $160, or even $320. Then, Microsoft will either have to fix the problem, or people will start using more secure operating systems. Either way, it's a win for the Internet.
Coincidence? (Score:2)
http://news.bbc.co.uk/1/hi/technology/8010729.stm
"All of the infected machines were Windows-based PCs and the vulnerability was targeting security holes in Internet Explorer and Firefox."
Virus devastates millions of complacent idiots (Score:4, Funny)
A computer worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough [today.com] to still think Windows is not ridiculously and unfixably insecure by design.
Despite many years' warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying "COME AND GET IT."
Microsoft cannot believe people have not applied the patch for the problem, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. "Don't they trust us?" sobbed marketing marketer Steve Ballmer.
Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. "There's a reason the Unix system on Mac OS X is called Darwin," said appallingly smug Mac user Arty Phagge.
"It can't be stupid if everyone else runs it," said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. "Macs cost more than Windows PCs."
"Yes," said Phagge. "Yes, they do."
Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can't say we care.
Ahh yes, those immune Macs (Score:2, Insightful)
I get a little tired of this silliness of "Oh Windows is unfixably hackable!" That shows an amazing ignorance of computer security. Good admins realize that there is no such thing as perfect security, and no system that can't be broken in to. So the answer isn't the hunt for the per
Re: (Score:2)
Now I agree with most of what you say, but the OS design behind XP and friends IS inherently flawed. Defense in depth is the only sane approach to security, but the depth that you must go to is going to be influenced gre
Re: (Score:3, Insightful)
The crowing on about Macs really makes me think of a home analogy: The Mac types have decided security comes from living in a gated community away from the "rabble". They pay to live in their special enclave, and figure the exclusivity keeps them safe. Overall, it does, they are a smaller target. However they are lax on their security because of this, they leave doors unlocked, valuables lying around and so on. However the security is all in appearances, it isn't real. Finally, someone decides to hit the community, and simply goes off road and bypasses the gate guard. They then have free run, because of the laxness of the users.
By the same analogy, Linux users moved some place where there was no town or civilized society of any sort, built their own community brick by brick, and the place isn't even on the map. But, they still aren't boneheaded enough to leave their doors unlocked. Linux users lock their doors using locks that they created, made their own latching systems to actually open the doors when unlocked, and know what their houses looked like when they left, so they can identify anything out-of-place when they return.
Re: (Score:2)
Wow (Score:4, Insightful)
Re: (Score:3, Funny)
That's because it's normally assumed ;)
Only six? (Score:4, Funny)
Researchers from Finjan who found the botnet say it's controlled by six individuals,
We should be able to shut this one down with one clip in a .45.
Re: (Score:3, Funny)
-1 inefficient, you should only need a revolver for this job.
what of the ISPs (Score:4, Insightful)
What of the ISPs that host these botnets? Many of these botnets are used to spew spam. If they do then this is easily detected and IMHO the ISP uplink in question should simply pull the plug and advise their client that it looks as if their toilet is broken because there sure seems to be a lot of sh*t coming from them.
I know my ISP does this. I know because they have phoned me and I had to advise them it's not my OpenBSD servers generating spew, but another of their clients on the subnet. We found it fairly quickly.
I've heard so many excuses. Some involve excuses it would breach service agreements. So let's look at that one. How many end users write service agreement contracts? How many end users even read them? I think the answer here is obvious. Pretty much anything reasonable can be written into the contracts so that sort of excuse doesn't hold much water.
The obvious answer is the ISPs in question actually might make money carrying this spew. They certainly made money when they provided connectivity to known spammers. They also make money when they charge extra for static IPs. Note that a static IP makes it much easier to trace and quarantine a bot.
If we want these problems to go away then one way to address the issue is to look at issues of an accessory either before or after the fact.
Let me provide an example. If someone digs a big hole in the road and someone else drives in and wrecks their car and maybe kills some people in the process, then the excuse of "I didn't know a car could fall into a hole" or "I didn't think anyone would drive their car down this road at night" or any other excuse that might be dreamed up is not likely going to carry much weight. If someone sees the hole and ignores it using the excuse that "Well, it's not my hole", then that excuse also is not likely to hold much weight.
An ISP hosting infected machines should be just as liable as the client who owns it. Many of these botnets reveal themselves. We need to start asking for accountability.
Consider people like Conrad Black. Last I heard he's in jail. That is accountability. Any excuses he and his lawyers might have dreamed up didn't carry much weight.
Here is another example. In the movie called "Nuremberg", Alec Baldwin asks in one scene if "anyone in this country accepts responsibility for anything?". I think this says an awful lot. Only one person seemed to be responsible for the killing of millions.
So in this story we have over 1 million bots discovered and apparently 6 perpetrators and how many are responsible? These bots are identified, now what? I've had more than 50,000 bots attack my servers. Can I call the cops? If I provide IP addresses does anyone pull a plug?
We need to think on this.
Re: (Score:3, Insightful)
Why are you blaming the US government for (a) defects in software they didn't write; and (b) a malicious botnet created and operated by someone else? The only reason the US government is being singled out in this article is because it makes the story more sensational, which means more eyeballs, which means more ad revenue.
Re: (Score:2)
I blame them for letting Microsoft get away with leveraging their low-security rubbish, and not taking them down when they had the chance.
Re: (Score:2, Troll)
For starters they let MS off the hook too easily, which could be the reason that Windows sucks so bad at security in the first place.
Re:is it really this bad? (Score:5, Interesting)
I think it is more widespread. I'll take my local bank as an example. I stop by to make a deposit, I notice the teller minimizing her facebook page as I glanced at the screen.
I am shocked that a bank would allow any www access on a machine that has direct access to accounts. Dollars to donuts there is some form of malware on that machine, or already throughout their network.
It was my belief that competent IT would only allow the necessary Intranet infrastructure to run the bank's applications. But I would bet their policies get changed by ignorant management that are sold on 'security' appliances and software to protect themselves while granting www access.
Security stupidity... (Score:2, Interesting)
I am shocked that a bank would allow any www access on a machine that has direct access to accounts.
It is funny how people can spend a fortune on security and then do something like install a WEP protected Wifi access point in one of the offices that is trivial to crack and that gives you direct access to otherwise heavily fortified networks. Another thing that can guarantee a good laugh is wireless connected security cameras. I saw this interview on TV the other day with a guy whose child had some sort of chronic disease. Apparently he was something of a Nerd because he had installed a camera in the back of
Re:Security stupidity... (Score:4, Interesting)
Re: (Score:2)
I agree with you, for different reasons than you think. Facebook at work.. IM or personal email at work.. all bad.. I'm as much an internet junkie as anybody, but I have learned to separate my personal life and interests from my work life... I think more worrying than the bots, is the ease at which she could copy information and send it to herself.
As to mixing web access and banking.. well I do online banking all the time. I might be more paranoid about it I suppose, if I had to keep cleaning my machine of
Re: (Score:3, Insightful)
I do not know the exact law, exact regulation or a link or I would list it, but when I mention this, it will seem obvious to most.
I talked to a tech at a bank, he stated that there were laws on the books that made it illegal to connect up the bank's private network that connects to other banks.
He also indicated that automatic updates (any and all) would be considered a violation of those same banking laws.
This is probably why nobody screams bloody murder and why the banks are so quick to eat losses due
Re: (Score:2)
That is a pretty sweeping statement, similar to saying that all American companies can't lock their doors down.
This varies by department, organization, and sysadmin. A lot of US government divisions have intelligent, alert, and aware employees who do a good job at what they do. However, these people don't make the news.
This is one of the things with IT. If you do a good job, nobody notices. It's only when stuff fails that people notice. Same thing with this mess.
Re: (Score:2, Insightful)
Re: (Score:2)
Did anyone hold a gun to Microsoft's head demanding that it pander to consumers? Indeed, some of Microsoft's defenders on this site praise its responsiveness to consumers.
As for bashing, why waste a good shell?
Re: (Score:2, Funny)
no, they don't email me. they email you actually. that's why you get so much spam.
Re: (Score:2)
security (Score:2)
I've switched to lynx.