20,000 Zombie PCs -- $3000
Saint Aardvark writes "From the F-Secure blog come these links to two USA Today articles on spamming. The first gives an example of how a grandmother ended up becoming a security expert after Comcast cut her connection for spamming. The second quotes spammers advertising networks of Zombie PCs for sale. The price? $3000 for 20,000 machines."
Telenor takes down 'massive' botnet (From the story, they didn't really take down the botnet, just rendered it headless for a little while.)
One line blog. I hear that they're called Twitters now.
Very few people realise that deploying a cheap effective reverse firewall will save them from being unwitting spam zombies (kinda sounds like sex slaves don't it? It sure is as demeaning!).
Granny had the right ideas.
Home users, please note -
a. You need a firewall
b. You need a reverse firewall
c. You need to dump IE and use Firefox
d. You need to try dumping windoze and move on - that puppy is probably crapping all over your machine.
--
See that long UID - that's what you get for lurking too long
Actually, the problem is far worse than this.
With the ability to register Unicode domain names, you may indeed see www.citibank.com and have no idea that the "a" is from the Russian alphabet and therefore points to a different server and IP, even though visually, right down to the pixel, they are identical.
All browsers should show warnings for any domain containing characters from multiple languages, or not permit them at all. I can think of no legitimate use for them.
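The warning the commenter asks for amounts to a per-label script check on the hostname. The following is an added example written for this page, not code from the comment or from any browser: it classifies each letter of a hostname by Unicode script using Go's standard `unicode` range tables (the three scripts listed are an assumption; anything else is lumped as "other") and flags any DNS label that mixes scripts. The sample hostnames are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// Scripts distinguished by this check (assumption: three common ones; any
// other letter is reported as "other").
var scripts = map[string]*unicode.RangeTable{
	"Latin":    unicode.Latin,
	"Cyrillic": unicode.Cyrillic,
	"Greek":    unicode.Greek,
}

// scriptOf returns the script name of a letter, or "" for digits, hyphens
// and other non-letters, which belong to no script.
func scriptOf(r rune) string {
	if !unicode.IsLetter(r) {
		return ""
	}
	for name, tbl := range scripts {
		if unicode.Is(tbl, r) {
			return name
		}
	}
	return "other"
}

// LabelScripts returns the sorted set of scripts used by the letters of one
// DNS label (the part between dots).
func LabelScripts(label string) []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range label {
		s := scriptOf(r)
		if s != "" && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

// IsMixedScript reports whether any label of the hostname mixes letters from
// more than one script, e.g. Latin "citib" + Cyrillic "а" + Latin "nk".
// Hostnames must already be decoded from Punycode (xn--) form.
func IsMixedScript(host string) bool {
	for _, label := range strings.Split(strings.ToLower(host), ".") {
		if len(LabelScripts(label)) > 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed examples: the second uses U+0430 CYRILLIC SMALL LETTER A.
	for _, h := range []string{"www.citibank.com", "www.citib\u0430nk.com"} {
		fmt.Printf("%-22s mixed=%v scripts=%v\n", h, IsMixedScript(h), LabelScripts(strings.Split(h, ".")[1]))
	}
}
```

Note what this check does not catch: a label written entirely in one non-Latin script whose letters all happen to look like Latin ones passes as single-script, so a deployed warning needs a confusable table (or a whole-script allowlist) on top of the mixed-script rule.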
We get Linux boxes in labs we don't manage hacked all the time. They usually aren't used for SPAM, they are instead used for warez, eggdrops or shells, but they get hacked all the same. Reason is the same too: someone fails to patch their system, and it gets exploited.
Linux needs patching as well because OSS is not immune to security holes. SSH, BIND and even PNG are three off the top of my head that have had security problems in the past. If you run a Linux box that has an SSH server, and you don't patch it when an SSH vulnerability comes out, someone WILL hack it.
Not to nitpick...
But this is against the distributed.net's policy, and they do pay for a winner.
But really, it wouldn't do anything noticeable to the user since it works during "idle" times only.
I've always kept dnet up when doing CPU intensive work, it never interferes.
Get your Unix fortune now!
But unless they're running with root privileges (which most distributions don't do by default) you can't overwrite system binaries or executables, or run daemons on privileged ports (like open smtp relays on port 25), etc. I know that the attacker could do things like use nonstandard ports or privilege escalation hacks like buffer overflows, but it's extra work the attacker needs to do, making it a less attractive target (and thus, more secure by default).
Stupid? Well, people look at their home computers like their TV or their toaster. Is there any other consumer product that requires so much awareness to run?
Probably only the automobile. We make people take written and practical tests before they're allowed to drive unsupervised, and then in most places they are expected to get insurance to cover any damage their operation of the car may cause.
Is that where you want to go?
Using a computer on the Internet will never be as simple and relatively safe as using a TV, but it could be moved down the scale of complexity in that direction, by better engineering of Internet software and making ISP managed reverse firewalls part of the standard broadband service.
Granny should be able to just turn on her computer in order to sell her crocheting on ebay or get email with pictures of her grandkids without having to research computer administration. And, when she's done, I think she should be able to flick a massive off switch (like on the old PC/XTs) and watch the CRT raster turn into a little dot, without having to worry that somebody is using her computer when she thinks it is idle. I for one would think that was cool.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
The security of my bank account is not based on secret codes or passwords or account numbers or any other blamed thing.
Every check you write contains the account number and the routing number and everything else needed to withdraw money from that account. If somebody creates a fake check using that info, and withdraws money from my account, then that is in no way my fault and I'm entitled to reimbursement of those funds.
Likewise, somebody doing the same thing electronically is not my fault either. There is nothing essentially different in the transaction. Fraud is fraud.
Bank accounts have never been based on secrets. It might not be smart for me to give out my account number to everybody, but it's something I do every time I write a check or use a debit card or use one of several forms of payment. I *must* give my account number to somebody I want to pay from my bank account.
Is this a flaw in the system itself? Yes, absolutely. But until everybody moves towards public/private key authentication and so forth, it's just the way things are.
The public-private key method is the only solution to this sort of thing that I'm aware of. To "write a check" or make a payment of any sort, I form a message that essentially says 'Pay so much to this person, using this transaction number, on this date' and encrypt it using my private key. Then I give it to that person. They give it to their bank. Their bank gets my public key from my bank (it's a public key, they can give it to anybody who asks for it), verifies the message is valid (since it's signed by my private key, my public key can decrypt it and it validates itself that way), and does the transaction. My bank also verifies the same message before releasing the cash from my account. Unforgeable money transfer accomplished.
Sounds great? It's a long ways off. What's needed is:
-Every account holder to have a public/private keypair.
-Banks have the public key, people have the private key on some sort of device.
-Device allows transfers of cash from one person to another, probably by simply plugging in a key or wirelessly or whatever. You can think of a thousand ways to do this.
-Banks need a protocol to transfer public keys around, and all have to agree to some form of standard.
-Etc, etc, ad infinitum. It gets more complex the more you think about it. If you assume that the electronic cash transfer happens in real time (eliminating "float"), then it's actually slightly easier. If not, then you get the concept of people transferring funds that was just transferred to them before telling the bank about it, and it gets hella complicated. But it's all doable with the crypto, it's just complex.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
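The payment message the commenter sketches (amount, payee, transaction number, date, signed with the payer's private key and checked by both banks against the public key) is a digital signature scheme, and the "people transferring funds that was just transferred to them" problem is a replay/double-spend check on the transaction number. The following is an added example for this page, not the commenter's code or any bank's protocol: it uses Ed25519 from Go's standard library, a JSON order format whose field names are an assumption, and a toy bank that keeps a registry of public keys and a set of transaction numbers it has already honoured. Key distribution between banks is left out; the bank is simply handed the payer's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentOrder is the "pay so much to this person, using this transaction
// number, on this date" message. Field names are assumptions for the example.
type PaymentOrder struct {
	Payer string `json:"payer"`
	Payee string `json:"payee"`
	Cents int64  `json:"cents"`
	TxID  string `json:"tx_id"`
	Date  string `json:"date"`
}

// SignedOrder is what the payer hands to the payee: the serialized order plus
// the payer's signature over exactly those bytes.
type SignedOrder struct {
	Order []byte
	Sig   []byte
}

// Sign serializes the order and signs it with the payer's private key.
func Sign(priv ed25519.PrivateKey, o PaymentOrder) (SignedOrder, error) {
	b, err := json.Marshal(o)
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Order: b, Sig: ed25519.Sign(priv, b)}, nil
}

// Bank holds the public keys it knows (its own customers, plus keys obtained
// from other banks) and the transaction numbers it has already processed.
// Both the payee's bank and the payer's bank run the same Verify.
type Bank struct {
	Keys map[string]ed25519.PublicKey
	Seen map[string]bool
}

func NewBank() *Bank {
	return &Bank{Keys: map[string]ed25519.PublicKey{}, Seen: map[string]bool{}}
}

// Verify checks the signature against the payer's registered public key and
// rejects a transaction number it has seen before, so a captured order
// cannot be presented twice.
func (b *Bank) Verify(s SignedOrder) (PaymentOrder, error) {
	var o PaymentOrder
	if err := json.Unmarshal(s.Order, &o); err != nil {
		return o, err
	}
	pub, ok := b.Keys[o.Payer]
	if !ok {
		return o, errors.New("unknown payer")
	}
	if !ed25519.Verify(pub, s.Order, s.Sig) {
		return o, errors.New("bad signature")
	}
	if b.Seen[o.TxID] {
		return o, errors.New("duplicate transaction number")
	}
	b.Seen[o.TxID] = true
	return o, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bank := NewBank()
	bank.Keys["alice"] = pub
	s, _ := Sign(priv, PaymentOrder{Payer: "alice", Payee: "bob", Cents: 500, TxID: "tx-0001", Date: "2004-07-08"})
	_, err := bank.Verify(s)
	fmt.Println("first presentation:", err)
	_, err = bank.Verify(s)
	fmt.Println("replayed:", err)
}
```

The signature covers the serialized bytes, so any change to the amount or payee after signing fails verification; the transaction number is what stops the same valid order being cashed twice, which is the part the commenter notes gets complicated when settlement is not real time.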
That is so true... thought I had security pretty tight on my Cobalt Qube running Linux... then my ISP called me up telling me I'd already used 30G upload and download for the month after two weeks... I normally have like 400MB for a month on my little family server. The spammers were using the Squid vulnerability to make my box a zombie remailer. Had to slap on greatly increased security onto my firewall! They never logged in to my box at all - simply routed their filthy spam through my open port. From all the hits I got googling my issue, I'd say this is way too common... this is one case where Linux is easier to abuse than windows!
Do you have any links to examples or javascript that can actually do this?
Firefox spoof demonstration. No padlock spoof, though, I believe.
JP
Broadband companies could do more to protect their users and the internet in general - here are a few suggestions:
1. Block outbound port 25 from residential users that OBVIOUSLY have compromised machines sending out hundreds or thousands of emails a day.
2. Provide cable/DSL modems with some NAT/Firewalling capability turned on by default. Tech savvy users will figure out how to forward ports or disable NAT if necessary.
3. Provide free trial anti-virus software with their configuration software.
4. During installation of supplied software, ask the user if they would like to turn on "automatic software updates".
These steps would go a long way to securing 90% of non-tech savvy people. Geeks could ignore all this and go about their business.
-ted
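Suggestion 1 above hinges on telling a compromised machine from a normal one before cutting off port 25. One workable signal is the number of distinct hosts a residential address talks to on port 25: a mail client speaks to its one relay, a spam zombie speaks to hundreds of recipient mail servers. The following is an added example for this page, not ted's code or any ISP's tooling: it runs that rule over a constructed, made-up set of flow records (source, destination, destination port) and returns the sources to flag. The threshold is an assumption and would be tuned in practice.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed flow records for the example: "src_ip dst_ip dst_port".
// 10.0.0.7 behaves like a zombie (many distinct SMTP peers), 10.0.0.8 like
// a normal client (one relay, otherwise HTTPS), 10.0.0.9 uses two relays.
const sampleFlows = `10.0.0.7 203.0.113.10 25
10.0.0.7 203.0.113.11 25
10.0.0.7 203.0.113.12 25
10.0.0.7 203.0.113.13 25
10.0.0.7 203.0.113.14 25
10.0.0.8 198.51.100.5 25
10.0.0.8 198.51.100.5 25
10.0.0.8 198.51.100.5 25
10.0.0.8 198.51.100.9 443
10.0.0.9 198.51.100.5 25
10.0.0.9 198.51.100.6 25`

// DefaultThreshold is the number of distinct port-25 destinations above which
// a source is flagged. Assumed for the example; real deployments tune it.
const DefaultThreshold = 3

// SMTPPeerCounts returns, per source address, how many distinct hosts it
// connected to on port 25. Connections to the same relay count once, so a
// busy but legitimate mail client is not penalised for volume alone.
func SMTPPeerCounts(flows string) map[string]int {
	dests := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(flows))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || f[2] != "25" {
			continue
		}
		if dests[f[0]] == nil {
			dests[f[0]] = map[string]bool{}
		}
		dests[f[0]][f[1]] = true
	}
	counts := map[string]int{}
	for src, d := range dests {
		counts[src] = len(d)
	}
	return counts
}

// FlagSMTPSenders returns the sorted list of sources whose distinct port-25
// peer count exceeds the threshold: candidates for an outbound-25 block.
func FlagSMTPSenders(flows string, threshold int) []string {
	var flagged []string
	for src, n := range SMTPPeerCounts(flows) {
		if n > threshold {
			flagged = append(flagged, src)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	for _, src := range FlagSMTPSenders(sampleFlows, DefaultThreshold) {
		fmt.Println("flag for outbound port 25 block:", src)
	}
}
```

Counting distinct peers rather than raw connections is the point: the "hundreds or thousands of emails a day" in the suggestion is only suspicious when they go to many different mail servers, which is what direct-to-MX spamming from a zombie looks like.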