Slashdot Mirror

← Back to Stories (view on slashdot.org)

20,000 Zombie PCs -- $3000

Posted by samzenpus on from the but-I-wanted-30,000-computers dept.

Saint Aardvark writes "From F-Secure blog comes these links to two USA Today articles on spamming. The first gives an example of how a grandmother ended up becoming a security expert after Comcast cut her connection for spamming. The second quotes spammers advertising networks of Zombie PCs for sale. The price? $3000 for 20,000 machines."

20 of 423 comments (clear)

  1. Whose fault? by RollingThunder · · Score: 5, Insightful

    Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number. ...
    Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.

    Yes, it's her fault. She did something foolish.

    1. Re:Whose fault? by Renraku · · Score: 5, Insightful

      Scams are criminal acts. Thus, the money was removed from the bank due to a criminal act. A bank that loses money to a criminal act that refuses to reimburse its customers might well lose its status as a bank. They took from her, without her permission, money from her bank account. Which is stealing, fraud, etc, etc. Maybe it was her fault it got stolen, but the money was stolen, from the bank.

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    2. Re:Whose fault? by stratjakt · · Score: 5, Insightful

      Maybe technically, but that's not how the law works (thankfully).

      Or do you think every time you hand a credit/debit card to a cashier at K-mart, that gives them the right to start charging things to your account?

      Hell, your account number and routing info is on a cheque. So everyone you write a cheque to gets unlimited access to your chequing account?

      Thinking bigger, all I need is your SSN (easily obtained) to steal your identity and take out a few hundred thou in mortages.

      And it's all your fault! You gave it to me when you came to work for me! Hahahaha.

      If BoA allows any unauthorized person to remove money from my account, it is their fault.

      It doesn't matter how they came across my PIN or account number.

      --
      I don't need no instructions to know how to rock!!!!
    3. Re:Whose fault? by bfields · · Score: 4, Insightful
      If I walk up to you on the street and say "Hey, I'm from Bank of America, I need your bank account information." and then you proceed to give it to me, then it is indeed your fault.

      The closer analogy would be you walking up to me, saying "Hey, the Bank of America is over there", and giving me directions to an address where you have, overnight, erected an identical replica of a bank of america branch. (OK, perhaps the font on the logo is just slightly wrong if I think to look really closely.)

      In retrospect, I shouldn't have trusted directions from a random stranger, but by the time I'm standing there with the bank branch in front of me and the original referral already forgotten, it may not really cross my mind to doubt its legitimacy.

      The real idiocy here is all the banks setting up "secure" websites where you authenticate by sending them one secret (or maybe one of a few secrets), with the result that all it takes is for that secret to be compromised once, and your identity is compromised forever.

      Perhaps this will finally them that they need something better. (Surely some kind of USB dongle/smartcard-like thingy would be cheap enough now?)

      --Bruce Fields

  2. Security Expert? by rvw14 · · Score: 5, Insightful

    Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.

    It is quite sad that a person who just updates their computer and runs a virus scanner is now considered a "security expert."

  3. Re:No wonder... by jazman_777 · · Score: 4, Insightful
    So that's all it takes to be a security expert these days?

    A one-eyed man in the land of the blind is King.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  4. Pay the $3k and clean house by jamezilla · · Score: 5, Insightful
    This sounds like a good deal for the authorities. For 3 grand you get:
    1. a list of machines that need to be cleaned up
    2. a bank account or other information that can be used to track down the spammers/crackers
    I guarantee $3k is cheaper than what it would actually cost tax payers if the authorities did their job with normal investigative work.
    1. Re:Pay the $3k and clean house by Anonymous Coward · · Score: 5, Insightful

      In an economics class I took, we were presented with a case where a bunch of missionaries got together for a project where they would collect alot of money, then go to a third world nation and buy some underage prostitutes, then bring them to the states to give them help, treatment, and a caring foster home to be raised up in.

      It all sounds good on paper until you look at the fact that the people that kidnapped the kids got paid, so they have incentive to repeat the process. The argument was that the better (albeit longer and harder) fight was to make child prostitution not profitable or try to arrest or contain the kidnappers somehow.

      Somehow I think the the spammers would figure out a way to get their money, cover their tracks, and sneak away. I don't think they really care what happens to the 20k zombies. They got their money, weather the zombieNet was used to clean house or actually send spam.

  5. Re:Article attaches no blame to Microsoft by NatasRevol · · Score: 4, Insightful

    Money? Lots and lots of money?

    --
    There are two types of people in the world: Those who crave closure
  6. ISPs could do *so* much here. by Samurai+Cat! · · Score: 4, Insightful

    Just start monitoring for bursts of spam from their clients, and simply *pick up the phone* and *call them.* "Sir, we've detected mass spam coming from your connection. Please clean up your computer. You have one week."

    --

    "People" using "unnecessary" quotes should be "shot".
  7. Re:Article attaches no blame to Microsoft by PhoenixFlare · · Score: 4, Insightful

    And one wonders why users do not recieve some of they blame they rightly deserve, either.

    First lady in the story - obviously had zero protection beforehand, and it took a major problem w/her connection being disconnected before she got some. If nothing else, at least it sounds like she has the concept of basic security down a little better now.

    Second lady mentioned - a single call to her bank for verification would have likely saved her any trouble. I have gotten several "phishing" mails myself, and they are incredibly easy to recognize - often from a bank I have no accounts with or that never sends mail otherwise, they contain grammatical/spelling errors that would never appear in a real mail, and ask for information that the real bank would have absolutely no reason to need verified.

    Third lady mentioned - more Microsoft's fault than the others, due to the security holes. Still, it sounds like she either didn't patch things, opened a nasty attachment, or otherwise brought the software on through her own action. Hard to tell since they don't mention anything by name.

    So yes, Microsoft is evil. But don't fool yourself into thinking that users aren't contributing their share of problems either.

  8. So where are the cops? by Jaywalk · · Score: 4, Insightful
    Breaking into someone else's computer without permission is illegal. A zombie network of 20,000 PCs means that someone has compromised 20,000 computers and, apparently, advertising that fact for personal gain. How hard would it be for a cop to shell out the $2000, then arrest spammer? Of course anyone who has read Sterling's The Hacker Crackdown realizes just how clueless law enforcement can be with technical issues, but this one looks like a no brainer:
    • The perpetrator (a spammer) is almost universally hated.
    • Spammers do real damage.
    • They are doing this damage for a pure profit motive.
    • They are operating out in the open, making for an easy arrest.
    So why are these bozos still in business?
    --
    ===== Murphy's Law is recursive. =====
  9. Re:End Users are Stupid by gorbachev · · Score: 4, Insightful

    How many who drive cars know how to fix it? I certainly don't, nor do I have any desire to learn to fix my car.

    It's not the end users' fault the majority of home computers are by default magnets for virii, trojans, worms and spyware.

    Certain OS manufacturer is at fault here, as well as the Dells and Gateways of the world, who insist on selling zombie networks when solutions to prevent them from occurring have been in place for quite a while.

    --
    In Soviet Russia, I ruled you
  10. Re:Rhetorical question: by einhverfr · · Score: 4, Insightful

    In the world of common users, Linux boxes are about as common as snowcones in hell, too. Macs are almost as common as snowcones in Florida...not quite.

    Insightful??? No. Funny??? Yes.....

    Funny thing is that the author seems to say that Macs are close to ubiquitous (snowcones seem to be likely to be common in Florida because they are a form of hot-weather refreshment) but Linux machines are nowhere.

    Worldwide, Linux machines probably marginally beat Macs in the desktop space. Domestically, Macs are a bit ahead, for now....

    In China, OTOH, legal copies of windows are much more rare than FreeBSD desktops in the US!!!

    --

    LedgerSMB: Open source Accounting/ERP
  11. Re:Rhetorical question: by Richard_at_work · · Score: 4, Insightful

    If the spams outgoing, you dont NEED to run anything on a privileged port, and standard user access will do. So long as the rooted system accepts mail in, even on a non standard port that you can configure your master host to connect to, then it can happily spam everyone else. The mailserver doesnt need to talk FROM port 25.

  12. Re:So, for 3 Grand... by MightyPez · · Score: 5, Insightful

    And I had no clue that in a time when a majority of middle aged and elderly people using PC's with just enough knowledge to turn them on, an elitist asshole could belittle someone who took time out of their life to learn nuances of security on the internet.

  13. Re:So, for 3 Grand... by Chazmati · · Score: 4, Insightful

    She's probably an expert within her peer group. It's all relative, isn't it? :)

  14. Disagree with the "utility" analogy. by mwillems · · Score: 4, Insightful
    "Consumers should demand what they do of other utilities," says Kip McClanahan, CEO of security firm Tipping Point. "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."

    Seems to me this is off the mark, and it typifies what is wrong with our telecom-oriented providers, as they too believe this all too often.

    The provider provides a connection. He does not provide content. ISDN was a gigantic failure because telco's thought they had to provide content, rather than just a reliable connection.

    If I want content, I will buy an AOL subscription. Otherwise, what I expect is not clean water but a reliable liquid movement mechanism. You don't call it a pipe for nothing. The liquid that comes out will be determined by me, not by the provider of pipes!

    MW

    --

    ---
    BDOS ERR ON A:>
  15. MOD PARENT UP by Darkman,+Walkin+Dude · · Score: 4, Insightful

    Oh if I had mod points, my friend, you would be more karma-ful than you are right now. I couldn't agree more. At least she did something about it, instead of sitting ignoring it, hoping it gets better, unlike the other 20,000 plus people mentioned.

    --
    What he can't kill, he has sex on. Trent.
  16. Re:So, for 3 Grand... by abirdman · · Score: 5, Insightful
    But don't you see? It doesn't require a "security expert" to keep a Windows machine clean and virus-free. All it requires is a little software and a clue. People don't purposely install software that will turn their computers into zombies. They do it because they don't understand that opening an email with that "free screensaver" or "hot picture" will infect their machine (and they're right, it shouldn't be that way!). They don't realize that random popups offering Viagra aren't built into the OS and normal, and that they're different from the random popups that Microsoft Update sends. I know and have observed several people (not stupid!) who just routinely close any popup window, don't read any of them, and assume everything is normal.

    If grandma figures that all out, and especially if she tells all her friends, then I have no problem with her calling herself an expert. Don't worry, no prospective employer is going to hire her over someone who knows something, unless maybe she's hired to train end-users in the humdrum tasks of everyday workstation security. Imagine, if you will, a Beowulf Cluster of "grannies-who-get-it" showing everyone they know the nuts and bolts of how not to infect their computers! How to manage Microsoft update, how to d/l, install and run SpyBot S&D, a virus scanner, a spam filter program like POPFile, and maybe even a more secure browser (read, one that doesn't automatically install and run whatever random piece of code it finds on the net). They would do more for overall Internet security than a batallion of security experts preaching arcane router strategies to tired and jaded Network Admins. There would still be occasional viruses, worms, and exploits, but those could be left to the experts. I see no reason to be cynical about this.

    /END OF RANT

    --
    Everything I've ever learned the hard way was based on a statistically invalid sample.