20,000 Zombie PCs -- $3000
Saint Aardvark writes "From F-Secure blog comes these links to two USA Today articles on spamming. The first gives an example of how a grandmother ended up becoming a security expert after Comcast cut her connection for spamming. The second quotes spammers advertising networks of Zombie PCs for sale. The price? $3000 for 20,000 machines."
GTRacer
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
I, for one, welcome our new security grandmother overlord. All bow to thee.
I wonder how the processing power would compare to WETA's supercomputer cluster and their pricing. It would be slower to communicate data among the computers and ensure data quality, but I wonder how it compares.
Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number. ...
Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.
Yes, it's her fault. She did something foolish.
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
So that's all it takes to be a security expert these days? No f'ing wonder there are so many security problems these days
Also, it lightens my heart and makes me feel all warm and fuzzy that it only took "as many as 70,000 pieces of mail" in a day to get Comcast to shut her down.
"When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."
Not without some kind of sauce or dressing. Plain 1's and 0's taste like cardboard.
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
It is quite sad that a person who just updates their computer and runs a virus scanner is now considered a "security expert."
I didn't realize the zombies of voodoo legend were online.
Telenor takes down 'massive' botnet (From the story, they didn't really take down the botnet, just rendered it headless for a little while.)
One line blog. I hear that they're called Twitters now.
I have to say, I don't understand how people get into so much trouble.
Maybe I've been lucky, but I've run a Windows XP system for about a year now (and a Windows 98SE system for about 2 years prior under the same conditions), doing the occasional patches from Windows Update, without a virus scanner or firewall. If I do something stupid that makes me suspect that I've contracted something, I'll drop over to http://housecall.antivirus.com/ and do a quick scan. This generally only happens when I'm trying to find a crack for something on a P2P network and the bastards have embedded a keystroke logger or some other little nasty in a trojan crack package.
Otherwise, I do an occasional glance-over at the list of processes running, and if my modem is lighting up like a Christmas tree I might fire up Sygate Personal Firewall or something just to see what's happening with the traffic, but I've never seen it give me real cause for concern. I still get some port traffic for the old Code Red worms and what not, but nothing that seems to have been really problematic.
As I said, maybe I'm just lucky. Then again, maybe I don't use Internet Explorer or Outlook Express, and maybe that helps a lot. Who knows.:-)
It's interesting that articles like this don't blame Microsoft. One wonders how Microsoft arranges that.
Very few people realise that deploying a cheap effective reverse firewall will save them from being unwitting spam zombies (kinda sounds like sex slaves don't it? It sure is as demeaning!).
Granny had the right ideas.
Home users, please note - a. You need a firewall
b. You need a reverse firewall
c. You need to dump IE and use Firefox
d. You need to try dumping windoze and move on - that puppy is probably crapping all over your machine.
Are these Scooby Doo type zombies? They aren't all that bad; it's just some guy with a mask. As long as it's not the new "Dawn of the Dead" uberzombies I think we'll all be ok, just walk around them.
...the ability to DoS SCO for the rest of the century...priceless.
There are some things money can't buy. For the rest, there's my Zombie Army of Evil.
adam b.
It's funny you should mention computer problems.
Whenever I view this it.slashdot.org site, everything on my screen is all washed-out.
Is this a symptom of being a zombie PC?
suwain_2
- a list of machines that need to be cleaned up
- a bank account or other information that can be used to track down the spammers/crackers
I guarantee $3k is cheaper than what it would actually cost tax payers if the authorities did their job with normal investigative work. Just start monitoring for bursts of spam from their clients, and simply *pick up the phone* and *call them.* "Sir, we've detected mass spam coming from your connection. Please clean up your computer. You have one week."
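The "monitor for bursts of spam from their clients" idea in the post above, worked through as an added example (not code from the thread or from any ISP): a home PC that has been turned into a spam zombie delivers mail directly to many different mail exchangers on port 25, while a normal customer talks only to the ISP's relay. The script below counts, per source address, how many distinct port-25 destinations appear inside a sliding time window and flags sources that exceed a threshold. The flow-record format, the ten-minute window, the 20-destination threshold and all addresses are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real data). Format per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
# 10.0.0.5 behaves like a spam zombie: direct-to-MX delivery to 40 hosts.
# 10.0.0.7 behaves like a normal customer: all mail goes to the ISP relay.
def build_sample_flows():
    base = datetime(2004, 7, 1, 10, 0, 0)
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=7 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 198.51.100.{i + 1} 25")
    for i in range(30):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 192.0.2.1 25")
    # Unrelated web traffic that the detector must ignore.
    lines.append(f"{base.isoformat()} 10.0.0.7 203.0.113.9 80")
    return "\n".join(lines)


SAMPLE_FLOWS = build_sample_flows()


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port) tuples; skip blanks."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows


def outbound_smtp_bursts(flows, window=timedelta(minutes=10), max_distinct_dst=20):
    """Return {src_ip: peak distinct port-25 destinations} for sources whose
    peak inside any `window` exceeds `max_distinct_dst` (assumed threshold)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25:                      # only outbound SMTP matters here
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()                       # sliding window needs time order
        in_window = Counter()               # dst -> count of events in window
        lo = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window ending at `ts`.
            while events[lo][0] < ts - window:
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct_dst:
            flagged[src] = peak
    return flagged


def notices(flagged):
    """Turn flagged sources into the phone-call list the post describes."""
    return [f"{src}: {peak} distinct SMTP destinations in one window; "
            f"customer to be contacted and given one week" for src, peak in sorted(flagged.items())]


if __name__ == "__main__":
    hits = outbound_smtp_bursts(parse_flows(SAMPLE_FLOWS))
    for line in notices(hits):
        print(line)
```

Counting distinct destinations rather than raw message volume is what separates a zombie from a customer who simply sends a lot of mail through the ISP relay; a real deployment would also whitelist the ISP's own relays and tune the window and threshold against observed traffic.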
"People" using "unnecessary" quotes should be "shot".
These people have The Will To Stupid, and cannot be stopped!
- The perpetrator (a spammer) is almost universally hated.
- Spammers do real damage.
- They are doing this damage for a pure profit motive.
- They are operating out in the open, making for an easy arrest.
So why are these bozos still in business?
We get Linux boxes in labs we don't manage hacked all the time. They usually aren't used for SPAM, they are instead used for warez, eggdrops or shells, but they get hacked all the same. Reason is the same too: someone fails to patch their system, and it gets exploited.
Linux needs patching as well because OSS is not immune to security holes. SSH, BIND and even PNG are three off the top of my head that have had security problems in the past. If you run a Linux box that has an SSH server, and you don't patch it when an SSH vulnerability comes out, someone WILL hack it.
Yeah, it's nasty all right.
Wanna be more disgusted, though? Say we did get a good handle on one of them. Well, then the federal prosecutor has a hell of a job on his hands. All he has to do is make 12 people understand how spam works, how they found the guy, why their "searches" were legal, what he was doing, and why it's a crime. Which, if it were possible to make people understand, would have prevented the crime in the first place.
And, if he's really unlucky, the defendant waives jury trial and he instead has to convince one very conservative 70 year old man of all these things.
adam b.
But unless they're running with root privileges (which most distributions don't do by default) you can't overwrite system binaries or executables, or run daemons on privileged ports (like open smtp relays on port 25), etc. I know that the attacker could do things like use nonstandard ports or privilege escalation hacks like buffer overflows, but it's extra work the attacker needs to do, making it a less attractive target (and thus, more secure by default).
I was going to root my GF's box last night... but she gets mad when I refer to it as linux.
If spammers are scammers, can you really expect good value for your money?
I fully expect follow-up news stories on how someone who wanted to open a business online fell for a mass marketing scam, paying spammers thousands of dollars only to see the spammers vanish in thin air with their money.
Stupid? Well, people look at their home computers like their TV or their toaster. Is there any other consumer product that requires so much awareness to run?
Probably only the the automobile. We make people take written and practical tests before they're allowed to drive unsupervised, and then in most places they are expected to get insurance to cover any damage their operation of the car may cause.
Is that where you want to go?
Using a computer on the Internet will never be as simple and relatively safe as using a TV, but it could be moved down the scale of complexity in that direction, by better engineering of Internet software and making ISP managed reverse firewalls part of the standard broadband service.
Granny should be able to just turn on her computer to order to sell her crocheting on ebay or get email with pictures of her grandkids without having to research computer administration. And, when she's done, I think she should be able to flick a massive off switch (like on the old PC/XTs) and watch the CRT raster turn into a little dot, without having to worry that somebody is using her computer when she thinks it is idle. I for one would think that was cool.
How many who drive cars know how to fix it? I certainly don't, nor do I have any desire to learn to fix my car.
It's not the end users' fault the majority of home computers are by default magnets for virii, trojans, worms and spyware.
Certain OS manufacturer is at fault here, as well as the Dells and Gateways of the world, who insist on selling zombie networks when solutions to prevent them from occurring have been in place for quite a while.
In the world of common users, Linux boxes are about as common as snowcones in hell, too. Macs are almost as common as snowcones in Florida...not quite.
Insightful??? No. Funny??? Yes.....
Funny thing is that the author seems to say that Macs are close to ubiquitous (snowcones seem to be likely to be common in Florida because they are a form of hot-weather refreshment) but Linux machines are nowhere.
Worldwide, Linux machines probably marginally beat Macs in the desktop space. Domestically, Macs are a bit ahead, for now....
In China, OTOH, legal copies of windows are much more rare than FreeBSD desktops in the US!!!
If the spam's outgoing, you don't NEED to run anything on a privileged port, and standard user access will do. So long as the rooted system accepts mail in, even on a non-standard port that you can configure your master host to connect to, then it can happily spam everyone else. The mailserver doesn't need to talk FROM port 25.
Does anyone else wonder where MessageLabs gets their statistics? I can't help but wonder at their methodology (though I suspect rectal extraction). I get daily reports on SpamAssassin and my configured DNS block lists for the servers I manage. Their spam traffic doesn't start to approach 95% of inbound messages. After eliminating all internal email from the statistics, SpamAssassin flags about 20% of incoming email as suspicious and SpamHaus blocks another 10% or so. These are not confidential, hard-to-find addresses. These are university servers where staff and faculty are required to have valid email addresses posted on the department web pages. Any spider worth a damn should have harvested them long ago. I find it very hard to believe that this environment is getting 60% less spam than systems that don't provide a directory of valid addresses.
Spam is a problem, but it's time journalists (online and otherwise) start taking stats with a grain of salt. Too many organizations are willing to publish questionable numbers in an attempt to sound like they have thoroughly researched the issue.
Or in the MessageLabs case, to sell a product that will 'solve' the problem.
Using simple tools, I have watched the inbound connection attempts made to my personal computer. Many of these attempt simple http style requests on unregistered ports. The requests are in the form: ttp://www.helllllabs.com/cgi-bin/found_one.cgi or something like that.
Going to the website, I find its one that sells proxies of some form. Gee.
Now this seems like they are signing their own name to their evil deeds. Could this mean anything other than this company is scanning for proxies and registering them using their own website?
That is a leading question that seems typical of a smug linux zealot. A better question would be, 'What is the ratio of zombied linux boxes in proportion to its total installed user base?' Since most people use Windows, it follows that most of the zombie boxes should be windows boxes.
Even that isn't totally informing, as how many of those people who run Windows would be less vulnerable if they ran linux? Most of the problem isn't the OS, but the lack of understanding on how a computer works. If you aren't a skilled admin, you are going to get haxxored regardless of the OS.
I think Linux is a superior idea and platform, but win the argument with sound logic, not snide comments.
Basically the Undead could have rights too, I suppose.
A bank that loses money to a criminal act that refuses to reimburse its customers might well lose its status as a bank.
It didn't "lose" her money. It followed the proper security procedures involving the use of a login name, password, and bank account number.
They took from her, without her permission, money from her bank account.
That's the key: "They took from her." They didn't steal from the bank. There wasn't negligence on the part of the bank. The bank didn't leak her account number, login name, or password. She did. She fell for a scam through no apparent fault of the bank. And now we all pay for it in the form of higher fees, lower savings account interest, etc.
Suppose she was duped into giving her house key to some burglar posing as someone from a carpet cleaning service. Should the mortgage company have to pay when the burglar steals her stuff? Should the home builder? Should the maker of her door lock? Of course not. So why do we treat physical keys so differently than virtual keys (login credentials)? You'd never suggest that anyone but the homeowner was responsible for the loss if they gave their house key to some con artist. So why is the bank responsible when the customer gives away the "keys" to their bank account?
That is so true... thought I had security pretty tight on my Cobalt Qube running Linux... then my ISP called me up telling me I'd already used 30G upload and download for the month after two weeks... I normally have like 400MB for a month on my little family server. The spammers were using the Squid vulnerability to make my box a zombie remailer. Had to slap greatly increased security onto my firewall! They never logged in to my box at all; they simply routed their filthy spam through my open port. From all the hits I got googling my issue, I'd say this is way too common... this is one case where Linux is easier to abuse than windows!
One indication of the going rate for zombie PCs comes from a June 11 posting on SpecialHam.com, an electronic forum for spammers.
And you guys didn't put that link in the main Slashdot article?!?!?! Oh come on! If there's a site that deserves to be slashdotted, that one must be it.
No. It didn't follow the proper security procedures. It followed its choice of security procedures. The success of this kind of phishing scam is evidence that those security procedures are not proper; they're inadequate because they're so easily defeated with a bit of social engineering. The bank needs to design a better security system- one that uses a time-dependent smart card, for instance- so that phishing doesn't work.
Seems to me this is off the mark, and it typifies what is wrong with our telecom-oriented providers, as they too believe this all too often.
The provider provides a connection. He does not provide content. ISDN was a gigantic failure because telco's thought they had to provide content, rather than just a reliable connection.
If I want content, I will buy an AOL subscription. Otherwise, what I expect is not clean water but a reliable liquid movement mechanism. You don't call it a pipe for nothing. The liquid that comes out will be determined by me, not by the provider of pipes!
However it is your responsibility to make sure your car does not fall apart on the road, so you hire people to take care of it. Same thing should be done with home pc's.
Oh if I had mod points, my friend, you would be more karma-ful than you are right now. I couldn't agree more. At least she did something about it, instead of sitting ignoring it, hoping it gets better, unlike the other 20,000 plus people mentioned.
If it hadn't already been published that the list was available (like it's still for sale now that it's public knowledge), this would be a perfect opportunity for Comcast etc. to reclaim some bandwidth. They could team with the FBI/Scotland Yard/Interpol (who would be very interested in such fraud) then buy the list with something traceable.
If the deal is a scam, follow the money and bust the crook. If it's real, follow the money and bust the crook then clean up the zombies on your network.
Basically it's a no lose opportunity.
"Gee, I hate to break it to you, sweetheart, but it WAS your fault. YOU were the gullible one who clicked on the wrong link and gave thieves your username, password and account number!"
WHAT THE HELL???
It was NOT the woman's fault!
The fault rests solely with the thief. If somebody steals money from my bank account, it doesn't matter if they got it at gunpoint or with a fraudulent email; it is not my fault, it is not the bank's fault, it is the thief's fault.
But of course it's so much easier to blame the unsuspecting user. That's the way to get the problem solved -- get rid of the victims!
I hereby advocate the death penalty for assault victims.
(End of Rant)