Slashdot Mirror

← Back to Stories (view on slashdot.org)

20,000 Zombie PCs -- $3000

Posted by samzenpus on from the but-I-wanted-30,000-computers dept.

Saint Aardvark writes "From F-Secure blog comes these links to two USA Today articles on spamming. The first gives an example of how a grandmother ended up becoming a security expert after Comcast cut her connection for spamming. The second quotes spammers advertising networks of Zombie PCs for sale. The price? $3000 for 20,000 machines."

21 of 423 comments (clear)

  1. So, for 3 Grand... by GTRacer · · Score: 5, Funny
    ...Can I get folding@home running on those 20 thousand boxes?

    GTRacer
    - Things to do

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    1. Re:So, for 3 Grand... by NotQuiteReal · · Score: 5, Funny
      No - but you can spam a lot of people and ask them if they would like to run folding@home.

      Probably a lot of them would, after all look how many people clicked on something to become a zombie in the first place...

      --
      This issue is a bit more complicated than you think.
    2. Re:So, for 3 Grand... by xmas2003 · · Score: 5, Funny
      I bet I get modd'ed down into oblivion, but rather than send Email to 20,000 people about my folding@home team, would it be OK if I posted it here for 20,000 Slashdotters to consider joining?!? ;-)

      BTW, I'm really surprised that the 20,000 PC's are "only" $3,000 - seems like you could have 'em do clicks on Google Ads or other affliiate type stuff and make a lot more than that ... assuming you don't get caught.

      --
      Hulk SMASH Celiac Disease
    3. Re:So, for 3 Grand... by MightyPez · · Score: 5, Insightful

      And I had no clue that in a time when a majority of middle aged and elderly people using PC's with just enough knowledge to turn them on, an elitist asshole could belittle someone who took time out of their life to learn nuances of security on the internet.

    4. Re:So, for 3 Grand... by abirdman · · Score: 5, Insightful
      But don't you see? It doesn't require a "security expert" to keep a Windows machine clean and virus-free. All it requires is a little software and a clue. People don't purposely install software that will turn their computers into zombies. They do it because they don't understand that opening an email with that "free screensaver" or "hot picture" will infect their machine (and they're right, it shouldn't be that way!). They don't realize that random popups offering Viagra aren't built into the OS and normal, and that they're different from the random popups that Microsoft Update sends. I know and have observed several people (not stupid!) who just routinely close any popup window, don't read any of them, and assume everything is normal.

      If grandma figures that all out, and especially if she tells all her friends, then I have no problem with her calling herself an expert. Don't worry, no prospective employer is going to hire her over someone who knows something, unless maybe she's hired to train end-users in the humdrum tasks of everyday workstation security. Imagine, if you will, a Beowulf Cluster of "grannies-who-get-it" showing everyone they know the nuts and bolts of how not to infect their computers! How to manage Microsoft update, how to d/l, install and run SpyBot S&D, a virus scanner, a spam filter program like POPFile, and maybe even a more secure browser (read, one that doesn't automatically install and run whatever random piece of code it finds on the net). They would do more for overall Internet security than a batallion of security experts preaching arcane router strategies to tired and jaded Network Admins. There would still be occasional viruses, worms, and exploits, but those could be left to the experts. I see no reason to be cynical about this.

      /END OF RANT

      --
      Everything I've ever learned the hard way was based on a statistically invalid sample.
  2. Obligatory by Anonymous Coward · · Score: 5, Funny

    I, for one, welcome our new security grandmother overlord. All bow to thee.

    1. Re:Obligatory by Rubberpants.net · · Score: 5, Funny

      "Now you listen here young man! The next time I catch you spoofing e-mail headers I'm not bringing you down milk and cookies!" *whack!*

  3. Whose fault? by RollingThunder · · Score: 5, Insightful

    Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number. ...
    Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.

    Yes, it's her fault. She did something foolish.

    1. Re:Whose fault? by Renraku · · Score: 5, Insightful

      Scams are criminal acts. Thus, the money was removed from the bank due to a criminal act. A bank that loses money to a criminal act that refuses to reimburse its customers might well lose its status as a bank. They took from her, without her permission, money from her bank account. Which is stealing, fraud, etc, etc. Maybe it was her fault it got stolen, but the money was stolen, from the bank.

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    2. Re:Whose fault? by stratjakt · · Score: 5, Insightful

      Maybe technically, but that's not how the law works (thankfully).

      Or do you think every time you hand a credit/debit card to a cashier at K-mart, that gives them the right to start charging things to your account?

      Hell, your account number and routing info is on a cheque. So everyone you write a cheque to gets unlimited access to your chequing account?

      Thinking bigger, all I need is your SSN (easily obtained) to steal your identity and take out a few hundred thou in mortages.

      And it's all your fault! You gave it to me when you came to work for me! Hahahaha.

      If BoA allows any unauthorized person to remove money from my account, it is their fault.

      It doesn't matter how they came across my PIN or account number.

      --
      I don't need no instructions to know how to rock!!!!
    3. Re:Whose fault? by Anonymous Coward · · Score: 5, Informative

      Actually, the problem is far worse than this.

      With the ability to register unicode domain names, you may indeed see www.citibank.com and have no idea that the "a" is from the russian alphabet and therefore points to a different server and IP, even though visually, right down to the pixel, they are identical.

      All browsers should show warnings for any domain containing characters from multiple languages, or not permit them at all. I can think of no legitimate use for them.

  4. From the article by Rubberpants.net · · Score: 5, Funny

    "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."

    Not without some kind of sauce or dressing. Plain 1's and 0's taste like cardboard.

  5. Security Expert? by rvw14 · · Score: 5, Insightful

    Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.

    It is quite sad that a person who just updates their computer and runs a virus scanner is now considered a "security expert."

  6. Re:No wonder... by bludstone · · Score: 5, Funny

    Holy crap. That makes me a secuirty expert! Time to update the resume!

    --

    no .sig
  7. Voodoo Legend by MikeMacK · · Score: 5, Funny
    And, much like zombies of voodoo legend, they mindlessly do the bidding of their masters and help commit crimes online.

    I didn't realize the zombies of voodoo legend were online.

  8. Odd. by nathan+s · · Score: 5, Interesting

    I have to say, I don't understand how people get into so much trouble.

    Maybe I've been lucky, but I've ran a Windows XP system for about a year now (and a Windows 98SE system for about 2 years prior under the same conditions), doing the occasional patches from Windows Update, without a virus scanner or firewall. If I do something stupid that makes me suspect that I've contracted something, I'll drop over to http://housecall.antivirus.com/ and do a quick scan. This generally only happens when I'm trying to find a crack for something on a P2P network and the bastards have embedded a keystroke logger or some other little nasty in a trojan crack package.

    Otherwise, I do an occasional glance-over at the list of processes running, and if my modem is lighting up like a Christmas tree I might fire up Sygate Personal Firewall or something just to see what's happening with the traffic, but I've never seen it give me real cause for concern. I still get some port traffic for the old Code Red worms and what not, but nothing that seems to have been really problematic.

    As I said, maybe I'm just lucky. Then again, maybe I don't use Internet Explorer or Outlook Express, and maybe that helps a lot. Who knows.:-)

    --
    picpix image polls. create - share - vote. fun!
  9. The price? $3000 for 20,000 machines... by Onimaru · · Score: 5, Funny

    ...the ability to DoS SCO for the rest of the century...priceless.

    There are some things money can't buy. For the rest, there's my Zombie Army of Evil.

    --
    adam b.
  10. Pay the $3k and clean house by jamezilla · · Score: 5, Insightful
    This sounds like a good deal for the authorities. For 3 grand you get:
    1. a list of machines that need to be cleaned up
    2. a bank account or other information that can be used to track down the spammers/crackers
    I guarantee $3k is cheaper than what it would actually cost tax payers if the authorities did their job with normal investigative work.
    1. Re:Pay the $3k and clean house by Anonymous Coward · · Score: 5, Insightful

      In an economics class I took, we were presented with a case where a bunch of missionaries got together for a project where they would collect alot of money, then go to a third world nation and buy some underage prostitutes, then bring them to the states to give them help, treatment, and a caring foster home to be raised up in.

      It all sounds good on paper until you look at the fact that the people that kidnapped the kids got paid, so they have incentive to repeat the process. The argument was that the better (albeit longer and harder) fight was to make child prostitution not profitable or try to arrest or contain the kidnappers somehow.

      Somehow I think the the spammers would figure out a way to get their money, cover their tracks, and sneak away. I don't think they really care what happens to the 20k zombies. They got their money, weather the zombieNet was used to clean house or actually send spam.

  11. Tired of inflated stats by shogarth · · Score: 5, Interesting
    In July, spam made up 94.5% of e-mail traffic, nearly double from a year before, says e-mail management firm MessageLabs.

    Does anyone else wonder where MessageLabs gets their statistics? I can't help but wonder at their methodology (though I suspect rectal extraction). I get daily reports on SpamAssassin and my configured DNS block lists for the servers I manage. Their spam traffic doesn't start to approach 95% of inbound messages. After eliminating all internal email from the statistics, SpamAssassin flags about 20% of incoming email as suspicious and SpamHaus blocks another 10% or so. These are not confidential, hard-to-find addresses. These are university servers where staff and faculty are required to have valid email addresses posted on the department web pages. Any spider worth a damn should have harvested them long ago. I find it very hard to believe that this environment is getting 60% less spam than systems that don't provide a directory of valid addresses.

    Spam is a problem, but it's time journalists (online and otherwise) start taking stats with a grain of salt. Too many organizations are willing to publish questionable numbers in an attempt to sound like they have thoroughly researched the issue.

    Or in the MessageLabs case, to sell a product that will 'solve' the problem.

  12. SpecialHam.com? by sdo1 · · Score: 5, Funny
    From the USA Today article...

    One indication of the going rate for zombie PCs comes from a June 11 posting on SpecialHam.com, an electronic forum for spammers.

    And you guys didn't put that link in the main Slashdot article?!?!?! Oh come on! If there's a site that deserves to be slashdotted, that one must be it.

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?