Zombie Networks On The Rise
A reader writes "According to Symantec via the BBC online, Zombie PC nets are growing very fast. Of course, it should also note that Symantec may want those numbers to be as scary as possible." ITMJ is part of OSTG, like Slashdot. There's also a NY Times story on it.
You too can learn to link to the NYT without registering.
Here's the reg-free link:
http://www.nytimes.com/2004/09/20/technology/20secure.html?ex=1253419200&en=651229ed583b13bc&ei=5090&partner=rssuserland
This is another case where NAT should be used to protect our more feeble computer-using companions. Click here for my previous comment on the subject.
NAT really would stop all these types of things from happening by just purchasing a $50 router for our friends and family. We're never going to be able to teach them, so just give in and recommend a hardware-based solution they don't have to manage.
Chris
I mean, for example - on IRC people used to make spambots and run them off of their shells or even their own PCs. Now it's zombified machines that do the spamming. There was (is?) a huge problem on Undernet not so long ago, for instance, where myriads of hosts were used to promote a certain website under false pretenses, fooling people into accepting a DCC send request or even downloading a file from the said website and infecting their machine to have more spam bots.
There is also quite a different kind of firewall - the reverse one, ideally implemented outside the user's PC (cable modem/ISP router/etc) that blocks outgoing attacks in case the PC gets zombified. Too bad this is probably too costly to happen on a mass scale.
...you're not aware of what a zombie network, or zombie is then:
"A zombie computer is a computer attached to the Internet that has a hidden software program, a "backdoor". This backdoor allows the computer to be remote-controlled by others.
A Zombie Computer army can then be used for the purpose of Denial of Service attacks (DDoS).
A single Zombie Computer can send unsolicited e-mails (spamming).
Backdoors are often installed with spammed trojans or e-mail worms."
http://en.wikipedia.org/wiki/Zombie_computer
"A Botnet [Zombie Network] is a collection of hosts (bots) under a common command and control infrastructure. Often the command and control is an IRC server or a specific channel on a public IRC network. A bot typically has an agent client such as an IRC client and programs that are activated through the command and control infrastructure. Generally botnets are made up of compromised systems with scan, exploit and attack tools all used for nefarious purposes including denial of service attacks or sending of spam. Miscreants running these rogue botnets do so for reasons varying from fun to profit, with botnets often at war with each other. Popular botnet malware in 2004 includes agobot, phatbot, rbot, rxbot and sdbot.
Spam attacks originating from a Botnet can be identified by passive OS fingerprinting, a technique first introduced in OpenBSD in the venerable pf packet filter. Newer firewall equipment can be configured to take action when a botnet is attacking by using information obtained from passive OS fingerprinting."
http://en.wikipedia.org/wiki/Botnet
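An added example, not from the thread, from Wikipedia or from pf itself, of what the passive OS fingerprinting mentioned above looks like in practice: a small Python matcher reads the TTL, window size, DF bit and option layout of a TCP SYN, normalises the observed TTL back to the sender's initial value (each router hop decrements it by one), looks the result up in a signature table, and then applies the kind of policy the quote alludes to, sending SMTP connections from hosts that fingerprint as desktop Windows down a slow path rather than accepting them outright. The signature values, the OS labels, the `smtp_verdict` policy and the sample SYNs are assumptions constructed for the example; real p0f/pf tables are larger and key on more fields (MSS, window scaling, quirks).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SynFeatures:
    ttl: int                   # IP TTL as seen on the wire
    window: int                # TCP window announced in the SYN
    df: bool                   # IP "don't fragment" flag
    options: Tuple[str, ...]   # TCP option kinds, in order


# Signature table keyed on initial TTL, window, DF and option layout.
# ASSUMPTION: simplified, illustrative values for the example; real
# p0f/pf fingerprint databases are larger and more precise.
SIGNATURES = {
    "Windows desktop": SynFeatures(128, 65535, True, ("MSS", "NOP", "NOP", "SACK")),
    "Linux 2.4/2.6":   SynFeatures(64, 5840, True, ("MSS", "SACK", "TS", "NOP", "WS")),
    "OpenBSD":         SynFeatures(64, 16384, True,
                                   ("MSS", "NOP", "NOP", "SACK", "NOP", "WS", "NOP", "NOP", "TS")),
}


def initial_ttl(observed: int) -> int:
    """Recover the sender's initial TTL: the smallest common OS default
    (32, 64, 128, 255) at or above the value that reached us."""
    for default in (32, 64, 128, 255):
        if observed <= default:
            return default
    return 255


def fingerprint(syn: SynFeatures) -> Optional[str]:
    """Return the OS label whose signature matches this SYN, or None."""
    normalised = SynFeatures(initial_ttl(syn.ttl), syn.window, syn.df, syn.options)
    for name, sig in SIGNATURES.items():
        if normalised == sig:
            return name
    return None


def smtp_verdict(os_name: Optional[str]) -> str:
    """Policy hook (assumption): legitimate mail relays are almost never
    desktop Windows boxes, so a port-25 SYN with that fingerprint is
    greylisted or rate-limited instead of accepted outright."""
    if os_name == "Windows desktop":
        return "suspect-zombie"
    if os_name is None:
        return "unknown"
    return "accept"


# Constructed sample SYNs: (source IP, destination port, features).
# Documentation-range addresses, not real hosts.
SAMPLE_SYNS = [
    # a Windows box 15 hops away (TTL 128 - 15 = 113)
    ("192.0.2.10", 25, SynFeatures(113, 65535, True, ("MSS", "NOP", "NOP", "SACK"))),
    # a Linux MTA 12 hops away
    ("198.51.100.7", 25, SynFeatures(52, 5840, True, ("MSS", "SACK", "TS", "NOP", "WS"))),
    # an OpenBSD host 3 hops away
    ("203.0.113.3", 25, SynFeatures(61, 16384, True,
                                    ("MSS", "NOP", "NOP", "SACK", "NOP", "WS", "NOP", "NOP", "TS"))),
    # something not in the table at all
    ("203.0.113.9", 25, SynFeatures(240, 8192, False, ("MSS",))),
]


def classify_smtp(records) -> List[Tuple[str, Optional[str], str]]:
    """Fingerprint every SYN aimed at port 25 and attach the policy verdict."""
    out = []
    for src, dport, syn in records:
        if dport != 25:
            continue
        os_name = fingerprint(syn)
        out.append((src, os_name, smtp_verdict(os_name)))
    return out


if __name__ == "__main__":
    for src, os_name, verdict in classify_smtp(SAMPLE_SYNS):
        print(f"{src:15} {str(os_name):16} {verdict}")
```

The TTL normalisation is what makes this usable on a real network: the same Windows stack shows up with TTL 113, 120 or 127 depending on how far away it is, and matching on the raw value would miss all of them. The verdict is a triage signal, not proof; a Windows host that fingerprints as a desktop may still be a legitimately configured small-office mail relay, which is why greylisting rather than outright rejection is the usual response.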
That's all well and good if you can afford to update. A lot of people don't see the need to spend the money for a new PC if the one they have does what they need. Any machine running 98 will likely not be able to run XP, and $500US for a cheap Dell is outside some people's budgets.
Personally I have made more money freelancing in IT in the past few months than ever before. I have a great recipe.
1 - uninstall whatever virus scanner they have. Norton is absolute crap. AntiVir catches more nasties, uses far less resources, is 100% free, and overall is a better product. Install it and update it.
Install Ad-Aware and update it, install Spybot Search and Destroy and update it, and then install HijackThis.
Then reboot the Windows machine into safe mode. This BLOCKS most spyware and bugs from running so you can eliminate them. Run an AntiVir full scan on all files, set to clean then delete, and look for all unwanted types of programs.
After that is done, reboot back to safe mode and run Ad-Aware, do what it wants to clean, then Spybot Search and Destroy, do what it says, then finally HijackThis to look for the typical nasties that are left clinging around.
Finally I install StartupMonitor for the user, which will give you a warning box every time ANYTHING tries to insert itself in the registry to run as soon as the computer boots, and allows you to block that action.
Then, after it's clean and in a normal boot I no longer detect any virus or crapware, I give it back to the user with a list of what I did, what I added and how it works, and finally a note that this will not immunize them, but they can and will start getting this crap again the second they start hitting the net again. I tell them they can limit the re-infection rate if they install and use Mozilla and Mozilla Mail.
They also get a CD with all the apps I installed plus the latest Mozilla.
All that gets me $150.00 a pop. I usually have 3 of them on my bench running my process every day.
Local computer "experts" are charging $250.00 and only re-install the OS; they do not offer a cleaning.
Needless to say, I'm cleaning up.
Do not look at laser with remaining good eye.
I've been troubleshooting slow network connections at two of our remote offices, and I found something very interesting. Both of the offices are connected to us via a Cisco VPN. Each of the offices is connected to the internet via a PIX firewall and cable modem. During the past year I've seen the performance of these links deteriorate to worse than ISDN speed performance - here's why:
It seems these cable modem networks are flooded with zombie machines constantly scanning networks for vulnerable hosts to infect. Cisco's floodguard freaks out and thinks that its internet connection is being DDoS attacked and starts discarding packets it thinks are malicious.
Well, it seems that Cisco's algorithm for determining malicious packets isn't perfect, so it throws out the baby with the bathwater... resulting in a REALLY slow connection.
After disabling floodguard the links were back up to 3 Mbps and 10 Mbps.
So if your networks are zombie free, and you can't figure out why your internet connection sucks and you are running floodguard, try disabling it and running some tests.
-ted
Yeah - lord knows that there are no free antivirus programs (AVG), or spyware removal tools (Spybot and AdAware).
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
I'll agree that running AntiVirus on all systems is a good practice, but the Samba share and the UNIX system aren't really to blame for obtaining the virus in the first place. The situation you're describing looks like:
MS Win32 system gets virus
MS Win32 system saves virus to network share
Other MS Win32 systems access saved virus file
MS Win32 systems compromised
You're right that a file server should run AntiVirus, but the real problem is allowing the virus onto your network in the first place.
get a virus that does keylogging, and they log in again...guess what...it did affect the *nix server.
True that the *nix server could be affected, but it's really due to a compromise on the MS Win32 system.
This is only partially true. IE vulnerabilities are numerous, but they aren't the most dangerous. To take advantage of them, the user has to load a malicious WWW page.
And you trust every web page you load, do you? Even though there are plenty of times a supposedly trustworthy website has been compromised?
I am a sysadmin for a hosting company, and I cannot tell you guys how many spam zombies are out there; they are growing and they are scary. They will target a domain and spew out thousands of alphanumeric combinations hoping to land one delivery. We had so much trouble with one customer that he had to change his domain name; it is really bad... I am now starting to support the trend of ISPs blocking port 25 altogether, and only allowing email out via their mail servers (so they can make sure their users are not spam zombies). Spam sux :(
photoplankton
I get a lot of sshd too.
Yesterday (19th Sept) it was 213.33.89.156 and 205.209.151.40---(OrgName: Managed Solutions Group, Inc. --- Ouch!!!)
On the 18th it was 64.163.55.45 and 62.193.232.55.
17th, 211.10.156.25
16th, 200.143.125.194
etc. etc.
They try a root, a bunch of names and I suspect default application passwords.
They seem to be cycling through IPs. There isn't much "interleave" between IPs so it looks like these boxen are part of a timed (coordinated) attack.
Using nmap, they look like RedHat boxen but nmap didn't know exactly which version. Haven't they heard of the great taste of Yum?
Cheers,
-b
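As an added example, not the poster's own tooling, here is the kind of script a defender would run over /var/log/auth.log to confirm what -b describes: it parses OpenSSH "Failed password" lines, counts attempts and distinct usernames per source, and checks whether the sources take turns rather than overlapping in time, the "cycling through IPs" pattern of a coordinated sweep. The log lines, the hostname `gw`, the IPs (documentation ranges) and the thresholds are constructed for the example; the field layout follows the standard OpenSSH syslog format, and the year is supplied separately because syslog timestamps omit it.

```python
import re
from datetime import datetime
from typing import Dict, List

# OpenSSH syslog line for a rejected password. "invalid user" is present when
# the account does not exist at all, so it is optional in the pattern.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: three nights of auth.log from three different sources,
# plus one genuine typo by a local user that should NOT be flagged.
SAMPLE_LOG = """\
Sep 16 02:11:03 gw sshd[2201]: Failed password for root from 192.0.2.44 port 4120 ssh2
Sep 16 02:11:05 gw sshd[2203]: Failed password for invalid user admin from 192.0.2.44 port 4121 ssh2
Sep 16 02:11:07 gw sshd[2205]: Failed password for invalid user test from 192.0.2.44 port 4122 ssh2
Sep 16 02:11:09 gw sshd[2207]: Failed password for invalid user oracle from 192.0.2.44 port 4123 ssh2
Sep 16 02:11:11 gw sshd[2209]: Failed password for root from 192.0.2.44 port 4124 ssh2
Sep 17 04:30:40 gw sshd[2640]: Failed password for root from 198.51.100.17 port 3301 ssh2
Sep 17 04:30:42 gw sshd[2642]: Failed password for invalid user guest from 198.51.100.17 port 3302 ssh2
Sep 17 04:30:44 gw sshd[2644]: Failed password for invalid user admin from 198.51.100.17 port 3303 ssh2
Sep 17 04:30:46 gw sshd[2646]: Failed password for invalid user mysql from 198.51.100.17 port 3304 ssh2
Sep 17 04:30:48 gw sshd[2648]: Failed password for root from 198.51.100.17 port 3305 ssh2
Sep 18 01:05:12 gw sshd[3010]: Failed password for root from 203.0.113.61 port 2210 ssh2
Sep 18 01:05:14 gw sshd[3012]: Failed password for invalid user admin from 203.0.113.61 port 2211 ssh2
Sep 18 01:05:16 gw sshd[3014]: Failed password for invalid user test from 203.0.113.61 port 2212 ssh2
Sep 18 01:05:18 gw sshd[3016]: Failed password for invalid user user from 203.0.113.61 port 2213 ssh2
Sep 18 01:05:20 gw sshd[3018]: Failed password for root from 203.0.113.61 port 2214 ssh2
Sep 18 09:15:00 gw sshd[3105]: Failed password for bob from 192.0.2.200 port 51022 ssh2
Sep 18 09:15:04 gw sshd[3105]: Accepted password for bob from 192.0.2.200 port 51022 ssh2
"""


def parse_failures(log_text: str, year: int = 2004) -> Dict[str, dict]:
    """Per-source statistics: attempt count, usernames tried, first/last time."""
    stats: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        s = stats.setdefault(m["ip"], {"attempts": 0, "users": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["users"].add(m["user"])
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def brute_force_sources(stats: Dict[str, dict], min_attempts: int = 5, min_users: int = 3) -> List[str]:
    """Sources that hammer several different usernames: the dictionary pattern.
    A single mistyped password from one account never reaches the thresholds."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_users)


def rotating_sources(stats: Dict[str, dict], ips: List[str]) -> bool:
    """True when the given sources' activity windows never overlap, i.e. each
    one works its shift and hands off to the next (a timed, coordinated sweep)."""
    windows = sorted((stats[ip]["first"], stats[ip]["last"]) for ip in ips)
    if len(windows) < 2:
        return False
    return all(prev_end < next_start
               for (_, prev_end), (next_start, _) in zip(windows, windows[1:]))


if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG)
    bad = brute_force_sources(stats)
    for ip in bad:
        s = stats[ip]
        print(f"{ip}: {s['attempts']} attempts, users={sorted(s['users'])}, "
              f"{s['first']:%b %d %H:%M} - {s['last']:%H:%M}")
    print("non-overlapping (rotating) sources:", rotating_sources(stats, bad))
```

The non-overlap check is deliberately strict; on a busy gateway several unrelated scanners will overlap and the function will return False even though each source individually is clearly brute-forcing. In that case the per-source list is still the actionable output (feed it to a blocklist or to a rate-limiting rule), and the rotation test is only a hint that the sources share an operator.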
It's the only 98 machine I use as all my other ones are Linux or XP. It's at my company's office running legacy DOS applications that don't run well under XP, much less Linux/BSD. I also use it for e-mail and web browsing. I've had zero trouble with viruses, worms, trojans, and all the other flavors of malware because I use a little common sense, don't use IE or Outlook, and do use the AVG virus scanner (which never goes off), the Zone Alarm freebie firewall and Ad-Aware.
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
that have nothing to do with the implementing programming language.
Remember the URL path hacks, esp. on Macs? foobar:/local/path links combined with location.href redirecting javascript... no buffer overflows there.
Many of the old Outlook flaws that propagated some huge viruses and worms were because of how shittily it handled MIME types and what attachments should be activated in the preview pane...
Again.
Sometimes the biggest problems aren't the much-maligned buffer overflows but people figuring out how to use features of software in ways that were not intended.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
ClamAV or F-Prot are both good virus scanners for Linux, which are free for home use (Or completely open in the case of ClamAV). Both will scan your samba shares, and can be automated in a number of ways. Both seem to be maintained and updated quite frequently.
This bugger was really tough to remove. I tried Ad-Aware and Panda and any other "auto removal" tools that I could find. These efforts got me to the point where the homepage was no longer being affected.
But through the process, I got introduced to "HijackThis" and "FindNFix" which is (or was at the time) more of an analysis tool than a repair tool. Using these tools, I was able to see that my efforts were only partially successful. Even though my homepage was no longer changing, I continued to have a persistent BHO that I could not get rid of. Or rather, once removed, it would re-appear on each reboot, usually with a different name.
I came to the realization that I was infected by a dormant bot. And that any time I started my browser, the bot would "phone home" and receiving no instructions, would do nothing. I knew that the day was coming when this bot would be instructed to do something besides nothing, and my computer would be enlisted as a soldier in a "drone army".
Because the "phone home" occurs as an http request via port 80, it occurs almost undetectably (I could see it happening via tcpdump on my firewall) and it is essentially impossible to block, unless you block web browsing to your user population.
This is the new evil.
I don't know that we have seen these drone armies put to use yet. The possibilities are frightening.
I see many posts, by the uninformed, that say: Patch 'em up. Scan 'em thoroughly and run your Ad-Aware. You'll be safe then. Don't be misled. This infection is more stealthy than that.
In the end, it took me several hours to learn how to remove this infection. I used the tools listed above, and some procedures I found documented in the news groups. I had to disable recovery, boot into safe mode, move (rename) the file three times and only then did my diagnostics come up clean.
I don't want to needlessly frighten anyone, but this one really scares the bejeesus out of me.
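The "phone home" described in this post is hard to block but not hard to notice: a bot that polls its controller does so on a timer, and timer-driven connections have far more regular inter-arrival gaps than a person's browsing. The following Python, added here and not part of the original post or of any tool it names, takes outbound port-80 connection records (the sort one would pull from a firewall log or from the tcpdump the poster mentions), groups them by source/destination pair and flags pairs whose gaps have a low coefficient of variation. The timestamps, hostnames, destination addresses and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed connection log: (epoch seconds, source host, destination, dst port).
BASE = 1_095_552_000  # arbitrary epoch start for the sample


def _times(offsets: List[int]) -> List[int]:
    return [BASE + o for o in offsets]


# A bot polling its controller roughly every ten minutes with a little jitter...
_BEACON = _times([0, 600, 1210, 1805, 2410, 3010, 3608])
# ...versus a person browsing in the same hour: bursts, then long idle stretches.
_BROWSING = _times([0, 2, 3, 40, 41, 900, 901, 902, 3000, 3001, 3600, 3602])

SAMPLE_CONNECTIONS: List[Tuple[int, str, str, int]] = (
    [(t, "ws-12", "203.0.113.80", 80) for t in _BEACON]
    + [(t, "ws-12", "www.example.com", 80) for t in _BROWSING]
    + [(t, "ws-07", "www.example.com", 80) for t in _times([100, 105, 700])]
)


def gap_statistics(times: List[int]) -> Tuple[float, float]:
    """Mean gap between successive connections and its coefficient of
    variation (stddev / mean). A CV near zero means a clock is driving it."""
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0, float("inf")
    return mean, statistics.pstdev(gaps) / mean


def beacon_candidates(records, min_connections: int = 6, max_cv: float = 0.15):
    """Return (src, dst, mean_gap_seconds, cv) for pairs whose timing looks
    timer-driven. Pairs with too few connections are skipped: regularity
    cannot be judged from two or three samples."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, dst, port in records:
        if port == 80:
            by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        mean, cv = gap_statistics(times)
        if cv <= max_cv:
            found.append((src, dst, round(mean), round(cv, 3)))
    return sorted(found)


if __name__ == "__main__":
    for src, dst, mean, cv in beacon_candidates(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}: every ~{mean}s (cv={cv})")
```

Legitimate software beacons too: antivirus updaters, RSS readers and time-sync clients all poll on a schedule, so the output is a triage list to check against known-good destinations, not a verdict. What makes the list useful is that it is short; out of a day of web traffic only the handful of pairs with clock-like spacing survive, and an unfamiliar destination among them is exactly the dormant bot the poster found by hand in tcpdump.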