Zombie Networks On The Rise
A reader writes: "According to Symantec via the BBC online, Zombie PC nets are growing very fast. Of course, it should also note that Symantec may want those numbers to be as scary as possible." ITMJ is part of OSTG, like Slashdot. There's also a NY Times story on it.
You too can learn to link to the NYT without registering.
Here's the reg-free link...
http://www.nytimes.com/2004/09/20/technology/20secure.html?ex=1253419200&en=651229ed583b13bc&ei=5090&partner=rssuserland
I mean, for example: on IRC people used to make spambots and run them off their shells or even their own PCs. Now it's zombified machines that do the spamming. There was (is?) a huge problem on Undernet not so long ago, for instance, where myriads of hosts were used to promote a certain website under false pretenses, fooling people into accepting a DCC send request or even downloading a file from the said website and infecting their machine to make more spam bots.
There is also quite a different kind of firewall - the reverse one, ideally implemented outside the user's PC (cable modem/ISP router/etc) that blocks outgoing attacks in case the PC gets zombified. Too bad this is probably too costly to happen on a mass scale.
That's all well and good if you can afford to update. A lot of people don't see the need to spend money on a new PC if the one they have does what they need. Any machine running 98 will likely not be able to run XP, and US$500 for a cheap Dell is outside some people's budgets.
Personally I have made more money freelancing in IT the past few months than ever before. I have a great recipe.
1 - Uninstall whatever virus scanner they have. Norton is absolute crap. AntiVir catches more nasties, uses far less resources, is 100% free, and overall is a better product. Install it and update it.
2 - Install Ad-Aware and update it, install Spybot Search & Destroy and update it, and then install HijackThis.
3 - Then reboot the Windows machine into safe mode. This BLOCKS most spyware and bugs from running so you can eliminate them. Run an AntiVir full scan on all files, set to clean then delete, and look for all unwanted types of programs.
4 - After that is done, reboot back into safe mode and run Ad-Aware, do what it wants to clean, then Spybot Search & Destroy, do what it says, then finally HijackThis to look for the typical nasties that are left clinging around.
5 - Finally I install StartupMonitor for the user, which will give you a warning box every time ANYTHING tries to insert itself in the registry to run as soon as the computer boots, and allows you to block that action.
6 - Then, after it's clean and in a normal boot I no longer detect any virus or crapware, I give it back to the user with a list of what I did, what I added and how it works, and finally a note that this will not immunize them, but they can and will start getting this crap again the second they start hitting the net again. I tell them they can limit the re-infection rate if they install and use Mozilla and Mozilla Mail.
They also get a CD with all the apps I installed plus the latest Mozilla.
All that gets me $150.00 a pop. I usually have 3 of them on my bench running my process every day.
Local computer "experts" are charging $250.00 and only re-install the OS; they do not offer a cleaning.
Needless to say, I'm cleaning up.
Do not look at laser with remaining good eye.
I've been troubleshooting slow network connections at two of our remote offices, and I found something very interesting. Both of the offices are connected to us via a Cisco VPN. Each of the offices is connected to the internet via a PIX firewall and cable modem. During the past year I've seen the performance of these links deteriorate to worse than ISDN speed performance - here's why:
It seems these cable modem networks are flooded with zombie machines constantly scanning networks for vulnerable hosts to infect. Cisco's floodguard freaks out, thinks that its internet connection is being DDoS attacked, and starts discarding packets it thinks are malicious.
Well, it seems that Cisco's algorithm for determining malicious packets isn't perfect, so it throws out the baby with the bathwater, resulting in a REALLY slow connection.
After disabling floodguard the links were back up to 3 Mbps and 10 Mbps.
So if your networks are zombie free, and you can't figure out why your internet connection sucks and you are running floodguard, try disabling it and running some tests.
-ted
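The scanning traffic and the heuristic-gone-wrong that ted describes are easy to reproduce in miniature. What follows is an added example, not code from the thread, from Cisco, or from any product named here: a small Python scan detector run over constructed firewall-style log lines (one "timestamp src dst dport flags" record per line, where S means a SYN with no reply seen and SA a completed handshake; the format, the thresholds and the addresses are all assumptions made for the demo). A count-only rule, like a crude flood guard, flags a busy web proxy together with the zombie; requiring few distinct ports and a high fraction of unanswered attempts keeps the proxy out.

```python
"""Flag hosts that look like scanning zombies in firewall-style logs.

Added example for this thread, not code from the original posts or any
vendor. Log format, thresholds and addresses are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed record format: "<epoch> <src_ip> <dst_ip> <dst_port> <S|SA>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (S|SA)$")


@dataclass
class HostStats:
    """Per-source counters gathered from the log."""
    attempts: int = 0
    unanswered: int = 0          # SYNs with no reply observed
    dsts: set = field(default_factory=set)
    ports: set = field(default_factory=set)


def constructed_log():
    """Constructed sample log (not captured traffic) with three hosts:
    a zombie sweeping a /24 on 445, a web proxy talking to many sites,
    and an ordinary desktop."""
    lines = []
    for i in range(1, 26):      # zombie: 25 targets, nothing answers
        lines.append(f"1095638400 10.1.1.50 10.1.2.{i} 445 S")
    for i in range(1, 31):      # proxy: 30 distinct web servers, all complete
        lines.append(f"1095638401 10.1.1.8 198.51.100.{i} 80 SA")
    for i, port in enumerate((80, 443, 80, 443, 25), start=1):  # desktop
        lines.append(f"1095638402 10.1.1.21 203.0.113.{i} {port} SA")
    lines.append("this line is garbage and must be skipped")
    return lines


def parse_line(line):
    """Return (ts, src, dst, port, flags) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, flags = m.groups()
    return int(ts), src, dst, int(port), flags


def summarize(lines):
    """Aggregate per-source statistics over an iterable of log lines."""
    stats = defaultdict(HostStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, port, flags = rec
        s = stats[src]
        s.attempts += 1
        s.dsts.add(dst)
        s.ports.add(port)
        if flags == "S":
            s.unanswered += 1
    return stats


def naive_scanner_hosts(stats, min_hosts=20):
    """Count-only rule: anything contacting many hosts is 'malicious'.
    This is the baby-with-the-bathwater behaviour: a proxy trips it."""
    return sorted(src for src, s in stats.items() if len(s.dsts) >= min_hosts)


def scanner_hosts(stats, min_hosts=20, max_ports=3, min_unanswered=0.8):
    """Sweep rule: many hosts, few ports, and mostly unanswered attempts."""
    return sorted(
        src for src, s in stats.items()
        if len(s.dsts) >= min_hosts
        and len(s.ports) <= max_ports
        and s.unanswered / s.attempts >= min_unanswered
    )


if __name__ == "__main__":
    stats = summarize(constructed_log())
    print("count-only rule flags:", naive_scanner_hosts(stats))
    print("sweep rule flags:     ", scanner_hosts(stats))
```

The unanswered-SYN ratio is what separates a sweep from a legitimately busy host; a firewall that only counts connections per source will throttle a proxy or a mail relay exactly the way ted's links were throttled.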
Yeah - lord knows that there are no free antivirus programs (AVG), or spyware removal tools (Spybot and AdAware).
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
ClamAV or F-Prot are both good virus scanners for Linux, which are free for home use (or completely open source, in the case of ClamAV). Both will scan your Samba shares and can be automated in a number of ways. Both seem to be maintained and updated quite frequently.