Zombie Networks On The Rise
A reader writes: "According to Symantec via the BBC online, Zombie PC nets are growing very fast. Of course, it should also note that Symantec may want those numbers to be as scary as possible." ITMJ is part of OSTG, like Slashdot. There's also a NY Times story on the article as well.
...numbers to be scary. And, they want the bad news to come from them. Otherwise, people would wake up and start using products like Panda or Kaspersky.
Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
...to get people to realize that the internet is not a nice place? I applaud Microsoft's attempt to make their OS more secure, even if it isn't as comprehensive as it should be. As illegal as it is, I would love to see a zombie virus spread that locks down people's computers, cleans them and installs a firewall. I certainly wouldn't put my head on the block for that one, but I'd love to see it happen. Hopefully it'd cut down on my spam.
As a guy who gets to clean up these pieces of junk daily, the number of trojans around is growing. Earlier it was maybe one a week. Two or three if there was a major outbreak. Now it's 1-2 a day. Good business as clueless lusers pay OK amounts for cleanup as long as they don't have to do the dreaded reinstall that their Compaq/HP/Dell support line offered as a solution.
What's annoying is that some of these buggers can really mess up the system. Simple 'pop in CD / go to free online web scanner and clean up' no longer works in some cases... Symantec should concentrate more on making their crappy AV software work better and resist disabling by virii better and stop issuing more sensationalist press releases.
It's way too common to get a virus-filled computer with Norton Internet Security installed. Some bug had just killed the whole AV software, leaving an empty 'shell' up that keeps telling the user everything is fine. They usually wake up when their ISP cuts their line and tells them to clean up and call back when their system is secured.
It won't protect them from viruses coming from the inside (people with laptops, some guy connecting through their unsecured wireless LAN, etc., etc.).
Seriously, most P2P protocols need to be improved in detecting that there is no one home, or someone is going to figure out how to inject IP addresses into their networks for DDoS attacks.
One line blog. I hear that they're called Twitters now.
For example, spamwarez.biz gets name services from ns1.zombie-dns.biz through ns7.zombie-dns.biz. The zombie-dns.biz nameservers are *also* running on a Zombie network, and set as the DNS servers in the domain registrar's control panel. If you can shut down zombie-dns.biz at the registrar and deactivate it, then the entire zombie network collapses.
Of course, most registrars don't give a damn about this, especially the spam-friendly ones, but I've successfully managed to shut down a small number of zombie networks by using various means... not all of which might be considered ethical or even 100% legal... but who cares?
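The registrar-level dependency the comment above describes, written up as an added example (not code from the original thread): with constructed NS data and the assumption that a registrable domain is just the last two labels (no Public Suffix List lookup), it follows each domain's nameserver delegation to find which domain's deactivation at its registrar would take the others' resolution down with it, which is what an abuse report to a registrar needs to spell out.

```python
"""Map which registrar-level domain each hostname's DNS delegation ultimately depends on."""
from collections import defaultdict, deque


def registrable_domain(host: str) -> str:
    # Assumption: two-label registrable domains only (no Public Suffix List lookup).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Constructed sample NS data (not real records): registrable domain -> nameserver hosts.
SAMPLE_NS = {
    "spamwarez.biz": [f"ns{i}.zombie-dns.biz" for i in range(1, 8)],
    "pillz-4-u.biz": ["ns2.zombie-dns.biz", "ns5.zombie-dns.biz"],
    "zombie-dns.biz": ["ns1.zombie-dns.biz", "ns2.zombie-dns.biz"],  # self-hosted via glue
    "legit-shop.example": ["ns1.bigdns.example"],
    "bigdns.example": ["a.bigdns.example"],
}


def dns_dependency_chain(domain, ns_records):
    """Return the registrable domains `domain` depends on for resolution, itself first.

    Each nameserver host is reduced to its registrable domain and that domain's own NS
    records are followed in turn, until a self-hosted (glue) domain or a domain with no
    known records is reached. Deactivating any domain in the chain except the first
    breaks resolution of `domain`.
    """
    chain, seen, frontier = [], set(), deque([domain])
    while frontier:
        d = frontier.popleft()
        if d in seen:
            continue
        seen.add(d)
        chain.append(d)
        for ns in ns_records.get(d, []):
            parent = registrable_domain(ns)
            if parent not in seen and parent not in frontier:
                frontier.append(parent)
    return chain


def takedown_chokepoints(ns_records):
    """For every registrable domain, list the other domains whose resolution depends on it."""
    impact = defaultdict(set)
    for d in ns_records:
        for dep in dns_dependency_chain(d, ns_records):
            if dep != d:
                impact[dep].add(d)
    return {k: sorted(v) for k, v in impact.items()}
```

Running `takedown_chokepoints(SAMPLE_NS)` shows zombie-dns.biz as the single domain both constructed spam domains hang off, while each domain's own nameservers being inside itself (glue) is what makes that domain's registrar the only place it can be cut.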
Someone is sending spam using my email address as the return, and I'm getting hundreds of bounced emails.
The originating IPs are all different, and I am assuming these are all compromised systems. I'm not going to email every ISP to let them know, as I've found out that most ISPs do not contact their clients to inform them their systems are compromised. All I can do is contact the upstream providers for the web site being spamvertised, and hope that the hosting provider shuts them down.
Pete Carr, Owner, Chatmag.com
Isn't there a law someplace about knowingly compromising someone's computer for use without their explicit consent? Sabotage, or stalking, or just plain theft?
Over the first six months, the number of monitored bot networks rose to more than 30,000, from fewer than 2,000.
This is like saying that there's an increase in monitoring car dealerships which steal cars to resell to car rental agencies. Can we repo the cars which are within US borders? Are _ALL_ of the botnet owners somehow in other countries?
With a significant portion of internet traffic running through Virginia shouldn't it be a pretty basic task to monitor and shut these down? I acknowledge that it would take time, and manpower, and some forensic skill but clearly it can't be impossible.
+++ATHZ 99:5:80
It can stop the ones that exploit Windows security holes, which are the fast-spreading ones.
NAT can protect, because if it doesn't know where to send the buffer-overflow to, it just drops the packet.
Why do we HAVE to look at numbers? Just kill all the PCs which have been turned "undead" and move on to the sequel already. Quoting numbers and writing down names is all fine and dandy but it's not preventing it.
Force people to install security updates or sell the PCs with them all pre-installed and make Windows Update automatically run once a month.
Install some open source virus scanners and such the same way. Make sure it is CLEARLY labeled that the PC will automatically update all these files the first of each month by an update program. As and when possible (AKA as soon as possible).
Tell the people it will prevent viruses, make things faster and generally help things. Is it really that difficult?
I like muppets.
I don't know about that. I find it ironic that even on P2P networks people are so infected that their files aren't even usable. The irony is that you can download functioning copies from the same networks that they are participating in or at least can get a free version of some decent virus protection, yet they don't. So I think even if not one more single computer virus was made starting tomorrow it would take forever for them to disappear.
Not trying to flame here but some of the worst havens I have seen are samba shares because people don't put antivirus on *nix servers. It is like pulling teeth trying to tell those admins that it DOES affect them. If their users are running windows, get a virus that does keylogging, and they log in again...guess what...it did affect the *nix server.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
Minimum standards for connecting to the network would be preferable. Obsolete versions of Windows (those not gaining security fixes) should be barred.
Perhaps less experienced users would benefit from firewalling at the ISP's network too. I believe all the ISPs that appeal to inexperienced users (AOL) should provide this as standard.
I have seen are samba shares because people don't put antivirus on *nix servers.
Any suggestions for a home user with Samba on Linux and a very small budget?
As a simple but not as safe method, I use the W32 client antivirus software to scan the network shares. Better than nothing.
On that note, the free version AntiVir for W32 does NOT scan anything on network drives at all. A good free solution for home users without network shares though.
I have talked to several people with XP boxes who have gotten infected while my 98SE box is just fine. Now, I protect that box with anti-virus, a hardware firewall, and using Mozilla and maybe that has something to do with it, or maybe I'm just lucky, but you have to admit that 98 is immune to many of the latest viruses.
I wouldn't believe everything Steve Gibson says.
These sort of zombie nets are as much a threat to Symantec as they are anyone else. Symantec exists to help (and admittedly to make money doing so) other corporations perform business securely. I think it ignorant and paranoid to state that any security firm wants to see more trouble on the internet.
I remember Trinoo back in late 1998, also CDC's BackOrifice. It was very clear back then that zombies were going to be a problem. The unfortunate truth is that security companies, ISPs, and the like only focus on issues once they reach critical mass, so they can justify expenditure. By the time meetings have been had, strategy has been discussed, marketing has been massaged, etc, the problem has grown into an epidemic.
The ISPs need to pick up the ball here, put up some IDS capable proxies in and start shutting down the shit they're spewing into the internet. Otherwise the problem is never going to go away if you expect grandma to buy something to solve a problem she doesn't understand.
I'm right there with you, for several reasons:
1. None of the three entities which could seriously address this problem are doing so or have any plans to do so. (a) Their former owners either don't know or don't care (yes, there are happy exceptions, but they're rare). (b) The consumer broadband ISPs connecting them by the millions don't want to admit that the problem exists because then they'd have to accept some responsibility for doing something about it. (c) Microsoft is in the same position -- and here we are, what, 2+ years into their "focus on security"?
2. There are tens of millions of zombies. We could argue endlessly about how many, but experienced and credible observers have pegged it at above 20 million and maybe as high as 100 million. Frankly, the exact number hardly matters: only a fraction of those are required to DDoS just about any network resource on the planet. (Think about that for a moment, and then try to work out a defense against an attack coming from, say, 3.5 million autonomous systems located on networks all over the planet.)
3. Every time one of those end-user systems is upgraded or moved to a faster network connection... the Bad Guys get a performance increase.
4. Compare size of the zombie networks to size of some of the larger distributed computing projects.
5. Unused zombies are unlikely to be detected.
6. Some zombies move around: they're laptops. This enables creation of additional inside firewalled networks thanks to people who carry them in.
7. A lot of zombies move around: they're assigned IP addresses with DHCP and the like. The combination of 5, 6 and 7 means that just FINDING all the zombies is pretty hard.
8. Spammers are of course all over this. Spammer web boards offer zombies for sale by the thousand, others offer DDoS attack services at so many $$/hour.
9. Spammers are moving past spam via SMTP and getting into all kinds of other mischief -- after all, with that much horsepower at their disposal (at zero cost) they can afford to. Which is why mere anti-SMTP-spam measures are fast becoming obsolete.
10. There are no signs that any of this will get better; every indicator we have says it will get worse. Arguably, the only way to REALLY make it better is to install an OS and application suite on those boxes that is at least minimally resistant to being zombied. But of course, as we all know, there is incredible resistance to that idea: people will cling to their Microsoft OS even when it's demonstrated to them that not only are they hosing themselves, but everyone they share a network with.