Slashdot Mirror
Zombie Networks On The Rise
A reader writes "
According to Symantec via the BBC online, Zombie PC nets are growing very fast. Of course, it should also note that Symantec may want those numbers to be as scary as possible. " ITMJ is part of OSTG, like Slashdot. There's also a NY Times story on the article as well.
...numbers to be scary. And, they want the bad news to come from them. Otherwise, people would wake up and start using products like Panda or Kaspersky.
Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
...to get people to realize that the internet is not a nice place? I applaud Microsoft's attempt to make their OS more secure, even if it isn't as comprehensive as it should be. As illegal as it is, I would love to see a zombie virus spread that locks down peoples computers, cleans them and installs a firewall. I certainly wouldn't put my head on the block for that one, but I'd love to see it happen. Hopefully it'd cut down on my spam.
You too can learn to link to the NYT without registering.
c ure.html?ex=1253419200&en=651229ed583b13bc&ei=5090 &partner=rssuserland
Here the reg free link...
http://www.nytimes.com/2004/09/20/technology/20se
Symantec's industry survives because of news article that promote security threats.
-------
artlu.net
As a guy who gets to clean up these pieces of junk daily, the number of trojans around is growing. Earlier it was maybe one a week. Two or three if there was a major outbreak. Now its 1-2 a day. Good business as clueless lusers pay OK amounts for cleanup as long as they dont have to do the dreaded reinstall that their compaq/hp/dell support line offered as a solution.
Whats annoying is that some of these buggers can really mess up the system. Simple 'pop in cd / go to free online web scanner and clean up' no longer works in some cases... Symantec should concentrate more on making their crappy AV software work better and resist disabling by virii better and stop issuing more sensationalist press releases.
Its way too common to get a virus-filled computer with norton internet security installed. Some bug had just killed the whole AV software, leaving an empty 'shell' up that keeps telling the user everything is fine. They usually wake up when their ISP cuts their line and tells them to clean up and call back when their system is secured.
How exactly would NAT protect them? A amjor control vector for these bot-nets is IRC, which can be used through NAT. The infection vector is e-mail, which is also useable through NAT.
If NAT became widespread, then the zombies will adapt. It is only a false sense of security.
I mean, for example - on IRC people used to make spambots and run them off of their shells or even their own PCs. Now its zombified machines that do the spamming. There was (is?) a huge problem on Undernet not so long, for instance where miriads of hosts were used to promote a certain website under false pretenses, fooling people into accepting a DCC send request or even downloading a file of the said website and infecting their machine to have more spam bots.
Seriously, most P2P protocols need to be improved in detecting that there is no one home, or someone is going to figure out how to inject IP addresses into their networks for DDoS attacks.
One line blog. I hear that they're called Twitters now.
For example, spamwarez.biz gets name services from ns1.zombie-dns.biz thru ns7.zombie-dns.biz. zombie-dns.biz nameservers are *also* running on a Zombie network, and setting DNS servers in the domain registrar's control panel. If you can shut down zombie-dns.biz at the registrar and deactivate, then the entire zombie network collapses.
Of course, most registrars don't give a damn about this, especially the Spam friendly ones, but I've successfully managed to shut down a small number of zombie networks by using various means.. not all of which might be considered ethical or even 100% legal.. but who cares?
A lot of good that will do when the trojan goes through your NAT/Firewall through that big hole we call "email."
Only a comprehensive approach will make a big enough difference. That includes patching, being skeptical of email attachments, firewalling, and virus scanning.
PC hygiene goes a long way too. People are slowly learning that you just can't install the "newest c00lest blah-blah of the day" anymore as it will be 99% spyware and 1% app. It will be poorly written and cause all sorts of problems.
These are just growing pains and even though the stats dont look good right now at least I can talk about spyware and viruses and have people understand what I'm saying.
Someone is sending spam using my email address as the return, and I'm getting hundreds of bounced emails.
The originating IP's are all different, and I am assuming these are all compromised systems. I'm not going to email every ISP to let them know, as I've found out that most ISP's do not contact their clients to inform them their systems are compromised. All I can do is contact the upstream providers for the web site being spamvertised, and hope that the hosting provider shuts them down.
Pete Carr Owner Chatmag.com
...when my PC started its habit of flashing the word "BRAAAIIINS" every few minutes.
Why bad-mouth Symantec for pointing out the reality of the situation? Would you be happier if it were CERT or someone else delivering the bad news?
Symantec and its tools are part of the solution. Not exclusively the solution, or the only solution, but a part of it. And, by letting people know that problems are out there, they're performing a service that is necessary; you didn't think someone like Microsoft was going to be issuing press releases to the media that put its products in a negative light, did you?
It's not even as if the other AV vendors that you mention are any different to Symantec: both Panda and Kaspersky are closed-source commercial products and both companies have prevalent virus activity and warning indicators on the homepages of their respective websites. And I bet they both send out press releases to the media highlighting large-scale infestations and particularly dangerous threats, so why crucify Symantec for being the company whose press release the BBC chose to focus on?
Bottom line: why blame the messenger if the message is accurate?
Just what's Symantec done here to warrant you being any more ticked off at them than anyone else? Do you have a legitimate reason for targetting them or are you just trolling?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
"The key challenge for Microsoft is not XP users," said Mr Beighton, "it's the Windows 98 and 95 machines."
Any bets that we'll still this line 5 or 10 years down the road? The "ain't broke, don't fix" mentality is above and beyond some individuals' concept of needing to update.
"Update? Why do'z I need to do'z dat? My solitare runz just fine ma!"
Some aim to please, I aim to tease.
To quote the fine article:
Don't think so. There are *far* fewer exploitable services running on Windows 95 and Windows 98, as compared to Windows 2000 and XP. I'd *much* rather use Windows 98 online than Windows 2000 or XP, in security terms. Most of the recent worms use exploits in services that never existed prior to Windows 2000 ...
"If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
That makes no sense. If you would normally receive a packet (e.g. because you provide web service, or have an IM port open or whatever) then the NAT router will rewrite the packets so that you still receive the trojan.
OTOH if you wouldn't normally receive something (e.g. it's an HTTP attack and you don't run a web server) then the NAT makes no difference, you still won't receive it. Big deal.
NATs are not magical protective charms. They're just a desperate hack to get around running out of IP addresses. If you want a firewall, install a firewall, not a NAT.
I don't know about that. I find it ironic that even on P2P networks people are so infected that their files aren't even usable. The irony is that you can download functioning copies from the same networks that they are participating in or at least can get a free version of some decent virus protection, yet they don't. So I think even if not one more single computer virus was made starting tomorrow it would take forever for them to disappear.
Not trying to flame here but some of the worst havens I have seen are samba shares because people don't put antivirus on *nix servers. It is like pulling teeth trying to tell those admins that it DOES affect them. If their users are running windows, get a virus that does keylogging, and they log in again...guess what...it did affect the *nix server.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
I've been troubleshooting slow network connections at two of our remote offices, and I found something very interesting. Both of the offices are connected to us via a Cisco VPN. Each of the offices is connected to the internet via a PIX firewall and cable modem. During the past year I've seen the performance of these links deteriorate to worse than ISDN speed performance - here's why:
It seems these cable modem networks are flooded with zombie machines constantly scanning networks for vulnerable hosts to infect. Cisco's floodguard freaks out and thinks that its internet connection is being ddos attacked and starts discarding packets it thinks are malicious.
Well, it seems that Cisco's algorithm for determining malicious packets isn't perfect, so it throws out the baby with the bath water....resulting in a REALLY slow connection.
After disabling floodguard the links were back up to 3 Mbps and 10 Mbps.
So if your networks are zombie free, and you can't figure out why your internet connection sucks and you are running floodguard, try disabling it and running some tests.
-ted
This zombie problem is worse than we thought! Check out the Zombie Infection Simulation!
- Bruzer
"Tempt not a desperate man" - Willy S.
ClamAV or F-Prot are both good virus scanners for Linux, which are free for home use (Or completely open in the case of ClamAV). Both will scan your samba shares, and can be automated in a number of ways. Both seem to be maintained and updated quite frequently.