Slashdot Mirror


Over a Million Zombie PCs

Doyle writes "A BBC article discusses new research revealing that over 1 million computers have been compromised and are being used in bot nets. From the article: 'The largest network spied on by the team was made up of 50,000 hijacked home computers.'"

18 of 564 comments

  1. Re:Why arent governments proacting agaisnt these n by maotx · Score: 4, Informative

    and at least notify the owners of these machines?

    Something like that already exists.
    Feel free to contact any of the infected and cross them out.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  2. Re:Why arent governments proacting agaisnt these n by flumps · Score: 5, Informative

    From honeypot FAQ:

    8. Do you prosecute the people that compromise systems within the Honeynet? No. The prime directive of the Honeynet Project is research and to share those lessons learned. It is not our goal to catch and prosecute blackhats. We do forward information about compromised systems to CERT so CERT can notify admins of compromised systems. We limit our contact with authorities only when the Project feels there is a critical need. If we were to become involved in a major legal case every time a system was compromised, we would not have time for research, let alone our real jobs.

    read more about honeypot here. It seems they probably could, but are not going to.

    --
    "So there he is, risen from the dead. Like that fella, E. T." - Father Ted Crilly
  3. Re:Not surprising by dmf415 · Score: 5, Informative

    Do you find that blocking machines with lots of simultaneous connections causes problems with bittorrent clients? (Or is that an intended side effect? :) )

    No, I think most legitimate traffic is under 5000 simultaneous connections =). When we see a machine with 10,000, 20,000, 30,000 (which has been detected), we know there's a problem =)

  4. Rent zombies online! by Animats · Score: 5, Informative

    They're down today, but SpamForum.biz carries ads for zombies, open proxies, botnets, etc. Numbers available range from 1000 to 50,000.

    When they're up, they're very entertaining.

    An older spammer forum, SpecialHam.com is back up. With banner ads, even. "DarkMailer - not for newbies". "Blackbox Hosting - bulletproof hosting options" "SendSafe - bulk mail has never been this easy". "Bulkhost.com - the leader in bulk-friendly e-mail hosting".

    Sites like these are where the hackers and spammers meet, find deals, and scream about being ripped off by each other. The actual deals tend to take place on ICQ.

  5. Re:Not surprising by dmf415 · Score: 2, Informative

    Forgive me for asking, but I thought Snort was just an intrusion detection system. As I understand it, all it does is detect and log intrusions, not actually stop them like a firewall does. Can I replace my server's firewall with a copy of Snort?

    One of our student programmers wrote some code that lists the IPs snort detects based on its level of severity. He also wrote another page that uses commands on our packetshaper to determine which IPs are creating the most connections, and automatically blocks them at a 5 minute interval.

  6. Re:What can I use to detect a hijacked computer? by Foolomon · Score: 4, Informative

    "netstat -a -o" will display all active connections and the processes that own them.

    Task Manager will show you the currently running processes. This is of limited usefulness since it doesn't show the path of the executable nor the arguments used to launch it. So SVCHOST.EXE will show up multiple times because it is used by 2000/XP to run several different services.

    "Control Panel > Administration Tools > Computer Management" will run an applet that, among other things, will allow you to see the number of open shares and connections to your computer. There are some other useful things in there.

  7. Re:Not their responsibility by magarity · Score: 2, Informative

    but I don't pay my ISP to protect me and my privacy. I pay my ISP to provide a pipe, and nothing more

    And your ISP pays *its* ISP by the MB. It is therefore in their interest to halt traffic generated by spam-bots and ddos-bots.

  8. Re:What I Want To Know Is... by Anonymous Coward · Score: 1, Informative

    Boot your machine, open your MS-DOS prompt, and type: netstat -n. If you get a long long long list of connections without having any program that uses the internet (web browser, chat client etc.), then you are a zombie!! ;)

  9. Re:Anyone know... by Foolhardy · Score: 4, Informative

    Am I alone in wondering whether this truth extends to running Windows Limited Accounts, instead of Administrator logins?

    I'm sure it does extend to that. Users aren't used to dealing with computer security, on any operating system. It wasn't so important to a home user before the Internet, and it was impossible on 9x. Now they're using a different OS and are connected to a malicious network, but don't want to learn to adapt.

    As for resources, ask Google.
    noadmin.editme.com has a wiki about it, and also see Aaron Margosis' WebLog, aka The Non-Admin blog, made by a Microsoft employee.
    Windows NT Security in Theory and Practice, a long-running set of MSDN articles about NT security, is also interesting, especially to developers.
    Also useful are FileMon and RegMon from SysInternals, to see what files/reg keys an app is hung up on trying to get unreasonable access to. (Remember that security is checked only on open/create, so set the filter to show opens only)

    Still, there is too little information about running stuff as non-admin. Part of the problem is that making a program run as non-admin when it wasn't designed for that, usually isn't easy.
  10. Re:Anyone know... by X0563511 · Score: 2, Informative

    It's just harder to tell you are rooted because they aren't doing stupid shit with your box. Usually. (I have been rooted a couple times)

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  11. Re:Appliance by j1m+5n0w · Score: 3, Informative

    Simpler than that, put the firewall at the ISP end of the connection so they can't get around it. (But I think users should still have the option of enabling incoming ports if they so choose.)

  12. Re:Why not ISPs by karnal · Score: 2, Informative

    There are programs out there (freeware) that can list every process running on the box etc. Some will even show you what filename launched the process etc... much better than task mangler.

    Also, if you're privy, before you clean the box up you should download ethereal and see what kind of traffic it is passing. Of course, you need to have a little bit of networking understanding, but it's not hard to look at and see all of the sources/destinations that packets are traversing.

    In addition, I've found that MS Anti-spyware beta (google microsoft antispyware) works like a champ when it comes to getting rid of those last few things that Spybot and Adaware will not clean up....

    --
    Karnal
  13. My local one does sometimes by dlZ · Score: 3, Informative

    I've had machines show up in my shop along with notes from Road Runner stating that they can't regain their service until they show proof the machine was repaired properly. These machines have always been so bad off, they were unusable, yet they were kept online constantly, to display popups and act as zombies.

    In one case it was actually not the customer's machines, but his neighbor who was taking a free ride on their wide open wireless network. Turning on WEP immediately fixed the problem. The customer couldn't figure it out, because they were a household of Macs, and were sure they couldn't get hijacked like that. They never even thought of the wide open network.

    --
    rm -rf ./evidence @ punkcomp
  14. Re:Why not ISPs by Anonymous Coward · Score: 1, Informative

    go to MS and download quickslice

  15. Re:What can I use to detect a hijacked computer? by Suidae · Score: 2, Informative

    That is a connection between your system and the box on the rogers network, but I can't tell you which side opened the connection.

    The last number is the process ID on your computer that holds the socket. Go to the task manager (right click on task bar or ctrl+alt+del) and select the Processes tab. If the PID column is not visible, select View|Columns and turn on the PID column.

    If you don't recognize what you find in the 'Image Name' column, you can usually do a google search and find it.
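
    Comments 6, 8 and 15 describe the manual version of this check (run netstat, read the PID column, look the PID up in Task Manager), and comment 3 gives the rough connection-count threshold an ISP uses. The script below is an added example, not code from any poster: it parses pasted `netstat -a -n -o` output, counts non-listening TCP sockets per PID, and reports the owning image name for PIDs over a threshold. The netstat text and the PID-to-image-name map are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of `netstat -a -n -o` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1045      203.0.113.5:6667       ESTABLISHED     2144
  TCP    192.168.1.10:1046      198.51.100.7:25        SYN_SENT        2144
  TCP    192.168.1.10:1047      198.51.100.8:25        SYN_SENT        2144
  TCP    192.168.1.10:1048      198.51.100.9:25        SYN_SENT        2144
  TCP    192.168.1.10:1102      192.0.2.20:80          ESTABLISHED     3300
  UDP    0.0.0.0:123            *:*                                    900
"""

# Constructed PID-to-image-name map, as read off Task Manager's Processes tab
# (or `tasklist`); the image names are made up for the example.
SAMPLE_PROCESSES = {900: "svchost.exe", 2144: "unknown_updater.exe", 3300: "iexplore.exe"}

# One netstat row: proto, local, remote, optional state (UDP rows have none), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def outbound_by_pid(rows):
    """Count TCP sockets per PID that are not merely listening (ESTABLISHED, SYN_SENT, ...)."""
    counts = Counter()
    for proto, _local, _remote, state, pid in rows:
        if proto == "TCP" and state not in ("", "LISTENING"):
            counts[pid] += 1
    return counts


def suspicious_pids(rows, processes, max_conns=5000):
    """Map PID -> (image name, socket count) for PIDs above max_conns."""
    # 5000 is the rough 'legitimate traffic' ceiling quoted in comment 3; an idle
    # desktop sits far below it, so a much lower value is sensible for a home PC.
    return {pid: (processes.get(pid, "<unknown>"), n)
            for pid, n in outbound_by_pid(rows).items() if n > max_conns}
```

    On a real machine, redirect `netstat -a -n -o > ns.txt`, feed the file contents to `parse_netstat`, and pick a threshold that fits the host; a PID with many SYN_SENT sockets to port 25, as in the sample, is the classic spam-bot pattern.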

  16. Re:Must Be M$ Boxes Right ?? by Stormwatch · Score: 3, Informative

    A huge difference: every major OS X update - believe it or not - IMPROVES performance on the same hardware, despite all the new features.

  17. Re:Why not ISPs by Anonymous Coward · Score: 1, Informative

    Try working with Hijackthis to identify "hidden" processes on Windows.

  18. Recommend: Process Explorer by x2A · Score: 4, Informative

    Google for "Process Explorer" - free download, shows all processes and CPU usage (there is also an option to show % fractions of CPU usage or context switches for being really precise). Shows processes in a tree also, so you can see what's started what. Also gives ability to pause (a la -SIGSTOP/CONT) processes, very handy lil download. Well done the creators.

    -2A

    --
    The revolution will not be televised... but it will have a page on Wikipedia