Over a Million Zombie PCs

Doyle writes "A BBC article discusses new research revealing that over 1 million computers have been compromised and are being used in bot nets. From the article: 'The largest network spied on by the team was made up of 50,000 hijacked home computers.'"

Re:Why arent governments proacting agaisnt these n

[maotx]

and at least notifiy the owners of these machines?

Something like that already exists.
Feel free to contact any of the infected and cross them out.

Re:Why arent governments proacting agaisnt these n

[flumps]

From honeypot FAQ:

8. Do you prosecute the people that compromise systems within the Honeynet? No. The prime directive of the Honeynet Project is research and to share those lessons learn. It is not our goal to catch and prosecure blackhats. We do forward information about compromised systems to CERT so CERT can notify admins of compromised systems. We limit our contact with authorities only when the Project feels there is a critical need. If we were to become involved in a major legal case everytime a system was compromised, we would not have time for research, let alone our real jobs.

read more about honeypot here. It seems they probably could, but are not going to.

Re:Not surprising

[dmf415]

Do you find that blocking machines with lots of simultaneous connections causes problems with bittorrent clients? (Or is that an intended side effect? :) )

No, I think most legitimate traffic is under 5000 simultaneous connections =). When we see a machine with 10,000 , 20,000 , 30,000 (which has been detected). We know there's a problem =)

Rent zombies online!

[Animats]

They're down today, but SpamForum.biz carries ads for zombies, open proxies, botnets, etc. Numbers available range from 1000 to 50,000.

When they're up, they're very entertaining.

An older spammer forum, SpecialHam.com is back up. With banner ads, even. "DarkMailer - not for newbies". "Blackbox Hosting - bulletproof hosting options" "SendSafe - bulk mail has never been this easy". "Bulkhost.com - the leader in bulk-friendly e-mail hosting".

Sites like these are where the hackers and spammers meet, find deals, and scream about being ripped off by each other. The actual deals tend to take place on ICQ.

Re:What can I use to detect a hijacked computer?

[Foolomon]

"netstat -a -o" will display all active connections and the processes that own them.

Task Manager will show you the currently running processes. This is of limited usefulness since it doesn't show the path of the executable nor the arguments used to launch it. So SVCHOST.EXE will show up multiple times because it is used to by 2000/XP to run several different services.

"Control Panel > Administration Tools > Computer Management" will run an applet that, among other things, will allow you to see the number of open shares and connections to your computer. There are some other useful things in there.

Re:Anyone know...

[Foolhardy]

Am I alone in wondering whether this truth extends to running Windows Limited Accounts, instead of Administrator logins?

I'm sure it does extend to that. Users aren't used to dealing with computer security, on any operating system. It wasn't so important to a home user before the Internet, and it was impossible on 9x. Now they're using a different OS and are connected to a malicious network, but don't want to learn to adapt.

As for resources, ask Google.
noadmin.editme.com has a wiki about it, and also see Aaron Margosis' WebLog, aka the The Non-Admin blog, made by a Microsoft employee.
Windows NT Security in Theory and Practice, a long-running set of MSDN articles about NT security is also interesting, espescially to developers.
Also useful are FileMon and RegMon from SysInternals, to see what files/reg keys an app is hung up on trying to get unreasonable access to. (Remember that security is checked only on open/create, so set the filter to show opens only)

Still, there is too little information about running stuff as non-admin. Part of the problem is that making a program run as non-admin when it wasn't designed for that, usually isn't easy.

Re:Appliance

[j1m+5n0w]

Simpler than that, put the firewall at the ISP end of the connection so they can't get around it. (But I think users should still have the option of enabling incoming ports if they so choose.)

My local one does sometimes

[dlZ]

I've had machines show up in my shop along with notes from Road Runner stating that they can't regain their service until they show proof the machine was repaired properly. These machines have always been so bad off, they were unusable, yet they were kept online constantly, to display popups and act as zombies.

One case it was actaully not the customers machines, but his neighbor who was taking a free ride on their wide open wireless network. Turning on WEP immediatly fixed the problem. The customer couldn't figure it out, because they were a household of Macs, and were sure they couldn't get hijacked like that. They never even thought of the wide open network.

Re:Must Be M$ Boxes Right ??

[Stormwatch]

A huge difference: every major OS X update - believe it or not - IMPROVES performance on the same hardware, despite all the new features.

Recommend: Process Explorer

[x2A]

Google for "Process Explorer" - free download, shows all processes and CPU usage (there is also an option to show % fractions of CPU usage or context switches for being really precise). Shows processes in a tree also, so you can see what's started what. Also gives ability to pause (a la -SIGSTOP/CONT) processes, very handy lil download. Well done the creators.

-2A