Slashdot Mirror


Over a Million Zombie PCs

Doyle writes "A BBC article discusses new research revealing that over 1 million computers have been compromised and are being used in bot nets. From the article: 'The largest network spied on by the team was made up of 50,000 hijacked home computers.'"

7 of 564 comments

  1. Re:Why aren't governments proacting against these n by maotx · · Score: 4, Informative

    and at least notify the owners of these machines?

    Something like that already exists.
    Feel free to contact any of the infected and cross them out.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  2. Re:Why aren't governments proacting against these n by flumps · · Score: 5, Informative

    From honeypot FAQ:

    8. Do you prosecute the people that compromise systems within the Honeynet? No. The prime directive of the Honeynet Project is research and to share those lessons learned. It is not our goal to catch and prosecute blackhats. We do forward information about compromised systems to CERT so CERT can notify admins of compromised systems. We limit our contact with authorities only when the Project feels there is a critical need. If we were to become involved in a major legal case every time a system was compromised, we would not have time for research, let alone our real jobs.

    Read more about honeypot here. It seems they probably could, but are not going to.

    --
    "So there he is, risen from the dead. Like that fella, E. T." - Father Ted Crilly
  3. Re:Not surprising by dmf415 · · Score: 5, Informative

    Do you find that blocking machines with lots of simultaneous connections causes problems with bittorrent clients? (Or is that an intended side effect? :) )

    No, I think most legitimate traffic is under 5000 simultaneous connections =). When we see a machine with 10,000, 20,000, 30,000 (which has been detected), we know there's a problem =)

  4. Rent zombies online! by Animats · · Score: 5, Informative
    They're down today, but SpamForum.biz carries ads for zombies, open proxies, botnets, etc. Numbers available range from 1000 to 50,000.

    When they're up, they're very entertaining.

    An older spammer forum, SpecialHam.com, is back up. With banner ads, even. "DarkMailer - not for newbies". "Blackbox Hosting - bulletproof hosting options". "SendSafe - bulk mail has never been this easy". "Bulkhost.com - the leader in bulk-friendly e-mail hosting".

    Sites like these are where the hackers and spammers meet, find deals, and scream about being ripped off by each other. The actual deals tend to take place on ICQ.

  5. Re:What can I use to detect a hijacked computer? by Foolomon · · Score: 4, Informative

    "netstat -a -o" will display all active connections and the processes that own them.

    Task Manager will show you the currently running processes. This is of limited usefulness since it doesn't show the path of the executable nor the arguments used to launch it. So SVCHOST.EXE will show up multiple times because it is used by 2000/XP to run several different services.

    "Control Panel > Administration Tools > Computer Management" will run an applet that, among other things, will allow you to see the number of open shares and connections to your computer. There are some other useful things in there.

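The two checks from comments 3 and 5 combined, as an added example that is not part of any poster's comment: it parses `netstat -a -o` output and flags processes holding more simultaneous connections than a threshold. The sample output is constructed (with `-n` added so addresses are numeric), and the threshold of 2 is sized to that sample rather than the 5000 quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -a -n -o` output; addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.1.10:1045      203.0.113.5:25         ESTABLISHED     1880
  TCP    192.168.1.10:1046      203.0.113.9:25         ESTABLISHED     1880
  TCP    192.168.1.10:1047      198.51.100.7:25        ESTABLISHED     1880
  TCP    192.168.1.10:1050      198.51.100.20:80       ESTABLISHED     2204
  TCP    192.168.1.10:1051      198.51.100.20:80       TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# UDP rows have no State column, so the state group is optional.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each connection row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            yield proto, local, remote, state or "", int(pid)

def summarize(text):
    """Per PID: ESTABLISHED count, distinct remote hosts, count per remote port."""
    stats = defaultdict(lambda: {"established": 0, "hosts": set(), "ports": defaultdict(int)})
    for _proto, _local, remote, state, pid in parse_netstat(text):
        if state == "ESTABLISHED":
            host, _, port = remote.rpartition(":")  # rpartition copes with IPv6 "[::1]:80"
            stats[pid]["established"] += 1
            stats[pid]["hosts"].add(host)
            stats[pid]["ports"][port] += 1
    return stats

def flag(text, max_conns):
    """Return (pid, connections, distinct_hosts) for PIDs over max_conns, busiest first."""
    hits = [(pid, s["established"], len(s["hosts"]))
            for pid, s in summarize(text).items() if s["established"] > max_conns]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for pid, conns, hosts in flag(SAMPLE, max_conns=2):
        print(f"PID {pid}: {conns} established connections to {hosts} hosts")
```

A flagged PID still has to be mapped to its executable path before drawing conclusions, which is the gap in Task Manager that comment 5 points out.
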
  6. Re:Anyone know... by Foolhardy · · Score: 4, Informative
    Am I alone in wondering whether this truth extends to running Windows Limited Accounts, instead of Administrator logins?
    I'm sure it does extend to that. Users aren't used to dealing with computer security, on any operating system. It wasn't so important to a home user before the Internet, and it was impossible on 9x. Now they're using a different OS and are connected to a malicious network, but don't want to learn to adapt.

    As for resources, ask Google.
    noadmin.editme.com has a wiki about it, and also see Aaron Margosis' WebLog, aka The Non-Admin blog, made by a Microsoft employee.
    Windows NT Security in Theory and Practice, a long-running set of MSDN articles about NT security, is also interesting, especially to developers.
    Also useful are FileMon and RegMon from SysInternals, to see what files/reg keys an app is hung up on trying to get unreasonable access to. (Remember that security is checked only on open/create, so set the filter to show opens only)

    Still, there is too little information about running stuff as non-admin. Part of the problem is that making a program run as non-admin when it wasn't designed for that, usually isn't easy.
  7. Recommend: Process Explorer by x2A · · Score: 4, Informative

    Google for "Process Explorer" - free download, shows all processes and CPU usage (there is also an option to show % fractions of CPU usage or context switches for being really precise). Shows processes in a tree also, so you can see what's started what. Also gives ability to pause (a la -SIGSTOP/CONT) processes, very handy lil download. Well done the creators.

    -2A

    --
    The revolution will not be televised... but it will have a page on Wikipedia