Slashdot Mirror


Over a Million Zombie PCs

Doyle writes "A BBC article discusses new research revealing that over 1 million computers have been compromised and are being used in bot nets. From the article: 'The largest network spied on by the team was made up of 50,000 hijacked home computers.'"

42 of 564 comments

  1. Why aren't governments proacting against these nets by panxerox · · Score: 5, Interesting

    If 1,000,000 computers can be identified as being zombie machines then 1,000,000 computer owners can be contacted. This is THE major problem afflicting the internet; why don't governments form a unit to identify and at least notify the owners of these machines? Will it take a major internet terrorist attack like bringing down a power grid to make governments act? As net users we should advocate government involvement in a measured, controlled way rather than the reaction that will come after an attack (Patriot Act?)

    --
    "It's so convenient to have a system where everyone is a criminal" - A. Hitler
  2. Hope by Rosonowski · · Score: 2, Interesting

    Is it really only one million? When I think of how the average user ends up getting a machine infected, I think of a whole lot more than 1 million. 10 million, perhaps.

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  3. Not surprising by dmf415 · · Score: 5, Interesting

    At my university, we have to run snort at the head end of the network in order to control the havoc these compromised machines create. We also monitor the number of simultaneous connections each machine creates and block the ones at the very top.

    1. Re:Not surprising by gordyf · · Score: 3, Interesting

      Do you find that blocking machines with lots of simultaneous connections causes problems with bittorrent clients? (Or is that an intended side effect? :) )
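The head-end approach described above (count each machine's simultaneous connections and block the top of the list) and the BitTorrent question it raises can be worked through on a connection-tracking table. The following is an added example, not the university's actual tooling: it parses constructed lines in the shape of a Linux ip_conntrack table (assumption: only the state, src, dst and dport fields are used), ranks internal hosts by open flows, and applies a heuristic (also an assumption, to be tuned per network) that tells a worm's sweep, many half-open SYN_SENT entries to one or two fixed service ports, from a BitTorrent client's ESTABLISHED flows to many peers on scattered ports.

```python
"""Rank hosts behind a campus head end by simultaneous connections, using a
conntrack-style table, and tell probable scanners from heavy P2P users."""
import re
from collections import defaultdict

# Constructed sample in the shape of /proc/net/ip_conntrack lines (assumption:
# only the state, src, dst and dport fields matched below are used).
SAMPLE_TABLE = """\
tcp 6 119 SYN_SENT src=10.0.0.7 dst=203.0.113.10 sport=1025 dport=445 [UNREPLIED]
tcp 6 119 SYN_SENT src=10.0.0.7 dst=203.0.113.11 sport=1026 dport=445 [UNREPLIED]
tcp 6 119 SYN_SENT src=10.0.0.7 dst=203.0.113.12 sport=1027 dport=445 [UNREPLIED]
tcp 6 119 SYN_SENT src=10.0.0.7 dst=203.0.113.13 sport=1028 dport=135 [UNREPLIED]
tcp 6 431999 ESTABLISHED src=10.0.0.7 dst=198.51.100.9 sport=1029 dport=6667 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.0.0.21 dst=198.51.100.40 sport=6881 dport=51413 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.0.0.21 dst=198.51.100.41 sport=6881 dport=6889 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.0.0.21 dst=198.51.100.42 sport=6881 dport=24000 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.0.0.21 dst=198.51.100.43 sport=6881 dport=6881 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.0.0.21 dst=198.51.100.44 sport=6881 dport=40000 [ASSURED]
tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.2 sport=2000 dport=80 [ASSURED]
"""

ENTRY_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<state>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=\d+\s+dport=(?P<dport>\d+)"
)


def parse_table(text):
    """Yield (state, src, dst, dport) for each TCP entry; skip unparsable lines."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m["state"], m["src"], m["dst"], int(m["dport"])


def summarize(entries, internal_prefix="10.0.0."):
    """Per internal source: total flows, half-open flows, distinct peers, distinct ports."""
    stats = defaultdict(lambda: {"total": 0, "syn_sent": 0, "dsts": set(), "dports": set()})
    for state, src, dst, dport in entries:
        if not src.startswith(internal_prefix):
            continue  # only rank hosts on our side of the head end
        s = stats[src]
        s["total"] += 1
        s["syn_sent"] += state == "SYN_SENT"
        s["dsts"].add(dst)
        s["dports"].add(dport)
    return dict(stats)


def classify(stats, conn_threshold=4):
    """Label each host. Heuristic (assumption, tune for your network): a worm
    sweeps many peers on one or two fixed service ports and leaves half-open
    SYN_SENT entries; a BitTorrent client keeps ESTABLISHED flows to many
    peers on scattered ephemeral ports."""
    labels = {}
    for src, s in stats.items():
        if s["total"] < conn_threshold:
            labels[src] = "ok"
        elif s["syn_sent"] * 2 >= s["total"] and len(s["dports"]) <= 3:
            labels[src] = "scanner"
        else:
            labels[src] = "p2p-heavy"
    return labels


def top_talkers(text, n=3):
    """Hosts with the most simultaneous flows, highest first."""
    stats = summarize(parse_table(text))
    ranked = sorted(stats, key=lambda h: stats[h]["total"], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    stats = summarize(parse_table(SAMPLE_TABLE))
    for host, label in classify(stats).items():
        print(f"{host:12} flows={stats[host]['total']:3} "
              f"half-open={stats[host]['syn_sent']:3} {label}")
```

Ranking by raw connection count alone, as the post describes, puts the BitTorrent user and the scanning host side by side; the half-open ratio and the spread of destination ports are what separate them, so a block decision should look at those columns rather than the total.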

  4. Why not ISPs by winkydink · · Score: 5, Interesting

    Better yet, why don't ISPs disconnect them until they can demonstrate they've been cleaned up?

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Why not ISPs by SpaceLifeForm · · Score: 2, Interesting
      That would be a start. However, just because they 'cleaned up' won't prevent them from becoming a zombie again.

      The ISP needs to force the user, at minimum, to install a software firewall.

      If the user has a windows box directly connected to the Internet and they don't have a software firewall, they should not be allowed to connect.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    2. Re:Why not ISPs by FriedTurkey · · Score: 3, Interesting

      Actually they do. My parents' computer got disconnected from Roadrunner for being a spam bot. Spending next weekend cleaning it up. Argh.

    3. Re:Why not ISPs by swv3752 · · Score: 4, Interesting

      So the answer is to start suing the ISPs and the customers. If it is more profitable to just sit back and do nothing, then we need to take away that profit incentive.

      --
      Just a Tuna in the Sea of Life
    4. Re:Why not ISPs by Just+Some+Guy · · Score: 4, Interesting
      Because it is not in the ISP's best (i.e. financial) interests to do so. Finding these machines, teaching users how to clean them up, and then reactivating their access would require a great deal of manpower and money. Since not doing it is consequence-free, there is no incentive to do it.

      I don't think it's that bad:

      1. Draft a standard letter / web page explaining why you're disconnecting a customer and how they can get re-connected.
      2. Port scan.
      3. Disconnect.
      4. Get kickbacks from local computer repair shop.
      5. Profit!
      which beats the heck out of
      1. Ignore the situation.
      2. Pay $BIGNUM for the bandwidth you're using to broadcast your customers' computers' spam.
      3. Lose legitimate customers who get tired of their outbound mail bouncing because your netblock is listed in every blackhole list on the planet.
      4. Loss!
      Either way, you will spend some money on the problem, either by proactively fixing it or by paying to repair the damages. Your call.
      --
      Dewey, what part of this looks like authorities should be involved?
    5. Re:Why not ISPs by Grishnakh · · Score: 5, Interesting

      I agree, especially about suing the customers. If they can sue customers for using P2P applications, they can certainly sue customers for running malicious programs on their computers, knowingly (they've been informed), and performing illegal actions with them.

      Harsh times call for harsh measures.

    6. Re:Why not ISPs by toddestan · · Score: 2, Interesting

      Once a computer becomes a zombie, just disable all traffic to that computer except port 80. 99% of the clueless types who let their computers become zombies would never notice, and then they can continue to live in their ignorant bliss. Problem solved.

      The few who would notice are more likely to be the more savvy ones who might be able to keep their computer clean next time - so once they disinfect their machine you could let them back on. Problem solved.

  5. Re:Back when Windows was just a hole in the wall by Anonymous Coward · · Score: 1, Interesting

    Now the average user can't tell when they have a problem or not...

    Yeah, it's hard to determine if their shiny new PC is getting slower because of Windows' normal cruft buildup, or because it's been pwned and is pumping out spam/participating in DDoS attacks/hosting phishing websites.

  6. Actively Scanning by forum__32 · · Score: 2, Interesting

    So if 1 million machines are actively scanning for other machines with 200 threads. With ipv4 there should be 4211604225 theoretical public ips. If they were scanning with 200 threads/sec, they could cover the entire ipv4 address space in 21 secs. Granted, I know not all 1 million are scanning, and I prolly screwed up in my ip calculations, but this is still an astronomical number.

  7. fix them by roman_mir · · Score: 3, Interesting

    Now that the machines are known, their IPs are compiled into a list, what stops a good samaritan from setting up a script to patch them up?

    It is probably quite complicated, technically speaking, because these machines now have to be scanned for every possible trojan, logger, virus in existence, but it's not impossible. Can an antivirus company, say, get a grant from a government to run a job like that?

  8. Bullshit by LiquidCoooled · · Score: 3, Interesting

    One machine can be infected by multiple trojans.
    One machine can reconnect to the same botnet multiple times as the person reboots to try and clear the problem.
    One machine gets multiple IP addresses every time he reboots.

    --
    liqbase :: faster than paper
  9. not entirely user behavior... by grassy_knoll · · Score: 5, Interesting
    from TFA:

    Getting the machines hijacked was worryingly easy. The longest time a Honeynet machine survived without being found by an automatic attack tool was only a few minutes. The shortest compromise time was only a few seconds.


    It's sad, but it seems the only way to mitigate this is to hold the OS vendor responsible for insecure code. Similar to cars, we hold the driver responsible if they (say) drive drunk, but the manufacturer responsible if while driving the wheels come off.
  10. Next Step: Take them over. by bigtallmofo · · Score: 4, Interesting

    I think the only plausible defense against a botnet of such a size is to use the botnet against itself. Allow one of your systems to be infected with the botnet - effectively join their network. Then sniff the network traffic to find out what IRC server and channel to join and any security codes that are necessary to control the botnet. Then upload a "virus" into the botnet that will patch the infected system and remove the botnet binaries. No more botnet.

    The only thing that makes me think it might not work is that it's similar to the stereotypical way of ridding the world of aliens in almost every sci-fi movie. Come to think of it, I might have gotten this idea from Independence Day.

    --
    I'm a big tall mofo.
  11. Re:Anyone know... by dtfinch · · Score: 5, Interesting

    If Joe User started on Linux, or *BSD, then trying to use Windows would require taking time to learn.

    You can tell that Windows is meant to be used as a tool and not just for hobby because in Office and the Explorer search pane they have dozens of these little characters that'll dance and do tricks and stuff without really helping you out in the process. And a bunch of the window actions can be animated to slow them down a bit. You've got connection limits and such to ensure that you only use your desktop for desktop stuff. Network authentication restrictions ensure that your intranet design fits a standard, well supported model, and that the right edition gets used for the right job. And the whole thing is pretty awesome for running games.

    Linux must certainly be meant just for hobby because it comes with thousands of these little tools that just do their jobs without much in the way of glitter and animation to impress the user, or even a requirement that a user must be directly interacting with them.

  12. In the end people just won't bother by Anonymous Coward · · Score: 2, Interesting


    In the UK, now that the earlier hacker key-logging story has broken, newscasters are doing their very best to convince people the internet is safe, but ultimately that won't last forever and it will simply be "safer" not to use the internet at all. With rampant ID theft, viruses, extortion by botnets, spam, worms, viruses, spyware, malware, tracking, phishing, 419s, fraud sites, it's just not worth the risk of doing anything serious on the net at all! And if the hostilities continue their trend of growth it will be very soon for security professionals to argue against disconnecting, as this will eliminate a substantial risk/cost factor for business/private users.

    People just can't be bothered anymore (or that's the feedback I get); it's just too complex for the average Joe, who is currently overwhelmed with threats to his financial and personal wellbeing (look at the list I just mentioned). It's hard enough to protect your assets in the "real world" as it is from conmen, burglars etc., without worrying that a glass-screened box in the corner is gonna ruin you and your family's life forever if you click on the wrong thing.

    I know I'm getting fed up with it and I'm an IT professional!

  13. ... and they affect Linux too by poopie · · Score: 3, Interesting

    My home machine's webserver gets regularly punished by bots that are sending buffer overflow URLs. I only have port 80 open, too. I use my home machine for mythtv, and I certainly notice when the bots start attacking me.

    It's really annoying. I've thought about what I can do to shut down bots that are annoying me with excess traffic...

    Does anyone have some good suggestions for keeping zombie PC traffic off of linux webservers either via firewall rules, apache config files, or ?

    Perhaps a more interesting question is... if your machines is being attacked by a zombie PC, is it okay to attack it back (and try to take it offline?) - Isn't this sort of like 'self defense'?

    1. Re:... and they affect Linux too by alyandon · · Score: 4, Interesting

      I have a cron entry that runs a script to examine /var/log/http/access_log for any obviously abusive requests (requests that contain 0x90x90x90x90x90x90, system32, cmd.exe, etc) and adds the offending ip address to the firewall list. I do something similar for my ftpd and sshd services as well.

      So basically my machine becomes invisible to the attacker and their ip address stays shitcanned forever.
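The log-scanning cron job described in the reply above can be written down concretely. The following is an added example, not alyandon's script: it reads constructed Apache common-log lines, percent-decodes the request path (twice, so that the `%255c` style double encoding seen in those requests unwraps to a backslash) and matches the three indicators the reply names, `cmd.exe`, `system32` and a run of 0x90 NOP bytes. The NOP sled is matched both as decoded bytes and as the `\x90` escape sequence Apache writes into the log for non-printable characters in the request line. One deliberate departure from "shitcanned forever": entries carry an expiry, because, as another comment in this thread notes, dial-up and DHCP addresses change hands on every reboot, so a permanent block soon lands on an innocent customer.

```python
"""Scan an Apache access log for the request patterns bots throw at any web
server, and keep a block list whose entries expire instead of living forever."""
import re
from urllib.parse import unquote_to_bytes

# Constructed log lines in Apache common log format (assumption: real logs
# carry many more benign lines between the probes).
SAMPLE_LOG = """\
198.51.100.1 - - [10/Mar/2005:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [10/Mar/2005:12:00:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
203.0.113.6 - - [10/Mar/2005:12:00:03 +0000] "GET /default.ida?%90%90%90%90%90%90%90%90%90%90 HTTP/1.0" 404 289
198.51.100.2 - - [10/Mar/2005:12:00:04 +0000] "GET /about/contact.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# The three indicators from the reply, matched after percent-decoding. Apache
# logs raw non-printable bytes as \xhh escapes, so the NOP sled is checked in
# that textual form as well as as real 0x90 bytes.
INDICATORS = (b"cmd.exe", b"system32", b"\x90\x90\x90\x90", b"\\x90\\x90\\x90\\x90")


def decode_path(path, rounds=2):
    """Percent-decode up to `rounds` times to unwrap double encoding."""
    data = path.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def is_abusive(path):
    blob = decode_path(path).lower()
    return any(ind in blob for ind in INDICATORS)


def scan_log(lines, now, ttl=86400, blocklist=None):
    """Return {ip: expiry_time} for offenders; a repeat hit pushes the expiry out."""
    blocklist = dict(blocklist or {})
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_abusive(m["path"]):
            blocklist[m["ip"]] = now + ttl
    return blocklist


def active_blocks(blocklist, now):
    """Drop expired entries: dial-up and DHCP addresses change hands."""
    return {ip: exp for ip, exp in blocklist.items() if exp > now}


def firewall_commands(blocklist, now):
    """One DROP rule per still-active offender (iptables syntax)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(active_blocks(blocklist, now))]


if __name__ == "__main__":
    blocks = scan_log(SAMPLE_LOG.splitlines(), now=1000)
    print("\n".join(firewall_commands(blocks, now=1000)))
```

Run it from cron against the live log, feeding the previous block list back in so that expiries accumulate rather than reset, and apply the generated rules from a clean chain you flush each run; that way an address that stops probing falls off the list on its own.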

    2. Re:... and they affect Linux too by alyandon · · Score: 2, Interesting
  14. Any better metrics on this? by Weaselmancer · · Score: 2, Interesting

    The article says:

    Many well-known vulnerabilities in the Windows operating system were exploited by 'bot net controllers to find and take over target machines.

    That's the only mention of an OS. Any metrics on exactly which OS and version/patchlevel is the most responsible?

    --
    Weaselmancer
    rediculous.
  15. Re:Anyone know... by winkydink · · Score: 2, Interesting

    If Joe User were required to start by using Linux or BSD, it would set computing back 10 years. It would however probably have the positive side-effect of vastly improving the desktop experience much more quickly than it is now.

    I'm not proposing Windows or Linux for that matter. The numbers speak for themselves. Linux is getting adopted quickly in the server room because the people who manage are trained professionals in computer-related fields. Joe User, for the most part, is not.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  16. Does anyone know if... by bluprint · · Score: 3, Interesting

    bots that infect computers ever conflict with each other. Like Bot1 takes over a PC, then Bot2 comes along, and maybe they fight over that PC or its resources?

    --
    A modern day witchhunt.
  17. Re:Why aren't governments proacting against these n by Florian+Weimer · · Score: 2, Interesting

    This is THE major problem afflicting the internet, why dont governments form a unit to identify and at least notifiy the owners of these machines?

    Why should they? It's the ISPs who make money by providing Internet access. They should be responsible for alerting their customers about compromised machines. Most of them don't because it costs too much money, and there's little liability even if you do absolutely nothing.

    On the other hand, customers aren't willing to pay for a notification service, or accept the privacy implications (notifying customers requires a mapping from dynamically assigned IP addresses to customer accounts). What's worse, a large percentage of them will just switch to another ISP once you restrict their network access because of a compromise.

  18. windows 2000 box: a zombie in ~ 5 minutes by hurricaen · · Score: 4, Interesting

    My coworker is doing some of his own investigations into this stuff. He hooked up a freshly installed, but unpatched, windows2000 box to the net with a freebsd box in between to monitor traffic. Within minutes it was infected, and we could see IRC traffic: connecting to a hidden channel to await instructions. Not that I'm that outraged that an old unpatched windows 2000 box is vulnerable; it's just amazing how quickly a worm will get you if you are vulnerable! -K
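The IRC traffic hurricaen's coworker watched from the FreeBSD box, and the "sniff the traffic to find the server, channel and any security codes" step in bigtallmofo's comment earlier in the thread, both come down to parsing a few plaintext IRC lines out of the infected host's TCP session. The following is an added example, not either poster's code: it takes constructed client-to-server and server-to-client payloads (assumption: plaintext IRC, as these bots spoke, with the reply stream already reassembled by the sniffer) and pulls out the server, login password, nick, channel keys and the commands the controller issues, whether by channel message or parked in the topic. The nick pattern check is a heuristic assumption. Reading this from a honeypot you own is the legitimate part of the plan; connecting to the channel and pushing "patches" to other people's machines is unauthorized access to those machines, whatever the intent.

```python
"""Pull the C&C details a bot reveals on the wire out of a captured IRC stream:
server, port, login, channel keys and the commands the controller issues."""
import re

# Constructed payloads as the monitoring box would reassemble them from the
# infected host's session (assumption: plaintext IRC; real captures carry
# more noise such as PING/PONG and MOTD lines).
DST_IP, DST_PORT = "198.51.100.9", 6667
CLIENT_TO_SERVER = [
    "PASS s3cr3tlogin",
    "NICK [USA|00]-482913",
    "USER qwert 0 0 :qwert",
    "JOIN #bots k3yw0rd",
]
SERVER_TO_CLIENT = [
    ":irc.example.test 001 [USA|00]-482913 :Welcome",
    ":irc.example.test 332 [USA|00]-482913 #bots :.scan 445 100 0 -r -s",
    ":master!u@h.example.test PRIVMSG #bots :.login herderpass",
    ":master!u@h.example.test PRIVMSG #bots :.ddos.syn 192.0.2.50 80 600",
    ":irc.example.test PING :irc.example.test",
]

LINE_RE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Za-z]+|\d{3})(?:\s+(?P<rest>.*))?$")
# Heuristic (assumption): "[CC|nn]-digits" nicks, country code plus counter.
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|\d{2}\]-?\d+$")


def parse_irc(line):
    """Split one IRC line into (prefix, command, params, trailing)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"] or ""
    trailing = None
    if rest.startswith(":"):
        params, trailing = [], rest[1:]
    elif " :" in rest:
        head, trailing = rest.split(" :", 1)
        params = head.split()
    else:
        params = rest.split()
    return m["prefix"], m["cmd"].upper(), params, trailing


def looks_like_bot_nick(nick):
    return bool(BOT_NICK_RE.match(nick))


def extract_cnc(dst_ip, dst_port, client_lines, server_lines, cmd_prefixes=(".", "!")):
    """Collect what is needed to recognise (not to operate) the botnet."""
    info = {"server": (dst_ip, dst_port), "password": None, "nick": None,
            "channels": {}, "commands": []}
    for line in client_lines:
        parsed = parse_irc(line)
        if not parsed:
            continue
        _, cmd, params, _ = parsed
        if cmd == "PASS" and params:
            info["password"] = params[0]
        elif cmd == "NICK" and params:
            info["nick"] = params[0]
        elif cmd == "JOIN" and params:
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):
                info["channels"][chan] = keys[i] if i < len(keys) else None
    for line in server_lines:
        parsed = parse_irc(line)
        if not parsed:
            continue
        prefix, cmd, params, trailing = parsed
        # Orders arrive as channel PRIVMSGs or sit in the topic (numeric 332)
        # so that every bot that joins picks them up.
        if cmd in ("PRIVMSG", "332") and trailing and trailing.startswith(cmd_prefixes):
            chan = params[-1] if params else None
            if chan in info["channels"]:
                info["commands"].append((cmd, prefix, trailing))
    return info


if __name__ == "__main__":
    found = extract_cnc(DST_IP, DST_PORT, CLIENT_TO_SERVER, SERVER_TO_CLIENT)
    for key, value in found.items():
        print(f"{key:9} {value}")
```

The server address, port, password and channel key are exactly what an ISP or CERT needs to get the C&C host taken down, which removes the whole herd at once without touching any victim machine; the command lines tell you what the botnet was being used for.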

  19. Re:Before Everybody Blames Microsoft by Dashing+Leech · · Score: 2, Interesting
    "Just remember that it is also the responsibility of the computer users to patch their systems in a timely manner..."

    This is true, but I'd like to go one step even further. Is there software out there to check if your PC has been co-opted, like what honeynet has but for regular users (just an integrity check)? I have a server with a firewall, then a router with a firewall, then ZoneAlarm software firewall on my main home PC. I expect this should be safe, but I know I've gotten spyware and adware on it (from downloaded programs), so even removing that how is one to know if there's an exploit through one of the legitimate I/O routes (web browser, P2P, IM, etc.).
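The "just an integrity check" the comment above asks for is, at its simplest, a hash of every file taken while the machine is known-good and compared against a fresh hash later. The following is an added example, not a product the comment refers to and not the Honeynet Project's tooling: it walks a directory tree, records a SHA-256 per file, and reports added, removed and modified paths. The `demo()` function builds a constructed tree in a temporary directory, with a made-up dropped filename, so the block runs stand-alone.

```python
"""A minimal file-integrity check: hash a tree once, keep the baseline off the
machine, and later report what was added, removed or changed."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map each relative file path under root to its SHA-256 (symlinks skipped)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def compare(old, new):
    """Diff two baselines into the three lists an operator wants to read."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed tree: take a baseline, then simulate what a trojan drops and
    alters, and diff. Filenames are made up for the example."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "svchost.exe"), "wb") as f:
            f.write(b"legit service host")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"hello")
        before = baseline(root)
        with open(os.path.join(sysdir, "svchost.exe"), "wb") as f:
            f.write(b"legit service host" + b"\x90" * 16)  # binary patched in place
        with open(os.path.join(sysdir, "wuamgrd.exe"), "wb") as f:
            f.write(b"dropped bot binary")  # hypothetical dropped file
        os.remove(os.path.join(root, "readme.txt"))
        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

Two caveats a practitioner would add: a baseline taken on a machine that was already compromised only certifies the compromise, and a kernel-level rootkit can lie to the checker about what is on disk, so the comparison is only trustworthy when run from clean boot media against a baseline stored somewhere the machine cannot rewrite.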

  20. Re:Anyone know... by enigmals1 · · Score: 2, Interesting

    I agree they are most likely almost all Windows OS. However, that statistic really means nothing since that is a percentage of zombie PCs; this does not mean there are proportionately more affected Windows PCs than other OSes. Now get me the percentage/number of OSes that are zombies compared to the total percentage/number of those OSes in production around the world in general! ...then you'll have something.

    GOD I am SO tired of this elitist crap on /. Personally, I'm a Windows fan and I cannot WAIT until Linux really starts taking off so it will have just as many vulnerabilities and problems exposed. And I know they're there because of the inherent reliance on the single kernel just like Windows and the too-many-hands-in-the-pot factor.

  21. "Zombies" by Audigy · · Score: 2, Interesting

    Ah, thank you Steve Gibson from grc.com for that lovely nickname.

    --
    [an error occured while processing this directive]
  22. Appliance by Straker+Skunk · · Score: 2, Interesting

    The ISP needs to force the user to at minimum to install a software firewall.

    Simpler than that. Just give customers a firewall appliance with their modem, and warnings of the doom that will befall them if they don't hook it up between their modem and PC....

    --
    iSKUNK!
  23. A fresh install solaris is just as vulnerable by merreborn · · Score: 4, Interesting

    My father received his first couple of Sparc-based Unix boxes about 4 years ago in the wake of the dot-com collapse. For one reason or another, he decided to reinstall (a somewhat old version of) Solaris from a disc he got with the system.

    A couple of days later, his cable-modem based LAN was nigh unusable; lo and behold, the unpatched Solaris box was sending out data as fast as it could. Neither of us had the technical expertise to figure out what exactly had happened, but the process that was causing all the trouble was sitting in a dir full of various tools that seemed to be doing some sort of IP range scanning and self propagation.

    If there are enough systems out there with a given hole, someone will exploit it, regardless of OS.

  24. What is the control group? by gelfling · · Score: 4, Interesting

    I have a bunch of Win XPhome, Pro and W2K boxes @ home, fully patched, personal firewalled, my router screens what it can, in fact it blocks most every port and tosses pings from both sides. There's antispyware and AV scanners running on all desktops. And brute force scans for virus and all other malware kick off weekly. The uplink is cable (shared). Am I contaminated? You betcha. I can run any spyware tool @ random and find something and once a month I trap a virus either in the browser cache or the jpi cache on one or all of these machines.

    Shit I forgot why I wrote this - oh yeah. What is the definition of "GOOD"? So while there 1.2 globzigillion zombies out there, what is the likelihood you're actually clean? I'd say damn near zero.

  25. Why don't ISPs use Firewalls? by guru42101 · · Score: 4, Interesting

    I work for a minor dialup in BFE, KY. We used to have large problems with our users getting hacked and zombified. But we decided that since they weren't going to have a local firewall, we'd run one for them. Generally speaking Joe User doesn't need an internal SMTP server, http server, and so on. So we've got it set up now where they can connect to http, ftp, send their emails, send their IMs, play their games, and even use BT. But a lot of things that they'll never notice are disabled for their own good. We'll occasionally have someone call about something not working and we'll then add in a rule to punch a hole for them. But I think that has been one person in the past year so far.

    I'm surprised more ISPs don't do this as we used to be overloading our pipe due to the bots but now we're using half of our pipe during peak times.

    I could see this as a potential issue for some broadband ISPs but the saved money in bandwidth is much higher than the cost of manpower
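The ISP-side filter guru42101 describes (customers may connect out, unsolicited inbound connections are dropped, and support punches a hole when someone asks) and toddestan's suggestion earlier in the thread (a zombie keeps only port 80) are two profiles of the same stateful policy. The following is an added example, not the ISP's configuration: a small model of that policy that tracks the flows a subscriber opens, lets the replies back in, drops everything else inbound unless a hole has been opened for that port, and in the quarantine profile allows only outbound web connections. Packets are plain tuples; the profile names, the 5-tuple flow key and the "punched hole" representation are assumptions made for the example, and a real deployment would express the same rules in the router's or firewall's own language.

```python
"""Model of a per-subscriber stateful filter at an ISP edge: the subscriber
may open connections outward (replies are tracked back in), unsolicited
inbound traffic is dropped unless the ISP has punched a hole, and a
quarantine profile leaves only outbound web traffic working."""

# Packet = (direction, proto, src, sport, dst, dport, syn); direction is "out"
# for subscriber -> Internet and "in" for Internet -> subscriber.
PROFILES = {
    "normal": {"outbound_ports": None, "honor_holes": True},   # None: any port
    "quarantine": {"outbound_ports": {80}, "honor_holes": False},
}


class SubscriberFilter:
    def __init__(self, profile="normal", inbound_holes=()):
        self.profile = PROFILES[profile]
        self.inbound_holes = set(inbound_holes)  # (proto, dport) pairs, e.g. ("tcp", 6881)
        self.flows = set()  # (proto, sub_ip, sub_port, remote_ip, remote_port) opened by subscriber

    def check(self, pkt):
        """Return "ALLOW" or "DROP" and update flow state as a stateful filter would."""
        direction, proto, src, sport, dst, dport, syn = pkt
        if direction == "out":
            allowed = self.profile["outbound_ports"]
            if allowed is not None and dport not in allowed:
                return "DROP"  # quarantined host: IRC, SMTP, scans all stop here
            self.flows.add((proto, src, sport, dst, dport))
            return "ALLOW"
        # Inbound: replies to flows the subscriber opened always pass.
        if (proto, dst, dport, src, sport) in self.flows:
            return "ALLOW"
        if proto == "tcp" and not syn:
            return "DROP"  # mid-stream segment with no state: not ours
        if self.profile["honor_holes"] and (proto, dport) in self.inbound_holes:
            return "ALLOW"  # e.g. a BitTorrent listener the customer asked for
        return "DROP"  # default: SMB, RPC, MSSQL and the rest never reach the subscriber


def run(profile, packets, inbound_holes=()):
    """Apply one filter to a packet sequence and return the verdicts in order."""
    f = SubscriberFilter(profile, inbound_holes)
    return [f.check(p) for p in packets]


if __name__ == "__main__":
    sample = [
        ("out", "tcp", "10.1.1.5", 1025, "198.51.100.2", 80, True),   # browse
        ("in", "tcp", "198.51.100.2", 80, "10.1.1.5", 1025, False),   # reply
        ("in", "tcp", "203.0.113.9", 4444, "10.1.1.5", 445, True),    # worm probe
        ("in", "tcp", "198.51.100.7", 51000, "10.1.1.5", 6881, True), # BT peer
        ("out", "tcp", "10.1.1.5", 1030, "198.51.100.9", 6667, True), # bot to IRC
    ]
    for name in PROFILES:
        print(name, run(name, sample, inbound_holes={("tcp", 6881)}))
```

With the normal profile the worm probe on 445 is the only packet dropped, which is the inbound vector the unpatched-box stories in this thread describe; the quarantine profile additionally stops the outbound IRC connection and closes the BitTorrent hole while leaving browsing intact. What neither profile can do is stop a trojan the user installs from calling out on port 80, so the filter is a containment measure, not a substitute for cleaning the machine.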

  26. Will never stop unless.... by Electric+Eye · · Score: 4, Interesting

    ....a group of super smart nerds somehow figures out how to do the same thing to these millions of PCs, but in reverse. Somehow create a worm that turns on the XP firewall, installs MS Anti-Spy and SpyBot and whatever else is needed. Isn't this easy to do (for the geek crowd)? Every new client I get (I'm a home computer tech) is infected with massive amounts of spyware. They have NO idea. My last two clients had more than 10,000 files and programs that were deemed spyware (not including cookies). It took forever to clean these machines, esp with those damn trojans not wanting to leave. I've got years of experience so I know what to do. But 99.999% of Windoze users don't have the damndest clue. My clients can't even set up their own DSL connections. How are they going to prevent their computers from being turned into zombies? Hell, they don't even know what that means.

    It's up to the benevolent hackers or MS. My $$ is on the geeks outside of Redmond.

  27. Do NOT clean up Winboxen for free. by Werrismys · · Score: 4, Interesting
    Do not clean up these boxes. Disconnect them from net and tell the relative in question to either PAY for the cleanup, get someone else to clean it, or get a Mac.

    Bad PR but who the fuck cares.

    tihihi I said boxen.

    --
    'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
  28. Re:Ethics be damned... by Inda · · Score: 1, Interesting

    Kid next door?

    Short story:

    A mate of mine bought a new motherboard and graphics card. Be damned if we could get it all working properly. "I'm taking it to a computer shop" he said in a moment of frustration. The shop fixed it for him.

    6 months later we were mucking around with something. The task manager showed Blaster was running - not that this was related to anything we were doing...

    He uses his PC for playing games and nothing else. He doesn't even have an internet connection. Three guesses where he caught Blaster from?

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  29. P2P Nets by nurb432 · · Score: 2, Interesting

    So how many of these are being used for P2P serving?

    "But Judge, I wasn't me that was sharing those files "

    Before you laugh, I had a Linux 'router' broken into about 8 years ago. I of course caught it in nightly auditing, but it happened.

    Turned my machine into a porn ftp server and a bridge to break into the next person.. If I hadn't been auditing, might have been months before discovery..

    --
    ---- Booth was a patriot ----
  30. Honeynet by smoker2 · · Score: 3, Interesting
    From the Honeynet homepage:
    More than 90% of these connection attempts were caused by a machine running Windows, whereas only about 3% could be identified as originating from Linux machines.
    The first attempt to attack one of the honeypots was noticed about ten minutes after the whole honeynet was attached to the Internet. The system was systematically searched for weaknesses (port scan) and the attacker tried to exploit a known vulnerability in the Internet Information Server (IIS). After this short period of time, an unpatched version of this server would have been compromised.
    The ports 445, 135, 137 and 139 - all belonging to Netbios, the protocol favored by the Microsoft Operating System family - see by far the most traffic.

    Apparently they were using SUSE 8 Pro and Solaris 8 as the Honeypots. My issue with the BBC article is that although (as can be seen from the Honeypot site) 90% of the attacks were aimed at, or originated from, a Windows machine, the offending OS is mentioned only once.
    They (the BBC) should spell it out, so that the general public actually gets notified officially, and thus make it a well known issue among non-IT literate people.
  31. Re:Ethics be damned... by WhitetailKitten · · Score: 2, Interesting

    I work phone support for a major ISP (hint: butterfly). I hear this a lot. "I don't want to install SP2, [OEM] told me not to."

    I want to say, look, lady, just fucking install SP2. You have Service Pack nothing. Your computer is being chewed into a pulpy mass by viruses that received patches two years ago.

    Instead I push them to their OEM and let their OEM deal with it, since it's their fault they don't have SP2.

  32. Win95 box: Never bothered :-) RH6 - killed. by billstewart · · Score: 2, Interesting
    A couple of years ago I got DSL in my lab, and left a couple of machines on it unprotected partly to experiment with and partly to see what would happen to them. One Linux box was running tcpdump continuously to sniff the network. The Win95 box was never bothered - it had anti-virus software, and I used Netscape rather than IE (and of course there was nothing useful on it to exploit because it was a Win95 box :-) The RedHat 6.x box typically lasted a week between crackings - I eventually named the machine "Kenny" because it kept getting brutally and senselessly killed every week. One of the crackers really didn't like it when I got rid of his Stacheldraht installation and reformatted the disk. So I installed a newer RedHat version, in a mode with no servers running, and people mostly left it alone other than basic doorknocking.

    This *was* a few years ago, and crackers have gotten more sophisticated, and DSL and cable modem proliferation means there are lots more fast net connections for them to work with. At the time, Win95 was obsolete, RedHat was doing 7.x versions, and Stacheldraht attacks seemed to mostly come from universities (including Washington University, whose wu-ftpd was one of the main holes exploited by crackers, and a machine that looked like it was from MIT but was actually from somebody in Japan with a byte-order problem.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  33. Re:Anyone know... by AbRASiON · · Score: 2, Interesting

    Well I've recently installed ubuntu on my laptop and personally I'm scared of being rooted because I don't know shit about linux - so I actually feel safer under XP.

    It installed itself and I believe I don't have root access but due to my lack of linux knowledge it's scary - I know a compromised linux box is a bad bad thing.

    Fortunately I'm using NAT and there's no ports forwarded to the thing.