Over a Million Zombie PCs
Doyle writes "A BBC article discusses new research revealing that over 1 million computers have been compromised and are being used in bot nets. From the article: 'The largest network spied on by the team was made up of 50,000 hijacked home computers.'"
If 1,000,000 computers can be identified as being zombie machines, then 1,000,000 computer owners can be contacted. This is THE major problem afflicting the internet, so why don't governments form a unit to identify and at least notify the owners of these machines? Will it take a major internet terrorist attack like bringing down a power grid to make governments act? As net users we should advocate government involvement in a measured, controlled way rather than the reaction that will come after an attack (Patriot Act?).
"It's so convenient to have a system where everyone is a criminal" - A. Hitler
At my university, we have to run snort at the head end of the network in order to control the havoc these compromised machines create. We also monitor the number of simultaneous connections each machine creates and block the ones at the very top.
Better yet, why don't ISPs disconnect them until they can demonstrate they've been cleaned up?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Now that the machines are known and their IPs are compiled into a list, what stops a good Samaritan from setting up a script to patch them up?
It is probably quite complicated, technically speaking, because these machines now have to be scanned for every possible trojan, logger and virus in existence, but it's not impossible. Can an antivirus company, say, get a grant from a government to run a job like that?
You can't handle the truth.
One machine can be infected by multiple trojans.
One machine can reconnect to the same botnet multiple times as the person reboots to try and clear the problem.
One machine gets multiple IP addresses every time he reboots.
liqbase
It's sad, but it seems the only way to mitigate this is to hold the OS vendor responsible for insecure code. Similar to cars, we hold the driver responsible if they (say) drive drunk, but the manufacturer responsible if the wheels come off while driving.
A Human Right
I think the only plausible defense against a botnet of such a size is to use the botnet against itself. Allow one of your systems to be infected with the botnet - effectively join their network. Then sniff the network traffic to find out what IRC server and channel to join and any security codes that are necessary to control the botnet. Then upload a "virus" into the botnet that will patch the infected system and remove the botnet binaries. No more botnet.
The only thing that makes me think it might not work is that it's similar to the stereotypical way of ridding the world of aliens in almost every sci-fi movie. Come to think of it, I might have gotten this idea from Independence Day.
I'm a big tall mofo.
If Joe User started on Linux, or *BSD, then trying to use Windows would require taking time to learn.
You can tell that Windows is meant to be used as a tool and not just for hobby because in Office and the Explorer search pane they have dozens of these little characters that'll dance and do tricks and stuff without really helping you out in the process. And a bunch of the window actions can be animated to slow them down a bit. You've got connection limits and such to ensure that you only use your desktop for desktop stuff. Network authentication restrictions ensure that your intranet design fits a standard, well supported model, and that the right edition gets used for the right job. And the whole thing is pretty awesome for running games.
Linux must certainly be meant just for hobby because it comes with thousands of these little tools that just do their jobs without much in the way of glitter and animation to impress the user, or even a requirement that a user must be directly interacting with them.
My home machine's webserver gets regularly punished by bots that are sending buffer overflow URLs. I only have port 80 open, too. I use my home machine for mythtv, and I certainly notice when the bots start attacking me.
It's really annoying. I've thought about what I can do to shut down bots that are annoying me with excess traffic...
Does anyone have some good suggestions for keeping zombie PC traffic off of linux webservers either via firewall rules, apache config files, or ?
Perhaps a more interesting question is... if your machine is being attacked by a zombie PC, is it okay to attack it back (and try to take it offline)? Isn't this sort of like 'self defense'?
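As an added example (not from any poster in this thread), a small Python script that does the two defensive things suggested so far: it flags the overlong "buffer overflow" request URIs hitting an Apache access log, counts per-source request volume the way the university comment above describes, and renders candidate iptables DROP rules for review. The log lines, thresholds and heuristics are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format: client IP, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

MAX_URI_LEN = 256                                # assumed: longest URI a real client of this site sends
RUN_RE = re.compile(r'(.)\1{63,}')               # 64+ identical bytes in a row is filler, not a path
UNICODE_ESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')  # non-standard %uXXXX escapes no browser emits
PER_IP_THRESHOLD = 20                            # requests from one source before we propose a block

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None          # None for garbage lines instead of raising

def is_suspicious_uri(uri):
    """Heuristics for the overlong 'buffer overflow URL' pattern the poster describes."""
    return (len(uri) > MAX_URI_LEN or RUN_RE.search(uri) is not None
            or UNICODE_ESC_RE.search(uri) is not None)

def analyse(lines):
    """Per-source request counts: {ip: {'total': n, 'suspicious': m}}."""
    stats = defaultdict(lambda: {'total': 0, 'suspicious': 0})
    for rec in filter(None, map(parse_line, lines)):
        stats[rec['ip']]['total'] += 1
        stats[rec['ip']]['suspicious'] += int(is_suspicious_uri(rec['uri']))
    return dict(stats)

def block_candidates(stats, threshold=PER_IP_THRESHOLD):
    """Sources that sent at least one suspicious URI and sit at or above the volume threshold."""
    return sorted(ip for ip, s in stats.items() if s['suspicious'] and s['total'] >= threshold)

def iptables_rules(ips):
    """Render DROP rules for an admin to review; nothing here touches the live firewall."""
    return [f'iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP' for ip in ips]

def sample_log():
    """Constructed sample lines (not real traffic): one normal client and one hammering bot."""
    fmt = '{ip} - - [01/Mar/2005:10:00:{sec:02d} +0000] "GET {uri} HTTP/1.0" {st} 290 "-" "-"'
    lines = [fmt.format(ip='192.0.2.10', sec=1, uri='/index.html', st=200)]
    lines += [fmt.format(ip='198.51.100.7', sec=i, uri='/cgi-bin/a?' + 'A' * 300, st=404)
              for i in range(25)]
    return lines

if __name__ == '__main__':
    for rule in iptables_rules(block_candidates(analyse(sample_log()))):
        print(rule)
```

Tune MAX_URI_LEN and PER_IP_THRESHOLD against a week of your own access logs before trusting the candidate list, since a busy legitimate proxy can exceed a naive volume threshold.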
bots that infect computers ever conflict with each other. Like Bot1 takes over a PC, then Bot2 comes along, and maybe they fight over that PC or its resources?
A modern day witchhunt.
My coworker is doing some of his own investigations into this stuff. He hooked up a freshly installed, but unpatched, Windows 2000 box to the net with a FreeBSD box in between to monitor traffic. Within minutes it was infected, and we could see IRC traffic: connecting to a hidden channel to await instructions. Not that I'm that outraged that an old unpatched Windows 2000 box is vulnerable; it's just amazing how quickly a worm will get you if you are vulnerable! -K
My father received his first couple of Sparc-based Unix boxes about 4 years ago in the wake of the dot-com collapse. For one reason or another, he decided to reinstall (a somewhat old version of) Solaris from a disc he got with the system.
A couple of days later, his cable-modem based LAN was nigh unusable; lo and behold, the unpatched Solaris box was sending out data as fast as it could. Neither of us had the technical expertise to figure out what exactly had happened, but the process that was causing all the trouble was sitting in a dir full of various tools that seemed to be doing some sort of IP range scanning and self-propagation.
If there are enough systems out there with a given hole, someone will exploit it, regardless of OS.
I have a bunch of Win XP Home, Pro and W2K boxes @ home, fully patched, personal firewalled, my router screens what it can, in fact it blocks most every port and tosses pings from both sides. There's antispyware and AV scanners running on all desktops. And brute force scans for viruses and all other malware kick off weekly. The uplink is cable (shared). Am I contaminated? You betcha. I can run any spyware tool @ random and find something, and once a month I trap a virus either in the browser cache or the jpi cache on one or all of these machines.
Shit, I forgot why I wrote this - oh yeah. What is the definition of "GOOD"? So while there are 1.2 globzigillion zombies out there, what is the likelihood you're actually clean? I'd say damn near zero.
I work for a minor dialup in BFE, KY. We used to have large problems with our users getting hacked and zombiefied. But we decided that since they weren't going to have a local firewall, then we'd run one for them. Generally speaking Joe User doesn't need an internal SMTP server, http server, and so on. So we've got it set up now where they can connect to http, ftp, send their emails, send their IMs, play their games, and even use BT. But a lot of things that they'll never notice are disabled for their own good. We'll occasionally have someone call about something not working and we'll then add in a rule to punch a hole for them. But I think that has been one person in the past year so far.
I'm surprised more ISPs don't do this, as we used to be overloading our pipe due to the bots but now we're using half of our pipe during peak times.
I could see this as a potential issue for some broadband ISPs, but the money saved in bandwidth is much higher than the cost of manpower.
....a group of super smart nerds somehow figures out how to do the same thing to these millions of PCs, but in reverse. Somehow create a worm that turns on the XP firewall, installs MS Anti-Spy and SpyBot and whatever else is needed. Isn't this easy to do (for the geek crowd)? Every new client I get (I'm a home computer tech) is infected with massive amounts of spyware. They have NO idea. My last two clients had more than 10,000 files and programs that were deemed spyware (not including cookies). It took forever to clean these machines, esp. with those damn trojans not wanting to leave. I've got years of experience so I know what to do. But 99.999% of Windoze users don't have the damndest clue. My clients can't even set up their own DSL connections. How are they going to prevent their computers from being turned into zombies? Hell, they don't even know what that means.
It's up to the benevolent hackers or MS. My $$ is on the geeks outside of Redmond.
Bad PR but who the fuck cares.
tihihi I said boxen.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
Apparently they were using SUSE 8 Pro and Solaris 8 as the honeypots. My issue with the BBC article is that although (as can be seen from the Honeypot site) 90% of the attacks were aimed at, or originated from, a Windows machine, the offending OS is mentioned only once.
They (the BBC) should spell it out, so that the general public actually gets notified officially, and thus make it a well known issue amongst non-IT literate people.