Slashdot Mirror
Over a Million Zombie PCs
Doyle writes "A BBC article discusses new research revealing that over 1 million computers have been compromised and are being used in bot nets. From the article: 'The largest network spied on by the team was made up of 50,000 hijacked home computers.'"
Maybe I should have sent THIS in afterall...
I'm a virgo and on Slashdot. Coincidence? Yes.
... the breakdown of that million by operating system?
You never know, it might be a nice bit of PR for some Apple/Linux/BSD organisation to casually slip into a Press Release.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Aren't zombies constantly searching for "brains" ?
compared to the millions of zombies in front of PCs.
:P
Come to think of it, the two just may be related.
If 1,000,000 computers can be identified as being zombie machines than 1,000,000 computer owners can be contacted. This is THE major problem afflicting the internet, why dont governments form a unit to identify and at least notifiy the owners of these machines? Will it take a major internet terrorist attack like bringing down a power grid to make governments act?. As net users we should advocate government involvment in a measured controlled way rather than the reaction that will come after an attack (patriot act?)
"It's so convenient to have a system where everyone is a criminal" - A. Hitler
Is it really only one million? When I think of how the average user ends up getting a machine infected, I think of a whole lot more than 1 million. 10 million, perhaps.
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
At my university, we have to run snort at the head end of the network in order to control the havoc these compromised machines create. We also monitor the number of simultaneous connections each machine creates and block the ones at the very top.
*Connection Terminated Unexpectedly*
/dev/random
... a Beowulf Cluster of... oh wait...
(Hmm, can zombies be clustered? We all know from Night of the Living Dead that they DO cluster. Quite well, in fact...)
}#q NO CARRIER
Remmeber when viruses would just "format C:"? When you were infected, you knew it cause your HD was blank. Now the average user can't tell when they have a problem or not...
and at least notifiy the owners of these machines?
Something like that already exists.
Feel free to contact any of the infected and cross them out.
I'm a virgo and on Slashdot. Coincidence? Yes.
I know one thing: There's no way in hell they're ever gonna get passed my *ENLARGE YOUR PENIS* super leet windows 2003 install modded to look like xp *HELP RETRIEVE MY MILLIONS*. I even use IE7 beta, but I'm not scared cause I run McAfee *BUY SLIGHTLY USED PORN AT ROCK BOTTOM PRICES* firewall to protect my cable modem network. Let's see 'em try to get into THIS network! HA!
** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
Better yet, why don't ISPs disconnect them until they can demonstrate they've been cleaned up?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
No sane person should connect a critical piece of computer infrastructure, such as any computer dealing with the management of the electrical grid, to the internet.
Better thing would be to require by law that none can be connected instead.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
From honeypot FAQ:
8. Do you prosecute the people that compromise systems within the Honeynet? No. The prime directive of the Honeynet Project is research and to share those lessons learn. It is not our goal to catch and prosecure blackhats. We do forward information about compromised systems to CERT so CERT can notify admins of compromised systems. We limit our contact with authorities only when the Project feels there is a critical need. If we were to become involved in a major legal case everytime a system was compromised, we would not have time for research, let alone our real jobs.
read more about honeypot here. It seems they probably could, but are not going to.
"So there he is, risen from the dead. Like that fella, E. T." - Father Ted Crilly
Governments?, What about ISPs? They are the ones having to pay for the added bandwitdh on both sides. I'm surprised most ISPs dont run IDS that can detect Zoombie Networks and automatically send emails to its infected customers. This will not only pay for itself by reducing bandwidth, but also make the customers more happy.
mnewberg.com
So if 1 million machines are actively scanning for other machines with 200 threads. With ipv4 there should be 4211604225 theoretical public ips. If they were scanning with 200 threads/sec, they could cover the entire ipv4 address space in 21secs. Granted, I know not all 1 million are scanning, and I prolly screwed up in my ip calculations, but this still an astronomical number.
Now that the machines are known, their IPs are compiled into a list, what stops a good samaritan from setting up a script to patch them up?
It is probably quite complicated, technically speaking, because these machines now have to be scanned for every possible trojan, logger, virus in existance, but it's not impossible. Can an antivirus company, say, get a grant from a government to run a job like that?
You can't handle the truth.
One machine can be infected by multiple trojans.
One machine can reconnect to the same botnet multiple times as the person reboots to try and clear the problem.
One machine gets multiple IP addresses every time her reboots.
liqbase
This explains why my startup sound suddenly changed into a groaning voice saying "Braiinnnnnssss..."
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
It's sad, but it seems the only way to mitigate this is to hold the OS vendor responisble for insecure code. Similar to cars, we hold the driver responsible if they ( say ) drive drunk, but the manufactorer responsible if while driving the wheels come off.
A Human Right
Home PC users do not need to generate traffic on port 25 that's going anywhere other than their ISP's mailserver. ISP mailservers should use SMTP authentication. Of course these simple measures would mean support calls from users who need to reconfigure Outlook, and support calls cost money, so it'll never happen.
Nonetheless, these companies are proffiting while user machines get hijacked. Someone needs to make a little bit of effort, 'cause for now spreading these nets wider is way too easy.
Now many will call me a Microsoft basher and i unashamedly am and with a dammed good reason. The insecurity of microsoft OSs does not just effect those who want to use (or dont know they have other options)windows, but it effects me and my peers. ,HPUX,Solaris,OS X(maybe i should just include this in *BSD) and *BSD are not perfect and have some security issues , though nothing on this scale(my opinion ) , you can use the argument about if blah had blah monopoly then blah would be just as cracked (which i think is rubbish and doth not change the fact that it is only and if as it isnt so cant be proven) So as a user of the internet on my chosen Unix variants at home and at work I still have to suffer microsofts lackluster Network security through the set-up of botnets .
I know * linux
Spam - DDOS and freinds continue to plauge our internet services.
Fine blame the average user for not updating etc , the fact remains that a person who is skilled in other areas should not need to have the knowlidge level of a Tech or even System admin or developer just to be able to safely use a computer (Ease of use is a difrent kettle of fish)
Sorry for the rant , but I am rather narked off at Spam nets
The only things certain in war are Propaganda and Death. You can never be sure which is which though
Time for someone to write a worm that forces an update from Windows Update; downloads a copy of SpyBot Search & Destroy, runs it and then turns on the firewall.
-Charles
Learning HOW to think is more important than learning WHAT to think.
I think the only plausible defense against a botnet of such a size is to use the botnet against itself. Allow one of your systems to be infected with the botnet - effectively join their network. Then sniff the network traffic to find out what IRC server and channel to join and any security codes that are necessary to control the botnet. Then upload a "virus" into the botnet that will patch the infected system and remove the botnet binaries. No more botnet.
The only thing that makes me think it might not work is that it's similar to the stereotypical way of ridding the world of aliens in almost every sci-fi movie. Come to think of it, I might have gotten this idea from Independence Day.
I'm a big tall mofo.
in the UK now the earlier hacker key logging story has broken, newscasters are doing their very best to convince people the internet is safe but ultimatly that wont last forever and it will simply be "safer" not to use the internet at all, with rampant ID theft, viruses, extortion by botnets, spam, worms, viruses, spyware,malware,tracking, phishing, 419's,fraud sites, its just not worth the risk of doing anything serious on the net at all! and if the hostilities continues its trend of growth it will be very soon for security professionals to argue against disconnecting as this is will eliminate a substantial risk/cost factor for buisness/private users
people just cant be bothered anymore (or thats the feedback i get), its just too complex for the average joe who is currently overwhelmed with threats to his financial and personal wellbeing (look at list i just mentioned) its hard enough to protect your assets in the "real world" as it is from conmen,burglars etc, without worrying that a glass screened box in the corner is gonna ruin you and your families life forever if you click on the wrong thing
i know im getting fed up of it and im an IT professional !
My home machine's webserver gets regularly punished by bots that are sending buffer overflow URLs. I only have port 80 open, too. I use my home machine for mythtv, and I certainly notice when the bots start attacking me.
It's really annoying. I've thought about what I can do to shut down bots that are annoying me with excess traffic...
Does anyone have some good suggestions for keeping zombie PC traffic off of linux webservers either via firewall rules, apache config files, or ?
Perhaps a more interesting question is... if your machines is being attacked by a zombie PC, is it okay to attack it back (and try to take it offline?) - Isn't this sort of like 'self defense'?
I'm not the greatest security expert, but I follow the proper guidelines (running AV, firewall, patches etc) and I still find that my xp machine is constantly coming up with some sorts of odd processes or quirks. I am giving up on windows as a personal machine, simply because it's ridiculous to constantly be fighting off things like this. I'm not going to blame anyone but the virus/spam/malware writers. I do what I can to practice "safe computing" (sic) and don't download stuff willy nilly.
I think it's a shame that it has to be like this. Unfortunately the only real solution would be genetically modifying everyone to get rid of the gene that makes people think it's ok to spam/hack/whatever people's machines. Impossible as it is, the best solution would be to shut down the internet for about 2 months, then all the spammers would have to give back their money to the people that paid them (as if they would). Not likely to happen though.
"Will it take a major internet terrorist attack like bringing down a power grid to make governments act?."
Yes.
Of course it will.
I'm glad to be just part of the team!
<-[XP]-86840>: This message brought to you by Backdoor.Win32.Rbot.gen
SIGFAULT
The article says:
Many well-known vulnerabilities in the Windows operating system were exploited by 'bot net controllers to find and take over target machines.
That's the only mention of an OS. Any metrics on exactly which OS and version/patchlevel is the most responsible?
Weaselmancer
rediculous.
How many, out of that estimate, pertain to those who still didn't patch up that stupid RPC/DCOM vulnerability for 2000/XP?
"The ones who dont do anything are always the ones who try to pull you down" -- Henry Rollins
bots that infect computers ever conflict with each other. Like Bot1 takes over a PC, then Bot2 comes along, and maybe they fight over that PC or its resources?
A modern day witchhunt.
Comment removed based on user account deletion
Thank you, I could not have said it better myself. I use Linux everyday, and in all honesty I patch my Linux box more than I patch my Windows XP box. Sure, the Linux box is frequently getting simple app upgrades/patches, but there are a good number of security fixes in those patches as well. An admin I work with left his Red Hat box unpatched and for a year and it got nailed twice, just do the math. Linux might be more secure, but it is only as secure as the person who administrates the box.
I get nice little pop ups telling me my computer may be already infected all the time, don't you?
If you could reason with religious people, there would be no religious people
This is THE major problem afflicting the internet, why dont governments form a unit to identify and at least notifiy the owners of these machines?
Why should they? It's the ISPs who make money by providing Internet access. They should be responsible for alerting their customers about compromised machines. Most of them don't because it costs too much money, and there's little liability even if you do absolutely nothing.
On the other hand, customers aren't willing to pay for a notification service, or accept the privacy implications (notifying customers requires a mapping from dynamically assigned IP addresses to customer accounts). What's worse, a large percentage of them will just switch to another ISP once you restrict their network access because of a compromise.
...that all these botnets themselves seem to compromised that journalists and researchers can so easily get into them. If you're going to compromise other people's computers for whatever nefarious use, do you want your system itself wide open for someone to steal away from you or document your doings for law enforcement? The best back doors and holes are ones that no one sees until you're using them and it is too late.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
No sane person should connect a critical piece of computer infrastructure ... to the internet.
ROTFL...
Quickly! Disconnect the backbone from the internet! Unplug the DNS root servers! Take the routers offline! Cut the cables leading into Mae East! The internet is too dangerous!!!
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
But it IS Microsoft's fucking fault! Microsoft has ultimate control over almost every users' system... and almost ever users' system eventually gets compromised.
Microsoft's browser that gives developers every last inch of control over a user's PC is what inevitably led to developers just completely taking over users' PCs. Microsoft insists on certain features in Internet Explorer that make it a pain for even the smartest PC users to control what they see.
Here's some problems with IE:
- no real ability to disable popups (Completely disallowing all forms of popups is more secure and convenient for the USER. Fuck developers.)
- Install on demand (What a fucking trainwreck feature this is. Developer puts the 'yes' button behind the 'close' button nested 8 popups under the first one. User gets frustrated and clicks 7 close buttons and 1 button marked 'fuck me in the ass please')
- Patch-and-fix attitude.. It's somehow not Microsoft's fault if they allow 'get into my PC free' for two months if they eventually release a patch for it?
Here's how you fix Internet Explorer:
- get rid of 'install on demand' (Make it so users have to actively download and install what they want installed. This whole 'make things easier for flash to install itself and bombard you with ads' is stupid.
- SUE MICROSOFT. That's right. Consumer class-action large-scale - the type of lawsuit that puts them in the red for a quarter. How many billions has this cost Joe Consumer?
"Just remember that it is also the responsibility of the computer users to patch their systems in a timely manner as soon as they are available."
What if my computer is already fucked up, assface?
Ya, I'm pissed. I'm not an idiot computer user - I spend 8 hours a day on a computer. Yet, while typing this, I got a goddamn a.tribalfusion.bullshit popunder sitting there on my taskbar... and this is while I'm running a proxy filter, run Spybot, run Ad Aware.. And, if I'm having problems like this, Joe Consumer is getting raped.
Ya, you can call me stupid and say I browse the Internet wrong or whatever shit like that. But, this shit never happened back when Netscape was the dominant browser and it did not allow the developer to ad 'features' that work much like a virus.
These zombie PCs ARE by and large Microsoft's fault. Microsoft needs to implement features with the idea that developers will EXPLOIT at every turn possible for money and they need to focus on the consumer, for once. You can't tell me that Microsot doesn't know that Joe Consumer does not want 8 popups while browsing Slashdot.org.
BTW, if anyone has an easy, one-click fix for all the problems I have browsing (that is made by Microsoft, built-in to Internet Explorer), I will print out this post and EAT IT.
--- We need more Ron Paul!
Perhaps all these Zombie comps should be put to good use. Who cares if people don't want to participate in grid computing ... they can be forced!
My coworker is doing some of his own investigations into this stuff. He hooked up a freshly installed, but unpatched, windows2000 box to the net with a freebsd box in between to monitor traffic. Within minutes it was infected, and we could see IRC traffic: connecting to a hidden channel to await instructions. Not that I'm that outraged that an old unpatched windows 2000 box is vulnerable; it's just amazing how quickly a worm will get you if you are vulnerable! -K
When they're up, they're very entertaining.
An older spammer forum, SpecialHam.com is back up. With banner ads, even. "DarkMailer - not for newbies". "Blackbox Hosting - bulletproof hosting options" "SendSafe - bulk mail has never been this easy". "Bulkhost.com - the leader in bulk-friendly e-mail hosting".
Sites like these are where the hackers and spammers meet, find deals, and scream about being ripped off by each other. The actual deals tend to take place on ICQ.
Comment removed based on user account deletion
Bill Gates is using a robot net in building a spacecraft to return to his solar system.
Help end the use of Sigs. Tomorrow
This is true, but I'd like to go one step even further. Is there software out there to check if your PC has been co-opted, like what honeynet has but for regular users (just an integrity check)? I have a server with a firewall, then a router with a firewall, then ZoneAlarm software firewall on my main home PC. I expect this should be safe, but I know I've gotten spyware and adware on it (from downloaded programs), so even removing that how is one to know if there's an exploit through one of the legitimate I/O routes (web browser, P2P, IM, etc.).
Comment removed based on user account deletion
How long til they start using distributed hijacked PC networks to crack complex codes etc....
And people say that the largest computer cluster in the world runs Linux. Bah!
Of course it runs Windows! Go Microsoft!
*ugh*
"Where are we going?"
"Planet Ten!"
"When?"
"Real soon!"
I'm not good in groups. It's difficult to work in a group when you're omnipotent. - Q
Ah, thank you Steve Gibson from grc.com for that lovely nickname.
[an error occured while processing this directive]
The ISP needs to force the user to at minimum to install a software firewall.
Simpler than that. Just give customers a firewall appliance with their modem, and warnings of the doom that will befall them if they don't hook it up between their modem and PC....
iSKUNK!
The Internet is much too important to be connected to the Internet.
If corporations are people, aren't stockholders guilty of slavery?
My father recieved his first couple of Sparc-based unix boxes about 4 years ago in the wake of the dot-com collapse. For one reason or another, he decided to reinstall (a somewhat old version of) solaris from a disc he got with the system.
A couple of days later, his cable-modem based lan was nigh unusable; lo and behold, the unpatched solaris box was sending out data as fast as it could. Neither of us had the technical expertise to figure out what exactly had happened, but the process that was causing all the trouble was sitting in a dir full of various tools that seemed to be doing some sort of IP range scaning and self propegation.
If there are enough systems out there with a given hole, someone will exploit it, reguardless of OS.
"netstat -a -o" will display all active connections and the processes that own them.
Task Manager will show you the currently running processes. This is of limited usefulness since it doesn't show the path of the executable nor the arguments used to launch it. So SVCHOST.EXE will show up multiple times because it is used to by 2000/XP to run several different services.
"Control Panel > Administration Tools > Computer Management" will run an applet that, among other things, will allow you to see the number of open shares and connections to your computer. There are some other useful things in there.
but I don't pay my ISP to protect me and my privacy. I pay my ISP to provide a pipe, and nothing more
And your ISP pays *its* ISP by the MB. It is therefore in their interest to halt traffic generated by spam-bots and ddos-bots.
I have a bunch of Win XPhome, Pro and W2K boxes @ home, fully patched, personal firewalled, my router screens what it can, in fact it blocks most every port and tosses pings from both sides. There's antispyware and AV scanners running on all desktops. And brute force scans for virus and all other malware kick off weekly. The uplink is cable (shared). Am I contaminated? You betcha. I can run any spyware tool @ random and find something and once a month I trap a virus either in the browser cache or the jpi cache on one or all of these machines.
Shit I forgot why I wrote this - oh yeah. What is the definition of "GOOD"? So while there 1.2 globzigillion zombies out there, what is the likelihood you're actually clean? I'd say damn near zero.
Have your machine intentionally be part of the "zombies", and you get all the goodies, and look like a victim at the same time.
Don't tell my wife or my girlfriend.
I work for a minor dialup in BFE, KY. We used to have large problems with our users getting hacked and zombiefied. But we decided since they weren't going to have a local firewall then we'd run one for them. Generally speaking Joe User doesn't need an internal SMTP server, http server, and so on. So we've got it set up now where they can connect to http, ftp, send their emails, send their IMs, play their games, and even use BT. But, alot of things that they'll never noticed are disabled for their own good. We'll occasionally have someone call about something not working and we'll then add in a rule to punch a hole for them. But I think that has been one person in the past year so far.
I'm surprised more ISPs don't do this as we used to be overloading our pipe due to the bots but now we're using half of our pipe durring peak times.
I could see this as a potential issue for some broadband ISPs but the saved money in bandwidth is much higher than the cost of manpower
....a group of super smart nersd somehow figures out how to do the same thing to these millions of PCs, but in reverse. Somehow create a worm that turns on the XP firewall, installs MS Anti-Spy and SpyBot and whatever else is needed. Isn't this easy to do (for the geek crowd)? Every new client I get (I'm a home computer tech) is infected with massive amounts of spyware. They have NO idea. My last two clients had more than 10,000 files and programs that were deemed spyware (not including cookies). It took forever to clean these machines, esp with those damn trojans not wanting to leave. I've got years of experience so I know what to do. But 99.999% of Windoze users doesn't have the damndest clue. My clients can't even set up their own DSL connections. how are they going to prevent their computers from being turned into zombies? Hell, they don't even know what that means.
It's up to the benevolent hackers or MS. My $$ is on the geeks outside of Redmond.
Bad PR but who the fuck cares.
tihihi I said boxen.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
why dont governments form a unit to identify and at least notifiy the owners of these machines?
To paraphrase the late great Jerry Orbach playing Lenny Briscoe, "Sure, let's get the government involved. That'll solve everything."
And as far as the ISPs go, I've worked for ISPs that wouldn't even cut someone off for non-payment for fear of their subscriber numbers going down. Do you really think they have the manpower, resources, or interest in doing anything about this until they're forced to by business pressures? (eg, never.)
The only way to fix this problem is user education. And because most users refuse to be educated, or accept any form of responsibility for their own machines, I don't see this problem getting fixed. Ever.
Never underestimate the power of stupid people in large groups.
Remember, Linux is is the Insecure OS, not WIndows! http://linux.slashdot.org/article.pl?sid=05/03/16/ 1517207&tid=163&tid=1&tid=218
"If Joe User were required to start by using Linux or BSD, it would set computing back 10 years."
To a time before rampant SpambotNets and the DMCA. Sign me up! :-)
What? What?! NOW it's the ISP's responsibility?? Consistenty, Slashdot. Please. ISPs provide a connection to the Internet. It's the USER's responsibility to decide what they do with that connection. And it's the GOVERNMENT's (read: society's) responsibility to find and prosecute the sons of bitches who willfully and with malice inject our machines full of their garbage--be it bots, spyware, or spam. Casting [any] blame on the ISPs is akin to blaming P2P companies for copyright infringement or blaming Smith and Wesson for drive-by shootings. I could go on for hours, but I feel like I've made my point.
So how many of these are being used for P2P serving?
"But Judge, I wasn't me that was sharing those files "
Before you laugh, I had a Linux 'router' broken into about 8 years ago. I of course caught it in nightly auditing, but it happened.
Turned my machine into a porn ftp server and a bridge to break into the next person.. If I hadn't been auditing, might have been months before discovery..
---- Booth was a patriot ----
I've had machines show up in my shop along with notes from Road Runner stating that they can't regain their service until they show proof the machine was repaired properly. These machines have always been so bad off, they were unusable, yet they were kept online constantly, to display popups and act as zombies.
One case it was actaully not the customers machines, but his neighbor who was taking a free ride on their wide open wireless network. Turning on WEP immediatly fixed the problem. The customer couldn't figure it out, because they were a household of Macs, and were sure they couldn't get hijacked like that. They never even thought of the wide open network.
rm -rf
Apparently they were using SUSE 8 Pro and Solaris 8 as the Honypots. My issue with the BBC article is that although (as can be seen from the Honeypot site) 90% of the attacks were aimed at, or originated from a Windows machine, the offending OS is mentioned only once.
They (the BBC) should spell it out, so that the general public actually gets notified officially, and thus make it a well known issue amongs non-IT literate people.
That is a connection between your system and the box on the rogers network, but I can't tell you which side opened the connection.
The last number is the process ID on your computer that holds the socket. Go to the task manager (right click on task bar or ctrl+alt+del) and select the Processes tab. If the PID column is not visible, select View|Columns and turn on the PID column.
If you don't recognize what you find in the 'Image Name' column, you can usually do a google search and find it.
why dont governments form a unit to identify and at least notifiy the owners of these machines?
I think I would prefer my tax dollars go to the fixing of schools and highways or medical research or even the military before someone gets a government job notifying people that their comptuters are bothering people.
Google for "Process Explorer" - free download, shows all processes and CPU usage (there is also an option to show % fractions of CPU usage or context switches for being really precise). Shows processes in a tree also, so you can see what's started what. Also gives ability to pause (a la -SIGSTOP/CONT) processes, very handy lil download. Well done the creators.
-2A
The revolution will not be televised... but it will have a page on Wikipedia
This *was* a few years ago, and crackers have gotten more sophisticated, and DSL and cable modem proliferation means there are lots more fast net connections for them to work with. At the time, Win95 was obsolete, RedHat was doing 7.x versions, and Staecheldraht attacks seemed to mostly come from universities (including Washington University, whose wu-ftpd was one of the main holes exploited by crackers, and a machine that looked like it was from MIT but was actually from somebody in Japan with a byte-order problem.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks