Over a Million Zombie PCs

Doyle writes "A BBC article discusses new research revealing that over 1 million computers have been compromised and are being used in bot nets. From the article: 'The largest network spied on by the team was made up of 50,000 hijacked home computers.'"

Where have I heard this before?

[maotx]

Maybe I should have sent THIS in afterall...

Anyone know...

[gowen]

... the breakdown of that million by operating system?

You never know, it might be a nice bit of PR for some Apple/Linux/BSD organisation to casually slip into a Press Release.

Re:Anyone know...

Joe User will expect it to work just like Windows

There are blue screen screen savers available that show fake error messages randomly for Linux. "Joe User" should feel right at home.

Re:Anyone know...

[dtfinch]

If Joe User started on Linux, or *BSD, then trying to use Windows would require taking time to learn.

You can tell that Windows is meant to be used as a tool and not just for hobby because in Office and the Explorer search pane they have dozens of these little characters that'll dance and do tricks and stuff without really helping you out in the process. And a bunch of the window actions can be animated to slow them down a bit. You've got connection limits and such to ensure that you only use your desktop for desktop stuff. Network authentication restrictions ensure that your intranet design fits a standard, well supported model, and that the right edition gets used for the right job. And the whole thing is pretty awesome for running games.

Linux must certainly be meant just for hobby because it comes with thousands of these little tools that just do their jobs without much in the way of glitter and animation to impress the user, or even a requirement that a user must be directly interacting with them.

Re:Anyone know...

[Foolhardy]

Am I alone in wondering whether this truth extends to running Windows Limited Accounts, instead of Administrator logins?

I'm sure it does extend to that. Users aren't used to dealing with computer security, on any operating system. It wasn't so important to a home user before the Internet, and it was impossible on 9x. Now they're using a different OS and are connected to a malicious network, but don't want to learn to adapt.

As for resources, ask Google.
noadmin.editme.com has a wiki about it, and also see Aaron Margosis' WebLog, aka the The Non-Admin blog, made by a Microsoft employee.
Windows NT Security in Theory and Practice, a long-running set of MSDN articles about NT security is also interesting, espescially to developers.
Also useful are FileMon and RegMon from SysInternals, to see what files/reg keys an app is hung up on trying to get unreasonable access to. (Remember that security is checked only on open/create, so set the filter to show opens only)

Still, there is too little information about running stuff as non-admin. Part of the problem is that making a program run as non-admin when it wasn't designed for that, usually isn't easy.

Re:Anyone know...

[Grishnakh]

The only way to get a blue screen in them is to have a bad driver that will affect the system at the kernel level.

Even if this is true, you're seriously downplaying this problem. With Windows, in order to use your computer at all, you're probably going to have to install vendor-written drivers for something, because there are no community-maintained drivers as there are for OSS OSes. MS does include some basic drivers for very common hardware, but almost any computer will have at least something that will require a vendor driver. History has shown us that these vendor-written drivers have a very poor record, and are known to cause a lot of problems on Windows systems.

This alone is a good reason to avoid Windows. What good is it as an OS if you can't add various hardware (scanners, cameras, wireless ethernet, etc.) without expecting it to suddenly become unstable?

It doesn't matter how great Ford engines are if they keep sticking tread-separating Firestone tires on their vehicles.

Must Be M$ Boxes Right ??

Aren't zombies constantly searching for "brains" ?

Re:Must Be M$ Boxes Right ??

[Sj0]

He wasn't making an arguement. He was making a joke. This is critical to understand, because an arguement is a very particular subset of conversation, usually designed to be pursuasive in nature. As a result of this, it's structure and the terminology defined with such an element is different than the terminology defined for other conversational constructe, such as jokes.

Re:Must Be M$ Boxes Right ??

[Stormwatch]

A huge difference: every major OS X update - believe it or not - IMPROVES performance on the same hardware, despite all the new features.

That's still low...

[BeneathTheVeil]

compared to the millions of zombies in front of PCs.

Come to think of it, the two just may be related. :P

Why arent governments proacting agaisnt these nets

[panxerox]

If 1,000,000 computers can be identified as being zombie machines than 1,000,000 computer owners can be contacted. This is THE major problem afflicting the internet, why dont governments form a unit to identify and at least notifiy the owners of these machines? Will it take a major internet terrorist attack like bringing down a power grid to make governments act?. As net users we should advocate government involvment in a measured controlled way rather than the reaction that will come after an attack (patriot act?)

Not surprising

[dmf415]

At my university, we have to run snort at the head end of the network in order to control the havoc these compromised machines create. We also monitor the number of simultaneous connections each machine creates and block the ones at the very top.

Re:Not surprising

[gordyf]

Do you find that blocking machines with lots of simultaneous connections causes problems with bittorrent clients? (Or is that an intended side effect? :) )

Re:Not surprising

[dmf415]

Do you find that blocking machines with lots of simultaneous connections causes problems with bittorrent clients? (Or is that an intended side effect? :) )

No, I think most legitimate traffic is under 5000 simultaneous connections =). When we see a machine with 10,000 , 20,000 , 30,000 (which has been detected). We know there's a problem =)

bah

[ltwally]

bah, i run unsecured windows xp and i'm saf..FJEIOJFJIJS

*Connection Terminated Unexpectedly*

Imagine...

[RedMage]

... a Beowulf Cluster of... oh wait...

(Hmm, can zombies be clustered? We all know from Night of the Living Dead that they DO cluster. Quite well, in fact...)

Back when Windows was just a hole in the wall

[Kimos]

Remmeber when viruses would just "format C:"? When you were infected, you knew it cause your HD was blank. Now the average user can't tell when they have a problem or not...

Re:Why arent governments proacting agaisnt these n

[maotx]

and at least notifiy the owners of these machines?

Something like that already exists.
Feel free to contact any of the infected and cross them out.

well at least we're smarter than that [SPAM]

[peculiarmethod]

I know one thing: There's no way in hell they're ever gonna get passed my *ENLARGE YOUR PENIS* super leet windows 2003 install modded to look like xp *HELP RETRIEVE MY MILLIONS*. I even use IE7 beta, but I'm not scared cause I run McAfee *BUY SLIGHTLY USED PORN AT ROCK BOTTOM PRICES* firewall to protect my cable modem network. Let's see 'em try to get into THIS network! HA!

Why not ISPs

[winkydink]

Better yet, why don't ISPs disconnect them until they can demonstrate they've been cleaned up?

Re:Why not ISPs

[ArsonSmith]

Yea, they had the ability to disconnect me until I cleaned up some p2p software I had running. I'd say this is much more important than a few TV episodes.

Re:Why not ISPs

[eaolson]

Better yet, why don't ISPs disconnect them until they can demonstrate they've been cleaned up?

Because it is not in the ISP's best (i.e. financial) interests to do so. Finding these machines, teaching users how to clean them up, and then reactivating their access would require a great deal of manpower and money. Since not doing it is consequence-free, there is no incentive to do it. It's like dealing with hazardous waste; it's difficult and expensive. Without some outside force compelling companies to dispose of it appropriately, they would deal with it the cheapest and easiest way possible. That is, dumping it on the rest of us, like these ISPs do.

Re:Why not ISPs

[FriedTurkey]

Actually they do. My parents computer got disconnected from Roadrunner for being a spam bot. Spending next weekend cleaning it up. Argh.

Re:Why not ISPs

[BitwiseX]

They won't clean up, they will go to an ISP that doesn't care. I run a small ISP, I've called customers and informed them of these issues... nothing happens... threaten to cut them off... nothing happens... cut them off... they call angry say "Fine! Don't bother!" and a customer is lost. A customer lost, is a customer lost. Police != Profit unfortunately, and it's a fine line to walk.

Re:Why not ISPs

[destiny71]

Believe me, this is not the answer.

I work for my ISP as helpdesk/tech support. I get calls all the time, 'Yeah, I got this pop-up from Norton says that Internet Explorer is trying to access the internet, what should I do?'

If these PCs became zombies, than the users that operate them would have no clue how to operate a software firewall. Instead, they need AV software, and some computer training, and possibly a hardware firewall.

Easiest to implement would be a DSL/Cable modem and firewall combo that the ISP setup and configures. They can leave the documentation for the end user to configure ports and such if they can figure it out on their own, otherwise, it's full on blocking all incoming ports.

I'm all for the computer equivilent of a drivers license before they are allowed to hook up their PC to the internet.

Re:Why not ISPs

[budgenator]

I'd just like to know why taskmanager says CPU utilization is over 50%, the hard disk is thrashing, and the network light is on constantly, but task manger only list 3 processes using 2%? Nothing shows up on virus scans, nothing shows up on spyware scans and half the time it quits as soon as I open taskmanager.
At least in linux TOP shows you what process is sucking up the cycles, giving you a fighting chance. I'm not completely clueless, I've used windows since 3.11, cut my teeth on basic and dos batch scripts, installed Linux on a machine before win95 was released and still I know the wife's WinXP machine that's fully patched hardware and software firewalled is owned and can't find out how; what's Joe average going to do?

Re:Why not ISPs

[swv3752]

So the answer is to start suing the ISPs and the customers. If it is more profitable to just sit back and do nothing, then we need to take away that profit incentive.

Re:Why not ISPs

[Just+Some+Guy]

Because it is not in the ISP's best (i.e. financial) interests to do so. Finding these machines, teaching users how to clean them up, and then reactivating their access would require a great deal of manpower and money. Since not doing it is consequence-free, there is no incentive to do it.

I don't think it's that bad:

1. Draft a standard letter / web page explaining why you're disconnecting a customer and how they can get re-connected.
2. Port scan.
3. Disconnect.
4. Get kickbacks from local computer repair shop.
5. Profit!

which beats the heck out of

1. Ignore the situation.
2. Pay $BIGNUM for the bandwidth you're using to broadcast your customers' computers' spam.
3. Lose legitimate customers who get tired of their outbound mail bouncing because your netblock is listed in every blackhole list on the planet.
4. Loss!

Either way, you will spend some money on the problem, either by proactively fixing it or by paying to repair the damages. Your call.

Re:Why not ISPs

[Grishnakh]

I agree, especially about suing the customers. If they can sue customers for using P2P applications, they can certainly sue customers for running malicious programs on their computers, knowingly (they've been informed), and performing illegal actions with them.

Harsh times call for harsh measures.

Re:Why not ISPs

[tritonic]

I'd just like to know why taskmanager says CPU utilization is over 50%, the hard disk is thrashing, and the network light is on constantly, but task manger only list 3 processes using 2%?

I actually noticed this about half an hour ago on my windows 2000 machine. I disabled automatic update - problem solved! I don't know why the CPU usage wouldn't show up in task manager, though. Windows grr...

Re:Why arent governments proacting agaisnt these n

[flumps]

From honeypot FAQ:

8. Do you prosecute the people that compromise systems within the Honeynet? No. The prime directive of the Honeynet Project is research and to share those lessons learn. It is not our goal to catch and prosecure blackhats. We do forward information about compromised systems to CERT so CERT can notify admins of compromised systems. We limit our contact with authorities only when the Project feels there is a critical need. If we were to become involved in a major legal case everytime a system was compromised, we would not have time for research, let alone our real jobs.

read more about honeypot here. It seems they probably could, but are not going to.

Re:Why arent governments proacting agaisnt these n

[MatthewNewberg]

Governments?, What about ISPs? They are the ones having to pay for the added bandwitdh on both sides. I'm surprised most ISPs dont run IDS that can detect Zoombie Networks and automatically send emails to its infected customers. This will not only pay for itself by reducing bandwidth, but also make the customers more happy.

fix them

[roman_mir]

Now that the machines are known, their IPs are compiled into a list, what stops a good samaritan from setting up a script to patch them up?

It is probably quite complicated, technically speaking, because these machines now have to be scanned for every possible trojan, logger, virus in existance, but it's not impossible. Can an antivirus company, say, get a grant from a government to run a job like that?

Bullshit

[LiquidCoooled]

One machine can be infected by multiple trojans.
One machine can reconnect to the same botnet multiple times as the person reboots to try and clear the problem.
One machine gets multiple IP addresses every time her reboots.

I was wondering...

[justforaday]

This explains why my startup sound suddenly changed into a groaning voice saying "Braiinnnnnssss..."

not entirely user behavior...

[grassy_knoll]

from TFA:

Getting the machines hijacked was worryingly easy. The longest time a Honeynet machine survived without being found by an automatic attack tool was only a few minutes. The shortest compromise time was only a few seconds.

It's sad, but it seems the only way to mitigate this is to hold the OS vendor responisble for insecure code. Similar to cars, we hold the driver responsible if they ( say ) drive drunk, but the manufactorer responsible if while driving the wheels come off.

Re:Hope

[jayhawk88]

Well this is 1 million zombie-infected PC's, which are infected with specific types of trojans and such and presumably are actively being used in bot-nets.

I imagine there are quite a few more machines that are zombie infected that were not detected for whatever reason (turned off, firewalls, etc), plus all the millions of more machines that are "just" infected with viruses, spyware, or trojans that do not produce bot-net like activity.

What role for ISPs

[Albanach]

There has to be a role here for ISPs. Often these machines are either spitting out spam or worms, yet abuse reports to ISPs can take days or weeks to receive any attention.

Home PC users do not need to generate traffic on port 25 that's going anywhere other than their ISP's mailserver. ISP mailservers should use SMTP authentication. Of course these simple measures would mean support calls from users who need to reconfigure Outlook, and support calls cost money, so it'll never happen.

Nonetheless, these companies are proffiting while user machines get hijacked. Someone needs to make a little bit of effort, 'cause for now spreading these nets wider is way too easy.

Ethics be damned...

[chill]

Time for someone to write a worm that forces an update from Windows Update; downloads a copy of SpyBot Search & Destroy, runs it and then turns on the firewall.

-Charles

Next Step: Take them over.

[bigtallmofo]

I think the only plausible defense against a botnet of such a size is to use the botnet against itself. Allow one of your systems to be infected with the botnet - effectively join their network. Then sniff the network traffic to find out what IRC server and channel to join and any security codes that are necessary to control the botnet. Then upload a "virus" into the botnet that will patch the infected system and remove the botnet binaries. No more botnet.

The only thing that makes me think it might not work is that it's similar to the stereotypical way of ridding the world of aliens in almost every sci-fi movie. Come to think of it, I might have gotten this idea from Independence Day.

... and they affect Linux too

[poopie]

My home machine's webserver gets regularly punished by bots that are sending buffer overflow URLs. I only have port 80 open, too. I use my home machine for mythtv, and I certainly notice when the bots start attacking me.

It's really annoying. I've thought about what I can do to shut down bots that are annoying me with excess traffic...

Does anyone have some good suggestions for keeping zombie PC traffic off of linux webservers either via firewall rules, apache config files, or ?

Perhaps a more interesting question is... if your machines is being attacked by a zombie PC, is it okay to attack it back (and try to take it offline?) - Isn't this sort of like 'self defense'?

Re:... and they affect Linux too

[alyandon]

I have a cron entry that runs a script to examine /var/log/http/access_log for any obviously abusive requests (requests that contain 0x90x90x90x90x90x90, system32, cmd.exe, etc) and adds the offending ip address to the firewall list. I do something similar for my ftpd and sshd services as well.

So basically my machine becomes invisible to the attacker and their ip address stays shitcanned forever.

Part of the team

[dfj225]

I'm glad to be just part of the team!

<-[XP]-86840>: This message brought to you by Backdoor.Win32.Rbot.gen

Does anyone know if...

[bluprint]

bots that infect computers ever conflict with each other. Like Bot1 takes over a PC, then Bot2 comes along, and maybe they fight over that PC or its resources?

Re:Before Everybody Blames Microsoft

[bob670]

"If Linux had the the type of marketshare like Microsoft, there would still be plenty of zombie PCs to go around with unpatched systems."

Thank you, I could not have said it better myself. I use Linux everyday, and in all honesty I patch my Linux box more than I patch my Windows XP box. Sure, the Linux box is frequently getting simple app upgrades/patches, but there are a good number of security fixes in those patches as well. An admin I work with left his Red Hat box unpatched and for a year and it got nailed twice, just do the math. Linux might be more secure, but it is only as secure as the person who administrates the box.

Re:Why arent governments proacting agaisnt these n

[Brad1138]

I get nice little pop ups telling me my computer may be already infected all the time, don't you?

I find it interesting...

[suitepotato]

...that all these botnets themselves seem to compromised that journalists and researchers can so easily get into them. If you're going to compromise other people's computers for whatever nefarious use, do you want your system itself wide open for someone to steal away from you or document your doings for law enforcement? The best back doors and holes are ones that no one sees until you're using them and it is too late.

Re:Why arent governments proacting agaisnt these n

[Kaa]

No sane person should connect a critical piece of computer infrastructure ... to the internet.

ROTFL...

Quickly! Disconnect the backbone from the internet! Unplug the DNS root servers! Take the routers offline! Cut the cables leading into Mae East! The internet is too dangerous!!!

Re:Before Everybody Blames Microsoft

[brxndxn]

But it IS Microsoft's fucking fault! Microsoft has ultimate control over almost every users' system... and almost ever users' system eventually gets compromised.

Microsoft's browser that gives developers every last inch of control over a user's PC is what inevitably led to developers just completely taking over users' PCs. Microsoft insists on certain features in Internet Explorer that make it a pain for even the smartest PC users to control what they see.

Here's some problems with IE:
- no real ability to disable popups (Completely disallowing all forms of popups is more secure and convenient for the USER. Fuck developers.)
- Install on demand (What a fucking trainwreck feature this is. Developer puts the 'yes' button behind the 'close' button nested 8 popups under the first one. User gets frustrated and clicks 7 close buttons and 1 button marked 'fuck me in the ass please')
- Patch-and-fix attitude.. It's somehow not Microsoft's fault if they allow 'get into my PC free' for two months if they eventually release a patch for it?

Here's how you fix Internet Explorer:

- get rid of 'install on demand' (Make it so users have to actively download and install what they want installed. This whole 'make things easier for flash to install itself and bombard you with ads' is stupid.
- SUE MICROSOFT. That's right. Consumer class-action large-scale - the type of lawsuit that puts them in the red for a quarter. How many billions has this cost Joe Consumer?

"Just remember that it is also the responsibility of the computer users to patch their systems in a timely manner as soon as they are available."

What if my computer is already fucked up, assface?

Ya, I'm pissed. I'm not an idiot computer user - I spend 8 hours a day on a computer. Yet, while typing this, I got a goddamn a.tribalfusion.bullshit popunder sitting there on my taskbar... and this is while I'm running a proxy filter, run Spybot, run Ad Aware.. And, if I'm having problems like this, Joe Consumer is getting raped.

Ya, you can call me stupid and say I browse the Internet wrong or whatever shit like that. But, this shit never happened back when Netscape was the dominant browser and it did not allow the developer to ad 'features' that work much like a virus.

These zombie PCs ARE by and large Microsoft's fault. Microsoft needs to implement features with the idea that developers will EXPLOIT at every turn possible for money and they need to focus on the consumer, for once. You can't tell me that Microsot doesn't know that Joe Consumer does not want 8 popups while browsing Slashdot.org.

BTW, if anyone has an easy, one-click fix for all the problems I have browsing (that is made by Microsoft, built-in to Internet Explorer), I will print out this post and EAT IT.

Zombie.SETI@home

[mykroft42]

Perhaps all these Zombie comps should be put to good use. Who cares if people don't want to participate in grid computing ... they can be forced!

windows 2000 box: a zombie in ~ 5 minutes

[hurricaen]

My coworker is doing some of his own investigations into this stuff. He hooked up a freshly installed, but unpatched, windows2000 box to the net with a freebsd box in between to monitor traffic. Within minutes it was infected, and we could see IRC traffic: connecting to a hidden channel to await instructions. Not that I'm that outraged that an old unpatched windows 2000 box is vulnerable; it's just amazing how quickly a worm will get you if you are vulnerable! -K

Rent zombies online!

[Animats]

They're down today, but SpamForum.biz carries ads for zombies, open proxies, botnets, etc. Numbers available range from 1000 to 50,000.

When they're up, they're very entertaining.

An older spammer forum, SpecialHam.com is back up. With banner ads, even. "DarkMailer - not for newbies". "Blackbox Hosting - bulletproof hosting options" "SendSafe - bulk mail has never been this easy". "Bulkhost.com - the leader in bulk-friendly e-mail hosting".

Sites like these are where the hackers and spammers meet, find deals, and scream about being ripped off by each other. The actual deals tend to take place on ICQ.

Cluster

[EduardoFonseca]

And people say that the largest computer cluster in the world runs Linux. Bah!

Of course it runs Windows! Go Microsoft!

*ugh*

Obligatory Buckaroo Banzai:

[SmokeHalo]

"Where are we going?"
"Planet Ten!"
"When?"
"Real soon!"

A fresh install solaris is just as vulnerable

[merreborn]

My father recieved his first couple of Sparc-based unix boxes about 4 years ago in the wake of the dot-com collapse. For one reason or another, he decided to reinstall (a somewhat old version of) solaris from a disc he got with the system.

A couple of days later, his cable-modem based lan was nigh unusable; lo and behold, the unpatched solaris box was sending out data as fast as it could. Neither of us had the technical expertise to figure out what exactly had happened, but the process that was causing all the trouble was sitting in a dir full of various tools that seemed to be doing some sort of IP range scaning and self propegation.

If there are enough systems out there with a given hole, someone will exploit it, reguardless of OS.

Re:What can I use to detect a hijacked computer?

[Foolomon]

"netstat -a -o" will display all active connections and the processes that own them.

Task Manager will show you the currently running processes. This is of limited usefulness since it doesn't show the path of the executable nor the arguments used to launch it. So SVCHOST.EXE will show up multiple times because it is used to by 2000/XP to run several different services.

"Control Panel > Administration Tools > Computer Management" will run an applet that, among other things, will allow you to see the number of open shares and connections to your computer. There are some other useful things in there.

What is the control group?

[gelfling]

I have a bunch of Win XPhome, Pro and W2K boxes @ home, fully patched, personal firewalled, my router screens what it can, in fact it blocks most every port and tosses pings from both sides. There's antispyware and AV scanners running on all desktops. And brute force scans for virus and all other malware kick off weekly. The uplink is cable (shared). Am I contaminated? You betcha. I can run any spyware tool @ random and find something and once a month I trap a virus either in the browser cache or the jpi cache on one or all of these machines.

Shit I forgot why I wrote this - oh yeah. What is the definition of "GOOD"? So while there 1.2 globzigillion zombies out there, what is the likelihood you're actually clean? I'd say damn near zero.

Re:What is the control group?

[WalterGR]

I can run any spyware tool @ random and find something and once a month I trap a virus either in the browser cache or the jpi cache on one or all of these machines.

I wasn't looking over your shoulder when you performed this scan, so I don't know precisely what you saw, but finding things in the browser cache is not cause for alarm. For example, if I were to rename some virus-laden executable to have the JPEG extension, reference it in an img tag in an HTML file, and pop it on a website, all browsers would download the file - they don't know any better. It's not like they're then going to say, "Oh look, it's an executable! I better run it now." (At least, one would hope... :)

Just because you find something in your browser cache doesn't mean you're infected.

You've just described ...

[tomhudson]

I think the whole idea is extremely intriguing. Once you have a system set up like that, capable of accepting commands.. you can do whatever you want without ever having a trail come back to you. Having a machine tell another machine tell another machine what to do.

... the next version of p2p software that the **AA will have one hell of a time trying to combat.

Have your machine intentionally be part of the "zombies", and you get all the goodies, and look like a victim at the same time.

Why don't ISPs use Firewalls?

[guru42101]

I work for a minor dialup in BFE, KY. We used to have large problems with our users getting hacked and zombiefied. But we decided since they weren't going to have a local firewall then we'd run one for them. Generally speaking Joe User doesn't need an internal SMTP server, http server, and so on. So we've got it set up now where they can connect to http, ftp, send their emails, send their IMs, play their games, and even use BT. But, alot of things that they'll never noticed are disabled for their own good. We'll occasionally have someone call about something not working and we'll then add in a rule to punch a hole for them. But I think that has been one person in the past year so far.

I'm surprised more ISPs don't do this as we used to be overloading our pipe due to the bots but now we're using half of our pipe durring peak times.

I could see this as a potential issue for some broadband ISPs but the saved money in bandwidth is much higher than the cost of manpower

Will never stop unless....

[Electric+Eye]

....a group of super smart nersd somehow figures out how to do the same thing to these millions of PCs, but in reverse. Somehow create a worm that turns on the XP firewall, installs MS Anti-Spy and SpyBot and whatever else is needed. Isn't this easy to do (for the geek crowd)? Every new client I get (I'm a home computer tech) is infected with massive amounts of spyware. They have NO idea. My last two clients had more than 10,000 files and programs that were deemed spyware (not including cookies). It took forever to clean these machines, esp with those damn trojans not wanting to leave. I've got years of experience so I know what to do. But 99.999% of Windoze users doesn't have the damndest clue. My clients can't even set up their own DSL connections. how are they going to prevent their computers from being turned into zombies? Hell, they don't even know what that means.

It's up to the benevolent hackers or MS. My $$ is on the geeks outside of Redmond.

Do NOT clean up Winboxen for free.

[Werrismys]

Do not clean up these boxes. Disconnect them from net and tell the relative in question to either PAY for the cleanup, get someone else to clean it, or get a Mac.

Bad PR but who the fuck cares.

tihihi I said boxen.

Re:Why arent governments proacting agaisnt these n

[BVis]

why dont governments form a unit to identify and at least notifiy the owners of these machines?

To paraphrase the late great Jerry Orbach playing Lenny Briscoe, "Sure, let's get the government involved. That'll solve everything."

And as far as the ISPs go, I've worked for ISPs that wouldn't even cut someone off for non-payment for fear of their subscriber numbers going down. Do you really think they have the manpower, resources, or interest in doing anything about this until they're forced to by business pressures? (eg, never.)

The only way to fix this problem is user education. And because most users refuse to be educated, or accept any form of responsibility for their own machines, I don't see this problem getting fixed. Ever.

10 Year Setback Sounds Great!

[MooseByte]

"If Joe User were required to start by using Linux or BSD, it would set computing back 10 years."

To a time before rampant SpambotNets and the DMCA. Sign me up! :-)

Re:Appliance

[j1m+5n0w]

Simpler than that, put the firewall at the ISP end of the connection so they can't get around it. (But I think users should still have the option of enabling incoming ports if they so choose.)

My local one does sometimes

[dlZ]

I've had machines show up in my shop along with notes from Road Runner stating that they can't regain their service until they show proof the machine was repaired properly. These machines have always been so bad off, they were unusable, yet they were kept online constantly, to display popups and act as zombies.

One case it was actaully not the customers machines, but his neighbor who was taking a free ride on their wide open wireless network. Turning on WEP immediatly fixed the problem. The customer couldn't figure it out, because they were a household of Macs, and were sure they couldn't get hijacked like that. They never even thought of the wide open network.

Honeynet

[smoker2]

From the Honeynet homepage:

More than 90% of these connection attempts were caused by a machine running Windows, whereas only about 3% could be identified as originating from Linux machines.

The first attempt to attack one of the honeypots was noticed about ten minutes after the whole honeynet was attached to the Internet. The system was systematically searched for weaknesses (port scan) and the attacker tried to exploit a known vulnerability in the Internet Information Server (IIS). After this short period of time, an unpatched version of this server would have been compromised.

The ports 445, 135, 137 and 139 - all belonging to Netbios, the protocol favored by the Microsoft Operating System family - see by far the most traffic.

Apparently they were using SUSE 8 Pro and Solaris 8 as the Honypots. My issue with the BBC article is that although (as can be seen from the Honeypot site) 90% of the attacks were aimed at, or originated from a Windows machine, the offending OS is mentioned only once.
They (the BBC) should spell it out, so that the general public actually gets notified officially, and thus make it a well known issue amongs non-IT literate people.

Recommend: Process Explorer

[x2A]

Google for "Process Explorer" - free download, shows all processes and CPU usage (there is also an option to show % fractions of CPU usage or context switches for being really precise). Shows processes in a tree also, so you can see what's started what. Also gives ability to pause (a la -SIGSTOP/CONT) processes, very handy lil download. Well done the creators.

-2A