CA Warns Of Massive Botnet Attack
m4dm4n wrote to mention a story running on The Register which describes a coordinated malware attack designed to establish a massive botnet. From the article: "The attack involves three different Trojans - Glieder, Fantibag and Mitglieder - in a co-ordinated assault designed to establish a huge botnet under the control of hackers. Computer Associates reckons that access to the compromised PCs is for sale on a black market, at prices as low as five cents per PC."
It's cool in a way: very William Gibson-esque or something. A new battlefront. I've moved my servers to OpenBSD due to their incredible security record, and I'm going to be moving my desktops/laptops to Mac/Linux soon. I don't want to be part of the problem.
Helping with organizational effectiveness is our job.
We have two people, both scumbags that the authorities would like to catch, who most likely would prefer to never meet or know each other's names. Neither one is trustworthy (even with nasal mist).
They can't meet because they are likely in widely separated areas.
They can't use an electronic transfer because it leaves a paper trail.
How do they move the money around?
I used to have a cool sig, back when I cared
Just come to Zion LAN and you can have people for your network games of Quake and Unreal ;)
<shameless plug> Largest LAN WI or IL have ever seen, all for charity, a ton of great prizes (graphics cards for UT2k4), blah blah blah... google it
:P </shameless plug>
There are a lot of places, principally former Soviet republics and China, where The Law has different priorities. The people selling these "services" probably reside in one of those countries, and the people buying may be equally outside the grasp of US law enforcement. I used to work for Seth Warshavsky; he used to sell his snake oil out of a glass tower in Seattle. Now he lives in Thailand. Just try to arrest him: the Feds have been trying for the last 5 years or so, we'll see.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
This is really starting to smack of organized crime. A friend of mine forwarded an article to me on this last night.
If you are an end user who just wants to use your computer, it may be time to look at getting a Mac. The bar for information security in the face of this level of organization is getting too tall for your average end user.
If you are in an enterprise situation and have a usage policy that allows users to use corporate equipment for personal banking on breaks, you may want to reconsider that policy.
Oftentimes, computer usage is negotiated by labor unions and you cannot simply change computer use policy out from underneath users. In this case, I wonder what the legal responsibilities of the company are to exercise due diligence in protecting its end users?
If you haven't already done so, it's time for a lesson in defense in depth. That means IDS, IPS, firewalls, antivirus, spam blockers, AV web proxies, etc. And because perimeter defense is all but a quaint memory in today's more aggressive world, you may want to look at host-based firewalls and other anti-worm systems.
Good luck. We all need it.
-Peter
They weaseled my wife's login, and loaded it onto her PC. I found out why the other day, because they were having trouble installing the "upgrade".
Trouble was, my wife's login no longer has "Administrator Access". So I elevated the privs, did the upgrade, and downgraded the privs.
Gunbound don't run.
So I uninstall, and try to delete the program folder, and get Access Denied.
Long story short, even after uninstall, Gunbound left a process running on the computer. This reeks of backdoor/trojan.
I look at their site/game and it is very sophisticated. Lots of great programming! How do they pay for all of this? There is no charge to play, and no advertisements.
My guess is....
Computer for Sale!
And of course a flood of spam will follow this like night follows day. This has been going on for some time; LURHQ wrote up some good articles about the virus/spam connection: Sobig.a and the Spam You Received Today, Sobig.e - Evolution of the Worm, and Sobig.f Examined.
Brent J. Nordquist N0BJN
I would suggest using user levels.
Regular customers would get level 1 or level 0. (Web and mail access, no incoming ports, etc.)
Then it would be a customer's decision to apply for a higher level. Maybe pass a test, portscan, etc. Sign something that gives them responsibility for the services running on their box.
They could even make higher levels cheaper, as an incentive for customers to educate themselves. Like level 4s get 15% off their monthly bill.
I like the policy of my current ISP Andrews & Arnold (UK).
You have full access, with real IPs for all your machines, and no restrictions on running servers.
If they get any abuse reports you have 3 strikes - first and second report they'll e-mail you. Third report they'll kill your connection, and call you up to let you know what happened.
It's then up to you to fix the problem before they reconnect you.
Yes, you can secure a windows box.
But, does every end user need to be a damned security expert? Sorry, but the average Joe shouldn't have to know what the hell a host based firewall is, much less if it's a good one.
Sorry, cowboy, if you are looking for easy (Gentoo doesn't cut it) and reasonably secure, the Mac is a pretty good option.
Now, if you notice, the second part of my post dealt directly with defense in depth for enterprises that pay for real, professional security experts to mitigate the risks of running Windows. Windows can be managed, but it's expensive and requires more due diligence than some other platforms that ship with a better default security posture.
Congrats on the purchase of your Venetian AMD64. When *you* get off your duff and provide support to *my* extended family's fleet of PCs at slash-rate prices, I'll list you as an alternative to buying an Apple.
Cheers!
-Peter
I'm a pretty good programmer. I program for a living, as well as being a hobby programmer.
I feel I have a very good understanding of how Windows and Linux work.
Yet, I have this uneasy feeling that my computer could be infected without me knowing it.
I'm a good enough programmer that I know I could program up a worm that someone like me couldn't easily detect.
How do I know that no one already did that?
Maybe I'm just paranoid.
Where can I buy tickets to view the fireworks? I'm gonna get some beers and stake out at my local backbone uplink =^D
Sad but true is that this precisely gives governments the idea that they should limit and control international traffic. Freedom? Not for long...
These PCs should be disconnected immediately by ISPs, non-complying ISPs should be blocked from major backbones.
The feasibility of building and maintaining such a list is debatable, but for most situations and kinds of malware behaviour that seem common (to me), I can think of solutions (a simple one being to buy the mentioned list on the black market...). In practice, it should not be much harder than maintaining a list of open (mail) relays, although more cooperation from ISPs (e.g. for snooping/logging malware traffic) is needed.
As a long-term solution, legislation should require ISPs to disconnect such problematic PCs immediately or be fined if damage is caused by them.
"I love my job, but I hate talking to people like you" (Freddie Mercury)
There's a money trail in normal, non-Internet organized crime, too, but even crime families in the U.S. have often taken years of inside work by informants and FBI agents to crack. Now we're talking about crime rings in Eastern Europe and Russia, where law enforcement is even less efficient at bringing down this sort of organization.
Because, of course, the person selling this will give you the IP addresses and information about what hack they used to infect the machines. "Here's the keys, kids. Have a nice time!"
Or, more likely, they'll act as a middleman. You give them the target, they'll handle getting the zombies to attack it for you. Or, if you want code run, they'll make sure to check it out first. Y'know, so they'll know that they still HAVE their zombies later to sell to someone else. Business models and such...
I wouldn't call it white hat, no. On the other hand, perhaps we shouldn't be so sympathetic to people who allow their computers to become platforms for attacking others. At the least, organizations with lots of machines that can do lots of damage ought to be held liable for the results. Maybe they'd welcome a bunch of wiped hard drives in place of a multi-million dollar lawsuit.