CA Warns Of Massive Botnet Attack
m4dm4n wrote to mention a story running on The Register which describes a coordinated malware attack designed to establish a massive botnet. From the article: "The attack involves three different Trojans - Glieder, Fantibag and Mitglieder - in a co-ordinated assault designed to establish a huge botnet under the control of hackers. Computer Associates reckons that access to the compromised PCs is for sale on a black market, at prices as low as five cents per PC."
Now witness the power of this fully operational botnet... :/
Welcome to Blackbeard's weapons emporium. You will see we have the finest collection of AK-47s, anti-aircraft missiles, and Airzookas. Oh, and over here we have wholesale zombie PCs.
Cops and robbers, all the time.
And in the meantime, technology gets more sophisticated. Progress either way.
It's cool in a way: very William Gibson-esque or something. A new battlefront. I've moved my servers to OpenBSD due to their incredible security record, and I'm going to be moving my desktops/laptops to Mac/Linux soon. I don't want to be part of the problem.
Helping with organizational effectiveness is our job.
Do I have to buy the whole network at 5 cents a PC? Or can I just buy, say, a dollar's worth? I wouldn't mind having 20 PCs... I can force all those PCs to join my network games of Quake and Unreal... finally I'll have people to play with... gasp... maybe even online 'friends'! Mommy will be so happy... in fact I think I'll go upstairs right now and tell her the good news!
---
Programming is like sex... Make one mistake and support it the rest of your life.
Maybe the SETI program should invest in some of this cheap computing power...
Glieder, Fantibag, Mitglieder?
These guys shouldn't be writing code, they should be writing Harry Potter novels.
access to the compromised PCs is for sale on a black market, at prices as low as five cents per PC.
Heck, that's five cents more per PC than SETI@Home pays me, and they won't eat me when I find them like the aliens will.
We have two people, both scumbags that the authorities would like to catch, who most likely would prefer to never meet or know each other's names. Neither one is trustworthy (even with nasal mist).
They can't meet because they are likely in widely separated areas.
They can't use an electronic transfer because it leaves a paper trail.
How do they move the money around?
I used to have a cool sig, back when I cared
Is 5 cents per PC the regular rate, or just the Memorial Day Weekend Sale price?
Erik
YOU ARE SAYING IMPUDENCE TO ME! THAT IS IMPUDENCE!
1. Get every compromised PCs to join the same botnet.
2. White-hat hack into the botnet.
3. Tell all compromised PCs to wipe their hard drives.
4. No more compromised PCs! Well... not for a while anyway!
... Bringing us this information.
Bah. Big Deal!
If you run Windows, your PC will be owned at some point. (Yes, yes, I know some of you out there are perfect, and have *never* messed up *anything* security-wise.) This happens to me, this happens to less computer-literate people, and this happens to large organizations with IT staffs, like the U of Chicago and Allstate.
The solution is the same as always. Switch OSs.
The hotfix is the same as always. Backup data, use your restore disk. Rinse, lather, repeat.
I don't understand why zombie networks are news. The only way that they should be news is when they are used to DDOS major targets. Then, someone should be held accountable. Software manufacturers? Zombie PC owners? ISPs?
I'm not sure. But just like the guy with the TV that summoned the coast guard (http://www.syncmag.com/article2/0,1759,1781135,00.asp), someone needs to be held accountable, or no-one will fix their behavior.
WhiteWolf666, an ex-Bush supporter. All you new-school, compassionate, save-the-children Republicans can rot in hell.
Does this make anyone else think of the X-Files episode where they created AI by combining 12 different viruses on the net? Scarier still, does this mean that the first AI will appear on Windows!?! And am I just that old of a geek? Oh well, it's Friday, give me a beer.
Give a man a fish and he'll eat for a day. Teach him to fish and he'll wipe out the species.
Most, if not all, ISPs need to lock down the end user's access to ports. Give them the basics ( outgoing 80, 110 and 143 ), but lock everything else down. In this case, I'd say everyone is guilty until proven innocent. Then, when someone calls in, you simply open the port they request.
This is more work for ISP support staff, but it would dramatically reduce network traffic; I bet it'd be an even flush as far as overall cost.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
...at five cents per computer, they do have a lower TCO after all!
Weaselmancer
Ridiculous.
There are a lot of places, principally former Soviet republics and China, where The Law has different priorities. The people who sell these "services" probably reside in one of those countries, and the people buying may be equally outside the grasp of US law enforcement. I used to work for Seth Warshavsky; he used to sell his snake oil out of a glass tower in Seattle. Now he lives in Thailand. Just try to arrest him; the Feds have been trying for the last 5 years or so, we'll see.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glenn Beck
This is really starting to smack of organized crime. A friend of mine forwarded an article to me on this last night.
If you are an end user who just wants to use your computer, it may be time to look at getting a Mac. The bar for information security in the face of this level of organization is getting too tall for your average end user.
If you are in an enterprise situation and have a usage policy that allows users to use corporate equipment for personal banking on breaks, you may want to reconsider that policy.
Oftentimes, computer usage is negotiated by labor unions and you cannot simply change computer use policy out from underneath users. In this case, I wonder what the legal responsibilities of the company are to exercise due diligence in protecting its end users?
If you haven't already done so, it's time for a lesson in defense in depth. That means IDS, IPS, firewalls, antivirus, spam blockers, AV web proxies, etc. And because perimeter defense is all but a quaint memory in today's more aggressive world, you may want to look at host-based firewalls and other anti-worm systems.
Good luck. We all need it.
-Peter
They weaseled my wife's login, and loaded it onto her PC. I found out why the other day, because they were having trouble installing the "upgrade".
Trouble was, my wife's login no longer has "Administrator Access". So I elevated the privs, did the upgrade, and downgraded the privs.
Gunbound doesn't run.
So I uninstall, and try to delete the program folder, and get Access Denied.
Long story short, even after uninstall, Gunbound left a process running on the computer. This reeks of backdoor/trojan.
I look at their site/game and it is very sophisticated. Lots of great programming! How do they pay for all of this? There is no charge to play, and no advertisements.
My guess is....
Computer for Sale!
And of course a flood of spam will follow this like night follows day. This has been going on for some time; LURHQ wrote up some good articles about the virus/spam connection: Sobig.a and the Spam You Received Today, Sobig.e - Evolution of the Worm, and Sobig.f Examined.
Brent J. Nordquist N0BJN
In a recent survey of BotNet administrators, hosts running Microsoft Windows operating systems were found to have at least a 40% less TCO than a comparable Linux offering.
"With volume discounts and integrated tools, we can now offer "managed" remote hosts as low as 5 cents per unit."
one better than mcleodeight
Clearly I was wrong when I reckoned that the word "reckon" was most popularly used in the South.
They have a lower TCP: total cost of pwnz0rship.
You can hold down the "B" button for continuous firing.
As long as they keep getting elected and increasing the amount they take in tax money.
fast as fast can be. you'll never catch me.
And what happens when a free software box is owned? Who gets held responsible then? Red Hat? Linus?
Why doesn't Slashdot ever get slashdotted?
Could this be considered racketeering somehow? Prosecution under RICO would be interesting.
Crazy Cheap Domain Hosting!
So basically you want me to give my ISP a list of ports I may require so they can white list them for my machine?
I'm sure my ISP would love it if I would, say, ask for ports 4662 to 4672 and 6881 to be unlocked.
I wonder what they'd think I was planning with those...and I'm sure the new knoppix iso would not be their theory.
Now, after having eDonkey and BitTorrent work,
I'll only need
5800 for VNC
21 & 22 anybody?
How about this idea: everyone has complete access privileges. The ISP looks for common characteristics of a botnet and common malware. If such is found on the user, the ISP's gateway forces all HTTP connects to a URL that has detailed instructions on how to install Spybot Search & Destroy, Ad-Aware, etc. Kind of like a hotel sends you to a registration page to buy internet access for the day when you connect.
The last step is for the user to either call or through some other mechanism notify the ISP that his machine is (for now) clean. The ISP removes the user from its black list and not only do we now have a patched Windows box, but also one with basic defenses for the future. It'd be kind of like catching the criminal PC, putting it into jail until the software is installed and then releasing it as a rehabilitated system.
"Nimis exaltatus rex sedet in vertice - caveat ruinam!"
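One way to sketch the quarantine gateway described in the post above, as an added example that is not part of the thread: it watches per-customer flow records for bot-like behaviour (a constructed SMTP fan-out threshold and a constructed C&C blocklist stand in for whatever detection rules an ISP would actually run), redirects a flagged customer's HTTP to a hypothetical cleanup page, and releases the customer once they report clean. All addresses come from the RFC 5737 documentation ranges and the flow records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical remediation page the gateway redirects flagged customers to.
REMEDIATION_URL = "http://cleanup.isp.invalid/instructions"

# Constructed heuristics: a home PC opening SMTP sessions to this many distinct
# mail servers inside one observation window looks like a spam relay, and any
# traffic to an address on the ISP's C&C blocklist is treated as malware.
SMTP_FANOUT_LIMIT = 20
CNC_BLOCKLIST = {"203.0.113.7"}   # constructed, RFC 5737 documentation address


@dataclass(frozen=True)
class Flow:
    src: str      # customer address
    dst: str
    dport: int
    proto: str


def bot_indicators(flows):
    """Map each customer address to the list of indicators it tripped."""
    smtp_peers = defaultdict(set)
    cnc_hits = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 25:
            smtp_peers[f.src].add(f.dst)
        if f.dst in CNC_BLOCKLIST:
            cnc_hits[f.src].add(f.dst)
    flagged = defaultdict(list)
    for src, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_LIMIT:
            flagged[src].append(f"smtp_fanout={len(peers)}")
    for src, dsts in cnc_hits.items():
        flagged[src].append("cnc_contact=" + ",".join(sorted(dsts)))
    return dict(flagged)


class Quarantine:
    """Per-customer black list that drives the gateway's HTTP redirect."""

    def __init__(self):
        self.blacklist = {}   # customer address -> indicators seen

    def update(self, flows):
        """Run the heuristics over a batch of flows and extend the black list."""
        for src, reasons in bot_indicators(flows).items():
            self.blacklist.setdefault(src, []).extend(reasons)
        return self.blacklist

    def handle_http(self, src, requested_url):
        """Captive-portal style: flagged customers land on the cleanup page."""
        return REMEDIATION_URL if src in self.blacklist else requested_url

    def user_reports_clean(self, src):
        """The customer called in (or otherwise notified the ISP): release them."""
        return self.blacklist.pop(src, None)


def sample_flows():
    """Constructed flow records: one spam relay, one C&C contact, one normal user."""
    flows = [Flow("192.0.2.10", f"198.51.100.{i}", 25, "tcp") for i in range(1, 26)]
    flows.append(Flow("192.0.2.12", "203.0.113.7", 8080, "tcp"))
    flows += [Flow("192.0.2.11", "198.51.100.1", 80, "tcp"),
              Flow("192.0.2.11", "198.51.100.2", 110, "tcp"),
              Flow("192.0.2.11", "198.51.100.3", 25, "tcp")]   # mail via one relay
    return flows


if __name__ == "__main__":
    q = Quarantine()
    print(q.update(sample_flows()))
    print(q.handle_http("192.0.2.10", "http://example.com/"))
    q.user_reports_clean("192.0.2.10")
    print(q.handle_http("192.0.2.10", "http://example.com/"))
```

The two heuristics are deliberately crude: a single customer sending legitimate mail through their own provider's relay never trips the fan-out rule, but thresholds like these need tuning per network, and a release path that trusts the customer's word (as the post proposes) will readmit machines that were never actually cleaned, so a real deployment would re-run the checks after release.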
OK, these things need to be taken seriously, but any press release needs to be taken with a grain (or bag) of salt. Spyware is the threat flavor of the day, and the specialized programs (Ad-Aware/Spybot/Spy Sweeper/etc.) are better at managing it than traditional A/V is (at least right now). Bots are scary. Need to reformat and reinstall (our instructions to students at this major university). Viruses you can just clean (mostly, but Mytob is throwing a wrench into that clean division). You figure which is scarier.
CA is the only product which detects ALL three of the mentioned viruses as of this posting. Which is not to say that they're making this up, but I'd be more willing to believe it if it came from the Secret Service or CERT.
Yes, you can secure a windows box.
But, does every end user need to be a damned security expert? Sorry, but the average Joe shouldn't have to know what the hell a host based firewall is, much less if it's a good one.
Sorry, cowboy, if you are looking for easy (Gentoo doesn't cut it) and reasonably secure, the Mac is a pretty good option.
Now, if you notice, the second part of my post dealt directly with defense in depth for enterprises that pay for real, professional security experts to mitigate the risks of running Windows. Windows can be managed, but it's expensive and requires more due diligence than some other platforms that ship with a better default security posture.
Congrats on the purchase of your Venitian AMD64. When *you* get off your duff and provide support to *my* extended family's fleet of PCs at slash-rate prices, I'll list you as an alternative to buying an Apple.
Cheers!
-Peter
Where can I buy tickets to view the fireworks? I'm gonna get some beers and stakeout at my local backbone uplink =^D
Sad but true is that this precisely gives governments the idea that they should limit and control international traffic. Freedom? not for long...
These PCs should be disconnected immediately by ISPs, non-complying ISPs should be blocked from major backbones.
The feasibility of building and maintaining such a list is debatable, but for most situations and kinds of malware behaviour that seem common (to me), I can think of solutions (a simple one being to buy the mentioned list on the black market...). In practice, it should not be much harder than maintaining a list of open (mail) relays, although more cooperation from ISPs (e.g. for snooping/logging malware traffic) is needed.
As a long-term solution, legislation should require ISPs to disconnect such problematic PCs immediately or be fined if damage is caused by them.
"I love my job, but I hate talking to people like you" (Freddie Mercury)
SpamForum
SpecialHam
And the new WildBiz.
WildBiz does not require registration; the other two do. Just enter the forums and look under "Proxy Lists". Typical ads:
First of all Hi to all of my seniorshooters here..
Having good collection of fresh Proxies and got DM ("Dark Mailer")
DM Latest version (Full) for $49
Fresh Proxies $50 for 500 proxies
dmandproxies@iamdns.com
61.246.226.69:3128@TUNNEL$GOOD$20297$Australia
81.33.4.70:3128@TUNNEL$GOOD$2953$Spain
61.246.226.69:3128@TUNNEL$GOOD$20297$Australia
218.208.247.81:3128@TUNNEL$GOOD$15219$Malaysia
219.144.194.74:1080@SOCKS4$GOOD$1125$China
66.154.54.215:80@TUNNEL$GOOD$4157$United States
66.154.54.224:80@TUNNEL$GOOD$1266$United States
We provide Hourly Updated Fresh Proxy Lists, which can be used for bulk mailing
That's how you market a botnet.
Yes, these operations are addressed to wannabe spammers. But the fact that they're advertised openly indicates how weak enforcement is.
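An added example, not from the post: a small parser for the proxy-list format quoted above (ip:port@TYPE$STATUS$number$Country), written from the defender's side. An ISP or mail admin who obtains such a list can match it against its own address space to find the customers whose machines are being resold as proxies, which is the use a later comment in this thread suggests. The sample lines are constructed with RFC 5737 documentation addresses; the numeric field's meaning is not stated in the ad, so it is kept only as an integer.

```python
import ipaddress
import re
from dataclasses import dataclass

# One entry per line: ip:port@KIND$STATUS$number$Country (format as quoted in the ad).
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})@(?P<kind>[A-Z0-9]+)"
    r"\$(?P<status>[A-Z]+)\$(?P<number>\d+)\$(?P<country>.+)$"
)


@dataclass(frozen=True)
class ProxyEntry:
    ip: ipaddress.IPv4Address
    port: int
    kind: str       # TUNNEL, SOCKS4, ...
    status: str     # GOOD in every line of the ad
    number: int     # numeric field whose meaning the ad does not state
    country: str


def parse_line(line):
    """Return a ProxyEntry for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = int(m["port"])
    if not 0 < port < 65536:
        return None
    try:
        ip = ipaddress.IPv4Address(m["ip"])   # rejects octets above 255
    except ValueError:
        return None
    return ProxyEntry(ip, port, m["kind"], m["status"], int(m["number"]), m["country"])


def parse_list(text):
    """Parse a pasted list, skipping prose lines and duplicate ip:port pairs."""
    seen = set()
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None and (e.ip, e.port) not in seen:
            seen.add((e.ip, e.port))
            entries.append(e)
    return entries


def customers_to_notify(entries, own_prefixes):
    """Addresses from the list that fall inside the operator's own prefixes."""
    nets = [ipaddress.IPv4Network(p) for p in own_prefixes]
    return sorted({str(e.ip) for e in entries if any(e.ip in n for n in nets)})


# Constructed sample in the ad's layout, including a repeated entry and a prose line.
SAMPLE_LIST = """\
192.0.2.15:3128@TUNNEL$GOOD$20297$Australia
198.51.100.4:3128@TUNNEL$GOOD$2953$Spain
192.0.2.15:3128@TUNNEL$GOOD$20297$Australia
203.0.113.9:1080@SOCKS4$GOOD$1125$China
We provide Hourly Updated Fresh Proxy Lists, which can be used for bulk mailing
192.0.2.200:80@TUNNEL$GOOD$4157$United States
"""

if __name__ == "__main__":
    parsed = parse_list(SAMPLE_LIST)
    for e in parsed:
        print(e)
    # Hypothetical: this ISP owns 192.0.2.0/24 and wants to know whom to contact.
    print(customers_to_notify(parsed, ["192.0.2.0/24"]))
```

Country names in such lists come from whatever geolocation the seller used and should not be trusted for anything beyond a hint; the ip:port pair is the only field worth acting on, and even that should be confirmed against the operator's own flow records before a customer is contacted.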
There's a money trail in normal, non-Internet organized crime, too, but even crime families in the U.S. have often taken years of inside work by informants and FBI agents to crack. Now we're talking about crime rings in Eastern Europe and Russia, where law enforcement is even less efficient at bringing down this sort of organization.
Step 1 - Determine where the crime is taking place - location of hacker, zombie or target of attack?
Step 2 - explain crime to local law enforcement so they know who to arrest and what evidence to collect.
Step 3 - explain it again to DA, judge and grand jury so they know what to charge them with, if there is even a law that can be applied.
Step 4 - watch local lawyer demolish case because no-one can figure out who was injured or assign a monetary value to loss
Intron: the portion of DNA which expresses nothing useful.
I have 16,777,216 IPs for sale in the 127. range. 5 cents a piece. Send cash and I can tell you how to access them.
I am talking about a whole network.
You can't just wake up one day and decide that you are going to switch all your network servers and workstations to a new OS over the course of a few days. These things take time.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Organized crime.
In the old days, virus authors were really just trying to see how much of a nuisance they could be. Now, however, the ability to combine stolen resources spread over a large geographical area makes it incredibly easy to do some serious crime for relatively low risk.
Try looking at it from a criminal's perspective. The resources to mount a massive attack are easy to come by, thanks to most folks' unwillingness/fear to learn anything about computer security. The police are perceived as being just as clueless as the victims with the cracked computers. The investigation has to start with the machines that were cracked, which gives the crackers more time to cover their tracks.
And this says nothing about the complexities of getting a conviction with the morass of International laws involved.
It's evil as hell, but a bit ingenious.
I'm not tense. I'm just terribly, terribly, alert.
Before they could sell these systems for 10, maybe even 15 cents a piece. But thanks to the latest Windows security holes and viruses, the market has been so flooded with cheap foreign zombies that the pirates can barely make a living selling their hard-earned bots for 5 cents a piece.
It's way too late, not to mention disingenuous, to do this. First off, most users are using P2P, BitTorrent, IM, etc., which all require open ports for full functionality. Shutting them out or just approving Kazaa and a handful of apps is silly. The phone traffic from someone wanting to open a port would be ridiculous. Imagine how many times a PC wants to listen legitimately. Warcraft update? Call your ISP. IM file receive? Call your ISP. Etc.
If you read the article, it's not the ports that's the problem, it's users opening these infected emails. You're still allowing the biggest hole - email. Zombie software can easily be written so it doesn't have to keep a port open; it can simply initiate the connection to a server someplace on its own.
ISPs eventually will have to police their network, as some are doing right now. So are universities. They'll do port scans and traffic analysis, then shut down the offenders. If these people can't keep their machines clean then the ISP can kick these customers as I'm sure it costs more to keep them than to lose them. After that, lots of people will suddenly renew their AV subscriptions, learn how to patch, etc.
Not to mention better server-side email attachment scanning; users shouldn't be getting this stuff to begin with. Or if the big players decided to just block all executable attachments. Sure, everything will be zipped, but that'll discourage "the double click two-step."