Return of the Web Mob
Parore writes "eWeek is running a story about the return of the web mob, highlighting all the similarities between the online attacks and the real-world mafia. From the article: 'Black hat hackers have set up e-commerce sites offering private exploits capable of evading anti-virus scanners. An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs. Skilled hackers in Eastern Europe, Asia and Latin America are selling zero-day exploits on Internet forums where moderators even test the validity of the code against anti-virus software.'"
There is obviously a problem with botnets, virii, and trojans; part of the problem comes from a 'not my problem' attitude from law enforcement and ISPs.
Dozens of times when networks I maintain have been attacked, I have contacted ISPs with all the information they would need to trace the user performing the attack and notify them that their machine is infected. However, the response I usually receive is, 'it is our policy not to blah blah blah'. When I have had verified hack attempts on my systems and have notified the authorities about it, I have been transferred all over the place, put on hold, and transferred a little more until I completely lose interest. When I do get to report something, it never gets investigated.
Until the people that can actually do something about these zombie machines and malicious users get off their asses, the problem will just keep getting bigger.
GeekServ Unix Consulting Services (http://www.geekserv.com)
What did anyone expect?
The problem with anti-virus software is that it is 100% reactionary. The anti-virus companies don't release updates for viruses that they haven't seen yet.
That's why I view viruses/worms as a failure of the security model of the system.
Trojans are a different matter. But even with those there are ways to mitigate the effects. If nothing else, requiring a password before installing an app will solve most of the "naked pictures of celebrity" emails. There will always be a few idiots.
Thank God for the calming, lawful influences Mom's Apple Pie, Truth, Justice and Barry Bonds' adrenal glands.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
That $25 per 10,000 comps isn't bad....
One could do a lot with say... $250 worth.
Silence is golden... and duct tape is silver.
Let's see, the ISPs and other "authorities" can't do anything to stop the "black hat" hackers and mafia, or even refuse to do so.
Yet at the same time ATT is channelling massive amounts of customer traffic to the NSA for examination and interpretation.
Perhaps someone needs to define Mafia=Terrorist?
Three Squirrels
is that the email was sent including 27 of the most recent exploits and anyone included in the list is also included in a new undernet.
I got one this morning and so far not&&^*%%£""£[NO CARRIER]
liqbase
Cue yet another flood of FUD press on the evil "hackers who break into private and public systems, inserting viruses and exploit them to fulfill their own ends" while completely failing to mention the good guys on Bugtraq and such who have quietly been doing their thing for years.
Slashdot Burying Stories About Slashdot Media Owned
How about using the same exploit to alert the affected users; track down the originator and infect him (if he has a real terminal); raise money and send some tough guys to beat the crap out of the hackers?
Criminals used the horse, then the rifle, then the telegraph, phone, car, airplane, etc. What would be different about the Internet?
The web mob is back! We MUST stop them!
- Quick, To the TuxCave!
$25 to infect 10,000 PCs sure is cheap. If this guy can get only 25 bucks per 10,000, he must have competitors (read: there's a lot of people doing this), and it must be easy to do. These, of course, are not good signs.
However, it occurs to me that the best measure of Microsoft's success in security is the market price for 10,000 infections. For example, if Vista turns out to be an impenetrable tank, we should see the price go up to 50 or 100 bucks, maybe more.
At the end of the day, until we all stop using the same operating system, we're doomed to a continual barrage of large-scale infections (remember the Irish potato famine?)
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
I think the most mafiaesque thing I've seen on the old HTTP lately would be the DDoS and demand for ransom money on milliondollarhomepage.com. Here's an article on it; the blog on the site itself also details how it went down. http://www.techshout.com/internet/2006/19/ransom-seeking-hackers-attack-uk-students-million-dollar-web-site/
My name is coaxeus, and I approve this message. In fact, I think it is awesome.
If it's good enough for SCO, Microsoft, and pretty much any other large computer industry player, then it's good enough for the black hats out there. I wonder if there's a yearly conference that all these folks go to? Oh yeah, it's called "ConCon". ;P
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Only kidding of course, well partially. How many botnets consist of linux or OS-X machines?
It does, however, show just how hopeless Windows security is. Even criminals have costs, so if they can make a profit after paying their hosting and electricity and hardware and manpower with just 25 dollars per 10 thousand machines, then the cost and labour of infecting a Windows machine must truly be trivial.
Let's face it, the mafia doesn't do it for penny profits. They are not supermarkets surviving on a 1 cent per sale profit. They want millions and they want them now.
How many times $25 does it take to interest a mobster?
Frankly I don't think the problem is going to go away. The idea that MS is ever going to provide a secure OS is laughable, and even if they did, nothing helps against a dimwitted user who happily installs anything if it promises a nudie picture.
The only two easy solutions I see are to install a serious watchdog on the net, one who can kick off ISPs that host the mob AND users who let their PCs get infected.
Would that be workable? Even "respectable" western ISPs barely respond to complaints about attacks. We've got a spam watchdog that already kicks ISPs off the email net when they misbehave, and this just barely works. If the same was applied officially to the net as a whole, entire parts of the world would be disconnected.
Perhaps it is just something we've got to live with. The real-life mafia never went away. Why should the net be any different? As long as there is money to be made, people will attempt to get it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Most law enforcement I've worked with are great at their job.. if they can see it. Example - someone commits a crime, they can investigate and arrest. However I'd say about 1/2 of general law enforcement people do not grasp the concepts of the "virtual" world, through no fault of their own.
:)
While Opping on irc, I noted a person claiming to sell laptops at 1/2 retail cost.. new ones. I pretended interest, and got some contact info.. forwarded this on to law enforcement for his area... within a week, the detective emailed me to say they'd busted a fraud ring. It was tangible, they could deal with it.
Internet crimes still deal a lot in the virtual world, and if you haven't been trained on how to.. visualize and understand it, it's a tough concept. Not everyone gets it.
As with a lot of things, the key would be training. You're probably not going to get a small town sheriff trained, however some of the larger sheriff's departments would be excellent centers for this.. keep it to county level, forward to state or federal if needed.
{} ------ When I think of a good sig, I'll put it here
This is exactly why any and all security information should be released to the public immediately.
Public release will serve the following purposes:
1. To inform the consumer of a problem/vulnerability so that action can be taken sooner.
2. To kick the vendor in the ass and make him move on the issue.
3. To prevent underground organizations from creating secret exploits that might otherwise go unnoticed or unidentified.
3a. To prevent commercial gain by exploiting the knowledge of such secret/unknown security problems.
So........
When I went to purchase these 25,000 computers with my trusty Internet Explorer v4.0, I actually got A DEAL! They tossed in an extra computer; now I control 25,001. These guys are soo nice!
Maybe it is in the best interest of the virus companies and the governments to keep the status quo. Remember the NSA KEY in Windows 2K? Could be they have an easier time when the software is so open. Could be that the Virus companies make MORE $ when things get through on occasion and there is the NEXT BIG SCARE. Remember, news, even bad news, is good news and helps drive sales of your products, like anti-virus software....
Ok, joke aside, I was wondering if these viruses wouldn't be spread so easily if we used Linux, but that's too much "slashdot thinking". After reading the story on Open Standards, I thought of something more interesting.
Will Microsoft be able to withstand this wave of exploits using their current software methodology? Or is Open Source programming the ONLY way?
In other words: Is Microsoft losing the war against viruses?
So, if I gave these guys $25 to have 10,000 of their zombie computers all run SETI@Home, could I write it off as a tax deduction?
great analogy!
my password really is 'stinkypants'
[1] Those zero day exploits wouldn't exist (or, wouldn't be useful even if they existed) if Windows code was open to see and modify. For example, the most severe security bug (sudo password saved in plain text) I saw in Ubuntu was fixed and uploaded to the repositories in about 2-3 hours. Why would you want to buy any exploits that will become obsolete 3 hours after you used it?
Meh.
You can do more with a kind word and a gun than with just a kind word. -- Al Capone
AV software is akin to a kind word when it comes to combating the net mafia.
During the Wild West days when law enforcement was scarce, militias and posses were deputized to keep the peace. Today, police and government are stretched thin, so Congress should deputize 'white hats' to attack/track down virus writers. This has got to be better than the reactionary stuff we are legally permitted to use.
I read
Wow, what a bad analogy.
Ignorance is different from negligence. And ignorance is not necessarily a negative term. It just highlights the fact that somebody does not know how stuff works in this example.
Driving 150 km/h is already doing too much, knowingly. The problem is when people drive cars they believe to be secure, driving at speed limit, while not knowing that somebody came and slowly started loosening the bolts on the wheels. Until eventually the wheels come off, the person driving the car loses control and causes a multiple vehicle collision on a highway.
Yes, blah, blah, it is the responsibility of the owner of the vehicle to check the safety of his/her vehicle. Let me ask you, do you check your lugnuts each day? How about each time you drive?
The problems of PC maintenance are highlighted especially in the young kids demographic as well as novice computer users, older computer users (mom/pop, grandma/grandpa), or people who are not technologically adept.
I expect the next line to be that such people should not use computers... Let's talk realistically instead of dreaming.
You mean the hoax?
"An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs"
Dear researches i would like to make you an even better offer recently my good friend the president of nigeria was killed and he had left me a huge amount of money but i need help getting it out of the country for pay the fee for all the legal paper work and transfers i will give you 20% of my 100 million inheretence
Visit my site @ http://www.madtorrent.com
You see the attacks from such countries because it is damn convenient to proxy the traffic through those countries. Every good cracker in The US or Europe does that to have a layer of security between himself and the authorities.
but you have to be careful listening to them.
Hypothesis: the mob are the buyers of botnets, not the sellers, and the sellers are in a worse negotiating position.
Hypothesis: supply of infected machines exceeds demand.
Hard to tell which is correct.
Zero-day exploit pricing is interesting too. I've seen numbers like $500 or $1000. If that reflects supply and demand then Windows machines are still pathetically vulnerable. In any event, that means that any stalker or divorce investigator could afford one.
Anyone seen an actual published survey of zero-day pricing?
Yeah, that's not all of it, they even accept credit cards :)
The real problem with botnets is that they tend to draw attention to the exploit, resulting in a patch. If it wasn't for botnets we could use the exploits for a longer period of time.
As if heuristic analysis were the key to stopping all the malware on the Internet. If it were, everyone would install AVG on their Windows PCs and all the malware would just go away.
However, reality bites us in the arse and then we realize that heuristic analysis only goes so far.
The key to having freedom from malware is to have operating systems which do not make it easy for malware to thrive. OSes should not default to having users logging in with administrative privileges. Applications should not be able to be installed with a few lines of embedded scripting code in a Web page or an e-mail. E-mail software shouldn't allow attachments to be executed immediately upon clicking -- users should have to save the attachment and then launch it from the shell. This requires a little more thought process than "if I click here, I will see naked pictures of [insert celebrity]!"
Of course, the OS where all of these bad security models exist is Windows and the e-mail application in question is Outlook. We need to stop looking at the problem of malware as a user education problem and start seeing it for what it really is -- a broken OS issue caused by the greed and stupidity of the largest software company in the world.
My blog
Damn, that is a cheap cluster. $25 per 10,000 machines. I wonder what kind of turnover you'd have if you used them for things unlikely to draw attention to yourself (that is, if you don't use them to DDOS IRC lamers)...
See that "Preview" button?
This references users primarily in the US. Other cultures & nations may be different, YMMV. Accept it, most US users want to use a computer like they use their car. No effort, no learning after the initial bit; use it (the car) when desired, ignore it when not using it. Most people in the US don't check for recalls or tech bulletins on their cars! This is despite the fact the user can die from a failure to follow a recall notice or technical bulletin (especially with their poor driving habits). If the average US user won't put an effort into preserving their life, why should a sane individual expect them to take any better care of their computer?
Suppose someone took you up on your offer, how would you handle billing? What are the chances of someone not being good for their money in a situation like that? I know this is the least important aspect of this; but I cannot help but be curious.
You presume that Joe or Jane Consumer will necessarily:
a) Hear
b) Pay attention
c) Understand
d) Be able to do something
e) Do something
Color me skeptical.
3. To prevent underground organizations from creating secret exploits that might otherwise go unnoticed or unidentified.
No, this only means that when someone else finds the hole, you can check if there have been black hats using it. A few of the Black Hat groups are skilled enough to find holes, and clever enough to exploit them without telling anyone else.
//Information does not want to be free; it wants to breed.
No, it's not remotely legal; it's not even vaguely close to ethical. However, it might work. Consider it akin to giving software makers only FOO weeks before the exploit is disclosed; users get only FOO weeks to apply patches against remote exploits before Grey Hats shove the patch up their computer's ass...embly, whether the user wants it or not. Perhaps do something like set the desktop background to a .gif saying "PATCH ME, MORON!" for good measure.
//Information does not want to be free; it wants to breed.
Holding Joe Sixpack responsible for his computer's actions? Doubt it.
Remember that he's the one that generates money for the ISPs. He's not downloading Terabytes of movies.
He is the one that buys the crappy "download accelerators" and other useless programs.
He is the one that uses online banking.
He is the one that buys at Amazon.com and EBay.
Let's face it, he is the one they shape the internet for! The 'net ain't our net anymore. Hasn't been for well over 10 years now.
Now imagine he's held responsible for what happens out of his box. He doesn't know jack about his PC. He doesn't know he has a zillion dialers, trojans, adbots and whatnot, from clicking EVERYTHING presented to him. He only knows that "the net" somehow "did this" to his PC.
What is he going to do? Learn how to use it? Or stop using it altogether?
Which one is more likely? And would the industry like that reaction?
So will he ever be held responsible?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I've installed and run investigative workstations for my employer. It ain't easy. Our methodology is to set up workstations that are as bulletproof as we can make them (considering the places we're going to visit, that's a given) and then let specialists try to develop leads. We have procedures to allow non-LEO personnel do the initial legwork; they surf and chat and poke around, extensively logging everything. When something interesting pops up, they're free to dig deeper. Eventually, when they think they have enough information to write up a report, they do so and turn it over for review. If it's picked up for serious investigation, either on the criminal or civil side, it passes from their hands and they never really know what becomes of it. That's fine with me; the initial lead development is what's fun, anyway. I'm one of the few people I know who can say he's spent a great deal of time being paid by Uncle Sam to surf porn (and other unsavory stuff).
What bugs me are the amateurs. There's a certain nexus between the sleazy side of the porn world and financial crimes, so I've spent a bunch of time in places that, at first blush, might seem more titillating than profitable. You would not believe how many transparently fake attempts are made by local, often small-town cops to entice people into illegal behavior. By far, the most common problem is the "I'm a 12-year-old girl. Would you like to talk to me about sex?" thing. Yes, some of them are that crude. Apparently, there are a bunch of Barney Fifes out there who have convinced their bosses to set up an AOL account for them in a back room at the police station for the purpose of generating a few easy, cheap, and sensational arrests that'll get the name of the local DA in the paper before the next election.
I used to wish they'd just go away, but afaik perhaps they already have. I haven't worked in lead generation for several years so I haven't been in any of those places in quite a while.
Anybody have any recent experience with this? Are there still woefully clueless LEOs out there popping up at inappropriate places pretending to be hot-to-trot preteens? God, I hope not; they were a royal pain in the ass.
The internet is a wonderful thing, for it has no borders. Unfortunately, the real world does, and that's the inherent problem of this all: Getting international police forces to work together takes a hell of a lot of time. If possible at all.
The problem lies in the placement of the criminal. In a normal, tangible crime, the criminal has to go to the place of his crime. You want to steal my car, you have to go to my car and steal it. You want to break into my home, you have to come to me and crowbar my door. You want to rob a bank, you have to go into the bank and withdraw with your iron CC. In any case, you have to go to the place of action, physically, and thus get into the reach of local law enforcement.
In the virtual world, you don't. You can be anywhere on this planet. Preferably in a country that has better problems to deal with than whether some guy in a foreign country loses some money. You can steal across borders, thus you don't get into reach of the local LEAs.
And quite suddenly, the legal problems of other countries, their lack of stability that was so convenient when dealing with them, because they could simply dump waste anywhere or don't have any problems with poor working conditions (and thus have CHEAP labour), those problems become yours.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Maybe I've seen too many movies, but these blackhats don't *sound* like the mob.
I'd think the mafia would build enterprise-ready e-commerce sites and then "persuade" businesses to purchase hosting from them. You know, the old protection racket.
None of this $25 a pop retail sales stuff. That's just monkey business.
I thought webmobs are like flashmobs, but on the web as they write in the webmobs manifesto http://www.webmobs.de/manifesto.html. There seem to be 2 different meanings of the same word.
It is clear that the author of this article has absolutely no understanding of the real web "mob" (which isn't even called that BTW). This article is total BS and probably some kind of government set up.
For people who want to understand the "real" "mob", they need to understand the Underground Economy (UE). What they need to understand is business and commerce. 90% of UE transactions are just regular business trying to avoid taxes and regulations. They have an elaborate offshore finance network that can transfer money around the world faster than governments can track it. Most of the money is gained through (some) female services, hotels, casinos, people smuggling, and (some) drugs, and the biggest one - tax free duty free trade - and not through online hacking nor through draining people's bank accounts or even defrauding people. In fact, they try to distance themselves from these activities because they want return customers built on a trust relationship. Most Fortune 500 companies have regular dealings in the UE.
It is highly factioned, and some people do try to blackmail, eg (give us money, or don't report us when we rob you or else such and such government will find out about your hidden transactions) - but this is mostly on a rogue individual level and not a large commercial level. In fact, when the FBI tracks these people down - it helps the UE, because it lowers their transaction costs and liabilities. Also, if they need access to secure systems, they don't need to hack into them. They have a lot of high level bank officers and government officials in their pockets. The real UE also hates terrorism, which in the last few years has increased their transaction costs several fold. The goal is to hide financial transactions from taxes, regulation, and rogue lawsuits, not to hide finances for terrorism. Also most of the UE is split between drugs. Many try to distance themselves from the drug trade to avoid the higher costs of business, but the money is so big that it can't be ignored altogether.
Another thing that most people don't understand is that the war on drugs and the financial part of the war on terrorism is really just an excuse to wage war on the UE. When corporate money associates the UE with drug lords and terrorism, then they tend to keep their money at home more where their respective governments can tax the living daylights out of them. Given the costs of the war on terror, the big welfare states of most governments, and really really bad fundamentals of the US dollar lately - this has become a high priority for the US government in recent times.
One more thing, the US dollar is in deep deep shit. The US economy can't pay off its debts without watering down the dollar (or default, which they can't do because it will cause a cascading chain of defaults), but they can't water down the dollar without sparking a stagflation spiral. When it spirals out of control it will cause hell in the US and every country in the world. Anyone who doesn't have precious metals is either stupid, poor, or going to be poor. It used to be that the dollar was the currency of choice for the UE, then when the dollar devalued the currency of choice became the Euro, now the currency of choice has been moving quickly toward Gold.
I don't know how many people actually look through their logs for ssh attempts, but for the past (???) months I've been keeping track of machines that dump a whole mess of bruteforce ssh attempts. Oddly enough I have not seen any duplicates yet (as in, a machine that has tried twice on two different days)!!! I'm tempted to log account+password someday to see what kinds of passwords they're trying.
There's not enough "good guys" out there. The few at securityfocus/bugtraq can't fix everyone's machines - they have no access to everyone's machines. Everyone, including those who just buy a computer to surf the web, play mp3s, view pictures of grandchildren, needs to be aware of the problem and proactively checking and cleaning up any mess found. I have a fear of my elderly father who says "I'm old now, I don't want to be troubled by these problems, I just want to use the computer to do what I want, who cares if it does [botnet] stuff with my computer as long as it still works for me. I don't do internet [commerce] so they can steal whatever they want off my computer." -- wrong attitude, and I bet a lot of people feel the same way not just him.
As much as I blame these people who don't care, I have to also blame that company who writes software with so many new _UNNECESSARY_ features that aren't checked thoroughly for security issues. Reduce the feature set. Run code on server, not client. I long for the days when HTML was HTML, not a plugin-ridden ActiveX Java MPEG viewer...
I'm appalled by the multitude of skript kiddies out there who have access to large pipe machines to flood people off the network who they want to "pwn"... There's not enough effort out there to prevent people from having access to these machines, server farms, you name it. And they don't even need root...
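The ssh-log comment above tallies machines that dump a burst of brute-force login attempts and notes that none of them came back on a later day. As an added example (not from any poster in this thread), here is a small Python tally that does the same over OpenSSH "Failed password" lines: failures per source per day, a burst threshold, repeat offenders across days, and the usernames tried. The log lines are constructed sample data; sshd does not log the attempted password, so only usernames are counted.

```python
"""Tally brute-force SSH sources from sshd auth-log lines (added example)."""
import re
from collections import Counter, defaultdict

# Standard OpenSSH failure line, both the "invalid user" and known-user forms.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: one source bursting on Jul 3 and returning on Jul 5,
# one bursting on Jul 4 only, one single failure, plus non-failure noise.
SAMPLE_LOG = """\
Jul  3 02:14:07 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul  3 02:14:09 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul  3 02:14:11 host sshd[1236]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jul  3 02:14:13 host sshd[1236]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jul  3 02:14:15 host sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Jul  3 02:14:17 host sshd[1238]: Failed password for invalid user oracle from 203.0.113.5 port 40141 ssh2
Jul  3 09:30:00 host sshd[1300]: Accepted publickey for alice from 192.0.2.20 port 51000 ssh2
Jul  4 11:02:01 host sshd[1410]: Failed password for invalid user admin from 198.51.100.7 port 3300 ssh2
Jul  4 11:02:03 host sshd[1410]: Failed password for root from 198.51.100.7 port 3300 ssh2
Jul  4 11:02:05 host sshd[1412]: Failed password for root from 198.51.100.7 port 3311 ssh2
Jul  4 11:02:07 host sshd[1412]: Failed password for invalid user guest from 198.51.100.7 port 3311 ssh2
Jul  4 11:02:09 host sshd[1414]: Failed password for invalid user test from 198.51.100.7 port 3320 ssh2
Jul  4 23:59:59 host sshd[1500]: Failed password for alice from 192.0.2.9 port 60001 ssh2
Jul  5 04:00:00 host sshd[1600]: Failed password for root from 203.0.113.5 port 41000 ssh2
Jul  5 04:00:02 host sshd[1600]: Failed password for root from 203.0.113.5 port 41000 ssh2
Jul  5 04:00:03 host sshd[1601]: pam_unix(sshd:auth): authentication failure; logname= uid=0
"""


def parse_failures(lines):
    """Yield (date, ip, user) for each failed-password line; skip everything else."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            date = f"{m.group('mon')} {int(m.group('day')):02d}"
            yield date, m.group("ip"), m.group("user")


def bruteforce_sources(lines, threshold=5):
    """Return {ip: {date: failures}} for sources hitting >= threshold on some day."""
    per_day = defaultdict(lambda: defaultdict(int))
    for date, ip, _user in parse_failures(lines):
        per_day[ip][date] += 1
    return {ip: dict(days) for ip, days in per_day.items()
            if max(days.values()) >= threshold}


def repeat_offenders(sources):
    """Sources that came back on more than one distinct day (the poster saw none)."""
    return sorted(ip for ip, days in sources.items() if len(days) > 1)


def usernames_tried(lines):
    """Count the account names attempted across all failures."""
    return dict(Counter(user for _d, _ip, user in parse_failures(lines)))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    sources = bruteforce_sources(lines)
    for ip, days in sources.items():
        print(ip, days)
    print("repeat offenders:", repeat_offenders(sources))
    print("usernames tried:", usernames_tried(lines))
```

Point the script at a real auth.log (or journalctl -u ssh output) and lower or raise the threshold to match your noise floor.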
I'm pretty much against the poster when it comes to gratuitous Bill-bashing. But your defense in this particular case is ill-founded; both Bill's company and the ISPs are at considerable fault in this case.
It's called "an attractive nuisance", and that's what Bill's company has created in millions upon millions of homes and offices around the world.
http://en.wikipedia.org/wiki/Attractive_nuisance
The description in Wikipedia is particularly apt in this case. Bill and the ISPs are the landowners -- "the condition must be one of which the landowner is or reasonably should be aware, and the landowner should also have reason to know that children might be in the area" -- and the people whose machines are getting infected are the trespassing children "who are unable to appreciate the risk posed by the object or condition".
-- Terry
Sure, they offer you 10,000 compromised PCs for $25, but they probably offer those same 10,000 PCs to every other schmuck with 25 bucks. And all of them probably have CSW, Smitfraud, VX2 and Virtumunde up the wazoo!
So they probably aren't good for too much, unless you're a good enough hacker to disable all the other malware living on them, and then defend them from all the other hackers who are shooting at the same target.
Fundamentalism is a crime against humanity