Slashdot Mirror


Return of the Web Mob

Parore writes "eWeek is running a story about the return of the web mob, highlighting all the similarities between the online attacks and the real-world mafia. From the article: "Black hat hackers have set up e-commerce sites offering private exploits capable of evading anti-virus scanners. An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs. Skilled hackers in Eastern Europe, Asia and Latin America are selling zero-day exploits on Internet forums where moderators even test the validity of the code against anti-virus software."


  1. People that matter don't care by liliafan · · Score: 5, Insightful

    There is obviously a problem with botnets, virii, and trojans, part of the problem comes from a 'not my problem' attitude from law enforcement and ISPs.

    Dozens of times when networks I maintain have been attacked I have contacted ISPs with all the information they would need to trace the user performing the attack and notify them that their machine is infected, however, the response I usually receive is, 'it is our policy not to blah blah blah', when I have had verified hack attempts on my systems and have notified the authorities about it, I have been transferred all over the place, put on hold, transferred a little more until I completely lose interest, when I do get to report something it never gets investigated.

    Until the people that can actually do something about these zombie machines and malicious users, get off their asses the problem will just keep getting bigger.

    --
    GeekServ Unix Consulting Services (http://www.geekserv.com)
    1. Re:People that matter don't care by Moby+Cock · · Score: 3, Insightful

      The day will come when the owners of the infected computers will be responsible. This is of course insane, but it is an easy way to assign blame. The real culprit, of course, is too difficult to track.

    2. Re:People that matter don't care by liliafan · · Score: 4, Insightful

      We know the people responsible are mean vicious hacker types, my point is that an ISP has a responsibility to not just protect its users from the internet but to also protect the internet from the user, if an ISP receives a report that one of their users is doing something wrong they should take the time to check this, the same goes for law enforcement.

      Users should take responsibility but you are right this will never happen, and as long as it is profitable the malicious users will continue to write their infections, the impact can be minimalised if ISPs take some responsibility for the users they allow to connect.

      --
      GeekServ Unix Consulting Services (http://www.geekserv.com)
    3. Re:People that matter don't care by gowen · · Score: 4, Insightful
      "The day will come when the owners of the infected computers will be responsible"
      Presumably, this will be the same day that women in short skirts will be responsible for their own rapes?

      No matter how tempting a target I make myself, the responsibility for the crime will always remain with the criminal.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    4. Re:People that matter don't care by giorgiofr · · Score: 4, Insightful

      I don't think it's as insane as you think. It's quite akin to holding passengers responsible for whatever some ill-intentioned guy put in their luggage without their knowledge. After all, it's your duty to know the dangers of the machine you're operating: people are responsible for the damage if they drive at 150 km/h into a building and lose control of the car, even if they "did not know" that it was dangerous to do so.
      Besides... responsible people are always the ones who have to pay for everyone else. If I keep my machine clean and safe, why do I have to suffer because you can't keep yours as mine? Is it my fault if you're stupid/misinformed/uninterested? Clearly it is not. On the contrary, I will think you are responsible for any damage (probably just some wasted bandwidth, but still) your machine is causing.

      --
      Global warming is a cube.
    5. Re:People that matter don't care by giorgiofr · · Score: 4, Insightful

      "the responsibility for the crime will always remain with the criminal"

      and if, after being the victim, you start being the criminal, you will be held responsible for your crimes. for example: if you get HIV while being raped (btw... that's sad in so many ways I cannot count them) and you later go around merrily spreading it, you are certainly not responsible for being raped but you are for spreading the disease.

      --
      Global warming is a cube.
    6. Re:People that matter don't care by geekboy642 · · Score: 2, Insightful

      Actually, that is a marvelously apt analogy.

      It is something akin to the violation of privacy and destruction of rights of rape, to have one's personal computer invaded by a virus or other malicious code. (yes I know, the severity level is vastly different, but it's the same type). Afterwards, if this personal computer wanders around the Internet having unprotected HTTP with other servers, any who don't have the vaccination are going to pick up whatever it's got.

      --
      Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
    7. Re:People that matter don't care by gowen · · Score: 2, Insightful
      "If you get HIV while being raped (btw... that's sad in so many ways I cannot count them) and you later go around merrily spreading it"
      Throw the word "knowingly" in there, and I agree.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  2. Is anyone really surprised? by khasim · · Score: 4, Insightful

    What did anyone expect?

    The problem with anti-virus software is that it is 100% reactionary. The anti-virus companies don't release updates for viruses that they haven't seen yet.

    That's why I view viruses/worms as a failure of the security model of the system.

    Trojans are a different matter. But even with those there are ways to mitigate the effects. If nothing else, requiring a password before installing an app will solve most of the "naked pictures of celebrity" emails. There will always be a few idiots.

  3. Things That Make You Go Hmmmm... by rueger · · Score: 3, Insightful

    Let's see, the ISPs and other "authorities" can't do anything to stop the "black hat" hackers and mafia, or even refuse to do so.

    Yet at the same time ATT is channelling massive amounts of customer traffic to the NSA for examination and interpretation.

    Perhaps someone needs to define Mafia=Terrorist?

  4. Paging Agent Gill... by Rob+T+Firefly · · Score: 2, Insightful

    Cue yet another flood of FUD press on the evil "hackers who break into private and public systems, inserting viruses and exploit them to fulfill their own ends" while completely failing to mention the good guys on Bugtraq and such who have quietly been doing their thing for years.

  5. Some don't care, some don't understand... by trazom28 · · Score: 4, Insightful

    Most law enforcement I've worked with are great at their job.. if they can see it. Example - someone commits a crime, they can investigate and arrest. However I'd say about 1/2 of general law enforcement people do not grasp the concepts of the "virtual" world, through no fault of their own.

    While Opping on irc, I noted a person claiming to sell laptops at 1/2 retail cost.. new ones. I pretended interest, and got some contact info.. forwarded this on to law enforcement for his area... within a week, the detective emailed me to say they'd busted a fraud ring. It was tangible, they could deal with it :)

    Internet crimes still deal a lot in the virtual world, and if you haven't been trained on how to.. visualize and understand it, it's a tough concept. Not everyone gets it.

    As with a lot of things, the key would be training. You're probably not going to get a small town sheriff trained, however some of the larger sheriff's departments would be excellent centers for this.. keep it to county level, forward to state or federal if needed.

    --
    {} ------ When I think of a good sig, I'll put it here
  6. And people wonder... by John+Hansen · · Score: 5, Insightful
    ... why other people can take advantage of their computers?
    I run a network in a medium-sized business. When I came in, there was no IT staff to speak of. All the workstations were Dell computers, mostly running the default installations of Windows XP. There was a Windows 2000 domain controller set up, but most of the computers were not set up for the domain, meaning that there were no default security policies. The E-mail server had an antivirus scanner installed but it wasn't updating its definitions.
    Since I came in, I've had to reformat & reinstall at least half of the workstations because they've been infected with spyware and viruses. This is because, despite having virus scanners, spybot scanners (Microsoft Anti-Spyware, Spybot, and Ad-Aware), and Firefox installed, the absence of IT staff meant that the company staff were ignoring spybot warnings, the antivirus was not up to date, and they were browsing the web with Internet Explorer.
    I'm still fighting the use of Internet Explorer, since we have no real reason to be using it -- most all of the websites we access are Firefox friendly. However, the momentum means that I can't just block out access to it in the domain policy. People need to migrate their bookmarks and preferences over, and that isn't done overnight. It's maddening.
    So who do I blame when I see headlines like this, or when I look at the company I work at and see a mess? My first point of blame lies with Microsoft for creating such a vulnerable infrastructure to begin with. And that's not because I'm an anti-MS or Linux zealot. It's true, I run Linux at home on every computer. It's also true that since coming in, I've set up a number of Linux servers and a Linux firewall. I know how to work with Microsoft products and lock them down to a reasonable state. It's just that it frustrates the hell out of me when a product built-in to the operating system has so many vulnerabilities, and it's a freaking product used to browse the web! Not something essential to the system like the kernel (which has problems too)... a web browser! Something that should have no system access!
    So yes, I lay most of the blame for this kind of travesty at Microsoft's feet. Had they actually thought their design through before they started coding, I can almost assure you that we would not be having this kind of problem to begin with. There would be viruses for Windows, yes. There would be worms for Windows, yes. But I find it unlikely that a properly-designed Windows would have made it possible for there to be millions of zombie PCs across the world, able to be bought by the highest bidder.
    The rest of the blame I lay on user education. Most people with computers are totally oblivious about what's on the Internet. They just click on the big 'e' and surf their favorite porn sites, check email for funny comments, et cetera. And then they wonder why they get hundreds of popups and their computer runs slow as frozen molasses. Some of this could be stopped if network admins took some effort to educate their users in a business environment (herculean but possible, and I know some organizations actually do so). Which leaves the home PC users. What do you do about them? Well, I think that's more Microsoft's responsibility, since they're the ones who created the product.
    In the meantime, I'm setting up Ubuntu for people who want it, or giving out CDs with it on them and directions. And most people I've switched have been quite happy with it, since their main needs are web browsing and Email and it covers those. So until Microsoft produces a product that I can actually recommend to my mother, I cannot recommend Windows.
  7. bad analogy by 1800maxim · · Score: 2, Insightful

    Wow, what a bad analogy.

    Ignorance is different from negligence. And ignorance is not necessarily a negative term. It just highlights the fact that somebody does not know how stuff works in this example.

    Driving 150 km/h is already doing too much, knowingly. The problem is when people drive cars they believe to be secure, driving at speed limit, while not knowing that somebody came and slowly started loosening the bolts on the wheels. Until eventually the wheels come off, the person driving the car loses control and causes a multiple vehicle collision on a highway.

    Yes, blah, blah, it is the responsibility of the owner of the vehicle to check the safety of his/her vehicle. Let me ask you, do you check your lugnuts each day? How about each time you drive?

    The problems of PC maintenance are highlighted especially in the young kids demographic as well as novice computer users, older computer users (mom/pop, grandma/grandpa), or people who are not technologically adept.

    I expect the next line to be that such people should not use computers... Let's talk realistically instead of dreaming.

  8. Re: email advertisment by romka1 · · Score: 2, Insightful

    "An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs"

    Dear researches i would like to make you an even better offer recently my good friend the president of nigeria was killed and he had left me a huge amount of money but i need help getting it out of the country for pay the fee for all the legal paper work and transfers i will give you 20% of my 100 million inheretence

    --
    Visit my site @ http://www.madtorrent.com
  9. Prices tell a story by Beryllium+Sphere(tm) · · Score: 2, Insightful

    but you have to be careful listening to them.

    Hypothesis: the mob are the buyers of botnets, not the sellers, and the sellers are in a worse negotiating position.
    Hypothesis: supply of infected machines exceeds demand.

    Hard to tell which is correct.

    Zero-day exploit pricing is interesting too. I've seen numbers like $500 or $1000. If that reflects supply and demand then Windows machines are still pathetically vulnerable. In any event, that means that any stalker or divorce investigator could afford one.

    Anyone seen an actual published survey of zero-day pricing?

  10. Re:Look at the Price! by chadamir · · Score: 2, Insightful

    I feel as though I should give the 25 dollars and have the computers run folding@home for a day.

  11. Re:Regarding Linux... by Cromac · · Score: 2, Insightful
    "Ok, joke aside, I was wondering if these viruses wouldn't be spread so easily if we used Linux, but that's too much "slashdot thinking"."

    Most likely, yes. "we" aren't the ones spreading viruses and unknowingly joining botnets. It's the uneducated person who went to CompUSA or Dell and bought their PC. Those people wouldn't put up with the heightened security of a secure Linux box any more than they would with a secure Windows machine. They would still fall victim to the same trojans. Some virus and worms would probably spread more slowly but overall the situation would be pretty much the same because the common computer user doesn't want to deal with everything that goes along with a locked down, secure, system.

  12. Release isn't understanding by abb3w · · Score: 2, Insightful
    "1. To inform the consumer of a problem/vulnerability so that action can be taken sooner."

    You presume that Joe or Jane Consumer will necessarily:
    a) Hear
    b) Pay attention
    c) Understand
    d) Be able to do something
    e) Do something

    Color me skeptical.

    "3. To prevent underground organizations from creating secret exploits that might otherwise go unnoticed or unidentified."

    No, this only means that when someone else finds the hole, you can check if there have been black hats using it. A few of the Black Hat groups are skilled enough to find holes, and clever enough to exploit them without telling anyone else.

    --
    //Information does not want to be free; it wants to breed.
  13. Not exactly mafia tactics by psydeshow · · Score: 2, Insightful

    Maybe I've seen too many movies, but these blackhats don't *sound* like the mob.

    I'd think the mafia would build enterprise-ready e-commerce sites and then "persuade" businesses to purchase hosting from them. You know, the old protection racket.

    None of this $25 a pop retail sales stuff. That's just monkey business.