Slashdot Mirror
Is the Botnet Battle Already Lost?
An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."
this whole thing is just ridiculous. yes, sure if you treat existing poorly engineered systems as inviolate and try to work around them its a never ending battle. but the basic tools to provide systemic distributed security have been published for quite some time. fix the problem at its source and stop screwing around.
yes, pkis are not flawless, but it would be a huge step above this kind of flailing
"Resistance is futile. You will be assimilated."
use a big stick. Didn't we learn anything in American History? Roosevelt pwned.
I don't think that bots are invited. This wouldn't make sense from an administrative view. The channels are probably password-protected. Nothing a little sniffing can't fix.
After all, the bot is code running locally. So if it contains any channel names, channel keys or cryptographic keys, you can get to them.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
One can always create reverse honey-pot servers that connect to the chat channel and when given a command, reply with "I am sorry Dave, I cannot do that..." and then recite some multi-gigabyte random poem into the channel :)
The key here is "unpatched server" and of course it happens to be a windows box... hmmm...
check if there is a "start" icon in your left lower corner of the screen. if so - yes, chances are you have caught a virus, and your computer is taken over and controled by the dark forces.
Firewalls are useful for monitoring traffic. The best way to detect a zombie computer is to look at the traffic coming in and out, checking for anomalies (such as excessive traffic to places nobody would be going to). Security Now is a great podcast that deals with security issues and locking down your systems. Episodes 3, 8, and 4 are particularly relevant. It can get technical at times but all-in-all it's a great explanation of how things work and what can be done to secure them.
Why hasn't anybody created a "good" trojan that uses as many common exploits as possible to infect these already infected machines with a port-80 restrictive firewall? I think for every somewhat bright for-profit trojan creator, there are thousands of brighter people that can come up with an intelligent plan to do this effectively. Use all spreading techniques that the best of the worst use, but minimize the wasted & bloated traffic, while fixing as many computers as possible. Should be simple!!
Only issue I see is legality. Technically however, I see this as very feasible.
You have no idea how depressing it is that I can't decide if the above comment should be modded flamebait, funny, informative or insightful.
What's needed is for someone like NY Attorney General Elliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.
Meanwhile, we may need some brutal firewalls:
We're probably going to see some companies going to a locked down firewall like that.
Modern botnets clients are pretty adaptable; they will download patches, modifying themselves to beat disinfectors. With care, and unless the net manager has taken extreme measures to prevent it, one can induce the clients to remove or disable themselves, rather than just trying to kill the control channel. Should that fail, one should be able to determine what fallback channels the botnet clients use and disable those before killing the current command channel.
What we need is a large number of ISPs to get together and say, "We trust each other to deal with botnets." Then, with a single command, any trusted ISP within the network could instantly send a command to another ISP to shutdown a site or server that is running a botnet. All of these actions would be logged and would be reviewed to make sure that it is only being used against botnets; any sort of abuse (like using it to shut down protest sites or copyright violation sites) would result in an instant revocation of privileges. This system would be much better than what we currently have: trying to call the other ISP, trying to get them to listen to you, trying to get them to trust you ... it can take days, if ever, to shut down a botnet on another network.
Cyde Weys Musings - Scrutinizing the inscrutable
Why not just physically unplug your computer from the network?
... but I honestly don't see this as such a big issue.
Basically this is a problem with people owning computers who don't know how to maintain them properly, and with MS making it unreasonably difficult, expensive, and time-consuming to maintain a Windows machine properly.
But as someone who doesn't run Windows, I don't really care. I'm sure some of the spam I get is from these bots, but spam would exist with or without botnets, and without a major redesign of the e-mail infrastructure and standards, spam can only be mitigated, not cured. My mitigation measures work for me.
Another theoretical possibility is that I could get extorted by somebody carrying out a DDOS attack. But in reality, that seems more like a worry for a big corporation, not an individual like me.
Another possibility is that somebody I do business with could get their machines owned, and gangsters could steal my identity. Well, it hasn't happened to me yet, and it hasn't happened to anyone I know.
I'm a lot more worried about global warming and nuclear proliferation.
Find free books.
If you can check it, therein lies the problem. The paradox is in its mere existence, it thinks, therefore it already has. ___________________________________ LunarLodge: "The Last Best Space"®
I feel your pain. Alas, we have already commented.
Now, back to meditation!
I have nothing to say.
Botnet, Skynet, whatever... We effectively lost the war against the robots when we first invented computerization, thus creating the posibility for the future war against the robots.
SOS
I am no expert in this area, but a thought occurs.
Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?
It seems that as soon as you have the original botnet software, re-engineering it for this purpose would be relatively trivial. Plus there would be the immense satisfaction of fighting fire with fire. The software could even remove itself as its final act, saying "I know now why you cry, but it is something I can never do" (although someone else might have to press the button to lower it into molten metal - "I cannot self-terminate").
The only reason I can think that this wouldn't work is that the 'antidote' software would be breaching computer security all over the place - basically doing the precise thing we are trying to stop. However, surely some sort of 'good samaritan' clause could be worked into the law - or the government could adopt responsibility for this process, or at least for pushing the button that sets each counter-botnet loose in the wild.
Of course this may already be the approach taken - I don't know much about the field, as I say.
Read Pynchon.
Useful in theory but how much time does it actually take to monitor this. There is generally so much ARP and other traffic going on that I've found it's extremely difficult in practice to actually discover such a trend. iptraf and some other tools ease the burden by allowing device and port specific analysis but still you really have to pay attention on a real-time basis or do a lot of data-mining. Who's going to spend this time on home network much less a general business environment where system administrators are already overstreached and security administrators are still the CFO's favorite line item veto?
There is no easy solution
http://images.slashdot.org/hc/07/4a6fece962b0.jpg
[Fuck Beta]
o0t!
Of course this stuff is all over. My sister's PC was infested with malware and a member of a botnet. She has a teenage daughter that clcks on everything sent her way. I discovered, before a complete system wipe, two processes that run on start up using telnet, at least three many pop-up services, two browser tool-bars, a page hijack stacked upon another page hijack that got had it's registry keys still intact, but was disabled by the other hijack, and the system had Python installed and was compiling source code! After all that, they better change their browser habits. I only hope my sister dosen't make her daughter stop using the PC or the web altogether. That's the wrong answer, and hopefully I can educate them and give them an alternative.
The eternal struggle of good vs. evil begins within one's self.
So, err, do we need some kind of international police force to keep the Internet clear of botnets? Should the UN run it? Do they get cool blue suits and have their own swat teams around the world?
How we know is more important than what we know.
The so-called botnet battle is no different than the war on spam or the anti-virus front, or any of the others.
It's not a failure of technology. It's BAD PEOPLE, exploiting BAD SOFTWARE, who aren't being dealt with because of BAD EXECUTION of BAD LAWS. Fix the software, the law, and the enforcement of the law (esp. jurisdiction), and you'll neutralise 95+% of the bad people.
This crap is criminal. Crimes like this are sheltered by discussions about philosophy, politics, jurisdiction, and technology. If people would stop discussing and arguing, and start working together on the problem, it could be eliminated in under 24 months.
But convincing people to work together is impossible, so we might as well get used to it.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
The simple problem with the fight against botnets is that it's asymmetric, and not in our favor. The bots are in a place that is particularly difficult for someone attempting to dismantle the network to reach, the property of someone else. It's not the technical problems that make a botnet so difficult to dismantle, but the legal ones.
The botnet creators don't give a damn, their objective involves breaking the law (where there is one) in order to hijack someones computer. Someone attempting to destroy the botnet is likely to be atempting to operate within the law, which requires notifying and enlisting the support of the owners of the compromise machines, many of which:
a) are difficult or impossible to contact
b) don't speak your language
c) don't understand anything about the problem
d) don't care
Any single instance of a botnet may have weaknesses that permit its demise without running into potential legal problems (such as a poorly-secured disable command), however botnets as a concept have no real theoretical weakness given the appropriate cryptography and care of construction. Decentralised, failure resistant networks of cooperating nodes is a well researched area and at the level botnets operate, barely constitute a challenge to anyone with the necessary knowledge of protocols, cryptography and programming.
They're here to stay, there is no practical non-desperate legal changes or technical tricks which will kill the concept entirely. Even if the general level of internet security increased 10-fold, there'd still be more than enough vulnerable computers to support botnet operators, and lets face it, that level of security change is not going to happen. Even if the general OS level improves, old and embedded (non-patchable) devices are still plentiful, and there will be more no-patch applicance like systems in the future which will continue to be exploited.
As a systems administrator or someone otherwise concerned with the impact, the rules are simple. Stay patched, Stay vigilant. If a large botnet decides to get you, hope your ISP subscribes to something like tipping-point that will give them a head start on deflecting the inbound traffic. That's about it.
You can't win a fight.
Bah, should be episode 46, not 4. Yay for proof reading.
Run for your lives! Oh... wait.
This has been discussed on Slashdot before, but it seems relevant here. If it proves impossible to stop self-replicating worms by patching holes, you can either have mandatory auto-updates provided by a "trusted" source (your friendly OS provider), or launch active defenses: white-hat worms whose payload is the patch itself. Or an anti-botnet which DOS'es infected hosts (similar to what BlueFrog tried to do for spam). Of course these cause problems and can be gamed (someone spoofs an attack as coming from you, bringing the anti-botnet to bear against you, etc.)
The basic problem is: manual patching is never going to keep up with automated discovery of vulnerable machines. You either need an automated fixing process (immune system), or you need to clamp down heavily on allowed interaction (boy-in-a-bubble style).
What's needed is for someone like NY Attorney General Elliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.
Sue the IRC networks first; that's what makes it dumb shit easy for these guys to set up their botnets.
I had a machine hacked by a german movie filesharing group, and they incldued a bot which logged into their channel on Rizon. Like a good little admin, I logged into rizon, checked out the channel. It had several thousand users, a whole slew of fserves...and ZERO conversation. None.
I went to #help and reported the botnet attack and the response was: "hey, you want us to shut down one of the most popular channels here because of a evidenceless accusation that you were hacked by them and used as one of their fserves? LOL ZOMG GET SECURITY AHAHAHAHAHA LUSER P0WNZORED" etc. etc.
It is patently obvious that the Rizon admins are FULLY aware that they have dozens, if not hundreds, of illegal filesharing groups that are using botnets to set up fserves, attack other systems for more bots, etc. They're doing jack shit about it (and in fact, they're making it easier- they now support SSL connections) and I think it's time someone sued them to hell and back. It's time IRC operators were taught that you can't knowingly support criminal activity, and that if users report hackings- they need to look into said reports and act on them. I also think it's time IRC traffic was considered "highly suspicous" and monitored by ISPs for fserve commands and such; fserves have no real legitimate purpose today, except illegal filesharing.
PS: Next time you download a movie or program, bittorrent or IRC DCC....realize that it was distributed, most likely, by a group that hacked unix systems. Those systems were owned and administered by people just like you, and that person is going to have to deal with the damage and headaches. Just like you will, some day.
Please help metamoderate.
Set up a bridge without an IP address and install Snort on it. On FreeBSD or OpenBSD, this procedure is a snap. Your mileage may vary, query Google for assistance.
Snort identifies traffic by signatures, so instead of you eyeballing suspicious patterns, it can tell you if certain phrases are used, certain protocols, or what-have-you. Writing your own signatures are a piece of cake and the process is well-documented.
The bridge sits at the mouth of your network (behind your firewall) and can be used to identify what is getting past the firewall.
For the crafty -- use Snort2pf to automatically block inappropriate traffic. I used this to discourage eDonkey usage on school system's computer network and it worked like a dream.
The botnets aren't using public IRC servers, they're using servers specifically set up to control botnets.
ResidntGeek
This isn't a battle for/against botnets. They're just the symptoms. What this really means is that the battle to have secure home PCs is lost. I won't even get into the Windos vs. Real OS discussion. The point is deeper still: Our homes are safe from burglars because those with the great skills and expert tools don't break into homes, they break into banks.
Not so on the Internet. Due to automation you can play the numbers game, and taking over 100,000 machines is feasable, less risky yet possibly just as profitable as breaking into one bank.
The best non-computer equivalent I can think of is the plague. Welcome to the crowded cities of the middle ages. Even if you, personally, are safe, you're still affected. Think about it.
Assorted stuff I do sometimes: Lemuria.org
Because every now and then there's a vulnerability in PNG.
No shit. Simply decompile the exec, get the password (shouldent be hard, unless it is encrypted, usually isnt), get the server ip/port/password/channel and possibly channel key, join the channel, login to the bots (.l password or what ever) and do
Now now. I am a Linux fan and such, but blaming Microsoft here is just stupid! You know why? Because usaully the thing is exploited hasent been patched yet. Every program has bugs, thats just how it is. Get over it. And how is it expensive to maintain windows machines properly? Windows Update is free, no?
While *nix botnets arent nearly as prevalent as Windows botnets, there are still ones out there...Dont think you are exempt.
Its very easy to get your identity stolen these days..Simply do some SQL injection on a pron site or what ever, then boom, you got yourself 5k credit cards. Were you dropped a child? On Windows, you cant delete a exec if its running..and most botnet execs fuck up things like the task manager and have backups of themselfs on your box. Easier said than done. How does your 'software' know what on the machine is a trojan? That wouldent be very good would it if your 'software' illegally compromised hosts trying to get rid of the trojans and accidently got some guys stuff that isnt infected? Also consider, when ever a new exploit is leaked in to the wild, all of the current botnet trojans are updated with it...There are widely diffrent...there is no plasuable way to just rid of all hosts comprimised with hole ____
Seriously. Does this beowulf botnet run linux? Are linux hosts being deprived of the global machine endeavor to sell us more v1agra and inform us of opportunities to participate in online gaming? Can we not assist in the provision of "bulletproof hosting"? Does *BSD not deserve to take it's place in the pantheon of truly "highly available, totally reliable, even if netops doesn't want to run them" services? I say if an open source OS can't support these services, what good is it? This is the future of clustering I tell you!
TFA says only this:
Surely something can be done to get our linux and BSD boxen involved in this noble global effort! Sure, with their limited user base all ten of the OSS servers on these internets would hardly make a splash in the ocean of Windows boxes, but every little bit helps. Something must be done. Somebody start a project or six on Sourceforge and do something about this.
Help stamp out iliturcy.
This was the subject of "As the worm turns", in the first Stealing the Network (an AWESOME book). The protagonist disassembles a worm and then figures out how to fix, with some unintended consequences. A great read, the story is fictional but the technology is VERY real. Almost a HOWTO in fact.
"Chinese Amazons, power armor, laser swords.... things just meant to be." - Shampoo, A Very Scary Bet
ARP should not matter on the firewall.
Anyway, the easiest way is to monitor traffic by IP address, at the firewall, during times when no one should be using the computer with that address. If the machine is doing anything that goes through the firewall at 1 am, you should investigate.
On a home network? Probably no one.
On a business's network, that's completely different. If you leave your network open and are cracked and you lose you credit card numbers, that's between you and the bank. If a business leaves its network open and is cracked and loses YOUR credit card number, they can be sued.
The problem is that not many "network administrators" really know anything about their network or security. There are an almost infinite number of things you can that will take time and money but that will not actually increase the security of your systems.
Education is the beginning.
ISPs that tolerate insecure computers need to get blocked. Blocked from everything. It COULD happen, if Comcast and AT&T both decide they've had enough.
This would have the added benefit of stopping a lot of spam.
Yes, RBLs didn't get rid of spam. But they sure did (do) help. And a good part of the reason they don't work better is botnets. (remember Blue Security?
-Daniel
Ownyourphone.com. Custom ringtones, cheap and easy
My Start icon is in the left upper corner...does it mean that I am safe? Maybe I can confuse the dark forces....
If you do not know how to check, I can assure you that your network is fully owned.
Got Code?
There have been attempts at doing so with worms
In theory, there is nothing stopping the "researchers" from having the zombies identify their OS's, download any patches, install a personal firewall and automatically updating anti-virus program and then removing the original infection.
Sure, many would be re-created due to the user's ignorance, but this is the only way to "deal" with the zombie problem at the "researcher's" level.
No need for a trojan / worm / virus. They should have sufficient control of the zombies that a script could do it.
Slashdot needs a mod option: +1, Whatever.
Given where you work, I would suggest security is a state of mind. Do not trust what people put forth as "secure". However it is almost certainly not your problem. If it is your problem, then no matter how small or large your instalation is, I have this to say:
Hire contarctors to evuate your installation. They need not have real access, in fact they should be able to propose possible vulnerabilities without real access, assuming they can ask questions. So you hire them to ask questions, you take note of the questions they ask. Maybe you hire one or two and maybe you hire none. You have just paid people to ask questions about your system. If it were me, in your shoes, and assuming you have power, I would call back the ones that asked really good questions, and explain to them you want more. And then pay those guys.
And then fix your shit. You will end up with some pretty good analysis (first level only) and its on you to decide who you want to invite back. It is OK to initially invite local contractors, but only give out information if they give you a "good vibe".
So back to your original statement "I work at a hospital. Sometimes I wonder whether our computers really are as secure as they should". If you have to ask, then you do not have a qualified team to deal with this. Your second thing is more pointed: "All the computers have AVG installed, but is there something else I can do to check?". I am sorry, if you are really in charge you need to hire someone who can deal with this ASAP. It will take too much time for you to come up to speed. I have many times heard the arguement "but we are small" however you gave the word 'hospital'. Secure your data. If you have lack of funding then get the funding. It seems I cannot stress this enough. You expect the doctors to "do it right", your patients expect your entire facility to "do it right".
On a last note: Bringing someone in who knows more than you does not threaten your position, it only means your a decent manager.
Also, not to be critical, but you mention "AVG" in the hospital [record?] context. I will not say you have no clue, however you have no idea what your dealing with. The world is far more sinister than you know. AVG is a method of turning a 'blind eye'.
If you truelly are involved with IT at a hospital, I would be willing to hook you up with a clinic that has won multiple state and national awards for its handling of IT. They would be willing to help for free, its the way they roll. They do it up right. However, I would have to make sure your for real before I bother them, with you.
I am not sure how we would do that, here on slashdot. Tell you what, you give me an inclination via response and I will figure the mechanics out.
No hospital (or clinic, or eye doctor) should be without real protection.
--dant
I think you underestimate just how much I just dont care.
What does it matter, really, if you've been rooted?
The sad fact is that no matter how often you're rooted, as the other post quite clearly pointed out, you're never going to get approval to remove the defective software that allowed it. If knowing creates willful negligence but not knowing doesn't, there's a certain advantage in not looking.
Just watch your netops keep uninstalling the more obvious malware and reimaging your boxes every few years and pretending everything is ok. Nod when they call the AV and the firewall edge box due diligence and don't watch those road warriors connect their notebooks to your localnet. You never get documents with executable content in email from outside your network anyway and if you did the virus scanner would stop it before delivery, wouldn't it?. Nobody on your network would click a suspicious link. These are not the rootkits you're looking for. Repeat after me: "I am so shocked! Gosh those hackers are clever. I hope they go to prison for a long time if they're ever caught using their completely anonymous fault tolerant botnet."
Now go heal some sick people, and never get admitted to your hospital under your own name.
Help stamp out iliturcy.
Obligatory http://grcsucks.com/ link, because Steve Gibson ... well, he sucks.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
Unitl people are punished for their system's behavior, nothing is ever going to happen. Yeah it's annoying for most people to get rooted, but other than that, why should they care? Now if you were legally liable for the damages your system did, regardless of whether or not it was rooted, we'd see a major change in botnets, and a LOT less people with rooted machines.
People only react to that which causes them difficulty, punish them for not taking care of their responsibilities and things will get better. But until then, it will only get worse.
You're part of a botnet? Pay a fine! Didn't know? Too bad. Just like your dog getting out and destroying property, if you don't care enough to protect others from your wanton disregard, it's going to cost you.
Nowdays - a lot as it is mostly manual.
In the near future - none. Most security "usual suspects" are working on network admission systems and how they fit in a business network. Some ISPs are looking to roll them out on public networks as well.
The general idea is that you do deep packet inspection on anything going in and out and any PC that suddenly exhibits abnormal behaviour is removed from the network proper and is put on the "naughty step" until it is fixed. Similarly, you can move any PC on your network to and from a naughty step area automatically based on a set of conditions.
Most elements to do that are already there so it is only a matter of time until this becomes the de-facto network design standard for LANs and access networks.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
when high technology was its own idiot filter are long gone.
It is illegal to drive a car on any public road without a drivers licence, for the safety of other road users. Why shouldn't it be illegal to connect a computer to the internet without the proper qualifications, again for the common good? Keep all the stupid off the internet and the situation is bound to improve because there will be less opportunity for the greedy to exploit them.
If companies know the means of advertising (i.e. malware) are illegal, why aren't we going after the companies that use such methods? Admittedly, some viagra knock off company in Mexico is difficult to go after, but wouldn't it be easier to get rid of these intrusive networks by cutting off any reason for them to exist?
Publicly executing a few dozen botherders would be a good next step.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
It's going to hurt. It's going to be painful. But when you're losing a war, you have to take defensive steps that work.
Sue the IRC networks first; that's what makes it dumb shit easy for these guys to set up their botnets.
That's like saying "sue the website networks for distributing illegal content". IRC is a chat protocol. Anybody can run it. It is also widely used for open source development and other legitimate services. Apparently, your mind has been warped so badly by Instant Messaging services that you think any such service needs to be controlled by some big corporate entity.
I had a machine hacked by a german movie filesharing group, [...] by a group that hacked unix systems.
I strongly suspect you're just spreading FUD: you don't sound like you're in any position to run a UNIX system, and even if you are, based on your comments, you don't sound capable of securing it, so it's no surprise that you got hacked.
it all points back to Microsoft Windows, since the MS-EULA only gives the end user the right to use the software and not own it then Microsoft is responsible for the vulnerabilities in thier products...
Politics is Treachery, Religion is Brainwashing
Now if you were legally liable for the damages your system did, regardless of whether or not it was rooted, we'd see a major change in botnets,
You'd see a major change in government and the law swiftly gone is what you'd see. Well, in any democracy, anyway. This simply won't resonate with people's sense of justice; to most people it would seem like holding you responsible for what any maniac does with your stolen property. And I'm not even talking about stolen weapons here, but any stolen car, hammer or length of rope.
But there could be a kind middle ground: require ISPs to quarantine infected machines, and fine _them_ if tey don't. Just like regular quarantine: not punishment, just necessary protection until the threat is gone, even if the individual is not at fault. The hard part would be motivating the ISPs to follow the rules, i.e. the technical ability to check if they're doing it properly, having the capacity to perform those checks, and suitable readctions if they don't.
Of course, both these strategies have the gaping flaw that they only work within each legislastion, which the internet famously does not.
sudo ergo sum
I'm sorry, but when i saw the following in the little slide show linked to in the summary:
This is an example of the welcome message from a live botnet IRC session. This is what a victim machine would see -- lots of cryptic data (potentially code), an IRC connect message
i'm seriously starting to doubt the guy that set up the slide show. Maybe it's cryptic to him, but to anyone that has actually taken a look at how irc works it's plainly obvious that these are simply the server reporting what it can and cannot support in terms of modes for channels and nicks.
People replying to my sig annoy me. That's why I change it all the time.
No. We can stop this war from happening.
All we need to do is send a single person back in time to the year 1955 (perhaps powered by some combintaion of The Wayback Machine and Google's Solar Panels to assassinate Sara^H^H^H^HMary Gates before Bill is born, this will prevent the formation of Microsoft, stopping the PC timeline with Tim Paterson's QDOS and relegating Steve Baller to a life as CEO of a frozen yogurt chain. Windows will never get written and Botnet will never be able to replicate and come online!
Want to find and fix any infected machines at work? Build a tool for your sysadmins to find them with, do an audit of the machines that need cleaning to find the *other* things wrong with them as well as identifying those that are running potentially critical activities that need to be salvaged carefully instead of by scorched-earth, and let them use whatever tools are appropriate to fix the holes it finds.
Want to find and fix the buggy machines on your cable-modem company's network? Build the tool and sell it to them, or give it to them and teach them how to run it. Don't go looking like Yet Another Zombie-Master who's trying to maintain some pretense of legitimacy - if you're going to be legit, be legit, and if your cable company's too clueless to accept your 1337-k3wl program, then build a different program to block packets from your fellow customers or get yourself an ISP that's clueful enough that they don't need your program.
Want to fix the buggy machines in Korea or the spammer-friendly hosting in China? Go ahead, make their day, but don't tell them *I* said it was a good idea.... And besides, it's really easy to blackhole-route them so you and any machines you control simply don't get packets from there and can't send packets back.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You seem to have caught the W32.TaskBar virus, specifically W32.TaskBar.Top variant.
The most effective way I have found in fighting the botnet pandemic is quite simply educating people about the threat, and convincing them not to download stupid shit.
I caught the Mountain Wumpus! He gave me his treasure chest ($100) to let him go free again.
The battle is not lost. Some online casinos fought and won the battle.
Read here here.
Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
Most people, including extremely technical people, don't know exactly what is going on on their systems at all times, be those Windows, Mac, or Unix systems, or anything else. Why don't you tell us your foolproof method for knowing exactly what code is running on a system in the presence of rootkits and thread injection?
Your dog analogy is broken: a good dog owner knows what the dog is doing at any moment in which it could cause harm to someone else's property. Even a competent technical person has no idea what's going on on their computer with a rootkit cloaking the traces.
Guess what? I've been a professional reverse engineer for three years, and I still say this.
Picture 2 and 3 are really just normal IRC connect picutures and an abandoned channel with X still in it. Any body who knows a bit about IRC knows that X is NOT a "cryptic controller" but just a function of the IRC network that protects a channel from rogue takeovers. Picture 7 ain't really thousands upon thousands of bots, just the "eavesdropper" and two regular operators. And it is the eavesdropper that is isuing the commands?
Please o please, let me have some security proffesionals who knows what they are talking about.
Will work for bandwidth!
``Is the Botnet Battle Already Lost?''
No. There are measures that will completely eliminate botnets. The question is: how far do we want to go? There comes a point at which the cost of botnets is less than the cost of the countermeasures. For many amateur admins, that point is right now; they don't notice if their machines are compromised, so they don't have much of an incentive to secure them properly. That's why we're losing the war.
Please correct me if I got my facts wrong.
I work at a hospital. Sometimes I wonder whether our computers really are as secure as they should. All the computers have AVG installed, but is there something else I can do to check?
Set a network switch or hub right behind your keyboard so you can see the status lights. If it seems a little busy when you are not doing anything, somebody may be using your computer remotely. I think more computers need the NIC status lights on the front of the monitor, not the back of the PC.
The truth shall set you free!
The screenshots in the article slideshow indicate that the particular live botnet operation they used as illustration is most likely serbian.
The word "KPAJNHA" occurring in a IRC server name is actually the serbian word "KRAJINA" writen in cyrillic, using latin alphabet characters to represent similar cyrillic characters (P for R, N for I, H for N). "krajina" translates roughly to "shire" or "county" in serbian and "Krajina" with capital K was also the name of the ill-fated rogue serbian republic that existed on croatian soil between 1991-1995. In another screenshot we see an IRC channel named "armija" which is serbian for "army" -- I can imagine an operator would name his swarm of bots an "army".
Sig erased via substitution of an identical one.
"BANG!" goes the ClueHammer
parent links to a shock-site...
a port-80 restrictive firewall
And how would this prevent exploits in applications that can use the port 80, like browsers ?
Sites like http://secunia.com/ are full of reasons why a restrictive firewall is clearly not enough.
BANG!" goes the ClueHammer
On the shelf right above my monitor is my printer shelf with the LAN switch and router. If something starts spewing, it gets noticed. Client/server traffic is easy to spot as only two ports have a burst of high traffic. Something port scanning tends to light up the switch between the bot and the WAN. If I get slow net response to loading pages, I make it a point to check the switch first and the router second. From there I walk over to the busy computer to see if it's a user download of media, patches, VOIP, or something else.
If an idle computer is spewing, it gets unplugged to free up bandwidth and left unplugged from the net until it is analyzed and fixed.
The truth shall set you free!
If you're running windows, you don't get rooted. Instead you get administered.
"We are all geniuses when we dream"
- E.M. Cioran
If you can spare any keyboard LEDs. This little tool might help.
__________________________________
Free your mind - Flush your toilet
I appreciate the work these people are doing in trying to stop the botnets, but in order to fix something in many cases there needs to be a disaster. I say let the botnets do their thing. When 100,000 people get together for a class action lawsuit to sue an OS or application vendor for poor security that allowed their computer to get zombified and participate in illegal activity the world will wake up.
That works only in the smallest and most simplistic installations. In the real business world, you usually have more than one switch, and they most likely sit in a rack in a closet or server room, and not on a shelf in an office. Hell, I even use a rack in the basement of my HOUSE.
The REAL answer, in a comment by another user, is to run Snort (or other IDS) on a bridge.
Trying to stop botnets by taking-down servers is like trying to stop rock-throwing by confiscating rocks.
An exercise in futility.
You stop rock-throwing by going after the throwers. If these propeller-heads would stop playing with their toys long enough to spend fifteen minutes talking to the nearest cop they would realize this.
Ignore the silly botnets and invest the resources to find and punish their creators. Criminal behavior declines only when there is substantial risk of substantial punishment. Until that risk exists, you're just wasting everyone's time.
'Nuff said.
Regards;
"How about installing a botnet that you use to target the computer systems of the bad guys?"
Unfortunately, the world does not work this way. These guys create botnets because they have a greater knowledge of computers than the average joe, and I'm willing to speculate, most or all of them know how to secure their own computers from hacking attempts.
---FourChannel---
... or boot into a second "bare bones" installation of Windows on a different partition so that you can do maintenance on the primary Windows installation. Doing so makes it trivially easy to backup the Windows2000 registry for example. Simply copy the "system32\config" directory and its contents to a backup location. I also use the second copy of Windows to degrag and run virus scans of the primary Windows installation, and to delete problematic files.
That's one of my complaints about Linux; ie, why can't I have two or more installations of Linux on the same machine just like I can with Windows 2000? At present I have a triple boot system that can boot into either one of two versions of windows or one version of Linux (Mandriva at the moment).
9/11 Eyewitnesses to Explosive WTC Demolition 1 of 2
You forgot Redundant.
Web 2.0 == Giant Blogspam Circle Jerk
I think the general solution is to not have people with full-function read-write OS and filesystems. 99% of people don't need a full blown "computer". They surf the web and do email and that's it. What they need is something like an X-terminal where there is a browser and email software in firmware, and that's it. Updates could be done but everything would be signed digitally and come from a secure location, or done manually, and never without operator approval.
It's certainly not informative nor insightful. It should be modded either offtopic or flamebait, yet some still mod it funny after the 10 thousandth time it's been posted. Apparently a cheap shot at Windows never goes out of style.
If IRC went away tomorrow, botnets would be back in maybe a week at most. There are plenty of options for them. Peer to Peer command and contro, setting up their own IRC servers on someof the compromised machines in the botnet, etc.
If you mod me down, I shall become more powerful than you could possibly imagine.
If "tubgirl" is anywhere nearly as disgusting as "goatse", I feel very fortunate to have never viewed it.
9/11 Eyewitnesses to Explosive WTC Demolition 1 of 2
That works only in the smallest and most simplistic installations.
Yup.. Where are the most bots? They are on a home LAN on a cable modem where children collect all the cute toys.
I gave up on the kids machine from too many reformats in two years and stuck on Ubuntu. No major problems since. They are waiting for Flash 9 for Linux to use on MySpace.
The truth shall set you free!
What OS are the vast majority of the nodes on these botnets running? How would botnets be possible without a readily available supply of easly compromised Desktops.
"Next time you download a
It's not necessary to hack an IRC server to set up a botnet just set up your own channel. Tell us what are the names of these hacked Unix servers running botnets.
re Re:Sue/address the IRC networks, first.
davecb5620@gmail.com
this whole thing is just ridiculous... but the basic tools to provide systemic distributed security have been published for quite some time
What's ridiculous is that these systems are getting so damned complex that now we've got pwning via buffer overflows in video card drivers.
When you can't even trust your own hardware not to betray you, then who you gonna call? Ghost busters?
You have no idea how depressing it is that I can't decide if the above comment should be modded flamebait, funny, informative or insightful.
I knew I should have copyrighted my sig.
I can't decide if this post is interesting, funny, insightful, or flamebait.
I prefer to use a mirrored port on my switch. This keeps me from having to unplug the entire network to slip the bridge in place.
Cheap storage VM.
Yeah...that's all well and good as long as the traffic isn't encrypted (it probably will be)..or it it's not, you know what to look for to write sigs for (you probably won't)...or you know which domains people in your network shouldnt be going to and youre watching dns logs (you probably won't). With all of the custom and targeted attack vectors, the fact that so many attacks have moved up the stack to layer 7 and above (humans), Network IDS's have passed their due date. The only thing that can really help is to engineer your host systems, create well defined policies, and install local host system monitoring software (HIDS, etc.), and secure those logs from tampering. Network security monitoring at this point is really a lot like airport security: It gives people a warm and fuzzy, but it doesn't accomplish much and the effort is better spent elsewhere.
Nice to see that Eweek and Slashdot editors failed to note Gadi's hobby as NANOG troll. His chicken little ravings about botnets aren't taken seriously there, nor should they here.
I always thought the botnet problem stemmed from a fundamental problems in Windows security. With Windows NT, we could secure the file system, secure printers, and secure network shares. We still could not secure the processor. The processor would run whatever code that happened to be loaded. Internet Explorer allows anyone that can figure out how to get the smallest piece of executable code onto your system a chance to run it.
Since Windows NT, we have Windows 2000 and Windows XP. Each seemed to progressively water down the security model until today, where every XP user is pretty much logged in with Admin rights.
We can secure the file system. Why can't we effectively limit what code the CPU executes?
I have a lovely wife who surfs the internet constantly. She has a bot on her Windows Box. I noticed it when we sent out 86 thousand emails in one day. (it helps to monitor your port 25!!). Okay.. so she is compromised.
Norton, Spybot, etc CANNOT detect what she has. Netstat shows the connection but taskmanager etc does not. I block port 25 from her computer as a precaution and the darn computer starts searching for smtp servers on the local network. I use qmail-auth and it prevents it.. however I have no trust that it cant use UPnP or something else to change my main router.
So.. HOW IN THE HECK do you REMOVE stuff that you cant find? I really.. REALLY.. dont want to reformat and reinstall because there is no way this should be hidden to adminstrator on Windows XP.. but it IS!
I can program myself out of a Hello World Contest!!
Are security costs an external cost related to running Windows?
If security costs had to be borne by Windows users, would we live in a different computing world?
Hold users accountable for the damaged caused by botnets. If I leave dangerous crap on my lawn, it's my fault. If I leave a gun on my porch, and someone uses it to rob a bank, I'm accountable. If my company runs an open SMTP relay, and people get spammed, it's my fault.
Why should an insecure computer be any different?
It's not like you don't have a choice. De facto, purchasing a Mac or Linux computer renders you 100% invulnerable to this kind of crap, with only theoretical vulnerabilities out there.
Use a Windows computer, don't secure it? Pay the price. If you don't want to risk your system becoming a bot, run something that doesn't get rooted.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
No, a competent technical person should damn well be able to know what THEIR computer is doing at all times, at least as far as network access is concerned, and that's the concern when it comes to botnets.
If you lack the ability or knowledge to monitor what your computer is doing on a network it's connected to, you've got no business being called technical. A packet sniffer on the network isn't affected by a rootkit on . Simple access rules on a consumer grade router can cut off access to any particular IP space you don't personally use or find suspicious, and are utterly unaffected by a rootkit on its local network.
No, Joe Average can't do that, but any reasonably computer savvy person can install Linux on a junked PC, run ethereal, see what's going where, and close off access in their router.
that most people don't care a shit. And people who do care either have to learn to live with banging their heads into major walls, or just give up. Most things that sound sensible, for example disconnect infected computers when reported and only reconnected them when they are guaranteed clean, and have the owner pay a reconnection fee, are not going to work for several reasons like customers move to the next ISP which doesn't care, or the overhead of such measurements. And so we will live in the Wild, Wild, West of the Internet for probably 10-20 years more, letting the criminals get (even more) firm roots.
Perl Programmer for hire
The combover is ALIVE i tell you, ALIVE! Hooray for Patrick Jordan!
once again a blanket statement that is incorrect. GENERALLY botnets aren't using public IRC servers. However ive seen several botnets run on servers that I have had oper rights on.
Hey, I attended a computer engineering graduate seminar at my school (University of Central Florida) last week, and the topic was about Modeling and Measuring botnets. Dr. Cliff C. Zou had some novel ideas and has recieved a grant from the NSF to further his research. His published works can be found by searching google scholar (I just checked).
We weren't talking about flow based monitoring at all. We were talking about snort and signature based network IDS directly, and by originating implication, "finding rooted boxes" and botnets. Ive used Cisco, Dragon, ISS, Sourcefire, Snort, Intrushield, and others in more than a couple of environments. The vendor is immaterial, it's the base technology in question that is the problem. Signature based network IDS's are a waste of time and energy. There are more efficient and better equipped ways of accomplishing the same thing.
As far as flow data goes, yes, you can see on a large scale that bad stuff is happening. Chances are, though, that most of the time youve already figured that out from other indicators that are better placed than on the network.
the other problem, and this is (and it's a big one) is that the attacks are moving so far up the stack and are so much less about massive waves of activity that flow data is simply become completely generic...like watching US highways from space without looking for specific cars...yes, if there is a pile-up you might see it. But...so what? You sstill have to go down to groundlevel to find out why...and you wouldve found out about the pile-up without viewing it from space.
As far as the darkspace goes, no one had yet (VzB, Im looking at you) done the right thing and used data compared from globally distributed HOST sensors grouped into profiled system classes to compare against dark IP space...they haven't even compared dark space to endpoint network sensors. To just look at dark space without tying it back to the endpoints is just to be able to say "Yes, theres more traffic there --->". Without that additional data, anything more is pure speculation...which ends up costing money and effort to verify. In the effort and money gone through to verify, the endpoints may have well dont it themselves and skipped the ISP's data altogether. This is because to make the ISP data useful, the endpoints have to still go through the effort and cost that they thought they were saving by using the ISP for this information anyway.
As far as worm activity goes, that is more efficiently mitigated at a managed host level and can do things the network level mitigations CAN do and things network level mitigations CANT do. To do those things at both is duplication of cost and effort.
As far as "known signatures for malware" for NIDS go, if you have known signatures you probably also have "known signatures" for AV...so why spend money and time on both? You have to put the sigs on the endpoints regardless, so why not spend the money you would have spent on NIDS on making the endpoint security better? You lose no functionality, but youve saved time and money.
Meh, but doing it the right way would sell less toys...
(please pardon the very large number of typo's there, this keyboard is NOT what Im used to typing on)
The problem is, it's accurate...well, sort of.
It's not really accurate, as it's quite possible to have an uninfected NSWind machine. I've got an uninfected MSWind95 box. It never connects to the internet. This SHOULD be the answer for most hospital computers, though I would bet that it isn't, as it would require a separated LAN, and that no box that ever connected to the net was later connected to the LAN. Difficult to enforce.
At any particular time there is, or may be, a secure way to connect a particular version of MSWind to the net. Unfortunately, there are so many exploits, that it's essentially impossible to follow them all, and the virus protection companies have PROVEN themselves more interested in collecting money than in protecting their customers. (Consider the recent Sony rootkit...known by all the virus protection companies, and detected by NONE of them.)
So. The simple way of saying this is "If you've got MSWind installed, presume that you are infected." This isn't guaranteed to be correct, but it's the safest presumption and it has a quite high likelihood. Indirect connections (firewalls, etc.) can be tunneled through. They increase the feeling of security to a much greater extent than they truly justify.
That's why the jokes. It's a kind of bitterness at the situation that people are forced to live with and deal with...and which the end-users insist upon, largely because of ignorance. They don't, and WON'T, consider the risks that they are taking. They are a mix of ignorant and willfully ignorant. (You think they're alone? Consider programmers and legal matters. Or social.)
We live in a society that's too complex for anyone to understand. So different people understand different parts of it. This tends to lead to frictions between parts that NEED to work together.
I think we've pushed this "anyone can grow up to be president" thing too far.
I have to disagree with you on all counts. I check my systems regularly, of course my systems are pretty iron clad at this point, mainly because having one of the older domains on the internet hacking attempts occur almost hourly on my system. If you're going to have a windows box attached to the internet, and you're not keeping an eye out for attacts, then you should at least be running some sort of virus protection on a daily basis. I have my destop system buried behind multiple layers and I still check its traffic daily and run regular virus, spyware, and adware checks on it.
If you're going to run on the information super highway, you need to take at the very least the basic precautions. Otherwise you're as guilty as the dog owner who lets his dog run wild in the neighborhood cause he didn't bother building a fence. And just as guilty.
I'm not talking about the good owners after all, I'm talking about the bad ones. Which on the internet is a rather large number. Otherwise there would be no financial incentive for spammers in the first place, correct? And the Botnets would be small or non-existant, right?
That's not the hardware. That's residual closed-source software.
Maybe I WILL go with Intel the next system I buy. They seem to be the only Open-Source option. (Matrox seems to only sell multi-headed systems.)
Hey, AMD! Are you listening to me? I've spec'd you for my last several systems, but this is a big enough deal to make me change my mind. It's not the performance, I have Intel down as being charged a 20% penalty for bad corporate behavior. It's having Open-Source code. That's worth around 25% just by itself.
I don't do fancy graphics manipulation. I just want a high reslolution screen...with open source drivers. Unfortunately, the nv drivers won't go very high, and the reason for this is fairly clearly laid at NVidia's feet. ATI is reported not to be any better. This isn't my area of specialty...I just know how I want my screen to look. 1280x1024 is fine. 1024xWhatever isn't. (Were I to get a larger screen, I might want a higher resolution.)
I think we've pushed this "anyone can grow up to be president" thing too far.
How could we tell you from the other bad guys?
I mean, YOU may know that your heart is pure, but how could we know that?
I think we've pushed this "anyone can grow up to be president" thing too far.
"...but we're only now figuring out how they really work"
it's not like it's an alien virus.
Jeez, they're created by people, I suspect that they know how they work.
The Kruger Dunning explains most post on
it's the best post of this millenium!
The Kruger Dunning explains most post on
I'm glad that you mentioned flow-based monitoring. I'm not involved with the project at all, but using http://www.ntop.org/">NTop to monitor NetFlow/SFlow and MRTG/Cricket to monitor traffic crossing switches is a good way to detect illicit file sharing.
It looks like good things are coming from the Prelude project as well, though I haven't used it so if anyone has anything to say about it, I'd love to hear it.
And this is why one should preview their comments.
It doesn't even matter. As far as I know IRC is only used because it's an easy protocol to write, and server code is widely available. If security companies magically make botnet operators stop using IRC they'll just switch to more direct custom protocols, which will have to be reverse-engineered.
ResidntGeek
"The problem is, it's accurate...well, sort of."
Perhaps, but off-topic to the discussion at hand.
"...as it would require a separated LAN..."
Businesses have separated LANs connected to to other LANs and the internet through firewalls. It's not like this is a revalation nor is it sufficient to protect machines. The highest security applications don't connect to the internet or to a LAN at all, they lock down physical access and prevent unapproved software from being installed. This is not new.
"(Consider the recent Sony rootkit...known by all the virus protection companies, and detected by NONE of them.)"
It requires the user to run an untrusted app off of media installed in the drive. Hardly an internet concern.
"If you've got MSWind installed, presume that you are infected."
OK, as long as you extend that to Linux, OS X, etc. I don't presume what you say at all, as you are suggesting that essentially 100% of the systems out there are compromised. Can you prove that?
"That's why the jokes."
No, that's not why the jokes.
"It's a kind of bitterness at the situation that people are forced to live with and deal with...and which the end-users insist upon, largely because of ignorance."
No one's forcing you, and there are plenty that consider your views to be due to ignorance, me among them.
"They don't, and WON'T, consider the risks that they are taking. They are a mix of ignorant and willfully ignorant."
Bullshit. The market is inherently going to adopt what it considers the preferable platform and that platform will inherently present the biggest target for abusers. The ignorant are those that believe that replacing Windows with something else is going to change that.
Officer - "Your knife killed the man, you're charged with murder"
Homeowner - "But I didn't know it was missing!"
Officer - "Doesn't matter, the murderer stole it from your house."
We need to figure out the protocols botnets use, crack them to destroy themselves and reveal the owner, then torch the owner's house. Then we torch the owner. And then we sue the family for damages, including the cost of the blowtorch. Yes, I'm kidding, I just wanna see one of those charts for this solution.
Please, for the good of Humanity, vote Obama.
Remember those Windows Messenger Service spam messages that became popular with Windows XP? When you get attacked by a botnet, try to send a WMS message to each of the attacking IPs. e.g. "You are infected with botnet software. Please remove it." I know that most XP machines have the WMS service turned off by now, but the cost to trying to send a message is negligable and I'd be willing to bet that there is considerable overlap between unpatched XP systems and systems with WMS on.
Your post, in fact this whole discussion, scares me.
Thank you.
Revive the Constitution.