Is the Botnet Battle Already Lost?
An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."
I don't think that bots are invited. This wouldn't make sense from an administrative view. The channels are probably password-protected. Nothing a little sniffing can't fix.
After all, the bot is code running locally. So if it contains any channel names, channel keys or cryptographic keys, you can get to them.
Check if there is a "start" icon in the lower left corner of your screen. If so, yes, chances are you have caught a virus, and your computer is taken over and controlled by the dark forces.
Firewalls are useful for monitoring traffic. The best way to detect a zombie computer is to look at the traffic coming in and out, checking for anomalies (such as excessive traffic to places nobody would be going to). Security Now is a great podcast that deals with security issues and locking down your systems. Episodes 3, 8, and 4 are particularly relevant. It can get technical at times but all-in-all it's a great explanation of how things work and what can be done to secure them.
Why hasn't anybody created a "good" trojan that uses as many common exploits as possible to infect these already infected machines with a port-80 restrictive firewall? I think for every somewhat bright for-profit trojan creator, there are thousands of brighter people that can come up with an intelligent plan to do this effectively. Use all spreading techniques that the best of the worst use, but minimize the wasted & bloated traffic, while fixing as many computers as possible. Should be simple!!
Only issue I see is legality. Technically however, I see this as very feasible.
You have no idea how depressing it is that I can't decide if the above comment should be modded flamebait, funny, informative or insightful.
What's needed is for someone like NY Attorney General Elliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.
Meanwhile, we may need some brutal firewalls:
We're probably going to see some companies going to a locked down firewall like that.
Modern botnet clients are pretty adaptable; they will download patches, modifying themselves to beat disinfectors. With care, and unless the net manager has taken extreme measures to prevent it, one can induce the clients to remove or disable themselves, rather than just trying to kill the control channel. Should that fail, one should be able to determine what fallback channels the botnet clients use and disable those before killing the current command channel.
What we need is a large number of ISPs to get together and say, "We trust each other to deal with botnets." Then, with a single command, any trusted ISP within the network could instantly send a command to another ISP to shutdown a site or server that is running a botnet. All of these actions would be logged and would be reviewed to make sure that it is only being used against botnets; any sort of abuse (like using it to shut down protest sites or copyright violation sites) would result in an instant revocation of privileges. This system would be much better than what we currently have: trying to call the other ISP, trying to get them to listen to you, trying to get them to trust you ... it can take days, if ever, to shut down a botnet on another network.
Cyde Weys Musings - Scrutinizing the inscrutable
Why not just physically unplug your computer from the network?
I am no expert in this area, but a thought occurs.
Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?
It seems that as soon as you have the original botnet software, re-engineering it for this purpose would be relatively trivial. Plus there would be the immense satisfaction of fighting fire with fire. The software could even remove itself as its final act, saying "I know now why you cry, but it is something I can never do" (although someone else might have to press the button to lower it into molten metal - "I cannot self-terminate").
The only reason I can think that this wouldn't work is that the 'antidote' software would be breaching computer security all over the place - basically doing the precise thing we are trying to stop. However, surely some sort of 'good samaritan' clause could be worked into the law - or the government could adopt responsibility for this process, or at least for pushing the button that sets each counter-botnet loose in the wild.
Of course this may already be the approach taken - I don't know much about the field, as I say.
Read Pynchon.
Useful in theory, but how much time does it actually take to monitor this? There is generally so much ARP and other traffic going on that I've found it's extremely difficult in practice to actually discover such a trend. iptraf and some other tools ease the burden by allowing device- and port-specific analysis, but still you really have to pay attention on a real-time basis or do a lot of data-mining. Who's going to spend this time on a home network, much less a general business environment where system administrators are already overstretched and security administrators are still the CFO's favorite line item veto?
There is no easy solution
Basically this is a problem with people owning computers who don't know how to maintain them properly
The cry of "I know, let's invent a computer that is smart enough to maintain itself!" was heard in the boardroom, and thus SkyNet was born - with the dual mission of perfecting itself and eradicating the useless humans that weren't even able to maintain it!
Seven puppies were harmed during the making of this post.
The so-called botnet battle is no different than the war on spam or the anti-virus front, or any of the others.
It's not a failure of technology. It's BAD PEOPLE, exploiting BAD SOFTWARE, who aren't being dealt with because of BAD EXECUTION of BAD LAWS. Fix the software, the law, and the enforcement of the law (esp. jurisdiction), and you'll neutralise 95+% of the bad people.
This crap is criminal. Crimes like this are sheltered by discussions about philosophy, politics, jurisdiction, and technology. If people would stop discussing and arguing, and start working together on the problem, it could be eliminated in under 24 months.
But convincing people to work together is impossible, so we might as well get used to it.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
The simple problem with the fight against botnets is that it's asymmetric, and not in our favor. The bots are in a place that is particularly difficult for someone attempting to dismantle the network to reach: the property of someone else. It's not the technical problems that make a botnet so difficult to dismantle, but the legal ones.
The botnet creators don't give a damn; their objective involves breaking the law (where there is one) in order to hijack someone's computer. Someone attempting to destroy the botnet is likely to be attempting to operate within the law, which requires notifying and enlisting the support of the owners of the compromised machines, many of whom:
a) are difficult or impossible to contact
b) don't speak your language
c) don't understand anything about the problem
d) don't care
Any single instance of a botnet may have weaknesses that permit its demise without running into potential legal problems (such as a poorly-secured disable command); however, botnets as a concept have no real theoretical weakness given the appropriate cryptography and care of construction. Decentralised, failure-resistant networks of cooperating nodes are a well-researched area and, at the level botnets operate, barely constitute a challenge to anyone with the necessary knowledge of protocols, cryptography and programming.
They're here to stay; there are no practical, non-desperate legal changes or technical tricks which will kill the concept entirely. Even if the general level of internet security increased 10-fold, there'd still be more than enough vulnerable computers to support botnet operators, and let's face it, that level of security change is not going to happen. Even if the general OS level improves, old and embedded (non-patchable) devices are still plentiful, and there will be more no-patch appliance-like systems in the future which will continue to be exploited.
As a systems administrator or someone otherwise concerned with the impact, the rules are simple. Stay patched, Stay vigilant. If a large botnet decides to get you, hope your ISP subscribes to something like tipping-point that will give them a head start on deflecting the inbound traffic. That's about it.
You can't win a fight.
Sue the IRC networks first; that's what makes it dumb shit easy for these guys to set up their botnets.
I had a machine hacked by a German movie filesharing group, and they included a bot which logged into their channel on Rizon. Like a good little admin, I logged into Rizon and checked out the channel. It had several thousand users, a whole slew of fserves...and ZERO conversation. None.
I went to #help and reported the botnet attack and the response was: "hey, you want us to shut down one of the most popular channels here because of a evidenceless accusation that you were hacked by them and used as one of their fserves? LOL ZOMG GET SECURITY AHAHAHAHAHA LUSER P0WNZORED" etc. etc.
It is patently obvious that the Rizon admins are FULLY aware that they have dozens, if not hundreds, of illegal filesharing groups that are using botnets to set up fserves, attack other systems for more bots, etc. They're doing jack shit about it (and in fact, they're making it easier; they now support SSL connections) and I think it's time someone sued them to hell and back. It's time IRC operators were taught that you can't knowingly support criminal activity, and that if users report hackings, they need to look into said reports and act on them. I also think it's time IRC traffic was considered "highly suspicious" and monitored by ISPs for fserve commands and such; fserves have no real legitimate purpose today, except illegal filesharing.
PS: Next time you download a movie or program, bittorrent or IRC DCC....realize that it was distributed, most likely, by a group that hacked unix systems. Those systems were owned and administered by people just like you, and that person is going to have to deal with the damage and headaches. Just like you will, some day.
Set up a bridge without an IP address and install Snort on it. On FreeBSD or OpenBSD, this procedure is a snap. Your mileage may vary, query Google for assistance.
Snort identifies traffic by signatures, so instead of you eyeballing suspicious patterns, it can tell you if certain phrases are used, certain protocols, or what-have-you. Writing your own signatures is a piece of cake and the process is well-documented.
The bridge sits at the mouth of your network (behind your firewall) and can be used to identify what is getting past the firewall.
For the crafty -- use Snort2pf to automatically block inappropriate traffic. I used this to discourage eDonkey usage on school system's computer network and it worked like a dream.
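As an added illustration of how Snort-style content signatures do their work (this is editor-supplied example code, not the commenter's setup and not Snort itself), the following implements a tiny subset of the Snort rule language, enough for the `content`, `nocase`, `offset`, `depth`, `msg` and `sid` options and the `|hh hh|` hex escape, and runs three rules over constructed packets. The rule text, the SIDs, the payloads and the 192.0.2.0/24-style addresses are all made up for the example. The third packet shows the caveat raised elsewhere in the thread: once the bot wraps its IRC session in TLS, a content rule sees only the handshake bytes, and the `.login` inside is invisible.

```python
import re

def _decode_content(s):
    """Turn a Snort content string into bytes, expanding |hh hh| hex escapes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(text):
    """Parse one rule in the subset: header, then msg/content/nocase/offset/depth/sid options."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, _src, _sport, _dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto.lower(), "dport": dport,
            "contents": [], "msg": None, "sid": None}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "content":
            rule["contents"].append({"bytes": _decode_content(val), "nocase": False,
                                     "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth") and rule["contents"]:
            # these modifiers apply to the most recent content, as in Snort
            rule["contents"][-1][key] = True if key == "nocase" else int(val)
    return rule

def content_matches(c, payload):
    window = payload[c["offset"]:]
    if c["depth"] is not None:
        window = window[:c["depth"]]
    needle = c["bytes"]
    return (needle.lower() in window.lower()) if c["nocase"] else (needle in window)

def rule_matches(rule, proto, dport, payload):
    if rule["proto"] not in ("ip", proto.lower()):
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != dport:
        return False
    return all(content_matches(c, payload) for c in rule["contents"])

def scan(rules, packets):
    """Return (sid, msg) alerts, in packet order, for each constructed (proto, dport, payload)."""
    return [(r["sid"], r["msg"]) for proto, dport, payload in packets
            for r in rules if rule_matches(r, proto, dport, payload)]

# Example rules (made up for this illustration; SIDs in the local 1000000+ range).
RULES_TEXT = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC bot login command"; '
    'content:".login "; nocase; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"IRC DCC SEND (fserve/file push)"; '
    'content:"DCC SEND"; nocase; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TLS ClientHello, payload opaque from here"; '
    'content:"|16 03 01|"; depth:3; sid:1000003; rev:1;)',
]
RULES = [parse_rule(t) for t in RULES_TEXT]

# Constructed packets: (protocol, destination port, payload). Not captured traffic.
PACKETS = [
    ("tcp", 6667, b"PRIVMSG #botz :.login s3cret\r\n"),
    ("tcp", 6667, b"PRIVMSG bob :\x01DCC SEND movie.avi 3232235801 1024 734003200\x01\r\n"),
    ("tcp", 6697, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01" + b"\x00" * 20),  # TLS-wrapped bot
    ("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for sid, msg in scan(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

Real Snort adds far more (relative matching with `distance`/`within`, PCRE, flow state, stream reassembly), but the matching shown here is what a plain `content` rule does, and it is why a signature written against the bot's plaintext login string stops firing the day the operator turns on SSL.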
The botnets aren't using public IRC servers, they're using servers specifically set up to control botnets.
ResidntGeek
However, maintaining my WinXP machines consists of checking the radio button labelled "Automatic (Recommended)" in the Automatic Updates dialog. It's not difficult, it's not expensive and it's not time-consuming.
A serious question, then: what do you think makes your outcome different from the outcome experienced by the people who are getting their machines owned? I don't know the answer, because I don't run Windows, but I could speculate:
Is it because they intentionally download stuff that infects their machine with spyware? If so, then maybe security is too difficult for them, because they aren't technologically sophisticated enough to realize that this is a bad idea, and maybe MS is helping to make it too difficult for them, by creating a culture where it's normal for every user to run with unlimited privileges.
Another possibility is that they aren't sophisticated enough to realize that the simple, commonsense measures you've taken (a router/firewall, doing updates) would be more sensible than measures such as buying anti-virus software, or taking their computer to Circuit City to get it fixed when it "gets slow."
I think the real problem is that a lot of people own more computer than they need. All they really need is a word processor, e-mail, and a web browser. They really don't need a general-purpose computer at all, and don't have the skills needed to maintain one. They might be better off with an internet appliance, or a thin client. The problem is that they don't understand how much they don't understand. It's like the people who have to own a Harley Davidson because it's cool, even though it's an utterly impractical motorcycle for what they want to do.
This isn't a battle for/against botnets. They're just the symptoms. What this really means is that the battle to have secure home PCs is lost. I won't even get into the Windows vs. Real OS discussion. The point is deeper still: Our homes are safe from burglars because those with the great skills and expert tools don't break into homes, they break into banks.
Not so on the Internet. Due to automation you can play the numbers game, and taking over 100,000 machines is feasible, less risky yet possibly just as profitable as breaking into one bank.
The best non-computer equivalent I can think of is the plague. Welcome to the crowded cities of the middle ages. Even if you, personally, are safe, you're still affected. Think about it.
Assorted stuff I do sometimes: Lemuria.org
No shit. Simply decompile the exec, get the password (shouldn't be hard, unless it is encrypted, which it usually isn't), get the server ip/port/password/channel and possibly channel key, join the channel, login to the bots (.l password or whatever) and do
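The step the two comments above are describing, pulling the C&C details out of the bot itself, mostly comes down to running strings(1) over the binary and picking out what looks like a server, port, channel, key and login command. As an added example (editor-supplied, not code from either commenter, and not a real bot sample), the block below does that against a constructed blob, and also handles the "unless it is encrypted" case for the simplest form of hiding, a single-byte XOR over the whole image, by brute-forcing the 255 candidate keys and keeping the one that yields a plausible configuration. The host name, channel, key and password in the sample are all made up, and the "key is stored next to the channel name" rule is a heuristic assumption, not something every bot does.

```python
import re

# Constructed sample: a fake bot image. Only the embedded strings matter;
# the surrounding bytes stand in for code. This is not a real sample.
SAMPLE_BOT = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 32
    + b"irc.example.invalid\x00" + b"\x90" * 7
    + b"6667\x00" + b"\x00" * 5
    + b"#botz\x00" + b"\xcc" * 3
    + b"chankey123\x00"
    + b".login s3cret\x00" + b"\x00" * 16
)

def xor_bytes(blob, key):
    return bytes(b ^ key for b in blob)

# The same sample behind a single-byte XOR layer (key 0x5a), to show the
# recovery path when plain strings(1) comes up empty.
OBFUSCATED_BOT = xor_bytes(SAMPLE_BOT, 0x5a)

def strings(blob, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the strings(1) tool."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, blob)]

HOST_RE  = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$|^(?:\d{1,3}\.){3}\d{1,3}$", re.I)
PORT_RE  = re.compile(r"^\d{2,5}$")
CHAN_RE  = re.compile(r"^#[^\s,]{1,49}$")
LOGIN_RE = re.compile(r"^[.!](?:login|auth|l)\s+(\S+)$", re.I)   # ".l password" style

def extract_irc_config(blob):
    """Classify the printable strings into the pieces an IRC bot needs to reach its C&C."""
    cfg = {"server": None, "port": None, "channel": None,
           "channel_key": None, "login_password": None}
    found = strings(blob)
    for i, s in enumerate(found):
        if cfg["server"] is None and HOST_RE.match(s):
            cfg["server"] = s
        elif cfg["port"] is None and PORT_RE.match(s) and 1 <= int(s) <= 65535:
            cfg["port"] = int(s)
        elif cfg["channel"] is None and CHAN_RE.match(s):
            cfg["channel"] = s
            # Heuristic (assumption): a channel key, if any, sits right after the channel name.
            if i + 1 < len(found) and not found[i + 1].startswith(("#", ".", "!")):
                cfg["channel_key"] = found[i + 1]
        else:
            m = LOGIN_RE.match(s)
            if m and cfg["login_password"] is None:
                cfg["login_password"] = m.group(1)
    return cfg

def looks_complete(cfg):
    return bool(cfg["server"] and cfg["channel"] and cfg["login_password"])

def recover_config(blob):
    """Plain strings first; if that finds no usable config, try every single-byte XOR key.
    Returns (config, key) where key is 0 for an unobfuscated image, None on failure."""
    cfg = extract_irc_config(blob)
    if looks_complete(cfg):
        return cfg, 0
    for key in range(1, 256):
        cand = extract_irc_config(xor_bytes(blob, key))
        if looks_complete(cand):
            return cand, key
    return cfg, None

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_BOT), ("xor", OBFUSCATED_BOT)):
        cfg, key = recover_config(blob)
        print(name, "key=%s" % (hex(key) if key else key), cfg)
```

Anything stronger than a fixed XOR (a real cipher with the key derived at run time) defeats this static approach, and then you are back to the earlier suggestion: the bot has to decrypt the configuration in memory before it can connect, so a debugger or a packet capture at the moment it joins the channel gets you the same values.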
Now now. I am a Linux fan and such, but blaming Microsoft here is just stupid! You know why? Because usually the thing that is exploited hasn't been patched yet. Every program has bugs, that's just how it is. Get over it. And how is it expensive to maintain Windows machines properly? Windows Update is free, no?
While *nix botnets aren't nearly as prevalent as Windows botnets, there are still ones out there...Don't think you are exempt.
It's very easy to get your identity stolen these days..Simply do some SQL injection on a pron site or whatever, then boom, you got yourself 5k credit cards. Were you dropped as a child? On Windows, you can't delete an exec if it's running..and most botnet execs fuck up things like the task manager and have backups of themselves on your box. Easier said than done. How does your 'software' know what on the machine is a trojan? That wouldn't be very good, would it, if your 'software' illegally compromised hosts trying to get rid of the trojans and accidentally got some guy's stuff that isn't infected? Also consider, whenever a new exploit is leaked into the wild, all of the current botnet trojans are updated with it...They are widely different...there is no plausible way to just get rid of all hosts compromised with hole ____
But as someone who doesn't run Windows, I don't really care. Well, I do care, because a lot of the bandwidth I pay for is crowded by the spam that my hosts filter for me. Not to mention, the bandwidth wasted and the increased cost of network service that comes from millions of unsecurable windows machines trying to infect each other with the malware of the minute. If anyone ever sets up a "no windows allowed" ISP, I'd be a customer in a heartbeat. -jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
ARP should not matter on the firewall.
Anyway, the easiest way is to monitor traffic by IP address, at the firewall, during times when no one should be using the computer with that address. If the machine is doing anything that goes through the firewall at 1 am, you should investigate.
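The two monitoring ideas in this thread, the one above (look at which internal addresses are busy at the firewall when nobody should be at the keyboard) and the earlier one (look for traffic to places nobody would be going), are easy to script once the firewall log is in a parseable form. As an added example (editor-supplied, not the commenter's code), the block below parses a constructed log in a made-up one-line-per-connection format, and flags a host on two conditions: outbound connections during a quiet window, and direct SMTP to many distinct hosts, which is what a spam engine on a home box looks like from the firewall. The log format, the addresses, the 00:00-05:00 window and both thresholds are assumptions for the example; adjust them to your own log and your own site's hours.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Assumed log format (made up for this example): one line per allowed connection.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

QUIET_START, QUIET_END = time(0, 0), time(5, 0)  # assumption: nobody at the keyboard 00:00-05:00
QUIET_CONN_THRESHOLD = 3      # outbound connections in the quiet window before we care
SMTP_FANOUT_THRESHOLD = 5     # distinct port-25 destinations before we call it a spam engine

def parse(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
        r["dport"], r["bytes"] = int(r["dport"]), int(r["bytes"])
        yield r

def is_quiet_hours(ts):
    return QUIET_START <= ts.time() < QUIET_END

def analyse(lines, local_prefix="192.168.1."):
    """Return {internal_host: [reasons]} for hosts whose outbound traffic looks bot-like."""
    quiet = defaultdict(int)
    smtp_dsts = defaultdict(set)
    for r in parse(lines):
        if not r["src"].startswith(local_prefix):   # only outbound from our LAN
            continue
        if is_quiet_hours(r["ts"]):
            quiet[r["src"]] += 1
        if r["dport"] == 25:
            smtp_dsts[r["src"]].add(r["dst"])
    findings = {}
    for host in set(quiet) | set(smtp_dsts):
        reasons = []
        if quiet[host] >= QUIET_CONN_THRESHOLD:
            reasons.append(f"{quiet[host]} outbound connections during quiet hours")
        if len(smtp_dsts[host]) >= SMTP_FANOUT_THRESHOLD:
            reasons.append(f"direct SMTP to {len(smtp_dsts[host])} distinct hosts")
        if reasons:
            findings[host] = reasons
    return findings

# Constructed sample log, not real traffic. .10 is a normal workstation (one late
# update at 00:30), .23 talks to an IRC port all night, .50 sprays mail at lunchtime.
SAMPLE_LOG = """\
2006-10-17 09:15:02 ALLOW TCP 192.168.1.10:3301 -> 198.51.100.7:80 bytes=8120
2006-10-17 09:16:40 ALLOW TCP 192.168.1.10:3302 -> 198.51.100.8:443 bytes=20440
2006-10-17 00:30:11 ALLOW TCP 192.168.1.10:3310 -> 198.51.100.9:80 bytes=1200
2006-10-17 01:02:17 ALLOW TCP 192.168.1.23:4412 -> 203.0.113.9:6667 bytes=512
2006-10-17 01:02:18 ALLOW TCP 192.168.1.23:4413 -> 203.0.113.9:6667 bytes=640
2006-10-17 02:45:03 ALLOW TCP 192.168.1.23:4420 -> 203.0.113.9:6667 bytes=300
2006-10-17 03:10:55 ALLOW TCP 192.168.1.23:4431 -> 203.0.113.9:6667 bytes=256
2006-10-17 14:00:01 ALLOW TCP 192.168.1.50:1025 -> 192.0.2.11:25 bytes=4000
2006-10-17 14:00:02 ALLOW TCP 192.168.1.50:1026 -> 192.0.2.12:25 bytes=4000
2006-10-17 14:00:02 ALLOW TCP 192.168.1.50:1027 -> 192.0.2.13:25 bytes=4000
2006-10-17 14:00:03 ALLOW TCP 192.168.1.50:1028 -> 192.0.2.14:25 bytes=4000
2006-10-17 14:00:03 ALLOW TCP 192.168.1.50:1029 -> 192.0.2.15:25 bytes=4000
2006-10-17 14:00:04 ALLOW TCP 192.168.1.50:1030 -> 192.0.2.16:25 bytes=4000
2006-10-17 14:01:00 ALLOW TCP 203.0.113.77:5555 -> 192.168.1.10:445 bytes=90
this line is not a firewall record
""".splitlines()

if __name__ == "__main__":
    for host, reasons in sorted(analyse(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(reasons))
```

The quiet-hours rule is the cheap one and catches the "idle box that is not idle" case; the SMTP fan-out rule is the one that would have caught the compromised machine described later in this thread that sent 86 thousand mails in a day. Both are blind to a bot that only talks during office hours over port 80 or 443, which is why the earlier comment about needing a proper IDS and host-side monitoring still stands.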
On a home network? Probably no one.
On a business's network, that's completely different. If you leave your network open and are cracked and you lose your credit card numbers, that's between you and the bank. If a business leaves its network open and is cracked and loses YOUR credit card number, they can be sued.
The problem is that not many "network administrators" really know anything about their network or security. There are an almost infinite number of things you can do that will take time and money but that will not actually increase the security of your systems.
Education is the beginning.
ISPs that tolerate insecure computers need to get blocked. Blocked from everything. It COULD happen, if Comcast and AT&T both decide they've had enough.
This would have the added benefit of stopping a lot of spam.
Yes, RBLs didn't get rid of spam. But they sure did (do) help. And a good part of the reason they don't work better is botnets. (Remember Blue Security?)
-Daniel
Oh wait, this is slashdot. Nevermind.
Correct. The sweetheart in question HERE is probably an overclocked dual core Athlon chip that would handle that poem in a few milliseconds.
If you do not know how to check, I can assure you that your network is fully owned.
Got Code?
I must agree with you that people intentionally download things that will harm their machine. I do computer support and I have had more than one client say "But the included smilies aren't good enough, why did you remove my other ones?" after they ask me to make their machine run faster. As long as spyware/adware/botnet software can be distributed with "free" software that users want, the problem isn't going anywhere. Once Vista arrives the UAC stuff will help with remote exploits, but people won't understand the importance of that "Enter your password to continue" screen and will happily do it if it gets them some new smileys. This is how Linux is so secure: most users understand the importance of their root password and would never enter it into the browser, other than during the initial install.
On a corporate system where users don't have admin access, botnets aren't much of a problem. But on home machines where every user has admin, no technological measures will help as long as they can be lowered. As a power user I want to keep my own machine, but for many users a subscription PC would be the best idea. They pay per month, don't have admin, and an admin employed by the company you rent the machine from takes care of security. It would be like extending the corporate world into the home. People don't care about security and they're not going to start anytime soon; they don't understand the connection between those smileys and the spam in their inbox.
It's not surprising people can't fix their own machine, how many people can fix their own car? How many people can even change the oil in their own car? The other option would be for computers to be more like cars. People don't install things in their car, and if they want something installed they take it to the dealer. That would work for most people, pick the software you want with the machine, and take it to authorized service center when you want upgrades. There are people that install things in their own cars, just like there will be people that buy non-locked PCs, but users want easy above all else and if a company could do that by pre-installing everything I think most users would get it.
The botnet problem won't disappear, but it can be significantly reduced so it won't be a problem.
There have been attempts at doing so with worms
In theory, there is nothing stopping the "researchers" from having the zombies identify their OS's, download any patches, install a personal firewall and automatically updating anti-virus program and then removing the original infection.
Sure, many would be re-created due to the user's ignorance, but this is the only way to "deal" with the zombie problem at the "researcher's" level.
No need for a trojan / worm / virus. They should have sufficient control of the zombies that a script could do it.
Slashdot needs a mod option: +1, Whatever.
Given where you work, I would suggest security is a state of mind. Do not trust what people put forth as "secure". However, it is almost certainly not your problem. If it is your problem, then no matter how small or large your installation is, I have this to say:
Hire contractors to evaluate your installation. They need not have real access; in fact they should be able to propose possible vulnerabilities without real access, assuming they can ask questions. So you hire them to ask questions, you take note of the questions they ask. Maybe you hire one or two and maybe you hire none. You have just paid people to ask questions about your system. If it were me, in your shoes, and assuming you have power, I would call back the ones that asked really good questions, and explain to them you want more. And then pay those guys.
And then fix your shit. You will end up with some pretty good analysis (first level only) and its on you to decide who you want to invite back. It is OK to initially invite local contractors, but only give out information if they give you a "good vibe".
So back to your original statement: "I work at a hospital. Sometimes I wonder whether our computers really are as secure as they should." If you have to ask, then you do not have a qualified team to deal with this. Your second thing is more pointed: "All the computers have AVG installed, but is there something else I can do to check?" I am sorry, if you are really in charge you need to hire someone who can deal with this ASAP. It will take too much time for you to come up to speed. I have many times heard the argument "but we are small"; however, you gave the word 'hospital'. Secure your data. If you have lack of funding then get the funding. It seems I cannot stress this enough. You expect the doctors to "do it right"; your patients expect your entire facility to "do it right".
On a last note: Bringing someone in who knows more than you does not threaten your position, it only means you're a decent manager.
Also, not to be critical, but you mention "AVG" in the hospital [record?] context. I will not say you have no clue; however, you have no idea what you're dealing with. The world is far more sinister than you know. AVG is a method of turning a 'blind eye'.
If you truly are involved with IT at a hospital, I would be willing to hook you up with a clinic that has won multiple state and national awards for its handling of IT. They would be willing to help for free; it's the way they roll. They do it up right. However, I would have to make sure you're for real before I bother them with you.
I am not sure how we would do that, here on slashdot. Tell you what, you give me an inclination via response and I will figure the mechanics out.
No hospital (or clinic, or eye doctor) should be without real protection.
--dant
I think you underestimate just how much I just dont care.
What does it matter, really, if you've been rooted?
The sad fact is that no matter how often you're rooted, as the other post quite clearly pointed out, you're never going to get approval to remove the defective software that allowed it. If knowing creates willful negligence but not knowing doesn't, there's a certain advantage in not looking.
Just watch your netops keep uninstalling the more obvious malware and reimaging your boxes every few years and pretending everything is ok. Nod when they call the AV and the firewall edge box due diligence and don't watch those road warriors connect their notebooks to your localnet. You never get documents with executable content in email from outside your network anyway, and if you did the virus scanner would stop it before delivery, wouldn't it? Nobody on your network would click a suspicious link. These are not the rootkits you're looking for. Repeat after me: "I am so shocked! Gosh those hackers are clever. I hope they go to prison for a long time if they're ever caught using their completely anonymous fault tolerant botnet."
Now go heal some sick people, and never get admitted to your hospital under your own name.
Help stamp out iliturcy.
Obligatory http://grcsucks.com/ link, because Steve Gibson ... well, he sucks.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
Until people are punished for their system's behavior, nothing is ever going to happen. Yeah, it's annoying for most people to get rooted, but other than that, why should they care? Now if you were legally liable for the damages your system did, regardless of whether or not it was rooted, we'd see a major change in botnets, and a LOT fewer people with rooted machines.
People only react to that which causes them difficulty, punish them for not taking care of their responsibilities and things will get better. But until then, it will only get worse.
You're part of a botnet? Pay a fine! Didn't know? Too bad. Just like your dog getting out and destroying property, if you don't care enough to protect others from your wanton disregard, it's going to cost you.
Nowadays - a lot, as it is mostly manual.
In the near future - none. Most security "usual suspects" are working on network admission systems and how they fit in a business network. Some ISPs are looking to roll them out on public networks as well.
The general idea is that you do deep packet inspection on anything going in and out and any PC that suddenly exhibits abnormal behaviour is removed from the network proper and is put on the "naughty step" until it is fixed. Similarly, you can move any PC on your network to and from a naughty step area automatically based on a set of conditions.
Most elements to do that are already there so it is only a matter of time until this becomes the de-facto network design standard for LANs and access networks.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
when high technology was its own idiot filter are long gone.
It is illegal to drive a car on any public road without a drivers licence, for the safety of other road users. Why shouldn't it be illegal to connect a computer to the internet without the proper qualifications, again for the common good? Keep all the stupid off the internet and the situation is bound to improve because there will be less opportunity for the greedy to exploit them.
If companies know the means of advertising (i.e. malware) are illegal, why aren't we going after the companies that use such methods? Admittedly, some viagra knock off company in Mexico is difficult to go after, but wouldn't it be easier to get rid of these intrusive networks by cutting off any reason for them to exist?
It's going to hurt. It's going to be painful. But when you're losing a war, you have to take defensive steps that work.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Want to find and fix any infected machines at work? Build a tool for your sysadmins to find them with, do an audit of the machines that need cleaning to find the *other* things wrong with them as well as identifying those that are running potentially critical activities that need to be salvaged carefully instead of by scorched-earth, and let them use whatever tools are appropriate to fix the holes it finds.
Want to find and fix the buggy machines on your cable-modem company's network? Build the tool and sell it to them, or give it to them and teach them how to run it. Don't go looking like Yet Another Zombie-Master who's trying to maintain some pretense of legitimacy - if you're going to be legit, be legit, and if your cable company's too clueless to accept your 1337-k3wl program, then build a different program to block packets from your fellow customers or get yourself an ISP that's clueful enough that they don't need your program.
Want to fix the buggy machines in Korea or the spammer-friendly hosting in China? Go ahead, make their day, but don't tell them *I* said it was a good idea.... And besides, it's really easy to blackhole-route them so you and any machines you control simply don't get packets from there and can't send packets back.
Bill Stewart
The incident described in CSO magazine is the exception that proves the rule. How did the online casino "defeat" the botnet attack? By spending a million dollars on bandwidth and equipment; they outscaled the attack. That sort of approach may (or may not) work for companies with millions of dollars in web revenue, but it is simply not a feasible way for most online entities to deal with an attack. There are hundreds of thousands of online businesses that, if faced by even a small botnet attack, would have to either pay the extortion money or go out of business.
The outscaling approach is doomed to failure, too. Botnets will increase in size faster than server hardware will improve. It's like throwing an O(n) algorithm against an O(log n) algorithm -- the O(n) may win a few battles early on, but past a certain point the O(log n) algorithm will win every time. Given a large enough botnet, even Google or Yahoo or Microsoft could be taken down.
I work at a hospital. Sometimes I wonder whether our computers really are as secure as they should be. All the computers have AVG installed, but is there something else I can do to check?
Set a network switch or hub right behind your keyboard so you can see the status lights. If it seems a little busy when you are not doing anything, somebody may be using your computer remotely. I think more computers need the NIC status lights on the front of the monitor, not the back of the PC.
The truth shall set you free!
and will happily do it if it gets them some new smileys. This is how Linux is so secure,
No, Linux is more secure because you don't get those smiley packs for it. That and Linux users aren't generally using it for the smileys and assorted mass-consumer crap that is targeted at Windows users.
However, if someone produced a tool that the average linux user wanted to use (say, for example a new fancy bittorrent client) that contained some kind of malware, you'd start to see the exact same problems that the windows users have - that you end up deliberately installing the malware. The security risk here is the human aspect, if the attackers find the right buttons to push for linux users, they'll own you just as easily.
That's just for consumers, admins can be just as bad - I read a web-hosting forum, the number of "my server was hacked and I don't know what to do" posts is appalling, as is the number of questions like "is there any webhost that allows IRC servers?".
BANG!" goes the ClueHammer
On the shelf right above my monitor is my printer shelf with the LAN switch and router. If something starts spewing, it gets noticed. Client/server traffic is easy to spot as only two ports have a burst of high traffic. Something port scanning tends to light up the switch between the bot and the WAN. If I get slow net response to loading pages, I make it a point to check the switch first and the router second. From there I walk over to the busy computer to see if it's a user download of media, patches, VOIP, or something else.
If an idle computer is spewing, it gets unplugged to free up bandwidth and left unplugged from the net until it is analyzed and fixed.
If you're running windows, you don't get rooted. Instead you get administered.
"We are all geniuses when we dream"
- E.M. Cioran
If you can spare any keyboard LEDs. This little tool might help.
Free your mind - Flush your toilet
Trying to stop botnets by taking-down servers is like trying to stop rock-throwing by confiscating rocks.
An exercise in futility.
You stop rock-throwing by going after the throwers. If these propeller-heads would stop playing with their toys long enough to spend fifteen minutes talking to the nearest cop they would realize this.
Ignore the silly botnets and invest the resources to find and punish their creators. Criminal behavior declines only when there is substantial risk of substantial punishment. Until that risk exists, you're just wasting everyone's time.
'Nuff said.
Regards;
Yeah...that's all well and good as long as the traffic isn't encrypted (it probably will be)..or if it's not, you know what to look for to write sigs for (you probably won't)...or you know which domains people in your network shouldn't be going to and you're watching DNS logs (you probably won't). With all of the custom and targeted attack vectors, and the fact that so many attacks have moved up the stack to layer 7 and above (humans), network IDSs have passed their due date. The only thing that can really help is to engineer your host systems, create well-defined policies, install local host system monitoring software (HIDS, etc.), and secure those logs from tampering. Network security monitoring at this point is really a lot like airport security: it gives people a warm and fuzzy, but it doesn't accomplish much and the effort is better spent elsewhere.
I have a lovely wife who surfs the internet constantly. She has a bot on her Windows box. I noticed it when we sent out 86 thousand emails in one day. (It helps to monitor your port 25!!) Okay.. so she is compromised.
Norton, Spybot, etc CANNOT detect what she has. Netstat shows the connection but Task Manager etc does not. I block port 25 from her computer as a precaution and the darn computer starts searching for SMTP servers on the local network. I use qmail-auth and it prevents it.. however I have no trust that it can't use UPnP or something else to change my main router.
So.. HOW IN THE HECK do you REMOVE stuff that you can't find? I really.. REALLY.. don't want to reformat and reinstall, because there is no way this should be hidden from Administrator on Windows XP.. but it IS!
I can program myself out of a Hello World Contest!!