Bot Infestations Reach Nearly 1.2M

mengel writes "According to the folks at SecurityFocus the number of bot-infested systems has surged to nearly 1.2 million. This after a big drop in December when lots of people replaced/upgraded systems. Time to upgrade your spam filtering software, the onslaught is coming."

Tweaking liability laws

[Harmonious+Botch]

These bots could be greatly limited with proper tweaking of liability laws. Under current laws, if I leave a pool or a car unsecured and somebody else gets injured or killed, I can be found totally or partially liable. But if I leave my computer unsecured and someone else uses it to cause harm to third parties, I'm in the clear.

Re:Tweaking liability laws

[Watson+Ladd]

It would be hard to determine what constitutes appropriate security. And how are you supposed to know about a zero-day or a subtle misconfiguration? A pool is easy to secure. A car is easy to secure: Both have small threat models and physical protection is all you need. A computer is much harder to secure.

Re:Tweaking liability laws

True but life is hard. This is the solution to this "problem", just as having a 1 cent cost per an email sent is the solution to the spam "problem".

ISPs should immediately pull the plug too on infested machines to limit damages.

There's no reason to let innocent bystanders to suffer from the criminal neglect of some.

Re:Tweaking liability laws

[NeverVotedBush]

But if I leave my computer unsecured and someone else uses it to cause harm to third parties, I'm in the clear.

You would think the legal case could also be made to hold Microsoft liable for stolen personal information, illegal charges to credit cards, raided bank accounts, etc., when known but unpatched (i.e. no patch available) exploits to their software allow people's computers to be compromised.

Re:Tweaking liability laws

[mrbluze]

if I leave my computer unsecured and someone else uses it to cause harm to third parties, I'm in the clear

But if you have a car which injures people because the manufacturer put in lousy breaks, lousy locks, lousy steering etc, then the car manufacturer is in trouble, right?

Whilst I agree with you, the liability laws need changing, "reasonable" attempts at securing a Windows PC (eg: using antivirus software) have proven to be a waste of time, so the onus should be on the manufacturer.

Re:Tweaking liability laws

[1u3hr]

These bots could be greatly limited with proper tweaking of liability laws.

There are hundreds, perhaps thousands, of known spammers in the US. (See the ROKSO list, eg.) Barely a handful are ever prosecuted. One or two have been sentenced, trumpeted here as a victory against spammers, but really showing that being caught and punished for deliberate spamming is a very rare event. Considering that, what could a "negligent" spammer get?

ISPs can easily detect and cut off spam spewing robots. They have the right to do so in their TOS, but are just too complacent or perhaps concerned they'd have to deal with hundreds of clueless users complaining about it.

Forget the spam filters...

[ShaunC]

..It's more like "time to put an ad in the paper, an onslaught of new customers is coming!" I wish I still had time to do spyware removals and clean up infested computers. Easy money for those who have the time and are willing to make housecalls.

"systems" euphemism

[allin]

The article speaks of "bot-infested systems". Call a spade a spade. These
are bot-infested PCs running MS Windows. They make life hell for the rest of
us.

An easy fix

[davmoo]

In another reply I saw someone suggest ISPs sending automated snail mail notices to users who's machines have been owned.

I'll go one better. Cut the fucking thing off the net until the user fixes the problem.

I fail to see why it seems to hard to detect these things. When an ISP sees a machine go from sending out 4 or 5 emails a day to spitting out thousands of emails every hour, it should be obvious there's a problem.

Also, close the damn mail ports off. If a customer wants to host their own email server at home, fine...but make them call in and request that the port be opened. And make it clear that if their machine gets owned, they get cut off and fined before access will be reconnected.

And finally, spam has been a problem for years...how come the MTAs haven't been rewritten to not allow header forging, etc, in all that time? Isn't this supposed to be one of the big advantages of open source and open protocols?

Re:An easy fix

[metlin]

In another reply I saw someone suggest ISPs sending automated snail mail notices to users who's machines have been owned.

I'll go one better. Cut the fucking thing off the net until the user fixes the problem.

That's not really fair.

Most users are not technically sophisticated to do anything, even if they were told that their computers were affected.

Computers and the internet are far too prevalent today to simply cut somebody off because their boxes were compromised. If you must, blame the manufacturers for designing systems that can so easily be taken over by bots and viruses.

Most people don't really care, because to them the computer is just like the TV or the microwave - a tool that lets them do something. If the tool gets messed up and causes problems because of something, they can't be held responsible because face it, they have no clue whatsoever. If you are designing a system that you think even an idiot can use, then make sure that it is idiot-proof.

But companies want to sell $OS to your grandma, but do not want to take responsibility for what happens when things go to hell. If you are selling something to grandma, make it grandma-proof. She will open attachments, she will not have a clue about what's out there on the web -- if you are selling her a tool, make sure that it is protected against the mistakes she most likely will make.

Somehow, in the software industry, it is considered acceptable to call the users idiots and let go. Now here's the thing -- even some of the very smart people have trouble using computers simply because it is not their thing. Not everybody can be a computer geek, and nor should they expected to be.

If anything, the software manufacturers should be held responsible. Stop blaming the users already, please.

Re:An easy fix

[mysticgoat]

I agree with parent.

I also want to point out that the automotive industry went through a similar period about 35 years ago, when new cars were required to have pre-installed seat belts. It is now generally accepted that seatbelts, airbags, and less visible things like collapsing steering columns and controlled crumpling are GOOD THINGS TO HAVE IN A CAR. But at the time these were introduced, the sometimes strong argument against them was that none of these things were necessary for a well trained driver. Whatever your opinion about that, the truth of that time was that driving had become a necessary daily activity for a lot of people who had no real desire to do the training: they just wanted to get the kids to the soccer game; do the shopping; get to and from work without having to sit among the coughers and hackers in a germbox (bus)...

Computing is at this same place now. The number of people who have to use a computer to get things done, but who have zero interest in the computers themselves, now far outnumbers the number who are willing to do any training.

It is time to use some legal enforcement to make the network environment safe for the computing public. I think this could be done by applying existing laws regarding reckless endangerment, indiscriminate distribution of attractive nuisances, and so forth to the software industry.

Where is Ralph Nader when we need him? Preparing to run for President again?

Re:An easy fix

[repvik]

If anything, the software manufacturers should be held responsible. Stop blaming the users already, please.

Sure, the software manufacturers have some fault in this. But ignorance from the user doesn't help.
I would propose the following to an ISP:

1. Firewall the infestation from the internet
2. Give the user access to the mailserver to *download mail only*
3. Redirect all browsing attempts to a local server that serves step-by-step guides and ready-packaged tools to remove any virus infections/malware. Put up a helpful "send us a mail if these instructions doesn't help" form and leave any phone no. clearly visible.

Re:An easy fix

That's not really fair. It doesn't need to be fair. During an epidemic you wouldn't want the Department of Health to be fair, you'd want them to stop the disease from spreading, and if they need to isolate some of the population to prevent any further damage, then so be it. It is not fair for the victims or their families, but it is also not fair for the rest of us to remain at risk when something can actually be done about it. Just like most users are technically challenged, most people are not doctors, dentists, etc, but we know enough of the basics to care for ourselves.

The suggested idea would actually force users to care more about security. Instead of shutting out affected users completely, I'd suggest they'd be redirected to a site providing them with information and software so they can protect themselves in the future.

Its probably not the ISPs fault, and the user shouldn't be to blame because (s)he usually has no idea of what's going on, so when things go bad...blame Microsoft :)

Re:If only more ISPs added their net blocks to PBL

[bcc123]

Absolute majority of spam now comes from desktops infected with mailing software. So no, in this case, the spammer won't simply relay through the ISP's mail servers. The reason they infect boxes in the first place is so that they can mail directly from all those IPs. The reasoning in your link is really outdated.

Re:Open Source Virus Protection

[Gareth+Williams]

I run a gnu/linux based operating system, and I don't forsee that I will ever run antivirus software on it. Yes, even if people actually start writing viruses that target it.

I don't look at automated breaches of security as any special case. A security breach is a security breach. Crack attempts, spyware, adware, malware, viruses, trogans, blah blah... it's all the same problem: stopping unauthorised code running on your machine.

If my mail client has a bug that allows remote code execution, the mail client is faulty and must be patched. If my browser has a bug that allows a remote site to snatch files off my local filesystem, then my browser is faulty as must be patched. If I, FSM forbid, stupidly download and run some malicious application then I am faulty and must be "patched".

I have all non-essential services turned off, I run a firewall, I keep all my applications up to date with security patches, and I only install software from my distribution's repositry.

I don't care how much money they are making for some big security companies, these "anti-virus" applications that people are so obsessed with running on windows are just an ambulance at the bottom of the cliff.

There is something fundamentally flawed with the idea of waiting until your security has already been breached and then trying to clean up after the fact. Once it's breached that's it, game over - reformat, reinstall O/S, and replace data with last known good backup.