Two Worm "Families" Make Up Most Botnets
JMoon writes "HNS has an article about the Sdbot and Gaobot families which are responsible for most botnets worldwide. These two families were responsible for 80 percent of detections related to bots during the first quarter of 2007. Other culprits, although on a much lesser scale, included Oscarbot, IRCbot or RXbot."
viruses kinda runs in the family...
Recently, I had to put an SP1 WinXP online to demonstrate that it's (still) insecure to do that. I was expecting that the blaster menace has somewhat dwindled since its outbreak, simply 'cause it's been a while since its outbreak.
Boy, was I wrong!
It took 10 seconds for the FTP to go berserk, a minute later I was a happy member of the still strongly going family of wormspreaders.
People simply don't update their systems. It's amazing, that thing is afaik about 5 years old now, and still there are a LOT of machines existing that still blow the worm through the net.
We're not talking about an unfixable problem, or at least one where the user has to be dumb enough to open the can for the worm (ok, bad pun). It's as simple as updating to SP2, something that works automatically.
You actually have to disable MS Messenger to at least cease to get those annoying popup messages, so why can people disable that but not update their systems? That's simply beyond my comprehension.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Q1 2007: 80% from two families.
2006: 74% from these families.
Hmm. Too bad bots reproduce asexually, otherwise we could hope for inbreeding to take them out.
Seriously, though, is the decreased diversity in bot "heritage" a good thing -- does it mean that bot infections are easier to detect and treat?
Or does it not make any bit of difference until the typical user learns to protect their PC?
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I say we rename them.
One should be "Curious Yellow"
the other "Curious Blue"
http://blanu.net/curious_yellow.html
Any information on non-Windows bots? I know bots are forever trying to get into SSH, so that must mean non-Windows machines are being targeted, but I am curious as to the success rate.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
If you are stuck with dialup, get a friend to download the SP2 CD and burn it for you.
If you have DSL or Cable and nothing else on your LAN is infected, your NAT or other firewall should protect you from "out of the box" threats. As long as you stick to known-safe web sites like windowsupdate and most security-software vendors, you should be OK long enough to get updated.
What's that? You are on DSL or Cable and do NOT have a firewall? Spend a few bucks and get one!
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
SDBot is incredibly popular because it's open source and easily modified to sneak past most AV software with minor changes. It also has an extremely wide array of features, and tends to be very reliable.
People without the knowledge to code their own trojan/bot from scratch will naturally gravitate towards tools which allow them to make their money more easily, and it's a real time saver.
Or so I hear.
Not sure if the article wants me to be surprised by this. What percent of all virii in humans are in the family of the common cold or influenza?
;p
There has to be some kind of parallel here.
Weird, but as I was writing this something tried to change my default search page. Usually I wouldn't say this, but I hope it was Microsoft
TLF
I do not respond to cowards. Especially anonymous ones.
I'm not sure if botnets have "signature" activity that's easy for an ISP to spot or not.
If they do, then getting ISPs to proactively monitor their customers for botnet-specific activities and phone them when they see suspicious activity will go a long way toward eliminating these particular threats.
Imagine your mother getting this answering-machine message from her DSL provider:
"Hello Ms. Jones. You've heard of computer viruses? Our engineers are seeing signs of a virus on one of your computers. Please visit our security web site at http://www.momsisp.com./ This same web site is printed on your billing statement. In the meantime, we are taking steps to keep the virus from spreading. This may affect your connection. We will remove these blocks automatically when we see your system is clean. If you have any questions, call us at 1-800-MOM-SISP. Thank you."
Her next call will probably be to you. Problem solved.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I miss good old days, when all bots did was greet you, spit out dumb jokes, or print trite quotes on IRC. !spin !acro !seen Bananarama !cook me some bacon and eggs bitch
If you write a piece of code that's going to spread through unpatched computer networks you're creating a worm. Not only that, but if you make a mistake and this piece of code somehow (unforeseeably) damages anything you will be in a world of hurt.
Either way, the law doesn't look too kindly on computer trespass even if (you *claim*) your intentions are good.
Quack, quack.
A large fraction of the problem can be taken care of by using a hardware firewall in front of your PC from the moment you first plug it in, which'll usually keep you safe long enough to get the current security upgrades. That's not fool-proof - there are bad guys hunting for flaws in popular firewall boxes - but it's a good start.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Though he did not get jail time, he still was convicted. http://www-swiss.ai.mit.edu/6805/articles/morris-worm.html
Fight Spammers!
Thought this would be an interesting point to add about botnets and security.
....
2 years ago I almost gave our security people a heart attack when I suggested an internal botnet.
We have most of our servers plugged into a tightly controlled IRC server.
All servers run a custom bot with limited access that pipe all critical files into specific IRC channels.
Response bots monitor the channels and take appropriate action, signaling the bots to run specific commands, paging, emailing, etc.
It allows NOC to run things like 'uptime' and have dozens of servers reply at once.
Security is tightly controlled at the bot and server level, using a custom hacked and very locked down UnrealIRCd.
For our security at least, it was the first example of a useful IRC setup that allowed easy monitoring and limited control of servers.
As bad as botnets are, they are very good at what they do.
Good example of allowing totally unrelated applications to communicate with each other, as basically all programming languages have IRC support.
And a funny side note, my slashdot "verification image" is "misuse"
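The post above describes the design but not how "limited access" is enforced at the bot. The following is an added example, not the poster's code and not their UnrealIRCd configuration: the authorization core of such a NOC bot, where the privilege boundary is an explicit allowlist of sender hostmasks, one control channel, and a fixed set of read-only commands mapped to Python callables (no shell-out path at all, so arguments after the command name cannot smuggle anything in). The channel name, hostmask patterns and the two commands are assumptions made for the example.

```python
import re
from typing import Callable, Dict, List, Optional

# Hypothetical names: the control channel and the hostmask allowlist are
# assumptions for this example, not values from the post above.
CONTROL_CHANNEL = "#noc"
AUTHORIZED_MASKS = ("noc-ops!*@*.example.internal", "oncall!*@pager.example.internal")

# Raw IRC channel message as delivered by the server: ":nick!user@host PRIVMSG #chan :text"
_PRIVMSG = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)


def hostmask_matches(mask: str, pattern: str) -> bool:
    """Anchored, case-insensitive glob match (* and ? only) of nick!user@host."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, mask, re.IGNORECASE) is not None


class LockedDownBot:
    """Answers a fixed set of read-only commands, only in one channel, only to
    allowlisted senders. There is deliberately no shell-out path: a command is a
    Python callable chosen by exact name, and anything after the name is dropped."""

    def __init__(self, handlers: Dict[str, Callable[[], str]]):
        self.handlers = {name.lower(): fn for name, fn in handlers.items()}
        self.audit: List[str] = []  # every allow/deny decision, for the security team

    def handle(self, raw: str) -> Optional[str]:
        """Return the IRC reply line to send, or None when the message is ignored."""
        m = _PRIVMSG.match(raw.rstrip("\r\n"))
        if m is None or m["target"].lower() != CONTROL_CHANNEL:
            return None  # not a message to the control channel
        mask = f"{m['nick']}!{m['user']}@{m['host']}"
        if not any(hostmask_matches(mask, p) for p in AUTHORIZED_MASKS):
            self.audit.append(f"DENY {mask}: unauthorized sender")
            return None
        text = m["text"].strip()
        if not text.startswith("!"):
            return None  # ordinary chatter in the channel
        parts = text[1:].split(None, 1)
        if not parts:
            return None
        name = parts[0].lower()  # arguments after the command name are ignored
        fn = self.handlers.get(name)
        if fn is None:
            self.audit.append(f"DENY {mask}: unknown command {name!r}")
            return None
        self.audit.append(f"ALLOW {mask}: {name}")
        return f"PRIVMSG {CONTROL_CHANNEL} :{fn()}"


def demo_bot() -> LockedDownBot:
    """Bot wired to two constructed read-only commands (no real system calls)."""
    return LockedDownBot({
        "uptime": lambda: "up 12 days, load 0.31 0.28 0.25",
        "disk": lambda: "/ 41% used, /var 67% used",
    })


if __name__ == "__main__":
    bot = demo_bot()
    for line in (
        ":noc-ops!ops@mon1.example.internal PRIVMSG #noc :!uptime",
        ":stranger!x@evil.example.com PRIVMSG #noc :!uptime",
        ":noc-ops!ops@mon1.example.internal PRIVMSG #noc :!reboot now",
    ):
        print(line, "->", bot.handle(line))
    print("\n".join(bot.audit))
```

Two things matter here that the post only hints at: the allowlist is matched against the full nick!user@host (a nick alone is trivially spoofed on IRC), and unknown commands are denied and logged rather than passed anywhere, so the worst a compromised ops account can do is run the read-only set.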
I have a few comments and one will answer some of the previous questions to some degree.
First, the majority of these trojans, specifically these, are all IRC based. They are very easy to spot, especially in corporate environments. Why? Well, because most people do not use IRC while they are at work. Not to mention many companies will have policies against it. This makes intrusion detection for these kinds of bots very easy. Since most of these servers housing the bots are just standard Unreal IRCD (generally hacker-installed) or whatever IRCD undernet/efnet/etc. run on, they are not encrypted. This means when a machine connects, traffic with "NOTICE", "PRIVMSG", "JOIN #" etc. is all sent in the clear. There have been snort/bleeding snort rules to look for this type of activity for years and they haven't had to change much. Sure the ports might not always be 6667-6669/7000, but looking for activity like this on a certain port is dumb to do anyway.
A simple analysis of most IRC traffic, should you have real-time peeks or capture logs, will tell you pretty quick if it's malicious. If you see a nick change to XP|24249429 or USA|2942949 and it joins a channel called #owned with a topic of .scan 10.0.0.0/8, then there's a pretty good chance the machine in question is an infected bot and most likely with one of the aforementioned variants. Now most home users won't have insight into this type of activity. And funny enough there's not much "big brother" by way of ISPs caring much for this. Unless reported to them they most likely won't do anything. Even then they still might not do anything. http://www.shadowserver.org/ keeps a list of good/responsive ISPs. This might be more in the case of a malicious host housing an IRCD, but that's beside the point.
Now finally these two are quite popular. Why? Well it has been said already. The source for them is out there and they are readily available. People frequently update and modify them to avoid AV detection. Hell, many people don't update and modify them. So many people are running without [updated] AV that it doesn't seem to matter much. If you notice how most people get infected, it's the same old thing. IM worm, e-mail worm, malicious website, or a scan for the 2 year old dcom exploit. Every time some new IE/Firefox/etc vulnerability is released, someone quickly makes it download their trojan.
These variants have been around for years. Luckily the people using them are pretty dumb. It's just a matter of time before worms/viruses/etc turn to web-based (not IRC) and encryption as the norm.
You are supposed to check the Post Anonymously box when you talk like that :)
No ISP is going to shut off an account because of an infected computer. They might throttle it somewhat, but it is the site administrator's responsibility to deal with infected computers. What? Your parents don't have a "site administrator" overseeing their computers? (((except when you are there... ha ha))) Well, that sounds like a real problem, doesn't it?
What we have are general-purpose computers that people install random software on without thinking about where it came from, what it might do and the consequences of having that happen. Then, they don't check to see what their computer is doing when it is supposedly idle and thrashing around on the hard drive or is really slow. Well, maybe it is just getting old and needs to be replaced. Right.
So we have the equivalent of handing a loaded revolver to a three-year-old and leaving the room. We have seen how they can hurt themselves with it. We can see how they hurt others with it. And about all that is done is giving them some more bullets.
Let's be clear about one thing here. Windows "security" or the lack of it is not the problem. If the machine is locked down utterly so that nothing can be installed, removed or modified Windows security is perfectly adequate. Unfortunately, nobody seems to want to run their computer this way. There is no security if the "user" can simply install any old thing they want, be it some new flash player with a bug in it, WeatherBug or a bot trojan. Signing code is not the answer - people aren't reading the messages that are displayed. You could have a page of text displayed when a trojan is installed that says in eight different ways "this will take over your computer and make it ours" and people would install it.
The answer is pretty clear. General purpose computers that can have software installed are a tool that must be monitored, controlled and administered. Giving one to a user and leaving them alone with it is a recipe for disaster. Just like the disaster with spam, botnets and viruses we are seeing right now.
Though you may have learned that the plural of 'octopus' is 'octopi' and the plural of 'cactus' is 'cacti', the plural of 'virus' is viruses, not 'virii'. In fact, the -i pluralization is optional; the -es pluralization is standard.
Refer to:
Would a botnet by any other name smell just as sour?
Probably not.
If you'd called it a distributed asset-monitoring and -control system and given it a fancy acronym like DAMACS or something, it would've been a better sell.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
What about the Gambino family?
(A/C b/c I don't want to go phishing wearing cement shoes;)
attn mods: this is not offtopic, troll, or flamebait. Mod me as such and Vinny will have ta see youse, capish? Noce kneecaps yo' momma got there, shame if anything was ta happen to 'em...
I thought they were Symantec and AVG.
Oh, you mean *PUBLICLY* acknowledged virus writers?
Although Wikipedia states that:
"The less frequent variations viri and virii are virtually unknown in edited prose, and no major dictionary recognizes them as alternative forms. Hackers like to use "virii" as the plural form of virus, even if Latin scholars object that this invented term does not follow standard patterns in that language - just to refer to the plural of computer viruses opposed to the plural of biological viruses."
So, although you are correct in terms of edited prose, I still use the term virii in order to refer to the plural of computer viruses.
Just out of curiosity, has anyone ever attempted to put together malware-like programs that actually FIX the problems that real malware exploits? Maybe even expunging already-installed malware in the process? It sure seems leaving security up to the users isn't working.
I run in to two groups that make up the majority of "not updated" systems:
1) People who won't do any manual steps at all to update. Every so often, Windows has an update that needs you to interact with it. Rather than autoinstalling it'll just put the little "You've got updates" icon in your sys tray and pop up a bubble about it from time to time. However some people just refuse to deal with that. A couple clicks is more than they are willing to do. Totally automated is ok, but they can't be bothered to do anything more.
2) However an even larger number don't want their system to reboot. Tons of those at work. They have something or other running continuously that they can't be bothered to save the state on. So they turn off the updates so that it won't reboot. Yes, really.
That accounts for at least 90% of the no-update people I run across. There's a small percentage that won't do it because they read on some forum that some guy had a problem with an update and they are convinced Microsoft will break their system, but most are just lazy as hell.
What's the simplest down and dirty way of detecting a worm infection?
Assuming the worm is smart and disables any/all preventative measures on the host system - can one observe certain network activity behavior that would give the worm away?
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
Cox (cable company) will. Back a few years ago I had a Cox connection and one day I found it not working. Called tech support, and they referred me over to the abuse department. Turns out my roommate had gotten his system infected. Once I'd confirmed I'd cleared it up, they turned the connection back on.
ISPs should, and some do, look for infected machines and shut down the connections.
Given that these buggers usually have abilities like "download updates" why doesn't someone hack the bot networks and download an uninstall+patch program?
Unlike what others have said, it wouldn't be a "worm" because the patch would be unable to spread on its own. It would only be downloaded by those infected bots who are getting instructions over IRC.
"This is your Internet company. Our engineers are seeing signs of a virus on one of your computers. Please visit our security web site at $malware_site. In the meantime, we are taking steps to keep the virus from spreading. This may affect your connection. We will remove these blocks automatically when we see your system is clean. If you have any questions, call us at $premium_rate_engaged_tone_recording. Thank you."
Of course, I don't know whether the return is high enough to justify this sort of tactic, but it could happen.
Those SSH password attacks spread Linux based spambots. I have repaired a handful of servers in the USA and Singapore that suffered infections. The Redone spambot targets the tens of thousands of identical systems on server farms, of which some are sure to have bad passwords. Once it has set up shop it spews out enormous amounts of spam. It is managed through IRC.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Seriously, though, is the decreased diversity in bot "heritage" a good thing -- does it mean that bot infections are easier to detect and treat? Or does it not make any bit of difference until the typical user learns to protect their PC?
The limited heritage diversity suggests that one might make a dramatic impact on the non-technical aspects of the problem with a carefully applied use of hardware. Unfortunately, that's a very short-term solution most likely to only result in rediversification and speciation, rather than any broader environmental shift in the culture leading to permanent extinction.
//Information does not want to be free; it wants to breed.
Sure dialup users can install a non-Microsoft firewall, but is that really "independent" of Microsoft?
An external modem plus external firewall box that hooks to it isn't cheap, not on the new market anyways.
With newer motherboards and CPUs, you can run a stripped-down Linux that just dials and launches Windows XP or a VM-legal version of Vista in a VM. But what non-techie consumer wants to do that?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
and Ouch!
How shitty is that? And why didn't they sue MS or something like that, demand a new version of Windows, instead of throwing more money at the company that totally ripped them off and left them with NO FRICKING OPERATING SYSTEM AT ALL, even though they legally paid for it?
I'm not using Windows anymore (used to run Mac OS after a while on Linux and XP, now I'm a happy Ubuntu user), but this is really the nail in the coffin. I'd tell that company such a big Fuck You that the mountains would shake.
Percentages are meaningless if you don't have the total number. It can well mean that those 2 families spread incredibly fast while other worms spread more slowly.
I would not necessarily call that a good sign. Actually, I'd take it as an alarming signal. People are still as stupid as last year, so I wouldn't say that it's harder to infect machines.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
At least here, many pay per MB transferred. Now, a transfer in the local net of the ISP doesn't cost much (while they can charge you through the nose for it). Most bots spam mostly into the local net (/24 or /16).
And now again, do you REALLY expect ISPs to have a keen interest to shut them down? They are their cash cows!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The problem as I see it is that ISPs don't want to be responsible for net security.
An ISP could detect bot IRC traffic and notify a customer who is originating bot commands. It's not that hard. All these bots use IRC. The IRC traffic is sent in plain text using well known commands. Even the most of the channel names are well known. Every ISP knows the email address (and billing details) associated with every active IP address on their network. It's basic logging.
But if an ISP were to "offer this service" of bot detection, it would give the expectation that ISPs are responsible for network security. ISPs do not want to be responsible for network security. They don't even want to be perceived as being responsible for network security. There is no money in it for them. Even though every ISP has an AUP (acceptable use policy), there is little incentive for them to spend any money or effort (same thing) to enforce it.
Responsibility - Authority - Money : You can only have one, which one would you want?
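This post and the earlier snort-rule post (nick changes to XP|24249429 or USA|2942949, a JOIN to a channel like #owned, a topic carrying a .scan command, all in cleartext IRC on whatever port) describe the same detection, so here is one added example covering both; it is not from the thread and not a Snort rule. It scores captured client lines by those indicators, on any port, and only flags a host when the evidence goes beyond "uses IRC", since plain IRC use is legitimate on most networks. The channel words and command list beyond the ones named in the thread are assumptions, and the capture is constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Indicators named in the thread: plaintext IRC verbs, nicks like XP|24249429 or
# USA|2942949, a channel such as #owned, and a topic or message carrying a scan
# command. The extra channel words and the command list are assumptions.
IRC_VERB = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|NOTICE|TOPIC)\b", re.IGNORECASE)
BOT_NICK = re.compile(r"^[A-Z]{2,4}\|\d{4,}$")  # XP|24249429, USA|2942949
SUSPECT_CHANNEL = re.compile(r"#(?:owned|pwned|bots?|scan|exploit)\b", re.IGNORECASE)
BOT_COMMAND = re.compile(r"\.(?:scan|advscan|ntscan|download|update|ddos|syn|udp)\b", re.IGNORECASE)
STRONG = {"nick-pattern", "suspect-channel", "bot-command"}


def strip_prefix(line: str) -> str:
    """Drop the ':nick!user@host ' or ':server ' prefix that server-side lines carry."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        parts = line.split(" ", 1)
        return parts[1] if len(parts) == 2 else ""
    return line


def indicators_for_line(line: str) -> List[str]:
    """Indicators found in one captured line, regardless of the TCP port it rode on."""
    body = strip_prefix(line)
    m = IRC_VERB.match(body)
    if m is None:
        return []
    verb = m.group(1).upper()
    found = [f"irc-verb:{verb}"]
    if verb == "NICK":
        nick = body.split(None, 1)[1].lstrip(":") if " " in body else ""
        if BOT_NICK.match(nick):
            found.append("nick-pattern")
    if verb == "JOIN" and SUSPECT_CHANNEL.search(body):
        found.append("suspect-channel")
    if verb in ("TOPIC", "PRIVMSG", "NOTICE") and BOT_COMMAND.search(body):
        found.append("bot-command")
    return found


def classify_hosts(flows: Iterable[Tuple[str, str]]) -> Dict[str, dict]:
    """Aggregate per client IP. A host is flagged when it shows a bot command or at
    least two distinct strong indicators; plain IRC use alone is never enough."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ip, line in flows:
        per_host[ip].update(indicators_for_line(line))
    verdict = {}
    for ip, inds in per_host.items():
        strong = inds & STRONG
        verdict[ip] = {
            "indicators": sorted(inds),
            "infected": "bot-command" in strong or len(strong) >= 2,
        }
    return verdict


# Constructed sample capture as (client IP, line); not real traffic.
SAMPLE_FLOWS = [
    ("10.1.2.3", "NICK XP|24249429"),
    ("10.1.2.3", "USER xp 0 * :xp"),
    ("10.1.2.3", "JOIN #owned"),
    ("10.1.2.3", ":h3rd3r!h@c2.example.net TOPIC #owned :.scan 10.0.0.0/8 135 -s"),
    ("10.1.2.4", "NICK alice"),
    ("10.1.2.4", "JOIN #python"),
    ("10.1.2.4", "PRIVMSG #python :anyone seen the new re docs?"),
    ("10.1.2.5", "NICK USA|2942949"),
    ("10.1.2.5", "JOIN #help"),
]

if __name__ == "__main__":
    for ip, v in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(ip, "INFECTED" if v["infected"] else "clean", v["indicators"])
```

The third host shows why the threshold is there: a bot-looking nick on its own only earns a second look, while 10.1.2.3 trips on the nick, the channel and the scan command together. Nothing here looks at the port, which is the point the earlier post makes about 6667 not being a reliable tell.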
you do this manually? Wow. You might want to take a look at denyhosts
605413? Yes, it's a prime.
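The spambot post above (bad passwords on farms of identical servers) and this DenyHosts pointer both come down to the same check, so one added example serves both. It is not DenyHosts' code and not the thread's: a minimal version of what that tool does, tallying failed SSH password attempts per source address from sshd's traditional syslog lines and emitting tcp_wrappers hosts.deny entries for sources that exceed a threshold inside a sliding time window. The log lines are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# Traditional syslog-format OpenSSH line, e.g.
# "Mar 19 03:14:07 web1 sshd[2112]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, ip, user) per failed password attempt; other lines are ignored.
    Syslog carries no year, so timestamps are only comparable within one year."""
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]


def offenders(lines: Iterable[str], threshold: int = 5,
              window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Source IPs with at least `threshold` failures inside any sliding `window`.
    Threshold and window are hypothetical defaults chosen for this example."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    result = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        flagged = False
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged = True
                break
        if flagged:
            result[ip] = {"attempts": len(events), "users": sorted({u for _, u in events})}
    return result


def hosts_deny_lines(blocked: Dict[str, dict]) -> List[str]:
    """tcp_wrappers /etc/hosts.deny entries in the form DenyHosts itself writes."""
    return [f"sshd: {ip}" for ip in sorted(blocked)]


# Constructed sample log: one dictionary attack, one user mistyping twice, and one
# slow source whose five failures are an hour apart (outside the default window).
SAMPLE_LOG = [
    "Mar 19 03:14:07 web1 sshd[2112]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Mar 19 03:14:19 web1 sshd[2113]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2",
    "Mar 19 03:14:31 web1 sshd[2114]: Failed password for invalid user oracle from 203.0.113.5 port 4244 ssh2",
    "Mar 19 03:14:44 web1 sshd[2115]: Failed password for invalid user test from 203.0.113.5 port 4245 ssh2",
    "Mar 19 03:15:02 web1 sshd[2116]: Failed password for invalid user guest from 203.0.113.5 port 4246 ssh2",
    "Mar 19 03:15:30 web1 sshd[2117]: Failed password for root from 203.0.113.5 port 4247 ssh2",
    "Mar 19 03:20:01 web1 sshd[2140]: Failed password for bob from 198.51.100.7 port 50021 ssh2",
    "Mar 19 03:20:09 web1 sshd[2140]: Accepted password for bob from 198.51.100.7 port 50021 ssh2",
    "Mar 19 03:00:00 web1 sshd[2001]: Failed password for root from 192.0.2.9 port 40001 ssh2",
    "Mar 19 04:00:00 web1 sshd[2050]: Failed password for root from 192.0.2.9 port 40002 ssh2",
    "Mar 19 05:00:00 web1 sshd[2099]: Failed password for root from 192.0.2.9 port 40003 ssh2",
    "Mar 19 06:00:00 web1 sshd[2150]: Failed password for root from 192.0.2.9 port 40004 ssh2",
    "Mar 19 07:00:00 web1 sshd[2201]: Failed password for root from 192.0.2.9 port 40005 ssh2",
]

if __name__ == "__main__":
    found = offenders(SAMPLE_LOG)
    for ip, info in found.items():
        print(ip, info)
    print("\n".join(hosts_deny_lines(found)))
```

The slow source is the trade-off to be aware of: a wide window catches low-and-slow guessing but also locks out a colleague who fat-fingers a password a few times a day, which is why a tool like this belongs behind key-only authentication rather than in place of it.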
As in tell Windows not to update at all.
do not click above link unless you want your browser hijacked - very nasty!
Maybe I wasn't clear. I meant a NAT hardware firewall router, or any other external firewall.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I don't think you're the first to be thinking along those lines. Corporations have been making attempts to restrict what types of media can play on a computer, under what terms, to the point of Sony's installing rootkits on its customers' computers. On the hardware side, the Trusted Computing concept helps limit users' anonymity. In politics, the free world is toying with laws requiring monitoring of innocent Net users to fight terrorism/porn/drugs, and countries like China are doing massive censorship. In looking at other hardware, we know that there's at least one US-government-mandated design feature -- the V-Chip for televisions -- and supposedly the Secret Service has subverted several brands of printer. Japan has even issued some draft guidelines for robot regulation.
What we're seeing is a convergence of trends towards locking down computers, making it illegal to build or sell a machine with the full power and freedom of a Turing Machine. Some argue (Okay, it's not a great source; just did a quick search) that restrictions like this are equivalent to Soviet Russian restrictions on the use of photocopiers.
The various restrictions being placed on computer users for various reasons threaten our use of an important tool, and are oppressive and insulting. Even if you personally are a savvy computer user, are you prepared (based on your proposal) to be charged a fee, photographed, fingerprinted, licensed, monitored, and otherwise treated like a criminal, because you weren't content with the toys your government allows lesser geeks to use?
Revive the Constitution.
I believe Guiness has reserved this title for Microsoft.
boycott slashdot February 10th - 17th check out: altSlashdot.org
maybe stop using an insecure web browser and OS?
You can't take the sky from me.
All the comments above say "get a firewall, install SP2 etc"...guys, the average computer user does not know what all these things are! people that want to use email, surf the web, manage their photos, manage their bills with a computer have no idea what a firewall is and why a service pack is required.
From this perspective, Microsoft has totally flopped: Windows requires much technical knowledge of computers to operate.
To my ears, anyhow.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
If you're using firefox, enable Javascript and click on that link; then come back here and talk about insecure browsers.