Two Worm "Families" Make Up Most Botnets

JMoon writes "HNS has an article about the Sdbot and Gaobot families which are responsible for most botnets worldwide. These two families were responsible for 80 percent of detections related to bots during the first quarter of 2007. Other culprits, although on a much lesser scale, included Oscarbot, IRCbot or RXbot."

Re:And that won't change soon

It's as simple as updateing to SP2, something that works automatically.

Updating to SP2 isn't simple though. It's a massive download if you're on dailup or even a slow DSL connection. On top of that it takes up a lot of disk space/RAM and if you have anything but latest high-speed machine you're going to be sitting there waiting a long time while it installs.

Make a CD

[davidwr]

If you are stuck with dialup, get a friend to download the SP2 CD and burn it for you.

If you have DSL or Cable and nothing else on your LAN is infected, your NAT or other firewall should protect you from "out of the box" threats. As long as you stick to known-safe web sites like windowsupdate and most security-software vendors, you should be OK long enough to get updated.

What's that? You are on DSL or Cable and do NOT have a firewall? Spend a few bucks and get one!

Re:Make a CD

[EsbenMoseHansen]

What's that? You are on DSL or Cable and do NOT have a firewall? Spend a few bucks and get one!

That one bears repeating. If you want to run windows, you are simply going to have to run it behind an idenpendent firewall, unless you enough of a security expert to be able to outline a IP packet without looking at the books. If you are too cheap or poor to get one, (k)ubuntu is right over there. CD's to be had for a couple of euros, and with the refund for the windows license, you're even going to save a few dollars or euros.

This goes for Windows up to and including the XP. Never been near Vistas, but from I hear, it's the same deal.

Re:Make a CD

[Ephemeriis]

If you are too cheap or poor to get one, (k)ubuntu is right over there.

The various Linux distros are certainly more secure than Windows, but I'm not sure I'd trust them on a naked broadband connection either. There are still vulnerabilities for people to take advantage of - fewer, certainly, but they're still there.

Dialups aren't good Bot fodder anyway

[billstewart]

If you're on a slow DSL, yes, it'll take a while to download SP2. Big deal - run it at night, and you've now *had* a couple of years, so realistically what you're talking about is installing an upgraded OS on your upgraded PC, so you could do the download on your old machine before you plug the new one in.

A large fraction of the problem can be taken care of by using a hardware firewall in front of your PC from the moment you first plug it in, which'll usually keep you safe long enough to get the current security upgrades. That's not fool-proof - there are bad guys hunting for flaws in popular firewall boxes - but it's a good start.

Re:And that won't change soon

[Opportunist]

Hmm... then to fix that bot problem, all we'd have to do is report the IP Addresses hammering against our firewalls as potential pirates? In the current hype and the leeway IP holders get when filing suits and pressing Names from the ISPs, it should be easy to instill enough fear in those upgrade-resistant people ...

I have a plan. Thanks for helping me on the track.

ISP's half the problem

[cdrguru]

No ISP is going to shut off an account because of an infected computer. They might throttle it somewhat, but it is the site administrator's responsibility to deal with infected computers. What? Your parents don't have a "site administrator" overseeing their computers? (((except when you are there... ha ha))) Well, that sounds like a real problem, doesn't it?

What we have are general-purpose computers that people install random software on without thinking about where it came from, what it might do and the consequences of having that happen. Then, they don't check to see what their computer is doing when it is supposedly idle and thrashing around on the hard drive or is really slow. Well, maybe it is just getting old and needs to be replaced. Right.

So we have the equivalent of handing a loaded revolver to a three-year-old and leaving the room. We have seen how they can hurt themselves with it. We can see how they hurt others with it. And about all that is done is giving them some more bullets.

Let's be clear about one thing here. Windows "security" or the lack of it is not the problem. If the machine is locked down utterly so that nothing can be installed, removed or modified Windows security is perfectly adequate. Unfortunately, nobody seems to want to run their computer this way. There is no security if the "user" can simply install any old thing they want, be it some new flash player with a bug in it, WeatherBug or a bot trojan. Signing code is not the answer - people aren't reading the messages that are displayed. You could have a page of text displayed when a trojan is installed that says in eight different ways "this will take over your computer and make it ours" and people would install it.

The answer is pretty clear. General purpose computers that can have software installed are a tool that must be monitored, controlled and administered. Giving one to a user and leaving them alone with it is a reciepe for disaster. Just like the disaster with spam, botnets and viruses we are seeing right now.

Re:ISP's half the problem

[tppublic]

The answer is pretty clear. General purpose computers that can have software installed are a tool that must be monitored, controlled and administered. Giving one to a user and leaving them alone with it is a reciepe for disaster. Just like the disaster with spam, botnets and viruses we are seeing right now.

I'm sure there are many large companies - ones that would love to protect the status quo - that would greatly support your proposal.

I think what you propose is crazy.

You have failed to follow through the implementation and resulting consequences of this action.

The problem isn't only general purpose computers, it is general purpose processors running general purpose operating systems. Making it 'embedded' doesn't necessarily solve the problem. For example, there have been vulnerabilities in various routers over the past few years, and your action would not solve those issues. You provide no evidence that preventing user installation will protect the system in any fashion. The system would still have underlying x86, PPC, ARM or MIPS processor which could run arbitrary code.

First, how do you allow people to get a system where they can write software? It is both systematically difficult, and is a practical impossibility with current systems. Given that many products have some form of scripting built in (including Microsoft Office, and about every version of *nix there is), it is difficult to prevent someone who is even marginally capable from writing software. For example, when I was a university student, there were strict policies that prevented the compilation of software on the community Unix system (Sun servers at the time). However, given that sh, csh, and tcsh were all available on the system, I could perform just about any action I wanted on that system, as far as software is concerned. That's not to say it wasn't slow compared to a compiled program (it WAS), but it was almost impossible for them to detect or prevent.

One potential (and partial) solution to this is so-called the 'trusted computing' model, which would only allow 'certified' software to run on a computer. I posit without proof that the challenge of preventing ANY method of forging electronic certifications is very difficult. Computational infeasibility can be worked around simply by having one person in the system walk off with a legal certificate. Look at how the Mongolians eventually got through the Great Wall of China. If I recall the stories correctly, they simply bribed some guards. Reducing the system leakage to zero is not practical (nor is it beneficial, given that there are countless 'business people' working in marketing and finance who develop their own scripts to automate their work).

Also, software development is valuable and available world-wide. The ability to go overseas to get work done is completely possible in the software engineering world. If only one country or region places the restriction you propose (I guarantee developing countries will ignore your restriction), then those countries are at a competitive disadvantage. Their next generation will ALSO be at a competitive disadvantage, because they will not develop the appropriate skills. Some of the best programmers do NOT come from formal education in computer science.

The problem we actually have is the lack of incentive to fix the problem.

The user who's machine is infected has no large incentive to help the problem. ... and the ISP just ignores the issue. So we need there to be penalties to having an infected machine. The ISPs can then sell a form of monitoring (effectively insurance, a wildly profitable business) to users who do not want to or have the skills to do their own monitoring. I recognize the challenge of dealing with international sites remains.

The companies have no incentive to change, either. The pressures that exist to release software combined with the lack of any material negative effect on software vendors for producing bad software c

Don't call it a botnet

[davidwr]

Would a botnet by any other name smell just as sour?

Probably not.

If you'd called it a distributed asset-monitoring and -control system and given it a fancy acronym like DAMACS or something, it would've been a better sell.

Re:And that won't change soon

[bogjobber]

That might be part of the problem, but I'm sure there are more people out there that simply don't upgrade. Every time I visit my sister and/or parents house I make sure to do it, because they never download or install updates. If it wasn't for me I doubt they'd have gotten SP2.

Laziness as far as I can tell

[Sycraft-fu]

I run in to two groups that make up the majority of "not updated" systems:

1) People who won't do any manual steps at all to update. Every so often, Windows has an update that needs you to interact with it. Rather than autoinstalling it'll just put the little "You've got updates" icon in your sys tray and pop up a bubble about it from time to time. However some people just refuse to deal with that. A couple clicks is more than they are willing to do. Totally automated is ok, but they can't be bothered to do anything more.

2) However an even larger number don't want their system to reboot. Tons of those at work. They have something or other running continuously that they can't be bothered to save the state on. So they turn off the updates so that it won't reboot. Yes, really.

That accounts for at least 90% of the no-update people I run across. There's a small percentage that won't do it because they read on some forum that some guy had a problem with an update and they are convinced Microsoft will break their system, but most are just lazy as hell.

Re:Automated Trolling System

[stonedcat]

maybe stop using an insecure web browser and OS?

Re:And that won't change soon

[Heembo]

It's the duty of every user of the internet to keep his machine from being a danger to it. With respect, I disagree. Do you really expect grandma to understand the necessity of patching their operating system? No way! It's the duty of OPERATION SYSTEM VENDORS to build products that auto-patch in a robust way. Sadly, Windows update is one of the best out there - but still, we need a lot more work in this direction.