Two Worm "Families" Make Up Most Botnets
JMoon writes "HNS has an article about the Sdbot and Gaobot families which are responsible for most botnets worldwide. These two families were responsible for 80 percent of detections related to bots during the first quarter of 2007. Other culprits, although on a much lesser scale, included Oscarbot, IRCbot or RXbot."
Q1 2007: 80% from two families.
2006: 74% from these families.
Hmm. Too bad bots reproduce asexually, otherwise we could hope for inbreeding to take them out.
Seriously, though, is the decreased diversity in bot "heritage" a good thing -- does it mean that bot infections are easier to detect and treat?
Or does it not make any bit of difference until the typical user learns to protect their PC?
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Any information on non-Windows bots? I know bots are forever trying to get into SSH, so that must mean non-Windows machines are being targeted, but I am curious as to the success rate.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
If you write a piece of code that's going to spread through unpatched computer networks you're creating a worm. Not only that, but if you make a mistake and this piece of code somehow (unforeseeably) damages anything, you will be in a world of hurt.
Either way, the law doesn't look too kindly on computer trespass even if (you *claim*) your intentions are good.
Quack, quack.
Thought this would be an interesting point to add about botnets and security.
....
2 years ago I almost gave our security people a heart attack when I suggested an internal botnet.
We have most of our servers plugged into a tightly controlled IRC server.
All servers run a custom bot with limited access that pipe all critical files into specific IRC channels.
Response bots monitor the channels and take appropriate action, signaling the bots to run specific commands, paging, emailing, etc.
It allows NOC to run things like 'uptime' and have dozens of servers reply at once.
Security is tightly controlled at the bot and server level, using a custom hacked and very locked-down UnrealIRCd.
For our security at least, it was the first example of a useful IRC setup that allowed easy monitoring and limited control of servers.
As bad as botnets are, they are very good at what they do.
Good example of allowing totally unrelated applications to communicate with each other, as basically all programming languages have IRC support.
And a funny side note, my Slashdot "verification image" is "misuse"
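The setup described in the post above (servers running a limited bot on a locked-down IRC server, NOC sending commands such as 'uptime' into a channel) rests on the bot honouring only a fixed set of commands from authorised senders. The following is an added illustration of that dispatch logic, not the poster's code; the channel name, host mask, command names and allowed paths are assumptions, and the transport is replaced by an in-memory outbound buffer so it runs offline.

```python
"""Command dispatch for an internal IRC monitoring bot (added example, not the poster's code).

The "limited access" in the post is what makes this safe to run on production
servers: a fixed command allowlist, a single control channel, an authorised
nick!user@host mask, argument validation, and no shell involved at all.
"""
import fnmatch
import platform
import shutil
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical names for the illustration; adjust to the real deployment.
CONTROL_CHANNEL = "#noc-control"
AUTHORISED_MASKS = ["nocbot!*@*.noc.example.internal"]   # assumed operator mask
ALLOWED_PATHS = ("/", "/var")                              # assumed paths for 'disk'


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC line into (prefix, command, params), RFC 1459 style."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    params = line.split()
    if trailing is not None:
        params.append(trailing)
    if not params:
        return prefix, "", []
    return prefix, params[0], params[1:]


def cmd_uptime(args: List[str]) -> str:
    """Host uptime from /proc/uptime; falls back to the monotonic clock elsewhere."""
    try:
        with open("/proc/uptime") as fh:
            secs = float(fh.read().split()[0])
    except OSError:
        secs = time.monotonic()
    return f"{platform.node()} up {int(secs // 3600)}h {int(secs % 3600 // 60)}m"


def cmd_disk(args: List[str]) -> str:
    """Free space, but only for paths on the allowlist: arguments are validated, not passed through."""
    path = args[0] if args else "/"
    if path not in ALLOWED_PATHS:
        raise ValueError("path not in allowlist")
    usage = shutil.disk_usage(path)
    return f"{path}: {usage.free // 2**30} GiB free of {usage.total // 2**30} GiB"


COMMANDS: Dict[str, Callable[[List[str]], str]] = {"uptime": cmd_uptime, "disk": cmd_disk}


@dataclass
class ServerBot:
    nick: str
    sent: List[str] = field(default_factory=list)   # outbound lines; a real bot writes these to the socket

    def authorised(self, prefix: str) -> bool:
        return any(fnmatch.fnmatchcase(prefix, mask) for mask in AUTHORISED_MASKS)

    def handle_line(self, raw: str) -> Optional[str]:
        """Process one inbound line; returns the reply text for a handled command, else None."""
        prefix, command, params = parse_irc_line(raw)
        if command == "PING":
            self.sent.append(f"PONG :{params[0] if params else ''}")
            return None
        if command != "PRIVMSG" or len(params) < 2:
            return None
        target, text = params[0], params[1]
        if target != CONTROL_CHANNEL:          # ignore private messages and other channels
            return None
        if not prefix or not self.authorised(prefix):
            return None                        # drop silently: no feedback to unauthorised senders
        words = text.split()
        if not words:
            return None
        handler = COMMANDS.get(words[0].lower())
        if handler is None:
            reply = f"{self.nick}: unknown command {words[0]!r}"
        else:
            try:
                reply = f"{self.nick}: {handler(words[1:])}"
            except ValueError as exc:
                reply = f"{self.nick}: refused ({exc})"
        self.sent.append(f"PRIVMSG {CONTROL_CHANNEL} :{reply}")
        return reply


if __name__ == "__main__":
    bot = ServerBot("web01")
    # Constructed sample traffic: one legitimate request, one from an unknown host, one attempted shell command.
    for line in (":nocbot!ops@gw.noc.example.internal PRIVMSG #noc-control :uptime",
                 ":evil!x@attacker.example PRIVMSG #noc-control :uptime",
                 ":nocbot!ops@gw.noc.example.internal PRIVMSG #noc-control :rm -rf /"):
        print(repr(line), "->", bot.handle_line(line))
```

Because every reply is a function return value rather than shell output, a compromised IRC account or a spoofed channel message can at most trigger one of the two read-only commands; the "dozens of servers reply at once" behaviour comes from each host's bot independently answering the same channel line.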
It's an idea, but I'd recommend against it. So many legitimate license keys have been disabled by Microsoft that it would affect a huge number of innocent users who've had their key disabled because MS felt like it.
I have seen firsthand and heard countless confirmations of people re-installing XP on their OEM system using the license key from the sticker that was glued to their system case, and being rejected by Microsoft's Product Activation. I'm not sure of the reason behind this, but I'd guess that most likely some keygen hacker program ended up randomly generating the same key and it was used enough times that MS decided to distrust that key.
In my case, I was helping out a friend of the family with getting their laptop back in service after it had been hopelessly compromised by malware. I entered the key from the sticker on the bottom of their laptop, and Product Activation failed. I called the 1-800 number that Microsoft said to call, and went through all their steps to generate a new number, but it just told me that I was rejected and that my number was in fact really no good. I had no recourse, no appeal, no live body to talk to on the phone. So I did the only thing I could do to return the system to service, and used a Corporate license key that didn't need to be run through Product Activation and would not trip up on WGA.
Now, you might say that pissing off all these legitimate users would actually be a good thing, because it will ultimately help Microsoft to shoot its foot clean off by enraging masses of legitimately licensed end users who've been disconnected from the net because they couldn't maintain their systems properly because MS couldn't validate their license even though it wasn't pirated. But I don't think it's quite fair to say that every license key that fails to pass WGA is ipso facto a pirate user. If you block everyone on suspicion of running an unpatched, compromised, pirated OS, you're going to affect a lot of screwed paying customers. As long as they rightfully blame Microsoft for being the cause of their woes, you should be in the clear. If the collateral damage is worth it, then I guess it's not a bad plan.
You see? You see? Your stupid minds! Stupid! Stupid!