Two Worm "Families" Make Up Most Botnets

JMoon writes "HNS has an article about the Sdbot and Gaobot families which are responsible for most botnets worldwide. These two families were responsible for 80 percent of detections related to bots during the first quarter of 2007. Other culprits, although on a much lesser scale, included Oscarbot, IRCbot or RXbot."

And that won't change soon

[Opportunist]

Recently, I had to put an SP1 WinXP online to demonstrate that it's (still) insecure to do that. I was expecting that the blaster menace has somewhat dwindled since its outbreak, simply 'cause it's been a while since its outbreak.

Boy, was I wrong!

It took 10 seconds for the FTP to go berserk, a minute later I was a happy member of the still strongly going family of wormspreaders.

People simply don't update their systems. It's amazing, that thing is afaik about 5 years old now, and still there are a LOT of machines existing that still blow the worm through the net.

We're not talking about an unfixable problem, or at least one where the user has to be dumb enough to open the can for the worm (ok, bad pun). It's as simple as updateing to SP2, something that works automatically.

You actually have to disable MS Messenger to at least cease to get those annoying popup messages, so why can people disable that but not update their systems? That's simply beyond my comprehension.

Re:And that won't change soon

It's as simple as updateing to SP2, something that works automatically.

Updating to SP2 isn't simple though. It's a massive download if you're on dailup or even a slow DSL connection. On top of that it takes up a lot of disk space/RAM and if you have anything but latest high-speed machine you're going to be sitting there waiting a long time while it installs.

Re:And that won't change soon

[Junior+J.+Junior+III]

Probably so many XP users are on license keys that have been disabled by Microsoft Genuine Advantage so that they can't upgrade to SP2, so they're left compromised and unable to defend themselves by remaining patched by Automatic Updates.

Re:And that won't change soon

[Junior+J.+Junior+III]

It's an idea, but I'd recommend against it. So many legitimate license keys have been disabled by Microsoft that it would affect a huge number of innocent users who've had their key disabled because MS felt like it.

I have seen firsthand and heard countless confirmations of people re-installing XP on their OEM system using the license key from the sticker that was glued to their system case, and being rejected by Microsoft's Product Activation. I'm not sure the reason behind this, but I'd guess that most likely some keygen hacker program ended up randomly generating the same key and was used enough times that MS decided to distrust that key anymore.

In my case, I was helping out a friend of the family with getting their laptop back in service after it had been hopelessly compromised by malware. I entered the key from the sticker on the bottom of their laptop, and Product Activation failed. I called the 1-800 number that Microsoft said to call, and went through all their steps to generate a new number, but it just told me that I was rejected and that my number was in fact really no good. I had no recourse, no appeal, no live body to talk to on the phone. So I did the only thing I could do to return the system to service, and used a Corporate license key that didn't need to be run through Product Activation and would not trip of on WGA.

Now, you might say that pissing off all these legitimate users would actually be a good thing, because it will ultimately help Microsoft to shoot its foot clean off by enraging masses of legitimately licensed end users who've been disconnected from the net because they couldn't maintain their systems properly because MS couldn't validate their license even though it wasn't pirated. But I don't think it's quite fair to say that every license key that fails to pass WGA is ipso facto a pirate user. If you block everyone on suspicion of running an unpatched, compromised, pirated OS, you're going to affect a lot of screwed paying customers. As long as they rightfully blame Microsoft for being the cause of their woes, you should be in the clear. If the collateral damage is worth it, then I guess it's not a bad plan.

Reduced diversity.

[Red+Flayer]

Q1 2007: 80% from two families.

2006: 74% from these families.

Hmm. Too bad bots reproduce asexually, otherwise we could hope for inbreeding to take them out.

Seriously, though, is the decreased diversity in bot "heritage" a good thing -- does it mean that bot infections are easier to detect and treat?

Or does it not make any bit of difference until the typical user learns to protect their PC?

Non Windows Bots

[pembo13]

Any information on non-Windows bots? I know bots are forever trying to get into SSH, so that must means non Windows machines are being targeted, but I am curious as to the success-rate.

Re:Non Windows Bots

[Anon-Admin]

I don't think those are bots.

I noticed my servers SSH port being hit a few years ago. I moved it to another port, locked the port down, then set up an SSH honey pot on the standard port. The honey pot attempts to ID people from programs using a verity of methods such as space between key strokes and use of the backspace or delete key.

I found that once the attacking software appeared to have access to the server, A person would login and check it out. Most of them attempted to use wget to dump a root kit onto the server. I have grabbed copies of the software they attempt to down load and checked it out.

It normally consists of a root kit, network scanner, packet sniffer, and the scanning software to scan and hack SSH.

I think these are wannabe hacker kids trying to get in.

Re:Non Windows Bots

[Anon-Admin]

For you or anyone who wants to know more about the software and setup. Go to my website, http://www.xganon.com/ and send me an e-mail. Just select the "Contact Us" button and fill out the info. Ill e-mail you back and we can go over the software (open source) and how to set it up.

I am always willing to help people secure a system. :)

Make a CD

[davidwr]

If you are stuck with dialup, get a friend to download the SP2 CD and burn it for you.

If you have DSL or Cable and nothing else on your LAN is infected, your NAT or other firewall should protect you from "out of the box" threats. As long as you stick to known-safe web sites like windowsupdate and most security-software vendors, you should be OK long enough to get updated.

What's that? You are on DSL or Cable and do NOT have a firewall? Spend a few bucks and get one!

Re:Make a CD

[EsbenMoseHansen]

What's that? You are on DSL or Cable and do NOT have a firewall? Spend a few bucks and get one!

That one bears repeating. If you want to run windows, you are simply going to have to run it behind an idenpendent firewall, unless you enough of a security expert to be able to outline a IP packet without looking at the books. If you are too cheap or poor to get one, (k)ubuntu is right over there. CD's to be had for a couple of euros, and with the refund for the windows license, you're even going to save a few dollars or euros.

This goes for Windows up to and including the XP. Never been near Vistas, but from I hear, it's the same deal.

There's a reason for that.

[Spazntwich]

SDBot is incredibly popular because it's open source and easily modified to sneak past most AV software with minor changes. It also has an extremely wide array of features, and tends to be very reliable.

People without the knowledge to code their own trojan/bot from scratch will naturally gravitate towards tools which allow them to make their money more easily, and it's a real time saver.

Or so I hear.

Liability...

[msimm]

If you write a piece of code that's going to spread through unpatched computer networks you're creating a worm. Not only that, but if you make a mistake and this piece of code somehow (unforeseeably) damages any thing you will be in a world of hurt.

Either way, the law doesn't look to kindly on computer trespass even if (you *claim*) your intentions are good.

Re:Liability...

[fm6]

No, they are living very well in Russia from their ill-gotten gains. So if I write a counter-bot, I get to go live in Russia? What an incentive!

Re:Liability...

[bcattwoo]

Yes, you are going to be in the same position as the folks that create botnets. We see every day how these people are treated.

Are they arrested in thrown in jail? No, they are living very well in Russia from their ill-gotten gains.

There is no liability unless you are a complete idiot. Or don't want to live in Russia.

Ask Robert Morris

[www.sorehands.com]

Though he did not get jail time, he still was convicted. http://www-swiss.ai.mit.edu/6805/articles/morris-w orm.html

The Same Old Bots

[madsheep]

I have a few comments and one will answer some of the previous questions to some degree.
First, the majority of these trojans, specifically these are all IRC based. They are very easy to spot, especially in corporate environments. Why? Well because most people do not use IRC while they are at work. Not to mention many companies will have policies against it. This makes intrusion detection for these kinds of bots very easily. Since most of these servers housing the bots are just standard Unreal IRCD (generally hacker-installed) or whatever IRCD undernet/efnet/etc. run on, they are not encrypted. This means when a machine connects, traffic with "NOTICE", "PRIVMSG", "JOIN #" etc is all sent in the clear. There have been snort/bleeding snort rules to look for this type of activity for years and they haven't had to change much. Sure the ports might not always be 6667-6669/7000, but looking for activity like this on a certain port is dumb to do anyway.

A simple analysis of most IRC traffic should you have real-time peaks or capture logs will tell you pretty quick if it's malicious. If you see a nick change to XP|24249429 or USA|2942949 and it joins a channel called #owned with a topic of .scan 10.0.0.0/8 then there's a pretty good chance the machine in question is an infected bot and most likely with one of the aforementioned variants. Now most home users won't have insight into this type of activity. And funny enough there's not much "big brother" by way of ISPs caring much for this. Unless reported to them they most likely won't do anything. Even then they still might not do anything. http://www.shadowserver.org/ keeps a list of good/responsive ISPs. This might be more in the case of a malicious host housing an IRCD, but that's beside the point.

Now finally these two are quite popular. Why? Well it has been said already. The source for them is our there and they are readily available. People frequently update and modify them to avoid AV detection. Hell, many people don't update and modify them. So many people are running without [updated] AV that it doesn't seem to matter much. If you notice how most people get infected, it's the same old thing. IM worm, e-mail worm, malicious website, or a scan for the 2 year old dcom exploit. Every time some new IE/Firefox/etc vulnerability is released, someone quickly makes it download their trojan.

These variants have been around for years. Luckily the people using them are pretty dumb. It's just a matter of time before worms/viruses/etc turn to web-based (not IRC) and encryption as the norm.

ISP's half the problem

[cdrguru]

No ISP is going to shut off an account because of an infected computer. They might throttle it somewhat, but it is the site administrator's responsibility to deal with infected computers. What? Your parents don't have a "site administrator" overseeing their computers? (((except when you are there... ha ha))) Well, that sounds like a real problem, doesn't it?

What we have are general-purpose computers that people install random software on without thinking about where it came from, what it might do and the consequences of having that happen. Then, they don't check to see what their computer is doing when it is supposedly idle and thrashing around on the hard drive or is really slow. Well, maybe it is just getting old and needs to be replaced. Right.

So we have the equivalent of handing a loaded revolver to a three-year-old and leaving the room. We have seen how they can hurt themselves with it. We can see how they hurt others with it. And about all that is done is giving them some more bullets.

Let's be clear about one thing here. Windows "security" or the lack of it is not the problem. If the machine is locked down utterly so that nothing can be installed, removed or modified Windows security is perfectly adequate. Unfortunately, nobody seems to want to run their computer this way. There is no security if the "user" can simply install any old thing they want, be it some new flash player with a bug in it, WeatherBug or a bot trojan. Signing code is not the answer - people aren't reading the messages that are displayed. You could have a page of text displayed when a trojan is installed that says in eight different ways "this will take over your computer and make it ours" and people would install it.

The answer is pretty clear. General purpose computers that can have software installed are a tool that must be monitored, controlled and administered. Giving one to a user and leaving them alone with it is a reciepe for disaster. Just like the disaster with spam, botnets and viruses we are seeing right now.