FBI Releases Results of Operation Bot Roast

coondoggie writes to tell us that the FBI has released the findings of their recent botnet study and have identified over 1 million botnet crime victims. "The FBI is working with industry partners, including the Computer Emergency Response Team Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Microsoft and the Botnet Task Force have also helped out the FBI. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity, the FBI said in a statement.Bots are widely recognized as one of the top scourges of the industry. Gartner predicts that by year-end 75% of enterprises 'will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses.'"

Skip the spammy site

and go straight to the source
http://www.fbi.gov/pressrel/pressrel07/botnet06130 7.htm

Re:Skip the spammy site

[easyTree]

The majority of victims are not even aware that their computer has been compromised or their personal information exploited,

Indeedy, I seem to recall, a while back, 'hearing' of someone running an xdcc server on an fbi box..

If it wasn't for spam and advertisers..

[QuantumG]

There would be an RFC for getting an email address for an ip address and it wouldn't take an expert to figure out how to contact the right person when you see a machine doing something it shouldn't.

Why not shut them down?

[DamonHD]

I would have thought that a nice call from the FBI to the CxOs of the main appropriate ISPs and a selection of those users on the fastest connections (ie with the most capacity to be damaging) would have a salutary effect.

And then a follow up with negligence-related charges for those who refused to give a f**k maybe?

Rgds

Damon

Re:Why not shut them down?

[dropadrop]

I would have thought that a nice call from the FBI to the CxOs of the main appropriate ISPs and a selection of those users on the fastest connections (ie with the most capacity to be damaging) would have a salutary effect.

You mean make a quick way for the FBI to shut down anyones internet connection without studying the case any further? I would much prefer somebody developing applications that would manage to trace suspicious traffic, and if reliable enough direct all web traffic to a page with information on how the customer can clean his machine (the last part is actually a normal procedure for some ISP's here in Finland).

The main problem is, that I believe connections are "jammed" based on complaints, not automatically. This requires a lot of resources from the ISP, as does receiving calls from people who have no idea what is meant by an "infected machine". Of course the application detecting suspicious activity would have to be very reliable, and it would have to be very anonymous...

Re:Why not shut them down?

[Dare+nMc]

direct all web traffic to a page with information on how the customer can clean his machine

direct them to a site that they are now blocked from reaching, hmmm.
I know you would un-block that 1 site, but then hackers patch to block that 1 patch...

One got past our firewall also (email attachment actually) the ISP (Qwest) sent us a automated warning letter that we were about to get kicked, I did have it fixed before the letter was received. Imagine how difficult for a admin to track while all traffic is blocked, so the bot is hibernating. Since the blocking could easily cause much greater financial harm (assuming the most valuable of assets hasn't been compromised)

Such as our case, it was a PC with internet access, but not VPN access to anything too important. It would have severed our VOIP to the main offices, and hampered my research into multiple options to fix the issue. Not to mention how many projects missing data would be put on hold. In my case I first got all the virus definitions up to date (also a laptop with its first day on the network in several months.) So it would be impolite to block norton, mcafee, what about clamwin, etc, etc? When I am not in office everything is remote admin from offsite (kill that also?)

so the first time our ISP shutdown our traffic due to a burst of virus like traffic we would be ISP shopping.

Re:Why not shut them down?

[Nikker]

Once I think the cost of having a Government employee call, track and note every member of a bot-net this size, I start to think that it might be cheaper to subsidize a firewall/router.

Re:Why not shut them down?

[DamonHD]

Hi,

I don't for a moment suggest *every*.

Just some of the bigger ISPs and users to maximise benefit and awareness in the meeja...

Rgds

Damon

seems low

[wizardforce]

1 million in botnets/[100 million?] in at least the US so that works out to about 1% by crude estimation so does anyone else think these numbers are a bit low? especially since

Google's Ghost in the Browser study looked at over 4.5 million Web pages, and found that 10% of them were capable of activating malicious codes and 16% were suspected to contain codes that might be a threat to computers.

how many computer users dont patch/update their computers or use a very old version? how many of those wouldnt know if they were infected or have an infected computer as it is?

Re:seems low

[sdnoob]

"over 1 million botnet crime victims."

only 1 million victims?? i do believe there are far more than 1 million addresses in these scumbags mailing lists. *everyone* who's gotten spam out of one of these botnets is (also) a victim... not just the poor saps who got winjacked(tm).

Phishing opportunity

[Avatar8]

Who knows how the FBI will contact these victims, but by announcing that they will be contacting them, I foresee numerous phishing attempts from fbi.com (a blank site, last I checked).

Warn the kids and wake the neighbors. Be suspicious of any e-mail posing as the FBI and wanting a response by clicking an URL, fbi.gov or otherwise.

And here come the phishers....

[HTH+NE1]

Anyone else think this will start a new wave of phishing where botnet controllers send e-mail messages out forged as coming from FBI.gov to people telling them their machines are infected with bots (linking to the URL in parent) and that they need to install the program attached to the e-mail that is claimed to remove the offending software but in fact turns your machine into another zombie?

Re:And here come the phishers....

[yuna49]

It wouldn't get too far in our mail system. We don't accept mail with From addresses in fbi.gov or irs.gov unless they originate on those agencies own servers. Mail coming from a server in rr.com claiming to be "From: fixyourcomputer@fbi.gov" is going to be dropped on the floor.

There have already been tons of viral messages from these two domains over the past few years. One of the big Windows worms ("Slammer," if I recall correctly) was often mailed out with an fbi.gov From address. Forging irs.gov messages is common among phishers.

Re:And here come the phishers....

[bob_herrick]

FTFA

The FBI will not contact you online and request your personal information so be wary of fraud schemes that request this type of information, especially via unsolicited emails. To report fraudulent activity or financial scams, contact the nearest FBI office or police department, and file a complaint online with the Internet Crime Complaint Center, www.ic3.gov.

Re:And here come the phishers....

[JohnnyBigodes]

Basically, what the parent is talking about is SPF - Sender Policy Framework

Re:And here come the phishers....

[yuna49]

In our case, we instituted these rules for fbi.gov and irs.gov long before SPF came into being, but yes, SPF would help alleviate this problem nowadays.

Re:And here come the phishers....

[Intron]

Nope, no spf on fbi.gov or irs.gov.

dig -t TXT fbi.gov
QUERY: 1, ANSWER: 0

dig -t TXT irs.gov
QUERY: 1, ANSWER: 0

Re:And here come the phishers....

[JohnnyBigodes]

I didn't say those hosts had SPF records, what I was saying is that what the parent is doing is basically a simple form of SPF.

And yes, they should have those records. There are naysayers about SPF's effectiveness with valid arguments, but I think the "big fish" on the Internet should have records on their hosts.

Re:And here come the phishers....

[HTH+NE1]

FTFA

The FBI will not contact you online and request your personal information

But you don't need to provide any personal information to install a trojan.

Re:And here come the phishers....

[yuna49]

Not too long ago one of our clients was unable to receive mail from some fellow attorneys in the IRS. Turns out that their outbound server not only doesn't have an SPF record, it didn't even have reverse DNS resolution configured! So all the mail from the attorney at the IRS was blocked by our irs.gov rule. I now have a special whitelisting rule for the subnet in which that server resides.

I was impressed by the level of incompetence displayed here. Hell, some major email services like AOL won't usually accept anything from a server without reverse-resolution configured. Here a server without reverse-DNS gets a goodly number of SpamAssassin points right off the top. Any other spammy features will usually lead to such messages being tagged as spams here.

Re:And here come the phishers....

[Em+Adespoton]

We don't accept mail with From addresses in fbi.gov or irs.gov unless they originate on those agencies own servers.

Well, based on the report, it is entirely possible that the messages WILL originate on those agencies' own servers.

Re:And here come the phishers....

[Adam9]

FWIW, here's the email I received from Microsoft with certain information removed.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

VIA EMAIL:

Date: --- May 2007

URL address: IRC://----/#----

Dear Sir or Madam,

Microsoft Corporation has received information that a host/domain name registered to/by your company is acting as an IRC server controlling a network of computers compromised with an unauthorized backdoor, commonly referred to as a 'botnet'. Botnets are often controlled in violation of criminal laws and commonly engage in distributed denial of service attacks or the distribution of malware without authorization.

Specifically, the following information details the botnet hosted on your network:

IRC Server Hostname: ---
Server Port Number: ---
IRC Channel Name: ---

We request that you investigate and take action subject to your Terms of Service. Since botnets typically connect to hostnames embedded in malware, you may consider redirecting the DNS entry for this hostname to an abuse site. Otherwise the person(s) controlling this botnet can simply redirect the DNS entry to another IP Address.

If you have any questions, please contact us by replying to this email. We appreciate your prompt cooperation in this matter. Please advise us regarding what actions you take.

Yours sincerely,

----
Internet Investigator

on behalf of Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
United States of America

Re:And here come the phishers....

[HTH+NE1]

My ISP has a policy to immediately cut off any user it finds running bots on IRC. A quick Google search for some of the phrases in it shows that it is a common ToS/AUP.

Solution

[LoyalOpposition]

Dear Computer Owner,

            Your computer has been determined to be infected by a malicious program that gives control to another person. Please double-click on the link to find out how to get your computer disinfected.

FBI

No. Really.

Re:Solution

[Novotny]

Where's the link? How can I click it if there's no link?

Re:Solution

[trolltalk.com]

"Gartner predicts that by year-end 75% of enterprises 'will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses.'"

Dear computer owner:

The computer industry has been determines to be infected by malicious 'analysts' who make a living out of regurgitating the same old news every year. God forbid they actually do something constructive for a change.

Re:Solution

[mr100percent]

This brings up a serious question, what would the FBI recommend to disinfect the machines? AdAware? Windows Defender? Norton?

Re:Solution

[blhack]

there is a tool i have heard of called "lunix" or something like that that is supposed to do that job.

But i've heard that you have to download it from those shady Pirate 2 Pirate networks, so its probably a virus!

Re:Solution

[A+nonymous+Coward]

Are you seriously admitting you have no sense of humor?

Re:Solution

[Faylone]

That's practically begging for a goatse link

Re:Solution

[berashith]

i read your post to see how creative a link to goatse was going to be this time.

Re:Solution

[zCyl]

This brings up a serious question, what would the FBI recommend to disinfect the machines? AdAware? Windows Defender? Norton?

Thermite.

Re:Solution

[dodobh]

This

Re:Solution

[n3tcat]

The link is here.

That's easy to do.

[khasim]

Every IP address belongs to a block that has been assigned to some ISP.

Simply find the block containing that IP address and then find the ISP controlling that block.

Now, whether the ISP is going to spend any time (time == money) on dealing with the problem is the next issue.

Re:That's easy to do.

[Distortal]

One of the easiest ways to notify someone would be for an ISP to check the FBI's list of IPs for some of their own, and redirect anyone browsing from those IPs to a page explaining the problem. You would only have to redirect them once an hour for the message to get through.

That said, they probably don't want to deal with technically incompetent customers calling to complain that someone keeps hacking their internets.

Anyone else?

[jadin]

Raise of hands for who read that as Operation Pot Roast?? /raises hand

Re:Anyone else?

chirp

Re:Anyone else?

[jadin]

You mean that was _intended_? Lame.

Re:Anyone else?

[patrikor_007]

/raises hand

I immediately imagined some sort of covert FBI pot luck.

"Victims" ?

Is the victim the person whose computer is serving spam, or the person whose computer is receiving spam?

Who is the real victim here?

Re:"Victims" ?

[BosstonesOwn]

The real victim here is the people like me who stop getting the email links on where to my Vi/-\gR/-\ cheap.

Really can't we just solve this issue by cutting off the funding ? Let's see company XXX does a back door deal with YYY to get out on spam lists. We go to company XXX and say we are fining you $500,000 a day per day until you stop spamming your crap out to the world. They move off shore then you go after the people selling the stuff to hawk to company XXX and if they go off shore you go up the chain until your done.

Cutting off funding is what will eventually stop it from being main stream. And Bot herders deserve to be processed per system they infect.

Or another approach.

[khasim]

Since the FBI can identify the machines to the ISP, it should be simple for the ISP and FBI to work together to track traffic to/from those machines.

First off, put them on their own network. Sure, this might clue the Zombie Master that something's happening, but maybe not.

Then, monitor the inbound/outbound traffic. If they're doing things like sending spam, block it. A DDoS attack? Block it.

Then work backwards to find the sites controlling the zombies.

It would probably be a LOT cheaper to do it that way than to try to get a MILLION people to clean their machines AND maintain them in the future.

Re:Or another approach.

[Nos.]

Then work backwards to find the sites controlling the zombies.
It would probably be a LOT cheaper to do it that way than to try to get a MILLION people to clean their machines AND maintain them in the future.

If only it were that simple. The problem is, there'll probably be too many jurisdictions involved. What happens when the controlling computer is in China, Russia, etc. Even if you do get the foreign government to cooperate and the controlling ISP, how do you know when it ends? How do you really know that computer isn't compromised and being controlled from elsewhere.

And even if you do finally nail one guy running a botnet, how many others will take his place? Its not like they'll be arresting guys day after day... this would take months or even years of investigation to properly prosecute a person.

Re:Or another approach.

[yuna49]

The problem is, there'll probably be too many jurisdictions involved. What happens when the controlling computer is in China, Russia, etc.

Did you read the article? The three people cited as running massive botnets all lived in the United States.

From the FBI press release cited above: "To date, the following subjects have been charged or arrested in this operation with computer fraud and abuse in violation of Title 18 USC 1030, including:

• James C. Brewer of Arlington, Texas, is alleged to have operated a botnet that infected Chicago area hospitals. This botnet infected tens of thousands of computers worldwide. (FBI Chicago);
• Jason Michael Downey of Covington, Kentucky, is charged with an Information [sic] with using botnets to send a high volume of traffic to intended recipients to cause damage by impairing the availability of such systems. (FBI Detroit); and
• Robert Alan Soloway of Seattle, Washington, is alleged to have used a large botnet network and spammed tens of millions of unsolicited email messages to advertise his website from which he offered services and products. (FBI Seattle)"

I don't disagree that the global nature of the Internet makes investigation and prosecution of such actions difficult. But there are probably enough botnet operators here in the States to keep the FBI busy for some time to come.

Re:Or another approach.

[plover]

The problem with this approach is it's borderline vigilantism.

I'd love it if ISPs would set snares for bot-infested computers, and technologically it's not hard: nobody at home-66-99-11-22.comcast.net should ever be forwarding packets from any external networks, let alone a hundred random networks a second. And some ISPs do trap that traffic and block it. But apart from DDoS attacks, what constitutes "legitimate" from "illegitimate" traffic? Connecting on odd ports to distant machines? That's how the internet works!

So the ISPs can identify them. Botnet investigators can identify some of them, too. But the computer still belongs to the owner. Neither the ISP nor the botnet investigators nor the FBI have the right to "hack into" the machine to try to fix it -- even if it would be best for everyone, even if the owner would appreciate the effort, they can't touch it unless they have explicit permission from the owner. Otherwise they're violating the law just as much as the original infector. So they will have to go to the machine owners, one at a time, and ask them to clean them up. With a million machines, and a million clueless users, that's a lot of work.

I think it would be easier to have the ISPs examine their terms of service, then reroute all traffic from any bot-infested address to termsofservice.random-isp.com and wait for their owners to complain to their ISP. Have the ISP tell the owners "Your computer is violating your Terms of Service agreement. You must fix it before we will reconnect you to the internet. If you need help, " ... blah blah blah. It would be a lot easier to contact a thousand ISPs than a million clueless users, and the ISPs would probably be more willing and able to help than the users.

This solves the problems of distributing fixes AND the legal issues. You have no constitutional right to connect to the internet, and most contracts for ISP service include stipulations against operating malicious software, which gives the ISPs the right to disconnect you for violating their TOS. It'd still be a pain in the butt, but at least it would be a manageable pain in the butt.

RIAA?

[Corporate+Drone]

From TFA:

A botnet is a collection of compromised computers under the remote command and control of a criminal "botherder." Most owners of the compromised computers are unknowing and unwitting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware.

Hmm... I didn't realize that the FBI was investigating the RIAA and their anti-P2P tactics!

RFC 1491: you CAN get an email for an IP

[artifex2004]

IPs resolve by WHOIS if they have been properly SWIPed.

Re:Botnet

[Pojut]

Wrong, wrong, and wrong. Get your blind hatred out of the way for a second, and you might realize that there are more than just windows boxes hooked up to the tubes.

All the windows boxes dissapear, so the bot-lovers would start targeting linux and OSX.

Don't think that just because there isn't a very active threat against those platforms doesn't mean that one isn't possible.

Accountability

[blhack]

I have said it before here, and i will say it again. People really need to be held accountable for what damage is caused by their ignorance. If my car comes flying through your bedroom window at 30 miles an hour because I parked it at the top of a hill in neutral, should General Motors be responsible? No.

Likewise, if i leave a completely unprotected winbox up on the internet and it gets rooted, should Microsoft be held responsible (which seems to be what some of you think)?

In both cases harm has been caused by my negligence, and i should be held accountable for both.

Re:Accountability

[Nilych]

You a valid point. Same with the suggestion that people must be licensed to drive cars, why not computers. Both are valid points, to a degree. People aren't required to be certified as mechanics before getting a driver's license. Should the average user be at least somewhat computer savvy and trained in basic usage and protections (antivirus, security updates, etc)? Absolutely. What about the botnets and various infections that occur with almost no outward sign? Even the basically savvy user isn't going to know what to do if all the rest of their software doesn't do something about the zombification. I've worked with a number of computer literate people who exercised common sense, didn't open fake bank emails, didn't click spam links, didn't download adult movies, didn't pirate, and still got a number of worms. Explaining to them the nature of the beastly Internet and the constantly-escalating arms race between botnet ops/hackers/virus programmers/spammers and Microsoft/Symantec/etc led to a nearly universal response from them: They turned their computers off. Maybe that's the safest solution, but they didn't leave theirs off for more than a few days, and I wouldn't expect any other user to do differently. People have short memories, and shorter attention spans. Car manufacturers equip cars with a wide variety of safety features. Seat belts, shatterproof glass, airbags practically surrounding the driver/passengers, anti-lock brakes, etc. So maybe there's a future in making such things for computers - both tools that help keep the user from crashing their computer, and protections to keep the user relatively unharmed when it almost inevitably does.

Re:Accountability

[swb]

What you leave out in your analogy is that bots are the result of third-party malicious action.

In your car analogy, the owner reasonably believed that when the car wasn't running, it wouldn't go anywhere and a THIRD PARTY pushed the car such that it rolled down the hill.

Ordinary users THINK that their machines aren't vulnerable and thus do nothing, which in and of itself isn't a problem until someone else breaks in and turns them into bots.

Re:Accountability

[eqreed]

That's a bad analogy. What if parked my car at the top of a hill in a bad neighborhood, leave my car unlocked, and someone else "breaks" into it and puts it into neutral. Am I still responsible?

What if I locked my doors?

What if I didn't "upgrade" my new locks to stronger more secure locks? I've seen a tow truck driver pick my door lock in seconds.

Re:Accountability

[blhack]

In your car analogy, the owner reasonably believed that when the car wasn't running, it wouldn't go anywhere and a THIRD PARTY pushed the car such that it rolled down the hill. True. I suppose that the analogy could be changed to say: "if i leave my doors unlocked, and my house gets robbed, is it the contractor that installed the locks fault?"

better?

The mechanisms to prevent your computer from getting rooted are in place. People just don't use them.

Re:Accountability

[z80kid]

Frist car psot!

Re:Accountability

[Orlando]

If my car comes flying through your bedroom window at 30 miles an hour because I parked it at the top of a hill in neutral, should General Motors be responsible?

I don't agree that this is a fair analogy. A more appropriate analogy would be that General Motors sells you a car that you believe to be the most up to date, leading model, only for it to be stolen the next day by some 14 year old oik who knows that he can open the rear passenger door just by tapping on the lock with a screw driver.

I am fed up with this attitide that it's the fault of the user who should know better. Utter rubbish. The product is faulty, pure and simple, and the fault is with the manufacturer, Microsoft in this case for making insecure software. They've known about the problems for years, and have done little or nothing to fix them.

I bought a Mac for my parents a couple of years ago. It runs OSX. Apart from a bit of help with the network settings I didn't have to do anything else to get them online SECURELY. Why is that? Because the machine comes with a firewall, built in, and turned on by default, and the OS is written with security as one of the primary goals. I have full confidence that they are now as secure as they need to be, and that if I'd bought them a PC instead the machine would be riddled with viruses and spyware by now.

Re:Accountability

[kalirion]

True. I suppose that the analogy could be changed to say: "if i leave my doors unlocked, and my house gets robbed, is it the contractor that installed the locks fault?"

better?

Quite often it's more like "If I have a standard lock on my front door and a burglar bumped it, is it the fault of the contractor for installing an insecure lock? What if the lock company issued a recall on the locks because of said insecurity?

Re:Accountability

[thejynxed]

Ask and ye shall receive:

http://blog.washingtonpost.com/securityfix/2006/03 /when_macs_attack.html

http://lwn.net/Articles/222153/

http://www.networkworld.com/community3/?q=node/534 4

http://blogs.securiteam.com/index.php/archives/304

http://www.shadowserver.org/

I can continue for pages and pages if you wish. You know, search engines are useful tools at times ;) Now granted, most of it comes from exploits in 3rd-party apps, such as Apache, PHP, SQL, etc. But...knowing this, and how there are botnets running with Apache priviledge levels.....kind of dumps that whole "don't run as root in *nix" argument right into the toilet. As long as people are people, they can be socially-engineered to offer up their passwords for whatever reason (I'm looking at you, OSX users). Relying on a popup password entry box for security is just as silly as allowing a Windows machine to sit un-patched on the internet.

I am actually quite surprised that more OSes don't have some sort of application firewalling/sandboxing built into them, instead of relying on concepts like UAC or root permissions that are worthless if all it takes to bypass them is someone typing a password into a popup box, clicking Allow (and how many people do we know that use blank or short, all alphabetical passwords, hmmmm?), or running insecure application software that is always accessible via the internet.

Re:Accountability

[man_ls]

No computer user should be required to be responsible for the maintenance and security of their own system if they don't want to be responsible for it. Computers are tools, designed to allow humans to complete tasks they would not otherwise be able to complete in a timely fashion or at all.

This doesn't mean that nobody should be responsible for those aspects, however. This is the job of professionals. I'd advocate switching to a "sanitized network" model where, in order to obtain an external IP address from your provider, you would need to be running something to the effect of Clean Access Agent that talked to whatever core routers they had set up. Build a version for Linux, OSX, etc.

Forcing more responsibility onto people who aren't apt to handle it is not the solution to the problem. The solution is to leverage the development of technology in this regard to let a handful of people maintain the security of everyone on their network, even at a distance.

Re:Accountability

[wilec]

"If my car comes flying through your bedroom window at 30 miles an hour because I parked it at the top of a hill in neutral, should General Motors be responsible?"

If you are going to use a car analogy here at least make it accurate. If the car indicated it was in park but was really in neutral, the entire industry including the manufacturer and yourself knew the shift indication mechanism was unreliable then I would say both you and the manufacturer should be liable for damages.

"Likewise, if i leave a completely unprotected winbox up on the internet and it gets rooted, should Microsoft be held responsible (which seems to be what some of you think)?

In both cases harm has been caused by my negligence, and i should be held accountable for both."

There are three parties that should be held responsible for this situation, A: The cracker thief that rooted your box, Microsoft for selling defective software, AND you for not taking action to correct the situation.

Now the real question is just how would YOU prefer to see the liability for damages divided. In an perfect world the cracker would be caught and forced to make full restitution for all damages. But lets stay within the confines of your car analogy where there was no primary or actionable party only the accessory or supporting parties. In such a case with your 'winbox' that leaves YOU and Microsoft.

If you are a windows networking tech guru I would agree that you have committed a act of omission in you responsibility. However for your pop, granny or other non tech expert whose windows networking skills are at a level less than your own, the level of responsibility cannot not be the same.

As for Microsoft who portray themselves as the tech gurus of all time, indeed as the technology saviors of the western world but continue to knowingly go to market with a defective product I see the same or higher level of responsibility as for you the guru. So I will agree that there should be accountability for the parties at fault here. I just can't see how you think Microsoft should not be held accountable for their omissions.

This is not to say I wish to see a legal quagmire where every possible omission by Microsoft or anyone else is acted upon with a judicial sledge hammer, this would be horrible for the progress of technology. What I would like to see are a few things like: The honest appraisal of Microsoft products by the pundits, which at least seems to be getting better as the products get worse relative to the alternatives. Real legal action on the monopolistic commissions by Microsoft, Exxon, BP, AT&T, the MPAA, the RIAA and others like big pharma corps. Cleanup in goverment agencys like the USJD, FCC, FDA, and especially Kellogg Street lobbyists.

What I would like to see more than anything is for people to pull their heads out of thier asses and see what is being done to the world, especially to and by this nation, and then that they should vote in an informed manner with both thier ballot and pocket.

Wabi-Sabi
Matthew

Re:Accountability

[DeadChobi]

Wait, secure access agent which is similar to Trusted Computing? Why don't we just repurpose TC to its original purpose which was to allow the user hardware-level control over what is and isn't allowed to run on their computer?

Re:Accountability

[blhack]

so how about if i go out and buy myself a shiny new race car. I have NEVER had to handle a car with that much power, so i end up ramming it into a farmers market.

The car is not defective in any way, so long as you have the skills to operate it.

I should be held responsible for being a jackass and buying a race car.

Granted, windows == race car is not a very good comparison, but I still think that it works for the analogy.

Re:Accountability

[wilec]

"so how about if i go out and buy myself a shiny new race car. I have NEVER had to handle a car with that much power, so i end up ramming it into a farmers market."

A race car and a farmers market? A 'race car' is built for a 'race track' not a public thruway adjacent to a farmers market. A 'race car' is not able to be licensed for operation on public roads. Now if you mean simply a 'high performance car', yea it seems to me that you simply acted in a reckless manner.

"The car is not defective in any way, so long as you have the skills to operate it."

So do you mean to imply that Windows is not defective in any way as long as you have the skills to operate it? My view is that sufficient skills in using an operating system allow one to circumvent or otherwise negate the defects that are inherent in ANY of them, especially in Windows. In fact the closed source nature and the excessively applied license restrictions on circumventions of the limitations in Windows interferes in ones ability to negate the defects that exist in all operating system code, again especially in Windows.

"I should be held responsible for being a jackass and buying a race car."

No you should be held responsible for operating a 'race car' on a public road and/or possibly reckless operation of the vehicle.

"Granted, windows == race car is not a very good comparison, but I still think that it works for the analogy."

Yea and I don't think it is an especially apt analogy either. Again I am not arguing for direct legal liability for Microsoft or any other software developer in respect to the security or reliability of the code in a consumer use area like desktop/internet functions. And yes I also believe that the user of such software is to some degree responsible for its proper operation. My view is that the whole industry, marketing or development houses and those that review them should be more responsible in what they promote, produce and how they review these products.

I would much prefer an honest market driven demand determine the direction of this technology than some horrible legal quagmire where we all lose. The technology of both computer hardware and software is in its infancy. We have much to learn and legal methods of interference in this process need to be mostly contained to the conventional aspects of the business. There is no such thing as perfect code and probably never will be. To be too aggressive in the requirements concerning its reliability would be a mistake that could bring the advancement of this technology to a halt. The same type of mess that can be seen today in regard to areas like patent and copyright issues. What can and should be done is to actually apply the existing legal framework to the marketing and business aspects of how these companies are run.

What ticks me off is the dishonest manipulation of the market with misinformation and disingenuous legal bush wacking. I see more of this type of behavior coming from Microsoft than anyone else. And BTW I was quite the Microsoft fan at one time, that is until I got bit by misinformation one time to many. The case that broke it for me concerned issues of scalability and reliability of the the MS Jet database engine implementation in MSAccess. I don't wish to see Microsoft gone, ruined or any such nonsense. I would like to see this party crashing 800 lb gorilla of a corporation legally tranked and caged until it can learn to enjoy the party with the rest of us in an honest and civilized manner. And as I noted in my other post they are far from the only corporation that needs a good judicial bitch slapping, maybe not even the one in most need of it.

Wabi-Sabi
Matthew

Yes, and never forget Gartner predicted...

[dpbsmith]

...that OS/2 would be the dominant operating system by, IIRC, 1993 or thereabouts.

I just did some Googling on things like "bad Gartner predictions" and "missed Gartner predictions" or '"Gartner predictions" scorecard' hoping that someone had tried to keep tabs on them, but found to my disappointment virtually no relevant hits. Everyone discusses them in the months after they're released, nobody seems to check back even as recently as a year.

Of course, with predictions like these for 2002... "During 2002, leading-edge businesses will exploit application integration to generate business innovation...." how the heck would anyone ever figure out whether or not it was fulfilled?

I can't believe people pay Gartner for this stuff.

Re:Yes, and never forget Gartner predicted...

[Doctor+Memory]

I can't believe people pay Gartner for this stuff. Heh, pick up a copy of anything by Tom Peters or his ilk. People who buy those books also pay money for Gartner analysis reports. At least Tom Peters came right out and said that he had no idea what he was talking about when he wrote his first book. I think it's going to take a lot of people screaming "The analysts have no clothes!" (clues?) before people start questioning Gartner, though.

Re:Yes, and never forget Gartner predicted...

[PPH]

I can't believe people pay Gartner for this stuff.

They almost have to. Its a CYA tactic. If you do something stupid and you don't have a Gartner recommendation to back you up, you catch the blame. If you can back it up with a report, you can blame it on their bad advice.

I used to love the Gartner (and other analysts) material. I could always find something to back up my decisions.

Re:Yes, and never forget Gartner predicted...

[AncientPC]

Gartner Group predicts IBM losing control - research firm questions IBM's marketing strategy for OS/2

****GARTNER GROUP PREDICTS IBM LOSING CONTROL 04/18/91 STAMFORD, CONNECTICUT, U.S.A., 1991 APR 18 (NB) -- Gartner Group predicts that IBM will not be successful in its efforts to encourage a majority of users to migrate to OS/2. The information technology industry research, analysis and consulting firm says that by 1995, OS/2's market share will only be half that of Windows. The prediction is based on a recent personal computing conference held by the Gartner Group.

Off topic, I just found out that even if you preview a post with HTML tags as "Plain Old Text" it still renders the HTML tags properly. On the other hand, regular text still works fine in "Plain Old Text" mode so why isn't this mode used as default?

Re:Yes, and never forget Gartner predicted...

[cswiger]

Off topic, I just found out that even if you preview a post with HTML tags as "Plain Old Text" it still renders the HTML tags properly. On the other hand, regular text still works fine in "Plain Old Text" mode so why isn't this mode used as default?

It's actually a per-user preference.

Click on Preferences from the top nav bar, click on Comments, look down for "Comment Post Mode" to change the default mode that your posts are sent out as. And yes, if you use normal HTML tags from the "allowed" list, then your browser will typically interpret those even within posts sent as "Plain Old Text", but might screw up things like greater-than and less-than signs, too.

Re:Botnet

[DragonWriter]

Botnets were never a problem until Microsoft Windows became ubiquitous.

Windows was ubiquitous long before botnets became a problem.

Botnets became a problem as full-time internet access by unsophisticated home users became more ubiquitous, and Windows was the primary target because it was the main OS used by the targeted users. If there had been a Mac OS or Linux monoculture instead, people would have been tricked into install malicious software on those platforms instead.

Microsoft Windows, please stand up

[toby]

It's amazing people still write headlines and article summaries without mentioning the enabling technology in question.

When the monopoly is finally busted, I guess it will no longer be implicit that "We're talking about Windows, of course."

Re:Microsoft Windows, please stand up

[Monkeyman334]

Yeah man, M$ is so slow at sending out patches, and even if they do make the patch, it doesn't mean people are going to download them. If they had just created it right from the start, they wouldn't have to do the crappy whack-a-mole. When is M$ going to fix their OS? Oh, 5 months ago? Oops...

Re:Accountability -in closed source?

Step 1: MS makes a flawed product, even after all patches and security advisories are followed.

Step 2: We (et all) are unable to make the product better, due to closed source.

MS has the only means and thus sole responsibility to improve their product.
Therefore, the user cannot be held liable for MS flaws.

Step 3: Sue the big red M for negligence, damages, and force them to release the source.. (not cracked yet?)

Step 4: Profit. No, really. They will settle.

It's good to see the FBI getting a clue.

[twitter]

That they are looking into the problem is a good start. Gmen reading are advised to consult with the Honeynet Project and regard vector vendor "help" with suspicion. It would also be nice to see them call a spade a spade and abandon the false OS neutrality that keeps them for doing so. This is a Windows problem and the relative risks should be published. Otherwise they are lying to us and keeping information we can all use locked away. Most importantly, though, they need to clean their own house.

Re:It's good to see the FBI getting a clue.

[dedazo]

This is a Windows problem and the relative risks should be published.

I don't know what "the relative risks" means, but since none of my Windows machines are in a botnet, and there are millions and millions of them that are not, this is not a Windows problem. It's a basic user education problem. Windows may have more attack vectors than other OSes, but that doesn't mean they are not known or are impossible to avoid. Simple common sense goes a long way. People get infected with botware because they download things they shouldn't or don't bother to keep their machines up to date by turning on automatic updates so they don't have to worry about anything.

If you think one chmod +x is an insurmountable obstacle to turning your shiny Linux or OS X box into a bot, remember that people get infected by executables in password protected ZIP files and that all of the most massively distributed worms have all required significant user intervention to propagate. Maybe one of these days you'll inherit 800 million completely clueless users, and maybe then you'll call it a "Linux problem"?

Re:It's good to see the FBI getting a clue.

[dodobh]

since none of my Windows machines are in a botnet,

That you know of.

Re:Botnet

[rob1980]

Yeah, and botnets were never a problem until the internet became ubiquitous, too.

Let's blame the internet!

Think globally, act locally.

[khasim]

The problem is, there'll probably be too many jurisdictions involved.

And ... ?

There isn't any way to shut down all of the zombies. But our government CAN act to shut down the zombies here.

What happens when the controlling computer is in China, Russia, etc. Even if you do get the foreign government to cooperate and the controlling ISP, how do you know when it ends?

First off, there is NOTHING stopping our FBI from contacting law enforcement agencies in Russia or China. They may not help, but then again, they may help.

Then, you track the traffic back from that machine. And from the next machine. And from the next machine.

How do you really know that computer isn't compromised and being controlled from elsewhere.

Simple. The commands have to come from somewhere. You can monitor all inbound and outbound connections. That will tell you what machines that machine is communicating with. You just keep checking each of those to see whether the trail continues or ends.

And even if you do finally nail one guy running a botnet, how many others will take his place?

A lot. So?

Do we stop arresting criminals just because other criminals will perform the same crimes?

Its not like they'll be arresting guys day after day... this would take months or even years of investigation to properly prosecute a person.

Not really. There's no reason why it would take more than a week. If the zombies are not receiving commands, then they're not sending spam or doing DDoS attacks. In which case, the problem is already solved.

If they are receiving commands, then you've just gotten another link. Maybe more than one link.

In the meantime, the ISP's are limiting the damage caused by those zombies.

Re:Think globally, act locally.

[Knara]

Not really. There's no reason why it would take more than a week. Doesn't seem like you are all that familiar with the realities of red tape and bureaucracy, not to mention cost-benefit ratio for something like that.

Re:Think globally, act locally.

[mikael]

Simple. The commands have to come from somewhere. You can monitor all inbound and outbound connections. That will tell you what machines that machine is communicating with. You just keep checking each of those to see whether the trail continues or ends.

Some Bot's were known to listen to IRC chat channels to receive commands. You then need to find out the ISP controlling the server. Then you have to find out the originator IP address of the person who sent out the commands. I wouldn't be suprised if they encrypted the commands as well.

Re:Think globally, act locally.

[hesaigo999ca]

On slight problem, is that you are ruling out about 80% of the botnet population who have taken this one step further. If your IE is compromised using port 80 would not show up as any devious traffic...
hell I could post a webpage with encrypted data inside a picture and it would be
looked at by a ghost IE running in the background...hence the only traffic you would see is the page being downloaded while YOU are viewing the internet...showing up as regular traffic. Once decrypted, the actions decreed by the webpage tell your machine to do something...and hence again all the spam is sent...unless like me you block outlook and smtp all together!

The advice they are giving home users.

[twitter]

The advice given to home users (and this) is clearly Windows specific, even though Windows is not mentioned. They go through the usual laundry list of things which are failing corporate users, firewalls, "patches", anti-virus and so on and so forth. Way down in the glossary is a mention of "Linux" linked to the "webopedia".

As I said before, these are important first steps. The information presented may be useful to novice computer users, but it's incomplete because it does not include some of the most effective options. We can only hope they follow up on this start.

Re:Botnet

[jfengel]

Not only possible, but some nifty new avenues, too. What a coup to slip a bit of malicious code into the code base of some important open-source project that accepts contributions (which is one of the big wins of open-sourced software). Obfuscating holes is so much easier than trying to get a buffer overrun to do more than crash the program (even if you have the source).

Re:Botnet

[dc29A]

Wrong, wrong, and wrong. Get your blind hatred out of the way for a second, and you might realize that there are more than just windows boxes hooked up to the tubes.

All the windows boxes dissapear, so the bot-lovers would start targeting linux and OSX.

Don't think that just because there isn't a very active threat against those platforms doesn't mean that one isn't possible.

I think you are wrong, well at least in part. Windows is a big bot problem. The main reason is because everyone and their dog runs Windows as administrator. It is much harder to root a Linux/Mac machine because those users don't use their PCs as root/administrators.

Re:Botnet

[Knara]

If Windows or OS X had 90% of the desktop market, the same users that currently click "Okay" or "Yes" on everything would be entering in their root/admin password for those OSes. It's about social engineering at that point, not necessarily the technical merits of the OS itself.

Problem between keyboard and chair

[athloi]

While I am fond of the users I support, I find it takes a lot of education to get them to stop falling for the most common scams: funny email attachments, phishing, and phone calls asking for their credit card numbers. They're not stupid people. They're just a little clueless and disconnected from a world that, quite frankly, bores and intimidates them.

I would like to suggest that, whatever operating system we put on the desktop for the average person, there be some initiative to educate them in best practices computing, even if only for the 4-10 common tasks (email, websurfing, games, mp3s, pr0n, quicken, word processing) they will use. I volunteer to design and write the curriculum if there's some rational initiative to get it out there to the human herd.

Re:Problem between keyboard and chair

[Truesilver]

"...and our next lesson will be: The proper way to download pornography...admit it, everyone does it..."

My conspiracy theory

[A+nonymous+Coward]

A. Everyone "knows" that the NSA is doing its utmost to listen to all internet traffic.

B. It would do the NSA no good to listen to everything without filtering out the 99.999% which is irrelevant. Ergo, they must have pattern filters.

C. Botnets must be a big part of the filtered traffic.

D. NSA must be aware of botnets, their patterns, their control channels, their zombie elements.

E. Yet botnets continue.

F. The NSA must want them to continue unmolested.

The NSA knows how botnets work, and could hijack them at any time. The only reason to do so is to keep them in reserve for their own use.

I suggest the NSA would hijack botnets for counterattack if the US nets were attacked by another country.

That's my conspiracy theory, I hope you like it.

Re:My conspiracy theory

[Hoi+Polloi]

Maybe the NSA systems are part of a botnet too!

Re:My conspiracy theory

[A+nonymous+Coward]

OMG I hadn't thought of that .... one botnet to rule them all. Or maybe all the botnets got together to share the NSA botnet so none of them could take over all the others.

Criminy thsi is skk k kk ary.

Re:My conspiracy theory

[rthille]

Yeah, from what I've seen of day-to-day Government competency, I'd imagine most of the NSA machines are part of botnets.

Re:My conspiracy theory

[charlesnw]

Um no. What you see as a frontline consumer of government services (ala DMV/IRS) is nothing like what you would see if you had the appropriate clearance and access to the backend portions of both agencies directly serving the public, and the national security establishment. Government security for classified systems (and backend systems that handle non classified data) is incredibly well thought out and executed.

Re:My conspiracy theory

[jamar0303]

And this "incredibly well thought out and executed" security is only applied to the backend because...?

Re:My conspiracy theory

[Adambomb]

The more who know how it works, the more likely it is to be compromised?

The assets required in terms of hardware and manpower are too costly for wide scale implementation?

Government agencies and hierarchies do not tend to play well together, so perhaps office a threw a hissy fit over office b demanding certain protocols be restricted to certain levels of access?

lots of possible reasons.

Re:My conspiracy theory

[rthille]

Well, I wasn't really being serious, and I'll bet the NSA has some really bright people working there, but from my days contracting to the Navy on F-14 software, I'd say that the best and the brightest in the country are not all working on 'secret' classified projects. "Top Secret" maybe, but not on 'secret' stuff.

Re:Botnet

[Knara]

Sorry I meant "Linux or OS X" not "Windows or OS X", though if you take it to mean "Regardless of whether Windows or OS X have 90%..." then it kind of works ;)

Re:Botnet

[Pojut]

Harder doesn't mean impossible.

Not to mention it presents a situation where people shift from one OS to another.

The OS they use doesn't matter. PEBKAC still applies, and will ALWAYS apply because people are generally fucking stupid.

I thought I knew what I was doing too

[elrous0]

I thought of myself as an expert until a few months ago. I have good antivirus/malware software, only use Firefox, never do stupid things like opening attachments with executable extensions, etc. Hell, I even have a wired network in my house to protect against wardrivers.

Then a few months back I get word from my credit card company that someone had hacked into my account online (using my username and password), changed my billing address to someplace in NJ, then proceeded to try to charge a bunch of stuff on the account (luckily the CC company caught on to them and locked it down). I couldn't figure out how they did it.

Then a few months after that, I started to notice my computer acting strange. My router would be showing HEAVY activity even when I wasn't doing anything and Windows wasn't downloading updates. Eventually, I realized that someone must had botted my computer (still don't know exactly what they were up to, but I'm sure it involved sending out letters from an innocent Nigerian official just wanting people to help him transfer some money). That's how they got my account info for my credit card.

Anyway. I wiped the whole system clean (even tried out Linux for a while, but didn't care for it) and now the problem is gone. But it still makes me nervous as Hell. What drives me crazy is that I can't figure out how they did it. But, as a hacker friend once said: If it's on a network, it can be hacked--period.

Re:I thought I knew what I was doing too

[PitaBred]

Oohh, oooh, analogy time!

"I accidentally got my girlfriend pregnant by pulling out too late. After giving the kid up for adoption, we tried using a condom, but I didn't care for it, so now I'm back to pulling out, and hoping she doesn't get pregnant, because I really don't know what happened the first time."

Re:I thought I knew what I was doing too

[Intron]

What mail client do you use?

As the magic 8-ball says: "Outlook not so good"

Re:I thought I knew what I was doing too

[Bearhouse]

Yup, seems the only thing to do is to keep your data on another physical / logical drive and reinstall frequently.

I do it once a month.

Slipstreamed and updated DVDs (keep up to date by using a Linux partition / virtual machine) ease the pain.

Oh, a decent firewall (not M$) helps too... You'll (probably) spot the nasty stuff trying to get out.

Before the 'use a virtual machine to surf' fanboys jump all over me - yeah, I do that too...

Re:I thought I knew what I was doing too

[crabpeople]

You didnt whipe your computer when you found out your online bank account was hacked. wow.

This is why there will always be botnets out there. People like the parent that just dont care.

Re:I thought I knew what I was doing too

[bill_mcgonigle]

only use Firefox

Do you use NoScript? There have been some Firefox vulnerabilities of late, and everything has zero-days in it.

You also don't mention your firewall/NAT setup. I assume you know one doesn't run a Windows machine naked on the Internet.

Re:I thought I knew what I was doing too

[camperslo]

Many reasonably well managed Windows machines still get hit. It is also possible to be infected with something not detected by standard antivirus programs, or by something that does not currently show any obvious side-effects. To lower risk as far as possible, avoid using any Windows machines for browsing or accessing any internet applications.

If you must access the internet from a machine on the same network as a Windows computer, consider doing so only from one running another OS. Use of browser plugins to restrict browser use of javascript, JAVA, and Flash to only essential sites that need them reduces the number of possible areas of exposure. A "fired if caught using Explorer" policy helps but isn't enough since all browsers will have some vulnerabilities on any platform. It is best to use a machine with as little data as possible on it.
An old Pentium III with 256 MB or better RAM can run and browse fine from a Ubuntu CD (known as live mode). A fast optical drive matters more than CPU speed when it comes to the bootup time. No hard drive is needed. Many PCs now commonly sent to thrift stores and recyclers are adequate for this. Where I am such systems sell for about $5. U.S. A months' energy use could cost more than the hardware. A Pentium III system will generally use much less energy than most Pentium IV systems, so those are best avoided unless you really need the performance for something else. Use basic onboard video or video cards if possible. Gaming-class cards are energy hungry.
With a live-cd booted system if something hostile does gets into memory, it'll be gone when you reboot. An infection present under a different OS is also less likely to spread to other machines also inside the firewall.

Of course you can dual boot or use live cd mode from a machine that is also occasionally used for Windows.
If your firewall supports blocking specific machines from the net, it is best to lock out the Windows machines or at least restrict the ports with access. Depending on your application, Macs may also be a good option. If the hardware cost is slightly higher (which is not always the case), bear in mind it may still be offset by savings from not having to buy and maintain antivirus utilities, or do frequent rebuilds of contaminated systems.

I'd like to find good email clients that can be forced to run in text-only mode. That'd avoid any email exposure to browser-type vulnerabilities and privacy issues like web-bugs (or web beacons as Yahoo likes to call them).

Much of what remains involves user behavior. Most users should not have access to systems that allow installing anything without an admin password. Even Mac users would be wise to add/use accounts with reduced permissions.

Our carbon-dioxide buildup routine may eventually eliminate the problems brought by the current two-legged carbon-based life form infestation, but disinfecting the global environment is a slow process.

Re:I thought I knew what I was doing too

[dsmall]

I usually have an old Linux laptop running tcpdump on a hub with all the computers on my home network. It scrolls and scrolls, but over time a certain pattern develops. When only one machine is on, the pattern is one pattern, generally Comcast saying, "Who's Online?" every few seconds. When surfing the Web and pulling up WWW pages, lots of activity, and so forth. The point is, it's a lot more *visual* information than a blinking router light.

Now if I wander by at 2 AM and one idle machine is on, and there's lots of activity, that's generally bad. (If I wasn't so lazy, I could FIFO the data and record people trying to break in. But the truth is, I'm that lazy.)

Couple of things --

Remember, ya have to use a hub, not a switch -- switches don't let the data get to the laptop. It's getting harder to find hubs. (Yes, you sure could shoot the data through the laptop, if you have two network interfaces).

I tried to interest a local TV news guy in the story about botnets, basic theme: don't plug your computer into the Internet until its firewall was turned on, or you're screwed. It got shot down at the story meeting "by their IT guy". This was two years ago. *sigh*

I wonder if I should email him with the FBI story and ask him to forward it to his all-knowing IT guy...

Thanks,
Dave


p.s. Is a Linux laptop a GNU/Linux laptop? Or a Linux GNU Laptop? Or a Linux Lap GNU Top? Or ...

Re:I thought I knew what I was doing too

[DeadChobi]

If you're running Windows, just use DeepFreeze. Reimages your hard drive every login.

Re:I thought I knew what I was doing too

[elrous0]

No, condoms don't have trouble recognizing my video card.

Re:I thought I knew what I was doing too

No, condoms don't have trouble recognizing my video card.

Whoah! What kind of a video card do you use?!

Re:I thought I knew what I was doing too

[macdaddy]

What is this girlfriend entity that you speak of?

You must be new here.

Re:I thought I knew what I was doing too

[Walter+Carver]

I am a Linux advocate but Linux isn't a panacea. It's trivial to send a file that will simply display a gksudo prompt and screw the system.

Re:I thought I knew what I was doing too

[Walter+Carver]

ASUS's site, asus.com, has been hacked to use the animated cursor exploit. You don't have to visit a warez or porn site, any other site will do.

Tools for checking for Bot activity

[orb_fan]

So what tools are available to check for bot activity on your network? From what I've read, it seems to be to monitor port 6667 (IRC) for non-human readable text.

Re:Tools for checking for Bot activity

[codepunk]

iptraf is the one I use most often...I doubt the %75 percent figure I find it closer to 95% of the networks I have
inspected are owned.

Re:Tools for checking for Bot activity

[charlesnw]

I am curious as to the source of your number here (95%). Is this just an off the cuff number, or do you have some sort of metric based tracking you use in your investigations? Also you don't give any information about the types of companies you are investigating. Or how many you have looked at.

For all I know, your some 22yo who has done a security audit at a couple mom and pop shops. (Not that I have anything against 22yo as thats how old I am). I just happen to have quite a bit of experience and versatility for my age (see my website and resume or talk to anyone who uses Linux in the SoCal area).

Re:Botnet

[secPM_MS]

This is not a MS specific issue. An attacker can run a perfectly good botnet from a user-level compromise of an internet facing application. You don't need a system compromise. Given the difficulty of writing secure browsers and the easy with which a significant fraction of the public can be induced to click on links, there will always be a vast number of user-level compromises available. Look at the patch data for browsers, let alone OS's. Apple has been having to do more security patches than MS.

Due to its ubiquity, MS is attacked much more than other systems, but the assumption that other systems are by default more secure is a statement of belief, not fact. How is your system configured? It makes a big difference. MS systems can be configured for many different security environments. The locked down deployments are very secure (their intended usage is Department of Defense deployments, etc). Wide open rich functionality client deployments are more functional, but less secure. The same tradeoffs exist in the Linix and BSD worlds. The current CERT and related vulnerability databases do not show that the *nix world has a clear superority over current comparable Windows products.

Web 2.0 is all but identical to cross-site scripting as a feature. The vulnerabilities here are so pervasive that users have virtually no way of protecting themselves if they want to have the rich web-based functionality. This is not MS specific.

Re:Botnet

[99BottlesOfBeerInMyF]

All the windows boxes dissapear, so the bot-lovers would start targeting linux and OSX.

That would be just fine. You see, the main reason Windows is not secure against these worms is because it is not profitable for MS to make Windows that way. Why would they bother? A worm makes your machine unusable. You throw the whole thing in the bin and go look for a new one. Everything in all the stores you look comes bundled with Windows. You buy an Acer with Windows and hope it is better than the last one, because as an average user, you assume the free market is operating and if there were better options, they'd be in the stores. MS's failure has made them money, not lost them money. Why would they want to change that?

When bot lovers start targeting Linux and OS X they'll find slightly harder targets for the most part, but not enough to make a huge difference. The real difference is what happens next. Instead of sitting on their hands Linux and OS X developers start making real improvements and soon that 99% of the low hanging fruit is gone and botnets are back to being a minor annoyance and fighting a constant battle against OS providers instead of being ignored by them. Why you ask? Because since Apple doesn't have a monopoly and Linux is a project that can never wield monopoly influence more or less by design. Both of them will need to offer security to compete with one another.

The insecurity in the desktop OS market is not directly because of Windows, it is because the market is monopolized, thus innovation in that market is no longer motivated by normal, free market economics. It's like a socialist run industry. Basically it sucks and innovation is not motivated by making customers happy in exchange for money, but by figuring out how to gouge them for more yet and take over a different market. End the monopoly and botnets will go away.

Are They Allowed To Do This?

[Bob9113]

Is the FBI allowed to do this? Did they get special dispensation from the RIAA and MPAA to work on a project that appears to be completely unrelated to copyright infringement?

Gartner

[codepunk]

Gartner predicts that by year-end 75% of enterprises 'will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses.'"

I think they are full of it, I am willing to bet with a linux box jacked into a mirrored port in the core that I can find bots and malware on more like 95% or better of windows based enterprises. There is not a network I have looked
at in the last two years that is not owned, botted etc in some fashion.

...none of my Windows machines are in a botnet

[Larry_Dillon]

As far as you know ... none of my Windows machines are in a botnet ;-)

Re:getting a clue.

[Macthorpe]

You are a busy bunny!

I'd believe you if you were running some other software to monitor your network activity, but that's beside the point. Nice assumption, but the parent didn't say he wasn't running a network monitor. Considering I trust dedazo's opinion more than your clueless rantings, I would assume he is.

I think they have vastly underestimated the problem, that botnets are entirely Windoze driven and that most of the steps taken by people like you are ineffective Have you ever heard of Q8bot or kaiten? Probably not, but they're Unix/Linux flavoured bots. So much for your 'all botnets are Windoze' FUD.

None of these things is really effective Even though two of them are labeled as "Excellent anti-leak protection", and Comodo managed to pass every single test they tried? Where did you pull that 'fact' from?

using Microsoft's auto-update is the surest way to have your computer broken. More Grade A bullshit. Auto-Update has not broken or even affected any of the machines that I have built for various friends, family and others. None of them.

Free software welcomes the people you and M$ despise It's only ever you that talks about 'hatred' and 'despising' users. Something you want to share?

Why not simply list them as viruses?

[BobMcD]

If bots are the new viruses, why not let the established tools treat them as such? Can't the FBI just turn the entire codebase over to Symantec, McAffee, etc, etc, etc? Seems like this would help a lot of people in the short term...

Or, if this is already being done and the users aren't using any kind of AV software, I would think they have chosen this route, have they not?

Would the study then be saying that 75% of companies aren't using up-to-date virus software? Or even 95% as a poster above suggests? I'd think the reverse is more likely, that AV is being run, but isn't effective at detecting the botware.

Stuff like that already happens

[billstewart]

Usually it's pretending to be from Microsoft or AOL or your ISP or McAfee (though some of the mail I get claiming to be from McAfee is because I'm using a different anti-virus product at home this year :-) So the FBI is another authority that scammers can tell the gullible that they're working for.

If enough different authorities get forged, maybe the gullible will believe them less often...

Re:Stuff like that already happens

[cibyr]

Or if everyone used SPF, it wouldn't be a problem. And it's not like it's very hard to set up either...

Not Sure what's Worse

[MrCopilot]

Finding out that my PC has been Zombified, Or the FBi informing me they found my PC zombified.

They didn't say that's *all* the zombies

[billstewart]

They said they'd found a million of the things - they weren't claiming to have caught all the zombies in the country or world. It's a good start, especially if they can get them cleaned up and watch for attempts at re-infecting them. It may be the low-hanging fruit, and they busted a couple of the zombie operators, which is good.

Of course, busting the operators also means there'll be some thousands of zombies out there who are waiting for Master to tell them what to do next, and some of them may get exploited by other people. But it's still a good start.

Re:They didn't say that's *all* the zombies

[philpalm]

All hail the bot-ridden overlords with their poor security systems..... For they provide the perfect patsies for spam and future jobs for all the internet protection rackets.

Re:Botnet

[Skrynesaver]

Unix and Linux machines may not be as plentiful, they are how ever high net worth targets, granted CS students run Linux on a home made boxin their bedroom, however large institutions run Unix and Linux on their servers and store data of real value on them, the reason windows boxes are targeted is that they are the low hanging fruit, relatively easy pickings

Linux bots, seldom seen.

[twitter]

Irritating Windoze defender, Macthorpe, pretends there's a GNU/Linux botnet problem:

Have you ever heard of Q8bot or kaiten? Probably not, but they're Unix/Linux flavoured bots. So much for your 'all botnets are Windoze' FUD.

Well, no, I had not heard of such things. Ever helpful Macthorpe even offered a link to tell me why I don't hear about such things. They are listed under this heading:

Besides these three types of bots which we find on a nearly daily basis, there are also other bots that we see more seldom. Some of these bots offer "nice" features and are worth mentioning here:

In the description, they note they have yet to find the mechanism of spread. A reasonable person will conclude that Botnets are a Windoze created problem and not something to worry about. After all, study after study shows the average time it takes to break a Windoze box is on the order of minutes, but a GNU/Linux box will last for months out of the box. A paranoid person will wonder if M$ has not honeynetted honeynet themselves with bogus infected GNU/Linux machines.

Re:Linux bots, seldom seen.

[Macthorpe]

No, actually, a 'reasonable person' wouldn't conclude that when the article actually states:

Q8 Bots
Q8bot is a very small bot, consisting of only 926 lines of C-code. And it has one additional noteworthiness: It's written for Unix/Linux systems. It implements all common features of a bot: Dynamic updating via HTTP-downloads, various DDoS-attacks (e.g. SYN-flood and UDP-flood), execution of arbitrary commands, and many more. In the version we have captured, spreaders are missing. But presumably versions of this bot exist which also include spreaders.

Emphasis mine.

So these 'reasonable people' who know far more about computer security than you ever will actually assume the exact opposite of what you do. Nice try at misrepresenting the linked document though, you almost got me there.

A paranoid person will wonder if M$ has not honeynetted honeynet themselves with bogus infected GNU/Linux machines. No, not even paranoia stretches that far.

Irritating Windoze defender If that's a label that I apparently have to assume to tell the truth around here, then I'll take it with gusto.

Re:Linux bots, seldom seen.

[dedazo]

Irritating Windoze defender

http://plover.net/~bonds/adhominem.html

Re:Linux bots, seldom seen.

[HiggsBison]

>>A paranoid person will wonder if M$ has not honeynetted honeynet themselves with bogus infected GNU/Linux machines.

> No, not even paranoia stretches that far.

This is the same Microsoft who introduced a rigged demo into evidence in a court of law. Publicly traded corporations are inherently sociopathic. Bill Gates and Steve Ballmer have been known to display sociopathic behavior. They are not about making money so much as they are about winning at all costs. Open your reasonable, rational eyes a bit and adjust your level of paranoia accordingly.

Re:getting a clue.

[dedazo]

I'd believe you if you were running some other software to monitor your network activity

You seem to know a lot about my setup. Perhaps you'd like my IP address to see what you'll find between my boxes and the interwebs? You might be surprised. And as long as we're all having fun proving negatives and questioning each other's network and security expertise, how about you show me proof that your Linux boxes are not rooted?

I think they have vastly underestimated the problem, that botnets are entirely Windoze driven

We've been through this before. No one is contesting that the vast majority of machines in botnets run Windows (oh, "Windoze", HAHAHA!). But the implication that all botnets are completely made up of nothing but Windows machines is a lie that is easily debunked. In fact it has, but you conveniently choose to ignore that.

using Microsoft's auto-update is the surest way to have your computer broken.

Wow, we're in full-fledged FUD mode now!

Free software welcomes the people you and M$ despise

If free software is populated by pathological liars, psychotic haters and FUDsters like you, I'd rather they just stay with "M$ Windoze". Freedom at the expense of sanity is no freedom at all.

And dont forget....

[nurb432]

Once you are a member of a botnet, you have been compromised and could be sharing your music files and never even know it..

Hear that RIAA? Millions of people .. Millions.

Who are you?

Does Microsoft pay you to discredit free software and open source?

Found your problem

[symbolset]

... and Windows wasn't ...

It's right here.

... I wiped the whole system clean ...

That's a good start. If you're going to insist on using Windows, wiping and reinstalling on a regular basis is a must. I recommend at least annually. More often if you use Yahoo search, flash games or shareware. If you use AOL or MSN and chat or IRC, you may as well boot from the Windows install CD each day.

Getting it set up the way you like it, and creating an "image" file of that setup with Symantec Ghost or something like it makes the process a lot less painful.

Or you could try actually solving the problem, but I note from your post you don't care for that answer for some non-specified reason.

If you do ecommerce from a platform you know to be insecure, don't expect everyone here to lobby for legal solutions to your technical problem.

Re:Found your problem

[ozmanjusri]

If you're going to insist on using Windows, wiping and reinstalling on a regular basis is a must.

From TFA

Microsoft and the Botnet Task Force have also helped out the FBI. It's nice to see Microsoft hasn't taken sides on this issue. They're helping the FBI too.

Re:Botnet

[PitaBred]

But they don't run RPC services listening to the world running with administrator privileges on OSX/Linux, unless you configure it that way. The problem is that with Windows, the hurdles are exceptionally low. With Linux/OSX, they're higher. Not insurmountable, but more than trivially annoying, which will severely limit the impact and expansion of a botnet. And if you don't have enough bots, you don't have much of a net, so the whole thing just falls apart.

I understand that Linux and OSX don't offer perfect security. But it's still a hell of a lot harder to get around it than it is on Windows.

Re:Botnet

[dave562]

Exactly. My old boss was telling me about a client that he got. The guy had someone come in and setup a Linux box (Redhat I think) for him. The box got owned because the guy who set it up didn't secure it right. My boss sold the guy a Windows 2003 Server, firewall, AV and the whole deal. As far as that guy knows, Linux = unsecure, Windows = okay.

Despite the proliferation of computers these days, you still need some specialized knowledge to make them run properly. There isn't a sure fire, bullet proof by default OS out there, although OSX comes pretty damn close. I can pretty much guarantee that if OSX had 90% market share, there would be more exploits for it. People would be breaking iChat wide open, and looking for vulnerabilities in Safari. Before the flames start, I'm not saying that obscurity is the only security that OSX. It has a well designed security model. But no security model is bullet proof. There will always be some coder out there who thinks outside of the box and ponders, "I wonder what will happen if I ask the computer to execute this.."

NSA?

[bill_mcgonigle]

D. NSA must be aware of botnets, their patterns, their control channels, their zombie elements.

E. Yet botnets continue.

The NSA has neither the jurisdiction nor capability to stop domestic botnets. And they're not going to be helping the overseas folks fer nuthin'.

fdisk

[bill_mcgonigle]

what would the FBI recommend to disinfect the machines? AdAware? Windows Defender? Norton?

You can't disinfect a Windows machine with any reliability. Zero the drive, re-install, update offline, and reinstall all your apps and data. Repeat as necessary.

Also, ZoneAlarm is your friend...

...and the basic version is FREE (as in beer) too. It's pretty damned good at stopping malwares from sending network packets from your Winblows PC to the outside world.

Re:Also, ZoneAlarm is your friend...

[AnyoneEB]

Or you could use Core Force (Wikipedia article) where the full version is free as in beer and supports per application file system and registry checks as well as network connections. And also can be uninstalled if you wish unlike ZoneAlarm.

Re:Botnet

[Noga+Rosenthal]

You're blaming the wrong party here. Those who install malicious code on the computers of unsuspecting users are the problem. Of course microsoft should do everything they can to prevent such abuses, but the ultimate blame is on the abuser. - Noga Rosenthal

"The analysts have no clothes!"

[6031769]

I have discovered a fantastic, accurate way to predict future trends in information technology. The basic principle is to find a Gartner quote on the subject matter in question and then take the opposite viewpoint. You will find that you are correct on average 98.724% of the time, which in such a fast-moving industry is a pretty good score.

On the flip side, you have to (grudgingly) admire them for making a successful enterprise funded exclusively by PHBs.

The debate has moved on

[RedToad]

Having scanned through the entries in this topic, I see it has moved on from the tired old "bash Microsoft" and "extol Linux" rot. Then there are a few suggestions about how to track botnets and shut them down. The FBI 1 million infections number has been quoted as a US-centric benchmark.

A few months back a botnet herder in Europe went down for running ONE 1.5 million seated botnet. The global botnet infection numbers are therefore in the tens to hundreds of millions of infected machines. Forget about what platform they run on. Obviously the numerical majority of infections will always be on the OS that has the most prevalence. And it will never be the same percentage for higher use as lower use OS. That's because higher use attracts a much higher level of interest by the infection writers. So let's climb down off the hackneyed hobby-horses.

Now to come to the point - shutting down botnets.

Does anyone imagine for one moment that none of the millions of infected machines are sitting under the watchful eyes of law enforcement, botnet tracking operations, and university labs? Who do you think first knows (after the perpetrator) when a spam-bot turns into a DDOS bot? Who thinks that nobody is watching and tracking the CC&C IRC commands coming down to the watched bots?

Catch up with reality. The FBI is working on very specific intelligence from some very intelligent researchers.

IE says it right in the window title

[KeyboardMonkey]

Slashdot | FBI Releases Results of Operation Bot Roast - Microsoft Internet Explorer

MOD PARENT UP!

[Futurepower(R)]

Good analysis.

Re:M$

[mjwx]

I can see the M$/FBI exchange now.

FBI - wait what's this,
Microsoft - Just ignore that one,
FBI - but it keeps sending information about the users computer without the users permission,
Microsoft - It's nothing just ignore it,
FBI - wait, it seems to have a name, w.. g.. a..
Microsoft - /looks angrily at FBI,
FBI - OK, OK ignoring it, moving on.

Re:Botnet - Windows bad, Unix good

[ancientt]

Durn Winder's boxes, sucking up the tubes. I say write a really nasty doomsday type virus that wipes out their internet connectivity. Get it propagated using the bot-net's own systems and any other venue that seems convenient and take em all down so that the virus writers can aim at Unix/Linux/BSD for a while and get us toughened up too. I'm tired of Windows getting all the exercise and leaving Nix fat and lazy.

</humor>

clueless users...

[Sfing_ter]

I worked on a machine the other day that had trojan.banker on it. Nasty little bugger. Interesting thing is they had a working Norton Anti-virus using IE7 and were up to date on patches from the almighty MS. I ran 2 different rootkit programs on it but the thing still kept cropping up (it became a mission to find out what/where/how). Finaly I booted from Helix Boot CD http://www.e-fense.com/helix/ and running ClamAV discovered the Windows pagefile.sys was infected. Each time the machine rebooted anything cleaned in a non-boot sweep (ususal practice is to remove the drive and AV/Anti-Spy from a clean machine) would be reinfected, 24 AT jobs would be created to hourly check to see if it was installed, it would see if it was connected and get the software. Average people cannot deal with this; they had no clue other than the computer was slow and thought they might need a new one.... ahem.

Re:Botnet

[Azuma+Hazuki]

In all fairness, it would be harder to create a nationwide botnet if there really was a Linux monoculture. I don't believe Linux makes you invincible -- beyond the inevitable buffer overflows, etc., in programs, there's the social engineering angle, which is really the main attack vector in Windows too. There's just no patch for human stupidity.

The thing about Unix-like OSes isn't that they protect you from malicious programs so much as that they limit the damage that can be done by them without user input (though if your account has cron privileges or other means of auto-running programs and you get taken over you personally are screwed anyway). Barring a privilege-escalation exploit, the worst most things can do is turn your personal account into a radioactive wasteland, or possibly a black hole.

I see the botnet problem as one more of ignorance and social engineering than of poor programming. The latter affects what happens when a computer is compromised, but the former is what causes most infections in the first place.

Re:Botnet

[msi]

Botnets were never a problem until fast internet connections became ubiquitous. That and the fact that fast internet connections are a huge security hole, is what has allowed the botnets and spam to proliferate.

If all the internet was disconnected , the problems would disappear.

Re:Botnet

[HappySmileMan]

The bot-lovers may start targeting Mac and Linux but they may not be successful, I've seen many many reports explaining, in great technical, verifiable detail explaining why linux is in general safer in every way and harder to infect. And while I don't use a Mac I'm sure it has a lot more in common with Linux than with Windows

Without mentioning the OS

[Zoxed]

Is it me, or is it strange, that both this article, and the BBC version fail to mention what operating system these botnets are running on. I have my suspicions they all run on OS from the same company :-)

Re:Botnet

[GWBasic]

The thing about Unix-like OSes isn't that they protect you from malicious programs so much as that they limit the damage that can be done by them without user input (though if your account has cron privileges or other means of auto-running programs and you get taken over you personally are screwed anyway). Barring a privilege-escalation exploit, the worst most things can do is turn your personal account into a radioactive wasteland, or possibly a black hole.

Many users are commenting that there are botnets that require user intervention to actually infect the machine. For example, the user will be sent a password-protected zip file with instructions to enter the password.

If *nix were the dominant OS, you'd see botnet emails that say things like, "Enter your root password". Granted, there would be less drive-by-downloads; but *nix isn't going to magically protect people from social engineering.