Top Botnets Control Some 1 Million Hijacked Computers

Puskas writes "Joe Stewart is the director of malware research at SecureWorks, and presented a dire view of the current botnet landscape at the RSA conference this week. He conducted a survey of the top spamming 'nets, extrapolating their size from the volume of emails that flow across the internet. By his calculations, the top 11 networks control just over a million machines, hitting inboxes with some 100 billion messages a day. 'The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names "Cbeplay" and "Exchanger" — has an estimated 315,000 bots and can blast out 60 billion messages a day. While it may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.'"

Let's see some truthful tagging

[toby]

Start with "microsoft" and "windows" as the technologies which bring you the largest, most profitable botnets!

Re:Let's see some truthful tagging

[Jeremiah+Cornelius]

Here I go again. Every time I point out real shortcomings of an Apple product, I get modded to oblivion - "There are none so blind as those who will not see." Posted from my MacBook, BTW.

'Tis no mere canard or straw man. Simple economies of scale keep the Macs out of the botnets - not Cupertino prowess.

Microsoft is Swiss Cheese, that's wrapped in foil.

Apple is Swiss Cheese labeled as "Ementhaler" - believing that the luxury branding will ward off serious scrutiny, but leaving those holes exposed.

Lo! http://www.news.com/8301-13579_3-9905095-37.html

It's like this every year. Apple leaves vulnerabilities wide enough to drive a truck through, and I've lost count of the number of these things given away as prizes to the cracking teams.

Apple patch the OS like Microsoft used to, before Slammer. The ususal culprits? QuickTime and Safari.

The guys who cracked the MacBook Air need only have coupled this with the DNS flaw in AT&T customer TwoWire routers, and a very bad situation would exist in the wild. Not trivial - but not too difficult. The hard part was finding the flaw - now it's an exercise for the Kid33z. If there were an economically feasible number of Macs to do this, you can bet it would be crime syndicates and not kids - and you'd have a happy, Apple botnet.

Re:How do I tell...?

[Volante3192]

Put a good firewall in front of it and watch the packets go in and out. Any rogue port 25 traffic would be a big clue.

Re:How do I tell...?

[maxume]

Short of a firewall, you can use something like TCPView to look for unexplained network activity:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

A rootkit can hide its activity, so this isn't as good as a firewall, but it is easier, and you'll at least be able to figure out if you have a non-rootkit infection.

Re:How do I tell...?

[Technician]

I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

As a smart software developer, you know not to trust a box that may be untrustworthy. You packets leave the untrusted box and must pass elsewhere where they can be monitored. Do you monitor your router traffic? That's number 1. Windows Updates may cause unexpected traffic, but the addresses will let you know if it's outgoing spam or request for updates from Microsoft.

For example my recent URL's from my router log show the following..
192.168.1.81 168.143.175.215 www
192.168.1.81 74.125.47.164 www Google
192.168.1.81 210.50.7.243 www Doubleclick --- I'm going to have to add this to my hosts file..
192.168.1.81 8.14.216.9 www
192.168.1.81 74.125.47.164 www Google
192.168.1.81 203.34.47.165 www IDG publications
192.168.1.81 210.50.7.243 www Doubleclick
192.168.1.81 210.247.196.12 www www.facilitatedigital.com/
192.168.1.81 217.20.16.80 www
192.168.1.81 209.27.52.115 www Doubleclick
192.168.1.81 66.35.250.151 www Slashdot
192.168.1.81 209.62.176.153 www Doubleclick
192.168.1.81 74.125.47.164 www Google
192.168.1.81 74.125.47.103 www Google

It's all WWW traffic and no unexpected port 25 traffic. A simple Linksys router can give you this information. Take the addresses given and plug them in to the URL bar in your browser to see if there is any unexpected traffic. Don't trust a possibly owned machine. Go upstream and look at the traffic. Most routers will log some incomming and outgoing traffic. Check it once in a while. You machine might be clean, but the kids may have problems. The kids are at school so all recent traffic is mine. If my wife's desktop was spewing traffic, I would see the traffic from another machine's IP address.

And yes, that is my real IP address for today. I'm glad media sentry isn't in the list. ;-)

Re:How do I tell...?

[Beardo+the+Bearded]

Linux boxes are the sergeants in the Botnet army.

If you think you're immune just because you're running Linux, then you're part of the problem.

You're just as bad as someone with an unpatched HP-branded WinXP system fresh from Office Depot.

Re:Block outgoing TCP port 25 at ISP border router

[Jeremiah+Cornelius]

Bull.

I have a legitimate right to send SMTP from my machine - and I do so. I also run an SMTP server at home - have since 1993, when I got off of uucp.

I have never been an open relay, and access is passwd. I already have assholes at AT&T blacklisting me for no reason - and suffering their ridiculous petition process to get off their RBL.

This is the Internet. A collection of networks. ISPs are not cops, nor should they be. When you mandate this on common carriers, they become something else - and any slim protections we still have remaining will be long gone.