Top Botnets Control Some 1 Million Hijacked Computers

Puskas writes "Joe Stewart is the director of malware research at SecureWorks, and presented a dire view of the current botnet landscape at the RSA conference this week. He conducted a survey of the top spamming 'nets, extrapolating their size from the volume of emails that flow across the internet. By his calculations, the top 11 networks control just over a million machines, hitting inboxes with some 100 billion messages a day. 'The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names "Cbeplay" and "Exchanger" — has an estimated 315,000 bots and can blast out 60 billion messages a day. While it may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.'"

How do I tell...?

[AdamTrace]

I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

I don't necessarily trust that a clean-virus scan means a whole lot.

What's the best way to make this determination?

Re:How do I tell...?

[Volante3192]

Put a good firewall in front of it and watch the packets go in and out. Any rogue port 25 traffic would be a big clue.

Re:How do I tell...?

[spun]

You know what destroys infection? FIRE! Good old cleansing fire. Simply stuff your computer full of old newspapers, douse it with gasoline, and light it on fire, and I guarantee that it will be free from infection.

If this either seems to drastic or fails to do the trick, just squirt a syringe full of penicillin directly into the power supply while the computer is running, that should help.

Re:How do I tell...?

[Beardo+the+Bearded]

You can't.

Not even Linux boxes are safe from hacking.

An anti-virus scan is totally worthless. In fact, most systems slow your machine down so badly that they're worse than useless. Norton slows your machine down by thousands of percent!

Let's be honest here. In my lifetime, I've spent less than $100 (one hundred dollars) on my security systems. That gives me a D-Link firewall, Avast!, and Spybot. The hackers have access to the same materials. If they want to write a program that gets around my meager defences, then they can. I live only by my obscurity, enhanced by my slight tweaks to my firewall. (Dropping pings, blocking port 113, etc.) As far as a passive scan goes, I don't exist. I simply wouldn't survive a concentrated attack.

That's probably okay, though - it's like when I lock up my bike. I have a kryptonite U-lock that I put through both wheels and the frame. I also take the seat with me and remove all the shiny bits. (It also has a VHF transmitter, but that's another story.) It would take someone with a plasma torch two or three seconds to cut the bike rack and put my bike into a truck. However, that's not worth your average meth-headed bike thief's time. It's easier for him to take another bike that's not as secure. If a dedicated professional wants my bike, then he's going to get it.

The major problem with Windows is that when you take your machine home and plug it in, it can be easily compromised. The same is true with a lot of commercial-grade routers with firewalls. The default settings leave a lot to be desired. Your firewall still sort of works, but you're not getting the same level of protection that you'd get by changing some settings. Just two days ago, we had an article about the 2-wire security holes, showing that a large percentage of IDSN home users in North America are wholly unprotected against external attacks.

So why do we have what we have? It's simple. We have a lot of programs written by people who simply do not understand security issues. Windows, for example, is perfectly stable until you start to put 3rd-party software on it. Then it starts to crash because the memory is being used in two or more different ways. Take a look at some of the snippets on thedailywtf to see what sort of quality work you end up with when you have people who "can program" and can't understand basic math (if you work unpaid overtime, that's you.) writing important code for important systems.

What's required to fix it is a wholesale change in CPU architecture along with mandatory licencing and regulation for anyone who wants to program anything in any language and sell it. (If you put up a dividing wall in your house, you can get the supplies at Home Depot and DIY. If you want to sell a wall-building service to the public, you have to be licenced.)

Only once we take programming as seriously as we take bridge construction and land surveying will we start to see safer computing.

Re:How do I tell...?

[vimh42]

You had a great post up until the end.

"What's required to fix it is a wholesale change in CPU architecture along with mandatory licencing and regulation for anyone who wants to program anything in any language and sell it. (If you put up a dividing wall in your house, you can get the supplies at Home Depot and DIY. If you want to sell a wall-building service to the public, you have to be licenced.)

Only once we take programming as seriously as we take bridge construction and land surveying will we start to see safer computing."

Such suggestions are worse than the problem. Suggesting that people should need a licence to program and comparing it to bridge builders and surveyors is like suggesting people should have to get a licence to walk, just like they need a licence to drive a car.

Why don't the ISPs do something?

[pembo13]

They obviously don't have a problem with tracking down and monitoring people. And they apperantly have bandwidth issue. Why don't they basically mail merge to SELECT * FROM `customers` WHERE `customers`.isinfected? Simple, cheap snail mail... nothing fancy.

My wife's notebook is one of them

[should_be_linear]

God knows I installed on that notebook each and every Anti-Spyware, Antivirus, Anti-everything in order to get rid of it. I traveled each and every "advisory" site with my HijackThis logs, removed numerous keys from registry. Still, every now and then goddamn popup window with site "pc-on-internet.com" appears. I spent altogether perhaps 3 working days trying to remove stupid thing, there is lot of data and SW installed so I am trying to avoid re-installation. Now I am in sitting-in-the-corner-and-crying phase.

Hmmm....

[Otter]

Stewart and others at SecureWorks believe Damballa has simply rebranded the older Bobax, which has several other nicknames besides Kraken, including "Bobic," "Oderoor," "Cotmonger" and Hacktool.Spammer."

Be that as it may, "Kraken" is a superb name (as is "Damballa" itself.). "Bobic", "Oderoor" and "Bobax" sound like open-source CMSs. "Cotmonger" sounds like a word Bart Simpson would use when suddenly breaking into a unfunny Cockney accent for no reason.

I had a botnet once

[TheRealMindChild]

I had a botnet once... didn't catch very many bots, but I got a shitload of dolphins :(

Re:Take away their licenses

[Sciros]

Please fwd me some spam selling whatever it is you're smoking.

If Windows weren't so dominant an OS then botnets would operate on other systems as well (or in its place). It's a question of ROI, nothing else.

That said, it's also not a question of an "offending operating system." It's a question of uninformed (or incompetent, or both) users. If they can't be trusted to not double-click on an xxxxx.jpg.exe file in an email, they are likely to have problems with identity theft and other non-Windows-exclusive security issues. Rather than taking away Windows, these users need to receive training in basic computer security.

Using Windows is NOT a privilege, by the way. If the user paid for it, they have a right to use it.

Cutting off internet and then asking for demonstration that... they've bought a Mac? Will this be demonstrated using ninja magic? A photo via mail?

I can't tell whether you're a Windows elitist, a Mac fanboy, or just plain mental.

This is a job for goons

[Animats]

The industry is going at this all wrong. There are only a few players left, and they're all crooks. We need a consortium of companies with spam problems to hire Kroll, Blackwater, or one of the other big international security companies to deal with the people behind the problem.

If 5% of the money spent on dealing with spam went into finding the people behind it and making them go away, the problem would go away.

Re:Let's see some truthful tagging

[geminidomino]

I like to bash MS as much as the next, but the only reason Windows is the largest botnet host is because it has the largest market share. When you're creating a botnet, you're going for volume. If macs ever get significant market share they'll be targeted as well. Every time windows proves what a swiss-cheese POS it is, someone trots out this old canard.

That's the same reason NIMDA went after Apache, Slammer hit LAMPs... Oh, wait, they didn't.

Repair is not an option

[symbolset]

Once you know the PC is compromised you cannot get it back to a known good state. The best you can hope for with the various utilities is to get it workable enough to offload your data, build your recovery media and record your settings. You're actually better off removing the hdd to an external enclosure and installing fresh on a new one. You could then scan the removable device before carefully recovering the data from it. The worst possible thing you could do is eliminate the visible problems and pretend that means you have a good PC on which to do work.

What is pwned cannot be unpwned. Reinstall. Somewhere in my journal may be some helpful instructions for getting the reinstall done without becoming compromised in the process. You're not the first (or the ten thosandth) person here this has happened to.

Somebody else here will have suggested you try Linux by now, or Apple. There are no Linux or Apple botnets so they don't have this problem. The do have security vulnerabilities too, but compromising one of them is a retail, rather than a wholesale, endeavor and so less fruitful for the botmasters.

Re:Take away their licenses

[Sloppy]

That said, it's also not a question of an "offending operating system." It's a question of uninformed (or incompetent, or both) users. If they can't be trusted to not double-click on an xxxxx.jpg.exe file in an email, they are likely to have problems with identity theft and other non-Windows-exclusive security issues.

Yes, they'll have other security-related problems, so I won't dispute that users are a huge part of the problem. BUT: Windows really is a special case. Give a clueless user another OS, and they will run malware or otherwise join botnets far less often, and not because of ROI or what platforms that malware authors choose to target. Outside of Windows, most naive users do not know how to even deliberately execute an email attachment. They wouldn't just have to click on xxxx.jpg.exe; they'd have to save it and chmod +x it first, since (AFAIK) no email clients go to extra trouble to help users execute malware.

Windows and its applications have an unusual amount of "support" for running malware. (Executable-by-default is just one feature; there's also autorun, ActiveX, and fuck-knows-what-else.) These are technical (not marketshare-related) "features" of the platform, which most other OS creators have not elected to implement. Windows would be attractive to malware authors even if it had a small marketshare, because the platform is malware-friendly.

Re:Let's see some truthful tagging

[Jeremiah+Cornelius]

Here I go again. Every time I point out real shortcomings of an Apple product, I get modded to oblivion - "There are none so blind as those who will not see." Posted from my MacBook, BTW.

'Tis no mere canard or straw man. Simple economies of scale keep the Macs out of the botnets - not Cupertino prowess.

Microsoft is Swiss Cheese, that's wrapped in foil.

Apple is Swiss Cheese labeled as "Ementhaler" - believing that the luxury branding will ward off serious scrutiny, but leaving those holes exposed.

Lo! http://www.news.com/8301-13579_3-9905095-37.html

It's like this every year. Apple leaves vulnerabilities wide enough to drive a truck through, and I've lost count of the number of these things given away as prizes to the cracking teams.

Apple patch the OS like Microsoft used to, before Slammer. The ususal culprits? QuickTime and Safari.

The guys who cracked the MacBook Air need only have coupled this with the DNS flaw in AT&T customer TwoWire routers, and a very bad situation would exist in the wild. Not trivial - but not too difficult. The hard part was finding the flaw - now it's an exercise for the Kid33z. If there were an economically feasible number of Macs to do this, you can bet it would be crime syndicates and not kids - and you'd have a happy, Apple botnet.

Re:Why?

[v1]

If it costs you $500 to rent a chunk of botnet bandwidth for a few days. It blasts 1,000,000 of your spam. 25,000 of them survive all the layers of filtering (2.5%) and are viewed. 1000 of those (4%) get their link clicked on. 100 of those people (10%) actually buy the product, netting you $15 each, for a total of $1,500 in untaxable income. That's $1,000 total profit for your 30 minutes of work.

So of that 1,000,000 spam you sent, only 100 had to be actually bought for you to turn a big buck. (1-100th of 1%)

Do the math, that's why it works. Spam works due to cheap volume. Anything works if you can have cheap volume.