Slashdot Mirror


Zombie Network Explosion

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."

15 of 262 comments

  1. Re:Interesting. by Neil Watson · · Score: 4, Informative

    I've seen a large increase in SPAM with virus payloads.

  2. Re:How can you tell if a box is zombied? by syousef · · Score: 4, Informative

    > Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

    No, but you could teach them quickly even if they didn't fully understand what they are doing. Simple recipe:
    1. Turn off PC for half an hour
    2. Start it up, and start your network connection. Do not start web browsers or other apps
    3. Open up a command prompt from Start-Run
    4. Type netstat -a and look for connections
    5. Repeat step 4 several times over a one-hour period

    Now some connections may be software updating (eg. antivirus) but discounting that if you have lots of open connections or they're regularly changing, you have to assume it's probably owned.

    --
    These posts express my own personal views, not those of my employer
  3. Insane increase in SSH attacks by h2o2 · · Score: 5, Informative

    I noticed an incredible increase in DenyHosts alerts over the last three days to the extent that I had to turn off alert emails. This picture says it all: http://stats.denyhosts.net/stats.html

    1. Re:Insane increase in SSH attacks by Megaweapon · · Score: 2, Informative

      Same here, for some reason one of our servers on our subnet is a frequent attack for distributed SSH attacks, and there has been an explosion of them in the past few days for us. I've been collecting IP addresses and locking them out via firewall, but more just keep coming.

      --
      I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
  4. Re:clear sign that by shaka · · Score: 2, Informative

    > I wonder if it has more to do with bored students writing malicious code, or bored students downloading "suspicious" content.

    I'm pretty sure it isn't the latter, these botnets are not the work of "bored students", they are controlled by organized crime and their ilk.

    --
    :wq!
  5. Re:Easy by stjobe · · Score: 2, Informative

    Cue. Cue the jokes.

    --
    "Total destruction the only solution" - Bob Marley
  6. Re:How can you tell if a box is zombied? by TheRaven64 · · Score: 4, Informative

    > This is in the same category as "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.

    Not really. Most operating systems allow you to monitor disk activity in software. If this is showing nothing, but the disk light is on, then there's a good chance there's a rootkit hiding certain activity. Same with network usage. If your operating system thinks there's no activity, but the network card thinks there is, something very bad is probably going on. If your OS and your network card agree that there is network traffic, then you can try identifying it. Once you shut down everything that ought to be generating traffic, then you can analyse the rest quite easily (on a big network, expect around 10KB/s of multicast DNS).

    Of course, this doesn't help if it's an application that's been trojaned. You probably wouldn't notice if your IM client, for example, has been infected and patched to initiate secondary connections. You can try using something like netstat (no idea what the Windows equivalent is) and find every remote host each application is connecting to, and check them against what you expect (if your IM client is connecting anywhere other than your IM server in the background it's probably malware or skype, but I repeat myself).

    --
    I am TheRaven on Soylent News
  7. Uh, no by phorm · · Score: 4, Informative

    Because plenty of windows core services still send traffic even if there's not an obvious "app" in charge of them (there are a bunch of normal system processes that tend to run services underneath them, some of which involve networking).

    And that doesn't count traffic on your network as well. Even if your computer isn't sending anything out, it may be responding to other traffic on the network depending on how things are configured, even if it's just to say "this is not the machine you're looking for."

  8. Re:Interesting. by bazonic · · Score: 2, Informative

    > Probably safe to assume a new hole was found in something windows-ish and is making the rounds...

    Yep. It's called "users." If I had a dollar for every time a relative or friend downloaded free animated smileys or a free game that completely compromised their system, I'd be able to, well, buy an iPod Shuffle. "Why is my system running so slow?" And that's just the stuff they invited into their machines.

  9. Microsoft Windows Zombie Network Explosion by rs232 · · Score: 3, Informative

    correct headline ..

    --
    davecb5620@gmail.com
  10. Re:How can you tell if a box is zombied? by Spatial · · Score: 4, Informative

    > netstat (no idea what the Windows equivalent is)

    It's the same. You can even use "netstat -b" to see which processes are using which connections, which can be quite handy.
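    One way to automate the repeated-netstat recipe from comment 2 together with the `netstat -b` process mapping mentioned here, as an added example that is not part of the thread: it parses constructed Windows `netstat -b` style snapshots (the process names and addresses are made up), drops the peers the user already expects (the "software updating" case), and flags processes whose remote peers keep changing between snapshots. Assumes Python 3.8+.

```python
import re
from collections import defaultdict
# Constructed netstat -b style snapshots (not real captures). Windows prints the
# owning process in brackets on the line after each connection.
SNAPSHOTS = [
    "  TCP  192.168.1.5:49701  203.0.113.10:443   ESTABLISHED\n [avupdate.exe]\n"
    "  TCP  192.168.1.5:49702  203.0.113.50:993   ESTABLISHED\n [outlook.exe]\n"
    "  TCP  192.168.1.5:49703  198.51.100.7:6667  ESTABLISHED\n [svchost.exe]\n",
    "  TCP  192.168.1.5:49701  203.0.113.10:443   ESTABLISHED\n [avupdate.exe]\n"
    "  TCP  192.168.1.5:49702  203.0.113.50:993   ESTABLISHED\n [outlook.exe]\n"
    "  TCP  192.168.1.5:49704  198.51.100.8:6667  ESTABLISHED\n [svchost.exe]\n"
    "  TCP  192.168.1.5:49705  198.51.100.9:6667  SYN_SENT\n [svchost.exe]\n",
    "  TCP  192.168.1.5:49702  203.0.113.50:993   ESTABLISHED\n [outlook.exe]\n"
    "  TCP  0.0.0.0:135        0.0.0.0:0          LISTENING\n [svchost.exe]\n"
    "  TCP  192.168.1.5:49706  198.51.100.21:6667 ESTABLISHED\n [svchost.exe]\n"
    "  TCP  192.168.1.5:49707  198.51.100.22:25   ESTABLISHED\n [svchost.exe]\n",
]
# Remote endpoints the user already expects (hypothetical antivirus updater).
EXPECTED = {"avupdate.exe": {"203.0.113.10:443"}}
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)")
PROC = re.compile(r"^\s*\[(.+?)\]")

def parse_snapshot(text):
    # Map each process to the remote peers it holds in this snapshot, skipping
    # listening sockets and wildcard/loopback peers.
    peers, pending = defaultdict(set), []
    for line in text.splitlines():
        if m := CONN.match(line):
            remote, state = m.group(3), m.group(4)
            if state != "LISTENING" and not remote.startswith(("0.0.0.0", "127.", "[::", "*")):
                pending.append(remote)
        elif p := PROC.match(line):
            peers[p.group(1)].update(pending)
            pending = []
    return dict(peers)

def churn_report(snapshots, expected=EXPECTED):
    # Per process: distinct unexpected peers over all snapshots, and how many were
    # seen in only one snapshot (a mail client keeps one peer; a bot rotates many).
    seen = defaultdict(lambda: defaultdict(int))
    for snap in snapshots:
        for proc, remotes in parse_snapshot(snap).items():
            for r in remotes - expected.get(proc, set()):
                seen[proc][r] += 1
    return {p: {"distinct": len(c), "transient": sum(n == 1 for n in c.values())}
            for p, c in seen.items()}

def flagged(report, min_transient=3):
    # Processes whose count of short-lived peers crosses the threshold.
    return sorted(p for p, s in report.items() if s["transient"] >= min_transient)
```

On a real machine the snapshots would come from running `netstat -b` (which needs an elevated prompt) at intervals and feeding each output to `parse_snapshot`; a rootkit hiding sockets from netstat, as maxume notes below, will still defeat this.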

  11. Re:Riddle me this... by SaDan · · Score: 2, Informative

    By "technology", I was referring to the black box that sits inline with the uplink(s) to the internet.

    The system I used to maintain was such a beast, and it did everything from real-time AV scanning, SPAM scanning, and IDS/DoS functions. It could in fact be used to detect DoS attacks, and send alerts via SMS/email to us. I also used it to shape/limit Bittorrent and other P2P protocols.

    http://www.fortinet.com/ is where you can find one example of such "technology".

  12. Re:How can you tell if a box is zombied? by maxume · · Score: 2, Informative

    Watching something like Tcpview:

    http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

    or Currports:

    http://www.nirsoft.net/utils/cports.html

    may work better for a lot of users (anybody who can manage to download and extract a zip file...). A rootkit could still be hiding the traffic, but the approach you outline is better than nothing.

    --
    Nerd rage is the funniest rage.
  13. Re:Interesting. by Anonymous Coward · · Score: 1, Informative

    They tried this with Welchia. Welchia broke into computers the same way as Blaster did, then downloaded patches and removed a few viruses and rebooted. It did fix the problem, but also generated massive amounts of traffic and made systems unstable.

  14. Not quite THAT bad by Beryllium Sphere(tm) · · Score: 2, Informative

    >If your machine's admin password is blank and you're not behind a NAT, you are completely exposed.

    As of XP Service Pack 2, the built-in software firewall is on by default, and blank passwords disable network logins. Not that the security posture of the typical home machine is anything we'd consider decent, but it's not the same as running sshd with a blank root password would be.