Zombie Network Explosion

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."

Re:Interesting.

[Neil+Watson]

I've seen a large increase in SPAM with virus payloads.

Re:How can you tell if a box is zombied?

[syousef]

Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

No, but you could teach them quickly even if they didn't fully understand what they are doing. Simple recipe
1. Turn off PC for half an hour
2. Start it up, and start your network connection. Do not start web browsers or other happs
3. Open up a command prompt from Start-Run
4. Type netstat -a and look for connections
5. Repeat step 4 several times over an one hour period

Now some connections may be software updating (eg. antivirus) but discounting that if you have lots of open connections or they're regularly changing, you have to assume it's probably owned.

Insane increase in SSH attacks

[h2o2]

I noticed an incredible increase in DenyHosts alerts over the last three days to the extent that I had to turn off alert emails. This picture says it all: http://stats.denyhosts.net/stats.html

Re:How can you tell if a box is zombied?

[TheRaven64]

This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.

Not really. Most operating systems allow you to monitor disk activity in software. If this is showing nothing, but the disk light is on, then there's a good chance there's a rootkit hiding certain activity. Same with network usage. If your operating system thinks there's no activity, but the network card thinks there is, something very bad is probably going on. If your OS and your network card agree that there is network traffic, then you can try identifying it. Once you shut down everything that ought to be generating traffic, then you can analyse the rest quite easily (on a big network, expect around 10KB/s of multicast DNS).

Of course, this doesn't help if it's an application that's been trojaned. You probably wouldn't notice if your IM client, for example, has been infected and patched to initiate secondary connections. You can try using something like netstat (no idea what the Windows equivalent is) and find every remote host each application is connecting to, and check them against what you expect (if your IM client is connecting anywhere other than your IM server in the background it's probably malware or skype, but I repeat myself).

Uh, no

[phorm]

Because plenty of windows core services still send traffic even if there's not an obvious "app" in charge of them (there are a bunch of normal system processes that tend to run services underneath them, some of which involve networking).

And that doesn't count traffic on your network as well. Even if your computer isn't sending anything out, it may be responding to other traffic on the network depending on how things are configured, even if it's just to say "this is not the machine you're looking for."

Microsoft Windows Zombie Network Explosion

[rs232]

correct headline ..

Re:How can you tell if a box is zombied?

[Spatial]

netstat (no idea what the Windows equivalent is)

It's the same. You can even use "netstat -b" to see which processes are using which connections, which can be quite handy.