Zombie Network Explosion
anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."
Can only mean one of two things:
the machines are starting to take over
people aren't getting any more intelligent with PCs than they are savvy. Job security!
Good people go to bed earlier.
If their internet activity light is flashing when they're not doing anything.
It's surprisingly accurate.
Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.
We're likely to see the number decline gradually as people patch up the hole. Trends like this have a sawtooth pattern to them. Sudden jump up, and then gradual decline over time back down to where they started, and then repeats with the next new vulnerability making the rounds.
I work for the Department of Redundancy Department.
How can you know that they're not "doing anything" ? They could be downloading patches, an e-mail client could be checking for new mail, an instant messenger client could be exchanging "are you still there" packets with the server, the DHCP client could be renewing the lease, etc.
This is in the same category as "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
With botnets, you can get a pretty good idea by comparing external network logs to user-initiated communication. If they're not talking to their C&C, they're not doing much.
If you are only interested in actively used botnets (for DDoS and spam, for example), then when you plug in the Ethernet cable and the router lights go mad, that's a good sign it's pwned.
You can't really look at the network usage using tools ON the machine, as rootkits are designed to hide all their activity from the system tools by modifying them. So the owned windows box may show little or no network traffic while your router is nearly catching on fire. But the lights on the switch/router don't lie.
I work for the Department of Redundancy Department.
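The router-side check described in the posts above, written out as an added example (this is not code from the thread, from Shadowserver, or from any product mentioned): it takes flow records as a router or firewall would export them, ignores everything the host itself reports, and flags internal machines that open connections to one external address at a machine-regular interval. The earlier objection that mail checks, IM keepalives and DHCP renewals are also periodic is handled with an allowlist of known background destinations; the flow log, the addresses and the allowlist entries are all constructed placeholders.

```python
"""Beacon detection over router/firewall flow logs (added example).

Only traffic the router saw leaving the LAN is used; a rootkitted host's
own netstat/task list is assumed to be lying.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log: timestamp, internal source, external
# destination, destination port, bytes. 10.0.0.7 contacts 203.0.113.5:6667
# roughly every 60 s (a C&C beacon) and also polls a mail server every
# 5 min; 10.0.0.12 shows bursty, user-driven web traffic.
FLOW_LOG = """\
# ts                  src        dst            dport bytes
2008-06-01T02:00:00 10.0.0.7   203.0.113.5    6667  312
2008-06-01T02:00:05 10.0.0.12  198.51.100.20  80    5120
2008-06-01T02:00:08 10.0.0.12  198.51.100.20  80    44021
2008-06-01T02:00:10 10.0.0.7   192.0.2.25     110   640
2008-06-01T02:00:50 10.0.0.12  198.51.100.20  80    1800
2008-06-01T02:01:01 10.0.0.7   203.0.113.5    6667  298
2008-06-01T02:02:00 10.0.0.7   203.0.113.5    6667  305
2008-06-01T02:02:30 10.0.0.12  198.51.100.20  80    9000
2008-06-01T02:02:37 10.0.0.12  198.51.100.20  80    2200
2008-06-01T02:03:02 10.0.0.7   203.0.113.5    6667  311
2008-06-01T02:04:00 10.0.0.7   203.0.113.5    6667  300
2008-06-01T02:05:01 10.0.0.7   203.0.113.5    6667  307
2008-06-01T02:05:10 10.0.0.7   192.0.2.25     110   655
2008-06-01T02:10:10 10.0.0.7   192.0.2.25     110   640
2008-06-01T02:15:10 10.0.0.7   192.0.2.25     110   638
2008-06-01T02:20:10 10.0.0.7   192.0.2.25     110   641
2008-06-01T02:21:03 10.0.0.12  203.0.113.77   443   15000
"""

# Periodic but legitimate background chatter (constructed placeholders for
# the site's real mail, update and IM servers). Without this list the mail
# poll below is indistinguishable from a beacon.
KNOWN_BACKGROUND = {
    ("192.0.2.25", 110),     # POP3 mail check
    ("192.0.2.80", 80),      # OS update check
    ("198.51.100.9", 5190),  # IM keepalive
}

MIN_CONNECTIONS = 5  # fewer flows than this cannot establish a period
MAX_CV = 0.25        # interval jitter (stdev/mean) at or below this = machine-regular


def parse_flows(text):
    """Parse the whitespace-separated flow log into tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_beacons(flows, known=KNOWN_BACKGROUND, min_conn=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return channels (src, dst, dport) whose connection intervals are too regular."""
    by_channel = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_channel[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in by_channel.items():
        if len(stamps) < min_conn or (dst, dport) in known:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # coefficient of variation of the intervals
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(stamps),
                             "period_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(FLOW_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every {hit['period_s']}s ({hit['connections']} conns, cv={hit['cv']})")
```

Running it reports only 10.0.0.7 talking to 203.0.113.5:6667 every ~60 s; the same host's mail poll is suppressed by the allowlist, and the web traffic from 10.0.0.12 fails the regularity test. Calling `find_beacons(flows, known=set())` shows why the allowlist matters: the mail poll is then flagged too, which is exactly the false positive the earlier reply warned about.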
Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.
Before someone jumps on the "everyone should use Linux" bandwagon, Windows has over 90% of the market. Windows also has much more of the casual user market and much less of the enthusiast market - and the casuals don't keep a hawklike watch on their system.
Therefore, if you want to make a big botnet, compromising Windows is the way to go.
Someone found a new vulnerability, but didn't publicize it. Or they're exploiting the same old vulnerabilities (PICNIC, blank admin passwords, etc) and just stepped up their efforts again.
If your machine's admin password is blank and you're not behind a NAT, you are completely exposed. All the botnet guys have to do is get into the system through XP Pro's originally configured default drive shares and replace one commonly used file (say, a favorite new video game) with their payload. The user reinstalls the game figuring it got corrupted and it wipes out how they originally got in - but they're already in the system with a rootkit installed from the time the user tried to run your game, and it's a bot.
The unfortunate reality is that the largest vulnerability is, and will be, the human element. They want their login to be "easy" - so anyone who gets physical access to the machine gets root access with no password credentials, or they use a trivially-cracked password. They want to "simplify" their security arrangements. They trust an email sent by their friends (or sometimes even spoofed to look like it came from themselves) or "system administrator at your domain."
End result? More vulnerabilities.
Unfortunately, the "solution" involves either telling a lot of crybabies "no, you can't have it this way" or else changing human nature. And it's not in human nature to stand up to the crybabies (actually, an actual corporation never would - it's "bad customer relations.")
If you can read this sig, congratulations, you have your glasses on!
In theory, it's a good idea. In practice, what happens when there's a code orange worm, one which patches the old vulnerability and then creates a new one? What happens if you're DoS'd by a load of Code Green worms all looking for machines to disinfect?
I am TheRaven on Soylent News
The cost of monitoring, administering, taking action and fielding the incoming support calls from irate customers who have had their service suspended is probably more than simply capping bandwidth and charging for over runs.
UNIX/Linux Consulting
I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disables or displays information about the serious state the infected machine is in.
As a network admin, I would love to see someone write code to destroy the boot sector of an infected machine and then run a shutdown. (No data is lost, but the system is offline)
As a system admin, I would hate to see code out there that does damage to any process on the system, infected or not.
As a developer, I won't go anywhere near that type of software.
As an end user, I want better antivirus with better alerting that doesn't require a full core of my processor to run.
It's a poor idea because of liability issues, and the fact that altering the data in a computer without authorization is illegal. It also provides a defense for the bad guys (e.g. they write a "patch" with a subtle flaw in it, then claim it was with the best of intentions).
What if a "benign" patch takes a server down and it was performing a critical function, and lives are lost (e.g. an ambulance routing service) - who is liable? Arguing that the server was vulnerable anyway to some other malware won't get you very far.
Further, regardless of the legalities, if an administrator discovers their machine has been changed without their knowledge, they basically have to wipe it and start again, whether the patch was well intentioned or not (how can they be sure?), so it still causes economic damage.
I am sure everyone here remembers the Code Red worm... few remember the Code Green worm (the one that spread the same way Code Red did but patched the infection and prevented further infection once it made it in).
I honestly think it would be a good idea to start doing this - to have a group write patches that spread in the same way the viruses do.
I'd never heard of Code Green, but I do recall Welchia.
And that was terrible. It did bizarre things to some people's computers, crushed LANs as it tried to spread, and as bonus made up a substantial amount of net's traffic for a while.
While it's a cool idea in theory, in practice it ends up very inelegant, very fast.
If Comcast and ilk such as that were really interested in conserving network bandwidth, they'd be cutting off zombies instead of putting on bandwidth caps.
But you see, if they cut off all the p0wned illiterate computer users' machines, they'd get flooded with calls to tech support.
That costs lots of money.
Also keep in mind that in places like India, China, Vietnam etc., the number of people using the internet for the first time is skyrocketing. While it would be nice if all these people used secure OSs, more than likely it's a pirated copy of Windows that may or may not be able to get software updates etc.
Monstar L
Why would you need a hole? All you need to do is write the executable, put it on the web, and send out an email about "greeting cards" or "photos of hot chicks." When all users run as admin by default, there's really no reason to go for anything other than a simple download. This is why companies take away admin access from their users and why XP is much, much worse than Vista, by default.