Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zombie Network Explosion

Posted by CmdrTaco on from the want-braaains dept.

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."

7 of 262 comments (clear)

  1. Re:How can you tell if a box is zombied? by TheThiefMaster · · Score: 4, Insightful

    If their internet activity light is flashing when they're not doing anything.

    It's surprisingly accurate.

  2. Re:Interesting. by v1 · · Score: 4, Insightful

    Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.

    We're likely to see the number decline gradually as people patch up the hole. Trends like this have a sawtooth pattern to them. Sudden jump up, and then gradual decline over time back down to where they started, and then repeats with the next new vulnerability making the rounds.

    --
    I work for the Department of Redundancy Department.
  3. Re:How can you tell if a box is zombied? by ultranova · · Score: 4, Insightful

    If their internet activity light is flashing when they're not doing anything.

    How can you know that they're not "doing anything" ? They could be downloading patches, an e-mail client could be checking for new mail, an instant messenger client could be exchanging "are you still there" packets with the server, the DHCP client could be renewing the lease, etc.

    This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  4. Re:How can you tell if a box is zombied? by v1 · · Score: 5, Insightful

    If you are only interested in actively used botnets (for DDoS and spam for example) then when you plug in the ethernet cable the router lights go mad, that's a good sign its pwned.

    You can't really look at the network usage using tools ON the machine, as rootkits are designed to hide all their activity from the system tools by modifying them. So the owned windows box may show little or no network traffic while your router is nearly catching on fire. But the lights on the switch/router don't lie.

    --
    I work for the Department of Redundancy Department.
  5. Re:Interesting. by M1rth · · Score: 5, Insightful

    Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.

    Before someone jumps on the "everyone should use Linux" bandwagon, Windows has over 90% of the market. Windows also has much more of the casual user market and much less of the enthusiast market - and the casuals don't keep a hawklike watch on their system.

    Therefore, if you want to make a big botnet, compromising Windows is the way to go.

    Someone found a new vulnerability, but didn't publicize it. Or they're exploiting the same old vulnerabilities (PICNIC, blank admin passwords, etc) and just stepped up their efforts again.

    If your machine's admin password is blank and you're not behind a NAT, you are completely exposed. All the botnet guys have to do is get into the system through XP Pro's originally configured default drive shares and replace one commonly used file (say, a favorite new video game) with their payload. The user reinstalls the game figuring it got corrupted and it wipes out how they originally got in - but they're already in the system with a rootkit installed from the time the user tried to run your game, and it's a bot.

    The unfortunate reality is that the largest vulnerability is, and will be, the human element. They want their login to be "easy" - so anyone who gets physical access to the machine gets root access with no password credentials, or they use a trivially-cracked password. They want to "simplify" their security arrangements. They trust an email sent by their friends (or sometimes even spoofed to look like it came from themselves) or "system administrator at your domain."

    End result? More vulnerabilities.

    Unfortunately, the "solution" involves either telling a lot of crybabies "no, you can't have it this way" or else changing human nature. And it's not in human nature to stand up to the crybabies (actually, an actual corporation never would - it's "bad customer relations.")

    --
    If you can read this sig, congratulations, you have your glasses on!
  6. Re:Interesting. by TheRaven64 · · Score: 4, Insightful

    In theory, it's a good idea. In practice, what happens when there's a code orange worm, one which patches the old vulnerability and then creates a new one? What happens if you're DoS'd by a load of Code Green worms all looking for machines to disinfect?

    --
    I am TheRaven on Soylent News
  7. Re:Vigilante developers by Joe+U · · Score: 4, Insightful

    I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.

    As a network admin, I would love to see someone write code to destroy the boot sector of an infected machine and then run a shutdown. (No data is lost, but the system is offline)

    As a system admin, I would hate to see code out there that does damage to any process on the system, infected or not.

    As a developer, I won't go anywhere near that type of software.

    As an end user, I want better antivirus with better alerting that doesn't require a full core of my processor to run.