Slashdot Mirror


Zombie Network Explosion

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30-day entropy is factored into equations) or from 20,000 to 60,000 (for five-day entropy)."

20 of 262 comments

  1. Interesting. by scott_karana · Score: 4, Interesting

    Interesting. Far more interesting to me, however, is speculating on how botnets quadrupled in the past three months.

    1. Re:Interesting. by Amouth · Score: 2, Interesting

      yea i know it is almost a taboo thing.. everyone thinks about doing it .. but no one does.. but in reality.. if they can monitor these bot nets and the command and control servers.. why not hijack the command and control servers to distribute the patches to the bots it controls.. use their own power to take them out.

      while the idea of spreading them in the wild seems bad because of the load on neutral or non-affected hosts.. if they used the botnet to patch the botnet.. then that should eliminate the issue with the neutral hosts.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    2. Re:Interesting. by Captain Spam · Score: 3, Interesting

      yea i know it is almost a taboo thing.. everyone thinks about doing it .. but no one does.. but in reality.. if they can monitor these bot nets and the command and control servers.. why not hijack the command and control servers to distribute the patches to the bots it controls.. use their own power to take them out.

      A fair idea, but it's not that simple... modern botnets use encryption... the controller and bots share an encryption key... without proper encryption, the bot will ignore all orders because they know they didn't come from the original controller...

      So all the controller would need to do... is patch the problem that got them in the system in the first place... that'll stop others from exploiting it to put new instructions in... then, by encrypting all their commands... they ensure... insofar as they can do so without new vulnerabilities... that they will be the only ones ordering their own bots around...

      I think something similar to this has been tried before, but it didn't work out right. Maybe not on the botnet level, but effectively an anti-virus virus (or anti-worm worm, or any combination of the two) that caused more problems than it solved, partly due to hefty bandwidth use, but also due to flaws in the anti-virus virus program that didn't clean itself up properly, so it just kept looking around for the virus. It'd be a bit too big a risk.

      --
      Demanding constant attention will only lead to attention.
    3. Re:Interesting. by somersault · Score: 2, Interesting

      It did fix the problem, but also generated massive amounts of traffic and made systems unstable.

      That's pretty much what all the spam and viruseseseses are doing already though. I'd be happy for a few days of slow 'net access every 6 months if it meant everyone was all patched up after that week. Would make it much more difficult for the spammers to get anything done, and most of them would hopefully give up anyway.

      Reactive solutions are still not as good as actively educating computer users though. Before people are allowed to use guns and cars they generally have to get a license - well, computers can be just as damaging to people as a physical accident, if they end up being used as part of a scheme to steal someone's identity. We need more training on basics like phishing, not running random code that someone sends you, etc. Basically just making people less gullible.

      --
      which is totally what she said
  2. How can you tell if a box is zombied? by oldspewey · Score: 5, Interesting

    Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
    1. Re:How can you tell if a box is zombied? by Anonymous Coward · Score: 1, Interesting

      Of course, that is the very important question, and if there were an easy answer, botnets would not be such a problem.
      Here is what I would do:
      Get a cheap, used, good old HUB (not a switch) and connect a known clean (Linux?) PC together with the suspicious one. Then start some sniffer on the clean PC, like Wireshark.

    2. Re:How can you tell if a box is zombied? by houghi · Score: 3, Interesting

      So they must look at the back of their machine that is under the table and then be able to understand the difference between a light that is on and one that goes crazy. The people who are infected will most likely not be able to do that.

      The people who are infected will have a hard time understanding the difference between a monitor and a computer and will find doing anything that is not taught in a specific way and order difficult and scary.

      OK, this might not be the average user, but I think it is the average user who will be infected.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:How can you tell if a box is zombied? by hesaigo999ca · Score: 2, Interesting

      Actually, being able to turn off my modem by putting it on standby, and using ZoneAlarm to monitor outgoing traffic requests, lets me see what sort of traffic I have; if I am owned, then it will not be communicating. I usually do a full reinstall from my backup CDs every 3 months, so that in the event I did get owned, I will be only for a short time. At the 3 month interval I also change all the passwords to my accounts. So if someone did have access, they are cut off.

      Now however, I do use VMware, and am always wary of VMware rootkits, but don't know enough yet about them to mount a good offensive series of actions against them.

    4. Re:How can you tell if a box is zombied? by HAKdragon · Score: 2, Interesting

      You can also add a number to the end of the netstat command to tell netstat how often to update (in seconds). So "netstat -a 60" will update the stats every minute.

      --
      "Our opponent is an alien starship packed with atomic bombs. We have a protractor."
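      The two suggestions in this thread (sniff from a clean box on a hub, or poll netstat on a timer) both come down to the same check: watch the machine's outbound connections over time and look for an endpoint that is always there, especially on a port a home PC has no business talking to. The script below is an added example and is not code from any commenter; it assumes Windows-style "netstat -an" output (Proto, Local Address, Foreign Address, State) and the snapshots it reads are constructed sample data, not a real capture.

```python
"""Rank remote endpoints by persistence across repeated netstat snapshots.

Added example, not from the thread. Input format assumed: Windows
"netstat -an" rows. The SNAPSHOTS below are constructed sample data, as
if taken one minute apart with "netstat -an 60".
"""
import math
import re
from collections import Counter

# One row of "netstat -an": Proto, Local Address, Foreign Address, [State]
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Ports that 2000s-era botnets commonly used for IRC command and control.
IRC_PORTS = {6666, 6667, 6697}

# Constructed snapshots: 203.0.113.7:6667 stays up the whole time.
SNAPSHOTS = [
    """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1034      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1035      198.51.100.10:80       ESTABLISHED
  TCP    192.168.1.20:1036      192.0.2.9:443          TIME_WAIT
  UDP    192.168.1.20:137       *:*""",
    """  TCP    192.168.1.20:1034      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1035      198.51.100.10:80       ESTABLISHED
  TCP    192.168.1.20:1040      192.0.2.44:443         ESTABLISHED""",
    """  TCP    192.168.1.20:1034      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1041      192.0.2.9:443          ESTABLISHED""",
    """  TCP    192.168.1.20:1034      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1035      198.51.100.10:80       ESTABLISHED""",
]


def parse_netstat(text):
    """Return (proto, local, remote_host, remote_port, state) per socket row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # headers such as "Active Connections" or the column row
        proto, local, foreign, state = m.groups()
        host, _, port = foreign.rpartition(":")
        if not port.isdigit():
            continue  # "*:*" wildcard on UDP sockets
        rows.append((proto, local, host, int(port), state or ""))
    return rows


def established_remotes(text):
    """Set of 'host:port' endpoints with an ESTABLISHED TCP connection."""
    return {f"{host}:{port}" for proto, _, host, port, state in parse_netstat(text)
            if proto == "TCP" and state == "ESTABLISHED"}


def flag_persistent(snapshots, min_fraction=0.75):
    """Return (remote, snapshots_seen, reasons) for endpoints worth a look.

    An endpoint is flagged when it is established in at least min_fraction
    of the snapshots (and in at least two of them), or when its port is a
    classic IRC command-and-control port regardless of persistence.
    """
    seen = Counter()
    for snap in snapshots:
        seen.update(established_remotes(snap))
    threshold = max(2, math.ceil(min_fraction * len(snapshots)))
    findings = []
    for remote, count in seen.most_common():
        reasons = []
        if count >= threshold:
            reasons.append(f"established in {count} of {len(snapshots)} snapshots")
        port = int(remote.rpartition(":")[2])
        if port in IRC_PORTS:
            reasons.append(f"port {port} is a common IRC command-and-control port")
        if reasons:
            findings.append((remote, count, reasons))
    return findings


if __name__ == "__main__":
    for remote, count, reasons in flag_persistent(SNAPSHOTS):
        print(f"{remote:24s} seen {count}x: {'; '.join(reasons)}")
```

      On the sample data the IRC endpoint is flagged on both counts, and the port-80 endpoint is flagged for persistence alone; a connection that stays established for an hour can just as well be a long download, so the persistence hit is a reason to look closer (which process owns the socket, what the traffic looks like on the hub), not a verdict.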
    5. Re:How can you tell if a box is zombied? by Creepy · Score: 3, Interesting

      In fact, I am working on just such a case. By dormant, I mean the initial infection was removed, but the virus added some changes to IE so searches almost exclusively go to infected websites and exploit a Java bug to reinfect the machine.

      The PC in question was my wife's, and she had followed a link to an unknown sender's e-card (which happened to arrive on her birthday) and it exploited her gullibility and a Java bug to install the trojan XP Antivirus '08. I managed to eradicate that virus, but it made a change to IE that I missed initially that takes searches to infected websites and exploits the Java bug again to reinfect the machine (mainly with other viruses - Virtumonde has been the latest - both of these are Russian Federation originating). Antivirus software doesn't catch the infections because they happen in resident memory, but the software does find them after they've written files.

      The problem is, she needs to have her Java patched to remove the Java back door, but the virus seems to have tampered with Java and it will not patch. I'm going to try a manual uninstall and reinstall tonight. I also likely need to reinstall IE (will try a registry fix first using my XP box as a reference), but MS has made that impossible by design, so I'll probably need to reinstall the entire OS.

  3. This makes me sad actually... by O('_')O_Bush · Score: 3, Interesting

    because it could mean that people who are vulnerable to these types of attacks are on the rise. You would have thought that after all this time and the numerous virus-by-email crises, people would have learned better.

    --
    while(1) attack(People.Sandy);
  4. I wonder if it had to do with... by arhhook · Score: 2, Interesting

    Vista's Security Rendered Completely Useless leading more machines (with Vista) open to drive by downloads, etc, becoming zombies?

  5. Vigilante developers by kaunio · Score: 4, Interesting

    I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disables or displays information about the serious state the infected machine is in.

    Of course, I see the problems with doing so (hasn't there been an article about this topic earlier?), but still, there are a lot of infected machines that have been so for ages and are not likely to vanish. Bandwidth and CPU cycles can definitely be spent on better things than spam.

    1. Re:Vigilante developers by Neoprofin · Score: 3, Interesting

      The problem is someone with the drive to do so would come to Slashdot and be told, in hundreds of angry posts, that he has no right to do that and he's just as bad as the zombie botnet overlords. Of course he should have just done it, prayed for the best, and hoped that history would look kindly upon what's been done.

  6. Riddle me this... by davmoo · Score: 5, Interesting

    So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?

    If Comcast and ilk such as that were really interested in conserving network bandwidth, they'd be cutting off zombies instead of putting on bandwidth caps.

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
    1. Re:Riddle me this... by SaDan · Score: 2, Interesting

      ISPs can, and it was something I used to do as an "added feature" at the wireless ISP I used to work for.

      It can be construed as an invasion of privacy, and I was yelled at plenty by some of my former customers. While a pain to administer, it had an incredible impact on our network's performance, and a decrease in customer complaints for individual towers being slow, etc.

      The same technology Comcast uses (used?) to throttle Bittorrent users most likely could kill off zombies and DoS attacks. It's a shame they don't apply their resources appropriately.

    2. Re:Riddle me this... by Missing_dc · Score: 3, Interesting

      The cost of monitoring, administering, taking action and fielding the incoming support calls from irate customers who have had their service suspended is probably more than simply capping bandwidth and charging for overruns.

      You are on to something, but take it up a notch...

      The bots are a potential revenue source. The zombie traffic could push normal users over the caps resulting in extra usage fees. How long till an ISP exploits this intentionally (hijack or buy a botnet and make them send files back and forth)?

      --
      How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
  7. I don't doubt it by Controlio · Score: 4, Interesting

    I don't doubt it at all. My computer, which is usually the epitome of clean, caught a worm the other day. It was automatically downloaded and executed (no clicks or dialogs) from one of the top 10 mainstream news websites, no less. Most likely one of the injection attacks. Had to really dig into it to find out that it somehow got downloaded by prefetch in Firefox (which has been promptly disabled now).

    The ironic part... with all of the precautions I take, it wasn't detected at the router level nor the virus scan level. Windows firewall caught it before it could download its payload. As I manually removed it and restored from yesterday's registry copy, I had to chuckle a little.

    But now that I've seen first-hand an unrequested .exe not only downloaded into ./system32 but executed - both without user approval or so much as a dialog box - I can only imagine how many zombies have popped up in the last few weeks.

  8. Botnet Entropy? by Flayer_of_Minds · Score: 2, Interesting

    Sorry for being an uninformed moron, but what exactly is the definition of the "entropy of botnet infections"? Their infection rate? Their "healing" rate?

    --
    By will alone I set my mind in motion. - Mentat prayer
  9. Give up - The performance hit is inevitable by Cassini2 · Score: 4, Interesting

    Speaking as someone that regularly works on number processing and real-time applications, I've given up on Windows machines. I just assume every Windows box is running ample code that is outside my control, and that code will make the machine much slower for any mathematically intensive computations, especially if they involve disk access or network access. All of the anti-virus code designed to stop viruses and bot-nets is killing Windows as a platform.

    One way or another, you pay your speed and uptime penalty. You either pay in downtime caused by the "bad" guys writing bot-nets, malware or viruses, or you pay in slow speed caused by the "good" guys like Microsoft, Symantec, and McAfee, who are trying to stop the bot-nets, malware and viruses. The modern "good" vs. "bad" arms race is resulting in anti-virus software that is so slow that it is strangling the Windows platform with endless code bloat. If you want to prove this to yourself, get an older PC with a fresh Windows installation. Start installing software on it, one package at a time. As the newer service packs are applied, the anti-virus software installed, and the software packages installed, the PC will actually slow down!

    Building better anti-virus software for Windows is self-defeating. It slows the computer down to the point that Windows is useless.

    Run Linux. Take control of your own computer.