Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zombie Network Explosion

Posted by CmdrTaco on from the want-braaains dept.

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."

12 of 262 comments (clear)

  1. Interesting. by scott_karana · · Score: 4, Interesting

    Interesting. Far more interesting to me, however, is speculating on how botnets quadrupled in the part three months.

    1. Re:Interesting. by Captain+Spam · · Score: 3, Interesting

      yea i know it is almost a taboo thing.. everyone thinks about doing it .. but no one does.. but in reality.. if they can monitor these bot nets and the command and control servers.. why not hijack the command and control servers to distribute the patchs to the bots it controls.. use their own power to take them out.

      A fair idea, but it's not that simple... modern botnets use encryption... the controller and bots share an encryption key... without proper encryption, the bot will ignore all orders because they know they didn't come from the original controller...

      So all the controller would need to do... is patch the problem that got them in the system in the first place... that'll stop others from exploiting it to put new instructions in... then, by encrypting all their commands... they ensure... insofar as they can do so without new vulnerabilities... that they will be the only ones ordering their own bots around...

      I think something similar to this has been tried before, but it didn't work out right. Maybe not on the botnet level, but effectively an anti-virus virus (or anti-worm worm, or any combination of the two) that caused more problems than it solved, partly due to hefty bandwidth use, but also due to flaws in the anti-virus virus program that didn't clean itself up properly, so it just kept looking around for the virus. It'd be a bit too big a risk.

      --
      Demanding constant attention will only lead to attention.
  2. How can you tell if a box is zombied? by oldspewey · · Score: 5, Interesting

    Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
    1. Re:How can you tell if a box is zombied? by houghi · · Score: 3, Interesting

      So they must look at the back of their machine that is under the table and then be able to understand the difference between a light that is on and one that goes crazy. The people who are infected will most likely not be able to do that.

      The people who are infected will have a hard time understanding the difference between a monitor and a computer and will find doing anything that is not taught in a specific way and order difficult and scary.

      OK, this might not be the average user, but I think it is the average user who will be infected.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:How can you tell if a box is zombied? by Creepy · · Score: 3, Interesting

      In fact, I am working on just such a case. By dormant, I mean the initial infection was removed, but the virus added some changes to IE so searches almost exclusively go to infected websites and exploit a java bug to reinfect the machine.

          The PC in question was my wife's, and she had followed a link to an unknown sender's e-card (which happened to arrive on her birthday) and it exploited her gullibility and a java bug to install the trojan XP Antivirus '08. I managed to eradicate that virus, but it made a change to IE that I missed initially that takes searches to infected websites and exploits the java bug again to reinfected the machine (mainly with other viruses - Virtumunde has been the latest - both of these are Russian Federation originating). Antivirus software doesn't catch the infections because they happen in resident memory, but the software does find them after they've written files.

      The problem is, she needs to have her java patched to remove the java back door, but the virus seems to have tampered with java and it will not patch. I'm going to try a manual uninstall and reinstall tonight. I also likely need to reinstall IE (will try a registry fix first using my XP box as a reference), but MS has made that impossible by design, so I'll probably need to reinstall the entire OS.

  3. This makes me sad actually... by O('_')O_Bush · · Score: 3, Interesting

    because it could mean that people who are vulnerable to these types of attacks are on the rise. You would have thought that after all this time and the numerous virus-by-email crises, people would have learned better.

    --
    while(1) attack(People.Sandy);
  4. Vigilante developers by kaunio · · Score: 4, Interesting

    I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.

    Of course, I see the problems with doing so (hasn't there been an article about this topic earlier?), but still, there are a lot of infected machines that have been so for ages are not likely to vanish. Bandwidth and cpu cycles can definitely be spent on better things than spam.

    1. Re:Vigilante developers by Neoprofin · · Score: 3, Interesting

      The problem is someone with the drive to do so would come to Slashdot and be told, in hundreds of angry posts, that he has no right to do that and he's just as bad as the zombie botnet overlords. Of course he should have just done it, prayed for the best, and hoped that history would look kindly upon what's been done.

  5. Riddle me this... by davmoo · · Score: 5, Interesting

    So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?

    If Comcast and ilk such as that were really interested in conserving network bandwidth, they'd be cutting off zombies instead of putting on bandwidth caps.

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
    1. Re:Riddle me this... by Missing_dc · · Score: 3, Interesting

      The cost of monitoring, administering, taking action and fielding the incoming support calls from irate customers who have had their service suspended is probably more than simply capping bandwidth and charging for over runs.

      You are on to something, but take it up a notch...

      The bots are a potential revenue source. The zombie traffic could push normal users over the caps resulting in extra usage fees. How long till an ISP exploits this intentionally (hijack or buy a botnet and make them send files back and forth)?

      --
      How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
  6. I don't doubt it by Controlio · · Score: 4, Interesting

    I don't doubt it at all. My computer, which is usually the epitome of clean, caught a worm the other day. It was automatically downloaded and executed (no clicks or dialogs) from one of the top 10 mainstream news websites, no less. Most likely one of the injection attacks. Had to really dig into it to find out that it somehow got downloaded by prefetch in Firefox (which has been promptly disabled now).

    The ironic part... with all of the precautions I take, it wasn't detected at the router level nor the virus scan level. Windows firewall caught it before it could download its payload. As I manually removed it and restored from yesterday's registry copy, I had to chuckle a little.

    But now that I've seen first-hand an unrequested .exe not only downloaded into ./system32 but executed - both without user approval or so much as a dialog box - I can only imagine how many zombies have popped up in the last few weeks.

  7. Give up - The performance hit is inevitable by Cassini2 · · Score: 4, Interesting

    Speaking as someone that regularly works on number processing and real-time applications, I've given up on Windows machines. I just assume every Windows box is running ample code that is outside my control, and that code will make the machine much slower for any mathematically intensive computations, especially if they involve disk access or network access. All of the anti-virus code designed to stop viruses and bot-nets is killing Windows as a platform.

    One way or another, you pay your speed and uptime penalty. You either pay in downtime caused by the "bad" guys writing bot-nets, malware or viruses, or you pay in slow speed caused by the "good" guys like Microsoft, Symantec, and McAfee, who are trying to stop the bot-nets, malware and viruses. The modern "good" vs. "bad" arms race is resulting in anti-virus software that is so slow that it is strangling the Windows platform with endless code bloat. If you want to prove this to yourself, get an older PC with a fresh Windows installation. Start installing software on it, one package at a time. As the newer service packs are applied, the anti-virus software installed, and the software packages installed, the PC will actually slow down!

    Building better anti-virus software for Windows is self-defeating. It slows the computer down to the point that Windows is useless.

    Run Linux. Take control of your own computer.