Zombie Network Explosion

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."

Comment removed

[account_deleted]

Comment removed based on user account deletion

Interesting.

[scott_karana]

Interesting. Far more interesting to me, however, is speculating on how botnets quadrupled in the part three months.

Re:Interesting.

[Neil+Watson]

I've seen a large increase in SPAM with virus payloads.

Re:Interesting.

[v1]

Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.

We're likely to see the number decline gradually as people patch up the hole. Trends like this have a sawtooth pattern to them. Sudden jump up, and then gradual decline over time back down to where they started, and then repeats with the next new vulnerability making the rounds.

Re:Interesting.

[Lumpy]

That's odd.

I mostly have a email box full of messages that simply state...

BRAINS!!!!

I hate Zombie explosions, leaves festering goo all over the place.

Re:Interesting.

[Amouth]

i am sure everyone here remembers the code red worm.. few remember the code green worm (the one that spread the same way the code red did but it patched the infection and prevented further infection once it made it in)

i honestly thing it would be a good idea to start doing this - to have a group write patchs that spread in the same way the viruses do

Re:Interesting.

[M1rth]

Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.

Before someone jumps on the "everyone should use Linux" bandwagon, Windows has over 90% of the market. Windows also has much more of the casual user market and much less of the enthusiast market - and the casuals don't keep a hawklike watch on their system.

Therefore, if you want to make a big botnet, compromising Windows is the way to go.

Someone found a new vulnerability, but didn't publicize it. Or they're exploiting the same old vulnerabilities (PICNIC, blank admin passwords, etc) and just stepped up their efforts again.

If your machine's admin password is blank and you're not behind a NAT, you are completely exposed. All the botnet guys have to do is get into the system through XP Pro's originally configured default drive shares and replace one commonly used file (say, a favorite new video game) with their payload. The user reinstalls the game figuring it got corrupted and it wipes out how they originally got in - but they're already in the system with a rootkit installed from the time the user tried to run your game, and it's a bot.

The unfortunate reality is that the largest vulnerability is, and will be, the human element. They want their login to be "easy" - so anyone who gets physical access to the machine gets root access with no password credentials, or they use a trivially-cracked password. They want to "simplify" their security arrangements. They trust an email sent by their friends (or sometimes even spoofed to look like it came from themselves) or "system administrator at your domain."

End result? More vulnerabilities.

Unfortunately, the "solution" involves either telling a lot of crybabies "no, you can't have it this way" or else changing human nature. And it's not in human nature to stand up to the crybabies (actually, an actual corporation never would - it's "bad customer relations.")

Re:Interesting.

[TheRaven64]

In theory, it's a good idea. In practice, what happens when there's a code orange worm, one which patches the old vulnerability and then creates a new one? What happens if you're DoS'd by a load of Code Green worms all looking for machines to disinfect?

Re:Interesting.

[bazonic]

Probably safe to assume a new hole was found in something windows-ish and is making the rounds...

Yep. It's called "users." If I had a dollar for every time a relative or friend downloaded free animated smileys or a free game that completely compromised their system, I'd be able to, well, buy an iPod Shuffle. "Why is my system running so slow?" And that's just the stuff they invited into their machines.

Re:Interesting.

It's a poor idea because of liability issues, and the fact that altering the data in a computer without authorization is illegal. It also provides a defense for the bad guys (e.g. they write a "patch" with a subtle flaw in it, then claim it was with the best of intentions).

What if a "benign" patch takes a server down and it was performing a critical function, and lives are lost (e.g. an ambulance routing service) - who is liable? Arguing that the server was vulnerable anyway to some other malware won't get you very far.

Further, regardless of the legalities, if an administrator discovers their machine has been changed without their knowledge, they basically have to wipe it and start again, whether the patch was well intentioned or not (how can they be sure?), so it still causes economic damage.

Re:Interesting.

[Fex303]

i am sure everyone here remembers the code red worm.. few remember the code green worm (the one that spread the same way the code red did but it patched the infection and prevented further infection once it made it in)

i honestly thing it would be a good idea to start doing this - to have a group write patchs that spread in the same way the viruses do

I'd never heard of Code Green, but I do recall Welchia.

And that was terrible. It did bizarre things to some people's computers, crushed LANs as it tried to spread, and as bonus made up a substantial amount of net's traffic for a while.

While it's a cool idea in theory, in practice it ends up very inelegant, very fast.

Re:Interesting.

[MrNaz]

Yea but if you write a virus to kill their viruses, then your virus could mutate into something malicious and then spread. Then you'd need a bigger virus to kill those, and then those. Pretty soon you'd be emailing out blocks of code the size of an operating system.

It's like in Australia. The first farmers imported beetles to kill off the local locusts, then they found that the beetles didnt die and ate crops too. So they imported cane toads, which also ended up eating all the crops. They they tried cats, which ended up just running away and eating local fauna which were much tastier than cane toads, so they brought in foxes to prey on the cats. Then the foxes became a problem so they sent all the criminals there to kill the foxes. But the criminals got bored of that pretty quickly, and that's how we got Australian rules football.

Re:Interesting.

[antifoidulus]

Pretty soon you'd be emailing out blocks of code the size of an operating system.

Dude, Ubuntu spam! Thats perfect! Just create an email virus that installs Ubuntu and the botnets will disappear!

Re:Interesting.

[Amouth]

yea i know it is almost a taboo thing.. everyone thinks about doing it .. but no one does.. but in reality.. if they can monitor these bot nets and the command and control servers.. why not hijack the command and control servers to distribute the patchs to the bots it controls.. use their own power to take them out.

while the idea of spreading them in the wild seems bad because of the load on nutral or non effected hosts.. if they used the botnet to patch the botnet.. then that should elminate the issue with the nutral hosts.

Re:Interesting.

[gad_zuki!]

Why would you need a hole? All you need to do is write the executable, put it on the web, and send out an email about "greeting cards" or "photos of hot chicks." When all users run as admin by default then there's really no reason to go for anything than a simple download. This is why companies take away admin access from their users and why XP is much, much worse than Vista, by default.

Re:Interesting.

[Captain+Spam]

yea i know it is almost a taboo thing.. everyone thinks about doing it .. but no one does.. but in reality.. if they can monitor these bot nets and the command and control servers.. why not hijack the command and control servers to distribute the patchs to the bots it controls.. use their own power to take them out.

A fair idea, but it's not that simple... modern botnets use encryption... the controller and bots share an encryption key... without proper encryption, the bot will ignore all orders because they know they didn't come from the original controller...

So all the controller would need to do... is patch the problem that got them in the system in the first place... that'll stop others from exploiting it to put new instructions in... then, by encrypting all their commands... they ensure... insofar as they can do so without new vulnerabilities... that they will be the only ones ordering their own bots around...

I think something similar to this has been tried before, but it didn't work out right. Maybe not on the botnet level, but effectively an anti-virus virus (or anti-worm worm, or any combination of the two) that caused more problems than it solved, partly due to hefty bandwidth use, but also due to flaws in the anti-virus virus program that didn't clean itself up properly, so it just kept looking around for the virus. It'd be a bit too big a risk.

Re:Interesting.

[somersault]

It did fix the problem, but also generated massive amounts of traffic and made systems unstable.

That's pretty much what all the spam and viruseseseses are doing already though. I'd be happy for a few days of slow 'net access every 6 months if it meant everyone was all patched up after that week. Would make it much more difficult for the spammers to get anything done, and most of them would hopefully give up anyway.

Reactive solutions are still not as good as actively educating computer users though. Before people are allowed to use guns and cars they generally have to get a license - well, computers can be just as damaging to people as a physical accident, if they end up being used as part of a scheme to steal someone's identity. We need more training on basics like phishing, not running random code that someone sends you, etc. Basically just making people less gullible.

How can you tell if a box is zombied?

[oldspewey]

Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

Re:How can you tell if a box is zombied?

[John+Hasler]

"if it's not running Linux it's zombied"

It isn't that easy. It might also be running BSD.

Re:How can you tell if a box is zombied?

[TheThiefMaster]

If their internet activity light is flashing when they're not doing anything.

It's surprisingly accurate.

Re:How can you tell if a box is zombied?

[syousef]

Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

No, but you could teach them quickly even if they didn't fully understand what they are doing. Simple recipe
1. Turn off PC for half an hour
2. Start it up, and start your network connection. Do not start web browsers or other happs
3. Open up a command prompt from Start-Run
4. Type netstat -a and look for connections
5. Repeat step 4 several times over an one hour period

Now some connections may be software updating (eg. antivirus) but discounting that if you have lots of open connections or they're regularly changing, you have to assume it's probably owned.

Re:How can you tell if a box is zombied?

[ultranova]

If their internet activity light is flashing when they're not doing anything.

How can you know that they're not "doing anything" ? They could be downloading patches, an e-mail client could be checking for new mail, an instant messenger client could be exchanging "are you still there" packets with the server, the DHCP client could be renewing the lease, etc.

This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.

Re:How can you tell if a box is zombied?

[blueg3]

With botnets, you can get a pretty good idea by comparing external network logs to user-initiated communication. If they're not talking to their C&C, they're not doing much.

Re:How can you tell if a box is zombied?

[v1]

If you are only interested in actively used botnets (for DDoS and spam for example) then when you plug in the ethernet cable the router lights go mad, that's a good sign its pwned.

You can't really look at the network usage using tools ON the machine, as rootkits are designed to hide all their activity from the system tools by modifying them. So the owned windows box may show little or no network traffic while your router is nearly catching on fire. But the lights on the switch/router don't lie.

Re:How can you tell if a box is zombied?

[TheRaven64]

This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.

Not really. Most operating systems allow you to monitor disk activity in software. If this is showing nothing, but the disk light is on, then there's a good chance there's a rootkit hiding certain activity. Same with network usage. If your operating system thinks there's no activity, but the network card thinks there is, something very bad is probably going on. If your OS and your network card agree that there is network traffic, then you can try identifying it. Once you shut down everything that ought to be generating traffic, then you can analyse the rest quite easily (on a big network, expect around 10KB/s of multicast DNS).

Of course, this doesn't help if it's an application that's been trojaned. You probably wouldn't notice if your IM client, for example, has been infected and patched to initiate secondary connections. You can try using something like netstat (no idea what the Windows equivalent is) and find every remote host each application is connecting to, and check them against what you expect (if your IM client is connecting anywhere other than your IM server in the background it's probably malware or skype, but I repeat myself).

Re:How can you tell if a box is zombied?

[houghi]

So they must look at the back of their machine that is under the table and then be able to understand the difference between a light that is on and one that goes crazy. The people who are infected will most likely not be able to do that.

The people who are infected will have a hard time understanding the difference between a monitor and a computer and will find doing anything that is not taught in a specific way and order difficult and scary.

OK, this might not be the average user, but I think it is the average user who will be infected.

Re:How can you tell if a box is zombied?

[hesaigo999ca]

Actually being able to turn off my modem by putting it on stand by, and using zonealarm to monitor outgoing traffic requests, lets me see what sort of traffic i have, if I am owned, then it will not be communicating, and I usually do a full reinstall from my backup cds every 3 months, so that in the event i did get owned, i will be only for a short time. At the 3 month interval i also change all the passwords to my accounts. So if someone did have access, they are cut off.

Now however, I do use vmware, and am always weary of vmware rootkits, but don't know enough yet about them to mount a good offensive series of actions against them.

Re:How can you tell if a box is zombied?

[ksd1337]

Ha. We have zombie computers with Windows, and we have demons with BSD. What next, cute little penguins with Linux com... oh wait, never mind.

Re:How can you tell if a box is zombied?

[Spatial]

netstat (no idea what the Windows equivalent is)

It's the same. You can even use "netstat -b" to see which processes are using which connections, which can be quite handy.

Re:How can you tell if a box is zombied?

[maxume]

Watching something like Tcpview:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

or Currports:

http://www.nirsoft.net/utils/cports.html

may work better for a lot of users (anybody who can manage to download and extract a zip file...). A rootkit could still be hiding the traffic, but the approach you outline is better than nothing.

Re:How can you tell if a box is zombied?

[HAKdragon]

You can also add a number to the end of the netstat command to tell how netstat how often to update (in seconds). So "netstat -a 60" will update the stats ever minute.

Re:How can you tell if a box is zombied?

Productive[=============^=====(you)====]Secure

Filter error: Please use fewer 'junk' characters.
Filter error: Please use fewer 'junk' characters.
Filter error: Please use fewer 'junk' characters.
Filter error: Please use fewer 'junk' characters.
Filter error: Please use fewer 'junk' characters.

Re:How can you tell if a box is zombied?

[Creepy]

In fact, I am working on just such a case. By dormant, I mean the initial infection was removed, but the virus added some changes to IE so searches almost exclusively go to infected websites and exploit a java bug to reinfect the machine.

    The PC in question was my wife's, and she had followed a link to an unknown sender's e-card (which happened to arrive on her birthday) and it exploited her gullibility and a java bug to install the trojan XP Antivirus '08. I managed to eradicate that virus, but it made a change to IE that I missed initially that takes searches to infected websites and exploits the java bug again to reinfected the machine (mainly with other viruses - Virtumunde has been the latest - both of these are Russian Federation originating). Antivirus software doesn't catch the infections because they happen in resident memory, but the software does find them after they've written files.

The problem is, she needs to have her java patched to remove the java back door, but the virus seems to have tampered with java and it will not patch. I'm going to try a manual uninstall and reinstall tonight. I also likely need to reinstall IE (will try a registry fix first using my XP box as a reference), but MS has made that impossible by design, so I'll probably need to reinstall the entire OS.

a rise in botnets

[nimbius]

can only mean one of two things:
the machines are starting to take over
people arent getting any more intelligent with pc's than they are savvy. job security!

Re:a rise in botnets

[HAKdragon]

"He often speaks of the coming war between man and the brotherhood of machines."

Comment removed

[account_deleted]

Comment removed based on user account deletion

This makes me sad actually...

[O('_')O_Bush]

because it could mean that people who are vulnerable to these types of attacks are on the rise. You would have thought that after all this time and the numerous virus-by-email crises, people would have learned better.

Re:This makes me sad actually...

[antifoidulus]

Also keep in mind that in places like India, China, Vietnam etc., the number of people using the internet for the first time is skyrocketing. While it would be nice if all these people used secure OSs, more than likely its a pirated copy of Windows that may or may not be able to get software updates etc.

Re:This makes me sad actually...

[Fex303]

Never underestimate the predictability of stupidity.

I knew you'd say that.

I think I played that

[gEvil+(beta)]

Zombie Network Explosion? Wasn't that a Flash game on some site?

Re:I think I played that

All I know is that I saw the words "zombie" and "explosion", and thought This is it! Finally! and grabbed my shotgun. So disappointed.

I wonder if it had to do with...

[arhhook]

Vista's Security Rendered Completely Useless leading more machines (with Vista) open to drive by downloads, etc, becoming zombies?

Easy

[Toreo+asesino]

They've become self-aware. Run for the hills!

Re:Easy

[Missing_dc]

They've become self-aware. Run for the hills!

Won't help, you will be found, in a week we are launching a satelite that has 41 centimeter resolution. The rocket will even have a google logo on the side.

(OK, que the "now they can see my penis(ego) from space" jokes)

Re:Easy

[stjobe]

Cue. Cue the jokes.

Re:Easy

[dkleinsc]

No, queue the jokes. I'll process them as quickly as a feel like, thank you.

Re:Easy

[somersault]

Colonel? You'd better take a look at this radar..

What is it, son?

I dunno, sir.. but it looks like a giant-

Dick!

Yeah?

Take a look out to starboard.

Oh my god, it looks like a huuuuge-

Pecker! Wait, that's not a woodpecker, it looks like someone's-

PRIVATES! We have reports of an unidentified flying object! It has a long, smooooth shaft! Complete with-

Two balls!

What is that? It looks just like an enormous-

Wang! Pay attention.

I was distracted, by that enormous, flying-

Willy!

Yeah?

What's that?

Well, it looks like a giant-

Johnston!

Yessir!

Get on the phone to British intelligence and notify them about this!

Vigilante developers

[kaunio]

I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.

Of course, I see the problems with doing so (hasn't there been an article about this topic earlier?), but still, there are a lot of infected machines that have been so for ages are not likely to vanish. Bandwidth and cpu cycles can definitely be spent on better things than spam.

Re:Vigilante developers

[Neoprofin]

The problem is someone with the drive to do so would come to Slashdot and be told, in hundreds of angry posts, that he has no right to do that and he's just as bad as the zombie botnet overlords. Of course he should have just done it, prayed for the best, and hoped that history would look kindly upon what's been done.

Re:Vigilante developers

[Joe+U]

I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.

As a network admin, I would love to see someone write code to destroy the boot sector of an infected machine and then run a shutdown. (No data is lost, but the system is offline)

As a system admin, I would hate to see code out there that does damage to any process on the system, infected or not.

As a developer, I won't go anywhere near that type of software.

As an end user, I want better antivirus with better alerting that doesn't require a full core of my processor to run.

Insane increase in SSH attacks

[h2o2]

I noticed an incredible increase in DenyHosts alerts over the last three days to the extent that I had to turn off alert emails. This picture says it all: http://stats.denyhosts.net/stats.html

Re:Insane increase in SSH attacks

[Megaweapon]

Same here, for some reason one of our servers on our subnet is a frequent attack for distributed SSH attacks, and there has been an explosion of them in the past few days for us. I've been collecting IP addresses and locking them out via firewall, but more just keep coming.

Re:clear sign that

[Locklin]

I wonder if it has more to do with bored students writing malicious code, or bored students downloading "suspicious" content.

Riddle me this...

[davmoo]

So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?

If Comcast and ilk such as that were really interested in conserving network bandwidth, they'd be cutting off zombies instead of putting on bandwidth caps.

Re:Riddle me this...

[SaDan]

ISPs can, and it was something I used to do as an "added feature" at the wireless ISP I used to work for.

It can be construed as an invasion of privacy, and I was yelled at plenty by some of my former customers. While a pain to administer, it had an incredible impact on our network's performance, and a decrease in customer complaints for individual towers being slow, etc.

The same technology Comcast uses (used?) to throttle Bittorrent users most likely could kill off zombies and DoS attacks. It's a shame they don't apply their resources appropriately.

Re:Riddle me this...

[Neil+Watson]

The cost of monitoring, administering, taking action and fielding the incoming support calls from irate customers who have had their service suspended is probably more than simply capping bandwidth and charging for over runs.

Re:Riddle me this...

[Missing_dc]

The cost of monitoring, administering, taking action and fielding the incoming support calls from irate customers who have had their service suspended is probably more than simply capping bandwidth and charging for over runs.

You are on to something, but take it up a notch...

The bots are a potential revenue source. The zombie traffic could push normal users over the caps resulting in extra usage fees. How long till an ISP exploits this intentionally (hijack or buy a botnet and make them send files back and forth)?

Re:Riddle me this...

[SaDan]

By "technology", I was referring to the black box that sits inline with the uplink(s) to the internet.

The system I used to maintain was such a beast, and it did everything from real-time AV scanning, SPAM scanning, and IDS/DoS functions. It could in fact be used to detect DoS attacks, and send alerts via SMS/email to us. I also used it to shape/limit Bittorrent and other P2P protocols.

http://www.fortinet.com/ is where you can find one example of such "technology".

Re:clear sign that

[shaka]

I wonder if it has more to do with bored students writing malicious code, or bored students downloading "suspicious" content.

I'm pretty sure it isn't the latter, these botnets are not the work of "bored students", they are controlled by organized crime and their ilk.

Uh, no

[phorm]

Because plenty of windows core services still send traffic even if there's not an obvious "app" in charge of them (there are a bunch of normal system processes that tend to run services underneath them, some of which involve networking).

And that doesn't count traffic on your network as well. Even if your computer isn't sending anything out, it may be responding to other traffic on the network depending on how things are configured, even if it's just to say "this is not the machine you're looking for."

I don't doubt it

[Controlio]

I don't doubt it at all. My computer, which is usually the epitome of clean, caught a worm the other day. It was automatically downloaded and executed (no clicks or dialogs) from one of the top 10 mainstream news websites, no less. Most likely one of the injection attacks. Had to really dig into it to find out that it somehow got downloaded by prefetch in Firefox (which has been promptly disabled now).

The ironic part... with all of the precautions I take, it wasn't detected at the router level nor the virus scan level. Windows firewall caught it before it could download its payload. As I manually removed it and restored from yesterday's registry copy, I had to chuckle a little.

But now that I've seen first-hand an unrequested .exe not only downloaded into ./system32 but executed - both without user approval or so much as a dialog box - I can only imagine how many zombies have popped up in the last few weeks.

Microsoft Windows Zombie Network Explosion

[rs232]

correct headline ..

Botnet Entropy?

[Flayer_of_Minds]

Sorry for being a uninformed moron, but what exactly is the definition of the "entropy of botnet infections"? Their infection rate? Their "healing" rate?

Zombie Network Explosion

Best band name ever!!

Re:clear sign that

[MadMidnightBomber]

Someone got a mail past our spamfilters at uni, pretending to be from the helpdesk, which contained a URL to some malicious code with instructions to download and run it.

Not only did loads of Windows users run the damn thing, but we got loads of helpdesk tickets from Mac users asking for a Mac version.

Give up - The performance hit is inevitable

[Cassini2]

Speaking as someone that regularly works on number processing and real-time applications, I've given up on Windows machines. I just assume every Windows box is running ample code that is outside my control, and that code will make the machine much slower for any mathematically intensive computations, especially if they involve disk access or network access. All of the anti-virus code designed to stop viruses and bot-nets is killing Windows as a platform.

One way or another, you pay your speed and uptime penalty. You either pay in downtime caused by the "bad" guys writing bot-nets, malware or viruses, or you pay in slow speed caused by the "good" guys like Microsoft, Symantec, and McAfee, who are trying to stop the bot-nets, malware and viruses. The modern "good" vs. "bad" arms race is resulting in anti-virus software that is so slow that it is strangling the Windows platform with endless code bloat. If you want to prove this to yourself, get an older PC with a fresh Windows installation. Start installing software on it, one package at a time. As the newer service packs are applied, the anti-virus software installed, and the software packages installed, the PC will actually slow down!

Building better anti-virus software for Windows is self-defeating. It slows the computer down to the point that Windows is useless.

Run Linux. Take control of your own computer.

Nah, it's just stupid users

[Joce640k]

There's that new "antivirus XP" thing doing the rounds. I bet loads of people have been stupid enough to click on that.

Not quite THAT bad

[Beryllium+Sphere(tm)]

>If your machine's admin password is blank and you're not behind a NAT, you are completely exposed.

As of XP Service Pack 2, the built-in software firewall is on by default, and blank passwords disable network logins. Not that the security posture of the typical home machine is anything we'd consider decent, but it's not the same as running sshd with a blank root password would be.

Love the tag

[Nonillion]

security, windows, brains. The three words that have the least in common.