Zombie Network Explosion

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."

Comment removed

[account_deleted]

Comment removed based on user account deletion

Interesting.

[scott_karana]

Interesting. Far more interesting to me, however, is speculating on how botnets quadrupled in the part three months.

Re:Interesting.

[Neil+Watson]

I've seen a large increase in SPAM with virus payloads.

Re:Interesting.

[v1]

Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.

We're likely to see the number decline gradually as people patch up the hole. Trends like this have a sawtooth pattern to them. Sudden jump up, and then gradual decline over time back down to where they started, and then repeats with the next new vulnerability making the rounds.

Re:Interesting.

[Lumpy]

That's odd.

I mostly have a email box full of messages that simply state...

BRAINS!!!!

I hate Zombie explosions, leaves festering goo all over the place.

Re:Interesting.

[M1rth]

Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.

Before someone jumps on the "everyone should use Linux" bandwagon, Windows has over 90% of the market. Windows also has much more of the casual user market and much less of the enthusiast market - and the casuals don't keep a hawklike watch on their system.

Therefore, if you want to make a big botnet, compromising Windows is the way to go.

Someone found a new vulnerability, but didn't publicize it. Or they're exploiting the same old vulnerabilities (PICNIC, blank admin passwords, etc) and just stepped up their efforts again.

If your machine's admin password is blank and you're not behind a NAT, you are completely exposed. All the botnet guys have to do is get into the system through XP Pro's originally configured default drive shares and replace one commonly used file (say, a favorite new video game) with their payload. The user reinstalls the game figuring it got corrupted and it wipes out how they originally got in - but they're already in the system with a rootkit installed from the time the user tried to run your game, and it's a bot.

The unfortunate reality is that the largest vulnerability is, and will be, the human element. They want their login to be "easy" - so anyone who gets physical access to the machine gets root access with no password credentials, or they use a trivially-cracked password. They want to "simplify" their security arrangements. They trust an email sent by their friends (or sometimes even spoofed to look like it came from themselves) or "system administrator at your domain."

End result? More vulnerabilities.

Unfortunately, the "solution" involves either telling a lot of crybabies "no, you can't have it this way" or else changing human nature. And it's not in human nature to stand up to the crybabies (actually, an actual corporation never would - it's "bad customer relations.")

Re:Interesting.

[TheRaven64]

In theory, it's a good idea. In practice, what happens when there's a code orange worm, one which patches the old vulnerability and then creates a new one? What happens if you're DoS'd by a load of Code Green worms all looking for machines to disinfect?

Re:Interesting.

[Fex303]

i am sure everyone here remembers the code red worm.. few remember the code green worm (the one that spread the same way the code red did but it patched the infection and prevented further infection once it made it in)

i honestly thing it would be a good idea to start doing this - to have a group write patchs that spread in the same way the viruses do

I'd never heard of Code Green, but I do recall Welchia.

And that was terrible. It did bizarre things to some people's computers, crushed LANs as it tried to spread, and as bonus made up a substantial amount of net's traffic for a while.

While it's a cool idea in theory, in practice it ends up very inelegant, very fast.

Re:Interesting.

[MrNaz]

Yea but if you write a virus to kill their viruses, then your virus could mutate into something malicious and then spread. Then you'd need a bigger virus to kill those, and then those. Pretty soon you'd be emailing out blocks of code the size of an operating system.

It's like in Australia. The first farmers imported beetles to kill off the local locusts, then they found that the beetles didnt die and ate crops too. So they imported cane toads, which also ended up eating all the crops. They they tried cats, which ended up just running away and eating local fauna which were much tastier than cane toads, so they brought in foxes to prey on the cats. Then the foxes became a problem so they sent all the criminals there to kill the foxes. But the criminals got bored of that pretty quickly, and that's how we got Australian rules football.

Re:Interesting.

[antifoidulus]

Pretty soon you'd be emailing out blocks of code the size of an operating system.

Dude, Ubuntu spam! Thats perfect! Just create an email virus that installs Ubuntu and the botnets will disappear!

Re:Interesting.

[gad_zuki!]

Why would you need a hole? All you need to do is write the executable, put it on the web, and send out an email about "greeting cards" or "photos of hot chicks." When all users run as admin by default then there's really no reason to go for anything than a simple download. This is why companies take away admin access from their users and why XP is much, much worse than Vista, by default.

Re:Interesting.

[Captain+Spam]

yea i know it is almost a taboo thing.. everyone thinks about doing it .. but no one does.. but in reality.. if they can monitor these bot nets and the command and control servers.. why not hijack the command and control servers to distribute the patchs to the bots it controls.. use their own power to take them out.

A fair idea, but it's not that simple... modern botnets use encryption... the controller and bots share an encryption key... without proper encryption, the bot will ignore all orders because they know they didn't come from the original controller...

So all the controller would need to do... is patch the problem that got them in the system in the first place... that'll stop others from exploiting it to put new instructions in... then, by encrypting all their commands... they ensure... insofar as they can do so without new vulnerabilities... that they will be the only ones ordering their own bots around...

I think something similar to this has been tried before, but it didn't work out right. Maybe not on the botnet level, but effectively an anti-virus virus (or anti-worm worm, or any combination of the two) that caused more problems than it solved, partly due to hefty bandwidth use, but also due to flaws in the anti-virus virus program that didn't clean itself up properly, so it just kept looking around for the virus. It'd be a bit too big a risk.

How can you tell if a box is zombied?

[oldspewey]

Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

Re:How can you tell if a box is zombied?

[John+Hasler]

"if it's not running Linux it's zombied"

It isn't that easy. It might also be running BSD.

Re:How can you tell if a box is zombied?

[TheThiefMaster]

If their internet activity light is flashing when they're not doing anything.

It's surprisingly accurate.

Re:How can you tell if a box is zombied?

[syousef]

Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

No, but you could teach them quickly even if they didn't fully understand what they are doing. Simple recipe
1. Turn off PC for half an hour
2. Start it up, and start your network connection. Do not start web browsers or other happs
3. Open up a command prompt from Start-Run
4. Type netstat -a and look for connections
5. Repeat step 4 several times over an one hour period

Now some connections may be software updating (eg. antivirus) but discounting that if you have lots of open connections or they're regularly changing, you have to assume it's probably owned.

Re:How can you tell if a box is zombied?

[ultranova]

If their internet activity light is flashing when they're not doing anything.

How can you know that they're not "doing anything" ? They could be downloading patches, an e-mail client could be checking for new mail, an instant messenger client could be exchanging "are you still there" packets with the server, the DHCP client could be renewing the lease, etc.

This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.

Re:How can you tell if a box is zombied?

[blueg3]

With botnets, you can get a pretty good idea by comparing external network logs to user-initiated communication. If they're not talking to their C&C, they're not doing much.

Re:How can you tell if a box is zombied?

[v1]

If you are only interested in actively used botnets (for DDoS and spam for example) then when you plug in the ethernet cable the router lights go mad, that's a good sign its pwned.

You can't really look at the network usage using tools ON the machine, as rootkits are designed to hide all their activity from the system tools by modifying them. So the owned windows box may show little or no network traffic while your router is nearly catching on fire. But the lights on the switch/router don't lie.

Re:How can you tell if a box is zombied?

[TheRaven64]

This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.

Not really. Most operating systems allow you to monitor disk activity in software. If this is showing nothing, but the disk light is on, then there's a good chance there's a rootkit hiding certain activity. Same with network usage. If your operating system thinks there's no activity, but the network card thinks there is, something very bad is probably going on. If your OS and your network card agree that there is network traffic, then you can try identifying it. Once you shut down everything that ought to be generating traffic, then you can analyse the rest quite easily (on a big network, expect around 10KB/s of multicast DNS).

Of course, this doesn't help if it's an application that's been trojaned. You probably wouldn't notice if your IM client, for example, has been infected and patched to initiate secondary connections. You can try using something like netstat (no idea what the Windows equivalent is) and find every remote host each application is connecting to, and check them against what you expect (if your IM client is connecting anywhere other than your IM server in the background it's probably malware or skype, but I repeat myself).

Re:How can you tell if a box is zombied?

[houghi]

So they must look at the back of their machine that is under the table and then be able to understand the difference between a light that is on and one that goes crazy. The people who are infected will most likely not be able to do that.

The people who are infected will have a hard time understanding the difference between a monitor and a computer and will find doing anything that is not taught in a specific way and order difficult and scary.

OK, this might not be the average user, but I think it is the average user who will be infected.

Re:How can you tell if a box is zombied?

[Spatial]

netstat (no idea what the Windows equivalent is)

It's the same. You can even use "netstat -b" to see which processes are using which connections, which can be quite handy.

Re:How can you tell if a box is zombied?

[Creepy]

In fact, I am working on just such a case. By dormant, I mean the initial infection was removed, but the virus added some changes to IE so searches almost exclusively go to infected websites and exploit a java bug to reinfect the machine.

    The PC in question was my wife's, and she had followed a link to an unknown sender's e-card (which happened to arrive on her birthday) and it exploited her gullibility and a java bug to install the trojan XP Antivirus '08. I managed to eradicate that virus, but it made a change to IE that I missed initially that takes searches to infected websites and exploits the java bug again to reinfected the machine (mainly with other viruses - Virtumunde has been the latest - both of these are Russian Federation originating). Antivirus software doesn't catch the infections because they happen in resident memory, but the software does find them after they've written files.

The problem is, she needs to have her java patched to remove the java back door, but the virus seems to have tampered with java and it will not patch. I'm going to try a manual uninstall and reinstall tonight. I also likely need to reinstall IE (will try a registry fix first using my XP box as a reference), but MS has made that impossible by design, so I'll probably need to reinstall the entire OS.

a rise in botnets

[nimbius]

can only mean one of two things:
the machines are starting to take over
people arent getting any more intelligent with pc's than they are savvy. job security!

Comment removed

[account_deleted]

Comment removed based on user account deletion

This makes me sad actually...

[O('_')O_Bush]

because it could mean that people who are vulnerable to these types of attacks are on the rise. You would have thought that after all this time and the numerous virus-by-email crises, people would have learned better.

Re:This makes me sad actually...

[Fex303]

Never underestimate the predictability of stupidity.

I knew you'd say that.

I think I played that

[gEvil+(beta)]

Zombie Network Explosion? Wasn't that a Flash game on some site?

Re:I think I played that

All I know is that I saw the words "zombie" and "explosion", and thought This is it! Finally! and grabbed my shotgun. So disappointed.

Easy

[Toreo+asesino]

They've become self-aware. Run for the hills!

Re:Easy

[Missing_dc]

They've become self-aware. Run for the hills!

Won't help, you will be found, in a week we are launching a satelite that has 41 centimeter resolution. The rocket will even have a google logo on the side.

(OK, que the "now they can see my penis(ego) from space" jokes)

Re:Easy

[dkleinsc]

No, queue the jokes. I'll process them as quickly as a feel like, thank you.

Vigilante developers

[kaunio]

I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.

Of course, I see the problems with doing so (hasn't there been an article about this topic earlier?), but still, there are a lot of infected machines that have been so for ages are not likely to vanish. Bandwidth and cpu cycles can definitely be spent on better things than spam.

Re:Vigilante developers

[Neoprofin]

The problem is someone with the drive to do so would come to Slashdot and be told, in hundreds of angry posts, that he has no right to do that and he's just as bad as the zombie botnet overlords. Of course he should have just done it, prayed for the best, and hoped that history would look kindly upon what's been done.

Re:Vigilante developers

[Joe+U]

I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.

As a network admin, I would love to see someone write code to destroy the boot sector of an infected machine and then run a shutdown. (No data is lost, but the system is offline)

As a system admin, I would hate to see code out there that does damage to any process on the system, infected or not.

As a developer, I won't go anywhere near that type of software.

As an end user, I want better antivirus with better alerting that doesn't require a full core of my processor to run.

Insane increase in SSH attacks

[h2o2]

I noticed an incredible increase in DenyHosts alerts over the last three days to the extent that I had to turn off alert emails. This picture says it all: http://stats.denyhosts.net/stats.html

Re:clear sign that

[Locklin]

I wonder if it has more to do with bored students writing malicious code, or bored students downloading "suspicious" content.

Riddle me this...

[davmoo]

So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?

If Comcast and ilk such as that were really interested in conserving network bandwidth, they'd be cutting off zombies instead of putting on bandwidth caps.

Re:Riddle me this...

[Missing_dc]

The cost of monitoring, administering, taking action and fielding the incoming support calls from irate customers who have had their service suspended is probably more than simply capping bandwidth and charging for over runs.

You are on to something, but take it up a notch...

The bots are a potential revenue source. The zombie traffic could push normal users over the caps resulting in extra usage fees. How long till an ISP exploits this intentionally (hijack or buy a botnet and make them send files back and forth)?

Uh, no

[phorm]

Because plenty of windows core services still send traffic even if there's not an obvious "app" in charge of them (there are a bunch of normal system processes that tend to run services underneath them, some of which involve networking).

And that doesn't count traffic on your network as well. Even if your computer isn't sending anything out, it may be responding to other traffic on the network depending on how things are configured, even if it's just to say "this is not the machine you're looking for."

I don't doubt it

[Controlio]

I don't doubt it at all. My computer, which is usually the epitome of clean, caught a worm the other day. It was automatically downloaded and executed (no clicks or dialogs) from one of the top 10 mainstream news websites, no less. Most likely one of the injection attacks. Had to really dig into it to find out that it somehow got downloaded by prefetch in Firefox (which has been promptly disabled now).

The ironic part... with all of the precautions I take, it wasn't detected at the router level nor the virus scan level. Windows firewall caught it before it could download its payload. As I manually removed it and restored from yesterday's registry copy, I had to chuckle a little.

But now that I've seen first-hand an unrequested .exe not only downloaded into ./system32 but executed - both without user approval or so much as a dialog box - I can only imagine how many zombies have popped up in the last few weeks.

Microsoft Windows Zombie Network Explosion

[rs232]

correct headline ..

Zombie Network Explosion

Best band name ever!!

Re:clear sign that

[MadMidnightBomber]

Someone got a mail past our spamfilters at uni, pretending to be from the helpdesk, which contained a URL to some malicious code with instructions to download and run it.

Not only did loads of Windows users run the damn thing, but we got loads of helpdesk tickets from Mac users asking for a Mac version.

Give up - The performance hit is inevitable

[Cassini2]

Speaking as someone that regularly works on number processing and real-time applications, I've given up on Windows machines. I just assume every Windows box is running ample code that is outside my control, and that code will make the machine much slower for any mathematically intensive computations, especially if they involve disk access or network access. All of the anti-virus code designed to stop viruses and bot-nets is killing Windows as a platform.

One way or another, you pay your speed and uptime penalty. You either pay in downtime caused by the "bad" guys writing bot-nets, malware or viruses, or you pay in slow speed caused by the "good" guys like Microsoft, Symantec, and McAfee, who are trying to stop the bot-nets, malware and viruses. The modern "good" vs. "bad" arms race is resulting in anti-virus software that is so slow that it is strangling the Windows platform with endless code bloat. If you want to prove this to yourself, get an older PC with a fresh Windows installation. Start installing software on it, one package at a time. As the newer service packs are applied, the anti-virus software installed, and the software packages installed, the PC will actually slow down!

Building better anti-virus software for Windows is self-defeating. It slows the computer down to the point that Windows is useless.

Run Linux. Take control of your own computer.