Zombie Network Explosion

← Back to Stories (view on slashdot.org)

Posted by CmdrTaco on Wednesday September 3, 2008 @12:50AM from the want-braaains dept.

anti-globalism writes "The number of compromised zombie PCs in botnet networks has quadrupled over the last three months. Shadowserver tracks botnet activity and the number of command and control servers. It uses a variety of metrics to slice and dice its figures based in part on the entropy of botnet infections. The clear trend within these figures is upwards, with a rise in botnet numbers of 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy)."

31 of 262 comments (clear)

Min score:

Reason:

Sort:

Comment removed by account_deleted · 2008-09-03 00:51 · Score: 5, Funny

Comment removed based on user account deletion
Interesting. by scott_karana · 2008-09-03 00:54 · Score: 4, Interesting

Interesting. Far more interesting to me, however, is speculating on how botnets quadrupled in the part three months.
1. Re:Interesting. by Neil+Watson · 2008-09-03 01:00 · Score: 4, Informative
  
  I've seen a large increase in SPAM with virus payloads.
  
  --
  UNIX/Linux Consulting
2. Re:Interesting. by v1 · 2008-09-03 01:12 · Score: 4, Insightful
  
  Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.
  We're likely to see the number decline gradually as people patch up the hole. Trends like this have a sawtooth pattern to them. Sudden jump up, and then gradual decline over time back down to where they started, and then repeats with the next new vulnerability making the rounds.
  
  --
  I work for the Department of Redundancy Department.
3. Re:Interesting. by Lumpy · 2008-09-03 01:19 · Score: 5, Funny
  
  That's odd.
  I mostly have a email box full of messages that simply state...
  BRAINS!!!!
  I hate Zombie explosions, leaves festering goo all over the place.
  
  --
  Do not look at laser with remaining good eye.
4. Re:Interesting. by M1rth · 2008-09-03 01:37 · Score: 5, Insightful
  
  Probably safe to assume a new hole was found in something windows-ish and is making the rounds, gathering up all the vulnerable machines.
  Before someone jumps on the "everyone should use Linux" bandwagon, Windows has over 90% of the market. Windows also has much more of the casual user market and much less of the enthusiast market - and the casuals don't keep a hawklike watch on their system.
  Therefore, if you want to make a big botnet, compromising Windows is the way to go.
  Someone found a new vulnerability, but didn't publicize it. Or they're exploiting the same old vulnerabilities (PICNIC, blank admin passwords, etc) and just stepped up their efforts again.
  If your machine's admin password is blank and you're not behind a NAT, you are completely exposed. All the botnet guys have to do is get into the system through XP Pro's originally configured default drive shares and replace one commonly used file (say, a favorite new video game) with their payload. The user reinstalls the game figuring it got corrupted and it wipes out how they originally got in - but they're already in the system with a rootkit installed from the time the user tried to run your game, and it's a bot.
  The unfortunate reality is that the largest vulnerability is, and will be, the human element. They want their login to be "easy" - so anyone who gets physical access to the machine gets root access with no password credentials, or they use a trivially-cracked password. They want to "simplify" their security arrangements. They trust an email sent by their friends (or sometimes even spoofed to look like it came from themselves) or "system administrator at your domain."
  End result? More vulnerabilities.
  Unfortunately, the "solution" involves either telling a lot of crybabies "no, you can't have it this way" or else changing human nature. And it's not in human nature to stand up to the crybabies (actually, an actual corporation never would - it's "bad customer relations.")
  
  --
  If you can read this sig, congratulations, you have your glasses on!
5. Re:Interesting. by TheRaven64 · 2008-09-03 01:38 · Score: 4, Insightful
  
  In theory, it's a good idea. In practice, what happens when there's a code orange worm, one which patches the old vulnerability and then creates a new one? What happens if you're DoS'd by a load of Code Green worms all looking for machines to disinfect?
  
  --
  I am TheRaven on Soylent News
6. Re:Interesting. by MrNaz · 2008-09-03 02:10 · Score: 4, Funny
  
  Yea but if you write a virus to kill their viruses, then your virus could mutate into something malicious and then spread. Then you'd need a bigger virus to kill those, and then those. Pretty soon you'd be emailing out blocks of code the size of an operating system.
  It's like in Australia. The first farmers imported beetles to kill off the local locusts, then they found that the beetles didnt die and ate crops too. So they imported cane toads, which also ended up eating all the crops. They they tried cats, which ended up just running away and eating local fauna which were much tastier than cane toads, so they brought in foxes to prey on the cats. Then the foxes became a problem so they sent all the criminals there to kill the foxes. But the criminals got bored of that pretty quickly, and that's how we got Australian rules football.
  
  --
  I hate printers.
How can you tell if a box is zombied? by oldspewey · 2008-09-03 00:54 · Score: 5, Interesting

Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.

--
If libertarians are so opposed to effective government, why don't they all move to Somalia?
1. Re:How can you tell if a box is zombied? by John+Hasler · 2008-09-03 00:57 · Score: 5, Funny
  
  "if it's not running Linux it's zombied"
  It isn't that easy. It might also be running BSD.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
2. Re:How can you tell if a box is zombied? by TheThiefMaster · 2008-09-03 00:57 · Score: 4, Insightful
  
  If their internet activity light is flashing when they're not doing anything.
  It's surprisingly accurate.
3. Re:How can you tell if a box is zombied? by syousef · 2008-09-03 01:13 · Score: 4, Informative
  
  Honest question - without resorting to answers like "if it's not running Linux it's zombied" I'd be curious to know how the average user can even determine whether their box is pwn3d.
  No, but you could teach them quickly even if they didn't fully understand what they are doing. Simple recipe
  1. Turn off PC for half an hour
  2. Start it up, and start your network connection. Do not start web browsers or other happs
  3. Open up a command prompt from Start-Run
  4. Type netstat -a and look for connections
  5. Repeat step 4 several times over an one hour period
  Now some connections may be software updating (eg. antivirus) but discounting that if you have lots of open connections or they're regularly changing, you have to assume it's probably owned.
  
  --
  These posts express my own personal views, not those of my employer
4. Re:How can you tell if a box is zombied? by ultranova · 2008-09-03 01:13 · Score: 4, Insightful
  
  If their internet activity light is flashing when they're not doing anything.
  
  How can you know that they're not "doing anything" ? They could be downloading patches, an e-mail client could be checking for new mail, an instant messenger client could be exchanging "are you still there" packets with the server, the DHCP client could be renewing the lease, etc.
  This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.
  
  --
  Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
5. Re:How can you tell if a box is zombied? by v1 · 2008-09-03 01:15 · Score: 5, Insightful
  
  If you are only interested in actively used botnets (for DDoS and spam for example) then when you plug in the ethernet cable the router lights go mad, that's a good sign its pwned.
  You can't really look at the network usage using tools ON the machine, as rootkits are designed to hide all their activity from the system tools by modifying them. So the owned windows box may show little or no network traffic while your router is nearly catching on fire. But the lights on the switch/router don't lie.
  
  --
  I work for the Department of Redundancy Department.
6. Re:How can you tell if a box is zombied? by TheRaven64 · 2008-09-03 01:43 · Score: 4, Informative
  
  This is in the same category than "there's hard drive activity when you're not doing anything". It's fine for DOS, but near useless for modern multitasking machines.
  Not really. Most operating systems allow you to monitor disk activity in software. If this is showing nothing, but the disk light is on, then there's a good chance there's a rootkit hiding certain activity. Same with network usage. If your operating system thinks there's no activity, but the network card thinks there is, something very bad is probably going on. If your OS and your network card agree that there is network traffic, then you can try identifying it. Once you shut down everything that ought to be generating traffic, then you can analyse the rest quite easily (on a big network, expect around 10KB/s of multicast DNS).
  Of course, this doesn't help if it's an application that's been trojaned. You probably wouldn't notice if your IM client, for example, has been infected and patched to initiate secondary connections. You can try using something like netstat (no idea what the Windows equivalent is) and find every remote host each application is connecting to, and check them against what you expect (if your IM client is connecting anywhere other than your IM server in the background it's probably malware or skype, but I repeat myself).
  
  --
  I am TheRaven on Soylent News
7. Re:How can you tell if a box is zombied? by Spatial · 2008-09-03 02:38 · Score: 4, Informative
  
  netstat (no idea what the Windows equivalent is)
  It's the same. You can even use "netstat -b" to see which processes are using which connections, which can be quite handy.
Comment removed by account_deleted · 2008-09-03 00:57 · Score: 5, Funny

Comment removed based on user account deletion
Easy by Toreo+asesino · 2008-09-03 01:08 · Score: 4, Funny

They've become self-aware. Run for the hills!

--
throw new NoSignatureException();
1. Re:Easy by Missing_dc · 2008-09-03 01:26 · Score: 4, Funny
  
  They've become self-aware. Run for the hills!
  Won't help, you will be found, in a week we are launching a satelite that has 41 centimeter resolution. The rocket will even have a google logo on the side.
  (OK, que the "now they can see my penis(ego) from space" jokes)
  
  --
  How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
2. Re:Easy by dkleinsc · 2008-09-03 03:01 · Score: 4, Funny
  
  No, queue the jokes. I'll process them as quickly as a feel like, thank you.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
Vigilante developers by kaunio · 2008-09-03 01:11 · Score: 4, Interesting

I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.
Of course, I see the problems with doing so (hasn't there been an article about this topic earlier?), but still, there are a lot of infected machines that have been so for ages are not likely to vanish. Bandwidth and cpu cycles can definitely be spent on better things than spam.
1. Re:Vigilante developers by Joe+U · 2008-09-03 01:49 · Score: 4, Insightful
  
  I'm actually surprised that we don't see any vigilante developers actually developing something that in some way or another disable or display information about the serious state the infected machine is in.
  As a network admin, I would love to see someone write code to destroy the boot sector of an infected machine and then run a shutdown. (No data is lost, but the system is offline)
  As a system admin, I would hate to see code out there that does damage to any process on the system, infected or not.
  As a developer, I won't go anywhere near that type of software.
  As an end user, I want better antivirus with better alerting that doesn't require a full core of my processor to run.
Insane increase in SSH attacks by h2o2 · 2008-09-03 01:15 · Score: 5, Informative

I noticed an incredible increase in DenyHosts alerts over the last three days to the extent that I had to turn off alert emails. This picture says it all: http://stats.denyhosts.net/stats.html
Re:I think I played that by Anonymous Coward · 2008-09-03 01:15 · Score: 5, Funny

All I know is that I saw the words "zombie" and "explosion", and thought This is it! Finally! and grabbed my shotgun. So disappointed.
Riddle me this... by davmoo · 2008-09-03 01:25 · Score: 5, Interesting

So if researchers can detect these things with apparent reliability in their process, why can't ISPs detect them the same way and cut the bastards off?
If Comcast and ilk such as that were really interested in conserving network bandwidth, they'd be cutting off zombies instead of putting on bandwidth caps.

--
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
Uh, no by phorm · 2008-09-03 01:51 · Score: 4, Informative

Because plenty of windows core services still send traffic even if there's not an obvious "app" in charge of them (there are a bunch of normal system processes that tend to run services underneath them, some of which involve networking).
And that doesn't count traffic on your network as well. Even if your computer isn't sending anything out, it may be responding to other traffic on the network depending on how things are configured, even if it's just to say "this is not the machine you're looking for."
I don't doubt it by Controlio · 2008-09-03 01:52 · Score: 4, Interesting

I don't doubt it at all. My computer, which is usually the epitome of clean, caught a worm the other day. It was automatically downloaded and executed (no clicks or dialogs) from one of the top 10 mainstream news websites, no less. Most likely one of the injection attacks. Had to really dig into it to find out that it somehow got downloaded by prefetch in Firefox (which has been promptly disabled now).
The ironic part... with all of the precautions I take, it wasn't detected at the router level nor the virus scan level. Windows firewall caught it before it could download its payload. As I manually removed it and restored from yesterday's registry copy, I had to chuckle a little.
But now that I've seen first-hand an unrequested .exe not only downloaded into ./system32 but executed - both without user approval or so much as a dialog box - I can only imagine how many zombies have popped up in the last few weeks.
Zombie Network Explosion by Anonymous Coward · 2008-09-03 02:29 · Score: 5, Funny

Best band name ever!!
Re:clear sign that by MadMidnightBomber · 2008-09-03 02:31 · Score: 5, Funny

Someone got a mail past our spamfilters at uni, pretending to be from the helpdesk, which contained a URL to some malicious code with instructions to download and run it.
Not only did loads of Windows users run the damn thing, but we got loads of helpdesk tickets from Mac users asking for a Mac version.

--
"It doesn't cost enough, and it makes too much sense."
Give up - The performance hit is inevitable by Cassini2 · 2008-09-03 03:42 · Score: 4, Interesting

Speaking as someone that regularly works on number processing and real-time applications, I've given up on Windows machines. I just assume every Windows box is running ample code that is outside my control, and that code will make the machine much slower for any mathematically intensive computations, especially if they involve disk access or network access. All of the anti-virus code designed to stop viruses and bot-nets is killing Windows as a platform.
One way or another, you pay your speed and uptime penalty. You either pay in downtime caused by the "bad" guys writing bot-nets, malware or viruses, or you pay in slow speed caused by the "good" guys like Microsoft, Symantec, and McAfee, who are trying to stop the bot-nets, malware and viruses. The modern "good" vs. "bad" arms race is resulting in anti-virus software that is so slow that it is strangling the Windows platform with endless code bloat. If you want to prove this to yourself, get an older PC with a fresh Windows installation. Start installing software on it, one package at a time. As the newer service packs are applied, the anti-virus software installed, and the software packages installed, the PC will actually slow down!
Building better anti-virus software for Windows is self-defeating. It slows the computer down to the point that Windows is useless.
Run Linux. Take control of your own computer.
Re:This makes me sad actually... by Fex303 · 2008-09-03 05:24 · Score: 4, Funny

Never underestimate the predictability of stupidity.
I knew you'd say that.