Slashdot Mirror


Massive Botnet Returns From the Dead To Spam On

CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."

205 comments

  1. Zombies!!!!! by syousef · · Score: 5, Funny

    Argh! Zombies!!!!! They're bound to be after brains! Well they'll find none here! Take that you evil zombies.

    --
    These posts express my own personal views, not those of my employer
    1. Re:Zombies!!!!! by tankadin · · Score: 1, Funny
      (Evil Overlord laugh)

      I'm from Estonia!

      All your zombies are belong to us!

  2. Further Proof by MaxwellEdison · · Score: 5, Insightful

    Further proof that crime doesn't pay. Unless you have a reliable business plan, of course.

    --
    -=Bang Bang=-
    1. Re:Further Proof by internerdj · · Score: 1, Funny

      Tell that to the RIAA.

    2. Re:Further Proof by Anonymous Coward · · Score: 1, Interesting

      ah but if you can figure out the alg it uses to get domain names....

The next time they are knocked out you can get a list of machines that are infected. Set up an agreement with the ISP and say 'if you give me the people who have their machines infected (btw here is a list) I will split the profit with you of every copy of mcafee or norton or whatever we sell to these customers.'

Letter from the ISP with a 20 dollar coupon for a virus scanner. 'Your computer was recently infected (see attached log). We recommend that you purchase some software to fix this issue. We recommend software X and here is a coupon for it.' Hell some ISPs even give away the software...

      It will not fix the problem but there is money to be made fixing it...

    3. Re:Further Proof by damn_registrars · · Score: 4, Insightful

      the alg it uses to get domain names

      Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?

      And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.

      On top of that, how many languages would you want to sell antivirus software in?

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    4. Re:Further Proof by Lobster+Quadrille · · Score: 5, Funny

      It's nice to see that somebody's IT department has the funding and expertise to implement a backup plan.

      It gives me hope.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    5. Re:Further Proof by Windows_NT · · Score: 1

Well I'm glad they got it running ... For a while I thought they might need to get in on the Government bailout package.
      On another note, I'm surprised some l337 doesn't get pissed about it and hack that computer. If I knew how to .. I would.. I'd hack that SOB and put a big picture of my ass as his background ...
      "Mess wit the best, and get corn-holed!"

      --
      Go go Gadget Nailgun!
    6. Re:Further Proof by julian67 · · Score: 5, Insightful

      Actually there isn't money to be made this way because all those unhappy customers demanding refunds will be expensive. The idea that you can clean an infected Windows PC by installing product A or B or C is mistaken. The whole idea that security is a boxed product or is available by clicking an .exe/.msi installer is bogus. Assuming that the malware on these infected computers is even known to the AV companies (and that's no longer a reasonable assumption in most cases) then the only way to actually remove it effectively is by running the AV tools from read only media, i.e. a live CD. Well designed malware will simply disallow the installation/use/updating of common AV software. The malware authors are streets ahead of the "security" vendors. The AV products installed on a clean machine can't even prevent many of these problems let alone cure them. Most Windows users would be better advised to save their pennies and re-install from original media, always be patched and up to date (applications as well as OS), run as unprivileged user with strong passwords on all accounts and browse only with Firefox + privoxy + noscript + adblock. That isn't perfect but it's zero financial cost and way more effective than anything Symantec, McAfee etc can offer. Unfortunately running Windows with an unprivileged account is as convenient as toothache.

    7. Re:Further Proof by jargon82 · · Score: 5, Informative

      I've been running my windows XP laptop as non-admin for over 2 years. It's not as bad as you say. Two things keep me going. Superior SU, found here: http://www.stefan-kuhr.de/supsu/main.php3 and make me admin, found here: http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx. Between the two, running non-admin is quite comfortable with a bit of practice.

    8. Re:Further Proof by Anonymous Coward · · Score: 0

      "Unfortunately running Windows with an unprivileged account is as convenient as toothache."

      Right mouse, run as. Works most of the time. I've been using XP Pro for many years that way. In very rare cases I had to login with a privileged user.

    9. Re:Further Proof by blhack · · Score: 5, Informative

      A little windows trickery:

      Right click on internet explorer and click "Run As" run it as admin.
      type C:\ into the address bar. Navigate to whatever folder the programs you want to run are in and run them. Anything that spawns from here will be running as admin.

      --
      NewslilySocial News. No lolcats allowed.
    10. Re:Further Proof by nurb432 · · Score: 1

      Or get into politics.

      --
      ---- Booth was a patriot ----
    11. Re:Further Proof by julian67 · · Score: 3, Interesting

      There's a lot more to it than launching applications. Even then it's unsatisfactory in many ways. It's extremely inconvenient to have to run an application as admin and have all the output non-executable and non-writable for other users...one more crappy task to fix all the permissions after every run. Anyway there are many applications which simply don't work with run as. The previous poster who linked to Super SU was nearer the mark. Windows user model works fine for users with no local admin rights working under a domain controller, i.e. in the office with IT dept running everything. For home/individual users it really stinks. The existence of botnets of tens or hundreds of thousands of compromised Windows PCs should negate the need to even mention or discuss this but it seems that simple, sane authorisation models have been thoroughly subverted for so long that the absolute worst model is considered normal and acceptable. What's really incredible to me is that if you look at unix user/super user model or the Ubuntu/OS X style sudo model they are both easy and *convenient* for the end user as well as the administrator and have no real drawback; I can't quite work out why MS dedicated the last 10 years to screwing it up so badly. It is a horrible experience for their users to suffer unwanted malicious software on their systems and it could all have been easily avoided. It shouldn't be normal to run a system so badly configured and implemented that it requires 3rd party add ons simply to appear secure. It shouldn't be anything other than extraordinarily unusual to have one's personal and financial details exposed to criminals etc. Run as is not the answer because there are too many situations where it simply doesn't work or is so inconvenient that it becomes impractical. Personally speaking, Windows is only for games while everything else gets done on a sensible OS. Windows by default has no immunity and no powers of recovery. It has AIDS.

    12. Re:Further Proof by Jason+Hildebrand · · Score: 2, Informative

      Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?

      RTFA. The bots are generating domain names which they then attempt to contact in order to re-connect with botnet control.

      It's very clever, really. The algorithm can generate a near-endless list of domain names, and all the botnet owners have to do is register one of them and set it up to respond to the bots.

      On the other hand, in order to block this attempt by the bots to re-connect with the botnet owner, you have to pre-emptively register ALL domains which the algorithm generates. So in the long run, it's not financially feasible to block this.

      I assume that the researchers are now going to try to make arrangements directly with the registrars to block registration of such domains in the future -- hope they can get co-operation on this.

    13. Re:Further Proof by LackThereof · · Score: 2, Interesting

      You misunderstand.

      Srizbi has an algorithm to generate a pseudo-random domain name from the current date, and looks to that domain for command & control instructions.

      The author of the bot has the same algorithm, and can calculate the domain names days and weeks out. Thus, if their c&c server is knocked off the internet, the bot herder just has to register a few domain names that Srizbi will be looking to in the near future.

      This has nothing to do with the domain names of the bots themselves, or of the target machines.

      --
      Legalize recreational marijuana. Seriously.
    14. Re:Further Proof by Anonymous Coward · · Score: 0

      That won't work if IE7 or higher is installed - Internet Explorer is no longer Windows Explorer. Starting cmd as Administrator (Start -> Run -> cmd -> runas /user:Administrator cmd), opening regedit, and setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess key to 1 will allow you to run "explorer" from said command line to the same effect.

    15. Re:Further Proof by Anonymous Coward · · Score: 0

      ISPs could put those domains in their authoritative zones (and start responding like they own the domains for their customers) and block the traffic.

      I do this all the time with my company network and an ISP I work for occasionally (with their blessing).

      Ad networks = gone. Bot stuff = gone. Spam TLDs = Gone.

      Not one of the end users noticed nor cared yet. Nobody notices when the ad banners come up blank apparently.
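The date-seeded domain generation that Jason Hildebrand and LackThereof describe above, together with the defender-side work the ISP-zone comment describes (precompute the names, answer for them locally, spot the clients that ask), as an added example that is not part of this thread. The generator is a constructed stand-in with the same shape as the one discussed, not Srizbi's real algorithm; the seed, TLD set, per-day count, sinkhole address and query-log format are all assumptions.

```python
"""Toy domain-generation algorithm (DGA) plus the defender-side work the thread
describes: precompute the names the bots will look up, serve them from your own
zone (sinkhole) and flag resolver clients that ask for them.

Constructed example: SEED, TLDS, the per-day count and the log format are
assumptions, and this is NOT Srizbi's real algorithm, only one of the same
shape (a deterministic function of the calendar date)."""
import datetime
import hashlib
import re

SEED = b"constructed-example-seed"   # hypothetical family constant
TLDS = ("com", "net", "info")        # assumed TLD set
DOMAINS_PER_DAY = 4                  # assumed
LABEL_LEN = 12
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def domains_for_date(day_iso: str, seed: bytes = SEED) -> list:
    """Return the candidate C&C names for one day (YYYY-MM-DD).

    The same input always yields the same output: that is why the bot herder
    can register names weeks ahead, and why a defender can compute the same
    list in advance instead of waiting to observe it."""
    day = datetime.date.fromisoformat(day_iso)
    names = []
    for i in range(DOMAINS_PER_DAY):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        label = "".join(LETTERS[b % len(LETTERS)] for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def upcoming_domains(start_iso: str, days: int, seed: bytes = SEED) -> set:
    """Defender view: every name the bots could try from start_iso for `days`
    days. This is the list that would have to be registered, sinkholed or
    blocked pre-emptively; it grows linearly with the horizon, which is the
    cost problem the thread points out."""
    start = datetime.date.fromisoformat(start_iso)
    names = set()
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        names.update(domains_for_date(day.isoformat(), seed))
    return names


def sinkhole_zone_lines(domains, sinkhole_ip: str) -> list:
    """Zone-file style A records that answer for the DGA names locally, as the
    ISP-zone comment describes (generic format, not tied to one DNS server)."""
    return [f"{name}.\tIN\tA\t{sinkhole_ip}" for name in sorted(domains)]


# Assumed resolver query-log shape (BIND-like):
#   <timestamp> client <ip>#<port>: query: <qname> IN <type> ...
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN "
)


def flag_queries(log_lines, blocklist) -> list:
    """Return (client_ip, qname) for every query that hits a precomputed DGA
    name. Lines that do not match the expected shape are skipped rather than
    raising, since query logs are full of other record types and noise."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue
        qname = m.group("qname").rstrip(".").lower()   # normalise FQDN form
        if qname in blocklist:
            hits.append((m.group("client"), qname))
    return hits


if __name__ == "__main__":
    horizon = upcoming_domains("2008-11-25", 14)
    # Constructed sample log: one lookup of a DGA name, one ordinary lookup.
    sample_log = [
        "25-Nov-2008 10:01:12.345 client 192.0.2.10#5353: query: "
        f"{domains_for_date('2008-11-25')[0]}. IN A + (192.0.2.1)",
        "25-Nov-2008 10:01:13.001 client 192.0.2.11#5353: query: "
        "www.example.com IN A + (192.0.2.1)",
    ]
    print(f"{len(horizon)} names to sinkhole over 14 days")
    for rec in sinkhole_zone_lines(sorted(horizon)[:3], "192.0.2.53"):
        print(rec)
    print("hits:", flag_queries(sample_log, horizon))
```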

    16. Re:Further Proof by Anonymous Coward · · Score: 0

      That only works for IE6. For IE7, simply supply the full path in the address bar. Don't spawn the second window.

    17. Re:Further Proof by plover · · Score: 1

      So if we used that algorithm ourselves and just started querying a seedy registrar for these domain names, they'd squat them all in advance. Then we could query some of the other seedy registrars, who would check with the first domain squatter, who would then jack up his prices so high the botherders couldn't afford them anymore.

      Sounds like killing two birds with one stone, if you ask me.

      --
      John
    18. Re:Further Proof by SanityInAnarchy · · Score: 2, Interesting

      Worth mentioning, sudo is essentially UAC, only somewhat less annoying. But it's still a broken model.

      One thing a lot of Unix daemons get right is, one user per task. Basic, stupidly simple security model -- nothing should have more access than it needs to do its job. Server systems still handle this reasonably well -- small things as root, only where needed. Take Apache -- it's root mostly just to bind port 80; everything else is www-data.

      Things like this completely go away with modern desktops. The only two users you deal with most of the time are yourself and root. Not that it matters -- X is full of potential exploits.

      Oh, and Windows isn't entirely unrecoverable, though the most effective recovery tools I know of are all Linux-based -- a decent livecd, ntfsclone, etc.

      --
      Don't thank God, thank a doctor!
    19. Re:Further Proof by orangesquid · · Score: 1

      Why can't someone honeypot a bot, move the system time forward and intercept NTP queries, and watch the traffic to see what DNS queries it generates?
      [Sorry for the bad grammar, grammar nazis need not reply]

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    20. Re:Further Proof by rav0 · · Score: 1

      Recommending users to install collections of programs downloaded from the internet isn't going to do much good.

    21. Re:Further Proof by deviated_prevert · · Score: 1
      "Most Windows users would be better advised to save their pennies and re-install from original media,"

therein lies the rub: "original media". Microshaft has made it so that most pc owners never get an original install disk, just a system restore piddle disk from an oem. This install disk invariably requires you to re-authorise the windows install, and most users are sick and tired of endless re-installs, then upgrading all the shitty windows drivers, then watching to see if they got rid of the bull. Unless the user is savvy enough to know where the infection is, then the user is just spitting in the wind(ows) if they save anything during the install. The users that get infected with malware are usually stupid enough to follow the instructions and keep their old files and older windows crap from God knows where ...essentially the problem is Microsoft and the windows operating system, not the consumer!

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    22. Re:Further Proof by ArsenneLupin · · Score: 2, Insightful

      Why can't someone honeypot a bot, move the system time forward and intercept NTP queries, and watch the traffic to see what DNS queries it generates?

      Actually, they managed to do better than that: they reverse-engineered the algorithm, and didn't even need to VM a bot.

      However, where the plan failed was not in guessing the domain names, but in coming up with enough money to preemptively register them...

    23. Re:Further Proof by Skrynesaver · · Score: 1

Which is why ICANN needs shooting. The notion that people of good will should have to club together to put these domains out of the herders' reach is objectionable.

      --
      "Linux is for noobs"-The new MS fud strategy
    24. Re:Further Proof by MadMidnightBomber · · Score: 1

      Does having an offsite resumé count?

      --
      "It doesn't cost enough, and it makes too much sense."
    25. Re:Further Proof by Anonymous Coward · · Score: 0

Yeah, until the spammers mimic your idea and send viruses out. Then we have 10x the amount of infected computers...

    26. Re:Further Proof by asadsalm · · Score: 1

      Right click on internet explorer and click "Run As" run it as admin. type C:\ into the address bar. Navigate to whatever folder the programs you want to run are in and run them. Anything that spawns from here will be running as admin.

      Except, after installing ie7, which stops this functionality... :-(

    27. Re:Further Proof by Anonymous Coward · · Score: 0

      Maybe read the MSDN link he posted. Very interesting:

      You quickly realize two things:
      - The program running as local Administrator cannot access network resources, since your local account is recognized only on your own computer; and
      - Any per-user settings apply to the local Administrators profile, not to the profile you normally work with.

    28. Re:Further Proof by SanityInAnarchy · · Score: 1

      I'm talking about the whole process -- which, for me, is:

        - Boot livecd
        - Backup everything
        - Reformat

      Then, there's the pre-emptive steps:

        - Boot livecd (or other OS)
        - Take disk image of software partition (with ntfsclone)
        - Before any major change, restore that image, make the change, then save a new one

      Combined with the fact that I don't use Windows very much, malware is pretty much a non-issue for me. I don't even have any kind of anti-malware beyond the standard Windows firewall.

      --
      Don't thank God, thank a doctor!
    29. Re:Further Proof by julian67 · · Score: 1

      Recovery in this context clearly doesn't mean format & re-install. It's nice that you have your own definitions for words/phrases/concepts and are able to be oblivious to normal usage and context, but it makes a rational exchange rather difficult.

    30. Re:Further Proof by SanityInAnarchy · · Score: 1

      Recovery in this context clearly doesn't mean format & re-install.

      No, recovery means restoring the system to a functional state, more or less the way it was before -- that is, without data loss.

      Wiktionary will back me up on that one: "A return to normal health", or "A return to former status."

      The end-user would also agree with me, I think -- the end result is a functioning computer with all their stuff. A reformat would work -- the only remaining question is whether it's the fastest method.

      It's nice that you have your own definitions for words/phrases/concepts and are able to be oblivious to normal usage and context,

      Find me a definitive dictionary. Until then, yes, rational exchange is difficult -- because it is your word against mine about a pointless argument.

      Point is, even when malware makes traditional recovery impossible -- not a new thing, remember when malware used to erase your hard drive just because? -- the machine isn't completely dead, and the actually-important data is most often (but not always) intact.

      --
      Don't thank God, thank a doctor!
  3. Going back in time ... by Anonymous Coward · · Score: 5, Interesting

    "the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"

I'd love to go back to the '50s, find one of those future-drawing artists, show him that headline, and ask him to draw what he thinks that means in the year 2008.

Hilarity ensues.

    1. Re:Going back in time ... by DahGhostfacedFiddlah · · Score: 5, Funny

      Never fails - I never have mod points when I see posts worthy of them.

    2. Re:Going back in time ... by Reality+Master+101 · · Score: 5, Funny

      I don't know what he'd draw, but I know it'd be covered in chrome. :)

      --
      Sometimes it's best to just let stupid people be stupid.
    3. Re:Going back in time ... by denis-The-menace · · Score: 5, Funny

I guess it would be a giant, dilapidated 50's-style robot vomiting a stream of cans of spam at crowds of innocent people.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    4. Re:Going back in time ... by jollyreaper · · Score: 1

      "the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"

I'd love to go back to the '50s, find one of those future-drawing artists, show him that headline, and ask him to draw what he thinks that means in the year 2008.

      Hell, just go back to the 60's and hand it to Mr. Crumb. I'm sure it would be filthy and funny by turns.

      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    5. Re:Going back in time ... by MaxwellEdison · · Score: 1

Heck, just send it in to Exploding Dog. I can't foresee any interpretation which would not range from surreal to hilarious.

      --
      -=Bang Bang=-
    6. Re:Going back in time ... by DahGhostfacedFiddlah · · Score: 1

      Okay, maybe I'm a bit slow, but someone's going to have to explain the joke in that post. +4 Funny? Seriously?

    7. Re:Going back in time ... by weetabeex · · Score: 1

I suppose it would be the "Funny... that always happens to me as well" kind of funny.

    8. Re:Going back in time ... by DahGhostfacedFiddlah · · Score: 1

      Never fails - I never have mod points when I see posts worthy of them. (worth a try :)

  4. They stopped them once. by Finallyjoined!!! · · Score: 5, Insightful

    Now do it again. Rinse, repeat, until there's nowhere left for them to host the "command and control" servers.

    The sooner the better. My good:spam ratio is almost 5:95 at the moment :-(

    --
    If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    1. Re:They stopped them once. by snowraver1 · · Score: 5, Funny

      If by 5:95 you mean 1:19. Didn't your math teacher teach you to reduce your fractions/ratios?

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    2. Re:They stopped them once. by Spaham · · Score: 1

      why get less when you can get more ?
      (no, don't reply :))

    3. Re:They stopped them once. by armanox · · Score: 3, Interesting

      Actually mine told me not to reduce, as it helps to see where they came from.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    4. Re:They stopped them once. by Anonymous Coward · · Score: 1, Funny

      Your math teacher was a hamster and your history teacher smelled of elderberries.

    5. Re:They stopped them once. by X0563511 · · Score: 1

      My brain refuses to simplify, reduce, or factor. I don't know why, nothing else really gives me the trouble.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:They stopped them once. by smittyoneeach · · Score: 3, Interesting

      Will switching to IPv6 make the bot nets more transparent to those trying to defend the intertubes?
      If that were true, then that might be a good argument to upgrade...

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    7. Re:They stopped them once. by Anonymous Coward · · Score: 1, Insightful

Well in real life you don't always want to reduce; when you do that you lose detail...

      sure 5:95 is the same as 1:19 but in this case you lose the detail that there were 100 total not just 20.

Say you have a group of people die and only .01 percent die; you could say that's a super tiny amount and it's not a big deal, unless you're talking about the whole planet, and then that .01 is still 67 million people.
      Book smarts and common sense smarts aren't interchangeable; you have to know when one way is just better than the so called "right way".

    8. Re:They stopped them once. by Anonymous Coward · · Score: 0

      No.

    9. Re:They stopped them once. by jon3k · · Score: 1

We're running about 99.9% on the year so consider yourself very lucky. We're using Ironport gateways for what it's worth.

    10. Re:They stopped them once. by Liath · · Score: 2, Funny

      I think you mean 52429 : 1048576

    11. Re:They stopped them once. by Anonymous Coward · · Score: 0

      Can't do that in countries where there is no law and order, say for example... RUSSIA.

      And there's like 100 other countries too. That's quite a few potential c&c hosts.

      I say we blackhole them altogether. Desperate times call for desperate measures.

On the other hand the USA is the leader of the spam pack by a wide margin. http://www.spamhaus.org/statistics/countries.lasso

    12. Re:They stopped them once. by sa1lnr · · Score: 2, Informative

I read that they had. Servers in Estonia were shut down quickly but one was left up in Germany.

      http://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/

    13. Re:They stopped them once. by Arancaytar · · Score: 1

      Yeah, should have put % marks after those numbers.

      By the way, the ratio is 97% good v. 3% spam for me (I get nearly 60 mails per day).

      I use Gmail.

  5. What intriques me... by powerslave12r · · Score: 5, Insightful

..most is how efficiently the bad guys always work. It's just astounding.

    --
    Real men read Slashdot articles at -1, bottom up.
    1. Re:What intriques me... by Yvan256 · · Score: 5, Funny

      Well of course. With no worker unions, government bureaucracy or international laws to get in the way, they have it easier than your average law-abiding citizens and companies.

    2. Re:What intriques me... by Marc+Desrochers · · Score: 5, Insightful

      No red tape, no bureaucratic processes, no politics, no concern about being polite and correct about everything. Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.

    3. Re:What intriques me... by Anonymous Coward · · Score: 0

      Except your bonus usually comes from that bulge in Guido's pants, and I don't necessarily mean the gun.

    4. Re:What intriques me... by Brigadier · · Score: 1

      no face of the mob perhaps,,,,

    5. Re:What intriques me... by Anonymous Coward · · Score: 0

      Different command structure. Our governments are still basically working on the aristocratic model, with a confusing, extremely inefficient layer of semi-democracy smeared on top. The criminals work on a completely different combination: half authoritarianism, half meritocracy.

      If we want to do them one better, we'd have to open source our government structures.

    6. Re:What intriques me... by owlnation · · Score: 2, Insightful

      Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.

      You mean, "by not even trying to appear as though you give a shit about who you inconvenience".

      If you've tried to contact Customer Support of any corporation (especially any outsourced CS) you know that that company really only pays lip service to the concept. Most corporations only provide just enough CS to be able to show that (massaged) stats reveal 80% customer satisfaction. There is almost never any genuine attempt to actually support customers.

      Most corporations would be as well to just stop providing any customer support whatsoever, there would be little net difference in most cases.

      I think the lack of bureaucracy is probably the key factor in the success of the black economy. Anyone who has worked in a corporation knows how many hoops you have to jump through to get anything meaningful done at any level in the organization. It's often best forgetting about anything that's not groundbreaking.

      That, and the fact that the bottom feeders in the foodchain who fail to cover their asses often don't get a warning on their permanent record so much as a bullet in the brain.

    7. Re:What intriques me... by Anonymous Coward · · Score: 0

      You also left out no sense of shame or ethics.

    8. Re:What intriques me... by Anonymous Coward · · Score: 0

      No. What is astounding is how inefficiently the corporate model always works.

Most places I have worked are still based on the '50s schemes, which makes me think of Jack Lemmon. One wonders how they ever get their sheets in the positive.. .. and what is it that is so boring to the 'bad guys' that it pushes them to be so creative elsewhere ..

    9. Re:What intriques me... by Anonymous Coward · · Score: 0

      They work efficiently because they have more information than the other side does. The good guys use public communication channels, so everything the good guys do and talk about, becomes immediately known to the bad guys who always work behind the scenes.

      Take for example security researchers who share their findings with the community. Do you think that the bad guys dont read them? Or Slashdot articles for that matter? Hi, botherder.

      The bad guys know how we think and what we publish. They have the "battlefield awareness" advantage.

    10. Re:What intriques me... by SgrA* · · Score: 1

      Crime is just more fun. Just consider, every evil genius that you ever met in an 007 movie has been really well decked out with superior technology.

    11. Re:What intriques me... by Anonymous Coward · · Score: 0

      ...is how you can miss the "G" key so badly that you hit the "Q" key instead.

    12. Re:What intriques me... by cbiltcliffe · · Score: 1

      How is that different from most corporations?

      Law-abiding citizens, I'll give you, but companies?

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  6. Thats strange... by pillowcase1 · · Score: 5, Funny

I know it's off topic, but my machine was running great for a couple weeks... now it's all slow again.

    1. Re:Thats strange... by NinthAgendaDotCom · · Score: 1

      You jest, but I did notice a huge drop in my spam levels on my Gmail account. Went from avg of 2500 spam/month to 1400 spam/month over the last couple weeks.

      --
      -- http://ninthagenda.com/
    2. Re:Thats strange... by dch24 · · Score: 1

      I wonder if the gmail admins are trying to ID mail sender IPs based on the noticeable traffic pattern of the last few weeks...

    3. Re:Thats strange... by Capt.DrumkenBum · · Score: 1

      Did you just install the latest version of Bonsai Buddy?
      I hear it is great!

      --
      If I were God, wouldn't I protect my churches from acts of me?
    4. Re:Thats strange... by pipingguy · · Score: 1

      Vista is NOT an XP upgrade.

  7. We don't need no stinking backups... by Anonymous+Monkey · · Score: 5, Insightful

    I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.

    --
    We are the Borg...
    1. Re:We don't need no stinking backups... by Anonymous Coward · · Score: 2, Funny

      I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.

      And here I've been wasting my time trying to set up an organ chop shop in Hong Kong!

    2. Re:We don't need no stinking backups... by oerlikon · · Score: 1

      Yeah, you never know when one of those silly ligament businesses might be subject to a "tendon take down" and go offline.

    3. Re:We don't need no stinking backups... by Explodicle · · Score: 1

      ...a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.

      Damn double-jointed criminals!

    4. Re:We don't need no stinking backups... by Anonymous+Monkey · · Score: 3, Funny

      AAHHAAAHH!!! My ham string!!! Make the burning stop!!!

      --
      We are the Borg...
    5. Re:We don't need no stinking backups... by Culture20 · · Score: 1

      Except these guys didn't have a good backup plan. They had to get Spanish Telesoniara(sp?) to bring McColo's link back up and transfer Terabytes of data to .ru domains. Of course, I bet they do have a good backup plan now.

    6. Re:We don't need no stinking backups... by syncmaster955 · · Score: 2, Funny

      AAHHAAAHH!!! My ham string!!! Make the burning stop!!!

      Did you mean: Spam string?

    7. Re:We don't need no stinking backups... by Anonymous Coward · · Score: 0

      Well, the ligament industry is very unpredictable.

    8. Re:We don't need no stinking backups... by mikael_j · · Score: 3, Interesting

      Swedish TeliaSonera and it wasn't done directly, they purchased the link through a third party and made sure it was activated just as the weekend started (probably hoping that no one would shut it down before the weekend was over).

      /Mikael

      --
      Greylisting is to SMTP as NAT is to IPv4
    9. Re:We don't need no stinking backups... by umghhh · · Score: 1

      to all that has been said about how efficient they work and how they do not have to deal with bureaucracy etc one must add motivation. They are motivated by direct profit and by the fact that if they screw up they are possibly in big trouble and I do not mean lack of bonus at the end of the year.

    10. Re:We don't need no stinking backups... by Anonymous+Monkey · · Score: 1

      Did you mean: Spam string?

      Ok how about "AAHHAAHH!!! My spam string!!! Make the flaming stop!!!

      --
      We are the Borg...
    11. Re:We don't need no stinking backups... by JakartaDean · · Score: 1

      I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.

      Are you implying that none of these guys have any backup procedures? Have you personally contacted all of these guys:

      connective-tissue.com
      Bones-to-bones
      Bones2bones.com
      JointsRus
      bone-glue.com
      Fibrous Tissue Cultures (FTC) Ltd.

      (Interesting aside: if you Google "ligament businesses" the first hit is a page called "Business Representation (Greek Ligament Service)". Those clever Greeks are ahead of the rest of medical technology again!)

      --
      The subject who is truly loyal to the Chief Magistrate will neither advise nor submit to arbitrary measures (Junius)
    12. Re:We don't need no stinking backups... by Anonymous Coward · · Score: 0

      I'm not really that surprised, because unlike a traditional business, criminals should expect to a greater extent than e.g. a power out happens that they might get caught, with things going wrong. When risks get low enough, people often stop thinking of backup plans.

    13. Re:We don't need no stinking backups... by sydneyfong · · Score: 1

      Aha! That explains the limbless blind beggars on the streets of Central!

      --
      Don't quote me on this.
    14. Re:We don't need no stinking backups... by Arancaytar · · Score: 1

      ligament business

      ...
      I don't think that word means what you think it means.

      Also, has there been any time when criminals have not been more efficiently organized than the right side of law?

  8. Aim for the head ... by Anonymous Coward · · Score: 0

    Works for zombies.

    Or maybe a hydra is a better analogy. Cut the head off AND burn it -- cut off the sites that are hosting them and find the people responsible. Either charge them or get them booted from the ISPs hosting them once they violate the terms of service. There has to be some kind of paper/money trail to follow if they've shut down operations at one site and redeployed at another.

    "The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web."

    Why not?

    1. Re:Aim for the head ... by Marc+Desrochers · · Score: 1
      Probably because "Shut me down and your family is dead"

      This is organized crime after all.

    2. Re:Aim for the head ... by sexconker · · Score: 4, Funny

      You don't have much experience battling hydras, do you?

    3. Re:Aim for the head ... by powerlord · · Score: 1

      You don't have much experience battling hydras, do you?

      No, but I hear a wall of Fire can be helpful.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  9. Target in sights by Shotgun · · Score: 0, Troll

    So, the researchers know where the CnC is originating from. Chase the rats down their holes with flamethrowers. Expose the subnets and let us DDoS them till the service providers cry uncle.

    Yes, it will probably take Estonia offline for a while, but eventually providers will get the clue that taking in criminals and scofflaws as clients is not profitable.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  10. ...well quite obviously... by thekm · · Score: 1

    ...they had a BotNet-Buster-Buster (tm)(c)

    1. Re:...well quite obviously... by Anonymous Coward · · Score: 0

      What they don't know, is that we have a Botnet-Buster-Buster-Bustah!

  11. Businesses by 140Mandak262Jamuna · · Score: 1

    There are more legitimate businesses than the ones selling snake oil to cure body aches, pains and ligament sprains. Why pick on them, poor sods.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  12. Re:Random crashes by RiotingPacifist · · Score: 2, Funny

    They're not random dammit! they always occur where the real part is a half, well the non-trivial crashes anyway.

    --
    IranAir Flight 655 never forget!
  13. A McColo with Fries by INeededALogin · · Score: 5, Funny

    ... and a Coke

    1. Re:A McColo with Fries by spartacus_prime · · Score: 0

      Liter of cola?

      --
      If you can read this, it means that I bothered to log in.
  14. Some Idiots by Nom+du+Keyboard · · Score: 4, Insightful

    Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down? These major ISP backbone providers really need to be talking to each other when they blacklist a site so that one rogue provider doesn't undermine the good efforts of all the rest.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Some Idiots by Detritus · · Score: 3, Informative

      This was because the good guys stopped registering the dynamically generated domain names used by the botnet, allowing the bad guys to register some domain names and regain control.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:Some Idiots by damn_registrars · · Score: 3, Insightful

      Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?

      I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.

      need to be talking to each other when they blacklist a site

      I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    3. Re:Some Idiots by Dunbal · · Score: 1

      one rogue provider doesn't undermine the good efforts of all the rest.

      This sort of resilience was the whole point of the internet anyway. Of course, it was never supposed to be used for "Evil" (tm).

      --
      Seven puppies were harmed during the making of this post.
    4. Re:Some Idiots by gmuslera · · Score: 1

      In fact, this is good news. Now the people behind McColo could be judged as at least responsible in part for the Srizbi botnet, and that could be read as hacking into millions of PCs. With a bit of luck by the time they get out of jail the sun will be red.

    5. Re:Some Idiots by naich · · Score: 1

      Obvious question: Why did the good guys not set up the domains to pass instructions to the bots to kill themselves or tell them to use a hard coded C&C that was owned by the good guys?

    6. Re:Some Idiots by ArsenneLupin · · Score: 1

      Digital signatures

  15. OK now... by damn_registrars · · Score: 4, Insightful

    Anyone who is surprised by this, raise your hand. If someone was able to write the requisite application to gather the botnet, one would expect the same programmer to have the foresight to write in a way to re-gather and restart the botnet at a later point in time.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:OK now... by jon3k · · Score: 2, Insightful

      You mean operators of a massive botnet worth literally MILLIONS of dollars have a backup plan? SHOCKING!

      How is this surprising to anyone? Do you not understand this is a business, illegal or otherwise? Do you not think cocaine smugglers have backup plans too?

    2. Re:OK now... by Skater · · Score: 1

      Who said they were surprised? Updates to continuing stories aren't necessarily surprising. If someone is arrested for murder you wouldn't be surprised to later hear that person is on trial for murder, would you?

  16. They missed the chance by confused+one · · Score: 3, Insightful

    While the command and control was down, they missed the chance to take out the bots too.

    1. Re:They missed the chance by blair1q · · Score: 1

      I was thinking about that.

      It would be neat if the bot writers included an uninstall command; then you could hijack the server domain, inject the command, and the network would vaporize itself.

      But of course they don't do that, and they probably know how to write code that isn't vulnerable to external exploits, so you have to go in through a trusted channel on each infected host. Which is what Microsoft's malware thing does.

      And they do that whether the command system is up or down.

      What Microsoft needs to do is to make it plain to anyone infected by one of these things that their system is not secure and is causing problems for the rest of the internet, and show them how to secure it. Even if that means sending snail-mail to the address registered for an infected IP address.

    2. Re:They missed the chance by LackThereof · · Score: 4, Informative

      Srizbi will, in fact, accept an uninstall command from a bogus C&C server.

      Lots of stuff about Srizbi

      In the course of investigating Srizbi, researchers had 250,000 bots under their control for a span of a few days. Sending the uninstall command was one of several ways they could have crippled this small portion of Srizbi. But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs. Maybe if some law enforcement agencies would get involved, that would be nice. Or at least give blanket immunity to researchers who would do so.

      --
      Legalize recreational marijuana. Seriously.
    3. Re:They missed the chance by Have+Brain+Will+Rent · · Score: 1

      More technology isn't always the best way to solve a technological problem. All you really need is a modest bounty on the guys behind it... say $10 Million for the bodies... errrr....ahhh... arrest, yeah that's it, the arrest... of the guy or guys running a botnet of any size. Cheap, efficient and for a little bit of irony it could be funded out of the Caymans.

      --
      The tyrant will always find a pretext for his tyranny - Aesop
    4. Re:They missed the chance by Anonymous Coward · · Score: 1, Informative

      Technically they also do not have the 'legal authority' to be in control of those bots, but they did anyways. So that throws it out the window of changing the PC in some way.

    5. Re:They missed the chance by ArsenneLupin · · Score: 1

      But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs.

      But who'd complain? Not the owners of the PCs, because they're not even aware that their PCs are (were) infected.

      Not the botnet operators, as they are in full illegality.

      And then, you know, typoes do happen.

      Pussies!

    6. Re:They missed the chance by blair1q · · Score: 1

      You don't need authority, you only need permission, and you only need to get permission after you have performed the service.

      If nobody accuses you of harming their system, you are not running afoul of the law.

  17. Not really. by khasim · · Score: 4, Informative

    They also have to deal with various groups trying to stop them. As in TFA:

    "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

    So the spammers had to have thought about and planned for such a contingency.

    And still bring in enough money to pay for the connections they'll be using to control the zombies.

    The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.

    So while attempting to register the domain names, work was going on to update the zombie software.

    The question now is how to get those hard-coded references to the various ISP's in the world so that they can block traffic to/from them and stop the zombies from updating again.

    Why isn't information such as that ever included in these articles?

    1. Re:Not really. by Anonymous Coward · · Score: 0

      > The question now is how to get those hard-coded references to the various ISP's in the world so that they can block traffic to/from them and stop the zombies from updating again.

      > Why isn't information such as that ever included in these articles?

      Estonian IP ranges (http://www.ipaddresslocation.org/ip_ranges/get_ranges.php) :


    2. Re:Not really. by Rich0 · · Score: 2, Interesting

      Yeah, but do you really need to block the whole country?

      The bots obviously need to find their home. Most likely this is via either a hard-coded IP, or a DNS lookup. So, just publish whichever one it is and then everybody can blackhole either the DNS entry or the IP address. If the major ISPs do that the bot dies.

      Now, if the bot uses IRC or something like that it could get trickier, since blocking that at the protocol level (short of killing an entire irc network) isn't possible. However, the irc network could probably block the appropriate channels.

    3. Re:Not really. by Anonymous Coward · · Score: 0

      It uses an algorithm to generate a domain name that it will try to connect to, apparently based on the date. Not quite so easy to blackhole.

    4. Re:Not really. by Rich0 · · Score: 1

      Then just take an infected computer, keep changing its clock for the next month, and see where it goes.

      Then set up a sting for the appropriate domain names (and don't allow them to actually be registered). The behavior is deterministic so you can stay ahead of the worm.

      Agreed that it wouldn't be easy to stay ahead of it indefinitely. However, authorities could register a year's worth of DNS entries to stall for time, and then send emails to ISPs about any infected IPs that connect.

  18. Re:Real terrorists by Anonymous Coward · · Score: 0

    Are you saying this botnet is a CIA asset?

  19. Wish my employer took catastrophe planning this by mkcmkc · · Score: 1

    seriously... :-(

    --
    "Not an actor, but he plays one on TV."
  20. Sample bias by DahGhostfacedFiddlah · · Score: 2, Insightful

    how efficiently the bad guys always work.

    Not really - we only ever hear about the efficient ones here. Head on over to Fark (or even Youtube:) to get some examples of bad guys working....inefficiently.

  21. Re:fallback strategy by maxume · · Score: 2, Funny

    Nice troll.

    I think it might be more accurate to say if only they had a strategy.

    --
    Nerd rage is the funniest rage.
  22. Soft on terrorism by Animats · · Score: 4, Informative

    So where are the US antiterrorism people? This is an attack on US assets by foreign nationals. We have a whole Department of Homeland Security. They had a good computer security guy in charge of dealing with such attacks, Amit Yoran, and he quit in 2004, fed up because DHS didn't really want to deal with real problems. His replacement was a career lobbyist. Really. "He served as Director of 3Com Corporation's Government Relations Office in Washington, DC where he was responsible for all aspects of the company's strategic public policy formulation and advocacy." That's America's first line of defense against cyberterrorism.

    The FBI has an antiterrorism operation. What are they doing? What they say they're doing is working to "strengthen and support our top operational priorities: counterterrorism, counterintelligence, cyber, and major criminal programs." What they're actually doing is flying around the FBI director in the private jet purchased with antiterrorism funds.

    FBI testimony before Congress, 2001: "The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which it must develop prevention, deterrence, and response capabilities."

    FBI testimony before Congress, 2004: " In the event of a cyberterrorist attack, the FBI will conduct an intense post-incident investigation to determine the source including the motive and purpose of the attack."

    So where's the action?

    Heads need to roll at DHS and the FBI.

    1. Re:Soft on terrorism by blair1q · · Score: 1

      They're busy watching Kazaa for pr0n doctors.

    2. Re:Soft on terrorism by dave420 · · Score: 1

      The main reason is that it's not terrorism. Every time people misuse that word, when real terrorism happens, people don't care as much.

    3. Re:Soft on terrorism by Anonymous Coward · · Score: 0

      Note that they omitted "or your money back" from those statements.

  23. Excuses by Anonymous Coward · · Score: 0

    No, they have it much harder than law-abiding companies. They can't blame all their problems on worker unions, government bureaucracy or international laws, which means that they have to actually be efficient rather than litigate their way into profitability.

  24. "my pen^H^H^H spam folder is bigger!" thread by ed.mps · · Score: 1

    I always had ~1200 mails in my gmail spam folder (ie: spam received in the last 30 days)

    (until today, at least,) it has been shrinking in the last two weeks, and has (atm) 950 mail... I'll let the party begin again, and see if this number goes up again.

    --
    !sig
    1. Re:"my pen^H^H^H spam folder is bigger!" thread by u38cg · · Score: 1

      I've had a similar experience. I moved to gmail for the legendary spam handling when I crossed the 2000/month barrier; I peaked at 3500 and now I'm under 500 per month. Someone is doing something right. Interestingly, it has actually gone up over the last few weeks, not down.

      --
      [FUCK BETA]
    2. Re:"my pen^H^H^H spam folder is bigger!" thread by mrand · · Score: 1

      I always had ~1200 mails in my gmail spam folder (ie: spam received in the last 30 days)

      (until today, at least,) it has been shrinking in the last two weeks, and has (atm) 950 mail... I'll let the party begin again, and see if this number goes up again.

      Write back when it has over 8100 in it (since Sun, Oct 19, 2008). The price of having the same email address for over 12 years: average of roughly 9 messages per hour that land in the spam folder. Short term average (just today) is about the same... 9 to 10 per hour.

      If we would have somehow guessed the onslaught of junk email we'd have to endure back then, mailing lists and the like would have been set up differently back then.

      Marc

      --
      -- PGP keyID: 0x4C95994D
  25. Disaster Recovery by centron · · Score: 1

    Once again we have proof of the value of a disaster recovery plan.

    I would have thought a money mill like that would use an Active/Active failover rather than a cold standby site, but I suppose they have to consider risks versus costs like anybody.

    --
    XeoMage

  26. Re:Hello fudge packers! by X0563511 · · Score: 1

    The random crashes will occur until you install Linux. You see, Linux is the fix for the random crashing!

    </tongue-in-cheek>

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  27. Lost opportunity by yenne · · Score: 1
    From TFA:

    According to Gong, when Srizbi bots were unable to connect with the command-and-control servers hosted by McColo, they tried to connect with new servers via domains that were generated on the fly by an internal algorithm. FireEye reverse-engineered Srizbi, rooted out that algorithm and used it to predict, then preemptively register, several hundred of the possible routing domains.

    "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

    Once FireEye stopped preempting Srizbi's makers, the latter swooped in and registered the five domains in the next cycle.

    I would have donated to this cause, as I imagine would have many others. It's a shame that we're finding out about it just now.
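    The domain-prediction workflow Rich0 sketches in the "Not really." thread above (set an infected machine's clock forward, record the domains it tries, register or blackhole them ahead of time) and the FireEye work quoted in this post are the same defensive idea. The Python below is an added example, not FireEye's code and not Srizbi's real algorithm: the generator is a constructed sha256-over-date placeholder, and the five-domains-per-day cycle, the start date and the resolver log lines are assumptions. It enumerates the domains a date-seeded generator will try over a coming window (the list to pre-register or sinkhole) and flags hosts in a DNS log that look one of them up.

```python
"""Defender's side of a date-seeded DGA: predict the domains, then watch for them.

The DGA below is a constructed placeholder (sha256 over the date), NOT
Srizbi's real algorithm, which this thread does not publish. The rest is
the workflow the thread describes: because the generator depends only on
the date, a defender who has recovered it can enumerate every domain the
bots will try for a coming period, hand that list to registrars or ISPs
for sinkholing/blackholing, and spot infected hosts by matching resolver
logs against it.
"""
import datetime as dt
import hashlib
import re
from typing import Iterable, List, Set, Tuple

TLDS = ("com", "net", "info")   # assumption: arbitrary TLD pool for the placeholder
DOMAINS_PER_DAY = 5              # the article quoted above mentions five domains per cycle;
                                 # treating one cycle as one day is an assumption
LETTERS = "abcdefghijklmnop"     # one letter per hex digit, so labels look DGA-like


def dga_domains(day: dt.date, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Placeholder DGA: derive `count` domains deterministically from the date.

    Determinism in the date alone is the property the thread relies on: set
    an infected machine's clock forward and it reveals tomorrow's domains.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(LETTERS[int(c, 16)] for c in digest[:12])
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def predict(start: dt.date, days: int) -> Set[str]:
    """Every domain the bots would try from `start` for `days` days: the sinkhole list."""
    watch: Set[str] = set()
    for n in range(days):
        watch.update(dga_domains(start + dt.timedelta(days=n)))
    return watch


# Constructed resolver log format: "<timestamp> client <ip> query <type> <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\d{1,3}(?:\.\d{1,3}){3}) query (?P<qtype>\w+) (?P<qname>\S+)$"
)


def detect(log_lines: Iterable[str], watchlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client, domain) for every lookup of a predicted DGA domain.

    Trailing dots and case are normalised so "ABC.com." matches "abc.com".
    Lines that do not parse are skipped rather than raising.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in watchlist:
            hits.append((m.group("client"), qname))
    return hits


# Constructed demo data: a start date and a handful of resolver log lines.
START = dt.date(2008, 11, 26)
WATCHLIST = predict(START, 30)          # a month of domains to pre-register or blackhole
SAMPLE_LOG = [
    f"2008-11-26T10:15:02 client 192.0.2.17 query A {dga_domains(START)[0]}.",
    "2008-11-26T10:15:03 client 192.0.2.17 query A www.example.com.",
    f"2008-11-27T01:00:41 client 198.51.100.8 query A "
    f"{dga_domains(START + dt.timedelta(days=1))[3]}",
    "2008-11-27T01:00:50 client 198.51.100.8 query AAAA mail.example.net.",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    print(f"{len(WATCHLIST)} domains to sinkhole for the next 30 days, e.g.:")
    for d in sorted(WATCHLIST)[:5]:
        print("  ", d)
    for client, domain in detect(SAMPLE_LOG, WATCHLIST):
        print(f"ALERT {client} looked up predicted DGA domain {domain}")
```

The size of `WATCHLIST` is also the registration bill FireEye says it could not keep paying: five names a day is 150 registrations a month, every month, for as long as the bots keep running.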

  28. spam on you crazy diamonds by jollyreaper · · Score: 0

    Spamble on!
    And nows the time, the time is now
    to spam some shit
    Botnet's goin round the world,
    Viagra for your dong, on the way
    419 scams a hundred times a day, spamble on!
    Gotta find the key for all my nets

    Mines a service that can be sold,
    But my IP I hold dear;
    And years ago in days of old
    When trojans flooded the LAN,
    Twas in the darkest depths of Redmond
    I met an exploit so fair,
    But Balmer, and the evil one crept up
    And patched away at it.
    It, it....yea.
    But it was seven years too late, no!

    Spamble on!

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
    1. Re:spam on you crazy diamonds by Anonymous Coward · · Score: 0

      People really need to stop posting crap like that. It's never funny. Just keep it to yourself.

  29. how come you say for sure they're in Estonia? by tankadin · · Score: 2, Interesting

    You could send an e-mail about command-and-control servers, to our Cyber Defence Center (Küberkaitse Keskus aka KKK) http://en.wikipedia.org/wiki/CCDCOE Estonia is not a big country at all so I think these new servers would be taken down pretty quickly.

    1. Re:how come you say for sure they're in Estonia? by Whiteox · · Score: 0, Troll

      Wasn't Estonia DDOS'd a few months ago by the Russian Government?
      That was very freaky. I heard that they got a lot of outside help to try and get their backbone up and running again.

      --
      Don't be apathetic. Procrastinate!
  30. Re:fallback strategy by LandDolphin · · Score: 1

    I am sure de does, much like the criminals who control the botnet had a fallback strategy to help them, not the public.

    --
    Spelling and Grammar errors have been added to this post for your enjoyment
  31. (H|Cr)ack attack by Thaelon · · Score: 3, Interesting

    What I wonder is, why don't some of those white/grey/black hat hackers out there try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down. I'm sure it would be challenging and billions would approve.

    The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?

    --
    Question everything

    1. Re:(H|Cr)ack attack by Anonymous Coward · · Score: 1, Insightful

      What you seem to be overlooking is the fact that there is a huge profit motive in spam. As such, there is a huge profit motive in maintaining as large a botnet as possible. One thing botnet owners often do is try to steal bots from other nets. To combat this, they will often patch the holes they used to gain control of the bots in the first place, and any other holes they know of. Essentially, it is in botnet owners' best interests to make their bots as secure as possible against determined attackers (i.e., other botnet owners).

      This leaves basically two reasonably reliable (legal) options for removing bots from the network: physical access to clean (or format) the infected computer offline, or persuading the bot's ISP that the bot is a bot and should have 'net access removed until such time as it is cleaned.

    2. Re:(H|Cr)ack attack by vvaduva · · Score: 1

      What makes you think that it has not happened?

    3. Re:(H|Cr)ack attack by Yvanhoe · · Score: 1

      Why do you dismiss the possibility of a vigilante-style anti-worm? It happened for Code Red: a counter worm, named Code Green, used the same vulnerability to spread, infect PCs, then install a patch to close the security flaw and suppressed itself.

      Code green caused some problems too but, well, it looks like an intriguing possibility.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    4. Re:(H|Cr)ack attack by Yvanhoe · · Score: 2, Interesting

      While looking for information on Code Green, I came across this 2002 Black hat conference that discusses the possibility of back striking an attacker in the case of the Nimda worm epidemic. http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-mullen.pdf You may be interested in this presentation.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  32. Money was involved... by The+Master+Control+P · · Score: 2, Informative

    There is no possible way any ISP would reconnect someone like McColo out of ignorance: TeliaSonera was bribed.

    1. Re:Money was involved... by Antique+Geekmeister · · Score: 2, Insightful

      Are you under the impression that ISP's cannot be bribed, confused, or flat out lied to using stolen credit card information? Boy, I wish I had your ISP to tell me what singles ads are lying about.

    2. Re:Money was involved... by afidel · · Score: 4, Informative

      More like duped, they bought the backup link through a reseller a long time ago and never activated it till Sat 11/15.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:Money was involved... by Lanforod · · Score: 1

      In other news, Wyatt Sonera, CEO of local ISP TeliaSonera has been spotted driving a new Bugatti...

  33. Blue Frog? by MrNougat · · Score: 1

    Does anyone remember Blue Frog? That was actually [i]working[/i]. Nothing before or since has been anything but a mosquito bite to spammers.

    There was an open source version, Okopipi, in the works for a very brief moment. I think the forum is probably full of weeds and spam now.

    --
    Web 2.0 == Giant Blogspam Circle Jerk
    1. Re:Blue Frog? by u38cg · · Score: 3, Interesting
      The trouble was any kind of central point became a massive juicy target for them, and it would be just the same for an open source project. Bluefrog IIRC ended up just drowning in a tide of DDOSing. Kinda ironic, really :)

      As far as I can see the only real solution to spam is intelligent filtering, which Google leads the way on: it's got to the point where if a spam mail gets through, I open it up and have a good look at it to see how the heck it got through.

      --
      [FUCK BETA]
    2. Re:Blue Frog? by Anonymous Coward · · Score: 0

      The problem with Blue Frog was that, while it did work, it leeched other people's bandwidth to perform DDoS with.

      You put that on your $9.95/mo shared account, or hell, even a dedicated server pushing under 1Mb and all of the sudden your bandwidth triples... As does your bill.

      Not to mention installing it violates just about every hosting TOS agreement and will get you kicked off the network:/

      Now if something like that were to be done in a coordinated way with the tier1 providers' buy in? that would be something to see. But who has the resources?

      We had a customer under a DDoS a few weeks back get hit with spikes as high as 80Gb of inbound traffic (no, that's not a typo. Eighty). While we only saw 10Gb of it (the pipe saturated, naturally) our tier1 provider eventually just null routed - it affected the entire south west, and frankly, nothing at all will be done about it because they don't even have the resources to investigate it:/

      (posted anon because anyone where I work would know who I am, and I am not speaking on behalf of my employer :)

    3. Re:Blue Frog? by LackThereof · · Score: 1

      problem with blue frog was that, while it did work, it leeched other people's bandwidth to perform dDoS with.

      You're wrong.

      The Blue Frog client submitted one complaint report for each relevant spam that client's machine received. If you didn't receive that spam and forward it to Blue Frog, your box wouldn't send out anything. Likewise, no one else's box would send out complaints for spam that you received.

      Some could describe it as a DDoS, but Blue Frog actually throttled itself to keep from knocking people off the internet. Complaints were sent out gradually over a couple of days, rather than having all the clients respond at once.

      --
      Legalize recreational marijuana. Seriously.
    4. Re:Blue Frog? by kvezach · · Score: 1

      How about a decentralized Blue Frog? Hook up the system to a DHT and use cryptographic signatures with some sort of replication system. The idea would be that the "maintainers" would introduce a (properly signed) message into the network, then the computers on the net would propagate it to the other nodes. If any single node is taken down, well, the net just routes around it. So that it wouldn't be considered a DDoS, each node might have a backoff system that stops sending stuff if the target computer is unresponsive.

      For bonus points, have each node host a small "web server" that just serves up an AA419/Lad Vampire type script, so anyone can join in the action. If you really want to make the Best Blue Frog Ever, connect the entire thing to a corruption-resistant trust metric, like Advogato's.

  34. Re:Hello fudge packers! by Anonymous Coward · · Score: 1, Funny

    do zombies cause a panic in linux?

    hehe

  35. 1:19 by jDeepbeep · · Score: 1

    you mean 1:19

    I detect a conspiracy here. I know you are really just typing 911 in reverse.

    --
    Reply to That ||
  36. Please grow up and join the real world by janrinok · · Score: 0, Redundant

    This is an attack on US assets by foreign nationals.

    You are receiving spam, not nuclear weapons, you idiot. It's not terrorism. What are you being terrorised to do? For goodness sake, get a sense of perspective! It is an annoyance, but it is hardly posing a threat to your national security. If it is causing you that much of a problem then unplug your computer from the socket in the wall.

    I'm not saying that there isn't a cost involved - there is. But what sort of action are you suggesting should be taken? A military invasion? Undercover assassinations of anyone you think might be involved in spamming? Or simply killing all those whose machines are infected? And if you think that any of those is acceptable then you surely won't have any objection if/when other nations start behaving that way in your country, will you? I know where most of my spam originates.

    --
    Have a look at soylentnews.org for a different view
    1. Re:Please grow up and join the real world by Animats · · Score: 2, Interesting
      You are receiving spam not nuclear weapons, you idiot. It's not terrorism.

      Tens of millions of American computers are under the direct control of hostile foreign interests. At any moment, they can be ordered to do anything by those interests, including erasing files, sending financial information, or attacking infrastructure sites. That's a much bigger threat than some guys mouthing off in a bar in Miami about blowing up some building, which got the FBI's full attention.

    2. Re:Please grow up and join the real world by WTF+Chuck · · Score: 2, Interesting

      Or simply killing all those whose machines are infected? And if you think that any of those is acceptable then you surely won't have any objection if/when other nations start behaving that way in your country, will you? I know where most of my spam originates.

      I have no problem with the infected machines being killed off, regardless of where the attacker that killed the machine is located or who the attacker is. Just leave some indication of why the machine was killed so I can point to it when charging the customer for re-installing their OS and recovering whatever of their files that you are kind enough to leave for them. A nice little README.txt file explaining "Your machine was a spam spewing zombie in the <botnet name> botnet." will be sufficient.

      --
      Note - Liberal use of <sarcasm> tags may or may not need to be applied.
  37. Lost opportunity to take over by Anonymous Coward · · Score: 1, Informative

    They should have used the domains to take over the botnet. If they know how it works, why not use the system to shut it down?!

  38. Re:JYUO FaIL IT! by Anonymous Coward · · Score: 0

    8-O

  39. As Ash said in the Army of Darkness flick... by Lead+Butthead · · Score: 1

    "It took Linda('s e-mail box.) Then it came after (my e-mail box,) it got into my (windows box) and it (turned zombie,) so (we got McColo shutted down.) But that didn't stop it, it came back big time."

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  40. A plan for spam by Johnny+Loves+Linux · · Score: 1

    Folks, I know this is flogging a dead horse, but let's see if this time the suggestion takes hold. How about this plan for dealing with spam spewing botnets:

    1) If you're a Microsoft Power User (MPU) and you do the normal security precautions go ahead and use your Microsoft OS of choice -- you know *your* box isn't going to get infected because you're on top of the security issues.

    2) If you're a MPU and you've got family or friends who are *NOT* MPUs and they ask you for advice why not make the "reasonable" suggestion:

    a) Get a Mac OS X box if they're looking for a new computer and you want them to have a decent Desktop environment with decent default network security. This minimizes *your* sysadmin requirements and *increases* their odds of not becoming yet another Windows Spam Spewing bot (WSSB).

    b) If they already have a Windows PC or have recently purchased a windows PC why not suggest that

    i) for *non-networking* activities go ahead and use the Windows OS *if* that is what they are comfortable with, things like say spreadsheets, or word processing, Adobe Photoshop, etc.

    ii) for *networking* activities like web browsing, checking e-mail, watching flash videos, irc, etc. go ahead and install say Ubuntu, or openSUSE or whatever Linux flavor *you* are familiar with and teach them how to use it. That way you have reduced the sysadmin's network security headaches for *you*.

    Ideally, I would recommend making the base OS a Linux distro, and running the Windows OS in VMware or Xen virtual box. That way they don't have to reboot when switching between network based activities (Linux) and non-network based stuff (Windows).

    Microsoft should be happy they still get a sale. You should be happy that your family and/or friends are still using Windows for most stuff. And the rest of us who don't use windows in any networking capacity can be happy that there is 1 (or more) fewer WSSB out there spamming us with stuff we don't care about.

    Is that a reasonable nonflaming suggestion?

  41. domains ? by smoker2 · · Score: 0

    So why is the botnet's domain still resolving? You can't seriously believe that we know all about this botnet's C&C but don't know what domains it's using. Just blacklist the domain.

    1. Re:domains ? by LackThereof · · Score: 2, Interesting

      Because Srizbi has an algorithm that generates new pseudo-random domain names based on the current date. If the hard-coded C&C server ever goes down, the bot herder can calculate what domain names Srizbi will be looking to in the near future, and register them to reclaim the botnet (and push an update that changes the hard-coded server).

      Technical Details of Srizbi's domain generation algorithm

      --
      Legalize recreational marijuana. Seriously.
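The date-seeded scheme described above cuts both ways: whoever knows the algorithm can list the coming domains, and a defender can turn that list into a blocklist and match it against resolver logs. This is an added example, not code from the thread or from FireEye, and the DGA in it is a constructed stand-in (a SHA-256 of a placeholder seed and the date), not Srizbi's real algorithm; the log format and IP addresses are made up.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in DGA. It is NOT Srizbi's algorithm; it only models the
# property the comment relies on: the candidate list depends solely on a fixed
# seed and the calendar date, so it can be computed in advance by anyone.
SEED = b"constructed-seed-not-srizbi"   # placeholder, not a real family seed
TLDS = ("com", "net", "info")
DOMAINS_PER_DAY = 4


def dga_domains(day, seed=SEED):
    """Return the candidate C&C domains a bot would try on `day`."""
    out = []
    for i in range(DOMAINS_PER_DAY):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        # 10 lowercase letters derived from the hash, then a hash-chosen TLD
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        out.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return out


def upcoming_blocklist(start, days):
    """Defender side: every domain the bots will look for in the next `days`."""
    names = set()
    for offset in range(days):
        names.update(dga_domains(start + timedelta(days=offset)))
    return names


def flag_dns_queries(log_lines, blocklist):
    """Match resolver log lines of the constructed form 'time client qname'
    against the blocklist. Returns {client_ip: [qnames]} for every client
    that asked for a DGA domain, which is the infected-host list the thread
    talks about harvesting."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                      # skip malformed lines
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.setdefault(client, []).append(qname)
    return hits


# Constructed sample resolver log for the week of the article: one client
# queries two DGA domains, the other clients only resolve benign names.
START = date(2008, 11, 26)
SAMPLE_LOG = [
    f"12:00:01 10.0.0.5 {dga_domains(START)[0]}.",
    "12:00:02 10.0.0.7 www.example.org.",
    f"12:00:03 10.0.0.5 {dga_domains(START + timedelta(days=1))[2]}.",
    "12:00:04 10.0.0.9 mail.example.net.",
]


def demo():
    """Run the sample log against a one-week precomputed blocklist."""
    return flag_dns_queries(SAMPLE_LOG, upcoming_blocklist(START, 7))


if __name__ == "__main__":
    for host, names in demo().items():
        print(host, "queried DGA domains:", ", ".join(names))
```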
  42. casting for this spooky spam monster action flick by zogger · · Score: 1

    Mr. Natural as Fox Muldaur and Angelfood McSpade as Scully, and the Fabulous Furry Freak Brothers as the Lone Gunmen. Evil Spam Monster overlord, Mr. The Toad

  43. No wonder! by antdude · · Score: 1

    That explains why I got higher spam in my inboxes over the last two days. Ugh! :(

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  44. Why is this still going on? by blair1q · · Score: 1, Interesting

    It's pretty obvious to me that it's trivially simple to watch one of these bots cycle through its algorithm, then when it gets a working server site, you trace to that site and find who's running it and cut their balls off as well as their network access. Then watch it happen again, and so on.

    That would be a lot smarter than paying tens of thousands of dollars for randomly-generated domain names.

    Why are spam-fighters so intent on doing the dumb thing instead of the right thing?

    1. Re:Why is this still going on? by kvezach · · Score: 2, Interesting

      What they should have done was this: Cut the provider's proverbial balls off. Then snap up the next ten or twenty domains. Connect them all to a server that instructs the bots that get there to uninstall themselves. I can see why they didn't, though; they could have been liable for any unintended effects (computers crashing, whatever), which is why that step should ideally have been done by some anonymous or pseudonymous party.

    2. Re:Why is this still going on? by shentino · · Score: 1

      That would assume the bot had an uninstall function.

      I doubt a computer hijacker would make it easy for a botnet to be removed, let alone let it be able to uninstall itself.

    3. Re:Why is this still going on? by Kijori · · Score: 1

      According to FireEye, they do indeed have an uninstall function, and their researchers could have issued it to 250,000 bots. They decided not to because they didn't want to make unauthorised changes to users' computers.

  45. Random or crashing? by mi · · Score: 2, Funny

    You see, Linux is the fix for the random crashing!

    Which part of "random crashing" is alleviated by Linux? The "random" or the "crashing"?

    --
    In Soviet Washington the swamp drains you.
    1. Re:Random or crashing? by X0563511 · · Score: 1

      Some days, I think you get to pick one.

      But that's only sometimes.

      Truth be told, the only problems I've ever had were directly my fault, and what I was doing was usually highly unusual or warned against.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:Random or crashing? by Air-conditioned+cowh · · Score: 1

      You see, Linux is the fix for the random crashing!

      Which part of "random crashing" is alleviated by Linux? The "random" or the "crashing"?

      With KDE 4.1 I'm getting "consistent crashing" :-

  46. didn't notice by slashdotard · · Score: 1

    Really? I hadn't noticed any change since McColo was taken out: Since the moment McColo was taken out, spam received jumped over tenfold. It's been steady since.

    --
    me. --a by-product of public education
    1. Re:didn't notice by gujo-odori · · Score: 1

      I work for one of the major anti-spam vendors, and our inbound volume dropped off by 75% within 24 hours of the McColo shutdown. Other sources in and out of the industry were reporting similar numbers.

      One effect seen pretty much everywhere as a result of the McColo shutdown was that while absolute spam volumes were down, efficacy against what was left dropped for everyone. This is because pretty much every one of those bots was on at least one blocklist and/or had a very poor reputation and would have a hard time delivering mail past any good filtering solution. When those bots all went away, spam that had to be filtered by other means increased as a percentage of spam, which lowered everyone's efficacy. Not day and night, of course, but enough for (all of) us to notice. Certainly nothing like a 10X decrease in efficacy.

      Your own tenfold increase is an interesting event; certainly an aberration and probably a coincidence. Are you at liberty to post any other info about that, such as how you're measuring it, where it's coming from, what kind of spam it is, etc.?

  47. Stupid question by nbauman · · Score: 1

    I'm a non-(computer) geek.

    Can somebody explain to me how I can tell if my computer is infected by a bot?

    Is there something that will tell me what's running in the background, so I can identify a bot spewing out spam from my system?

    (Yes, I promise to learn linux.)

    1. Re:Stupid question by erikina · · Score: 1

      There's a whole genre of software for it. But prevention is the best cure. Use the security features of your OS. If you're letting people (especially kids) use your machine, get them their own VM (preferably XP) and full screen it. If you're planning on learning about Linux security, get yourself a copy of Fedora and play (and learn) SELinux.

    2. Re:Stupid question by kegon · · Score: 1

      Yes, you know so little that your computer is unquestionably infected and is probably churning out millions of spam viagra emails in German as you read this.

      Here is the procedure you should follow:

      1. Disconnect your zombie computer from the internet (pull out the network cable, switch off wi-fi)
      2. Learn something about how computers connect to the internet, computer security and viruses
      3. Make sure your computer is clean and as secure as you can make it
      4. Reconnect to the internet

      If step 2 does not take you several weeks then you should start step 2 again.

    3. Re:Stupid question by sydneyfong · · Score: 1

      If you're talking about a spam bot, look for sustained unexplained internet traffic using the indicator lights on your modem. Spam bots usually use up a sizable chunk of your pipe to send spam, so it should be quite noticeable if you bothered to look.

      Otherwise, forget it. There are so many theoretical ways malicious code can reside and hide on your computer that unless you've built your computer from the ground up, using trusted parts from trusted vendors, and never connected to the internet, you don't know for sure.

      Between those two extremes there is lots of info out there, and it's rightly offtopic. Just STFW.

      --
      Don't quote me on this.
    4. Re:Stupid question by Kijori · · Score: 1

      They usually use a rootkit, which attempts to hide the activity from antivirus software; according to FireEye (the lab in the article), AV software detects these bots less than half the time. Still, it's worth using.

      If you're worried that you might be infected, the best thing to do would be to watch the traffic being sent by your PC, by logging the traffic on another box. Many routers can do this. If the traffic seems oddly high, you might have a problem. FireEye have made available examples of typical traffic from a variety of different bots, so you could try to identify the bot based on its traffic, although the binaries and commands are updated regularly.

      If you're worried that you have this specific bot, there are detection/removal instructions at http://blog.fireeye.com/research/2008/11/srizbi-removal-instructions.html . If you think you have a bot but can't work out what it is, your best bet may well be starting over. Some rootkits can attempt a reinstall even after a format, so take the opportunity to upgrade your hard disk. Install Windows (or Linux if you're so inclined) from scratch, and patch it before going online (you can download the patches on a different box, or they're frequently available on computer magazine cover discs). Keep your antivirus software up to date, use a firewall, hide behind a router, and never touch suspicious files, and hopefully you'll manage to avoid an infection.
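The advice in the two replies above, watching outbound traffic from another box, can be made concrete with a small fan-out check: a normal mail client relays everything through one or two servers, while a spam bot delivers straight to many recipients' mail hosts on port 25. This is an added example, not code from the thread or from FireEye; the flow-record format, thresholds and addresses are constructed assumptions, not any router's real export format.

```python
from collections import defaultdict

# Constructed flow-record format, one line per outbound flow:
#   "<epoch-seconds> <src-ip> <dst-ip> <dst-port> <bytes>"
# Real router/NetFlow exports look different; this parser is an assumption.


def parse_flows(lines):
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed or comment lines
        ts, src, dst, dport, nbytes = fields
        yield int(ts), src, dst, int(dport), int(nbytes)


def smtp_fanout(lines, window=60):
    """Per source host and per `window`-second bucket, count distinct remote
    hosts contacted on TCP/25 and bytes sent.
    Returns {src: {bucket_start: (distinct_peers, bytes)}}."""
    peers = defaultdict(lambda: defaultdict(set))
    sent = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, dport, nbytes in parse_flows(lines):
        if dport != 25:
            continue
        bucket = ts - ts % window
        peers[src][bucket].add(dst)
        sent[src][bucket] += nbytes
    return {src: {b: (len(peers[src][b]), sent[src][b]) for b in peers[src]}
            for src in peers}


def spam_bot_suspects(lines, window=60, min_peers=10):
    """Flag any source that reaches at least `min_peers` distinct hosts on
    port 25 inside a single window. Returns {src: (bucket_start, (peers, bytes))}
    for the worst window of each flagged host."""
    suspects = {}
    for src, buckets in smtp_fanout(lines, window).items():
        worst = max(buckets.items(), key=lambda kv: kv[1][0])
        if worst[1][0] >= min_peers:
            suspects[src] = worst
    return suspects


# Constructed sample: 192.168.1.20 hits 12 different hosts on port 25 within
# one minute (bot-like); 192.168.1.30 sends two messages through its ISP relay
# and does some HTTPS browsing (normal). BASE is aligned to a 60 s boundary.
BASE = 1227699960
SAMPLE_FLOWS = [f"{BASE + i} 192.168.1.20 203.0.113.{i + 1} 25 {1800 + i * 10}"
                for i in range(12)]
SAMPLE_FLOWS += [
    f"{BASE + 5} 192.168.1.30 198.51.100.7 25 4200",
    f"{BASE + 40} 192.168.1.30 198.51.100.7 25 3900",
    f"{BASE + 41} 192.168.1.30 198.51.100.80 443 65000",
    "garbage line that the parser must skip",
]


def demo():
    return spam_bot_suspects(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, (bucket, (peers, nbytes)) in demo().items():
        print(f"{src}: {peers} distinct SMTP peers, {nbytes} bytes in window {bucket}")
```

Sustained high volume alone is not proof, as the reply notes, but a single home PC opening SMTP sessions to dozens of different hosts per minute is exactly the pattern the filter vendors' blocklists react to.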

  48. Update by LackThereof · · Score: 4, Informative

    The Estonia-based Command and Control servers have been kicked offline.

    Only one server is still online, based in Frankfurt, Germany; name registered through the Cayman Islands.

    This is not the server that's hard-coded into the new Srizbi patch, just one of the backup servers supplying it.

    source

    --
    Legalize recreational marijuana. Seriously.
    1. Re:Update by Arancaytar · · Score: 1

      Hey, interesting; I live in Frankfurt. I wonder if it's anywhere close to me.

  49. In related news ... by PPH · · Score: 4, Funny

    ...the one remaining 4800 baud link between Estonia and the rest of the world was taken down earlier today when IT technicians took control of the phone line to order a pizza.

    --
    Have gnu, will travel.
    1. Re:In related news ... by tokul · · Score: 1

      the one remaining 4800 baud link

      You have confused Estonia with Elbonia or with your own basement.

  50. Linux on the botnet by troll8901 · · Score: 1

    Well, Linux's advantage is:

    • high availability (five 9's)
    • an uptime measured in years (minimum 5)
    • security problems patched quickly

    We don't really want the spammers to use Linux on their master control servers, do we?

  51. Not to worry... by deanston · · Score: 1

    I'm sure the new free security software in Windows 7 will take care of it.

  52. Hit them with their own methods by Anonymous Coward · · Score: 0

    Why don't we just strike back using their very own methods?

    It's now obvious how important those C&C centers are for them, so just initiate a global DDoS attack against those very systems (like the "Make Love Not Spam" screensaver a few years back), exactly like they do against their blackmail victims. Without C&C they can't even retaliate and if the method is repeated every time a new bot herd surfaces, they're effectively out of business. I have no problem with the collateral damage at those ISPs hosting the C&Cs because they just need to kick them out or stop taking them in to begin with.

  53. then doing nothing is a crime too by cheekyboy · · Score: 2, Interesting

    Surely doing nothing is just like knowing a criminal has done a crime without reporting it, so you are deemed an aid to the crime if you let it happen.

    Idiots.

    Just do it under the table from a netcafe, and no one will complain, really, no one will, no body, bloody no one!!! Those guys have NO balls.

    --
    Liberty freedom are no1, not dicks in suits.
  54. No surprise by shentino · · Score: 1

    Doesn't really surprise me after that massive burst of traffic to Russia.

    Probably the botnet fleeing a sinking ship so to speak.

    I'd like to wring the neck of whoever let McColo bail.

  55. Disaster Recovery Plan by Doctor+O · · Score: 1
    --
    Who is General Failure and why is he reading my hard disk?
  56. Broken security model by Anonymous Coward · · Score: 0

    Anything that spawns from here will be running as admin. That inheritance is part of the problem! The child processes should run at their own privilege level; they should not inherit additional privileges from their parent. The fact that this "windows trickery" works exposes the inverted security model: privileges should be granted explicitly and only as necessary, not applied by default. Microsoft has allowed, even encouraged, application coders to work around the OS security model since the days of PC-DOS (direct access to BIOS, bypassing the OS calls). That slippery slope has led to today's sad situation where user applications are expected to run with admin privileges.

  57. Re:What intrigues me... by Anonymous Coward · · Score: 0

    ..most is how efficiently the bad guys always work. It's just astounding.

    Life is (was) easy without (before) Oracle|SAP, Basel II, Sarbanes-Oxley, customer care, six-sigma, IRR justifications, KPIs, SLAs, business reviews, A/R overdues analysis, inventory checks, capex approval requests...

  58. What we need... by Anonymous Coward · · Score: 0

    is universal health care for PCs. But that'll probably come after the one for people.

  59. The road to profit by Anonymous Coward · · Score: 0

    1. Wait for a botnet's admins to get busted
    2. Hack the botnet, take control
    3. Shoot out spam like mad
    4. Profit!!!