Slashdot Mirror


New Massive Botnet Building On Windows Hole

CWmike writes "The worm exploiting a critical Windows bug that Microsoft patched with an emergency fix in late October is now being used to build a fast-growing botnet, said Ivan Macalintal, a senior research engineer with Trend Micro. Dubbed 'Downad.a' by Trend (and 'Conficker.a' by Microsoft and 'Downadup' by Symantec), the worm is a key component in a massive new botnet that a new criminal element, not associated with McColo, is creating. 'We think 500,000 is a ballpark figure,' said Macalintal when asked the size of the new botnet. 'That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's... starting to grow.'"


  1. It would be so easy. by Surreal+Puppet · · Score: 5, Interesting

    Every time I see one of these high-yield Windows remote execution holes, I'm tempted to couple a timed network-stack-erasing payload to it (24 hours should be enough for it to be able to infect through VPN-connected laptops and such) and send it cracking. Then I always begin to wonder why this hasn't been done already; is the combination of narcissistic recklessness and technical competence really that rare? It could be argued that it's more fun to play pranks and infiltrate corporate and government networks, but we don't even see things like that (I know it was more common up to the early 90s, when the "criminal prankster hacker scene" still existed outside of small tight groups...). Or do people just cover it up? You sysadmins out there, have you ever had anything like that happen to you, or anyone you know?

    1. Re:It would be so easy. by Anonymous Coward · · Score: 5, Interesting

      Welcome to the 21st century.

      Unlike the 90s, viruses aren't typically coded for the purpose of doing as much damage as possible. Between eBay, PayPal, Amazon, and the other major e-commerce sites, the internet is now worth hundreds of billions - even trillions - of dollars every year. Dollars that would be lost if it went down or that can be stolen by the boatload. By and large, the motive for hacking - including the use of botnets - is all money driven these days. The two most common attack vectors are to either hold a site for ransom, threatening to take it offline via a Denial of Service attack if a certain amount is not paid, or to simply use the masses of drones to slow down anti-phishing efforts by distributing the fake page across hundreds of bots (after all, you can run a web server using 500k of RAM and 200k of disk space, plus space for the pages, i.e. a PayPal clone takes up about 5MB on a drone.)

      Judging by the size of this one, I'm going to guess its use will be the former rather than the latter. 500,000 bots, all launched, say, the week of Christmas, would do a LOT of damage. Many of those systems will be corporate boxes and nobody will be sitting at them to monitor or notice anything, meanwhile a site that offers "last minute" shipping could be taken offline at the...well...last minute, costing them billions in lost sales. $10 mil would be a small price to pay to avoid that.

      So yeah, it was more common in the 90s, but hacking solely to cause damage isn't something done any more. At all. The only people doing that would be, for example, if the Chinese were trying to crack a US State Department or Pentagon system (using the drones for brute force remote login attacks). That happens, but even there, the intent isn't to harm the systems, but merely to gain a valid login so you can steal information. This goes on in the corporate world too. After all, don't you think Ford would be willing to cough up $2 mil if someone could hand them a copy of Toyota's future business plan right now?

      It's not so much that there aren't people who want to "just cause damage" but rather that those people grew up and realized they could make a lot of money by NOT damaging the systems. They needed jobs and there aren't a lot of positions available for someone with a skill set that includes brute forcing SSH logins. The generation that has come since them, mine (I'm 21, but I have friends who are 18 and 19, and we see each other as about the same), doesn't generally possess the level of skill of those who came before us. Sure, I can crack SSH and brute force NT hashes with the best of them, but if you sit me and my 60 year old uncle both in front of a binary disassembler only he will know what he's doing, and finding the kind of flaw needed to make this massive botnet will require a very intimate knowledge of one.

      Sorry, the script kiddies that bring the world to its knees have grown up and they refuse to work without pay.

    2. Re:It would be so easy. by trawg · · Score: 2, Interesting

      Many of those systems will be corporate boxes and nobody will be sitting at them to monitor or notice anything, meanwhile a site that offers "last minute" shipping could be taken offline at the...well...last minute, costing them billions in lost sales. $10 mil would be a small price to pay to avoid that.

      Question: I'm not too savvy with the intricacies of DNS, but - could an organisation that was threatened with such a blackmail attempt do something like this:

      1) duplicate your web infrastructure on a number of different networks
      2) lower the TTL on your DNS records to something more responsive
      3) /if/ you are attacked, update DNS records to point to your alternate hosting (..repeat as necessary until you run out of sites or they give up)

      This is under the assumption that such an attack once launched would be hard to stop and/or redirect, which is quite probably not the case, I guess.

  2. There's no profit it in. by khasim · · Score: 5, Interesting

    Then I always begin to wonder why this hasn't been done already; is the combination of narcissistic recklessness and technical competence really that rare?

    Pretty much. The closest was the "I Luv U" email which overwrote media files.

    Since then, it's all about profit. Why destroy a computer when you can use it to send spam?

    If you want to be really cruel, your "virus" would randomly alter a few numbers on any Excel spreadsheet it could access.

  3. Re:Idiots by Anonymous Coward · · Score: 0, Interesting

    What about all the users that never, you know, bought the software? Or those who installed Windows Genuine Advantage and now have a black background and MS watermark?

    Nooo, you must be an idiot if auto update, windows firewall or #insert service name here# isn't started at boot. Only possible explanation.

  4. Dial up users. by aywwts4 · · Score: 5, Interesting

    Indeed, my father-in-law is stuck on dialup, and wondered why his computer was so slow. (I hadn't been supporting him previously, so I didn't look at his patch status.) A quick speedtest (20 minutes later) showed he was downloading at less than a kilobyte per second.

    That's when I noticed it was downloading SP2 every single time he connected to check his mail. It has probably been downloading SP2 since it came out, years prior.

    I think he was almost 70% complete with SP2; it probably would have been done in another year of intermittent use, but not before SP3 came out ;)

    I now give him service packs on CDs.

    --
    Web Developers: Celebrate our roots! Animated GIFs and Tiled Backgrounds, don't let our history die!

  5. Re:Idiots by Architect_sasyr · · Score: 5, Interesting

    Whilst I happen to be highly entertained by your idea about GA I should like to recount a little story:

    Fully registered and licensed domain of XP machines (~60 or so). Update Windows Genuine Advantage. 58 of them claim to be pirated and cease to work at any level that can be considered acceptable for a corporation.

    Stories like that are why people complain about GA.

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...

  6. Wouldn't it be nice by Smuttley · · Score: 2, Interesting

    if the people writing exploits for these security holes wrote a worm that once it had got onto a computer patched the exploit and then detached?

    You could call it Good Samaritan Computing or something ;)

  7. How Do They Survive? by Bob9113 · · Score: 3, Interesting

    I'm curious - how do infected computers survive on the Internet?

    We have legions of honeypots for the detection of infected hosts (not to mention the likes of GMail). ISPs have been qqing about bandwidth - surely bandwidth consumed by infection is the most loathsome waste.

    Why don't ISPs have a takedown system? They could restrict who they trust - perhaps only Symantec and McAfee, maybe Hotmail, Yahoo, and GMail as well. They could do a limited takedown of outbound email only, adding a message to the customer's email account. Perhaps have an HTTP interceptor display a page with links to tools for system cleaning, maybe commercial products if they feel the defense of their corner of the net is not sufficient recompense.

    OK, I can dig the risk of inappropriate takedowns - but we run that risk non-stop with the DMCA for a heckuva lot less tangible benefit.

    Expense? I'm sure we could get a few dozen folks together to write the software.

    Customer experience? Really now - if my Mom's computer was infected and her ISP told her, and gave her links to fix it, she'd love it.

    Inability to trust the router droppings? Half the Internet connections in the world are probably covered by a couple dozen ISPs - start with trusting only those router entries.

    So - what am I missing?

    1. Re:How Do They Survive? by ko10ha · · Score: 2, Interesting

      > Why don't ISPs have a takedown system?
      My ISP does. It took me down within hours when I let a friend connect his laptop to my network. He had a problem with his computer, he told me. That proved correct - it was spamming like mad. But his own - cheapish - ISP did not take him down. So perhaps only solid and more expensive ISPs have a takedown system.

  8. Re:Idiots by mixmatch · · Score: 5, Interesting

    Why should corporate customers have to call up Microsoft every time they fuck up Genuine Advantage? Activation/IP protection schemes are hugely hated for the very reason that they don't bother the pirates but they do hassle the paying customers. It's great that you have time to play around on your pirated laptop copy, but come back when you have a bottom line to worry about.

  9. Re:Idiots by aliquis · · Score: 3, Interesting

    Except in OS X it downloads the updates and tells you that they are downloaded, informs you if any of them will require a reboot, and lets you check the ones not requiring it, all of them and reboot, or not care at all and it won't bother you until next week or something such. (Or if you decide to do it manually.)

    In XP however it will tell you that they are downloaded and ask you if you want to reboot to install them EVERY FIFTH MINUTE. Even if you tell the OS you don't give a shit and don't want to reboot.

    I don't like that OS X installers requiring a reboot remain running until you press reboot in them, however. I'd rather just choose "I don't want to reboot now" and have them do their thing the next time I choose to reboot.