New Massive Botnet Building On Windows Hole
CWmike writes "The worm exploiting a critical Windows bug that Microsoft patched with an emergency fix in late October is now being used to build a fast-growing botnet, said Ivan Macalintal, a senior research engineer with Trend Micro. Dubbed 'Downad.a' by Trend (and 'Conficker.a' by Microsoft and 'Downadup' by Symantec), the worm is a key component in a massive new botnet that a new criminal element, not associated with McColo, is creating. 'We think 500,000 is a ballpark figure,' said Macalintal when asked the size of the new botnet. 'That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's... starting to grow.'"
It's time MS write botnets to exploit their own holes as means for patching said hole. Who gives a shit about the ethics of it, we are losing.
ISPs need to be more vigilant as well. Cut off subscribers ASAP when their machine begins sending botnet traffic.
Auto-update is really annoying, especially if you don't have a very good connection. It's one of the first things I disable when I do a fresh install of XP.
Three words:
Incompetent IT Department.
Here, let me turn it back on for you. There. Don't bother thanking me, I've already debited your bank account for my time.
Every time I see one of these high-yield Windows remote execution holes, I'm tempted to couple a timed network-stack-erasing payload to it (24 hours should be enough for it to be able to infect through VPN-connected laptops and such) and send it cracking. Then I always begin to wonder why this hasn't been done already; is the combination of narcissistic recklessness and technical competence really that rare? It could be argued that it's more fun to play pranks and infiltrate corporate and government networks, but we don't even see things like that (I know it was more common up to the early 90s, when the "criminal prankster hacker scene" still existed outside of small tight groups...)? Or do people just cover it up? You sysadmins out there, have you ever had anything like that happen to you, or anyone you know?
I would imagine that most pirated copies of Windows wouldn't use auto-update; you don't want your pirated OS contacting the developer whenever it feels like.
-- Sex is the antonym of pringles. Once you pop it's time to stop.
Pretty much. The closest was the "I Luv U" email which overwrote media files.
Since then, it's all about profit. Why destroy a computer when you can use it to send spam?
If you want to be really cruel, your "virus" would randomly alter a few numbers on any Excel spreadsheet it could access.
Wait, wait, but then you do complain when a patch does not get installed and your system is compromised and it's all MSFT's fault... right, right? Am I right?
What did I win?
I believe that MS actually does provide security updates for systems that do not pass WGA.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
Reminds me of an ancient joke:
Windows is the same as whores: they both have massive holes and are full of viruses.
Just wonder why there are so many anonymous cowards in this world....
Do you want a larger, firmer botnet? One that all the ladies will love and other guys will envy? Here's how to enlarge your botnet quickly and easily.
If your botnet stays up for 6 hours or longer, please seek the help of a physician.
Have gnu, will travel.
I own a legit copy of XP Pro and it bothers me how frequently MSFT releases that Genuine Advantage garbage. If only they put that kind of enthusiasm into the rest of their products.
Indeed, my father-in-law is stuck on dialup, and wondered why his computer was so slow. (I hadn't been supporting him previously, so I didn't look at his patch status.) A quick speedtest (20 minutes later) showed he was downloading at less than a kilobyte per second.
That's when I noticed it was downloading SP2 every single time he connected to check his mail. It has probably been downloading SP2 since it came out, years prior.
I think he was almost 70% complete with SP2; it probably would have been done in another year of intermittent use, but not before SP3 came out ;)
I now give him service packs on CDs.
Web Developers: Celebrate our roots! Animated GIFs and tiled backgrounds, don't let our history die!
Systems that do not pass WGA are only allowed access to "critical" updates.
Auto-update is really annoying, especially if you don't have a very good connection. It's one of the first things I disable when I do a fresh install of XP.
Not sure why this was modded funny, as this seems to be far and away the predominant mentality of Windows users...
http://www.zombieapocalypse.tv/
Which this particular patch qualifies as.
"Some think they know better what updates to install than Microsoft suggests."
When updates stop breaking other software, and Microsoft stop bundling DRM as 'critical updates', then I suspect people will start trusting Microsoft to tell them what updates to install.
Personally I like to see what Microsoft are doing to my computer before I install it.
Auto-update works if you have a legitimate copy of Windows, and there are plenty of people using pirated copies of Windows which do not qualify for the "genuine advantage" required by Windows Update.
If someone is already using a pirated copy of Windows as their desktop OS, then they probably wouldn't have a problem running a pirated copy of Windows 2003, either.
In which case, they can then download Windows Server Update Services which doesn't require WGA to download. After installing WSUS on Win2K3, they can configure it to only download updates matching the pirated MS software they have, and then individually approve or reject updates. They would then configure all the systems to retrieve the approved updates from the WSUS server.
By doing this, every update is available, and WGA is never installed on any of the systems.
You're just an idiot then. You don't need to click on FREEREGISTRYSCANNER or anything like that to get infected. In fact you can click on a link that you click everyday and get infected. The best you can do is stay up-to-date and pray for no 0 day exploits.
Time makes more converts than reason
If you buy a gun, and leave it sitting in your front garden, then some criminals come along, take control of it, and kill everyone in your street, you're kind of responsible for that.
Apart from the obvious killing != spam and/or fraud, how is leaving an unprotected OS with known problems available to be hijacked by anyone who wants to do damage with it any different? You should still be responsible (although the punishment might be different). Suppliers should be forced to make this obvious to people buying this stuff.
Follow me
That's not true, systems will still get access to the "recommended" updates as well if Auto-Update is set. I don't understand it myself as the same updates can't be accessed without validating, but they appear fine if you have it set to automatic (and don't use the windows update website).
I don't know why people complain about Genuine Advantage. If you buy the software it is unlocked. If you pirate it it will still work, even though it knows it is pirated, but it won't work 100%. I.e. pirate copies are partially locked.
Genuine Advantage would be better if they had a sense of humour about it. Like instead of black-screening pirate copies they could shrink the desktop slowly, surround it with a dirty border and have photorealistic DirectX 10 cockroaches in the border. When you unlocked the workstation they'd scatter, but you'd still see the odd leg or antenna poking out from the edge of the monitor. Every so often one would run across the screen when you were hard at work. Hell, maybe you'd let people crush them with the mouse pointer, but it would leave a nasty yellow blob on the screen. The longer you held out against buying a license, the more bold the roaches would become, and the more hit points they would have.
Essentially Microsoft discovered a way to make people RAGE! by accident with Clippy. They should put that knowledge to use annoying pirates and making everyone else laugh at them. Most people have a fear of being mocked for being cheap; they should put that fear to use.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
I use Norton, McAfee and AVG Grisoft all at once, oh wait, never mind. I don't use Windows anymore.
Oh Crap, I'm an optimist.....
Whilst I happen to be highly entertained by your idea about GA I should like to recount a little story:
Fully registered and licensed domain of XP machines (~60 or so). Update Windows Genuine Advantage. 58 of them claim to be pirated and cease to work at any level that can be considered acceptable for a corporation.
Stories like that are why people complain about GA.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
I don't get viruses because I'm not a wintard who opens any FREEREGISTRYSCANNER ad they see.
I've been running Windows XP without firewalls/AV for like four years now. Every 6 months or so I scan for viruses, rootkits, trojans, and adware, and I've yet to come up with anything.
Well of course if you have a rootkit, scanning for rootkits will show clean. That's how they work.
A rootkit modifies the kernel so that it intercepts all API calls, including the read() functions your scanner is using, and feeds back false info such as directory listings omitting the rootkit's files; if one tries to open one of its files by name, the open() call, now controlled by the rootkit, returns a "no such file" error.
You no doubt have a home router that does a form of NAT, which acts as a firewall for all intents and purposes for incoming connections, so your statement about not running a firewall is false.
At least I hope so, else you have been rooted 10 minutes after connecting your computer to the internet. Sadly, your description fits the profile of someone who is infected and doesn't even know it because it has been that way since day one it went online.
Yeah, he would have to patch everything within 4 minutes to not have an infection.
If I have nothing to hide, don't search me
If the people writing exploits for these security holes wrote a worm that, once it had got onto a computer, patched the exploit and then detached?
You could call it Good Samaritan Computing or something ;)
"Botnets, spammer's botnets!
What kind of boxes are on botnets?
Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!
Are boxes, found on botnets.
All running Windows, FOO!"
I'm running Mac OS X 10.5.5, here.
Why, yes. I AM a smug bastard!
Thanks for asking.
Guaranteed! This comment 100% Anthrax free!
I'm curious - how do infected computers survive on the Internet?
We have legions of honeypots for the detection of infected hosts (not to mention the likes of GMail). ISPs have been qqing about bandwidth - surely bandwidth consumed by infection is the most loathsome waste.
Why don't ISPs have a takedown system? They could restrict who they trust - perhaps only Symantec and McAfee, maybe Hotmail, Yahoo, and GMail as well. They could do a limited takedown of outbound email only, adding a message to the customer's email account. Perhaps have an HTTP interceptor display a page with links to tools for system cleaning, maybe commercial products if they feel the defense of their corner of the net is not sufficient recompense.
OK, I can dig the risk of inappropriate takedowns - but we run that risk non-stop with the DMCA for a heckuva lot less tangible benefit.
Expense? I'm sure we could get a few dozen folks together to write the software.
Customer experience? Really now - if my Mom's computer was infected and her ISP told her, and gave her links to fix it, she'd love it.
Inability to trust the router droppings? Half the Internet connections in the world are probably covered by a couple dozen ISPs - start with trusting only those router entries.
So - what am I missing?
Stop-Prism.org: Opt Out of Surveillance
On machines that fail WGA, Auto-update functions fine; manually updating from the Microsoft website is disabled.
However, XP's autoupdate is not particularly reliable with service packs. It's more likely to sit in the tray saying "click here to install SP2" than actually install itself, even if the machine is set to "Automatically download and install updates". And users always ignore tray warnings; it's just another bubble between Weatherbug and VirusProtectPro.
Legalize recreational marijuana. Seriously.
Why should corporate customers have to call up Microsoft every time they fuck up Genuine Advantage? Activation/IP protection schemes are hugely hated for the very reason that they don't bother the pirates but they do hassle the paying customers. It's great that you have time to play around on your pirated laptop copy, but come back when you have a bottom line to worry about.
Not at all:
- install XP with network unplugged
- turn on firewall
- plug in network
XP didn't come with a firewall. You had to upgrade to SP2 (IIRC) to get the Windows firewall. Granted, if you bought XP after SP2 was released you'd have the firewall, otherwise you can potentially get infected very quickly... way before you get the chance to download SP2 and enable the firewall.
Find out if your credit card number has been stolen on the Internet!
CC # __________________ Expiration date __/__
I see that you have already been (correctly) moderated as troll.
But anyway, for your information, those systems aren't without exploitable bugs either. I would assume that OS X is especially risky since it might have a more standard collection of software, and Apple bundles a bunch of security upgrades at the same time instead of sending them out as soon as there is an issue.
I won't say that I'd rather trust Microsoft getting updates out in time than Apple, because then I too will be moderated troll, but well, let's just say neither of them are perfect.
Regarding BSD and Linux it will to a big extent depend on what software you have installed.
Except in OS X it downloads the updates and tells you that they are downloaded, informs you if any of them will require a reboot, and lets you check the ones not requiring it, all of them and reboot, or not care at all and it won't bother you until next week or something such. (Or if you decide to do it manually.)
In XP however it will tell you that they are downloaded and ask you if you want to reboot to install them EVERY FIFTH MINUTE. Even if you tell the OS you don't give a shit and don't want to reboot.
I don't like that OS X installers requiring a reboot remain running until you press reboot in them, however. I'd rather just choose "I don't want to reboot now" and have them do their thing the next time I choose to reboot.
One of the things that drove our household completely away from Windows is that as three of my daughters one-by-one traipsed through their college years, every few months (sometimes weeks or days) I'd have to fix their oft' gunked, crippled, or pwnd computers. The first and most common problem I'd have to confront would be the tons of adware slowing their system to a crawl, which at some point killed or subverted the antivirus software (evidently the preferred collegiate attack vector). Then, about the second really bad incident, one usually involving the appearance of a mysterious new admin account with theirs eerily downgraded. My epiphany at some point was that the registry is actually a giant Petri dish for malware spores. Anyway, once so totally pwnd, the only sure-fire cure would be to reload Windows from their OEM disks. About the second or third time this occurred, MS would reject the **always legal** reinstall as not "genuine." As my last raw nerve snapped at the insanity of it all, my solution would ultimately be to slick their drives and install Linux. This would carry them safely through their Junior and Senior years. However, when it came time for them to replace their computers following graduation, they all ended up buying Macs. Problem solved either way.
Rootkits are not undetectable. Though in theory they can be, in practice fully scrubbing the files from all file request APIs can be difficult. Most scanners will use the high-level APIs (which are most likely to be manipulated by rootkits) as well as a low-level API (such as undocumented kernel functions or even direct hard drive access) which is far more difficult for the rootkit to manipulate... then they compare the results of the two scans. Any discrepancies are reported to the user as possible rootkits. MS hides some system-critical files from normal viewing, even if you choose to show system and hidden files, such as the master file table:
C:\>dir $*
Volume in drive C is Windows XP
Volume Serial Number is DEAD-BEEF
Directory of C:\
File Not Found
C:\>type nonexistantfile
The system cannot find the file specified.
C:\>type $MFT
Access is denied.
(Yes that is my real volume serial number. No it wasn't like that when I got it, I changed it.)
These files are small in number and so are hard-coded into most rootkit scanners as names to ignore. Other legitimate reasons for discrepancies can be attributed to files being created or deleted between the two scans. Anything that's left can be Googled or otherwise analyzed to determine if it is a rootkit.
Of course an even easier way to find rootkits is to boot from a known rootkit-free environment (BartPE, Linux LiveCD) and run a scan on the suspected rootkit-infected volume.
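The cross-view technique described in this comment (and the API-hooking behaviour described in the earlier rootkit comment) as an added, simulated example; this is illustration code, not anything posted in the thread or shipped by any scanner. The two listing functions, the volume contents, the "hidedrv" prefix and the temp-file name are all constructed stand-ins: high_level_listing() plays the documented directory API that a rootkit can hook, low_level_listing() plays a raw-volume read that bypasses it, and the scanner allowlists the NTFS metafiles ($MFT and friends) that a clean system hides anyway. It also takes two rounds of snapshots so that a file created between the two scans of one round is not reported.

```python
"""Cross-view rootkit detection, simulated.

Everything here is a stand-in for real Windows calls. The point is the
comparison logic: names that the raw view sees but the documented view does
not, minus names the OS legitimately hides, minus names that only differed
because a file was created between two scans.
"""

# NTFS metafiles that a legitimate system hides from the documented API
# (the $MFT "Access is denied" case above, plus the other reserved names).
KNOWN_HIDDEN = frozenset({
    "$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef", "$Bitmap",
    "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend",
})

# Constructed volume contents for the simulation (not a real machine).
DISK_ROUND1 = frozenset({"ntldr", "boot.ini", "pagefile.sys",
                         "$MFT", "$LogFile", "hidedrv.sys"})
# A temp file appears between the first high-level and first low-level scan.
DISK_ROUND2 = DISK_ROUND1 | {"~df1234.tmp"}

# Hypothetical: the simulated hook drops any name with this prefix, i.e. the
# "directory listing omitting the rootkit's files" behaviour from the thread.
ROOTKIT_HIDES_PREFIX = "hidedrv"


def high_level_listing(disk, hooked=True):
    """Simulated documented directory API: the OS hides $-metafiles, and a
    hooked API additionally filters out the rootkit's own files."""
    names = {n for n in disk if not n.startswith("$")}
    if hooked:
        names = {n for n in names if not n.startswith(ROOTKIT_HIDES_PREFIX)}
    return names


def low_level_listing(disk):
    """Simulated raw-volume read: returns everything that is really there."""
    return set(disk)


def cross_view_diff(high, low):
    """Names the low-level read sees that the high-level listing omits,
    after discarding the legitimately hidden metafiles."""
    return set(low) - set(high) - KNOWN_HIDDEN


def find_hidden(rounds):
    """rounds: (high_view, low_view) pairs taken in sequence.
    A name is reported only if it is hidden in every round, which drops
    files that merely appeared between the two scans of a single round."""
    suspects = None
    for high, low in rounds:
        diff = cross_view_diff(high, low)
        suspects = diff if suspects is None else suspects & diff
    return sorted(suspects or ())


def scan_demo(hooked=True):
    """Two rounds against the constructed volume; returns the suspect names.
    In round 1 the temp file is created after the high-level scan, so a
    single-round comparison would wrongly flag it."""
    round1 = (high_level_listing(DISK_ROUND1, hooked), low_level_listing(DISK_ROUND2))
    round2 = (high_level_listing(DISK_ROUND2, hooked), low_level_listing(DISK_ROUND2))
    return find_hidden([round1, round2])


if __name__ == "__main__":
    print("hooked system:", scan_demo(hooked=True))   # ['hidedrv.sys']
    print("clean system :", scan_demo(hooked=False))  # []
```

On a real machine the second view would come from something the hook cannot reach (the comment mentions undocumented kernel functions or direct disk access, or a scan from a boot CD); the allowlist and the multi-round intersection are what keep the diff from drowning in false positives.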