Slashdot Mirror


New Mega-Botnet Discovered

yahoi writes "According to the DarkReading article, 'Researchers have discovered a major botnet operating out of the Ukraine that has infected 1.9 million machines, including large corporate and government PCs mainly in the US. The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains — 51 of which are in the US government. Researchers from Finjan who found the botnet say it's controlled by six individuals, and includes machines in major banks.'"

29 of 257 comments

  1. Can Help? by arizwebfoot · · Score: 5, Funny

    Can they fix the government? Infect AIG and get our money back?

    Maybe this isn't such a bad thing after all.

    --
    Beer is proof that God loves us and wants us to be happy.
    1. Re:Can Help? by PotatoFarmer · · Score: 4, Insightful

      > So true. And so uncalled for here. Because surfing legitimate sites and catching a trojan is nothing that network security can do about.

      How so? Network security in this context doesn't mean setting up a firewall and calling it a day, it means layered security of the entire network, including all the devices attached to it.

      In the case of a trojan payload, properly patched machines along with restricted user accounts help quite a bit.

    2. Re:Can Help? by LostCluster · · Score: 4, Insightful

      Maybe it's unavoidable that when you let people download, they may get fooled. However, noticing you've got a botnet on your network is Network Security's job.

    3. Re:Can Help? by thePowerOfGrayskull · · Score: 4, Insightful

      > In the case of a trojan payload, properly patched machines along with restricted user accounts help quite a bit.

      So why does the XP installer first create an Administrator account and then prompt you to create a "user" account, which ALSO has (to have) administrative access??

      There's a few million infections right there...

      We're not talking about home users, we're talking about sys admins who should know better than to allow this when they configure users in their domains; and when they mass-prepare their workstation images.

    4. Re:Can Help? by pwizard2 · · Score: 4, Insightful

      Although Linux is better than most systems out there and is resistant to the various drive-by attack methods, nothing is completely impervious to malware. Linux can still get hit with a trojan if the user can be tricked into installing a tainted package as root.

      --
      "It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
    5. Re:Can Help? by maxume · · Score: 4, Insightful

      Required for what exactly? There are probably government computers that legitimately need access to the internets.

      --
      Nerd rage is the funniest rage.
    6. Re:Can Help? by dimeglio · · Score: 4, Informative

      > Why would a competent sysadmin even design a network hooked to the general internet to begin with if security is an absolute must?

      ... maybe because of Internet banking? Risk, cost or convenience, pick two.

      --
      Views expressed do not necessarily reflect those of the author.
    7. Re:Can Help? by Anonymous Coward · · Score: 5, Interesting

      > Maybe it'll finally open the government's eyes to protecting their networks.

      Oh, they realize it. There is a big push to have a standard secure desktop on all of the Feds' computers. The standard is good. It does everything that you'd expect for a secure desktop. Restriction of services and admin accounts, and blocking ActiveX controls. Lock down the ability to connect to Windows shares willy-nilly. Make sure that all the patches to software are installed in a timely fashion. (i.e. Conficker should not be infecting Federal machines; if they were following these guidelines, they would have had the patch deployed in 10 days.) And the best part is (in theory anyway, I have yet to see it actually happen) that if a software vendor wants to be on GSA, they need to certify that their application can run without admin rights. And if they don't, they need to document exactly why.

      The problem? It was supposed to be implemented February of 2008. And outside of a few big pilot programs, nobody has the thing 100% implemented yet.

      Part of the problem is that if you implement everything, you're practically guaranteed to not be able to work in your environment, so one must find and document the exceptions. If you have a crappy network/desktop practices to begin with, you'll be screwed in your deployment. Our practices were good to begin with, scoring 80% compliance, and it didn't take much to get to 90%, but that last 3% to be in the green is proving to be a killer.

      > There are some exceptional sysadmins out there, but they are often hogtied by anti-security regulations and expectations.

      The regulations generally aren't the problem (though just last month it was announced that Entrust encrypted email is no longer acceptable to send PII through. You have to use an encrypted USB thumbdrive. And not just any drive, a Kangaroo drive. No BlackBox Data Travellers, no IronKeys, just these colorful Kangaroo drives, so sometimes the regs don't make sense), it's the expectations. I'm always told that "The company (I work for a subcontractor to the feds) will do everything that they can to make sure that we meet Cyber's needs". Which is great until somebody with enough political clout is inconvenienced. Fortunately, this is becoming more and more rare, as the Feds have been backing our decisions.

      Support from software vendors also sucks: "It works for us, why don't you give them admin rights, that'll fix it?" Uh, not just no, HELL NO.

    8. Re:Can Help? by steveb3210 · · Score: 5, Insightful

      Cue the response of the typical /. user:

      "I use linux and firefox and noscript and noflash and adblock plus.... so therefore I should be able to surf ANY site I want to..."

      Too bad you forgot to turn off images and just got pwned by the 0-day buffer overflow the hackers discovered in libjpeg.

    9. Re:Can Help? by Daengbo · · Score: 5, Funny

      Lynx to the rescue! Lynx should be the only browser allowed on secure networks. Hehe.

    10. Re:Can Help? by steveb3210 · · Score: 5, Funny

      > Lynx to the rescue! Lynx should be the only browser allowed on secure networks. Hehe.

      Too bad you just got owned by the buffer overflow the hackers found in the VT100 emulator library.

    11. Re:Can Help? by Bigjeff5 · · Score: 5, Insightful

      Ever notice that 99% of trojan and virus attacks require user intervention?

      Social Engineering is the primary attack risk to a computer network once basic protection measures are taken (firewall, AV, and current updates), because users are the primary vulnerability. That's why it is usually worth the trouble to simply give the user bare minimum rights to their machines. It helps limit the damage they can cause.

      This is, however, inconvenient, and so is not done universally. There are even reasons not to do it that are sound, though requiring any kind of security generally makes low user rights a necessity.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    12. Re:Can Help? by Mia'cova · · Score: 4, Funny

      Wow! I'm glad I have Windows!

    13. Re:Can Help? by speculatrix · · Score: 4, Interesting

      Actually, computers can be made much more robust to viruses and trojans; however, there are fundamental problems with the x86 architecture and the way we program that are hard to overcome.

      Let me take you back in time to when most computers were embedded systems. The program ran from ROM (or EEPROM) and could not be changed at all without physically switching out the non-volatile memory - in-system programming was a rarity. Moreover, many processor architectures had entirely separate executable and data spaces - you couldn't actually write to the executable memory, so even if it was flash or battery-backed static RAM, it wouldn't work. Thus no matter how corrupt the data became, it could only crash the software or make it misbehave; to restore operation you'd simply reset the CPU and everything would return to normal!

      In contrast, the x86 usually boots the OS into RAM, even shadowing the BIOS into RAM (because it's faster), and it's possible to scribble all over executable code space - the obvious example being to overflow stack space to execute unauthorised code. The NX bit was added relatively recently to ameliorate these problems.

      SPARC architecture has been more resilient to attack too, partly because of its relative obscurity, but mainly due to its relative immunity to stack smashing.
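Added example, not code from the thread or from the DarkReading article: a small, deterministic model of the "scribble over adjacent memory" problem speculatrix describes above. A fixed-size buffer sits next to data that decides what the program does next; copying attacker-controlled input without a length check overwrites it, while the hardened copy refuses oversized input. The struct, the function names and the two sample inputs are this example's own. The struct stands in for a stack frame (on a real frame the victim would be the saved return address), because frame layout is compiler-specific and a struct keeps the demonstration reproducible. Note the caveat for the NX discussion: NX stops injected bytes from being executed, but it does nothing against a data-only overwrite like this one, where the attacker only needs to change a value the existing code already trusts.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8

/* Stand-in for a stack frame: a fixed buffer immediately followed by
 * data that steers the program (a privilege flag here; the saved return
 * address in a real frame). Example-only type, not from the article. */
typedef struct {
    char name[NAME_LEN];
    int  is_admin;
} session_t;

/* Unsafe copy: trusts the caller's length, as strcpy()/gets()-style code
 * does. Writing through an unsigned char* over the whole object is
 * well-defined C, so the overflow lands in is_admin deterministically
 * instead of depending on how the compiler laid out the stack. */
static void copy_name_unsafe(session_t *s, const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)s + offsetof(session_t, name);
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];            /* i is never checked against NAME_LEN */
}

/* Hardened copy: reject anything that does not fit with its terminator.
 * Returns 0 on success, -1 if the input was rejected (nothing written). */
static int copy_name_safe(session_t *s, const unsigned char *src, size_t len)
{
    if (len >= sizeof s->name)
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Constructed inputs (this example's own): a benign 5-byte name and a
 * 12-byte payload whose last four bytes spill past name[] into is_admin. */
static const unsigned char BENIGN[]  = { 'a', 'l', 'i', 'c', 'e' };
static const unsigned char PAYLOAD[] = { 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
                                         1, 0, 0, 0 };

/* 1 if the unsafe copy of the given input flipped is_admin, else 0. */
int unsafe_copy_sets_admin(const unsigned char *src, size_t len)
{
    session_t s = { {0}, 0 };
    copy_name_unsafe(&s, src, len);
    return s.is_admin != 0;
}

/* 1 if the hardened copy rejected PAYLOAD and left is_admin untouched. */
int safe_copy_rejects_payload(void)
{
    session_t s = { {0}, 0 };
    int rc = copy_name_safe(&s, PAYLOAD, sizeof PAYLOAD);
    return rc == -1 && s.is_admin == 0;
}

/* 1 if the hardened copy accepted BENIGN intact with is_admin still 0. */
int safe_copy_accepts_benign(void)
{
    session_t s = { {0}, 0 };
    int rc = copy_name_safe(&s, BENIGN, sizeof BENIGN);
    return rc == 0 && strcmp(s.name, "alice") == 0 && s.is_admin == 0;
}

int main(void)
{
    printf("unsafe copy, benign input : is_admin flipped = %d\n",
           unsafe_copy_sets_admin(BENIGN, sizeof BENIGN));
    printf("unsafe copy, 12-byte input: is_admin flipped = %d\n",
           unsafe_copy_sets_admin(PAYLOAD, sizeof PAYLOAD));
    printf("safe copy rejects payload : %d\n", safe_copy_rejects_payload());
    printf("safe copy accepts benign  : %d\n", safe_copy_accepts_benign());
    return 0;
}
```

The only difference between the two copies is the `len >= sizeof s->name` check; everything the attacker gains in the unsafe path comes from the missing bound, not from any executable memory, which is why a length check (or a bounds-checked API) is the fix and NX is only a mitigation for a different step of the attack.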

  2. Big PC's!!! by gandhi_2 · · Score: 5, Funny

    > large corporate and government PCs

    So small ones are mostly safe.

    1. Re:Big PC's!!! by Your+Pal+Dave · · Score: 4, Funny

      Wouldn't that be a mebibotnet?

      Mebibotnet, Mebibotnet... Now that just rolls off the tongue!

  3. Need I say more? by udippel · · Score: 5, Interesting

    From the article:
    > Around 45 percent of the bots are in the U.S., and the machines are Windows XP.

    On the other hand:
    > Nearly 80 percent run Internet Explorer; 15 percent, Firefox; 3 percent, Opera; and 1 percent Safari.

    What else does one expect? Since it is an infection spread through trojans on legitimate sites and XP the target, what can we expect the browser to do?

    In the end, we might see all browsers running completely sandboxed on demand, that is: no interaction with the rest of the system; a 'browse-only' kiosk.

  4. Quick! by anjilslaire · · Score: 5, Funny

    Get Abby & the whole NCIS crew on the job. Everyone knows a goth hacker chick will solve it!

    1. Re:Quick! by TheOtherChimeraTwin · · Score: 5, Funny

      For the tough hacking cases, they have to call in McGee. For the really tough cases, it takes both Abbie and McGee, typing as fast as they can. And for a Mega-Botnet, it takes Gibbs delivering Abbie a Caf-Pow and whispering in her ear about a little something-something later on, and Gibbs slapping McGee on the back of the head and whispering in his ear about a little something-something later on too.

    2. Re:Quick! by Penguinshit · · Score: 4, Funny

      I am ashamed that I understand your post. My wife forces me to watch that show.

  5. Re:FTP? by TubeSteak · · Score: 5, Interesting

    > Then what would people use to download and upload files? Would FTP come back into style?

    I already use a program called SandBoxie after seeing it mentioned on /.
    You can either allow files to escape the sandbox on a case by case basis or set up default allows wherever you like.
    And as a general comment, it's terribly easy to allow files into a sandbox, like when you want to upload something, but not allow any changes out.

    P.S. FTP server/client software has terrible security. Even the most popular ones, which have been around for over a decade, still get hit with remote exploits.

    --
    [Fuck Beta]
    o0t!
  6. One of four malware tools to find it... by east+coast · · Score: 4, Insightful

    I wonder if the AVG product they were using was the freeware version or one of the commercial products...

    I think it's great that they find this kind of stuff but at the same time I have some misgivings about how they don't do much to point the public in the right direction as far as finding out if they're infected or what they can do to remedy the situation. It seems that a lot of security articles are lean on providing the details about helping yourself to a more secure system.

    --
    Dedicated Cthulhu Cultist since 4523 BC.
  7. no definite article needed by osvenskan · · Score: 5, Informative

    It's just "Ukraine", not "the Ukraine".

  8. New Mega-Botnet! by geekoid · · Score: 5, Funny

    Now with more Bot to boost your immune system!

    --
    The Kruger-Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  9. Re:is it really this bad? by mea_culpa · · Score: 5, Interesting

    I think it is more widespread. I'll take my local bank as an example. I stop by to make a deposit, I notice the teller minimizing her facebook page as I glanced at the screen.
    I am shocked that a bank would allow any www access on a machine that has direct access to accounts. Dollars to donuts there is some form of malware on that machine, or already throughout their network.
    It was my belief that competent IT would only allow the necessary Intranet infrastructure to run the bank's applications. But I would bet their policies get changed by ignorant management that are sold on 'security' appliances and software to protect themselves while granting www access.

  10. Clean up botnets by DragonDru · · Score: 5, Insightful

    How can we expect to clean up the botnets if the hosts are never contacted. I may think I am clean, but if I unknowingly lack the skills to know better, I would never know better, and would never do better. The big papers detailing botnets never provide enough details to know if *I* screwed up the internet.

    --
    20 characters max for the password? How will I use my favorite poems as passwords?
  11. Virus devastates millions of complacent idiots by David+Gerard · · Score: 4, Funny

    A computer worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough to still think Windows is not ridiculously and unfixably insecure by design.

    Despite many years' warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying "COME AND GET IT."

    Microsoft cannot believe people have not applied the patch for the problem, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. "Don't they trust us?" sobbed marketing marketer Steve Ballmer.

    Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. "There's a reason the Unix system on Mac OS X is called Darwin," said appallingly smug Mac user Arty Phagge.

    "It can't be stupid if everyone else runs it," said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. "Macs cost more than Windows PCs."

    "Yes," said Phagge. "Yes, they do."

    Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can't say we care.

    --
    http://rocknerd.co.uk
  12. Re:DingDingDing! by jake-in-a-box · · Score: 5, Informative

    The data was not lost from military systems, it was obtained by crackers who penetrated military contractor's commercial systems. Yes, that leads to a whole bunch of questions and is not by any means an absolution of the military's IT security. But your statement does not match the facts.

    --
    To hear the gods laugh tell them your plans.
  13. Re:DingDingDing! by Randall311 · · Score: 4, Informative

      The data was not classified, just FOUO. Electronic copies exist for convenience's sake. It depends on the project, but there are usually no requirements for encryption of such documents. Expect that to change... soon.