Well, a botnet could certainly be used to perform some Google queries, and simulate clicks on google ads, generating revenue. A relatively small botnet, given relatively subtle enough instructions, might not even trip the Google fraud alarms.
That's so funny, it's almost worthy of its own number... maybe Catch 22.314159265 or something impossible to remember.
Another client of ours experienced some small amount of decision-making and communication chaos early in this worm outbreak. Some division managers instructed (many thousands of) users to unplug their computers from the network to prevent infection. This is a reasonable enough strategy, I suppose, but now they are struggling with the question of how to get these people to connect back to the network when they can't... wait for it... check their email!
They are working up phone trees -- an old-fashioned technique employed today mostly by blue-hair bridge clubs, terrorist cells, and desperate IT managers, I gather.
There are other possible infection vectors, but that one is most likely. Corporations would never expose Windows systems directly on the internet, but they buy laptops by the truckload, allow users to take them anywhere, then bring them back into the office and hook them up as though they were not any different than your nice safely-protected behind the firewall chained to the desktop system -- as though they hadn't been handed over to organized crime for a few days, for example. It's really not rational, but it's almost universal practice.
ABC News on the worm "CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly."
We have seen this at a government client this week. It appears that the worm authors didn't test on Windows 2000 SP3. Several variants cause the target system to reboot when they attempt to exploit the MS05-039 defect on systems older than Windows 2000 SP4, apparently without infecting the target. The issue could be more subtle than that, perhaps systems running a particular hotfix or something like that, but I haven't had a chance to dig deeper on this point.
People tend to panic when all the PCs around them are crashing every few minutes instead of every few hours or days like normal (depending on patch level and usage pattern). The first assumption they tend to make is that the crashing computers were infected, but in this case that doesn't seem to be happening. A different worm on a different day, of course, might very well crash them after a successful infection, rather than before, so best not to get too cozy because of a small bit of luck.
It hasn't received much publicity, but if you're a network administrator battling this problem, you may have trouble patching your systems because they crash too quickly. You might want to disable NULL sessions on the Windows 2000 systems which haven't been patched yet. It appears that this will prevent an infection of an unpatched Windows 2000 system, allowing you more time to patch. (Patches being larger and the systems not staying up long enough to distribute a large package and whatnot.) I haven't yet been able to determine if the UPnP vulnerability could be exploited with NULL sessions disabled, but apparently the current crop of worms and bots all rely on it.
There will probably be variants within a few days. Some of those will undoubtedly email copies around. Perimeter defense is necessary but not sufficient.
There are many large networks still running Windows 2000, and it's not easy to upgrade them. It's not upgrading Windows on a single machine that's hard, it's upgrading Windows and dozens of other software systems that run on it, for tens of thousands of desktop systems. Oh, and that needs to be done in some way that the old and new interoperate during the transition period, and it's all got to be documented by about 3 people who understand it all so that the helpdesk and end users and internal development teams all understand the various customized moving parts.
It's really harder than it seems, when your perspective is "The PC on my desk has been running Windows XP SP2 since the day it was released." Believe it or not, it's actually so difficult and expensive, that many organizations are still contemplating whether or not they can skip Windows XP altogether and leap directly to Longhorn / Vista.
That sounds like the pre-quantum wave theory equivalent of the bogon flux. (It's applied more generally now that we understand more about the underlying quantum nature of the bogon, and the fact that they only act like waves when observed in particular ways.)
The Fine Article doesn't mention one exciting development in the field of information theory, related to negative information, which may one day tie it to Vacuum Energy or Zero Point physics in a grand unified theory that, once we come to understand it, could form the basis of a star drive to power star ships.
It seems that virtual particles of antimatter and exotic particles of normal matter that spontaneously emerge from the void, and then disappear without interacting with anything. [1] The theoretical potential of tapping this particle flux has brought vacuum energy to the fore of research by the NSA into Quantum Information Theory.
Experiments conducted by the NSA and the DOE on large data samples gathered in large bureaucracies (both public and private) indicate that Microsoft Word Documents are effective containers for Negative Information, which hitherto had been considered a transient phenomenon, almost impossible to store given our current understanding of physics. The phenomenon of massive amounts of stored negative informisinformation, as it turns out, makes the typical corporate or government intranet much more resilient to cyber terrorist attack than previously predicted -- nearly as resilient as the typical government organization to a FOIA request today, for comparison.
It is expected that once we understand the characteristics of MS Word Documents which allow them to efficiently store negative information in a stable form, Quantum Physicists and Information Theorists should be able to get together, perhaps over a nice hot cup of tea, and stitch the two branches together, getting us one step closer to faster than light travel, finally bringing the stars within reach -- except it won't really be FTL, it will be something that we don't presently understand. [2]
Only the humor-impaired need read this bootnote.
[1]Yes, I see the grammar error. I've intentionally borrowed a pattern, common in conspiracy theory writing, of constructing a complex sentence, perhaps full of objects, perhaps full of verbs, perhaps full of nouns, on the theory that it might amuse, whereas it normally serves to confuse, as sometimes subjects or verbs may go missing. Oops I did it again! Or did I?
[2]Yes, I realize I mention antimatter only in the title, and not in the text.
[3]Yes, I realize there are 3 bootnotes, not a single bootnote as referenced above.
[4]Yes, I realize that only 2 of the bootnotes are indicated by reference numbers in the text. (Absurd bootnotes are also common in conspiracy theorist writings.)
With an installed base up from zero five years ago to about 10 Million today and with another million added each quarter, the users of Mac OS X as well as any real armchair operating system aficionados would be surprised to hear that *BSD is anything but alive and kicking. It's certainly growing faster than any Un*x has ever grown in the past, and has a larger installed user base than any *nix ever.
Regarding the number of NetBSD posts to Usenet... good grief. This correlation can be easily explained by other factors. Most likely, NetBSD users are more mature both technically and emotionally, and don't participate in Usenet any longer. Perhaps they're too busy shipping gazillions of embedded devices to bother with a forum with such a poor signal to noise ratio as Usenet. They probably also have more education, drive nicer cars, and have 1.2 girlfriends (vs. 0.1 for the average AC Troll) .
rootkit implied by "fully compromised system" (comment on "Anatomy of a Hack", Score: 1)
Your commentary is interesting, but there's one bit that's worthy of further consideration.
TFA: A fully compromised system cannot be trusted to tell you the truth. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it.
Your critique: If by "fully compromised" it means that the BIOS has been flashed and now lies about the files it reports, I then more or less agree. However such a tool is improbable (not enough room in the BIOS memory and not all BIOS can be flashed at will). So by "fully compromised" that's probably not what they meant. How would then an attacker lie when booting from a CD and running the scan from the CD? Or when hooking the compromised HD as a second HD on a clean system? It's not like everybody runs their virus/trojans/rootkits scanners from the suspicious host.
There's no need to flash the BIOS to get the system to lie to the legitimate systems administrator. The guest administrator need only install a rootkit, which is probably what the author had in mind.
Yes, one can detect a rootkit if one boots from a known clean media such as a CDROM. It's sometimes tricky though, because you don't really know what to look for, and even if you find part of it, you may not have all of it. Recently I've seen descriptions of rootkit watchdogs -- essentially two instances of a kernel rootkit installed in different ways, where each will re-activate the other if it goes away. Clever systems administrators who "clean" a system and miss part of a rootkit might wind up remaining 0wn3d by Th3m.
Although you seem to assume that nobody in their right mind would trust a scan run directly from the booted, known-to-be-compromised system, you would be surprised. (At the very least, you might be surprised how many systems administrators and managers are not in their right mind.) It can be quite difficult to talk people out of trusting their AntiVirus scan after a system has been rooted. After all, they spent millions of dollars for it (at the enterprise scale). I am frequently asked "If I can't trust FAVORITE_ANTIVIRUS_VENDOR, who can I trust?" and "If I can't trust the AntiVirus scan to detect a rootkit after a box has been cracked, what good is it?" Even if they understand the technical issues, which sometimes they don't, they are still able to maintain cognitive dissonance with the best of televangelist fans, "That person has no legs, but Jesus, acting through the hands of Tommy Ray Piemaker just healed them and they got up and walked!"
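The cross-view check this post describes (boot from known-clean media, then compare what the disk actually holds against what the live system claimed), as an added Python example that is not part of the original comment or of the article it replies to. The inventory line format, the file names and the two inventories are constructed sample data; a real collection would be a script run once under each view against the same disk.

```python
"""Cross-view rootkit check: compare a file inventory reported by the live
(possibly rootkitted) system with one taken after booting the same disk
from known-clean media. Added example, not from the original post; the
inventory format and the sample entries below are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    kind: str    # "hidden", "modified" or "live_only"
    detail: str


def parse_inventory(text):
    """Parse lines of '<size> <sha256> <path>' into {path: (size, sha256)}.

    The format is an assumption for this example; paths may contain
    spaces, so only the first two fields are split off.
    """
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        size, digest, path = line.split(maxsplit=2)
        inventory[path] = (int(size), digest.lower())
    return inventory


def cross_view_diff(live, offline):
    """Return discrepancies between the live view and the offline view.

    The offline view is treated as ground truth: a file on disk that the
    live system does not list is being hidden, and a file whose live hash
    differs from its on-disk hash is being misreported (or was changed
    between the two collections, which is worth a look either way).
    """
    findings = []
    for path, (size, digest) in sorted(offline.items()):
        if path not in live:
            findings.append(Finding(path, "hidden",
                                    "on disk but absent from the live listing"))
        elif live[path] != (size, digest):
            findings.append(Finding(path, "modified",
                                    f"live reports sha256 {live[path][1][:12]}..., "
                                    f"disk has {digest[:12]}..."))
    for path in sorted(set(live) - set(offline)):
        findings.append(Finding(path, "live_only",
                                "listed by the live system but not on disk"))
    return findings


# --- constructed sample data -------------------------------------------
def _entry(path, content):
    """Build one inventory line from constructed file contents."""
    return f"{len(content)} {hashlib.sha256(content).hexdigest()} {path}"


CLEAN_PS = b"ps binary, distribution build"
TROJANED_PS = b"ps binary, distribution build, plus process-hiding hook"

# What the clean boot sees on the disk: a replaced ps and an extra module.
OFFLINE_VIEW = "\n".join([
    _entry("/bin/ls", b"ls binary"),
    _entry("/bin/ps", TROJANED_PS),
    _entry("/etc/passwd", b"root:x:0:0:root:/root:/bin/sh"),
    _entry("/lib/modules/sys_hook.ko", b"kernel module"),
])

# What the live system reports: the module is hidden, and reads of /bin/ps
# are served the original bytes, so its hash matches the clean build.
LIVE_VIEW = "\n".join([
    _entry("/bin/ls", b"ls binary"),
    _entry("/bin/ps", CLEAN_PS),
    _entry("/etc/passwd", b"root:x:0:0:root:/root:/bin/sh"),
])


def run_sample():
    """Run the comparison on the constructed inventories."""
    return cross_view_diff(parse_inventory(LIVE_VIEW),
                           parse_inventory(OFFLINE_VIEW))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:9} {f.path}: {f.detail}")
```

The comparison only trusts the offline inventory, which is the whole point: nothing the live system says is used as evidence of cleanliness. It also reports every discrepancy rather than stopping at the first, which matters for the watchdog arrangement mentioned above, where removing one half of a rootkit and missing the other leaves the system compromised.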
For many years variants of this legend have floated around the net, taking different forms. The least conspiratorial version that I've heard is told as follows:
"__Fill in the blank with one of the early players in the antivirus market__ had an ill-conceived bonus program in place for a while which rewarded employees for being the first to discover a virus. The incentives created by the program obviously ran counter to the long term interests of the company and their clients, and the bonus program was discontinued when an employee was caught writing their own viruses for submission."
This is so dilbertesque that it seems almost likely to become true someday, even if it wasn't when the rumor started. It just sounds like something that would happen in a big company. I half expect one day to wake up to a headline, "Former AntiVirus executive admits to creating legendary bonus incentive program to find viruses in the early days of computing".
However, it's probably just as likely that the rumor was started in usenet by the other major antivirus company, only to have it backfire in the form of some general level of mistrust of the AntiVirus industry.
The legend has since mutated into the simpler but unlikely "AntiVirus vendors write most of the viruses" form of the legend. AntiVirus vendors today have far too much to lose. I'm confident that like all good corporations, they have policy in place which would lead not only to instant dismissal of employees caught releasing viruses "into the wild" to borrow their expression, but also probably to prosecution as well.
By the way, this was also the earliest, well more precisely, the first form that I ever heard. It might be fun to trace this rumor back to its origins and analyze the meme propagation, as was done regarding the damaging misquotation that Al Gore claimed to invent the internet. The analysis would probably require more effort, since it goes back possibly twenty years or more.
It's likely that most home computers at least are infected by worms rather than careless double-clickery. You can buy a computer as a novice home user, and it can get infected before you have time to patch it. Here's an amusing example, just one of many recent stories on the phenomenon: Jacques' Hack Attack
The same is probably also true for most infected corporate computers, even though those are somewhat better protected.
The major AntiVirus vendors also have automated systems in place to help their clients collect virus samples and deliver them for analysis. The Symantec feature is called Scan and Deliver.
Reverse engineering malware is so much fun, and appeals to techie and tech-savvy manager types so much that it has been a terrific and terrible distraction. I've seen the effect firsthand -- companies waste precious limited mitigation and response talent and time trying to analyze malware when they should be taking immediate action to contain the spread of a worm.
Corporations and government agencies have been so thoroughly trained by the AntiVirus industry that they have a hard time coping in an age of the zero day worm, flash worm, or even the boring ordinary retread worm with 800 variants that do different things and propagate through a dozen different old defects. In fact, in the last year it's become clear that worms targeting many old defects can spread widely, slipping in under the radar of AntiVirus definitions with dozens of daily variants. (It's hard to patch a large network, and the industry hasn't woken up to the fact that it's also hard to keep it patched.)
What does it matter, which of the 800 strains of Spybot or Rxbot is smacking your PC's around? Well, if it were possible to quickly assess exactly what a given strain might do on a computer, it might be. But typically it's not possible.
In fact, it's gotten to the point where the AntiVirus vendors themselves have all but given up on detailed analysis of the many variants emerging each hour. Sometimes critical features of a strain (what ports does it probe, etc.) are missing entirely from the public analysis of the strain for weeks after it was first detected. Sometimes one vendor will describe a feature while others don't. Obvious cut-and-paste errors in the analysis of major vendors can also be observed, if one pays close attention.
The AntiVirus industry can't keep up the analysis of every minor strain, but they do continue the practice because it's a proven effective strategy for keeping mindshare. To their credit, they do a pretty reasonable job of rapid analysis and signature development on quite a few variants every day. Unfortunately, the stakes are pretty high and getting higher.
The bottom line for big networks: focus on prevention and containment. Cleanup is very costly, so do your own analysis if you must, but don't let it delay or sap resources from containment efforts when a worm hits. Other damages might be mounting while the mitigation effort stalls out because an incident response team is bogged down trying to answer the question: "Does the variant that hit your network today have a keystroke logger?"
With several variants of various worms released each day, are you *sure* that you've been hit with only one variant?
Even if you think you are sure, in fact, you typically can't be sure quickly enough. Well staffed, well funded, and highly experienced labs at the major AntiVirus vendors can't keep up with detailed analysis of the zillions of variants. Neither can the overburdened IT staffs of the world. They need to stop trying.
Disclaimer: As the founder of Intrinsic Security I am clearly convinced enough in the limitations of the AntiVirus approach that I started a company and developed an alternative (complementary) approach. All of my opinions, well reasoned and otherwise, are my own, although they may be shared by others.
I did once see a similar device nearly crushed when configured in a particularly unusual way. It was set to redirect traffic directed at any port over to a tarpit sitting behind it. After a few minutes of exposure on the wild internet several portscans and worms happened by. The device response slowed a bit, even though very little bandwidth was being used. These devices don't have much CPU and memory, and they are really not designed to front a tarpit on all ports like that. Poor little thing!
Of course, this is unlikely to be the source of the problem experienced by Kainaw. An infested PC is much more likely.
Seriously though, I bet some sexy PG pics on t-shirts and coffee mugs, sold via something like Cafe Press might work. A hot babe with one of those skimpy little halloween costumes that get trotted out on halloween should do the trick -- little satin horns, red bikini, tail, pitchfork, and a smile.
This growing attitude of "if you don't run AV software, you're probably infected" is disturbing. Viruses and worms don't just magically appear out of nowhere, they come in through known, predictable routes. Close those routes, and you prevent infection.
You're right, as far as you go.
The problem is that's pretty hard to defend against those things. Home users don't know how. Corporate network administrators have hundreds of interlocking "business requirements" that prevent them from shutting the door to "critical services" like SMB file sharing between PC systems.
Worms get into corporate networks through a variety of means, borrowing techniques from viruses and mass emailer viruses, as well as adware and spyware. Some of those holes are impossible to block on a typical corporate network. Take the Internet Explorer holes in corporations that have spent the last several years deploying "internet based applications" that only function correctly with Internet Explorer, for example. Can't block 'em. Might take months to patch 'em if you have tens of thousands of PC systems.
Once a worm gets into a network by exploiting a single system through a mundane virus or adware-only hole like this, it's likely to find a wormable exploit on many other systems. Once a worm is inside, the soft candy center of the corporate network is difficult to defend from a worm with conventional techniques, which are typically perimeter defense in nature.
Even worse, some of my clients have reported that they have, out of tens of thousands of users, at least several who seem to get their PC infected over and over and over. They suspect that this is a "coffee break effect". The users learned that if they double-click on the occasional malicious attachment that leaks through the antivirus email filter at the gateway, and the one on their PC, they get the afternoon off because their PC is taken offline by the network admin staff.
So AntiVirus really is part of the layered defense required for "closing those routes" in the modern age for most companies and home users.
By the way, the observed incidents supporting the "coffee break effect" are the worms and viruses that successfully exploit the patch gap or the definition gap. Most of the time that users double-click to unzip, type in the password and then double-click to execute a malicious attachment, they are thwarted by the AntiVirus system.
The internet does not slow down just because one site is getting DDoS'ed.
Well, that's mostly a function of the DDoS instrument. Various worms have slowed the internet (to a subjective crawl) while propagating aggressively. Some of them infected such a large number of PC systems that DDoS on multiple sites at once could have been performed.
A DDoS directed by such a worm against certain routers or DNS servers, rather than "a web site" might have a profound impact on performance of the internet as a whole -- as perceived from just about any location on it. Much smaller networks of bots can certainly DDoS a site off the net without affecting the overall performance of the internet, but that's not the only possibility.
Intrusion Suppression techniques like honeypots and tarpits are not really strike-back techniques. They are really more like network judo. When you redirect the energy of the attack, it's not always against the attacker, it's just away from the victim.
Intrusion Suppression techniques actually reduce the network traffic generated by the attacker, and yet also reduce the effectiveness with which the attacker can perform an attack. It's not really a counter-strike.
Yes, this is a potentially serious issue with any of the active countermeasures. Even simple intrusion suppression techniques like honeypots can fall victim to this kind of redirect attack if exposed directly on the internet.
Fortunately these types of attacks can be detected and modulated. With respect to certain antiworm systems based on honeypot techniques I can safely say that these problems are not insurmountable.
I used to do this, but gave up some years ago. It was pretty rare to get a useful response of any kind from the owner of the attacking system. Oftentimes they didn't believe the report or didn't understand the problem.
There is one type of "attack" that I continue to try to foil this way -- bogus "you're infected" messages from email antispam gateways. Many email administrators still don't understand that virii can (and do) spew email with fake headers, and don't believe it when it's explained to them. These are the same folk with antivirus email gateway filters that automatically send email to the apparent origin telling them their PC is infected. They really think they are doing the world a huge favor by letting them know, and they are not about to take some Random Guy's word for it. Of course, the virus they warn me about is always a Windows executable virus, and I use a Macintosh, so the reports that I've received have thus far always been in error. It doesn't matter to them. I clearly do not know what I'm talking about.
Sadly, I've never been able to convince a single email administrator to disable this feature. A few have vehemently defended their abusive configuration. Over time, the antivirus vendors seem to be removing this misfeature from their products, so eventually the upgrade cycle will take care of the problem, I hope.
As a touchstone to the main topic, I note that a strike-back technique here would be to spam their own gateway with infected messages which appear to originate from their own account, to demonstrate the point. Unfortunately, that would be wrong.
Well, strictly speaking not forever. They do dabble about with orange now and again.
I may have been sub-consciously trawling for funny mods.
Silly Anonymous Coward Troll, stats are for ids.
Here's an interesting starting point on rootkits: Recognizing and Recovering from Rootkit Attacks
However, it's probably just as likely that the rumor was started in usenet by the other major antivirus company, only to have it backfire in the form of some general level of mistrust of the AntiVirus industry.
The legend has since mutated into the simpler but unlikely "AntiVirus vendors write most of the viruses" form of the legend. AntiVirus vendors today have far too much to lose. I'm confident that like all good corporations, they have policy in place which would lead not only to instant dismissal of employees caught releasing viruses "into the wild" to borrow their expression, but probably to prosecution as well.
By the way, this was also the earliest, well more precisely, the first form that I ever heard. It might be fun to trace this rumor back to its origins and analyze the meme propagation, as was done regarding the damaging misquotation that Al Gore claimed to invent the internet. The analysis would probably require more effort, since it goes back possibly twenty years or more.
It's likely that most home computers at least are infected by worms rather than careless double-clickery. You can buy a computer as a novice home user, and it can get infected before you have time to patch it. Here's an amusing example, just one of many recent stories on the phenomenon: Jacques' Hack Attack
The same is probably also true for most infected corporate computers, even though those are somewhat better protected.
The major AntiVirus vendors also have automated systems in place to help their clients collect virus samples and deliver them for analysis. The Symantec feature is called Scan and Deliver.
I think you have hit the nail on the head here.
Reverse engineering malware is so much fun, and appeals to techie and tech-savvy manager types so much that it has been a terrific and terrible distraction. I've seen the effect firsthand -- companies waste precious limited mitigation and response talent and time trying to analyze malware when they should be taking immediate action to contain the spread of a worm.
Corporations and government agencies have been so thoroughly trained by the AntiVirus industry that they have a hard time coping in an age of the zero day worm, flash worm, or even the boring ordinary retread worm with 800 variants that do different things and propagate through a dozen different old defects. In fact, in the last year it's become clear that worms targeting many old defects can spread widely, slipping in under the radar of AntiVirus definitions with dozens of daily variants. (It's hard to patch a large network, and the industry hasn't woken up to the fact that it's also hard to keep it patched.)
What does it matter, which of the 800 strains of Spybot or Rxbot is smacking your PCs around? Well, if it were possible to quickly assess exactly what a given strain might do on a computer, it might be. But typically it's not possible.
In fact, it's gotten to the point where the AntiVirus vendors themselves have all but given up on detailed analysis of the many variants emerging each hour. Sometimes critical features of a strain (what ports does it probe, etc.) are missing entirely from the public analysis of the strain for weeks after it was first detected. Sometimes one vendor will describe a feature while others don't. Obvious cut-and-paste errors in the analysis of major vendors can also be observed, if one pays close attention.
The AntiVirus industry can't keep up the analysis of every minor strain, but they do continue the practice because it's a proven effective strategy for keeping mindshare. To their credit, they do a pretty reasonable job of rapid analysis and signature development on quite a few variants every day. Unfortunately, the stakes are pretty high and getting higher.
The bottom line for big networks: focus on prevention and containment. Cleanup is very costly, so do your own analysis if you must, but don't let it delay or sap resources from containment efforts when a worm hits. Other damages might be mounting while the mitigation effort stalls out because an incident response team is bogged down trying to answer the question: "Does the variant that hit your network today have a keystroke logger?"
With several variants of various worms released each day, are you *sure* that you've been hit with only one variant?
Even if you think you are sure, in fact, you typically can't be sure quickly enough. Well staffed, well funded, and highly experienced labs at the major AntiVirus vendors can't keep up with detailed analysis of the zillions of variants. Neither can the overburdened IT staffs of the world. They need to stop trying.
Disclaimer: As the founder of Intrinsic Security I am clearly convinced enough in the limitations of the AntiVirus approach that I started a company and developed an alternative (complementary) approach. All of my opinions, well reasoned and otherwise, are my own, although they may be shared by others.
I did once see a similar device nearly crushed when configured in a particularly unusual way. It was set to redirect traffic directed at any port over to a tarpit sitting behind it. After a few minutes of exposure on the wild internet several portscans and worms happened by. The device response slowed a bit, even though very little bandwidth was being used. These devices don't have much CPU and memory, and they are really not designed to front a tarpit on all ports like that. Poor little thing!
Of course, this is unlikely to be the source of the problem experienced by Kainaw. An infested PC is much more likely.
My normally keen sense of comic timing must be off kilter today. I'll just go out and come back in.
I seem to recall reading some speculation that a spacefaring race would evolve to be smaller.
Seriously though, I bet some sexy PG pics on t-shirts and coffee mugs, sold via something like Cafe Press might work. A hot babe with one of those skimpy little Halloween costumes that get trotted out on Halloween should do the trick -- little satin horns, red bikini, tail, pitchfork, and a smile.
There is apparently no shortage of sexy she-devil costumes.
If NetBSD doesn't jump on this chance, some other open source project will, undoubtedly.
The problem is that it's pretty hard to defend against those things. Home users don't know how. Corporate network administrators have hundreds of interlocking "business requirements" that prevent them from shutting the door to "critical services" like SMB file sharing between PC systems.
Worms get into corporate networks through a variety of means, borrowing techniques from viruses and mass emailer viruses, as well as adware and spyware. Some of those holes are impossible to block on a typical corporate network. Take the Internet Explorer holes in corporations that have spent the last several years deploying "internet based applications" that only function correctly with Internet Explorer, for example. Can't block 'em. Might take months to patch 'em if you have tens of thousands of PC systems.
Once a worm gets into a network by exploiting a single system through a mundane virus or adware-only hole like this, it's likely to find a wormable exploit on many other systems. Once a worm is inside, the soft candy center of the corporate network is difficult to defend from a worm with conventional techniques, which are typically perimeter defense in nature.
Even worse, some of my clients have reported that they have, out of tens of thousands of users, at least several who seem to get their PC infected over and over and over. They suspect that this is a "coffee break effect". The users learned that if they double-click on the occasional malicious attachment that leaks through the antivirus email filter at the gateway, and the one on their PC, they get the afternoon off because their PC is taken offline by the network admin staff.
So AntiVirus really is part of the layered defense required for "closing those routes" in the modern age for most companies and home users.
By the way, the observed incidents supporting the "coffee break effect" are the worms and viruses that successfully exploit the patch gap or the definition gap. Most of the time that users double-click to unzip, type in the password and then double-click to execute a malicious attachment, they are thwarted by the AntiVirus system.
A DDoS directed by such a worm against certain routers or DNS servers, rather than "a web site" might have a profound impact on performance of the internet as a whole -- as perceived from just about any location on it. Much smaller networks of bots can certainly DDoS a site off the net without affecting the overall performance of the internet, but that's not the only possibility.
Intrusion Suppression techniques like honeypots and tarpits are not really strike-back techniques. They are really more like network judo. When you redirect the energy of the attack, it's not always against the attacker, it's just away from the victim.
Intrusion Suppression techniques actually reduce the network traffic generated by the attacker, and yet also reduce the effectiveness with which the attacker can perform an attack. It's not really a counter-strike.
Yes, this is a potentially serious issue with any of the active countermeasures. Even simple intrusion suppression techniques like honeypots can fall victim to this kind of redirect attack if exposed directly on the internet.
Fortunately these types of attacks can be detected and modulated. With respect to certain antiworm systems based on honeypot techniques I can safely say that these problems are not insurmountable.
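An added illustration of "detected and modulated" for a honeypot that redirects scanners into a tarpit (example code, not the logic of any real product; every address, port list and event below is constructed). The redirect list is built only from sources that completed a TCP handshake, which a forged source address cannot do, so an attacker spraying spoofed SYNs cannot make the honeypot turn on an innocent third party. Protected infrastructure is exempt, the list is capped, and entries age out with the window. The ratio of never-completed attempts is kept as the detection signal that someone is trying to poison the list.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Probe:
    """One connection attempt seen at the honeypot (constructed event type)."""
    ts: float        # seconds on some monotonic clock
    src: str         # source address as the kernel reported it
    dport: int       # port that was probed
    completed: bool  # True only if the TCP three-way handshake completed


@dataclass(frozen=True)
class Policy:
    window: float = 60.0          # only events this recent count
    min_ports: int = 5            # distinct ports before a source counts as a scanner
    max_redirects: int = 100      # cap on sources redirected at once
    protected: FrozenSet[str] = frozenset()  # routers, resolvers, our own scanners


def analyze(probes: Iterable[Probe], now: float, policy: Policy) -> Dict[str, object]:
    """Decide which sources to redirect, and measure spoofing pressure."""
    recent = [p for p in probes if now - p.ts <= policy.window]
    completed_ports: Dict[str, Set[int]] = defaultdict(set)
    syn_only: Set[str] = set()
    for p in recent:
        if p.completed:
            completed_ports[p.src].add(p.dport)   # unforgeable: they answered our SYN-ACK
        else:
            syn_only.add(p.src)                    # forgeable: never acted on
    # Rank scanners by breadth, skip protected hosts, cap the list size.
    ranked = sorted(
        ((len(ports), src) for src, ports in completed_ports.items()
         if len(ports) >= policy.min_ports and src not in policy.protected),
        key=lambda t: (-t[0], t[1]))
    redirect = [src for _, src in ranked[:policy.max_redirects]]
    # Signal for a redirect attack: most recent attempts never complete,
    # from many distinct "sources". Alert on it; do not act on it.
    not_completed = sum(1 for p in recent if not p.completed)
    pressure = not_completed / len(recent) if recent else 0.0
    return {
        "redirect": redirect,
        "syn_only_sources": len(syn_only - set(completed_ports)),
        "spoof_pressure": round(pressure, 3),
    }


def constructed_probes() -> List[Probe]:
    """Constructed sample traffic from documentation address ranges."""
    probes: List[Probe] = []
    for i, port in enumerate([21, 22, 23, 25, 80, 135, 139, 445]):   # real scanner
        probes.append(Probe(100 + i, "203.0.113.7", port, True))
    for i, port in enumerate([22, 80, 443, 445, 3389]):              # our own authorized scanner
        probes.append(Probe(100 + i, "192.0.2.10", port, True))
    for i in range(50):                                              # forged-source SYN flood
        for port in (22, 80, 445, 1433, 3389, 5900):
            probes.append(Probe(110, f"198.51.100.{i + 1}", port, False))
    for i, port in enumerate([22, 23, 25, 80, 445, 3389]):           # stale scanner, outside window
        probes.append(Probe(10 + i, "203.0.113.99", port, True))
    return probes


def demo() -> Dict[str, object]:
    policy = Policy(protected=frozenset({"192.0.2.10", "192.0.2.53"}))
    return analyze(constructed_probes(), now=120.0, policy=policy)


if __name__ == "__main__":
    print(demo())
```

With the constructed traffic only 203.0.113.7 is redirected: the fifty forged sources never completed a handshake, the authorized scanner is protected, and the earlier scanner has aged out, while the spoof pressure reading of roughly 0.96 is what tells the operator the list is under attack.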
I used to do this, but gave up some years ago. It was pretty rare to get a useful response of any kind from the owner of the attacking system. Oftentimes they didn't believe the report or didn't understand the problem.
There is one type of "attack" that I continue to try to foil this way -- bogus "you're infected" messages from email antispam gateways. Many email administrators still don't understand that virii can (and do) spew email with fake headers, and don't believe it when it's explained to them. These are the same folk with antivirus email gateway filters that automatically send email to the apparent origin telling them their PC is infected. They really think they are doing the world a huge favor by letting them know, and they are not about to take some Random Guy's word for it. Of course, the virus they warn me about is always a Windows executable virus, and I use a Macintosh, so the reports that I've received have thus far always been in error. It doesn't matter to them. I clearly do not know what I'm talking about.
Sadly, I've never been able to convince a single email administrator to disable this feature. A few have vehemently defended their abusive configuration. Over time, the antivirus vendors seem to be removing this misfeature from their products, so eventually the upgrade cycle will take care of the problem, I hope.
As a touchstone to the main topic, I note that a strike-back technique here would be to spam their own gateway with infected messages which appear to originate from their own account, to demonstrate the point. Unfortunately, that would be wrong.
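An added example of what a gateway ought to check before auto-replying to the apparent origin of a message, written as a policy function rather than as the configuration of any real product; the hosts, addresses, the authorized-sender table and the messages are all constructed. The two rules are the ones the comment argues for: a virus verdict means the headers were forged, so no notification goes out at all, and any other automatic reply goes only to an envelope sender whose domain actually sent the message from an authorized host, as read from the topmost Received header, which is the one our own gateway wrote.

```python
import email
import re
from email.utils import parseaddr
from typing import Dict, Optional, Set, Tuple

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_client_ip(msg) -> Optional[str]:
    """The first Received header is the one our gateway added, so its bracketed
    address is the peer that connected to us. Everything below it came from
    that peer and may be invented."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IP_IN_BRACKETS.search(received[0])
    return m.group(1) if m else None


def envelope_sender(msg) -> str:
    return parseaddr(msg.get("Return-Path", ""))[1]


def notification_allowed(raw: str, verdict: str,
                         authorized: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Should an automatic notice be sent back to the apparent sender?"""
    msg = email.message_from_string(raw)
    if verdict == "virus":
        return False, "virus verdict: the apparent sender is almost certainly forged"
    sender = envelope_sender(msg)
    if not sender:
        return False, "null envelope sender: never reply to a bounce"
    domain = sender.rsplit("@", 1)[-1].lower()
    ip = connecting_client_ip(msg)
    if ip is None or ip not in authorized.get(domain, set()):
        return False, f"{ip} is not an authorized sending host for {domain}"
    return True, "envelope sender verified against its domain's authorized hosts"


# Constructed: the only host allowed to send mail for example.org.
AUTHORIZED = {"example.org": {"192.0.2.25"}}

# Constructed: a worm on a home PC sends mail forging a Mac user's address.
FORGED_WORM_MAIL = """\
Return-Path: <mac.user@example.org>
Received: from pc-home.example.net ([198.51.100.23]) by mx.example.com with ESMTP id 1; Mon, 15 Aug 2005 10:00:00 -0400
Received: from mail.example.org ([192.0.2.25]) by pc-home.example.net with SMTP id forged
From: Mac User <mac.user@example.org>
To: someone@example.com
Subject: Your document

(executable attachment would be here)
"""

# Constructed: a legitimate message from example.org's real outbound host.
LEGIT_MAIL = """\
Return-Path: <alice@example.org>
Received: from mail.example.org ([192.0.2.25]) by mx.example.com with ESMTP id 2; Mon, 15 Aug 2005 10:05:00 -0400
From: Alice <alice@example.org>
To: someone@example.com
Subject: Quarterly report

(oversized attachment would be here)
"""

# Constructed: a bounce message, which by definition has a null sender.
NULL_SENDER_MAIL = """\
Return-Path: <>
Received: from mail.example.org ([192.0.2.25]) by mx.example.com with ESMTP id 3; Mon, 15 Aug 2005 10:06:00 -0400
From: Mail Delivery System <MAILER-DAEMON@example.org>
To: someone@example.com
Subject: Undelivered Mail

"""


def demo() -> Dict[str, bool]:
    return {
        "worm_virus_verdict": notification_allowed(FORGED_WORM_MAIL, "virus", AUTHORIZED)[0],
        "worm_other_verdict": notification_allowed(FORGED_WORM_MAIL, "quarantined", AUTHORIZED)[0],
        "legit_quarantine": notification_allowed(LEGIT_MAIL, "quarantined", AUTHORIZED)[0],
        "null_sender": notification_allowed(NULL_SENDER_MAIL, "quarantined", AUTHORIZED)[0],
    }


if __name__ == "__main__":
    for name, raw in (("worm", FORGED_WORM_MAIL), ("legit", LEGIT_MAIL)):
        print(name, notification_allowed(raw, "quarantined", AUTHORIZED))
```

The second Received line in the forged message claims the mail came through example.org's real server; the function never looks at it, because only the topmost header reflects a connection the gateway itself observed.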