
America's 10 Most-Wanted Botnets

timothy posted more than 4 years ago | from the lurking-on-your-parents'-desktops dept.

Security 84

bednarz writes "Network World ranks America's 10 most wanted botnets, based on an estimate by security firm Damballa of botnet size and activity in the United States. The leader is Zeus, with 3.6 million compromised PCs so far. The Zeus Trojan uses key-logging techniques to steal user names, passwords, account numbers and credit card numbers, and it injects fake HTML forms into online banking login pages to steal user data. At the bottom of the list is Conficker, which despite its celebrity status has compromised just 210,000 US computers so far."


Let's talk about bots... (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28786025)

I have to say that Firefox is getting a lot worse lately. The user experience is in serious need of improvement and development is the pits. I installed the latest "big deal" Firefox update on June 30th. (For some reason they skipped a full four secondary updates, but whatever.) Upon restarting, which took several minutes, I began using Firefox 3.5 [trollaxor.com].

At first, Firefox seemed strangely familiar. I thought they had changed very little unnecessarily until I visited the Acid3 [acidtests.org] test. Lo and behold, I was still using Firefox 3.0.0.11. What the fuck? I manually invoked Check for Updates and repeated my first attempt only to find, upon restarting, the same thing.

Finally, in desperation, I downloaded the installer manually from Mozilla [mozilla.com]. The install ran surprisingly quickly and, after a few minutes, I was launched with the new version. I had to check, though, because again I thought it looked like very little had changed.

In fact, did Mozilla bother changing anything beside the JavaScript? The new TraceMonkey is great and all, but they could have at least made it look like they were working on something else. When the most noticeable improvement is the "Know Your Rights" button (which everyone ignores) one really starts to wonder what the fuss was all about.

Well, after the three tries it took to upgrade, I found my profile wouldn't migrate. This was a mess, but I was able to eventually retrieve my bookmarks from a long, arcane file path in a hidden directory. But then upon visiting my bookmarked sites I found that almost none of my add-ons are compatible with it. Therefore my browser is almost entirely functionless.

The bookmark tool itself could use a polishing. It's a mess and has been since version 1.0. If a browser is meant to render and organize content, Firefox surely falls down in this area. Why does it take me several minutes to slosh through the GUI just to make a new folder and alphabetize some bookmarks in it? Not to mention the damned Bookmarks toolbar, which takes up too much damn space and can't be turned off.

And speaking of the GUI, it's slow as Hell. Get rid of the proprietary XUL and just hardcode the damned interface already!

I also have to mention memory use. On my system, Firefox was swallowing an incredible 400 MB with only a simple HTML 4 table open. 400 MB?! I blame this on the Firefox team's use of C++, where memory management is about as easy as herding cats. Likewise Firefox is a slow, bloated nightmare. (For a contrast, there's Safari [apple.com], which is written in Objective C and is very small and efficient.)

Most of the time I have heavy JavaScript sites open. I shudder to think how much Firefox eats then, and I'll be sure to check in the future. No wonder my system tends to slow down when I've left Firefox open for days on end with dynamically updating pages and RSS feeds. Clearly, Firefox leaks memory like a cracked sieve in a waterfall.

With Firefox smelling more and more like crapware, I started to dig a little, first on Wikipedia [wikipedia.org] and then on the Mozilla Development Forums [mozilla.org] . It turns out that my observations are part of a larger pattern of Firefox quality issues and development customs. The Mozilla developers are a bunch of arrogant, abusive shitheads.

For starters, they're still running all tabs in the same process. This is something IE7 and Safari 3 have had right for years. So if a plugin crashes or a page takes forever to finish rendering, everything's stuck. You can't even switch tabs to another page! And Firefox 3.5 is a "milestone" release? Firefox 3.6 and 4 are milestones too, and process-per-tab isn't scheduled for either.

Developer interaction with Firefox users is stilted too. Sometimes Bugzilla [mozilla.org] reports are dismissed out of hand, only to be reopened when something goes terribly wrong later. I also saw instances of reported security flaws sitting years before being patched. In one case, someone released an exploit to point out the deep holes in Firefox before anyone did anything.

One time, a user with some programming experience suggested a bugfix to the wishlist. One programmer, whom I will not publicly name, suggested the user submit patches "once his balls dropped," if he were even male. If this were a real company and not a bunch of arrogant hacker hippies, user antagonism and sexism would never be acceptable. When I read this particular incident I uninstalled Firefox for good.

If anyone else has complaints about Firefox, post them here. For a browser that's taken nearly a third of the market, it's doing so with an incredibly broken development model and backend. Just imagine if the Firefox team actually treated its users right or prioritized projects properly. Maybe then the web would move beyond the mess of incompatible standards and site hacks it is today.

Until then, Firefox is just another out-of-control Open Source project that needs a good stiff slap in the face.

Re:Let's talk about bots... (1)

Runaway1956 (1322357) | more than 4 years ago | (#28788069)

I'd put this asshole on ignore, but AC actually makes some good posts now and then. Which asshole is which? Slashdot should enable us to put people on ignore based on IP address rather than nick. Hmmm, how would that work? Hmmm..........

slashbots (5, Funny)

Anonymous Coward | more than 4 years ago | (#28786101)

I'm surprised the slashbots aren't on that list. They have the power to take a website offline in mere moments thanks to the power wielded by their evil overlord, CmdrTaco. He simply posts a link to the site he wants removed from the net on the front of his homepage, and the site goes offline.

Re:slashbots (3, Funny)

starglider29a (719559) | more than 4 years ago | (#28786235)

Yes, but he only wields this power for good.

Re:slashbots (1, Funny)

Anonymous Coward | more than 4 years ago | (#28786653)

Yes, but he only wields this power for good.

Oh, how quickly they forget [flickr.com].

Re:slashbots (1)

QuantumRiff (120817) | more than 4 years ago | (#28788045)

Unfortunately, some of us are still trying, unsuccessfully. Damn those pink ponies.

Re:slashbots (5, Funny)

mcrbids (148650) | more than 4 years ago | (#28786293)

I'm surprised the slashbots aren't on that list. They have the power to take a website offline in mere moments thanks to the power wielded by their evil overlord, CmdrTaco. He simply posts a link to the site he wants removed from the net on the front of his homepage, and the site goes offline.

Thus invoking what has been described as the greatest paradox of all time: Slashdot can remove sites from the Internet by merely posting them, yet it's quite demonstrable that none of the slashbots ever RTFA.

So where are these mysterious article readers, and where do they come from? I'm waiting for a Scientific Expose on Nova...

Re:slashbots (1)

HomelessInLaJolla (1026842) | more than 4 years ago | (#28786471)

Pay-per-click bots used to artificially adjust page rankings and for the generation of statistical data used by network administrators to promote their latest list of needed upgrades to their financial budget directors.

Re:slashbots (2, Funny)

Culture20 (968837) | more than 4 years ago | (#28786599)

Proof that lurkers still outnumber posters. &$#^*ing leeches. They're the reason I can't RTFA. Stop reading and post something!

Re:slashbots (1)

Opportunist (166417) | more than 4 years ago | (#28793033)

Think before you ask for something! You are aware that you're asking 20 times the amount of people who post on /. to post something, and those people having even less to say than the average /. poster, aren't you?

Re:slashbots (0)

Anonymous Coward | more than 4 years ago | (#28786859)

The article said MOST wanted. That doesn't include slashbots. Ask any female.

Re:slashbots (1)

ZiakII (829432) | more than 4 years ago | (#28788537)

People actually click on those links?

Re:slashbots (1)

Opportunist (166417) | more than 4 years ago | (#28793041)

Judging from my firewall log, yes, people click on anything as long as it promises them something "cool".

I have a link on my webpage that states quite bluntly "DO NOT click this link. It leads to a trojan, you'll be drive by infected when you click this. DO NOT click! I don't take any responsibility"... yaddayadda.

Over 50 percent of the people who go there DO click. Now, I don't infect them. I only belittle, berate and ridicule them for being utterly stupid in the face of a certain now-where-did-I-put-that-Windows-CD afternoon.

Re:slashbots (1)

Opportunist (166417) | more than 4 years ago | (#28793023)

Yeah, but its impact is limited to those servers that have open 0x50 ports. You can easily defend against that one.

Re:slashbots - CmdrTaco always says that (1)

zukinux (1094199) | more than 4 years ago | (#28793141)

CmdrTaco always says that: "With great power comes great responsibility". He even told this sentence to Spiderman.

That's why he's not using his power to get all the bitches out there.

Top ten lists... (5, Informative)

Anonymous Coward | more than 4 years ago | (#28786229)

Please... If you are interested in top 10 lists, put the information from least significant to most. This makes the piece more interesting.
Thanks.

No. 10: Conficker

Compromised U.S. computers: 210,000

Main crime use: Also called Downadup, this downloader worm has spread significantly throughout the world, though not so much in the U.S. It's a complex downloader used to propagate other malware. Though it has been used to sell fake antivirus software, this crimeware currently seems to have no real purpose other than to spread. Industry watchers fear a more dangerous purpose will emerge.

No. 9: Gammima

Compromised U.S. computers: 230,000

Main crime use: Also known as Gamina, Gamania, Frethog, Vaklik and Krap, this crimeware focuses on stealing online game logins, passwords and account information. It uses rootkit techniques to load into the address space of other common processes, such as Explorer.exe, and will spread through removable media such as USB keys. It's also known to be the worm that got into the International Space Station in the summer of 2008.

No. 8: Swizzor

Compromised U.S. computers: 370,000

Main crime use: A variant of the Lop malware, this Trojan dropper can download and launch files from the Internet on the victim's machine without the user's knowledge, installing an adware program and other Trojans.

No. 7: Hamweq

Compromised U.S. computers: 480,000

Main crime use: Also known as IRCBrute, or an autorun worm, this backdoor worm makes copies of itself on the system and any removable drive it finds -- and anytime the removable drives are accessed, it executes automatically. An effective spreading mechanism, Hamweq creates registry entries to enable its automatic execution at every startup and injects itself into Explorer.exe. The botmaster using it can execute commands on and receive information from the compromised system.

No. 6: Monkif

Compromised U.S. computers: 520,000

Main crime use: This crimeware's current focus is downloading an adware BHO (browser helper object) onto a compromised system.

No. 5: TR/Dldr.Agent.JKH

Compromised U.S. computers: 1.2 million

Main crime use: This remote Trojan posts encrypted data back to its command-and-control domains and periodically receives instruction. Often loaded by other malware, TR/Dldr.Agent.JKH currently is used as a clickbot, generating ad revenue for the botmaster through constant ad-specific activity.

No. 4: Trojan.Fakeavalert

Compromised U.S. computers: 1.4 million

Main crime use: Formerly used for spamming, this botnet has shifted to downloading other malware, with its main focus on fake alerts and rogue antivirus software.

No. 3: TidServ

Compromised U.S. computers: 1.5 million

Main crime use: This downloader Trojan spreads through spam e-mail, arriving as an attachment. It uses rootkit techniques to run inside common Windows services (sometimes bundled with fake antivirus software) or in Windows safe mode, and it can hide most of its files and registry entries.

No. 2: Koobface

Compromised U.S. computers: 2.9 million

Main crime use: This malware spreads via social networking sites MySpace and Facebook with faked messages or comments from "friends." When a user is enticed into clicking on a provided link to view a video, the user is prompted to obtain a necessary update, like a codec -- but it's really malware that can take control over the computer.

No. 1: Zeus

Compromised U.S. computers: 3.6 million

Main crime use: The Zeus Trojan uses key-logging techniques to steal sensitive data such as user names, passwords, account numbers and credit card numbers. It injects fake HTML forms into online banking login pages to steal user data.

Re:Top ten lists... (1)

CopaceticOpus (965603) | more than 4 years ago | (#28786675)

Perhaps I'm in the minority, but I prefer top tens lists with #1 first. I usually skip to the end of the list and read backwards. In this case, knowing the size of the #1 botnet gives me some perspective on the scale of the other list items.

Having a countdown only makes sense to me if there is drama about what #1 will be. I wasn't really on the edge of my seat to find out the name of the biggest botnet.

Re:Top ten lists... (1)

bursch-X (458146) | more than 4 years ago | (#28790965)

Maybe that was the format meant for the writers of the trojans, because they'd definitely be on the edge of their seats wanting to know whether their botnet had "won" or not ;-)

Re:Top ten lists... (1)

Opportunist (166417) | more than 4 years ago | (#28793057)

I'm fairly sure they don't care. If you're on that list at all, you won. It's like a Forbes 400 list for malware.

Re:Top ten lists... (1)

T Murphy (1054674) | more than 4 years ago | (#28788019)

I don't expect there to be 12 million PCs infected, as many of the people managing to be hit by one of these can easily find more, but at the same time I understand some/many botnet programs fight off others to either avoid notice or to establish more complete control. I won't bother trying to speculate how these two forces balance out, but I'm assuming there are people here who can offer some insightful comments to this end.

Re:Top ten lists... (1)

Opportunist (166417) | more than 4 years ago | (#28793071)

The "battle" for computers is still a minor concern for malware writers. So far, the battle is rather against AV suites. Usually, the attempt to remove other malware has been limited to "rival" malware from others who fish in the same pond, but the attempt to actually proactively push out everyone else has been minimal until recently.

Only a short time ago some malware packages started actively searching for (and removing) other malware, mostly the "noticeable" kind that bombards the user with ads and exhibits other "suspicious" behaviour. My theory is that they want to avoid that the user notices something is wrong and calls a knowledgeable friend, who might then also find the other, more stealthy and less obvious, trojan.

!Botnet (4, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#28786253)

The leader is Zeus, with 3.6 million compromised PCs so far. The Zeus Trojan uses key-logging techniques to steal user names, passwords, account numbers and credit card numbers, and it injects fake HTML forms into online banking login pages to steal user data

And how the heck does that make it a botnet? Apparently botnet is now a buzzword for any type of popular malware. Now, if it said that it went and DDoSed websites, yes, that would make it a botnet, but this? That just is malware.

Re:!Botnet (5, Informative)

maxume (22995) | more than 4 years ago | (#28786373)

It is a botnet that happens to include key logging and other phishing features. It even features an EULA:

http://jabolins.livejournal.com/16538.html [livejournal.com]

Re:!Botnet (0, Flamebait)

Darkness404 (1287218) | more than 4 years ago | (#28786457)

Hm, that is interesting. However, the article didn't ever mention anything about the actual botnet part of it, which I kinda thought was the point of the article. But having an EULA for a botnet? Now that's funny.

Re:!Botnet (3, Informative)

maxume (22995) | more than 4 years ago | (#28786601)

It highlights a confusion in the way the terms are used: I guess it might make more sense to say that a botnet is comprised of systems running botnet software, rather than systems running a botnet. Apparently in the case of Zeus, people are purchasing the software as a kit and then deploying it in order to create their own botnets, so the Zeus botnet software is the platform for more than 1 botnet.

Re:!Botnet (1)

Opportunist (166417) | more than 4 years ago | (#28793077)

As if anyone ever read an EULA...

Seriously, I want to do that experiment. Write a piece of software and fill the EULA with legalese saying pretty much "we pwnz yoo". And wait how many still install it.

My money is on 90 percent.

Re:!Botnet (1)

Runaway1956 (1322357) | more than 4 years ago | (#28788167)

But, the EULA looks as legitimate as anything Microsoft or Adobe asks you to "sign", or accept. begin sarcasm: IMO, that makes it legal, doesn't it? end sarcasm

Re:!Botnet (5, Informative)

Teun (17872) | more than 4 years ago | (#28786465)

Malware becomes a botnet when it can be remotely controlled and updated, that's what these ten have in common.

Re:!Botnet (1)

thelexx (237096) | more than 4 years ago | (#28786891)

Unless the bots are coordinated in their action it doesn't seem like much of a 'net'work, just a bunch of bots (which is the part of 'botnet' that DOES make sense in the "can be remotely controlled and updated" context).

Re:!Botnet (1)

bursch-X (458146) | more than 4 years ago | (#28790975)

Malware becomes a botnet when it can be remotely controlled and updated, that's what these ten have in common.

So Windows IS a botnet.

I knew it all the time.

Re:!Botnet (1)

Opportunist (166417) | more than 4 years ago | (#28793127)

Terminology isn't easy anymore in mal/crimeware. Is it a virus? A trojan? A worm? What if it infects a PC, runs in the space of another program, distributes itself autonomously and phones home? It's a worm according to its spreading, a virus according to its location in memory and a trojan according to its actions. Please classify.

Botnet is a convenient term for any malware that has a more or less permanent connection to its controlling server. I wouldn't make DDoSing a defining feature. As we've seen lately, updating malware to change its behaviour and role is trivial and done often; what's stealing passwords today can be used for DDoSes tomorrow. Want to reclassify every time it changes its behaviour?

The reason why DDoSes are fairly rare is that there's simply no good way to squeeze money out of this stone. You can easily turn credit card numbers and bank access into money. But DDoS? First, your target would not be Joe Citizen, because he's not worth enough to blackmail him. What could he give you? 5k? Peanuts. You get that much and more from him by stealing his bank info. And not only from him but from a few thousand other fools. Now we're talking money. So you'd have to turn to companies that rely heavily on the internet for business. For a while it was popular to try to blackmail online betting services, until they beefed up their infrastructure. Companies also more readily turn to law enforcement and consultants that cost a little money, but less than what you try to squeeze from them. No Joe Random can afford that.

In a nutshell, it's more profitable to steal from many small targets than from a large one. After all, it's easy to automate the process, so whether you steal from one or from a thousand targets does not really matter.

Is there a reward? (3, Funny)

gubers33 (1302099) | more than 4 years ago | (#28786261)

Are they wanted Dead or Alive?

Obligatory Short Circuit quote (2, Funny)

megamerican (1073936) | more than 4 years ago | (#28786641)

Number 5: "It's nice to be wanted."

Re:Obligatory Short Circuit quote (1)

timias1 (1063832) | more than 4 years ago | (#28797033)

In regards to your signature, someone at Wired either pulled the article or the link got broken. I have to assume the latter, but the former would be just as likely.

Re:Is there a reward? (0)

Anonymous Coward | more than 4 years ago | (#28787363)

I don't think this is what Jon Bon Jovi had in mind.

Re:Is there a reward? (0)

Anonymous Coward | more than 4 years ago | (#28794979)

Honestly, if some agency posted a reward for the destruction of these botnets which was less than the amount of money that can be made by running one, but large enough to make clever unemployed young geeks stand up and take notice, we'd probably see these things start vanishing.

Or, if not vanishing, at least going rogue and not concertedly attacking or spamming. I'd like to see computer hackers and script kiddies have to actually fight their own kind just to get any "business" done in the future. At the moment, they've got it all too easy.

"despite its celebrity status..." (1)

spacefiddle (620205) | more than 4 years ago | (#28786351)

Yes, for some reason, a widely discussed, analyzed, publicised, dissected threat that everyone knew about just hasn't managed to do as much damage as it might have.

/facepalm

Re:"despite its celebrity status..." (2, Interesting)

rm999 (775449) | more than 4 years ago | (#28786893)

Don't you think it's a problem that a lot of people have never heard of Zeus? I would agree with you if Conficker was the only computer worm/virus out there.

Re:"despite its celebrity status..." (1)

spacefiddle (620205) | more than 4 years ago | (#28798317)

Hmm? That's my point... not enough people DO know about common threats, and if they did, they wouldn't be as effective.

Backwards (1)

sexconker (1179573) | more than 4 years ago | (#28786821)

Who the fuck does a "Top 10" list with number 1 being shown first?

Nobody will click to the second page to read about botnet number 10.

car analogy... (1)

Em Emalb (452530) | more than 4 years ago | (#28786887)

People don't go to the mall and leave their car unlocked*, so why do users think security on a computer is not just as important?

*Yes, there are exceptions, no, you aren't special for being one, but I would enjoy reading your missive on why you don't lock your 1972 Pinto with nothing in it of value.

Re:car analogy... (2, Insightful)

ConceptJunkie (24823) | more than 4 years ago | (#28787001)

People don't go to the mall and leave their car unlocked*, so why do users think security on a computer is not just as important?

20 years of Microsoft trying to convince them security isn't an issue might have something to do with it.

Re:car analogy... (2, Interesting)

Em Emalb (452530) | more than 4 years ago | (#28788041)

How has microsoft convinced anyone for the past 20 years that security isn't important? If anything, I'd say it HAS convinced people security IS important.

Re:car analogy... (3, Insightful)

ConceptJunkie (24823) | more than 4 years ago | (#28788505)

Microsoft has made security a real issue since about 2000, or at least acknowledged it. Since about 2004 they have actually made significant headway solving the problem. Before then, they were pretty much completely negligent on securing their system or making users aware that Windows was like a sieve.

That adds up to about 20 years of ignoring security, the legacy of which is still causing problems today, such as the more than 10 million botted Windows machines across the world.

Re:car analogy... (1)

mcgrew (92797) | more than 4 years ago | (#28787365)

If you have nothing of value in your car, a thief can cause a $200 window repair getting in your locked car. A brick and two seconds is all it takes to "hack" a car. Then when the thief finds he's wasted his time, he may decide to break the rest of your windows.

That said, I lock my car because the stupid thing has a button that opens the trunk from the passenger compartment, despite the fact that there's another one on my keychain. What moron came up with that idea, I wonder?

Re:car analogy... (1)

maxume (22995) | more than 4 years ago | (#28788789)

They figured out it was a misfeature; on my car, the button is in the glove box, which can be locked with the door/ignition key (as a bonus, I have valet keys that will open the door and start the car, but they won't open the glove box or trunk).

Re:car analogy... (1)

mcgrew (92797) | more than 4 years ago | (#28794305)

Mine's right out in the open, but I did discover yesterday (used car, no manual to read) that if you lock the car with the remote, the button inside the car doesn't work. I still may get under the dash and disconnect the button, though.

Re:car analogy... (1)

linzeal (197905) | more than 4 years ago | (#28790745)

There was a story in Oakland a few years ago of a guy who was sick of people stealing his stereo. So he got this great idea, weld some razor blades to the back of the receiver and on the edge of the amps. As far as I know he is serving a 3-4 year sentence for assault with a deadly weapon.

Re:car analogy... (1)

ethanms (319039) | more than 4 years ago | (#28787855)

People don't go to the mall and leave their car unlocked*, so why do users think security on a computer is not just as important?

Well... I don't know if that's an accurate analogy because you know fairly quickly when you return if a thief has stolen something from your parked car.

I think it would be more analogous to think of the malware as an invisible car-jacker who can jump in your car without your noticing when you're driving along the road. That car-jacker waits in your back seat, listening to your conversations (key logging), relaying your location back to its boss, and possibly will take control of your car while you aren't in it, and you might not even know this is all happening.

So I guess it might be better to say "why do people think they can drive through bad neighborhoods with their car doors unlocked" ??? :)

So that would make firewalls and securing exploits like locks and closed windows... and Norton is like a guy who rides around in your back seat and should a car-jacker jump in he yells "Hey who the heck is this?!?" and kicks him out if you say so.

Re:car analogy... (1)

bursch-X (458146) | more than 4 years ago | (#28791035)

Unfortunately the Norton guy would be slightly senile and not notice many of the new kids on the block and let them take over your car anyway.

Re:car analogy... (1)

Opportunist (166417) | more than 4 years ago | (#28793161)

Not only that, but until recently it was easier to trash the car and get a new one instead of trying to get him out of the car at all. He had a bit of leprosy, so if you pulled too hard some bits of him fell off and rolled under your seat, then started to rot and stink up your car, usually enough that you eventually trashed it and got a new one.

But he sure has spiffy clothing.

Re:car analogy... (1)

bursch-X (458146) | more than 4 years ago | (#28791015)

Wrong analogy. Cars make it clear that you have to take action to make your car safe: you lock it. On Windows the only "locking" mechanism obvious to the user is the login/logout. And of course, to bring in another car analogy, if Windows was a car, the doors would have holes everywhere, so you'd just put your hands in, push in the right places and the doors would open; furthermore, your car could be remotely unlocked with any multi-functional TV remote.

Re:car analogy... (1)

stine2469 (1349335) | more than 4 years ago | (#28791133)

I don't have a '72 Pinto, but I have a very beat-up '94 Mustang, and it's better if someone doesn't have to break out the windows to find that there is nothing of value (unless you count Taco Bell wrappers from the '90s) inside.

Re:car analogy... (1)

Opportunist (166417) | more than 4 years ago | (#28793145)

Because they're not losing anything if their computer is compromised. It's content vs. tangible good all over again. I'm fairly sure if the car wouldn't be gone so they can't drive anymore when someone steals it, people would leave the car keys in, because it's more convenient and they can't lose them.

When you hijack their computer, first of all they don't notice it. They might notice their internet connection is getting sluggish at times, but they don't really care too much. FSCKing provider charging for 10mbit and I only get 7, talk about false advertising... but they leave it at that. It still works. Those ad windows are a nuisance, but that's certainly only something that I have to deal with. FSCKing webpages with their full size popup ads... but they leave it at that. It still works.

You will notice that malware goes to extreme lengths to ensure it does NOT cripple the machine to the point where the user cannot use it anymore. I've seen code in malware that makes sure it does not clog the connection so people don't get inconvenienced enough to actually go investigate.

I don't get it... (1)

BlueScreenOfTOM (939766) | more than 4 years ago | (#28787519)

I don't understand why, in this day and age, this shit is still happening. I can think of at least 3 free antivirus applications that anyone with a Windows PC can download and use at no cost, with little or no effort required. Most COTS PCs come with some kind of antivirus software (usually the dreaded Norton, which totally blows but is better than nothing for most average users). Is the problem that people don't know that there are free solutions out there? Is it that people are willingly not installing antivirus? Are these viruses particularly good at avoiding detection? It boggles my mind that that many machines are still being infected.

Re:I don't get it... (1)

vil3nr0b (930195) | more than 4 years ago | (#28787613)

Even more boggling is when ISPs refuse to blacklist these zombies. Kill the modem after you send out a nice letter stating their box is hosed and must be repaired before they are allowed back on the pipe.

Re:I don't get it... (1)

0ld_d0g (923931) | more than 4 years ago | (#28787705)

The Conficker vulnerability was patched months before it was seen exploited in the wild. All that means is people aren't up to date with security updates. I can understand some people being hesitant to install Windows updates in case they break anything. [Though out of tens of thousands of updates, only a handful have broken software that was coded properly in the first place.] But security updates should be installed automatically. I would argue that this should be the default option. If companies want, they can turn it off, but it should be on by default for home users.

Ultimately it's just a lack of awareness.

Re:I don't get it... (3, Informative)

Joce640k (829181) | more than 4 years ago | (#28787735)

Simple: there's always a window between a virus appearing in large numbers and an antivirus updating itself. Get a copy of Virtual PC and try it yourself: get a few viruses from your daily spam. I do it every once in a while, and it can take two or three days for my antivirus to kick in. Today's viruses can disable all the major antivirus programs and prevent you from rebooting in failsafe mode to delete them, so once they're in, they're in. There's no way for the antivirus to get rid of them.

Re:I don't get it... (1)

techno-vampire (666512) | more than 4 years ago | (#28789443)

Can they prevent you from booting from a CD? If so, color me impressed. If not, you can always boot from a live CD with some form of Linux on it and ClamAV. Use that to clean up your system, then reboot into Windows.

Re:I don't get it... (2, Informative)

pandrijeczko (588093) | more than 4 years ago | (#28789921)

I thoroughly recommend the Trinity Rescue Kit [trinityhome.org] precisely for this purpose and for repairing and/or cloning NTFS partitions from a bootable Linux CD.

And, no, I'm nothing to do with any of the team who develop it, I came across it pretty much by accident and have used it ever since.

Re:I don't get it... (1)

raylu (914970) | more than 4 years ago | (#28792191)

Yes, of course that's a solution, but that hardly falls under the OP's "little or no effort required."

Re:I don't get it... (1)

techno-vampire (666512) | more than 4 years ago | (#28792261)

There's a slight misunderstanding here: I wasn't suggesting using a live CD instead of a virus checker running under Windows, I was suggesting it as a "last resort" when other scanners/checkers are unable to do the job. Yes, it's a bit of work (Not that much, really, once you have the CD set up.) but it's a lot better than nuking, paving and reinstalling.

Re:I don't get it... (1)

Opportunist (166417) | more than 4 years ago | (#28793225)

There are many reasons. Allow me to list a few.

First, the obvious one: the user with no AV suite and no brain. He got his computer built by a "friend" who is almost as clueless as he is (or even managed to slap that box together himself), or (worse) thinks he's so damn smart and can get it done for cheap. I.e. hacked Windows (which can't be updated, but hey, it 'works'), AV costs money and those free ones are useless (the former is a matter of about 30-50 bucks a year, the latter simply untrue), and some 'tweaks' that eliminate the last threads of anything resembling security (like making his standard account administrator because then 'everything works'. Yes, indeed, including malware).

Second, the almost as obvious one: the user who has an AV suite but never bothered updating it (or his OS, for that matter). Either because it was disabled for some reason or because he's paranoid enough to avoid any contact with those companies (they're spying on you, after all... ironically, he's handing a lot more info to some people in a country the name of which ends in -stan).

Then the user who had an AV suite that suddenly "stopped working". Probably around the same time his license renewal was due. But hey, it continued to 'work', so why bother?

And finally, my personal favorite, the dancing pig enthusiast. Most of the time a subset of the above, he finds something he REALLY wants to have or see on the internet and installs it, grants it every permission and clicks away every warning. Look up dancing pig in Wikipedia for an explanation, I'm feeling lazy today.

Aside from these groups, which make up something I'd estimate at about 80-90 percent of infections, there's also the battle between malware and malware-fighting groups. And that battle can't really be won easily by the latter.

First of all, you're always on the defense. You're always on the reaction side of the action-reaction equation. You can hardly go proactive and do something in advance. There are simply too many possible entry points for infections, and you don't know what malware will do until you have it in your hands. I hope I'm not giving away trade secrets, but there's currently a strongly exploited 0day in circulation concerning a product from a maker of a well-known graphics suite, document creator and a tool that's very popular with internet games (I guess anyone can guess now who and what product...). Now, AV people are scrambling to find out what kind of exploit it is (currently it seems to have something to do with the graphics rendering engine for certain formats in that product); when they find out how it's exploited they have to figure out a way to detect malware exploiting this hole, then they have to implement a way to detect that, and finally push it to their AV updates.

Yes, that takes a few hours, as you may expect.

So you're always second in that battle.

Now add that it's anything but common anymore to just provide the malware "plain". You have installers (like the one exploiting that 0day) that download encrypted executables (most of the time XORed, good enough to pass most firewalls easily; just XOR with another seed if you get too well known, or use multiple seeds to avoid brute forcing by the firewall), you have executables that are runtime packed and runtime encrypted (they come with their own decryption routine, very tricky for pattern matchers for obvious reasons and for behaviour heuristics because of their erratic behaviour before they're decrypted, not to mention that you get more and more decrypters that don't decrypt-then-run but decrypt on the fly, run, and trash the already executed code)...

I fear we're losing the battle. The way I see it, our only chance is to educate the user. We can't protect him much longer.
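The comment above says single-seed XOR is "good enough to pass most firewalls" and that multiple seeds are used to defeat brute forcing. The following is an added defender's example, not code from the commenter or from any product, showing why a single-byte XOR wrapper is cheap to see through and how byte entropy flags the packed/encrypted case. It brute-forces the 256 possible single-byte keys looking for an MZ header plus the DOS stub string, and reports high entropy as a weaker signal when no key fits. The sample "download" is constructed inline; it is not a real executable.

```python
import math
from typing import Optional

# Known plaintext every PE carries near its start: the "MZ" magic and the DOS
# stub message. These are documented file-format constants, not malware data.
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"

# Packed or encrypted data typically sits near 8 bits/byte; this threshold is
# an assumption chosen for the example, not a vendor figure.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the wrapper the comment describes)."""
    return bytes(b ^ key for b in data)


def find_single_byte_xor_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key under which blob decodes to a PE-like image.

    Only one key can map blob[0] to 'M', so the check is effectively a single
    candidate per blob; the DOS stub test rules out coincidental matches.
    """
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if decoded[:2] == PE_MAGIC and DOS_STUB in decoded:
            return key
    return None


def classify_download(blob: bytes) -> str:
    """Label a downloaded blob for a firewall or proxy inspection hook.

    A repeating multi-byte key defeats this 256-key scan, which is exactly the
    "multiple seeds" trick in the comment; the entropy check still fires
    because XOR with a short key does not flatten the byte distribution much,
    but genuinely packed content would need known-plaintext key recovery.
    """
    key = find_single_byte_xor_key(blob)
    if key == 0:
        return "plain-pe"
    if key is not None:
        return f"xor-encoded-pe key=0x{key:02x}"
    if shannon_entropy(blob) >= HIGH_ENTROPY:
        return "high-entropy"
    return "no-finding"


def build_sample_download(key: int) -> bytes:
    """Constructed stand-in for an encoded executable download (not real code)."""
    plain = PE_MAGIC + b"\x90" * 62 + DOS_STUB + b"\x00" * 16
    return xor_bytes(plain, key)


if __name__ == "__main__":
    print(classify_download(build_sample_download(0x5A)))     # xor-encoded-pe key=0x5a
    print(classify_download(build_sample_download(0x00)))     # plain-pe
    print(classify_download(b"just some plain text with nothing in it"))  # no-finding
```

The scan runs in constant time per blob because only the key that turns the first byte into "M" can succeed, so the cost of this check on a proxy is negligible; the entropy fallback is the signal that survives when the key is longer than one byte.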

BotNet Problem solved. (0)

Anonymous Coward | more than 4 years ago | (#28790947)

Just create an update that wipes a system clean of them. Make it mandatory with all virus protection and firewalls to have a clean slate before a user can access the internet (kinda like that Microsoft update that made ZoneAlarm block internet access). I think the majority of the problem with botnets' success is the user is unaware of the infection.
