Botnets Using Ubiquity For Security

kdawson posted more than 3 years ago | from the whack-a-c-and-c dept.

Trailrunner7 sends in this excerpt from Threatpost: "As major botnet operators have moved from top-down C&C infrastructures, like those employed throughout the 1990s and most of the last decade, to more flexible peer-to-peer designs, they also have found it much easier to keep their networks up and running once they're discovered. When an attacker at just one, or at most two, C&C servers was doling out commands to compromised machines, evading detection and keeping the command server online were vitally important. But that's all changed now. With many botnet operators maintaining dozens or sometimes hundreds of C&C servers around the world at any one time, the effect of taking a handful of them offline is negligible, experts say, making takedown operations increasingly complicated and time-consuming. It's security through ubiquity. Security researchers say this change, which has been occurring gradually in the last couple of years, has made life much more difficult for them. ... Researchers in recent months have identified and cleaned hundreds of domains being used by the Gumblar botnet, but that's had little effect on the botnet's overall operation."

95 comments

I knew Linux had problems! (0, Flamebait)

Saint Stephen (19450) | more than 3 years ago | (#32492122)

I was wondering why a Live CD based version of Ubuntu was helping out botnets.

https://wiki.ubuntu.com/Ubiquity [ubuntu.com]

Re:I knew Linux had problems! (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32492130)

I was wondering why a Live CD based version of Ubuntu was helping out botnets.

https://wiki.ubuntu.com/Ubiquity [ubuntu.com]

i was wondering why the first post in this article went to the niggers

Re:I knew Linux had problems! (1, Funny)

Anonymous Coward | more than 3 years ago | (#32492146)

That's politically incorrect in the extreme. I think the proper term is "original post".

Do niggers use botnets? (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#32492178)

i'm curious..

Re:Do niggers use botnets? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32492366)

Niggers dont use computers...

Re:Do niggers use botnets? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32492502)

Niggers dont use computers...

Correct. They just steal them to get more money for crack.

Mod Parent Funny (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32492296)

That's politically incorrect in the extreme. I think the proper term is "original post".

This is funny you fucks. Not the thousandth repetition of "in soviet russia" or "sharks with lasers on their heads" you damn mouth-breathers.

Re:Mod Parent Funny (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#32492720)

In Soviet Russia, sharks with lasers on their heads say:
- FUCK YOU, mouth-breather! We breathe with our gills. PWNT l01

Re:I knew Linux had problems! (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#32492208)

Do not "whoosh!" the moderators. It makes them angry..

Some news from Australia on this (3, Interesting)

AHuxley (892839) | more than 3 years ago | (#32492198)

http://www.acma.gov.au/WEB/STANDARD..PC/pc=PC_310317 [acma.gov.au]
"The AISI collects data from various sources on computers exhibiting 'bot' behaviour on the Australian internet.
Using this data, the ACMA provides daily reports to ISPs identifying IP addresses on their networks that have been
reported in the previous 24-hour period.
ISPs can then inform their customer that their computer appears to be compromised and provide advice on how they can fix it."

The only question seems to be when will p2p be seen as a botnet, Limewire etc. Will the Anti-Counterfeiting Trade Agreement (ACTA) alter 'bot' behaviour to new areas, ISP use and account 'fixing'?
Will ISPs get powers to pop packets to note 'bot' behaviour early on, rather than seeing their IPs reported back days later?

Re:Some news from Australia on this (1, Insightful)

LordLucless (582312) | more than 3 years ago | (#32492580)

Huh? ISPs already have this power. It's called "owning their infrastructure". If AISI stops providing accurate information, people will stop trusting it. This isn't a mandated cut-off - it's an advisory notice. ISPs aren't even obliged to pass it on.

Re:Some news from Australia on this (1)

AHuxley (892839) | more than 3 years ago | (#32493174)

If AISI stops providing accurate information, people will stop trusting it. This isn't a mandated cut-off - it's an advisory notice. ISPs aren't even obliged to pass it on.
For now. Like when we had filter software for the desktop and now have the vision of a national filter, advisory and obliged can turn into monitor, log, warn and disconnect.
Today's passive friendly note is next year's p2p watcher.

i hear two things get linux users hot and bothered (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32492200)

one is a new distro but close behind is when tyrone tells them to bend over and get ready for some nigger dick in the ass.

ISP accountability (2, Interesting)

drDugan (219551) | more than 3 years ago | (#32492226)

It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network. Yet another example of prices and business practices not matching the real costs of activities.

To me, I would think the real solution, long term, to fixing botnets is creating a tight loop with internal scanning, reporting, warnings, verification, and then turning off Internet connection to machines that are infected. ISPs will need to be "motivated" to take responsibility for actions taken on their network, and they will have to have fully automated systems that take infected machines offline.

It doesn't seem like this is a priority for ISPs yet. It's easier and cheaper to simply ignore the problem.

Re:ISP accountability (2, Insightful)

Muggins the Mad (27719) | more than 3 years ago | (#32492260)

how would the ISP inform the customer that they've been infected?

obviously web or email would just open them up to the usual phishing.

Re:ISP accountability (0, Informative)

Anonymous Coward | more than 3 years ago | (#32492288)

Letter or telephone call. Or even better just shut off their connection and let them call you.

Re:ISP accountability (1)

sqrt(2) (786011) | more than 3 years ago | (#32492310)

Once they lose their connection I have a feeling the customer will take care of initiating the necessary dialog :p

Re:ISP accountability (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32492336)

Here's why an ISP won't do that (disconnect the customer)--because the customer WILL take care of it by SWITCHING ISPs. ISPs hope to MAKE money, not lose it. So they won't do something that drives customers away.

Why should the ISP be responsible for a problem that is the customer's problem anyway?

Re:ISP accountability (1)

sqrt(2) (786011) | more than 3 years ago | (#32492376)

And what if all the ISPs had a similar law? What if they were mandated to by the state? Sounds draconian but it just might force Microsoft and the end user to get their ducks in a row regarding security.

Re:ISP accountability (1)

Lennie (16154) | more than 3 years ago | (#32494152)

Maybe it's just me, but I don't see how this would force Microsoft to do anything.

People will just buy a newer Microsoft operating system or even a whole new computer, to 'fix' the problems they are having.

Re:ISP accountability (1)

OeLeWaPpErKe (412765) | more than 3 years ago | (#32494626)

Furthermore the only real security microsoft could possibly enter to guarantee no viruses is a simple "signed code only" policy (you know, like the iPhone). After that, microsoft has a security-justified veto over what software can run on windows machines.

Let's not propose cures that are far worse than the disease. This suggestion has about the same value as curing a painful toe by killing the patient.

Re:ISP accountability (1)

Lennie (16154) | more than 3 years ago | (#32494866)

The iPhone doesn't have a signed code only policy.

A quote: "Apple supports two platforms. First is HTML5, open and uncontrolled platform. He says the company fully supports it and behind it 100 percent - and stresses that it’s fully open. Second platform is the App Store — a curated platform with more than 225,000 apps and calls it the most vibrant app store on the planet. Interesting reference to curated as a asset of App Store."

The HTML5 isn't signed. ;-)

Re:ISP accountability (1)

OeLeWaPpErKe (412765) | more than 3 years ago | (#32495156)

Is this a joke ?

Imagine if microsoft would say : you can only install microsoft-approved applications, but we include a webbrowser.

Would you call that free ?

thought so

Re:ISP accountability (1)

tepples (727027) | more than 3 years ago | (#32495448)

The HTML5 isn't signed. ;-)

But the HTML5 DOM exposed by Safari does not necessarily expose all useful hardware features. Good luck making an app that displays three-dimensional graphics in HTML5. Good luck making video chat over Wi-Fi in HTML5.

Re:ISP accountability (1)

Sethumme (1313479) | more than 3 years ago | (#32495738)

HTML5 Quake [youtube.com]

Lennie said iPhone (1)

tepples (727027) | more than 3 years ago | (#32495846)

The iPhone doesn't have a signed code only policy. [...] The HTML5 isn't signed.

the HTML5 DOM exposed by Safari does not necessarily expose all useful hardware features.

HTML5 Quake [running on a Mac]

How many frames per second do you get on an iPhone running that app?

Re:ISP accountability (3, Insightful)

JWSmythe (446288) | more than 3 years ago | (#32492460)

You know, that's very true. Residential customers may stick with their provider (how many AOL users are still out there), but hosting customers will jump ship if they get disconnected. I had a friend whose SQL server got unplugged when a MSSQL worm was going around. It wasn't infected, but for the "safety of the datacenter" one of the techs walked around and pulled the power cord on any machine labeled "SQL". He called, and they couldn't resolve the problem. They said "we don't see anything wrong." When he got there, he found his machine was unplugged, just like quite a few other customers' SQL boxes. Two days later, his equipment was in another datacenter.

Re:ISP accountability (1)

LingNoi (1066278) | more than 3 years ago | (#32494058)

Since everyone on slashdot regularly complains that they don't have a choice in ISPs I doubt that'd be a problem and let's be honest, if a non-slashdot person got that kind of notification their first thought wouldn't be "I must change ISPs" it'd be either:

  1 - Lie to the ISP, "yeah it's fixed"
  2 - Panic and get their computer cleaned.

Re:ISP accountability (1)

Sancho (17056) | more than 3 years ago | (#32492590)

Really? Is it that easy to get ahold of your ISP? Around here, I'm lucky if I can get someone on the phone after 30 minutes on hold, and that's without hundreds of people calling about deactivations.

Re:ISP accountability (1)

ben_kelley (234423) | more than 3 years ago | (#32493078)

My ISP sends an e-mail to customers in this case. The e-mail says to contact the ISP.

Yes there is a phishing risk, but given that most people don't expect these kinds of e-mails, there is not much more phishing risk than if they didn't send them. I'd be suspicious of an e-mail from my bank asking me for my password, regardless of whether my bank normally sends me such e-mails or not.

Re:ISP accountability (3, Insightful)

Cylix (55374) | more than 3 years ago | (#32492292)

The cost to the ISPs would be fairly significant. It's not simply the potential lost revenue from disabling unwitting users, but forcing the issue will also generate a good deal of customer interaction. Talking with customers will generally result in additional costs as well as dealing with potential infections.

It's not an act of benevolence, but rather it is assuming responsibility. If you don't treat the issue for the customer then they may simply take the path of least resistance, i.e., they may ultimately simply find another provider. Conversely, attempting to correct the problem will also result in issues as you now have the responsibility of restoring the customer's computer to working order.

Ultimately, all of these risks and more would have to outweigh the costs of fixing the problem. I'm glad I don't have to deal with these kinds of issues anymore because trying to pitch an act of altruism to the company owner probably would not have worked.

With that said there are basically a few ways to approach the issue. Tighter regulation which states ISPs have to shepherd their flock, fines on non-compliance or grants to award certain infection threshold reductions. In the end it really is about making one choice more expensive than the other.

Re:ISP accountability (3, Interesting)

Splab (574204) | more than 3 years ago | (#32492370)

BS, ISPs are just lazy. Here in Denmark at least a couple of the ISPs will actively block your connection if they detect botnet-like activity from your machine. When flagged any requests will be directed to a homepage where they tell you that you probably are infected and ask you to contact support for further assistance.

Re:ISP accountability (3, Interesting)

Anonymous Coward | more than 3 years ago | (#32492424)

It's a very dangerous route to go down. If all ISPs did that, I'm pretty sure that botnets would start encrypting their C&C data. Then what? If you just block all data you can't understand, say good-bye to VPN, legit p2p applications, and private communications between actual people.
Of course, if you detect that your customers are ddosing some server, that's a different story.

Re:ISP accountability (1)

AHuxley (892839) | more than 3 years ago | (#32493182)

Use banking ports and encryption :) With today's CPUs would the end user notice :)

Re:ISP accountability (1)

dropadrop (1057046) | more than 3 years ago | (#32494166)

Make darknets / honeypots to detect your customers trying to infect other hosts on your network(s). You are saying there is no point trying to fight infected machines that are part of bot nets because if you succeed in taking them down they will further improve the design of the botnet? And the alternative is?

Re:ISP accountability (1)

moeinvt (851793) | more than 3 years ago | (#32494504)

" . . . And the alternative is?"

Do your best evil laugh and go over to the dark side.

Re:ISP accountability (1)

marcosdumay (620877) | more than 3 years ago | (#32495794)

You mean... They cut your connection, and will only restore it if you pay some extra fees? They'd better not make any mistake and cut a clean machine.

Re:ISP accountability (1)

Splab (574204) | more than 3 years ago | (#32501026)

Where did you get that from? Where in my post does it suggest they charge customers for this?

Botnet and spam activity cost bandwidth, it's in the interest of the ISP to get rid of it - no one would dare charging for this service, when I worked in NOC for one of them we would happily guide you through installation of free anti virus and help you clean it up.

You know, there are still countries in this world where companies try to satisfy their customers.

Re:ISP accountability (1)

marcosdumay (620877) | more than 3 years ago | (#32501938)

Yep, I misread it. When you said "asks you to contact support for further assistance", I instinctively assumed the support was paid. I can think companies may try to satisfy their customers, but ISP doing so is such an exotic concept, I didn't grasp it at first. That is bad :(

Re:ISP accountability (1)

Cylix (55374) | more than 3 years ago | (#32507082)

You are thinking in terms of small to no impact with such an administrative change. In any environment with a significantly large customer base this would be handled by customer service representatives. They will generally be trained and have material for troubleshooting connection issues.

Now, you have to support removing or explaining why the infection is a problem and deal with the issue.

Is it cheaper to allow the customer to consume bandwidth or deal with the problem? Since many organizations already have caps in place it may not actually be an effective deterrent, i.e., does the infected host really consume 250 GB-ish a month?

The dynamics change a great deal when we are speaking terms of large profit driven organizations. Costs and changes have to be justified and someone along the chain is going to question the necessity of it.

Small shops can get by with being the altruistic good guy because it really won't generate an impact and will likely only burn spare cycles.

Re:ISP accountability (1)

SCHecklerX (229973) | more than 3 years ago | (#32495826)

Dumb solution. ISPs are idiots. They detect valid mailing lists as 'botnet activity from your machine'. No thanks. They give me a pipe and the bandwidth I pay for. They aren't the Internet Police. Maybe if they'd listen to customer complaints about other customer traffic, or better yet THEIR OWN. I once had a firewall crash because its log partition filled due to the raw amount of invalid DHCP traffic the ISP was spewing over the line from one of its own servers. And you want me to trust *THEM* with the authority to arbitrarily disconnect me from a service that I pay for?? I don't think so.

Re:ISP accountability (1)

Splab (574204) | more than 3 years ago | (#32501076)

Sounds like you are the moron my friend.

1. This is for consumers, want something where you can freely spam, sorry, send out on mailing lists? Go buy a line designed for that. Don't know of any ISP in Denmark that let any traffic pass from consumer to port 25
2. You claim to be such an avid user, yet your firewall crashes from something as simple as log entries?

Your kind is the worst to support when you sit in the NOC, you know just enough to fuck up big time, jargon enough to get through level 1 and 2, yet act like an asshat when we kindly point out that it's in fact you who has put the router on the wrong way around...

Re:ISP accountability (1)

Cylix (55374) | more than 3 years ago | (#32507056)

Having actually performed both as a system and network engineer role at a fairly large ISP in my youth it isn't any concept of being lazy.

This is especially true when you get to larger corporate environments, which translates to a single decision affecting hundreds of thousands of customers. At a given level of customer volume even small changes have larger repercussions.

Sure, if you have a lower than 5000 sub count you can get by with helping everyone fix their computer. It's not like the office will be fielding a very large call volume.

However, the point I am stating is that if it is cheaper to ignore the problem then the problem will be ignored. Right now all it costs the current crop of companies is bandwidth. They suffer no ill will if their customers inadvertently take a bank or small country offline.

Re:ISP accountability (2, Insightful)

Anonymous Coward | more than 3 years ago | (#32492406)

"...fines [fining ISPs] on non-compliance..."

Why not fine the actual owner of the computer that's causing the problem? That would generate more motivation both to ISPs and end users. The user would seek an ISP that has excellent and quick detection and alerting facilities to protect him/her from fines. The user would be motivated to keep his/her machine more up-to-date. The user would have monetary motivation to purchase help if he/she can't administer his/her own computer effectively from someone competent.

Targeting the ISP only will just raise rates and make users hate their ISPs more. And why should the ISP (who doesn't own the computer that's infected, who didn't click on the phishing link, who didn't install that trojan toolbar, but only provided, at the END USER'S REQUEST, a connection that allowed the user to accomplish this) bear responsibility and not the end user?

I think too many end-user slashdotters are lazy and want someone else to nanny-state-take-care-of-them instead of bearing personal responsibility. *sigh* That's pretty much the state of modern society... Mama/papa government will take care of us!

Re:ISP accountability (1)

OeLeWaPpErKe (412765) | more than 3 years ago | (#32494708)

Why not fine the actual owner of the computer that's causing the problem?

Great, except of course that it can only work by
1) bringing all IP address assignments under government control, down to the individual user (translation : goodbye p2p, for obvious reasons)
2) creating a world government that has enforcement capabilities in all internet-connected countries (translation : bye-bye piratebay, wherever you host, you get shot)
3) obviously since this method has zero use unless truly every country participates, what are we going to do ? Attack any non-compliant government ? Disconnect them ?
4) it provides a slippery slope : what if Saudi Arabia starts demanding no women connect to any machine in their country ? Now they have a way to enforce that.

Re:ISP accountability (1)

Cylix (55374) | more than 3 years ago | (#32507120)

Slightly more on the extreme side, but some valid points as well.

Once you create an infrastructure to easily identify everyone such an infrastructure would be abused to no end.

Re:ISP accountability (1)

Cylix (55374) | more than 3 years ago | (#32507108)

To identify a user would require a subpoena for the information.

This would be a significant cost and undertaking across multiple jurisdictions, i.e., the crime detected in New York, but the bots would be scattered across the United States and globe. Also take note of the volume of dealing with 1000s of subpoenas across the nation.

To me it seems like such a system with the current infrastructure would be more affordable to ignore.

The point is it has to cost more to not treat the infection as opposed to the costs of not dealing with it. Likely, the only way to really force someone to deal with the problem is to artificially inflate the cost of not dealing with the issue.

Re:ISP accountability (5, Insightful)

girlintraining (1395911) | more than 3 years ago | (#32492356)

It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network.

And the moment they do that, they'll be expected to police for other illegal or immoral activity, like video and music downloading, content monitoring, deep packet inspection, and more. The operating costs go up as well, making them less competitive compared to other ISPs that do not monitor their customers' habits.

No, security needs to be managed by the owner of the machine. The ISP only has the responsibility to ensure that the customer has reasonable access through its networks, and perhaps a measure of QoS filtering/rate limiting/etc., to manage a shared (and limited) resource. Unless the bot is commanding the machine to use lots of network resources, its impact to other users is negligible from the ISPs perspective.

Re:ISP accountability (1)

tepples (727027) | more than 3 years ago | (#32495482)

Unless the bot is commanding the machine to use lots of network resources, its impact to other users is negligible from the ISPs perspective.

Except that in most cases I know about, the bot is in fact "commanding the machine to use lots of network resources".

Re:ISP accountability (3, Insightful)

Urza9814 (883915) | more than 3 years ago | (#32492442)

It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network.

And why should they be? If I sell you a fishing line, it isn't my job to ensure you don't choke somebody with it. Or for an even better analogy, look at the phone networks. Generally, if someone is calling you on the phone and harassing you, the phone company will not disconnect that person. They'll offer to change your number. It takes a _lot_ of complaints for them to cut off service to an offender. Same thing goes on the internet. Yes, botnets _will_ eventually be cut off, but it takes a lot of complaints. Otherwise, who decides what's malware?

Re:ISP accountability (1)

dropadrop (1057046) | more than 3 years ago | (#32494180)

But if you rent him a fishing line the situation might be different. Once he returns it you would be in possession of a murder weapon. Which part of your internet connection did the ISP sell to you?

Re:ISP accountability (1)

Urza9814 (883915) | more than 3 years ago | (#32504564)

So? You aren't going to get arrested just because you happened to rent someone a tool and they used it to kill someone. I mean you might get arrested initially if they discover that you have the fishing line, but you'll be let go. I mean, assuming a perfect world and all (because this is all about what _should_ happen), you would prove you didn't have the fishing line at the time the guy was killed, and you would be released without any charges. Possession of a murder weapon isn't a crime.

Re:ISP accountability (1)

dropadrop (1057046) | more than 3 years ago | (#32506812)

The question is maybe more of what your responsibility is when you know somebody is at this moment using the fishing line to kill people. If you had a button you could press that would make the murder weapon vanish, should you just shrug as you won't be prosecuted anyway?

Re:ISP accountability (3, Informative)

FrankieBaby1986 (1035596) | more than 3 years ago | (#32492450)

They do exactly that at my University. Students get disconnected from the network when a bot or worm or rootkit is detected. I'm not sure what methods they use to detect, but when this happens, the user is REQUIRED to bring their computer to the Residential Computing Desk and have it reformatted. (They are allowed to and assisted with make(ing) backups of their personal files.)

The users are sent an email informing them of the situation, but usually they never get it, and just visit or call the desk when their internet won't work.

It's always pretty funny (but rare) when a Mac needs to be reformatted, the user is almost always blown away that they can be infected.

Re:ISP accountability (1)

Sancho (17056) | more than 3 years ago | (#32492618)

They are almost certainly just using some sort of IDS (or "network virus scanner", which amounts to the same thing in the security appliance world.) Unfortunately, these are usually fairly prone to false positives. It wouldn't surprise me at all if the Macs that were caught were falses.

Skype, for some reason, really throws our IDS for a loop. Whenever a machine that has just been reimaged triggers our IDS, invariably the user had started Skype just before the alert was triggered. But other software causes problems, too. We've even had people copying infected files in plaintext trigger various SMB-related signatures, even though the machines themselves were not compromised.

Lots of universities use IDS, but I don't think so many go to those lengths (requiring a reformat.)

Mac Infections (1)

Cheech Wizard (698728) | more than 3 years ago | (#32493830)

Specifically, what Mac infections have you found and had to reformat the drive to remove?

Re:Mac Infections (1)

FrankieBaby1986 (1035596) | more than 3 years ago | (#32503620)

To both my HelpDesk and the User's frustrations, the only information the lockout system gives us is usually "Misc Bot" or "Misc Bots". It sucks having to tell users that when they ask just why they need to be reformatted.

Re:ISP accountability (1)

operagost (62405) | more than 3 years ago | (#32496614)

Students get disconnected from the network when a bot or worm or rootkit is detected. I'm not sure what methods they use to detect, but when this happens, the user is REQUIRED to bring their computer to the Residential Computing Desk and have it reformatted.

God forbid you get a false positive and they wipe out your machine for it. It seems like every major AV marks remote administration programs as malicious backdoors now.

Re:ISP accountability (1)

zix619 (802964) | more than 3 years ago | (#32499314)

By analogy to viruses and human beings, in any human society sick people (infected by viruses) go around the city without being bothered, nobody will ask the public transport system to scan the users and bar sick people from taking the bus in order not to infect other people in the bus. this should be the same for ISPs! Just in case of very malicious behavior the ISP should intervene to bar access to its network!

They seem to throttle their "attacks" as well. (5, Interesting)

RobertSeattle (1345313) | more than 3 years ago | (#32492234)

My small 16 person company gets an average of 300K Directory Harvesting emails a day - everyday - day in day out. All I have to say is I appreciate the jerks running the botnets for not killing my domain with 30 Million of these a day. They throttle their crap to a certain level somehow so they are annoying but not crippling. Gee, thanks, I guess.

Re:They seem to throttle their "attacks" as well. (4, Insightful)

noz (253073) | more than 3 years ago | (#32492430)

There's no point sending any spam, if not your estimated 30 million messages, only to collapse the server and not relay the messages to the recipients.

The botnet operators probably think of this as an optimization problem and not good manners.

Re:They seem to throttle their "attacks" as well. (2, Interesting)

JWSmythe (446288) | more than 3 years ago | (#32492480)

Tie your spam filtering software into your firewall. Nothing says loving like dropping their inbound traffic. :) We only receive about 20k spams/day now (versus more than 300k before), just by having rolling blacklists based on spammy inbound traffic. You'll get a handful through, but nothing else will come in for days.

Re:They seem to throttle their "attacks" as well. (2, Insightful)

timmarhy (659436) | more than 3 years ago | (#32492668)

You can go one better and implement a tarpit which actually costs the spammer money by delaying their emails. Every second they are delayed is a second they can't spam another mail server, frustrating their efforts. http://en.wikipedia.org/wiki/Tarpit_(networking) [wikipedia.org]

Re:They seem to throttle their "attacks" as well. (1)

Fumus (1258966) | more than 3 years ago | (#32492798)

I'm not really knowledgeable about e-mail servers so I can't tell it from the wikipedia article. Does this method work only for computers sending out spam, or can it be run on everyone's server and cause spam-bots to slow down noticeably? If the latter, I'm surprised it's not standard practice worldwide.

Re:They seem to throttle their "attacks" as well. (0)

Anonymous Coward | more than 3 years ago | (#32493154)

The principle is pretty straightforward:

  1. Attacker [Spammer] connects to mail server
  2. Connection is picked out of the OS queue by the mail server software
  3. The connection is opened but the mail server ignores the attacker's messages for a few seconds
  4. The ignored connection is finally processed

This essentially forces the spambot to wait before the mail server will service the request; this reduces the available spam bandwidth from "as fast as I can connect and throw crap through my up pipe" to "whenever the mail servers feel like getting around to listening to my request".

The obvious reason for it not being implemented is that it isn't obvious due to counter intuitiveness (You are intentionally making your server less efficient/performant in order to harm attackers). The wikipedia page also mentions it harming "legitimate" mass mailing like mailing lists, I'm doubtful that the volume of mailing list messages is anywhere near as high to be severely affected; but it's been a while since I read anything about SMTP.
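The two defences described in this sub-thread (JWSmythe's rolling blacklist fed to the firewall, and the tarpit delay explained above) combined into one piece of decision logic, as an added example that is not code from any of the posters. Addresses, thresholds and the connection events are constructed; feeding the "block" verdict to a real firewall is left out.

```python
"""Tarpit + rolling-blacklist policy for an SMTP front end (added example).

Per source address it keeps the timestamps of recent connections. A few
connections per minute are served normally; beyond that each connection
is answered only after a growing delay (the tarpit); a source that keeps
hammering is handed to the firewall for a temporary block, and its
entries expire on their own (the "rolling" part).
"""
import time
from collections import defaultdict, deque

WINDOW = 60.0        # seconds of connection history kept per source
TARPIT_AFTER = 5     # connections within WINDOW before delays begin
BLOCK_AFTER = 20     # connections within WINDOW before a firewall block
MAX_DELAY = 30.0     # cap on the per-connection tarpit delay (seconds)
BLOCK_TTL = 600.0    # lifetime of a firewall block (seconds)


class TarpitPolicy:
    def __init__(self):
        self.hits = defaultdict(deque)   # addr -> recent connect timestamps
        self.blocked = {}                # addr -> block expiry time

    def _recent(self, addr, now):
        """Drop timestamps older than WINDOW and return the remaining queue."""
        q = self.hits[addr]
        while q and now - q[0] > WINDOW:
            q.popleft()
        return q

    def decide(self, addr, now=None):
        """Return ("block", seconds_left), ("tarpit", delay) or ("accept", 0.0)."""
        now = time.time() if now is None else now
        expiry = self.blocked.get(addr)
        if expiry is not None:
            if now < expiry:
                return ("block", expiry - now)   # still on the blacklist
            del self.blocked[addr]               # block has rolled off
        q = self._recent(addr, now)
        q.append(now)
        n = len(q)
        if n >= BLOCK_AFTER:
            self.blocked[addr] = now + BLOCK_TTL  # hand to firewall, with TTL
            return ("block", BLOCK_TTL)
        if n > TARPIT_AFTER:
            # delay doubles with each further connection inside the window
            return ("tarpit", min(MAX_DELAY, 2.0 ** (n - TARPIT_AFTER - 1)))
        return ("accept", 0.0)


def simulate(events):
    """Replay constructed (timestamp, addr) events in time order."""
    policy = TarpitPolicy()
    return [(addr, *policy.decide(addr, ts)) for ts, addr in sorted(events)]


# Constructed sample: one source opening a connection every second for 25 s,
# and one ordinary sender that connects twice.
SAMPLE_EVENTS = [(float(i), "198.51.100.7") for i in range(25)] + [
    (3.0, "203.0.113.9"), (40.0, "203.0.113.9")]

if __name__ == "__main__":
    for addr, verdict, value in simulate(SAMPLE_EVENTS):
        print(f"{addr:14} {verdict:7} {value:6.1f}")
```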

Re:They seem to throttle their "attacks" as well. (0)

Anonymous Coward | more than 3 years ago | (#32493402)

But if it's a botnet sending the spams, then a tarpit will only make individual nodes wait. So what? The nodes aren't sending spam as fast as they can anyway, that would be too obvious and would lead to the machine being cleaned out. They're waiting most of the time anyway, so a tarpit wouldn't have any effect.

Can we call a spade a Windows machine? (-1)

Russ Nelson (33911) | more than 3 years ago | (#32492314)

One of these days, some victim of a botnet is going to initiate a class action lawsuit against Microsoft for publishing an insecure operating system, with the injured parties being the people whose machines were induced to participate in a tort.

Re:Can we call a spade a Windows machine? (2, Informative)

upyourshomo (1803732) | more than 3 years ago | (#32492786)

Your comment is pretty much the most retarded thing I've read all day on Slashdot. Congrats.

Re:Can we call a spade a Windows machine? (0)

Anonymous Coward | more than 3 years ago | (#32495478)

"One of these days, some victim of a botnet is going to initiate a class action lawsuit against Microsoft for publishing an insecure operating system, with the injured parties being the people whose machines were induced to participate in a tort." - by Russ Nelson (33911) on Tuesday June 08, @12:11AM (#32492314) Homepage

Ok Russ, per what I've quoted from you (seeing as you've been thoroughly "brainwashed" by the "wannabe slashdot samurais" around here on /., which many others know of, even in respected publications such as INFOWORLD here -> http://hardware.slashdot.org/story/10/06/07/1518216/Six-More-Tech-Cults [slashdot.org] from this week no less)?

Let's review some facts & figures from a respected security vulnerabilities gathering website (SECUNIA.COM) where we can see the number of known security vulnerabilities in each of the major "big 3" OS' in use (Windows 7, Linux 2.6x (kernel only, would be more with say, KDE/Gnome or BA$H security vulnerabilities added mind you), & MacOS X):

---

Linux 2.6x KERNEL SECURITY VULNERABILITIES CURRENTLY AS OF THIS DATE 06/08/2010:

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 5% (11 of 217 Secunia advisories)

(Additionally, that's JUST THE KERNEL/CORE OF THE LINUX OS ALONE (how much more would be added by diff. distros & their softwares/shells etc.- et al?))

---

APPLE MacOS X SECURITY VULNERABILITIES CURRENTLY AS OF THIS DATE 06/08/2010:

---

http://secunia.com/advisories/product/96/?task=advisories [secunia.com]

Unpatched (approximately) 1% (8 of 1233 Secunia advisories)

---

MICROSOFT WINDOWS 7 SECURITY VULNERABILITIES CURRENTLY AS OF THIS DATE 06/08/2010:

---

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 13% (2 of 16 Secunia advisories)

REMEMBER/AGAIN: This is the ENTIRETY of Windows 7 being analyzed - not just its kernel, as is the case with Linux 2.6x above... & ONLY 2 security problems are present!

Top that off with the fact that 1 of them IS EASILY "worked-around" no less, in the AERO problem!

The other will also be fixed, most likely, TODAY in FULL, also (as it is "Microsoft 'Patch Tuesday'" & what-not & I wager BOTH of the security vulnerabilities in Windows 7 will be fixed by then (less emphasis on AERO issue though, as it has a valid working safe "work-around" & MS tends to not concentrate on those as much, because they have easy work-arounds (turn off the THEMES service? You turn off AERO GLASS in essence is why, easy & works)))

----

So, we have security vulnerabilities issues in Windows, Linux, AND MacOS X (but, less apparently in the current builds of Windows (7, Server 2008) than there is in Linux OR MacOS X in terms of numbers of security vulnerabilities present!)

That also includes the fact that Windows 7 has MORE being checked on too, ala the Windows kernel/core AND ITS OS SHELL in this analysis... not just kernel's like Linux 2.6x shown above!

(Thus again - There are most likely even MORE security holes in Linux, especially if you toss on GUI shells & window managers most likely, inclusive of diff. distros' variations of both to compound that more).

(Sure, now I am certain I will also see repliers here to my post here say

"but the 2 security vulnerabilities in Windows are 'remote' in nature"

Well, newsflash - ANY OF THESE SECURITY VULNERABILITIES REALLY "BOIL DOWN" TO BEING LOCAL, IN THAT SOONER OR LATER, THEY HAVE TO "TOUCH" THE LOCAL SYSTEM ANYHOW IN ORDER TO EXPLOIT THEM PERIOD!)

---

So, can Windows be secured far better than it comes "out of the box/oem-stock"? Absolutely. Heck, any OS usually can be... such as is shown here:

----

HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA/Windows 7 (+ make it "fun-to-do" via CIS Tool Guidance & beyond):

http://forums.theplanet.com/index.php?s=a3272f47031ff9e8939bf662e3a7b7fe&showtopic=89123 [theplanet.com]

(Much of what's in it "principles-wise" (uses the concept of "layered security") & yes, tools-wise, can also be applied to LINUX (or other *NIX variants too like MacOS X (done via Apple's guide for this, no CIS Tool exists for MacOS X, sorry) + other BSD variants, Solaris, etc.) & e.g. -> There is a CIS Tool for them also (again, except MacOS X, but Apple's got a GREAT GUIDE for this too though, but you have to do it manually yourself using its guidance), as it is a cross-platform benchmark for security analysis, and it's been highly rated over time by various sources in publications like Computer World & others also)

----

A small sampling of quoted testimonials from Windows users who applied it (THRONKA in full, for himself, his family, friends, & even clients - plus, Kings Joker who is only using a FRACTION of that guide's points, in his tests of the effectiveness of using a HOSTS file alone to help secure himself (and, with good reasons, once you see WHY he has to do so, below)):

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2 [xtremepccentral.com]

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3 [xtremepccentral.com]

"It's 2009 - still trouble free! I was told last week by a co-worker who does Active Directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in Windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a LAN party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my hosts file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

http://forums.theplanet.com/index.php?s=80bbbffc22d358de6b01b8450d596746&showtopic=89123&st=60&start=60 [theplanet.com]

"the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault. keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET

(ALSO - This LAST gent's testimonial IS an "interesting case": He is running Windows 2000 no less, with NO SERVICE PACKS &/or HOTFIXES present either, and no antivirus OR antispyware programs running resident "in the background" constantly either, in order to test the efficacy of a custom blocking HOSTS file vs. malware makers' "wares & 'heinous machinations'", & so far, for over 1/2 yr. now? Those are his results above... not bad, eh?)

----

(Those results are only a SMALL SAMPLING TOO, mind you - I can produce more such results, upon request, from other users & sites online)

HOWEVER/BOTTOM-LINE HERE: Once more, per your quoted statements above? IT APPEARS THAT WINDOWS 7 (Microsoft's "latest/greatest" Windows NT-based OS offering, in its entirety, not just its core/kernel being analyzed which IS THE CASE WITH LINUX 2.6x stats here no less & would be more with its KDE/Gnome errors listed for example as well) has fewer known security vulnerabilities than do BOTH MacOS X &/or LINUX latest offerings... period!

APK

P.S.=> People here with their "anti-microsoft/anti-Windows" take on things amaze me in their "one-sided zealotry", they really do (especially when they say "down with Windows" etc./et al, but, don't back up anything said of that nature with some facts/figures/analysis).

Fact is, this: MOST every modern OS can be secured far, Far, FAR BETTER than they come "oem stock", & things like SeLinux show anyone this much in the Linux world alone!

(That is, IF you take the time to activate it, if it is NOT active by default (not every distro of Linux has it "bolted on", or even turned on & if it is? It still can be "security-hardened" more))

Just as the security guides Apple provides for MacOS X users on their website which goes FAR ABOVE & BEYOND the std. oem stock/out of the box setup of MacOS X!

(Actually, the guide @ Apple for security hardening MacOS X is much like the guide's points I put up for Windows users (which, once more/can't stress this enough, uses the CIS Tool & that extends to many *NIX variants also (sorry, no MacOS X though) such as Linux, Solaris, & other BSD variants too - NOT just Windows only!))... apk

Efficiency (4, Interesting)

w00tsauce (1482311) | more than 3 years ago | (#32492388)

I for one think botnets are uber cool, a testament to the efficiency of the internet. Using computers that would normally sit idle to do something, even if it's detrimental is just plain cool. I also think botnets foreshadow the future of the internet, where most applications work by p2p instead of the normal client-server relationship.

Re:Efficiency (0)

Anonymous Coward | more than 3 years ago | (#32492750)

I really hope you get a bot/trojan that steals your personal info and hurts you in some way.

Re:Efficiency (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#32493142)

Would you call the Nazis uber cool? Their extermination techniques were certainly a testimony to industrialisation. Is that cool? Is *that* "cool"? Well is it? Yes or No?

Re:Efficiency? (0)

Anonymous Coward | more than 3 years ago | (#32493198)

It's only cool if you make a conscious, informed decision to allow your "idle computing time" to be made available for other purposes. A hijacked computer being used for detrimental purposes isn't cool, it's just criminal activity on the part of the hijackers.

I fear botnets foreshadow the end of the Internet as we know it.

I do NOT welcome our botnet overlords!

Re:Efficiency? (1)

Psaakyrn (838406) | more than 3 years ago | (#32493486)

Alternatively, there can come a time where we no longer "own" our computers, only license them. Then, during idle-times, the companies owning the license can justifiably use your system to do other computing-intensive processes.

Or better yet, do the same, except always have a subsection of your computing processes relegated to said computing processes (such as mission-critical services like emergency broadcasts and tracking). For that note, there are plenty of reasons why to diversify and spread out computing as opposed to putting it in a single central location.

Re:Efficiency? (0)

Anonymous Coward | more than 3 years ago | (#32496426)

Alternatively, there can come a time where we no longer "own" our computers, only license them. Then, during idle-times, the companies owning the license can justifiably use your system to do other computing-intensive processes.

Or better yet, do the same, except always have a subsection of your computing processes relegated to said computing processes (such as mission-critical services like emergency broadcasts and tracking). For that note, there are plenty of reasons why to diversify and spread out computing as opposed to putting it in a single central location.

That might make sense if the cost of computing infrastructure was going up instead of down. But it's not. As it becomes cheaper for individuals to build/maintain their own infrastructure, the likelihood of total dystopian control decreases (even as it appears to increase as governments et al. appear to finally be 'getting it').

I'm not saying that there aren't going to be conflicts and subversiveness needed to keep the ways clear, just that it's going to be hard for a society to put a complete choke hold on communication.

Re:Efficiency? (0)

Anonymous Coward | more than 3 years ago | (#32496528)

In Corporate America, computer owns YOU!

Finally a use for Firefox Ubiquity? (0, Offtopic)

lordlod (458156) | more than 3 years ago | (#32492414)

Sadly no.

It turns out even botnetters haven't yet figured out a good use for Mozilla's Ubiquity extension.

The solution is at the ISP level, not at MS... (0)

Anonymous Coward | more than 3 years ago | (#32492420)

It's hopeless to think MS will one day provide an OS that won't be zero-day exploited when IE 19's HTML8 bold tag is found to allow a buffer overrun, so the solution lies elsewhere...

Once the impact on the economy shall be too important (it really ain't today: the world is pretty much running fine, despite the hundreds of millions of bots/zombies) the solution will be at the ISP level.

Machine found to be part of a botnet -> a unique webpage explaining why your system cannot access the Internet anymore.

Apple will like this day, because quite some people will dump their PC and buy Macs ;)

Re:The solution is at the ISP level, not at MS... (0)

Anonymous Coward | more than 3 years ago | (#32492802)

Because Macs can't be 0wned, right?

DAAA DA DAAA DA DA DAAA DA DA DA DAAA DAAA (3, Funny)

identity0 (77976) | more than 3 years ago | (#32492456)

top-down C&C infrastructures, like those employed throughout the 1990s

My C&C keeps going down because the &*#$ing Harvester goes after Tiberium next to the enemy tanks :(

With many botnet operators maintaining dozens or sometimes hundreds of C&C servers around the world at any one time

Oh I wish.

Re:DAAA DA DAAA DA DA DAAA DA DA DA DAAA DAAA (1, Informative)

Anonymous Coward | more than 3 years ago | (#32492528)

My C&C goes down when the other guy builds Mammoth Tanks on the same grid location as his Tesla Coil.

Re:DAAA DA DAAA DA DA DAAA DA DA DA DAAA DAAA (0)

Anonymous Coward | more than 3 years ago | (#32494124)

http://www.youtube.com/watch?v=PrwnJDQy0ic

This is not news (0)

Anonymous Coward | more than 3 years ago | (#32492652)

P2P botnets have been around for a while.

Bring back the biff! (2, Informative)

Puff_Of_Hot_Air (995689) | more than 3 years ago | (#32493552)

Years ago, virii held more fear for the average punter as they would literally trash your O/S, data, everything. The thing is, these viruses did far less real damage than the trojans and botnets of today. We need some well-meaning black hats to write some old school virii. Viruses that knock those old unpatched boxes right off the web. It's time we brought back the biff!

Re:Bring back the biff! (1)

Puff_Of_Hot_Air (995689) | more than 3 years ago | (#32493624)

Apologies to everyone who is not an Australian rugby league fan, and for whom the phrase "bring back the biff!" will have no meaning.

Clarification please... (1)

hesaigo999ca (786966) | more than 3 years ago | (#32495292)

So you are telling me instead of loading all the botnets with just a script to log on and receive commands, that a lot of them now are also quasi C&C centers...wow, imagine that, who would have thought, instead of making just drones, they are making more generals too....sounds a lot like C&C (command and conquer) strategy.... ; )

I always thought the best botnet would be compromised machines that use torrent abilities to get pieces of itself that are still missing, but start with smaller parts, then once the full operation is up, you have a program running that is both a drone and general...the general part being the main build centers, as soon as a new torrent file is out, with the latest info for C&C strategies, it is propagated into all other drones using torrent streaming, almost immediate replication of the next phase of an attack vector....i would also use the dates of the torrent files to know which is the newest....and maybe hide the name of the file amongst many torrent sites, like a pdf doc or something, that has value on a quick look, but hidden within is the set of commands...

yeah, sounds like I might be busy this weekend after all.....

Decentralization (1)

selven (1556643) | more than 3 years ago | (#32495746)

Decentralization makes things more robust. I think we've known that for about two decades now.
