
Eavesdropping on a Botnet

ScuttleMonkey posted more than 7 years ago | from the like-a-soap-opera-for-geeks dept.


wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"


185 comments

Empty Words. (1, Flamebait)

Enoxice (993945) | more than 7 years ago | (#15941782)

FTFA: "Stewart successfully started spying on the control channel, but there was not much to see."

In other words: nothing to see here, just remember to patch your computers.

Seriously, I was hoping for some real news, because I find malware incredibly interesting. Alas, TFA was a let-down...

bot free, really... (2)

MeatFlap3 (741121) | more than 7 years ago | (#15941785)

I would imagine this applies only to the BORG boxes out there... So if you are running Solaris on SPARC, are you safe from these bots?

-r

malware-free system? (4, Insightful)

Anonymous Coward | more than 7 years ago | (#15941795)

"The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system." ...or to run a live-CD version of some OS where all you need to do is reboot.
Options abound: Linux, BSD, Windo... oh, forget about that last one.

Re:malware-free system? (4, Interesting)

JamesTRexx (675890) | more than 7 years ago | (#15941826)

Sort of like my first reaction, "The only way to be sure is to run something that is not Windows".

Until someone creates something that can infect the various *nixes that is.

malware-free system?-Linux. (5, Funny)

Anonymous Coward | more than 7 years ago | (#15941865)

"Until someone creates something that can infect the various *nixes that is."

That's impossible. How do I know? Just "Ask Slashdot".

Re:malware-free system? (5, Funny)

Nested (981630) | more than 7 years ago | (#15941882)

Until someone creates something that can infect the various *nixes that is. Or an asteroid destroys Earth.

Re:malware-free system? (4, Insightful)

Nutria (679911) | more than 7 years ago | (#15942131)

Until someone creates something that can infect the various *nixes that is.

It's called a rootkit. They've been around for years.

Find a *ix server that's running a vulnerable process listening on an exposed port (DNS, ssh, ftp, http, pop, imap, smtp, whatever). Root that box and install your malware.

Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted.

Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.

Why do you rob banks? (5, Insightful)

twitter (104583) | more than 7 years ago | (#15942225)

... because that's where the money is.

You write about root kits and declare:

Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted. Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.

As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.

On the desktop there's another crucial difference, the ease of recovery. In the Windoze world, you pull out your ancient "original" CD and put the same broken crap right back on your machine. It wipes out all your documents and settings so you suffer a loss for no gain. Then you are rooted again about 12 minutes after hooking up to a network. In the free world, you do a net install and get the latest and greatest of everything, without losing anything at all. A few extra steps can make sure the root kit is not in your home directory. The easiest is to chmod the files in your home directory to no execute. In the very worst case you can chmod and then tar up the documents you worry about and start fresh with your settings, like in the Windoze world but much easier.
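As an added illustration of the two recovery steps described in the post above (clear execute bits under the restored home directory, then pack the documents worth keeping), here is a small POSIX shell script. It is not code from the poster or from Slashdot; the HOME_TO_CLEAN and ARCHIVE variables and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the post above. Clears execute bits on every
# regular file under a restored home directory (dot-directories included,
# which is where dropped files tend to sit) and packs the documents to keep.
# HOME_TO_CLEAN / ARCHIVE are assumed variable names for the demo run.

# Files under DIR that still carry any execute bit (user, group or other).
list_exec() {
    find "$1" -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) -print
}

# Count of such files, printed as a bare number.
count_exec() {
    list_exec "$1" | wc -l | tr -d ' '
}

# Clear all execute bits on those files; print how many were changed.
strip_exec() {
    n=$(count_exec "$1")
    list_exec "$1" | while IFS= read -r f; do chmod a-x "$f"; done
    echo "$n"
}

# Pack DIR into ARCHIVE and print the number of entries stored, so the
# listing can be eyeballed before the archive is restored anywhere.
pack_docs() {
    tar -cf "$2" -C "$1" . && tar -tf "$2" | wc -l | tr -d ' '
}

# Demo run only when the caller names a directory, e.g. (assumed paths):
#   HOME_TO_CLEAN=/mnt/restore/home/alice ARCHIVE=/tmp/alice-docs.tar sh clean_home.sh
if [ -n "${HOME_TO_CLEAN:-}" ]; then
    echo "executable files found: $(count_exec "$HOME_TO_CLEAN")"
    echo "execute bits cleared on: $(strip_exec "$HOME_TO_CLEAN") files"
    echo "entries archived: $(pack_docs "$HOME_TO_CLEAN" "${ARCHIVE:-/tmp/home-docs.tar}")"
fi
```

Run it against a copy of the home directory mounted from a clean boot, not from the compromised system itself; the counts printed before and after make it easy to see whether anything executable was lurking in hidden directories.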

Re:Why do you rob banks? (3, Insightful)

Nutria (679911) | more than 7 years ago | (#15942369)

Just by the virtue of the large number of x86 Linux servers exposed ... there must be thousands of systems

As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.

Re-read my post, and then think.

Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable thru SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.

(I say servers because Linux desktops tend not to expose services to the Internet.)

Re:Why do you rob banks? (1, Interesting)

twitter (104583) | more than 7 years ago | (#15942714)

An oversized rat tells me to think, and offers a lesson in proportions and exponents:

Re-read my post, and then think. Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable thru SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.

So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator? Help me out Nutria, what are you trying to tell me? I don't see anything worth pondering above.

Re:Why do you rob banks? (2, Insightful)

Nutria (679911) | more than 7 years ago | (#15942826)

So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator?

What gives you that idea?

Because I recognize that Linux distros are not perfect, not all SysAdmins are up to snuff, and not all security bugs in all *ix apps have been discovered and patched, you think I am a Windows fanboi?

Re:Why do you rob banks? (5, Insightful)

Anonymous Coward | more than 7 years ago | (#15942746)

What do you think the C&C machines are running?

Linux servers, especially colocated ones, tend to have a much higher uptime; in addition, the ircds and other servers they run tend to run best (or only) on Linux. A Linux shell box is a lot more useful to a blackhat than a Windows drone. This makes them individually more attractive targets.

Imagine you're a blackhat. So what you're after, for a C&C server, is someone else's poorly-maintained Linux box; the one that the admin thinks is impenetrable, because it runs Linux, and so hasn't updated it or even looked at it in ages. It's going to have a high uptime, because it almost never reboots because the guy never installs a new kernel on it. You can probably spy out the uptime quietly in advance via the usual trickery, because some admin thought Linux boxes don't need firewalls. And you're most likely going to get in through a PHP hole (application or language, it doesn't matter when the language and common software is that poorly designed) or if it's really out of date an Apache or MySQL hole - because it's probably an almost-never-used webserver.

And then you're going to install a rootkit - think l10n, only more so (there are actually some seriously hardcore Linux rootkits that blow pretty much all of the public rootkits for Windows out of the water when it comes to stealth; and this is why) - and then you're going to patch it, so no-one else roots your new 0wned C&C box, because nothing sucks more than some other blackhat stealing your botnet.

Next thing you know, bam, the thing's running a modified hybrid-ircd or something, and is one of the magic servers you encoded in your trojan to which the Windows drones are connecting back, or one of the webservers they are getting the spam proxy or spyware installer from; and thus you, the blackhat, are earning nice fat sums of cash on the back of one or two Linux servers and a few hundred or thousand random Windows machines.

So, don't discount the threat. All operating systems need patching and good security practice to run safely.

And 0.1% seems like a low estimate; remember Linux distributions, especially server-oriented ones, tend not to have an automatic update feature (with good reason, to a point), so they do require manual intervention to patch. With appropriate care and feeding they are of course not just fine, but can be really quite secure; but neglected, it's a whole different story. Think closer to 2-3% as being a potential problem, and almost 5% in some (LAMP) brackets.

Re:malware-free system? (1)

thoughtlover (83833) | more than 7 years ago | (#15942610)

"process listening on an exposed port (DNS, ssh, ftp, http, pop, imap, smtp..."

Not to mention Perl, PHP, SQL injection, AJAX hacks, and I'm sure that there will be some sort of way the CMOS could become infected someday... remember that an image is (was) just an image and can't infect your computer? What about UPnP? I'm sure people are trying to figure out a way to exploit that. Really, I don't profess to know anything. I just read the headlines, here.

Re:malware-free system? (2, Interesting)

marcello_dl (667940) | more than 7 years ago | (#15942010)

How come a security guy doesn't mention live CDs? I seem to recall somebody did a live Windows CD. Personally I'd go for a free live distro; I'd boot from it and download clam or similar stuff to scan the HD. Unless the guy meant there could always be a rootkit not detectable by a current anti virus. But this level of paranoia should make you reinstall your OS every time you use your PC... and never install closed stuff like Windows, anyway.

Windows LiveCD (2, Interesting)

Coopjust (872796) | more than 7 years ago | (#15942057)

The Windows live CD you are thinking about is BartPE [nu2.nu], but it's not as easy to use or setup as a Linux LiveCD.

I did set up one myself. It works pretty well once setup.

Re:Windows LiveCD (2, Informative)

Anonymous Coward | more than 7 years ago | (#15942080)

Actually, I think the one you are thinking of is Ultimate Boot CD for Windows http://www.ubcd4win.com/ [ubcd4win.com] which is a very functional live cd. Also has numerous other tools that make cleaning an infected system, creating admin accounts, and other cool maintenance a breeze.

Re:Windows LiveCD (2, Informative)

poolmeister (872753) | more than 7 years ago | (#15942212)

UBCD for Windows is just a collection of BartPE plugins to help you build your own Windows Live CD from BartPE and your Windows disk. Even then it's only really a maintenance CD; you wouldn't want to use it as a Live boot OS. I've tried it on many PCs in the past and I've never been able to get networking going once.
Windows is inherently a bad choice for a live boot OS because of the messy issue of having as many 3rd party drivers as possible loaded into the image.

Linux distros are now miles ahead of Windows when it comes to hardware detection on first boot.

Re:Windows LiveCD (1)

Yyrkoon420 (996553) | more than 7 years ago | (#15942345)

Miles ahead if you're lazy perhaps; there's another tool seemingly lost on you: 'slipstreaming'. You can manually slipstream, or use third party GUI tools. I think we all can agree Windows is NOT like Linux in many respects. One is that you actually have to pay for someone else's hard work; two, while Windows may make updates available via the internet, you cannot download a freshly made ISO (at least not without a high level MSDN subscription you can't). Anyhow, the only other option for this case is slipstreaming, and if you think about it, it's easier on bandwidth and less time consuming than downloading an entire ISO from whatever distro you prefer. Yes, we also know that Linux has live updates as well . . . Now, why live CD if not for maintenance? At least in this situation that's the whole idea, removal of malicious software. You need something to mount a drive, in a way, that makes removing malware easier. Personally, I'd never use a Linux LIVE CD to 'fix' anything on a Windows system, but I actually know about, and know how to use, the tools available for said operating system. Would you use a 'LIVE' Windows CD to remove rootkits from Linux? Somehow I don't think so.

Re:Windows LiveCD (3, Funny)

ozmanjusri (601766) | more than 7 years ago | (#15942475)

Windows is NOT like Linux in many respects, one is that you actually have to pay over and over and over again for someone else's hard work

Fixed that for you.

Re:malware-free system? (2, Insightful)

httptech (5553) | more than 7 years ago | (#15942155)

The actual quote in my analysis [lurhq.com] is "unless you are a malware expert..."

Running a liveCD with a rootkit scanner and an antivirus isn't going to cut it - you have to have the knowledge to know what to go after - you'd be surprised at how much malware doesn't get detected by scanners even months after it's been released.

Although I might use liveCDs myself to do malware recovery, average users are going to be in over their heads. So I didn't mention it.

-Joe

Re:malware-free system? (1)

xeoron (639412) | more than 7 years ago | (#15942279)

True... The best protection is just running a computer off a livecd and have network file storage

Re:malware-free system? (1)

Yyrkoon420 (996553) | more than 7 years ago | (#15942316)

So I guess the idea of ERD 200x, Windows PE, etc. were completely lost on you? Let's not forget that at least the two items I've mentioned can actually mount, read, and write to an NTFS file system without problems, and ERD can break / reset passwds locally. There are also other options such as booting from USB (where you can use many different media types), booting into safe mode (assuming you're running Windows), and writing your own applications for finding and dealing with viruses in general. Since we're obviously talking mainly Windows here (key word virus . . .) I think it's rather limited thinking that you would use a different OS to deal with said system.

ISP should warn (1)

zymano (581466) | more than 7 years ago | (#15942359)

There should also be mandatory rule about not using Windows xp without firewall and virus protection. It's a useless operating system.

Re:malware-free system? (0)

Anonymous Coward | more than 7 years ago | (#15942453)

freeware Rootkit Revealer by sysinternals may help avoid an OS reinstall

BartPE? (1)

ecalkin (468811) | more than 7 years ago | (#15942466)

I realized that BartPE could be a handy tool for cleaning up stuff. If nothing from the hard drive is in memory when Bart is running, it can't stop tools running under Bart from cleaning the crud out.

I also realized that with the many plug-ins that Bart has, you could make a fairly usable static system with it. It gets infected? Reboot. It gets questionable? Reboot.

e

It's a bird. It's a plane. It's TC! (3, Funny)

Anonymous Coward | more than 7 years ago | (#15941800)

"The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

Trusted Computing to the rescue!

Re:It's a bird. It's a plane. It's TC! (5, Interesting)

l33t gambler (739436) | more than 7 years ago | (#15941868)

Trusted Computing to the rescue!

Absolutely! Trusted Computing is made to protect consumers from potential threats, but will it let consumers decide what is trustworthy? I recently discovered I had a UAService7.exe running in my Task Manager. After a search I found it is a SecuROM service, and lo and behold there's a service with that name in Services.

I can't remember being asked by a game or application to install such a service, and I don't know how to remove it as there's no reference to it in either Start Menu or Add/Remove Programs.

http://jooh.no/root/torrents/trusted-computing.tor rent [jooh.no]

Re:It's a bird. It's a plane. It's TC! (5, Informative)

The MAZZTer (911996) | more than 7 years ago | (#15941990)

Some games use it for CD verification. If you tamper with it (i.e. remove it) the game will likely fail its CD check and no longer run.

I have a game that uses it, you probably agree to it in the EULA somewhere. I forget which game it was...

Oh and I can't help but notice, as others have before me, that software pirates are not encumbered by these restrictions and bloatware, while legitimate customers are forced to use it.

Re:It's a bird. It's a plane. It's TC! (5, Insightful)

mrbcs (737902) | more than 7 years ago | (#15941999)

Every game I buy, before installation, I go to gamecopyworld.com and get the no-cd patch. I friggin HATE putting the cd in every stinkin time I want to play a game.

Trusted Computing.... and Windows (1)

Lord Prox (521892) | more than 7 years ago | (#15942125)

Just a thought... With Windows security being what it is, how long will it be before a malware author or spamhouse coder gets their stuff installed as trusted code? Then things really will be hard to remove.

Second thought. This could be a good thing. After a while of malware being "trusted" will people and companies abandon the TCP program? I am not a big fan of the TCP concept and this outcome could be the answer to getting rid of it. Or not.


Re:Trusted Computing.... and Windows (1)

Short Circuit (52384) | more than 7 years ago | (#15942539)

It'll likely remain in systems, just rarely used or updated. Like floppy drives, serial ports, parallel ports, the AT keyboard architecture (of which PS/2 keyboards are essentially a clone), and CGA and EGA video modes.

To cut costs, it'll get integrated into the northbridge/southbridge pair of chips. The x86 system is (in)famous for its support of and occasional dependency on legacy systems. Did you know that you can still run MS DOS on most modern computers?

Re:Trusted Computing.... and Windows (0)

Anonymous Coward | more than 7 years ago | (#15942626)

Ninja please, TC/Palladium could bend Joe User over and fuck him in the ass every time he sat down to use the computer and he'd still grit his teeth and take it like a champ. Working the front lines of tech support has taught me that the average user is stupid. Far more stupid than anyone on Slashdot can imagine. Windows is all they'll ever know because they are incapable of understanding anything even slightly different, and if Windows comes bundled with all manner of DRM and TC technologies that make the user's life a living hell, they'll take it and they'll tell their friends how great it is. This might change in 20-30 years as more people grow up with computers and understand them more (and fear them less) but for the immediate future we're stuck swallowing shit because Joe User likes the taste.

Happened to me. (0)

Anonymous Coward | more than 7 years ago | (#15941801)

This happened to me once... even with a fully patched XP, up to date Norton, and Ad-Aware installed. For peace of mind, I too decided the format/reinstall route was the best option. I've since switched to the Mac and have been problem free.

Re:Happened to me. (0)

Anonymous Coward | more than 7 years ago | (#15941811)

You probably had a weak password.. patches won't save everything you know.

Re:Happened to me. (0)

Anonymous Coward | more than 7 years ago | (#15941822)

Yeah, you're probably right. At the time it was a dictionary word, two numbers, and then another dictionary word.

Re:Happened to me. (5, Funny)

Anonymous Coward | more than 7 years ago | (#15941824)

My house was robbed once... even with fully locked doors, up to date alarm company subscription, and a dog. For peace of mind, I decided blowing up the house was the best option. I've since moved to the woods and have been civilization free.

Re:Happened to me. (0)

Anonymous Coward | more than 7 years ago | (#15942009)

do you know my dad

Re:Happened to me. (4, Funny)

JoeCommodore (567479) | more than 7 years ago | (#15942109)

This needs some re-working

My house was robbed once...

It was one of those cheap houses, you know using old materials and not the best contractors (the doors and windows would not always close properly.)

even with fully locked doors, up to date alarm company subscription, and a dog.

Though that brand of locks uses one of five common keys, and the alarm company sometimes works with other companies to let marketers in, and the dog, as vigilant as he is, is just a dog and frankly pretty stupid.

For peace of mind, I decided blowing up the house was the best option. I've since moved to the woods and have been civilization free.

Actually it was more like a posh wooded suburb gated-community thing, where all the prices are higher and the selection is more limited, but the cars are to die for. I don't even associate with my old neighbors much anymore. My kids and wife are much happier and I have a lot less stress about stuff like that.

Now if it were Linux, you would probably be in the woods, in some commune, inside an abandoned high security military bunker, with a lot of really smart people that don't socialize all that well.

Re:Happened to me. (1)

Nutria (679911) | more than 7 years ago | (#15942148)

Now if it were Linux, you would probably be in the woods, in some commune, inside an abandoned high security military bunker, with a lot of really smart people that don't socialize all that well.

Humorous, but you've probably never been to a LinuxCon.

Too easy... (4, Funny)

MoogMan (442253) | more than 7 years ago | (#15942221)

My house was robbed once... even with fully locked doors, up to date alarm company subscription, and a dog.

You probably had Windows...

Next opportunity (5, Interesting)

QuantumFTL (197300) | more than 7 years ago | (#15941809)

Perhaps the next opportunity for profit in this game is to hack other people's botnets to bend to your own purposes? Probably a lot less risky than hacking thousands of potentially litigious members of the public. Secure encryption would stop most of this; however, the master endpoint computer would still have some vulnerability.

Re:Next opportunity (4, Funny)

Enoxice (993945) | more than 7 years ago | (#15941828)

I can see it now: In the future there will only be one botnet, then the entire hacking community will just be a big game of RootThisBox (http://rootthisbox.org/ [rootthisbox.org]) (hmm...RTBs website seems to be redirecting to HackThisSite for some reason).

Re:Next opportunity (1)

Sir_Lewk (967686) | more than 7 years ago | (#15941884)

I'm sure it happens, though I think that at least the larger botmasters know enough of the tricks to protect themselves from others.

PC Clinic (5, Informative)

Short Circuit (52384) | more than 7 years ago | (#15941812)

At my computer club's PC Clinic [grc4.org], I set up Ethereal on our network gateway computer, to keep track of things. You can easily see this kind of crap going on.

Re:PC Clinic (1)

JavaBrain (920722) | more than 7 years ago | (#15942445)

I'm assuming sophisticated key catchers do not have to post keys as they are typed, nor do they have to post the keys in the clear. Keeping that in mind, are you sure you can tell what's going on?

Re:PC Clinic (2, Interesting)

Short Circuit (52384) | more than 7 years ago | (#15942489)

are you sure you can tell what's going on?

Well, systems are only connected to our network for a few hours at most. Less, if we see traffic that bothers us. Like this last time, two of the machines started scanning all the IPs on the class C subnets adjacent to the subnet we were using. We put a stop to that. The only botnet activity I saw was repeated attempts to connect to the IRC port of a domain name. However, that domain had expired, so the bots couldn't connect.

I'm looking around for a way to prevent machines on our network from talking to each other...putting each one on its own subnet seems like a good idea, but I don't know how to set up Linux dhcp to do it.
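The two things Short Circuit describes seeing at the clinic gateway (hosts sweeping the adjacent class C subnets, and a drone repeatedly trying the IRC port of a name that no longer resolves) are exactly the kind of pattern a small triage script can pull out of a connection log. The following is an added example, not code from the poster or from the LURHQ analysis; the one-line-per-connection log format, the sample lines, the IRC port list and the thresholds are all constructed assumptions for illustration.

```python
"""Flag bot-like behaviour in a gateway connection log (added example).

Log format (assumed): "<epoch> <src> <dst> <dport> <flag>" where flag is
S for a SYN that was never answered and E for an established connection.
"""
from collections import defaultdict
from ipaddress import ip_address

IRC_PORTS = {6667, 6668, 6669, 7000}   # assumed list of common IRC C&C ports
SCAN_THRESHOLD = 20                    # distinct unanswered targets per source
BEACON_THRESHOLD = 5                   # repeated IRC attempts to the same host


def _build_sample_log():
    """Constructed sample traffic, not a real capture."""
    lines = []
    # .3 browses the web normally: connections complete.
    lines += [f"{1156000000 + i} 192.168.10.3 198.51.100.10 80 E" for i in range(3)]
    # .5 sweeps the neighbouring class C 10.0.1.0/24 on TCP 445, SYN only.
    lines += [f"{1156000100 + i} 192.168.10.5 10.0.1.{i + 1} 445 S" for i in range(25)]
    # .7 retries an IRC port on a C&C address that never answers, once a minute.
    lines += [f"{1156000200 + i * 60} 192.168.10.7 203.0.113.9 6667 S" for i in range(6)]
    # .9 opens one IRC session that completes: a person chatting, not a drone.
    lines += ["1156000300 192.168.10.9 198.51.100.20 6667 E"]
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    ts, src, dst, dport, flag = line.split()
    return {"ts": int(ts), "src": ip_address(src), "dst": ip_address(dst),
            "dport": int(dport), "syn_only": flag == "S"}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_scanners(records, threshold=SCAN_THRESHOLD):
    """Sources that SYN to many distinct hosts without ever completing:
    the horizontal sweep of a neighbouring subnet."""
    targets = defaultdict(set)
    for r in records:
        if r["syn_only"]:
            targets[r["src"]].add(r["dst"])
    return {str(src): len(t) for src, t in targets.items() if len(t) >= threshold}


def find_irc_beacons(records, threshold=BEACON_THRESHOLD):
    """Source/destination pairs with repeated unanswered attempts on an IRC
    port: a drone calling home to a C&C that is down or whose name expired."""
    attempts = defaultdict(int)
    for r in records:
        if r["dport"] in IRC_PORTS and r["syn_only"]:
            attempts[(r["src"], r["dst"])] += 1
    return {f"{s}->{d}": n for (s, d), n in attempts.items() if n >= threshold}


def triage(text):
    records = parse_log(text)
    return {"scanners": find_scanners(records),
            "irc_beacons": find_irc_beacons(records)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for who, count in hits.items():
            print(f"{kind}: {who} ({count})")
```

Only unanswered SYNs are counted, so the completed IRC session from .9 is not flagged; on a real gateway the same two counters would be fed from a capture tool's connection summary rather than from a constructed string, and the thresholds tuned to how many machines the clinic actually plugs in.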

To clarify... (1, Insightful)

Drinian (621383) | more than 7 years ago | (#15941816)

The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

:s/reinstall the operating system/install Linux/g

Re:To clarify... (0)

Anonymous Coward | more than 7 years ago | (#15941872)

:s/install Linux/put a gun in your mouth and pull the trigger/g

"Post to Slashdot" (2, Interesting)

Gopal.V (532678) | more than 7 years ago | (#15941818)

It is the first time I've ever seen a "Post to Slashdot" icon on any news item.

(yeah, I pretty much forgive the Digg one, everybody has those ...)

Re:"Post to Slashdot" (1)

triso (67491) | more than 7 years ago | (#15942228)

It is the first time I've ever seen a "Post to Slashdot" icon on any news item....
It isn't very useful yet; it only goes to the submit screen, most of the fields are blank, and it doesn't even fill in the URL of where you clicked on the "Post to Slashdot" button to get here.

Joe Stewart said Comedy Gold! (0)

Anonymous Coward | more than 7 years ago | (#15941835)

OMG Think he's a goon??

Makes you wonder what else is going on (5, Insightful)

perkr (626584) | more than 7 years ago | (#15941843)

Spam is one thing, but once you've got access to the machine, getting logins and passwords for online stock and bank account services via a keylogger is completely different. I wonder how much stuff is silently running on users' machines right now...

Re:Makes you wonder what else is going on (1)

mapkinase (958129) | more than 7 years ago | (#15941917)

There should be tougher laws on people who break in the computers. It should be equal to breaking and entering people's houses.

Tough laws work given their enforcement (I mean, once caught and given 10 years of gang-infested prison time, people will look at the keyboard in a different way).

Re:Makes you wonder what else is going on (2, Interesting)

Lusa (153265) | more than 7 years ago | (#15941969)

Perhaps, but there is a massive flaw. This assumes that the people doing this can be caught and prosecuted. Chances are they aren't even on the same continent as the computer. Until the planet is under some kind of single law then this sort of thing will not work. I think it'd be easier and better to isolate and control network traffic. Have a safe known configuration of OS, programs, firewalls etc in a read only format that can quickly be ghosted back onto the hardware if an infection is detected. Sort of like a live CD but personalised. Of course, this would require an overhaul of the way things are done. But it needs to be done. Now, if we could get offensive firewalls as in Ghost in the Shell we could have some fun :D

Re:Makes you wonder what else is going on (0, Offtopic)

mapkinase (958129) | more than 7 years ago | (#15942223)

It does require a lot of effort, but for every uncatchable hacker there are plenty of loser hackers. Catch them, and punish dearly so the "uncatchable" ones think twice.

Re:Makes you wonder what else is going on (1)

msobkow (48369) | more than 7 years ago | (#15942344)

Most of the traffic I log and run a traceroute on bounces through a number of nodes into the "darknet" of unregistered IP addresses. Even there it bounces through 3-5 darknet nodes before hitting a recognizable backbone or gateway node. Although certain nations' primary gateways are common, there is no way to tell whether the attacker is located in that nation or using compromised darknet machines in that nation.

The odds are that the majority are located in Canada or the US and simply using darknet proxies.

Re:Makes you wonder what else is going on (1)

mapkinase (958129) | more than 7 years ago | (#15942383)

When the crime becomes more widespread, the darknet will be hit by interested governments.

I think that the problem with this is that there are tons of dummies with unprotected computers that do not see the disadvantage of their computers being used for "dark" purposes.

In short, big problems will get big attention, small problems are getting small attention. Inasmuch as personally I want every organized criminal whipped, hanged, executed, tortured and very much dead, the trouble from them seems not that big. Otherwise, the repuglican dogs would be unleashed on them.

Re:Makes you wonder what else is going on (1)

uvajed_ekil (914487) | more than 7 years ago | (#15942517)

There should be tougher laws on people who break in the computers. It should be equal to breaking and entering people's houses. Tough laws work given their enforcement (I mean, once caught and given 10 years of gang-infested prison time, people will look at the keyboard in a different way).

As the US criminal justice system proves every day, stiff penalties for crimes do not necessarily act as effective deterrents. We have embarrassingly high violent crime rates in the US, despite the penalties being more harsh than in most of Europe and many other places. Until the certainty of apprehension becomes greater (i.e. unless potential criminals think they'll get caught) we'll continue to have high crime rates. I suspect the same applies to computer-based crimes; for-profit hackers don't care about the jail time since they are usually not caught to begin with.

You could make the penalty for all crimes death by hanging, but if you have no cops catching people, or even knowing where and how to do so, you'll still have crime.

Re:Makes you wonder what else is going on (1)

mapkinase (958129) | more than 7 years ago | (#15942548)

Well, the crime in the US is localized to poor neighborhoods, mostly. Maybe poor neighborhoods should have preventive laws, like a curfew for youngsters, like prohibition of gatherings of more than 3. I am just throwing ideas out here.

The laws are tough for murder, but they are nearly not tough enough for prostitution and drugs. Basically every shady business that organized crime feeds on should be penalized severely - bookmakers, gamblers, loan sharking, drugs, prostitution, what else...

I am telling you people will think twice before dealing a baggy of pot if they knew that they would get life or beheading for that.

Re:Makes you wonder what else is going on (5, Insightful)

Pantero Blanco (792776) | more than 7 years ago | (#15942812)

You'd also end up with many more dead cops, and much more sympathy for those criminals. If the penalty for dealing pot or prostitution was death or life in prison, I for one would offer safe haven and protection to pot dealers and prostitutes.

Re:Makes you wonder what else is going on (0)

Anonymous Coward | more than 7 years ago | (#15942795)

Common things they are used for at the moment include:
  • Proxies for further system cracking (self-explanatory)
  • Spam proxies (specialised SMTP proxies rented out to spammers for, say, Send-Safe)
  • Spyware installation (some spyware companies, for example VX2, have a long and illustrious history - despite their denials - of paying "affiliates" more or less per-seat, which could be lucrative given access to a botnet of Windows machines you utterly do not care about)
  • Data mining for identity theft, via keylogging and/or static analysis (at the moment; banking, Paypal, eGold login/passwords, and of course the old faithful credit card numbers, but also some more exotic things; in particular MMORPG login/passwords - WoW gold goes for around $50-$70 per 1000g, so you may wake up to find your epics vendored and your account cleaned out)
  • and of course the old classic, DDoS extortion and botwars
Occasionally, they are used for less common things. Some things that spring to mind:
  • Proxies for "bulletproof" hosting (think spam sites, when they don't want to use Russia or China, although the spammers themselves are frequently American)
  • Cryptoviral extortion (which is to say, "We have encrypted your files - pay up and we decrypt them")
  • Illicit webservers or FTP dumps containing stuff you do NOT want to be even unknowingly hosting, enough said

Be sure... (4, Funny)

shmlco (594907) | more than 7 years ago | (#15941889)

"The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

I say we take off and nuke 'em all from orbit. It's the only way to be sure.

Re:Be sure... (1)

Linker3000 (626634) | more than 7 years ago | (#15941968)

Thank you - I had to scroll down several inches to see that comment but you have restored my faith in the Slashdot community.

I nearly thought that one had slipped through the net.

Re:Be sure... (1)

modecx (130548) | more than 7 years ago | (#15942701)

"The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

I say we take off and nuke 'em all from orbit. It's the only way to be sure.


Hey! That's my idea for people who drive while talking on a cell phone, damnit! You just can't go around stealing other people's ideas so you can go twist them to fit some other problem! I mean, you know what happened the last time someone used a cotton gin to do something it wasn't meant to do? I'll tell you this, it was a tragic day that five men including Burt Reynolds, a goat, a family of opossums, and a small town in Arkansas will NEVER forget!

so many only/lonely ways. (4, Funny)

mapkinase (958129) | more than 7 years ago | (#15941903)

The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.
In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.

Re:so many only/lonely ways. (1)

Odin's Raven (145278) | more than 7 years ago | (#15941965)

In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.

I dare say that whacking just the wife would be sufficient to put a stop to her cheating. Not to mention cheaper.

(Unless you have a 2-for-1 coupon from the local mob - no sense letting a freebie go to waste.)

Re:so many only/lonely ways. (1)

Jack Action (761544) | more than 7 years ago | (#15942084)

The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.
In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.
Isn't this equivalent to whacking yourself?

Re:so many only/lonely ways. (1)

mapkinase (958129) | more than 7 years ago | (#15942241)

That will certainly solve all your worldly problems, but will it solve all your problems?

From TFA... (1)

dark-br (473115) | more than 7 years ago | (#15941908)

"The lesson? Don't get infected in the first place"

Oh, *R*E*A*L*L*Y*? Gotta love some ppl's approach to security articles :/ *grin*

The only way to be [completely] sure... (1, Redundant)

Harlequin (11000) | more than 7 years ago | (#15941913)

The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.
Ripley: I say we take off and nuke the entire site from orbit. It's the only way to be [completely] sure.

Steve Gibson did something akin to this (5, Informative)

BertieBaggio (944287) | more than 7 years ago | (#15942028)

I know he may not be [theregister.co.uk] the most favourite [theregister.co.uk] of people around here, but Steve Gibson was able to spy on the IRC command & control channel of a botnet a few years ago. It was precipitated by a DDoS on his site, which he investigated rather thoroughly.

Link to the article [grc.com] (...long article warning)

Some of the article is quite interesting, some is obvious, some is ego-boosting self-congratulatory statements, and some of it is his "teh XP can create complete 'UNIX sockets' OH NOES!" propaganda. Still worth a read, even if it is a few years old.

Re:Steve Gibson did something akin to this (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#15942135)

Steve Gibson? LOL!

I'm not going to even bother reading the rest of your post.

MOD PARENT DOWN

Need to hold users responsible. (5, Insightful)

Rotten168 (104565) | more than 7 years ago | (#15942032)

If you are a computer user, you are responsible for the problems they are creating. ISPs need to inform people they have bots and if they are infecting other computers they need their internet access dropped. Tough love.

Need to hold ISP's responsible (4, Insightful)

RKBA (622932) | more than 7 years ago | (#15942116)

"ISPs need to inform people they have bots and if they are infecting other computers they need their internet access dropped."

In my experience, the cable installers are clueless. When I switched from DSL to Cable, the cable installers (two of them, one was a trainee) hooked up their cable to my router/hardware firewall and everything was fine. Then the senior guy asked if he could hook up their cable box directly to my computer to show the trainee how they normally do things. After booting into a spare version of the OS that I only use for maintenance (which is on a different partition than my regular OS), I let him hook his cable directly up to my computer, bypassing my router. Within about 20 seconds my antivirus program detected and reported a virus attack, although I forget the exact details because it was several years ago.

The point is that the cable installers connect their cable up to new subscribers' computers without even checking their virus protection, and the naive users' computers are probably infected before the installers drive away. The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.

Re:Need to hold ISP's responsible (1)

Grand Facade (35180) | more than 7 years ago | (#15942253)

Initiate a support call to your ISP and the first thing they tell you to do is to remove your firewall/router in order to troubleshoot your connection......

Bastards

they already do that. (1)

twitter (104583) | more than 7 years ago | (#15942274)

Congratulations, you noticed the reason that studies show Windows has a 12 minute half life on any network.

The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.

The cable modem already does that but it does not work. They block outbound ports and limit the upload speed. You can't block the inbound ports because you would block services users would actually notice. Even if you could lock up everything and only use one port for inbound and one port for outbound, the root would come through your browser or email. The bottom line is the computer on the other end has Windoze and Windoze has problems you can't fix with a router or an anti virus program. Without Windoze, you would not need any of the above performance-limiting crap.

Re:Need to hold ISP's responsible (1)

CronoCloud (590650) | more than 7 years ago | (#15942666)

the ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.


The local cable ISP used to say home networks were unsupported and would ask you to remove the router if you had troubles. They also charged $5 per additional computer (or other device) attached to the connection (for the IP address).

Now they have networking information on their website and include routers as part of connection packages.

Re:Need to hold users responsible. (1)

poolmeister (872753) | more than 7 years ago | (#15942254)

Some ISPs do just that. I used to work for the abuse team for a cable ISP in the UK.
We had a policy of disconnecting customers who we'd found to have worm or spambot activity originating from their address.
If we weren't able to contact them straight away, we'd disconnect with the prejudice they deserved... n00bs

My ISP does this. (1, Interesting)

PotatoHead (12771) | more than 7 years ago | (#15942331)

I've one XP home box running.

(We play online poker ok?)

It got infected with this crap and started spewing spam. Primary cause of this is kid browsing BTW. They are the most likely to click on the baddies. Put 'yer kids on Linux or a Mac and lots of this just goes away.

Within a few hours I got a call on my cell. Asked me what I wanted to do. I said pull the plug if the box is still spewing in a few hours. (That was time enough for me to get home and deal.) I arrived home, pulled the plug on the offending box, started archiving data in preparation for a re-image. Shot off a quick e-mail asking them to check for baddies on their end just to be sure. All done, next.

This is exactly why the ISP consolidation is just horrible. Had we continued to have a high percentage of live and local ISPs, people would have someone they could trust to let them know things are not as they seem.

I know my ISP sysadmins by name. Most people should. I don't talk with them much, but when I need to, it's always worthwhile. Nice folks --we need more of them.

BTW: Joey http://www.spiretech.com/ [spiretech.com] If you are in PDX, give them a call.

Re:My ISP does this. (1)

despisethesun (880261) | more than 7 years ago | (#15942664)

It got infected with this crap and started spewing spam. Primary cause of this is kid browsing BTW. They are the most likely to click on the baddies. Put 'yer kids on Linux or a Mac and lots of this just goes away.

You must not deal with a lot of "normal" computer users. Believe me, the average user is at least as bad as any child you've left on one of your computers. Left to their own devices (ie without an IT department to baby them) these people will wreak all manner of havoc. But who am I to complain? Stupid users are keeping me employed.

Re:My ISP does this. (0)

Anonymous Coward | more than 7 years ago | (#15942692)

(We play online poker ok?)

No. Not ok. Online poker sites pay for a huge amount of spam, especially stuff like forum comment spam and domain squatting. That's like saying "We send free iPods to the widows of Nigerian princes, then refinance our mortgage and buy knockoff rolex watches and cheap v.1.4.g.R.a with the profits, ok?"

Reinstalling is not always the answer (2, Interesting)

electronerdz (838825) | more than 7 years ago | (#15942054)

There is no reason to just reinstall the operating system just because you got a little bit of spyware. Only about 1% of the machines that I have worked on because of spyware have I had to reinstall the operating system. The infection can always be completely gotten rid of. I've only had callbacks about spyware that I missed about 3 times. And for all I know, it was because the user went and downloaded something again that put it on there (like Party Poker, etc). And it can all be done with just a handful of tools (where AdAware is NOT included), and a little bit of creative thinking. For example, recently, I booted a computer into safe mode and used AVG Free to check for viruses. It picked up about 3000 "Trojan.Downloaders." Once it found them, I hit delete for all of them. It took about 30 seconds a file (you do the math). Well, I had two hours before the guy got on a plane. So I exported the list to CSV. Opened it in Excel, deleted all columns except the file names, and put a "del" column to the front. Save, rename to .bat or .cmd, and run. They were deleted in about 20 seconds.
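The CSV-to-batch trick above, as an added example that is not the poster's own script: it reads a scanner export (the column names and the sample rows are constructed assumptions, real exports vary by product), keeps only the flagged paths, and emits `del` lines. It also handles the case the Excel approach silently breaks on: a path with spaces must be quoted, or `del` treats it as several file names.

```python
import csv
import io

# Constructed sample export, loosely shaped like an AV scanner's CSV.
# Column names are an assumption; adjust them to the real export.
SAMPLE_EXPORT = """Status,Path,Detection
Infected,C:\\Windows\\Temp\\svchost32.exe,Trojan.Downloader
Infected,C:\\Documents and Settings\\User\\Local Settings\\Temp\\a.tmp,Trojan.Downloader
Clean,C:\\Program Files\\Safe App\\app.exe,
Infected,C:\\Windows\\Temp\\svchost32.exe,Trojan.Downloader
"""


def extract_paths(csv_text, path_column="Path", status_column="Status"):
    """Return the unique flagged file paths from a CSV export, in order.

    Rows whose status is not 'Infected' are skipped, and duplicate paths
    (scanners often report one file under several detections) are collapsed.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    seen = set()
    paths = []
    for row in reader:
        if row.get(status_column, "").strip().lower() != "infected":
            continue
        path = row.get(path_column, "").strip()
        if not path or path in seen:
            continue
        seen.add(path)
        paths.append(path)
    return paths


def build_batch(paths):
    """Build a cmd.exe batch script that deletes each path.

    Every path is quoted: an unquoted
    'del C:\\Documents and Settings\\User\\x.tmp' would try to delete three
    separate files. /f also removes read-only files, /q skips the prompt.
    """
    lines = ["@echo off"]
    for p in paths:
        if '"' in p:
            raise ValueError(f"unsupported character in path: {p!r}")
        lines.append(f'del /f /q "{p}"')
    # cmd.exe batch files conventionally use CRLF line endings.
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    script = build_batch(extract_paths(SAMPLE_EXPORT))
    # Review the generated commands before running them from Safe Mode.
    with open("cleanup.bat", "w", newline="") as fh:
        fh.write(script)
    print(script)
```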

Re:Reinstalling is not always the answer (2, Insightful)

Thunderbear (4257) | more than 7 years ago | (#15942126)

I congratulate you on your efficiency.

But how can you be _certain_ that you got them all, and that your boss is not still infected?

Re:Reinstalling is not always the answer (4, Insightful)

leenks (906881) | more than 7 years ago | (#15942134)

How do you know? At any given time virus / spyware checkers only get between 30 and 50 percent of malware that is currently being used, and it takes several months before they eventually get detected. If you can remove stuff that nobody else can detect, you are doing pretty well.

Re:Reinstalling is not always the answer (1)

httptech (5553) | more than 7 years ago | (#15942170)

We're not just talking about spyware here - you feel you've completely cleaned the infection because you no longer notice the intrusive symptoms of popup-ads, slowness, etc. However, how would you know the initial infection hadn't subsequently downloaded a keystroke logger (bought commercially, they can go months without being detected by AV) along with a rootkit to hide it? Rootkit scanners, like AV, are having to play a constant game of keep-up with the commercial malware writers.

If you're a malware expert, yes, you can find and kill all instances of malware on a system without a rebuild. It used to be easier, but the profit motive has really upped the ante for the malware writers, to the point where for 99.999% of the population, a rebuild is in order.

-Joe

Re:Reinstalling is not always the answer (2, Funny)

Anonymous Coward | more than 7 years ago | (#15942756)

You are a pseudo-geek with a handful of windoze skills who has no idea how much he doesn't know. Congratulations on writing some crappy .bat script, you are officially eligible to work in the tech support department at Best Buy.

For the record... (1, Insightful)

httptech (5553) | more than 7 years ago | (#15942198)

It's not like I'm the only one who ever figured out how to spy on botnet control channels. This has been going on for years. Some researchers only spy on the botnet to find out what the botnet is being used for. Some even take it upon themselves to try and "clean" the infected systems of the bots (Mocbot has a "remove" command, by the way, but you have to have the correct user@host mask). Botherders sometimes even spy on each others' channels, to try and take control of less-protected botnets from other botherders.

-Joe

However, sad but true... (1)

Jugalator (259273) | more than 7 years ago | (#15942245)

The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system

However, even that might not help if the OS in question is Windows XP and not integrated with SP2 on the same CD, and you don't know what you're doing. (like disconnecting the network until you've installed SP2 that you of course had lying on another disc so you don't need to go online for it)

Pretty annoying what a highly flawed and widely spread OS can do.

A change is coming and the Vista is beautiful ! (0)

Anonymous Coward | more than 7 years ago | (#15942362)

How much do you know about Windows Vista and how it changes this?

correction (1)

thinsoldier (937530) | more than 7 years ago | (#15942403)

CORRECTION:
The only way to be [completely] sure the system (Windows) is malware-free is to completely wipe the hard drive and reinstall (Windows) the operating system.

get it right.

You have to wonder (1)

gx5000 (863863) | more than 7 years ago | (#15942416)

You have to wonder... I mean, of course it's a disaster out there, we're not setting up newbies with enough education or software. I set up my users with XPSP2, Norton, Pest Patrol, Spybot, Norton Ghost or Acronis and a router and a promise to "try" and stay away from googling porn. Out of ninety regulars on my phone, only three of them need re-image instruction once in a while. Malware? What malware?

Then beg for another activation (1)

HangingChad (677530) | more than 7 years ago | (#15942540)

The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

The only way to be sure on a WINDOWS system is to reinstall the operating system, something that Windows users just seem to accept. Then you have to beg MSFT to reactivate your operating system. If you reinstall routinely, some day they'll start acting like you're expected to pay for it...again.

I have one token XP Pro box on my network but don't routinely use it to surf the internet (except when it's rendering video). Email, most of my online work...all Linux. Windows is a fine operating system, just don't connect it to the internet.

Re:Then beg for another activation (1)

Joe U (443617) | more than 7 years ago | (#15942645)

The only way to be sure on a WINDOWS system is to reinstall the operating system, something that Windows users just seem to accept.

Actually, there are two methods available, one is to reinstall, which takes a few hours. The other is to clean the system and do a comparison from the original media/sources, which would take longer, so it's easier to reinstall. Either way, these are ONLY METHODS FOR ANY OS that guarantee you are not infected.

Then you have to beg MSFT to reactivate your operating system. If you reinstall routinely, some day they'll start acting like you're expected to pay for it...again

Yeah, you keep ranting and raving on about that. It's a load of crap and not true at all, but don't worry, it sounds good. Eventually, if you yell loud enough and jump up and down while waving your hands, people might listen or even take you seriously.

Granted, you'll be acting like a spoiled brat, but hey, it works for politicians.