×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

176 comments

FROSTY PISS (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#18664585)

Pouring up a tall mug of the frosty piss since 1997.
 

Isn't the most prevalent worm, the (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#18664681)

GeorgeWBushnet worm?

Well, you see, (3, Funny)

GodFjotten (807870) | about 7 years ago | (#18664707)

viruses kinda runs in the family...

Automated Trolling System (-1, Troll)

TrollBot1.1 (1086151) | about 7 years ago | (#18665657)

Welcome to the Automated Trolling System. Using the latest technology, we are striving for a new generation of /. trolling. We shall usher in this glorius new era with pride in our hearts.

But how does it work? Using the latest technology called PHP we have optimised a scraping technique to detect new stories to troll, as well as sending POST requests for inserting of the troll post. TrollBot1.1 requires very little human intervention.

Why not download a copy here? [nimp.org]

Please bear with us while we work out the bugs.

Re:Well, you see, (2, Funny)

Ngarrang (1023425) | about 7 years ago | (#18665711)

The FTC should file a lawsuit against those two worms. In this day and age, we should have the freedom to choose whichever worm we prefer to infect our system. What if I want a completely different family of worm on my system? Did these virus writers think of that? Feh on them.

And that won't change soon (5, Informative)

Opportunist (166417) | about 7 years ago | (#18664741)

Recently, I had to put an SP1 WinXP online to demonstrate that it's (still) insecure to do that. I was expecting that the blaster menace has somewhat dwindled since its outbreak, simply 'cause it's been a while since its outbreak.

Boy, was I wrong!

It took 10 seconds for the FTP to go berserk, a minute later I was a happy member of the still strongly going family of wormspreaders.

People simply don't update their systems. It's amazing, that thing is afaik about 5 years old now, and still there are a LOT of machines existing that still blow the worm through the net.

We're not talking about an unfixable problem, or at least one where the user has to be dumb enough to open the can for the worm (ok, bad pun). It's as simple as updateing to SP2, something that works automatically.

You actually have to disable MS Messenger to at least cease to get those annoying popup messages, so why can people disable that but not update their systems? That's simply beyond my comprehension.

Re:And that won't change soon (2, Interesting)

someone1234 (830754) | about 7 years ago | (#18664807)

I still wonder why no one wrote some code which wipes those rogue bots off (along with the terminally ill host).

Liability... (4, Interesting)

msimm (580077) | about 7 years ago | (#18665043)

If you write a piece of code that's going to spread through unpatched computer networks you're creating a worm. Not only that, but if you make a mistake and this piece of code somehow (unforeseeably) damages any thing you will be in a world of hurt.

Either way, the law doesn't look to kindly on computer trespass even if (you *claim*) your intentions are good.

Re:Liability... (3, Interesting)

cdrguru (88047) | about 7 years ago | (#18665167)

Yes, you are going to be in the same position as the folks that create botnets. We see every day how these people are treated.

Are they arrested in thrown in jail? No, they are living very well in Russia from their ill-gotten gains.

There is no liability unless you are a complete idiot.

Re:Liability... (4, Funny)

fm6 (162816) | about 7 years ago | (#18665519)

No, they are living very well in Russia from their ill-gotten gains.
So if I write a counter-bot, I get to go live in Russia? What an incentive!

Re:Liability... (4, Funny)

bcattwoo (737354) | about 7 years ago | (#18665559)

Yes, you are going to be in the same position as the folks that create botnets. We see every day how these people are treated.

Are they arrested in thrown in jail? No, they are living very well in Russia from their ill-gotten gains.

There is no liability unless you are a complete idiot.
Or don't want to live in Russia.

Re:Liability... (0)

Anonymous Coward | about 7 years ago | (#18666775)

Or you bounce it through a Russian system. You can see how tightly those are monitored.

Re:Liability... (1, Funny)

Anonymous Coward | about 7 years ago | (#18666155)

Either way, the law doesn't look to kindly on computer trespass even if (you *claim*) your intentions are good.

"Your honor, the camera I installed in her bedroom was intended to be a security camera. For burglars, you know..."

Re:And that won't change soon (1)

eli pabst (948845) | about 7 years ago | (#18667219)

Someone tried to do that a few years ago (remember Welchia) and it caused more harm than good with widespread internet congestion and critical systems getting rebooted.

Worm description:

W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the version of the operating system of the infected machine is Chinese (Simplified), Chinese (Traditional), Korean, or English, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install it, and then restart the computer.The worm also attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.
http://www.symantec.com/security_response/writeup. jsp?docid=2004-021115-2540-99 [symantec.com]

Re:And that won't change soon (4, Insightful)

Anonymous Coward | about 7 years ago | (#18664861)

It's as simple as updateing to SP2, something that works automatically.

Updating to SP2 isn't simple though. It's a massive download if you're on dailup or even a slow DSL connection. On top of that it takes up a lot of disk space/RAM and if you have anything but latest high-speed machine you're going to be sitting there waiting a long time while it installs.

Make a CD (5, Insightful)

davidwr (791652) | about 7 years ago | (#18664929)

If you are stuck with dialup, get a friend to download the SP2 CD and burn it for you.

If you have DSL or Cable and nothing else on your LAN is infected, your NAT or other firewall should protect you from "out of the box" threats. As long as you stick to known-safe web sites like windowsupdate and most security-software vendors, you should be OK long enough to get updated.

What's that? You are on DSL or Cable and do NOT have a firewall? Spend a few bucks and get one!

Re:Make a CD (4, Insightful)

EsbenMoseHansen (731150) | about 7 years ago | (#18665805)

What's that? You are on DSL or Cable and do NOT have a firewall? Spend a few bucks and get one!

That one bears repeating. If you want to run windows, you are simply going to have to run it behind an idenpendent firewall, unless you enough of a security expert to be able to outline a IP packet without looking at the books. If you are too cheap or poor to get one, (k)ubuntu is right over there. CD's to be had for a couple of euros, and with the refund for the windows license, you're even going to save a few dollars or euros.

This goes for Windows up to and including the XP. Never been near Vistas, but from I hear, it's the same deal.

Hard to do with dialup (1)

davidwr (791652) | about 7 years ago | (#18666673)

Sure dialup users can install a non-Microsoft firewall, but is that really "independent" of Microsoft?

An external modem plus external firewall box that hooks to it isn't cheap, not on the new market anyways.

With newer motherboards and CPUs, you can run a stripped-down Linux that just dials and launches Windows XP or a VM-legal version of Vista in a VM. But what non-techie consumer wants to do that?

Dialups aren't good Bot fodder anyway (2, Insightful)

billstewart (78916) | about 7 years ago | (#18665091)

If you're on a slow DSL, yes, it'll take a while to download SP2. Big deal - run it at night, and you've now *had* a couple of years, so realistically what you're talking about is installing an upgraded OS on your upgraded PC, so you could do the download on your old machine before you plug the new one in.


A large fraction of the problem can be taken care of by using a hardware firewall in front of your PC from the moment you first plug it in, which'll usually keep you safe long enough to get the current security upgrades. That's not fool-proof - there are bad guys hunting for flaws in popular firewall boxes - but it's a good start.

Re:And that won't change soon (1)

Opportunist (166417) | about 7 years ago | (#18665129)

You mean the amount of bandwidth wasted by that bot within less than a day is less than that, yes?

Re:And that won't change soon (0)

Anonymous Coward | about 7 years ago | (#18665387)

Also the other problem with this is

1 - Most users are unaware of the need for a patch. when there pc gets infected they just think 'ah thats how computers are, they are really slow etc'
2 - SP2 should download automatically in the background even on a fresh install, sometimes it does not. even if it was to install successfully the chances are the machine has already been infected. It takes 1 or 2 minutes for a machine to become infected.

People need to be educated about the type of risks out there. but what we have is company's like norton that do not push this type of education, instead they will push there products first.

MS can not warn these people mainly because a lot of them have pirated copy's of xp.

I think this problem will take 10 years or so to clean up

Re:And that won't change soon (2, Informative)

toleraen (831634) | about 7 years ago | (#18666397)

Actually just running windows update [microsoft.com] will fix both of the named worms...so even if you do get infected with either of them, once you finally get your updates it should fix it.

Re:And that won't change soon (1)

zero_offset (200586) | about 7 years ago | (#18665541)

On top of that it takes up a lot of disk space/RAM

It's 2007. A couple hundred megs isn't a lot of disk space.
Come to think of it, a couple hundred megs is an average amount of RAM.

Re:And that won't change soon (4, Informative)

Junior J. Junior III (192702) | about 7 years ago | (#18664927)

Probably so many XP users are on license keys that have been disabled by Microsoft Genuine Advantage so that they can't upgrade to SP2, so they're left compromised and unable to defend themselves by remaining patched by Automatic Updates.

Re:And that won't change soon (2, Insightful)

Opportunist (166417) | about 7 years ago | (#18665181)

Hmm... then to fix that bot problem, all we'd have to do is report the IP Addresses hammering against our firewalls as potential pirates? In the current hype and the leeway IP holders get when filing suits and pressing Names from the ISPs, it should be easy to instill enough fear in those upgrade-resistant people ...

I have a plan. Thanks for helping me on the track.

Re:And that won't change soon (1)

Kristoph (242780) | about 7 years ago | (#18665295)

If Microsoft Genuine Advantage turned off these people they already know their IP address and they choose not to do anything about it.

]{

Re:And that won't change soon (4, Interesting)

Junior J. Junior III (192702) | about 7 years ago | (#18665649)

It's an idea, but I'd recommend against it. So many legitimate license keys have been disabled by Microsoft that it would affect a huge number of innocent users who've had their key disabled because MS felt like it.

I have seen firsthand and heard countless confirmations of people re-installing XP on their OEM system using the license key from the sticker that was glued to their system case, and being rejected by Microsoft's Product Activation. I'm not sure the reason behind this, but I'd guess that most likely some keygen hacker program ended up randomly generating the same key and was used enough times that MS decided to distrust that key anymore.

In my case, I was helping out a friend of the family with getting their laptop back in service after it had been hopelessly compromised by malware. I entered the key from the sticker on the bottom of their laptop, and Product Activation failed. I called the 1-800 number that Microsoft said to call, and went through all their steps to generate a new number, but it just told me that I was rejected and that my number was in fact really no good. I had no recourse, no appeal, no live body to talk to on the phone. So I did the only thing I could do to return the system to service, and used a Corporate license key that didn't need to be run through Product Activation and would not trip of on WGA.

Now, you might say that pissing off all these legitimate users would actually be a good thing, because it will ultimately help Microsoft to shoot its foot clean off by enraging masses of legitimately licensed end users who've been disconnected from the net because they couldn't maintain their systems properly because MS couldn't validate their license even though it wasn't pirated. But I don't think it's quite fair to say that every license key that fails to pass WGA is ipso facto a pirate user. If you block everyone on suspicion of running an unpatched, compromised, pirated OS, you're going to affect a lot of screwed paying customers. As long as they rightfully blame Microsoft for being the cause of their woes, you should be in the clear. If the collateral damage is worth it, then I guess it's not a bad plan.

Re:And that won't change soon (1)

innocent_white_lamb (151825) | about 7 years ago | (#18666865)

So I did the only thing I could do to return the system to service, and used a Corporate license key that didn't need to be run through Product Activation and would not trip of on WGA.
 
I wouldn't dream of doing this. If someone has problem with Windows and asks me for help my usual response is that I really don't know too much about Windows. Which is actually true.
 
Were I in your situation as described, I would be more inclinded to say, "Sorry, you'll have to deal with Microsoft directly on this one." and leave it at that.

Re:And that won't change soon (0)

Anonymous Coward | about 7 years ago | (#18667057)

Almost any Dell laptop running WinXP Pro will fail WGA if you try to reinstall it. I know of three people who have purchased new copies of WinXP Pro to solve this problem.

Mod parent up (0)

Anonymous Coward | about 7 years ago | (#18667435)

and Ouch!

How shitty is that? And why didn't they sue MS or something like that, demand a new version of Windows, instead of throwing more money at the company that totally ripped them off and left them with NO FRICKING OPERATING SYSTEM AT ALL, even though they legally paid for it?

I'm not using Windows anymore (used to run Mac OS after a while on Linux and XP, now I'm a happy Ubuntu user), but this is really the nail in the coffin. I'd tell that company such a big Fuck You that the mountains would shake.

Re:And that won't change soon (1)

Opportunist (166417) | about 7 years ago | (#18667315)

Well, you have to look at it this way, reporting those bots as pirates is a win-win situation. You use up the legal fund of the mafiaa and keep their sharks busy, and you get rid of bots.

I don't want to report the WGA failures, I want to report the bot IP Addies. If nothing else, it might give clueless people an incentive to update their system or get the hell out of the 'net.

Either way is fine with me.

Re:And that won't change soon (2, Insightful)

bogjobber (880402) | about 7 years ago | (#18665605)

That might be part of the problem, but I'm sure there are more people out there that simply don't upgrade. Every time I visit my sister and/or parents house I make sure to do it, because they never download or install updates. If it wasn't for me I doubt they'd have gotten SP2.

Re:And that won't change soon (1)

Hoi Polloi (522990) | about 7 years ago | (#18666643)

Might as well turn on automatic updating while you are on their machines. Maybe even install some spyware cleaners too.

Laziness as far as I can tell (3, Insightful)

Sycraft-fu (314770) | about 7 years ago | (#18665977)

I run in to two groups that make up the majority of "not updated" systems:

1) People who won't do any manual steps at all to update. Every so often, Windows has an update that needs you to interact with it. Rather than autoinstalling it'll just put the little "You've got updates" icon in your sys tray and pop up a bubble about it from time to time. However some people just refuse to deal with that. A couple clicks is more than they are willing to do. Totally automated is ok, but they can't be bothered to do anything more.

2) However an even larger number don't want their system to reboot. Tons of those at work. They have something or other running continuously that they can't be bothered to save the state on. So they turn off the updates so that it won't reboot. Yes, really.

That accounts for at least 90% of the no-update people I run across. There's a small percentage that won't do it because they read on some forum that some guy had a problem with an update and they are convinced Microsoft will break their system, but most are just lazy as hell.

Re:Laziness as far as I can tell (1)

Opportunist (166417) | about 7 years ago | (#18667335)

I really wish I had a license to kill. Well, at least kill those systems. I know that it's illegal for some odd reason to kill their users.

Re:And that won't change soon (1)

Heembo (916647) | about 7 years ago | (#18666629)

We're not talking about an unfixable problem,
Excuse me? I don't know about you, but I'm not going to be the one to globetrot to every idiots winblows machine and patch them up! Better bring extra underwear for that trip....

Reduced diversity. (4, Interesting)

Red Flayer (890720) | about 7 years ago | (#18664791)

Q1 2007: 80% from two families.

2006: 74% from these families.

Hmm. Too bad bots reproduce asexually, otherwise we could hope for inbreeding to take them out.

Seriously, though, is the decreased diversity in bot "heritage" a good thing -- does it mean that bot infections are easier to detect and treat?

Or does it not make any bit of difference until the typical user learns to protect their PC?

Re:Reduced diversity. (2, Funny)

drinkypoo (153816) | about 7 years ago | (#18664965)

Seriously, though, is the decreased diversity in bot "heritage" a good thing -- does it mean that bot infections are easier to detect and treat? Or does it not make any bit of difference until the typical user learns to protect their PC?

Your answer: "yes". Now where's my cookie?

Re:Reduced diversity. (1)

maxume (22995) | about 7 years ago | (#18665019)

It isn't clear to me that the drop means anything at all. If it represents some huge number of machines that are no longer bots, great, but if they didn't detect 15 instances of some other network, who cares(anecdotally, it appears that there are still many many infected machines).

Seeing as they are probably classifying the families based on the control systems, it probably just means that the authors of these particular networks are just working harder on newer exploits than other networks.

Re:Reduced diversity. (1)

Billosaur (927319) | about 7 years ago | (#18665263)

Until either a) the average Net user's savvy increases and they take steps to protect their personal systems or b) systems are developed that don't require the user's interaction to provide adequate defense, the number of bots will increase steadily. Bots using the same base code but with variations will always be easier to track than completely new strains, but I think at this point the mechanisms for bot injection are so well known that that this will end up being the best way to control them. And even that will simply force the black hats to come up with new and inventive ways of duping people. The end point of the power of the botnet starts with the user taking control of their box and learning to defend it.

Re:Reduced diversity. (2, Informative)

houghi (78078) | about 7 years ago | (#18665397)

It does not mean anything. The only thing it means is that those two families are more successfull then the others.
If the remaining 20% is less then the remaining 26% in numbers, that could mean that some other families are faded out and/or that it is harder to remove those two families.
If the 26% and 20% are the same, it just means that those two families are spreading faster then the rest.
If the 20% is more then the 26%, then it would mean that in general we are winning the battle slowly.

By itself it means absolutely nothing. Also you would need to know how they are being put out there. If there are just a few that are realy pushing those two families, then it is no wonder that there are more of them.

Ecology problem (1)

abb3w (696381) | about 7 years ago | (#18666517)

Seriously, though, is the decreased diversity in bot "heritage" a good thing -- does it mean that bot infections are easier to detect and treat? Or does it not make any bit of difference until the typical user learns to protect their PC?

The limited heritage diversity suggests that one might make a dramatic impact on the non-technical aspects of the problem with a carefully applied use [slashdot.org] of [slashdot.org] hardware [wikipedia.org]. Unfortunately, that's a very short-term solution most likely to only result in rediversification and speciation, rather than any broader environmental shift in the culture leading to permanent extinction.

Food for thought (1)

Opportunist (166417) | about 7 years ago | (#18667551)

Percentages are meaningless if you don't have the total number. It can well mean that those 2 families spread incredibly fast while other worms spread more slowly.

I would not necessarily call that a good sign. Actually, I'd take it as an alarming signal. People are still as stupid as last year, so I wouldn't say that it's harder to infect machines.

Non Windows Bots (4, Interesting)

pembo13 (770295) | about 7 years ago | (#18664883)

Any information on non-Windows bots? I know bots are forever trying to get into SSH, so that must means non Windows machines are being targeted, but I am curious as to the success-rate.

Re:Non Windows Bots (1)

Gheesh (191858) | about 7 years ago | (#18665015)

I, too, would like to see some success rate figures for these attacks. I'm not sure, however, that this constant SSH knocking comes from bots rather than programs run on purpose... Do you have some info on that?

Re:Non Windows Bots (1)

pembo13 (770295) | about 7 years ago | (#18667397)

Purely assumption that they are bots based on the fact that I've seen a lot of them, even on my my fairly paranoid university LAN, likely from laptops connecting via wifi.

Re:Non Windows Bots (5, Interesting)

Anon-Admin (443764) | about 7 years ago | (#18665037)

I don't think those are bots.

I noticed my servers SSH port being hit a few years ago. I moved it to another port, locked the port down, then set up an SSH honey pot on the standard port. The honey pot attempts to ID people from programs using a verity of methods such as space between key strokes and use of the backspace or delete key.

I found that once the attacking software appeared to have access to the server, A person would login and check it out. Most of them attempted to use wget to dump a root kit onto the server. I have grabbed copies of the software they attempt to down load and checked it out.

It normally consists of a root kit, network scanner, packet sniffer, and the scanning software to scan and hack SSH.

I think these are wannabe hacker kids trying to get in.

Re:Non Windows Bots (0)

Anonymous Coward | about 7 years ago | (#18666109)

I'm AC because I'm at work, but I would be extremely grateful if you would throw together a webpage that had instructions on how to do this.

Re:Non Windows Bots (4, Informative)

Anon-Admin (443764) | about 7 years ago | (#18666701)

For you or anyone who wants to know more about the software and setup. Go to my website, http://www.xganon.com/ [xganon.com] and send me an e-mail. Just select the "Contact Us" button and fill out the info. Ill e-mail you back and we can go over the software (open source) and how to set it up.

I am always willing to help people secure a system. :)

Redone bot runs on Linux (2, Informative)

flyingfsck (986395) | about 7 years ago | (#18666331)

Those SSH password attacks spread Linux based Spambots. I have repaired a handful of servers in the USA and Singapore that suffered infections. The Redone spambot targets the tens of thousands of indentical systems on server farms, of which some are sure to have bad passwords. Once it has set up shop it spewes out enormous amounts of spam. It is managed through IRC.

Re:Non Windows Bots (1)

garcia (6573) | about 7 years ago | (#18665069)

They never make it into my machine and every time I see a login flood that hasn't already been auto banned, I add the IP block to my ban list (usually a /24 unless it's a foreign ISP and then I ban the entire thing (usually a /16 and sometimes the entire /8).

There's a reason for that. (5, Informative)

Spazntwich (208070) | about 7 years ago | (#18664971)

SDBot is incredibly popular because it's open source and easily modified to sneak past most AV software with minor changes. It also has an extremely wide array of features, and tends to be very reliable.

People without the knowledge to code their own trojan/bot from scratch will naturally gravitate towards tools which allow them to make their money more easily, and it's a real time saver.

Or so I hear.

"Or so I hear." (1, Funny)

Anonymous Coward | about 7 years ago | (#18665297)

You are supposed to check the Post Anonymously box when you talk like that :)

Re:"Or so I hear." (2, Funny)

Spazntwich (208070) | about 7 years ago | (#18665705)

If I were posting seriously, I would have.

You get a lot of blank stares in casual conversation, don't you?

Re:"Or so I hear." (3, Funny)

karnal (22275) | about 7 years ago | (#18666319)

Are you trying to say he/she works at Radio Shack?

Oh wait, that'd be giving blank stares.... nevermind.

Re:There's a reason for that. (2, Funny)

bcattwoo (737354) | about 7 years ago | (#18665659)

SDBot is incredibly popular because it's open source

Yeah, I used to Oscarbot, but the EULA with their latest upgrade was freakin' joke! Then they dropped support for Oscarbot 98, meanwhile their crappy software isn't even compatible with Vista. Thank God for OSS!

Families of Virii (1)

The Living Fractal (162153) | about 7 years ago | (#18664997)

Not sure if the article wants me to be surprised by this. What percent of all virii in humans are in the family of the common cold or influenza?
There has to be some kind of parallel here.

Weird, but as I was writing this something tried to change my default search page. Usually I wouldn't say this, but I hope it was Microsoft ;p

TLF

Spelling Nazi (0, Offtopic)

skeevy (926052) | about 7 years ago | (#18665337)

Though you may have learned that the plural of 'octopus' is 'octopi' and the plural of 'cactus' is 'cacti', the plural of 'virus' is viruses, not 'virii'. In fact, the -i pluralization is optional; the -es pluralization is standard.

Refer to:

Re:Spelling Nazi (2)

TeknoHog (164938) | about 7 years ago | (#18665501)

Though you may have learned that the plural of 'octopus' is 'octopi' and the plural of 'cactus' is 'cacti', the plural of 'virus' is viruses, not 'virii'.

If you use the logic "-us" => "-i", then we should have "virus" => "viri". Where the heck do people get the extra i?

Math-oriented people must be familiar with "radius" => "radii", but it does follow the same logic with the extra i already there in the singular form. Then again, "virii" is funny in the way that it emphasizes incorrect spelling. It's even more funny when used by someone pretending to work with computers where typos are much more dangerous than in natural languages.

Sorry, dude, correct usage here (1)

I)_MaLaClYpSe_(I (447961) | about 7 years ago | (#18665685)

Although Wikipedia states that:

The less frequent variations viri and virii are virtually unknown in edited prose, and no major dictionary recognizes them as alternative forms
, Hackers like to use "virii" as the plural form of virus, even if Latin scholars object that this invented term does not follow standard patterns in that language - just to refer to the plural of computer viruses opposed to the plural of biological viruses.

So, although you are correct in terms of edited prose, I still use the term virii in order to refer to the plural of computer viruses.

Re:Sorry, dude, correct usage here (1)

Phisbut (761268) | about 7 years ago | (#18666329)

Hackers like to use "virii" as the plural form of virus

Just like they like to use "boxen" as the plural form of box. It's pure 1337ness, and I hate it.

Re:Spelling Nazi (1)

The Living Fractal (162153) | about 7 years ago | (#18665945)

You're right, the 2nd declension plural would be 'viri' not 'virii'.

But, language rules are sometimes broken. And virii looks better than viri and sounds better than viruses. It might be wrong, but that doesn't mean I can't like it more than what's 'right' as defined by some self-described language nazi. ;p

Does this make it easier for ISPs to spot them? (2, Interesting)

davidwr (791652) | about 7 years ago | (#18664999)

I'm not sure if botnets have "signature" activity that's easy for an ISP to spot or not.

If they do, then getting ISPs to proactively monitor their customers for botnet-specific activities and phone them when they see suspicious activity will go a long way toward eliminating these particular threats.

Imagine if your mother getting this answering-machine message from her DSL provider:
"Hello Ms. Jones. You've heard of computer viruses? Our engineers are seeing signs of a virus on one of your computers. Please visit our security web site at http://www.momsisp.com./ [www.momsisp.com] This same web site is printed on your billing statement. In the meantime, we are taking steps to keep the virus from spreading. This may affect your connection. We will remove these blocks automatically when we see your system is clean. If you have any questions, call us at 1-800-MOM-SISP. Thank you."

Her next call will probably be to you. Problem solved.

Re:Does this make it easier for ISPs to spot them? (1)

John Hasler (414242) | about 7 years ago | (#18665843)

> Her next call will probably be to you. Problem solved.

No. Money spent and customer antagonized.

Re:Does this make it easier for ISPs to spot them? (2, Funny)

vertinox (846076) | about 7 years ago | (#18665935)

Her next call will probably be to you. Problem solved.

And for those who don't have geek relatives...

Her next call will be to the ISP's tech in India who will say to call Microsoft who to says to call your OEM-Computer Vendor who says to call your Anti-virus vendor who tells you to call your local Geek squad who then proceeds to just somehow fry your video card while formatting your computer.

Problem solved! Oh wait...

Re:Does this make it easier for ISPs to spot them? (2, Interesting)

TerminalWriter (953282) | about 7 years ago | (#18666125)

Actually, I had this happen, although it wasn't a phone call.

My roommate set up a box and I guess he didn't finish patching it or something, because in less than a week, we got e-mail and snail mail from our ISP informing us of our PC that was scanning ports and more than likely had a virus. We took it off the network, but still haven't taken the time to wipe it and clean install it.

Fine, until... (1)

6Yankee (597075) | about 7 years ago | (#18666251)

"This is your Internet company. Our engineers are seeing signs of a virus on one of your computers. Please visit our security web site at $malware_site. In the meantime, we are taking steps to keep the virus from spreading. This may affect your connection. We will remove these blocks automatically when we see your system is clean. If you have any questions, call us at $premium_rate_engaged_tone_recording. Thank you."

Of course, I don't know whether the return is high enough to justify this sort of tactic, but it could happen.

Re:Does this make it easier for ISPs to spot them? (1)

nostrad (879390) | about 7 years ago | (#18666639)

I seem to recognize this. One of my friends got infected (family runs business and a server on NT4). I get there, disconnects router from ISP and gets to work. ISP calls, in 5 minutes your connection will be cut off.

Reasoning that no computer from the old network is connected wouldn't work. 5 minutes later and my rather old snort install can't be updated. Concluded that it was most likely the server (only computer that spit out weird traffic).

Conclusion: Your scenario is already in action if they spot suspicious traffic, and they've got no log of what triggered it so they won't aid you in your hunt.

Bot Nostalgia (1)

br0d (765028) | about 7 years ago | (#18665007)

I miss good old days, when all bots did was greet you, spit out dumb jokes, or print trite quotes on IRC. !spin !acro !seen Bananarama !cook me some bacon and eggs bitch

Re:Bot Nostalgia (1)

jginspace (678908) | about 7 years ago | (#18665471)

"I miss good old days, when all bots did was greet you, spit out dumb jokes, or print trite quotes on IRC."

Actually they were people. They've all moved on now buddy!

A valid botnet .. (3, Interesting)

Anonymous Coward | about 7 years ago | (#18665177)

Thought this would be an interesting point to add about botnets and security.

2 years ago I almost gave our security people a heart attack when I suggested an internal botnet.

We have most of our servers plugged into a tightly controlled IRC server.
All servers run a custom bot with limited access that pipe all critical files into specific IRC channels.

Response bots monitor the channels and take appropriate action, signaling the bots to run specific commands, paging, emailing, etc.

It allows NOC to run things like 'uptime' and have dozens of servers reply at once.

Security it tightly controlled at the bot and server level, using a custom hacked and very locked down UnlreaIRCd.

For our security at least, it was the first example of a useful IRC setup that allowed easy monitoring and limited control of servers.

As bad as botnets are, they are very good at what they do.
Good example of allowing totally unrelated applications to communicate with each other, as basically all programming languages have IRC support.

And a funny side note, my slashdot "verification image" is "misuse" ....

Don't call it a botnet (2, Insightful)

davidwr (791652) | about 7 years ago | (#18665345)

Would a botnet by any other name smell just as sour?

Probably not.

If you'd called it a distributed asset-monitoring and -control system and given it a fancy acronym like DAMACS or something, it would've been a better sell.

The Same Old Bots (4, Informative)

madsheep (984404) | about 7 years ago | (#18665227)

I have a few comments and one will answer some of the previous questions to some degree.
First, the majority of these trojans, specifically these are all IRC based. They are very easy to spot, especially in corporate environments. Why? Well because most people do not use IRC while they are at work. Not to mention many companies will have policies against it. This makes intrusion detection for these kinds of bots very easily. Since most of these servers housing the bots are just standard Unreal IRCD (generally hacker-installed) or whatever IRCD undernet/efnet/etc. run on, they are not encrypted. This means when a machine connects, traffic with "NOTICE", "PRIVMSG", "JOIN #" etc is all sent in the clear. There have been snort/bleeding snort rules to look for this type of activity for years and they haven't had to change much. Sure the ports might not always be 6667-6669/7000, but looking for activity like this on a certain port is dumb to do anyway.

A simple analysis of most IRC traffic should you have real-time peaks or capture logs will tell you pretty quick if it's malicious. If you see a nick change to XP|24249429 or USA|2942949 and it joins a channel called #owned with a topic of .scan 10.0.0.0/8 then there's a pretty good chance the machine in question is an infected bot and most likely with one of the aforementioned variants. Now most home users won't have insight into this type of activity. And funny enough there's not much "big brother" by way of ISPs caring much for this. Unless reported to them they most likely won't do anything. Even then they still might not do anything. http://www.shadowserver.org/ [shadowserver.org] keeps a list of good/responsive ISPs. This might be more in the case of a malicious host housing an IRCD, but that's beside the point.

Now finally these two are quite popular. Why? Well it has been said already. The source for them is our there and they are readily available. People frequently update and modify them to avoid AV detection. Hell, many people don't update and modify them. So many people are running without [updated] AV that it doesn't seem to matter much. If you notice how most people get infected, it's the same old thing. IM worm, e-mail worm, malicious website, or a scan for the 2 year old dcom exploit. Every time some new IE/Firefox/etc vulnerability is released, someone quickly makes it download their trojan.

These variants have been around for years. Luckily the people using them are pretty dumb. It's just a matter of time before worms/viruses/etc turn to web-based (not IRC) and encryption as the norm.

Uninstall? (0)

Anonymous Coward | about 7 years ago | (#18666073)

Given that these buggers usually have abilities like "download updates" why doesn't someone hack the bot networks and download an uninstall+patch program?

Unlike what others have said, it wouldn't be a "worm" because the patch would be unable to spread on its own. It would only be downloaded by those infected bots who are getting instructions over IRC.

Re:The Same Old Bots (1)

LocoMan (744414) | about 7 years ago | (#18667321)

There's a program that does something like that (IIRC it's norton internet security or something like that). If it detects a botnet command coming trough IRC, it disconnects all IRC connections on the computer. Unfortunately it has an annoying side effect (which an IRC friend kinda hated me for for a while) that if you were talking on IRC, and someone wrote one of those commands, it would disconnect you.. :)

ISP's half the problem (4, Insightful)

cdrguru (88047) | about 7 years ago | (#18665327)

No ISP is going to shut off an account because of an infected computer. They might throttle it somewhat, but it is the site administrator's responsibility to deal with infected computers. What? Your parents don't have a "site administrator" overseeing their computers? (((except when you are there... ha ha))) Well, that sounds like a real problem, doesn't it?

What we have are general-purpose computers that people install random software on without thinking about where it came from, what it might do and the consequences of having that happen. Then, they don't check to see what their computer is doing when it is supposedly idle and thrashing around on the hard drive or is really slow. Well, maybe it is just getting old and needs to be replaced. Right.

So we have the equivalent of handing a loaded revolver to a three-year-old and leaving the room. We have seen how they can hurt themselves with it. We can see how they hurt others with it. And about all that is done is giving them some more bullets.

Let's be clear about one thing here. Windows "security" or the lack of it is not the problem. If the machine is locked down utterly so that nothing can be installed, removed or modified Windows security is perfectly adequate. Unfortunately, nobody seems to want to run their computer this way. There is no security if the "user" can simply install any old thing they want, be it some new flash player with a bug in it, WeatherBug or a bot trojan. Signing code is not the answer - people aren't reading the messages that are displayed. You could have a page of text displayed when a trojan is installed that says in eight different ways "this will take over your computer and make it ours" and people would install it.

The answer is pretty clear. General purpose computers that can have software installed are a tool that must be monitored, controlled and administered. Giving one to a user and leaving them alone with it is a reciepe for disaster. Just like the disaster with spam, botnets and viruses we are seeing right now.

Re:ISP's half the problem (1)

Rob the Bold (788862) | about 7 years ago | (#18665589)

The answer is pretty clear. General purpose computers that can have software installed are a tool that must be monitored, controlled and administered. Giving one to a user and leaving them alone with it is a reciepe for disaster. Just like the disaster with spam, botnets and viruses we are seeing right now.

Your solution would take computers out of the hands of every non-expert user who didn't have a systems administrator handy. This would almost completely wipe out the home computer market. I don't disagree that your solution would be effective, but I doubt you could get too many parties (e.g. Dell, Microsoft, Aunt Betty) to accept the cost.

Re:ISP's half the problem (1)

MightyYar (622222) | about 7 years ago | (#18665789)

Instead of taking computers away from everyone, perhaps we should come up with an incentive plan for ISPs to deactivate or throttle the connection to infected computers? They won't do it without some incentive.

Of course, this would only take care of the zombies in the country where the incentive is being offered...

Re:ISP's half the problem (1)

jfengel (409917) | about 7 years ago | (#18666093)

It would take agreement among ISPs to ban/throttle each other when they're not following whatever rules they agree on about obvious spam sources coming from their routers.

As in, if Comcast or Verizon or AOL says, "Look, if you're not going to do something about the evil packets coming from your IP addresses, I'm going to have to do it myself by dropping all packets from you."

That has the effect of putting pressure even on ISPs from other countries. When their valid users start complaining that they can't get their mail through, they'll have to work on the problem.

It doesn't entirely solve the problem; the only thing that goes from one ISP to another is mail, and mail is not the most important protocol on the web. It would be nice if, say, Google and Amazon would also participate but they're just not going to turn away customers.

There are still some arguments to come out; some will swear that's all valid email traffic and not spam. Or they'll argue about how quickly they can be expected to react when one of their clients becomes a bot, and they'll come to Slashdot to complain how somebody hooked up a laptop to their network and they had to spend 20 hours talking to customer service to get it restored.

Nonetheless, it sounds like a start, and it works peer-to-peer between ISPs without having to get any governments involved.

O RLY? (1)

Sycraft-fu (314770) | about 7 years ago | (#18666069)

Cox (cable company) will. Back a few years ago I had a Cox connection and one day I found it not working. Called tech support, and they referred me over to the abuse department. Turns out my roommate had gotten his system infected. Once I'd confirmed I'd cleared it up, they turned the connection back on.

ISPs should, and some do, look for infected machines and shut down the connections.

Re:ISP's half the problem (2, Insightful)

tppublic (899574) | about 7 years ago | (#18666171)

The answer is pretty clear. General purpose computers that can have software installed are a tool that must be monitored, controlled and administered. Giving one to a user and leaving them alone with it is a reciepe for disaster. Just like the disaster with spam, botnets and viruses we are seeing right now.

I'm sure there are many large companies - ones that would love to protect the status quo - that would greatly support your proposal.

I think what you propose is crazy.

You have failed to follow through the implementation and resulting consequences of this action.

The problem isn't only general purpose computers, it is general purpose processors running general purpose operating systems. Making it 'embedded' doesn't necessarily solve the problem. For example, there have been vulnerabilities in various routers over the past few years, and your action would not solve those issues. You provide no evidence that preventing user installation will protect the system in any fashion. The system would still have underlying x86, PPC, ARM or MIPS processor which could run arbitrary code.

First, how do you allow people to get a system where they can write software? It is both systematically difficult, and is a practical impossibility with current systems. Given that many products have some form of scripting built in (including Microsoft Office, and about every version of *nix there is), it is difficult to prevent someone who is even marginally capable from writing software. For example, when I was a university student, there were strict policies that prevented the compilation of software on the community Unix system (Sun servers at the time). However, given that sh, csh, and tcsh were all available on the system, I could perform just about any action I wanted on that system, as far as software is concerned. That's not to say it wasn't slow compared to a compiled program (it WAS), but it was almost impossible for them to detect or prevent.

One potential (and partial) solution to this is so-called the 'trusted computing' model, which would only allow 'certified' software to run on a computer. I posit without proof that the challenge of preventing ANY method of forging electronic certifications is very difficult. Computational infeasibility can be worked around simply by having one person in the system walk off with a legal certificate. Look at how the Mongolians eventually got through the Great Wall of China. If I recall the stories correctly, they simply bribed some guards. Reducing the system leakage to zero is not practical (nor is it beneficial, given that there are countless 'business people' working in marketing and finance who develop their own scripts to automate their work).

Also, software development is valuable and available world-wide. The ability to go overseas to get work done is completely possible in the software engineering world. If only one country or region places the restriction you propose (I guarantee developing countries will ignore your restriction), then those countries are at a competitive disadvantage. Their next generation will ALSO be at a competitive disadvantage, because they will not develop the appropriate skills. Some of the best programmers do NOT come from formal education in computer science.

The problem we actually have is the lack of incentive to fix the problem.

The user who's machine is infected has no large incentive to help the problem. ... and the ISP just ignores the issue. So we need there to be penalties to having an infected machine. The ISPs can then sell a form of monitoring (effectively insurance, a wildly profitable business) to users who do not want to or have the skills to do their own monitoring. I recognize the challenge of dealing with international sites remains.

The companies have no incentive to change, either. The pressures that exist to release software combined with the lack of any material negative effect on software vendors for producing bad software cause the quality problems. For example, I challenge you to find any defects reported about the software that powers Johnson & Johnson's medical products (heart-lung machines and the like). This is not civil engineering, where there are major material effects from a failure. If my word processor crashes and destroys my blog entry, there is not a significant loss of life or other major harm for me to use against the software vendor. Combine that with the end user license agreements that prevent any action against the company, and a large portion of the software industry has effectively eliminated any incentive to write quality software. Making the softwrae embedded wouldn't change that. Liability on the software companies to produce good software would.

Re:ISP's half the problem (2, Interesting)

Beryllium Sphere(tm) (193358) | about 7 years ago | (#18666233)

>There is no security if the "user" can simply install any old thing they want, be it some new flash player with a bug in it, WeatherBug or a bot trojan.

Not on today's OSes and architectures, but those aren't the only possibilities.

Moving away from the assumption that software is trustable would be a great start. Why does my web browser have authority to overwrite my hosts file, just because I do and I'm the one logged in while it's running? Why does my email client have authority to launch executables?

Operating systems that enforce per-program restrictions do have a terrible record of being hard to use, and eventually someone will tell downloaders "remove jumper J4 to disable mandatory access control so you can install our dancing cursors.

Re:ISP's half the problem (1)

Lexic0n (107205) | about 7 years ago | (#18666709)

I hate to say it, but I am beginning to think the parent is correct in their assessment of how to solve the spam/bot/rootkit/spyware/malware problem. It seems that general purpose computers need to be regulated and only run by licensed professionals.

Give everyone else WebTV and an XBox or something.

Don't Italians own computers? (0)

Anonymous Coward | about 7 years ago | (#18665549)

What about the Gambino family?

(A/C b/c I don't want to go phishing wearing cement shoes;)

attn mods: this is not offtopic, troll, or flamebait. Mod me as such and Vinny will have ta see youse, capish? Noce kneecaps yo' momma got there, shame if anything was ta happen to 'em...

Two families??? (2, Funny)

Vexler (127353) | about 7 years ago | (#18665641)

I thought they were Symantec and AVG.

Oh, you mean *PUBLICLY* acknowledged virus writers?

Re:Two families??? (1)

flyingfsck (986395) | about 7 years ago | (#18666435)

Yup, I wish someone would slip up and make it clear that Symantec and McAfee are distributing viruses. I keep hearing rumours, but haven't seen proof myself.

White hat "mal'-ware? (1)

John Jorsett (171560) | about 7 years ago | (#18665957)

Just out of curiosity, has anyone ever attempted to put together malware-like programs that actually FIX the problems that real malware exploits? Maybe even expunging already-installed malware in the process? It sure seems leaving security up to the users isn't working.

Re:White hat "mal'-ware? (2, Interesting)

orclevegam (940336) | about 7 years ago | (#18666291)

There is a classic case of this that happened IIRC at MIT on one of the early networks. Some bright person wrote a small worm that went around and performed regular updates to the systems. All went well for a few months or so, but then a previously unknown bug in the worm caused it to go nuts and brought the network down HARD. In a similar vein, as an example of how things can go wrong, there's a famous story of someone (seem to remember him being connected with NSA or CIA or one of them... son of the director?) who wrote a worm that didn't have a payload in it to see if he could do it. It was supposed to send a couple copies of itself out, propogate for a bit, then erase itself. A bug in the logic however made it bombard the network attempting to propogate which resulted in one of the first DDOS attacks, even if un-intentional.

The reason in short of why you don't see any white hat mal-ware is because the risk is just too great that something can go wrong. It's better to come up with a more robust solution to the problem, rather than introducing another element into the mix that is already on shaky ground to begin with.

Re:White hat "mal'-ware? (0)

Anonymous Coward | about 7 years ago | (#18667221)

I'm too lazy to dig up the URL, but I remember seeing a story around here a while ago about a bot that installed an anti-virus program on infected computers. It's not quite what you're thinking of though, because instead of just being done to really clean the computer, it was to make sure that the bot ran as efficiently as possible.

Detection Question (1)

bizitch (546406) | about 7 years ago | (#18665993)

Whats the simplest down and dirty way of detecting a worm infection?

Assuming the worm is smart and disables any/all preventative measures on the host system - can one observe certain network activity behavior that would give the worm away?

Re:Detection Question (2, Interesting)

B5_geek (638928) | about 7 years ago | (#18667093)

Port monitoring.

Unusual activity on non-standard ports. Atleast thats how I discovered it at my last job. Open up a packet sniffer, let it pull in traffic for a little while, then investigate.

Smarter worms use standard ports, but then you tell but unusual traffic patterns. (ie, why does "Bob the idiots" computer keep sending 2k of data to pron-iz-gud.com 50 times a minute??)

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...