
New Botnet Dwarfs Storm

CmdrTaco posted more than 6 years ago | from the that's-a-lotta-zombies dept.

Security 607

ancientribe writes "Storm is no longer the world's largest botnet: Researchers at Damballa have discovered Kraken, a botnet of 400,000 zombies — twice the size of Storm. But even more disturbing is that it has infected machines at 50 of the Fortune 500, and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques that hinder its detection and analysis by researchers."


Another botnet? (-1, Redundant)

Mr.Fork (633378) | more than 6 years ago | (#22988462)

I welcome our new botnet overlords!

Designate Windows OS as Terrorist Tool (5, Funny)

weyesone (1216104) | more than 6 years ago | (#22988480)

Forbid Windows OSs from running in the USA because it's a de facto tool for terrorism.

Re:Designate Windows OS as Terrorist Tool (5, Interesting)

Arancaytar (966377) | more than 6 years ago | (#22988880)

Last I heard, they were arguing the exact opposite - non-Windows systems are too hard for the government to break into.

And who knows, perhaps Kraken is sending your data to HLS on the side? If I made a government spy virus, I'd disguise it as a spambot too... the signal is lost in the noise.

This, needless to say, could also explain the surprisingly low discovery rate on standard AV tools.

[/tinfoil hat]

In soviet russia ... (0, Funny)

Anonymous Coward | more than 6 years ago | (#22988498)

... the botnet detects you!

I am not trying to obnoxious. (5, Insightful)

AndGodSed (968378) | more than 6 years ago | (#22988502)

How many of those zombies are Linux platforms?

Re:I am not trying to obnoxious. (4, Insightful)

jcr (53032) | more than 6 years ago | (#22988548)

About as many as are running Mac OS X or Solaris.

-jcr

Re:I am not trying to obnoxious. (0, Troll)

Lumpy (12016) | more than 6 years ago | (#22988936)

Which honestly is why I have switched to OSX for ANYTHING that I do that has my financial and important information on it. My taxes this year were done with TaxCut on OSX.

I still use windows for my mediaPC and gaming but it will never again be used for important tasks that contain my private information.

I also was looking for an additional justification to get the wife to approve me dropping $2800 on a new Mac Tower :)

Re:I am not trying to obnoxious. (0, Funny)

Anonymous Coward | more than 6 years ago | (#22988554)

Less than 1%.

Re:I am not trying to obnoxious. (3, Informative)

Thelasko (1196535) | more than 6 years ago | (#22988642)

Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.
This implies that it's primarily targeting Windows machines. But I still worry...

Re:I am not trying to obnoxious. (2, Insightful)

AndGodSed (968378) | more than 6 years ago | (#22988738)

Yes, and .exe should only target Windows - but what about people running wine?

But then, a person running wine either knows better than to open a random .exe from a mail - or has tech support looking after them...

btw, who these days opens these spammy messages AND clicks on the executables?

*shakes head*

Re:I am not trying to obnoxious. (1)

Thelasko (1196535) | more than 6 years ago | (#22988776)

I don't trust wine for just that reason. I only run it on a VMware image of Xubuntu. Sounds redundant and it would probably be simpler to just install a VM of Windows XP but it's free and open source.

Re:I am not trying to obnoxious. (3, Informative)

kcbanner (929309) | more than 6 years ago | (#22988916)

ps aux | grep wine
Oh good, nothing running. wineserver runs when you start a program and ends when the last process is closed. Nothing will simply start on its own (unless the process running under wine is aware that it is being run under wine and can somehow write to rc.local...even then, you need root privs for that).

Re:I am not trying to obnoxious. (4, Informative)

lilomar (1072448) | more than 6 years ago | (#22988934)

You know that VMWare is proprietary, right? Running ubuntu with wine in VMWare because using XP in VMWare wouldn't be FOSS is kinda self-contradicting.

Re:I am not trying to obnoxious. (2, Informative)

Thelasko (1196535) | more than 6 years ago | (#22988970)

Free as in beer.

Re:I am not trying to obnoxious. (1)

lilomar (1072448) | more than 6 years ago | (#22989038)

You should have left off the "and open source." if that is what you meant.

Don't get me wrong, I don't have anything against you for using proprietary stuff, I run XP in a VM on my Ubuntu box. But you shouldn't misrepresent yourself.

Re:I am not trying to obnoxious. (5, Funny)

Anonymous Coward | more than 6 years ago | (#22989110)

I've tried to run several exploits under WINE, only to have them crash.

The WINE developers really need to work on the compatibility... :P

Or Unix or Mac ... (1, Insightful)

Udo Schmitz (738216) | more than 6 years ago | (#22988688)

I assume a lot of those are Macs? Because I read on /. that Macs are as insecure as Windows machines and that Apple even takes longer to fix bugs ... Yeah, go and mod me flamebait or troll ... but I really would like an answer from all those MS apologists.

Re:Or Unix or Mac ... (3, Insightful)

stubear (130454) | more than 6 years ago | (#22988746)

Oh, please. Do you honestly think that if Windows were to vanish off the face of the earth tomorrow all these virus authors and botnet operators would suddenly throw their hands up and say "oh well, guess we'll have to find something else to do?" No, they'd start working on all the exploits in Linux and OSX. Since important financial data is stored in a user's account on the system there's little to stop someone from grabbing this data once they're in. Destroying the user's system is no longer the goal of an attack, you know.

Re:Or Unix or Mac ... (5, Interesting)

Lumpy (12016) | more than 6 years ago | (#22989018)

yes actually.

Viruses and bots are incredibly easy to get installed and infected on a PC. It's brain-dead easy.

It's far harder to get a Linux or OSX or BSD infection going, as you trigger the "you are trying to install "XXXX", enter your admin information to allow this to install" prompt for applications that are going to get their hooks in the system. All other applications can reside in a location that is safer and installable by the user only. And YES you can do this in Linux: a user can download, compile and run or even install an app to the user directory and use it just fine.

All OSX users I know don't simply click yes to everything, because the software makers have 1/2 a brain for those platforms. Windows apps all think they need to shove crap all over the PC, and therefore PC users are used to having even a fricking mp3-playing app shoving things in the Windows system directory, changing the registry, etc...

Stop that stupid behavior (return to farking ini files in the app directory instead of the incredibly stupid registry) and stop installing 65,000 random dll's in the system directories.

Re:Or Unix or Mac ... (5, Insightful)

shrykk (747039) | more than 6 years ago | (#22989044)

Do you honestly think that if Windows were to vanish off the face of the earth tomorrow all these virus authors and botnet operators would suddenly throw their hands up and say "oh well, guess we'll have to find something else to do?"

Well done, you've managed to switch the argument from the factual to the hypothetical.

This is the standard debate tactic in this situation. Get everyone tangled in debating the possibility of potential but non-existent Mac and Linux malware, judging its likelihood against factual and vastly damaging Windows viruses, worms and botnets.

Just acquit Microsoft of all culpability for poor and short-sighted decisions, incurring costs in the billions, for millions of users, by saying, "eh, it was inevitable."

Re:Or Unix or Mac ... (4, Insightful)

Sancho (17056) | more than 6 years ago | (#22989106)

It's the difference between "this platform is inherently more secure" and "this platform is safer because it's not targeted as much." Apple's market share is rising--if it gets too high, it will likely become the target of malware authors.

Re:Or Unix or Mac ... (1)

markov_chain (202465) | more than 6 years ago | (#22989078)

Destroying the user's system is no longer the goal of an attack you know.
Crap. What about every now and then writing random characters to the screen to fool the user into thinking their graphics card is worn out?
</goodoldtimes>

Re:Or Unix or Mac ... (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22988808)

You dumbass Mactard, pull your head out of Jobs' ass

Re:Or Unix or Mac ... (3, Insightful)

AndGodSed (968378) | more than 6 years ago | (#22988846)

Well, I don't use mac that often (only via a friend when I visit him...) but I don't think a regular .exe will run on a mac.

The only way I can see it working is if someone runs Parallels with Windows and opens the executable there - thus it is technically a "Windows machine" that is infected.

No os is totally safe from access - what distinguishes Linux/Unix/BSD and maybe even MACOS from the Windows crowd is what you can do when you have penetrated the firewall/got a mail inside.

With Windows it is easier (for various reasons) to have a program do something illegal - either via user click or automagically - than with the others.

For a hacker it would still be hard to do anything on a Linux/BSD/Unix box without root/admin privileges - maybe stealing info is the worst (via accounts that do not need special privileges to view/access files).

Thus the term "HOW SAFE" needs to be defined before one can argue the strong points of an OS over the other.

For one person ACCESS to the info is a security issue, and for another RUNNING AN UNWANTED PROGRAM (virus/keylogger/trojan/bot) is the issue.

With the first issue I'd say Linux/BSD/Unix is a little safer than Mac which is a little safer than Windows, with the second issue I'd say Linux/BSD/Unix is way safer than the others.

Re:Or Unix or Mac ... (0)

Sancho (17056) | more than 6 years ago | (#22988980)

Architecturally, there's little difference. However in practice, most vendors install Windows such that the default user is an administrator with no password, making it easier for malware to hide (but otherwise, not making it easier or harder for malware to get onto your machine.) Vista mitigates this slightly by ostensibly requiring an extra click from the user before modifying system files, even if the user is an administrator.

Despite what most Apple users would have you believe, the biggest reason that malware doesn't target OS X is the same reason that most game companies don't target OS X: market share. Because it's a cat-and-mouse game (malware writers vs. anti-malware writers--each always having to respond to the other), it makes much more sense to target the most common platform. Malware isn't a write-once, run for years kind of deal--it has to be constantly modified in order to escape detection. Effectively, this means that malware requires more updates than most software on a machine.

As Apple's market share grows, we'll probably see more malware target OS X. We may even see more infected machines initially, as there isn't much in the way of good Antivirus for OS X, most people don't run Antivirus software on OS X because of the perceived safety, and people are more likely to double-click dangerous files due to the perceived safety.

Re:I am not trying to obnoxious. (1)

ThirdPrize (938147) | more than 6 years ago | (#22988780)

but you are succeeding.

Re:I am not trying to obnoxious. (2, Funny)

AndGodSed (968378) | more than 6 years ago | (#22988948)

I try. *bow*

Re:I am not trying to obnoxious. (1)

Arancaytar (966377) | more than 6 years ago | (#22988814)

What you meant was surely:

"But... does it run Linux?"

I for one (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#22988506)

welcome our new giant zombie squid overlords

Scary (3, Insightful)

Mr2cents (323101) | more than 6 years ago | (#22988510)

A few years ago, you saw you were infected by all the popups that appeared out of nowhere. But now, there is no way to tell for sure, is there? Every time my computer does something strange, I'm worried that I might be infected.

Re:Scary (1, Insightful)

couchslug (175151) | more than 6 years ago | (#22988658)

"Every time my computer does something strange, I'm worried that I might be infected."

Dispose of Windows, install a more secure OS, and take the time to learn to properly use your new OS. Surf using a virtual appliance to isolate the rest of the system. Some folks even surf and do much of their stuff using a live CD. Somewhat awkward but quite safe, and not a bad idea for online banking etc. Even if one isn't especially worried, this stuff is fun and useful to learn.

Re:Scary (5, Interesting)

Pojut (1027544) | more than 6 years ago | (#22988834)

Dispose of Windows, install a more secure OS, and take the time to learn to properly use your new OS


Or you could just learn how to properly secure XP and not go clicking all willy-nilly on every email you receive.

With a combination of three free programs and a bit of common sense, I haven't gotten a single virus or bit of spyware on my XP box in literally years. ZoneAlarm, AVG, and Spybot make a fantastic defense.

Re:Scary (5, Funny)

Kugrian (886993) | more than 6 years ago | (#22988920)

With a combination of three free programs and a bit of common sense, I haven't gotten a single virus or bit of spyware on my XP box in literally years. ZoneAlarm, AVG, and Spybot make a fantastic defense.

..and is undetectable in over 80 percent of machines running antivirus software.

Re:Scary (4, Interesting)

Pojut (1027544) | more than 6 years ago | (#22989030)

..and is undetectable in over 80 percent of machines running antivirus software.


Hence why I also said using a bit of common sense (i.e. not clicking on everything that shows up in your email) and using a well-configured firewall. I also will occasionally check on the traffic that is outbound from my PC just to make sure something like this has not occurred.

It really is not difficult to keep a windows box secure. Granted, it requires more attention than a Linux box, but still...it's quite easy to set up and maintain.

Re:Scary (1)

Keeper Of Keys (928206) | more than 6 years ago | (#22988926)

Seconded, though I use Sunbelt Kerio rather than ZoneAlarm. I do also browse with NoScript, which also does wonders in keeping ads off my screen.

Re:Scary (2, Informative)

Spokehedz (599285) | more than 6 years ago | (#22989100)

The problem is that you don't have to click 'willy-nilly' on anything for most of these things to get into your computer.

The final word is that most people are connected directly to the internet without any firewall or anything else between them and the unwashed masses.

Re:Scary (2, Insightful)

dc29A (636871) | more than 6 years ago | (#22988922)

"Every time my computer does something strange, I'm worried that I might be infected."

Dispose of Windows, install a more secure OS, and take the time to learn to properly use your new OS. Surf using a virtual appliance to isolate the rest of the system. Some folks even surf and do much of their stuff using a live CD. Somewhat awkward but quite safe, and not a bad idea for online banking etc. Even if one isn't especially worried, this stuff is fun and useful to learn.
I always laugh my ass off when people suggest "get a more secure OS". What's wrong with Windows? You can make one single minor adjustment to your computer's usage and be free of malware: fucking stop using Windows as administrator. Problem solved. No need to install another OS, no need to buy a more expensive computer (Mac). One single thing to do.

Oh and stop clicking on every "OMG YOU WON AN IPOD TOUCHME CLICK HERE1111!!!!ONEONEONoneELEVENTYone11!!" banners. And how about some common sense about not executing a file called "horny_18_teen.jpg.exe"?

99% of current malware is due exclusively to user ignorance and stupidity. Wipe out Windows from the face of the Universe and what will you get? One BEEEELLLIIIIOOOON Linux and Mac zombies sending out SPAM.

Windows security is easy:
(1) Stop using your computer logged on as administrator.
(2) Common sense.

Yes I know, it's difficult.

Re:Scary (2, Informative)

Spokehedz (599285) | more than 6 years ago | (#22989134)

They tried the 'Run as Administrator' thing with Vista. It sucks.

You get spyware and crap TELLING you to click on the prompts--and people blindly follow it. Why? They don't know any better.

"For your Free iPod, click the Accept button, and then on the Allow Program dialog."

So, your logic fails.

Re:Scary (1)

SatanicPuppy (611928) | more than 6 years ago | (#22989024)

...install a more secure OS, and take the time to learn to properly use your new OS.
Whenever someone says this in reference to a *nix, I have to roll my eyes. There is a reason Unix admins are well paid, and it's not because it's trivial to competently admin a unix/linux machine. You have to master a number of skills to even begin looking for possible exploits on your machine, and to be able to say with certainty that it is secure? I don't know what that would take.

If it's not secure out of the box, then the odds that a person who doesn't specialize in unix is going to be able to figure out the issues are pretty low, and the amount of time a user would have to put in to get that sort of knowledge is prohibitive.

I do agree wrt using Live CDs; that's about the safest way of running a secure system. Deploying a security appliance can be done with a customized Knoppix, and the system will be effectively unhackable...Even the worst exploit could be fixed with a reboot. Most ATMs work this way, with their software stored in read-only media.

Re:Scary (2, Interesting)

TheRealMindChild (743925) | more than 6 years ago | (#22988676)

I simply wrote a script that scans through traffic logs on the router and gives me a nice report of questionable (not typical) traffic patterns. I've caught some baddies on a buddies machine that was on my network.

Re:Scary (1)

liquidpele (663430) | more than 6 years ago | (#22988806)

Build a router, and install ntop. You can track connections going through it to the internet. Most bots or viruses then show up like a nuclear blast, and even the clever ones you'll notice traffic increases over 80 and to strange IP addresses.
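The kind of report TheRealMindChild and liquidpele describe (watching the router for hosts whose outbound pattern is not typical) as an added example, not code from either commenter or from ntop. It runs over constructed connection-log lines in a netflow-like format; the corporate relay address 10.0.0.25, the thresholds and every log line are assumptions made up for this illustration. A desktop that talks SMTP directly to many outside hosts instead of through the corporate relay, or that suddenly pushes far more bytes than its peers, is exactly the "nuclear blast" liquidpele means.

```python
"""Flag hosts whose outbound traffic looks like spam-bot activity.

Added example: a small analyser over constructed connection-log lines
(router/netflow style), not code from any commenter or from ntop.
The relay address, the log format and every line are constructed.
"""
from collections import defaultdict

# Constructed: the only host expected to speak SMTP to the outside world.
CORPORATE_RELAY = "10.0.0.25"

# Constructed log lines: "<epoch> <src_ip> <dst_ip> <dst_port> <bytes_out>".
SAMPLE_LOG = """\
1207500000 10.0.1.10 10.0.0.25 25 2048
1207500001 10.0.1.10 198.51.100.7 80 5120
1207500002 10.0.1.11 203.0.113.10 25 1200
1207500002 10.0.1.11 203.0.113.11 25 1300
1207500003 10.0.1.11 203.0.113.12 25 1100
1207500003 10.0.1.11 203.0.113.13 25 1250
1207500004 10.0.1.11 203.0.113.14 25 1190
1207500005 10.0.1.12 198.51.100.8 443 900
1207500006 10.0.1.12 198.51.100.8 80 7000000
1207500007 10.0.0.25 203.0.113.50 25 3000
"""


def parse_log(text):
    """Yield (ts, src, dst, dport, nbytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3]), int(parts[4])
        except ValueError:
            continue


def summarise(records, relay):
    """Per source host: distinct SMTP destinations, relay-bypassing SMTP count, bytes."""
    stats = defaultdict(lambda: {"smtp_dsts": set(), "direct_smtp": 0, "bytes": 0})
    for _ts, src, dst, dport, nbytes in records:
        s = stats[src]
        s["bytes"] += nbytes
        if dport == 25:
            s["smtp_dsts"].add(dst)
            if dst != relay:
                s["direct_smtp"] += 1
    return stats


def flag_hosts(text, relay=CORPORATE_RELAY, max_direct_smtp=0, byte_threshold=5_000_000):
    """Return {host: [reasons]} for hosts worth a closer look."""
    findings = defaultdict(list)
    for src, s in summarise(parse_log(text), relay).items():
        if src == relay:
            continue  # the relay legitimately talks to many MX hosts
        if s["direct_smtp"] > max_direct_smtp:
            findings[src].append(
                f"{s['direct_smtp']} SMTP connections bypassing the relay "
                f"to {len(s['smtp_dsts'])} distinct hosts")
        if s["bytes"] > byte_threshold:
            findings[src].append(f"{s['bytes']} bytes outbound, above threshold")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in flag_hosts(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

On the constructed sample, 10.0.1.11 is flagged for five direct-to-MX connections and 10.0.1.12 for volume, while the relay itself and the user who mails through it stay quiet. In a real deployment the byte threshold would come from a per-host baseline rather than a constant.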

Re:Scary (1)

kcbanner (929309) | more than 6 years ago | (#22988932)

A few years ago, you saw you were infected by all the popups that appeared out of nowhere. But now, there is no way to tell for sure, is there? Every time my windows install does something strange, I'm worried that I might be infected.
There, fixed that.

Detection? (5, Insightful)

Brit_in_the_USA (936704) | more than 6 years ago | (#22988514)

With an "80%" miss rate by AV tools, it would be very helpful to know which anti-virus programs do detect Storm and Kraken, so that responsible users can check their PCs.

Re:Detection? (1, Funny)

Anonymous Coward | more than 6 years ago | (#22988756)

Two words: hardware firewall.
Ok 2 more words: watch for blinkenlights.

Re:Detection? (1)

JCSoRocks (1142053) | more than 6 years ago | (#22988810)

Riiiight... because fortune 500 companies don't have hardware firewalls.

Have them or monitor them? (2, Insightful)

khasim (1285) | more than 6 years ago | (#22988862)

They can have firewalls, but if they don't monitor them they're not very effective.

The same with intrusion detection systems.

Being a network administrator requires some effort, every day. Not much effort. Particularly if you have some scripting skill. But it still requires some effort.

Re:Detection? (1)

interiot (50685) | more than 6 years ago | (#22988910)

Hardware firewalls don't prevent employees bringing laptops / USB drives home and infecting them there. Hardware firewalls don't totally cut off outbound connections, so once the code gets inside, it has a chance to be able to communicate out.

Re:Detection? (2, Insightful)

kcbanner (929309) | more than 6 years ago | (#22988952)

They do have firewalls, they also have Joe User who likes to open every email and click each link to see "fun" pictures.

Re:Detection? (1, Informative)

Anonymous Coward | more than 6 years ago | (#22988864)

Two words: hardware firewall.
Ok 2 more words: watch for blinkenlights.


My blinkenlights are going crazy right now! Oh, I should stop all my torrents, too?

Re:Detection? (1)

bigpicture (939772) | more than 6 years ago | (#22988890)

You might try ESET NOD 32.

How does it get in? Duh! (4, Informative)

apachetoolbox (456499) | more than 6 years ago | (#22988520)

Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.

Re:How does it get in? Duh! (5, Funny)

ceoyoyo (59147) | more than 6 years ago | (#22988600)

They should just ban that .exe image file format. It's nothing but trouble. It doesn't even always reproduce the image!

Re:How does it get in? Duh! (1)

gnick (1211984) | more than 6 years ago | (#22989010)

They should just ban that .exe image file format.
Please don't suggest that - You never know who may take it seriously. One associate in our IT department suggested improving security by banning all e-mail attachments - Solution: Snail-mail CDs nationwide to communicate with customers or collaborate on documents... Of course, that was a little more insightful than the suggestion that we change our user-policy to disallow buffer over-runs...

Re:How does it get in? Duh! (1)

BodhiCat (925309) | more than 6 years ago | (#22988616)

OK, if it ends in .exe it's only infecting Windows PCs, how about saying this somewhere in the article????

Re:How does it get in? Duh! (3, Insightful)

AndGodSed (968378) | more than 6 years ago | (#22988618)

Which just goes to show that the best defense against infection is an educated userbase.

And then they must be willing to act along the guidelines for security set by IT dept.

Re:How does it get in? Duh! (0, Flamebait)

gad_zuki! (70830) | more than 6 years ago | (#22988762)

Why are email providers still allowing people to send executables out via email? I believe only gmail blocks them. End users shouldn't be receiving executables via email. If you need to send them something they can get it via http or ftp. This will stop the whole "but it looked like an acrobat file" social hack we've been seeing.

This includes executables in container formats too (zip, rar, etc).
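An attachment check of the kind gad_zuki! is asking for, as an added example that is not code from any commenter: it flags attachments whose last extension is executable, catches the "photo.jpg.exe" and padded-name patterns discussed elsewhere in this thread (Windows acts on the last extension even while Explorer hides it), and looks inside ZIP containers. The extension lists and the sample attachments are constructed for the illustration; a real gateway would also inspect other archive formats and the actual file content, not just names.

```python
"""Flag e-mail attachments that are executables, including those hidden
behind a double extension or packed inside a ZIP archive.

Added example (not code from any commenter): the extension lists and
the sample attachments are constructed for illustration.
"""
import io
import zipfile

# Constructed policy: extensions Windows will execute on double-click.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "msi"}
# Extensions users expect to be harmless data; a name like photo.jpg.exe
# pairs one of these with an executable extension to look like a picture.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "pdf", "doc", "txt"}


def classify_name(filename):
    """Return a reason string if the name is suspicious, else None.

    The decision uses the *last* extension, which is what Windows acts on,
    even though Explorer hides it by default for known file types.
    """
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1].strip()
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    # strip() handles runs of spaces used to push the real extension out of view
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTENSIONS:
        return f"executable '{ext}' disguised with decoy extension '{parts[-2].strip()}'"
    return f"executable attachment ('{ext}')"


def inspect_zip(data):
    """Return reasons for executable members of a ZIP payload."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                r = classify_name(member.rsplit("/", 1)[-1])
                if r:
                    reasons.append(f"zip member {member}: {r}")
    except zipfile.BadZipFile:
        reasons.append("attachment claims .zip but is not a valid archive")
    return reasons


def inspect_attachment(filename, data):
    """Combine the name check with archive inspection; [] means nothing found."""
    reasons = []
    r = classify_name(filename)
    if r:
        reasons.append(r)
    if filename.lower().endswith(".zip"):
        reasons.extend(inspect_zip(data))
    return reasons


def make_zip(members):
    """Build an in-memory ZIP of {name: bytes}; only used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (contents are placeholders, not real files).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff placeholder",
    "Image.exe": b"MZ placeholder",
    "photo.jpg.exe": b"MZ placeholder",
    "report.pdf                                .exe": b"MZ placeholder",
    "pics.zip": make_zip({"pics/cat.jpg": b"placeholder", "pics/me.jpg.scr": b"MZ placeholder"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", inspect_attachment(name, data) or "ok")
```

Only "holiday.jpg" passes; the other four are each flagged with a reason a help desk can read back to the user.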

Re:How does it get in? Duh! (2, Informative)

plague3106 (71849) | more than 6 years ago | (#22989062)

Because normal people can't set up a webserver to send a program to their home or someone else? Yours is an overblown solution to a problem, and is pretty arrogant. "I can't see why this would ever be valid, so it must not be valid!" Ugh.

Re:How does it get in? Duh! (2, Insightful)

liquidpele (663430) | more than 6 years ago | (#22988844)

I find it hard to believe it got that many machines by having users click "olsontwinsnude.jpg.exe". Probably multiple points of infection, but that's the only one they've found so far.

Mac Book Air Hacked (0)

Anonymous Coward | more than 6 years ago | (#22988526)

I hear a Macbook Air was cracked at a security circus....are we even now?

Spamming (4, Insightful)

Scutter (18425) | more than 6 years ago | (#22988538)

There are still Fortune 500 companies that allow unimpeded outbound SMTP traffic from their general userbase?

Re:Spamming (1)

ilikejam (762039) | more than 6 years ago | (#22988654)

Infected Exchange server?

Re:Spamming (3, Informative)

Scutter (18425) | more than 6 years ago | (#22988714)

Infected Exchange server?

Yet another reason why you shouldn't be opening e-mail on a production server. Even if you are, the server admin at a Fortune 500 company ought to be smart enough to not click on the latest "Anna Kournikova pics!" e-mail.

Maybe this is why MS says that Outlook on an Exchange server is an unsupported configuration.

Infected Exchange administrator? (2, Interesting)

khasim (1285) | more than 6 years ago | (#22988742)

Someone who doesn't notice a 10x or more increase in outbound traffic?

Or, more likely, someone who just does not check the logs.

Re:Spamming (2, Interesting)

Anonymous Coward | more than 6 years ago | (#22988694)

Any given Fortune 500 company is big enough to justify having their own mail servers that handle all their traffic for them. Internal users will use the server as relay to the outside world, and all internal machines will naturally be "trusted". How do you suggest the admins are supposed to know which traffic passing out from inside their own network is legitimate and which is botnet traffic? Yes, you could filter all traffic, but that isn't going to be much of a help when a new infection springs up inside your own network.

Re:Spamming (3, Interesting)

Scutter (18425) | more than 6 years ago | (#22988752)

Any given Fortune 500 company is big enough to justify having their own mail servers that handle all their traffic for them. Internal users will use the server as relay to the outside world, and all internal machines will naturally be "trusted". How do you suggest the admins are supposed to know which traffic passing out from inside their own network is legitimate and which is botnet traffic? Yes, you could filter all traffic, but that isn't going to be much of a help when a new infection springs up inside your own network.

How about "don't trust your users" and "don't set up your server as an uncontrolled relay for them"? It is certainly possible, if nothing else, to limit the number of connections/minute or the number of recipients/message to at least contain the damage rather than allow your users unfettered access to your mail subsystems.

Re:Spamming (1)

BigGar' (411008) | more than 6 years ago | (#22988766)

Well for starters all SMTP traffic should be dumped at the firewall except that coming from the white listed servers.

Re:Spamming (0)

Anonymous Coward | more than 6 years ago | (#22988854)

Well for starters all SMTP traffic should be dumped at the firewall except that coming from the white listed servers.
You're missing the point: the article states that machines at several Fortune 500 companies have been infected. For some reason people have either ass-u-me'd that this means the servers have been infected or that the mail servers at these companies are acting as open relays: neither of which are actually implied by the article.

If a desktop inside a company gets infected and starts to send email out to the internet via the company mail server, what difference does white-listing peers who can relay help? There is no relaying happening: the mail server is being used by a trusted MUA within a trusted network. You have to trust a certain percentage of the users within your own network, otherwise what's the point of having a mail server in the right place?

The only sensible suggestion so far is that a properly configured server should impose connection rate limiting for individual machines, but if you have 50,000 employees and 10% of those are acting as botnet agents, that's still going to let through a lot of spam. It's also unlikely you'd ever notice the increase in traffic on the back of the normal usage patterns of 50k users anyway, and you certainly wouldn't notice it in the logs unless you were already looking for it.
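The per-client connection and recipient limits that Scutter proposes and this poster calls the only sensible suggestion, written out as an added example rather than code from either commenter or from any mail server: a sliding-window policy object an internal submission service could consult, replayed against two constructed clients. The thresholds (30 connections per minute, 50 recipients per message), the client addresses and the session traces are all assumptions for the illustration. The rejection counter is the point this poster raises about logs: a desktop that is refused 170 times in a minute stands out even against 50k users, provided something is counting refusals per client.

```python
"""Per-client limits for an internal mail relay: connections per window
and recipients per message, so one infected desktop cannot turn the
corporate relay into a spam cannon.

Added example, not from any commenter or from any mail server's code:
the thresholds and the simulated clients are constructed.
"""
from collections import defaultdict, deque


class SubmissionPolicy:
    def __init__(self, max_conn_per_window=30, window_seconds=60, max_rcpts=50):
        self.max_conn = max_conn_per_window
        self.window = window_seconds
        self.max_rcpts = max_rcpts
        self._conns = defaultdict(deque)   # client -> timestamps of recent connections
        self.rejected = defaultdict(int)   # client -> rejection count, for the logs

    def allow_connection(self, client, now):
        """Sliding window: forget timestamps older than the window, then compare."""
        q = self._conns[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_conn:
            self.rejected[client] += 1
            return False
        q.append(now)
        return True

    def allow_message(self, client, recipients):
        """Reject a single message that fans out to too many distinct recipients."""
        if len(set(recipients)) > self.max_rcpts:
            self.rejected[client] += 1
            return False
        return True

    def noisy_clients(self, min_rejections=10):
        """Clients whose rejection count merits a look by the mail admin."""
        return sorted(c for c, n in self.rejected.items() if n >= min_rejections)


def simulate(policy, sessions):
    """Replay (ts, client, recipients) tuples; return accepted message count per client."""
    accepted = defaultdict(int)
    for ts, client, rcpts in sessions:
        if policy.allow_connection(client, ts) and policy.allow_message(client, rcpts):
            accepted[client] += 1
    return dict(accepted)


# Constructed sessions: a normal user sends 5 mails over 5 minutes; a bot on
# 10.0.1.11 opens 200 connections within one minute, each to 3 recipients.
NORMAL = [(60 * i, "10.0.1.10", ["alice@example.test"]) for i in range(5)]
BOT = [(i * 0.3, "10.0.1.11", [f"u{i}_{k}@example.test" for k in range(3)])
       for i in range(200)]


def run_demo():
    """Return (accepted counts per client, clients flagged by rejection count)."""
    policy = SubmissionPolicy()
    accepted = simulate(policy, NORMAL + BOT)
    return accepted, policy.noisy_clients()


if __name__ == "__main__":
    accepted, noisy = run_demo()
    print("accepted:", accepted)
    print("clients to investigate:", noisy)
```

The normal user gets all five messages through; the bot gets exactly 30 per minute and 170 refusals, and surfaces as the only client to investigate. Rate limiting contains the damage, as the poster says, but the rejection log is what turns containment into detection.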

Re:Spamming (1)

SatanicPuppy (611928) | more than 6 years ago | (#22989122)

I assume you mean outbound; any large business is going to have problems if they try to use whitelists for all their incoming mail...You really have to let the spam filter take care of the junk that will come through, though stripping out .exe and archive files is smart.

Best practices, people! (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22988556)

Maybe if people stopped relying on antivirus and malware detectors alone, and started educating their users and locking down their systems (instead of giving everyone root / local admin rights), we wouldn't have this problem...

Security isn't a technology problem, it's a people problem.

Kraken, you say. (0)

Anonymous Coward | more than 6 years ago | (#22988568)

Wonder if Leviathan will be next one. Better phone the Ultramarines IT department.

500,000 Spam a day (2, Interesting)

insane_machine (952012) | more than 6 years ago | (#22988572)

"The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day."

So that's why I have been getting so much spam lately.

Wait a sec. I thought... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22988584)

...that security through obscurity didn't work? Apparently it does:

Kraken appears to be evading detection by a combination of clever obfuscation techniques that hinder its detection and analysis by researchers.

Re:Wait a sec. I thought... (2, Insightful)

Tridus (79566) | more than 6 years ago | (#22988702)

When your "security" is based entirely on reactive methods and file signatures (like standard AV products), obscurity is extremely effective.

When your security is based on not giving every user local admin rights, and educating them not to run random .exe files (oh, and changing the settings to actually show the extension is helpful too), obscurity doesn't work so well.

I mean really, this thing would never have started if people could learn to not run Image.exe.

Re:Wait a sec. I thought... (1)

Kjella (173770) | more than 6 years ago | (#22988914)

I mean really, this thing would never have started if people could learn to not run Image.exe.
Hidden extensions are a PITA, a decent fake will have an application icon that looks like an image and for all intents and purposes look just like an image. If you've taught them the bit about not running random software from the internet, they still won't believe non-executables like images, videos, documents etc. are dangerous. You have to work reallllllly hard to make them believe in macro viruses and parser exploits.

Honestly, I blame Microsoft. It was they who decided that a file having a name AND a type was too complicated for users. Yes even I find the extension vs mime type confusing at times, but at least I've never run an executable that I thought to be an image.

Re:Wait a sec. I thought... (1)

Arancaytar (966377) | more than 6 years ago | (#22988958)

Hidden extensions are a PITA


I've kept count, and it takes exactly seven clicks to get Windows to show file extensions, not counting the button that closes the settings window.

Re:Wait a sec. I thought... (1)

Tridus (79566) | more than 6 years ago | (#22988998)

I agree with you there. If the extensions were on by default still, it's something we can educate against. "Don't run anything that ends in .exe and comes by email" is fairly easy to understand.

Without them, it's a lot harder to tell just what you're clicking on. Turning it back on is the first thing I do whenever I install Windows.
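A defender-side check for the filename trick this sub-thread is discussing (an added example, not code from the article or from any poster): it models how Explorer's "Hide extensions for known file types" setting renders a name, and flags attachments whose real type is executable while the visible name looks like an image or carries no extension at all. The extension lists are constructed for the example and are not exhaustive.

```python
"""Flag attachment names that would look harmless once Windows hides
the real extension (added example; the extension lists are constructed)."""
import os

# Constructed, non-exhaustive lists for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}


def displayed_name(filename: str, hide_extensions: bool = True) -> str:
    """Return the name as Explorer shows it. With the hide-extensions
    setting on (the Windows default), the final extension is dropped, so
    'sarah.jpg.exe' is shown as 'sarah.jpg' and 'Image.exe' as 'Image'."""
    if not hide_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def real_extension(filename: str) -> str:
    """The extension Windows actually uses to decide how to open the file."""
    return os.path.splitext(filename)[1].lower()


def classify(filename: str, hide_extensions: bool = True) -> str:
    """Compare what the file is with what the user would see.
    image_masquerade: executable whose visible name ends in an image extension
    hidden_executable: executable whose visible name shows no extension
    executable: executable, and the user can see that it is one"""
    real = real_extension(filename)
    shown_ext = os.path.splitext(displayed_name(filename, hide_extensions))[1].lower()
    if real in EXECUTABLE_EXTS:
        if shown_ext in IMAGE_EXTS:
            return "image_masquerade"
        if shown_ext == "":
            return "hidden_executable"
        return "executable"
    if real in IMAGE_EXTS:
        return "image"
    return "other"


def check_attachments(names, hide_extensions: bool = True):
    """Apply the 'nothing executable by e-mail' rule: return every name whose
    real type is executable, tagged with how it would appear to the user."""
    flagged = []
    for name in names:
        kind = classify(name, hide_extensions)
        if kind in ("image_masquerade", "hidden_executable", "executable"):
            flagged.append((name, kind))
    return flagged
```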

Re:Wait a sec. I thought... (3, Insightful)

ukatoton (999756) | more than 6 years ago | (#22988730)

This is not security through obscurity.

This is hiding in obscurity.

The program is not secure, it is simply good at hiding itself.

The naked truth about botnets (3, Insightful)

maxch (1264500) | more than 6 years ago | (#22988590)

The biggest one is the one that hasn't been found yet.

Re:The naked truth about botnets (1)

x1n933k (966581) | more than 6 years ago | (#22989040)

You're right. However I feel comfortable that guys like Dan Kaminsky, Director Penetration Testing (See article for link) are on the job...Testing and penetrating.

[J]

It's sending to a predefined list (1)

JoeD (12073) | more than 6 years ago | (#22988594)

All the emails it's sending are to names like sarah_conner@, sconner@, sarahc@, etc.

Drastic measures (0)

Anonymous Coward | more than 6 years ago | (#22988602)

Can we ban Windows PCs from connecting to the internet yet?

Re:Drastic measures (0)

Anonymous Coward | more than 6 years ago | (#22988648)

Yep. Just as soon as Linux is ready for the desktop.

Re:Drastic measures (1)

LiquidCoooled (634315) | more than 6 years ago | (#22988842)

You are a bit late.
Linux skipped the desktop and went directly to the laptop and smaller.

Aggravating... (5, Insightful)

MachineShedFred (621896) | more than 6 years ago | (#22988624)

Does anyone else find it absolutely aggravating that these stories

1. Never tell you how you know if you're infected, and
2. Never tell you how to clean up your shit if you are.

However, they always give massively generalized statistics on how vulnerable you are!

Thanks, asshats.

Re:Aggravating... (1)

Scutter (18425) | more than 6 years ago | (#22988656)

1. Never tell you how you know if you're infected, and

If you don't know whether you're infected or not, you are. Or rather, you should assume you are and take whatever steps are necessary to prevent the spread (like blocking port 25 on your firewall, for example).

Re:Aggravating... (1)

Thelasko (1196535) | more than 6 years ago | (#22988826)

Yes, I also hate it when the nightly news runs teasers that say something like, "There's something in your home that can kill you at any second. Details at 10."

Re:Aggravating... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22989014)

I agree completely. Look up Kraken + Bot in Google... lots of fear mongering about a giant bot-net... and NOTHING about how to detect or clean it.

Hmm.... (1)

Uthic (931553) | more than 6 years ago | (#22988630)

And right after Kraken, will come Leviathan!

Re:Hmm.... (1)

Keeper Of Keys (928206) | more than 6 years ago | (#22989016)

Is it pronounced "kray-ken" or "krakk-'n"?

Ban Windows! Switch to Linux! Blah Blah!!! (0)

RandoX (828285) | more than 6 years ago | (#22988670)

The biggest botnet: Predictable Slashdot posters.

The battle is lost (3, Insightful)

value_added (719364) | more than 6 years ago | (#22988674)

From the fine article:

Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.

There just aren't enough words.

Just so we're clear, (0)

Anonymous Coward | more than 6 years ago | (#22988690)

how do we pronounce this? Is it Kraaken, Krocken or Krayken?

Old news (1, Funny)

Anonymous Coward | more than 6 years ago | (#22988720)

This is old news. We knew about this back in 1830:

Below the thunders of the upper deep;
Far far beneath in the abysmal sea,
His ancient, dreamless, uninvaded sleep
The Kraken sleepeth: faintest sunlights flee
About his shadowy sides; above him swell
Huge sponges of millennial growth and height;
And far away into the sickly light,
From many a wondrous grot and secret cell
Unnumber'd and enormous polypi
Winnow with giant arms the slumbering green.
There hath he lain for ages, and will lie
Battening upon huge seaworms in his sleep,
Until the latter fire shall heat the deep;
Then once by man and angels to be seen,
In roaring he shall rise and on the surface die.

Re:Old news (0)

Ford Prefect (8777) | more than 6 years ago | (#22989066)

Unnumber'd and enormous polypi

Women prefer big p0lypi for s3xual satisfaction!

Tennyson, your spam is reaching me already. :-(

Idiots (4, Funny)

whoda (569082) | more than 6 years ago | (#22988744)

""We know the picture... ends in an .exe, which is not shown" to the user, Royal says."

If it ends in .exe it isn't a picture, you shouldn't keep calling it one.

wow (1)

joe 155 (937621) | more than 6 years ago | (#22988782)

I should apologize, I read a scroll of genocide but had no idea it was cursed - now the moat is full of krakens and evidently they seem to be spreading...

Also, have you seen how much spam they are sending out? "Its bots are prolific, too: The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day." - if all 400000 bots did that, that'd be 200 billion a day. That has to represent a pretty large (albeit distributed) cost to ISPs.

Re:wow (0)

Anonymous Coward | more than 6 years ago | (#22988972)

It's g that multiply in moats, not ;

Although....

YANI: clone trap. A ^ square that creates a copy of whatever monster steps on it (inventory isn't cloned). The trap has a 90% chance of disappearing after being triggered. Clones of peaceful/tame monsters have a 50% chance of being generated hostile/peaceful (ie one place down the scale) respectively. Cloned PCs are generated hostile with stats, resistances, spells etc identical to that of the player. Could be nasty.

So, in the end, this article is totally useless? (1)

Toad-san (64810) | more than 6 years ago | (#22988872)

They shriek of a problem, they offer no solution.

What the hell good is that?

Chicken Little did better.

Toad-san

Virus Writers (0)

Anonymous Coward | more than 6 years ago | (#22988924)

Should be shot.

How bad will i get flamed for this? (3, Insightful)

JeremyGNJ (1102465) | more than 6 years ago | (#22988968)

AntiVirus software has been relatively useless for the past few years. They charge extra just to detect basic "non virus malware" and they still don't detect the REAL threats!

AV vendors ought to be ashamed of themselves. Even more so, the customers should be ashamed of themselves for continuing to pay for a program that doesn't REALLY protect them.

We MUST move away from definition-based "protection" and move to behavioral-based protection. Unfortunately there's only one major player who's trying to do that. That is Microsoft, with Vista's User Account Control. Unfortunately, that is also the feature that people dislike about Vista, and way too many people turn it off.

It's funny how badly people hate the tools needed to protect a PC.