Slashdot: News for Nerds


Top Botnets Control Some 1 Million Hijacked Computers

Zonk posted more than 6 years ago | from the not-many-linux dept.

Security 250

Puskas writes "Joe Stewart is the director of malware research at SecureWorks, and presented a dire view of the current botnet landscape at the RSA conference this week. He conducted a survey of the top spamming 'nets, extrapolating their size from the volume of emails that flow across the internet. By his calculations, the top 11 networks control just over a million machines, hitting inboxes with some 100 billion messages a day. 'The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names "Cbeplay" and "Exchanger" — has an estimated 315,000 bots and can blast out 60 billion messages a day. While it may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.'"

250 comments

Let's see some truthful tagging (3, Informative)

toby (759) | more than 6 years ago | (#23028908)

Start with "microsoft" and "windows" as the technologies which bring you the largest, most profitable botnets!

Re:Let's see some truthful tagging (1)

toadlife (301863) | more than 6 years ago | (#23029062)

So?

Re:Let's see some truthful tagging (0)

Anonymous Coward | more than 6 years ago | (#23029066)

Don't forget "dailyshow"

Re:Let's see some truthful tagging (0, Flamebait)

DJ Jones (997846) | more than 6 years ago | (#23029166)

I like to bash MS as much as the next, but the only reason Windows is the largest botnet host is because it has the largest market share. When you're creating a botnet, you're going for volume. If macs ever get significant market share they'll be targeted as well.

You also have to realize that most of these botnets are probably running on unpatched versions of XP or even earlier versions of Windows. You can't blame Microsoft if people don't install security updates. And god knows we don't want Microsoft installing them for us.

Re:Let's see some truthful tagging (5, Insightful)

geminidomino (614729) | more than 6 years ago | (#23029274)

I like to bash MS as much as the next, but the only reason Windows is the largest botnet host is because it has the largest market share. When you're creating a botnet, you're going for volume. If macs ever get significant market share they'll be targeted as well.
Every time windows proves what a swiss-cheese POS it is, someone trots out this old canard.

That's the same reason NIMDA went after Apache, Slammer hit LAMPs... Oh, wait, they didn't.

Re:Let's see some truthful tagging (4, Informative)

Jeremiah Cornelius (137) | more than 6 years ago | (#23029526)

Here I go again. Every time I point out real shortcomings of an Apple product, I get modded to oblivion - "There are none so blind as those who will not see." Posted from my MacBook, BTW.

'Tis no mere canard or straw man. Simple economies of scale keep the Macs out of the botnets - not Cupertino prowess.

Microsoft is Swiss Cheese, that's wrapped in foil.

Apple is Swiss Cheese labeled as "Ementhaler" - believing that the luxury branding will ward off serious scrutiny, but leaving those holes exposed.

Lo! http://www.news.com/8301-13579_3-9905095-37.html [news.com]

It's like this every [washingtonpost.com] year [news.com] . Apple leaves vulnerabilities wide enough to drive a truck through, and I've lost count of the number of these things given away as prizes to the cracking teams.

Apple patches the OS like Microsoft used to, before Slammer. The usual culprits? QuickTime and Safari.

The guys who cracked the MacBook Air need only have coupled this with the DNS flaw in AT&T customer TwoWire routers, and a very bad situation would exist in the wild. Not trivial - but not too difficult. The hard part was finding the flaw - now it's an exercise for the Kid33z. If there were an economically feasible number of Macs to do this, you can bet it would be crime syndicates and not kids - and you'd have a happy, Apple botnet.

Re:Let's see some truthful tagging (2, Informative)

DJ Jones (997846) | more than 6 years ago | (#23029574)

You're right, NIMDA and Slammer didn't hit Apache or LAMPs. You know why? Because they're both server applications, not operating systems with kernel exploits.

You're comparing apples to oranges. You might have made a good argument if you referenced Linux, but you didn't. You also failed to realize that most botnets exploit home computer terminals, not web servers that are generally patched and monitored by knowledgeable administrators.

Now show me an OS that hasn't been exploited at least once?

Re:Let's see some truthful tagging (1)

0100010001010011 (652467) | more than 6 years ago | (#23029730)

http://www.openbsd.org/ [openbsd.org]

Ok, so 2 times in 10 years, but I'd say that's a bit better than say windows.

Type of computer (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23028926)

Yeah, and how many of them are Macs? Thought so. Go ahead, tag it as flamebait, but you know the truth.

Re:Type of computer (0)

Anonymous Coward | more than 6 years ago | (#23028984)

The truth is that Macs are completely impervious to anything other than the will of Steve Jobs, and that you are a douchebag.

Accept it!

Re:Type of computer (0)

Anonymous Coward | more than 6 years ago | (#23029090)

Wow, you're a cunt. The OP was talking about computers, and you just had to make this personal.

Re:Type of computer (0)

Anonymous Coward | more than 6 years ago | (#23029144)

cause you are a take it in the as little bitch.

Re:Type of computer (0)

Anonymous Coward | more than 6 years ago | (#23029330)

Another internet tough guy....don't you have some zits to pop?

Re:Type of computer (2, Insightful)

spazdor (902907) | more than 6 years ago | (#23029396)

This thread was all one person.

Re:Type of computer (0)

Anonymous Coward | more than 6 years ago | (#23029460)

i am too!

Re:Type of computer (1)

Jeremiah Cornelius (137) | more than 6 years ago | (#23029580)

"i am too!"

That's "I am two!"

Re:Type of computer (1)

Jeremiah Cornelius (137) | more than 6 years ago | (#23029560)

Ahh! How I wish you'd posted this under your real ID! I'd love to track the mod war!

Drastic Measures (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23029002)

Can we ban Windows PCs from the internet yet?

Yes, I did post the same thing a few days ago.

How do I tell...? (4, Interesting)

AdamTrace (255409) | more than 6 years ago | (#23029008)

I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

I don't necessarily trust that a clean-virus scan means a whole lot.

What's the best way to make this determination?

Linux (0)

Anonymous Coward | more than 6 years ago | (#23029054)

No, you cannot trust that your computer is clean even if you run anti-virus software and firewall.

Use Linux, that's what I do.
I switched from Windows XP to Ubuntu, and I am happy with it.
Happy and secure.

Re:Linux (2, Insightful)

toadlife (301863) | more than 6 years ago | (#23029096)

I switched from Windows XP to Ubuntu...Happy and secure.
And still clueless about how your operating system works.

Re:Linux (1)

spazdor (902907) | more than 6 years ago | (#23029418)

That's fine. If the OS is invisible to you then it's doing its job.

Re:Linux (0)

Anonymous Coward | more than 6 years ago | (#23029446)

STFU elitist.

Re:How do I tell...? (5, Informative)

Volante3192 (953645) | more than 6 years ago | (#23029056)

Put a good firewall in front of it and watch the packets go in and out. Any rogue port 25 traffic would be a big clue.

Re:How do I tell...? (0)

Anonymous Coward | more than 6 years ago | (#23029292)

Well that rules out Forefront(tm), right?

Re:How do I tell...? (1)

AvitarX (172628) | more than 6 years ago | (#23029780)

Except storm for example has less than 50% sending out spam. This would lead me to believe that checking only port 25 is not going to work.

Better to check all ports when nothing should be going on.

Re:How do I tell...? (1, Interesting)

s0litaire (1205168) | more than 6 years ago | (#23029092)

(probably get flamed for this but...) If you're that worried about viruses, drop Windows and look into a Linux install instead. :D But if you want to keep Windows then keep running virus scans and praying to the FSM on an hourly basis..:D

Re:How do I tell...? (3, Informative)

Beardo the Bearded (321478) | more than 6 years ago | (#23029660)

Linux boxes are the sergeants in the Botnet army. [softpedia.com]

If you think you're immune just because you're running Linux, then you're part of the problem.

You're just as bad as someone with an unpatched HP-branded WinXP system fresh from Office Depot.

Re:How do I tell...? (4, Funny)

spun (1352) | more than 6 years ago | (#23029116)

You know what destroys infection? FIRE! Good old cleansing fire. Simply stuff your computer full of old newspapers, douse it with gasoline, and light it on fire, and I guarantee that it will be free from infection.

If this either seems too drastic or fails to do the trick, just squirt a syringe full of penicillin directly into the power supply while the computer is running; that should help.

Re:How do I tell...? (-1, Troll)

geekoid (135745) | more than 6 years ago | (#23029122)

"I'm a smart software developer, ..."
Your post says otherwise.

Re:How do I tell...? (0, Troll)

Kozar_The_Malignant (738483) | more than 6 years ago | (#23029192)

I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?
format c:\ [Enter]

Re:How do I tell...? (1)

AdamTrace (255409) | more than 6 years ago | (#23029484)

format c:\ [Enter]
Was that ever funny?

Re:How do I tell...? (1)

misterooga (1172837) | more than 6 years ago | (#23029598)

fdisk ftw!

Re:How do I tell...? (3, Informative)

maxume (22995) | more than 6 years ago | (#23029452)

Short of a firewall, you can use something like TCPView to look for unexplained network activity:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx [microsoft.com]

A rootkit can hide its activity, so this isn't as good as a firewall, but it is easier, and you'll at least be able to figure out if you have a non-rootkit infection.

Re:How do I tell...? (1)

raju1kabir (251972) | more than 6 years ago | (#23029768)

If you want to do it right, run your traffic analysis on another host that has access to the subject host's traffic - that's the only way to know you aren't being fooled by an altered network stack. If you're doing this at home, and you have a little broadband router, consider installing OpenWRT on it so you can packet sniff at your leisure.

Re:How do I tell...? (2, Funny)

Zemplar (764598) | more than 6 years ago | (#23029468)

I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure? I don't necessarily trust that a clean-virus scan means a whole lot. What's the best way to make this determination?
Do you shutdown your computer by pressing "start"? If so, odds are good you're at risk.

Re:How do I tell...? (1)

dbzero (64544) | more than 6 years ago | (#23029550)

"But how can I be sure?"
I eventually moved to the Mac. I got tired of going to security forums and reading about how one antivirus software was better than another. As if anyone really knows. Heck, the other day Slashdot had an article [slashdot.org] about a new bot that goes undetected in "over 80 percent of machines running antivirus software." The headache worrying over it isn't worth owning a Windows machine.

Re:How do I tell...? (2, Insightful)

johnny maxwell (1050822) | more than 6 years ago | (#23029582)

I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?
I firmly believe that you can never be sure. It all comes down to trust: Do you trust - morally and technically - the people who wrote the programs you are running and the people who compiled them and those who packaged them onto a CD or a webserver... and so on.

As it is nowadays impossible to have complete insight into all your running software, let alone your hardware, you will never be sure. But you can have confidence :)

Re:How do I tell...? (1)

v1 (525388) | more than 6 years ago | (#23029590)

What's the best way to make this determination

FORMAT it, reinstall from media, and only run updates manually from burned CDs. Then you can be as sure as possible (tho not 100%) that it's clean.

Re:How do I tell...? (2, Insightful)

Jeremiah Cornelius (137) | more than 6 years ago | (#23029614)

Firewalls don't help, if you navigate to a BadWare URL, and request an exploit on port 80!

Re:How do I tell...? (5, Insightful)

Beardo the Bearded (321478) | more than 6 years ago | (#23029630)

You can't.

Not even Linux boxes are safe from hacking. [softpedia.com]

An anti-virus scan is totally worthless. In fact, most systems slow your machine down so badly that they're worse than useless. Norton slows your machine down by thousands of percent! [codinghorror.com]

Let's be honest here. In my lifetime, I've spent less than $100 (one hundred dollars) on my security systems. That gives me a D-Link firewall, Avast!, and Spybot. The hackers have access to the same materials. If they want to write a program that gets around my meager defences, then they can. I live only by my obscurity, enhanced by my slight tweaks to my firewall. (Dropping pings, blocking port 113, etc.) As far as a passive scan goes, I don't exist. I simply wouldn't survive a concentrated attack.

That's probably okay, though - it's like when I lock up my bike. I have a kryptonite U-lock that I put through both wheels and the frame. I also take the seat with me and remove all the shiny bits. (It also has a VHF transmitter, but that's another story.) It would take someone with a plasma torch two or three seconds to cut the bike rack and put my bike into a truck. However, that's not worth your average meth-headed bike thief's time. It's easier for him to take another bike that's not as secure. If a dedicated professional wants my bike, then he's going to get it.

The major problem with Windows is that when you take your machine home and plug it in, it can be easily compromised. The same is true with a lot of commercial-grade routers with firewalls. The default settings leave a lot to be desired. Your firewall still sort of works, but you're not getting the same level of protection that you'd get by changing some settings. Just two days ago, we had an article about the 2-wire security holes, showing that a large percentage of IDSN home users in North America are wholly unprotected against external attacks.

So why do we have what we have? It's simple. We have a lot of programs written by people who simply do not understand security issues. Windows, for example, is perfectly stable until you start to put 3rd-party software on it. Then it starts to crash because the memory is being used in two or more different ways. Take a look at some of the snippets on thedailywtf to see what sort of quality work you end up with when you have people who "can program" and can't understand basic math (if you work unpaid overtime, that's you.) writing important code for important systems.

What's required to fix it is a wholesale change in CPU architecture along with mandatory licencing and regulation for anyone who wants to program anything in any language and sell it. (If you put up a dividing wall in your house, you can get the supplies at Home Depot and DIY. If you want to sell a wall-building service to the public, you have to be licenced.)

Only once we take programming as seriously as we take bridge construction and land surveying will we start to see safer computing.

Re:How do I tell...? (3, Insightful)

JoshJ (1009085) | more than 6 years ago | (#23029714)

Congratulations on eliminating hobbyist programming and having nothing left BUT the megacorps like Microsoft. No thanks. It's suitable for engineering firms where physical harm can be done, but it's definitely not suitable for software. This is nothing more than a legal framework for Trusted Computing.

Re:How do I tell...? (3, Informative)

Technician (215283) | more than 6 years ago | (#23029642)

I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

As a smart software developer, you know not to trust a box that may be untrustworthy. Your packets leave the untrusted box and must pass elsewhere where they can be monitored. Do you monitor your router traffic? That's number 1. Windows Updates may cause unexpected traffic, but the addresses will let you know if it's outgoing spam or requests for updates from Microsoft.

For example, my recent URLs from my router log show the following:
192.168.1.81 168.143.175.215 www
192.168.1.81 74.125.47.164 www Google
192.168.1.81 210.50.7.243 www Doubleclick --- I'm going to have to add this to my hosts file..
192.168.1.81 8.14.216.9 www
192.168.1.81 74.125.47.164 www Google
192.168.1.81 203.34.47.165 www IDG publications
192.168.1.81 210.50.7.243 www Doubleclick
192.168.1.81 210.247.196.12 www www.facilitatedigital.com/
192.168.1.81 217.20.16.80 www
192.168.1.81 209.27.52.115 www Doubleclick
192.168.1.81 66.35.250.151 www Slashdot
192.168.1.81 209.62.176.153 www Doubleclick
192.168.1.81 74.125.47.164 www Google
192.168.1.81 74.125.47.103 www Google

It's all WWW traffic and no unexpected port 25 traffic. A simple Linksys router can give you this information. Take the addresses given and plug them into the URL bar in your browser to see if there is any unexpected traffic. Don't trust a possibly owned machine. Go upstream and look at the traffic. Most routers will log some incoming and outgoing traffic. Check it once in a while. Your machine might be clean, but the kids may have problems. The kids are at school so all recent traffic is mine. If my wife's desktop was spewing traffic, I would see the traffic from another machine's IP address.

And yes, that is my real IP address for today. I'm glad media sentry isn't in the list. ;-)
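The audit described in the posts above (look at the traffic upstream of the suspect machine, attribute it by source address, and do not stop at port 25 since fewer than half of Storm's bots send mail), as an added example that is not code from the thread or from any router vendor. It assumes a constructed log format of "src dst proto dport" per line, similar to the "src dst www" lines quoted above but with an explicit destination port so every port can be checked; the addresses in the sample, the "expected ports" policy and the approved-relay list are all made up for the example.

```python
"""
Flag unexpected egress in a home-router connection log.

Added example, not code from the Slashdot thread. Assumes a constructed
log format: "<src> <dst> <proto> <dport>" per line.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: host .81 is browsing and sending one message via the
# ISP relay; host .90 is pushing mail to many unrelated hosts on port 25 and
# holding an IRC-style connection on 6667 (all addresses are documentation ranges).
SAMPLE_LOG = """\
192.168.1.81 74.125.47.164 tcp 80
192.168.1.81 66.35.250.151 tcp 80
192.168.1.81 74.125.47.103 tcp 443
192.168.1.81 192.168.1.1 udp 53
192.168.1.90 203.0.113.10 tcp 25
192.168.1.90 203.0.113.11 tcp 25
192.168.1.90 203.0.113.12 tcp 25
192.168.1.90 203.0.113.13 tcp 25
192.168.1.90 198.51.100.5 tcp 6667
192.168.1.81 198.51.100.20 tcp 25
"""

# Policy (assumptions for this example): ports an idle browsing host is expected
# to use, the only mail relay our ISP hands out, and how many distinct port-25
# peers a single host may contact before we call it spam fan-out.
EXPECTED_PORTS = {80, 443, 53}
APPROVED_SMTP_RELAYS = {"198.51.100.20"}
SMTP_FANOUT_THRESHOLD = 3


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_log(text):
    """Parse log lines into Flow records; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(parts[0], parts[1], parts[2].lower(), int(parts[3])))
        except ValueError:
            continue  # non-numeric port column
    return flows


def audit(flows):
    """Return a sorted list of (src, reason) findings, one entry per source and reason."""
    findings = set()
    smtp_peers = defaultdict(set)
    for f in flows:
        if f.dport == 25:
            smtp_peers[f.src].add(f.dst)
            if f.dst not in APPROVED_SMTP_RELAYS:
                findings.add((f.src, "smtp to non-approved relay"))
        elif f.dport not in EXPECTED_PORTS:
            # Anything outside the browsing profile is worth a look, not just mail.
            findings.add((f.src, f"unexpected port {f.dport}/{f.proto}"))
    for src, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_THRESHOLD:
            findings.add((src, "smtp fan-out to many hosts"))
    return sorted(findings)


def suspicious_hosts(flows):
    """Internal addresses with at least one finding: the machines to pull off the LAN."""
    return sorted({src for src, _ in audit(flows)})


if __name__ == "__main__":
    for src, reason in audit(parse_log(SAMPLE_LOG)):
        print(f"{src}: {reason}")
```

Run against the sample, only 192.168.1.90 is reported: direct-to-MX mail to several strangers plus a port the browsing profile does not include. The .81 host's single message through the ISP relay is not flagged, which is the point of keeping an approved-relay list rather than blanket-alerting on port 25.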

Re:How do I tell...? (2, Interesting)

Reapman (740286) | more than 6 years ago | (#23029778)

Unlike the poster below, I don't believe that installing Linux makes you invincible from this... the only way I feel I can be totally secure is to monitor the network traffic.. if my computer is just sitting there, not running any apps, and there's a ton of traffic leaving my router, I know something is wrong. Not for the faint of heart however, and I'm still looking at how best to put this in place; I'm thinking OpenWRT on a Linksys router, sending the data back to a server for analysis.

Sadly there's no way a typical user could do this, but I don't know how else you can be sure you're safe.. Although like anything, nothing is 100% a sure bet. :/

Take away their licenses (0, Flamebait)

jdigriz (676802) | more than 6 years ago | (#23029012)

Using Windows is a privilege, not a right. Anybody found to have a zombied computer should have their Internet connection cut off immediately and it should only be restored when they can demonstrate that they have removed the offending operating system and either installed a free and secure alternative, or bought a Mac. They clearly do not have the training or inclination to operate Windows safely.

Re:Take away their licenses (5, Insightful)

Sciros (986030) | more than 6 years ago | (#23029168)

Please fwd me some spam selling whatever it is you're smoking.

If Windows weren't so dominant an OS then botnets would operate on other systems as well (or in its place). It's a question of ROI, nothing else.

That said, it's also not a question of an "offending operating system." It's a question of uninformed (or incompetent, or both) users. If they can't be trusted to not double-click on an xxxxx.jpg.exe file in an email, they are likely to have problems with identity theft and other non-Windows-exclusive security issues. Rather than taking away Windows, these users need to receive training in basic computer security.

Using Windows is NOT a privilege, by the way. If the user paid for it, they have a right to use it.

Cutting off internet and then asking for demonstration that... they've bought a Mac? Will this be demonstrated using ninja magic? A photo via mail?

I can't tell whether you're a Windows elitist, a Mac fanboy, or just plain mental.

Re:Take away their licenses (5, Insightful)

Sloppy (14984) | more than 6 years ago | (#23029388)

That said, it's also not a question of an "offending operating system." It's a question of uninformed (or incompetent, or both) users. If they can't be trusted to not double-click on an xxxxx.jpg.exe file in an email, they are likely to have problems with identity theft and other non-Windows-exclusive security issues.

Yes, they'll have other security-related problems, so I won't dispute that users are a huge part of the problem. BUT: Windows really is a special case. Give a clueless user another OS, and they will run malware or otherwise join botnets far less often, and not because of ROI or what platforms that malware authors choose to target. Outside of Windows, most naive users do not know how to even deliberately execute an email attachment. They wouldn't just have to click on xxxx.jpg.exe; they'd have to save it and chmod +x it first, since (AFAIK) no email clients go to extra trouble to help users execute malware.

Windows and its applications have an unusual amount of "support" for running malware. (Executable-by-default is just one feature; there's also autorun, ActiveX, and fuck-knows-what-else.) These are technical (not marketshare-related) "features" of the platform, which most other OS creators have not elected to implement. Windows would be attractive to malware authors even if it had a small marketshare, because the platform is malware-friendly.

Re:Take away their licenses (1)

iamhigh (1252742) | more than 6 years ago | (#23029776)

Outside of Windows, most naive users do not know how to even deliberately execute an email attachment. They wouldn't just have to click on xxxx.jpg.exe; they'd have to save it and chmod +x it first
Gee, I wonder why the year of Linux eludes you consistently.

These are technical (not marketshare-related) "features" of the platform, which most other OS creators have not elected to implement.
You Linux zealots will never get it.

Re:Take away their licenses (2, Funny)

JoshJ (1009085) | more than 6 years ago | (#23029738)

Using Windows is NOT a privilege, by the way. If the user paid for it, they have a right to use it.
Not according to Microsoft.

Re:Take away their licenses (1)

cromar (1103585) | more than 6 years ago | (#23029766)

Please elaborate.

Re:Take away their licenses (1)

Deanalator (806515) | more than 6 years ago | (#23029740)

ISPs really should have better IDS on outgoing traffic. At the very least they should be dropping the malicious traffic, and I would hope some ISPs would go as far as redirecting users to a webpage that tells them how to remove the malware, and gives them the tools to do so.

Also, anyone who thinks that Macs are somehow invulnerable probably has a couple other mental disabilities as well, but you should look into it some time and see just how easy Windows makes it for the virus writers. The complexity of a Windows system gives one a million places and ways to hide, and also makes it extremely hard to prevent an attacker from escalating privileges.

Re:Take away their licenses (3, Insightful)

jdigriz (676802) | more than 6 years ago | (#23029770)

That said, it's also not a question of an "offending operating system." It's a question of uninformed (or incompetent, or both) users. If they can't be trusted to not double-click on an xxxxx.jpg.exe file in an email, they are likely to have problems with identity theft and other non-Windows-exclusive security issues. Rather than taking away Windows, these users need to receive training in basic computer security.
Definitely they require training in basic computer security. However, once it is technically infeasible for their computer to become infected with a botnet (due to the lack of support for alternate OSes by botnet software), their remaining issues with computer security harm themselves primarily and not others.

Using Windows is NOT a privilege, by the way. If the user paid for it, they have a right to use it.
Absolutely and categorically false. Property rights are not absolute. A drunk driver with a pulled driver's license does not have a right to operate a car that he purchases on a public road endangering others. By the same token, a negligent Windows user does not have the right to pollute the public Internet through willful ignorance, infecting other zombies and clogging networks with spam. He has every right to use Windows stand-alone, as you said, he paid for it.

Cutting off internet and then asking for demonstration that... they've bought a Mac? Will this be demonstrated using ninja magic? A photo via mail?
This is trivial. Upon reconnection, they will be subject to stateful packet inspection as a probationary period. If they are detected to be using a Windows browser or email client, they will be summarily yanked again. If botnet activity is detected they will be yanked again. If they're clever enough to fool their User Agent strings, or run Tor, they're clever enough to operate Windows securely if they so choose.

Re:Take away their licenses (1)

ushering05401 (1086795) | more than 6 years ago | (#23029236)

"Anybody found to have a zombied computer should have their Internet connection cut off immediately and it should only be restored when they can demonstrate that they have removed the offending operating system and either installed a free and secure alternative, or bought a Mac"

You really want ISPs making these decisions? Perhaps you are suggesting some new governmental agency decides when and where to summarily terminate someone's connection?

Freedom should not be sacrificed so trivially.

Re:Take away their licenses (0)

Anonymous Coward | more than 6 years ago | (#23029408)

someone mod this idiot down. There are plenty of reasons to bash MS, but this is dumb.

Re:Take away their licenses (1)

Jeremiah Cornelius (137) | more than 6 years ago | (#23029652)

Wow. Strong state advocacy from the Stainless Steel Rat!

Why don't the ISPs do something? (4, Interesting)

pembo13 (770295) | more than 6 years ago | (#23029026)

They obviously don't have a problem with tracking down and monitoring people. And they apparently have bandwidth issues. Why don't they basically mail merge to SELECT * FROM `customers` WHERE `customers`.isinfected? Simple, cheap snail mail... nothing fancy.

Re:Why don't the ISPs do something? (1)

Himring (646324) | more than 6 years ago | (#23029222)

Because there's no music involved. If you really want your computer analyzed, even brought before people and talked about indepth, then put music files on it. It's especially helpful if you are an unprivileged child and/or handicapped....

Re:Why don't the ISPs do something? (0)

Anonymous Coward | more than 6 years ago | (#23029232)

Because infected hosts use webmail like Hotmail and apparently Gmail to send the spam.

Block outgoing TCP port 25 at ISP border routers! (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23029322)

If all ISPs and businesses would simply block egress tcp port 25 for all addresses on their network except approved mail servers, they would stop these botnets in their tracks.

Of course, the botnets would then be rewritten to try to discover the mail server the PC normally uses and try to use it instead. But if ISPs enforced SMTP authentication to send, it would make it more difficult. Even if the botnets got past all that, it would now be easier to track down exactly who has the infected computer.

Of course many ISPs won't do this because it will make them more directly responsible for preventing spam, preventing viruses, and keeping their customers' computers clean.

Re:Block outgoing TCP port 25 at ISP border router (3, Informative)

Jeremiah Cornelius (137) | more than 6 years ago | (#23029712)

Bull.

I have a legitimate right to send SMTP from my machine - and I do so. I also run an SMTP server at home - have since 1993, when I got off of uucp.

I have never been an open relay, and access is passwd. I already have assholes at AT&T blacklisting me for no reason - and suffering their ridiculous petition process to get off their RBL.

This is the Internet. A collection of networks. ISPs are not cops, nor should they be. When you mandate this on common carriers, they become something else - and any slim protections we still have remaining will be long gone.

Re:Why don't the ISPs do something? (1)

uffe_nordholm (1187961) | more than 6 years ago | (#23029544)

I actually got a letter from my ISP about a year ago, telling me I had sent some virus (or other malware) via email. They recommended several tools for sorting out 'the problem' I might be having.

At first I was utterly stunned, considering I was running Linux, behind a router/firewall, but eventually figured out they were actually correct: a few days earlier I had _knowingly_ sent an acquaintance something I received via email, that I suspected was malware of some sort.

There had been a discussion on a webpage about this particular malware, and one person asked me to send it to him/her, so I did.

The phone contact I had with my ISPs technical staff revealed that this was the only instance of malware-sending they had recorded for me.

My father was not quite so lucky: he got his Windows XP owned pretty bad a couple of years ago, and also he got a letter from the ISP, although they were not quite as polite, saying in effect that if he didn't stop spamming the world they would cancel his service.

On the whole, I think this is a viable way of handling the spam/botnet problem. I don't think it will finish the problem off, but at least greatly reduce it. Having said this, I do wish to say that I am not entirely comfortable with my ISP keeping an eye on the emails I send, even if I can agree that this particular reason is beneficial to mankind.

Re:Why don't the ISPs do something? (1)

jimicus (737525) | more than 6 years ago | (#23029752)

Probably because they don't want customers to start thinking "This internet is more trouble than it's worth - I'm going to cancel it".

And it's rather hard to charge a monthly fee if you've cut the customer off.

1 million hijacked computers (0)

Anonymous Coward | more than 6 years ago | (#23029064)

and there's still no spam in my inbox. How's that, blackhats? For a short period in your life you'll know what organized crime does to people who don't deliver. Good riddance and fuck you!

My wife's notebook is one of them (4, Interesting)

should_be_linear (779431) | more than 6 years ago | (#23029074)

God knows I installed on that notebook each and every Anti-Spyware, Antivirus, Anti-everything in order to get rid of it. I traveled each and every "advisory" site with my HijackThis logs, removed numerous keys from the registry. Still, every now and then a goddamn popup window with the site "pc-on-internet.com" appears. I spent altogether perhaps 3 working days trying to remove the stupid thing; there is a lot of data and SW installed so I am trying to avoid re-installation. Now I am in the sitting-in-the-corner-and-crying phase.

Re:My wife's notebook is one of them (1)

alohatiger (313873) | more than 6 years ago | (#23029244)

Even Microsoft admits that sometimes an infection simply can't be removed.

Re:My wife's notebook is one of them (0)

Anonymous Coward | more than 6 years ago | (#23029272)

Look into Windows Services, disable telnet and messenger. And no you won't be shutting down the messenger chat program.

Re:My wife's notebook is one of them (1)

Ironsides (739422) | more than 6 years ago | (#23029300)

Make an image of your machine periodically. That way it is quicker and less painful to do a restore than a reinstall.

Re:My wife's notebook is one of them (3, Funny)

megaditto (982598) | more than 6 years ago | (#23029350)

In your hosts file, point "pc-on-internet.com" to 66.35.250.150, then each time a window pops up treat it as a helpful reminder to take an ergonomic break.

Re:My wife's notebook is one of them (1)

j.sanchez1 (1030764) | more than 6 years ago | (#23029462)

In your hosts file, point "pc-on-internet.com" to 66.35.250.150, then each time a window pops up treat it as a helpful reminder to take an ergonomic break.

I know it was a joke, but you hit on a good thing to try: a HOSTS file [mvps.org] that could block many of these things from getting out.

Repair is not an option (5, Insightful)

symbolset (646467) | more than 6 years ago | (#23029386)

Once you know the PC is compromised you cannot get it back to a known good state. The best you can hope for with the various utilities is to get it workable enough to offload your data, build your recovery media and record your settings. You're actually better off removing the hdd to an external enclosure and installing fresh on a new one. You could then scan the removable device before carefully recovering the data from it. The worst possible thing you could do is eliminate the visible problems and pretend that means you have a good PC on which to do work.

What is pwned cannot be unpwned. Reinstall. Somewhere in my journal may be some helpful instructions for getting the reinstall done without becoming compromised in the process. You're not the first (or the ten thousandth) person here this has happened to.

Somebody else here will have suggested you try Linux by now, or Apple. There are no Linux or Apple botnets so they don't have this problem. They do have security vulnerabilities too, but compromising one of them is a retail, rather than a wholesale, endeavor and so less fruitful for the botmasters.

Re:Repair is not an option (1)

oni (41625) | more than 6 years ago | (#23029688)

The worst possible thing you could do is eliminate the visible problems and pretend that means you have a good PC on which to do work.

This is *so* true. You know what, I once saw a system administrator respond to a known compromise (discovered by the presence of drop-site files) by "deleting the files the hacker uploaded and installing all windows patches".

There are just so many things wrong with that sentence that I don't even know where to start. "How did the hackers get in?" "I'm not sure, but I deleted their files." *sigh* The machine was discovered compromised again some time later. In reality, it was never uncompromised.

Reinstall. Always reinstall.

Re:My wife's notebook is one of them (1)

pablomme (1270790) | more than 6 years ago | (#23029472)

God knows I installed on that notebook each and every Anti-Spyware, Antivirus, Anti-everything in order to get rid of it.

Not at the same time, I hope. I'm not trying to sound smart: I've seen Windows PCs with two simultaneously-installed antivirus programs, hugely slowing down the machine and blocking each other's real-time scanner. Seen this twice in the last month, to be exact.

My suggestion is: get a linux liveCD (e.g. Ubuntu), start it, download and install Avast! antivirus (linux version, clearly), update its database, and scan the Windows drive.

Wasting your time (1)

HangingChad (677530) | more than 6 years ago | (#23029638)

I spent altogether perhaps 3 working days trying to remove stupid thing

Those programs are so complex, so woven into the fabric of Windows, I've never seen a repair work. You have to reformat the drive...not just reformat, but blow away the partitions and recreate them, then reinstall Windows, plus scan the data files recovered with Knoppix.

Even then I won't warranty it. The hackers you're up against today are organized, professional programmers making big $$$ who do this for a living, not some 15 year old hack. They even know how to subvert security and anti-virus programs.

I'm not belittling you or anyone else when I suggest you may be a bit out of your league. Partition, reformat, reinstall.

Re:My wife's notebook is one of them (1)

v1 (525388) | more than 6 years ago | (#23029666)

I went to that URL and followed the link and it seems to give you an EXE to uninstall their malware. But then are you that brave? ;) I'm on a mac so that whole process was a lot less worrisome. I can send you the EXE if you like.

Re:My wife's notebook is one of them (1)

jandrese (485) | more than 6 years ago | (#23029734)

My wife's laptop got the same thing. I'd clear out all of the spyware and stuff that was found, but after a couple of days it would be reinstalled. Clearly the machine was rooted and whoever it was used the rootkit to install that crap. The only way to get rid of it was to reinstall Windows (and not a lame "repair", but a full on reinstall).

Re:My wife's notebook is one of them (1)

Technician (215283) | more than 6 years ago | (#23029760)

Still, every now and then goddamn popup window with site "pc-on-internet.com" appears. I spent altogether perhaps 3 working days trying to remove stupid thing,

So why did you leave it with a connection? The first thing I do with a rogue PC is block its MAC address at the router, then work on it. When fixed, or when I think it's fixed, I turn on the address and monitor the router log for unexpected traffic. Unexpected port 25 traffic from that machine gets it shut back down for a more robust fix including a reformat.

From doing a search on the program, it appears to be an IE problem. Firefox on Ubuntu seems to be clean for me.
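The "watch the router log for unexpected port 25 traffic" check from the comment above, as an added example that is not from the thread: a small detector run over constructed, iptables-style log lines. The `SRC=/DST=/DPT=` field layout, the LAN prefix, the whitelist of sanctioned mail relays and the threshold are all assumptions for illustration.

```python
"""Flag LAN hosts that originate unexpected outbound SMTP (port 25) connections.

Added example, not code from the thread. Log format, LAN prefix and the
relay whitelist are assumptions; adjust them to your own router's logging.
"""
import re
from collections import Counter
from typing import Iterable, List

# Assumed iptables-style log fields; real router logs vary.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=TCP\s+DPT=(?P<dpt>\d+)"
)

LAN_PREFIX = "192.168.1."                              # assumed LAN range
# Assumed legitimate relays that LAN hosts are allowed to reach on port 25.
ALLOWED_SMTP_DST = {"192.168.1.10", "203.0.113.25"}    # constructed values


def smtp_attempts(lines: Iterable[str]) -> Counter:
    """Count outbound port-25 connections per LAN host, excluding sanctioned relays."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                                   # not a TCP line we parse
        src, dst, dpt = m.group("src"), m.group("dst"), int(m.group("dpt"))
        if dpt != 25 or not src.startswith(LAN_PREFIX):
            continue
        if dst in ALLOWED_SMTP_DST:
            continue                                   # mail via the real relay is fine
        counts[src] += 1
    return counts


def suspect_hosts(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Return LAN hosts with at least `threshold` unexpected SMTP attempts, worst first.

    One stray connection may be a misconfigured client; a burst of direct
    port-25 connections to many hosts is the spam-bot pattern in the thread.
    """
    return [h for h, n in smtp_attempts(lines).most_common() if n >= threshold]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "kernel: OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP DPT=25",
    "kernel: OUT=eth0 SRC=192.168.1.23 DST=198.51.100.8 PROTO=TCP DPT=25",
    "kernel: OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP DPT=25",
    "kernel: OUT=eth0 SRC=192.168.1.23 DST=198.51.100.10 PROTO=TCP DPT=25",
    "kernel: OUT=eth0 SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP DPT=25",
    "kernel: OUT=eth0 SRC=192.168.1.50 DST=203.0.113.25 PROTO=TCP DPT=25",
    "kernel: OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=TCP DPT=25",
    "kernel: OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=TCP DPT=443",
    "kernel: OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for host in suspect_hosts(SAMPLE_LOG):
        print(f"{host}: unexpected outbound SMTP, block at router and rebuild")
```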

Hmmm.... (4, Funny)

Otter (3800) | more than 6 years ago | (#23029094)

Stewart and others at SecureWorks believe Damballa has simply rebranded the older Bobax, which has several other nicknames besides Kraken, including "Bobic," "Oderoor," "Cotmonger" and "Hacktool.Spammer."

Be that as it may, "Kraken" is a superb name (as is "Damballa" itself). "Bobic", "Oderoor" and "Bobax" sound like open-source CMSs. "Cotmonger" sounds like a word Bart Simpson would use when suddenly breaking into an unfunny Cockney accent for no reason.

I had a botnet once (4, Funny)

TheRealMindChild (743925) | more than 6 years ago | (#23029136)

I had a botnet once... didn't catch very many bots, but I got a shitload of dolphins :(

Just a thought... (1)

ZenDragon (1205104) | more than 6 years ago | (#23029170)

Wouldn't it be possible to log "bot" traffic and systematically, using the same exploits that the bot trojans used to infect the hosts, infect these machines with a virus that removes the bot and deletes itself? Sort of like an anti-bot virus?

Might be a little unethical, but hey drastic times call for drastic measures!

Re:Just a thought... (3, Interesting)

Umuri (897961) | more than 6 years ago | (#23029308)

Most infections actually patch and update machines they infect. Once they get in they seal the door behind them, as well as try to remove any competing infections already on the machine. That way they don't get their zombie stolen from them.

Re:Just a thought... (1)

Nullav (1053766) | more than 6 years ago | (#23029474)

Unethical? Anyone who intentionally starts blasting spam as part of a botnet should be stabbed in the face. (Both ideas sound like a desperately-needed public service to me.)

This is a job for goons (5, Insightful)

Animats (122034) | more than 6 years ago | (#23029204)

The industry is going at this all wrong. There are only a few players left, and they're all crooks. We need a consortium of companies with spam problems to hire Kroll [kroll.com] , Blackwater [blackwaterusa.com] , or one of the other big international security companies to deal with the people behind the problem.

If 5% of the money spent on dealing with spam went into finding the people behind it and making them go away, the problem would go away.

Re:This is a job for goons (2, Interesting)

darkmayo (251580) | more than 6 years ago | (#23029278)

Do we really know who is in control of these botnets? Would love to see some spammers eat bullets, but I'd like to know the ones with power are the ones that get neutralized.

Re:This is a job for goons (1)

namityadav (989838) | more than 6 years ago | (#23029280)

Hate the Sin, But Not the Sinner

Seriously though, if you manage to stop these top spammers, then before you say, "Good riddance," new players will take up their space. If there's opportunity in this space, people will keep coming. There's no way you can get rid of spammers by stopping a handful of people .. however big they are in the spamming world.

Re:This is a job for goons (1)

ZenDragon (1205104) | more than 6 years ago | (#23029306)

You can't kill the beast by cutting its head off when the beast has a million heads. There will always be people willing to take advantage; the only thing we can do is make it difficult or impossible for them to do whatever it is they do.

Re:This is a job for goons (1)

Archangel Michael (180766) | more than 6 years ago | (#23029626)

"You can't kill the beast by cutting its head off when the beast has a million heads."

Then explain all the FPS games out there?

Answer, because it is FUN when done right.

Now, for something really scary..... (0)

zappepcs (820751) | more than 6 years ago | (#23029282)

Need some stats to glue you to that posh office chair you're sitting in? Try the CDC for mortality statistics http://www.cdc.gov/nchs/fastats/deaths.htm [cdc.gov] and watch how botnets blur into needless crap worthy of Fox News.

On the other hand, you are only hearing about the botnets that are reported! The ones that stay stealthy and only do a little espionage now and then are not reported... say from the USAF Cyber Defense Command!? Since MS et al are so cozy with the NSA these bots probably don't even register with detection software packages.

As stated, watch some port 25 traffic to see if you are spewing spam everywhere. Who knows what port the really nasty botnets are using. No, it's not tin foil I'm wearing on my head!!

Just because you're paranoid does NOT mean they are not out to get you. We've seen cable cuts, military attacks on various other-country establishments, industrial espionage from Israel, Chinese cyber attacks and all manner of oddities on the Internet.

I said it first: Recession will make the Internet more important than it is now. Cyber attackers will mature, and their attacks and goals will change also. Identity theft is peanuts if you can get inside a bank, a federal bank etc.

Think of it... 25 cents per transaction run through a large backend company for Visa? THAT is big money. Doesn't have to be a credit card company either.. just a large institution. Say the billing system of your local electric company gets hacked, and 25 cents per bill is being funneled off to Estonia? If you think it couldn't happen and is not happening, remind yourself how torture in the USA couldn't happen either!

Fine those who have hijacked machines. (1)

FatSean (18753) | more than 6 years ago | (#23029414)

Fine them a few hundred bucks per machine. Lazy people who can't or won't keep their machines secure don't deserve to be given access to the internet.

It's like owning a dog. If you don't keep the dog secure, and it runs about able to harm others, you get a fine and potentially lose your right to own a dog.

I realize the logistics are tough, but something needs to be done.

Re:Now, for something really scary..... (1)

maxume (22995) | more than 6 years ago | (#23029620)

I predict that despite our best efforts, more than 6 billion people will die in the next 100 years.

Anyway, as more and more economic activity moves onto the internet, security will get better. Look at the last five years. Security has actually gotten better. Even Windows is getting better, as long as you keep up with patches.

lolcats (1)

eneville (745111) | more than 6 years ago | (#23029354)

we're in your networks controlling your logins

Simple answer... (2, Informative)

Gordonjcp (186804) | more than 6 years ago | (#23029390)

I just block everything incoming on port 25 from IP blocks in the US, apart from a (very small) handful of whitelisted servers.

Why? (2, Interesting)

oni (41625) | more than 6 years ago | (#23029518)

WHO IS CLICKING ON THE LINKS IN THESE EMAILS?

Why does spam work? Who are these stupid people and why do they click? Also, if you get 80 spam a day for the same fake product, why would you pick one at random and say, "der, I think I'll go buy this!"

Can someone please tell me why?

I wish some news reporter would send out a billion spam but then, instead of taking money from the people who click, contact them and do an interview. I want to know who these people are and what the hell they are thinking.

Re:Why? (1)

Hatta (162192) | more than 6 years ago | (#23029640)

The world is filled with extremely stupid people. Something like 30% of people still approve of the job GWB is doing for instance.

Re:Why? (4, Insightful)

v1 (525388) | more than 6 years ago | (#23029772)

If it costs you $500 to rent a chunk of botnet bandwidth for a few days. It blasts 1,000,000 of your spam. 25,000 of them survive all the layers of filtering (2.5%) and are viewed. 1000 of those (4%) get their link clicked on. 100 of those people (10%) actually buy the product, netting you $15 each, for a total of $1,500 in untaxable income. That's $1,000 total profit for your 30 minutes of work.

So of that 1,000,000 spam you sent, only 100 had to be actually bought for you to turn a big buck. (1-100th of 1%)

Do the math, that's why it works. Spam works due to cheap volume. Anything works if you can have cheap volume.

Botnets... (1)

spazdor (902907) | more than 6 years ago | (#23029556)

Has anyone thought of writing a worm that just installs a stealth Folding@home client and patches the machine up?

If a million clueless consumers are going to buy more megahertz of Dells than they know how to use, we might as well use their stolen CPU cycles to cure diseases rather than impotence.

Most users run as root and open all attachments (2, Insightful)

rabtech (223758) | more than 6 years ago | (#23029572)

Regardless of platform, most users

1) Run as root, administrator, or some other super-trusted user account and completely disregard security
2) Open anything they receive in email. I've even had some users do a Save-As giving the file the correct extension to be runnable!

These are a result of fundamental flaws in the design of Windows, Unix, et al. Most operating systems assume that all programs should have the ability to do whatever the user can do. In other words, programs are as trusted as the user account they run under.

Given people's experiences with OS X's admin dialogs or Vista's UAC, I'm not sure changing this assumption will lead to more security either. Most users, when presented with a dialog box, will immediately press whatever button is required to dismiss the dialog without reading it.

Even if the default is cancel, the first time they hit "naked ladies.jpg.exe", get a warning, and dismiss it they'll just figure they did something wrong and open it again, choosing the other option this time.

I'm not sure what the solution is.

Until I see a standardized Linux (0)

Anonymous Coward | more than 6 years ago | (#23029576)

Under one distribution and one sole source, I am not going to switch out IIS anytime soon.

Thanks. I will stick with what I know since the 90's. If you are smart and know the stuff well, Windows is just acting like FOSS anyway.

Botnets-spam (2, Interesting)

gmuslera (3436) | more than 6 years ago | (#23029672)

There is a good chart mapping current botnets and spam at the Marshall TRACE center [marshal.com] (updated frequently afaik). That over 80% of all internet spam comes from botnets (and almost 50% of it just from srizbi) is a good sample of the impact of this kind of spam source.

Why the vague terminology? (1)

sloanster (213766) | more than 6 years ago | (#23029718)

Gotta love how these articles always say "a million machines" rather than the clearer and more accurate "a million microsoft windows PCs"...