Botnets

How to Stay Out of Botnets

Just finished reading this article on USA Today, Botnet scams are exploding, about how much botnets have increased and how they estimate that on a typical day, 40% of the 800 million computers on the internet are in a botnet. That is just ridiculous, but probably true. Why? People don’t want to have to do anything to make something work, they just want it to work, and while you can buy a car, jump in it and take off, the same cannot be said for computers. With a new computer, you are already in the hole because you need to make sure your antivirus is up to date, make sure your machine has all of the latest patches and get some kind of spyware scanner. But who wants to do all of that? Most people just jump online and take off, which is a bad, bad thing, unless you have been on the internet for a while and actually know not to open emails from people you don’t know, etc. While this article on USA Today does a good job of informing the public about botnets, it does nothing to tell you how to keep them off of your computer.

Two days after actor Heath Ledger died, e-mails began moving across the Internet purportedly carrying a link to a detailed police report divulging “the real reason” behind the actor’s death. Ledger had been summarily drafted into the service of a botnet.

Bots are compromised computers controlled by profit-minded crooks. Those e-mails were spread by a network of thousands of bots, called a botnet. Anyone who clicked on the link got instantly absorbed into the fast-spreading Mega-D botnet, says security firm Marshal. Mega-D enriches its operators, mainly by distributing spam for male-enhancement pills.

Largely unnoticed by the public, botnets have come to inundate the Internet. On a typical day, 40% of the 800 million computers connected to the Internet are bots engaged in distributing e-mail spam, stealing sensitive data typed at banking and shopping websites, bombarding websites as part of extortionist denial-of-service attacks, and spreading fresh infections, says Rick Wesson, CEO of Support Intelligence, a San Francisco-based company that tracks and sells threat data.

The whole article is worth a read for sure, as you get some background info on how botnets work, what some of the current botnet “herders” are doing and how they evade the scanning systems of the gatekeepers, such as your ISP. So, if you are buying a new computer, here is how to get started safely on the internet. I will post an article later, and link to it from here, for those who are already infected or think they might be.

Download all of the latest patches from Windows Update and install them. Make sure to set your computer to download the latest patches and to notify you when they are received. This is how computers end up in botnets: unpatched computers. If there is a hole in your operating system, somebody will be, or already is, exploiting it somewhere; a patched and up to date computer is your best friend. If you are surfing with an unpatched computer you are just asking for trouble eventually, mark my words.

In Internet Explorer, click on Tools, then click on Windows Update. Or, you can go to www.windowsupdate.com; it should redirect you to the latest version. If you have other Microsoft products installed, like Microsoft Office, go ahead and click on the Upgrade to Microsoft Update link on the right, and you can get the latest patches automatically for those programs as well. Select and install all of the patches that it brings up and have a seat, as this could take a while.

Windows Update

Next, update the antivirus software you have installed, or install the one you are going to use and then update it; most will have a button that says Check for Updates when you go into the program. In the screenshot, using Network Associates VirusScan, you can click on Auto Update and then click the green arrow at the top to go. Once that is done, double click Auto Update and then click on Schedule to set it to automatically get the updates every day. I would set it to check at least once daily, maybe twice, if you leave it on all day. Note: each program is different; the steps to do this will be in the manual or are probably easily found on the vendor’s website.

Network Associates Antivirus

Download a spyware/malware scanner; my advice is to get more than one, as not all of these programs are the same. Some will catch infections that others will not. If I have missed one that you like or recommend, drop a comment and let me know so I can try it. I will be adding others as I go; this list will probably never be comprehensive, as I am only adding the ones that I have used.

Recommended Programs:

Spybot – Search and Destroy – This program is free and is highly recommended by about everyone I know. Once you have it installed and set up, make sure you go to the Immunize tab and let it run. This will stop many spyware or malware programs from even running.

Adaware – They have a pay version, but they have a free version as well here.

AVG Anti-Spyware – This one is free for a month, then you will need to pay for it. It is worth paying for, and they probably have a lot more customers because of me. I have caught malware on several machines with it that most free ones do not find.

Prevx – They also sell this program, but they have a free pc check here. This is another program that has caught several malware programs for me that the others did not.

Microsoft OneCare – Microsoft has really done a pretty good job with this program; if you look at the Prevx site listed above, you can see from the graph on the front page that it caught more than a lot of the other programs. This is a pay program as well, but they have a 90 day free trial.

X-Cleaner – Another program you have to pay for, this one is also excellent and frequently updated. The makers of this program have a free online scan here.

Panda Antivirus – This is a 30 day free trial.

Once your spyware scanner is installed, your computer is patched and your antivirus is updated, you should be covered from most things, but there are always ways to get you. Spam is the botnets’ biggest weapon, as they can spam out interesting things to get you to click on them. Once clicked, you will be redirected to or through their site, their botnet program is installed, and it will likely forward you on to a legitimate site, so you may not even have noticed what just happened. So, in your email program, set it to read email in plain text format, to keep them from being able to do anything to your computer without you even opening an email; or, if you prefer the graphical format, you should get rid of the preview pane so it does not automatically run any programs or display any pictures.

Another suggestion is to use an alternate browser, such as Firefox, which is widely considered to be more secure.

Anyway, that is my little take and something they should’ve added to the article, or published in another article, to actually help keep people out of spammers’ botnets.

Keep your computer clean and it will run better, faster and last a lot longer, guaranteed.

Note: now all you techies out there are going to say, you can do this, you need to run that, use this operating system, etc. I’m not saying that this is comprehensive at all, but the absolute minimum you should do is on this page. I would also recommend not running under an administrator account, turning on your firewall, turning off your computer or your internet access when it is not being used, not opening emails from strangers, not opening strange emails from people you know without asking them what it is, and always paying attention to the websites you are going to online. When you click on a link, if you hold the mouse button down, it will show you where you are going; you can slide your mouse off the link without releasing the button to keep from going there, or just let go of the button to go ahead and visit that website. This article will change as necessary.

Posted by Jimmy Daniels - March 18, 2008 at 6:41 pm

Categories: Botnets, Security, Windows Update

Zunker the Botnet Management Application

Here is some really interesting information: Panda Labs has discovered an online app that controls botnets, and not just any app; it is laid out pretty well and gives you back some pretty good info on the botnet, number of computers, how many are up, where they are, etc. And spamming is a piece of cake as well: type up the message and post it into a pre-made template, say for forums, instant messenger apps, web mail, etc.

Anyway, you can see that bots are organized by country, and you can see how many bots you have, reports from each one, how much spam has been sent, and what software the bots have used to send the spam (Gmail, IM, forums, etc.):

You can also see in the statistics section the number of bots, reports, and daily/monthly spam statistics… not bad, eh? Source: Zunker Bot

Network World talked to a couple of Panda’s employees to get some extra info.

Zunker could give botnetters statistics on the lifespan of particular botnets — how many infected PCs were still in operation — and allow files to be downloaded to infected PCs to perform activities beyond basic spam relaying, such as information theft.

“This is a lucrative crime. The bot-herder can rent out the network to the highest bidder. Cyber crooks use them for a wide range of criminal activities including downloading malware onto infected computers, distributing spam or phishing messages or causing denial of services. The bot-herder can also use the botnet for their own activities, although this is less common,” said Corrons. Source: Botnet management app exposed

They sure are making it easy. I guess one of us is going to have to create a botnet for good, so we can try to take out the bad botnets.

Posted by Jimmy Daniels - May 15, 2007 at 5:41 pm

Categories: Botnets, Security

Spam Doubles, is this Spam 2.0?

Just read this article on the NYTimes website called Spam Doubles, Finding New Ways to Deliver Itself, and the second paragraph says “Spam is back”, but what I want to know is, when and where did it go that it is now back? Spam hasn’t slowed down at all for me, at least on the accounts that get spam; I still have a couple that are pretty much spam free, so there, spammers, stick that in your botnet and smoke it. I have noticed a big spike in image spam, and those are the bad ones, as they know you looked at the email because the image has to load. By default, I make sure the displaying of images is turned off, so that does help keep them from knowing whether I opened it or not. Don’t mistake me, I hardly ever open it, but some of the titles make it hard not to, especially if you are using the internet for anything much at all.

You’re not the only one. Spam is back: in e-mail in-boxes and on everyone’s minds. In the last six months, the problem has gotten measurably worse. Worldwide spam volumes have doubled from last year, according to Ironport, a spam filtering firm, and unsolicited junk mail now accounts for more than 9 of every 10 e-mail messages sent over the Internet.

Much of that flood is made up of a nettlesome new breed of junk e-mail called image spam, in which the words of the advertisement are part of a picture, often fooling traditional spam detectors that look for telltale phrases. Image spam increased fourfold from last year and now represents 25 to 45 percent of all junk e-mail, depending on the day, Ironport says. Source: NYTimes

Nowadays, spammers are using botnets to send spam, which defeats a couple of the ways anti-spam organizations fought spam: analyzing the reputation of the sender, and blacklists of known junk emailers, which botnets make kind of useless. It also allows them to send many more spam messages, because the spam is coming from thousands of computers and not just a few, and they are using someone else’s bandwidth. And by using images instead of text messages, one CTO says, they moved spam into the filters’ blind spot. They can change each individual email message just a little bit to confuse anti-spam filters that look for the same message over and over, a technique that could instantly thwart spam email in the good old days.
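To show why a filter that looks for the same message over and over fails once each copy is tweaked, here is an added example (not from the original post or the NYTimes article): an exact hash misses every mutated copy of a constructed pump-and-dump message, while a word-shingle similarity check still matches them. The messages, the 0.5 threshold and the three-word shingle size are assumptions for the demo.

```python
"""Exact-match spam fingerprints versus near-duplicate matching.

Added example, not from the original post. Messages are constructed; the
shingle/Jaccard check is a standard near-duplicate technique used here to show
what a whole-message hash cannot see once spammers vary each copy slightly.
"""
import hashlib
import re

# Constructed template plus three lightly mutated copies: random trailing
# tokens, punctuation and case changes, the kind of per-message variation
# the post describes.
ORIGINAL = "Hot stock alert!! XYZ will explode this week, buy now before the news hits"
VARIANTS = [
    "Hot stock alert! XYZ will explode this week, buy now before the news hits kq83",
    "Hot stock ALERT!! XYZ will explode this week; buy NOW before the news hits",
    "hot stock alert xyz will explode this week.. buy now before the news hits 7711",
]
# A constructed legitimate message that must not be flagged.
LEGIT = "Meeting moved to Thursday, please bring the quarterly report and the budget"


def exact_fingerprint(text):
    """Whole-message hash: any one-character change yields a new fingerprint."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def shingles(text, n=3):
    """Set of n-word windows over the normalised (lowercased, alphanumeric) words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets; 1.0 means identical, 0.0 means disjoint."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def is_near_duplicate(candidate, known, threshold=0.5):
    """True when the candidate shares enough shingles with a known spam message."""
    return jaccard(shingles(candidate), shingles(known)) >= threshold


def exact_match_catches(variants, known=ORIGINAL):
    """How many variants an exact fingerprint filter would catch."""
    ref = exact_fingerprint(known)
    return sum(exact_fingerprint(v) == ref for v in variants)


def fuzzy_catches(variants, known=ORIGINAL, threshold=0.5):
    """How many variants the shingle-based filter would catch."""
    return sum(is_near_duplicate(v, known, threshold) for v in variants)


if __name__ == "__main__":
    print("exact hash catches:", exact_match_catches(VARIANTS), "of", len(VARIANTS))
    print("shingle check catches:", fuzzy_catches(VARIANTS), "of", len(VARIANTS))
    print("legit message flagged:", is_near_duplicate(LEGIT, ORIGINAL))
```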

But don’t spammers still have to link to the incriminating Web sites where they sell their disreputable wares? Well, not anymore. Many of the messages in the latest spam wave promote penny stocks, part of a scheme that antispam researchers call the “pump and dump.” Spammers buy the inexpensive stock of an obscure company and send out messages hyping it. They sell their shares when the gullible masses respond and snap up the stock. No links to Web sites are needed in the messages.

Though the scam sounds obvious, a joint study by researchers at Purdue University and Oxford University this summer found that spam stock cons work. Enough recipients buy the stock that spammers can make a 5 percent to 6 percent return in two days, the study concluded.

I hadn’t noticed that those penny stock emails don’t link to anything; this is ingenious in its sick little way, and being able to make a 5 or 6% return in just two days is probably well worth it for the spammers.

Some antispam veterans are not optimistic about the future of the spam battle. “As an industry I think we are losing,” Mr. Peterson of Ironport said. “The bad guys are simply outrunning most of the technology out there today.”

And they will keep winning as long as people still fall for their scams and messages; as long as users click on the links or buy the stock, spam will be here to stay and will probably get worse. It’s sad to say it, but right now education is the key. Once they no longer make money from it, it will peter out and slow down, but that day is a long way away; most users don’t care, don’t understand or just don’t pay attention when you try to teach them good computing practices. What is the solution? A complete revamping of the email system, which is easier said than done.

As a side note, the way spammers are using botnets should show everyone how well large groups of computers can do things together, as evidenced by the SETI project and a few other distributed computing projects.

Posted by Jimmy Daniels - December 6, 2006 at 6:09 pm

Categories: Botnets, Education, Spam

W32.Spybot.ACYR Testing the Waters

A new bot is appearing on university networks, here and there and in small numbers, which is surprising since many of the computers are vulnerable and only a few are being infected. Someone could be testing the setup of their new botnet by sampling small groups of computers spread around the nation. The program has been spreading by exploiting a 6 month old flaw in Symantec Corporate Edition antivirus and Client Security products and five patched vulnerabilities in Microsoft software. Most home users should not be affected.

The bot program, identified as W32.Spybot.ACYR by Symantec, has compromised a small number of systems at various universities, including about 30 systems at the University of Arkansas and another 150 systems at the University of New South Wales in Australia. The spread of the bot software became noticed because of an inordinate amount of traffic to the network port number used by Symantec’s software–both the Internet Storm Center and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) reported spikes in traffic to port 2967. Source: Bot spreads through antivirus, Windows flaws

Symantec has only had four reports submitted, all from educational institutions, and its network analysis system has detected a couple of spikes in traffic on port 2967. The bots connect to an IRC (Internet Relay Chat) channel and await commands; the bot tries to detect whether it is in a honeypot by looking for signs of debugger or virtual machine software, and it uses FTP (File Transfer Protocol) to copy itself to other machines.

As always, keep your antivirus, spyware and Windows software updated, and you will almost always be fine. Throw in some good computer practices and you should be good to go.
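The port 2967 traffic spikes that tipped off the Internet Storm Center and REN-ISAC are the kind of thing a network admin can watch for locally. The following is an added example, not code from the original post or from Symantec: it reads constructed flow records in an assumed "timestamp src dst dport" format and flags any source that fans out to many distinct hosts on 2967, since a real Symantec client talks to one or two management servers, not a whole subnet. The threshold is an assumption to tune against your own baseline.

```python
"""Flag hosts fanning out to TCP port 2967 across many peers.

Added example, not from the original post or from Symantec/ISC. The flow
records below are constructed in a simplified "timestamp src dst dport"
format standing in for NetFlow; the threshold is an assumed demo value.
"""
from collections import defaultdict

SYMANTEC_MGMT_PORT = 2967   # the port the post says saw traffic spikes
DISTINCT_PEER_THRESHOLD = 5  # assumed: flag sources touching >= this many hosts

# Constructed sample: 10.0.5.23 sweeps consecutive hosts on 2967 (worm-like),
# 10.0.5.40 talks to one management server on 2967 (normal), and there is
# unrelated web traffic on port 80 that must be ignored.
SAMPLE_FLOWS = """\
2006-11-28T09:00:01 10.0.5.40 10.0.0.2 2967
2006-11-28T09:00:02 10.0.5.23 10.0.7.1 2967
2006-11-28T09:00:02 10.0.5.23 10.0.7.2 2967
2006-11-28T09:00:02 10.0.5.23 10.0.7.3 2967
2006-11-28T09:00:03 10.0.5.23 10.0.7.4 2967
2006-11-28T09:00:03 10.0.5.23 10.0.7.5 2967
2006-11-28T09:00:03 10.0.5.23 10.0.7.6 2967
2006-11-28T09:00:04 10.0.5.23 10.0.7.7 2967
2006-11-28T09:00:05 10.0.5.40 10.0.0.2 2967
2006-11-28T09:00:06 10.0.5.99 198.51.100.10 80
2006-11-28T09:00:07 10.0.5.99 198.51.100.10 80
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into tuples; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((ts, src, dst, int(dport)))
    return records


def find_sweepers(records, port=SYMANTEC_MGMT_PORT, threshold=DISTINCT_PEER_THRESHOLD):
    """Return {src: distinct_dst_count} for sources that contacted at least
    `threshold` distinct hosts on `port`. Wide fan-out is the signal here,
    not raw packet volume: a legitimate AV client has few 2967 peers."""
    peers = defaultdict(set)
    for _ts, src, dst, dport in records:
        if dport == port:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, count in find_sweepers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible port 2967 sweep from {src}: {count} distinct destinations")
```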

Posted by Jimmy Daniels - November 29, 2006 at 4:57 am

Categories: Botnets, Security

IM Worm Attack Cloaked in Virtual Card Hoax

A new IM worm, dubbed W32Heartworm.A by Facetime, has been discovered that opens up a picture of a heart when you become infected, and it then attempts to steal your banking data. The heart picture is taken from a site dealing with internet hoaxes, Quatrocantos, and the infection site mentions a “virtual card for you”, which is the name of a famous hoax stretching back to the year 2000. Clever stuff. Otherwise, you have no idea you were just infected with anything, and since they are referencing a known site that lists internet hoaxes, I would say most people wouldn’t think about it again, at least until their machine starts acting….


This is definitely one that could trick many users, because it references the old internet hoax, A Virtual Card for You, and as these worms become more and more sophisticated at the social aspect of the engineering, we are going to need the companies that run these instant messaging programs to step up and actually block these URLs as they are reported. We all know how easy it is to get messed up and click on the wrong thing, or type in the wrong text, when an instant messaging window pops up. Wayne Porter calls it hoax cloaking:

“This is a cultural camouflage approach which we call “hoax cloaking”. It is a defensive construct that adopts the very lore, memes and culture of the Internet to serve as a self-preservation and cloaking mechanism, much like the advanced construction of a “media virus”.”

I also posted this at Realtechnews.com.

Posted by Jimmy Daniels - September 22, 2006 at 5:24 pm

Categories: Botnets, Malware, Security

Pipeline Worm Floods AIM with Botnet Drones

For removal, X-Cleaner.

A new worm is crawling through AIM; using a sophisticated network of “chain” installs, the bad guys can start the process of infection with any of the files and still hit you with the rest. Or they can target you with a certain selection of files depending on what they want you to do as part of their botnet. It’s like a 10-hit Tekken combo, one that you are on the receiving end of. It starts with an innocent message like, “hey would it be ok if i upload this picture of you to my blog?”, which, upon clicking, starts you off by placing you in their botnet, where they can pretty much do whatever they want with you.

They can get you many different ways, but here are three they detailed on their blog, all of which start with the downloading of the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 folder:

1) Running the file results in csts.exe being created in your system32 Folder. At this point, you may well be part of a Botnet (though not in all cases) and the infection has the potential to call down new files onto your PC, which are randomly selected from the numerous files waiting in “storage” that have been spread around the Net.

2) The infection has the potential to call numerous other files, such as files with fixed, unchanging names and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams).

3) The infection has the potential to call numerous other files, such as d227_seven2.exe and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams). You will also potentially end up with a rootkit on your PC as a result of this particular scenario.

At this point, the infected PC is a Botnet drone and can be commanded to send new infection messages via AIM such as:

“hey is it alright if i put this picture of you on my egallery album?”, which will download the image22.com file (again, disguised as a jpeg).

At this point, the cycle begins again and they can look to infect fresh victims with this exploit.

X-Cleaner will remove w32.pipeline from your computer.


I also blogged about this at Realtechnews.com.

Posted by Jimmy Daniels - September 18, 2006 at 12:15 pm

Categories: Botnets, Security, Spyware Info