
Most spam comes from just six botnets

Six botnets are responsible for 85 per cent of all spam, according to an analysis by net security firm Marshal. The Srizbi botnet is reckoned to be the largest single source of spam - accounting for 39 per cent of junk mail messages – followed by the Rustock botnet, responsible for 21 per cent of the spam clogging up users' …

COMMENTS

This topic is closed for new posts.


Linux

Stating the bloomin' obvious

So if we took all the 15-year old MySpackers, old Dears and everyone in between who's running an unpatched, unprotected OS and beat them into reality.. we could rid ourselves of a lot of misplaced penis enlargement offers?

Seems like a lot of effort......

Or we could just nuke the Russian Business Network, I'm happy either way.

Tux, cos penguins don't do spam, tinned or otherwise!


I'm still waiting for an answer

to a query I posted months ago on a similar Reg story.

Granted we can't (easily) go after the botnets. But given that most spam is trying to sell something and they obviously need to tell us who to contact in order to conduct the sale, why the hell can't we go after the advertisers who are obviously "authorising" the spam?

Linux

Where's the list of IP addresses?

Give me a list so that I can check to see if I or a "dear one" are part of the problem. It's probably not me - "linux inside" and all that - but if I recognize an address as near to me, perhaps I can help. Yeah, so there's still lots of dynamic IP addresses on the bigger ISPs. But if an address is from *my* neighborhood, then action can be taken!

Pirate

Answer...

@stottle: Easy, because that would make a fake spam-run a formidable DoS weapon.

Silver badge
Go

@ Harry Stottle

> why the hell can't we go after the advertisers who are obviously

> "authorising" the spam?

I suppose it might be a competitor who is authorising the spamvert on their behalf, in order to make them look bad/damage their reputation.

But I doubt it.

And if they can be proved to have accepted orders then I agree, send 'em down.

Linux

one word

"why the hell can't we go after the advertisers who are obviously "authorising" the spam?"

http://wikipedia.org/wiki/joe-job

Regards,

me

Paris Hilton

Nuke them

Make it legal to remotely destroy the OS on any machine in a botnet. That way if you manage to infiltrate the botnet you can wreck every machine on it.

Once these idiots have had to reinstall everything a few times they might actually start patching their machines and stop clicking on the "naked Paris Hilton" attachments.

Dead Vulture

@AC vigilante

Shutting down a single host is going to have about the same effect on spam volumes as using a flyswatter against a plague of locusts.

Anonymous Coward

@@AC vigilante

If you compromise the botnet you have access to every machine on the botnet and can therefore destroy every OS on every machine on the botnet.

Boffin

Why reverse dns a compromised computer

Part of our anti-spam controls check whether the sending IP address is a server, and the way we do that (amongst others) is seeing if they have a reverse DNS address.

Many ISPs routinely apply xxxxx.dhcp-range.isp-name.com or something similar. That helps our servers think that these are real servers on the other end. Why do ISPs do this and is there any reason why they can't stop this - surely it would help reduce the volume of spam travelling on their networks.

What am I missing here?

Stop

Self-righteous penguins

"Tux, cos penguins don't do spam, tinned or otherwise!"

Tried running p0f (Passive OS Fingerprinting) on your smtp server recently? If so you'll find a fair few obviously compromised Linux systems (usually web servers) pumping out spam too. And no, these are not ISP email smarthosts.

Sure, the numbers are not in the same league as the BillyOS Botnets, but running Linux does not imply you will never become part of the problem.

Anonymous Coward

IP Numbers

The IP numbers would lead to the zombies, not to the control computers. You have some computers that control a large number of compromised computers. The messages emanate from the infected computers, not from the controllers. The IP numbers would lead to those infected computers, which in most cases are innocent victims of the spammers. Trying to block those IP numbers isn't a practical solution.

You *can* go after the advertisers, by making a complaint to the ISP that hosts their site, or to the postal authorities if they give you a postal address. It just requires more effort than most people are willing to invest.

Anonymous Coward

@AC

Naked Paris Hilton? Gimme one. Gimme one!!!!


Only 6? Let's hire some mercenaries

I'm sure there are tens of thousands or even millions of companies and computer users out there that would be happy to donate $5 towards hiring some people to back-track the spam through the ISPs, home-user infected machines, irc channels, infected webservers, etc back to the source and then hire some nasty goons to go after these guys. After a few botnet operators ended up in the hospital, perhaps they would re-think their "career" choices. And send the goons after the scum that are advertising in those SPAM e-mails too.

Flame

Fight botnets with botnets?

How about someone infiltrates the botnets and sends out an anti-virus spam? There are freeware, GOOD anti-virus proggies out there. Obvious, simplistic, and probably impossible...but hey, it might work right?

Linux

Joe Job?

Wait a minute - no one can go after the advertisers because some of them might be getting framed?

Good job the police don't use that logic for every case

How's this?

1) Police go after Advertisers

2) Police use their powers to open up their accounts and investigate unusual transactions - apart from the fact that every company I know hates being audited this may well lead to the spammers

3) Police follow money to spammers and beat over head with wet fish till dead

4) Police similarly go back to advertisers and apply same punishment

5) Everybody rejoices (hurrah!) and Police start again with the next advert

Step 2a) Police find no evidence linking advertiser to suspect activity, apologise and leave

I know this is perhaps slightly simplified (jurisdictions and all) but it's the way it SHOULD be I think

Penguin as in the interests of recycling they can eat the fish after the spammers are dead

Pirate

PSY/OP

Indeed nuking hosts is an interesting and probably effective mid-term solution, if in fact any group is willing to take the heat for such a snafu, considering the action's dubious legality, grey moral and the unstoppable controversy that would ensue.

Of course less than 23% of all zombie hosts would be taken down after months of bloodless fierce cyberwar, and I'm just making up a wildly optimistic statistic. Granted, the issue here is not aiming for obliteration of zombie hosts. The effect would hardly hit the spamnets as I'm sure they would quickly devise new mischievous ways to own new dumb-people boxen. What then?

It's not trying to strangle the spamnets zombie-bit-army but rather it's a war for the mounting psychological effect the nuking would generate. As the less technically oriented lusers begin to have their machines zonked by our "friends" in the hypothetical Spam Liberation Army, having their systems wrecked beyond simple fixes short of reinstallation and their personal data (hopefully) erased a word-of-mouth panic starts to pick up among the social network.

Eventually the outcry and awareness of the troubles grow so strong that major media is simply pressed to cover the "liberation" attacks in the news, furthering FUD and in the end forcing the general public to get informed and patched, finally solving the problem for the *most* part.

I believe our "friends" in the Military/Intelligence Circles call this a PsyOP, while our other "friends" in the corporate war call this a "Strategic Media Plan". Don't you love corporate lingo(bfuscation)? Heh. This is a horrid plan with too much fascist overtones for my taste, I'm not even sure why I'm crafting it, and I'm *certainly not* advocating it.

All I'm saying is yeah, it could work, possibly better than expected.

--Hung Mung

Apostle of the Goddess and Most Venerable Chaoist

Keeper of the Sacred Chao


don't allow the USA to exempt its citizens from international criminal law

Increase the penalties for unauthorized entry into a computer using international criminal law, create a law against financing unauthorized entry into a computer system, and create an international agency to help enforce the law. And then don't allow the USA to exempt its citizens from international criminal law, if they still want to be a part of the internet.

But it won't happen.

What will happen (sooner or later) is some large loss of life tragedy, and then the internet will be re-architected with permanent IP addresses and traceability features.

The internet is financed by all those people and agencies with unpatched and otherwise insecure operating systems (which includes linux and mac os), and leaky applications. I suppose people who don't want to be exposed to these people's computers could create their own network.

Anonymous Coward

To quote another story from today...

I say we take off and nuke the entire site from orbit. It's the only way to be sure. (Ripley - Aliens)

Linux

@IP Addresses

"The IP numbers would lead to the zombies, not to the control computers."

I'm the AC who asked for IP addresses, and it's precisely because it would lead to a zombie. I have friends and relatives who don't "do computers" for a living; they have their redmondware set up for email and surfing. And they are - in spite of my urgings - the most likely to accidentally get p0wnd.

So I would love to see a list, not so I can be a "vigilante", but rather so I can go out and clean up messes where I can do so with the full knowledge and permission of the rightful owner(s).

And if for some reason I see my own IP addy, well, then I'll know to try to clean up my own house.

Anonymous Coward

Why no good worms?

Surely some Whitehat out there can use the same vulnerabilities these worms/trojans use and turn them around to patch the vulnerabilities??

Imagine, all these innocent, and unpatched, computers having their SMTP ports blocked or limited. Spam is almost eliminated overnight.

Come on, who wants to be the global superhero here??!


If you can detect it, block it!

I'm sure I'm missing something here, but if these agencies know the percentage of spam from each botnet, they must be able to identify the botnet that sent each e-mail. If you can identify it, why can't you block it. I know they're detecting at an endpoint, but if they can identify the source, why can't the ISPs?

Lee

Paris Hilton

The vigilantes miss the obvious.

An awful lot of people will take the position, "You nuke my computer and destroy my personal files and I'll sue YOUR f**king ass off. " Or, "I'll have YOU arrested and prosecuted." No damage to the spammer, just to the vigilantes.

Odds are, the self-righteous vigilantes will be a lot easier to find than the bad-guy spammers, too, not having developed the hiding mechanisms these criminals have.

Might want to think of a different tactic.

Paris, because she doesn't think before she acts, either.

Anonymous Coward

Going after advertisers

Going after advertisers has been done. Once at least very effectively. Even so that spammers attacked back heavily. So heavily that the business had to close.

See the Blue Frog case for more - http://en.wikipedia.org/wiki/Blue_Frog .

Thereafter a similar open-source project was set up. But that didn't take off either - http://www.okopipi.org .

Stop

The most simple and eloquent of solutions has to be legislated!

if the laws were changed to FORCE all ISPs to block ALL outbound SMTP *except their own relays* for home networks you would zap about 75% of all traffic/botnet computers. before you scream -- a simple scan for properly run UNIX/RFC-822 and RFC-2822 machines could be allowed out of an ISP. now this does increase to a small extent the ISP having a competent SMTP admin, but it comes at a very small price to stop at SOURCE the issue.

then nuke the remaining 15%.


Tracking down the controllers...

So, if I have a compromised machine (easily done, just connect an unpatched windows machine to the internet and run a few unwisely chosen downloads) which then receives instructions from somewhere to send spam, shouldn't it be relatively easy to see where those instructions are coming from?

I must try this some time...

Anonymous Coward

just had first hand experience ....

A friend administers a few servers, one of which quietly started to silently install some nasties. Thankfully this was discovered early in the day. Part of the problem with getting restitution is the various jurisdictions involved. In this example a spot of research leads back to some pretty unsavoury eastern characters. Not a chance of gaining redress..... All you can really do is restore backups of compromised servers and hope to improve your security to the point that bunches of alleged gangsters don't get access in the first place.

As far as punishing the advertisers go, it rather supposes that the companies concerned are relatively conventional, legitimate corporate entities. Research I performed for my buddy tends to indicate that not one of the spamvertised "companies" was in any way remotely legit.

In this case the exploit was initially via msn of an admin's home PC, this (keylogger) gained the FTP passwords for his hosted servers. Within hours, the servers had been accessed and rooted. The webservers in question attempted to install "java" on client PCs...... except the servers they attempted to do so from were located in ..... well, Eastern Europe shall we say. Where the infection, an iFrame exploit, was successful, the PCs concerned joined some muppet's zombie army...

If this can happen to someone clued up, it can happen to anyone. Default configurations of any O/S should be more secure. Scripts should be prevented from running as default, regardless of the irritation. Given that security is non-trivial, and that average users can have no grasp of it, considering the potential disruption for everyone, not just average home users, users should be protected from themselves. People that should know better should be smarter than to take anything on trust, and know that there is no such thing as being "off duty", they are just as likely to be compromised at home as at work.

I know for a fact one friend, whose PC I have purged of the pox several times before now, has taken the view that he must resort to pirated movies and software, clicking on any old icon in emails etc, et bloody cetera.... I've washed my hands - tired of securing the thing only for my security to be undone by the user. His PC now clocks up downtime like proper secure systems clock up uptime. Whilst I don't believe in the RIAA's aims, a few more high profile legal user reamings might just encourage dumb ass users to believe their friendly geek that these things are bad for their health.

The real enemy ? Complacency. People also need to remember that for f**ks sake...There really is no such thing as something for nothing.

Anonymous Coward

If...

These figures are accurate, then spam originating from bots must be easily identifiable.

If spam originating from bots is easily identifiable, why don't ISPs simply discard it?


@Hany Mustapha

All internet hosts are supposed to have a PTR record. That's mandated in the RFCs (I can't recall which ones off the top of my head, but if you use DNSReport.com against a domain you manage, the PTR test it runs specifies the relevant RFCs).

Now if you want to check that the PTR actually matches the hostname - then the check is more useful.

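The two checks the posts above argue about (does the sending IP have a PTR at all, and does that PTR forward-resolve back to the same IP, i.e. forward-confirmed reverse DNS) are easy to put side by side in code. This is an added example, not anything from the thread or from any anti-spam product; the DNS data is a constructed table of hypothetical names in documentation address ranges, and the "generic pool name" pattern is a heuristic assumed for illustration, so the script runs offline. Swapping the two lookup stubs for real resolver calls would make it usable against a live MTA log.

```python
import re

# Constructed sample DNS data (hypothetical names, documentation IP ranges);
# a real deployment would replace the two lookup functions with resolver calls.
PTR_RECORDS = {
    "203.0.113.25": "mail.example.net",                              # well-run MTA
    "198.51.100.77": "77-100-51-198.dhcp-range.isp-name.example",    # generic ISP pool name
    "192.0.2.9": "mx1.example.org",                                  # PTR exists, forward does not match
    # 192.0.2.200 deliberately has no PTR record at all
}
A_RECORDS = {
    "mail.example.net": ["203.0.113.25"],
    "77-100-51-198.dhcp-range.isp-name.example": ["198.51.100.77"],
    "mx1.example.org": ["192.0.2.10"],                               # not 192.0.2.9
}

# Heuristic (assumed, not from the thread) for auto-generated pool names:
# common ISP keywords, or the IP address itself embedded in the hostname.
GENERIC_PTR = re.compile(
    r"(dhcp|dyn|pool|ppp|dsl|cable)|(\d{1,3}[-.]){3}\d{1,3}", re.IGNORECASE
)


def lookup_ptr(ip):
    """Reverse lookup: return the PTR name for an IP, or None (stubbed)."""
    return PTR_RECORDS.get(ip)


def lookup_a(name):
    """Forward lookup: return the list of A records for a name (stubbed)."""
    return A_RECORDS.get(name, [])


def classify_sender(ip):
    """Classify a connecting SMTP client by its reverse DNS.

    Returns one of:
      "no-ptr"           no reverse record at all
      "fcrdns-mismatch"  PTR exists but does not forward-resolve to the IP
      "generic-ptr"      PTR forward-confirms but looks like an ISP pool name
      "fcrdns-ok"        PTR forward-confirms and looks like a dedicated host
    """
    ptr = lookup_ptr(ip)
    if ptr is None:
        return "no-ptr"
    if ip not in lookup_a(ptr):
        return "fcrdns-mismatch"
    if GENERIC_PTR.search(ptr):
        return "generic-ptr"
    return "fcrdns-ok"


# Weights for a scoring filter: reverse DNS is one signal among several,
# not a verdict on its own (constructed values, tune to taste).
SCORE = {"no-ptr": 3.0, "fcrdns-mismatch": 2.0, "generic-ptr": 1.5, "fcrdns-ok": 0.0}


def rdns_score(ip):
    """Spam score contribution from the sender's reverse DNS alone."""
    return SCORE[classify_sender(ip)]


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.77", "192.0.2.9", "192.0.2.200"):
        print(ip, classify_sender(ip), rdns_score(ip))
```

The point of the score table is the one made later in the thread: a generic PTR on a dynamic range is a hint, not proof, so it should raise a score rather than decide acceptance by itself, while a missing PTR or a PTR that does not forward-confirm is a much stronger signal.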
Pirate

@ first AC "Stating the bloomin' obvious "

"Tux, cos penguins don't do spam, tinned or otherwise!"

While I agree with much of what you said, the above statement is blatantly wrong. OK so maybe they don't spam but they do seem to host an awful lot of phishers. Until it became too much of a problem, I used to track down the phishing 'website' that I received email about and would contact the host. Often the doofus running the system (often for BANKS!) would not have changed a root password - and most often it was a UNIX system. (OK so it was mostly out of China or Eastern Europe - but things as they are.)

Flame

Why, I ask...

...does nobody care about the servers running the *web sites* that the spammers point to? They have access to only a very few bulletproof hosting sites. 90% of those are in the far East or Russia. Let's do a little check, shall we? The last five spams I've gotten:

Kyonggi-do - Seoul - Lg Dacom Corporation

Shanghai - Shanghai - China Mobile Communications Corporation - Shanghai

Istanbul - Istanbul - Sistemnet Telecom International Route Block

Beijing - Beijing - Beijing Zhongdianhuatong Limited Company

Netherlands - Dootall B.v

Kyonggi-do - Seoul - Lg Dacom Corporation

BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

New Jersey - Princeton - Patriot Media And Communications Llc (now that's a weird one)

Jilin - Jilin - Cncgroup Jilin Province Network

Philippines - 18-4058401_muramatsu Enterprise (changed Ip)

China - Zbyd Technology Co. Ltd

Kyonggi-do - Seoul - Lg Dacom Corporation

Istanbul - Istanbul - Sistemnet Telecom Blackholed Ip

Beijing - Beijing - Beijing Pengbo Hengyetechnology Co. Ltd

So, here we have: SK, China, Turkey, China, NL, SK, China, USA, China, Philippines, China, SK, Turkey, China.

14 spams, 6 countries, 9 spams from China or South Korea. Three were hosted by one company - LG Dacom.

The billions of spams all point back to a relatively tiny number of enabling organizations. It appears, though, that nobody has the balls to even discuss this, let alone do something about it - preferring to regurgitate pointless monthly statistics. I suppose it makes sense: this way, the media, the 'anti spam' companies, the ISPs, *and* the spammers all make money at once. And, somehow, three of four get to pretend to be the good guys while doing it.

Paris Hilton

@ Lee

>> If you can detect it, block it!

I have to agree here.

If the various "big" ISPs can see the spam email traversing *their* networks, then why don't they just block it straight away, instead of passing it through without issue.

Likewise most spam is the same content sent to 100's of thousands of recipients....so surely this sort of multiple sending would be easy to flag up very quickly...

So, come on ISPs.....you'll be doing us all a favour if you stop this stuff coming via your systems...

Paris, coz she loves traversing anything in her path !!


@Why I ask

"14 spams, 6 countries, 9 spams from China or South Korea. Three were hosted by one company - LG Dacom."

The vigilantes on here need to understand how the world works!

The powers that be in the likes of China and North Korea just see a tidy revenue stream being made at the expense of "corrupt westerners".

Now although a few countries may think they have a Divine Mandate to invade other countries to impose their will (though you'll notice they're only ever big and macho around the little countries) the rest of us understand the consequences of such behaviour.

The anti-spam companies are doing what they can - providing precise information and stats - the real solution is down to the politicians and trade negotiations etc....

Stop

@David W

The sites they use are legion, and change frequently.

Hundreds of people get their webspace hacked daily, a combination of laxness on the part of the owner and the administrator. When this happens you'll end up with a dodgy subdomain hawking cheap OEM software or viagra which may go unnoticed for months, especially with the domain redirecting DNS shenanigans many of these guys employ these days.

PS, it's not at all clear from the confused numbers in your post that there are a 'relatively tiny number of enabling organisations'. Finding more webspace is NOT a problem for these people.

Stop

To some of the less nuanced - more confused posters...

@ Where's the list of IP addresses:

dShield.org

@Nuke Them:

It's people like you who are responsible for the public's impression of IT experts as calm, objective, well reasoned people - well done, I hope you have to spend the weekend reinstalling your granny's laptop again!

@Hany Mustapha:

ISPs don't do this to help-hurt spam, it's a useful and legitimate feature.. the fact that your spam filters use this as the test of what is a server (and therefore what is kosher or not) only means your spam filters are DEEPLY RETARDED. Start shopping around for something better.

@Lee Mulcahy and Thad

It's not that simple, if it was they'd already be doing it wouldn't they? I guess the way they figure it out is by cross-referencing the torrents of spam they get with what is coming out of honeypots they run. Look at some spam, they are NOT identical, they go to the trouble of salting each one with some random text to make sure they are not identical so even if you catch one, you can't just filter out the rest.

@Sam Penny

That might have just about worked 10 years ago (see Steve Gibson's DoS attack report at grc.com) but it's not that simple these days.. if the bot is not run via IRC (hard to trace) then the machine or site relaying the commands is as likely owned too. These people are tricky - they have thought of this.

Roger Heathcote.


@George Schultz

> OK so maybe they [Linux/Unix] don't spam but they do seem to host an awful lot of phishers.

Well which is it? And who are "they" and what's "an awful lot"? And is the phishing stuff merely coming through a *nix box or is it actually being generated by one? There's a huge difference. I wonder how any of this, if it's actually real, compares to the *thousands* of Windows botnets?

> Often the doofus running the system (often for BANKS!) would not have changed a root password - and most often it was a UNIX system.

Hmm - "often" followed by another two, and all sounding rather like vague meanderings masquerading as fact. Convincing... But this assertion doesn't really make much sense because there is no default root password, and one Unix/Linux installation isn't necessarily anything like another installation. In any case if a system *had* been compromised then the root password would be irrelevant - changed or not.


@Timbo

> So, come on ISP's.....you'll be doing us all a favour if you stop this stuff coming via your systems...

This is rather like expecting the electricity company to do something about crap programs on TV. Just because spam comes via the pipes provided by an ISP doesn't make it something they should take control of - it's your machine, your OS, your inbox - so why not do yourself a favour and take control of it?

Alert

Here

@__"Surely some Whitehat out there can use the same vulnerabilities these worms/trojans use and turn them around to patch the vulnerabilities??"__

No, this is illegal too, and is not feasible. Once the machine is compromised, anything can be installed on the compromised machine - patching the hole is one thing, cleaning the computer is a bigger issue. By your logic, we should proactively go after holes. Windows _should_ patch known vulnerabilities automatically using windows update. Because their 0 hassle auto-update service still isn't used ubiquitously (for a myriad reasons), Microsoft has recently been talking about releasing white worms - a thought that was decades old (and was one of the first computer "viruses").

@__"Now if you want to check that the PTR actually matches the hostname - then the check is more useful.__"

Not necessarily. One IP address can have many hostnames, but will only reverse to one. Therefore, it's not a reverse check that could be somewhat useful (today, to automatically rule out only a little bit of spam) but a forward lookup that would match the sending machine's 'EHLO blah.sendingsomemail.net'. Servers (AOL's, for instance) that expect mail to be coming from the same machine that the sending domain's MX records point to have it wrong and are rather annoying.

The solution: Because there are so many residential clients perpetuating the problem, the responsibility needs to be placed on the ISPs to at least put a dent in the SPAM problem. Many ISPs block _inbound_ connections to port 80 because they don't want their clients hosting their own web servers on their residential networks (traffic on residential rings, marketing services, whatever) but, for some reason, most ISPs don't do anything to control _outbound_ port 25. This is absurd. Almost every bit of spam is coming from there driving the cost of access for each customer up, annoying the global internet community at large, yet ISPs don't take any action.

Net neutrality is an extremely important issue. However, if ISPs started implementing a 'if you send > 100 emails per hour, your outbound port 25 access is blocked' (better yet, they inform you your computer is probably infected and your port 25 access outbound is blocked), we would see a wonderful decrease in spam. This is also MUCH different than the case Comcast is currently fighting. In my opinion, Comcast should not be looking at my traffic, classifying it and then prioritizing it based on what it thinks is best. ISPs merely need a counter ticking up when a client connects outbound on port 25 - nothing is actually looking into the contents of each connection, but just the fact that a connection occurred. Much like walking through a turnstile - something counted the fact that you were there, but nothing knows that it was you.

This is fairly easy to implement for ISPs, yet they choose not to do it. Of course, with such a stellar lack of competition in the ISP market, many of them seemingly hiring incompetent people (Pakistan v. YouTube), and many of them now of the mindset that the service levels they continue to provide are good enough (as long as you can get to the Internet, you're happy and they're happy), we're not likely to see this kind of simple change unless demanded.

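The "turnstile" idea in the post above (count outbound port-25 connections per customer, never look inside them, block and notify past a threshold) is small enough to show end to end. This is an added example and not the poster's or any ISP's code; it reads constructed flow records in a hypothetical `ISO-time src dst dport` text format, uses the thread's figure of 100 connections per hour as the threshold, and the customer notice wording is made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD_PER_HOUR = 100          # the "> 100 per hour" figure from the thread
WINDOW = timedelta(hours=1)


def build_sample_flows():
    """Construct sample flow records, one 'ISO-time src dst dport' per line.

    Hypothetical format and addresses: 198.51.100.10 is a normal customer
    sending a few messages via the ISP relay, 198.51.100.20 behaves like
    a zombie contacting many mail exchangers in a short burst.
    """
    base = datetime(2008, 4, 14, 9, 0, 0)
    lines = []
    for i in range(5):                                  # normal client: 5 sends in an hour
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} 198.51.100.10 203.0.113.5 25")
    for i in range(150):                                # zombie: 150 MX contacts in 20 minutes
        t = base + timedelta(seconds=8 * i)
        lines.append(f"{t.isoformat()} 198.51.100.20 192.0.2.{i % 250 + 1} 25")
    lines.append(f"{base.isoformat()} 198.51.100.20 192.0.2.5 80")  # web traffic, not counted
    return lines


def peak_smtp_rate(lines, window=WINDOW):
    """Return {src: highest number of port-25 connections within any `window`}.

    Only the fact that a connection was opened is counted; no payload,
    addresses or message content is examined.
    """
    per_src = defaultdict(list)
    for line in lines:
        ts, src, _dst, dport = line.split()
        if dport == "25":
            per_src[src].append(datetime.fromisoformat(ts))
    peaks = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):                 # sliding window over sorted times
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[src] = peak
    return peaks


def clients_to_block(lines, threshold=THRESHOLD_PER_HOUR):
    """Sources whose peak hourly port-25 connection count exceeds the threshold."""
    return sorted(s for s, p in peak_smtp_rate(lines).items() if p > threshold)


def notice(src):
    """Customer-facing text for a blocked client (constructed wording)."""
    return (f"Outbound SMTP from {src} has been blocked: more than "
            f"{THRESHOLD_PER_HOUR} mail connections in one hour, which usually "
            f"means the machine is infected. Please clean it and contact support.")


if __name__ == "__main__":
    flows = build_sample_flows()
    print(peak_smtp_rate(flows))
    for src in clients_to_block(flows):
        print(notice(src))
```

A sliding window rather than fixed clock-hour buckets matters here: a burst straddling the top of the hour would otherwise be split into two under-threshold halves. In a real deployment the counter would be fed from the edge router's flow export and the block applied as an ACL on the customer's port, with the relay the customer is meant to use exempted.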

how about ...?

Don't buy from spammers. Nothing would shut down spammers faster than a lack of sales from all their hard work. Should we not be stressing to our more ignorant computer-using brethren that spammers are by definition liars and thieves, and therefore not ideal people to do business with and to trust with credit card numbers?

Yet do we hear anyone promoting a 'don't buy from spammers' message? Could it be that no-one wants to push this idea too hard in case their own - totally legit, real double opt-in I swear guv - marketing messages take collateral damage?

JC

Why we have spam - greed

Why we still have spam is greed - but that the greed is focused on everything else. Sure, spam costs money but not so directly. On the other hand we have multiple organizations trying to protect IP and stop software pirates and MP3 downloading dead grandmothers.

It's about time we quit whining about it and put some real pressure on those allowing it to happen. It is not that difficult to point the finger, like ISPs letting thousands of emails through at a time, like email servers not filtering it reasonably, like ISPs continuing to deliver hidden CC type emails.

Even when it's a compromised system owned by an innocent party, that person should be tracked down and given the choice of being responsible or having some tracking software put on their system so the trail isn't cold, so the next machine in the IP trail, that system's owner is given the same choice of responsibility or tracking software. Obviously it would have to be an international effort but given spammers need perpetual high volume it is not a difficult thing to accomplish in a short period of time when computers are involved.

They can be used as tools for resolving the problem as well as the instruments for causing it. Perhaps making that a standard feature in antivirus engines would be helpful then it reports back to a central database, with the user's consent of course.


FORWARD SPAM......

I usually forward my SPAM to the company doing advertising......they should be boycotted if you ask me. I do this with regular mail as well, if it comes with a return addressed envelope, just load it up with their own crud and send it on back to 'em.....let 'em see how much they enjoy it!


Spam Zombies

The majority of zombies are Windows systems. For some reason the ISP's are unwilling to help stop this. Just check with Gibson's problem with denial of service. There is a simple solution but, cannot be implemented. Since there are only a few active Trojans that are involved in this process the solution is to fix the leak in the Windows Firewall and write a specific Trojan remover and download it as an operating system update. The updates are world wide. Wednesday morning when everybody wakes up the botnets would be dissolved. The reason it cannot be done is Microsoft is not in the business of writing Trojan removers and all of the companies making money for anti-virus and Trojans would protest. The government would become involved just as they did over the Internet Explorer. You can't give away something that others are making money on! People will complain that's slowing down their computer (not realizing that the Trojan is already eating up much more).

Thumb Up

simple solution

simple solution? all residential internet connections have a SMTP block. If you wish to setup a mailserver it's simple, login to your account on your ISP's webpage and click "enable smtp from this account" easy.


@Here

> This [various functionality-limiting proposals] is fairly easy to implement for ISPs, yet they choose not to do it.

The problem exists at the scale it's reached because the "world's most 'popular' OS" is very easily compromised and is very poorly supported. This is not something ISPs should have to deal with, so they don't - and your 'solutions' are typical of those viewing all aspects of a problem as a single nail in that there's only one tool available: a large hammer.

Perhaps it would prove more beneficial to complain to the manufacturer of the OS responsible, *demanding* that they drop the BS & face-saving spin and take responsibility for the mess they've created - and continue to assist with so-called "ease of use" and silly sugar-coated GUIs, all implemented at the expense of effective operation and system security.

Thumb Down

>.<;;;; Why?

So what the hell is the problem?

Why aren't these networks getting banned/blacklisted.

Surely they can be traced..tracked...and eliminated?

Boffin

I actually have an idea...

If I understand it correctly, then the botnet is operated by a master server somewhere. The master server is invisible, and there might be levels of master...y, I guess. But what must be common for all infected machines, is that they must have an open socket, on a presumably random port. And since there are only 6 or so important botnets, it's theoretically possible to blacklist the IPs by trying to connect to the machines 65k sockets and if you get an answer test if it's a botnet socket. ISPs should do this, but anyone can really.

So. You get an email. You see if the host you got the email from is infected. If it's not, proceed as usual.

Plotholes : 65k pings could be expensive but this might be a distributable cost. The botnets might shut off sockets periodically, but I find it unlikely, as it would limit their response times. There *could* be a scanning authority, basically green/red listing as a service, but who'd do it?

Can *this* be done smarter?


@Gleb

> trying to connect to the machines 65k sockets and if you get an answer test if it's a botnet socket.

Connect how? And get an answer to what, exactly - there are plenty of valid things a machine could be doing which require an open socket or two. How would any of this differentiate between 'good' and 'bad' (botnet) machines? How would this work with a machine which is part of a Windows botnet located behind a firewall running on a different OS?

> Can *this* be done smarter?

Yes. Fix the damned OS responsible for making it so easy to create botnets.

Gold badge

Re: just had first hand experience ....

"In this case the exploit was initially via msn of an admins home PC, this (keylogger) gained the FTP passwords for his hosted servers."

I'm curious. Was this a case of running MSN in an administrative account? Or was it all confined to the one user-level account? In the former case, the lesson would be the rather mundane one of "Don't surf with admin privileges." which I suspect that most of the present readership already follow.

However, in the latter case, it would presumably be "Have *two* user-level accounts: one for playing and one for anything remotely sensitive." which even the El Reg readership would regard as unusually cautious.

Stop

Networthiness???

Folk are not permitted to drive on the roads with dangerous/unroadworthy vehicles. Why not do the same for computers connected to the net.

If a computer is identified as compromised by the ISP hosting its connection to the net, then plain and simple it is not permitted to venture out into the wider network.

It is only permitted access to a "repair" network with tightly restricted functionality, or zero access entirely, just a page telling the computer's owner to take it to a repairer when they attempt to run their browser, an email with the same information and functionally similar messages from messaging apps. Unrecognised net apps would simply fail to work.

Having to pony up fifty bucks once twice or a dozen times, depending on cranial density, will eventually get the message across.

@maty. 99% plus of people don't buy spamvertised products. But even if only one in a thousand do, that's a thousand sales from a million messages sent out for an investment of well under a hundred bucks. A decent ROI in anyone's books.

And that's if the product is even remotely legit. If the product they are selling is actually your credit card details...

Anonymous Coward

@Gleb

Nope.

Botnets will not necessarily have a server waiting for connections open on a port. Some connect to an IRC network and join a specific channel. That kind of thing. You can't determine if they're compromised or not just from a port scan.

PS: Also pinging does not work the way you described

