Search Engine Spider and User Agent Identification Forum

Botnet 'pandemic' threatens internet
Brett_Tabke

Msg#: 3232295 posted 1:45 am on Jan 26, 2007 (gmt 0)

[business.scotsman.com...]

...millions of personal computers threaten the internet's future, experts have warned at the World Economic Forum in Davos.

Up to a quarter of computers on the net may be used by cyber criminals in so-called "botnets", according to Vint Cerf, one of the internet's founders.

Cerf is one of the co-developers of the TCP/IP standard underlying all internet traffic. He likened the spread of botnets to a pandemic.


 

incrediBILL

Msg#: 3232295 posted 1:56 am on Jan 26, 2007 (gmt 0)

This isn't a surprising announcement after we witnessed the scale of brute force attacks used to knock Blue Frog Security offline a year ago. If you remember, they even attacked Tucows which promptly dumped their registration.

I seriously doubt the number of infected machines as they are claiming, but when it's significant enough to hold a registrar hostage, it's bad.

wilderness

Msg#: 3232295 posted 2:05 am on Jan 26, 2007 (gmt 0)

Original PR
[news.bbc.co.uk...]

Nine hours later
[arstechnica.com...]

Your link just a short time earlier.

Mr. Cerf is an employee of Google today.
[google.com...]

And on and on

[google.com...]


maherphil

Msg#: 3232295 posted 4:40 am on Jan 26, 2007 (gmt 0)

When Vint Cerf makes a claim like this peeps listen...or they surely should. Although, I'd like to see some real data from server logs to back up such claims. Let's see the hard evidence before making broad statements about 25% of all traffic being botnets, plus how does one jump to say that this threatens the internets.

wilderness

Msg#: 3232295 posted 4:58 am on Jan 26, 2007 (gmt 0)

I guess if we were capable of dispensing with all the bots and all the spam (including the junk the folks have passed around and forwarded fifty times)?

The internet overhead costs, security and productivity would increase by 50% ;)

incrediBILL

Msg#: 3232295 posted 5:22 am on Jan 26, 2007 (gmt 0)

25% of all traffic being botnets

That's not what he said at all, he said 25% were available to be USED in a botnet.

That doesn't mean they are all active, they get used when they need to bring someone down like Blue Security, then most of it sits quiet the rest of the time.

If you expose your entire botnet, people will get wise and shut it down.

This is what happened to me for a few weeks:
[webmasterworld.com...]

The botnet was in overdrive and too many hit my site, I got about half shut down.

Stealth is best for a botnet and it was obvious I was dealing with amateurs.

jomaxx

Msg#: 3232295 posted 6:41 am on Jan 26, 2007 (gmt 0)

Pretty insane situation. Not surprising, but insane that we should be expected to carry on in a business-as-usual way under these circumstances. Sometimes I think the whole Web should be shut down and everybody be forced to start over, with secure operating systems and secure protocols.

antonaf

Msg#: 3232295 posted 7:02 am on Jan 26, 2007 (gmt 0)

I don't think the claim of 25% of all traffic being botnets is far-fetched. As the internet advances, cyber criminals advance. Most common users are just that...USERS, so if cyber criminals can spread their attacks over a larger network of computers but use fewer processes on each machine then they can potentially be more successful, because they are flying under the radar and undetected. USERS are not going to proactively protect their systems or scan/clean their systems if they do not notice an evident problem, they will operate as normal thinking all is fine while their computer is being used for criminal activities. So it is no surprise that 25% of all traffic would be involved in cyber crimes, because at least 75% of all internet users are non-techs and non-proactive when it concerns computer security.

incrediBILL

Msg#: 3232295 posted 7:38 am on Jan 26, 2007 (gmt 0)

USERS are not going to proactively protect their systems or scan/clean their systems if they do not notice an evident problem

Most PCs come with anti-virus installed, or they get it free from their ISP, and the AV tools scan the systems automatically while you sleep, the end user doesn't have to get involved except to pay to keep licensed annually.

Therefore, I find it hard to believe these numbers unless the AV tools are fundamentally flawed and not detecting the problems in the first place.

Leosghost

Msg#: 3232295 posted 8:30 am on Jan 26, 2007 (gmt 0)

I find it hard to believe these numbers unless the AV tools are fundamentally flawed and not detecting the problems in the first place.

The ones most often shipped ready installed in new machines ..such as Norton , Panda , McAfee etc in their non pro forms are such awful inept pieces of junk that many users immediately stupidly go for cracked versions of the "pro suites" ..these have the worst protection of their own codes ..and so are very rapidly dissed and exchanged via torrents ..and of course the exchanged varieties are carrying the payloads ..

and most of the cracked apps that are also exchanged via P2P are adapted to not trigger the most used AV programs when they are installed ..

I don't think that I've ever seen ( apart from mine ..and new ones at major dealers and chain stores ) any machines in this country France..that are not running apps that the owners have got from an ami ..or téléchargé ..even when you clean them of the virii the loggers the trojans the dialers and the slumbering bots ..and explain about emule and kazza etc and remove them ..you just know the next time you see that desktop the emule icon will be back there ..

and most computer repair guys here will install cracked XP pro or media for 50.00 euros ( complete with stuff that the guy doesn't know is in the ISO he burned from a torrent ) .."gold XP" is all over the place ..and has some lovely wildlife built in waiting for the first connection ..

mainstream preinstalled AV's are junk ..and people are greedy and stupid ..and DSL made it all so much worse ..
then again the software manufacturers don't help ..the exploit that was found last year to be affecting win 2000 ..the MS official patches wouldn't install on any French language operating systems of win 2000 ..and the French MS site directed you to the English patches ..that wouldn't work .."not compatible with the language version of your OS" was all you got ..so most business 2000 users called the guy in with the cracked XP pro ..
their systems worked again ..and the fact that they are bot dormitories doesn't worry the owners ..most of them figure it's one back at MS for not having supplied them with a working patch ..for the 2000 OS they originally paid for ..

its like driving ..most people won't drive slow or drive without using the phone ..unless it's their kid playing in the street they are driving down ..

Green_Grass

Msg#: 3232295 posted 8:43 am on Jan 26, 2007 (gmt 0)

Yes.. In countries like India and China, we may have hundreds of thousands of machines running on 'pirated' softwares..

These 'pirated' softwares are most definitely compromised...

koan

Msg#: 3232295 posted 10:13 am on Jan 26, 2007 (gmt 0)

What I don't get is why ISPs still let their port 25 open to your average user. That's how zombie computers get used to relay or send spam. It should by default be closed unless someone makes a special request.

Now that wouldn't solve the problem of computers being used in DoS attacks, like the one that put the antispam company BlueFrog to their knees (definitely), but it would be a great start.

Spammers and cyber criminals are becoming more of a threat than your local mob.

rj87uk

Msg#: 3232295 posted 10:19 am on Jan 26, 2007 (gmt 0)

There must be measures / ways and solutions to solve this type of problem; the technical gurus need to get on their thinking caps.

Microsoft need to get their act together as well; most computers run Windows so I would think there must be technical solutions in the OS itself.

It's a hard one.

cmendla

Msg#: 3232295 posted 11:56 am on Jan 26, 2007 (gmt 0)

A great book on this topic is Cliff Stoll's "The Cuckoo's Egg". A lot of what he described 15 years ago is still happening.

For example, I just picked up a new client. Their win 2003 server's antivirus package had expired 6 months ago. They only had ONE update applied to the OS.

I still need to run the MS Baseline Security Analyzer, which will undoubtedly result in a laundry list of fixes that still need to be applied.

Things are getting a little better. However, I think that the biggest problem is home users with kids doing downloads. A lot of machines I run into are more infested than a $10 hotel room. You can clean the machines up and warn the parents but the kiddies go and download and reinfect the machines. The parents get tired of paying to clean the mess up and live with any slowness. The result is that one more machine is a zombie.

cg.

maherphil

Msg#: 3232295 posted 3:48 pm on Jan 26, 2007 (gmt 0)

he said 25% were available to be USED in a botnet.

Ah, I see. Thanks for the clarification Bill, this makes sense now.

So what can be done? It seems like all the botnets have one thing in common: they all need to ping a site through a connection to the internet. Is there monitoring software that would watch for these pings, and then send that data off to a Spamhaus-like repository to analyze the aggregate data and then zap the bot code installed on my local machine?

You botnet masters are prolly roflyao at my obvious noobness in this subject and over simplification, lol. But seriously, how can 'Johnny Noob' detect if his computer is making unauthorized internets requests?

Leosghost

Msg#: 3232295 posted 4:14 pm on Jan 26, 2007 (gmt 0)

By sniffing for outgoing packets ..from things not authorised to make calls or connections.

rj87uk

Msg#: 3232295 posted 4:19 pm on Jan 26, 2007 (gmt 0)

I'm sure Jonny Noob wouldn't know how to do that Leosghost, I don't...

Maybe that is part of the solution, educate people on how to test their computers / learn more about it.

So how does one "Sniff" outgoing packets?

wilderness

Msg#: 3232295 posted 4:24 pm on Jan 26, 2007 (gmt 0)

So how does one "Sniff" outgoing packets?

[google.com...]

Some interesting reading also at
[google.com...]

incrediBILL

Msg#: 3232295 posted 7:19 pm on Jan 26, 2007 (gmt 0)

You botnet masters

Hardly, I'm still in training when it comes to botnets ;)

Most of them that I've encountered seem to use the standard IRC ports to communicate so blocking IRC in the router network-wide would seem to be a reasonable precaution to stop the simple ones from communicating. You may still end up infected, but they won't be able to talk to your box unless they pick some random port.

ronburk

Msg#: 3232295 posted 8:43 pm on Jan 26, 2007 (gmt 0)

What I don't get is why ISPs still let their port 25 open to your average user.

Lack of egress filtering has indeed been a shameful practice of ISPs in the past, but somewhat less so today.

However, it only requires a small adaptation for the infecting software to locate and use whatever SMTP server the infected machine is configured to talk to. Indeed, I see this kind of spam (sent via a clearly legitimate, not open-relay ISP MTA) increasingly often these days.

2007 will be the year that will finally begin to see rumblings of industry-wide efforts to disinfect zombie armies. It's going to eventually dawn on folks that for perhaps $50,000 worth of rented botnet time, you can essentially shut down the Internet in the U.S.

For perhaps $5,000 worth of rented botnet time, you could expose how completely vulnerable AdSense/AdWords is to botnet-based click fraud. Presumably, one would do this after selling Google stock short.
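The thread raises three network-side checks a defender can run without a full packet sniffer: koan's point that workstations normally have no business speaking SMTP on port 25, incrediBILL's observation that simple bots talk over the standard IRC ports, and ronburk's caveat that a bot may relay through the ISP's legitimate MTA, so port blocking alone misses it (a burst of SMTP sessions from one host is the tell). The script below is an added example, not code from the thread or from any poster; it applies all three checks to a constructed flow log, and the LAN prefix, mail-server address and burst threshold are assumptions for the sample.

```python
"""Triage outbound flows from a home/office LAN for botnet-style chatter.

Added example, not from the forum thread. Flow records are constructed
sample data in (src_ip, dst_ip, dst_port, proto) form, the shape you would
get from a router connection table or a netstat/flow export.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, proto)

IRC_PORTS = set(range(6660, 6670)) | {7000}   # standard IRC ports used by simple bots
LAN_PREFIX = "192.168.1."                      # assumption: the local network
MAIL_SERVER = "192.168.1.5"                    # assumption: the only host allowed SMTP
SMTP_BURST_THRESHOLD = 20                      # assumption: SMTP sessions per host

# Constructed sample log (not real traffic).
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.1.10", "203.0.113.7", 80, "tcp"),      # ordinary web traffic
    ("192.168.1.10", "198.51.100.3", 6667, "tcp"),   # IRC to an outside host
    ("192.168.1.10", "192.168.1.5", 25, "tcp"),      # internal mail submission, fine
    ("192.168.1.5", "203.0.113.25", 25, "tcp"),      # the mail server relaying out
    ("192.168.1.22", "203.0.113.25", 25, "tcp"),     # a workstation talking SMTP
] + [("192.168.1.30", "203.0.113.25", 25, "tcp")] * 25  # one host, 25 SMTP sessions to the ISP MTA


def outbound(flows: List[Flow]) -> List[Flow]:
    """Keep only LAN -> Internet flows; LAN-internal chatter is ignored."""
    return [f for f in flows
            if f[0].startswith(LAN_PREFIX) and not f[1].startswith(LAN_PREFIX)]


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Return {lan_host: sorted reasons} for every host that deserves a look."""
    findings = defaultdict(set)
    smtp_per_host = Counter()
    for src, dst, dport, proto in outbound(flows):
        if proto != "tcp":
            continue
        if dport in IRC_PORTS:
            findings[src].add("irc:%s:%d" % (dst, dport))
        if dport == 25:
            smtp_per_host[src] += 1
            if src != MAIL_SERVER:
                findings[src].add("smtp-from-non-mail-host")
    # Volume check catches a bot relaying through the legitimate ISP MTA.
    for host, n in smtp_per_host.items():
        if n > SMTP_BURST_THRESHOLD:
            findings[host].add("smtp-burst:%d" % n)
    return {h: sorted(r) for h, r in findings.items()}


if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, ", ".join(reasons))
```

A host that trips the burst check while pointing at the ISP's own mail server is exactly the case where egress filtering on port 25 would have changed nothing.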

ronburk

Msg#: 3232295 posted 8:47 pm on Jan 26, 2007 (gmt 0)

then zap the bot code installed on my local machine?

That would be illegal in this country and many others. If/when a large scale zombie cleanup effort begins, ISPs will have to provide the leverage by threatening termination of access for infected customers who won't either cleanup or grant permission to be forcibly cleaned up.

incrediBILL

Msg#: 3232295 posted 9:44 pm on Jan 26, 2007 (gmt 0)

So how does one "Sniff" outgoing packets?

If you want a layman's or poor man's packet sniffer, assuming you have a router, such as a wireless router, just close every application on every PC on your network and then check to see if you still have chatter on the router.

You can login to the router and see how many packets are moving.

For instance, I have several wireless machines and one direct wired LAN connection, so when I check the stats the wireless traffic is ZERO at this point; they appear to be clean. When I hit refresh to update the router information from the desktop machine, it takes an average of about 8-10 packets to refresh the display.

If I see any other significant packet traffic at this point, I know there's possibly an active botnet communicating with something. Just make sure you have all other applications disabled, such as email notification, AdSense pings, etc. before you tear your machine apart looking for malware.

wilderness

Msg#: 3232295 posted 9:47 pm on Jan 26, 2007 (gmt 0)

If/when a large scale zombie cleanup effort begins, ISPs will have to provide the leverage by threatening termination of access for infected customers who won't either cleanup or grant permission to be forcibly cleaned up.

Fat chance that'll happen!

Providers have always had the "policies" to enforce AUP/UAG and they haven't exactly been going out of their way.

incrediBILL

Msg#: 3232295 posted 10:58 pm on Jan 26, 2007 (gmt 0)

Fat chance that'll happen!

Providers have always had the "policies" to enforce AUP/UAG and they haven't exactly been going out of their way.

When the problem grows to the point that it threatens their business, and people block access to many of their customers from various networks because of the problems, it will boil over and action will be taken.

I think we're within 24 months of seeing it boil over as it appears to be simmering already.

wilderness

Msg#: 3232295 posted 11:05 pm on Jan 26, 2007 (gmt 0)

I think we're within 24 months of seeing it boil over as it appears to be simmering already.

Sure hope you're right Bill, however I'd hate to have to hold my breath for any length of time after 1/26/2009 waiting for it to happen ;)

Don

volatilegx

Msg#: 3232295 posted 11:24 pm on Jan 26, 2007 (gmt 0)

So how does one "Sniff" outgoing packets?

I use an application called "Ethereal [ethereal.com]" for this, which is a "network protocol analyzer". Ethereal is free software. Unfortunately, the "geek factor" of Ethereal is very high ;)

gregbo

Msg#: 3232295 posted 11:44 pm on Jan 28, 2007 (gmt 0)

Most PCs come with anti-virus installed, or they get it free from their ISP, and the AV tools scan the systems automatically while you sleep, the end user doesn't have to get involved except to pay to keep licensed annually.

Therefore, I find it hard to believe these numbers unless the AV tools are fundamentally flawed and not detecting the problems in the first place.

Some people never enable the AV systems, or are duped into opening phishing emails and their PCs are compromised.

gregbo

Msg#: 3232295 posted 11:48 pm on Jan 28, 2007 (gmt 0)

There must be measures / ways and solutions to solve this type of problem; the technical gurus need to get on their thinking caps.

Microsoft need to get their act together as well; most computers run Windows so I would think there must be technical solutions in the OS itself.

Don't hold your breath. It's a consequence of the openness of the Internet architecture. The very things that enable people to innovate with new web clients, servers, email software, etc. also allow botnets, click fraud, scrapers, etc.

surfin2u

Msg#: 3232295 posted 5:49 pm on Jan 31, 2007 (gmt 0)

I recently registered a domain that I am thinking about using as a place to send bad guys to. The site would have a link to a list of all of the site's recent visitors (ip address, agent), as a service to the rest of us. I haven't gotten around to implementing my idea yet. I wonder if it might help to solve the problem?

Matt Probert

Msg#: 3232295 posted 7:04 pm on Jan 31, 2007 (gmt 0)

I find it hard to believe these numbers unless the AV tools are fundamentally flawed and not detecting the problems in the first place.

I think we know each other from elsewhere, Bill? In which case you know what I'm going to say.

AV software is more than just fundamentally flawed, many AV companies have, historically, actively participated and encouraged the production and distribution of viruses for their own financial ends.

Most effective is switching off your PC when not in use, and keeping an eye on strange activity when you are using it. Don't rely on unreliable third-party software and think you're safe.

Matt
