RE: How many backbones here are filtering the makelovenotspam screensaver site?

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]
Sent: Thursday, December 02, 2004 4:14 PM
To: nanog list
Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?

> > > Possibly. What will happen if the Lycos botnet gets hijacked?
> > >
> > > The conversations between the clients and the servers don't appear
> > > to be keyed. If a million clients got owned, it would be the
> > > equivalent of an electronic Bubonic Plague with no antidote.
> >
> > You mean, like the existing botnets we already know exist but are
> > already under the control of spammers?
> >
> > What's the difference? Why is everyone so upset about Lycos and nobody
> > seems to be doing much of anything about the /existing botnets/, which
> > conservative estimates[1] already put at anywhere from 1-3K per botnet
> > to upwards of 1-5M hosts total[2]?
>
> perhaps the difference is 'responsible people' don't go out and recruit
> botnets... Lycos, as a corporate entity with its business model dependent
> upon the health and wellbeing of the Internet would try to be
> 'responsible', or so I would have thought.

I agree. I also think it's up to the companies providing the Internet
connectivity to the non-Lycos-"owned" botnets to prevent such activity
from affecting others.

> arguing that there are murderers and rapists out there and that 'nothing
> is being done' is hardly reason to become one yourself.

I couldn't agree more that vigilantism isn't the answer. My earlier
remarks were directed to the shock and awe evident in the possibility
that - via Lycos - there might be, heaven forbid, /large numbers of
computers under the control of spammers, that could be used in spamming
and abuse/.

Can you direct me toward a singular entity of 1MM bots controlled by
a single master?

All I was pointing out was that, surprise, surprise, there already are.
So why anyone thinks Lycos' botnet being hacked is /any different/ from
/the current situation/ is utterly beyond my ken. Why would any spammer
bother to hack Lycos' botnet? They /already have their own/.

I think you might be behind on what's going on in botland lately.

Can you direct me toward a singular entity of 1MM bots controlled by
a single master?

No, I cannot. I *can*, and have, forward on reports by those more in
the know than I that estimate 100K new bots / day are being added, and
I can certainly point to incidents here which suggest that the problem
is widespread, that the spammers responsible are few, and that many ISPs
continue to refuse to contain the problem. Do the math. 100K / day new
bots, added by a few responsible parties, and it's not hard to see that
over a brief period of time any one of those parties might control over
a million hosts or more.

I think you might be behind on what's going on in botland lately.

By all means, enlighten me. All I see from my limited pov is that bots
are useless if disallowed from sending spam via port 25 outbound, and
that every day sees hundreds if not thousands, of new bots trying to
send spam to my users, which suggests that /nothing is being done to
prevent them from using the available resources/. Convince me otherwise,
please. I'm all ears.

Well, it was a while ago that some Polish guys were openly advertising
their 465K zombie network - I'd be most surprised if it isn't over 1M by
now. And remember that hierarchical design is understood in the black
hat world too. If somebody has 1M bots, it won't be 1M bots in one network,
it will be several hundred subnets of several thousand bots, and some
automated way to signal several hundred control nodes to each fire up
their several thousand bots. So you may already have whacked off a 1%
chunk of that 1M net several times already and not even realized it....

By all means, enlighten me. All I see from my limited pov is that bots
are useless if disallowed from sending spam via port 25 outbound, and
that every day sees hundreds if not thousands, of new bots trying to
send spam to my users, which suggests that /nothing is being done to
prevent them from using the available resources/. Convince me otherwise,
please. I'm all ears.

1. Huge botnets of 25K-200K bots exist, and in vast numbers. They have existed for quite a few years. Only a numbered few are "fighting" them. Some of us have been lecturing on this for years, and being completely ignored.
I am glad I had a small part in making this issue known.

2. Only these past few months is this becoming a "buzz". AV companies finally lowered their efforts on hyping 99% similar worms and started talking about drone armies. Currently estimates per botnet are 1K-20K, usually. 8 years ago these numbers might have been current information.

3. They (the zombie program/malware) change and get replaced very often.

4. Each infected machine is part of several such nets, as once a machine is pwned...

5. Blocking port 25 (under whatever restrictions) will stop current worms and Trojan horses from working (sending spam and themselves). Period. Not trying to be a FUSSP, it's just how they work.

6. They (the zombies) could just as easily send out spam using the user's own credentials and real account. It won't be as useful as just sending out whatever they like.. but with the huge amounts of them out there - I don't see it (port 25 blocking) solving the problem as a whole. It would kill off the current strain of malware, though.

  Gadi Evron.
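Detection logic for the behaviour points 5 and 6 above describe, written here as an added example rather than anything from the thread: it scans constructed flow records for hosts talking TCP/25 directly to many different mail servers, with the ISP's own relay (an assumed address) excepted, since that direct-to-MX traffic is exactly what an outbound port-25 block is meant to stop while leaving ordinary users' mail alone.

```python
"""Added example, not from the NANOG thread: flag hosts whose flow records
look like a spam bot (direct TCP/25 to many remote mail servers, bypassing
the ISP relay). Flow lines, relay address and threshold are constructed."""
from collections import defaultdict

ISP_RELAY = "192.0.2.25"       # assumed address of the ISP's legitimate outbound relay
DISTINCT_MX_THRESHOLD = 20     # assumed: more than 20 distinct port-25 peers looks bot-like

# Constructed flow records, one per line: "src_ip dst_ip dst_port unix_time"
SAMPLE_FLOWS = (
    # bot-like host: direct TCP/25 to 40 different remote mail servers
    [f"198.51.100.7 203.0.113.{i} 25 {1000 + i}" for i in range(1, 41)]
    # ordinary user: every outbound mail goes through the ISP relay
    + [f"198.51.100.8 {ISP_RELAY} 25 {2000 + i}" for i in range(50)]
    # small legitimate mail server: a handful of direct peers
    + [f"198.51.100.9 203.0.113.{i} 25 {3000 + i}" for i in range(1, 4)]
    # unrelated HTTPS traffic, must be ignored
    + [f"198.51.100.10 203.0.113.80 443 {4000 + i}" for i in range(10)]
)


def parse_flow(line):
    """Split one flow record into (src, dst, dst_port, timestamp)."""
    src, dst, port, ts = line.split()
    return src, dst, int(port), int(ts)


def direct_mx_peers(lines, relay=ISP_RELAY):
    """Map each source to the set of non-relay hosts it contacted on TCP/25."""
    peers = defaultdict(set)
    for line in lines:
        src, dst, port, _ = parse_flow(line)
        if port != 25 or dst == relay:
            continue  # relay traffic is what a normal user is supposed to do
        peers[src].add(dst)
    return peers


def find_spam_bots(lines, relay=ISP_RELAY, threshold=DISTINCT_MX_THRESHOLD):
    """Return {src: distinct_mx_count} for sources exceeding the threshold.

    These are the hosts an outbound port-25 block would cut off; the relay
    exception is what keeps ordinary users' mail working."""
    peers = direct_mx_peers(lines, relay)
    return {src: len(d) for src, d in peers.items() if len(d) > threshold}


if __name__ == "__main__":
    for src, n in find_spam_bots(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct mail servers contacted directly on port 25")
```

Lowering the threshold shows the trade-off: small legitimate mail servers start to be flagged too, which is why a relay exception or allow-list belongs next to any port-25 policy.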

Nobody can, except the single master who's in control of same, and
whoever that is -- if there is -- is unlikely to voluntarily share
that information publicly.

That's part of the problem: we know that there are huge numbers of
them. How huge? 10e7 was probably a good estimate early in 2004,
10e8 is starting to look plausible given reported discovery rates.
And the quasi-related problem of spyware/adware is exacerbating it:
it's not like that cruft is exactly fastidious about making sure that
it doesn't open the door to things worse than itself.

We don't know how many there are.

We probably can't know how many there are -- unless they do something
to make themselves noticed, and surely those controlling them are smart
enough to realize this and keep plenty in reserve. We can only know how
many have made themselves visible, and even knowing that's hard.

We don't know who's controlling them: are we up against 10 people or 10,000?

We don't know everything they're doing with them.

We don't know everything they're going to try to do with them.

We don't know where they'll be next: they may move around (thanks to DHCP
and similar), may show up in multiple places (thanks to VPNs) or they
may *really* move around (laptops).

We don't know how many are "server" systems as opposed to end-user systems.

We don't know how to keep more from being created.

We don't have a mechanism for un-zombie'ing the ones that already exist
(other than laboriously going after them one at a time).

We don't have a means to keep them from being re-zombied -- just as soon
as the latest IE-bug-of-the-day hits Bugtraq.

We don't have a viable way of controlling their actions other than
disconnecting them entirely: sure, blocking outbound port 25 connections
stops them from attempting spam delivery directly into mail servers, but
surely nobody is so naive as to think those controlling these botnets
are going to shrug their shoulders and give up when that happens?
There are all kinds of other things they could be doing. *Are doing*.

We don't have a clear understanding of how they're being controlled:
are they quasi-autonomous? centrally directed? via a tree structure?
do they "phone home"? are they operating p2p? all of the above?

And so on.

But we darn well should find out.

---Rsk

Well, it was a while ago that some Polish guys were openly advertising
their 465K zombie network - I'd be most surprised if it isn't over 1M by
now. And remember that hierarchical design is understood in the black
hat world too. If somebody has 1M bots, it won't be 1M bots in one network,
it will be several hundred subnets of several thousand bots, and some
automated way to signal several hundred control nodes to each fire up
their several thousand bots. So you may already have whacked off a 1%
chunk of that 1M net several times already and not even realized it....

These guys are used to being on the run, looking for places to stash their botnets.

IRC networks (which are not scared, and then usually just a few renegade opers and volunteers) are the ones who fight these networks. Hunting them down in different channels.

Girlbots a year ago used an interesting algorithm to generate random channel names according to the date and time.. these guys are not that easy to find.

Then there are the virus reversers and network analysts who reverse the sample or sniff the traffic to see where bots go, and shut that place down.

Controllers/runners just move their bots quickly to a new location, and even if they lost one army.. there are others.

Ever heard of don't put all your eggs in one basket?

Regardless, they can always get new ones... and the people fighting them are in the shadows.. not even supported by their own people in many cases.

IRC servers for example, are very afraid of pissing these kiddies off, so that they won't DDoS them.
How many times have we seen an IRC DDoS taking down the entire ISP?

There are other ways of controlling armies.. but so far IRC has proven to be the easiest in utilization and in moving quickly.

Any other control mechanism would have to answer two main opposing factors.
The easier it is to control them, the easier it is to take them away from you. How do you balance the two, if you are a kiddie?

It's a never ending race.

Think of that in P2P terms, and you will see what I mean.

Exposure vs. ease of control.

Who would go against them when they'd know their ISP would be down the very next day, though?

There is no easy solution... and as long as AV companies treat Trojan horses as "garbage" and/or "not worth detecting", this is definitely not going to change.

Then there is the issue of "open source malware" (not to be confused with the open source community).
Today, any kid can find many code samples of writing their own Trojan horses, not to mention support forums online.

Take for example the huge increase in malware per month, these past few years.

One of the strains started with sdbot.. then ircbot.. then agobot.. then phatbot, rbot, whatever bot, korgobots (argh!) etc.

Thousands of different samples, all related - and for most you can find quite a few versions of their sources online.

It never ends.. I am just glad this is getting some attention now.

  Gadi Evron.

Rich Kulawiec wrote:

> > Can you direct me toward a singular entity of 1MM bots controlled by
> > a single master?

> Nobody can, except the single master who's in control of same, and
> whoever that is -- if there is -- is unlikely to voluntarily share
> that information publicly.

Back in 1997, a luser showed up on IRC in one of the help channels that formed to help users get rid of Trojan horses (after the big return in '96 - not that Trojan horses ever really went away). The guy was a spammer. He owned nekkidchicks dot something.

He studied the works, and disappeared 6 months later. This is a losing battle, a tsunami we are now trying to stop with stones and sticks.

Actually, these kids share them like candy, as a friend of mine likes to say. I doubt there is just one singular master. It's the macro level we see, why not take the macro level into account?

> That's part of the problem: we know that there are huge numbers of
> them. How huge? 10e7 was probably a good estimate early in 2004,
> 10e8 is starting to look plausible given reported discovery rates.
> And the quasi-related problem of spyware/adware is exacerbating it:
> it's not like that cruft is exactly fastidious about making sure that
> it doesn't open the door to things worse than itself.

In most networks, I see about 50% of the traffic being spyware/malware related.. and that's in good cases. But then again, these are only my observations.

> We don't know how many there are.

Does it matter? I believe we can call it an epidemic and move on.

> We probably can't know how many there are -- unless they do something
> to make themselves noticed, and surely those controlling them are smart
> enough to realize this and keep plenty in reserve. We can only know how
> many have made themselves visible, and even knowing that's hard.

I can tell you that 50-90% of the occupants of the different IRC networks are drones. The 5 big IRC networks have between 20K and 150K lusers at any given time. You add the numbers.

> We don't know who's controlling them: are we up against 10 people or 10,000?

Much like with any social structure, it is difficult to say.

Is someone a hacker, a cracker or a kiddie? They still do what they do, regardless of who they are and what their capabilities are.

Kids trade them like candy, spammers use them to spam. Organized crime does what organized crime does. People who want to be anonymous stay anonymous. Gangs get protection money (absurd on the net, if you pay in real life you at least know you won't be attacked, and if you would be by someone else, this gang you paid would protect you - doesn't work online).

Then there are those who just like to feel like God. Go figure.

> We don't know everything they're doing with them.

It doesn't matter. They are there. They can do whatever they want with them. It is an epidemic and it has been growing for years.

> We don't know everything they're going to try to do with them.

See above. Irrelevant.

> We don't know where they'll be next: they may move around (thanks to DHCP
> and similar), may show up in multiple places (thanks to VPNs) or they
> may *really* move around (laptops).

> We don't know how many are "server" systems as opposed to end-user systems.

Depends on the malware discussed. I can give you many examples.

Sometimes there are several types used by one controller/runner, whose entire wish is to (a) recruit new drones, (b) use them to spam/network-scan to recruit new drones, (c) use these to spam for money and (d) have backup.

I have seen similar set-ups on Yahoo! chat and on IM. It is not limited to one media.

On Yahoo! (which basically does nothing about abuse) you can recruit, or more like.. draft.. a 10K net in a couple of days.

> We don't know how to keep more from being created.

People are stupid. I don't have a solution. Maybe not allow this s**t to go through our networks? It is becoming a hazard to their operation.

> We don't have a mechanism for un-zombie'ing the ones that already exist
> (other than laboriously going after them one at a time).

We used to de-zombie them. You can try and "make like a zombie" and see what a controller/runner does, or reverse engineer a sample and see what the passwd and commands are. You can send it out in an IRC channel or remotely connect to all of them.
Some of it is legal, some of it is very shaky, legally.

None of which is a solution.

> We don't have a means to keep them from being re-zombied -- just as soon
> as the latest IE-bug-of-the-day hits Bugtraq.

Or one from last year.. makes no difference. And they do get re-zombied. Users are stupid. And I used to think NOBODY is really stupid.. I was wrong. Stupid in this case may mean "needs to earn a driving license for a computer as he/she is clueless".

> We don't have a viable way of controlling their actions other than
> disconnecting them entirely: sure, blocking outbound port 25 connections
> stops them from attempting spam delivery directly into mail servers, but
> surely nobody is so naive as to think those controlling these botnets
> are going to shrug their shoulders and give up when that happens?
> There are all kinds of other things they could be doing. *Are doing*.

Amen.

> We don't have a clear understanding of how they're being controlled:
> are they quasi-autonomous? centrally directed? via a tree structure?
> do they "phone home"? are they operating p2p? all of the above?

All of the above, P2P is not really viable currently though. Nobody solved the problem of exposure when trying to control the network. IRC has its flaws.. but it works out great for them now.

> And so on.

> But we darn well should find out.

Feel free to email me. This is all I'll say here.

  Gadi.