Eavesdropping on a Botnet 185

Posted by ScuttleMonkey
from the like-a-soap-opera-for-geeks dept.
wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'"

  • I would imagine this applies only to the BORG boxes out there... So if you are running Solaris on SPARC, are you safe from these bots?

    -r

    • Re: (Score:3, Insightful)

      by arivanov (12034)
      Flamebait, but I will take it.

      The first time I saw stealth kernel-mode rootkits in the wild for Linux and Solaris was Dec 1996. That is nearly 10 years ago. As a matter of fact, in this area Linux and Solaris were first and Windows did not really follow until 2K became commonplace in the home. From there on the malware writers came back and hacked 98 and Me.

      So your optimism regarding SloWarez is misplaced and misguided.
  • by Anonymous Coward on Saturday August 19, 2006 @05:11PM (#15941795)
    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system." ...or to run a live-CD version of some OS where all you need to do is reboot
    options abound Linux, BSD, Windo... oh, forget about that last one
    • by JamesTRexx (675890) <m.nystrom@m b i t z . nl> on Saturday August 19, 2006 @05:22PM (#15941826) Homepage Journal
      Sort of like my first reaction, "The only way to be sure is to run something that is not Windows".

      Until someone creates something that can infect the various *nixes that is.
      • by Anonymous Coward on Saturday August 19, 2006 @05:31PM (#15941865)
        "Until someone creates something that can infect the various *nixes that is."

        That's impossible. How do I know? Just "Ask Slashdot".
      • by Nested (981630) on Saturday August 19, 2006 @05:35PM (#15941882)
        Until someone creates something that can infect the various *nixes that is. Or an asteroid destroys Earth.
      • by Nutria (679911) on Saturday August 19, 2006 @07:07PM (#15942131)
        Until someone creates something that can infect the various *nixes that is.

        It's called a rootkit. They've been around for years.

        Find a *ix server that's running a vulnerable process listening on an exposed port (DNS, ssh, ftp, http, pop, imap, smtp, whatever). Root that box and install your malware.

        Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted.

        Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.

        • by twitter (104583) on Saturday August 19, 2006 @07:50PM (#15942225) Homepage Journal

          ... because that's where the money is.

          You write about root kits and declare:

          Just by the virtue of the large number of x86 Linux servers exposed to the Intarweb, there must be thousands of systems just waiting to be rooted. Fortunately for "us", there are millions of exposed Windows client PCs running as Administrator, begging to be owned.

          As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.

          On the desktop there's another crucial difference, the ease of recovery. In the Windoze world, you pull out your ancient "original" CD and put the same broken crap right back on your machine. It wipes out all your documents and settings so you suffer a loss for no gain. Then you are rooted again in about 12 minutes after hooking up to a network. In the free world, you do a net install and get the latest and greatest of everything, without losing anything at all. A few extra steps can make sure the root kit is not in your home directory. The easiest is to chmod the files in your home directory to no execute. In the very worst case you can chmod and then tar up the documents you worry about and start fresh with your settings, like in the windoze world but much easier.

          • by Nutria (679911) on Saturday August 19, 2006 @08:48PM (#15942369)
            Just by the virtue of the large number of x86 Linux servers exposed ... there must be thousands of systems

            As if the only difference was numbers. The other difference, or so claim the FUDsters, is that "Linux is for servers." You know, like banks and businesses that handle real money. Given the profile and importance of those targets, you would think they would be hit all the time and that we would hear about it as we hear of IIS exploits. For some reason we don't hear anything, despite the very open nature of the people running the software. It would seem that there's more at work than numbers here.


            Re-read my post, and then think.

            Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable thru SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.

            (I say servers because Linux desktops tend not to expose services to the Internet.)

            • Re: (Score:2, Interesting)

              by twitter (104583)

              An oversized rat tells me to think, and offers a lesson in proportions and exponents:

              Re-read my post, and then think. Some Linux servers will be vulnerable. Even if only 0.1% of Linux systems are vulnerable thru SysAdmin neglect or unfixed bugs, if there are 10^6 systems there will be 1000 vulnerable systems.

              So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator? Help me out Nutria, what are you trying to tell me?

              • Re: (Score:3, Insightful)

                by Nutria (679911)
                So what? You want to replace that with systems that are ALL vulnerable to multiple attacks regardless of the competence of the administrator?

                What gives you that idea?

                Because I recognize that Linux distros are not perfect, not all SysAdmins are up to snuff, and not all security bugs in all *ix apps have been discovered and patched, you think I am a Windows fanboi?

                • by twitter (104583)

                  I'll take that as a "no" response. You obviously think that free software is a superior alternative. Thanks!

            • by Anonymous Coward on Saturday August 19, 2006 @11:11PM (#15942746)
              What do you think the C&C machines are running?

              Linux servers, especially colocated ones, tend to have a much higher uptime; in addition, the ircds and other servers they run tend to run best (or only) on Linux. A Linux shell box is a lot more useful to a blackhat than a Windows drone. This makes them individually more attractive targets.

              Imagine you're a blackhat. So what you're after, for a C&C server, is someone else's poorly-maintained Linux box; the one that the admin thinks is impenetrable, because it runs Linux, and so hasn't updated it or even looked at it in ages. It's going to have a high uptime, because it almost never reboots because the guy never installs a new kernel on it. You can probably spy out the uptime quietly in advance via the usual trickery, because some admin thought Linux boxes don't need firewalls. And you're most likely going to get in through a PHP hole (application or language, it doesn't matter when the language and common software is that poorly designed) or if it's really out of date an Apache or MySQL hole - because it's probably an almost-never-used webserver.

              And then you're going to install a rootkit - think l10n, only more so (there are actually some seriously hardcore Linux rootkits that blow pretty much all of the public rootkits for Windows out of the water when it comes to stealth; and this is why) - and then you're going to patch it, so no-one else roots your new 0wned C&C box, because nothing sucks more than some other blackhat stealing your botnet.

              Next thing you know, bam, the thing's running a modified hybrid-ircd or something, and is one of the magic servers you encoded in your trojan to which the Windows drones are connecting back, or one of the webservers they are getting the spam proxy or spyware installer from; and thus you, the blackhat, earning nice fat sums of cash on the back of one or two Linux servers and a few hundred or thousand random Windows machines.

              So, don't discount the threat. All operating systems need patching and good security practice to run safely.

              And 0.1% seems like a low estimate; remember Linux distributions, especially server-oriented ones, tend not to have an automatic update feature (with good reason, to a point), so they do require manual intervention to patch. With appropriate care and feeding they are of course not just fine, but can be really quite secure; but neglected, it's a whole different story. Think closer to 2-3% as being a potential problem, and almost 5% in some (LAMP) brackets.
              • by Nutria (679911) on Saturday August 19, 2006 @11:47PM (#15942842)
                someone else's poorly-maintained Linux box; the one that the admin thinks is impenetrable, because it runs Linux, and so hasn't updated it or even looked at it in ages.

                Sacrilege! Sacrilege, you Windows fanboi!!!! How dare you criticize the Holy Penguin!!!!!!!!!!

              • What do you think the C&C machines are running?

                This is a good point and a lot of the IRC channels are running on rooted Linux boxes. What I find interesting is how the botherder community knowledge limits what they do. Linux desktops are not protected only by the fact that they are rare, but also by the fact that a lot of these people have no idea what they are doing beyond the tried and true tools. The community has the knowledge to root Linux servers and Windows servers, but aside from that they re

              • by dougmc (70836)

                the ircds and other servers they run tend to run best (or only) on Linux

                It's been a while (around ten years?), but back when I ran a few (legitimate) IRC servers, I found that in general ircd on FreeBSD worked much better on the same hardware than Linux did, being able to handle roughly twice as many users and crashing (sometimes the entire box) far less often while doing so. ircd is pretty hard on your networking stack when you have hundreds (back then -- now servers do thousands) of simultaneous user

        • Re: (Score:2, Insightful)

          by linuxwood (106113)
          You do not need a rootkit to turn a linux box into a spam-bot... All it takes is one bad cgi/php page in a Web Hosting environment (100+ virtual sites) for a perl spam proxy to get launched from tmp on an unprotected port. Matt Wright has kept all the bad web developers in the business of poor web code for years.

          I cannot tell you how many bad contact me web pages exist on the Internet with many of the worst being on Linux et al. Things like mod_security and PHP safe mode only mitigate certain cases. It's a
      • Not really... a spammer once got inside my linux box at work through an Apache exploit (which, afaik, wasn't even available to outside IPs ... though not properly firewalled, I'll grant you that).

        Anyway, the thing is, the guy used a script-kiddie package to take control of the server and spam... the first signal when I came into the office next morning was the server severely thrashing around, but not because of the spamming but because (as I later found out through google) every copy available of the pack
    • Re: (Score:3, Interesting)

      by marcello_dl (667940)
      How come a security guy doesn't mention live CDs? I seem to recall somebody did a live Windows CD. Personally I'd go for a free live distro, I'd boot from it and download clam or similar stuff to scan the HD. Unless the guy meant there could always be a rootkit not detectable by a current anti virus. But, this level of paranoia should make you reinstall your OS every time you use your PC... and never install closed stuff like windows, anyway.
      • Windows LiveCD (Score:3, Interesting)

        by Coopjust (872796)
        The Windows live CD you are thinking about is BartPE [nu2.nu], but it's not as easy to use or setup as a Linux LiveCD.

        I did set up one myself. It works pretty well once setup.
        • Re: (Score:2, Informative)

          by Anonymous Coward
          Actually, I think the one you are thinking of is Ultimate Boot CD for Windows http://www.ubcd4win.com/ [ubcd4win.com] which is a very functional live cd. Also has numerous other tools that make cleaning an infected system, creating admin accounts, and other cool maintenance a breeze.
          • Re: (Score:2, Informative)

            by poolmeister (872753)
            UBCD for Windows is just a collection of Bart's PE plugins to help you build your own Windows Live CD from Bart's PE and your Windows disk. Even then it's only really a maintenance CD; you wouldn't want to use it as a Live boot OS. I've tried it on many PCs in the past and I've never been able to get networking going once.
            Windows is inherently a bad choice for a live boot OS because of the messy issue of having as many 3rd party drivers as possible loaded into the image.

            Linux distros are now miles ahead of
      • Re: (Score:3, Insightful)

        by httptech (5553)
        The actual quote in my analysis [lurhq.com] is "unless you are a malware expert..."

        Running a liveCD with a rootkit scanner and an antivirus isn't going to cut it - you have to have the knowledge to know what to go after - you'd be surprised at how much malware doesn't get detected by scanners even months after its been released.

        Although I might use liveCDs myself to do malware recovery, average users are going to be in over their heads. So I didn't mention it.

        -Joe
    • There should also be a mandatory rule about not using Windows XP without a firewall and virus protection. It's a useless operating system.
    • I realized that BartPE could be a handy tool for cleaning up stuff. If nothing from the hard drive is in memory when Bart is running, it can't stop tools running under Bart from cleaning the crud out.

      I also realized that with the many plug-ins that Bart has, you could make a fairly usable static system with it. It gets infected? Reboot. It gets questionable? Reboot.
  • by Anonymous Coward on Saturday August 19, 2006 @05:13PM (#15941800)
    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

    Trusted Computing to the rescue!
    • by l33t gambler (739436) on Saturday August 19, 2006 @05:32PM (#15941868) Homepage
      Trusted Computing to the rescue!

      Absolutely! Trusted Computing is made to protect consumers from potential threats, but will it let consumers decide what is trustworthy? I recently discovered I had a UAService7.exe running in my Task Manager. After a search I found it is a SecuROM service, and lo and behold there's a service with that name in Services.

      I can't remember being asked by a game or application to install such a service, and I don't know how to remove it as there's no reference to it in either Start Menu or Add/Remove Programs.

      http://jooh.no/root/torrents/trusted-computing.torrent [jooh.no]
      • by The MAZZTer (911996) <megazzt@@@gmail...com> on Saturday August 19, 2006 @06:08PM (#15941990) Homepage

        Some games use it for CD verification. If you tamper with it (i.e. remove it) the game will likely fail its CD check and no longer run.

        I have a game that uses it, you probably agree to it in the EULA somewhere. I forget which game it was...

        Oh and I can't help but notice, as others have before me, that software pirates are not encumbered by these restrictions and bloatware, while legitimate customers are forced to use it.

        • by mrbcs (737902) on Saturday August 19, 2006 @06:10PM (#15941999)
          Every game I buy, before installation, I go to gamecopyworld.com and get the no-cd patch. I friggin HATE putting the cd in every stinkin time I want to play a game.
        • Just a thought... With Windows security being what it is, how long will it be before a malware author or spamhouse coder get their stuff installed as trusted code. Then things really will be hard to remove.

          Second thought. This could be a good thing. After a while of malware being "trusted" will people and companies abandon the TCP program? I am not a big fan of the TCP concept and this outcome could be the answer to getting rid of it. Or not.


      • by PSC (107496)
        Trusted Computing is made to protect consumers from potential threats

        At least that's what they're selling us. Frankly, I have serious doubts about their motives. Probably the same doubts you seem to have:

        but will it let consumers decide what is trustworthy?

        Cynical question: Why should they? The average consumer has no idea whether a particular piece of software is trustworthy - they click "yes" in every dialog. Heck, they even click on phishing links. So when the TC chain detects a new service to be in
    • Indeed ... I trust it to be subverted at the earliest opportunity.
  • Next opportunity (Score:5, Interesting)

    by QuantumFTL (197300) * <`moc.liamg' `ta' `kciw.nitsuj'> on Saturday August 19, 2006 @05:15PM (#15941809)
    Perhaps the next opportunity for profit in this game is to hack other people's botnets to bend to your own purposes? Probably a lot less risky than hacking thousands of potentially litigious members of the public. Secure encryption would stop most of this, however the master endpoint computer would still have some vulnerability.
  • PC Clinic (Score:5, Informative)

    by Short Circuit (52384) * <mikemol@gmail.com> on Saturday August 19, 2006 @05:17PM (#15941812) Homepage Journal
    At my computer club's PC Clinic [grc4.org], I set up Ethereal on our network gateway computer, to keep track of things. You can easily see this kind of crap going on.
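    The kind of thing that stands out on a gateway capture, as an added example (not code from the thread, from the PC Clinic, or from Ethereal): many unrelated inside hosts meeting at one outside host:port, and each of them coming back on a fixed timer. The script assumes connections have already been summarised into one line each with the fields "timestamp src dst dport bytes"; SAMPLE_LOG is constructed for the demo and the IRC port list is an assumed hint, not a rule.

```python
"""Spotting botnet rendezvous points in gateway connection logs.

Added example in Python; it is not code from the thread, the PC Clinic or
Ethereal. It assumes a one-line-per-connection log with the fields
"timestamp src dst dport bytes" (a summary you would produce from a
capture or flow export); SAMPLE_LOG below is constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime

# Ports where IRC-based command and control was commonly seen. An assumed
# list, and only a hint: a herder can run an ircd on any port.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Constructed sample: five inside hosts contact one outside host on 6667,
# two of them come back every five minutes; the rest is ordinary web use.
SAMPLE_LOG = """\
2006-08-19T17:00:01 10.0.0.11 203.0.113.5 6667 120
2006-08-19T17:00:02 10.0.0.12 203.0.113.5 6667 118
2006-08-19T17:00:02 10.0.0.13 203.0.113.5 6667 121
2006-08-19T17:00:03 10.0.0.14 203.0.113.5 6667 119
2006-08-19T17:00:04 10.0.0.15 203.0.113.5 6667 122
2006-08-19T17:00:05 10.0.0.11 198.51.100.7 80 5120
2006-08-19T17:00:06 10.0.0.12 198.51.100.7 80 4870
2006-08-19T17:00:07 10.0.0.20 198.51.100.9 443 9001
2006-08-19T17:05:01 10.0.0.11 203.0.113.5 6667 120
2006-08-19T17:05:02 10.0.0.12 203.0.113.5 6667 118
2006-08-19T17:10:01 10.0.0.11 203.0.113.5 6667 120
2006-08-19T17:10:02 10.0.0.12 203.0.113.5 6667 118
"""


def parse(log_text):
    """Turn log lines into (timestamp, src, dst, dport, bytes) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return records


def fan_in(records, internal_prefix="10."):
    """Map each outside (dst, dport) to the set of distinct inside clients using it."""
    clients = defaultdict(set)
    for _ts, src, dst, dport, _n in records:
        if src.startswith(internal_prefix):
            clients[(dst, dport)].add(src)
    return clients


def candidate_c2(records, min_clients=3, internal_prefix="10."):
    """Outside endpoints that many inside hosts share, most suspicious first.

    Many unrelated desktops meeting at the same host:port is the shape of a
    C&C rendezvous; an IRC port raises it to the top of the list.
    """
    hits = []
    for (dst, dport), srcs in fan_in(records, internal_prefix).items():
        if len(srcs) >= min_clients:
            hits.append((dport in IRC_PORTS, len(srcs), dst, dport))
    hits.sort(reverse=True)
    return [(dst, dport, n) for _irc, n, dst, dport in hits]


def beacon_intervals(records):
    """Seconds between successive contacts, per (src, dst, dport) flow."""
    times = defaultdict(list)
    for ts, src, dst, dport, _n in records:
        times[(src, dst, dport)].append(ts)
    intervals = {}
    for key, stamps in times.items():
        stamps.sort()
        intervals[key] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return intervals


def periodic_flows(records, min_intervals=2, jitter=0.1):
    """Flows whose gaps all sit within +/- jitter of their mean: a bot's regular
    check-in. Returns flow -> mean gap in seconds."""
    found = {}
    for key, gaps in beacon_intervals(records).items():
        if len(gaps) < min_intervals:
            continue
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            found[key] = mean
    return found


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for dst, dport, n in candidate_c2(recs):
        print(f"rendezvous {dst}:{dport} shared by {n} inside hosts")
    for (src, dst, dport), mean in periodic_flows(recs).items():
        print(f"beacon {src} -> {dst}:{dport} every {mean:.0f}s")
```

    On the sample this reports 203.0.113.5:6667 shared by five inside hosts and two flows beaconing every 300 seconds; the web traffic to 198.51.100.7 only shows up if you lower min_clients to 2, which is the usual tuning problem with fan-in alone. A real deployment would feed it flow records for the whole day and whitelist the update servers and web mail everyone legitimately shares.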
  • "Post to Slashdot" (Score:3, Interesting)

    by Gopal.V (532678) on Saturday August 19, 2006 @05:20PM (#15941818) Homepage Journal
    It is the first time I've ever seen a "Post to Slashdot" icon on any news item.

    (yeah, I pretty much forgive the Digg one, everybody has those ...)

  • by perkr (626584) on Saturday August 19, 2006 @05:25PM (#15941843)
    Spam is one thing, but once you've got access to the machine, getting logins and passwords for online stock and bank account services via a keylogger is completely different. I wonder how much stuff is silently running on users' machines right now...
    • by mapkinase (958129)
      There should be tougher laws on people who break into computers. It should be equal to breaking and entering people's houses.

      Tough laws work given their enforcement (I meant, once caught, got 10 years of gang-infested prison time, people will look at the keyboard in a different way).
      • Re: (Score:2, Interesting)

        by Lusa (153265)
        Perhaps, but there is a massive flaw. This assumes that the people doing this can be caught and prosecuted. Chances are they aren't even on the same continent as the computer. Until the planet is under some kind of single law then this sort of thing will not work. I think it'd be easier and better to isolate and control network traffic. Have a safe known configuration of OS, programs, firewalls etc in a read only format that can quickly be ghosted back onto the hardware if an infection is detected. Sort of
  • Be sure... (Score:5, Funny)

    by shmlco (594907) on Saturday August 19, 2006 @05:36PM (#15941889) Homepage
    "The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

    I say we take off and nuke 'em all from orbit. It's the only way to be sure.
    • Thank you - I had to scroll down several inches to see that comment but you have restored my faith in the Slashdot community.

      I nearly thought that one had slipped through the net.
  • by mapkinase (958129) on Saturday August 19, 2006 @05:39PM (#15941903) Homepage Journal
    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.
    In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.
    • In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.

      I dare say that whacking just the wife would be sufficient to put a stop to her cheating. Not to mention cheaper.

      (Unless you have a 2-for-1 coupon from the local mob - no sense letting a freebie go to waste.)

    • The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

      In other news: the only way to be completely sure your wife is not cheating on you is to whack her and her alleged boyfriend.
      Isn't this equivalent to whacking yourself?
      • by mapkinase (958129)
        That will certainly solve all your worldly problems, but will it solve all your problems.
  • "The lesson? Don't get infected in the first place"

    Oh, *R*E*A*L*L*Y*? Gotta love some people's approach to security articles :/ *grin*

  • by BertieBaggio (944287) * <bob@ma n i c s.eu> on Saturday August 19, 2006 @06:19PM (#15942028) Homepage

    I know he may not be [theregister.co.uk] the most favourite [theregister.co.uk] of people around here, but Steve Gibson was able to spy on the IRC command & control channel of a botnet a few years ago. It was precipitated by a DDoS on his site, which he investigated rather thoroughly.

    Link to the article [grc.com] (...long article warning)

    Some of the article is quite interesting, some is obvious, some is ego-boosting self-congratulatory statements, and some of it is his "teh XP can create complete 'UNIX sockets' OH NOES!" propaganda. Still worth a read, even if it is a few years old.

    • by Fulkkari (603331)

      I was under the impression that since Windows XP SP2, Microsoft decided to disable raw sockets. Gibson's concerns were valid. There is no reason why there should be raw socket functionality on any consumer-level product. Raw sockets may not make the computer itself more vulnerable, but they definitely can make it a bigger threat to other machines and networks, once compromised. The casual user doesn't use it and therefore won't even notice it's gone, not to speak of knowing about its existence in the f

  • by Rotten168 (104565) on Saturday August 19, 2006 @06:23PM (#15942032) Homepage
    If you are a computer user, you are responsible for the problems they are creating. ISPs need to inform people they have bots and if they are infecting other computers they need their internet access dropped. Tough love.
    • by RKBA (622932) * on Saturday August 19, 2006 @06:59PM (#15942116)
      "ISPs need to inform people they have bots and if they are infecting other computers they need their internet access dropped."

      In my experience, the cable installers are clueless. When I switched from DSL to Cable, the cable installers (two of them, one was a trainee) hooked up their cable to my router/hardware firewall and everything was fine. Then the senior guy asked if he could hook up their cable box directly to my computer to show the trainee how they normally do things. After booting into a spare version of the OS that I only use for maintenance (which is on a different partition than my regular OS), I let him hook his cable directly up to my computer, bypassing my router. Within about 20 seconds my antivirus program detected and reported a virus attack, although I forget the exact details because it was several years ago.

      The point is that the cable installers connect their cable up to new subscribers' computers without even checking their virus protection, and the naive users' computers are probably infected before the installers drive away. The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.
      • Congratulations, you noticed the reason that studies show Windows has a 12 minute half life on any network.

        The ISP would be far better off supplying hardware router/firewalls to their customers gratis because of the reduced traffic load from zombie computers.

        The cable modem already does that but it does not work. They block outbound ports and limit the upload speed. You can't block the inbound ports because you would block services users would actually notice. Even if you could lock up everything

    • My ISP does this. (Score:2, Interesting)

      by PotatoHead (12771)
      I've one XP home box running.

      (We play online poker ok?)

      It got infected with this crap and started spewing spam. Primary cause of this is kid browsing BTW. They are the most likely to click on the baddies. Put 'yer kids on Linux or a Mac and lots of this just goes away.

      Within a few hours I got a call on my cell. Asked me what I wanted to do. I said pull the plug if the box is still spewing in a few hours. (That was time enough for me to get home and deal.) I arrived home, pulled the plug on the offe
      • It got infected with this crap and started spewing spam. Primary cause of this is kid browsing BTW. They are the most likely to click on the baddies. Put 'yer kids on Linux or a Mac and lots of this just goes away.

        You must not deal with a lot of "normal" computer users. Believe me, the average user is at least as bad as any child you've left on one of your computers. Left to their own devices (ie without an IT department to baby them) these people will wreak all manner of havoc. But who am I to complain?
    • by Tom (822)
      ISPs need to inform people they have bots and if they are infecting other computers they need their internet access dropped.

      Not going to happen in a million years, I'm afraid.

      See, I happen to be the resident security dude at an ISP (half a million customers). Management doesn't care and doesn't understand that this is a problem that needs attention. It's the customer's computer, monitoring traffic costs money, shutting out customers creates service calls (thus costing money), doing what no one else does m
    • ISPs need to inform people they have bots and if they are infecting other computers they need their internet access dropped. Tough love.

      And this gets the ISPs more money in what way? Many ISPs can pull up and print out a list of infected hosts by worm and by the amount of traffic they generate. They can automatically integrate this into their notification system and send e-mail to the host's account or shut down access. They don't because then they have to answer the phone calls explaining what is going

  • There is no reason to just reinstall the operating system just because you got a little bit of spyware. Only about 1% of the machines that I have worked on because of spyware have I had to reinstall the operating system. The infection can always be completely gotten rid of. I've only had call backs about spyware that I missed about 3 times. And for all I know, it was because the user went and downloaded something again that put it on there (like Party Poker, etc). And it can all be done with just two a hand
    • Re: (Score:2, Insightful)

      by Thunderbear (4257)
      I congratulate you on your efficiency.

      But how can you be _certain_ that you got them all, and that your boss is not still infected?
    • by leenks (906881) on Saturday August 19, 2006 @07:08PM (#15942134)
      How do you know? At any given time virus / spyware checkers only get between 30 and 50 percent of malware that is currently being used, and it takes several months before they eventually get detected. If you can remove stuff that nobody else can detect, you are doing pretty well.
    • by httptech (5553)
      We're not just talking about spyware here - you feel you've completely cleaned the infection because you no longer notice the intrusive symptoms of popup-ads, slowness, etc. However, how would you know the initial infection hadn't subsequently downloaded a keystroke logger (bought commercially, they can go months without being detected by AV) along with a rootkit to hide it? Rootkit scanners, like AV, are having to play a constant game of keep-up with the commercial malware writers.

      If you're a malware exper
    • Re: (Score:2, Funny)

      by Anonymous Coward
      You are a pseudo-geek with a handful of windoze skills who has no idea how much he doesn't know. Congratulations on writing some crappy .bat script, you are officially eligible to work in the tech support department at Best Buy.
    • by Kjella (173770)
      There is no reason to just reinstall the operating system just because you got a little bit of spyware. Only about 1% of the machines that I have worked on because of spyware have I had to reinstall the operating system.

      Well, kudos to you but the last two machines I tried that on, it didn't work. Processes were restarting, files were locked, files were copied back when I deleted them, safe mode or not. Perhaps if I had a rescue CD with uncompromised tools on it and could nuke everything from orbit then mayb
    • If you really think reinstalling is the answer then reinstalling is *not* the answer - you're so clueless that you'll be reinfected within a week.

      There's very few Windows machines which can't be fixed if all they have is a malware infection. All it normally takes is a reboot in safe mode, run an antivirus and a malware scan, then look in "...Whatever\Current_Version\Microsoft\Windows\Run" and google the names of all the .exe files in there.

      Next, uninstall anything made by Symantec from the machine. It's al
  • by Alex Belits (437) * on Saturday August 19, 2006 @06:52PM (#15942104) Homepage
    How a server got compromised, and ran a Paypal scam site for two days [livejournal.com], more technical explanation of what happened [livejournal.com], and how to (and how not to) make Yahoo block the accounts involved [livejournal.com]. Of course, the idea that a compromised machine can in any way be trusted sounds like one of the stupidest things ever thought up by a human.
    • by makomk (752139)
      I always wondered why Windows machines were more often chosen as targets than Linux ones, and now it's obvious - the script kiddies doing the hacking can't cope with all the little variations between distros...
  • For the record... (Score:2, Insightful)

    by httptech (5553)
    It's not like I'm the only one who ever figured out how to spy on botnet control channels. This has been going on for years. Some researchers only spy on the botnet to find out what the botnet is being used for. Some even take it upon themselves to try and "clean" the infected systems of the bots (Mocbot has a "remove" command, by the way, but you have to have the correct user@host mask). Botherders sometimes even spy on each others channels, to try and take control of less-protected botnets from other bother
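    What "you have to have the correct user@host mask" means in practice, as an added example (Python, not code from the thread and not Mocbot's or any real bot's source; the thread only says Mocbot's remove command checks the mask): an IRC drone authorises commands by matching the sender's nick!user@host prefix against a master mask, so a researcher sitting in the channel sees every order but, coming from a different host, cannot give one. The masks, nicks, hosts and channel name below are constructed.

```python
"""How an IRC bot decides who may give it orders.

Added example in Python, not code from the thread and not Mocbot's or any
real bot's source; the thread only says Mocbot's remove command needs the
right user@host mask. The masks, nicks, hosts and channel are constructed.
"""
import re

PRIVMSG_RE = re.compile(r"^:(?P<prefix>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def mask_to_regex(mask):
    """IRC masks: '*' matches any run, '?' one character, the rest literal.
    Case-insensitive as an approximation of IRC casemapping."""
    pieces = []
    for part in re.split(r"([*?])", mask):
        if part == "*":
            pieces.append(".*")
        elif part == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(part))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def mask_match(mask, prefix):
    """True when a nick!user@host prefix matches the mask."""
    return mask_to_regex(mask).match(prefix) is not None


def parse_privmsg(line):
    """Split ':nick!user@host PRIVMSG target :text' into its parts, else None."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    return None if m is None else (m.group("prefix"), m.group("target"), m.group("text"))


class Bot:
    """Toy drone: obeys '.command' lines in its channel only from a master mask.

    The nick is not what is checked; user@host is. A spy sitting in the channel
    sees every command but, with a different host, cannot issue one.
    """

    def __init__(self, masters, channel):
        self.masters = [mask_to_regex(m) for m in masters]
        self.channel = channel
        self.audit = []  # (prefix, command, allowed) for every attempt

    def handle(self, line):
        parsed = parse_privmsg(line)
        if parsed is None:
            return None
        prefix, target, text = parsed
        words = text.split()
        if target.lower() != self.channel.lower() or not words or not words[0].startswith("."):
            return None  # chatter, not a command
        command = words[0][1:]
        allowed = any(r.match(prefix) for r in self.masters)
        self.audit.append((prefix, command, allowed))
        return allowed, command


if __name__ == "__main__":
    bot = Bot(masters=["*!herder@*.example.net"], channel="#drones")
    for line in (
        ":boss!herder@dsl-1.example.net PRIVMSG #drones :.remove",  # real herder
        ":boss!joe@lab.example.org PRIVMSG #drones :.remove",       # same nick, wrong host
        ":boss!herder@dsl-1.example.net PRIVMSG #drones :hi all",   # not a command
    ):
        print(line, "->", bot.handle(line))
```

    The second line is the interesting one: same nick as the herder, different user@host, so the drone refuses. That check is also why a mask like "*!*@*" or a host pattern that the spy can satisfy is what lets one botherder hijack another's botnet, as httptech describes.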
  • The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system

    However, even that might not help if the OS in question is Windows XP and not integrated with SP2 on the same CD, and you don't know what you're doing. (like disconnecting the network until you've installed SP2 that you of course had lying on another disc so you don't need to go online for it)

    Pretty annoying what a highly flawed and widely spread OS can do.

  • The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    The only way to be sure on a WINDOWS system is to reinstall the operating system, something that Windows users just seem to accept. Then you have to beg MSFT to reactivate your operating system. If you reinstall routinely, some day they'll start acting like you're expected to pay for it...again.

    I have one token XP Pro box on my network but don't routinely use it to s

  • Moo (Score:3, Insightful)

    by Chacham (981) * on Sunday August 20, 2006 @01:58AM (#15943131) Homepage Journal
    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    Or MD5 everything.
  • by Nom du Keyboard (633989) on Sunday August 20, 2006 @03:12AM (#15943250)
    What users need, and I'm continually surprised that it isn't here already, is a Live CD Virus scanner. Download the ISO, burn the CD, boot it on suspect machines, and let it do the job of reading your system disc as a simple data disc. The idea that a program running on an infected system can spot and remove the infection seems questionable at best.
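    Chacham's "MD5 everything" and the live-CD scanner idea above fit together: take a hash manifest of the system when it is known clean, keep it off the machine, and later boot from read-only media, mount the suspect disk as plain data and compare. The following is an added example (Python, not code from the thread or from any scanner); it defaults to SHA-256 rather than MD5 because MD5 collisions are cheap to produce, and demo() builds a throwaway directory tree (constructed data) to show what a comparison reports after a typical compromise.

```python
"""File integrity baseline, to be taken on a clean install and checked later
from a live CD.

Added example in Python, not code from the thread or from any scanner.
Chacham says "MD5 everything"; this uses SHA-256 by default because MD5
collisions are cheap to produce, though any hashlib name can be passed.
demo() builds a throwaway directory tree (constructed data) and simulates
what an intrusion leaves behind.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, algo="sha256", chunk=1 << 16):
    """Digest of one file, read in chunks so large files do not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Relative path -> digest for every regular file under root.

    Symlinks are skipped and not followed: a planted link could otherwise
    drag files from outside root into the manifest or loop the walk.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        filenames.sort()
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algo)
    return manifest


def save_manifest(manifest, path):
    """Write the baseline as JSON; keep this copy off the machine it describes."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Paths that appeared, vanished, or changed between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed tree, then plant the classic traces of a rooted box."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"clean ls\n")
        _write(root, "bin/ps", b"clean ps\n")
        _write(root, "var/log/auth.log", b"Accepted password for bob\n")
        baseline = build_manifest(root)
        # Simulated compromise: trojaned ps that hides the bot, a spam proxy
        # dropped in tmp, and the login log wiped.
        _write(root, "bin/ps", b"trojaned ps\n")
        _write(root, "tmp/proxy.pl", b"perl spam proxy\n")
        os.remove(os.path.join(root, "var", "log", "auth.log"))
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

    Two caveats a practitioner would add. The baseline is only worth what the state it was taken in was worth: generate it right after installation, before the box sees a network, and save the manifest somewhere the box cannot reach. And run the comparison from the live CD, not from the installed system, because a kernel rootkit on the running machine can hand hashing tools the clean file while executing the trojaned one. Package managers' own checks (rpm -V, debsums) do the same against vendor checksums, but only for packaged files, so a dropper in tmp or a new cron job still needs this kind of whole-tree comparison.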
  • by Tom (822) on Sunday August 20, 2006 @07:10AM (#15943596) Homepage Journal
    The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.

    Yes, and your average user will quickly encounter another funny problem: He has a good chance to be infected again before the download of SP2 and/or other security updates he needs to not be re-infected, is finished...
  • He has it wrong, you have to take off and nuke the entire site from orbit. It's the only way to be sure.
