Researchers at security firm Finjan have uncovered a massive botnet of Windows machines. The botnet is 1.9 million machines strong, with 45% of them located in the United States. The researchers detailed their findings at the RSA Conference in San Francisco.
The botnet in question is one of the largest ever found that is controlled by a single gang of cybercriminals. Apparently, the botnet’s command and control server is located in Ukraine. The researchers claim that during their work, the number of infected computers increased by the hour.
The botnet is actually quite user friendly, as it has a nice backend management application through which the cybercriminals can control the machines in the botnet. From this backend, the criminals can instruct machines to download additional malware, which in turn is used to read local data from the machines. “When inspecting these files, we identified that they can perform the following actions: read email address and other details from the infected computer; communicate with other computers using HTTP protocol; execute a process; inject code into other processes; visit websites without end-users’ consent; register as a background service on the infected computer and a few dozen other commands,” the researchers write. They conclude that the criminals can basically do whatever the heck they want with and on the infected machines.
Finjan has shared the information about the botnet with the authorities.
It seems a bit clumsy, if the botnet is as sophisticated as they claim it is, for the servers to have folders open to the world like that–folders which, if this article is to be believed, contain integral parts of the botnet. It’s certainly possible, but is it just me that thinks it might be a bit too… well, convenient? Somehow, I can’t imagine a gang that can design a botnet this refined, for lack of a better word, would fail to lock down their own server against intrusions.
Easier said than done; when you’re working at 100 kmph to meet a deadline with the stress of your boss breathing down your back – it is very easy to overlook something that would otherwise be a very simple mistake.
It is up to the operating system vendor to ensure that the operating system is locked down by default – out of the box – and it is up to the administrator to unlock services and features as he or she requires. If you open everything and leave it to the admin to lock down there is the chance of overlooking something (for a variety of reasons) versus a locked down system where it is up to the admin to set it up from the ground up to do as he or she wants.
Which versions of Windows are infected?
I’m guessing XP (SP?), maybe 2003, but how about Vista?
Just saying Windows doesn’t tell us too much.
Maybe I missed it in the article, I must admit, I only scanned it…
It doesn’t really matter. The botnet probably runs on any version of Windows it can get on via old, unpatched vulnerabilities or by fooling the user. No OS can protect you completely from trojan horses.
That sounds like they are spying on the screen content of the control server, but that they can’t access files on disk. Maybe they commandeered a web cam in the same room that faces the server. If the criminals got wind that they were being spied on, maybe they left some highly inflated and misleading data on the screen.
I wonder if the final report will be a “Spy vs. Spy” episode in Mad Magazine.
SMB shares most likely. I sincerely doubt the control server runs VNC that’s open to anyone.
Whatever the mechanism, one has to wonder if they are clever enough to do the crime, they may well be clever enough to leave misleading information lying around for researchers to glom onto.
And the fact that Windows has a marketshare of more than 90%. Even for specialized media, Windows is the computer.
Edit: Argh, wrong thread. This should be on “Computer Botnet”, sorry.
Edited 2009-04-23 02:43 UTC
“And the fact that Windows has a marketshare of more than 90%. Even for specialized media, Windows is the computer.”
Marketshare has nothing to do with it and Windows is NOT the computer, it’s an OS, and one of the most insecure on the planet in an out-of-the-box install, at least on XP and earlier. Most home users are running as root which makes turning their machines into bots very easy.
Windows is attacked because it is EASY to attack and yes, it is a large target also, but the primary reason is it is easy to attack. The statistics don’t work for marketshare if you use Apache as an example: Apache is the most widely used web server on the market but IIS gets attacked more, or rather successfully attacked more. Why? Because IIS is not as secure as Apache.
It’s too bad back in the day Microsoft created an OS that was easy to use but with no thought whatsoever in terms of security. If they had thought about it, they would have started educating users on the proper way to run a computer: the Unix way, not one user as root. It’s sad, really, that a company so large has so many problems they have created themselves.
Please read the comment I was replying to. It was about why they call it “computer botnet” instead of “Windows botnet”. And please keep the patronizing speech, do you think I arrived at this site just by accident?
The command and control system which was connected is probably a temporary, bot-infected one itself. The C&C will change over time and there could be many dozens of them at a time.
The C&C most likely is not the bot masters system.
As per usual, it’s a “Computer Botnet”. The name “Windows” doesn’t appear even once in the article. Nor the name “Microsoft”.
Of course, had it been some sort of security issue with Linux, MacOS, or one of the *BSDs that made the news, they would have been called out prominently by name.
Edited 2009-04-23 01:58 UTC
True, it’s named as a Computer Botnet, but reading the article and seeing the examples of code getting executed on the bots makes it pretty clear that the botnet is in fact made up of Windows machines. The fact that “Computer Botnet” has become synonymous with Windows machines is just a natural thing when you look back at the history of exploits and botnets on Windows.
Edited 2009-04-23 02:35 UTC
That’s because the term Windows before botnets is superfluous in a similar way to how saying Rome is sufficient, while Italian Rome just makes you look silly.
Now if there was a Linux botnet, that would be interesting.
Now if there was a Linux botnet, that would be interesting.
There IS at least one Linux botnet…but it’s a small one, and runs only on unpatched OpenWRT routers. So it’s not exactly capable of much more than trying to sniff the packets going through it for something interesting or DDOS attacks.
This botnet does not use a vulnerability in OpenWrt, so the only thing that needs to be patched to prevent the router from participating in a botnet is the user.
“””
There IS at least one Linux botnet…but it’s a small one, and runs only on unpatched OpenWRT routers.
“””
As an OpenWRT fan, I’d like to clarify that:
1. The worm only uses a simple brute force password attack on telnetd and sshd.
2. OpenWRT does not run telnetd by default.
3. All incoming WAN ports are blocked by default, including ssh.
4. There is no “patch” required, since there is no vulnerability involved.
5. The worm itself is only compatible with mipsel CPUs.
So to be vulnerable, one has to manually open up ssh incoming on the WAN port, select an insanely poor password, and do it on a mipsel-based router. There is no “default” password. After you flash, you log in on the lan port via telnet and set a password. Once that is done, telnet is automatically disabled. Reboot, and the router is ready to go.
Edited 2009-04-23 22:59 UTC
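One way a router owner can check for the exact exposure the comment above describes (an ACCEPT rule for ssh or telnet from the wan zone, or a wan zone that no longer rejects inbound traffic), as an added example that is neither code from this thread nor from the OpenWrt project: a small Python audit of a copied /etc/config/firewall in UCI syntax. The embedded sample config is constructed, and its Allow-SSH-WAN rule is hypothetical.

```python
import re

# Constructed sample of an OpenWrt /etc/config/firewall in UCI syntax (not taken from
# any real router): the stock wan zone plus a hypothetical rule that opens SSH from the
# WAN side, which is exactly the manual change the comment above describes.
SAMPLE_FIREWALL = """
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config rule
	option name 'Allow-SSH-WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
"""

_SECTION = re.compile(r"^config\s+(\S+)")
_OPTION = re.compile(r"^(?:option|list)\s+(\S+)\s+(.*)$")

def parse_uci(text: str) -> list[dict[str, str]]:
    """Minimal UCI reader: one dict per section, with the section type under '.type'."""
    sections: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SECTION.match(line):
            sections.append({".type": m.group(1)})
        elif (m := _OPTION.match(line)) and sections:
            sections[-1][m.group(1)] = m.group(2).strip().strip("'\"")
    return sections

def audit_wan_exposure(text: str) -> list[str]:
    """Flag a wan zone that does not reject inbound traffic, and any rule that
    ACCEPTs tcp/22 (ssh) or tcp/23 (telnet) from the wan zone."""
    findings = []
    for s in parse_uci(text):
        # A zone without an 'input' option inherits the global default, REJECT on a stock config.
        if s[".type"] == "zone" and s.get("name") == "wan" and s.get("input", "REJECT") not in ("REJECT", "DROP"):
            findings.append(f"wan zone input policy is {s['input']}, expected REJECT")
        if s[".type"] == "rule" and s.get("src") == "wan" and s.get("target", "").upper() == "ACCEPT":
            exposed = sorted({"22", "23"} & set(s.get("dest_port", "").split()))
            if exposed and "tcp" in s.get("proto", "tcp udp"):  # unspecified proto means tcp and udp
                findings.append(f"rule {s.get('name', '?')} accepts tcp port(s) {', '.join(exposed)} from wan")
    return findings
```

Run `audit_wan_exposure(open("firewall").read())` against a copy of the router's config; an empty list means the defaults the comment describes are still in place.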
Well well…
I don’t know but…. Maybe it has something to do with this: http://www.internetnews.com/security/article.php/3816701 ?
Yes boys and girls – there is the friendly TPM pusher again. If you lock the OS to the hardware you will be safe – promised. And everybody knows what Operating System that will be hmmm? Yes – you guessed it … The safest OS on this planet (promised – trust me – it’s for real this time).
You see – you can’t trust other OSes on the hardware. Look for yourself: http://www.networkworld.com/community/node/41180 . And we all know Microsoft and Intel have absolutely nothing to do with each other, so this article must be a shock for all those Linux/Intel users. Nobody would believe a fault in the hardware was only known by Microsoft and Intel to be used at the right moment. That idea is completely ridiculous.
And all this is hot on the heels of a report by the European Committee for Interoperable Systems about some “shady” practices of a well known firm: http://www.groklaw.net/article.php?story=20090421111327711 The timing of all this is amazing.
Now all those things could not possibly in any way be related hm? I would not dare to make such unfair statements…
WTF, man. You shouldn’t believe 90% of the things you read on the internet.
“Microsoft Subnet” is not affiliated with Microsoft in any way (it’s just a blog on network world). Windows is just as good of a vector for the SMRAM attack as Linux since both are just OSes and Joanna’s attack is on the hardware once you’ve already got kernel privileges.
Also, ECIS is a lobbying organization… check out their member list to figure out what exactly they’re lobbying for.
Does not prevent them from stating facts.
You mean their spin on the facts. It’s almost impossible to find somewhere you can just read straight facts, you have to read several different spins and points of view then put the pieces together to end up at something that even resembles the actual facts.
Good lord Jokel, I sure hope you have enough tinfoil to prevent the black helicopters from using a mindprobe to find this info out.
OMG – come on now…
Where did you guys leave your sense of humor?
I had the impression it would be so over the top that anyone who read it would immediately see this as what it was – an over-dramatization…
Your reactions, however, give me the impression I did strike an unsuspected nerve or something….
Now – wait while I check out this tinfoil hat 😉
You must be new to OSN, then. You can say pretty much anything and people will take you seriously.
Edited 2009-04-23 13:16 UTC
Good thing OSNews did do the right thing then, ey?
Are they going to clean it up?
No, because then they’re as guilty as the hackers in the eyes of the law for using the machine without the user’s consent.
I think the OP meant:
Is this security firm going to disclose a fix for systems participating in the botnet, and the signatures of the trojans involved so anti-malware programs can protect users?
“The medium is the message” – Marshall McLuhan
“The Network is the Computer” – Sun Microsystems
“The Windows is the Computer” – someone has said this thing in one of these comments. Great analogy! Yes, definitely, this bot net was “computer based” 😉
Lazy hackers? Maybe someone bought some time on the botnet and installed a backdoor on the C&C server that Finjan discovered. Hell, maybe Finjan just bought the time on the botnet.