ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"

alphadogg writes with this Network World story, excerpting "A Latvian ISP linked to online criminal activity has been cut off from the Internet, following complaints from Internet security researchers. Real Host, based in Riga, Latvia was thought to control command-and-control servers for infected botnet PCs, and had been linked to phishing sites, Web sites that launched attack code at visitors and were also home to malicious 'rogue' antivirus products, according to a researcher using the pseudonym Jart Armin, who works on the Hostexploit.com Web site. 'This is maybe one of the top European centers of crap,' he said in an e-mail interview. 'It was a cesspool of criminal activity,' said Paul Ferguson, a researcher with Trend Micro."

darthcamaro writes "Remember Conficker? April first doom and gloom and all? Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master command and control. Speaking at the Black Hat/Defcon Hat security conference in Las Vegas, Mikko Hypponen, chief research officer at security firm F-Secure, was told not to talk in detail about the Conficker gang — the problem is that not all researchers were under the same gag order. Just ask Roel Schouwenberg, senior anti-virus researcher at security firm Kaspersky, who says 'The Conficker botnet is autonomous; that is very strange in itself that they made Conficker replicate by itself. Now it seems like the authors have abandoned the project, but because it is autonomous, it can do whatever it wants and it keeps on trying to find new hosts to infect.'"

Ponca City, We love you writes "The NY Times has the story of researchers at Sandia National Laboratories creating what is in effect a vast digital petri dish able to hold one million operating systems at once in an effort to study the behavior of botnets. Sandia scientist Ron Minnich, the inventor of LinuxBIOS, and his colleague Don Rudish have converted a Dell supercomputer to simulate a mini-Internet of one million computers. The researchers say they hope to be able to infect their digital petri dish with a botnet and then gather data on how the system behaves. 'When a forest is on fire you can fly over it, but with a cyber-attack you have no clear idea of what it looks like,' says Minnich. 'It's an extremely difficult task to get a global picture.' The Dell Thunderbird supercomputer, named MegaTux, has 4,480 Intel microprocessors running Linux virtual machines with Wine, making it possible to run 1 million copies of a Windows environment without paying licensing fees to Microsoft. MegaTux is an example of a new kind of computational science, in which computers are used to simulate scientific instruments that were once used in physical world laboratories. In the past, the researchers said, no one has tried to program a computer to simulate more than tens of thousands of operating systems."

bednarz writes "Network World ranks America's 10 most wanted botnets, based on an estimate by security firm Damballa of botnet size and activity in the United States. The leader is Zeus, with 3.6 million compromised PCs so far. The Zeus Trojan uses key-logging techniques to steal user names, passwords, account numbers and credit card numbers, and it injects fake HTML forms into online banking login pages to steal user data. At the bottom of the list is Conficker, which despite its celebrity status has compromised just 210,000 US computers so far."

GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

angry tapir writes "A botnet composed of about 50,000 infected computers has been waging a war against US government Web sites and causing headaches for businesses in the US and South Korea. The attack started Saturday, and security experts have credited it with knocking the Federal Trade Commission's (FTC's) web site offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the Department of Transportation."

snydeq writes "Pwn2Own winner Charlie Miller has revealed an SMS vulnerability that could provide hackers with root access to the iPhone. Malicious code sent by SMS to run on the phone could include commands to monitor location using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a DDoS attack or botnet, Miller said. Miller did not provide detailed description of the SMS vulnerability, citing an agreement with Apple, which is working to fix the vulnerability in advance of Black Hat, where Miller plans to discuss the attack in greater detail. 'SMS is a great vector to attack the iPhone,' Miller said, as SMS can send binary code that the iPhone processes without user interaction. Sequences can be sent to the phone as multiple messages that are automatically reassembled, thereby surpassing individual SMS message limits of 140 bytes."

LionMage writes "Much has been made previously of how China's Green Dam software must be installed on all new PCs in China, and of more recent revelations that the software may create exploitable security vulnerabilities or even provide the Chinese government with a ready-made botnet to use for potentially nefarious purposes. (One of those prior articles even discusses how Green Dam incorporates blacklists from CyberSitter.) Now the BBC is reporting that Solid Oak's CyberSitter software may have had more than just a compiled blacklist lifted from it. Solid Oak is claiming that actual pieces of their code somehow ended up in Green Dam. From PC Magazine's article: 'Solid Oak Software, the developer of CyberSitter, claims that the look and feel of the GUI used by Green Dam mimics the style of CyberSitter. But more damning, chief executive Brian Milburn said, was the fact that the Green Dam code uses DLLs identified with the CyberSitter name, and even makes calls back to Solid Oak's servers for updates.'" Relatedly, reader Spurious Logic writes that Green Dam won't be mandatory after all, according to an unnamed official with China's Ministry of Industry and Information Technology.

NewScientist has an interesting look back at the birth of the Conficker worm and how this sophisticated monster quickly grew to such power and infamy. "Since that flurry of activity in early April, all has been uneasily quiet on the Conficker front. In some senses, that marks a victory for the criminals. The zombie network is now established and being used for its intended purpose: to make money. Through its peer-to-peer capabilities, the worm can be updated on the infected network at any time. It is not an unprecedented situation. There are several other large networks of machines infected with malicious software. Conficker has simply joined the list. The security community will continue to fight them, but as long as the worm remains embedded in any computer there can be no quick fixes."

david_a_eaves writes "The Chinese government is mandating that all computers sold in China come with Internet blocking software. Rob Cottingham writes an excellent piece noting how the censorship application of this software should be the least of our concerns. This new software may create an opportunity for the Chinese Government to appropriate these computers and use them to create the worlds largest botnet army." Update: 06/11 21:26 GMT by T : J. Alex Halderman writes "My students and I have been examining the Green Dam censorware software. We've found serious vulnerabilities that can be exploited by any web site a user visits with the software installed. We also found that some of the blacklists seems to have been taken from the American-made filtering program CyberSitter. We've posted a report and demo."

An anonymous reader writes "The Federal Trade Commission has convinced a federal judge to pull the plug on a 3FN.net, a.k.a. 'Pricewert LLC,' a Northern California based hosting provider. The FTC alleges that 3FN/Pricewert was directly involved in setting up spam-spewing botnets, among other illegal activities, the Washington Post's Security Fix Blog writes. From the story: 'Pricewert hosts very little legitimate content and vast quantities of illegal, malicious, and harmful content, including child pornography, botnet command and control servers, spyware, viruses, trojans, phishing related sites, illegal online pharmacies, investment and other Web-based scams, and pornography featuring violence, bestiality, and incest.' The story quotes a former Justice Dept. expert saying the FTC action may be a smoke screen for a larger criminal investigation by the federal government in 3FN's activities."

Frequent Slashdot contributor Bennett Haselton writes with his idea for mass adoption of anti-virus software: "If the US government did more to encourage people to keep their computers secure — by buying TV ads to publicize free private-sector anti-virus programs, or subsidizing the purchase of anti-virus software — we'd all be better off, on average. That's not just idealistic nanny-statism, but something you can argue mathematically, to the point where even some libertarians would agree." Read on for the rest of Bennett's thoughts.

An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?"

Mike writes "A network of hackers, most based in China, have been making up to 70,000 attempts a day to break into the NYPD's computer system, the city's Commissioner, Raymond Kelly, revealed Wednesday. Kelly suggested that 'perhaps it is because of the NYPD's reach into the international arena' that they are being targeted for computer hacking 'in much the way the Pentagon has been.' The hackers are apparently using a botnet to make up to 5,000 attempts a day at various unsecured portals into the NYPD's files. China's foreign ministry spokesman Qin Gang denied involvement in computer espionage. 'Some people outside of China are bent on fabricating lies of so-called Chinese computer spies,' he said last month. The obvious question is, why are the Chinese so interested in the NYPD computer network?"

yahoi writes "According to the DarkReading article, 'Researchers have discovered a major botnet operating out of the Ukraine that has infected 1.9 million machines, including large corporate and government PCs mainly in the US. The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains — 51 of which are in the US government. Researchers from Finjan who found the botnet say it's controlled by six individuals, and includes machines in major banks.'"

CWmike writes "Criminal cybergangs must be harried, hounded and hunted until they're driven out of business, a noted botnet researcher said as he prepared to pitch a new anti-malware strategy at the RSA Conference in SF. 'We need a new approach to fighting cybercrime,' said Joe Stewart, director of SecureWorks' counterthreat unit. 'What we're doing now is not making a significant dent.' He said teams of paid security researchers should set up like a police department's major crimes unit or a military special operations team, perhaps infiltrating the botnet group and employing a spectrum of disruptive tactics. Stewart cited last November's takedown of McColo as one success story. Another is the Conficker Working Group. 'Criminals are operating with the same risk-effort-reward model of legitimate businesses,' said Stewart. 'If we really want to dissuade them, we have to attack all three of those. Only then can we disrupt their business.'"

Cludge writes "ZDNet has a story (and several related articles) about how Symantec has discovered evidence of an all-Mac based botnet that is actively involved in a DOS attack. Apparently, security on the exploited Macs (call them iBots?) was compromised when unwary users bit-torrented pirated copies of iWork 09 and Photoshop CS4 that contained malware. From the article: 'They describe this as the "first real attempt to create a Mac botnet" and note that the zombie Macs are already being used for nefarious purposes.'"

Simmons writes with news of research that demonstrated vulnerabilities in Skype and Google Voice that would have allowed attackers to eavesdrop on calls or place unauthorized calls of their own. "The attacks on Google Voice and Skype use different techniques, but essentially they both work because neither service requires a password to access its voicemail system. For the Skype attack to work, the victim would have to be tricked into visiting a malicious Web site within 30 minutes of being logged into Skype. In the Google Voice attack (PDF), the hacker would first need to know the victim's phone number, but Secure Science has devised a way to figure this out using Google Voice's Short Message Service (SMS). Google patched the bugs that enabled Secure Science's attack last week and has now added a password requirement to its voicemail system, the company said in a statement. ... The Skype flaws have not yet been patched, according to James." Reader EricTheGreen contributes related news that eBay may sell Skype back to its original founders.

nk497 writes "Conficker seems to finally be doing something, a week after hype around the worm peaked on April Fool's Day. It has now downloaded components from the Waledac botnet, which could contain rootkit capabilities. Trend Micro security expert Rik Ferguson said: 'These components have so far been missing, but could this finally be the "other boot dropping" that we have all been been waiting for?' Ferguson also suggested that people behind Conficker could be the very same who are running Waledac and created the Storm botnet. 'It tallies with some of the assumptions people have made about Conficker — that the first variant was actively trying to avoid the Ukraine because Waledac was Eastern European,' Ferguson added."