Interesting People mailing list archives

more on 80 per cent of home PCs infected - survey


From: David Farber <dave () farber net>
Date: Fri, 29 Oct 2004 20:39:01 -0400



Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org>
Date: October 29, 2004 5:40:05 PM EDT
To: thomas.greene () theregister co uk
Cc: David Farber <dave () farber net>, Dewayne Hendricks <dewayne () warpspeed com>, Ronald Edge <InactiveX666 () hotmail com>
Subject: Re: [IP] 80 per cent of home PCs infected - survey

The Internet is well on its way to becoming one vast bot net, a survey
(http://www.staysafeonline.info/news/safety_study_v04.pdf) by AOL and
the National Cyber Security Alliance suggests.

This meshes rather closely with what those of us in the anti-spam community
are seeing: estimates vary depending on who's making them, but as a rough
consensus, something like 80% of all SMTP spam presented to mail servers
is currently coming from infected Windows systems ("zombies").

This trend started as a trickle about two years ago, underwent geometric
increase in the spring of 2003, and has continued upward ever since:
I can't see any sign that it's been reversed, or for that matter, even
being seriously addressed.

(We're also seeing substantial populations of zombies on corporate and
educational networks.  Granted, systems in these environments tend to be
better managed than those belonging to home users, but the avalanche of
viruses, worms, spyware, adware, etc., has been a problem for them as well.
For instance, Ronald Edge, writing in Usenet's news.admin.net-abuse.email
earlier this month, commented:

        A couple of weeks ago studies released suggested numbers of new
        systems being zombied / taken over range at a minimum estimate
        of 30,000 and a high estimate of 70,000 every day. We are starting
        to see troubling signs of PCs we maintain that are locked down and
        updated as tight as possible managing to get infected, we suspect
        either by web browser or by email, since the holes there and the
        vulnerabilities are now coming faster than we can respond to. MS
        is certainly not responding fast enough, e.g. with an operating
        system that is not to security what cheese is to Switzerland.

I've CC'd Ron on this note in case he wants to comment further, but the
impression I get from his comments and others is that even people who
are very clueful, very diligent, and working their tails off are being
overwhelmed with problems that are arising much faster than they can
be addressed.

I should also pause to note that in some cases home systems and corporate
systems are synonymous: some people work from home via VPNs, others use
laptops which may be connected in different places at different times,
and so on.)

But this problem has far worse implications than those associated just
with spam, which, as bad as it is, is probably the least of our concerns.

Whoever is controlling those zombies has access to an enormous amount of
computing power and bandwidth. Moreover, they also enjoy network diversity,
making their operation exceedingly difficult to disrupt -- because it is
everywhere and nowhere. And with even a modicum of care, they can probably
make themselves very difficult to trace (i.e. by concealing their points
of control, or redirecting them through multiple layers or zombies, etc.)
And - as far as I can tell - we, where "we" is everyone who isn't controlling
them, don't know who is: are we up against 4 attackers or 4,000?

I could spend the rest of the afternoon constructing a list of all the
things those zombies could be used for.  One thing that we've seen
already is advertising touting distributed denial-of-service (DDoS)
attacks-for-hire; one thing we may have seen are test runs to gauge the
effectiveness of the possible future DDoS attacks against various targets.

See, for example:

http://story.news.yahoo.com/news?tmpl=story&cid=2026&ncid=2026&e=4&u=/latimests/20041025/ts_latimes/deletingonlineextortion

and

http://news.com.com/British+cybercops+nab+alleged+blackmailers/2100-7348_3-5278046.html?tag=nefd.top

These zombies also render moot any pretense of security and privacy: after
all, those who are remotely controlling them have FULL control of them,
including the ability to retrieve any file on them (or replace it), retrieve
username/password combinations or grab them as they're used, use any service
that the former owner of the system has credentials to use, and so on.

(Which is one reason why all currently-proposed mail sender authentication
schemes have absolutely no value at the moment. All of them presume that
the mail origination points are secure.  They're not.)

Let me suggest just one scenario: what do you think would happen if
an attacker unleashed a serious DDoS attack against selected US city,
state, and federal network resources on Tuesday, November 2, 2004?
(with perhaps a few major news web sites thrown in for good measure)
Oh, I'm aware that voting processes are, in theory, insulated from
exposure to the Internet: but I'm willing to bet that in practice
that's not true, and that sufficiently aggressive and well-targeted
attacks against infrastructure such as routers, firewalls, DNS servers,
mail servers and web servers would have a noticeable disruptive effect.

I have no idea what we do if that happens.  (Well, actually, I do:
first we engage in a serious round of partisan finger-pointing.
It's what we do whenever there's a crisis. ;-) )

I suspect that it will take a crisis situation like that, or something
of a similar nature, to provoke serious action on this problem.  (I very
much hope I'm wrong about that.)

But...

The end-users are largely unaware of the problem, and even those who are
aware often lack the (admittedly extensive) skills to solve it AND keep
it solved. The ISPs which connect most of the users have been in steadfast
denial for what is now going on years; only a few have begun taking belated
and half-hearted measures like blocking outbound port 25 (SMTP) access --
and even that only deals with spam issues, and then only in part.  And
Microsoft...well, let's just say that there's not much help coming there,
especially for users of older versions of their OS.  And even if there
were -- I'm not sure how much good it would do, as the points-of-entry
for malware are so numerous (see Ron's comments above) that it's not
clear that it's possible to really and truly secure these systems.

---Rsk
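As an added illustration (not part of the original message) of the detection side of the outbound-port-25 measure Rich mentions: a zombie sending spam typically connects directly to many external mail servers on port 25 instead of going through the site's relay. The script below scans constructed flow-log lines and flags internal hosts with that fan-out pattern; the log format, the 10.0.0.0/8 internal range and the relay address 10.0.0.2 are assumptions.

```python
"""Flag internal hosts whose outbound SMTP fan-out looks like a spam zombie:
many direct connections to distinct external mail servers, bypassing the
site's own relay. Added example; log lines below are constructed."""
from collections import defaultdict
import re

# Constructed sample flow-log lines (timestamp src dst dport); not real traffic.
SAMPLE_LOG = """\
2004-10-29T17:40:01 src=10.0.0.17 dst=192.0.2.10 dport=25
2004-10-29T17:40:02 src=10.0.0.17 dst=198.51.100.5 dport=25
2004-10-29T17:40:02 src=10.0.0.17 dst=203.0.113.77 dport=25
2004-10-29T17:40:03 src=10.0.0.17 dst=198.51.100.9 dport=25
2004-10-29T17:40:03 src=10.0.0.17 dst=192.0.2.44 dport=25
2004-10-29T17:40:04 src=10.0.0.17 dst=192.0.2.45 dport=25
2004-10-29T17:40:05 src=10.0.0.42 dst=10.0.0.2 dport=25
2004-10-29T17:40:06 src=10.0.0.42 dst=10.0.0.2 dport=25
2004-10-29T17:40:07 src=10.0.0.42 dst=192.0.2.10 dport=80
2004-10-29T17:40:08 src=10.0.0.99 dst=192.0.2.10 dport=25
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
RELAY = "10.0.0.2"  # assumed: the site's authorised outbound mail relay


def is_internal(ip):
    """Assumed internal address space: 10.0.0.0/8."""
    return ip.startswith("10.")


def smtp_fanout(log_text):
    """Map each internal source to the set of distinct external port-25 peers.
    Traffic to the relay or to other internal hosts is legitimate and ignored."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port != 25 or dst == RELAY or is_internal(dst) or not is_internal(src):
            continue
        fanout[src].add(dst)
    return fanout


def suspected_zombies(log_text, threshold=5):
    """Hosts talking directly to at least `threshold` distinct external MXs."""
    return sorted(src for src, peers in smtp_fanout(log_text).items()
                  if len(peers) >= threshold)
```

A host that appears here is a candidate for the outbound-25 block (or for being pointed at the relay only), which is the per-site version of the ISP-level measure described above.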
