Interesting People mailing list archives
more on 80 per cent of home PCs infected - survey
From: David Farber <dave () farber net>
Date: Fri, 29 Oct 2004 20:39:01 -0400
Begin forwarded message:
From: Rich Kulawiec <rsk () gsp org>
Date: October 29, 2004 5:40:05 PM EDT
To: thomas.greene () theregister co uk
Cc: David Farber <dave () farber net>, Dewayne Hendricks <dewayne () warpspeed com>, Ronald Edge <InactiveX666 () hotmail com>
Subject: Re: [IP] 80 per cent of home PCs infected - survey
The Internet is well on its way to becoming one vast bot net, a survey (http://www.staysafeonline.info/news/safety_study_v04.pdf) by AOL and the National Cyber Security Alliance suggests.
This meshes rather closely with what those of us in the anti-spam community are seeing: estimates vary depending on who's making them, but as a rough consensus, something like 80% of all SMTP spam presented to mail servers is currently coming from infected Windows systems ("zombies"). This trend started as a trickle about two years ago, underwent geometric increase in the spring of 2003, and has continued upward ever since: I can't see any sign that it's been reversed, or for that matter, even being seriously addressed.

(We're also seeing substantial populations of zombies on corporate and educational networks. Granted, systems in these environments tend to be better managed than those belonging to home users, but the avalanche of viruses, worms, spyware, adware, etc., has been a problem for them as well. For instance, Ronald Edge, writing in Usenet's news.admin.net-abuse.email earlier this month, commented:

A couple of weeks ago studies released suggested numbers of new systems being zombied / taken over range at a minimum estimate of 30,000 and a high estimate of 70,000 every day. We are starting to see troubling signs of PCs we maintain that are locked down and updated as tight as possible managing to get infected, we suspect either by web browser or by email, since the holes there and the vulnerabilities are now coming faster than we can respond to. MS is certainly not responding fast enough, e.g. with an operating system that is not to security what cheese is to Switzerland.

I've CC'd Ron on this note in case he wants to comment further, but the impression I get from his comments and others is that even people who are very clueful, very diligent, and working their tails off are being overwhelmed with problems that are arising much faster than they can be addressed.

I should also pause to note that in some cases home systems and corporate systems are synonymous: some people work from home via VPNs, others use laptops which may be connected in different places at different times, and so on.)

But this problem has far worse implications than those associated just with spam, which, as bad as it is, is probably the least of our concerns.
Whoever is controlling those zombies has access to an enormous amount of computing power and bandwidth. Moreover, they also enjoy network diversity, making their operation exceedingly difficult to disrupt -- because it is everywhere and nowhere. And with even a modicum of care, they can probably make themselves very difficult to trace (i.e. by concealing their points of control, or redirecting them through multiple layers or zombies, etc.) And - as far as I can tell - we, where "we" is everyone who isn't controlling them, don't know who is: are we up against 4 attackers or 4,000?

I could spend the rest of the afternoon constructing a list of all the things those zombies could be used for. One thing that we've seen already is advertising touting distributed denial-of-service (DDoS) attacks-for-hire; one thing we may have seen are test runs to gauge the effectiveness of the possible future DDoS attacks against various targets.
See, for example:
http://story.news.yahoo.com/news?tmpl=story&cid=2026&ncid=2026&e=4&u=/latimests/20041025/ts_latimes/deletingonlineextortion
and
http://news.com.com/British+cybercops+nab+alleged+blackmailers/2100-7348_3-5278046.html?tag=nefd.top
These zombies also render moot any pretense of security and privacy: after all, those who are remotely controlling them have FULL control of them, including the ability to retrieve any file on them (or replace it), retrieve username/password combinations or grab them as they're used, use any service that the former owner of the system has credentials to use, and so on. (Which is one reason why all currently-proposed mail sender authentication schemes have absolutely no value at the moment. All of them presume that the mail origination points are secure. They're not.)

Let me suggest just one scenario: what do you think would happen if an attacker unleashed a serious DDoS attack against selected US city, state, and federal network resources on Tuesday, November 2, 2004? (with perhaps a few major news web sites thrown in for good measure) Oh, I'm aware that voting processes are, in theory, insulated from exposure to the Internet: but I'm willing to bet that in practice that's not true, and that sufficiently aggressive and well-targeted attacks against infrastructure such as routers, firewalls, DNS servers, mail servers and web servers would have a noticeable disruptive effect.

I have no idea what we do if that happens. (Well, actually, I do: first we engage in a serious round of partisan finger-pointing. It's what we do whenever there's a crisis. ;-) ) I suspect that it will take a crisis situation like that, or something of a similar nature, to provoke serious action on this problem. (I very much hope I'm wrong about that.)

But... The end-users are largely unaware of the problem, and even those who are aware often lack the (admittedly extensive) skills to solve it AND keep it solved. The ISPs which connect most of the users have been in steadfast denial for what is now going on years; only a few have begun taking belated and half-hearted measures like blocking outbound port 25 (SMTP) access -- and even that only deals with spam issues, and then only in part. And Microsoft...well, let's just say that there's not much help coming there, especially for users of older versions of their OS. And even if there were -- I'm not sure how much good it would do, as the points-of-entry for malware are so numerous (see Ron's comments above) that it's not clear that it's possible to really and truly secure these systems.

---Rsk

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/