Infected Botnet PCs Quadruple In 90 Days
It's getting easier to keep compromised machines under control?
The Register and a post over at the SANS Internet Storm Center point to new data suggesting that the number of infected zombie botnet machines has quadrupled in the last ninety days. "I imagine that the bad guys have gotten better about keeping machines owned," suggests John Bambenek, who also says the spike coincides with an increase in SQL injection attacks against webservers. According to the post, malware honeypot detection and analysis techniques have been lacking, but the ISC has been working on it.
Smith6612 (MVM, North Tonawanda, NY, joined 2008-02-01)

Most recently...

I've been cleaning a lot of junk out of PCs for people in my area, so I wouldn't be surprised if their PCs had been taken over by a virus into a botnet, after finding roughly 20 viruses in their machines. And even more recently, as of yesterday, I had to reformat someone's PC for them because a virus corrupted their Windows install and their files, which I couldn't repair.

Keep on the anti-virus (not outdated OEM installed stuff) and the anti-spy and you'll be good. Not to mention that safe browsing and firewalls help a lot.

Matt3, "All noise, no signal." (Premium Member, Jamestown, NC, joined 2003-07-20)

Re: Most recently...

said by Smith6612:

Keep on the anti-virus (not outdated OEM installed stuff) and the anti-spy and you'll be good. Not to mention that safe browsing and firewalls help a lot.
All the firewalls, anti-virus, anti-spyware, and anti-trojan programs in the world can't fix stupid.

QuakeFrag (Premium Member, NH, joined 2003-06-13)

Re: Most recently...

said by Matt3:

All the firewalls, anti-virus, anti-spyware, and anti-trojan programs in the world can't fix stupid.
So very, very true.
atigerman (Member, Tigerton, WI, joined 2002-01-19)

Re: Most recently...

Reminds me of the time when I went to my cousin's place because he was complaining of a slow computer. After spending a few hours with it I found he had

5 rootkits
3 backdoor downloaders
3 different browser hijacks
50 different viruses

I just looked him in the eye, told him his computer has AIDS and walked out.

n2jtx (Member, Glen Head, NY, joined 2001-01-13), replying to QuakeFrag

said by QuakeFrag:

said by Matt3:

All the firewalls, anti-virus, anti-spyware, and anti-trojan programs in the world can't fix stupid.
So very, very true.
+1

Even the most sophisticated software can be overridden by a dumb user clicking "OK" to an alert.
Kearnstd, "Space Elf" (Premium Member, Mullica Hill, NJ, joined 2002-01-22)

Re: Most recently...

said by n2jtx:
said by QuakeFrag:
said by Matt3:

All the firewalls, anti-virus, anti-spyware, and anti-trojan programs in the world can't fix stupid.
So very, very true.
+1

Even the most sophisticated software can be overridden by a dumb user clicking "OK" to an alert.
This is why I at times question the value of the UAC in Vista. I bet most users will just click OK anytime that thing pops up.

SLD (Premium Member, San Francisco, CA, joined 2002-04-17)

Re: Most recently...

Yep. MS made it too invasive, so you are clicking so often that it becomes a habit to just click any message. I turn off UAC on all Vista installs I work with, and my Dad asked me to take it off of his as well. Funny thing is I originally recommended he upgrade to Vista for the UAC (a long while back)... what a waste.
boast (Member, Miami, FL, joined 2005-09-03), replying to n2jtx

That's the reason I had to switch my dad from Windows. He would press OK for whatever popped up, no matter what it said, just to get it to go away.

After installing linux and not telling him the root pass, all is good.

Smith6612 (MVM, North Tonawanda, NY, joined 2008-02-01), replying to Matt3

And I completely understand that. It's one of the reasons why I taught myself how to remove these things for people in the first place. I have personally never had a virus or spyware infection since I first used the internet in 1998, and I'm online quite a bit as well.

Maxo, "Your tax dollars at work." (Premium Member, Tallahassee, FL, joined 2002-11-04), replying to Matt3

said by Matt3:

All the firewalls, anti-virus, anti-spyware, and anti-trojan programs in the world can't fix stupid.
There is one Trojan that will keep stupid from spreading. I'm just sayin'...

Matt3, "All noise, no signal." (Premium Member, Jamestown, NC, joined 2003-07-20)

Re: Most recently...

said by Maxo:
said by Matt3:

All the firewalls, anti-virus, anti-spyware, and anti-trojan programs in the world can't fix stupid.
There is one Trojan that will keep stupid from spreading. I'm just sayin'...
Now that is the biggest truth of all!

bent and Inga (Premium Member, Loveland, CO, joined 2004-10-04), replying to Maxo

said by Maxo:
said by Matt3:

All the firewalls, anti-virus, anti-spyware, and anti-trojan programs in the world can't fix stupid.
There is one Trojan that will keep stupid from spreading. I'm just sayin'...
Unfortunately the ones who should are the ones who don't.

Doctor Four, "My other vehicle is a TARDIS" (Premium Member, Dallas, TX, joined 2000-09-05)

Re: Most recently...

said by bent:
said by Maxo:
said by Matt3:

All the firewalls, anti-virus, anti-spyware, and anti-trojan programs in the world can't fix stupid.
There is one Trojan that will keep stupid from spreading. I'm just sayin'...
Unfortunately the ones who should are the ones who don't.
Idiocracy at work...
mrgrock1 (Member, Port Charlotte, FL, joined 2003-06-05), replying to Matt3

Id.10t errors will do it every time.

CampMaster, "Rather Be Camp'n" (Premium Member, Trabuco Canyon, CA, joined 2001-05-16), replying to Matt3

AMEN!

~CMT

DaMaGeINC, "The Lan Man" (Premium Member, Greenville, SC, joined 2002-06-08), replying to Smith6612

What's some of the software you use to do this? I never had the need for anti-virus software; that stuff is for the retards that do not know how to use the internet. But I have a friend's PC over here and he wanted me to clean it. I was like sure, but then I was like, what do I clean it with? It's easy to Google search, but I'd rather have first-hand advice on what is good and what's not.

jaa (Premium Member, joined 2000-06-13)

Re: Most recently...

Here ya go: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

Smith6612 (MVM, North Tonawanda, NY, joined 2008-02-01), replying to DaMaGeINC

I personally don't need A/V software myself, as all I do is game and visit FileFront for game patches when Steam doesn't download the game patches, and of course e-mail and forums. However, we have some internet users in our house who don't know the internet as well as me, so I have to use Avast! and Spybot S&D on all of our computers. My gaming computer, which I have to myself, has Avast and Spybot S&D just for the heck of it.

cdru, "Go Colts" (MVM, Fort Wayne, IN, joined 2003-05-14)

Re: Most recently...

said by Smith6612:

I personally don't need A/V software myself...
Famous last words, along with...

...I don't need to wear a seat belt.
...I know my drinking limit.
...I can keep pirating [insert media], I've never been caught.

It only takes one time for one mistake to happen to completely fsck up your life (or in this case, a computer). I don't care how careful you are, not having some type of protection is like playing Russian roulette.
kpatz, "MY HEAD A SPLODE" (Premium Member, Manchester, NH, joined 2003-06-13)

I wonder if "Antivirus 2008" has any connection with this...

This seems to be the infection du jour lately. I almost got bitten with it myself, but fortunately I was using Firefox and I killed it before it was able to download anything.

I think home routers should be equipped with built-in bot traffic detection code. When a machine gets "botted", the router shuts down traffic to that machine until it's cleaned.
moonpuppy (banned) (Member, Glen Burnie, MD, joined 2000-08-21)

Re: I wonder if "Antivirus 2008" has any connection with this...

said by kpatz:

This seems to be the infection du jour lately. I almost got bitten with it myself, but fortunately I was using Firefox and I killed it before it was able to download anything.

I think home routers should be equipped with built-in bot traffic detection code. When a machine gets "botted", the router shuts down traffic to that machine until it's cleaned.
That is that Vundo crap that I just cleaned off another machine.

Such a pain to clean off.

Cjaiceman (MVM, Castle Rock, WA, joined 2004-10-12)

Re: I wonder if "Antivirus 2008" has any connection with this...

The latest version of Antivirus 2008 that I have been cleaning off people's computers also has rootkits. They are a major PITA to clean, unless you know how.

In the last 3 weeks, out of 11 computers that had Antivirus 2008, 8 of them had the same rootkit, which no anti-virus or anti-spyware will get, you have to do it manually.
moonpuppy (banned) (Member, Glen Burnie, MD, joined 2000-08-21)

Re: I wonder if "Antivirus 2008" has any connection with this...

said by Cjaiceman:

The latest version of Antivirus 2008 that I have been cleaning off people's computers also has rootkits. They are a major PITA to clean, unless you know how.

In the last 3 weeks, out of 11 computers that had Antivirus 2008, 8 of them had the same rootkit, which no anti-virus or anti-spyware will get, you have to do it manually.
What do you look for, since I have to clean another one of those in a couple of days?

S_engineer (Premium Member, Chicago, IL, joined 2007-05-16), replying to moonpuppy

said by moonpuppy:

said by kpatz:

That is that Vundo crap that I just cleaned off another machine.

Such a pain to clean off.
If it's Vundo or nail.exe I tell people not to waste their time. Back up as read only and wipe the OS. Start anew, maybe then their browsing habits will change.

Smith6612 (MVM, North Tonawanda, NY, joined 2008-02-01), replying to kpatz

I've had to clean loads of these infections out of local PCs. It's been a pretty quick spreading Malware program since the beginning of this year from where I can see. I've probably already made enough money to buy myself a GeForce GTX 280 for my gaming computer removing this malware program. Of course, that's given the fact that I trade in my GeForce 8800 Ultra.

IT Guy, "Ow, My Balls" (Premium Member, Las Cruces, NM, joined 2004-07-29), replying to kpatz

Don't get me started on this one!!! I had to clean this off of a client's computer and it was a major pain. To make matters worse, he thought the messages popping up on his screen were legitimate and ended up ordering their 'product'. Needless to say, I urged him to contact his credit card company and ask them to stop payment on that transaction. He didn't seem to understand the full nature of giving his credit card info to an unscrupulous, thieving company. I was tempted to contact my state Attorney General's office about it, but figured my efforts would be in vain without the cooperation of my client. Oh well..
frankhs (Member, Anaheim, CA, joined 2007-10-18), replying to kpatz

Anti-Virus 2008, the popup you get IS a virus. Give it permission to install on your PC and it will, inviting all kinds of nasty relatives over to move in.

Frank

meister_sd (Premium Member, La Mesa, CA, joined 2006-01-29)

Lists?

If these guys are finding all these bot nets, then they should know the IPs of the infected computers. Shouldn't someone have a list of these IPs posted somewhere so home users or corporate admins can check this?
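
Such lists do exist, as DNS-based blocklists: Spamhaus's XBL, for example, lists addresses of hijacked machines. What follows is an added example, not from the thread, of how a client asks one. The address's octets are reversed and prefixed to the zone name; a listing comes back as an A record in 127.0.0.0/8, and NXDOMAIN means not listed. The zone bl.example and its answers are constructed so the script runs offline; to query a real list, pass system_resolve and that list's zone, and read its terms first, since each list defines its own 127.x.y.z return codes and query limits.

```python
"""DNSBL lookup for IPv4 addresses, with an offline stub resolver."""
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")   # DNSBLs answer hits with 127.x.y.z

# RFC 1918 space plus loopback: never send these to a public list. They mean
# nothing to it and the query leaks your internal addressing to its operator.
LOCAL_ONLY = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 203.0.113.45 -> 45.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on garbage input
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def is_listed(ip, zone, resolve):
    """True when `zone` lists `ip`. `resolve(name)` returns the A records for
    `name` as strings, or [] for NXDOMAIN. Only a 127/8 answer counts as a
    hit: a dead or parked zone that wildcards every name to some public
    address must not make every host look infected."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in LOCAL_ONLY):
        return False
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in LISTED_RANGE for a in answers)


def system_resolve(name):
    """Resolver backed by the OS stub resolver; not exercised by the offline demo."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed zone content standing in for a real list; "bl.example" is made up.
CONSTRUCTED_ZONE = "bl.example"
CONSTRUCTED_ANSWERS = {
    "45.113.0.203.bl.example": ["127.0.0.2"],        # listed
    "9.113.0.203.bl.example": ["198.51.100.1"],      # bogus non-127 answer: not a hit
}


def stub_resolve(name):
    return CONSTRUCTED_ANSWERS.get(name, [])


def check_hosts(ips, zone=CONSTRUCTED_ZONE, resolve=stub_resolve):
    """Map each address to its listing status, for a quick batch check."""
    return {ip: is_listed(ip, zone, resolve) for ip in ips}


if __name__ == "__main__":
    sample = ["203.0.113.45", "203.0.113.9", "203.0.113.46", "192.168.1.5"]
    for ip, hit in check_hosts(sample).items():
        print(ip, "LISTED" if hit else "not listed")
```

For a home user the useful query is the public address the router gets from the ISP, not the 192.168.x.x of any one PC; a hit tells you something behind that address is misbehaving, not which machine, which is where the router-side heuristics come in.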
nightstar75 (Member, Pleasantville, PA, joined 2008-07-30)

Nasty Devil

This new phase of malware is nasty. One cannot go to one of the 100 or so sites to get software or removal tools for these (Ad-Aware, Avast, Spybot, HijackThis, etc.) as the DNS points to another IP or to the local system itself. It makes it difficult when one can't install the software on an infected system in regular or safe mode.

After a while of playing around I finally transferred Spybot S&D (fully updated) from another system to a flash drive, copied the folder over to the infected system and ran it. It cleaned it somewhat, but enough to install Avast and Ad-Aware (even though DNS was still being redirected). I had to manually download the definitions for Avast and Ad-Aware to a flash drive, then import them into the infected system.

Finally a ton of success, and I also ran HijackThis and the online versions of Trend and Panda once the DNS got fixed.

It had a mix of Zlob, Virtumonde, and AV 2008.

Anyone who gets caught for making this stuff should be in prison (in the USA) or, if they are from a different country, punish the country by not allowing DNS resolution to US territory (thus preventing access or limiting access to US networks) until they can resolve the issue.
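
The redirection nightstar75 describes, where vendor sites resolve to another host or to the machine itself, is commonly done through the Windows hosts file, which takes precedence over DNS and is still honoured in safe mode. Added example, not from the post: a small Python check that parses a hosts file and flags any entry for a security-vendor domain, whether it points at loopback or at some other address. The watchlist and the sample file are assumptions constructed for the example.

```python
"""Flag hosts-file entries that sinkhole or redirect security-vendor domains."""

# Assumed watchlist: domains of the tools named in the thread plus Windows Update.
# Extend it with whatever you need to reach during a cleanup.
WATCHLIST = (
    "avast.com",
    "safer-networking.org",    # Spybot S&D
    "lavasoft.com",            # Ad-Aware
    "trendmicro.com",          # HijackThis / HouseCall
    "windowsupdate.com",
    "microsoft.com",
)
LOOPBACK = ("127.", "0.0.0.0", "::1")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower()


def on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def suspicious_entries(text):
    """Return [(line_no, hostname, verdict)] for watchlisted names. A clean
    hosts file maps only localhost; any vendor domain present at all is a
    finding, whether it points at loopback or at some other host."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not on_watchlist(name):
            continue
        if ip.startswith(LOOPBACK):
            verdict = "sinkholed to loopback"
        else:
            verdict = f"redirected to {ip}"
        findings.append((line_no, name, verdict))
    return findings


# Constructed sample, not a real victim's file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com avast.com
127.0.0.1       www.safer-networking.org
198.51.100.9    download.lavasoft.com   # attacker-controlled mirror
127.0.0.1       update.microsoft.com
10.0.0.5        intranet.example        # legitimate local override
"""


def scan_file(path):
    """Scan the live file (on Windows normally
    C:\\Windows\\System32\\drivers\\etc\\hosts). Edits to it take effect
    without a reboot, so check it first when vendor sites 'don't resolve'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for line_no, name, verdict in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} {verdict}")
```

A hit is a hijack only if you did not add the line yourself; overrides for names outside the watchlist are left alone. If the hosts file is clean and vendor sites still resolve wrongly, the resolver itself has been changed: compare the DNS servers shown by ipconfig /all with the ones the ISP or router should be handing out.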
atigerman (Member, Tigerton, WI, joined 2002-01-19)

Re: Nasty Devil

I have to ask, what's the point of spending countless hours attempting to clean a system up? I mean, can you ever be 100% certain that the system is clean?

Wouldn't it make more sense to just reinstall from an original backup or to just perform a clean install?

Smith6612 (MVM, North Tonawanda, NY, joined 2008-02-01)

Re: Nasty Devil

That can be a pain for many users who don't know a thing about the Windows Setup Utility (or OEM PC Angel craps out on them). Last month I had to do this twice for people, and since I do in-home work, I ended up spending 3-5 hours installing Windows, moving their files back, updating their box, and doing some work on the machine at their home before I leave.
nightstar75 (Member, Pleasantville, PA, joined 2008-07-30)

Re: Nasty Devil

I do this for a living too, and have for 20 years. I would love to re-install everything for a client. I take pride in trying to keep as much as possible, especially when a client has important software they may or may not have the keys for.

Upon cleaning, I get a backup of the data and let the client know I cannot guarantee the outcome. If it happens again within so many days, I have the client gather as much info as possible and I factory-restore the system for them.

Smith6612 (MVM, North Tonawanda, NY, joined 2008-02-01)

Re: Nasty Devil

I actually do quite a bit of computer work just for fun, so it's not for a living in my case. I get called in for jobs mainly during the summer and winter months when everyone is online.

Glaice, "Brutal Video Vault" (Premium Member, North Babylon, NY, joined 2002-10-01)

Lessons?

Where are mandatory security lessons and COMMON SENSE for people using computers these days?

Hardware firewalls and anti-spyware countermeasures (i.e. SpywareBlaster) have to be a top priority now.

What if more people used Linux or Linux based OSes than Windows? We'd have far less zombie PCs as we know it.
phantom6294 (Member, Abingdon, MD, joined 2002-02-27)

Re: Lessons?

said by Glaice:

Where are mandatory security lessons and COMMON SENSE for people using computers these days?
Common sense, as many know, is perhaps the least common thing in this world. Even if we did have mandatory security lessons... it wouldn't do a damn thing. Why is that? Take a look at the millions upon millions of seemingly complete idiots who take to the nation's highways everyday. They all supposedly had to take driving classes and/or pass a driving test. Yet, it seems 99% of most drivers still don't understand the basic mechanics of driving. Many people haven't mastered the basic mechanics of using turn signals, driving right / passing left, obeying traffic lights/signals, signs, etc.

Why on earth does anyone think the masses will ever master the basics of anti-virus, firewalls, anti-spyware, safe surfing, etc??? It's not going to happen... which is great for those who make a living off the more moronic of our species.
nightstar75 (Member, Pleasantville, PA, joined 2008-07-30), replying to Glaice

You may be right, but once Linux and Mac become more mainstream like Windows, then idiots will target them too. Why target an OS where a few million use it when you can target one that is used by 90x more people?

TamaraB, "Question The Current Paradigm" (Premium Member, Da Bronx, joined 2000-11-08)

A bad sign

This says ONE thing, and that is that M|(r0$#|t is not only getting worse in the security department, but is continuing to use their paid customers as unpaid beta-testers. What slime-balls!

Until you M$ slaves refuse to accept and pay for defective beta software, you will continue to crap up the net for everyone.

What's wrong with you people?

Bob

GeEkSpeak (Anon, @cox.net)

Re: A bad sign

Bob,

Please don't take this the wrong way, but that was the most idiotic comment of the year. Save it.

djrobx (Premium Member, Reno, NV, joined 2000-05-31)

Wouldn't take much...

quote:
I imagine that the bad guys have gotten better about keeping machines owned
The biggest mistake malware scum "programmers" make is over-use of system resources. Infected machines will get cleaned eventually if they're getting pop-up ads galore, or their computer/network is slowed to a crawl because their CPU usage or connection is maxed out.

If, however, a recent strain was more "courteous", people might not even know they're infected, and might be more apt to unknowingly leave their machine as part of the botnet for a long time.

The recent strains of malware are definitely more tough to remove. I generally give Hijackthis, Ad Aware and Spybot a good college try, but if that doesn't do it, it's a fresh install. Some people really freak because they've lost their software installation CDs or license keys. If you think you might be that sort of person you need to be making a backup with something like Acronis TrueImage.

P Ness, "You'Ve Forgotten 9-11 Already" (Premium Member, way way out, joined 2001-08-29)

good thing they are dealing with real problems like.....

User Caps...
TheMG (Premium Member, Canada, joined 2007-09-04)

Botnets: every sysadmin's cause of frustration.

It's getting pretty ridiculous, there's so much you have to do now to ward off all the malicious acts caused by botnets. Tightening mail server security and spam filtering, using ever more complex captchas (image verification), changing server ports, managing firewalls... the list goes on. Oh, and don't get me started on DDoS attacks!
frankhs (Member, Anaheim, CA, joined 2007-10-18)

That's why Linux was created

I run no anti-virus and no firewall on a 9-year-old IBM ThinkPad 600x, WiFi-ing and all, running with absolutely no protection. Never got anything.

Of course I run Ubuntu Linux

Friends run Windows and are always catching something.

I won't re-install Windows of any flavor for a friend but I'll always offer to install Linux, with Ubuntu being my first choice.

I use Windows, off-line for Gaming ONLY

I know, I'm opinionated but you should try leaving the virus, spyware and zombie botnets behind in the last century. Windows is so last week

Sincerely

Frank Harris-Smith


ITALIAN926 (Member, joined 2003-08-16)

From a FiOS tech.

Hey guys, the other day I came across a router that was just going berserk. The activity light was blinking a zillion times a minute, non-stop. Initially, I thought it was a defective router, so I changed it out. Same issue. I then unwillingly swapped out our ONT. Same issue.

There was soooo much data being transferred, it even screwed up our on-demand. Apologized to the customer and told them they gotta have their computer checked. Left their computer unplugged when I left so it wouldn't interfere with the on-demand.

Anyone know what this was all about.. or if I missed anything?

ultracooldave (Anon, @verizon.net)

"Imaging is the answer"

I keep an image (Acronis True Image v11) of all partitions (10) on 7 computers so that just in case my security fails I can always go back to a good image (without the malware) with a couple of clicks.
Unfortunately most people are too dumb or cheap to do so, all I can say is good luck spending your life fooling around with your computers! All of mine work perfectly all the time.

tech25 (Anon, @comcast.net)

hype

I don't know why all you people are attracting all this spyware/malware crap, but me and my clients have been clean for years - I just don't have these problems!! All I'm using is McAfee VScan Enterprise 8.5i and DNS Redirector (or in some corporate environments another filtering solution) with Porn, Phishing and Advertisement blocking. Problem solved. Or maybe this is one of those self-fulfilling prophecies where you like the business of cleaning up spyware/malware from horny customers?

Billclo (Anon, @comcast.net)

things seem worse lately

I actually ran across an interesting malware infestation recently. The machine had 2 user accts and 1 admin acct, yet the user accts could not install anything, could not get on the Internet, had popups, etc. Upon further investigation, I found that the 2 user accts had been changed into guest accts, and the admin acct had been monkeyed with.

I mean, there was no password for the admin acct, yet upon going into Control panel/User accts, there were NO users listed. You couldn't change them to a regular user. Even the admin acct could not change services, etc.

It's as if someone remotely setup another admin acct, locking out all the other accts. Needless to say that machine got re-formatted and reinstalled pronto...

But yes things seem worse lately than they did before, Malware-wise.