Tuesday, May 04, 2004

Is your machine a member of BotNet?

Some spyware and viruses contain scripts that allow a third party to take over a user's computer and use it without the owner knowing. The most common use made of people's computers at this point is as a conduit for spamming. By hijacking a computer, a spammer can use that computer's IP address to send the spam and mask that it is coming from the spammer (this is now illegal under the CAN-SPAM Act). Another fairly common use is to make the hijacked computer send out loads of data requests to a particular website; if enough computers are sending the requests, the server that the webpage is located on gets clogged up and the target site is brought down.

Viruses such as My-Doom and Bagle surrender the control of infected machines to hackers. This expanding network of infected, zombie machines can be used either for spam distribution or as platforms for DDoS attacks, such as those that many online bookies have suffered in recent months. By using compromised machines - instead of open mail relays or unscrupulous hosts - spammers can bypass IP address blacklists.

Now things are getting even worse for users: apparently spammers and hackers are now selling access to these "BotNets." Even organized crime is starting to get in on the action. What they are actually using the BotNets for, other than spamming and denial of service attacks, is less certain, but with keyloggers and other tools they would certainly have the ability to find out passwords, credit card numbers, etc. from hundreds of thousands or millions of people who have this malware on their machines. They are even selling access to machines with high-speed connections for a premium to speed up their spamming!

Mark Sunner, chief technology officer at email security firm MessageLabs, said much of the spam it blocks comes from IP ranges allocated to high-speed cable modem or ADSL accounts, such as roadrunner and MSN in the US. MessageLabs reckons two thirds of the spam it blocks originates from computers infected by viruses such as Sobig-F or Bagle. Spam volumes are growing. More than two thirds of the email passing through MessageLabs systems so far this month was spam compared to 53 per cent for March as a whole.

The recent MyDoom virus used infected computers to launch a DDoS attack on SCO, the company that is suing IBM over the Linux OS. Obviously those virus writers were big Linux fans.

Sasser, the latest big-time virus, which debuted over the weekend, is spreading fast. Some think it could reach MSBlast proportions; MSBlast infected 10 million computers.

The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing a File Transfer Protocol (FTP) server and then downloading themselves to the new host.
Early Monday, Symantec had counted at least 10,000 confirmed infections, and acknowledged that hundreds of thousands of computers have likely been infected.

Luckily, News.com.com says: Although Sasser.B does not feature a back door to allow spammers and others to enter a user's system, Symantec's Huger said he would not be surprised if that feature is added to later versions of Sasser. So Sasser doesn't add you to BotNet, yet...
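The three symptoms described above (a hijacked machine relaying spam from its own IP, a machine hammering one website as part of a DDoS, and a worm dropping an FTP server on the host) all show up in connection logs. Here is an added example, not from the post or any of the articles it cites, that scores per-host connection records against those three patterns. The log line format, the thresholds and the baseline of expected listening ports are assumptions made for this example, and the sample records are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not real traffic). Assumed format:
# "host=<local ip> out <remote ip>:<port>" or "host=<local ip> listen <port>".
SAMPLE_LINES = (
    [f"host=10.0.0.5 out 198.51.100.{i}:25" for i in range(1, 31)]  # SMTP to 30 distinct hosts
    + ["host=10.0.0.11 out 203.0.113.4:80"] * 200                  # 200 hits on one web server
    + ["host=10.0.0.9 listen 21", "host=10.0.0.9 out 192.0.2.10:443"]  # new FTP-style listener
    + ["host=10.0.0.7 out 192.0.2.20:443", "host=10.0.0.7 out 192.0.2.21:80"]  # benign host
)

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+(?P<kind>out|listen)\s+(?P<target>\S+)")

def assess(lines, smtp_peers=20, flood_hits=100, baseline_ports=frozenset({135, 139, 445})):
    """Return {host: [findings]} for hosts matching any of the three botnet symptoms.
    smtp_peers: distinct remote hosts contacted on port 25 before we suspect spam relaying.
    flood_hits: connections to one remote endpoint before we suspect DDoS participation.
    baseline_ports: listening ports considered normal (assumed values for this example)."""
    smtp_targets = defaultdict(set)   # host -> distinct remote hosts reached on port 25
    per_dest = defaultdict(Counter)   # host -> connection count per remote endpoint
    listeners = defaultdict(set)      # host -> ports it has opened for incoming connections
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                  # skip lines that do not match the assumed format
        host, kind, target = m.group("host", "kind", "target")
        if kind == "listen":
            listeners[host].add(int(target))
            continue
        ip, port = target.rsplit(":", 1)
        per_dest[host][target] += 1
        if port == "25":
            smtp_targets[host].add(ip)
    findings = defaultdict(list)
    for host, peers in smtp_targets.items():
        if len(peers) >= smtp_peers:  # a desktop rarely talks SMTP to many mail servers itself
            findings[host].append(f"spam relay suspicion: SMTP to {len(peers)} distinct hosts")
    for host, counts in per_dest.items():
        dest, n = counts.most_common(1)[0]
        if n >= flood_hits:           # one host repeatedly hitting one endpoint
            findings[host].append(f"flood suspicion: {n} connections to {dest}")
    for host, ports in listeners.items():
        for port in sorted(ports - baseline_ports):  # e.g. a worm-installed FTP server
            findings[host].append(f"unexpected listener on port {port}")
    return dict(findings)

if __name__ == "__main__":
    for host, notes in assess(SAMPLE_LINES).items():
        print(host, "->", "; ".join(notes))
```

On the constructed sample, 10.0.0.5, 10.0.0.11 and 10.0.0.9 are each flagged for one symptom and 10.0.0.7 is clean; tune the thresholds to your own baseline before running this over real logs.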

Via The Register.

More on News.com.com about Sasser here. More from Reuters here.
