[IP] more on 80 per cent of home PCs infected - survey
Begin forwarded message:
From: Rich Kulawiec <rsk@xxxxxxx>
Date: October 29, 2004 5:40:05 PM EDT
To: thomas.greene@xxxxxxxxxxxxxxxxx
Cc: David Farber <dave@xxxxxxxxxx>, Dewayne Hendricks <dewayne@xxxxxxxxxxxxx>, Ronald Edge <InactiveX666@xxxxxxxxxxx>
Subject: Re: [IP] 80 per cent of home PCs infected - survey
The Internet is well on its way to becoming one vast bot net, a survey
(http://www.staysafeonline.info/news/safety_study_v04.pdf) by AOL and
the National Cyber Security Alliance suggests.
This meshes rather closely with what those of us in the anti-spam community
are seeing: estimates vary depending on who's making them, but as a rough
consensus, something like 80% of all SMTP spam presented to mail servers
is currently coming from infected Windows systems ("zombies").
This trend started as a trickle about two years ago, underwent geometric
increase in the spring of 2003, and has continued upward ever since:
I can't see any sign that it's been reversed, or for that matter, even
being seriously addressed.
(We're also seeing substantial populations of zombies on corporate and
educational networks. Granted, systems in these environments tend to be
better managed than those belonging to home users, but the avalanche of
viruses, worms, spyware, adware, etc., has been a problem for them as
well.
For instance, Ronald Edge, writing in Usenet's news.admin.net-abuse.email
earlier this month, commented:
A couple of weeks ago studies released suggested numbers of new
systems being zombied / taken over range at a minimum estimate
of 30,000 and a high estimate of 70,000 every day. We are starting
to see troubling signs of PCs we maintain that are locked down and
updated as tight as possible managing to get infected, we suspect
either by web browser or by email, since the holes there and the
vulnerabilities are now coming faster than we can respond to. MS
is certainly not responding fast enough, e.g. with an operating
system that is not to security what cheese is to Switzerland.
I've CC'd Ron on this note in case he wants to comment further, but the
impression I get from his comments and others is that even people who
are very clueful, very diligent, and working their tails off are being
overwhelmed with problems that are arising much faster than they can
be addressed.
I should also pause to note that in some cases home systems and corporate
systems are synonymous: some people work from home via VPNs, others use
laptops which may be connected in different places at different times,
and so on.)
But this problem has far worse implications than those associated just
with spam, which, as bad as it is, is probably the least of our concerns.
Whoever is controlling those zombies has access to an enormous amount of
computing power and bandwidth. Moreover, they also enjoy network diversity,
making their operation exceedingly difficult to disrupt -- because it is
everywhere and nowhere. And with even a modicum of care, they can probably
make themselves very difficult to trace (i.e. by concealing their points
of control, or redirecting them through multiple layers of zombies, etc.)
And - as far as I can tell - we, where "we" is everyone who isn't controlling
them, don't know who is: are we up against 4 attackers or 4,000?
I could spend the rest of the afternoon constructing a list of all the
things those zombies could be used for. One thing that we've seen
already is advertising touting distributed denial-of-service (DDoS)
attacks-for-hire; one thing we may have seen are test runs to gauge the
effectiveness of the possible future DDoS attacks against various
targets.
See, for example:
http://story.news.yahoo.com/news?tmpl=story&cid=2026&ncid=2026&e=4&u=/latimests/20041025/ts_latimes/deletingonlineextortion
and
http://news.com.com/British+cybercops+nab+alleged+blackmailers/2100-7348_3-5278046.html?tag=nefd.top
These zombies also render moot any pretense of security and privacy: after all,
those who are remotely controlling them have FULL control of them, including
the ability to retrieve any file on them (or replace it), retrieve username/
password combinations or grab them as they're used, use any service that
the former owner of the system has credentials to use, and so on.
(Which is one reason why all currently-proposed mail sender authentication
schemes have absolutely no value at the moment. All of them presume that
the mail origination points are secure. They're not.)
Let me suggest just one scenario: what do you think would happen if
an attacker unleashed a serious DDoS attack against selected US city,
state, and federal network resources on Tuesday, November 2, 2004?
(with perhaps a few major news web sites thrown in for good measure)
Oh, I'm aware that voting processes are, in theory, insulated from
exposure to the Internet: but I'm willing to bet that in practice
that's not true, and that sufficiently aggressive and well-targeted
attacks against infrastructure such as routers, firewalls, DNS servers,
mail servers and web servers would have a noticeable disruptive effect.
I have no idea what we do if that happens. (Well, actually, I do:
first we engage in a serious round of partisan finger-pointing.
It's what we do whenever there's a crisis. ;-) )
I suspect that it will take a crisis situation like that, or something
of a similar nature, to provoke serious action on this problem. (I very
much hope I'm wrong about that.)
But...
The end-users are largely unaware of the problem, and even those who are
aware often lack the (admittedly extensive) skills to solve it AND keep
it solved. The ISPs which connect most of the users have been in steadfast
denial for what is now going on years; only a few have begun taking belated
and half-hearted measures like blocking outbound port 25 (SMTP) access --
and even that only deals with spam issues, and then only in part. And
Microsoft...well, let's just say that there's not much help coming there,
especially for users of older versions of their OS. And even if there
were -- I'm not sure how much good it would do, as the points-of-entry
for malware are so numerous (see Ron's comments above) that it's not
clear that it's possible to really and truly secure these systems.
---Rsk
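The two points the message makes about zombie spam (infected PCs deliver it straight to remote mail servers on port 25, and an ISP's outbound-25 block stops only that one symptom) can be made concrete against flow records. The following is an added example, not code from the post or its authors; the smarthost address, the flow records and the fan-out threshold are all constructed for illustration.

```python
"""Spot spam-zombie behaviour in outbound flow records.

Added example, not from the original post. Heuristic: a compromised PC
spewing spam connects directly to many distinct remote mail servers on
TCP/25, while a legitimate client relays through its ISP's smarthost.
All addresses and flow records below are constructed sample data.
"""
from collections import defaultdict

SMTP_PORT = 25
# Assumed ISP relay address (placeholder, not from the post).
SMARTHOSTS = {"192.0.2.10"}

# Constructed flows: (src_ip, dst_ip, dst_port). 10.0.0.7 plays the zombie.
SAMPLE_FLOWS = (
    [("10.0.0.5", "192.0.2.10", SMTP_PORT)] * 3                     # legit mail via relay
    + [("10.0.0.7", f"198.51.100.{n}", SMTP_PORT) for n in range(1, 9)]  # direct-to-MX fan-out
    + [("10.0.0.7", "203.0.113.44", 80)]                            # zombie's other traffic
    + [("10.0.0.9", "203.0.113.80", 80)] * 40                       # ordinary browsing
)


def smtp_fanout(flows, smarthosts=SMARTHOSTS):
    """Map each source to the distinct remote MXs it reached directly on 25."""
    fanout = defaultdict(set)
    for src, dst, port in flows:
        if port == SMTP_PORT and dst not in smarthosts:
            fanout[src].add(dst)
    return dict(fanout)


def suspected_zombies(flows, threshold=5, smarthosts=SMARTHOSTS):
    """Sources that contacted at least `threshold` distinct MXs directly."""
    return sorted(src for src, dsts in smtp_fanout(flows, smarthosts).items()
                  if len(dsts) >= threshold)


def egress_port25_filter(flows, smarthosts=SMARTHOSTS):
    """Model an ISP outbound-25 block: only the smarthost may be reached on 25.

    Returns (blocked, passed). The passed count shows the limit the post
    points out: everything the zombie does on other ports still gets out.
    """
    blocked = sum(1 for _src, dst, port in flows
                  if port == SMTP_PORT and dst not in smarthosts)
    return blocked, len(flows) - blocked


if __name__ == "__main__":
    print("suspected zombies:", suspected_zombies(SAMPLE_FLOWS))
    print("blocked/passed under outbound-25 filter:", egress_port25_filter(SAMPLE_FLOWS))
```

Run against real flow exports, the fan-out threshold and the smarthost set are the two knobs to tune; a legitimate mail server on the network will also show high fan-out and belongs in an allow list rather than in the zombie report.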
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/