
Botnets: A Global Pandemic

Below is another excerpt that got cut from my Post magazine story on botmasters and their contribution to the growing adware and spyware problem.

Some information security experts say the mainstream Internet security companies have inadvertently yet drastically understated the seriousness and threat posed by the global bot epidemic.

"So far, information security companies and researchers have focused on discrete infections: a particular virus or worm, or the outbreak-of-the-week," said David Dagon, a Ph.D. student at Georgia Tech who is working with researchers at the Honeynet Alliance, an international volunteer group whose members are conducting some of the most detailed research into the modern botnet craze.

Dagon says combating the worm du jour is necessary in the short term, but that many of the Internet's most pressing security problems -- from spam to online financial scams to distributed denial-of-service attacks -- have a root cause in botnets.

"We should pursue a root-cause solution, instead of treating the latest symptom," Dagon said.

In its latest annual Internet threat report, Cupertino, Calif.-based security giant Symantec Corp. reported that the average botnet size was around 10,500 machines.

But Dagon's estimates are far higher. In the 13-month period ending in January, Dagon tracked more than 13.1 million distinct bots on the global Internet. He said Symantec's numbers are a fair estimate of the botnets controlled via Internet relay chat (IRC), a form of online communications that predates modern instant-messaging systems.

However, there are practical limits to the size of IRC-based botnets, and some of the bigger IRC channels have cracked down big time. This has spawned a different class of botmasters who instead use Web sites to control their herds.

"I focus on this class, since it represents the best-of-breed botnet. Here, my data through [January] 2006 shows 36,800 members on average," Dagon said.

But controlling the activities of tens of thousands of hacked PCs can take an enormous amount of computer processing power and Internet-access bandwidth. As such, botmasters have adapted their command-and-control networks to accommodate much larger botnets.

One popular way to control large numbers of compromised machines is through delegation. For example, if a botmaster has compromised 100,000 PCs, but only has the capacity or bandwidth to control 10 percent of those computers, the attacker can organize the victim PCs into hundreds of much smaller groups, with a "lieutenant" bot in each group that orchestrates connections and communications between other members of the platoon and the bot herder's main channel.

In such a scenario, the individual bots are democratic. Should a lieutenant suddenly be unplugged from the Web or discovered and cleaned up by a security professional, the remaining bots in the platoon are programmed to hold a virtual "election" to see which computers should replace it. In most cases, the PC with the fastest and/or most reliable Internet connection becomes the new lieutenant.

There is one factor in controlling vast numbers of bots that can mask the true size of any given botnet, Dagon said. To reduce the load that a massive botnet would place on a command-and-control network, many bots are configured to remain mostly disconnected from the herd, "phoning home" periodically to check for updates or new instructions.

The downside to this setup -- from the botmaster's standpoint -- is that only a fraction of the herd is connected at any given time, meaning new instructions may not reach the entire network for several hours.

Earlier this year, Dagon and others tracked a botnet of more than 350,000 compromised PCs scattered throughout dozens of countries on five continents. But due to individual bots being turned on and off in the normal course of daily life by their unsuspecting users, only about 120,000 connections were visible.
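The gap between the 350,000 bots tracked and the roughly 120,000 connections visible at any moment is a measurement effect that a defender running a sinkhole or C2 monitor should expect. The following simulation is an added example, not code from the original post or from Dagon's research; it models each bot as online with some independent probability at each sampled instant (an assumption, the "duty cycle"), and shows that the distinct hosts seen over a long window far exceed the mean concurrent count. The population sizes and the online fraction derived from the post's own figures are constructed inputs.

```python
"""Why concurrent-connection counts understate botnet size.

Added illustration (not part of the original post). Each simulated bot
is online only a fraction of the time, so a sensor counting concurrent
connections sees far fewer hosts than the number of distinct hosts it
observes over a longer window. All inputs below are constructed.
"""
import random


def simulate(total_bots, online_fraction, samples, seed=1):
    """Return (distinct_seen, mean_concurrent).

    total_bots hosts exist; at each of `samples` instants every host is
    online independently with probability online_fraction (assumption:
    a memoryless duty cycle, ignoring time zones and diurnal patterns).
    """
    rng = random.Random(seed)
    seen = set()
    concurrent_total = 0
    for _ in range(samples):
        online = [b for b in range(total_bots) if rng.random() < online_fraction]
        seen.update(online)              # distinct hosts accumulate over time
        concurrent_total += len(online)  # what a "connections right now" count sees
    return len(seen), concurrent_total / samples


def estimate_population(mean_concurrent, online_fraction):
    """Invert the occupancy model: total ~= concurrent / online_fraction.

    The online fraction must come from a separate measurement (for
    example, distinct IDs over a window divided by mean concurrency);
    it cannot be recovered from the concurrent count alone.
    """
    return mean_concurrent / online_fraction


if __name__ == "__main__":
    # Online fraction implied by the post's figures: 120,000 visible of 350,000.
    online_fraction = 120_000 / 350_000
    # Scaled-down population so the simulation runs in a second or two.
    distinct, concurrent = simulate(5_000, online_fraction, samples=50)
    print(f"distinct hosts seen: {distinct}, mean concurrent: {concurrent:.0f}")
    print(f"estimated population from concurrency: "
          f"{estimate_population(120_000, online_fraction):.0f}")
```

The lesson for detection engineering is that a single snapshot of C2 connections is a lower bound, and that the ratio of distinct identifiers (cookies, bot IDs, source addresses, with the usual NAT and DHCP caveats) seen over days to the concurrent count is what lets you scale a snapshot up to an estimate of the herd.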

Dagon and his team are currently at work on compiling a family tree of bots based on their code origin, since so many bot designers borrow programming instructions from one another. Some bots even come with their own "open source code license" that exhorts contributors to freely share their innovations.

"Although there are hundreds of bots in the zoo, there's a lot of inbreeding," Dagon said. "And unlike nature, this creates healthier offspring."

So far, it's proving to be a full-time job just keeping up with the new variants. Good botmasters are constantly updating the code they use to infect and control PCs, if for no other reason than to tweak them so that they can slip past new virus signatures shipped out daily to security-software customers. Dagon said it is not uncommon to see a single botnet updated four to five times a day.

"Frequent updates are common in the pedigree line of botnets" that are not controlled via IRC, Dagon said. "The botmasters know that the feed and caring of their zombies requires continued reinfection."

By Brian Krebs |  February 18, 2006; 1:25 PM ET Fraud , Latest Warnings , Misc. , Safety Tips

Comments




Botnets are using some of the distributed computing algorithms (leader election etc..)!! The firewalls should become more sophisticated and there should be a central team (funded by govt) to monitor and bring to justice whoever is illegally exploiting this.

Posted by: Ram | February 18, 2006 1:46 PM

I did not see the fact that these malware issues do not affect Mac OS X in the least, at least to date.
Do you really think that is irrelevant to the discussion?

Posted by: cbum | February 18, 2006 1:56 PM

to expand on what cbum said -- a VERY helpful item to go along with your excellent story would have been a list of systems that can be infected in this way, and a list of systems that cannot.

What about connections -- do dial-up connections suffer less?

One has to wonder if you are reluctant to say "Well, Windows machines on high speed connections are the ones that get hit by this the most." because of ad pressure by the suppliers of those systems, or something.

Did you ask your botmaster if he would ever consider going after mac systems? Or linux systems? Your article leaves the impression that every system is subject to this, but I suspect this is not the case. I wonder why your editor did not point these really obvious holes out to you.

Posted by: charlie in ogden | February 18, 2006 3:44 PM

Cbum - I never mentioned Mac systems in the story b/c there aren't any botted mac systems, that I know of. Are you suggesting I should have put a line in the story listing all the computing platforms this isn't a problem on?

To Charlie -- Did you actually read the entire article? I find it amazing that after reading this story you could possibly suggest that I somehow pulled punches on Microsoft. I clearly say in the story that this is a problem that relates to Windows machines. Just because I fail to mention that this doesn't affect Sun/Solaris computers or Brother typewriters, does that mean I am somehow suggesting they're at risk from a botmaster? There certainly have been worms in the past that have targeted Linux computers. And when was the last time you saw spyware or adware on a Linux box? Never. So I'm not sure I understand the point of your comment/questions.

Posted by: Bk | February 18, 2006 5:17 PM

The images in the article contain metadata about where they were taken. Looks like you have exposed 0x80's whereabouts. His arrest seems assured. Hopefully your sloppiness will cost you.

Posted by: brian | February 18, 2006 5:32 PM

yes, i read the whole thing -- it was excellent, but you need to know, I'm not a tech savvy guy -- i read these things as a civilian, hoping to learn, and I wonder, "can this affect me?"

If I don't see a list of systems that it does affect, or does not, then I am left to wonder. There is such an enormous amount of information on these problems being reported, but the stories rarely say which systems are affected, and that gets confusing.

So, no, you didn't pull ur punches on microsoft, but at the same time you didn't put in a graph saying "only microsoft-based computers have this problem," or "you are more likely to have this problem if you have high speed access."

And yes, you should have, because some of us out here need to know in very clear terms, these things.

And, yes, i wonder some times that the failure of the press to say which systems do or do not get these problems is, in a backhand way, a failure to hit microsoft hard enough, even a way to make the reader think ALL systems get them.

Think about it. A story on "Cars that have bad motors" that only mentioned Fords would leave a reader to wonder if Chrysler had the problem too, would it not?

thanks

charlie

Posted by: charlie in ogden | February 18, 2006 6:00 PM

Charlie,

If I am sensitive to your criticism on Microsoft, it is because some of the other research I have published recently addresses this very issue, and compares the (in)security of Windows and its attendant software programs with those of other software makers. I have only so far done this with Windows and Mozilla, but there will be more.

Not sure how much of the rest of the blog you have read, or whether you're a first time visitor. But you should check out a few of the past posts, specifically:

2005 Patch Times for Firefox and IE
http://blog.washingtonpost.com/securityfix/2006/02/2005_patch_times_for_firefox_a.html

More MS Patch Data
http://blog.washingtonpost.com/securityfix/2006/01/more_ms_patch_data.html

A Time To Patch
http://blog.washingtonpost.com/securityfix/2006/01/a_time_to_patch.html

Also, this blog post that we put up along with the story:

http://blog.washingtonpost.com/securityfix/2006/02/just_your_basic_windows_user.html

...details another of this guy's victims. It was cut from the print version of the story at the last minute due to space limitations. It goes into far more detail about how this epidemic is a Windows-specific problem.

From that post:

"But Feito isn't terribly concerned about keeping his computer current with anti-virus updates or Windows security patches. In fact, he can't remember ever installing one.

"I don't really update my Windows," Feito said. "I think I'm just a basic user, you know?"

Feito's attitude toward maintaining his computer is all too common among Windows users. Unfortunately for them, failing to apply patches regularly is the computer-world equivalent of refusing to get inoculation shots against the most deadly human diseases.

Without the protection afforded by security patches and anti-virus updates, Microsoft machines soon become breeding grounds for computer viruses, worms and bots -- destructive programs that eat away at the machine's productivity and stability. For thousands of users like Feito, the presence of spyware and adware on their PCs may be just the most visible symptoms of much larger security problems resident on their machines."

Do you use a Windows computer? I ask because I did say in the magazine story:

"0x80's bot program was able to infiltrate the pastor's computer because the PC lacked dozens of software patches that Microsoft has issued to fix security flaws in its Windows operating system."

Posted by: Bk | February 18, 2006 11:30 PM

Bk, re: "I never mentioned Mac systems in the story b/c there aren't any botted mac systems, that I know of. Are you suggesting I should have put a line in the story listing all the computing platforms this isn't a problem on?"

That's really a more superficial answer than I expected from a Post reporter.

If I'm not mistaken, the principle target audience of your otherwise excellent piece are home users. How long do you think that line "listing all platforms" would have been?

And since the obvious reaction of said audience is, well, what should I do?, mentioning the one home platform devoid of these issues could actually be construed as useful...

Posted by: cbum | February 19, 2006 2:21 AM

"The images in the article contain metadata about where they were taken. Looks like you have exposed 0x80's whereabouts. His arrest seems assured. Hopefully your sloppiness will cost you."

funny is that that is way off from where i reside apparently from what i gathered from brian krebs was it was old metadata so im still safe. haha i guess luck is on my side :)

Posted by: 0x80 | February 19, 2006 4:23 AM

Cbum -- Did you see my response to Charlie?

Posted by: Bk | February 19, 2006 9:59 AM

yes, saw it, but it was late in utah -- just got back from a tattoo convention (strictly for journalistic purposes, really)

I use both mac and pc -- am a 56 year old newspaper columnist who uses pc at work and mac at home, so i swing both ways and find myself pretty much constantly confused by all the rapid change -- my iBook, which cost me $1400 two years ago, now is junk? Wait a minute...

There's a very old Doonesbury cartoon where rev. sloan wants to go buy his first computer and the guy in the shop lays such a stream of tech talk on him he almost runs out until mike asks for a more "user friendly human ware".

that's us out in computerland -- as a newspaper reporter I was always told "write the story as if the person reading it knows nothing about what you are talking about" and way, way too often, computer news sections -- not yours, this is a universal problem -- assume a level of knowledge that i personally feel the vast majority of your potential customers don't have. Sure, ur writing for the knowledgeable, but in this fast paced industry, who can really claim to be that any more? Which is why we read you.

so, yes, like the guy up above there says, if you are writing about a huge problem in the business -- and botnets strike me as a really big one -- you need to put in a graph for the lay person -- a "who will not get this attack," -- pcs on a dial up? Macs on high speed? I also end up doing tech support on my wife's pc --what do I tell her when she asks "will this hurt me?" She's on dial-up through aol, like me, by the way.

well, will it? Her entire doctoral dissertation is on that damn computer. I really, really need to know.

The post just ran an article on a mac virus -- a fairly crude one, i gather, and one that some tech person couldn't even get to work most often, but still --

another side-note -- your newspaper and mine (the ogden standard-examiner) are both working very hard to get into the computer age -- it behooves us both to find ways to make our customers comfortable with the technology -- my father in law regularly asks me about viruses, spam, adware and so on -- he has a mac on a high speed connection -- I need to know what to tell him so he'll feel comfortable reading our stuff on line -- if he gets confused (hell with him, if I get confused) I'm likely to just chuck it and stick with the paper edition.

sorry to rant -- and thanks, your story really was good, i got all the way to the end, no problem.

Posted by: charlie in ogden | February 19, 2006 10:14 AM

(bk, please prune the osama article someone copy-pasted into here, it's not really relevant.)

Like others who replied, yes, we thought your article was brill, kudos for it.

But, the person who asked whether you asked 0x80 whether he would consider attacking linux/mac was correct to do so. And you didn't answer the question.

Did you ask 0x80? If not, why not, can you please do so, it's an incredibly good question.

From the media and the IT industry, and hobbyists, there is a lot of argument about yes, linux and mac are harder to hack, no they are not -- they just aren't as popular .. etc etc.

Well, it would be *mega* interesting to have an opinion from someone who hacks systems for a living? No?

I think you are oversensitive about the favouring windows thing, your column has pointed out appropriately the problems with the platform and the attitude it engenders in its users, thankyou for that.

But please, pretty please, answer the [expletive] question. What does *0x80* think of his prospects at running similar operations on mac or linux, imagining that *some* adware was available to provide commercial incentive?

It's not appropriate to imagine other alterations to the environments, just imagine please for a moment that someone provided a similar ad-serving app that would give 0x80 and his colleagues the incentive to hack those two popular alternative desktop systems. Does *he* think they would be worth even trying to hit? Why/why not?

Very simple exercise, very valuable opinion. Most of us do not have a line in to the headspace of the people doing these things. We just watch the packets whizz by...

Thanks in advance, I'm sure you can get us this info. And 0x80, please don't bother replying in here unless bk is going to certify that it's you, cause we know there are some unscrupulous people out there who aren't averse to impersonation ;)

second lieutenant bot jagermeister

Posted by: second lieutenant bot jagermeister | February 20, 2006 1:15 AM

Hey BK, if you really work at the WPost perhaps you can get your name on the Staff E-Mail list ...
...
Tony Kornheiser
Serge F. Kovaleski
Marcia Kramer
Alice Kresse
Andy Krisch
Evan Jane Kriss
Fredrick Kunkle
Howard Kurtz
Phil Kushin
...

Posted by: GTexas | February 20, 2006 3:58 AM

Those of us who work in the anti-spam community have been closely tracking bots for years. We can report the following:

1. "bot" is synonymous with "compromised Windows box". Use of techniques such as passive OS fingerprinting demonstrates that while it's of course theoretically possible to create bots on MacOS, Solaris, Linux, etc. that this is not what we find in the field. Thus: the bot problem is really a Windows security problem. No surprise there.

2. The overwhelming majority of spam is sent via bots. This is a marked change from ~3 years ago, but not a surprising one. The average home PC on a DSL or cable link is quite capable of sending ferocious quantities of spam *if* a decent SMTP sending agent is installed on it, and of course that's precisely what spammers have done.

3. Every trend we have observed indicates that the number of bots is increasing. There is no reason for it to be otherwise: the deployment of ill-advised DRM (see "Sony") along with spyware and rootkits guarantees a steady supply of partially or fully-compromised systems.

4. Our consensus estimate of the number of bots, worldwide, by summer 2005, was 100M. (The methodology for this estimate is complex, but suffice it to say that it was arrived at with the help of people who have insight into VERY large populations of Internet-connected systems.)

5. Unsurprisingly, given that huge population, bots have been observed everywhere: commercial sites, home users, academia, military installations: *everywhere*. The rule appears to be "where there are Windows boxes, there is a substantial probability of bots".

6. Sadly, the response to bots to date has largely focused on symptomatic treatment rather than attacking the underlying cause. Thus we have an endless parade of worthless half-measures: anti-virus, anti-spyware, IDS, IPS, and other snake-oil designed to (a) ensure that the problem remains intact while (b) separating a gullible public from its money.

7. Let us not forget: every major ISP on this planet was warned, multiple times, about this problem when it was still quite small, perhaps .001 to .01% of the size that it is today. They chose to ignore these warnings because it wasn't something they wanted to hear. And as a consequence, today, every consumer broadband ISP on the planet is overflowing with bots: Comcast, Verizon, Versatel, Tiscali, Wanadoo, Charter, Adelphia, SBC, *all of them*.

8. There are no prospects for improvement. People either do not wish to hear this information, and/or they do not wish to make the decisions necessary to put a stop to it.

Posted by: OldGeek | February 20, 2006 8:52 AM
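OldGeek's first point rests on passive OS fingerprinting of hosts seen sending spam. The snippet below is an added example, not OldGeek's tooling or anything from the original post: it applies the simplest such heuristic, inferring a sender's initial IP TTL from the TTL observed at the mail server and mapping it to an OS family, over a handful of constructed SMTP connection log lines. The log format, the host addresses (from the RFC 5737 documentation ranges) and the three-entry TTL table are all assumptions chosen for the illustration; real fingerprinters such as p0f use many more header fields and a large signature database.

```python
"""Passive OS-family triage of SMTP senders from observed IP TTL.

Added example (not from the original post). Operating systems start
packets with a characteristic initial TTL and each router hop decrements
it by one, so rounding the observed TTL up to the next common initial
value recovers the likely origin family. This is a coarse triage
heuristic, not an identification: NAT, proxies and tuned stacks can all
mislead it. Log format and addresses below are constructed.
"""
import re
from collections import Counter

# Assumption: a deliberately small, illustrative table of common
# initial-TTL values. Real tools carry far more signatures.
INITIAL_TTL_TO_FAMILY = {
    64: "unix-like (Linux/BSD/macOS)",
    128: "Windows",
    255: "Solaris/network gear",
}

# Constructed log format for a mail server's inbound connection log.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) .*?dport=(?P<dport>\d+) ttl=(?P<ttl>\d+) .*?flags=(?P<flags>\S+)"
)


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value."""
    for candidate in (64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return None  # TTL > 255 cannot occur in IPv4; treat as malformed


def classify(observed_ttl):
    """Map an observed TTL to an OS family label, or 'unknown'."""
    return INITIAL_TTL_TO_FAMILY.get(infer_initial_ttl(observed_ttl), "unknown")


def tally_smtp_senders(lines):
    """Classify each distinct host that opened an SMTP (port 25) session.

    Only SYN packets are considered because that is where the initial
    TTL is least likely to have been altered by the sender's own
    application-layer behaviour. Returns (per_host, family_counts).
    """
    per_host = {}
    families = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["dport"] != "25" or "S" not in m["flags"]:
            continue
        host = m["src"]
        if host in per_host:
            continue  # count each sending host once
        family = classify(int(m["ttl"]))
        per_host[host] = family
        families[family] += 1
    return per_host, families


# Constructed sample: five SMTP SYNs (one repeat), one web hit, one non-SYN.
SAMPLE_LOG = [
    "2006-02-20T08:52:01 src=192.0.2.10 dst=198.51.100.5 dport=25 ttl=113 win=65535 flags=S",
    "2006-02-20T08:52:02 src=192.0.2.11 dst=198.51.100.5 dport=25 ttl=121 win=16384 flags=S",
    "2006-02-20T08:52:03 src=192.0.2.12 dst=198.51.100.5 dport=25 ttl=52 win=5840 flags=S",
    "2006-02-20T08:52:04 src=192.0.2.10 dst=198.51.100.5 dport=25 ttl=113 win=65535 flags=S",
    "2006-02-20T08:52:05 src=192.0.2.13 dst=198.51.100.5 dport=80 ttl=119 win=65535 flags=S",
    "2006-02-20T08:52:06 src=192.0.2.14 dst=198.51.100.5 dport=25 ttl=240 win=49640 flags=S",
    "2006-02-20T08:52:07 src=192.0.2.15 dst=198.51.100.5 dport=25 ttl=60 win=5840 flags=A",
]

if __name__ == "__main__":
    hosts, counts = tally_smtp_senders(SAMPLE_LOG)
    for host, family in hosts.items():
        print(f"{host:12s} -> {family}")
    print(dict(counts))
```

Used over a real mail server's connection log, the family counts give a quick sanity check on claims like OldGeek's for your own traffic; the per-host map is what you would join against abuse reports or blocklist hits before deciding that an upstream ISP's customer base is the source.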

Oh, by the way: Sunbelt Software is NOT an "anti-spyware firm". They're spammers. Long-time, hard-core spammers. Search the Usenet archives at Google for "Sunbelt Software" and "Stu Sjouwerman" and you'll find more supporting evidence than you could possibly want to read.

Posted by: OldGeek | February 20, 2006 9:07 AM

Posted by: | February 20, 2006 5:44 PM

@ 0x80 and BK:

If those photos had old metadata, then why were they removed from the WP article and from the WP servers? It's suspicious at best, and looks like destruction of evidence and interference with an official investigation at worst.

Furthermore, it doesn't matter if the location was wrong or not. 0x80 admitted to a felony regarding intrusion and compromise of government computer systems in the article. A motivated prosecuting attorney would lock up the reporter and/or photographer until they revealed their source(s). I would think that compromising national security assets and systems via a worm would rank higher than disclosing the identity of a mostly already known CIA operative. Just a matter of political priorities I suppose.

Interesting times in Roland, OK I bet.

Posted by: r | February 21, 2006 8:00 PM

r,
i think you are just flaming. do you read slashdot? the photographer is in the location, not the hacker.
additionally, we have a war on terror going on here...maybe the secret service and fbi are more involved in protecting our country than saving stupid noobs...i feel sorry for those whose computers have been botnotized (my new word) but what are they doing to stop it??? from the report...people just buy new cheaper computers.
You are all, you bloggers out there, trying to exploit this...(to make people read your blogs) becuz you didn't come up with this story. bravo bk

Posted by: r | February 22, 2006 7:41 PM

"...people just buy new cheaper computers."

Yes, they do. And those are almost always *faster* computers which are subsequently infected via the same means that their old ones were.

Sometimes this process also involves switching to a newer faster Internet connection.

In either case, the bot herders just smile, as they've picked up a performance increase at zero cost.

Posted by: OldGeek | February 23, 2006 12:18 PM

: 1. "bot" is synonymous with "compromised Windows box". Use of techniques such as passive OS fingerprinting demonstrates that while it's of course theoretically possible to create bots on MacOS, Solaris, Linux, etc. that this is not what we find in the field.
: Thus: the bot problem is really a Windows security problem. No surprise there.

do you really expect me to believe no one has a kaiten botnet running somewhere?

Posted by: | February 27, 2006 9:39 AM

No, I don't expect you to believe that -- and it's not what I said, anyway.

There may well be, for example, 172,982 compromised Slackware Linux boxes out there that have been organized into various botnets. However, I have no evidence of their existence, and neither does anyone else that I'm in communication with (or whose work I'm monitoring).

Believe me, we're all experienced enough to realize that absence of evidence is not evidence of absence, and we have long since had extensive discussions about our measurement methodologies, including the difficulties involved in trying to do so at Internet scale.

So what I'm reporting is what we have found. There is no doubt more to find, and perhaps in time we'll do so. But *to date*, just for example, out of over 3 million bots that I've observed trying to send spam, NONE were running anything but Windows.

Posted by: OldGeek | March 2, 2006 2:15 PM

nub

Posted by: 0x80 | March 9, 2006 12:37 PM

And people say security must be improved and that major action must be brought against these "malicious people". Don't push too hard or else...when our situation becomes like 1984*, you won't like it, though it would be a simple remedy world wide (Just not very appealing).
*1984 written by George Orwell.

Posted by: anonymous | March 13, 2006 2:26 AM



©  The Washington Post Company