
FBI Unveils Movable Feast with 'Operation Bot Roast'

The FBI said today it has identified more than 1 million personal computers that have been infected with computer worms enabling the attackers to control PCs for criminal purposes such as sending spam, spreading spyware and attacking Web sites.

The FBI used details it gleaned from an ongoing investigation called "Operation Bot Roast" to highlight a few recent arrests of individuals accused of running botnets and to raise public awareness about the problem, which the agency called "a growing threat to national security, the national information infrastructure and the economy."

Individual personal computers infected with remote-control software are known as "bots," and the people who control these PCs herd them into "botnets," which generally are large groups of centrally controlled machines that are used for criminal moneymaking schemes.

"The majority of victims are not even aware that their computer has been compromised or their personal information exploited," FBI Assistant Director for the Cyber Division James Finch said in a statement. "An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised."

Estimates of the global bot problem vary widely. Symantec Corp. in a recent Internet Security Threat Report estimated that there are more than 6 million bot-infested PCs worldwide. Other experts, such as Georgia Tech's David Dagon, posit that the actual number of these compromised PCs is growing upward of 13 million.

The FBI said it is working with industry partners to notify the victims of the botted computers, ostensibly to glean evidence from the machines and to get them cleaned. However, it also warned people to be wary of scam artists who might use the incident to send e-mails disguised as messages from the FBI seeking personal or financial information.

The government named three individuals it has arrested or charged in connection with the investigation, one of whom was long-time spam king Robert Soloway. The FBI charged James Brewer of Arlington, Tex., with running a botnet of "tens of thousands of computers," at least some of which were located in Chicago-area hospitals.

Jason Michael Downey of Covington, Ky., is charged with conducting "distributed denial-of-service" attacks, which involve using a botnet to flood a Web site or network with so much junk Internet traffic that the target network either crashes or is rendered unavailable.

Security Fix dug up the charging document on Downey showing that he may be the administrator of an Internet server called Yotta-Byte.net, which, according to anti-virus vendor Trend Micro, was the server used to control a botnet infected by a particularly nasty version of the Agobot worm. The worm family has spawned thousands of variants and goes by a few other names, including "Phatbot." In spring 2004, washingtonpost.com ran my story about a version of Phatbot that was estimated to have infected between 1 million and 2 million computers.

By Brian Krebs |  June 13, 2007; 5:03 PM ET Fraud , From the Bunker , Misc. , Safety Tips

Comments




The FBI is going to contact 1 million computer users? How? By e-mail? Click here and let the FBI into your computer to search for bot-ware??? Yeah right! I'm going to click on that?

Posted by: thebob.bob | June 13, 2007 6:10 PM

Are they just going to check 1 million random computers? Because I agree, Bob, I'm just as uncomfortable letting the FBI into my computer as I am a bot.

Posted by: nate | June 14, 2007 1:19 PM

pub date=dec.24.2006

Translation=machine
Original text=http://groups.google.com/group/lichtnavi/browse_thread/thread/591a22d78b49b6dc

But they are really completely close? What is the matrix in the DNS of computer systems? The matrix is the Matritze. Them are where the interfaces meet one another. To the matrix also letters and colors belong. The matrix can be worked on and changed with *.exe. Is the matrix static or is close it? Statically the matrix cannot be. It behaves like each atomic thing. It is semipermeable. Information is filtered and not filtered dependent on the respective instruction of the Executable. What is the today's problem? I found out like so many different before already, that the matrix in one of the most important computer programs world-wide (Microsoft [r]/Windows [r]) tears has. These are caused among other things also by letters. The vulnerability of this is safe Admits of operating system. But already once someone has thought about it how much money for patch production is annually used? For patch world-wide it spread-test operating system with which the "nose-fixed" and update, uses anyway nothing. Why doesn't the patching use anything? First of all I do not think that it does not use anything. There are many not repaired computers in many countries in the world gives world-wide however infinitely. And all this ["without warranty"] on my personal computer the pieces of repairing [of patches have] already an extent of more than five gigabyte. Like many humans like many trillions dollar or euro pay world-wide for the fact that they may hope their information systems will perfectly function. Then I remind still of the necessary compatibility of the computer systems world-wide. There are virus protection programs already free of charge for private users. And like many programmers, server administrators, Webmail operators and other IT-Securities spend per year how many trillions dollar on a conception, which cannot function, because Operating systems just like humans are binary. Most holes are caused however through not repaired computers. In addition, by software Cracks. Such Cracks is made available partly intentionally by other Cracks in the Internet, so that over this Cracks again the infected computer can be accessed. That is in such a way as became one humans also high-sticking on diseases unprotected in meetings send. Because computers are among themselves comrades. They want itself natural-prove with their Species to interlace and information exchange. What is the effect of tears? Through these tears either data go penetrating lost or aggressors. What can we do? Because it is two minutes before twelve, I request hereby the company Microsoft in talking moon to patch the infected computers and to seal thus the patch carpet partly, at least with service luggage 2, all the same from where the copy of the operating system comes. It comes in such a way or so from a larger company, which had it available. And finally also Christmas and oath celebration are in short consequence. Thus a first important step would have taken place and into the third dimension from computer systems the journey will be able to begin. What is light navigation? I discovered and also investigated that the DNA of the computer matrix is absolutely close if this three-dimensional is, at least if one with the Camera look. The consequence of a close matrix in the DNS of computer systems is three-dimensionality. I have this three-dimensionality that Computer matrix photographs. I become the photos shortly publish. The Screenshots was reflected both and tilted in infinite consequence of first Frame reflected and in the second Frame reflected and thus developed an infinite succession of turns and reflections from their center light radiates. I could count six. In addition I discovered that Adobe and Microsoft use different diagram program adapters and that therefore diagrams in Adobe can be leaky during it in Windows to appear close.

http://groups.google.com/group/lichtnavi/browse_thread/thread/dc7439533a4bf445
URL for the translation

Posted by: tagesclaus | June 14, 2007 3:00 PM

This is a MAJOR plus and takedown for mainstream computer users. The great efforts and work here are to be greatly applauded. Amounts of infected computers in malware botnets are well over 100 million - from 7 to 11 percent worldwide. The actual bust of one has been rare. There has been a major campaign over 2 years to get computers and people protected. I have personally launched a website, groups, and forums as help. Not tooting my own horn here (with over 1 million hits this year) but those of the ignorant, apathetic, and plain naive operators - this is a major bulletin and wake-up call once again for the average operator consumer. Fantastic effort, reward. Listen to my podcast too "Malware Botnet Cartel" http://www.bluecollarpc.net/downloads/DestroyBotnetCartel.wma

Webmaster http://www.BlueCollarPC.Net

Posted by: cbgerry | June 14, 2007 8:47 PM

Is there any surefire way to determine whether your computer has been hijacked/made part of a botnet? I have not seen any discussion of that. I use McAfee AV and Firewall, and I scan my computer regularly using McAfee, Spybot, and Ad-Aware. As far as those programs are concerned, my computer is okay, so I am assuming it is. But is there something else I can/should do to ensure that my computer is not being used as part of a botnet, or to find out if it is? If I do have a problem, I'd rather find and fix it myself, rather than rely on the FBI. Any insight would be appreciated.

Posted by: hopefullysafe | June 15, 2007 5:26 PM

To hopefullysafe:

Surefire way from your OWN machine? No. However, you can use what the FBI is using, which is the analysis of packets from machines. One thing you can do is submit your WAN IP address (the address on your router's WAN port) to SANS:

http://isc.sans.org/about.html

If you don't notice yourself being listed there as doing anything bad, at least you aren't listed as being an egregious spammer or packet spewer. You can download and use Wireshark on your own system:

http://wireshark.org/

After your computer starts up, allow it to stay connected to the Internet but don't do anything like browsing, email, etcetera (anything on your part going to the Internet). If your email program starts up automatically and stores your password, make it so it does neither (permanently). After your computer has settled down (MS update checks, antivirus update checks, firewall, all done), then start up Wireshark and let it run for ten minutes collecting information on your Internet network interface. Save the results to a file. Now disconnect your network interface and run it the same period of time without a connection to the Internet. What do you look for? Eh, that's the rub. If you had done this when you first got your machine, you would have a good baseline to compare to. However, you shouldn't see much of any traffic except local MS Windows LAN discovery / query packets or occasional packets to Microsoft, your antivirus, and other security programs. That still doesn't assure absence of you being botted, since sometimes the bot processes sit there doing nothing for long periods of time. One thing bots do, though, is take advantage of almost everybody storing their email password in the email program so they don't have to type it. That is used to send out SPAM, but they limit what they send from each machine so that the ISP doesn't detect a problem with what a normal person would send out on their own.

If you analyze your drive with a clean rootkit detector (your OS doesn't boot up at all, your disk is just passive data), you can get a pretty good idea whether you are infected or not. Even if it doesn't know which rootkit you have, it can detect its presence. If you don't have a rootkit, then the bot process should show up in the process list (do Ctrl-Alt-Del and start Task Manager). But again, you would have had to look at each and every task / process in their respective tables and know all of them so you can detect something you weren't used to. That is about as surefire as you can get, and most likely you can't do it unless you have some pretty savvy tech help or are that yourself.

Having said all that, with the safeguards you are taking, you are probably not infected.

Posted by: hhhobbit | June 18, 2007 2:56 AM
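An added example (not from the post or from hhhobbit) of the idle-baseline comparison hhhobbit describes, in Python: constructed conversation records stand in for two Wireshark captures of an idle machine, and the script flags peers absent from the baseline, outbound mail traffic when no mail client is running, and how many distinct mail servers a host contacted. All addresses and packet counts are made up for the example.

```python
# Constructed flow records in the shape of a Wireshark "Conversations" export:
# (source, destination, dst_port, packets). All addresses are made up.
BASELINE = [
    ("192.168.1.10", "192.168.1.255", 137, 12),  # Windows LAN discovery
    ("192.168.1.10", "65.55.0.1", 443, 40),      # vendor update check (constructed)
    ("192.168.1.10", "10.0.0.5", 80, 6),         # antivirus update (constructed)
]
LATER = [
    ("192.168.1.10", "192.168.1.255", 137, 11),
    ("192.168.1.10", "65.55.0.1", 443, 38),
    ("192.168.1.10", "203.0.113.7", 6667, 90),   # peer never seen in the baseline
    ("192.168.1.10", "198.51.100.20", 25, 30),   # outbound mail, no client running
    ("192.168.1.10", "198.51.100.21", 25, 28),
]

MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS, submission


def peers(records):
    """Set of (destination, port) pairs the host talked to."""
    return {(dst, port) for _, dst, port, _ in records}


def find_anomalies(baseline, capture, mail_client_running=False):
    """Return (reason, destination, port, packets) findings for a capture
    taken under the same idle conditions as the baseline."""
    known = peers(baseline)
    findings = []
    for _, dst, port, pkts in capture:
        if (dst, port) not in known:
            findings.append(("new peer not in idle baseline", dst, port, pkts))
        if port in MAIL_PORTS and not mail_client_running:
            findings.append(("outbound mail with no mail client", dst, port, pkts))
    return findings


def mail_fanout(capture):
    """Distinct mail servers per source host: a bot throttles volume per
    machine but fans out to many destinations, so breadth matters more
    than packet counts."""
    servers = {}
    for src, dst, port, _ in capture:
        if port in MAIL_PORTS:
            servers.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in servers.items()}


if __name__ == "__main__":
    for finding in find_anomalies(BASELINE, LATER):
        print("%-36s %s:%d (%d packets)" % finding)
    print("mail fan-out:", mail_fanout(LATER))
```

The comparison is only as good as the baseline: capture it on a freshly installed machine, under the same idle conditions, or the "new peer" list fills with ordinary update traffic.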



©  The Washington Post Company