Re: [sfx: Discuss] What is Going on with wikileaks


Re: [sfx: Discuss] What is Going on with wikileaks

Owen Densmore
Administrator
On Dec 19, 2010, at 9:50 PM, Nicholas Thompson wrote:

> Owen:
>
> How do I tell if I'm a zombie?
>
> [Even his best friends kept it from him!]
>
> Nick

There are folks much more in the know around here than I am, feel free to speak up!

Easiest is to use a pro like Dotfoil here in Santa Fe.  But Googling will turn up something for your particular system as well.

I use a "root-kit" checker periodically (thus far clean) and a much more complete unix-y system (Macs are Unix), clamav, that checks every file on your system! (You can skip certain types of files, but hard to tell what to skip).  Clamav now works on windows too. Unfortunately, they both just log questionable files, and require you to determine if they are bad.

The general advice is to just avoid direct exposure to the internet (i.e. use a wireless router w/ firewall), but that is only for active probing of machines (port scans for well known defects) by the bad guys.  My mac mini (home server) was probed within 2 hours of being connected to the open internet! (I saw this because I opened a firewall port for ssh, for which I only use public/private crypto keys, no logins allowed)

The harder problem is indirect exposure to the raw internet .. mainly mail or websites & downloads (including mail attachments).  These connections provide direct access to your machine, but only to the program being used.  I've gotten several of these lately, all ending with ".exe" which is not a Mac file format .. a windows executable.

To my knowledge, I've been hacked only once.  It was a linux laptop in 1994 or so, while in Sun labs.  The system had a few odd configuration changes and about a dozen of us looked at it and decided something was wrong so I wiped the system and started over.  We think it was picked up while at the San Francisco Moscone conference center.  Problem did not reappear.

For the scale of systems we're talking about (http://en.wikipedia.org/wiki/Botnet), your system will show some signs in general, but alas, signs that are typical for other, benign forms of mis-configuration.  One cute trick is to try to limit C&C (command and control) access to your system.  The bots communicate home via chat and other protocols that you likely do not use.  You can configure your router to disallow outgoing use of their port numbers.

But dropping by Dotfoil periodically is a lot like a yearly checkup for your car, not a bad idea.

    -- Owen


On Dec 19, 2010, at 9:50 PM, Nicholas Thompson wrote:

> Owen:
>
> How do I tell if I'm a zombie?
>
> [Even his best friends kept it from him!]
>
> Nick
>
> -----Original Message-----
> From: Owen Densmore [mailto:[hidden email]]
> Sent: Sunday, December 19, 2010 9:32 PM
> To: [hidden email]
> Subject: Re: [sfx: Discuss] What is Going on with wikileaks
>
> Whew, thanks .. I thought I was losing it.  I couldn't understand any
> non-botnet (zombie collections) solution working, given how routers and load
> balancing works, along with their back-off timers for multiple requests from
> the same net.
>
> I was still skeptical until I found out that the Mariposa botnet consisted
> of > 12 million computers!  Holy cow!
>
> Given that almost all home computers are on a router w/ firewall, I'm a bit
> surprised they can get this large a number of zombies.  I guess they're
> hacking the routers?
>
> I suspect the recent Mac App Store includes the idea of keeping your
> computer clean: buy just certified apps and you're safe.  Similarly the
> ChromeOS web-top could sandbox their system such that they too could be
> certified clean.
>
>    -- Owen
>
>
> On Dec 19, 2010, at 2:55 PM, David Jondreau wrote:
>
>> It's pretty easy.  Essentially, a botnet is a collection of thousands of
> virus infected computers that can take orders. If you don't have your own
> botnet, or a friend with one, to send your spam or launch your DDOS, you can
> rent one.
>>
>> Yes, you can pay by the hour to use tens of thousands of computers to do
> your bidding.
>>
>> Pricing depends on the number of machines you want to use. But this
>> article at zdnet has some prices:  $10/hr and  $70/day.
>> http://bit.ly/ibQEZi
>>
>>
>> DJ
>>
>> -
>> David Jondreau | Wing Forward Solutions, LLC
>> 505.231.1074 | www.wingforward.net |
>> FileMaker Certified 9, 10, 11
>>
>> On Dec 19, 2010, at 2:21 PM, Owen Densmore wrote:
>>
>>> Sorry to be late back to the conversation .. but what I would like to
> know is how they access a very large number of machines which then can be
> used to mount the DDOS?
>>>
>>> Does 4chan allow this somehow?  I understand 4chan does not require a
> registration, thus allowing semi "anonymous" users, although their routes
> are likely available.
>>>
>>> As far as I know, DDOS always requires a large number of
> unaware/unwilling/clueless machines that have been hacked, and wait upon
> trigger events to run downloaded programs.  This provides anonymity and
> power both.
>>>
>>> If these are just folks with several accounts on a hosting service (does
> 4chan allow hosted user apps like loic? or some sort of redirects/forwards
> of posts?), they are unlikely to create enough flooding agents, and are
> easily shut down because only the hosting services need to be targeted.
>>>
>>> Confused, please enlighten!
>>>
>>>  -- Owen
>>>
>>>
>>> On Dec 11, 2010, at 12:11 PM, Jon Bringhurst wrote:
>>>
>>>> Actually, it looks like I'm wrong. Here's an svn repo for the tool they
> used:
>>>>
>>>> <https://loic.svn.sourceforge.net/svnroot/loic>
>>>>
>>>> It looks like it loops http requests that don't download the entire
> result.
>>>>
>>>> As far as the teenager thing goes, here's an article about one who was
> arrested:
>>>> <http://gizmodo.com/5710568/dutch-4chan-teen-arrested-for-wikileaks-
>>>> revenge-attacks>
>>>>
>>>> -Jon
>>>>
>>>> On Sat, Dec 11, 2010 at 10:42 AM, Jonathan Bringhurst
>>>> <[hidden email]> wrote:
>>>>> The "zombies" came from a 4chan based /i/ board (a bunch of teenagers).
>>>>>
>>>>> Someone on there distributed a tool that floods an endpoint with
>>>>> half open syn requests.
>>>>>
>>>>> The targets were distributed to people via IRC and twitter (one of
>>>>> the twitter accounts was shut down half way through the attacks).
>>>>>
>>>>> -Jon
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On Dec 11, 2010, at 9:37 AM, Owen Densmore <[hidden email]> wrote:
>>>>>
>>>>>> On Dec 11, 2010, at 2:26 AM, Jon Bringhurst wrote:
>>>>>>
>>>>>>> Much of the "hacker battles" you refer to was just a bunch of
>>>>>>> teenagers who were bored (i.e. the ddos of paypal, visa, and
>>>>>>> mastercard).
>>>>>>
>>>>>> Well, how do a bunch of bored teenagers do it?  I thought it would
> take a reasonable amount of sophistication.
>>>>>>
>>>>>> Surely the targets are reasonably protected against over-use by a
> single source address?  Simple load balancing goes a long way, and any
> commercial grade router will detect too much traffic from a single address
> or even set of addresses.
>>>>>>
>>>>>> Thus the second "D" in ddos.  The blackhat has to have created a large
> number of zombies that can be triggered to begin flooding targets.  This
> solves the router problem and leaves load balancer to spread the requests
> among enough servers.
>>>>>>
>>>>>> One stunt the ddos folks use is to "hang" the requests, with protocols
> that require handshakes.  They simply point the client address to a
> non-existing address hanging the TCP connection completion.  But, again, you
> can buy boxes that solve this problem by creating proxies in the TCP stream
> which detect this flaw.
>>>>>>
>>>>>> So I don't believe we could do it via an obvious use of curl, say,
> getting into a loop making requests of paypal.  Maybe we should hire these
> bored kids?  Or do you know how to do this easily?
>>>>>>
>>>>>> -- Owen
>>>>>>
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Santa Fe
> Complex "discuss" group.
>>>>>> To post to this group, send email to [hidden email] To
>>>>>> unsubscribe from this group, send email to
>>>>>> [hidden email]
>>>>>> For more options, visit this group at
>>>>>> http://groups.google.com/a/sfcomplex.org/group/discuss
>>>>>


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
lectures, archives, unsubscribe, maps at http://www.friam.org
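Owen's quoted Dec 11 message above describes the handshake "hang" (a SYN whose final ACK never comes, leaving the server holding a half-open connection) and the "boxes that solve this problem by creating proxies in the TCP stream". The model below is an added example by the editor, not code from any message in this thread. It simulates the bookkeeping only: a classic listener whose half-open table fills under SYNs that are never completed, next to the stateless SYN-cookie scheme (RFC 4987) that a SYN proxy or a SYN-cookie-enabled kernel uses so that nothing is stored until the client proves it saw the SYN-ACK. The 4-slot backlog, the 60-second timeout, the RFC 5737 documentation addresses and the HMAC secret are constructed for illustration; no sockets are opened and nothing is sent.

```python
"""Model of a TCP listener's half-open (SYN_RECV) table under unanswered
handshakes, next to the stateless SYN-cookie scheme that a SYN proxy or a
SYN-cookie-enabled kernel uses instead.  Pure in-memory simulation of the
bookkeeping; no sockets are opened and nothing is sent.
Constructed assumptions for illustration: a 4-slot backlog, a 60 s half-open
timeout, RFC 5737 documentation addresses and a fixed demo secret."""
import hashlib
import hmac
from dataclasses import dataclass, field

SYN_TIMEOUT = 60.0  # seconds a half-open entry is kept (assumed value)


@dataclass
class StatefulListener:
    """Classic listener: every SYN reserves a backlog slot until the matching
    ACK arrives or the entry times out.  Unanswered SYNs therefore pin memory."""
    backlog: int
    half_open: dict = field(default_factory=dict)   # (ip, port) -> time SYN seen
    established: list = field(default_factory=list)

    def _expire(self, now):
        for key, seen in list(self.half_open.items()):
            if now - seen > SYN_TIMEOUT:
                del self.half_open[key]

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return "dropped"          # table full: the new SYN is silently discarded
        self.half_open[src] = now
        return "syn-ack"

    def on_ack(self, src, now):
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.established.append(src)
            return "established"
        return "reset"                # ACK for a connection we have no record of


class CookieListener:
    """SYN-cookie style listener: the initial sequence number in the SYN-ACK is
    an HMAC over the connection 4-tuple and a coarse timestamp.  No state is
    stored until the client proves it received the SYN-ACK by echoing seq+1,
    which is exactly what a never-completed handshake cannot do."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.established = []

    def _cookie(self, src, dst, minute):
        msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}@{minute}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")      # 32-bit sequence number

    def on_syn(self, src, dst, now):
        return self._cookie(src, dst, int(now // 60))   # sent as the ISN; nothing kept

    def on_ack(self, src, dst, ack_num, now):
        minute = int(now // 60)
        for m in (minute, minute - 1):                  # accept this or the previous minute
            if ack_num == (self._cookie(src, dst, m) + 1) & 0xFFFFFFFF:
                self.established.append(src)
                return "established"
        return "reset"


def run_scenario():
    """Eight SYNs that never complete, then one legitimate client (all constructed)."""
    server = ("192.0.2.10", 443)
    never_completed = [(f"198.51.100.{i}", 40000 + i) for i in range(1, 9)]
    legit = ("203.0.113.5", 51000)
    stateful = StatefulListener(backlog=4)
    cookie = CookieListener(secret=b"constructed-demo-secret")
    t0 = 1000.0

    for src in never_completed:
        stateful.on_syn(src, t0)
        cookie.on_syn(src, server, t0)

    results = {}
    results["stateful_legit"] = stateful.on_syn(legit, t0 + 1)           # backlog full
    results["half_open_entries"] = len(stateful.half_open)               # slots still pinned
    results["stateful_after_timeout"] = stateful.on_syn(legit, t0 + 61)  # entries expired
    isn = cookie.on_syn(legit, server, t0 + 1)
    results["cookie_legit"] = cookie.on_ack(legit, server, (isn + 1) & 0xFFFFFFFF, t0 + 2)
    results["forged_ack"] = cookie.on_ack(("203.0.113.99", 52000), server, 12345, t0 + 2)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:24} {value}")
```

The stateful listener turns the legitimate client away until its pinned entries time out, while the cookie listener never holds an entry, so the unanswered SYNs cost it nothing and a forged ACK that does not carry a valid cookie is simply reset. Real kernels switch to cookies only once the backlog is under pressure, because cookies cannot carry every TCP option.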

Re: [sfx: Discuss] What is Going on with wikileaks

Douglas Roberts-2
I think Microsoft Windows is some kind of divine Darwinistic experiment designed to determine if humankind is mature enough to be allowed to use computers.

I mean, seriously, folks.  Using Microsoft Windows?  When you have options that are so much more secure, stable, usable, and <cough> FREE?

Oh, well.  I realize that some (most?) people simply can't be taught.  But still...

However there is, believe it or not, an upside to Windows' proclivity to botnet/worm/virus infections.  A fascinating read, even if it is from Fox News:


--Doug


On Mon, Dec 20, 2010 at 10:43 AM, Owen Densmore <[hidden email]> wrote:

Re: [sfx: Discuss] What is Going on with wikileaks

Parks, Raymond
In reply to this post by Owen Densmore
Note - the following advice is for Winders - there are no significant botnets of OSX or Linux systems.

To detect if your system(s) are running bot software -

1. Be aware of changes in performance and behaviour of your system.

2. Log all traffic to the Internet and look for stuff you didn't cause.

3. If you suspect a problem and from time to time,

  A. Download (using a different system) a live CD of an antivirus - Kaspersky and AVG both offer good free versions.

  B. Disconnect your system from any networks (including wireless - disabling wireless or turning off your router)

  C. Boot your system from the live CD and execute a complete system scan.

Unless you are the target of a nation-state adversary, that should catch everything.

To keep from getting a bot, given that the primary sources of infection are email attachments, email URLs/links, and malware on web-servers -

1.  Browse the web safely.

  A. Use a browser that supports NoScript - Firefox or Seamonkey - obtain the plugin (donate if you can) and install it.  AdBlock is another good one.

  B. Set your browser to block pop-ups and redirects and warn of other insecure behaviour.

  C. When NoScript warns of scripting, only give temporary permission to run scripts from web-sites when it makes sense (I never allow doubleclick).

  D. Think before you proceed through warnings - does it make sense, has that web-site ever caused that warning before, etc.

2. Use email safely by restricting your client to text only - no HTML.  Use the "if this email looks weird" links so your browser defenses can work.

I have done this for years and never had a virus or spyware.  I don't even bother with AV and such - all they ever found were Windows components.

Ray Parks


----- Original Message -----
From: Owen Densmore [mailto:[hidden email]]
Sent: Monday, December 20, 2010 10:43 AM
To: SFx Discuss <[hidden email]>; The Friday Morning Applied Complexity Coffee Group <[hidden email]>
Subject: Re: [FRIAM] [sfx: Discuss] What is Going on with wikileaks

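Two points in this thread meet in an egress-log review: Owen's suggestion to have the router disallow outgoing use of the bots' port numbers, and Ray's item 2, log all traffic to the Internet and look for stuff you didn't cause. The script below is an added example by the editor, not something posted by Ray or Owen. It reads the KEY=VALUE format that the Linux netfilter LOG target writes (real format; the sample lines are constructed), flags outbound connections from LAN hosts to ports a home network is assumed never to need (IRC and a common alternate, an assumption drawn from the thread's remark that bots talk home over chat protocols) or that are simply not on the household's allow-list, and prints the iptables rules that would log and then drop the suspect ports. The allow-list, the suspect-port set and the interface names are assumptions to edit for your own network.

```python
"""Review a home router's outbound (egress) log for connections nobody asked for.
Reads the KEY=VALUE lines the Linux netfilter LOG target writes; the sample
lines, the allow-list and the suspect-port set below are constructed
assumptions, not data from this thread."""
import re
from collections import Counter

# Destination ports this household is assumed to use outbound (edit to taste).
ALLOWED_DPORTS = {22, 53, 80, 123, 443, 587, 993}
# Ports a home network is assumed never to need outbound: IRC and a common
# alternate, the kind of chat protocol the thread says bots use to call home.
SUSPECT_DPORTS = set(range(6660, 6670)) | {7000}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample of netfilter LOG output from a router with LAN br0 / WAN eth0.
SAMPLE_LOG = """\
Dec 20 10:41:07 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=50211 DPT=443 SYN
Dec 20 10:41:09 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.53 PROTO=UDP SPT=50212 DPT=53
Dec 20 10:41:30 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49152 DPT=6667 SYN
Dec 20 10:42:30 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49153 DPT=6667 SYN
Dec 20 10:43:02 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=49154 DPT=8085 SYN
Dec 20 10:43:05 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.44 PROTO=TCP SPT=41000 DPT=22 SYN
"""


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    for key in ("SPT", "DPT"):
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    return fields


def classify(fields):
    """Label one outbound connection attempt: allowed, suspect, unexpected or other."""
    if fields.get("PROTO") not in ("TCP", "UDP"):
        return "other"
    dport = fields.get("DPT")
    if dport in SUSPECT_DPORTS:
        return "suspect"
    if dport in ALLOWED_DPORTS:
        return "allowed"
    return "unexpected"


def analyze(lines):
    """Per LAN host, count every non-allowed attempt by (verdict, protocol, port)."""
    per_host = {}
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        verdict = classify(fields)
        if verdict == "allowed":
            continue
        key = (verdict, fields["PROTO"], fields.get("DPT"))
        per_host.setdefault(fields["SRC"], Counter())[key] += 1
    return per_host


def port_ranges(ports):
    """Collapse a set of ports into sorted (low, high) runs for compact rules."""
    ordered = sorted(ports)
    runs, start, prev = [], ordered[0], ordered[0]
    for p in ordered[1:]:
        if p != prev + 1:
            runs.append((start, prev))
            start = p
        prev = p
    runs.append((start, prev))
    return runs


def egress_block_rules(ports=SUSPECT_DPORTS, wan_if="eth0"):
    """iptables FORWARD rules that log, then drop, LAN traffic to the given ports."""
    rules = []
    for low, high in port_ranges(ports):
        spec = f"{low}:{high}" if low != high else str(low)
        rules.append(f"iptables -A FORWARD -o {wan_if} -p tcp --dport {spec} "
                     f"-j LOG --log-prefix 'EGRESS-DROP '")
        rules.append(f"iptables -A FORWARD -o {wan_if} -p tcp --dport {spec} -j DROP")
    return rules


if __name__ == "__main__":
    for host, counts in analyze(SAMPLE_LOG.splitlines()).items():
        for (verdict, proto, port), n in sorted(counts.items()):
            print(f"{host:15} {verdict:10} {proto}/{port}  x{n}")
    print("\n".join(egress_block_rules()))
```

On the constructed sample only 192.168.1.23 stands out: two attempts to reach an IRC port and one to a port nobody on the network uses, which is the "stuff you didn't cause" worth investigating. The rules are printed rather than applied so they can be reviewed first; blocking a port list is only a partial measure, since the thread itself notes that bots can use other protocols, which is why the log review matters more than the block-list.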

Re: [sfx: Discuss] What is Going on with wikileaks

Owen Densmore
Administrator
On Dec 22, 2010, at 5:33 PM, Parks, Raymond wrote:

> Note - the following advice is for Winders - there are no significant botnets of OSX or Linux systems.

Really? Whew!  

But are you sure?  Seems to me that there are large number of linux/unix servers running many VMs, all of which could be compromised. And macs are getting pretty popular for not only desktops but phones and pads.  And what about all the smartphones, not just iPhones?  Wouldn't a couple of million hacked androids be interesting to the bot-net folks?  And game machines?  And AppleTV .. and heck, the TVs themselves even.

And the real fear for me is the future hacking of the routers themselves, most are running linux nowadays, right?

I guess it's just the massive number of windows computers still is most logical due to the numbers.  I'm not at all sure windows is inherently more vulnerable than mac/linux, right?

   -- Owen



Botnets <was Re: [sfx: Discuss] What is Going on with wikileaks>

Parks, Raymond
  Yeah, OSX doesn't have enough market share to be interesting to bot herders.  Apple iOS and Android may change that but so far the RBN and such haven't figured out how to make money off them.  BTW, don't think OSX or iOS aren't pwnable - all of the current crop of Adobe hacks work on them.

  Linux has even less market share and its use for servers makes it less attractive (except for web-servers).  Servers make the Internet work - botting servers might cause the Internet to not work.  That could get unhealthy for the bright person who does it and interferes with a $2 trillion organized crime economy.

  The routing infrastructure (backbone, border, and edge) is mostly Cisco with Juniper running second and Foundry far behind.  While IOS is based on BSD, every model runs a different version - Cisco is heterogeneous.  Nation state attacks on routing are probable - criminal attacks are not.

Ray Parks


----- Original Message -----
From: Owen Densmore [mailto:[hidden email]]
Sent: Thursday, December 23, 2010 07:04 PM
To: The Friday Morning Applied Complexity Coffee Group <[hidden email]>
Subject: Re: [FRIAM] [sfx: Discuss] What is Going on with wikileaks
