Operation Ghost Click

Rich Kulawiec rsk at gsp.org
Sat Apr 28 11:44:46 UTC 2012


On Thu, Apr 26, 2012 at 10:03:44PM -0400, Jeff Kell wrote:
> And what about the millions of users unknowingly infected with
> "something else" ??

s/millions/hundreds of millions/

We passed the 100M zombie/bot mark years ago and nothing has happened
in the interim that should/would cause the trend to reverse.  (Based on
what I've seen, the curve continues to monotonically increase.)  Worse,
even the most sophisticated measurement techniques we have are guaranteed
to miss some unknown/unknowable fraction of the total population, since
botmasters are known to keep reserves.  And worse yet, we're now seeing
infestations of portable devices/phones, systems running MacOS, etc.,
so while it's been, to this point, a Windows problem to about five to
seven 9's, it's not anymore, and it's not going to be.

> Does anyone have a plan?

No.  Well, that's a bit unfair: lots of people have ideas, proposals,
and such, but until/unless there's a massive, coordinated, focused effort
-- which will cost a LOT of money -- those ideas and proposals can have
(at best) temporary, localized effects.  I would like to think that the
software vendors whose products are involved would step up, but if that
was going to happen, it probably would have happened by now.

The most likely outcomes are: (1) that the status quo will continue:
massive amounts of attention, effort, and money will be focused on
mitigating the consequences (e.g., anti-spam, anti-phish, anti-DDoS,
anti-malware, anti-anti-anti defenses) and almost none will be focused
on addressing the root causes.  (2) Those running networks which are
infested on a systemic and chronic basis will continue to do so and
will not be held accountable (by anyone) for their incompetence.
(3) More sophisticated bot-creating software will be developed and thoroughly
tested against anti-malware products before being deployed.
(4) Botnet command and control mechanisms will become more resilient in the
face of attacks.  (5) Every now and then, some vendor and/or some government
agency will have a press conference and engage in self-congratulatory
chest-beating about how they've taken down a 5-million member botnet,
while botmasters are busy recruiting all 5 million still-compromised
systems into new botnets.  (6) Once in a while, some poor unsuspecting
person sitting in front of one of these systems will be stuck holding the
bag when clueless prosecutors, assisted by thoroughly ignorant judges and
stunningly inept "experts", decide to score some election-year points by
destroying an innocent person's life: see "Julie Amero" for a canonical
example.  (7) Data harvested from all these systems will continue to be
collated and sold to spammers, phishers, identity thieves, blackmailers,
and anyone else with a passing interest in the usable contents of large
numbers of systems.  (8) Legislators and politicians who cannot even
use computers will propose and likely pass bill after bill after bill
which not only makes the situation worse, but uses it as an excuse to
destroy the few remaining protections that citizens have against wholesale
government snooping into their private lives.  As a bonus, they'll
ensure that much of this information is passed along to any private
contractors who've made sufficient campaign contributions, and they
in turn will be hacked by the first bored 17-year-old with an attitude
that takes note of their existence.

Oh.  Almost forgot.  At each step, the favorite phrases of people who've
failed to learn from history, failed to heed warnings, failed to educate
themselves, failed to listen to experts and now wish to distance themselves
as far as they possibly can from the direct consequences of their own
choices and actions will be used:

	"nobody could have predicted"
and
	"we take this matter seriously" 

---rsk




More information about the NANOG mailing list