Maps Showing Spread of ZeroAccess Botnet

The folks at F-Secure have plotted ZeroAccess infections across the U.S. and across Europe. It's interesting to see, but I'm curious to see the data normalized to the number of computers on the Internet.
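Normalizing the counts is a short piece of arithmetic, but it changes the picture: a region with many raw infections may rank low once you divide by its host population, and a small region with few sightings may rank high. The example below, added here and not taken from the F-Secure post or from this blog, does that normalization on constructed numbers (the region names, infection counts and host estimates are all made up for illustration) and shows the ranking flipping between raw counts and infections per thousand connected hosts.

```python
# Added illustration: normalise raw botnet infection counts by the number of
# connected hosts in each region. All figures below are CONSTRUCTED for the
# example; they are not F-Secure's ZeroAccess data.

from typing import Dict, List

# Constructed sample: raw infection sightings per region.
RAW_INFECTIONS: Dict[str, int] = {
    "Region A": 12_000,
    "Region B": 4_000,
    "Region C": 900,
    "Region D": 300,  # no host estimate below, so it cannot be normalised
}

# Constructed sample: estimated connected hosts per region.
CONNECTED_HOSTS: Dict[str, int] = {
    "Region A": 6_000_000,
    "Region B": 800_000,
    "Region C": 90_000,
}


def infections_per_thousand(raw: Dict[str, int],
                            hosts: Dict[str, int]) -> Dict[str, float]:
    """Return infections per 1,000 connected hosts for every region that has
    a usable denominator. Regions with no (or zero) host estimate are left
    out rather than silently given a rate of 0 or infinity."""
    rates: Dict[str, float] = {}
    for region, count in raw.items():
        population = hosts.get(region, 0)
        if population <= 0:
            continue
        rates[region] = 1000.0 * count / population
    return rates


def unnormalisable(raw: Dict[str, int], hosts: Dict[str, int]) -> List[str]:
    """Regions that appear in the infection data but have no host estimate."""
    return sorted(r for r in raw if hosts.get(r, 0) <= 0)


def ranking(values: Dict[str, float]) -> List[str]:
    """Region names ordered from highest to lowest value."""
    return sorted(values, key=lambda r: values[r], reverse=True)


if __name__ == "__main__":
    rates = infections_per_thousand(RAW_INFECTIONS, CONNECTED_HOSTS)
    print("By raw count:     ", ranking({r: float(c) for r, c in RAW_INFECTIONS.items()}))
    print("By rate per 1,000:", ranking(rates))
    for region in ranking(rates):
        print(f"  {region}: {RAW_INFECTIONS[region]:>6} infections, "
              f"{rates[region]:.2f} per 1,000 hosts")
    skipped = unnormalisable(RAW_INFECTIONS, CONNECTED_HOSTS)
    if skipped:
        print("No host estimate, not plotted:", skipped)
```

Two caveats a practitioner would keep in mind when reading any such map: the denominator (connected hosts per region) is itself an estimate, and infection counts from one vendor's telemetry only cover the machines that telemetry can see, so the honest denominator is the population the measurement could have observed, not the whole Internet.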

Posted on October 5, 2012 at 7:44 AM • 8 Comments

Comments

Nes Anderson • October 5, 2012 12:34 PM

I've been wondering lately how people get infected so easily. I've gone for almost 5 years now without getting an infection.
I don't run unknown software; I generally use non-standard software. I use AdBlock- and NoScript-like plugins in my browsers.

The last bit of cruft that infected my computer was a rather badly programmed botnet that redlined my network and CPU. Ended up reinstalling my OS just to be safe.

So I suppose I play it pretty safe, but still... what are the viable attack vectors these days? In the 90s I was fighting off a virus every week. These days I rarely download anything that a scanner complains about.

Richard Peterson • October 5, 2012 12:38 PM

To get a heat map of percentage of total connected machines that are infected per region, for instance?

Clive Robinson • October 5, 2012 2:27 PM

@ Nes Anderson,

I've gone for almost 5 years now without getting an infection

Once upon a time that would have been a statement that would have indicated that you were failing to detect the malware.

But times have changed as you have noted,

... but still... what are the viable attack vectors these days? In the 90s I was fighting off a virus every week. These days I rarely download anything that a scanner complains about.

The simple answer is "low hanging fruit", but it's a little more complicated than that. Basically what has happened is twofold: the first is that people are in general more wary than they used to be; the second is that software security has improved and still is improving. Attack vectors have moved up the software stack as first the OS and now application security is improving, and many attacks these days go fundamentally for the major weak link, the user who sits at the top of the stack. For whilst users are more savvy these days in general and use technical security measures, there are still a lot of people out there who are basically gullible in one way or another.

Now I'm not saying that those who do get hit are to blame for the attacks succeeding, although a few are, but in the main there is an edge effect on people's knowledge, thus nearly all of us can be attacked successfully if the attack comes at us from what is our knowledge blind spot.

The question is then do we try and improve peoples knowledge or do we try other methods?

Well, to be honest, I have trouble keeping up with all the latest twists and turns, as I suspect many of this blog's readers do, and I realise that there is just no way I can assimilate all the required knowledge in a timely manner, so why on earth should I expect others to do so?

We have got to the point now where even very paranoid solutions (air gaps) are being defeated by clever and determined attackers. We have also seen that "supply chain poisoning" cannot realistically be avoided even for the professionally paranoid such as the military.

So you are going to get hit and owned if an attacker is determined enough irrespective of who you are.

So the answer is in reality to limit your vulnerability (attack surface) and desirability (minimise loss potential) to attack, and cross your fingers and hope you don't have the misfortune to become an unwitting cut-out.

In essence the oldish advice that you need to get "street wise" before you become "road kill" applies. But the only way you can guarantee not becoming road kill is by never stepping on the streets, which is in most cases neither practical nor possible because you cannot live a life without risk. The same reasoning applies today with the Internet, only it's harder because it's intangible "information", not tangible "physical" objects you can see and touch.

For instance, it's moderately easy to stop a physical object being stolen by all but the most determined thief, and you are usually quickly aware of when the physical object has gone missing. This does not apply to information, where accessing it is copying it, which is in effect identical to stealing it, only you get to keep the original. And this is a hard problem to deal with because usually information only has value if it is used, therefore in effect (potentially) stolen, because you generally don't have sufficient control over the person who accesses the information to limit them to legitimate use only (if you can even define "legitimate use" in the first place).

Mark A • October 5, 2012 2:57 PM

Nes, how can you know for sure that your machine is not infected?
...and as a follow-up, if you can't tell, why do you care?
To me part of the problem is the complexity and time requirements of installing Windows. I like Win7, but in the past I have preferred Linux platforms and I still dual boot. What strikes me is that with Linux the OS is disposable: with half an hour on your hands you can install, say, the latest Ubuntu and get all your software set up the way you like, whereas with Windows you are looking at a weekend project, and that is if you can get the license to work.
With a disposable OS, botnet infection kind of becomes a non-issue. I see one of the biggest problems with Windows as the tendency of users to hold on to the same install for years.

SevenThreeTwo • October 5, 2012 4:33 PM

@Nes Anderson
Attack vectors are Java and Flash Player plugins. Both have had severe security holes in the past. Both have a wide user base. Java has a very bad automatic update functionality, where one is left with a critical bug for up to a month although the bug is fixed (Java checks only once per month for new fixes).

Nes Anderson • October 8, 2012 2:27 AM

I don't "know" that I am not infected. However, I generally know what to look for, for the standard attacks. And I have an idea what someone would be looking for in my computer if they were trying to acquire information from me.

But on the other tangent here, the disposable OS is a very good point, and Microsoft is making it even worse lately, trying to restrict how often you install. Windows 8, for instance, you are only supposed to install once, and it's mostly just a service pack built on top of Windows 7 (if you upgrade, at least from what I understand). So any virus you already have might persist through an install.

Plus if you do upgrade, you may not be able to wipe and reinstall. This is very bad in my opinion, but I'm of the crowd that prefers to nuke the C drive at least once a year if not twice.

Mike Anthis • November 13, 2013 11:39 PM

Regarding Win7, I find it's stable enough that if it got twitchy, I would be suspicious. Earlier releases were congenitally DOS, so how to tell whether/when things worsen?

The danger in a disposable OS is that you assume it's safe because you reinstalled it. Unsinkable.

If you have a reliable system, investigate why it fails. If you have to keep refreshing, you never find out what's getting swept under the rug.
