The top 10 spam botnets: New and improved

Latest reports have spam accounting for more than 95 percent of all email messages. You can thank botnets for most of that. Here's what we're up against.


While doing research for this project, I came across a blog series (first, second, third post) by Terry Zink that forced me to rethink. Ranking spam botnets is not as simple as I thought, because there are several measurement philosophies:

  • The number of bot members
  • The number of bytes sent
  • The number of messages sent

In the grand scheme of things, the choice may not seem important. But techies like details. Counting bot members or bytes sent is straightforward enough. You would assume that counting messages is, too.

It's not. A bot can build one spam message and address it to many recipients in a single SMTP transaction, so one "message" leaving the bot can become dozens of messages arriving in inboxes. Whether you count transactions or recipients changes the ranking.

Confused? So am I. To make some sense of it all, I juggled the different attributes (unscientifically, of course) and came up with the following list of the best of the breed. The botnets are arranged in order of spam activity, most active first; each heading gives the name most commonly used, with known aliases in parentheses.

1: Grum (Tedroo)

Grum points to where spam botnets are heading. It is a kernel-mode rootkit and thus hard to detect. It is also persistent: it infects the Autorun registry entries that Windows processes at startup, which guarantees the bot is reactivated after every reboot. This botnet is of special interest to researchers because it is relatively small, only about 600,000 members, yet it accounts for almost 25 percent of spam, roughly 40 billion messages a day.

Grum focuses on pharmaceutical spam. You know the kind. There must be money in this, as most spam botnets are involved with it to some degree.

2: Bobax (Kraken/Oderoor/Hacktool.spammer)

Bobax confuses botnet hunters because it is closely related to, and often tracked together with, the Kraken botnet. Bobax recently went through a rewrite in which the authors moved command-and-control traffic to HTTP, making it harder to block and trace because it blends in with ordinary web traffic.

Right now, Bobax has only 100,000 members, yet it produces 27 billion spam messages a day. That's 15 percent. Or more impressively, 1,400 spam email messages per bot per minute. Bobax appears to be a botnet for hire, as the type of spam varies.

3: Pushdo (Cutwail/Pandex)

Pushdo started at the same time as Storm, in 2007. Storm is all but gone, but Pushdo is still going strong, sending approximately 19 billion spam messages a day from one and a half million bots. Pushdo is the downloader component that gains a foothold on the victim computer; it then fetches Cutwail, the spamming engine.

The Pushdo/Cutwail botnet spews spam with a wide variety of subject matter, including pharmaceuticals, online casinos, phishing schemes, and links to malware-laced Web sites.

4: Rustock (Costrat)

Rustock is another survivor. It was almost destroyed when the McColo hosting provider was shut down in 2008, but it's back and is currently the largest botnet, with almost two million bots. Before McColo, Rustock's trademark was to generate huge bursts of spam, then go dormant for several months. Today, Rustock's signature is to deliver spam only between 3 a.m. and 7 a.m. EST (GMT-5) daily.

Rustock is also known for forging legitimate email newsletters using image files. Image spam slips past filters that inspect only the message text, which is why it remains effective. In addition, Rustock does the usual pharmaceutical and Twitter-themed spam, to the tune of 17 billion messages a day.

5: Bagle (Beagle/Mitglieder/Lodeight)

Bagle is an interesting botnet because of its industrious author. Since 2004, it has gone through hundreds of iterations. Two years ago, the developer decided to start making money, using Bagle to harvest and sell email address databases.

Now, Bagle bots act as relay proxies, forwarding spam email messages to their final destination. Bagle has at most 500,000 bots, but it still moves 14 billion pieces of spam each day.

6: Mega-D (Ozdok)

Mega-D is famous -- or infamous, depending on your point of view. In November 2009, researchers at FireEye shut the botnet down by registering its command-and-control domains ahead of the botmasters. But the malware is programmed to keep generating new candidate domains from an algorithm, so the botmasters can eventually regain control by registering one that the defenders did not claim first.
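
To make the domain-generation point concrete, here is an added example (not Mega-D's code and not its real algorithm): a hypothetical date-seeded DGA in which the bots and the botmaster derive the same candidate domains from the date and a shared secret, so no domain list ever has to be shipped to the bots. A defender who recovers the algorithm can precompute the schedule and register or sinkhole the domains first; the botmaster regains control by registering a domain for a day beyond the defender's horizon. The secret, the TLD list, the label length and the number of domains per day are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Assumed parameters of the hypothetical DGA (not Mega-D's real values).
SECRET = b"hypothetical-botnet-seed"
TLDS = ("com", "net", "info")
DOMAINS_PER_DAY = 5
LABEL_LEN = 12


def generate_domains(day_iso):
    """Bot side: derive the day's candidate C2 domains from an ISO date string.

    Every bot and the botmaster run this same deterministic function.
    """
    domains = []
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(SECRET + day_iso.encode() + bytes([i])).hexdigest()
        # Map hex nibbles onto lowercase letters to form a DNS label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def resolve_c2(day_iso, registrations):
    """Bot side: try the day's domains in order; the first registered one wins.

    `registrations` stands in for DNS: domain -> who controls it
    ("botmaster" or "sinkhole"). Returns (domain, owner) or (None, None).
    """
    for domain in generate_domains(day_iso):
        if domain in registrations:
            return domain, registrations[domain]
    return None, None


def defender_schedule(start_iso, days):
    """Defender side: precompute every domain the bots will try for `days`
    days from `start_iso`, so they can be registered or sinkholed first."""
    start = date.fromisoformat(start_iso)
    schedule = {}
    for d in range(days):
        day_iso = (start + timedelta(days=d)).isoformat()
        schedule[day_iso] = generate_domains(day_iso)
    return schedule


if __name__ == "__main__":
    # Defender registers three days' worth of domains as sinkholes.
    registrations = {dom: "sinkhole"
                     for doms in defender_schedule("2010-03-01", 3).values()
                     for dom in doms}
    print("day 1 bot lands on:", resolve_c2("2010-03-01", registrations))
    # Botmaster registers a domain for a day past the defender's horizon.
    registrations[generate_domains("2010-03-06")[0]] = "botmaster"
    print("day 6 bot lands on:", resolve_c2("2010-03-06", registrations))
```

The asymmetry is the whole story of the Mega-D takedown: the defender has to hold every domain for every day, while the botmaster needs only one gap in that coverage.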

Of the top 10 botnets, Mega-D is the smallest, consisting of 50,000 members. That's not very many, considering it pushes out 11 billion pieces of spam daily. It's second only to Bobax, when considering spam per bot per minute. Mega-D's spam consists of advertisements for an online pharmacy and, of course, male-enhancement drugs.

7: Maazben

Maazben has been around only since June 2009, yet it is of special interest to researchers. It is the first botnet whose bots can operate either proxy-based or template-based. A proxy-based bot simply relays connections from the spammer's own mail engine, so the receiving server sees the bot's IP address and the real source stays hidden. Spammers prefer that mode, but it requires the spammer to connect in to the bot, which fails when the infected computer sits behind a NAT device. A template-based bot instead receives a message template and an address list and sends the mail itself, which works from behind NAT.

The dual approach must be working. Maazben is the fastest-growing botnet of the top 10, increasing membership five percent in one month. With 300,000 bots, Maazben spreads two and a half billion casino-related spam messages per day.

8: Xarvester (Rlsloup/Pixoliz)

Xarvester came into the picture after the McColo shutdown. Researchers feel the Xarvester botnet picked up a few customers from the closure. Researchers also see many similarities between Xarvester and the infamous Srizbi botnet, one of the botnets affected by the closing of the McColo data center.

Currently, the Xarvester botnet contains 60,000 members, sending out approximately two and a half billion spam messages a day. The email messages could contain spam for pharmaceuticals, fake diplomas, replica watches, and Russian-specific spam.

9: Donbot (Buzus)

The Donbot botnet is unusual. It is one of the first botnets to use URL shortening to disguise the destination of malicious links in spam, the idea being that a short, unfamiliar URL is more likely to be clicked. Donbot also appears to be divided into several independently run networks, each pushing a different type of spam.

Donbot has 100,000 members and sends out about 800 million spam emails a day. Spam content varies from weight loss drugs to stock pump-and-dump to debt settlement offers.

10: Gheg (Tofsee/Mondera)

Three things stand out about the number 10 botnet. First, almost 85 percent of its spam originates in South Korea. Second, Gheg is one of the few botnets that encrypt traffic from the command-and-control servers, using a nonstandard SSL connection on port 443 so that it passes for ordinary HTTPS.

Third, Gheg has options in how it sends spam. It can act as a conventional proxy spambot, connecting directly to the recipients' mail servers, or it can route messages through the victim's ISP mail server, which makes the spam appear to come from a legitimate customer and sidesteps blocks on outbound port 25. Gheg has 60,000 members and pushes out about 400 million spam emails daily, concentrating on pharmaceutical spam.
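
Two of the points above lend themselves to a detection check: the message-versus-recipient counting problem raised at the top of the article, and Gheg's choice between sending direct to recipients' mail servers or relaying through the ISP's server. The following added example (mine, not from the article or any vendor) summarizes constructed outbound port-25 flow records per internal host, counts messages and recipients separately, and flags a host that contacts many distinct mail servers (direct-to-MX spambot) as well as one that pushes an abnormal volume through the single ISP smarthost. The log format, the smarthost address 192.0.2.25 and the thresholds are assumptions; all addresses are from the RFC 5737 documentation ranges.

```python
from collections import defaultdict

# Assumed ISP outbound relay; a bot that sends through it looks like a normal customer.
SMARTHOST = "192.0.2.25"

# Constructed sample records: one line per outbound SMTP connection as a gateway
# might log it, with a count of messages and of RCPT TO addresses per connection.
SAMPLE_LOG = """\
2010-03-01T03:12:44 src=10.0.0.5 dst=198.51.100.7 dport=25 msgs=1 rcpts=40
2010-03-01T03:12:45 src=10.0.0.5 dst=198.51.100.9 dport=25 msgs=1 rcpts=35
2010-03-01T03:12:46 src=10.0.0.5 dst=203.0.113.4 dport=25 msgs=1 rcpts=50
2010-03-01T03:12:47 src=10.0.0.5 dst=203.0.113.8 dport=25 msgs=1 rcpts=45
2010-03-01T03:12:48 src=10.0.0.5 dst=198.51.100.21 dport=25 msgs=1 rcpts=30
2010-03-01T09:01:02 src=10.0.0.7 dst=192.0.2.25 dport=25 msgs=180 rcpts=900
2010-03-01T09:05:10 src=10.0.0.9 dst=192.0.2.25 dport=25 msgs=3 rcpts=4
2010-03-01T09:07:00 src=10.0.0.9 dst=198.51.100.7 dport=25 msgs=1 rcpts=1
2010-03-01T09:07:30 src=10.0.0.9 dst=198.51.100.7 dport=443 msgs=0 rcpts=0
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; numeric values become ints."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for item in pairs:
        key, value = item.split("=", 1)
        rec[key] = int(value) if value.isdigit() else value
    return rec


def summarize(log_text):
    """Per source host: messages sent, recipients addressed, distinct SMTP peers.

    Messages and recipients are kept apart on purpose: five messages with
    40 recipients each is 5 by one count and 200 by the other.
    """
    stats = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "dsts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("dport") != 25:          # only outbound SMTP is of interest here
            continue
        s = stats[rec["src"]]
        s["msgs"] += rec["msgs"]
        s["rcpts"] += rec["rcpts"]
        s["dsts"].add(rec["dst"])
    return stats


def classify(stats, smarthost=SMARTHOST, max_mx=3, max_rcpts=100):
    """Label each host.

    - Many distinct peers other than the smarthost: the host is delivering
      direct to recipients' MX servers, which no ordinary desktop does.
    - Few peers but a recipient count far above normal: the host is pushing
      spam through the ISP relay, so destination diversity alone misses it.
    Thresholds are assumptions and would be tuned per network.
    """
    verdicts = {}
    for src, s in stats.items():
        direct_peers = s["dsts"] - {smarthost}
        if len(direct_peers) > max_mx:
            verdicts[src] = "direct-to-MX spambot"
        elif s["rcpts"] > max_rcpts:
            verdicts[src] = "relay-through-smarthost spambot"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, verdict in classify(stats).items():
        s = stats[src]
        print(f"{src}: msgs={s['msgs']} rcpts={s['rcpts']} peers={len(s['dsts'])} -> {verdict}")
```

Note that the smarthost rule only works if the relay is counted by recipients rather than by connections; counted by connections, the relaying bot in the sample is a single line and indistinguishable from a user sending a few messages.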

Grand total

Daren Lewis of Symantec keeps tabs on many of the botnets for MessageLabs and has come up with some startling numbers. Here are the overall statistics:

  • 80 percent of all spam is sent by these 10 botnets.
  • These 10 botnets send 135 billion spam messages a day.
  • Five million computers belong to the 10 botnets.

The statistics are probably worse now, as none of the spam-filtering houses report any reduction.

Final thoughts

Well, there you have it. I wouldn't get rid of spam filtering devices or services just yet. To make matters worse, I keep close tabs on anti-spam research and see no solution on the horizon.

[UPDATE]: I just received an email from MessageLabs. The research arm of Symantec released the February 2010 Intelligence Report, and it's full of valuable information. I thought it would be a good idea to share the link and mention some of the highlights.

The paper pointed out that Grum and Rustock are the current heavyweights, accounting for 32 percent of all spam delivered. The following figure (courtesy of MessageLabs) shows the output from the 10 most active spam-sending botnets. That's a lot of green (Rustock) and purple (Grum).

[Figure: spam output of the 10 most active spam-sending botnets, courtesy of MessageLabs]

Two additional notable statistics:

  • The number of spam email messages containing attachments has dropped to less than one percent.
  • The size of spam email messages has also dropped considerably. Spammers increasingly rely on image spam in which the image is reached through a link rather than attached, keeping the message body small.

MessageLabs notes that both changes reduce the size of each spam message, allowing the botnets to send more messages per minute.



About

Information is my field...Writing is my passion...Coupling the two is my mission.

188 comments
Ocie3

Of course, before concluding that a computer system is running malware, let alone a rootkit, you must have evidence that such is the cause of the problems that you have discovered (especially after you run several anti-malware scanners, and none of them find anything). But that is not a matter which will be addressed here.

GMER is a well-known tool for analyzing the Windows OS to determine whether malware, usually a "rootkit", is installed on a specific computer. However, if you are not an expert on Windows "system internals", then you must submit the GMER output for analysis, because it is unlikely to make any sense if you examine it. Unfortunately, sometimes you might not receive an acknowledgment, i.e., "yes, a rootkit" or "no rootkit". So I recommend GMER as a last resort, if only so that you do not waste their time analyzing the GMER output for a rootkit which may or may not exist, especially if it could be found by anti-rootkit software instead.

Note: many anti-malware programs can and do detect some rootkits, whether or not they can also remove them. Of course, if the program that you run doesn't find one, that does not mean that the rootkit cannot be detected by other software. Start by visiting the anti-Rootkit Forum: http://www.antirootkit.com/index.htm Their following "index" page has many links to pages on which a specific anti-rootkit program is described along with the hyperlink needed to download it: http://www.antirootkit.com/software/index.htm

F-Secure Blacklight is recently updated (although the index shows it is a beta release, I believe that it has been released from beta). Ice Sword is useful, but does not remove rootkits. It is necessary to run it before any malware infection of the system is suspected, since it looks for changes that might reveal whether a rootkit has been installed. Rootkit Revealer, Rootkit Detective and Rootkit Buster are among the programs that can detect rootkits, whether or not they can remove them.

There are two particular things to note when dealing with a rootkit:

(1) With regard to detection, in the final analysis, so to speak, none of the utilities listed above are likely to find a rootkit which installs a kernel-mode driver, if that driver is properly written, because it will filter out all mentions of its processes and files. (Note: according to Microsoft, a kernel-mode driver is not allowed on a 64-bit Wintel computer system.) As far as I know, GMER is the ultimate resort that will gather Windows OS data that is needed to determine whether a kernel-mode driver has been installed; download it from: http://www.gmer.net/files.php

(2) Even if GMER or other software finds a rootkit on your computer, the only way that you can be reasonably certain that the rootkit will be entirely eliminated is to "wipe" the drive, with a utility such as Darik's Boot and Nuke (DBAN), then completely replace everything that you want on it from a "fresh", uncontaminated source. Consequently, many people do not bother to spend much time and effort to find whether there is a rootkit, especially if they can wipe the HDD and re-install the operating system, applications, utilities and data from a HDD image.

DT2

"...focuses on pharmaceutical spam. You know the kind. There must be money in this, as most spam botnets are involved with it to some degree." If they play a part in some form or other why aren't they taking some sort of initiative to stop it? Like - Not paying the bastards! Or, are they so unethical that they welcome the advertising? Doh! I think I just answered my own question...

desertcities

Has anyone noticed via social network sites, and matchmaker sites, a number of foreigners posing as friends and then getting the victim to click on a link or download a photo that then infects a system? I've seen this in many instances of total strangers outside the US infiltrating social sites and befriending other members just enough to gain some level of trust and then infect the other member. Whether this is planned and coordinated I don't know. But it sure seems like it is happening often. These days I've been using 'Returnil' as it creates a virtual system. So if I'm infected, I just reboot and nothing is saved to the disk. It also has a very good virus guard program too. I'm very pleased with this program so far.

KiloWatt1975

I was watching and signed up for a DC party newsletter. Now I get spam from people wanting a donation. Any idea if this is a SpamBot running amok in DC? I've unsubscribed many times. Thanks

greggwon

RSS and similar technologies are really where email should go. I should have to subscribe to a publication to have it end up in my mail box. Everything should be signed, and keys should be managed globally as in PGP etc. Of course the malware from web sites, breaking into broken browsers (hmm, why are people still using IE?) is still a problem, but some of the things that MS is trying to do with site "validation" and access limits help to allow a site identified as evil to no longer be accessible.

gassyandy

It is time the laws of our land are upgraded to include this kind of thing as a very serious crime and make the punishment fit. Perhaps life imprisonment as a minimum sentence will deter infraction. The laws should also include those who profit from this and the penalty should also be life!! WHY IS THIS NOT ALREADY A SERIOUS CRIME?

hakim_al

Hi, any logged public IP address by your firewall can be checked on http://www.trustedsource.org, you could know about its reputation, thanks to it, I generally categorize IPs to be blocked, Hakim.

dusty_reed

I think that a customer clearing house should be set up. It should contain the names of the botnet customers, i.e. various drugs etc. No one should buy any of that stuff, and refuse prescriptions that support the pharmaceutical companies that make it. In addition, an offender should have all of their products listed on line. If one checks and one of their drugs comes up, ask for one that is not their product. Mess with the money, and you control the beast.

levilan

That's one of the penalties / tax for using Windows, in addition to 700 billion dollars each year from losing data.

JCitizen

Ever thought of writing for Tech Republic? This is the most information about rootkits that I can remember! Of course I have missed many of Michael Kassner's articles, or maybe I wouldn't feel that way. :) I was surprised you didn't say rootkits do not install on 64 bit "yet", with emphasis on the (yet)! Or perhaps I'm misunderstanding once again?

Michael Kassner

Several reports from reliable sources that say the on-line enhancement drug business is well over a billion dollars US a year.

Neon Samurai

.. pretty much any opportunity to run a social engineering gambit on the target is a viable attack channel. Now.. you gotta check out this link a friend showed me... ;)

Michael Kassner

Do you have a spam filter? I would suggest a service like Red Condor. It's not that expensive per month and they check each e-mail thoroughly.

Neon Samurai

Though the existing subscription mailing lists are beneficial, I'd go so far as to suggest that things like subscribed publications should not be emailed out in the first place. Email should be for communications between two people similar to a phone; I don't get my monthly magazines delivered by phone and shouldn't have them dropped off by the e-mailman either. At minimum, converting mail servers over to encrypted email protocols only would be a welcome change, but a more drastic and effective change may be your RSS suggestion. If the publication is a regular subscription then RSS it on over. In both cases, unsolicited marketing/fraud email should be left out in the cold. My only complaint about site validation is that we're now having to ask permission from an unrelated third party when browsing. I shouldn't need to hand MS an ever-updated list of my browsing habits so I can feel safe when the URL bar turns green. I turn that crap off as it is now. If we abandon http in favor of https, that also goes away since we're now validating a website's certificate against an independent certificate authority, not a software developer with a vested interest. The trick is making the cert authorities vet applicants as they do now finally with the more expensive certificates and respond to those who gain a certificate from them for fraudulent use. Ideally a cert-based https system without requiring a third-party authority would be preferable, but I'm not sure how to do that yet.

sboverie

It is ironic that a new medium such as the internet is such a challenge for laws. The laws that are on the books can be used to prosecute internet thieves. The biggest hurdle is that it is hard to trace the criminal activity back to the perpetrators. It would stop a lot of the malware if the network protocols were redesigned to prevent spoofing and hijacking. It is too easy to strip off the headers and add a different header to cover the tracks with TCP/IP, an old protocol that is the default standard. I read that Spain has arrested suspects in the Mariposa botnet. What would be cool is if they could find the command and control codes and send out a command that would kill the infection, a program apoptosis, to really destroy the botnet instead of leaving malware installed. The laws that are being broken are fraud, theft, vandalism, trespass, conspiracy to commit fraud and theft, wire fraud and spying. There is no need to write new laws just because the medium of commerce is new. It would also help if there was an international agency that can work with different countries to investigate cybercrime. It is one thing to identify the country of origin and another to follow the trail into that country. This is a global issue.

Michael Kassner

Are the same people that have been making money forever in the shady underground. The Internet just makes it easier for them to not be physically involved.

Michael Kassner

The pharmaceutical industry is a very strong lobby though. You can tell that by what is happening with the health reform bills. Edit: Spelling

bostergaard

Thanks for the list. However, seems there are serious discrepancies in how these botnets are counted. The Register has this story today about: "The Mariposa botnet, which infected 12.7 million PCs, appeared in late 2008 and spread to more than 190 countries, the AP reported, citing researchers. The researchers that dismantled it first started looking at it in the spring of 2009". Maybe this should top the list - unless it's only used for DDoS activities and not spam. And what about the conficker botnet? Might one simple step be for either the PC firewall or the ISP to notify/quarantine users, if they were sending out masses more mails, say more than 100 mails a minute? Then it wouldn't be messing up the whole Internet.

brian

I've got some great little PHP exploits that hit me, should you need to be botted. Linux is becoming a bigger target every day, with everyone shifting to linux for their servers. Didn't you notice all of the recent patch updates to every tool known to man available on RedHat the past 4 weeks? It's usually something found in a library, which ripples across the entire platform of software tools. If you're not patched, you're a target now. Congratulations!

rpr.nospam

And I'd say the MS Windows OSes are so susceptible to malware mostly because user accounts have administrative rights by default. This was one of the worst design decisions in the software industry. -- rpr.

Ocie3

computer systems, I don't know whether there are any rootkits which would install on one of them, but I would suspect that there will be if there aren't any yet. However, the Microsoft Patchguard feature in all (?) 64-bit versions of Windows will not allow a kernel-mode driver to be installed. That only means that a rootkit cannot use that method to make its processes and files "undetectable". There are other ways and means for malware to hide, though. For example, there are so many possible, different collections of Windows OS files in C:\Windows and its subdirectories that it is possible for malware (not just rootkits) to "hide in plain sight". How would anyone know which ones are legitimate Windows OS files, which ones belong to "legitimate" installed programs and utilities, and which ones "do not belong"? Personally, I have never found any information that would answer that question.

Neon Samurai

The cure is far worse than the poison. Anonymity is the very basic DNA that makes the Internet what it is. TCP/IP should remain a platform-agnostic, protocol-agnostic, anonymized transport layer. Consider all the places where things would go very badly for citizens once anonymity is removed. Sure, the NSA and current political fluffing over "cyberwar" makes it look pretty and appealing until you give it deeper thought, but consider those who would be arrested and/or executed for expressing thoughts unsanctioned by their respective governments. Dissent is a healthy part of a functioning society. http://www.wired.com/threatlevel/2010/03/cyber-war-hype/ What we need instead is to improve the network protocols; kill off cleartext like http. Remove the anonymity at the user level, not the service provider or transport layers. If that email from Aunty Em isn't delivered by smtps, signed and encrypted by Aunty Em, then it's not legitimate. A final destination should be able to validate that the traffic came to them without modification from the originating source. This should not involve third parties, especially big business and control-addicted, myopically biased government.

Fokke Wierda

I sincerely doubt if the pharmaceutical industry is using botnets for its advertising. Be aware that tests by consumer organizations and the like have shown that products offered by spam e-mails generally are fakes. Pfizer would hit you hard if you publicly called for a boycott of their products without any proof of their involvement.

Michael Kassner

It's not around any more, as they arrested the botmasters. Mariposa was not a spam botnet, but an information-stealing botnet. It was very good at its job. Conficker in and of itself is not a botnet. It carries bot malware in its payload many times. In fact, Conficker is spreading Waledac right now.

arjanh

Application/OS integration is another reason. Nice way to escalate privileges. I never understood why I should browse with an OS....

JCitizen

for forcing developers to include at minimum, some form of malware. Usually standard types, so they can claim someone else off the internet did it. Even hardware firmware is compromised; and conveniently blamed on one bad employee or "criminal". I've had driver CDs listed as published in China, that are loaded with very tricky spyware, cloaked to look like simple ping probes. With ICESWORD, they could lay the blame on the originator. I'm pretty skeptical; like you say, if some good peer review comes out on the Register or Dark Reading, maybe I'll relax.

Neon Samurai

IceSword seems to remain a popular program though peer review of the source code would be better as would development by more than one person. I wouldn't consider the form of government the citizen has to live under the main factor for disqualifying it though I also wouldn't discount that fact either.

JCitizen

that is how it works, other than fighting data streaming and other obfuscation techniques. I understand it needs to be installed BEFORE infection, so as to more efficiently take the system snap-shot. I just can't trust any developer inside the PRC though. If he were from Taiwan it would be different(somewhat). Or if his code were open source, of which I am ignorant.

Neon Samurai

I'd love a daily Tripwire-type report on what files have been changed and modified on my Windows systems. I should put some time into that this week and see what's available outside of "what the enterprise will bear" pricing structures.

seanferd

If you spend any time in system directories. Of course, if you use an app that tracks installs, it will know if something doesn't belong.

Neon Samurai

A friend uses an old dos Dir alternative that doesn't rely on the usual system hooks. As a result, it displays the files and folders that you don't normally see using cmd.com/command.com's dir or the file explorer.

Neon Samurai

The mis-reading of your first comment may be my fault. Slippery slope and all that. It's just too easy for people to say "well, just remove all anonymity from the Internet" when that would destroy rather than improve it. Snarky trolling comments are par for the course. People are just as badly behaved in public, and crushing keyboard-courage wouldn't really change anything but the symptom. That's a social problem, not something needing a technological solution beyond the points systems employed by some forums. To stick with the example of the TR forums, a user reading the posts should absolutely not be able to identify the poster's private information. The reader should be able to verify that they are reading TR and that whatever hits their browser came from TR's servers (https). The poster should absolutely be able to verify that they are sending comments up to TR (https). TR should be able to confirm that the user has the minimum approval to post and treat the user's credentials responsibly (logged in over https). Governments, service providers and other third parties should not have access to the data stream (log retention demands, weak reasons for warrants). The time for cleartext protocols running on top of TCP/IP is long since past. HTTP, SMTP, POP3, FTP, TELNET; these need to be dragged out behind the barn and shot in the face. In terms of replacing insecure protocols with hardened updates, I'd agree fully.

sboverie

I read the article you linked, this is not what I am advocating. The article is about a congress critter's actions to change the internet to a Big Brother system. What I am advocating is a more secure update to TCP/IP to stop spoofing and other attack vectors. Your final paragraph is what I am advocating. There is a problem with people being anonymous; they tend to be snarky without fear of being held responsible. The goofy troll wars on this site and others is a good demonstration of bad behavior. I don't have a suggestion to deal with this kind of childish behavior. It wasn't anonymity that was the drive for the internet, it was information sharing. The internet is a new culture and it is like the old wild west. There are security issues with the way the internet works that are being exploited to the detriment of the majority.

JCitizen

I just don't have the stamina to sit and read on one subject for too long. Probably my Adult Attention Deficit syndrome! HA!

Neon Samurai

Reports seem to be averaging one botnet a week the last month or so. The Italian arrests and Panda take-down this week. MS taking out a botnet the week previous. I thought there was one the week previous to that but can't remember it offhand. Last month it was the kingpin of a black market website who joined his subordinates in jail time. All with good old-fashioned police work. Here's hoping for more.

Fokke Wierda

... boycotting the manufacturers of the products advertised in spam messages would lead to nothing and would probably backfire. And of course the spam problem would not be so huge if there weren't so many people stupid (or just naive?) enough to make spam-instigated purchases (including giving their credit card details to the spammers). The bad guys wouldn't go to the trouble of hiring programmers and buying the necessary hardware and bandwidth if there was no money in it. Mundus vult decipi. It's very hard to protect too-trusting people from themselves. But in the case of spam, there is the added factor of ever-increasing hindrance and extra cost for all those who would prefer to steer clear of this nuisance. I think a single successful approach to solve the problem is not possible. But busting the largest botnets - with a combination of legal, technical and other means - would be a major strike, deserving all the support it can get. Of course, it would have to be an ongoing operation, it would cost a lot of money and it should be a joint effort, not just of one company. In my opinion, that's unavoidable and we should support it.

Michael Kassner

Last year Cisco did a huge study about the economics of spam and it surprised me. There is a huge amount of money being spent on purchases instigated by spam. The other key thing is the bad guys want to get your personal financial information.

JCitizen

Too bad banking users would probably not respond well to a solution like that. I would think steady state would be a good alternative to encryption for Windows users. I like the USB idea, better than the LiveCD idea, but I must admit, for home users, they would probably lose the pen drive more likely than not. I lose mine all the time despite having lanyards on them!! I guess, I'm just too much of a gadget nut!

Neon Samurai

The ISO booted clean under a VM and I poked around, but from the user side, it really is just a series of boot messages followed by the Google Chrome browser GUI. I'll try it again with a later ISO release and see how it's maturing. The mention of USB did remind me of something similar though. I read an article on breaking LVM HD encryption about a month ago. Because the initial boot loader has to be unencrypted, just like a TrueCrypted HDD, an Evil Maid type attack is possible. The solution for this person was to put the system boot loader on a USB drive; the bits that must remain unencrypted remain with him on his keychain while the entire HDD in his machine can be fully encrypted. Access to the unattended machine would not result in a chance to drop malware into the boot partition.

JCitizen

I saw an advertisement somewhere calling for open source programmers to join the project back in November 2009. At least it will be an unlikely target for a short while I hope. I'm sure someone makes a similar program like DeepFreeze to lock down the OS in the mean time. I do like the idea of a ROM pen drive for devices that can boot to USB. Have you tried it yet?

Neon Samurai

I just hope they don't fork it too far away from the official kernel.org version as it'll become up to Google to maintain drivers and such which will inevitably limit what it will run on.

JCitizen

If netbooks are still on the market by that time. I plan on using it for banking. I was thinking it was supposed to be out by July or so?

Neon Samurai

There are two very closely related products: Chrome Web Browser and ChromeOS. Google Chrome is the web browser that anyone can download already. It's nice enough to use, has some good approaches to security. I think in the case of the current Windows Help vulnerability, it doesn't make much of a difference since Windows is still initiating the help process from the OS. (Google Chrome is actually built on top of Chromium, the OSS browser/engine, but that's a side note.) ChromeOS is a distinctly separate platform more closely related to the iPad from the user perspective. The user interface is what you see now as Google Chrome and the rest of the OS exists to boot the hardware and present that browser. They have some very interesting things in the information so far including the promised ability for a ChromeOS tablet to automatically reflash itself from a clean image off Google's servers. It's not available in a widely usable format as of yet so the security researchers haven't really had a chance to go at it and see where the holes to be patched are. I've not been following ChromeOS closely enough to offer much of an opinion though. Someone more involved may be able to help further if they happen past the discussion.

wdewey@cityofsalem.net

The new Google OS that people have been talking about is just a browser. How does it compare? Bill

Neon Samurai

A web browser being wired so deeply into the OS that it breaks the kernel and system if fully removed was bad enough. The latest is abusing the help system with malicious .hlp files that allow arbitrary code execution. Easy pwnage, just hit F1 and let the malware in through winhelp32.dll http://isc.sans.org/diary.html?storyid=8332
