Storm Worm Rising

← Back to Stories (view on slashdot.org)

Posted by CmdrTaco on Wednesday August 8, 2007 @03:33AM from the goggles-do-nothing dept.

The Storm worm has been an increasing problem in the last few months, but a change in tactics may mean something big is going to happen. The article discusses a bit of back story about the worm, including the somewhat frightening numbers about the millions of spam emails carrying the worm payload. They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.

18 of 218 comments (clear)

Min score:

Reason:

Sort:

How are these numbers calculated? by IndieKid · 2007-08-08 03:37 · Score: 5, Funny

They estimate between a quarter and a million infected systems usable for spam or DDOS attacks. 0.25 to 1,000,000 is a pretty large range.

Seriously though, how does one go about estimating these numbers? Is it something as simple as an estimate of what proportion of infected e-mails are expected to result in an infected desktop? I doubt that would give a very accurate figure.
1. Re:How are these numbers calculated? by strongmace · 2007-08-08 03:48 · Score: 4, Informative
  
  Article says how they are calculated:
  
  "Joe Stewart, senior security researcher at managed security company SecureWorks, at the Black Hat conference. .....
  
  From the number of infected machines he's found, Stewart estimates that the Storm botnet could comprise anywhere from 250,000 to 1 million infected computers. And that raises questions, along with eyebrows. "
  
  --
  "If we hit that bullseye, the rest of the dominos will fall like a house of cards. Checkmate." -Zapp Brannigan
2. Re:How are these numbers calculated? by httptech · 2007-08-08 03:56 · Score: 5, Informative
  
  The estimate is based on the number of unique IPs we've seen attacking networks we monitor, coupled with our knowledge of how the Storm botnet works. We've seen up to 100,000 bots sending the attack (the ecard spam) in a single day. Storm is a multi-tiered botnet, meaning that not all the bots are tasked with sending the emails. Some are supernodes (first-tier), designed to serve up the ecard executables via HTTP and facilitate communication between the regular (second-tier) nodes. Another factor is that some second-tier nodes will never be seen attacking, since they may be behind firewalls that block port 25 outbound or at an ISP that is doing SMTP blocking, so they may be part of the botnet but difficult to count.
  
  In reality, the only source that can give you a precise count for the Storm botnet is the Storm controller - and he/she's not talking. So we do the best we can at estimating its size given the data available.
3. Re:How are these numbers calculated? by ObsessiveMathsFreak · 2007-08-08 04:08 · Score: 5, Funny
  Seriously though, how does one go about estimating these numbers?
  
  1. Roll 2D6
  2. Take the number rolled, and multiply it times the number of worm messages that have arrived in your inbox.
  3. If your computer is actually infected, square the result.
  4. Play a game of Solitare
  5. Add your final score to the result
  6. Divide the result by your Boss's vigilance.
  7. Make a saving throw against discovery, and multiply the result by 1000
  8. Round up to the nearest 100,000
  9. Publish
  10. Profit!
  
  Lower bounds are trickier as they will require you to actually care about what you're doing.
  --
  May the Maths Be with you!
Naked teens attack home director by tttonyyy · 2007-08-08 03:40 · Score: 5, Informative

Now I've got your attention worm style, click this link for more information:

http://en.wikipedia.org/wiki/Storm_Worm

--
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
More information by apachetoolbox · 2007-08-08 03:42 · Score: 4, Informative

http://en.wikipedia.org/wiki/Storm_Worm

...names ranging from "postcard.exe" to "Flash Postcard.exe,"...

Shouldn't everyone be blocking .exe attackments at the MTA? Also look for a service running called wincom32 on infected machines.
that is why by clubhi · 2007-08-08 03:45 · Score: 5, Funny

That is why I always do my online banking BEFORE I browse for porn
Maybe there's a silver lining here... by Novae+D'Arx · 2007-08-08 03:47 · Score: 5, Interesting

I dunno - maybe this is what we need ~ a botnet big enough to do some real damage could actually catalyze some public awareness. Imagine if they DDoS'd MS, or Amazon, heck, Google? Maybe these guys (esp. Google) could handle this kind of slamming, but they've got lobbyists now. I really wouldn't mind seeing a well-funded FBI task force with the express purpose of rooting out botnets and going after their creators. Yeah, yeah, most of them are not on US soil. I know. However, imagine legislation that actually required the disconnection of infected bots from an ISP until it was cleaned, and a public awareness campaign that painted users who allow this to happen as idiots, and the ISPs as protectors of the rest of the internet users. Most people are concerned that there would be a backlash against the ISPs and they would stop complying for fear of loss of business, but that's where the legislation comes in. It's a quarantine situation - just like IRL, if you've got something nasty and contagious, the CDC can legally quarantine (forcibly, if you're an idiot like the TB guy) you because you're endangering the lives of others by going out and exposing them. Same thing here - don't give the botnets a chance to expand, cut them off, force a windows-cleaning (ISPs could offer a cleanup disk, $5.95 plus tax, or something, to help make it worth it for them - don't want to hurt the small ISPs, even though I think TW and the rest are bastards), and let them reconnect afterwards. Simple, painless, and will definitely make sure people learn their lesson for next time.
NO! by everphilski · 2007-08-08 03:47 · Score: 4, Insightful

Shouldn't everyone be blocking .exe attackments at the MTA?

NO! It's annoying enough that Google rapes through my .zip files looking for .exe's.

If I'm working on a c++ program at work and zip it up and gmail it home (lock the computer while it uploads) and forget to 'make clean' ... I don't get my code. I know its nitpicky and a make clean or a thumb drive will cure my problems but I'm forgetful which tend to preclude both.
Re:Removal Tool by ben0207 · 2007-08-08 03:49 · Score: 5, Funny

No fukcing way am I going anywhere near a site called Team Furry.

The goggle really might do nothing.

--
cmd-q.co.uk - some sort of stupid fucking internet bullshit
"The silent majority" is uninformed. by khasim · 2007-08-08 03:49 · Score: 4, Insightful

No. "The silent majority" believe that this is the way computers just "work".

They've been shown that in countless movies and TV shows and by "experts" on the news.

They're the ones you see claiming that Linux and Mac's will have the "same problems" as their market share increases.

With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.
1. Re:"The silent majority" is uninformed. by NickFortune · 2007-08-08 04:03 · Score: 4, Interesting
  
  No. "The silent majority" believe that this is the way computers just "work".
  
  More accurate, perhaps, to say that they think this is just the way computers don't work.
  
  There was a program on last week where they had a collection of self proclaimed grumpy old women listing things they hated about computers - and you know what? Every single complaint was not about computers per se, but about Microsoft software.
  
  There's got to be an opportunity in there somewhere for the FOSS movement. Imagine if we could convince the "I hate computers" brigade that what they mainly hate is Microsoft ...
  
  With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.
  
  That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.
  
  --
  Don't let THEM immanentize the Eschaton!
2. Re:"The silent majority" is uninformed. by Stefanwulf · 2007-08-08 06:10 · Score: 4, Insightful
  They're the ones you see claiming that Linux and Mac's will have the "same problems" as their market share increases.
  Out of curiosity, what aspects of the OSX/BSD and Linux architectures are going to stop:
  
  An uneducated user from executing a binary file they download from a URL they are given
  
  A process that user is running from executing further code with that user's privileges
  
  That user's processes from making outbound TCP/UDP connections
  
  That user's processes from accessing an SMTP server to send emails
  
  A user from configuring a process to run on logging in
  
  By my thinking, that's really all that's needed for a botnet to work on a given platform. I am certainly ignorant of many details regarding the BSD/Linux kernels and I stand ready to be corrected, but I believe I've seen all those things happening individually as part of day to day user life on my linux box.
3. Re:"The silent majority" is uninformed. by NickFortune · 2007-08-08 09:02 · Score: 4, Informative
  
  None of those things are with Windows itself though.
  
  No, but they are Microsoft though - which is what I said in the first place.
  
  Annoyances.org isn't the collection of old ladies you discussed
  
  You're right, I just used it as a loose example. I'd be more specific about the complaints, but I wasn't expecting a test, and I forgot to make notes. All I can do is report what I remember from the show.
  
  I'm willing to be quite a bit of /.ers post over there, so I doubt its unbiased.
  
  meh. It's a support forum, not an advocacy site. It's not so much "Microsoft sucks" as "what do I do when when the registry fills up?". You don't get a lot of penguin heads there because... well, because we all use Linux and it's a windows support forum.
  
  Annoying things are hardly a reason to HATE MS though.
  
  Hatred isn't a rational act, though, is it? I mean, most people don't wake up in the morning and say "now who shall I hate today? Who is the most rational target for my hatred?". It's not like that. On the other hand, there's no shortage of people who think "if that computer crashes and loses my document one more time today, it's going through that window..." My point is that a lot of the things I heard cited as inspiring this hatred were typical MS grumbling points.
  
  And if it's a good enough reason to hate computers, it's good enough to hate Microsoft. It's just a question of education ;)
  
  I'd also have to think that the group would find a whole new slew of anoyances with Linux as well.
  
  Oh quite possibly, although the latest Ubuntu is getting very good in that respect. But they'd be spared the malware, and the viruses and the worms... which is the starting point for this discussion.
  
  (does YouTube work w/Linux?).
  
  Yes, perfectly. At least since flash 9 was released for Linux.
  
  --
  Don't let THEM immanentize the Eschaton!
4. Re:"The silent majority" is uninformed. by jez9999 · 2007-08-08 10:48 · Score: 4, Funny
  
  That is the last straw for me! I can't get cards from my "friend". I am going back to Windows where I can open cards.
  --
  Try to hack my 31337 firewall! [127.0.0.1]
  
  Yeah, you really should do; you clearly need a more secure OS than the one you're running now. I just hacked your firewall, and man have you got a lot of weird stuff on there. :-) You're lucky I'm not a black-hat.
  
  --
  == Jez ==
  Do you miss Firefox? Try Pale Moon.
Re:Removal Tool by jollyreaper · 2007-08-08 03:57 · Score: 4, Funny

http://www.teamfurry.com/wordpress/2007/07/19/suns hine-on-a-stormy-day/ I'm too scared to look. On a scale of goatse to tubgirl, how's it rate?

--
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
Military? by wytcld · 2007-08-08 04:25 · Score: 5, Interesting

It's well-known that the Chinese government has an active computer warfare department. A botnet on this scale is way beyond anything needed for mere industrial blackmail. But if you wanted to bring down large chunks of some nation's Internet quickly, without the attack coming from an obvious (and blockable) source, this would be a great weapon. Let's say you wanted to disable the Internet in Taiwan, or South Korea, or Japan, or all three, just prior to military action. Or let's say you wanted to disrupt financial markets to be sure that your intentional crashing of the dollar had maximal effects.

--
"with their freedom lost all virtue lose" - Milton
Re:Microsoft is going to lose big by jpop32 · 2007-08-08 05:24 · Score: 4, Informative

If they can't find a way to reach customers and get them fixes for the rampant insecurity of these machines that are compromised.

WTF are you talking about? RTFA, please. If you actually did that before funboying around, you'd notice that the program in question is not a worm at all, but a trojan. User has to manually run the attachment, probably clicking through a couple of dialogs practically begging him not to. But, since the user really, really _wants_ to see the cute kittens, or a naked celebrity, or whatever the trojan claims to be, trojan will be run. No OS can defend against the user being a sucker.

So, move along, please. Your tirade is totally off topic here.