Storm Botnet Is Behind Two New Attacks

We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.

Windows is inherently less secure

[argent]

the reason Windows gets hacked is because there are so many more MS machines than any other type of machine.

If that was the case, then why are Microsoft applications (like IIS) more often compromised than non-Microsoft applications even in areas where Microsoft is NOT dominant?

Windows is inherently less secure than most of the competition in a number of ways.

1. The Microsoft HTML control's use of ActiveX is inherently insecure and can not be fixed without breaking every application that uses the HTML control.
1a. This insecure design was deliberate and Microsoft fought the Justice Department to a standstill rather than change or replace it.
2. Windows requires a number of insecure services to run to perform routine operations.
2a. There is no way to force these services to be run local-only without using a firewall.
2b. This means that Windows Firewall has to be used to secure Windows to the same degree as a UNIX based system WITHOUT a firewall.
3. Windows document formats are still based on serialized COM objects. It's even possible for them to include serialized COM objects in XML files.
3a. Serialized COM objects can refer to or even contain insecure code that can be used for an attack.

The idea that any one of these three issues and theor consequent corollaries are accepted boggles my mind. The idea that they're defended by the claim that the only reason Windows is more often compromised is that it is more common...I can not conceive of the confusion in the mind that would lead to such a conclusion.

Re:Ha!

[WhatAmIDoingHere]

I think what he meant was you can install but not use the app while logged in as an Administrator account, encouraging people to log in as users.

Re:It's not just windows they're exploiting...

[inKubus]

Yeah, that link is just to an eggdrop-based bot. It connects to the irc channel and probably lets the next layer of the botnet know it's alive. This is one of many tools they use to fully exploit an open box. The bot probably has the ability to remote run commands. That script in the GP looked a lot like a human was doing the typing though, due to spelling errors, etc.

As far as xhost, You can get a free account too :). Storm is pretty scary, and there's bad people out there wanting to use your computing resources illegally.

Make sure you run logwatch and logrotate and md5 the logs when they rotate (and rotate frequently, like every minute). Then store the checksum somewhere innocent after rotating. Have logwatch automatically check the checksums on all existing logs and report on that also. hosts.deny everything but your own personal IP address (in hosts.allow) on all ports except those you need to do business. SSH ONLY, don't use telnet or other unencrypted connections. Don't allow root to connect from SSH. Don't allow su from ssh (if possible). Compile your own stuff (including your compiler), never run binaries. Use shadow passwords. Put all of your binaries on a read-only mounted partition, with /var /tmp on a read/write (this is pretty good to do if you have a stable setup, such as a web server). If you can't do that, break your services into virtualized boxes using Xen or VMware or something so you can quickly recover from a saved image if something does happen. Regularly nmap, nessus and satan your box for holes. Put a passive hardware sniffer between your box and the 'net to look for suspicious packets. Etc.

Most of this is duh stuff and easy to do, and you should have it written in your procedures for building a new box. I believe the NSA has some guidelines also.