Storm Worm More Powerful Than Top Supercomputers

Stony Stevenson writes to mention that some security researchers are claiming that the Storm Worm has grown so massive that it could rival the world's top supercomputers in terms of raw power. "Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity. 'We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see,' he said, noting he suspects the botnet could be as large as 50 million computers. 'That means they can turn on the taps whenever they want to.'"

Fine the technically illiterate

[ComradeSnarky]

They should write a virus that uses exploits to install stuff like Folding@Home etc. If people pose a nuisance/danger to others in real life they get fined/jailed, if they pose a nuisance/danger online by letting their computers be compromised then they should face "punishment" by "fining" them part of their CPU power.

Re:Fine the technically illiterate

[laparel]

Yea! Let's go fucking experiment on retards; since they're just "nuisance" to society we might as well make them our guinea pigs.

Re:Fine the technically illiterate

[TapeCutter]

"Fsck that, they should install a vaccine that makes the machine unbootable, and more or less requires a re-install and shutdown the system."

MS already offer a range of products that do just that, I hear they are very popular. :0

Re:Fine the technically illiterate

[fm6]

...if they pose a nuisance/danger online by letting their computers be compromised then they should face "punishment" by "fining" them part of their CPU power.

In other words, you want to punish people for not being geeks.

That sort of self-righteous bullshit is exactly how criminals rationalize their own misdeeds — such as botnets.

Re:Fine the technically illiterate

[fm6]

I would like to punish them for being naive and oblivious about the fact that a PC attached to a network is a complex responsibility.

So nobody but a geek should be allowed to have a networked computer? Not only is that morally absurd (punishing people for owning infestable technology is like punishing Pinto owners for buying a car that tends to explode), it would destroy the online economy. Off which more than a few of us make our livings.

If you want to start regulating who and what can or cannot connect to the Internet (you can't, it's not politically feasible to introduce such a rule, or practical to enforce it; but let's say you can) then you should ban all PCs from the Internet. People would only be allowed to access the Internet via network appliances like the Foleo, which are relatively resistant to malware because they don't support on-the-fly software installation.

Right now, you're sputtering and saying something that begins with "Why should I have to give up ...." Well dude, you just made a proposal that would have a lot of other people making similar protests. It's a lot easier to play social engineer when only other people are affected by your proposals.

Re:Fine the technically illiterate

[GooberToo]

According to the DoD, botnets pose a danger to national security. Accordingly, I just don't understand why the DoD, under the guise of national security, doesn't create their own worm which infects the systems which simply uninstalls its NIC driver. They can then change the screen saver, all found browser's homepage, and desktop to indicate the system has been removed from the internet for national security reasons because their system was infected. It should then instruct them to reinstall their system with a firewall installed before they reconnect to the internet.

By doing this they immediately stop both DoS and spam vectors. They alert the user owning the computer their computer has been infected. By simply uninstalling the NIC driver, they have not caused any long term damage. If they manage to annoy both the end user and ISP enough, one or the other is likely to do something to prevent recurring issues.

Obviously the botnet owner can attempt to prevent this but at least it turns into a cat and mouse game between the owner and the DoD. As such, the botnet owner must now spend resources protecting their harvest rather than exploiting its capabilities. So it seems like a win-win to me.

Re:Fine the technically illiterate

[Kpt+Kill]

Warning Foo.exe is try...[OK] Warning WinCom.exe is attempting to [Allow] Warning Internet Explorer is being told to [Permit] "Ahhh Finally, I can get to the internet. These pop ups are ridiculous." And this is the problem. To use the car analogy: It can blink and beep a million times that Red 'OIL' Icon, but unless you actually know or pay attention to that warning... well poof.

Re:Fine the technically illiterate

The idea that a clueless user should be fined part of their CPU power is just flat out wrong. If someone leaves their door to their house unlocked (even if accidentally) should they be fined with a burglary? How about you personally being fined with that burglary? Would you like that? I didn't think so. You think that computers are different than a physical residence? You are just plain stupid. Just because you think you have some knowledge in that area doesn't mean you have any right to walk in just because it is unsecured any more than you have the right to walk into an unlocked house or car or any other place. You should go to prison for accessing someone else's computer without authorization.

Re:Fine the technically illiterate

[tsm_sf]

Is there a reason we actually need tortured analogies for something as simple as this? We all get it. You may or may not agree, but bringing your car into the situation has to be the slashdot version of mentioning nazis in usenet.

Storm Worm - good name for sci-fi novel

[pzs]

Plot idea 1: Near future. Governments completely dependent on their IT infrastructure. Organised crime in control of huge botnet able to hold government to ransom. With hilarious consequences.

Plot idea 2: Now-ish. Script kiddie unleashes attack using enormous botnet. Runs out of control. Becomes so deeply imbedded into internet that it's impossible to shut down without "rebooting" the whole infrastructure. With hilarious consequences.

Plot idea 3: Medium future. Internet and control of botnets becomes so intrinsic to society that governments have less importance than internet societies. Whole "countries" exist as virtual connections of affiliated machines. With hilarious consequences.

Any of the above would work well as a Hollywood movie given Angelina Jolie and lots of gratuitous and incorrect techno-babble.

Peter

Re:Storm Worm - good name for sci-fi novel

[arivanov]

Plot No 4.

A Government agency of a country whose main opponent is heavily dependant on the Internet finds the owner of the botnet and put a nice simlpe and utterly conventional 9mm gun to his head to surrender the keys to it.

A day later it uses this newly attained power to wipe out its adversary off the Internet map. While some internal company communication still occurs communication between companies which is mostly done over the Internet dies instantly. Stock market goes into a tailspin and the economy of the victim collapses into deep recession.

Considering the level of dependence USA and most NATO countries have on the Internet for day-to-day operation of their business infrastructure this plot is not far off in the future.

"Add the computers together"?

[gardyloo]

So this botnet rivals supercomputers for power as long as it's working on some purely parallelizeable problem. Like, for instance, sending spam messages.

Re:Threat to national security?

[jdogalt]

Any country whose top tech advisers aren't fans of battlestar, and thus know to keep all critical infrastructure independent of networked computers, deserves what it gets.

Re:Follow the money

As a side issue, how hard is it for an ISP to see an IP sending out the typical spam mail and closing off that IP/client. That may be dangerous ground. Show an ISP who can invade their users' traffic enough to sniff out a particular worm, and you'll have the **AA swooping in demanding that the ISP also sniff out illegal torrents, .gov insisting that their ability to catalog your pr0n collection is more important, bad parents insisting that the ISP filter out anything that might show their children a boob, etc.

Re:Threat to national security?

[MrMr]

I'd say this is a bigger threat than terrorism
You mean as bad as drunk driving, smoking, unsafe sex, lax gun-laws, police brutality, alcohol consumption, government corruption, cheap paint on toys, corporate fraud, poor personal hygiene, bad weather, poor infrastructure maintenance, racism, communism, capitalism, and being cruel to small animals for no particular reason?

Re:Co-opt it.. remove it.

[Colin+Smith]

No. The blame can largely by levelled at the purchasers.

Re:Not really like a supercomputer though

[ZachPruckowski]

Correct, but high-speed interconnects don't really matter for its applications.

• Sending spam is a fully parallel operation.
• Distributed Denial of Service is equally parallel. Once a bot has the instructions, it can run indefinitely (or until caught)
• Encryption cracking can be relatively parallel, especially with PGP - tell each computer to take a certain set of prime combinations to check.
• Click fraud is also distributable (tell bots to click on ads on site X once a day)

Additionally, many botnet operations don't involve the whole botnet. A few members of the botnet may be used for warez or pr0n storage, and which only involves computers working together to achieve redundancy. Also, the use of a botnet to allow for misdirection in tracking a hacker only requires the bots to be used serially.

Re:That 60s reassurance, "we can always unplug the

[Jerry]

here's not much we can do about it." (emphasis supplied)

Sure there is. 70% of the worlds websites use FOSS. 30% use Windows. Yet essentially ALL of the bots run off of infected computers in the 30% group.

Simply outlaw the use of Windows as an internet server and the problem will go away. Linux cannot be compromised by a simple email and it takes too much effort to create a harem of zombies by adding them one at a time via cracking.

Re:Co-opt it.. remove it.

[Richard+W.M.+Jones]

I think the real question is -- what are the FBI / police doing about it? There's a huge, ongoing, major crime happening, and there is apparently no police activity at all.

Rich.

Re:Not really like a supercomputer though

[TheRaven64]

Interconnects between nodes in a supercomputer are on the order of <1ms latency and >1Gb/s bandwidth. Interconnects between nodes in the Internet are on the order of 100ms latency and 1Mb/s bandwidth. While a highly distributed network might be okay for embarrassingly parallel problems, it doesn't come close for everything else.

Where's the investigation

[Tom]

Makes you wonder why the FBI and other police forces have enough resources to go after Joe sharing the latest CD release, but apparently not enough to do something about what probably is the largest computer crime in history.

I guess the answer has something to do with priorities. Which is exactly what I think the problem is.

monoculture problem?

[Gary+W.+Longsine]

I'm not convinced that the monopoly presence of Windows accounts for enormous Windows based botnets. There are what, something like 25 million Macintosh computers running Mac OS X, and most of those are running the same version of Mac OS X. That's a big enough pool, yet we don't see botnets on the Macintosh at all.

Suppose the market were evenly divided, 1/4 Windows, 1/4 Linux, 1/4 Macintosh, and 1/4 online game consoles that are always connected to the internet. Where would the botnets be hosted? Probably Windows. Botnets will begin to run on other platforms within about 48 hours after the security of Windows systems rises to a level equivalent to the other available platforms.

Re:monoculture problem?

[pe1chl]

The problem with Windows (recent versions) insecurity lies mainly in the user instead of the OS.
The basic design is quite good, but the average user spends his days working as an admin so all of the protection is effectively disabled.
It would be the same when all Linux users were working as root.

Usually a Linux installation procedure tries to convince you that you need a root acccount and a working user account, and often warnings are displayed when you try to use the GUI as root.
Similar things were tried with XP SP2 and more in Vista, but the users view it as a nuisance and there is a big demand for "solutions" to disable those popups that ask you to enter a password to do something stupid.

Probably when everyone switched to Linux, the same situation would arise, and it would not take long before similar botnets appeared.
Users are not interested in security. They don't see the need, and they hate the extra effort required.

Re:monoculture problem?

[RzUpAnmsCwrds]

Suppose the market were evenly divided, 1/4 Windows, 1/4 Linux, 1/4 Macintosh, and 1/4 online game consoles that are always connected to the internet. Where would the botnets be hosted? Probably Windows. Botnets will begin to run on other platforms within about 48 hours after the security of Windows systems rises to a level equivalent to the other available platforms.

No, it would run on 1/4 Windows, 1/4 Mac, 1/4 Linux, and 1/4 your ass.

See, I can make up statements without any justification too! It's easy to say, "botnets exist because Windows is insecure". But that statement is unjustified and meaningless. If you want rational people (and not just Slashdot MS-hating drones) to believe you, you need to provide evidence of why Windows is less secure.

And FYI, I know for a fact that Mac OS X is full of security vulnerabilities. There have been several well-documented exploits. Everyone always says, "well every OS has holes". But of course that's the same logic you use to impugn Windows.

Re:monoculture problem?

[maxwell+demon]

Users are not interested in how their refrigerators work, either, but they work reliably for years. Computers should be able to work without users needing to learn all manner of ever-changing and imperfect rules for how to tell a phishing web site from a bank web site (and by the time they are looking at a web page it's too late anyway). Usually refrigerators are not linked to worldwide networks, and also the possibilities of misuse are rather limited.
A private Windows computer not connected to the internet is quite secure. It will never be part of a botnet, you'll get no viruses through mail on them (you may get an old-fashioned virus on disk or USB stick, though), nor will you get phishing mails. And even if your computer is virus-infected, you'll usually not directly affect very many people (basically those using that computer, and those you are swapping data with). That's already close to the refrigerator example.

A closer analogy to the internet-connected computer would be the car. If you want to drive a car, you have to obtain a driving license. To get that, you not only have to learn how to drive a car, but also a lot of rules needed so that you don't negatively affect others. There are rules about how fast you may drive at different road types, there are rules on behaviour at crossroads, etc. Also there are things on your car the usage of which you must learn, which are not really related to driving itself, but are only there to make sure you don't endanger yourself and others. For example, why do you need to learn how to use the direction indicator? Your car will perfectly turn left or right without it. It's not there to make the task of driving possible or easier, it's just there for safety. You'll have to learn those things despite them strictly speaking not being necessary for the act of driving.

Ok, one thing which differs from cars is that the threats of the network are changing. But that's not a fault of computers or the net, but that's because there's malice behind it. The same is true everywhere where malice is at work, be it investment fraud, selling overpriced crap, etc. It's not limited to computers or the net, but it's just a fact of life.

Re:Follow the money

[Opportunist]

I'm willing to take a few risks and take care of my own security to protect my liberty. I know, it's going out of fashion, but an old dog doesn't like learning new tricks.

Criminal Charges allright. But hit the right one!

[Opportunist]

This isn't MSs fault. The worm doesn't (only) rely on exploits. Yes, it tries to attach itself through exploits, but it does contain a "normal" infector as well. I'd wager, even without the exploits in question this would be a very successful one.

The culprit are simply morons who wield impressive computing power without a clue just what kind of digital "weapon" they have in their hands. Every system that's as old as XP is insecure out of the box. Take whatever Linux distry from 2001 and install it. I would guess you'd find an exploitable bug or two (I'd start looking for it in sendmail). The very first thing to do after installing a system is to update and patch it. That should be a given. Yet, how many people are still running on XP SP1? And it's only SP1 because it came that way. They installed it, jacked it into the box they got from their ISP, opened it up until it "worked" and that's how the box is running now, essentially with the security makeup WinXP had in 2002. That this cannot be secure is a given, but not because it's from MS. Simply because in the meantime bugs have been found and exploited. And fixed.

But if the fixes aren't applied, the system remains exploitable.

So if you want to blame anyone for the success of malware like the Storm trojans/worms, blame the people who attach unpached, unsecured machines directly and without any kind of security suit or firewall whatsoever to the internet.

Re:Is this a stuipid question?

[JacksBrokenCode]

If they were forced to provide routers instead with basic nat firewall would this not block worms from getting in no matter how unpatched the systems were behind the firewall?

It would block unsolicited inbound worms, but it wouldn't do anything to protect the stupid people who click the link when their email says, "Dude, your face is all over the web! www.youtube.com/watch?v=YBUImjOCg5g

The biggest problem is, and always will be, humans doing stupid human stuff.

Re:Threat to national security?

[SoulRider]

They should and they are not, what does that tell you?

It's not a car

[TheLink]

A computer is NOT a car. And I actually don't blame the users.

Because in my opinion things can actually be a LOT safer.

After so many decades and billions of dollars (in time and real money) all we end up with is a few Unix reimplementations and Microsoft Vista?

Stuff like SELinux is nice, but it's still not "Aunt May" friendly.

What would be good would be something like "sandbox templates". Apparmor is close but not close enough.

While there are zillions of apps, there are a LOT fewer categories of common/popular apps in terms of the permissions and privileges they require.

So I'm saying a real Desktop OS should have a few preset sandbox templates.

Then you have an app request to be run under one of those templates.

And if the app is untrusted the user gets a prompt like "Random Game Someone Emailed" requests "Temporary/Guest Game Privileges"- Allow? Yes/No/Yes and always/More...

And "Guest Game Privileges" would provide a tempory storage (that's just for that app), sound access, windowed graphics (always has a border - so you know whether it really exited or not go figure why ;) ), no network access, no access to "My Documents", no access to microphone (eavesdropping).

Even if the game tried to do something naughty the O/S would prevent it.

Whereas if the game requested "Full System Install Privileges" (with the associated big exclamation marks, and big red warnings, requirement of Admin password etc), I'm sure you can easily train your "Aunt May" to not ever click Yes to such stuff.

Naturally O/S makers like Microsoft could do things so that certain signed programs can optionally run without such inconvenient prompts ;).

But instead after all these years we have Vista UAC, SELinux or the usual situation of the user having to guess whether something is safe to run or not, which is just as silly as asking "grandpa joe" to solve the "halting problem" - will browsing this website/opening this email turn my machine into a worm infested zombie?

You can say "they shouldn't run anything" - but that's being silly. They want to run their browser and their email app, and I personally think that's reasonable, and at the same time I don't think their web browser should have read access to their personal documents - it should just have "browser access".

Yes, what I'm asking for is hard, but I believe what I'm asking for is far more reasonable than what the O/S people are in effect requiring their users to do - solve the halting problem.

I doubt the Linux distros could pull it off (most can't even decide on a desktop ;) ), but Apple or Microsoft (haha) might.

Re:STILL NOT A WORM

> How this got so large is a pretty sad commentary.

Indeed it is. Why modern desktop mail clients are still configured to display HTML email in 2007 is beyond explanation. Obviously I'm missing something because HTML and images could always be sent as attachments without increasing the size of the actual message text by 20k.

HTML email - thanks for all the phishing, spam and viruses; worst idea ever!

Could Botnets break encryption?

[FutureDomain]

I always wondered if a botnet could get large enough to effectively break encryption.
The only reason AES, RSA, and other algorithms are considered secure is the extremely large amount of time or processing power needed to brute force them. But with a "distributed supercomputer", a botnet operator could potentially brute force the keys, like those protecting Microsoft's driver signing, bank SSL certificates, and even the keys used by certificate authorities.

Breaking them could allow hackers to forge certificates, fake driver signing, sniff bank transactions, and circumvent other security measures. Even TrueCrypt is vulnerable if the encryption keys can be brute forced. With enough processing power, hashing algorithms are potentially vulnerable too; like those used for passwords.

Encryption is so heavily relied on by the computer industry that successful key breaking could cause lots of security problems. The only way to mitigate possible attacks is to use stronger encryption algorithms, use longer keys, and to use multiple encryption layers instead of relying on a single algorithm's strength.

~~FutureDomain~~

Re:Threat to national security?

[rastoboy29]

You're assuming they actually want to fix the problem.  MS knew that Outlook automatically executing binary attachments was a bad idea for about...10 years before they fixed it.  Clearly, this is not what they want.

I'll leave the conclusions to draw from that assumption as an exercise for the reader.

Re:Block tcp/25

[dkf]

It's a bit harder in a self-managed datacenter, like the one I work at. Plenty of exploited Linux boxen there, too, by the way. Not necessarily rooted, but quite, quite exploited. (PHP, MySQL) It's not harder. You can still block outbound tcp/25; there's nothing special about Linux boxes (or any other kind of computing kit) that means they have to be able to send email directly...