Slashdot Mirror
Storm Worm More Powerful Than Top Supercomputers
Stony Stevenson writes to mention that some security researchers are claiming that the Storm Worm has grown so massive that it could rival the world's top supercomputers in terms of raw power. "Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity. 'We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see,' he said, noting he suspects the botnet could be as large as 50 million computers. 'That means they can turn on the taps whenever they want to.'"
Where's Paul Atredies when you need him?
They should write a virus that uses exploits to install stuff like Folding@Home etc. If people pose a nuisance/danger to others in real life they get fined/jailed, if they pose a nuisance/danger online by letting their computers be compromised then they should face "punishment" by "fining" them part of their CPU power.
Imagine a beowulf clus.... never mind.
Anonymous Coward: "This is slashdot. Accuracy is second class citizen here, unlike King Bias."
I just don't see why if 1) there are known decompiled versions of it and 2) the network activity can be monitored. why 3) Hasn't code been written to exploit the 'sploit and shut them down. Something that infiltrates, but keeps them running for - oh, say a week - while the exploit percolates through the system, and then kills and patches the running process.
meh
Plot idea 1: Near future. Governments completely dependent on their IT infrastructure. Organised crime in control of huge botnet able to hold government to ransom. With hilarious consequences.
Plot idea 2: Now-ish. Script kiddie unleashes attack using enormous botnet. Runs out of control. Becomes so deeply imbedded into internet that it's impossible to shut down without "rebooting" the whole infrastructure. With hilarious consequences.
Plot idea 3: Medium future. Internet and control of botnets becomes so intrinsic to society that governments have less importance than internet societies. Whole "countries" exist as virtual connections of affiliated machines. With hilarious consequences.
Any of the above would work well as a Hollywood movie given Angelina Jolie and lots of gratuitous and incorrect techno-babble.
Peter
At some point the flow of money will have to converge in a meaningful way, that should help picking up a few scalps. Of course, it's probably going to be like beheading a hydra. Welcome to the net-mafia.
As a side issue, how hard is it for an ISP to see an IP sending out the typical spam mail and closing off that IP/client.
Perhaps now is a good time to push for better adoption of SPF (though surely RMX would have been faster to implement?)
So this botnet rivals supercomputers for power as long as it's working on some purely parallelizeable problem. Like, for instance, sending spam messages.
Isn't this so large that it should be deemed a threat to national security? Not just to one country's national security, but ANY country's. Shouldn't there be a half dozen senior analysts from a few different countrys and from NATO HUNTING the people that control this thing and figuring out how to neutralize it?
Why hasn't Microsoft added Storm to its Malicious Software Removal Tool?
In the 50s, 60s, 70s when there was science-fiction-inspired angst about the possibilities of computers taking over the world, the standard reassurance was that "after all, we can always unplug them." And I believe there was an SF story or two about how a computer could put up resistance to being unplugged. And of course everyone remembers the heartrending scene in 2001, A Space Odyssey when Dave shuts down Hal by physically ejecting Hal's logic modules.
It's funny how things work out:
"If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." (emphasis supplied)
So much for "we can always unplug them," eh?
"How to Do Nothing," kids activities, back in print!
I was unable to find this worm in Gentoo's portage tree. When do we get our ebuilds? Yet again, it is a discrimination for all Linux people.
I'll tell you - as long as there are no worms for GNU/Linux, we won't see the masses converting to free operation system! RMS has to write a Gworm at last! If an open-source worm beats closed and proprietary Storm Worm this will be a clear indication of superiority of FLOSS!
wow
While it might be more powerful than machines on the TOP500 in terms of raw number-crunching ability, it lacks any sort of high-speed interconnect for message passing. The latency issue would make for poor benchmark results in most "supercomputer" type tests (Linpack, etc.)
-----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
Methinks such problems could be solved rather efficiently if Congress would exercise its Constitutional power to grant "Letters of Marque".
Can we get a "-1 Wrong" moderation option?
Makes you wonder why the FBI and other police forces have enough resources to go after Joe sharing the latest CD release, but apparently not enough to do something about what probably is the largest computer crime in history.
I guess the answer has something to do with priorities. Which is exactly what I think the problem is.
Assorted stuff I do sometimes: Lemuria.org
Why any person can't leverage the botnet for their own use? What it the "key" that allows the creator(s) to have exclusive access? If it essentially works like a peer-to-peer network couldn't you essentially "poison" the network with a few rouge nodes?
We go through this every time this subject comes up.
It would be EASY for ISP's to block outgoing port 25 connections. Some of them already do.
That means that the worm would have to send through the ISP's mail servers.
Which means that the ISP can easily monitor the NUMBER of messages sent by any user. No need to dig into everyone's email. Just look for the senders who are X% higher than the average.
And watch for sudden increases in a user's mail usage. It should be easy to establish a baseline for each account.
I do that where I work to watch out for dueling vacation replies.
,ad88888ba 88 88 88 888b 88 ,d "" 88 88 8888b 88 ,d
,8I
d8" "8b
Y8, 88 88 88 88 `8b 88 88
`Y8aaaaa, MM88MMM 88 88 88 88 `8b 88 ,adPPYba, MM88MMM
`"""""8b, 88 88 88 88 88 `8b 88 a8" "8a 88
`8b 88 88 88 88 88 `8b 88 8b d8 88
Y8a a8P 88, 88 88 88 88 `8888 "8a, ,a8" 88,
"Y88888P" "Y888 88 88 88 88 `888 `"YbbdP"' "Y888
db
d88b
d8'`8b
d8' `8b
d8YaaaaY8b
d8""""""""8b
d8' `8b
d8' `8b
I8, 8
`8b d8b d8'
"8, ,8"8, ,8"
Y8 8P Y8 8P ,adPPYba, 8b,dPPYba, 88,dPYba,,adPYba,
`8b d8' `8b d8' a8" "8a 88P' "Y8 88P' "88" "8a
`8a a8' `8a a8' 8b d8 88 88 88 88
`8a8' `8a8' "8a, ,a8" 88 88 88 88
`8' `8' `"YbbdP"' 88 88 88 88
Yes, nasty ASCII art.
Just in case you hadn't guessed (which it appears that the meeedia has not) - This Is A Trojan. Which means that it's Powered By Stupid People (tm). A worm would be Powered By Stupid Programmers (tm).
The Storm Worm is in fact already defined - It was an IIS worm. Please, feel free to look at the reputable AV lists.
I'm not convinced that the monopoly presence of Windows accounts for enormous Windows based botnets. There are what, something like 25 million Macintosh computers running Mac OS X, and most of those are running the same version of Mac OS X. That's a big enough pool, yet we don't see botnets on the Macintosh at all.
Suppose the market were evenly divided, 1/4 Windows, 1/4 Linux, 1/4 Macintosh, and 1/4 online game consoles that are always connected to the internet. Where would the botnets be hosted? Probably Windows. Botnets will begin to run on other platforms within about 48 hours after the security of Windows systems rises to a level equivalent to the other available platforms.
If you mod me down, I shall become more powerful than you could possibly imagine.
There's a reason why we only get 1-2 spam complaints (LARTs) per week. We aren't a source of spam. Spamming botnets are all but worthless on our network. Looking at the counters on the blocked outbound tcp/25 connections in our ACLs I literally seeing billions of hits per week. That's billions, with a B. Ba, Ba, B. Considering that we're a relatively small ISP, that's saying something. These spamming botnets would be far less useful to spammers if more ISPs took a stance and fought spam. That takes effort though.
Remember Amit Yoran? He was "cyber-security czar" at the US Department of Homeland Security. He started talking about the vulnerabilities implicit in Microsoft's software. His position was downgraded and he resigned in 2004.
Yoran's successor, Gregory Garcia, was a professional lobbyist, not a security expert.
By and large, servers are well maintained. And people seldom use them as their desktop machine. And server admins are usually too savvy to infect themselves with a trojan horse bundled in an email. And when they do get pwned, people notice because their infrastructure starts suffering.
With that in mind, the Storm Worm specifically doesn't infect Windows 2003 server - a deliberate decision on the part of the author, I'm sure. If you upset enough businesses, they'll devote enough money to the problem to fix it.
The problem is desktops. Specifically, Windows desktops in the hands of the technically illiterate.
Just connecting an unpatched Windows box directly to the internet is enough. It belongs to a hacker in very short order. Even if you patch it up, the sheer number of services running on your average Windows box that listen to network ports is worrying. Never mind being on the internet, with the number of laptops moving in and out of corporate networks, it's not even safe "indoors". And it's hard to turn a lot of this stuff off without adversely affecting it's functionality.
I wouldn't even trust a general-purpose Linux installation on the internet ; it's just too difficult to track all the potential vulnerabilities. I keep a dedicated firewall running in my router, and the only services it runs are network translation, and a secure shell for administration, which reduces the target footprint to two highly secured services which were designed to be secure in the first place.
Windows users don't help, they are daft enough to infest themselves with everything going. Even if they are not quite daft enough to double-click executable attachments, they will download all the worst sorts of "Freeware" and click straight through the license agreement. Not only are they pwned, they actually agreed to it!
A case in point - one of our accountants was mailing around an executable Flash package (some kind of novelty). I deleted it instantly, and made a point of telling her that it could have been anything and done anything. Ten minutes later, I mailed her a VB executable decorated with the Flash icon. All it did was plonk up a dialogue box which said "Erasing hard drive". Somewhat predictably, she executed it. I almost pretended that I didn't send it and that it was a virus that emailed it.
The root problem is the design of Windows and windows applications.
1) Double-click to open OR execute
This isn't all Windows fault. People don't make a distinction between running a program and opening a file, because there isn't one in terms of the user action required. I'm willing to bet that the average user doesn't even understand the difference. If you had to perform a different action from double-click to execute programs, viral infection rates would drop enormously. You could still keep the d-click to open files with their registered program, just stop running programs themselves by this method. You've not lost the convenience of file-association. Just put "execute" on the context menu and make it a non-default action.
2) No executable flag in filesystems.
In Linux, a file isn't executable until you grant it permission to be so. If you had to open the permissions dialogue and check the "executable" box, it would hammer home the difference between executables and mere content. And by making it something more than a casual action, it would reduce the "impulse" running of many of these things, where people have their caution overridden momentarily by the promise of naked flesh or other inducements. Heck, you can even have whole filesystems that refuse to execute files - download all internet content into one of these and before you run it, you'll have to unpack it, move it to an executable folder, and check it's execute bit. This would seem too much work for the average Joe for a quick glimpse at Jessica Alba with no bra...