Slashdot Mirror

← Back to Stories (view on slashdot.org)

Storm Worm More Powerful Than Top Supercomputers

Posted by ScuttleMonkey on from the spamalot dept.

Stony Stevenson writes to mention that some security researchers are claiming that the Storm Worm has grown so massive that it could rival the world's top supercomputers in terms of raw power. "Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity. 'We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see,' he said, noting he suspects the botnet could be as large as 50 million computers. 'That means they can turn on the taps whenever they want to.'"

32 of 390 comments (clear)

  1. Massive storm worm? by EveryNickIsTaken · · Score: 5, Funny

    Where's Paul Atredies when you need him?

  2. Fine the technically illiterate by ComradeSnarky · · Score: 4, Insightful

    They should write a virus that uses exploits to install stuff like Folding@Home etc. If people pose a nuisance/danger to others in real life they get fined/jailed, if they pose a nuisance/danger online by letting their computers be compromised then they should face "punishment" by "fining" them part of their CPU power.

    1. Re:Fine the technically illiterate by QMO · · Score: 5, Funny

      Folding@Home is the biggest waste of time on the Internet without exception. It's worthless.
      Not quite. Don't forget World of Warcraft.
      --
      Exam 4/C again. Maybe I'll do better this time.
  3. Imagine... by nuclearpenguins · · Score: 5, Funny

    Imagine a beowulf clus.... never mind.

    --
    Anonymous Coward: "This is slashdot. Accuracy is second class citizen here, unlike King Bias."
  4. Co-opt it.. remove it. by bigattichouse · · Score: 5, Interesting

    I just don't see why if 1) there are known decompiled versions of it and 2) the network activity can be monitored. why 3) Hasn't code been written to exploit the 'sploit and shut them down. Something that infiltrates, but keeps them running for - oh, say a week - while the exploit percolates through the system, and then kills and patches the running process.

    --
    meh
    1. Re:Co-opt it.. remove it. by Anonymous Coward · · Score: 5, Interesting

      I'm not aware of any decompiled version. Storm detects when it's being run in a virtual machine and features heavy obfuscation and code morphing.

      I see storm as a monoculture problem, the blame can largely be leveled at Microsoft.

    2. Re:Co-opt it.. remove it. by ZachPruckowski · · Score: 4, Interesting

      In addition to the complexity of the Storm worm, most zombies are set to be self-patching, for exactly the reason you mention. Many trojans, worms, and viruses actually remove other threats (using a pirated version of Kaspersky's software) and generally install patches. Once the hacker has stolen your computer, he doesn't want someone else stealing it away from him.

    3. Re:Co-opt it.. remove it. by Richard+W.M.+Jones · · Score: 5, Insightful

      I think the real question is -- what are the FBI / police doing about it? There's a huge, ongoing, major crime happening, and there is apparently no police activity at all.

      Rich.

      --
      libguestfs - tools for accessing and modifying virtual machine disk images
    4. Re:Co-opt it.. remove it. by Abcd1234 · · Score: 4, Interesting

      Well, if the CPU virtualization is imperfect, it may be possible to detect either anomalies in the emulation, or by monitoring things like CPU cycle counters. And even if the CPU is emulated perfectly, you can also check for things like known bugs in peripherals, etc, which may not have been correctly emulated.

  5. Storm Worm - good name for sci-fi novel by pzs · · Score: 5, Insightful

    Plot idea 1: Near future. Governments completely dependent on their IT infrastructure. Organised crime in control of huge botnet able to hold government to ransom. With hilarious consequences.

    Plot idea 2: Now-ish. Script kiddie unleashes attack using enormous botnet. Runs out of control. Becomes so deeply imbedded into internet that it's impossible to shut down without "rebooting" the whole infrastructure. With hilarious consequences.

    Plot idea 3: Medium future. Internet and control of botnets becomes so intrinsic to society that governments have less importance than internet societies. Whole "countries" exist as virtual connections of affiliated machines. With hilarious consequences.

    Any of the above would work well as a Hollywood movie given Angelina Jolie and lots of gratuitous and incorrect techno-babble.

    Peter

    1. Re:Storm Worm - good name for sci-fi novel by sugarman · · Score: 4, Interesting

      Plot idea 1: Near future. Governments completely dependent on their IT infrastructure. Organised crime in control of huge botnet able to hold government to ransom. With hilarious consequences Vernor Vinge, "True Names", 1981

      Plot idea 2: Now-ish. Script kiddie unleashes attack using enormous botnet. Runs out of control. Becomes so deeply imbedded into internet that it's impossible to shut down without "rebooting" the whole infrastructure. With hilarious consequences. Pat Cadigan, Synners, 1991
      (for various versions of "script kiddie", I guess)

      Plot idea 3: Medium future. Internet and control of botnets becomes so intrinsic to society that governments have less importance than internet societies. Whole "countries" exist as virtual connections of affiliated machines. With hilarious consequences. Cory Doctorow, Eastern Standard Tribe, 2004

      Of course, the above are only approximations of the listed plots. Someone with a deeper knowledge might be able to provide a better match.

      Have you considered visiting your library? =)
      --
      --sugarman--
    2. Re:Storm Worm - good name for sci-fi novel by bytesex · · Score: 4, Funny

      As long as it means operating the escape key with one of Angelinas boobies, I'm all for it !

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
  6. "Add the computers together"? by gardyloo · · Score: 4, Insightful

    So this botnet rivals supercomputers for power as long as it's working on some purely parallelizeable problem. Like, for instance, sending spam messages.

    1. Re:"Add the computers together"? by nacturation · · Score: 4, Funny

      Is there some kind of standardized performance metric for sending spam messages? Of course there is: Libraries of Congress per second.
      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  7. Threat to national security? by ckedge · · Score: 4, Interesting

    Isn't this so large that it should be deemed a threat to national security? Not just to one country's national security, but ANY country's. Shouldn't there be a half dozen senior analysts from a few different countrys and from NATO HUNTING the people that control this thing and figuring out how to neutralize it?

  8. Microsoft can help, but isn't by courtarro · · Score: 4, Interesting

    Why hasn't Microsoft added Storm to its Malicious Software Removal Tool?

    1. Re:Microsoft can help, but isn't by garcia · · Score: 4, Interesting

      Why hasn't Microsoft added Storm to its Malicious Software Removal Tool?

      Why don't more ISPs (like Comcast and Roadrunner) self-police their machines on a much more frequent basis and knock these customers offline? 99% of the limited spam and the massive amounts of trackback attempts, other web attacks, etc all come from residential cable connections.

      I know that Comcast can check their network for infected hosts and shut them off. They need to do a much better job of it.

    2. Re:Microsoft can help, but isn't by TheRaven64 · · Score: 4, Interesting

      Which is why you don't completely nock them off the net, you block everything except port 80, and redirect that to a site explaining how to get rid of the infection. For bonus points, you post them a bootable CD that will scan their machine and remove the infection through the post, so the virus can't intercept the antivirus downloads and break them.

      --
      I am TheRaven on Soylent News
  9. That 60s reassurance, "we can always unplug them" by dpbsmith · · Score: 4, Interesting

    In the 50s, 60s, 70s when there was science-fiction-inspired angst about the possibilities of computers taking over the world, the standard reassurance was that "after all, we can always unplug them." And I believe there was an SF story or two about how a computer could put up resistance to being unplugged. And of course everyone remembers the heartrending scene in 2001, A Space Odyssey when Dave shuts down Hal by physically ejecting Hal's logic modules.

    It's funny how things work out:

    "If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." (emphasis supplied)

    So much for "we can always unplug them," eh?

    --

    "How to Do Nothing," kids activities, back in print!

  10. Does this work on Linux? by Erikderzweite · · Score: 5, Funny

    I was unable to find this worm in Gentoo's portage tree. When do we get our ebuilds? Yet again, it is a discrimination for all Linux people.
    I'll tell you - as long as there are no worms for GNU/Linux, we won't see the masses converting to free operation system! RMS has to write a Gworm at last! If an open-source worm beats closed and proprietary Storm Worm this will be a clear indication of superiority of FLOSS!

    1. Re:Does this work on Linux? by 140Mandak262Jamuna · · Score: 4, Funny
      Here is the Linux compatible worm for you:

      A simple email message: "This is a linux virus. It works on the honor principle. Please forward the attached bash script to everyone in your .mailrc and then execute it. Thanks."

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Who'd have guessed that Windows can scale so well by Anonymous Coward · · Score: 4, Funny

    wow

  12. Re:Follow the money by Anonymous Coward · · Score: 4, Insightful

    As a side issue, how hard is it for an ISP to see an IP sending out the typical spam mail and closing off that IP/client. That may be dangerous ground. Show an ISP who can invade their users' traffic enough to sniff out a particular worm, and you'll have the **AA swooping in demanding that the ISP also sniff out illegal torrents, .gov insisting that their ability to catalog your pr0n collection is more important, bad parents insisting that the ISP filter out anything that might show their children a boob, etc.
  13. Not really like a supercomputer though by SpaFF · · Score: 4, Funny

    While it might be more powerful than machines on the TOP500 in terms of raw number-crunching ability, it lacks any sort of high-speed interconnect for message passing. The latency issue would make for poor benchmark results in most "supercomputer" type tests (Linpack, etc.)

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
  14. Where's the investigation by Tom · · Score: 5, Insightful

    Makes you wonder why the FBI and other police forces have enough resources to go after Joe sharing the latest CD release, but apparently not enough to do something about what probably is the largest computer crime in history.

    I guess the answer has something to do with priorities. Which is exactly what I think the problem is.

    --
    Assorted stuff I do sometimes: Lemuria.org
  15. Can somebody explain by CaffeineAddict2001 · · Score: 4, Interesting

    Why any person can't leverage the botnet for their own use? What it the "key" that allows the creator(s) to have exclusive access? If it essentially works like a peer-to-peer network couldn't you essentially "poison" the network with a few rouge nodes?

    1. Re:Can somebody explain by lightversusdark · · Score: 4, Funny

      a few rouge nodes

      This would cause a bleu screen of death on said rouge nodes.
      --
      "There is nothing nice about Steve Jobs and nothing evil about Bill Gates." - Chuck Peddle
  16. STILL NOT A WORM by Dibblah · · Score: 5, Informative

    ,ad88888ba          88  88  88        888b      88
    d8"     "8b  ,d     ""  88  88        8888b     88                ,d
    Y8,          88         88  88        88 `8b    88                88
    `Y8aaaaa,  MM88MMM  88  88  88        88  `8b   88   ,adPPYba,  MM88MMM
      `"""""8b,  88     88  88  88        88   `8b  88  a8"     "8a   88
            `8b  88     88  88  88        88    `8b 88  8b       d8   88
    Y8a     a8P  88,    88  88  88        88     `8888  "8a,   ,a8"   88,
    "Y88888P"   "Y888   88  88  88        88      `888   `"YbbdP"'    "Y888

                    db
                   d88b
                  d8'`8b
                 d8'  `8b
                d8YaaaaY8b
               d8""""""""8b
              d8'        `8b
             d8'          `8b

    I8,        8        ,8I
    `8b       d8b       d8'
    "8,     ,8"8,     ,8"
      Y8     8P Y8     8P   ,adPPYba,   8b,dPPYba,  88,dPYba,,adPYba,
      `8b   d8' `8b   d8'  a8"     "8a  88P'   "Y8  88P'   "88"    "8a
       `8a a8'   `8a a8'   8b       d8  88          88      88      88
        `8a8'     `8a8'    "8a,   ,a8"  88          88      88      88
         `8'       `8'      `"YbbdP"'   88          88      88      88

    Yes, nasty ASCII art.

    Just in case you hadn't guessed (which it appears that the meeedia has not) - This Is A Trojan. Which means that it's Powered By Stupid People (tm). A worm would be Powered By Stupid Programmers (tm).

    The Storm Worm is in fact already defined - It was an IIS worm. Please, feel free to look at the reputable AV lists.

    1. Re:STILL NOT A WORM by VENONA · · Score: 4, Informative

      Parent 100% correct. Though it's easy to see how people can be mislead, as even some of the security sites are calling it a worm. http://www.secureworks.com/research/threats/view.h tml?threat=storm-worm
      gives you some information on how it operates (as of 2/07, and the names of the executables you had to click on to infect yourself have probably changed since then)

      The original storm.worm (2001) attacked unpatched MS IIS servers, and actually was a worm.
      http://www.securiteam.com/securitynews/5DP0B0K4KG. html

      How this got so large is a pretty sad commentary. First off, it's proof that people will still click on attachments without verifying whether they're legitimate. I'm not convinced that any amount of training will ever stop this behavior. It hasn't worked over the *last* ten years, at any rate. Second, several virus scanners would have detected it, if they'd been kept updated. Thirdly, I've seen this running from within a couple of corporate LANs, which implies that even corporations don't always keep anti-virus software up to date, or monitor for P2P traffic, which IMO should very seldom be allowed on a corporate network.

      --
      What you do with a computer does not constitute the whole of computing.
  17. monoculture problem? by Gary+W.+Longsine · · Score: 4, Insightful

    I'm not convinced that the monopoly presence of Windows accounts for enormous Windows based botnets. There are what, something like 25 million Macintosh computers running Mac OS X, and most of those are running the same version of Mac OS X. That's a big enough pool, yet we don't see botnets on the Macintosh at all.

    Suppose the market were evenly divided, 1/4 Windows, 1/4 Linux, 1/4 Macintosh, and 1/4 online game consoles that are always connected to the internet. Where would the botnets be hosted? Probably Windows. Botnets will begin to run on other platforms within about 48 hours after the security of Windows systems rises to a level equivalent to the other available platforms.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  18. Block tcp/25 by macdaddy · · Score: 4, Interesting
    This is exactly why I, as the admin of an ISP, chose to block outbound tcp/25 at the edge with the only exception being the ISP's SMTP servers. I do this for all dynamically-assigned customers. Do you need to use a corporate SMTP server somewhere and they refuse to utilize the mail submission port (tcp/587)? Pay $5/month to get a static IP. Making the customer undertake a conscious effort with a monetary cost filters out the people who'll take any free service offered to them. The ones who really do need it are the ones who request it.

    There's a reason why we only get 1-2 spam complaints (LARTs) per week. We aren't a source of spam. Spamming botnets are all but worthless on our network. Looking at the counters on the blocked outbound tcp/25 connections in our ACLs I literally seeing billions of hits per week. That's billions, with a B. Ba, Ba, B. Considering that we're a relatively small ISP, that's saying something. These spamming botnets would be far less useful to spammers if more ISPs took a stance and fought spam. That takes effort though.

  19. Why nothing gets done about it. by Animats · · Score: 4, Interesting

    Remember Amit Yoran? He was "cyber-security czar" at the US Department of Homeland Security. He started talking about the vulnerabilities implicit in Microsoft's software. His position was downgraded and he resigned in 2004.

    Yoran's successor, Gregory Garcia, was a professional lobbyist, not a security expert.