Slashdot Mirror


Anti-Scammers Become Storm Botnet Victims

capnkr writes "It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet. Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well. Sounds like a massive, concerted effort against the folks who are fighting the good fight. Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."

207 comments

  1. Slashdotted by elh_inny · · Score: 5, Insightful

    Posting the info and having people slashdot the mentioned sites is not going to help them either :)

    1. Re:Slashdotted by MollyB · · Score: 3, Insightful

      To an extent, you are correct. But I got the impression from the Spamnation link (#4) that this has been going on for days. Heck, the Update on that site was dated Sept. 6. We only have n number of users. The Russians (read TFA) have lots and lots (technical term) of botnets and are assumed to be taking revenge on their tormentors. I think this trumps the slashdot effect, but that's just my opinion.

    2. Re:Slashdotted by LuminaireX · · Score: 1

      Botnet traffic may trump being slashdotted, but being slashdotted certainly isn't helping.

    3. Re:Slashdotted by bl8n8r · · Score: 1

      > Posting the info and having people slashdot the mentioned sites is not going to help them either :)

      *l* at this point, it's not going to hurt either.

      --
      boycott slashdot February 10th - 17th check out: altSlashdot.org
    4. Re:Slashdotted by History's+Coming+To · · Score: 1

      Because stopping "the Russians" using "our cyberspace" is like stopping those pesky Malaysians/Scottish/Venezuelans from breathing "our air"....

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    5. Re:Slashdotted by JackieBrown · · Score: 1
    6. Re:Slashdotted by History's+Coming+To · · Score: 1

      Thank you....I realised moments after posting, then debated whether or not to compound the problem by posting AGAIN to explain, but guessed people would probably get it.

      My bad. As somebody once said, "stupid is forever"

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    7. Re:Slashdotted by RockDoctor · · Score: 1

      The Russians (read TFA) have lots and lots (technical term) of botnets

      Actually, the technical term seems to be "customers". Viz - while the technical machinery for carrying out these attacks may have been designed and implemented by Russians, the motivation and the money would seem to be coming from Joe.Average.Spammer. Who is well-known and well-demonstrated to be American. (OK, being fair, there are significant others; the small European contingent might move the centre-of-spammicity off the America east coast, but the counterbalance of Chinese- and Korean- spambots would pull the centre-of-spammicity back to central or western America.)

      Sow; reap later. Doesn't some god-squad bullshit talk about that? Maybe Loki is on the throne currently and is enjoying pay-back time.
      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Have the bots scared everyone? by peripatetic_bum · · Score: 1

    Such that no one wants to say any...

    --

    Sigs are dangerous coy things

    1. Re:Have the bots scared everyone? by rwven · · Score: 1

      The Storm Worm Mafia!

  3. craigslist scammers by digitalsushi · · Score: 4, Funny

    I screwed with a craigslist scammer this week. It was sorta fun.

    http://digitalsushi.com/goraku/fakecheck/story.html

    Getting him to mail a check made out to "Pownd Uholot" was entertaining. :)

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    1. Re:craigslist scammers by Anonymous Coward · · Score: 0

      That mail from the "FBI agent" is gold :D Thanks for that

    2. Re:craigslist scammers by WhatAmIDoingHere · · Score: 3, Interesting

      You blew your load too quickly. The comedy comes from pissing them off and seeing how many hoops you can get them to jump through before telling them that you're just fucking with them.

      --
      Not a Twitter sockpuppet... but I wish I was.
    3. Re:craigslist scammers by digitalsushi · · Score: 1

      I was gonna tell him that my imaginary daughter spilled juice on the check, and then ask for another overnighted copy. But the scammer wasn't getting any more clever, and I just got bored with it, honestly.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    4. Re:craigslist scammers by modecx · · Score: 1

      Pownd Uholot... Classic!

      --
      Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
  4. Grey Hat solution by DigiShaman · · Score: 3, Interesting

    Aside from the legalities, perhaps Grey Hats round the world need to start developing "neuter-viri" (self replicating auto-patchers). These zombified machines have got to be defanged somehow, and fast.

    --
    Life is not for the lazy.
    1. Re:Grey Hat solution by snsr · · Score: 2, Insightful

      "neuter-viri" (self replicating auto-patchers).

      This is a great idea. I wonder how well this would be received - I guess ideally it wouldn't even be noticed.
    2. Re:Grey Hat solution by saskboy · · Score: 2, Insightful

      The authors would have to be extremely careful. If they include a bug, the results could be worse than doing nothing at all. And if they include a backdoor or auto-update feature, the blackhats could end up using machines with the auto-patcher infection instead.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    3. Re:Grey Hat solution by Evi1BastardFromHe11 · · Score: 4, Interesting

      What would this accomplish? The lusers have to be hit hard to start to care about what sort of malware resides on their machines. I would rather see a solution where someone exploits a hole in the Storm control implementation and distributes a disk shredding update to all nodes.

      50M dead HDDs would be fun in the oldschool spirit and at the same time would generate enough of fuss for people to start actually caring about security.

    4. Re:Grey Hat solution by budgenator · · Score: 4, Funny

      There was a great disturbance in the force, it was if 50 million zombies all died as one. Then suddenly they returned in their pristine and un-patched state, and then suddenly update.windows.com went super-nova and imploded into a black hole.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    5. Re:Grey Hat solution by Nintendork · · Score: 4, Informative

      Someone already did this to counter the Blaster worm. See Welchia. The problem with this one though is that it was flooding networks with ICMP pings, causing more network outages than the Blaster worm it was designed to fight.

    6. Re:Grey Hat solution by Joebert · · Score: 1

      That's the mindset that's getting Sony in hot water with rootkits.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    7. Re:Grey Hat solution by Anonymous+Brave+Guy · · Score: 3, Funny

      Ah, a plan with no drawbacks... :-)

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    8. Re:Grey Hat solution by Anonymous Coward · · Score: 3, Interesting

      That is because Welchia was poorly designed. A properly designed counter-worm would not actively seek out targets. Instead, it would patch the system and wait for an infected system to contact it, where it would then spread to that infected system.

    9. Re:Grey Hat solution by LordSnooty · · Score: 1

      This is the best idea yet. Or it could even disable the machine in some way that doesn't shred their data but prevents access until they find out what's going on - combine with a small bit of PR and I'm sure the media in countries like mine would cover it, after all this summer they've been resorted to running stuff like "Facebook under threat in patent storm". A huge slice of the public losing their machines would be massive news.

    10. Re:Grey Hat solution by guruevi · · Score: 1

      No, the Grey Hat's would have to include something that destroys the boot sector from the hard drive, then shut down the machine. All of a sudden, we would have a massive drop in power usage (saving the environment) and a whole lot of dumbasses that in turn will provide a job to low-wage Circuit City and Best Buy employees. I guess a lot of computers would just stay off because no-one knows that they are running.

      So to make it easy:
      1) Create or take over Storm botnet
      2a) (Optional): dd if=/dev/null of=/dev/hda count=2000 (I think that should do it)
      2b) Send "shutdown -h now" to all machines (I don't know the Windows equivalent, I don't use Windows)
      3) ???
      4) Profit!

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    11. Re:Grey Hat solution by Anonymous Coward · · Score: 0

      If only worms could be used for good. Add a more secure browser to the desktop or DOS RIAA/MPAA servers from peer networks and such. Or maybe do something to take out the most annoying spamming networks in addition to inoculating them from future threats. Unfortunately there's no sign of there being a "Cyber Robin Hood" worm operator yet...

    12. Re:Grey Hat solution by Anonymous Coward · · Score: 0

      I always wanted to write a system of taking down a bot by writing a program to set the system to boot to a file on the system that was a copy of damnsmalllinux, that basically just said "Your system is infected and was attacking other computers. To keep you from being sued by the people it was attacking, Windows has been disabled. No personal files were deleted or modified. See a computer specialist to recover your system and remove the virus infection."

    13. Re:Grey Hat solution by Anonymous Coward · · Score: 0

      Better to just replace their bootloader code with that. Using ~ 50mb for that is overkill when you could just prevent booting with the same message.

      If they have Windows, you can fix that with a Windows disc in recovery console (command is "fixmbr" or "fixboot" - can't remember which)

      If they have linux or something, likely they will know how to fix it.

    14. Re:Grey Hat solution by Lehk228 · · Score: 1

      Better to use time bombs using more efficient and aggressive search patterns, then a machine suicide scrambling the hard drive and if possible damaging hardware through software overclocking and other dark arts.

      The ONLY way to cause botnets and other infections to be taken seriously is to deprive the lusers of their porn, mp3s and possibly their hardware. A few crispy video cards, region-locked DVD players set to only play Japanese DVDs and corrupted documents will force them to buy at least basic security such as NAT firewalls and one of the plethora of internet security suites.

      --
      Snowden and Manning are heroes.
    15. Re:Grey Hat solution by Sigma+7 · · Score: 1, Interesting

      A properly designed counter-worm would not actively seek out targets. Instead, it would patch the system and wait for an infected system to contact it, where it would then spread to that infected system.

      This design of counter-worm is ineffective against worms that also patch the system against the vulnerability in question. While I don't know any names, such a design isn't far fetched.

      The only way to counter such a worm is to perform active scanning, even if it floods the networks. Of course, a gray hat designer would prefer a flooded network over a botnet - per minimal collateral damage guidelines.
    16. Re:Grey Hat solution by saskboy · · Score: 1

      But, if you give them DSLinux, then they have a web browser and uninfected system they can surf and webmail from!

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    17. Re:Grey Hat solution by Stradivarius · · Score: 1

      This is why ISPs are in the best position to deal with this issue. They can detect the vulnerable machine at a local level, upon accessing the ISP, rather than requiring scans that span (and flood) the network.

      Now, with the caveat that I've only given this a moment's thought, and I'm sure there are plenty of devils in the details, possible approaches:

      The ISP could periodically scan your PC, and could do it frequently because it's at a local level, such that the ISP is far more likely to be the first to detect the vulnerability (versus a worm that also patches the hole to protect the worm). If the ISP detects a serious vulnerability for which a patch exists, it could block all traffic inbound to that PC except from the patch servers (and maybe place you an automated voice call or voicemail letting you know this has occurred).

      Alternatively a subscriber could agree in advance that the ISP is allowed to exploit any such vulnerability for the sole purpose of installing the vendor-approved patch. (I suspect this may make some folks uncomfortable, and with some good reason, but those folks probably are already keeping their machines patched).

      ISPs could even sell this as a consumer-protection feature (you don't want your identity/credit cards/etc stolen off your PC, do you?). And it is, even though much of the benefit would come once enough ISPs started doing this to create herd immunity. And the ISP would benefit from reduced bandwidth usage, now that fewer machines are infected.

      Of course, all of the above assumes that it's economically worthwhile for the ISP to do this. It's not clear that would be the case. You would essentially be creating an immune system for the Internet, which could be costly to maintain, and for best effect you'd want all ISPs in on the action. So you've got a competition problem: all would benefit if all implement it, but if the cost is sufficiently high to outweigh the marketing benefits, then individual ISPs may see it as a competitive disadvantage to implement if others aren't doing it too.

    18. Re:Grey Hat solution by SomeoneGotMyNick · · Score: 1

      Firewall the rest of the world. What resources do you use to identify IP address ranges by country/region? I'd do the same thing if I had an accurate resource.
    19. Re:Grey Hat solution by TFGeditor · · Score: 1

      I use two ways:

      1. Resources such as http://www.apnic.net/db/ranges.html and http://www.iana.org/assignments/ipv4-address-space

      2. Build the list "manually" by checking originating IP addresses through the ARIN database http://www.arin.net/whois/

      Using the latter method, simply pasting the originating IP address (example, 116.24.118.9) into the search field yields that the address block 116.0.0.0 - 116.255.255.255 is administered by APNIC, and therefore "foreign" (to North America). So, simply block that entire range.

      Other foreign registries include AFRINIC (Africa et al), LACNIC (Latin America), and RIPE (Europe).

      Trust me, this kind of blocking really does work and is a viable tool for many North American mail servers--Karma be damned.

      --
      Ignorance is curable, stupid is forever.
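    An added example (not code from the post above or from any of the registries it names) of the second method TFGeditor describes: map a connecting address to the regional registry that holds its block, then turn every registry outside North America into a collapsed CIDR list a mail server or firewall can consume. Only the 116.0.0.0/8 -> APNIC row is taken from the post; the ARIN and RIPE rows use RFC 5737 documentation ranges as constructed stand-ins for real allocations, and the function names and the "allow unknown" policy are my assumptions.

```python
import ipaddress

# Constructed allocation table for this example. Only the 116.0.0.0/8 -> APNIC row
# comes from the post above; the two TEST-NET rows are RFC 5737 documentation
# ranges standing in for real ARIN and RIPE allocations, which you would pull from
# the registry listings linked in the post.
RIR_TABLE = {
    "APNIC": ["116.0.0.0/8"],
    "ARIN": ["198.51.100.0/24"],   # constructed mapping, not a real allocation
    "RIPE": ["203.0.113.0/24"],    # constructed mapping, not a real allocation
}

# Registries whose address space the mail server is willing to accept from.
ALLOWED_REGISTRIES = {"ARIN"}


def compile_table(table):
    """Turn the string table into (registry, network) pairs, longest prefix first."""
    pairs = []
    for registry, prefixes in table.items():
        for prefix in prefixes:
            pairs.append((registry, ipaddress.ip_network(prefix, strict=False)))
    # Longest prefix first so a more specific assignment wins over a covering /8.
    pairs.sort(key=lambda p: p[1].prefixlen, reverse=True)
    return pairs


def lookup_registry(ip, pairs):
    """Return the registry responsible for ip, or None if the table does not cover it.

    A malformed address string raises ValueError from ipaddress; callers that read
    untrusted log input should catch it rather than let one bad line abort a run.
    """
    addr = ipaddress.ip_address(ip)
    for registry, net in pairs:
        if addr in net:
            return registry
    return None


def decide(ip, pairs, allowed=ALLOWED_REGISTRIES):
    """Return 'allow' or 'block' for a connecting address.

    Addresses the table cannot attribute (private space, gaps in the table) are
    allowed: a region blocklist only blocks what it can positively attribute, and
    anything else is left to the usual spam filtering.
    """
    registry = lookup_registry(ip, pairs)
    if registry is None or registry in allowed:
        return "allow"
    return "block"


def build_blocklist(table, allowed=ALLOWED_REGISTRIES):
    """Collapse every non-allowed registry's prefixes into a minimal, sorted CIDR
    list suitable for a firewall rule set or an MTA access table."""
    nets = [ipaddress.ip_network(p, strict=False)
            for reg, prefixes in table.items() if reg not in allowed
            for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    pairs = compile_table(RIR_TABLE)
    for ip in ("116.24.118.9", "198.51.100.7", "203.0.113.9", "10.0.0.1"):
        print(ip, lookup_registry(ip, pairs), decide(ip, pairs))
    print("blocklist:", build_blocklist(RIR_TABLE))
```

    The /8-level attribution in the post is coarse: registries delegate space to each other and to providers at much finer granularity, so a production list should be rebuilt from the current registry data rather than typed in once, and the "allow unknown" default keeps a stale table from silently rejecting newly allocated space.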
    20. Re:Grey Hat solution by J0e3gan · · Score: 1

      You're absolutely right. For some users this is ideal.

      --
      Joe Egan
      MCP on XML Web Services with C#, MCSA, Security+, Network+, A+, Linux+
      http://j0e3gan.blogspot.com
  5. Going to need a bot-net to take out the bot-net. by snsr · · Score: 1

    Good to know that these sites have been effective; I had always been skeptical of them having any measurable effect. What's the next salvo?

  6. The counter-solution by EvilMonkeySlayer · · Score: 2, Interesting

    The counter solution to this is for a big company like Google, Yahoo, Microsoft (yes, Microsoft) to offer either their servers, hosting, bandwidth etc. to these sites that are quite evidently being successful against the scammers. Or at the least they could give the sites some cash injections to buy more capable servers, fatter lines etc.

    1. Re:The counter-solution by cpq · · Score: 1

      Or you can always get the idiot PC users who download .exe's, .pif's etc. from email and get them a bloody virus scanner. Anyone think of attacking that end instead of putting the site on a damn quad-core w/ GigE uplink?

    2. Re:The counter-solution by Joebert · · Score: 1

      These are corporations you're talking about, they're just happy the botnets' attention isn't on them. Why would they want to draw fire to themselves, what's in it for them ?

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    3. Re:The counter-solution by Joebert · · Score: 1

      Why would we attack them, they pay good money for all that hooplah.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    4. Re:The counter-solution by Anonymous+Brave+Guy · · Score: 2, Interesting

      What on earth makes you think people like Microsoft and Google don't get hit by these people?

      I have no data you don't, but I'd be amazed if no-one has ever threatened the richest IT companies in the world with outages if they don't pay up.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:The counter-solution by Joebert · · Score: 1

      If the portion of the botnet is attacking sites not on Corporation property, it's obviously not attacking Corporation property.
      Why do something to bring it to Corporation property, what's in it for them other than an increased workload ?

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    6. Re:The counter-solution by xtracto · · Score: 1

      Wasn't the "Make Love Not Spam" Lycos screensaver TRYING to achieve something similar? I remember it was widely criticised for what it was doing. I ran it for some time though.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    7. Re:The counter-solution by ncc74656 · · Score: 1

      What on earth makes you think people like Microsoft and Google don't get hit by these people?

      ...especially since Google wasn't working for me a few hours ago. I have to wonder a bit if they had also been hit by this botnet, or if someone else in the connection between there and here was hit. Everything else I tried (/., Yahoo, my own website, etc.) worked, but Google's search and reader pages timed out.

      (Google Reader is working now. Search works, too.)

      --
      20 January 2017: the End of an Error.
  7. Re:interesting by Anonymous Coward · · Score: 0, Offtopic

    Week 5: Mommy, now I've just started to develop a brain and only now does consciousness have a probability greater than zero of occurring. Mommy, how the fuck was I having that internal monologue during the first few days of my life? Oh wait, I wasn't, as I was just a non-sentient sack of chemicals.

  8. What next? by the_humeister · · Score: 1

    Hopefully these guys don't get assassinated.

  9. somebody needs to stop... by FudRucker · · Score: 0, Troll

    flooding the PC market with ms-windows PCs that never get updated or virus checked to clueless consumers...

    as long as msft & oem pc manufacturers are more interested in making a quick buck and the problems that go along with it are ignored this sort of thing is never going to stop...

    -if you mod this comment down it just buries your head deeper in the sand-

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:somebody needs to stop... by Constantine+XVI · · Score: 3, Informative

      Storm actually does install updates and checks for viruses on its victims. It just excludes anything that would make life harder on itself.

      --
      "I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
    2. Re:somebody needs to stop... by j00r0m4nc3r · · Score: 1

      How does it determine that an update is going to harm it? Are the update people really stupid enough to put "Removes Storm" in their list of patch features? It seems like Microsoft should start being responsible for helping to remove these sorts of botnets, and using trickier techniques to get its patches for stuff like this onto machines. Microsoft has caused these problems by shipping a faulty product. They should be dumping lots of resources into fixing this problem. Or get sued.

    3. Re:somebody needs to stop... by Anonymous Coward · · Score: 2, Interesting

      The GP's comment was saying that the storm worm will install windows updates to make it harder for OTHER viruses/worms to get into the system. I've even heard that it installs a pirated AV program to help 'protect' the zombified machine.

      As for your second point, don't be a troll. All software has bugs, microsoft is no different. If you bothered reading about this at all, you'd realize that most anti-virus products will detect and remove this worm. The people who are running windows without an anti-virus program are the same people who don't install windows updates (and the ones who ran 'game1.exe' from a random email). If Microsoft could create an 'ultimate patch' that would make Windows completely secure (stop laughing, there's a point to this), do you really think everyone would install it? There would still be worms and viruses, they'd just target the unpatched systems and prey on people who don't know enough about computer security.

    4. Re:somebody needs to stop... by piojo · · Score: 1

      Microsoft has caused these problems by shipping a faulty product.

      If Linux had 85% market share, I guarantee you that there would be Linux-based botnets running around. How? Find an application vulnerability that allows execution of arbitrary code. I hear about a few of these every year, and there would be more if Russia and China's most devious minds were dedicated to the task. To send spam, you don't even need to be root. If you want to hide your presence, you must be root, but that is easy on any moderately badly configured distribution that uses sudo (I'm thinking of popular distributions, here).

      Microsoft has made some design decisions that make it easier for a worm to get control of a machine, but it's an overstatement to say that the whole issue is their fault.
      --
      A cat can't teach a dog to bark.
  10. And just in case any site survives the DDOS attack by DrXym · · Score: 0, Redundant

    The submitter has helpfully provided the links to these sites so Slashdotters can finish the job.

  11. Solution??? by Glock27 · · Score: 4, Insightful
    Why have I seen several articles on this Storm worm, and yet no one seems concerned with how to remove it from systems?

    Is there a scanner and fix available? It does require executing an email attachment, right?

    It really shouldn't be called a worm unless it can worm its way in without social engineering...

    --
    Galileo: "The Earth revolves around the Sun!"
    1. Re:Solution??? by budgenator · · Score: 0

      Team Fury reports a removal tool called SunShine can remove the worm; of course, being a Linux geek rather than a Windows geek, I've no way to vouch for the tool, so if you toast your hard drive, you've been warned. YMMV.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    2. Re:Solution??? by an.echte.trilingue · · Score: 2, Insightful

      It is delivered as a Trojan. People don't discuss removal techniques because the answer is so painfully obvious that most here don't think it is worth mentioning. Norton, AVG, clamAV, any anti-virus on the market or available for free will detect Storm's various incarnations, and most of them will disable it. Problem is, there are just millions and millions of (Windows) users who don't bother with the most basic security.

      --
      weirdest thing I ever saw: scientology advertising on slashdot.
    3. Re:Solution??? by advocate_one · · Score: 1
      It usually comes as an email with an enticing subject line such as "xxxx has sent you an E-card" and inviting you to click on a link in the email to view the ecard...

      I'm expecting a wave of emails inviting the reader to "click here to see Vanessa Hudgens's naughty pics, the ones Disney tried to ban..."

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    4. Re:Solution??? by arkhan_jg · · Score: 4, Informative

      It is a backdoor trojan, not a worm - largely spread via email .exe attachments, but also installed by at least one other mass mailer worm, W32.Mixor.Q@mm.

      http://en.wikipedia.org/wiki/Storm_Worm
      http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99&tabid=2

      It's detected and removed by the usual array of anti-virus software (it installs a malicious device service %System%\wincom32.sys, that joins it to the private distributed P2P control network). However, it does also have capability to download additional malicious software, and has changed form several times.

      http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
      Currently the malware being downloaded is as follows:

      game0.exe: A downloader + rootkit component - detected as Trojan.Abwiz.F
      game1.exe: Proxy Mail Relay for spam which opens port TCP 25 on the infected machine - detected as W32.Mixor.Q@mm
      game2.exe: Mail Harvester which gathers mail addresses on the machine and posts them as 1.JPG to a remote server - detected as W32.Mixor.Q@mm
      game3.exe: W32.Mixor.Q@mm
      game4.exe: It contacts a C&C server to download some configuration file - detected as W32.Mixor.Q@mm

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    5. Re:Solution??? by Joebert · · Score: 4, Insightful

      This is exactly how people get infected.

      Who the fuck are you, & who the fuck is "Team Fury" ?

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    6. Re:Solution??? by Technician · · Score: 3, Interesting

      I got a bunch of those e-card emails several weeks ago. Knowing how my Ubuntu box is configured, I went ahead to see how the exploit works. The link is a very sparse page indicating a video download that will start automatically. If it doesn't, click here. The exploit uses both a script and social engineering. Firefox didn't start an automatic download on Ubuntu, so for grins I clicked the link. I was asked where I wanted to save e-card.exe. This exploit page was common to many e-mails indicating cards from my mother, relative, etc. I thought it interesting there was no information passed to load any kind of customized card like a real e-card. Also highly suspicious is the link was an IP address, not a URL. That move alone gets past filtered DNS services and a hosts file.

      By the way, the download in Ubuntu asking where to save it has a cancel button. I didn't download it to get a filesize. Sorry.

      I know I am not sending any extra data as part of this bot simply because my network switch sits right under my monitor. There is no unusual traffic here. I think everyone should be constantly monitoring their network traffic.

      Maybe MS and Ubuntu can make a traffic monitor that sits on the desktop by default. I know most people would ignore it thinking it is Limewire or Torrent traffic.

      --
      The truth shall set you free!
    7. Re:Solution??? by skeeto · · Score: 1

      Why have I seen several articles on this Storm worm, and yet no one seems concerned with how to remove it from systems?

      Yep, there is a patch that will remove the worm so that you will never get it again: here.

    8. Re:Solution??? by Anonymous+Brave+Guy · · Score: 4, Insightful

      Problem is, there are just millions and millions of (windows) users who don't bother with the most basic security.

      And the solution is for ISPs to cut off any machine that appears to have been compromised, and for ISPs to collectively isolate and cut off other ISPs that allow significant amounts of bad traffic out of their networks.

      I'm all for due process, but in cases like this, a real-time response is required and there isn't much doubt whether a machine/network is emitting significant amounts of bad traffic or not. You just have to make people get their own house in order, and if they don't, kick them off the Internet until they do.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    9. Re:Solution??? by an.echte.trilingue · · Score: 2, Interesting

      I hear you. I work for a small business, and we have our email handled by our ISP. They won't cut off other users who are spamming, and so their mail server is now starting to show up on spam blacklists. It is really embarrassing to have to call our partners and customers and tell them to check their spam box for our email, and then we are lucky if it is even there. We will be changing ISPs soon... I hope.

      --
      weirdest thing I ever saw: scientology advertising on slashdot.
    10. Re:Solution??? by TehZorroness · · Score: 1

      Precisely! Right now the internet is a terrible mess. It is much too easy to get away with atrocious abuse of network infrastructure (i.e. DoS, DDoS, botnets, spam etc. etc.). The ISPs truly don't give a damn. I have been the victim of a small handful of attacks over the years. I'll tell you the story you all already know. It is quite easy to be a complete scumbag on the net. Being DoSed is not at all a fun experience. It costs time, money, and inconvenience to put up with.

      If I plow through Main Street in a tank and fire shells through arbitrarily passing vehicles, I will have my license removed and will certainly spend some time in jail. On the internet, abuse goes unpunished. In my opinion, people who abuse network infrastructure should be quite simply suspended from that network. All ISPs should invest a lot more effort in a counter-abuse department which can actively handle reports from the public. As for those infected by botnets, they need to be pulled over and have a stern talking to before they are allowed back on the net.

    11. Re:Solution??? by freedumb2000 · · Score: 2, Interesting

      Also, all the IP addresses I did a lookup on resolved to a dynamic host address, so it looks like the infected machines are distributing the Storm files themselves to new victims with no central distributing server to shut down.

    12. Re:Solution??? by totally+bogus+dude · · Score: 1

      It's not even "Team Fury", it's "Team Furry". Trying to find something else to think about now...

    13. Re:Solution??? by Anonymous Coward · · Score: 0

      Why do you send through the ISP's servers?? None of the ISPs I know of block SMTP over TLS, so as long as you're not going over port 25 you're fine to connect to any mail host you want. Just have your mail server a dedicated host somewhere else, and use it that way.

    14. Re:Solution??? by Technician · · Score: 1

      Also, all the IP addresses I did a lookup on resolved to a dynamic host address, so it looks like the infected machines are distributing the Storm files themselves to new victims with no central distributing server to shut down.

      I noticed that also, but didn't mention it. Even though every e-mail had an IP address link, all the links were unique, but the content on the resulting pages was identical.

      --
      The truth shall set you free!
    15. Re:Solution??? by Anonymous Coward · · Score: 0

      ...of course, you won't be able to run SFA else either.

      -AC

    16. Re:Solution??? by arkhan_jg · · Score: 1

      Yup, spot on. The scary thing about this botnet - and why it's not been shut down - is it's using the Overnet P2P protocol to establish a private P2P command and control network. The updates and additional malware (including a rootkit, spam proxy and mass mailer) are delivered from other compromised machines on the network. Each zombie connects to about 30-50 other computers, thus making shutting it down or even getting a true estimate of its size virtually impossible. The method of infection also uses a number of vectors to try and infect PCs, from script exploits on the hosted pages to the old social engineering .exe file titles.

      The Storm 'worm' in and of itself is relatively harmless, but it provides the distributed method to spread and control a lot more nasties. What's rather scary is that just having an up-to-date virus scanner check .exe files before execution stops Storm entirely, and also removes its malware service. So all the compromised PCs are simply unprotected Windows desktop PCs. (It won't attack Windows Server 2003.)

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    17. Re:Solution??? by Tolookah · · Score: 1

      See, the thing is, many ISPs offer a free anti-virus package just for being their customer. It wouldn't be hard to redirect them to a page about the virus they may be infected with, and limit access to the internet to just a few AV websites (including a free solution). They just need to add something to that effect as a clause in the TOS that no one reads anyway.

    18. Re:Solution??? by Technician · · Score: 1

      just having an up to date virus scanner check .exe files before execution stops storm entirely

      Firefox on Ubuntu also does a nice job out of the box and does not require a credit card for a subscription. Even better, it's free. So are the updates.

      --
      The truth shall set you free!
    19. Re:Solution??? by Anonymous Coward · · Score: 0

      Sir, would you run your antivirus scanner (available for $5.49 per month if you don't have one) to remove this 'linux' thing and we'll get your connection back up in no time.

    20. Re:Solution??? by jimicus · · Score: 1

      Who the fuck are you, & who the fuck is "Team Fury" ?

      Wasn't that one of the teams you could play as in the game "Sonic Heroes"?

    21. Re:Solution??? by Joebert · · Score: 1

      I dunno, Sonic was a Sega character & I was a Nintendork.

      Probably explains why I go with Intel over AMD these days.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    22. Re:Solution??? by jimicus · · Score: 1

      Nah, "Sonic Heroes" postdates Sega giving up the console business and just developing games for other people's consoles. It's on the Xbox and PS2.

    23. Re:Solution??? by motokochan · · Score: 1

      There is actually a really good video up on YouTube that F-Secure posted. It shows how this is actually dynamically generated on the fly and the HTML page is customized based on the browser you use. It is really sophisticated stuff, actually, and likely took some clever coders to develop it.

    24. Re:Solution??? by motokochan · · Score: 1

      Sorry, I posted the wrong link. This is the correct link.

  12. so sad... by Anonymous Coward · · Score: 0

    if only someone had taken the time to teach Skynet love.

  13. Re:interesting by Anonymous Coward · · Score: 0, Offtopic

    I can hear that doctor again.

    Really. What with? No hearing system at that stage. Barely present nervous system and certainly nothing large enough to call a brain at the other end capable of interpreting the signals.

    Learn some basic science, creationism-boy.

  14. Re:And just in case any site survives the DDOS att by The+Ancients · · Score: 1

    Because we all know we're all too lazy to look for the links ourselves.

    Hmm. I'm not actually sure if that's true, sarcastic, funny, or what...

  15. Big deal? by machinelou · · Score: 1

    Doesn't that seem like a poor allocation of resources on behalf of the botnet controllers? I mean, how long could a DDoS attack possibly be carried on? A few hours? Maybe a day at most? I can see that, for a retailer, that sort of thing would seriously impact business, but if these sites go down for a day, does that really matter?

    In addition, implementing a DDOS probably entails some sort of risk. This could be either in terms of having individual machines identified and temporarily disabled or in terms of the risk of getting caught increasing with every illegal act that is committed (although, the risk is probably very small, it's still there).

    1. Re:Big deal? by cpq · · Score: 2, Insightful

      Doesn't that seem like a poor allocation of resources on behalf of the bot net controllers? I mean, how long could a DDOS attack possibly be carried on? A few hours? Maybe a day at most? I can see that, for a retailer, that sort of thing would seriously impact business but if these sites go down for a day, does that really matter?

      They could have it run for a month or two. With the lack of knowledge of PC users, and the mass-spreading technique, and the fact we have cable infected PCs and now have zombied Verizon FiOS machines, that's some serious bandwidth. This is just a slap on the wrists from the runners of the botnet, perhaps making a point?

    2. Re:Big deal? by arkhan_jg · · Score: 1

      Why would they stop after one day? The latest attacks have been going on for several days already. The current estimates put between 10 and 50 million computers as part of the Storm botnet. They'd need to keep rolling in new ones as they get filtered out, but just 2 million computers involved in a rolling DDoS would be a real headache, especially if they just do normal HTTP requests like a real user; most DDoS attacks only use a few tens of thousands of bots at most, though average numbers required are rising as defences improve.

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    3. Re:Big deal? by h4rm0ny · · Score: 1


      Interesting to look at it from a different perspective, however. This allocation of resources can be considered a success for these sites, of a kind, in that it's induced the botnet's controllers to direct a massive amount of firepower at something that will gain them no profit. If they weren't doing this then there would be some genuine extortion victims out there right now. This action on their part suggests that these sites are actually inflicting some pain on the botnet controllers, so it's good PR for them.

      And personally, I'm a big believer in taking this direct approach to sorting the problem out, rather than draconian legislation. Let the Internet defend itself!

      --

      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
  16. Battle of the Worms.... by CharonX · · Score: 4, Informative

    I recall reading a quite interesting article on this topic a while ago while doing research for a university seminar I had to hold.
    The big crux is that the "worm" needs to show negative behaviour, i.e. exploit its host's bandwidth and CPU cycles, at least for a while, to gain sufficient impact to "infect & patch" vulnerable machines. It would turn into a battle of the worms, where "grey" worms attempt to infect as many machines as possible, plug the security holes, seek new machines to "infect and patch" and then, after a while, self-delete themselves - while the "black" worms attempt almost the same, only that they do not self-delete but instead continue to exploit their host. Most machines that become victims of rootkits or worms are actually patched up once infected, to avoid losing the machine to competing malware.

    --
    +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
    1. Re:Battle of the Worms.... by yters · · Score: 1

      Why do the grey hat virii have to delete themselves? Since there will be many more worms and such to come, it makes sense to set up a grey hat base of ops on all the computers.

    2. Re:Battle of the Worms.... by CharonX · · Score: 1

      The reason for the necessity for self-deletion is simple:
      First, allowing the worms to run actually pushes you deeper into the "black" area - you keep using the host's bandwidth etc. even after the job is done - seeing the rapid spread of worms, most vulnerable machines should be patched up within (even pessimistically speaking) 1-2 months. Having the worm self-delete after a while, possibly displaying a little message of "Hi, you were vulnerable to lots of exploits. I have patched you and now deleted myself. Please run an up-to-date virus scanner to make sure I am gone. And please be more careful in the future, I might have been an evil worm or trojan instead." after deletion might raise user awareness. Also it reinforces the "do no evil" thought behind writing such worms.
      And secondly, having the worms stay offers no benefit. While more exploits appear on a weekly basis, there are few feasible ways for a worm to keep "up to date". Integrating the worm into a network (like the botnets) to receive updates creates the threat of exploitation - i.e. if a malicious hacker manages to compromise the C&C structure by reverse-engineering the worm he'd gain control over hundreds of thousands of machines. Setting up a web page for the worm to query for updates creates a legal problem as well as the technical one of keeping the website running. Also if the website is compromised, similar issues of hostile takeover like with the botnet loom. So there is no benefit of keeping the worm running after its job (patch the machine, "charging" the owner for this service by using his bandwidth and CPU for a while to search for additional vulnerable machines) is done.

      --
      +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
    3. Re:Battle of the Worms.... by yters · · Score: 1

      Thanks, I thought as much. Has there ever been a theoretical study done to determine if computers can be completely locked down and still usable, so there are no vulnerabilities for the malicious code? Otherwise, once the net becomes super clogged, the spam cartels may start trying to set up deals with the users for better access to their boxes in return for not screwing up their computers as badly.

  17. More than just DDoS by weierstrass · · Score: 4, Informative
    At the moment http://www.aa419.org/ gives me the main pages of my own web server on my laptop

    user@my-box:~$ host aa419.org
    aa419.org has address 127.0.0.1
    aa419.org mail is handled by 5 mail.aa419.org.
    --
    my password really is 'stinkypants'
    1. Re:More than just DDoS by cpq · · Score: 5, Informative

      user@my-box:~$ host aa419.org
      aa419.org has address 127.0.0.1

      Actually this is the SMART thing to do. If they're attacking the hostname of the website, any smart admin would change the DNS record to lower the TTL to update, and update their address to 127.0.0.1. This way the botnet boxes end up attacking themselves. I've done it before. Then once the attack is over you update your A name record to the actual IP.

    2. Re:More than just DDoS by morgan_greywolf · · Score: 1

      Probably Slashdotted. They use DynDNS for DNS:

      morgan@dagda:~$ dig aa419.org

      ; <<>> DiG 9.3.4 <<>> aa419.org
      ;; global options: printcmd
      ;; Got answer:
      ;; ->>HEADER<<-

    3. Re:More than just DDoS by Short+Circuit · · Score: 2, Funny

      I thought that webserver looked poorly configured...

    4. Re:More than just DDoS by garett_spencley · · Score: 3, Insightful

      How do you know when the attack is over if they're no longer attacking your machine thanks to the DNS record pointing to 127.0.0.1 ?

      How long do you wait ?

      I suppose you can try to identify the specific worm that's doing the attack and infect a test machine and watch it. Or if you can reverse engineer it you might be able to find out when the end date is. Beyond that you've effectively taken your entire web site / business offline for an undetermined period of time. I'm not sure it's any better than riding out the attack. The attack could stop and you wouldn't even know it.

      Plus, the minute you unplug your network cable or change your DNS records to a machine that doesn't host your web site you've just handed yourself to the attackers. Taking your business offline is *exactly* what they intended to do. And you did it for them.

    5. Re:More than just DDoS by someone1234 · · Score: 1

      Heh, what if the DDoS zombies don't use DNS?
      I would surely instruct my botnet to attack IP numbers instead of names (it is faster).

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    6. Re:More than just DDoS by timmarhy · · Score: 2, Insightful

      Taking the website off the air isn't their only objective, they are trying to cost them $ in bandwidth. Face it, once you've been targeted by a big DDoS you're screwed, all you can do is try to mitigate some of the damage.

      --
      If you mod me down, I will become more powerful than you can imagine....
    7. Re:More than just DDoS by fbartho · · Score: 2, Interesting

      yeah, but then they can just put some new IPs behind their round-robin DNS server, and retire the old ones, and your bots will never know!

      --
      Gravity Sucks
    8. Re:More than just DDoS by Gregar · · Score: 1

      What they really should be doing is change their DNS records to point to known spam/scam sites instead. That way the scammers/spammers who paid for these attacks will help clean up the internet for us! ;).

    9. Re:More than just DDoS by sglines · · Score: 1

      You could look at your name server logs. When the attack subsides so will the DNS pings.

      SG
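      A defender's version of the exchange above (cpq's 127.0.0.1 sinkhole with a lowered TTL, garett_spencley's question of how you know the flood has stopped, sglines' answer of watching the name server logs), as an added example that is not part of the thread: it buckets query-log lines for the attacked name per minute and only proposes a restore time once the rate has sat at baseline for a run of consecutive minutes reaching the end of the data, then adds the sinkhole TTL to show when the last cached 127.0.0.1 answer can have expired. The BIND-style log format, the sample traffic, the name `aa419.org`, the baseline and the thresholds are all assumptions; as someone1234 points out, bots that hit the IP directly never touch the name server, so this only measures name-based traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# BIND 9 style query-log line (format assumed for this example), e.g.
# "07-Sep-2007 12:00:01.001 client 198.51.100.7#40001: query: aa419.org IN A +"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S"


def parse_query_log(lines, qname):
    """Return (minute, client_ip) pairs for queries naming `qname`, any qtype."""
    want = qname.lower().rstrip(".")
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("qname").lower().rstrip(".") != want:
            continue
        minute = datetime.strptime(m.group("ts"), TS_FMT).replace(second=0)
        events.append((minute, m.group("ip")))
    return events


def per_minute(events):
    """Map every minute from first to last query to (queries, distinct clients).

    Minutes with no queries are filled in as (0, 0): a silent minute is the
    signal we are waiting for, so it must not vanish from the series.
    """
    counts, clients = defaultdict(int), defaultdict(set)
    for minute, ip in events:
        counts[minute] += 1
        clients[minute].add(ip)
    if not counts:
        return {}
    series, t, last = {}, min(counts), max(counts)
    while t <= last:
        series[t] = (counts.get(t, 0), len(clients.get(t, ())))
        t += timedelta(minutes=1)
    return series


def quiet_since(series, baseline, quiet_minutes):
    """Start of the closing run of minutes at or below `baseline` queries/minute,
    provided it is at least `quiet_minutes` long; None otherwise.

    Only the run that reaches the end of the data counts, so a lull in the
    middle of the flood does not trigger a premature restore.
    """
    run_start, run_len = None, 0
    for minute in sorted(series):
        if series[minute][0] <= baseline:
            run_start = run_start or minute
            run_len += 1
        else:
            run_start, run_len = None, 0
    return run_start if run_start is not None and run_len >= quiet_minutes else None


def restore_window(quiet_start, quiet_minutes, sinkhole_ttl_seconds):
    """(when to flip the A record back, when resolvers can have dropped the
    cached 127.0.0.1 answer). The second bound is why the TTL is lowered first."""
    flip_at = quiet_start + timedelta(minutes=quiet_minutes)
    return flip_at, flip_at + timedelta(seconds=sinkhole_ttl_seconds)


def build_sample_log():
    """Constructed sample: a flood from many distinct clients that tails off,
    then a couple of ordinary lookups per minute, plus one unrelated MX query."""
    base = datetime(2007, 9, 7, 12, 0, 0)
    profile = [40, 40, 38, 25, 12, 6, 2, 1, 2, 1, 1, 2]  # queries per minute
    lines = []
    for minute, n in enumerate(profile):
        for i in range(n):
            ts = base + timedelta(minutes=minute, seconds=i)
            ip = f"198.51.100.{(minute * 40 + i) % 254 + 1}"  # distinct within a minute
            lines.append(f"{ts.strftime(TS_FMT)}.001 client {ip}#40001: query: aa419.org IN A +")
    lines.append(f"{base.strftime(TS_FMT)}.500 client 203.0.113.9#5353: query: mail.aa419.org IN MX +")
    return lines


if __name__ == "__main__":
    series = per_minute(parse_query_log(build_sample_log(), "aa419.org"))
    for minute, (q, distinct) in series.items():
        print(f"{minute:%H:%M}  {q:3d} queries  {distinct:3d} distinct clients")
    start = quiet_since(series, baseline=3, quiet_minutes=5)
    if start is None:
        print("still under load; keep the sinkhole record in place")
    else:
        flip, clear = restore_window(start, 5, 300)
        print(f"quiet since {start:%H:%M}; flip the record back at {flip:%H:%M}, "
              f"caches clear of 127.0.0.1 by {clear:%H:%M}")
```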

  18. How do you explain this to the average joe? by mark-t · · Score: 4, Interesting

    I told my oldest son about this botnet yesterday, mentioning that with between 2 million and 20 million CPUs working at any one time, and even that larger figure likely representing only a fraction of the botnet's total capacity, it collectively represented the most powerful supercomputer ever built... and it was effectively under the control of a small group of people with criminal intent - the author, or authors, of the worm. My son responded to me with a great deal of scepticism, first saying that none of these security experts who have made this analysis have any way to estimate what sort of computing power military organizations might have, so saying that it represented the most powerful supercomputer ever was actually a completely meaningless claim, and also, he proclaimed that the story was most probably just hype and over-exaggerated. He said that the claim of the most powerful supercomputer ever being controlled by criminals was simply too much to be believable, like the headlines one might see on the front page of the Weekly World News tabloid. He also said that it was ludicrous to see how sending people "penis extension ads" (which is about all he figures a botnet can do) can actually seriously harm anything or anyone.

    So this got me to wondering... how much of this actually _is_ something that is of any real concern, and if it really is, how could it be explained to people in such a way that it's not going to sound like some claim from a conspiracy theorist?

    1. Re:How do you explain this to the average joe? by DavidTC · · Score: 1

      Your son is an idiot.

      Yes, the supercomputer they have control of is only the most powerful known computer, but it's unlikely that, barring national government involvement, there are any others, and considering the amount of power they would draw, they'd need some sort of secret power source, too.

      But arguing about the difference between 'most powerful known' and 'most powerful' is idiotic. I'm sorry, everyone knows what people are talking about.

      Secondly, they clearly can do serious harm to the internet and any machine on it. Whether or not any specific attack would harm any people is unknowable, but they can, right now, take any company or person they want offline and keep them there.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    2. Re:How do you explain this to the average joe? by garompeta · · Score: 1

      Simple: 1) by saying that you have facts 2) by reminding him you are an expert in computers and programming 3) by showing to him a sample of what a "good" trojan can do in his laptop. (good: AV stealthy, rootkit, proxy http/socks, bot, keylogger, distributed computing capabilities, rat, rat with gui, shell, at least) 4) fry his computer, steal all his logins. 5) When you see him crying telling him, "I told you so".

    3. Re:How do you explain this to the average joe? by mark-t · · Score: 1

      Er... is there any alternative to options 3, 4, and 5? I'd rather not cause any real damage. I helped raise him to be skeptical of exaggerated claims, and I understand where this is coming from, and I don't even really care whether he believes the story or not, personally... although I admit that I found it bothersome that the fact that I know a thing or two about computers wasn't duly considered in his assessment.

    4. Re:How do you explain this to the average joe? by Anonymous Coward · · Score: 0

      Whether or not any specific attack would harm any people is unknowable, but they can, right now, take any company or person they want offline and keep them there.

      I think the GP's point is that if "the most powerful supercomputer in the world" is capable of no more than sending a lot of email or interrupting some organization's internet access, is it really that "powerful"?

      I mean, don't we usually measure the "power" of supercomputers in terms of their compute power? How quickly can the botnet render "Toy Story"? How many SETI@home blocks? Can it do weather modeling? Atomic bomb modeling?

      Flooding the internet just doesn't seem like a particularly good demonstration of supercomputing power. Nor do I think the average Joe, who's own internet connection goes down periodically, for inexplicable reasons, sometimes for hours, if not days, will be especially impressed with taking "any company or person offline."

    5. Re:How do you explain this to the average joe? by garompeta · · Score: 1

      hey that was fast! Of course there is an alternative. I was just joking, but actually thinking of it... it could work! It depends how naive your son is; the more he is, the easier to stage the show. If he doesn't have the slightest idea about trojans and RATs, why don't you get a few well-known ones, and show him what someone can do in his machine? (without destroying anything) The more impressionable he is, the more "aware" he will be of the potential threats he had been ignoring. Since news articles can "feel" easily hyped, why don't you show him technical papers (this gives more credibility in my opinion) and research about real cases and real methods. An interesting case can be found on GRC.com, where Gibson explains in enough detail how he was DDoSed and how he tracked the attacker back. To make him more security conscious with the real shit, get him the book series "Stealing the Network"; those stories are well written by real hackers in very, very possible scenarios with real methodologies and accessible, well-known tools.

    6. Re:How do you explain this to the average joe? by garompeta · · Score: 5, Insightful
      You are underestimating how valuable and powerful distributed computing is, my friend.
      It has been used for distributed MD5 crackers, collisions in SHA-1, and the search for extraterrestrial life... (eer... yeah)
      Having a gigantic botnet of at least 100,000 computers to unimaginable millions of infected computers that we're probably ignoring or are unable to detect gives a tremendous asset to a malicious hacker.

      It is a very fat milking cow:

      1) Crack passwords that are not considered crackable in a reasonable amount of time
      2) Botnets to attack whoever he wants (at a reasonable price or for a reasonable cause)
      3) Millions of passwords, logins, accounts, PayPal, Amazon, credit card, identity, whatever, stolen.
      4) Millions of proxies to hop on and chain, hiding the source of a real meticulous attack.
      5) Millions of illegal distributed servers to host illegal materials (eg: virii, worms, child pornography)

      Etc...

    7. Re:How do you explain this to the average joe? by mark-t · · Score: 1

      I think what he finds incredible is how 'science-fiction' it sounds.... 20 million computers all being infected by a single virus... all potentially dedicatable towards a single distributed goal... sort of reminiscent of T3, perhaps.

    8. Re:How do you explain this to the average joe? by Anonymous Coward · · Score: 0

      Well, it's clear that your son has very limited analytical expertise (some blame the teachers, I actually blame the parents). If he's five it's ok, if he's fifteen, oh dear...

    9. Re:How do you explain this to the average joe? by garompeta · · Score: 1
      Then, don't you find my advice suitable for giving him a reality check?

      Give him the real thing, show him how a real trojan works and some technical papers.
      Why don't you show him the whole process? Get an unpatched (SP1) Windows XP (download it), and do a complete "hacking" job, exploiting DCOM RPC, uploading a backdoor, executing it, getting GUI control remotely and finally loading the keylogging module of the trojan?

      It is not hard to do, it will look impressive ("oh, my god he is using the console, he is a hacker") and the exploits available are very stable and sophisticated.

      You can even change the console to "color 0a" to make it look "cooler" =P (Oh my god, my dad is a über-hacker!)

      If it is hard for you to perform such a show, just give him what I told you, real cases, technical papers or from trusted sources. That looks more objective than the "news media". And as I told you before there is a case on grc.com; GO TO THE SITE and click the DRDoS note.
      If he has some brain, I think he will get it.

    10. Re:How do you explain this to the average joe? by LordSnooty · · Score: 1

      Just demonstrate that several unconnected sites that cover anti-scamming are down, and one site with 46k hits on Google is resolving to localhost. That ought to show what damage botnets can do. It cannot be a coincidence.

    11. Re:How do you explain this to the average joe? by Anonymous Coward · · Score: 0

      I predict that distributed malware is going to morph in some truly interesting (and scary) ways over the next few years. This spam and DDoS stuff has only been a warm up for the main act.

      Think of the absolute worst things that various extremist groups might want to do with a few weeks or months worth of supercomputing resources ... don't be afraid to *really* use your imagination on this one ... then realize that these resources are up for sale to the highest bidder.

    12. Re:How do you explain this to the average joe? by Anonymous Coward · · Score: 0

      Don't know how old your son is, but it's their lot to be skeptical and dismissive of warnings that come from their parents, and he's part right.

      First, the figure is closer to 20 million CPUs, and that's just for Storm. All the botnets all put together are probably around 60 million CPUs. I work in the security industry and deal with the spam that the botnets send out, so your son can read that as a) me hyping the industry's necessity, despite me not even naming a vendor, or b) that I actually see the traffic stats and know what I'm talking about.

      However, these CPUs are not all online at the same time, I/O latencies just suck, and the kind of tasks that would benefit from a truly massive supercomputer running isolated distributed tasks just aren't all that profitable right now, and that's what drives the existence of the botnets in the first place. So while he's not completely correct that they're only good for spam (extortion of online casinos under threat of DDoS attacks is a working business model for them too), it's just their brute force that's available.

      For now. You might want to tell your kid to work out the future implications in his head without insinuating them directly. It'll probably come out to something scarier than spam, but less than skynet.

    13. Re:How do you explain this to the average joe? by RAMMS+EIN · · Score: 4, Insightful

      ``So this got me to wondering... how much of this actually _is_ something that is of any real concern, and if it really is, how could it be explained to people in such a way that it's not going to sound like some claim from a conspiracy theorist?''

      A few days ago, I figured that the great difficulty in explaining this to people who don't know already is that, in the Real World, preposterous conspiracy theories are often false. In fact, much more innocuous ones usually are, too. This is something I figured while actually taking some time away from computer security and traveling through the Real World. In the Real World, you can leave your expensive laptop in your unlocked yacht in an unguarded marina, and then leave thousands of dollars worth of electronics equipment in a restaurant to recharge overnight, and none of it will get stolen.

      On the Internet, if your computer is reachable, it will be attacked in a matter of minutes. Any hole that is found in the software you run is likely to get exploited. Most of the email you get is spam sent by exploited Windows machines people have at home. Corporations are watching you, some with orders from the government. You can legitimately wonder _who_ controls your computer. It's not really an exaggeration to say that everything that can go wrong not only will, but has.

      It only starts to get _really_ scary when you consider how much of the Real World is actually dependent on computers these days...

      --
      Please correct me if I got my facts wrong.
    14. Re:How do you explain this to the average joe? by Anonymous Coward · · Score: 0

      The plural of virus is viruses. I thought that by now every Slashdot reader knew this.

    15. Re:How do you explain this to the average joe? by Krishnoid · · Score: 1
      In the Real World, you can leave your expensive laptop in your unlocked yacht in an unguarded marina, and then leave thousands of dollars worth of electronics equipment in a restaurant to recharge overnight, and none of it will get stolen.

      In which country/ies? I'll bet people can name countries where your stuff is guaranteed to get stolen in those situations. Heck, I had my sneakers stolen once from a common area -- after being warned by the people I was with that yes, they pretty much were guaranteed to be stolen.

    16. Re:How do you explain this to the average joe? by garompeta · · Score: 1

      It is jargon, not proper grammar. I thought that by now every Slashdot reader knew this.

    17. Re:How do you explain this to the average joe? by qzulla · · Score: 1

      http://www.top500.org/list/2007/06/100

      They may not be .mil sites, but I'm sure they do work for them.

      qz

    18. Re:How do you explain this to the average joe? by Anonymous Coward · · Score: 0

      Have him play Uplink. Remind him that the game was written in 2001. Ask him to compare and contrast the elements of gameplay with reality. The game is a great layman's intro to the concepts of onion routing and darknets, and the storyline involves something that's eerily similar to the Storm botnet.

    19. Re:How do you explain this to the average joe? by sjames · · Score: 1

      Tell him it is orders of magnitude larger than the number 1 supercomputer on top500.org. Unfortunately, DDoS and spamming are both embarrassingly parallel.

      The rest is simple. Have him imagine receiving 2 million emails every minute (very conservatively each machine can crank out 1 per minute). Point out that that's well over 200Mbps (assuming 1K per email) just in spam and that most servers are on fast ethernet. That scenario assumes no capability other than sending email. Naturally if the count is 20 million, multiply the resultant load by 10.

  19. fallacious statement by mr100percent · · Score: 1

    Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working.

    By that logic, does all the hate mail Fred Phelps gets mean that he's on the right track?
    Does it mean that all those protesting Bush's speeches validate his argument?
    Odd way for the author to phrase it. I don't think there's a cause and effect here. They might be publicly opposed to the spamming and phishing scams, but the fact that they're getting attacked doesn't necessarily mean they're making more than a dent in it.

    1. Re:fallacious statement by AaxelB · · Score: 1

      fallacious statement
      Sorry, offtopic, but I remember once in early high school I was trying to figure out what "fallacious" meant, and was trying to break it down to its roots (I know too few roots for that really to be useful) and looking for words that sound similar to see if that gave some hint. The only word I came up with was "fellatio," and as you might guess, that gave me an odd perspective.

      Now, whenever anyone uses "fallacious," my first response is as if it were "fellatious."

      I wonder what a fellatious statement would be...
    2. Re:fallacious statement by Angostura · · Score: 1
      Nope, you've got yourself into a logical twist.

      By that logic, does all the hate mail Fred Phelps get mean that he's on the right track?

      It's a poor analogy. It wouldn't be someone sending hate mail to Fred Phelps. It would be someone putting up posters about the problems with Fred Phelps, and then Phelps setting out to kill the Poster-makers.

      Does it mean that all those protesting Bush's speeches validate his argument?
      Wrong analogy again. A correct analogy would be if those protesting against Bush's speeches caused a massive decline in support for Bush and he moved to outlaw protest. It has nothing to do with validating his argument.

      Hope that helps.
    3. Re:fallacious statement by silent_artichoke · · Score: 1

      Fellacious statements suck!

    4. Re:fallacious statement by Anonymous Coward · · Score: 0

      Someday, you will father my child.

    5. Re:fallacious statement by capnkr · · Score: 1

      "Odd way for the author to phrase it. I don't think there's a cause and effect here." - mr100percent

      So if the scammers, whatever their ilk, didn't do (or pay to have done) this DDoS attack by the biggest botnet in existence, then... Who Did?
      And... Why?

      The stated goal of a scambaiter is not just to get some sort of a prize from the scammer, it is primarily
      to deprive the scammer of time and resources they could/would otherwise spend on victims (source: 419eater.com).

      Since the scammers had to spend *something* on this attack, that same "something" cannot be spent scamming victims.

      Mission Accomplished. And a great example of Cause and Effect. Though perhaps a bit more effect than anticipated. :) BTW, the 'eater has been the victim of DDOS'es before this one, though this might be the biggest such attack to date; they recovered quicker before, and IIRC there weren't as many other sites taken down simultaneously. To me, this big an effort on the part of the scammers shows that the 'eater and other such sites are very much a thorn in the side of the scammers.

      Even if this is solely an action by the controllers of the Storm botnet to publicly 'flex their muscles', it is keeping "Storm" (or part of it, at least) busy and away from 'innocents/ignorants', and that fits right into the goals of the anti-scammer sites as well...

      Of course, YMMV.

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    6. Re:fallacious statement by Anonymous Coward · · Score: 0

      Perhaps it's more like a horse swatting at flies. The fact that the horse spends time and energy trying to destroy them is ergo proof that the flies are having an effect on hurting the horse?

    7. Re:fallacious statement by mr100percent · · Score: 1

      I didn't say that the scammers weren't the ones responsible for the DDOS attack, and they're likely the culprits.

      I meant that swatting at a gadfly doesn't necessarily mean the gadfly is really successful at hurting their target. Could we see some evidence that the number of scams is going down, or that 419eater.com is causing a remarkable drop? The fact that they're DDoSed doesn't mean that they're anything more than a nuisance, maybe the perpetrators are going for a symbolic strike against a weak opponent for all we know.

    8. Re:fallacious statement by capnkr · · Score: 1

      Mr100, I don't think that what you are proposing is really that logical at all, and I think the evidence you are asking for is staring you in the face. :)

      Why? Because they're scammers, they could probably care less about 'eater and other sites *just as long as their revenues stay up, or increase*. These scammers will take incredible punishment to their pride if they think there is a chance they'll get money by doing so. Look at some of the reverse scams that have been pulled by 'baiters when the site(s) come back up, and you'll see solid evidence of just how true this is.

      They're ONLY in it for the money, their is no "higher purpose" to the scams they pull. They don't care about 'face', or pride, or anything except getting the vics money as fast and as much as they can. Trust me - I've baited, and I've seen and played upon the scammers greed myself. It is extremely evident.

      Therefore, to me at least, it follows that they would only devote resources to doing something like this to the 'eater and others if those websites and what they do have been in some way an interruption to their revenue stream.

      As before, YMMV. Have a good weekend!

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    9. Re:fallacious statement by nailBnny · · Score: 1

      My, my my... Aren't we the Cunning Linguist.

    10. Re:fallacious statement by Anonymous Coward · · Score: 0

      Pretend I go out on the street and say "Everyone! We have to stop Bush!" If someone on the street gets tired and knocks me down, does that mean my efforts were clearly working? Thus the fallacy.

      I think that's what the grandparent post meant.

  20. Bandwidth... by Anonymous Coward · · Score: 0

    Assuming you run a DDOS attack with 100'000 clients and 100kbit/s upstream per client you end up with ~9700mbit/s. _Most_ sites don't have so much bandwidth and if they do, it costs a lot of cash. The botnet is most likely even bigger and can assign more clients to the attack. So NO, getting a bigger pipe is not gonna work for them... One way to solve this problem is making the ISP disconnect the infected clients or block them at the edge of the originating network.

  21. Worm / hacker / cracker by wantedman · · Score: 1

    Actually, the entire virus / worm / trojan definition is pretty muddled.

    AFAIK, Worm meant it propagated by the Internet. Trojan horse was something that was an undesirable feature in a software package and did not propagate on its own. Virus attached itself to different software packages by itself, unlike a trojan horse, and it relied on piracy to spread. And since the sneaker net was way more prevalent than the Internet, making the virus the most common in early computing, virus came to refer to all 3.

    Self-emailing malware share more features with worms than trojans, so they're more often classified as worms, although there is a move to reclassify them as trojans.

    All anti-virus programs detect and fix it, and there are also stand alone fixes available. Clicky. The problem is all the unpatched boxes.

    1. Re:Worm / hacker / cracker by Anonymous Coward · · Score: 1, Informative

      > AFAIK, Worm meant it propagated by the Internet.

      Worm meant it was a separate executable, and virus meant it needed attaching to a host file. Viruses in the classic sense are virtually non-existent, but "virus" is still used pretty loosely as a term for malware in the AV industry. But in IDS and network-facing areas, "worm" is the usual term.

      I work for Symantec, that's the terms they use. BTW, absolutely no one there says "virii".

  22. TheScamBaiter is still up by Anonymous Coward · · Score: 0

    TheScamBaiter.com has been under attack for several days too, but has stayed up so far.

  23. Re:Going to need a bot-net to take out the bot-net by gbjbaanb · · Score: 1

    Maybe BlueSecurity will resurrect Bluefrog now that it's been shown that the spammers will go after you regardless. It is good to know the anti-spam crowd is having an effect though, once the botnet is patched into obscurity, we can get back to normality.

  24. Solution by JamesRose · · Score: 1, Redundant

    Right a piece of code that detects if the storm bot virii are present, then have it format the hard drive. If their computer is putting other computers with real work to do in danger they should be deleted until the administrator learns to use it. Seems harsh but trying to fix a computer that's already infected is almost impossible to do, as they keep changing the virii, so carpet bomb it.

    1. Re:Solution by Anonymous Coward · · Score: 0

      "Write..."

      English.

    2. Re:Solution by JamesRose · · Score: 1

      I know, I'm sorry, I have no idea how I mucked that up, I only noticed after i posted.

    3. Re:Solution by nyctopterus · · Score: 1

      Brilliant! And let's bomb all the major cities in the world because they have criminal elements operating out of them.

    4. Re:Solution by mike2R · · Score: 1

      Well there is a small difference between figuratively carpet bombing, in the sense of wiping people's hard drives, and actually carpet bombing in the sense of levelling cities with high explosive. No one gets killed in the former method to start with... Well ok probably no-one gets killed unless it shuts down a hospital with a crap computer setup or something...

      Yeah ok it's not a good idea, but you have to admit it has a certain appeal in terms of getting people to actually give a shit about their computers.

      --
      This sig all sigs devours
  25. Possible solution: treat computers like a car by Swavek · · Score: 2, Insightful

    Didn't some internet provider at one time threaten or attempt to disconnect customers whose computers were suspected to have spyware or a virus infection? I think more internet providers (errr.. high speed internet providers) should take charge and disconnect computers that are (or might be) part of a large botnet. This brings me to the point that like most people don't have a clue how a car functions under the hood, most people also don't know how a computer functions inside its case. So ignorance should not be an excuse for having a computer that's infected with every virus or malware under the sun which is connected to the internet. If a person had a car that kept causing problems on the road then it would eventually find itself towed away or shoved off the road (much like a computer might be forcefully disconnected from its internet provider).
    Much like the local police or the local transportation dept. might maintain roads and highways, so should the super information highway be maintained by internet providers and various security experts. Ignorance cannot be an excuse! It certainly doesn't work when you're being arrested for vehicular manslaughter. "But officer, I didn't see that old lady crossing the road..."

    1. Re:Possible solution: treat computers like a car by wubboy · · Score: 2, Insightful

      Something like, if os = Windows then deny?

      --
      Sit... Speak.... Shake.... Good Dog!
    2. Re:Possible solution: treat computers like a car by pokerdad · · Score: 2, Insightful

      Didn't some internet provider at one time threaten or attempt to disconnect customers whose computer were suspected to have spyware or a virus infection?

      Virtually all ISPs do this, it's just that what they count as "suspected to have spyware or a virus infection" is pretty lax. Usually the only thing that counts is sending out more than x many emails in a certain time frame. Of course, I would rather have them be lax than be intruding into my system.

    3. Re:Possible solution: treat computers like a car by jamar0303 · · Score: 1

      YES, that's exactly what we need. If people would only actually give a damn about their security, there would be no such incidents. Support the use of OS X on PCs if you're not into the Linux thing, because Windows is proven to be insecure (I only use XP because I haven't installed my patched copy of OS X on it yet).

      --
      OSx86 FTW
    4. Re:Possible solution: treat computers like a car by Anonymous Coward · · Score: 2, Interesting

      Where I work (local WISP, over 4000 subscribers and growing!), we block nothing to or from a customer's PC (or PCs) unless it trips our antivirus or antispam system with a known signature. We do not do heuristic scanning, so we don't get false positives from malformed data or "something close".

      We also have intrusion protection at all of our border routers, that scans incoming and outgoing traffic. Our traffic wipes its feet before going out to the internet, if you know what I mean.

      We also have a service plan for customers that covers all labor for anything they need done to their computer systems. So, if we detect that they are sending out viruses or spam (or both), we give them a call, pick up their PC, clean it, and return it to them at no additional charge.

      The benefits of this program have been measured in lower support calls from customers, a cleaner internal network, more bandwidth available to everyone, and customers who no longer have to spend hundreds of dollars at a brick and mortar computer store to have their systems cleaned up and repaired. We are proactive in protecting the rest of the internet from whatever someone brought home from work (or any other network) on a laptop.

      It's a hell of a lot of work, and a lot of money invested in hardware based IPS/Anti-SPAM/Anti-virus detection and prevention. But, it's an end-to-end service that rivals no other ISP that I know of.

      We advertise by word of mouth, BTW, and will break 5000 customers by summer of next year. People on our system love this stuff!

    5. Re:Possible solution: treat computers like a car by cpq · · Score: 1

      Packet shaping + Disconnection from the network with a generic catch-all DNS redirect to a page with the virus cleaner would work quite well on mitigating the attack from the ISP's side. But what do they care, it's just their bandwidth :)

    6. Re:Possible solution: treat computers like a car by mike2R · · Score: 1

      Comcast back in 2004 did some selective blocking of port 25. Could have been a coincidence but a heavy (about 100MB an hour) dictionary spam run at our company domain cut off at around that time IIRC.

      --
      This sig all sigs devours
  26. Almost by Xenographic · · Score: 3, Informative

    * A worm infects without user intervention (e.g. SQL Slammer, which *was* a worm).
    * A trojan is a hidden "feature" of some otherwise legitimate software.
    * A virus is a program that attaches itself to other files.
    * A backdoor gives someone remote control of the machine.
    * A botnet is an advanced backdoor where one can control many machines at once, e.g. from an IRC channel. PCs infected by completely different malware can all join the same person's botnet. Conversely, PCs infected by customized versions of the same malware can join different botnets.

    The problem is that the media doesn't understand ANY of this and that the categories aren't all mutually exclusive. This is a trojan & backdoor that spreads via dumb users executing attachments they shouldn't.

    1. Re:Almost by mashade · · Score: 1

      Almost ;)

      From what I've seen, this trojan isn't even spread as an attachment. It's simply a link within an email, spoofed to some credible URL. You click it, and a download begins under the facade of an 'authentication program'.

      --
      Technology tips and tricks.
    2. Re:Almost by antdude · · Score: 1

      What about malware? What do you call a general one? Infection?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    3. Re:Almost by Watson+Ladd · · Score: 1

      I thought trojans came in through the front gates?

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
    4. Re:Almost by jimicus · · Score: 1

      The problem is that the media doesn't understand ANY of this and that the categories aren't all mutually exclusive. This is a trojan & backdoor that spreads via dumb users executing attachments they shouldn't.

      If a company sells a hairdryer which, under some circumstances, will explode without warning as an intended part of the design, is the user dumb for buying it or is the manufacturer dumb for selling it? What if there's only one company which makes 90% of the worlds hairdryers?

      Perhaps allowing executables to go through email was a bad idea in the first place...

    5. Re:Almost by Anonymous Coward · · Score: 0

      No, it is a perfectly fine idea. Email sends data. Executables are data. If you don't trust the sender, you shouldn't trust the data, ergo you shouldn't run the executable.

      Your analogy misses one point, so I'll extend it for you. The Acme Hairdryer Co. sells you a hairdryer. Then you see some guy in a trenchcoat (no offence to those in trenchcoats, I personally like them) who says to you "hey, if you put this in your hairdryer before using it, it will make your hair smooth and shiny (ooohhh shiny...)."

      NOW who's at fault when your hairdryer explodes? YOU because you were the moron who listened to some shady character telling you to put a vial of Acetone in your hairdryer.

  27. Re:interesting by Anonymous Coward · · Score: 3, Funny

    >>>> REPOST THIS IF U HATE ABORTION

    I do, usually. But in your case the post-natal variety seems fitting.

  28. The choice of targets is significant in itself by The+Mutant · · Score: 1

    I mean, don't they have better things to do with these resources? Seems like the choice of targets tells us a lot about the opportunities - or perhaps lack of opportunities - that this resource (i.e., the Storm botnet) can be put to.

    I mean, why not use it to make money? Attacking these sites ain't gonna directly generate any revenue. And one must consider such a resource as having a time value; what is the half life of a bot net anyhow? Is this one, given its size, likely to be significantly different?

    Sure, these scams are easier to pull off if people are uninformed. But how many of the people who are likely to get involved in such scams, upon receipt of these emails, will google first?

    1. Re:The choice of targets is significant in itself by Anonymous Coward · · Score: 0

      For all we know this is a distraction while the owner is tunnelling through a bunch of boxes and hacking his way into some financial records or other sensitive data.

  29. 127.0.0.1'd by cpq · · Score: 2, Informative

    Some of the sites are using DNS records to point back to 127.0.0.1 and lowering their TTL so the botnet machines attack themselves. Easy way to defend (in some way) a DDoS. Don't count on the site(s) being up until the owners are sure more bandwidth / CPU cycles won't be wasted.
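    The loopback trick above only works as fast as the bots' cached DNS answers expire, so the TTL has to be lowered well before the record is flipped. The simulation below is an added example, not code from the thread or from any of the sites named: it assumes bots resolve the hostname through a TTL-honouring resolver (a bot with a hard-coded IP is unaffected), uses a constructed documentation address for the site, and compares flipping the record while the old one-hour TTL is still in force against flipping it after the TTL was already cut to 60 seconds.

```python
"""Simulation of the "point the A record at 127.0.0.1" defence.

Constructed example, not code from the original thread. Each simulated bot
caches the target hostname's A record until its TTL expires; the operator
edits the zone at given seconds. Shows why the TTL must be lowered *before*
the record is switched to loopback.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOOPBACK = "127.0.0.1"
REAL_ADDRESS = "203.0.113.10"  # constructed documentation address for the site


@dataclass
class ZoneRecord:
    address: str
    ttl: int  # seconds the answer may be cached


@dataclass
class Bot:
    """A bot that re-resolves only once its cached answer has expired."""
    cached: str = ""
    expires_at: int = -1

    def resolve(self, zone: ZoneRecord, now: int) -> str:
        if now >= self.expires_at:  # cache miss: ask the authoritative zone
            self.cached = zone.address
            self.expires_at = now + zone.ttl
        return self.cached


def simulate(zone_edits: List[Tuple[int, ZoneRecord]], n_bots: int = 1000,
             duration: int = 800, stagger: int = 300) -> Dict[int, int]:
    """Return {second: number of bots still hitting the real address}.

    zone_edits: (second, record) pairs; the first must be at second 0.
    Bot i joins the attack at second i % stagger, so the caches do not all
    expire in lock-step.
    """
    assert zone_edits and zone_edits[0][0] == 0, "zone must exist at t=0"
    edits = dict(zone_edits)
    bots = [Bot() for _ in range(n_bots)]
    zone = edits[0]
    hits_per_second: Dict[int, int] = {}
    for now in range(duration):
        zone = edits.get(now, zone)  # apply any edit scheduled for this second
        hits = 0
        for i, bot in enumerate(bots):
            if now < i % stagger:
                continue  # this bot has not joined the attack yet
            if bot.resolve(zone, now) != LOOPBACK:
                hits += 1
        hits_per_second[now] = hits
    return hits_per_second


def first_quiet_second(hits: Dict[int, int]) -> Optional[int]:
    """First second in which no bot reaches the real address, or None."""
    for t in sorted(hits):
        if hits[t] == 0:
            return t
    return None


# Scenario 1: the record is flipped at t=600 while the cached TTL is an hour.
NAIVE = [(0, ZoneRecord(REAL_ADDRESS, 3600)), (600, ZoneRecord(LOOPBACK, 60))]
# Scenario 2: the TTL was lowered to 60 s at t=0, then flipped at t=600.
PREPARED = [(0, ZoneRecord(REAL_ADDRESS, 60)), (600, ZoneRecord(LOOPBACK, 60))]


def compare() -> Tuple[Optional[int], Optional[int]]:
    """Second at which each scenario stops receiving bot traffic."""
    return (first_quiet_second(simulate(NAIVE)),
            first_quiet_second(simulate(PREPARED)))


if __name__ == "__main__":
    naive, prepared = compare()
    print("flip without lowering TTL first: quiet at", naive)     # None
    print("TTL lowered ahead of the flip:   quiet at", prepared)  # 659
```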

  30. It might be a demonstration/test by quanticle · · Score: 2, Insightful

    It might be a test or demonstration of the botnet. Like any weapon it needs to be test fired before actual use. The persons controlling this might be trying to kill two birds with one stone - test the botnet, and knock those who taunt you off the air.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  31. size by Johnny+Mnemonic · · Score: 1, Interesting

    Is the size of the the Storm network large enough to hold a really big player hostage? Could they eg DDoS Microsoft's update portal? Or Google's homepage? either for ransom or without?

    Could they cripple other internet backbone infrastructure stuff, and thereby hold the nation's entire computer infrastructure hostage?
    As TFA mentions, a DDoS attack is more expensive for the customer of the botnetters, and is easier to detect and stop at the ISP level, so I wonder if those attacks are really feasible, or if it'd just mean that everyone that's infected loses internet access until they get cleaned up. Which might not be such a bad thing.

    But, in short, is the Storm Botnet an actual national security threat? Could a foreign power commission it to do the US computing infrastructure grievous harm; but could it be stopped if the DHS etc took protective action at the ISP level?

    --
    $tar -xvf .sig.tar
    1. Re:size by Anonymous Coward · · Score: 0

      The sad truth is that we just don't know. There's never been anything this big before.

      Makes me wish I was a bit more underground. I'd give almost anything to get in on this. I know exactly what I'd like to make it do. I want to pick a large region with crappy bandwidth, like, say, the entire African continent, and blow them off the internet for a few days. Just to see what would happen.

      Hmmm. I need to get me some criminal contacts.

    2. Re:size by maztuhblastah · · Score: 4, Insightful

      if the DHS etc took protective action at the ISP level?

      Oh please god.... no....

      Think of what you're saying! The same group of people who color-code our paranoia, who decide that water bottles are dangerous, and who advise us to purchase duct tape... you want to turn to them for help securing the Internet? Do you have any idea how painful that would be?

      No -- the responsibility here lies with the users and (to some extent) the carriers. If the user's machines are infected, disconnect them. If the carriers detect a large, coordinated traffic pattern, investigate -- and if it's a DDOS attack, block it at the firewall level (before the traffic leaves your network segments.)
  32. Slashdotted (*blush*) by Torodung · · Score: 1

    Sorry guys, we know you're suffering a DDoS attack right now, but we just thought we'd publish links to your sites on Slashdot to compound the issue. Think of it as an experiment to see what effect a massive storm of legitimate traffic will have on an ongoing DDoS attack.

    What? Your data center is a molten slag?! Eureka! We'll stop by with marshmallows and weenies.

    This is one case where publishing the hyperlinks might have been a bad idea. I wonder how many people are hitting their refresh buttons right now. ;^)

    --
    Toro

  33. Free Software Solution. by Erris · · Score: 1

    The defang you are looking for has been provided by the free software community. Unlike the worms themselves, user and vendor action are required for this to work and it's completely legal. Vendor support is growing every day because everyone now realizes the root cause is a costly software monoculture. IBM, HP and Dell now all sell GNU/Linux to desktop users. With a little bit of advertising the problem will go away soon.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:Free Software Solution. by Anonymous Coward · · Score: 0

      Amen!

      Glad to know my efforts on aa419.org weren't in vain. Just like with bluefrog.

      It's funny that there are so many obviously working solutions to this problem but none of the big players dare to challenge the dark side and step up to the plate. And it really should be Microsoft, since it's who we have to thank for this mess to begin with...

  34. This is not proof by Rich+Klein · · Score: 2, Insightful

    "I think it shows without a doubt that their efforts to 'get back' at the scammers are working."

    I'd like to agree with you, but it makes about as much sense as saying that increased violence in Iraq is proof that the US has terrorists on the run.

    The scam-baiters may be doing a lot of good, but DDoS attacks against them aren't proof of it.

    --
    -Rich
  35. testing for Storm by phrostie · · Score: 1

    Is there a way for people who might be part of the botnet to test or check whether they have it?

    Rather than going on about what it is doing, how about we spread the word on how to stop it one computer at a time.

    1. Re:testing for Storm by killerkalamari · · Score: 1

      Several antivirus programs (including some free antivirus programs) detect Storm. See: http://en.wikipedia.org/wiki/Storm_Worm#Feedback

      My first thought was that Windows Update should detect/remove these botnet trojans.. but then I realized that those infected probably don't keep their computer updated, use antivirus software, firewalls, etc.

      So, the same people seem to be messing things up for everyone, over and over again. Perhaps eventually someone will introduce a new trojan (or heck, even a variation on this Storm "worm", since it seems to work just fine), that spreads around and infects like this for a while. Then after infections slow (or the news starts picking up on it and it makes Slashdot, etc), the owner tells all the infected computers to die. If the drive was just wiped, then it would be too easy just to reinstall Windows. I wonder if there is a collection of routines to corrupt BIOSes (preferably with a message explaining what happened to their computer). This should be harder (but not impossible) to fix, and perhaps these people can be properly educated.

      Of course, maybe they are too stupid to be properly educated. Then what?

    2. Re:testing for Storm by Technician · · Score: 1

      Is there a way for people who might be part of the botnet to test or check whether they have it?

      Shut down your e-mail, filesharing, VOIP, chat, and automatic update software, then check the lights on your network switch. If it is busy, it is time to find out what process is using your connection.

      Rather than going on about what it is doing, how about we spread the word on how to stop it one computer at a time.

      Already doing that. I just gave a copy of Linux on a live CD to my boss. This was after chatting up the cost of Vista + MS office. The cost to install it on several machines at home for desk, laptop, kids machines, etc is substantial. Try this, it comes with a free office suite, photo editor, etc. By the way, by default new users are given user accounts, not administrator accounts. This may be my 4th convert in the last 2 months.

      --
      The truth shall set you free!
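    "Find out what process is using your connection", from the reply above, is the per-process step after the switch lights give the first hint. The script below is an added example, not code from the thread: assuming a Linux host where `ss -tnp` is available, it parses that command's output format (here a constructed sample, including a constructed process name "updchk" and documentation-range addresses) and flags any process that fans out to many peers or holds several simultaneous SMTP connections, the shape of traffic a spam-sending bot produces.

```python
"""Per-process connection summary over `ss -tnp`-style output.

Constructed example, not code from the thread. Parses the column layout that
`ss -tnp` prints on Linux (State, Recv-Q, Send-Q, Local Address:Port,
Peer Address:Port, Process) and reports which processes look like a spam bot:
many distinct peers, or several concurrent connections to port 25.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Matches the users:(("name",pid=N,fd=M)) column printed by ss -p.
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


@dataclass
class Conn:
    state: str
    local: str
    peer_ip: str
    peer_port: int
    proc: str
    pid: int


def _split_hostport(addr: str):
    host, _, port = addr.rpartition(":")  # rpartition also copes with IPv6
    return host, int(port)


def parse_ss(text: str) -> List[Conn]:
    """Parse `ss -tnp` output; lines without a process column get pid 0."""
    conns: List[Conn] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header or blank line
        state, local, peer = fields[0], fields[3], fields[4]
        m = _PROC_RE.search(line)
        name, pid = (m.group("name"), int(m.group("pid"))) if m else ("?", 0)
        peer_ip, peer_port = _split_hostport(peer)
        conns.append(Conn(state, local, peer_ip, peer_port, name, pid))
    return conns


@dataclass
class ProcStats:
    name: str
    connections: int = 0
    peers: Set[str] = field(default_factory=set)
    smtp: int = 0  # established connections to port 25


def summarize(conns: List[Conn]) -> Dict[int, ProcStats]:
    """Aggregate established connections per PID."""
    stats: Dict[int, ProcStats] = {}
    for c in conns:
        if c.state != "ESTAB":
            continue
        st = stats.setdefault(c.pid, ProcStats(c.proc))
        st.connections += 1
        st.peers.add(c.peer_ip)
        if c.peer_port == 25:
            st.smtp += 1
    return stats


def suspicious(stats: Dict[int, ProcStats], max_peers: int = 5,
               max_smtp: int = 2) -> List[int]:
    """PIDs whose fan-out or SMTP use exceeds what a desktop app normally does."""
    return sorted(pid for pid, s in stats.items()
                  if len(s.peers) > max_peers or s.smtp >= max_smtp)


# Constructed sample in the format `ss -tnp` prints; "updchk" is a made-up
# process name and all addresses are from documentation ranges.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      192.168.1.20:51230   198.51.100.10:443  users:(("firefox",pid=2210,fd=61))
ESTAB  0      0      192.168.1.20:51231   198.51.100.11:443  users:(("firefox",pid=2210,fd=63))
ESTAB  0      0      192.168.1.20:51240   198.51.100.12:443  users:(("firefox",pid=2210,fd=70))
ESTAB  0      0      192.168.1.20:44002   192.0.2.50:993     users:(("thunderbird",pid=2301,fd=40))
ESTAB  0      0      192.168.1.20:44010   192.0.2.25:25      users:(("thunderbird",pid=2301,fd=42))
ESTAB  0      0      192.168.1.20:60001   203.0.113.7:25     users:(("updchk",pid=4120,fd=5))
ESTAB  0      0      192.168.1.20:60002   203.0.113.8:25     users:(("updchk",pid=4120,fd=6))
ESTAB  0      0      192.168.1.20:60003   203.0.113.9:25     users:(("updchk",pid=4120,fd=7))
ESTAB  0      0      192.168.1.20:60004   203.0.113.10:25    users:(("updchk",pid=4120,fd=8))
ESTAB  0      0      192.168.1.20:60005   203.0.113.11:25    users:(("updchk",pid=4120,fd=9))
ESTAB  0      0      192.168.1.20:60006   203.0.113.12:25    users:(("updchk",pid=4120,fd=10))
TIME-WAIT 0   0      192.168.1.20:60000   203.0.113.6:25
"""


if __name__ == "__main__":
    stats = summarize(parse_ss(SAMPLE))
    for pid in suspicious(stats):
        s = stats[pid]
        print(f"pid {pid} ({s.name}): {s.connections} connections, "
              f"{len(s.peers)} peers, {s.smtp} to port 25")
```

On a real host, pipe `ss -tnp` into `parse_ss` instead of using SAMPLE; a single mail client talking to its one outgoing mail server stays below the thresholds, which is the point of counting distinct peers rather than just port 25.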
  36. Some movies, some Wikipedia, some angles by Torodung · · Score: 4, Insightful

    This article is a good place to start.

    You could also introduce him to the theory behind Bittorrent, which is a good demonstration of how many computers each doing a small task, given modest bandwidth, can add up to massive distribution and publication power in short order.

    Now, what if some distributed network decided to siphon a gig of illegal or embarrassing materials onto a compromised target machine. Perhaps a politician that is voting the wrong way?

    Then ask him, not if the entire banking industry is safe, but if an individual's information (SHA hash collision or private key, but that's not "average Joe" speak) could be subject to a distributed brute force attack.

    With the growing power of computers making tiny pieces of malware harder and harder to notice (that 1% of processor time is more and more powerful), and malware being able to literally hide files from the user until such time that it chooses to reveal them, it seems like it's only a matter of time before someone with a large enough botnet, and enough imagination, could start attacking individuals and/or siphoning off their money. How you do this is not something I care to discuss, but the black hats (both the actual criminals and the security experts, as an exercise) already have ideas and are working on it. That's why you'll see them periodically calling for stronger encryption (more bits in the keys). If there was no possible threat, they wouldn't be creating and suggesting longer keys. Rootkits would not be a concern, if files hidden from the user were always benign (most are).

    But all it takes is the wrong person to have the right idea, a breakthrough that changes the assumptions, especially in cryptography. Show him the movie "Sneakers" if you want to fuel some imagination regarding that. It's crap, but it's also fun and sizes the problem for the average Joe. Assuming that only ethical people work in cryptography is somewhat naive. Assuming that unethical people are not watching the progress of ethical individuals in the field is stupid.

    There's nothing to say such solutions and attacks haven't occurred already, but it seems, as your son suggests, unlikely. You can bet if a criminal has figured it out, a little bit of money siphoned off here and there would be almost impossible to detect, especially in an environment where people are unwilling to believe it's even possible. Believe me, if the idea has hit Hollywood, it's old hat. That's exactly how such a criminal would proceed if they had found a way to leverage such distributed computing applications. They would target a distributed network of accounts, one by one, in a way that looked like banking errors (which are numerous and automatically corrected by the bank) and slowly siphon money from the banking industry itself, through compromised individual accounts. No individual would suffer, because of correction processes in the banks, the world's capital reserves would.

    Then ask what that money could buy in terms of influence, weapons, elections?

    Any compromised machine is a liability to its user. Botnets are a menace to society, and we're lucky all they're (hopefully) being used for is "penis enlargement" ads and DDoS attacks. That's barely scraping the surface of their potential.

    If he wants to go on believing that his safety and security are a given, without any effort on his own part, there's little you can do, but anyone with any imagination, who is not in flat out denial, can demonstrate that distributed computing applications have a great deal of power, and that basic security is everyone's concern. It is definitely not good that these ne

    1. Re:Some movies, some Wikipedia, some angles by Anonymous Coward · · Score: 0

      Then ask him, not if the entire banking industry is safe, but if an individual's information (SHA hash collision or private key, but that's not "average Joe" speak) could be subject to a distributed brute force attack.

      Well that would be a completely fuckt*arded question to ask. That's the nice thing about crypto: it has been repeatedly shown that if crypto is done correctly then even a computer made of all the atoms in the universe couldn't break it.

      And that's a fact. So, no, I'm not worried about a shitty 50 million PC botnet breaking SHA-256 nor good PKCS systems...

    2. Re:Some movies, some Wikipedia, some angles by Anonymous Coward · · Score: 0

      Sometimes the trick isn't to guess the key but to just verify the payload. That's enough to break most banking systems.

    3. Re:Some movies, some Wikipedia, some angles by Torodung · · Score: 1

      Clearly, I said exactly that later on. We were talking to an "average Joe," remember? The question was meant to spark thought about the power of distributed computing in an infinite time frame, not to frighten anyone.

      Formerly insoluble problems are now soluble through these methods, including generating the large prime numbers for future crypto. I'm talking about monkeys and typewriters here, not completely breaking SHA-256.

      This isn't useful to crackers, because you can't arbitrarily break any specific crypto problem with brute force, and so the industry itself is completely secure, because there is no solution that is reliable, discrete, specific and practical. You can't target anyone, and so phishing is easier, and more profitable, for the time being.

      But dumb luck? Just going at it for an infinite period of time with unknown resources and seeing what shakes out? Freak occurrences are another matter entirely, and playing a long game with a distributed computing network is one (highly tedious, and by current assumptions and methods, fruitless) way to get at these problems.

      Don't underestimate the power of dumb luck and persistence, and don't forget that assumptions can radically change. The former is the way most things get done, and the latter is a fact of a fallible human existence.

      Truly, the question was meant to fuel imagination, not highlight a cause for alarm. As I later said, it's unlikely any of this has happened yet. I'll make that more emphatic: the likelihood is infinitesimal. There's no current threat, at least not in our current understanding of mathematics, and with competent folks versed in cryptography (e.g.: NSA) making recommendations about cypher strength.

      But in my experience, while you can bank on not being outsmarted, dumb luck and persistence are never to be underestimated. While there is no threat, there is a danger.

      I'm not willing to be Grand Moff Tarkin in his "moment of triumph."

      --
      Toro

  37. Hmm.. by StarfishOne · · Score: 1

    Would it not be somewhat of an improvement then if services like these would also be massively distributed? Instead of a massive scammer network having a 'force to counter' in the form of a massive anti-scammer network. Surely a p2p/torrent like thing could make this possible?

  38. Well, yes, it does. by Grendel+Drago · · Score: 1

    If Fred Phelps's goal is to piss people off, he's on the right track. If Bush's goal is to anger people, he's doing a heckuva job. The anti-spammers in question have clearly pissed someone off, and it appears to be the same someone who sends a lot of spam. That the anti-spammers have done enough to be noticed seems like the most likely explanation, but of course, there might be others; I just can't think of any.

    --
    Laws do not persuade just because they threaten. --Seneca
  39. Hired goons are part of the answer by Anonymous Coward · · Score: 0

    Step 1: Monitor traffic, locate physical location of botnet controller

    Assuming botnet controller is not in country with working legal system:

    Step 2: Apply rubber hose cryptanalysis to botnet controller to obtain control of botnet

    Step 3: Force all machines on botnet to take themselves down permanently

    Step 4: Dispose of botnet controller in appropriate piranha tank.

  40. Re:Russians by LuminaireX · · Score: 1

    Because they'll send a botnet at you?

  41. Ya DHS are morons by Sycraft-fu · · Score: 3, Interesting

    We've got a professor at the university where I work that consults for DHS, one of our student workers is in his class. The misinformation this guy hands out is... legendary. For example, did you know that twisted pair only has a bandwidth of 250kHz and a maximum speed of 4Mbps? Really, it must be true, Dr. DHS said so! Never you mind things like Belden 7852A that is rated up in the 400-600MHz range, what do they know? Smarmy cable manufacturer, Dr. DHS says that's just not true!

    Well if you've got people like that advising you, I'm going to guess the technical conclusions you come to are probably not going to be the correct ones.

  42. Wait a minute by Mr.+Freeman · · Score: 1, Redundant

    "Look, these sites are being DDosed, let's post them on slashdot". Doesn't exactly seem like the best idea ever.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
  43. The final straw. by LordSnooty · · Score: 1, Interesting

    It's time for the community to do something about botnets. Forget ethics, we use whatever means necessary. Government and law enforcement agencies appear unwilling or even technically unable to do anything about it (this is a very important point). What better people to sort out this mess than the community who thought up the IRC protocol and whatnot in the first place? It's time to find these machines, break into them and stop this madness. Will govt only do something when their sites get attacked? Can you say weakening Western-Russian relations?

  44. Microsoft "Malicious software removal".... by Joce640k · · Score: 1

    Microsoft "Malicious software removal" to the rescue!!

    Maybe.

    I mean, this is precisely the sort of thing it's designed for, right?

    --
    No sig today...
    1. Re:Microsoft "Malicious software removal".... by Anonymous Coward · · Score: 0
      DRM DRM DRM DRM. Lovely DRM! Wonderful DRM!

      Arrrrgh! You bastard! I'm gonna be stuck with that all day now.

  45. Down with the taliban! by Anonymous Coward · · Score: 0

    I don't come into your church with a loudspeaker yelling "MICROSOFT IS AN UNFAIR MONOPOLY!" Even though I think it is an important message. I'm sure you would object if I did so, so maybe you should follow the golden rule and not visit technical forums to spread your taliban infested "message".

  46. Feed it a bluepill? by The+Master+Control+P · · Score: 0, Redundant

    I'm not by any means experienced at modern ASM and low-level stuff; the only instruction set I recognize is 8085. But why wouldn't it be possible to run Windows98 inside something like Bochs, and then just halt the VM and take the keys out of its memory and order the botnet to self-destruct? Will the worm check for subtle processor state aspects that Bochs misses and not run? That this hasn't been done already implies that I'm missing something...

    1. Re:Feed it a bluepill? by Anonymous Coward · · Score: 0

      Two words: asymmetric cryptography

  47. Spammers at it again. by Lightster · · Score: 2, Informative

    I remember when this happened against Blue Frog. They were forced to shut their service down due to the DoS attack against them. As soon as the spammers feel threatened by any anti-spam organization they just launch these kinds of attacks and shut them down. They seem to easily get away with it. Kind of sad really, there needs to be a fight against spammers on a larger level with Governments and IT corporations getting involved.

  48. Hellooooo Blue Security? by Spy+der+Mann · · Score: 1

    "Those who cannot remember the past are condemned to repeat it."

    To put it in other words, why am I not surprised that this happened, after watching Blue Security being obliterated by... guess what, a botnet!

  49. Re:Russians by TFGeditor · · Score: 1

    Uh, can somebody please explain why the parent is modded "Flamebait"?

    --
    Ignorance is curable, stupid is forever.
  50. Re:Russians by totally+bogus+dude · · Score: 4, Insightful

    Probably because claims to the effect of "all blank are filthy scammers and spammers" are generally considered to be flamebait? Add to that the whole notion of "our cyberspace" and a completely unrealistic proposal (just how do you prevent an entire country from connecting to the internet, anyway?). Yeah, it's flamebait.

  51. A Proper Punishment by Nom+du+Keyboard · · Score: 1

    When the Storm Worm writers are caught, they should be publicly beaten to death immediately, as a warning to all who would follow in their footsteps.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  52. Something like that... by Xenographic · · Score: 1

    Malware means "bad software" so naturally all trojans, viruses, backdoors and worms are included in the term malware, but you can also add to that spyware, adware and unremovable software which may or may not contain trojan, virus or backdoor features.

    Obviously, if you had adware that injected ads into unrelated programs, it'd be an adware virus, etc. But you can have something that's merely adware without it being a trojan or anything else.

    I think I forgot to mention rootkits, a source of recent controversy. They're an advanced type of backdoor which cloak their presence on the system and thus have anti-removal features. This caused some confusion because a recent game had anti-removal features common to rootkits, but lacked the backdoor part. Further, a Sony USB stick had the cloaking features, but no known backdoor, although some, like F-Secure, called that a rootkit as well, which could be misleading because all traditional rootkits DO include a backdoor... otherwise they wouldn't give you root, and wouldn't that just make them a "kit" or something instead of a rootkit?

    Naturally, you can call any unwanted instance of malware an 'infection', although some people are dense enough to knowingly install it on their machines, which could muddy the issue. Some people also might disagree with me for calling _all_ adware "malware" because legitimate programs can be ad-supported in that way. However, I maintain that I will NOT use adware not merely because I hate ads, but because many high profile ad networks have been hacked and made to serve up exploit code which has infected many PCs.

    Frankly, I really wish that the media would get these things straight and just describe the bad features things have. E.G. they should issue reports like "infections of the FooBar malware are on the rise, it spreads via e-mail attachments that claim to be greeting cards, then uses a backdoor to connect your computer to the FooBar botnet."

  53. It doesn't prove anything... by 91degrees · · Score: 1

    Except that these sites are annoying enough that the fairly trivial effort to set up a DDOS in retribution feels worthwhile.

    Scam baiting is great, and I'm delighted that it's causing some annoyance but thinking of it as anything other than a fun way to wind up someone who deserves it, is just deluding yourself.

    1. Re:It doesn't prove anything... by rbarreira · · Score: 1

      While the scammers waste time with scambaiters, they are losing other targets... So yes, scambaiting probably has a non-negligible effect on their activity.

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    2. Re:It doesn't prove anything... by Anonymous Coward · · Score: 0

      Dude, you obviously haven't got a clue what we do. 419eater.com might be mainly a scambaiting site, but AA419.ORG is not! We run and maintain the largest database of fraudulent sites worldwide, listing also the money laundering mule recruitment sites run by the phishers who are behind these DDoS attacks. It has become a regular resource for law enforcement, regulatory bodies and ISPs/hosters. And we actively report these scam sites, too. We have written thousands of abuse reports to hosting companies and service providers and have taken down an equal amount of scam sites. We cost these scammers millions every year.
      Our activities actually pissed a few people off enough to pound away at us with 1GBit/s or almost half a Terabyte incoming traffic per hour!

    3. Re:It doesn't prove anything... by 91degrees · · Score: 1

      You're quite right. I had no clue what you do. Good work.

  54. Are ISPs doing enough? by cavebison · · Score: 1

    As big as a botnet is, it has only 2 main weapons - spam and DoS. To help fix the first problem, why can't ISPs analyse outgoing mail and if spam-like behaviour appears (which shouldn't be hard to detect), do the following:

    1. Completely block customer's traffic, except to allow the following:
    2. Direct customer to the ISP's download page of links to virus scanning software & updates.
    3. Allow customer to tick a box saying "yes I've done a scan, all ok now" and service resumes.
    4. If spam behaviour continues, return to step 1.

    Customer can resume service immediately if they want, but will get pissed off enough with the interruptions to eventually install/scan and/or learn not to run EXEs.

    DoS attacks could easily be thwarted by building an alert network for all ISPs. If a site is attacked, they alert the network and any ISPs seeing traffic going to that site do the same to the customer as above. Block them until they clear the infection. By badgering the end users until they learn, we might see PCs around the world quickly cleaned up. The government could help by providing free antivirus & firewall software too, or at least make them tax exempt.
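
    The four-step ISP "walled garden" described in this comment, written out as a small simulation. This is an added example, not code from any poster or ISP; the remediation host name, the rate threshold and the event stream are constructed for illustration.

```python
from collections import deque

# Constructed values for this illustration, not an ISP's real configuration.
REMEDIATION_HOST = "av-download.isp.example"  # hypothetical ISP download page
MAX_MSGS_PER_WINDOW = 5                        # toy spam-like rate threshold
WINDOW_SECONDS = 60


class CustomerQuarantine:
    """Tracks per-customer outbound mail rate and gates their traffic."""

    def __init__(self):
        self.sent = {}        # customer -> deque of recent send timestamps
        self.blocked = set()  # customers currently in the walled garden

    def record_mail(self, customer, ts):
        """Step 1: log an outbound message; block if the rate looks spam-like."""
        q = self.sent.setdefault(customer, deque())
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:  # drop sends outside the window
            q.popleft()
        if len(q) > MAX_MSGS_PER_WINDOW:
            self.blocked.add(customer)
        return customer in self.blocked

    def allow(self, customer, dest_host):
        """Step 2: a blocked customer may only reach the remediation host."""
        if customer not in self.blocked:
            return True
        return dest_host == REMEDIATION_HOST

    def attest_clean(self, customer):
        """Step 3: customer ticks 'scanned, all ok'; service resumes.
        Step 4 needs no extra code: the counter restarts from zero, so
        continued spam-like sending puts the customer back in step 1."""
        self.blocked.discard(customer)
        self.sent.pop(customer, None)


def simulate(events):
    """Replay constructed (customer, ts, action, arg) events; return decisions."""
    quarantine = CustomerQuarantine()
    decisions = []
    for customer, ts, action, arg in events:
        if action == "mail":
            decisions.append(("mail", customer, quarantine.record_mail(customer, ts)))
        elif action == "connect":
            decisions.append(("connect", customer, quarantine.allow(customer, arg)))
        else:  # "attest"
            quarantine.attest_clean(customer)
            decisions.append(("attest", customer, True))
    return decisions
```

    A customer who sends six messages within a minute is blocked, can still reach the remediation host, and is released on attestation; a slow sender is never touched.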

  55. A way to fight botnets? by MasterOfCeremonies · · Score: 1

    What would happen if we organized a "good" botnet that would DDOS the machines on the Storm botnet, rendering them incapable? Obviously participation in the good net would be voluntary.

  56. Re:Russians by argontechnologies · · Score: 1

    Taking a country off-line has actually been done before (the internet was smaller / less connected then).

  57. This is a Criminal Offense - More Than Just DDOS by ScamFraudAlert · · Score: 1

    This is a fight that the IT profession should take on. This is not just about botnet computers or some hired gun to take down websites. This is a FIGHT for the internet. The fight for GOOD or EVIL. If we allow these thugs or criminals to take down websites or hold companies hostage for ransom, then civilization as we know it is at risk. The internet will become the new weapon of terror if it is not already being used to that extent. Those who advocate criminal activities on the internet should be sought out and reported to law enforcement. There is glorification or satisfaction that is to be gained. All scam fighting sites are under attack. These sites are the fight line of defense against cybercrime whether you agree or disagree with their methods. We at http://scamfraudalert.com/ remain resolute to this FIGHT.

  58. The Grey Solution by Anonymous Coward · · Score: 0

    would be to use 100% of the CPU/Memory/HDD. When the infection is that obvious, it will be found and deleted, removing the infection of the original (black) worm too. If the machine remains open after, then the grey worm will reinfect and manage 100% CPU/Memory/HDD again.

    After a while the user will operate their machine safely to avoid it.

    The Black worms/botnets will only remain as long as they infect lots of machines so that the DDoS is effective without saturating any one machine and thereby bringing notice to itself.

  59. aa419 (partially) up again by chr.vinter · · Score: 1

    And so it seems, aa419.org is up again, albeit only with a few pages so far. I still cannot get their Muguito to run, since it needs to log in somewhere first. Their forums are also down. Anyway, as several have said here, the determination of the scammers only proves that we are doing a good job annoying them. Neat!