Slashdot Mirror


Anti-Scammers Become Storm Botnet Victims

capnkr writes "It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet. Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well. Sounds like a massive, concerted effort against the folks who are fighting the good fight. Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."

10 of 207 comments

  1. Re:somebody needs to stop... by Constantine+XVI · · Score: 3, Informative

    Storm actually does install updates and checks for viruses on its victims. It just excludes anything that would make life harder on itself.

    --
    "I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
  2. Battle of the Worms.... by CharonX · · Score: 4, Informative

    I recall reading a quite interesting article on this topic a while ago while doing research for a university seminar I had to hold.
    The big crux is that the "worm" needs to show negative behaviour, i.e. exploit its host bandwidth and CPU cycles, at least for a while, to gain sufficient impact to "infect & patch" vulnerable machines. It would turn into a battle of the worms, where "grey" worms attempt to infect as many machines as possible, plug the security holes, seek new machines to "infect and patch" and then, after a while, self-delete themselves - while the "black" worms attempt almost the same, only that they do not self-delete but instead continue to exploit their host. Most machines that become victims of rootkits or worms are actually patched up once infected, to avoid losing the machine to competing malware.

    --
    +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
  3. More than just DDoS by weierstrass · · Score: 4, Informative

    At the moment http://www.aa419.org/ gives me the main pages of my own web server on my laptop

    user@my-box:~$ host aa419.org
    aa419.org has address 127.0.0.1
    aa419.org mail is handled by 5 mail.aa419.org.

    --
    my password really is 'stinkypants'
    1. Re:More than just DDoS by cpq · · Score: 5, Informative

      > user@my-box:~$ host aa419.org
      > aa419.org has address 127.0.0.1

      Actually this is the SMART thing to do. If they're attacking the hostname of the website, any smart admin would change the DNS record to lower the TTL to update, and update their address to 127.0.0.1. This way the botnet boxes end up attacking themselves. I've done it before. Then once the attack is over you update your A name record to the actual IP.
  4. Re:Solution??? by arkhan_jg · · Score: 4, Informative

    It is a backdoor trojan, not a worm - largely spread via email .exe attachments, but also installed by at least one other mass mailer worm, W32.Mixor.Q@mm.

    http://en.wikipedia.org/wiki/Storm_Worm
    http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99&tabid=2

    It's detected and removed by the usual array of anti-virus software (it installs a malicious device service %System%\wincom32.sys, that joins it to the private distributed P2P control network). However, it does also have capability to download additional malicious software, and has changed form several times.

    http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
    Currently the malware being downloaded is as follows:

    game0.exe: A downloader + rootkit component - detected as Trojan.Abwiz.F
    game1.exe: Proxy Mail Relay for spam which opens port TCP 25 on the infected machine - detected as W32.Mixor.Q@mm
    game2.exe: Mail Harvester which gathers mail addresses on the machine and posts them as 1.JPG to a remote server - detected as W32.Mixor.Q@mm
    game3.exe: W32.Mixor.Q@mm
    game4.exe: It contacts a C&C server to download some configuration file - detected as W32.Mixor.Q@mm

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  5. Re:Grey Hat solution by Nintendork · · Score: 4, Informative

    Someone already did this to counter the Blaster worm. See Welchia. The problem with this one though is that it was flooding networks with ICMP pings, causing more network outages than the Blaster worm it was designed to fight.

  6. Almost by Xenographic · · Score: 3, Informative

    * A worm infects without user intervention (e.g. SQL Slammer, which *was* a worm).
    * A trojan is a hidden "feature" of some otherwise legitimate software.
    * A virus is a program that attaches itself to other files.
    * A backdoor gives someone remote control of the machine.
    * A botnet is an advanced backdoor where one can control many machines at once, e.g. from an IRC channel. PCs infected by completely different malware can all join the same person's botnet. Conversely, PCs infected by customized versions of the same malware can join different botnets.

    The problem is that the media doesn't understand ANY of this and that the categories aren't all mutually exclusive. This is a trojan & backdoor that spreads via dumb users executing attachments they shouldn't.

  7. 127.0.0.1'd by cpq · · Score: 2, Informative

    Some of the sites are using DNS records to point back to 127.0.0.1 and lowering their TTL so the botnet machines attack themselves. Easy way to defend (in some way) against a DDoS. Don't count on the site(s) being up until the owners are sure more bandwidth / CPU cycles won't be wasted.
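Comments 3 and 7 describe the same observation from two sides: a site under attack answers its own hostname with 127.0.0.1, and from the outside that looks exactly like the `host` output weierstrass pasted. The following is an added example, not code from the thread or from any of the sites mentioned: it parses that `host` output format, classifies each answer address with the standard `ipaddress` module, and reports which names currently resolve only to loopback or otherwise unroutable addresses. The sample lines are constructed; `example.net` and its documentation-range addresses stand in for a normally resolving site.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Line formats printed by the BIND `host` utility, as quoted in the thread.
_ADDR_RE = re.compile(r"^(?P<name>\S+) has (?:IPv6 )?address (?P<addr>\S+)$")
_MX_RE = re.compile(r"^(?P<name>\S+) mail is handled by (?P<pref>\d+) (?P<mx>\S+)$")

# RFC 1918 ranges, kept explicit so the classification is obvious.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class HostRecord:
    name: str
    addresses: list = field(default_factory=list)        # (address, classification)
    mail_exchangers: list = field(default_factory=list)  # (preference, mx host)


def classify(addr: str) -> str:
    """Bucket an address by whether anyone on the Internet could reach it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:          # 127.0.0.0/8 or ::1 -> the bot would hit itself
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if any(ip in net for net in _RFC1918):
        return "rfc1918"
    if ip.is_unspecified or ip.is_multicast:
        return "non-routable"
    return "routable"


def parse_host_output(text: str) -> dict:
    """Parse `host` output (prompt lines and anything unrecognised are skipped)."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _ADDR_RE.match(line)
        if m:
            rec = records.setdefault(m["name"], HostRecord(m["name"]))
            rec.addresses.append((m["addr"], classify(m["addr"])))
            continue
        m = _MX_RE.match(line)
        if m:
            rec = records.setdefault(m["name"], HostRecord(m["name"]))
            rec.mail_exchangers.append((int(m["pref"]), m["mx"]))
    return records


def sinkholed_names(records: dict) -> list:
    """Names whose every A/AAAA answer is unreachable from the outside.

    This is what the 127.0.0.1 trick in the thread looks like to an observer:
    the name still resolves, but to nothing a remote host can connect to.
    """
    return sorted(
        name for name, rec in records.items()
        if rec.addresses and all(cls != "routable" for _, cls in rec.addresses)
    )


# Constructed sample: the first block is the output quoted in comment 3,
# the second is a made-up site that resolves normally (documentation ranges).
SAMPLE = """\
user@my-box:~$ host aa419.org
aa419.org has address 127.0.0.1
aa419.org mail is handled by 5 mail.aa419.org.
user@my-box:~$ host example.net
example.net has address 192.0.2.10
example.net has IPv6 address 2001:db8::10
"""

if __name__ == "__main__":
    recs = parse_host_output(SAMPLE)
    for name, rec in recs.items():
        print(name, rec.addresses, rec.mail_exchangers)
    print("resolving to unreachable addresses:", sinkholed_names(recs))
```

`host` does not print TTLs, so checking the other half of the trick (the lowered TTL) needs the answer section from `dig`, which shows the TTL as the second field; the parser above is deliberately limited to the format quoted in the thread.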

  8. Re:Worm / hacker / cracker by Anonymous Coward · · Score: 1, Informative

    > AFAIK, Worm meant it propagated by the Internet.

    Worm meant it was a separate executable, and virus meant it needed attaching to a host file. Viruses in the classic sense are virtually non-existent, but "virus" is still used pretty loosely as a term for malware in the AV industry. But in IDS and network-facing areas, "worm" is the usual term.

    I work for Symantec; those are the terms they use. BTW, absolutely no one there says "virii".

  9. Spammers at it again. by Lightster · · Score: 2, Informative

    I remember when this happened against Blue Frog. They were forced to shut their service down due to the DoS attack against them. As soon as the spammers feel threatened by any anti-spam organization they just launch these kinds of attacks and shut them down. They seem to easily get away with it. Kind of sad really; there needs to be a fight against spammers on a larger level with governments and IT corporations getting involved.