Slashdot Mirror


Anti-Scammers Become Storm Botnet Victims

capnkr writes "It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet. Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well. Sounds like a massive, concerted effort against the folks who are fighting the good fight. Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."

17 of 207 comments

  1. Grey Hat solution by DigiShaman · · Score: 3, Interesting

    Aside from the legalities, perhaps Grey Hats round the world need to start developing "neuter-viri" (self replicating auto-patchers). These zombified machines have got to be defanged somehow, and fast.

    --
    Life is not for the lazy.
    1. Re:Grey Hat solution by Evi1BastardFromHe11 · · Score: 4, Interesting

      What would this accomplish? The lusers have to be hit hard to start to care about what sort of malware resides on their machines. I would rather see a solution where someone exploits a hole in the Storm control implementation and distributes a disk shredding update to all nodes.

      50M dead HDDs would be fun in the oldschool spirit and at the same time would generate enough of fuss for people to start actually caring about security.

    2. Re:Grey Hat solution by Anonymous Coward · · Score: 3, Interesting

      That is because Welchia was poorly designed. A properly designed counter-worm would not actively seek out targets. Instead, it would patch the system and wait for an infected system to contact it, where it would then spread to that infected system.

    3. Re:Grey Hat solution by Sigma+7 · · Score: 1, Interesting

      "A properly designed counter-worm would not actively seek out targets. Instead, it would patch the system and wait for an infected system to contact it, where it would then spread to that infected system."

      This design of counter-worm is ineffective against worms that also patch the system against the vulnerability in question. While I don't know any names, such a design isn't far fetched.

      The only way to counter such a worm is to perform active scanning, even if it floods the networks. Of course, a gray hat designer would prefer a flooded network over a botnet - per minimal collateral damage guidelines.
  2. The counter-solution by EvilMonkeySlayer · · Score: 2, Interesting

    The counter solution to this is for a big company like Google, Yahoo or Microsoft (yes, Microsoft) to offer either their servers, hosting, bandwidth etc. to these sites that are quite evidently being successful against the scammers. Or at the least they could give the sites some cash injections to buy more capable servers, fatter lines etc.

    1. Re:The counter-solution by Anonymous+Brave+Guy · · Score: 2, Interesting

      What on earth makes you think people like Microsoft and Google don't get hit by these people?

      I have no data you don't, but I'd be amazed if no-one has ever threatened the richest IT companies in the world with outages if they don't pay up.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  3. Re:craigslist scammers by WhatAmIDoingHere · · Score: 3, Interesting

    You blew your load too quickly. The comedy comes from pissing them off and seeing how many hoops you can get them to jump through before telling them that you're just fucking with them.

    --
    Not a Twitter sockpuppet... but I wish I was.
  4. How do you explain this to the average joe? by mark-t · · Score: 4, Interesting

    I told my oldest son about this botnet yesterday, mentioning that with between 2 million and 20 million CPUs working at any one time, and even that larger figure likely representing only a fraction of the botnet's total capacity, it collectively represented the most powerful supercomputer ever built... and it was effectively under the control of a small group of people with criminal intent - the author, or authors, of the worm. My son responded to me with a great deal of scepticism, first saying that none of these security experts who have made this analysis have any way to estimate what sort of computing power military organizations might have, so saying that it represented the most powerful supercomputer ever was actually a completely meaningless claim, and also, he proclaimed that the story was most probably just hype and over-exaggerated. He said that the claim of the most powerful supercomputer ever being controlled by criminals was simply too much to be believable, like the headlines one might see on the front page of the Weekly World News tabloid. He also said that it was ludicrous to see how sending people "penis extension ads" (which is about all he figures a botnet can do) can actually seriously harm anything or anyone.

    So this got me to wondering... how much of this actually _is_ something that is of any real concern, and if it really is, how could it be explained to people in such a way that it's not going to sound like some claim from a conspiracy theorist?

  5. size by Johnny+Mnemonic · · Score: 1, Interesting


    Is the size of the Storm network large enough to hold a really big player hostage? Could they e.g. DDoS Microsoft's update portal? Or Google's homepage? Either for ransom or without?

    Could they cripple other internet backbone infrastructure stuff, and thereby hold the nation's entire computer infrastructure hostage?
    As TFA mentions, a DDoS attack is more expensive for the customer of the botnetters, as it is easier to detect and stop at the ISP level, so I wonder if those attacks are really feasible, or if it'd just mean that everyone that's infected loses internet access until they get cleaned up. Which might not be such a bad thing.

    But, in short, is the Storm Botnet an actual national security threat? Could a foreign power commission it to do the US computing infrastructure grievous harm; but could it be stopped if the DHS etc took protective action at the ISP level?

    --
    $tar -xvf .sig.tar
  6. Re:Possible solution: treat computers like a car by Anonymous Coward · · Score: 2, Interesting

    Where I work (local WISP, over 4000 subscribers and growing!), we block nothing to or from a customer's PC (or PCs) unless it trips our antivirus or antispam system with a known signature. We do not do heuristic scanning, so we don't get false positives from malformed data or "something close".

    We also have intrusion protection at all of our border routers, that scans incoming and outgoing traffic. Our traffic wipes its feet before going out to the internet, if you know what I mean.

    We also have a service plan for customers that covers all labor for anything they need done to their computer systems. So, if we detect that they are sending out viruses or spam (or both), we give them a call, pick up their PC, clean it, and return it to them at no additional charge.

    The benefits of this program have been measured in lower support calls from customers, a cleaner internal network, more bandwidth available to everyone, and customers who no longer have to spend hundreds of dollars at a brick and mortar computer store to have their systems cleaned up and repaired. We are proactive in protecting the rest of the internet from whatever someone brought home from work (or any other network) on a laptop.

    It's a hell of a lot of work, and a lot of money invested in hardware based IPS/Anti-SPAM/Anti-virus detection and prevention. But, it's an end-to-end service that rivals no other ISP that I know of.

    We advertise by word of mouth, BTW, and will break 5000 customers by summer of next year. People on our system love this stuff!

  7. Re:Solution??? by Technician · · Score: 3, Interesting

    I got a bunch of those e-card emails several weeks ago. Knowing how my Ubuntu box is configured, I went ahead to see how the exploit works. The link is a very sparse page indicating a video download that will start automatically. If it doesn't, click here. The exploit uses both a script and social engineering. Firefox didn't start an automatic download on Ubuntu, so for grins I clicked the link. I was asked where I wanted to save e-card.exe. This exploit page was common to many e-mails indicating cards from my mother, relative, etc. I thought it interesting there was no information passed to load any kind of customized card like a real e-card. Also highly suspicious is that the link was an IP address, not a URL. That move alone gets past filtered DNS services and a hosts file.

    By the way, the download in Ubuntu asking where to save it has a cancel button. I didn't download it to get a filesize. Sorry.

    I know I am not sending any extra data as part of this bot simply because my network switch sits right under my monitor. There is no unusual traffic here. I think everyone should be constantly monitoring their network traffic.

    Maybe MS and Ubuntu can make a traffic monitor that sits on the desktop by default. I know most people would ignore it thinking it is Limewire or Torrent traffic.

    --
    The truth shall set you free!
  8. Re:Solution??? by an.echte.trilingue · · Score: 2, Interesting

    I hear you. I work for a small business, and we have our email handled by our ISP. They won't cut off other users who are spamming, and so their mail server is now starting to show up on spam blacklists. It is really embarrassing to have to call our partners and customers and tell them to check their spam box for our email, and then we are lucky if it is even there. We will be changing ISPs soon... I hope.

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  9. Re:Solution??? by freedumb2000 · · Score: 2, Interesting

    Also, all the IP addresses I did a lookup on resolved to a dynamic host address, so it looks like the infected machines are distributing the Storm files themselves to new victims with no central distributing server to shut down.
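
The observations in comment 7 (the lure links use an IP literal rather than a hostname, and point at an executable download) and in comment 9 (the serving addresses reverse-resolve to dynamic, consumer-pool names) can be turned into a small triage script for incoming mail. The following is an added example, not code posted in this thread: the mail body, the address (from the RFC 5737 documentation range 203.0.113.0/24) and the PTR name are constructed, and the dynamic-pool name patterns are the editor's heuristic; a real run would replace the PTR dictionary with socket.gethostbyaddr() results.

```python
"""Triage e-card style lure links: IP-literal hosts, executable payloads,
dynamic-pool reverse DNS. Added example; all sample data is constructed."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")

# Heuristic (assumption): tokens and embedded-address forms that ISPs
# commonly put in PTR records of dynamic / consumer address pools.
DYNAMIC_TOKEN_RE = re.compile(
    r"\b(dyn|dynamic|dhcp|pool|dsl|adsl|cable|ppp|dialup)\b")
EMBEDDED_IP_RE = re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}")


def extract_links(body: str) -> list:
    """Return every http(s) URL found in a mail body."""
    return URL_RE.findall(body)


def host_is_ip_literal(url: str) -> bool:
    """True when the URL's host is a bare IPv4/IPv6 address.

    Such links never hit the resolver, so DNS-based filtering and a
    hosts file do nothing against them (the point made in comment 7)."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_dynamic_ptr(ptr: str) -> bool:
    """True when a reverse-DNS name looks like a dynamic consumer pool."""
    name = ptr.lower()
    return bool(DYNAMIC_TOKEN_RE.search(name) or EMBEDDED_IP_RE.search(name))


def triage_link(url: str, ptr: Optional[str] = None) -> dict:
    """Score one link; `ptr` is the reverse DNS of its host, if known."""
    parts = urlsplit(url)
    findings = []
    if host_is_ip_literal(url):
        findings.append("ip-literal host (bypasses DNS filtering and hosts file)")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append("link points at an executable")
    if ptr and looks_dynamic_ptr(ptr):
        findings.append("host reverse-resolves to a dynamic/consumer pool name")
    return {"url": url, "host": parts.hostname,
            "findings": findings, "suspicious": bool(findings)}


def triage_mail(body: str, ptr_lookup: dict) -> list:
    """Triage every link in a mail body.

    `ptr_lookup` maps host -> PTR name; in production it would be filled
    by socket.gethostbyaddr(), here it is supplied so the code runs offline."""
    results = []
    for url in extract_links(body):
        host = urlsplit(url).hostname or ""
        results.append(triage_link(url, ptr_lookup.get(host)))
    return results


# Constructed sample lure, modelled on the mails described in comment 7.
SAMPLE_MAIL = """Your mother has sent you an e-card!
Click here to view it: http://203.0.113.5/
If the download does not start, click http://203.0.113.5/e-card.exe
"""
# Constructed reverse-DNS answer (not a real lookup).
SAMPLE_PTR = {"203.0.113.5": "dyn-203-0-113-5.pool.example-isp.net"}

if __name__ == "__main__":
    for r in triage_mail(SAMPLE_MAIL, SAMPLE_PTR):
        print(r["url"], "->", "; ".join(r["findings"]) or "nothing unusual")
```

The same checks run just as well over proxy or mail-gateway logs; the ip-literal and executable-suffix findings need no network at all, which is why they are cheap first-pass filters.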

  10. Ya DHS are morons by Sycraft-fu · · Score: 3, Interesting

    We've got a professor at the university where I work that consults for DHS, one of our student workers is in his class. The misinformation this guy hands out is... legendary. For example, did you know that twisted pair only has a bandwidth of 250kHz and a maximum speed of 4Mbps? Really, it must be true, Dr. DHS said so! Never you mind things like Belden 7852A that is rated up in the 400-600MHz range, what do they know? Smarmy cable manufacturer, Dr. DHS says that's just not true!

    Well if you've got people like that advising you, I'm going to guess the technical conclusions you come to are probably not going to be the correct ones.

  11. The final straw. by LordSnooty · · Score: 1, Interesting

    It's time for the community to do something about botnets. Forget ethics, we use whatever means necessary. Government and law enforcement agencies appear unwilling or even technically unable to do anything about it (this is a very important point). What better people to sort out this mess than the community who thought up the IRC protocol and whatnot in the first place? It's time to find these machines, break into them and stop this madness. Will govt only do something when their sites get attacked? Can you say weakening Western-Russian relations?

  12. Re:More than just DDoS by fbartho · · Score: 2, Interesting

    Yeah, but then they can just put some new IPs behind their round-robin DNS server, and retire the old ones, and your bots will never know!

    --
    Gravity Sucks
  13. Re:somebody needs to stop... by Anonymous Coward · · Score: 2, Interesting

    The GP's comment was saying that the Storm worm will install Windows updates to make it harder for OTHER viruses/worms to get into the system. I've even heard that it installs a pirated AV program to help 'protect' the zombified machine.

    As for your second point, don't be a troll. All software has bugs, microsoft is no different. If you bothered reading about this at all, you'd realize that most anti-virus products will detect and remove this worm. The people who are running windows without an anti-virus program are the same people who don't install windows updates (and the ones who ran 'game1.exe' from a random email). If Microsoft could create an 'ultimate patch' that would make Windows completely secure (stop laughing, there's a point to this), do you really think everyone would install it? There would still be worms and viruses, they'd just target the unpatched systems and prey on people who don't know enough about computer security.