Storm Worm Evolves To Use Tor

← Back to Stories (view on slashdot.org)

Storm Worm Evolves To Use Tor

Posted by CmdrTaco on Sunday September 9, 2007 @01:24AM from the guess-who's-back dept.

An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."

13 of 182 comments (clear)

Min score:

Reason:

Sort:

Are we late to the party? by Jennifer+York · 2007-09-09 01:29 · Score: 5, Interesting

I'm surprised that it took this long for them to try to hide their tracks through anonymizers. Perhaps they've been doing this for quite sometime, and just now are we catching on to the technique...
It just makes sense, and is obvious, and a natural progression of the technology..... Hey! Maybe I should write a patent!

--
Dominant Meme
1. Re:Are we late to the party? by rucs_hack · 2007-09-09 03:30 · Score: 3, Interesting
  
  if you look at sites like gamecopyworld.com you will find a wealth of programs that people will download for legitimate (in the consumers mind) use, to mean they can keep their game dvds in their boxes. Add 'trainers' and 'fun free games' to the list and your looking at the majority of casual downloads not directly involving pron or media.
  
  The main problem though is closed source. If source is closed, then there is no easy way to find malicious code before it is deployed on your system. Ok, I'm speaking as a programmer, so that would be useful for me, not a non coder. Still, the point remains, binary distribution only means trouble, be it storm, a sony rootkit, or just 'phone home' code in a program.
  
  What we need is something sort of like gentoo, where all programs are compiled locally, and the code can be inspected for malicious intent. Alas such technology, while it does exist, does not exist in a form that could be disseminated and used by people with no technological background. This is a pipe dream for the moment, I know this. Especially since I tried once to compile openoffice locally (18 hours I think). Perhaps trusted compile farms that deliver fresh binaries?
  
  Waxing lyrical I know, but there has to be an answer somewhere.
2. Re:Are we late to the party? by Anonymous Coward · 2007-09-09 05:10 · Score: 2, Interesting
  
  > as long as the users have some antivirus...
  
  Since storm is controlled peer-to-peer, shouldn't it be possible to co-opt it into sending out anti-virus spam?
  
  The real problem with a huge/scary bot net like this, is not that a small group of people can control it, but that in theory anyone can take it over for their own purposes.
3. Re:Are we late to the party? by Iron+Condor · 2007-09-09 07:29 · Score: 2, Interesting
  
  The main problem though is closed source. If source is closed, then there is no easy way to find malicious code before it is deployed on your system. Ok, I'm speaking as a programmer, so that would be useful for me, not a non coder. Still, the point remains, binary distribution only means trouble, be it storm, a sony rootkit, or just 'phone home' code in a program.
  
  Not really. In a binary I can at least in principle parse rudimentarily for things like "does this ever call the TCP/IP stack" and raise a flag ("why should tetris initiate outbound connections?"). In source, it is pretty darn easy to obfuscate intent ("// open port for game engine here" or such). I doubt that either is really more secure. Nice that I can get the source for OOo, but am I going to actually read the whole thing and then compile it myself (after compiling my own compiler, of course)? Or am I going to download the binary?
  What we need is something sort of like gentoo, where all programs are compiled locally, and the code can be inspected for malicious intent. Alas such technology, while it does exist, does not exist in a form that could be disseminated and used by people with no technological background
  
  Sure it does: It's called "just-in-time" compilation. Usually used by languages like TCL or Java that compile to bytecode which is then run on a VM. In principle that allows you to inspect code (unless that code is now jar'ed up or such). And unless we are curious how something was programmed, you and I both will just run it without ever looking at the code....
  
  --
  We're all born with nothing.
  If you die in debt, you're ahead.
4. Re:Are we late to the party? by Anonymous Coward · 2007-09-09 08:03 · Score: 1, Interesting
  
  Unlikely. High-end modern botnets like storm are sophisticated, self-healing fully distributed systems with strong end-to-end encryption. The days of just cracking a client exe for the IRC channel password, joining it and gaining control are pretty much over. Of course the difficulty of hijacking isn't much of a consolation given that it's in the hands of unknown criminals already.
Comment removed by account_deleted · 2007-09-09 01:32 · Score: 4, Interesting

Comment removed based on user account deletion
Who is behind the Storm Botnet? by kryptkpr · 2007-09-09 01:43 · Score: 5, Interesting

There is an excellent article in Wired from several weeks ago from when Storm was used to DDoS the entire country of Estonia for 2 weeks. A fantastic read, but here's a particularly scary excerpt: Hackers Take Down the Most Wired Country in Europe
If that is the case -- if Azizov isn't trying to cloud the issue -- the implication is perhaps more troubling. It suggests that there is a group of Russian hackers who, on their own, can disrupt the routine functioning of commerce, media, and government any time they want. If so, these hackers represent a stateless power -- a sort of private militia.

While the article does contain a lot of speculation and sketchy sources (like the above quoted Azizov) the evidence does seem to be pointing in a particular direction:
I ask him why anyone would trust him. After all, he seems to have a suspiciously intimate knowledge of the Estonian attacks. "Russian IT specialists are knowledgeable and experienced enough to destroy the key servers of whole states," he says. "They're the best in the world."

The implication: Clearly you want them on your side, so why not hire them? Maybe Estonia was simply an advertising campaign.

It's starting to look an awful lot like another Cold War is coming, except this time it will be a Cyber war waged by turning your enemy's (and the rest of the world's) poorly secured computers against their critical infrastructure while the actual government absolves itself of blame. Nice.

--
DJ kRYPT's Free MP3s!
Who are the stormbot people? by tjstork · 2007-09-09 01:46 · Score: 2, Interesting

Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators. From there, you can just send in a special forces team and just whack the guys. If one nation allows its citizens to hijacking of the assets of millions of another nation's citizens, isn't that just piracy by any other name, and if so, isn't that kind of an act of war?

--
This is my sig.
1. Re:Who are the stormbot people? by Anonymous Coward · 2007-09-09 02:07 · Score: 5, Interesting
  
  Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators. Theoretically "yes". But in practice the answer is "no".
  
  The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers. And they can tripwire their nodes so that after 30 minutes of use as a bouncer, the hard disks are overwritten with 0's (although in most cases this isn't required as IP addresses wouldn't be stored anyway).
  
  A chain of 20 hacked computers spanning the globe operating as routers is not easy to trace. You have to talk to each owner in the chain one-by-one and catch the bounced connection in realtime to reveal the IP for the next node in the chain. And the attackers can obfuscate their presence by programming their bots to simulate these proxy connections at random. Imagine having to trace through 100,000 chains, each containing 20-30 routing nodes. These chains are completely dynamic and randomly change every half an hour.
  
  The Storm botnet is almost the "perfect hack" unless the perpetrators make some big mistakes. If the owners of this botnet installed Freenet on all the bots, we'd have an unenforceable darknet which can only be blocked (maybe! - if you're really lucky) at the ISP. Anyone could tap into this new darknet and do as much internet crime as they like without ever having to worry about getting caught.
2. Re:Who are the stormbot people? by 1u3hr · 2007-09-09 03:32 · Score: 2, Interesting
  
  Theoretically "yes". But in practice the answer is "no". The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers
  So work from the other end. How do they make their money? Sending spam, apparently. How does spam make money? Currently, either by getting suckers to send money to them (viagra, Rolexes, etc) or pumping stocks the spammers have bought. In both cases, there must be a money trail, much easier to track than chasing a chain of proxies. Then squeeze these guys till they give up their associates, and eventually the botnet controllers. It takes a government to pressure the stock exchanges, credit card agencies and banks to give up their customers, though, vigilantes aren't going to get anywhere.
I had a different email... by Anonymous Coward · 2007-09-09 02:34 · Score: 1, Interesting

At Thu, 6 Sep 2007 13:46:38 +0300 I got this:
Subject: You are being watched online.

Everyone who is doing file trading is at risk. The RIAA is suing one person after another. Tor will stop them from finding you. Take back your privacy. Download it for free, right now. Download Tor
How did they get my email address?
You don't have to download the file to be infected by sjmurdoch · 2007-09-09 05:00 · Score: 3, Interesting

Actually, if you're using an unpatched browser, you might not even have to download the file they offer to be infected. The web page includes Javascript exploits for half a dozen security vulnerabilities, which will install the trojan without user interaction. I've posted an analysis of the malware code on my blog.

Despite what the article says, Storm isn't using Tor (other than trying to exploit it's reputation) and the download isn't a trojaned version of Tor – it's much too small to be that. What's more, the botnet operators appear to have dropped this strategy. While on Thursday the links in the spam went to a fake Tor download page, on Friday they showed a fake YouTube video, and now they show a fake NFL game tracker.

--
Steven Murdoch.
web: http://www.cl.cam.ac.uk/users/sjm217/
So would IPv6 actually fix this? by tjstork · 2007-09-09 06:15 · Score: 2, Interesting

I've read that IPv6, because it includes the MAC, could theoretically help this. But is that true? Could the MAC be spoofed? Or, could an ISP include coupling hardware that validates the MAC and the packet sent are the same? Theoretically, you could require that in network hardware manufacturing, so that a NIC Card would not be allowed to transmit a packet with an address that wasn't from it. But would that be enough?

Even if you weren't ideologically predisposed to sending in the SEALs to whack people for sending out spyware, you could at least block the source traffic and then gradually clean up the already infested machines or rob them of command and control without firing a shot.

I just get enraged by all of these attacks as, honestly, giving money to security people is a sort of a trampling of my job and freedom. The internet is reduced to, our "white warlords" versus their "black warlords", and I think this arrangement is total crap. I can't stand the world where we can't send EXE's as attachments and even images are suspect because I remember how cool the internet was when you could.

--
This is my sig.