Slashdot Mirror


Storm Worm Evolves To Use Tor

An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attack, using spam to try and convince users of the necessity of using Tor for their communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on the or-talk mailing list which has some samples of the messages."

6 of 182 comments

  1. Are we late to the party? by Jennifer York · Score: 5, Interesting
    I'm surprised that it took this long for them to try to hide their tracks through anonymizers. Perhaps they've been doing this for quite some time, and just now are we catching on to the technique...

    It just makes sense, and is obvious, and a natural progression of the technology..... Hey! Maybe I should write a patent!

    1. Re:Are we late to the party? by rucs_hack · Score: 3, Interesting

      If you look at sites like gamecopyworld.com you will find a wealth of programs that people will download for legitimate (in the consumer's mind) use, to mean they can keep their game DVDs in their boxes. Add 'trainers' and 'fun free games' to the list and you're looking at the majority of casual downloads not directly involving pron or media.

      The main problem though is closed source. If source is closed, then there is no easy way to find malicious code before it is deployed on your system. Ok, I'm speaking as a programmer, so that would be useful for me, not a non-coder. Still, the point remains, binary distribution only means trouble, be it Storm, a Sony rootkit, or just 'phone home' code in a program.

      What we need is something sort of like Gentoo, where all programs are compiled locally, and the code can be inspected for malicious intent. Alas such technology, while it does exist, does not exist in a form that could be disseminated and used by people with no technological background. This is a pipe dream for the moment, I know this. Especially since I tried once to compile OpenOffice locally (18 hours I think). Perhaps trusted compile farms that deliver fresh binaries?

      Waxing lyrical I know, but there has to be an answer somewhere.

  2. Comment removed by account_deleted · Score: 4, Interesting

    Comment removed based on user account deletion

  3. Who is behind the Storm Botnet? by kryptkpr · Score: 5, Interesting
    There is an excellent article in Wired from several weeks ago from when Storm was used to DDoS the entire country of Estonia for 2 weeks. A fantastic read, but here's a particularly scary excerpt: Hackers Take Down the Most Wired Country in Europe

    If that is the case -- if Azizov isn't trying to cloud the issue -- the implication is perhaps more troubling. It suggests that there is a group of Russian hackers who, on their own, can disrupt the routine functioning of commerce, media, and government any time they want. If so, these hackers represent a stateless power -- a sort of private militia.

    While the article does contain a lot of speculation and sketchy sources (like the above quoted Azizov) the evidence does seem to be pointing in a particular direction:

    I ask him why anyone would trust him. After all, he seems to have a suspiciously intimate knowledge of the Estonian attacks. "Russian IT specialists are knowledgeable and experienced enough to destroy the key servers of whole states," he says. "They're the best in the world."

    The implication: Clearly you want them on your side, so why not hire them? Maybe Estonia was simply an advertising campaign.

    It's starting to look an awful lot like another Cold War is coming, except this time it will be a Cyber war waged by turning your enemy's (and the rest of the world's) poorly secured computers against their critical infrastructure while the actual government absolves itself of blame. Nice.
    --
    DJ kRYPT's Free MP3s!
  4. Re:Who are the stormbot people? by Anonymous Coward · Score: 5, Interesting

    "Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators."

    Theoretically "yes". But in practice the answer is "no".

    The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers. And they can tripwire their nodes so that after 30 minutes of use as a bouncer, the hard disks are overwritten with 0's (although in most cases this isn't required as IP addresses wouldn't be stored anyway).

    A chain of 20 hacked computers spanning the globe operating as routers is not easy to trace. You have to talk to each owner in the chain one-by-one and catch the bounced connection in real time to reveal the IP for the next node in the chain. And the attackers can obfuscate their presence by programming their bots to simulate these proxy connections at random. Imagine having to trace through 100,000 chains, each containing 20-30 routing nodes. These chains are completely dynamic and randomly change every half an hour.

    The Storm botnet is almost the "perfect hack" unless the perpetrators make some big mistakes. If the owners of this botnet installed Freenet on all the bots, we'd have an unenforceable darknet which can only be blocked (maybe! - if you're really lucky) at the ISP. Anyone could tap into this new darknet and do as much internet crime as they like without ever having to worry about getting caught.
  5. You don't have to download the file to be infected by sjmurdoch · Score: 3, Interesting

    Actually, if you're using an unpatched browser, you might not even have to download the file they offer to be infected. The web page includes JavaScript exploits for half a dozen security vulnerabilities, which will install the trojan without user interaction. I've posted an analysis of the malware code on my blog.

    Despite what the article says, Storm isn't using Tor (other than trying to exploit its reputation) and the download isn't a trojaned version of Tor – it's much too small to be that. What's more, the botnet operators appear to have dropped this strategy. While on Thursday the links in the spam went to a fake Tor download page, on Friday they showed a fake YouTube video, and now they show a fake NFL game tracker.

    --
    Steven Murdoch.
    web: http://www.cl.cam.ac.uk/users/sjm217/