Storm Worm Botnet Partitions May Be Up For Sale
Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."
Being the n00b that I am, I don't know what fast flux DNS is. I know what DNS is, and I know the meaning of fast... but flux to me is something you put on a pipe before you weld it. What does it mean in this context?
Follow the money.
From the article "Stewart, a reverse engineering guru who has been tracking Storm Worm closely" along with his stunning picture can only mean these spammers are TRULY being tracked diligently between his games of WOW and hourly five minute visits to the pr0n sites that these spammers are promoting themselves!
I'm not sure whether to be impressed, depressed, or both.
These things are getting so insidious and vast in scope, I'm honestly wondering if I can safely believe that any Windows machine I come across with problems ISN'T on Storm or one of the other botnets. At what point does having a multi-use computing device become more of a problem than the benefits it provides? If 90% of what you get for connecting to the Internet is problems, what's the point? Bile spewing bloggers, bought-and-paid news reports and total advertising awareness?
This slashvertising has reached a new low. ;)
http://twitter.com/onion2k
How long before Storm is better than the Internet?
It seems to be peer-2-peer, can host files, must be reliable (DNS and all that), encrypted traffic.
If you assume Internet is past its sell by date, what would the next generation network look like?
:-)
(OK, maybe it wouldn't be owned by the mafia (insert USA joke here))
Open source, flash charts
Windows has downloaded a new security update. Do you wish to install?
GetOuttaMySpace - The Anti-Social Network
Can I buy a partition of zombie PCs and use their processing power to crack the 40 bit key?
"Would you, could you, with a goat?" Dr Seuss
... can the partitions be formatted with ext2/3 or do we have to stick to NTFS?
I remember when we proposed an anonymous P2P system for the anti-spam system "Okopipi" (successor of Blue Frog). We were criticized by saying spammers would use that system to make P2P networks for DNS attacks.
One year later, spammers are ALREADY using a P2P system for such thing, while nobody has the means to counter them.
The lesson: They got ahead of us. It's time we invest in countermeasures of our own, or succumb to the enemy. Because, we're losing.
...and if there aren't, then why are reputable DNS servers allowing these super-fast changes to DNS records anyway? Certainly such trends can be easily detected and stopped dead in their tracks?
http://www.schneier.com/crypto-gram-0710.html#1
A good essay on the Storm Worm and how it works and how it can be prevented (or rather why it CAN'T be prevented in many cases).
One thing we can do? Everyone can just stop accepting mail from servers with short TTL and the fast-flux DNS model is no good to spammers.
Yes, it's inconvenient to some ("wah! but I run sendmail off my laptop on dial-up!" - Yeah, well, go back in time to 1993 and have yourself a ball...). Frankly, they can just get the hell over it and use one of a dozen other methods to send out mail or increase their TTL. Spam is way more inconvenient and it affects everyone.
This doesn't address other uses for these botnets, sure, but every little bit helps. Especially when some estimates now say that the amount of spam in mail traffic may be as high as 80%!
And while we're at it... everyone get their damned DNS records set up properly. OK? It's not an option to have matching PTR and A records, it's required by RFC 1912.
- I am made of meat.
And no, not a rash or anything of that crap :P
I don't leave my PCs at home on 24/7, and I am up to date with everything (AV, FW, Windows patches).
Could I still be infected?
Guns are for wimps... Use a crossbow.. this way you can pin them to their chair when you go postal.
I've not been actively following the Storm Worm Botnet stories, but I've picked up a few details which, on the surface, are downright frightening: Storm infects between 1 and 50 million PCs; it's more powerful than the world's supercomputers; dynamically evolves to avoid counteractions by security companies; and only uses 20% of its potential computing power at the moment.
These blurbs, if they're true, paint a bleak picture. Should the hackers leverage the network's full power, couldn't they shut down just about any server on earth? And imagine the bandwidth costs of this thing operating at full force.
So for those in the know, is Storm just a way to propagate spam and annoy people? Or is it something even more dangerous?
It's about time we start calling it Skynet
With Great Power Comes No Love Life! - Samit Basu
Sure there are legitimate reasons to do this - one of them is cheap datacenter fail-over. If I have web servers colocated in two different datacenters with two different ISPs, and one of them goes down, I can change the TTL on my DNS records to, say 30 seconds, and point all the addresses to the other location. The short short TTL will cause global DNS to be updated much more quickly than normal, and my web site's traffic won't dead-end.
On the other hand, I definitely see ISPs that don't respect DNS TTLs anyway.
Causation can cause correlation
What amazed me about this article is how unsure it is of everything. "Appears that" and "may be" keep coming up. If things are that unsure, how can the potential customers of this segmented spamnet know that there is a service for sale? Wouldn't any marketing that these bot-admins do also be picked up by the white hat guys? I'm confused.
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
Since Storm is probably run by a single person, or a single group, how have they managed to avoid getting caught? Especially if they start making money on it, it should be possible to track them that way.
Presumably, the result of this and further partitioning will be Internet 3.
Step 1: Rent botnet.
Step 2: Have each 'rented' computer run update, anti-virus, anti-malware...
Step 3: Profit! Ok, no profit, but maybe you get to enjoy reduced amounts of spam.
Repeat until bored.
The next time you have to clean up after one of these messes, you might consider how much cheaper it is to use their tactics against them, and put them out of business.
If they are located in a country with lax laws or that is reluctant to support international efforts to shut them down, it could be difficult. There was an article posted just yesterday I believe about the Russian Business Network; they solely exist to promote and host illegal activities, yet the Russian government, due to its laws, has no power to shut them down.
I could see this spun many ways, in the US it is illegal to "make available" as with all the RIAA cases, but that is seemingly not the issue in Russia as the RBN "makes available" so-called "bulletproof hosting" for criminal organizations. So perhaps the owner(s) of Storm are saying "Hey, we're making available some raw processing power, who wants to buy?"
It could be that the only purpose of your life is to serve as a warning to others.
People are hijacking PCs and servers all over the globe and selling access to them to spammers and other shady characters. This is an organized crime of GLOBAL scale. Why the hell isn't Interpol or some large law enforcement body prepared to follow the money to the sources and burn them with it?
And if we don't have the REAL people to work on this, perhaps we should hire Hollywood to get the job done because it seems like the only real law enforcement that happens these days is in the movies or on TV.
First things first, IANAE (I am not an expert)
I've recently read some stories about this botnet. From what I've gathered it's powerful enough to do some serious damage in a society. Cyber attacks can disrupt our lives in multiple ways after all.
Imo we're just lucky so far that it hasn't been used for some serious attack on money/bank agencies, public transport, etc etc, stuff close to us and vital for average day life. (or am I just being too paranoid now?)
The hosts that are infected will most likely be badly maintained boxes, unattended, never updated. Wouldn't it be possible to write a counterworm/trojan that would delete the bot software and close the holes?
I realise the ethical issues involved here. A Trojan like this would basically be just as "bad" as the botnet itself, on the other hand it would be for the greater good.
Has anyone ever attempted this? If not, what if someone did? Would you be pissed off if one of your forgotten and infected boxes would be cleaned this way?
Just being curious..
Life starts at the end of your comfort zone.
Small = harder to find unless you are a '133t' programmer bragging about how good you are.
You want to keep a secret you tell NO ONE, you don't go spreading it around.
The real way to kill storm is to basically start having interpol treat it like drug trafficking, getting real cooperation, fairly quickly, instead of just ignoring it as not important.
You have cops not investigate one crime then guess what happens - the criminals FLOURISH.
You start having cops investigate and arrest people, then it works. Yeah, you have to wait till they move the crime from cyber to real life (i.e. ask for money) but it can be done.
excitingthingstodo.blogspot.com
Where's their online store and to which paypal address do I send the funds?
These two statements pretty much contradict each other. Who are you going to get to cooperate if it's a single individual, or small, well insulated group?
What part of "shall not be infringed" is so hard to understand?
... look at the first four words of the title and think the editors strung four random words together?
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Not Skynet! A better sci-fi reference is "The Replicators" from SG, LOL!
Ok, but I think the original poster's argument is, the DNS servers that normal consumers connect to (ie. supplied by DHCP when connecting to your ISP) shouldn't normally be receiving lots of responses with very short TTLs.
Is this another one of those things an ISP *could* do to help control this scourge? Could they reject all DNS responses with a TTL below some threshold, even if it's 29 seconds, and not break legitimate access? Or keep those responses in the cache and flag/reject follow-on responses if the IP changes too frequently, perhaps...
And if you're one of those setting your TTLs to 30 seconds to facilitate datacenter failover, first, you're increasing the load on the ISP's DNS servers, so they have a legitimate gripe for you using shorter-than-recommended TTLs. Get yourself a real failover system, cheapskate! Plus, if they still wanted to be nice, they could do some research and whitelist those FQDNs with short TTLs that don't fast flux.
Granted, these ideas mean changes to the DNS server behavior, but that's just software. Someone at one of the ISPs needs to research this, run some tests, and submit updates to their DNS server supplier.
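The resolver-side heuristic this comment and the earlier "stop accepting mail from servers with short TTL" comment are asking for, as an added Python example (not code from the thread or from any ISP or DNS vendor): a tracker keeps a short history of A records per name and separates names that merely use a short TTL (the datacenter failover case, which the comment above suggests whitelisting) from names whose addresses actually churn. The thresholds, the sample observations and the names `flux.example`, `failover.example` and `normal.example` are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Assumed thresholds (illustrative choices, not values from the thread).
SHORT_TTL_SECONDS = 300      # TTLs under five minutes count as "short"
WINDOW_SECONDS = 3600        # look back one hour when counting addresses
MAX_DISTINCT_IPS = 5         # more distinct A records than this in the window is flux-like

# Constructed observations of (timestamp, name, ttl, ip) as a caching resolver would see them.
OBSERVATIONS = (
    # a flux-style name: tiny TTL and a fresh address every five minutes
    [(i * 300, "flux.example", 60, f"203.0.113.{i + 1}") for i in range(10)]
    # a legitimate failover setup: tiny TTL, but the address moves only once
    + [(0, "failover.example", 30, "198.51.100.10"),
       (1800, "failover.example", 30, "198.51.100.10"),
       (2700, "failover.example", 30, "198.51.100.20")]
    # an ordinary name with a one-hour TTL and a stable address
    + [(0, "normal.example", 3600, "192.0.2.5"),
       (3600, "normal.example", 3600, "192.0.2.5")]
)


class FluxTracker:
    """Per-name history of observed A records, with a simple flux classifier."""

    def __init__(self):
        self.history = defaultdict(list)   # name -> [(timestamp, ttl, ip), ...]

    def observe(self, timestamp, name, ttl, ip):
        self.history[name].append((timestamp, ttl, ip))

    def _recent(self, name, now):
        cutoff = now - WINDOW_SECONDS
        return [rec for rec in self.history[name] if rec[0] >= cutoff]

    def latest_ttl(self, name):
        return self.history[name][-1][1] if self.history[name] else None

    def distinct_ips(self, name, now):
        return len({ip for _, _, ip in self._recent(name, now)})

    def classify(self, name, now):
        """'normal' (long TTL), 'short-ttl-stable' (short TTL, few addresses) or 'fast-flux'."""
        ttl = self.latest_ttl(name)
        if ttl is None or ttl >= SHORT_TTL_SECONDS:
            return "normal"
        if self.distinct_ips(name, now) > MAX_DISTINCT_IPS:
            return "fast-flux"
        return "short-ttl-stable"


def build_tracker(observations=OBSERVATIONS):
    tracker = FluxTracker()
    for timestamp, name, ttl, ip in sorted(observations):
        tracker.observe(timestamp, name, ttl, ip)
    return tracker


def mail_policy(tracker, sender_domain, now, strict=False):
    """strict=True is the blunt 'refuse every short-TTL sender' rule; the default
    only refuses names that are actually fluxing, i.e. the whitelisting variant."""
    verdict = tracker.classify(sender_domain, now)
    if verdict == "fast-flux" or (strict and verdict == "short-ttl-stable"):
        return "reject"
    return "accept"


if __name__ == "__main__":
    tracker = build_tracker()
    for name in ("flux.example", "failover.example", "normal.example"):
        print(f"{name:18} ttl={tracker.latest_ttl(name):5} "
              f"ips={tracker.distinct_ips(name, 3600):2} -> {tracker.classify(name, 3600)}")
```

The window and address-count thresholds are what an ISP would have to tune from its own traffic; with the constructed data the failover name ends up accepted under the default policy and rejected only under the strict one, which is exactly the trade-off the two comments disagree about.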
Think about it, each machine in the network needs to talk to the other machines. The key has to be stored somewhere on the machine.
Not quite correct. Each machine in the network needs to be able to relay messages to the other machines; it therefore only needs the Public Key half, to verify that the messages it receives should be obeyed and/or passed along further (or simply dropped on the floor). The Private Key need only reside in the hands of the owner; in theory (if they're Diabolical), it could be kept on a high-end calculator, and the encrypted instructions only put onto the internet by 10-finger interface.
ortva 644 RIVY.GKG
Z22=-($R.(%52($R.5$523Q546@U@2$%+24K@55(@6Q]-0QR%6@U@("!.3GG@
(3Q]-($L/30V2
`
raq
Tedious, but possible. Can I haz Patent now?
//Information does not want to be free; it wants to breed.
...Because I use a Mac.
The partition you just purchased is on your own hard drive.
Say hello to my little sig.
It really only makes a difference if your domain's TTL is short before you need to make the change.
The real "Libtards" are the Libertarians!
to seti@home :]
The updates are part of the Slashdot tenth anniversary auction. In addition to the @slashdot.org address and low user id, CmdrTaco has also gotten the operators of the Storm Worm Botnet to auction its use off as part of the charity action.
Some potential uses for the winning bidder:
"Get yourself a real failover system, cheapskate!"
Amen.
- I am made of meat.
Simple answer, complex solution.
First, your firewall: useless (against Storm). One of the attack paths of Storm is to get YOU, the user, to visit an infected site, often by sending you an email. Unless your firewall somehow knows ALL infected sites and blocks them all (unlikely), the email will arrive, and the site will be visited and the trojan loaded. You could set up a firewall that protects against this, but you don't have one, because if you did, you wouldn't have to ask, you would know. Firewalls only help against worm attacks, where an outside computer probes your network for weaknesses. IF you configure your firewall extremely rigidly and only allow known traffic through it, then malware on your network could be blinded, unable to connect to any command parts of the Storm network. It is possible to use, for instance, iptables (Linux) to inspect all packets going through it and simply drop unwanted traffic. Since Storm now apparently uses encrypted P2P (eDonkey) traffic this shouldn't even be too hard. This would however result in a less user-friendly network. The only experience I got was in a setup that ONLY wanted regular HTTP traffic, and this meant a LOT of stuff failed, even web traffic, because not all web applications create proper headers. (I wonder what the recent MS stealth update means for Windows: did this traffic pass unseen through software firewalls?)
Then your AV software. Forget about it, Storm mutates itself. Since AV software mostly works with signatures, it can never be up to date enough. I read a report that it changes every half hour. How the hell are you going to keep your signature data that up to date?
Windows patches. They ain't up to date thanks to MS's dreaded patch Tuesday. This means that a security hole can EASILY be unpatched for weeks. Considering this is MS we are talking about, in practice it is far longer. You will be the target of exploits MS does not know about yet, won't develop a patch for for months, that they will delay for weeks to deploy and for which the AV companies do not have a signature.
Anyway the most recent big security hole involves PDFs, that is Adobe, nothing to do with MS. You have to be up to date on EVERYTHING. That includes EVERY codec, every handler, EVERY single piece of code on your computer. Have an image browser installed? Are you sure that not a single one of the image codecs it uses has a flaw? If you update one image browser are you sure that not one single program on your computer still uses an old library that is still vulnerable? Remember, if a Storm attack only infects a fraction of a percentage of computers, they still get hundreds of thousands of machines.
START TO GET THE PICTURE?
Basically you are like a good soldier, who keeps his gun clean, doesn't screw with hookers and stays awake on guard, asking how well he stands up to an all-out nuclear war. YOU ARE TOAST, PRIVATE!
But there is hope: the most common form of infection is still through user interaction. YOU have to open the PDF, you have to execute the exe/scr/sh/dmg/whatever, you have to visit the link. The most powerful attack is social engineering, getting that soldier in his invincible armour to pick up a grenade and eat it.
The really odd thing is that you do not even have to be paranoid to avoid it. Just don't click on things. IF somebody sends you a story headline, visit the BBC site yourself. If somebody wants to send you pictures of some celeb flashing her aging bits, don't. There is plenty of fresh porn with nice looking girls out there (cheggit.net).
So what do you need to stay safe?
Mostly, your brain. Disable every bit of automation in software and instead let your brain do the thinking. NEVER just use automatic install (spyware) and never allow, for instance, Outlook to preload crap or preview stuff. Email is for text, not webpages. But mostly ask yourself WHO is sending me this, and WHY. One of the most amazing attacks I've seen was by sending a "joke" attachment to people in your address book. Here is a hint, I am Dutch. My brother I
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I don't think it's at all reasonable to say that everyone should be stuck with ISP email only just to help clean up spam. For me personally the value of being able to contact a POP or IMAP server of my choosing does outweigh negatives of spam.
Where's that checklist...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Actually you'll have to change the TTL prior to failing over. So if you use it for active fail-over and not for scheduled maintenance, the other nameservers will be using your 'old' TTL. A common mistake by cheap webhosters.
The other issue is that TTL is a suggested time for keeping your records alive. The other (caching) nameserver can choose to ignore it (to circumvent stuff like this botnet or just to keep its own load down), or if it can't reach your nameservers after that TTL you specified it will just wait until the next cycle (2*TTL) or until your Maximum TTL (there is another record for that) has been exceeded, which means it will not give any results anymore if it can't contact the nameservers. There are also caching nameservers that set up a minimum TTL which overrides your recommended TTL and maximum TTL.
Custom electronics and digital signage for your business: www.evcircuits.com
Does it run Linux?
There's only one way that there'll be enough public outcry to cause solutions to be generated. The spammers will have to overplay their hands hugely. (Think Al Qaeda in Iraq - things are turning around over there at the grassroots level, mainly because AQI was chopping off people's heads and serving roasted children on platters to parents, and the public outcry has been enormous.)
Everyone hates spam, but spam filtering techniques have progressed to the point where we're at an uneasy stalemate with spammers. Everyone hates DDoS attacks, but in truth, how many people have really been the victim of one, and how many companies with muscle are really vulnerable to a normal-sized one? What will have to happen is that some overambitious crook gets it in their head to attack a Google or a Level3 or an Amazon or a national military, and puts the muscle behind it to make it work. It'll take players of that sort of weight to induce ISPs to do what they should have been doing all this time - proactively detecting botnet traffic and suspending the account of any user, individual or corporation, participating in such botnets.
I suppose we could also black hole enough of the world that the botnet controllers are forced into the reach of countries with tough computer anticrime resources, where they can be put behind bars and well out of the reach of any keyboard. I'm just not quite sure the Russians will stand for that....
I'm sorry, I'm probably sounding completely lame to those more firm in cryptography, but I have to ask:
:-)
:-)
What would it take to attack the 40 byte key? Imagine a coordinated effort by the biggest 500 government computing setups around the world. All the Blue Genes and whatnot pitching in. The Japanese sure have the one or other state-of-the-art mainframe supercomputer, and CERN, ESA, NASA and a few German weather services have a few as well. There is tons of horsepower lying around idle at agencies, bureaus and the occasional school or corporation. If they all pitch in in a coordinated brute force attack *and* have Seti@Home do a few hours too it should be possible, no? Especially if one takes into account that at least the NSA has mathematical functions that do some of the dirty work and speed up the process a little. They wouldn't even have to publish them.
Wait, let's just check:
255 to the power of 40 is roughly 1.8 times 10 to the power of 96 (Gulp!). That's nearly a googol. (10^100, what Google initially was supposed to be called; the guy registering the domain mixed up the letters...)
Whatever.
On it goes: For the sake of ease I'll roughly estimate that after the overhead has been dealt with, half of the top 500 (or a similar setup) will be doing optimized attacks at an average of 50 billion tries per second. An average state-of-the-art mid-range server has approx. 20 GigaFLOPS, so I think that's fairly realistic for a large mainframe doing a multi-step operation.
250 * 50 000 000 000 = 1.25*10^13 tries per second.
*60*60*24 makes 1.08*10^18 per day. [Sidenote: This may be way off whack already and total bollocks but it's fun actually]
*7*52*5 makes 1.96*10^21. Oh, gee. This doesn't look too good. We're at it for 5 years and have only covered less than the fourth root of our total amount of keys. Even if we had 10 times the power it would make up only 1 percent of the keyspace. Sheesh. We'll probably be cheaper off handing out Linux PCs to everyone on the planet.
It's no use. I gotta start working on my next project: Finding an explicit function for prime numbers. Hehehe. I could use the Million from the Fields Medal too.
Bottom line: My question/assumption was lame. But at least I found out myself.
We suffer more in our imagination than in reality. - Seneca
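The brute-force estimate in the comment above, carried through in Python as an added example (not the poster's own code). A 40-byte key has 256^40 = 2^320 possible values (the comment's 255^40 is a close approximation), and the defaults for the trial rate are the comment's own assumptions: 250 machines at 50 billion tries per second each. The example generalizes slightly beyond the comment by also reporting the largest key size, in bits, that a given budget could exhaust, which is the number a defender actually wants when judging whether a key length is brute-forceable.

```python
import math

KEY_BYTES = 40                       # key length reported for Storm's P2P traffic
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(key_bytes=KEY_BYTES):
    """Number of distinct keys of the given length in bytes (exact integer)."""
    return 256 ** key_bytes


def keyspace_bits(key_bytes=KEY_BYTES):
    return 8 * key_bytes


def trials_per_second(machines=250, per_machine=50_000_000_000):
    """Aggregate trial rate; defaults restate the comment's assumed budget."""
    return machines * per_machine


def keys_tried(rate, years):
    """Total keys tested after `years` at `rate` trials per second."""
    return rate * years * SECONDS_PER_YEAR


def fraction_searched(rate, years, key_bytes=KEY_BYTES):
    """Share of the keyspace covered by that budget."""
    return keys_tried(rate, years) / keyspace(key_bytes)


def expected_years(rate, key_bytes=KEY_BYTES):
    """Expected time to hit the right key: on average half the keyspace is tried."""
    return keyspace(key_bytes) / 2 / rate / SECONDS_PER_YEAR


def bits_coverable(rate, years):
    """Largest key size, in bits, that the budget could exhaust completely."""
    return math.floor(math.log2(keys_tried(rate, years)))


if __name__ == "__main__":
    rate = trials_per_second()
    print(f"keyspace: 2^{keyspace_bits()} ~= {keyspace():.2e} keys")
    print(f"budget: {rate:.2e} tries/s, {keys_tried(rate, 5):.2e} keys in 5 years")
    print(f"fraction searched in 5 years: {fraction_searched(rate, 5):.1e}")
    print(f"expected time to success: {expected_years(rate):.1e} years")
    print(f"that budget could exhaust at most a {bits_coverable(rate, 5)}-bit key")
```

With the comment's numbers the five-year budget covers about 2^70 keys, so the comparison that matters is 70 bits against 320; the bits_coverable figure makes it obvious that no plausible increase in hardware closes that gap, and that the practical route to the key is the one another comment in the thread points at: it has to be stored on every infected node.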
When a machine gets infected, the virus usually patches the system so that it owns it without the intervention of other malware. These guys, unfortunately, aren't stupid; sadly, an infected computer is probably more patched than most (not yet) infected boxes. After you steal something, you tend to defend it so that it remains in your possession.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
As horrible as it is, I can't help but find this really neat. Captivating. I hate it, but I love watching what it can do.
insight through the mind
This is the planet's largest ever privately controlled computer grid system. It is larger than Google in terms of machines, and by the nature of its design it is about unkillable. It was most likely started by one *really* smart guy, as in uber scary smart, sitting in front of one machine at a console prompt. Think about that in your condescending leetness. And "just big"? This is the world's first Lex Luthor scale hack, because it is controllable, and has several practical (to them) attributes. It's a plan that succeeded, not just random vandalism like some other big ones like Slammer. This is something the combined forces of all the other security gurus haven't been able to stop, or even get much of a handle on. It looks like to get rid of it, you would have to both identify and then simultaneously wipe/reformat every single infected machine *simultaneously*, and you say it isn't even all that inventive? Say what?
Having a short TTL is perfectly legitimate, and in a failover, you'll change a lot of records fast, but that's not something you'll be doing every 5 minutes. It's also fairly common to set a small TTL just before switching to a new server.
Then, as you say, there's those lame ISPs that seem to hold on to expired RRs for 5 days.
Below are URLs related to this topic... http://www.pro-networks.org/forum/story98907.html SecureWorks researcher Joe Stewart has seen evidence that the massive Storm Worm botnet is being broken up into smaller networks, a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. Stewart, a reverse engineering guru who has been tracking Storm Worm closely, says the latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic. "This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities," Stewart said in an e-mail message. "If that's the case, we might see a lot more of Storm in the future," he warned. The malware attacks behind this botnet have been relentless all year, using a wide range of clever social engineering lures to trick Windows users into downloading executable files with rootkit components.
Fast Flux works by rapidly changing the DNS server(s) for a domain, but higher level DNS servers are needed to propagate the changes. There needs to be a procedure by which offending domains could have their NS glue records removed at the top level - a kind of "take down" order that could be obtained if proof can be shown that a domain name is used to run a Fast Flux botnet.
It is surprising that it took the botnet people so long to discover public-key cryptography and signing.
You don't even need to encrypt the traffic! Sign the messages and the bots obey. Obviously only the controller would have the private key, and all bots can have that key in addition to the key for their segment. Encrypting would make it harder to track/discover the network however.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Assuming that it isn't a government itself in charge of the network. That would be one hell of an intelligence gathering network, not to mention the processing power and extreme survivability.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
1) they have a bigger, badder upgrade ready
2) need cash badly
3) ???
What other possibilities? They are doubtless getting a good cash flow from it already. Are the anti-botnet stratagems so effective they're selling out while the price is high?
If #1 is correct, do we have any clue what it will be? Are they splitting the botnet as a defensive measure before they roll the "upgrade?"
I think the question you were looking for was:
Does it Run on GNU+Linux?
With all the high profile of this worm it seems like it is a good way to set up your own VPN, especially if you can then rent half the botnet to attack the other half.
www.tdobson.net #### Dare to Dream #### blog.tdobson.net