Storm Worm Botnet Partitions May Be Up For Sale
Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."
Follow the money.
I'm not sure whether to be impressed, depressed, or both.
These things are getting so insidious and vast in scope, I'm honestly wondering if I can safely believe that any Windows machine I come across with problems ISN'T on Storm or one of the other botnets. At what point does having a multi-use computing device become more of a problem than the benefits it provides? If 90% of what you get for connecting to the Internet is problems, what's the point? Bile spewing bloggers, bought-and-paid news reports and total advertising awareness?
I remember when we proposed an anonymous P2P system for the anti-spam system "Okopipi" (successor of Blue Frog). We were criticized on the grounds that spammers would use that system to make P2P networks for DNS attacks.
One year later, spammers are ALREADY using a P2P system for such things, while nobody has the means to counter them.
The lesson: They got ahead of us. It's time we invest in countermeasures of our own, or succumb to the enemy. Because we're losing.
Botnets can be used to generate huge amounts of revenue. That revenue can purchase a lot of domains.
People are hijacking PCs and servers all over the globe and selling access to them to spammers and other shady characters. This is organized crime on a GLOBAL scale. Why the hell isn't Interpol or some large law enforcement body prepared to follow the money to the sources and burn them with it?
And if we don't have the REAL people to work on this, perhaps we should hire Hollywood to get the job done because it seems like the only real law enforcement that happens these days is in the movies or on TV.
It really only makes a difference if your domain's TTL is short before you need to make the change.
Simple answer, complex solution.
First, your firewall: useless (against Storm). One of the attack paths of Storm is to get YOU, the user, to visit an infected site, often by sending you an email. Unless your firewall somehow knows ALL infected sites and blocks them all (unlikely), the email will arrive, the site will be visited and the trojan loaded. You could set up a firewall that protects against this, but you don't have one, because if you did, you wouldn't have to ask, you would know. Firewalls only help against worm attacks, where an outside computer probes your network for weaknesses.

If you configure your firewall extremely rigidly and only allow known traffic through it, then malware on your network could be blinded, unable to connect to any command parts of the Storm network. It is possible to use, for instance, iptables (Linux) to inspect all packets going through it and simply drop unwanted traffic. Since Storm now apparently uses encrypted P2P (eDonkey) traffic, this shouldn't even be too hard. This would, however, result in a less user-friendly network. The only experience I have was in a setup that ONLY wanted regular HTTP traffic, and this meant a LOT of stuff failed, even web traffic, because not all web applications create proper headers. (I wonder what the recent MS stealth update means for Windows: did this traffic pass unseen through software firewalls?)
Then your AV software. Forget about it, Storm mutates itself. Since AV software mostly works with signatures, it can never be up to date enough. I read a report that it changes every half hour. How the hell are you going to keep your signature data that up to date?
Windows patches. They aren't up to date, thanks to MS's dreaded Patch Tuesday. This means that a security hole can EASILY be unpatched for weeks. Considering this is MS we are talking about, in practice it is far longer. You will be the target of exploits MS does not know about yet, won't develop a patch for for months, that they will delay for weeks to deploy and for which the AV companies do not have a signature.
Anyway, the most recent big security hole involves PDFs, that is Adobe, nothing to do with MS. You have to be up to date on EVERYTHING. That includes EVERY codec, every handler, EVERY single piece of code on your computer. Have an image browser installed? Are you sure that not a single one of the image codecs it uses has a flaw? If you update one image browser, are you sure that not one single program on your computer still uses an old library that is still vulnerable? Remember, if a Storm attack only infects a fraction of a percent of computers, they still get hundreds of thousands of machines.
START TO GET THE PICTURE?
Basically you are like a good soldier, who keeps his gun clean, doesn't screw with hookers and stays awake on guard, asking how well he stands up to an all-out nuclear war. YOU ARE TOAST, PRIVATE!
But there is hope: the most common form of infection is still through user interaction. YOU have to open the PDF, you have to execute the exe/scr/sh/dmg/whatever, you have to visit the link. The most powerful attack is social engineering: get that soldier in his invincible armour to pick up a grenade and eat it.
The really odd thing is that you do not even have to be paranoid to avoid it. Just don't click on things. If somebody sends you a story headline, visit the BBC site yourself. If somebody wants to send you pictures of some celeb flashing her aging bits, don't. There is plenty of fresh porn with nice looking girls out there (cheggit.net).
So what do you need to stay safe?
Mostly, your brain. Disable every bit of automation in software and instead let your brain do the thinking. NEVER just use automatic install (spyware) and never allow, for instance, Outlook to preload crap or preview stuff. Email is for text, not webpages. But mostly ask yourself WHO is sending me this, and WHY. One of the most amazing attacks I've seen was by sending a "joke" attachment to people in your address book. Here is a hint: I am Dutch. My brother I
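As an added example (not from the comment above, and not tooling from the Storm research the thread discusses), here is the kind of default-deny egress ruleset the comment describes, emitted in iptables-restore format by a shell function. The LAN range, resolver and mail relay addresses are assumed placeholders, and the eDonkey/Overnet default ports (4662/tcp, 4672/udp) are an assumption used only to label log lines: a bot peering on a random high port is still caught by the final deny rule, which is also why this policy never has to look inside the encrypted P2P traffic.

```shell
#!/bin/sh
# Added example: generate a default-deny egress ruleset for a Linux gateway.
# Generating the rules needs no privileges; applying them does:
#   storm_egress_rules 192.0.2.0/24 192.0.2.53 192.0.2.25 | iptables-restore
# Arguments (all assumed placeholders): LAN CIDR, internal DNS resolver, SMTP relay.

storm_egress_rules() {
    lan="$1"; resolver="$2"; relay="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:P2P_LOG - [0:0]
# Reply traffic for connections the gateway already allowed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Log, then drop, the eDonkey/Overnet default ports (assumed values) so that
# hosts trying to peer show up with a recognisable prefix in the kernel log.
-A P2P_LOG -m limit --limit 5/min -j LOG --log-prefix "p2p-egress: "
-A P2P_LOG -j DROP
-A FORWARD -s $lan -p tcp --dport 4662 -j P2P_LOG
-A FORWARD -s $lan -p udp --dport 4672 -j P2P_LOG
# The only traffic LAN hosts may originate: DNS to our resolver, mail via our relay, web.
-A FORWARD -s $lan -d $resolver -p udp --dport 53 -j ACCEPT
-A FORWARD -s $lan -d $resolver -p tcp --dport 53 -j ACCEPT
-A FORWARD -s $lan -d $relay -p tcp --dport 25 -j ACCEPT
-A FORWARD -s $lan -p tcp -m multiport --dports 80,443 -j ACCEPT
# Everything else a LAN host originates (random-port P2P, direct-to-MX spam) is logged and dropped.
-A FORWARD -s $lan -m limit --limit 5/min -j LOG --log-prefix "egress-denied: "
-A FORWARD -s $lan -j DROP
COMMIT
EOF
}

# Sanity check before loading: how many ACCEPT rules does the policy contain?
# For the ruleset above this is 9 (three conntrack, two loopback, four service rules).
storm_egress_accept_count() {
    storm_egress_rules "$@" | grep -c -- '-j ACCEPT$'
}
```

The "egress-denied:" log line is the useful by-product: a LAN host that keeps hitting it on ports you never allowed is a candidate for a wipe. Two caveats the comment itself implies: outbound 80/443 is still open, so this blinds a bot's P2P peering and direct-to-MX spam but does nothing about the email-lure infection path, and the gateway's own OUTPUT chain is default-deny too, so the box needs explicit rules for its own DNS and updates.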
There's only one way that there'll be enough public outcry to cause solutions to be generated. The spammers will have to overplay their hands hugely. (Think Al Qaeda in Iraq - things are turning around over there at the grassroots level, mainly because AQI was chopping off people's heads and serving roasted children on platters to parents, and the public outcry has been enormous.)
Everyone hates spam, but spam filtering techniques have progressed to the point where we're at an uneasy stalemate with spammers. Everyone hates DDoS attacks, but in truth, how many people have really been the victim of one, and how many companies with muscle are really vulnerable to a normal-sized one? What will have to happen is that some overambitious crook gets it in their head to attack a Google or a Level3 or an Amazon or a national military, and puts the muscle behind it to make it work. It'll take players of that sort of weight to induce ISPs to do what they should have been doing all this time - proactively detecting botnet traffic and suspending the account of any user, individual or corporation, participating in such botnets.
I suppose we could also black hole enough of the world that the botnet controllers are forced into the reach of countries with tough computer anticrime resources, where they can be put behind bars and well out of the reach of any keyboard. I'm just not quite sure the Russians will stand for that....
When a machine gets infected, the virus usually patches the system so that it owns it without the intervention of other malware. These guys, unfortunately, aren't stupid; sadly, an infected computer is probably more patched than most (not yet) infected boxes. After you steal something, you tend to defend it so that it remains in your possession.
This is the planet's largest ever privately controlled computer grid system. It is larger than Google in terms of machines, and by the nature of its design it is about unkillable. It was most likely started by one *really* smart guy, as in uber scary smart, sitting in front of one machine at a console prompt. Think about that in your condescending leetness. And "just big"? This is the world's first Lex Luthor scale hack, because it is controllable, and has several practical (to them) attributes. It's a plan that succeeded, not just random vandalism like some other big ones like Slammer. This is something the combined forces of all the other security gurus haven't been able to stop, or even get much of a handle on. It looks like to get rid of it, you would have to both identify and then simultaneously wipe/reformat every single infected machine *simultaneously*, and you say it isn't even all that inventive? Say what?
Storm infects between 1 and 50 million PCs;
What is the difference between that statement and "I have no idea how many, so I'll toss out scary numbers."
(hint: the second statement is honest)