Slashdot Mirror
Storm Worm Botnet Partitions May Be Up For Sale
Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."
It means the spammers register a bunch of domain names to spam in their emails, and rotate the zombie PC IP they're pointing to every few minutes. Makes it harder to shut down.
This slashvertising has reached a new low. ;)
http://twitter.com/onion2k
How long before Storm is better than the Internet?
It seems to be peer-2-peer, can host files, must be reliable (DNS and all that), encrypted traffic.
If you assume Internet is past its sell by date, what would the next generation network look like?
:-)
(OK, maybe it wouldn't be owned by the mafia (insert USA joke here))
Open source, flash charts
Windows has downloaded a new security update. Do you wish to install?
GetOuttaMySpace - The Anti-Social Network
Basically, you set your records to expire in a very, very short time, and constantly change the DNS servers, as well as the records. This makes it very hard to shut down the DNS, since its always moving and changing. I guess a good way to picture it is if at google, every single one of their 1M servers was changing. IE, every 5 seconds, a different machine was the dns server for "Google.com" and the www address changed to a different computer. Then, try to figure out which machine was misbehaving, and displaying the wrong data. It would be difficult.
What are we going to do tonight Brain?
Can I buy a partition of zombie PC's and use their processing power to crack the 40 bit key?
"Would you, could you, with a goat?" Dr Seuss
... can the partitions be formated with ext2/3 or do have we stick to NTFS?
I remember when we proposed an anonymous P2P system for the anti-spam system "Okopipi" (successor of Blue Frog). We were criticized by saying spammers would use that system to make P2P networks for DNS attacks.
One year later, spammers are ALREADY using a P2P system for such thing, while nobody has the means to counter them.
The lesson: They got ahead of us. It's time we invest in countermeasures of our own, or succumb to the enemy. Because, we're losing.
Perhaps it utilizes a flux capacitor - and can thus do single OR double, depending on requirements of the moment? ;-)
.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
http://www.schneier.com/crypto-gram-0710.html#1
A good essay on the Storm Worm and how it works and how it can be prevented (or rather why it CAN'T be prevented in many cases).
I've not been actively following the Storm Worm Botnet stories, but I've picked up a few details which, on the surface, are downright frightening: Storm infects between 1 and 50 million PCs; it's more powerful than the world's supercomputers; dynamically evolves to avoid counteractions by security companies; and only uses 20% of its potential computing power at the moment.
These blurbs, if they're true, paint a bleak picture. Should the hackers leverage the network's full power, couldn't they shut down just about any server on earth? And imagine the bandwidth costs of this thing operating at full force.
So for those in the know, is Storm just a way to propagate spam and annoy people? Or is it something even more dangerous?
It's about time we start calling it Skynet
With Great Power Comes No Love Life! - Samit Basu
Here's a small and possibly unrepresentative datapoint from last weekend that would tend to suggest there are a lot of infected PCs out there, some of them with Storm. Basically, 2 of 3 PCs scanned had backdoor trojans and I didn't have time to debug the third PC enough to scan it.
.EXE), ran out of time to debug this so did not install Webroot or any other tools. Also had AVG antivirus, which was up to date, and no anti-spyware. Presumed infected.
I spyware scanned three PCs belonging to two friends/family households. Naturally, they were all Windows. I used Webroot Spysweeper which is pretty good but costs, and Kaspersky online scan, which is good but slow, and virus only.
- PC 1: infected with various spyware and a backdoor trojan (remote access by the bad guys) - had an up to date antivirus (AVG) that didn't spot any of this, but no anti-spyware installed.
- PC 2 (same network as 1): couldn't even install new software (error on running any new
- PC 3: (2nd household) - infected with a different backdoor trojan and several viruses. Had Norton anti-virus that had not updated since 2004.
I would assume the average Windows PC has a high chance of some sort of infection, unless the users are very careful about installing third party software, some of which carries spyware or worse, and clicking on links in IE. Even Firefox had spyware on one of these machines.
Windows PCs run by power users (not the users here) can be somewhat secure, but it's painful to make them so. One colleague who's very techie still got infected by a PDF security hole recently, so you need Secunia PSI to run continuously, as well as monitoring some security blogs, and updating software regularly, as well as using a good anti-spyware tool, not using IE/Outlook, etc etc. However, once you are making this much effort, the work needed to install Ubuntu becomes much less of a hurdle - you might as well just switch over one PC so you have a safe PC for online shopping/banking etc.
The only good thing about this story is that nothing very important was being done on these PCs - little online shopping and no online banking... however, that's the users' self-reported status and they may well not want to admit they are at risk.
I don't do this for a living, I'm just a Windows and Linux user who wondered why there were so many popups on one of these PCs and ended up getting sucked into this when I should have been socialising - fortunately anti-spyware scans can run during dinner...
It really only makes a difference if your domain's TTL is short before you need to make the change.
The real "Libtards" are the Libertarians!
The updates are part of the Slashdot tenth anniversary auction. In addition to the @slashdot.org address and low user id, CmdrTaco has also gotten the operators of the Storm Worm Botnet to auction its use off as part of the charity action.
Some potential uses for the winning bidder:
Simple answer, complex solution.
First your firewall, useless (against storm). One of the attack paths of storm is to get YOU the user to visit an infected site, often by sending you an email. Unless your firewall somehow knows ALL infected sites and blocks them all (unlikely) the email will arrive, and the site will be visited and the trojan loaded. You could setup a firewall that protects against this, but you don't have one, because if you did, you wouldn't have to ask, you would know. Firewalls only help against worm attacks, were an outside computer probes your network for weaknesses. IF you configure your firewall extremely rigidly and only allow known traffic through it, then malware on your network could be blinded, unable to connect to any command parts of the storm network. It is possible to use for instance iptables (linux) to inspect all packages going through it and simply drop unwanted traffic. Since storm now apparently uses encrypted p2p(edonkey) traffic this shouldn't even be too hard. This would however result in a less userfriendly network. The only experience I got was in a setup that ONLY wanted regular HTTP traffic, and this meant a LOT of stuff failed, even web traffic because not all web application create proper headers. (I wonder what the recent MS stealth update means for windows, did this traffic pass unseen through software firewalls?)
Then your AV software. Forget about it, storm mutates itself. Since AV software mostly works with signatures, it can never be uptodate enough. I read a report that it changes every half hour. How the hell are you going to keep your signature data that uptodate?
Windows patches. They ain't uptodate thanks to MS dreaded patch tuesday. THis means that a security hole can EASILY be unpatched for weeks. COnsidering this is MS we are talking about, practice is far longer. You will be the target of exploits MS does not know about yet, won't develop a patch for for months, that they will delay for weeks to deploy and for which the AV companies do not have signature.
Anyway the most recent big security hole involves PDF's, that is Adobe, nothing to do with MS. You have to be uptodate on EVERYTHING. That includes EVERY codec, every handler EVERY single piece of code on your computer. Have an image browser installed? Are you sure that not a single on of the image codecs it uses has a flaw? If you update one image browser are you sure that not one single program on your computer still uses an old library that is still vulnerable? Remember, if a storm attack only infects a fraction of a percentage of computers, they still got hundreds of thousands of machines.
START TO GET THE PICTURE?
Basically you are like a good soldier, who keeps his gun clean, doesn't screw with hookers and stays awake on guard asking how well he standsup to a full out nuclear war. YOU ARE TOAST PRIVATE!
But there is hope, the most common form of infection is still through user interaction. YOU have to open the PDF, you have to execute the exe/scr/sh/dmg/whatever, you have to visit the link. The most powerfull attack is social engineering, get that soldier in his invincible armour to pickup a grenade and eat it.
The really odd thing is that you do not even have to be paranoid to avoid it. Just don't click on things. IF somebody sends you a story headline, visit the BBC site yourselve. If somebody wants to send you pictures of some celeb flashing her aging bits, don't. There is plenty of fresh porn with nice looking girls out there (cheggit.net).
So what do you need to stay safe?
Mostly, your brain. Disable every bit of automation in software and instead let your brain do the thinking. NEVER just use automatic install (spyware) and never allow for instance outlook to preload crap or preview stuff. Email is for text, not webpages. But mostly ask yourselve WHO is sending me this, and WHY. One of the most amazing attacks I seen was by sending a "joke" attachment to people in your address book. Here is a hint, I am dutch. My brother I
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
This is the planet's largest ever privately controlled computer grid system. It is larger than google in terms of machines, and by the nature of its design it is about unkillable. It was most likely started by one *really* smart guy, as in uber scary smart, sitting in front of one machine at a console prompt. Think about that in your condescending leetness. And "just big"? This is the world's first Lex Luthor scale hack, because it is controllable, and has several practical (to them) attributes. It's a plan that suceeded, not just random vandalism like some other big ones like slammer. This is something the combined forces of all the other security gurus haven't been able to stop, or even get much of a handle on. It looks like to get rid of it, you would have to both identify and then simultaneously wipe/reformat every single infected machine *simultaneously*, and you say it isn't even all that inventive? Say what?