Slashdot Mirror


Storm Worm Being Reduced to a Squall

Rumours of financial schemes surrounding the botnet aside, PC World has an article that should lower the blood pressure of some SysAdmins. The Storm Worm botnet is apparently shrinking. A researcher out of UC San Diego who has been tracking the network has published a report indicating it is now only 10% of its former size. "Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world's most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time. Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network."

39 of 183 comments

  1. Spread of Windows by Prysorra · · Score: 2, Interesting

    Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?

    Just wondering.

    1. Re:Spread of Windows by Colin+Smith · · Score: 3, Funny

      Hmmm... Windows as a threat to national security ...

      Imagines SWAT teams dodging chairs as they storm Microsoft headquarters to screams of "You'll never take me alive copper!"

      --
      Deleted
    2. Re:Spread of Windows by sakdoctor · · Score: 2, Insightful

      I'd say enforcement of Windows piracy is the least lax that it has ever been.
      WGA raises the barrier of casual copying to lusers whose skill wouldn't have been enough to stop them getting pwned by some virus, and being incorporated into a botnet.

    3. Re:Spread of Windows by $RANDOMLUSER · · Score: 2, Insightful

      Or possibly it's the lax enforcement of security standards by Redmond programmers? Or the lax attitude of Microsoft about all things not directly related to increased sales and world hegemony?

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    4. Re:Spread of Windows by Anonymous Coward · · Score: 2, Insightful

      That's part of the problem. One of the ways they protect against piracy is keeping you from getting updates. This leaves unpatched pirated systems out there. Since there is no real legal threat for the average user, the only real motivation for a person to get a legit copy is so they can get security updates easily. Joe Six Pack is just going to borrow that pirated copy of XP his buddy picked up at a flea market. OP brings up a very valid point.

    5. Re:Spread of Windows by rustalot42684 · · Score: 5, Funny
      But then SWAT is beaten back by Clippy:
      It looks like you're trying to raid the Redmond campus. Would you like to:
      • Hunt and kill all the employees
      • Destroy the supercomputer cores
      • Uncover the secret plot for world domination
      • Just raid the campus without help
      # Don't show me this tip again
    6. Re:Spread of Windows by LO0G · · Score: 2, Informative

      Huh? According to Microsoft they provide security updates to pirated versions of Windows. Source: (click on "Will users of non-genuine Windows be blocked from receiving security updates?")

      It also appears that the Malicious Software Removal Tool doesn't require validation either.

      So you can run the same malware removal tools on pirated versions of Windows as well.

    7. Re:Spread of Windows by vtcodger · · Score: 2, Insightful
      ***Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?***

      Why would anyone think that? Windows is Windows whether it's pirated or paid for. Is a drunk weaving through heavy traffic at 135kph any more or less of a menace if he's driving a stolen car rather than a car he "owns"?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    8. Re:Spread of Windows by Keruo · · Score: 4, Funny

      > It also appears that the Malicious Software Removal Tool doesn't require validation either.

      Fixed your link.

      --
      There are no atheists when recovering from tape backup.
    9. Re:Spread of Windows by LO0G · · Score: 2, Informative

      So? First off, the IE team claims that IE7's going to be available without WGA. So part of that is no longer valid.

      Also, I was responding to a claim that Microsoft withheld security updates for people who were running pirated versions of Windows. I provided a link from Microsoft that seems to indicate otherwise.

      Why is this a problem? Are you saying that Microsoft is lying in their post?

    10. Re:Spread of Windows by Gerzel · · Score: 2, Funny

      Ballmer is a master of his art. There would be no dodging.

    11. Re:Spread of Windows by diskis · · Score: 3, Insightful

      That argument is getting a bit dated. Linux is used more and more on servers. More processing power, more bandwidth and not so competent administrators. I know a lot of machines sitting un-updated on 100mbit or faster. They have been sitting for years serving as storage for irc logs, simpsons episodes and funny pictures. Still they are not part of any botnets.

    12. Re:Spread of Windows by petermgreen · · Score: 2, Informative

      Huh? According to Microsoft they provide security updates to pirated versions of Windows.
      They do, kind of.

      If you want to run pirate windows without getting nags and you don't have access to a good (as in allocated by MS and not shitlisted because of wide distribution) corp key you have to either crack windows genuine advantage notifications or keep it off your system. Cracking it has the downside that MS could release an update at any time.

      There are two easy ways to keep windows genuine advantage notifications off your system.

      1: set automatic update to prompt before installing updates and manually check the list for wga every time (you can reject it but it reappears every so often). This is probably tolerable if it is your own machine but if you give it to someone else to use then it's not such a good idea.
      2: disable automatic updates completely.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    13. Re:Spread of Windows by thejynxed · · Score: 2, Informative

      The problem with your solution is:

      Some security updates won't be installed even via Automatic Updates if WGA is not found to be installed on the machine. There's a programmed limit tied into a WGA check. It doesn't check if your system is genuine or not, but it checks if WGA is installed and operational. If it is, you get all hotfixes past a certain KB number. If it is found to be a defective WGA install, you only get those hotfixes that are excluded from the check. This is why Autopatcher was so useful. You could install all of those patches whether WGA was present or not, because Autopatcher never checked for an operational WGA installation, and the individual hotfixes don't either. It is the MS Automatic Update service that confers with the MS update servers and performs the check.

      I've found this out the hard way before I caught on to exactly what was happening, and just used Autopatcher instead for all of my Windows installations. Not that I use any pirated OS mind you, but I've had activation issues that required a funky workaround given to me by MS Support Services for WinXP Pro SP2, which made WGA say my install wasn't Genuine when it is. The issue had to do with something in the SP2 upgrade from SP1a making WinLogon do strange things and give me mystical error messages that only a Russian could possibly decipher (or some lady from China working for MS Support, as was the case here).

      On a side note: I know people will probably say "Use Linux". No thanks. It doesn't do what I need it to do (I play many games that require DirectX and don't run under Wine or Cedega, and I use Citrix Metaframe, Solidworks, etc), and my hardware isn't supported via anything other than ugly hacking about in a terminal, which I'll take a pass on doing, because frankly, I don't have the time nor the inclination to do so (Mepis is the only distro that even came close to detecting most of my hardware automatically, and that was minus any networking or accelerated graphics).

      It's fine to play around with on a LiveCD (and I have several distros in this form), but until it does what I need it to do aka, "Right Tool For the Job at Hand", right out of the box, it's a non-starter in my situation. Maybe some year. Either that or I need to stop using such obscure hardware (mainly it is lazy manufacturers releasing buggy or totally broken Linux drivers) and software (game devs not using OpenGL and OpenAL).

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    14. Re:Spread of Windows by Bearhouse · · Score: 2, Interesting

      Good post, with which I agree totally, and is probably useful for some, thus 'insightful', I guess.

      I've given up on windows activation, for much the same reasons as yourself. I seem to spend my weekends re-installing friends' and neighbours' Windows PCs, and have either purchased, or legal access to, ALL the flavours of XP, (and Vista etc.)

      The easiest installs (for 'office' too) are *always* the unattended, slipstreamed 'pirate' versions found on the net, (suitably checked, of course). Update the serial number, and away you go... As for linux, great for servers, but driver hell...and all the abovementioned users are already XP brainwashed anyway.

      Too bad you won't get modded up, since you're:
      1. 'Pro' windows, and some would say 'pro-pirate'.
      2. 'Anti' linux...

      *sigh*

  2. Good by Colin+Smith · · Score: 4, Funny

    Now that it's down to 5 million we can all breathe a sigh of relief...

    --
    Deleted
  3. don't be sure by phantomfive · · Score: 5, Insightful
    The researcher determined this with a spider he created to crawl the storm network. How does he know that the network is shrinking and not just being partitioned?

    Furthermore, the storm virus is known to be updatable. Is it possible it was updated to be even less obtrusive, thus escaping detection in other ways? Maybe it has gone into dormant mode, because the creator doesn't need so many computers at the moment.

    One interesting innovation of the worm, quoted from the article:

    "If you're a researcher and you hit the pages hosting the malware too much... there is an automated process that automatically launches a denial of service [attack] against you," he said. This attack, which floods the victim's computer with a deluge of Internet traffic, knocked part of the UC San Diego network offline when it first struck.

    I think some part of me must be sick or something, because when I read about this I almost hope the worm will get bigger, become unstoppable, and reveal windows for the insecure piece of crap that it is. Linux, BSD, OSX, Solaris, and heck even Minix could clearly stand up to a threat like this much more easily than Windows.

    --
    Qxe4
    1. Re:don't be sure by John+Hasler · · Score: 4, Insightful

      > I think some part of me must be sick or something, because when I read about this I
      > almost hope the worm will get bigger, become unstoppable, and reveal windows for the
      > insecure piece of crap that it is.

      Already been done. Nobody cares.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:don't be sure by Master+of+Transhuman · · Score: 2, Interesting

      I was wondering about the possibility of it being partitioned myself.

      It has always been hard to figure out the size of the botnet because of its policy of only allowing a limited number of immediate connections in its net. Partitioning and assigning control of sections to other people - and this would presumably entail cutting connections with other portions of the botnet completely in order to enforce "ownership" - would presumably make it look smaller than it is.

      This guy may also be overconfident in the crawling ability of his tool.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    3. Re:don't be sure by phantomfive · · Score: 4, Insightful

      Heh, I knew someone was going to trot out this old troll. The point is, it would be much easier to secure unix-type systems than windows-type systems. Compare Microsoft's budget to that of OpenBSD; now tell me, which is more secure?

      For it to be effective as a virus, it is going to have to install itself to startup somehow. What is it going to do, add a line to my .bashrc? Add a script to /etc/rc.d? It can't do that, only root can, and I don't browse the internet as root. Nobody does.

      You may say, "it will prompt you for the password and idiot users will just type it" but you are showing your Windows bias. On windows, you get so many popup prompts that many users just ignore them and do whatever they ask. OSX has shown that it can be done differently, however. Ask any average OSX user what they would do if a downloaded attachment asked them for their root password, and they will say something to the effect of, "Freak out and delete it immediately." It's because the warnings and prompts in OSX don't become annoying.

      Security on Windows is hard. For any vulnerability, it takes a lot more effort to fix on Windows than a similar vulnerability in a Unix system. In unix-world, fixing the OS is an option.

      --
      Qxe4
  4. Bullshit by Anonymous Coward · · Score: 5, Interesting

    Some colleagues and I, along with a couple of anti-malware sites, have been tracking Storm infections as best we can over the last couple of months. We've mostly been using honeypots, trapping SMTP traffic and utilizing some nslookup scripts to mine Storm's fast-fluxing domains. It has not shown any sign of shrinking, particularly not by a factor of 10.

    The only people who have ever estimated its size to be anywhere near 50 million hosts are paranoid tin-foil hat wearing security analysts and journalists looking to generate some ad revenue with a shocking headline or two. I've never seen any solid evidence pointing towards Storm being larger than 2-3 million hosts, so even assuming there is an exact science at work here, 1.5 million is far from a 10th of 2-3 million.

    This phenomenon would be a lot easier to combat if people would stop spreading bullshit stories such as this.
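
    The fast-flux mining the poster describes, as an added example that is not part of the original post and not any tool named in the thread: a scorer over repeated lookups of the same name, the kind of analysis an nslookup or dig loop would feed. The log lines, their `<seconds> <name> <A record> <ttl>` format, the addresses and the thresholds are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample in an assumed "<seconds> <name> <A record> <ttl>" format,
# i.e. what a lookup loop over nslookup/dig output might emit. Not real Storm
# data; the addresses are documentation/shared-address ranges picked for the
# example. "flux.example.invalid" changes addresses every round with short TTLs,
# "www.example.invalid" is a stable name for contrast.
SAMPLE_LOG = """\
# t   name                   A record        ttl
0     flux.example.invalid   203.0.113.10    60
0     flux.example.invalid   198.51.100.77   60
0     flux.example.invalid   192.0.2.200     60
120   flux.example.invalid   203.0.113.44    30
120   flux.example.invalid   100.64.7.9      30
120   flux.example.invalid   100.71.3.2      30
240   flux.example.invalid   100.80.12.1     60
240   flux.example.invalid   192.0.2.9       60
240   flux.example.invalid   198.51.100.5    60
0     www.example.invalid    192.0.2.1       86400
120   www.example.invalid    192.0.2.1       86400
240   www.example.invalid    192.0.2.1       86400
"""

# Assumed thresholds, not from the thread: many distinct addresses, spread over
# several /16 networks (a crude stand-in for "many ISPs"), served with short TTLs.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3
MAX_MEDIAN_TTL = 300


def parse_line(line):
    """One observation -> (seconds, lowercased name, ip_address, ttl)."""
    t, name, ip, ttl = line.split()
    return int(t), name.lower().rstrip("."), ipaddress.ip_address(ip), int(ttl)


def summarise(log_text):
    """Aggregate observations per name and flag fast-flux candidates.

    Returns {name: {"distinct_ips", "distinct_nets", "median_ttl",
                    "lookups", "fast_flux"}}.
    """
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(),
                                    "ttls": [], "lookups": set()})
    for raw in log_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        t, name, ip, ttl = parse_line(raw)
        rec = per_name[name]
        rec["ips"].add(ip)
        # Collapse each address to its /16 so several addresses out of one
        # provider block count once toward network diversity.
        rec["nets"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        rec["ttls"].append(ttl)
        rec["lookups"].add(t)

    report = {}
    for name, rec in per_name.items():
        n_ips, n_nets = len(rec["ips"]), len(rec["nets"])
        med_ttl = median(rec["ttls"])
        report[name] = {
            "distinct_ips": n_ips,
            "distinct_nets": n_nets,
            "median_ttl": med_ttl,
            "lookups": len(rec["lookups"]),
            "fast_flux": (n_ips >= MIN_DISTINCT_IPS
                          and n_nets >= MIN_DISTINCT_NETS
                          and med_ttl <= MAX_MEDIAN_TTL),
        }
    return report


if __name__ == "__main__":
    for name, s in summarise(SAMPLE_LOG).items():
        verdict = "FAST-FLUX?" if s["fast_flux"] else "stable"
        print(f"{name:24} ips={s['distinct_ips']:2} nets={s['distinct_nets']:2} "
              f"median_ttl={s['median_ttl']:>6} lookups={s['lookups']} {verdict}")
```

    Two caveats a practitioner would add: a large CDN also answers with many addresses, but they sit in the provider's own blocks and carry sane TTLs, which is why the network-diversity and TTL terms matter as much as the raw address count; and a single vantage point sees only part of the flux, so the lookup loop should run from several resolvers over hours, not minutes.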

    1. Re:Bullshit by sg_oneill · · Score: 2, Insightful

      Whatever the case is, it's a nasty piece of work. There's precious little that'll stand up to that thing focusing fire on a target.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  5. Oblig Inverse by hksdot · · Score: 2, Funny

    I for one bid farewell to our swarm intelligence worm overlords.

  6. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  7. Re:Oblig. by marcosdumay · · Score: 3, Funny

    Windows boxes are getting more secure all the time.

    But we can only guess when they will be ready for widespread use...

  8. Re:Mac and Linux users by TheRaven64 · · Score: 3, Insightful

    Just breathed a collective sigh of relief... Oh wait, maybe they were just rolling their eyes and sighing. No, we get spam from Windows zombies the same as everyone else.
    --
    I am TheRaven on Soylent News
  9. ...reduced to a Squall by Wonko+the+Sane · · Score: 4, Funny

    So it now has a scar on its face, and carries a sword-gun?

  10. Re:Mac and Linux users by Torvaun · · Score: 3, Insightful

    Windows can be secured. I've got an XP desktop for gaming, and I run Linux on my laptop. Neither of them get viruses. My protection suite is all free software, so there's no annual fee there. And, if enough regular people switched to something with a Unix base, they'd have virus issues too. There are viruses and rootkits for systems other than Windows. They aren't prolific because the average moron who clicks everything is on Windows.

    Yes, those systems are more secure than Windows. No, they are not secure enough to deal with the assault of a wave of moronic users. Feel free to dream of an exodus away from Windows, but understand that nothing will change, even if your dream comes true.

    --
    I see your informative link, and raise you a pithy comment.
  11. Re:Oblig. by morgan_greywolf · · Score: 3, Insightful

    I think that the problem of viruses would be greatly reduced if people were less ignorant about viruses.


    I think the problem of viruses would be greatly reduced if people were less ignorant about how their behavior causes them to get viruses.

    Windows can be an okay operating system security-wise, if people didn't do these things:

    Run Internet Explorer: IE is buggy and insecure. If everyone replaced it with Firefox with the NoScript plugin installed, you could watch how many fewer viruses there would be.

    Run Outlook or Outlook Express: Mail programs shouldn't have scripting abilities that can take control of the entire OS. Watch how many fewer viruses would exist if people would run Thunderbird instead.

    Download programs from untrusted sites: Lots of random malware, spyware and viruses are installed because users install the latest 'cute' or 'cool' thing their friend told them about.

    Enable VBA macros to autorun in Microsoft Office documents. Turn off macros.

    Run as Administrator: Either learn how to use your OS properly or upgrade to Vista. Seriously.


    Eliminate these behaviors and you will have removed the most common vectors of infection on Windows machines.

  12. Re:looking for details on storm botnet control by Kobun · · Score: 2, Interesting
  13. Re:Mac and Linux users by creativeHavoc · · Score: 2, Insightful

    I wonder how many slashdot windows users are infected. I would venture a guess that there aren't very many. Computers are as smart as their users in a lot of cases, and most often that goes for security as well.

    --
    insight through the mind
  14. Re:looking for details on storm botnet control by v1 · · Score: 2, Interesting

    That's a very interesting read. I hope the authors release a similar, more up-to-date rundown of Storm. it sounds like Curious Yellow is one step before Storm in terms of worm evolution. (or that it was the successor to it?)

    --
    I work for the Department of Redundancy Department.
  15. Re:Oblig. by lattyware · · Score: 2, Informative

    That is what you think...

    --
    -- Lattyware (www.lattyware.co.uk)
  16. Re:Oblig. by calebt3 · · Score: 2, Funny

    *my* Windows box has never been "hacked". Give me a few more minutes.
  17. Re:One question by petermgreen · · Score: 2, Interesting

    my understanding is that you get taken to a page that tries a bank of browser exploits (I don't know if they are all for IE or if there are some FF ones in there too) until one works. If they all fail then it tells the user to download and run an exe.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  18. Re:looking for details on storm botnet control by ymgve · · Score: 2, Informative

    Doesn't matter that it's 40-byte. It's using simple XOR encryption, and the key is stored in plaintext inside the unpacked executable.

    (If anybody cares, the current key, at least for the botnet partition I've seen, is F3 AA 58 0E 78 DE 9B 37 15 74 2C 8F B3 41 C5 50 33 7A 63 3D E6 13 DF 6C 46 CA BE 9A 77 48 94 02 C0 F3 66 49 EE 87 21 BB.)
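
    The XOR scheme the poster describes, as an added example that is not part of the original post and not Storm's own code: a repeating-key XOR codec using the 40 key bytes posted above, plus the known-plaintext trick that recovers such a key when the binary has not already handed it to you. The sample payload is constructed; the thread says nothing about the real message layout, so the request-line guess is purely illustrative.

```python
from itertools import cycle

# The 40-byte key exactly as posted in the comment above.
POSTED_KEY = bytes.fromhex(
    "F3AA580E78DE9B3715742C8FB341C550337A633D"
    "E613DF6C46CABE9A77489402C0F36649EE8721BB"
)
assert len(POSTED_KEY) == 40


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key`, repeating the key every len(key) bytes.
    XOR is its own inverse, so one function both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_bytes(ciphertext: bytes, known_plaintext: bytes,
                      key_len: int, offset: int = 0) -> dict:
    """Known-plaintext attack on a repeating XOR key.

    If `known_plaintext` is believed to sit at `offset` in the decoded stream,
    ciphertext[i] ^ plaintext[i] is the key byte used at position i, which is
    key[i % key_len]. Returns {key_index: key_byte} for the positions covered.
    A guess longer than key_len revisits indices; a conflicting value there
    means the plaintext guess is wrong, so raise instead of silently overwriting.
    """
    found = {}
    for i, p in enumerate(known_plaintext):
        pos = offset + i
        if pos >= len(ciphertext):
            break
        idx, k = pos % key_len, ciphertext[pos] ^ p
        if found.get(idx, k) != k:
            raise ValueError(f"inconsistent key byte at index {idx}: "
                             "plaintext guess is wrong")
        found[idx] = k
    return found


def assemble_key(found: dict, key_len: int):
    """Return the full key as bytes if every index was recovered, else None."""
    if len(found) < key_len:
        return None
    return bytes(found[i] for i in range(key_len))


def demo():
    """Walk the codec and the recovery on a constructed payload (not bot traffic)."""
    plaintext = (b"GET /update HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                 + bytes(range(60)))
    ciphertext = xor_with_key(plaintext, POSTED_KEY)

    # Guessing only the 20-byte request line recovers 20 of the 40 key bytes ...
    partial = recover_key_bytes(ciphertext, b"GET /update HTTP/1.1", 40)
    # ... guessing the whole 47-byte header covers every index of the key.
    full = assemble_key(recover_key_bytes(ciphertext, plaintext[:47], 40), 40)
    return (len(partial),
            full == POSTED_KEY,
            xor_with_key(ciphertext, POSTED_KEY) == plaintext)


if __name__ == "__main__":
    print(demo())
```

    This is why the key length is beside the point: 40 bytes of guessable plaintext anywhere in the stream (or, as the poster notes, a plaintext copy of the key inside the unpacked executable, findable with a plain byte search) yields the whole key, and the same function then decodes every message in that partition.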

  19. Re:looking for details on storm botnet control by ymgve · · Score: 4, Informative

    A few days old now, but these IPs are some of the ones that have been taken over to host the malware. Add http:// to the front, and download the executables from there.

    !!! WARNING - THESE SITES CONTAIN JAVASCRIPT EXPLOITS AND POSSIBLY OTHER EXPLOITS - APPROACH WITH CAUTION !!!

    70.241.136.75
    24.31.16.133
    68.58.22.93
    69.153.22.0
    24.30.230.51
    75.23.213.0
    76.22.95.226
    76.87.15.223
    213.85.39.178
    68.126.134.102
    68.81.124.62
    200.127.28.133
    68.158.67.73
    68.42.159.205
    66.30.37.175
    12.202.175.97
    200.106.170.69
    86.127.5.24
    195.3.220.153
    24.0.96.97

  20. Yes, but at what cost? by gillbates · · Score: 3, Interesting

    Sure, you can secure Windows. You can also make Linux run Windows programs. If you're willing to put in the effort, I suppose you could run a web server on a C64 (Hey! Some people have!)

    But the point is that it's a lot more practical to just buy a Mac if you're a non-technical user. You get ease of use, with none of the security and stability problems of Windows.

    And if you are technical, and are going to put in the effort to learn a system in depth, why would you pick Windows? If you learn Linux, you can transfer that knowledge to working on UNIX systems, and the usefulness of your knowledge isn't subject to the capricious actions of a convicted felon (Microsoft). Sure, you could secure Windows, but every time Redmond releases another version, your knowledge becomes obsolete.

    But there are a few additional points about Windows:

    1. Windows has at least one - if not two or three - orders of magnitude more security vulnerabilities than Linux or Mac. This alone suggests that the problem of Windows security is much greater than that of Linux or Mac security, regardless of the reason.
    2. A Windows system requires constant patching to remain relatively secure, and even so, there's always a small window of opportunity when even fully patched systems are vulnerable. (i.e, the time between the black hats discovering the exploit and the time white hats find it; and the time between notification and the time Microsoft is able to issue an update). Even though you are fully patched, your system still contains vulnerabilities yet undiscovered by the security researchers, but known to black hats.
    3. Constant patching is not a viable option for most companies which must test patches for interoperability. In many cases, a company's own internal testing takes longer than it takes hackers to publish an exploit for the vulnerability. In such cases, their machines are never truly secure, even though they patch constantly.
    4. You don't have the source code, so you can't audit it. Given that Microsoft was recently caught modifying files on their customers' computers without their consent, this is very troubling. You can't trust Microsoft to do what they say they will, nor can you verify they are.
    5. You don't control what gets turned on by default, and sometimes a major, required component of Windows has security flaws (Blaster, anyone?). With UNIX like system, you can simply strip the box down to the bare minimum to achieve greater security.
    6. Windows has a maze of interdependencies which often means that you simply cannot uninstall a problematic part of the OS. Take IE for example - though it can technically be uninstalled, it is required by even the most basic OS functions, which means that removing it is not a realistic option for the end user. Yet it continues to be a wellspring of security problems, made even worse by the fact that it isn't practical to run a system without it.

    So sure, you can make Windows relatively secure, compared to other Windows boxes. But for the same amount of effort, you could secure a Linux machine to a much greater degree, and have a stable, trustworthy system as well. Sure, neither system is perfect, but for the effort you expend, you get a much better system by installing Linux or buying a Mac.

    And I suppose a slashdot post wouldn't be complete without some anecdotal evidence. In the 10 years that I've been in the industry, every single one of my Windows using relatives have needed me to recover one of their crashed/unstable/unusably slow Windows systems. In fact, prior to XP, I had only met one person who both ran Windows and had not had it crash on them. And yet, even though Apple commands about 10% of the market, I have only once been asked if I could recover an Apple computer. And even then, it took only about 1/2 hour, and the guy didn't lose any of his data (he tried to update OS X, and botched it, but even then, he still was able to reco

    --
    The society for a thought-free internet welcomes you.
  21. Re:Oblig. by budgenator · · Score: 2, Insightful

    Windows XP SP2 has been out for long enough that there is no excuse for an application that can't run in a LUA environment; the only company that has gotten it right is Sun Microsystems; installing Java is the standard for how all software should install on Windows. In most software you have to jump through so many hoops to get it installed that most people give up and just run everything as admin. Here's the killer: Aunt Millie goes to a website and needs to install a plug-in to see all of the content, let's say Flash for grins and giggles.
    She clicks yes and saves it to the desktop, and now she's stuck: it won't install. The easy way around it is to switch users to admin (wait for all of the crapware to auto-load) and try to remember what site and plug-in she needed, and of course she can't. So now she gets an inspiration, and clicks through My Computer, Documents and Settings to her user area, and access is denied! Curses, now she switches users back and tries to right-click the installer and clicks run-as admin; still admin has insufficient privileges to open the file. Aunt Millie is stuck, and from now on Aunt Millie is going to run as Admin because it's easier, and her computer is going to be part of the next botnet.

    The problem is you say so many legacy apps need to run as root, but in Windows there is no root; root is the trusted superuser in *nix, in Windows there is admin, the untrusted semi-superuser. Root is your priest/rabbi, doctor and lawyer all rolled into one in the computer context; root is privileged as in doctor-patient privilege. Admin is the asshole one level up trying to get leverage over you, or the car mechanic in a one-horse town ready to cut your fan belt in the blink of an eye as you pass through.

    OBTW do you know how to install software saved on a LUA's desktop? Took two years but I figured it out.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds