Storm Worm Strikes Back at Security Pros
alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."
The bot-net probes you.
~ I am logged on, therefore I am.
Have them shut down and re-install Windows (not recommended)
or install GNU/Linux.
You are being MICROattacked, from various angles, in a SOFT manner.
...beginning to learn at a geometric rate?
*An overweight Bond sits at a computer desk littered with Payday bar wrappers and graphic novels. He struggles to breathe as he brushes at the Cheetos crumbs stuck in his stubble. A blinking light flashes on his monitor and he reaches up with his stubby fat fingers to press the 'Accept Transmission Now' key. The video feed of an equally bloated and zit-faced man, though somewhat less pasty white, comes up.*
... I would like to discuss your latest attempts to probe my botnets on the interweb. ... SATURATE YOUR BANDWIDTH!
Cats: Good evening, Mr. Bond, I was just hitting up some 3 am Taco Bell for fourth meal
Bond: *wheezes at the sight of his archnemesis* Cats! I should have known it was you! You won't get away with this diabolical scheme!
Cats: Oh won't I, Mr. Bond? I have all of the world's computers trapped to do my bidding. What would you say if I told you I could bring any website to its knees with a DDOS attack? I noticed you have an apache http server running, Mr. Bond. Perhaps sharing pictures with your loved ones!? Well, I hope a billion attempts to access those images won't
Bond: My GOD! You've gone mad with power, Cats. You're a madman! You'll never get away with this. How do you even keep your franken net in check? What happens when it turns on you?
Cats: Oh, I think I will, Mr. Bond, Caribbean law is quite kind when it comes to orchestrating botnets. Prepare to say goodnight. Good luck making your raiding schedule, I hope you won't miss those 50 DKP!
*Bond's screen slows to a crawl as he rushes to turn off Apache*
Bond: Nooooooooooo!
My work here is dung.
init 11 - for when you need that edge.
Perhaps people who are probing, should spoof their address to match another command and control unit.
If the "command and control" servers have been found, why haven't the IPs been masked to physical addresses and physical security types with physical balaclavas and physical MP5s probing the physical door?
How can I believe you when you tell me what I don't want to hear?
just wait till it realizes that humans are the ones doing the probing.
Letters of Marque, please?
Can we get a "-1 Wrong" moderation option?
Running scared? Are they serious? Suddenly I see a scene in those old hero flicks where a woman in the crowd stands and says, "Is there no one? No one out there who will save us!?"
Didn't I just hear that the Storm worm was slowing to a crawl?
GetOuttaMySpace - The Anti-Social Network
...the biggest WTF are the comments, well done!
From what I read up on this storm bot it seems the weak point is the registered domains. Why don't they just shut them down? They have proof that certain domain names are implicated in the scam and they know they are doing the fast dns switch thing. It would seem to be a lot easier than trying to get 1 million individual pcs patched up.
Yeah and when the Storm Worm drops the whole network segment you are f'ed. Your ISP will drop you if you keep dropping their routers. Because, well, not everything is about you. This botnet has much more power than you think it does.
If they throw enough bandwidth at you, that could be enough to take down your local subnet, regardless of changing your IP.
So, these people are trying to sell these botnets for extortion and spamming purposes right? Well, seems to me that they just opened up a loophole for at least one category of customer to get free "service" by spoofing whoever he wants to DDoS and poking the botnet till it retaliates. Boom, instant DDoS and he didn't have to pay a dime for the service. I do like the idea someone else put out of spoofing as one of the other control nodes, thereby getting the net to DDoS itself, but it may be just smart enough not to do that.
Curiosity was framed, Ignorance killed the cat.
Until, you know, the ISP drops your ass because you have caused their entire dynamic IP pool to be DDOS'ed. Or, the bot net just starts DDOS'ing the routers just before your IP and suddenly everyone's connection dies.
Good luck Mr Bond.
Sure. Then the folks running the botnet identify you based on your DOS'd IP number, find out what your real IP numbers are, and crush you there.
At least, that's what would happen if I were running it.
$nice = $webHosting + $domainNames + $sslCerts
Higher ed had some of their systems attacked in this way going back to at least July. I lost a machine because of this because the system (running FreeBSD) had a marginal disk that eventually died under the load incurred by logging "Limiting icmp ping response from..." messages. Fortunately, we were smart enough to NEVER use systems like our workstations for downloading malware from suspected sources.
Easy lesson for those thinking of doing research: Remember to have a machine dedicated to the task of talking to untrusted outsiders.
Dude, you should be dating LIVE girls. I believe that is your issue. Is she very quiet when you, you know, get down? A little strangely colored? Cold?
Is the Machine War finally at hand?
But, of course, people who commit actual violent crimes would get off much more easily, according to your plan.
Way to get your priorities straight.
Lord High Crapflooder The Right Honourable Vlad Craig Esther McDavenpherson III
Destroyer of Mercatur.Net
.. I'm still waiti
Wouldn't the obvious counter-strategy to this be to give the botstorm enough targets to make their DOS attempts too dilute to be a threat?
You theoretically would not need a comparable number of targets to attackers - just enough to lower the magnitude of the counter attack to the point where you could get acceptable results. You could also have targets that 'play dead' in some ways so the attackers can't fix on a minimum magnitude to counter attack with, and instead have to throw zombies until the target stops moving, where the target just gets right back up after playing dead. That way, the window you have before you 'play dead' might be used to get relatively clear results.
Just one guy's idea.
Ryan Fenton
Something tells me that your method won't work against Storm. This is due to the fact that if you tried such a stunt, it wouldn't be your PC that would be DoS'd, it would be the ISP's local NOC you were using to connect to the internet. If you forced a new DHCP reservation (all that an unplug/plugin does), you'd end up with another IP address (if the DHCP server ever responded to your request) sitting on the same hardware that is being DoS'd by Storm.
What is needed to fight a botnet of this size is a distributed probe net, where if one node is taken out by the botnet, the rest of the cloud keeps on probing it. After all, even a large botnet can only DoS so many locations at a time.
A better solution might be to spoof the IP addresses of other members of the botnet, thereby making it DoS itself into submission.
Yeah, uh, two problems with that. First, by all accounts these people are based out of places that aren't really friendly to any government intervention, let alone foreign governments, so good luck actually getting to them to take any sort of legal action. Second of all, even in medieval times most forms of execution were relatively quick. Mind you, that's execution, not torture (which itself was often fatal), but then again there's a whole raft of extra-governmental regulations on torturing people, not that that has apparently stopped any of the governments from finding loopholes around it.
Curiosity was framed, Ignorance killed the cat.
Should point out that hacking is not a crime, never has been, never will be [at least without totally eroding all freedoms first]. A hacker is simply someone who takes the time to see how the world around them works. They're not script monkeys who instigate virus attacks, those are criminals.
Stop reading/watching Faux News et al. and get your damn facts straight.
People should be able to call themselves a hacker without fear of reprisal, for it's the hackers who will inevitably find many of the flaws in the world that the corporate greedmongers want hidden. I mean who do you think are the people finding all of the buffer overflows, protocol mistakes, etc in services you use on a daily basis? If hackers went away companies could easily get away with insecure practices and billing like however they feel like.
It's the people who stop questioning how the world works that should get a bitchslap upside the head.
Someday, I'll have a real sig.
What's bigger, the Storm effect... or the Slashdot effect ...
Which ISP are you with that will give you a second connection "for like crazy cheap"?
LAWL. Too funny.
"Just unplug the modem and try again XD" ROFL. This is the funniest shit I've seen all day.
Oooh, yeah! And we can do the same to shop lifters, drunk drivers, and illegal immigrants! Perfect! We'll stop all the crime in the world! You are the Brilliantest!!!
DDoS'ing a botnet DDoS'ing... I like how you think.
"I have no special gift, I am only passionately curious." - Albert Einstein
Based on bs like this, I doubt everyone agrees with you. http://software.silicon.com/security/0,39024655,39154136,00.htm
stick to ramen. my money's on them figuring out to dos some address[es] above your current throwaway dynamic ip.
this just in: fuck with packet kids and get packeted. shock.
This is something that has been known and announced for many months now. Additionally, the new variants of it do not seem to trigger DDoS attacks in quite the same way.
Wouldn't it be funny if the worm was never intended to phone home for instructions, meaning any attempt to contact "command centers" would always be the result of probes ?
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Just do the probing from some network like Google, Akamai, Microsoft, etc. with so much bandwidth to spare that nobody could possibly orchestrate a DDoS attack against them. I can't imagine what it would take to DDoS a network that has multiple 10Gb links and distributes connections among thousands of computers.
dom
Fix it? Just move to the Poconos and take up fishing. Never destroy a source of free bait.
This battle reminds me of the war in The Matrix, part 3 (which most of the /. crowd did not like). Here, as there, are humans fighting against a virus which is developing new methods (Agent Smith) and attacks the humans. So at the end: the matrix is true; we all live in a dream world. If only I could stop bullets.
or you could just have it play tic-tac-toe against itself and realize there is no winning strategy
Well, the death penalty has certainly stopped people from committing murder in the United States. I think you're on to something.
I don't care why you're posting AC
It seems to me that it would be a better use of his time to direct those DDoS attacks at people with money, who are actually willing to part with it. If the guy is directing attacks against insecurity experts, he must be either worried they'll feck up his precious botnet, or he's a muppet (or both I suppose).
You can, but it usually hurts really, really badly.
There is a war going on for your mind.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Was there zero crime in Medieval England, where they did kill criminals publicly and gruesomely? No.
Chernobyl 'not a wildlife haven' - BBC News
find -name "*base*" -exec chown us {} \; ; ln -s
However, say a hobbyist...or someone with a great deal of time could do it :)
I'm too busy with all the fires and such in San Diego, maybe next week...
I had these morons DDOS my network several times so if some could "eliminate" these people and their botnets I'm welcome to it. I think the Russian mafia got a good idea http://it.slashdot.org/article.pl?sid=07/10/11/2157244 but we need to get the botnet also. We are just a non-profit research organization so we don't make any money so trying to ransom us is like trying to get blood from a rock (turnips have proteins in them and if someone has the time can convert it to blood).
So? If we do in fact know where they are physically located, local police should go and confiscate them.
Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.
There's a lot of these computers out there, which is the whole point. If every one was subject to seizure, computer security would immediately become part of popular conversation. Helluva social storm, probably.
Tweet, tweet.
From the anti-storm-researchers' secret planning session with Interpol:
OK, I think I know foo is a C&C. Here's the plan: We'll set up our probe machine with external monitors then start probing the hell out of foo.
When the botnet attacks, we'll know it's a C&C.
Now you guys put external monitors on foo and see who is connecting to it. If you can gain physical access undetected, do so.
If anyone accesses foo over any suspicious channel start monitoring them as well.
Once you think you've got a handle on the people involved, raid everyone.
From next year's newspapers:
October 24, 2008: Interpol, in cooperation with police agencies worldwide, announced the capture of Dr. Evil. He is charged with numerous computer crimes.....
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I see the same sort of law-and-order assumptions here that I would like to believe in. Sadly, that phase in my life has ended.
Sure, you can find who is DDoS'ing you. You can then call the ISP/hosting company and complain. If they are in the US they will likely as not just tell you to get a court order. Outside the US they will laugh and suggest you bribe them. Either way, it is their customer's right to operate in whatever manner they choose. If they are presented with a valid court order from a court in their jurisdiction, they will quickly and efficiently comply. Otherwise, your complaint will go in the bit bucket.
Mostly the problem is that to a lot of ISPs their customer (and the revenue from that customer) is a whole lot more important than the negative effects their customer is having. Also, the customer may be Daddy and Sonny is the one causing all the trouble. Why would anyone want to offend bill-paying Daddy by cutting off service?
The problem here is that regardless of the problem - a botnet infested computer, a script kiddy trying to break in, or some other mischief - if you let it go, it gets worse. Every time a script kiddy gets to feel that rush of excitement at breaking into some computer somewhere without any consequences they get bolder. In the US it is not really possible to go after them until they run up at least $25,000 in damages. Because of this, you never hear about the high schooler getting in trouble because they defaced a web site. Instead you hear about someone after many years of mischief and mayhem who is being accused of causing $12,000,000 in damages computed in some creative manner to get the FBI's attention. There is never a thought of stopping this when the cost to everyone is minimal. Minimal doesn't get the FBI involved and local law enforcement is utterly clueless.
Nobody is really going to get taken down for this unless they do something incredibly stupid. Sure, you can find an IP address but you can't get the customer unless the ISP wants to cooperate. Can you get a court order for the ISP to identify the owner of the account? Probably not without at least $25,000 in damages that you can claim. Even then all you have found is an infected computer that the owner doesn't know anything about.
I got the skynet link of course, and it's apt. What we are seeing is the slow transition from single cellular behaviour to a multi cellular organism. That is, instead of fighting on its own, it now has a global immune response to an invader (security researcher). With the advent of virtual machine detectors last year these things now commit apoptosis when they detect they have been invaded by the security researcher.
In other words we have changed roles. Instead of us being the host and them being the virus, it now is behaving like a host and us as the invasive organism.
These things certainly have enough global cpu strength to do some serious artificial intelligence. Even if it were not efficient, they have millions of cpus to harness. Some already do have code changing algorithms to hide their signature. And the ones that survive are the fittest in an evolutionary sense. At some point they may actually start changing their own design, and eventually their own requirements.
So skynet may evolve itself naturally, not as an actual construction.
Some drink at the fountain of knowledge. Others just gargle.
People who call themselves hackers aren't.
Is this botnet the one that keep sending the "Viagra Official Site" spam?
There was a time in England when a bloke could talk about the gay time he had passing a fag around amongst his friends behind the school (fun/happy time passing a cigarette around) without any double entendres. Language evolves. Change your manner of communication or prepare for misinterpretation.
string Hackers="hardware hobbyists"
string Crackers="Saltines, safe-crackers, computer-criminals"
...
Hackers="computer-criminals";
Crackers="Saltines";
The Matrix. This botnet might not be man-made. It might turn out that all these own3d computers have created a collective intelligence.
That's why I find it so remarkable that "the authorities" do not take down this botnet. After all, any terrorist can hire its service and take down a good part of the economy. That will cause more damage than destroying a couple of buildings.
yes. and we rapists are tired of being stigmatized, too. people who just want to have some sex shouldn't get a bitchslap upside the head.
if(!in_array($prober,$controlservers)) {
ddos($prober);
}
The guys who are creating this botnet have a history of being clever. I doubt they forgot the if statement.
Selling software won't make you money, selling a service will.
The best solution is completely non-technical... a $10,000,000 bounty for the arrest and conviction (in whatever court you may choose) of the owner of the botnet.
The tyrant will always find a pretext for his tyranny - Aesop
Bookmark of cradle the desklamp, or coffee door bird the bubble wrap. Airport barcode of lunch train.
Football.
As one of the "threatened" AV researchers, I was of course interested in getting the bots offline, at least to the degree that I can (I kinda have little chance to put pressure on ISPs in some country that I can't even spell correctly).
So I went and gathered the IP addresses of infected machines. I aggregated them and grouped them to the corresponding ISPs, complete with timestamp (just in case they use dynamic IP addresses and thus need them to contact the corresponding users), then I sent out a mail to 10 different ISPs, just as some kind of test.
The result:
5 didn't reply at all.
2 replied that they are "looking into the issue". I guess they're learning the list by heart 'cause after a month now, still no further reply.
One replied with the question whether I try to infect their system and how I dare to say that their users might do something illegal (talk about knowledge).
One replied that they can't do jack because I could just as well have forged that list to mess with their users and they don't care.
Only a single ISP actually thought the matter is important enough to contact me with a request for more information and whether they can do something proactively.
One.
The smallest one, btw. With 20 infected machines (compared to a few 100 with the biggest one, one of the first group that didn't even care enough to reply).
You can't win this way. ISPs don't care at all, at least until the botnet starts using more bandwidth than their torrent leechers. It would mean work for them, what's worse, it means their customers bother their call center with angry calls and maybe even questions how to clean their machines and maybe they even cancel their service over it. In short, taking things like this seriously costs them money but doesn't get them anything, so they won't do it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Damn, these people are treating this damn thing like it's alive. Stop attacking the bot and find the fucker who wrote it. Then beat your answers out of him.
Supporting World Peace Through Nuclear Pacification
I'm pretty sure his *plan* didn't even attempt to address violent crimes, which would be off-topic and derail this thread into a long moral discussion about crime and punishment that would fill volumes of books, wait.. slashdot... volumes of raid protected hard drives.
"Stay on target"
How about designing a new bot-net to attack storm
in kind of the same way as SETI@HOME where you could donate your
computers idle time to fight the storm bot-net.
If enough people contributed, then maybe even storm could be
overpowered.
"A strange game. The only winning move is not to play. How about a nice game of chess?"
I was just thinking the same thing, only it would be even greater justice if you could find multiple nodes and have them attack each other.
As far as the control of the C&C goes my guess is they have a passive way of identifying their boxen. (Likely DNS related.) Crack that, and someone will use the DDoS functionality for endless fun.
Yeah, but the rate of recidivism is ZERO.
Screw the deterrent, I want the cause ELIMINATED.
Yeah, I agree with the point you're making, as murder still goes on quite a bit. However, not a huge amount of murderers actually get the death sentence, and even the ones that do have a few years at least usually before the execution actually happens, and the execution itself is usually relatively painless, and non-public. Having said that, I think the Parent Poster was kidding around, because it's pretty easy to see how ridiculous that solution is.
Wait a minute - how did you manage to type in the squiggly word, press 'preview', wait about 20 seconds for anything to happen, then press 'submit' after being stormed?
Do the probing from a dynamic IP address, like most home DSL connections. If you get DDOSed, reconnect.
:). I wouldn't want a static address on my home connection for a number of reasons.
There's a lot to be said for dynamic IP addresses
>north
You're an immobile computer, remember?
If it's DDOS whatever IP the detections come from, then anybody who can get to the control network need only spoof the IP of the control network's IRC server, or the IP of someone they want to see kicked off line, and they get to launch their own DDOS guilt free because somebody else's bot net is doing it.
There was a time in England when a bloke could talk about the gay time he had passing a fag around amongst his friends behind the school (fun/happy time passing a cigarette around) without any double entendres.
;-)
string Hackers="hardware hobbyists"
string Crackers="Saltines, safe-crackers, computer-criminals"
Yeah, but how can crackers be both nefarious and savoury, while cookies, which typically are never savoury, are often nefarious? Seems to me there's a contradiction there. Or is a cracker just a white man's version of a biscuit?
Language evolves. Change your manner of communication or prepare for misinterpretation.
Indeed.
Hi, I need a hobby. Probing the Storm Worm Bot Network sounds like fun. But I need an IP address to use. Anybody know of any MediaSentry/MediaDefender/RIAA addresses that might be available?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Isn't it the controller (human) who just checks the access logs and picks up IPs to DDOS a bit? :)
If it was automated, then the easiest way to kill it is to probe it from many distant places.
Then, when it is starting ddos at them, just shut them down.
You could DDOS the botnet
Patents Drive Free Software as Hurricanes Drive Construction Industry
When Storm first started to get noticed there was a lot of talk about it being state-based, or at least state-sponsored. The fact that it is still out there and alive and "the authorities" have not done anything about it either proves these suspicions, or perhaps more plausibly, that "the authorities" are shockingly clueless. I suppose someone could try to get a contract to wield Storm against "the authorities" and see what happens, but that is rather risky and could result in some very bad consequences.
The storm worm grabbed his post, read it, used its immense computing power to determine that funny is > 0, read the CAPTCHA, solved it using aforementioned computing power, and then posted it. Just to fuck with us all.
Life is rarely fair. Cherish the moments when there is a right answer.
...filtering China works miracles with these threats... (seriously !)
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
Won't work, the C&C (as we're calling it in this thread), knows all its own IP's, it'll be in a database somewhere and the botnet will surely cross-reference before starting a DDOS to prevent DDOS'ing itself. Even still, all you would manage to do by triggering an automatic DDOS attack and against a single node would be knocking out a single node - one infected computer means nothing to the what? 10 million node net?
Also, how do we even know that the DDOS's are automatic? I haven't tampered with Storm yet myself but it could be perfectly possible that they have a group of people watching over it all hours who are overseeing Storm's actions, which means you're not fighting a clever machine, you're fighting a group of hackers with significantly more resources than you.
Anyone remember the 80's?
Again, I haven't been tampering with Storm yet myself, but my guess to counter it - get attacked, log all related IPs, ignore all of them (may require multiple locations since you're going to fuck the first few just building your database), and make a move after that - once it's not nearly as effective against you.
Actually I keep thinking of things that might work and keep thinking of counters or reasons it wouldn't work - so now I feel I have no help - maybe I should explore.
Easy human fix. Someone post the IP of the IRC servers and it'll get slashdotted.. the largest human driven ddos effect on the net vs the largest bot driven ddos. What fun.
Seriously though.. spoof the IP of the IRC server(s) that it uses to communicate or an already infected machine. Just let it DoS itself.
The issue here is one of trust -- it's easy to infect a computer with Storm, and then use that computer to poke around -- if you're right and the IP is in an exception database, then the investigator is invulnerable. If you're wrong, then they can spoof and tie up the botnet.
The concept is to have the net attack a single hardened target, and log all the IPs. Then spoof the IPs using the trigger query used to initiate the original attack.
It doesn't really matter if the DDoSes are automatic or not, they either trust your packets or they don't.
I remember the 80's... I lived very close to one of the loops that was an international social centre for phreakers.
Ignoring that many IPs would do you no good... your system would still grind to a halt handling the traffic. One solution I *can* see is for ISPs to get the fingerprint this DDoS puts out, and disconnect any client IP whose packets match the fingerprint. Then, trigger the DDoS once, and all the cloud members start dropping off the internet.
So what you're saying is we need gory public deaths for murderers to discourage murders?
Unfortunately, then this happens:
Look! The murder rates are going down. The public are scared, and cheering for us for catching the murderers!
But wait, we're running out of murderers.
No matter, just rebrand other criminals. Hell, execute a few people who've only committed lesser crimes, it'll make the crime rates for those go down too!
My god, it works. The prisons are even emptying for the first time ever.
-Total government control, anyone who speaks out or is suspected of any crime is executed-
-Uprising, civil war-
-Rinse and repeat because people never learn from history-
You don't make it public. You arrange a sting of obvious and unfortunate "accidents" or people simply disappear. Do it enough and people generally take the hint.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Mission accomplished!
"I was so pissed I couldn't find a fag when I had that torch!"
Sorry dude, but with fast-flux DNS capability, they're not around (IP address-wise) for long.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Can't we just turn off the Internet? Just close the tubes?
is now fighting back against security researchers that seek to destroy it and has them running scared
From "Things A Klingon Programmer Would Say":
Our users will know fear and cower before our software. Ship it! Ship it, and let them flee like the dogs they are!
The Bleeding-Edge rules for Snort has a list of known hosts to be infected with Storm. Would that be a decent place to start collecting activity to/from those hosts?
If not, then why not put a Windows pawn in place, put it behind a good firewall (maybe*), have a switch to mirror the traffic to record everything, then let that pawn be infected and watch what it does and where it goes. I know each infection only has a subset of other known peers, but at least you can start extracting known peers out of the list. Then watch for the C&C traffic, and *poof* there's the 'inner circle' you want.
*maybe a firewall, maybe not.. if you want to watch all the traffic you might not want anything getting in the way, in order to catch all the traffic. You'll have to sacrifice that system anyway. I can see a larger datacenter-type network having available segments and IP space to hang a machine off the core network rather than someone downstream on a T1 or something small like that.
Am I thinking too logically here? This really doesn't seem to be any more difficult than a typical honeynet project challenge. I'm surprised I haven't seen any further posts on various lists like this. Maybe I'm oversimplifying the whole thing, I dunno.
It's evolution baby!
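An added example (not code from any poster in this thread or from any Storm research tool) that ties together the honeynet idea above, where a sacrificial host is infected and its mirrored traffic is watched to extract peers, and the earlier AV researcher's step of grouping infected IPs per ISP with timestamps so that dynamic addresses can still be matched to a customer. The flow-record format, the netblock-to-ISP table and the known-infected list are all constructed stand-ins (the list stands in for a feed such as the Bleeding Edge Snort host list mentioned above).

```python
"""Turn mirrored traffic from a sacrificial (infected) host into per-ISP peer reports.

Added example for this thread, not code from any poster or Storm research tool.
Assumptions (all constructed): the flow-record text format below, the
netblock-to-ISP table, and the known-infected list, which stands in for an
external feed such as the Bleeding Edge Snort host list.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

SANDBOX_HOST = "10.0.5.20"  # the "Windows pawn" whose switch port is mirrored

# Constructed sample: flows captured on the mirror port, oldest first.
# The last line does not involve the sandbox and must be ignored.
SAMPLE_FLOWS = """\
2007-10-24T03:12:01Z 10.0.5.20:4623 -> 203.0.113.17:7871 udp 212
2007-10-24T03:12:02Z 10.0.5.20:4623 -> 198.51.100.9:23441 udp 190
2007-10-24T03:12:05Z 203.0.113.17:7871 -> 10.0.5.20:4623 udp 640
2007-10-24T03:13:10Z 10.0.5.20:4625 -> 203.0.113.88:11021 udp 212
2007-10-24T03:14:00Z 10.0.5.20:1045 -> 192.0.2.44:80 tcp 1300
2007-10-24T03:20:31Z 10.0.5.20:4623 -> 203.0.113.17:7871 udp 212
2007-10-24T04:01:12Z 10.0.5.20:4623 -> 198.51.100.201:9112 udp 205
2007-10-24T04:02:00Z 10.0.5.30:5555 -> 203.0.113.17:7871 udp 100
"""

# Constructed netblock-to-ISP table (a real run would use WHOIS/ASN data).
NETBLOCKS = {
    ipaddress.ip_network("203.0.113.0/24"): "isp-a",
    ipaddress.ip_network("198.51.100.0/24"): "isp-b",
    ipaddress.ip_network("192.0.2.0/24"): "hoster-c",
}

# Constructed stand-in for an external list of hosts already known to be infected.
KNOWN_INFECTED = {"203.0.113.17", "198.51.100.201"}


@dataclass
class PeerRecord:
    ip: str
    isp: str
    first_seen: datetime
    last_seen: datetime
    flows: int = 0
    ports: set[int] = field(default_factory=set)
    protocols: set[str] = field(default_factory=set)
    known_infected: bool = False


def isp_for(ip: str) -> str:
    """Longest-prefix lookup in the constructed netblock table."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for net, name in NETBLOCKS.items() if addr in net]
    return max(matches)[1] if matches else "unknown"


def parse_flow(line: str) -> tuple[datetime, str, int, str, int, str, int]:
    """Parse one constructed record: '<ts> src:port -> dst:port proto bytes'."""
    ts, src, _arrow, dst, proto, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return stamp, src_ip, int(src_port), dst_ip, int(dst_port), proto, int(nbytes)


def extract_peers(flow_text: str, sandbox: str = SANDBOX_HOST) -> dict[str, PeerRecord]:
    """One record per remote host the sandbox talked to, in either direction.

    Flows that do not touch the sandbox are ignored. First/last-seen timestamps
    are kept because an ISP can only map a dynamic address to a customer if the
    report says *when* that address was observed.
    """
    peers: dict[str, PeerRecord] = {}
    for line in flow_text.strip().splitlines():
        stamp, s_ip, s_port, d_ip, d_port, proto, _ = parse_flow(line)
        if s_ip == sandbox:
            peer_ip, peer_port = d_ip, d_port
        elif d_ip == sandbox:
            peer_ip, peer_port = s_ip, s_port
        else:
            continue
        rec = peers.get(peer_ip)
        if rec is None:
            rec = PeerRecord(peer_ip, isp_for(peer_ip), stamp, stamp,
                             known_infected=peer_ip in KNOWN_INFECTED)
            peers[peer_ip] = rec
        rec.first_seen = min(rec.first_seen, stamp)
        rec.last_seen = max(rec.last_seen, stamp)
        rec.flows += 1
        rec.ports.add(peer_port)
        rec.protocols.add(proto)
    return peers


def reports_by_isp(peers: dict[str, PeerRecord]) -> dict[str, list[str]]:
    """Group peers per ISP, one report line each, ready to paste into an abuse mail."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for rec in sorted(peers.values(), key=lambda r: ipaddress.ip_address(r.ip)):
        grouped[rec.isp].append(
            f"{rec.ip} first_seen={rec.first_seen:%Y-%m-%dT%H:%M:%SZ} "
            f"last_seen={rec.last_seen:%Y-%m-%dT%H:%M:%SZ} flows={rec.flows} "
            f"ports={sorted(rec.ports)} known_infected={rec.known_infected}"
        )
    return dict(grouped)


if __name__ == "__main__":
    for isp, lines in reports_by_isp(extract_peers(SAMPLE_FLOWS)).items():
        print(f"== {isp} ({len(lines)} hosts) ==")
        print("\n".join(lines))
```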
You must be the guy sending me all that spam. Your writing styles are very similar.
I have found there are just two ways to go.
It all comes down to livin' fast or dyin' slow. -REK, Jr.
Blue Frog! Need I say more? They and their support group got nailed! A thousand emails hit my in-box calling me an intruder! Major internet providers need to deal with these issues now! Not by selling us so called "pro-tec-tion" at a price that does not work at times!
Is storm REALLY an evil criminal network? Or are we just being told this by THOSE WHO KNOW BETTER (tm)? Perhaps it's the world's biggest game of core wars, open to all comers, with the "waning" because no one currently has a credible (not immediately beaten down) challenge. Darn those video-game-hating supposed know-betters trying to stop anyone from having a good time! Why I ought to... wait a minute, when did my palms get this hairy? CRAP, THEY'RE RIGHT ABOUT THE PORN!
And for the conspiracy twist, the current winner is... JACK THOMPSON! His lawsuits are all a scam so when he's uncovered as the one who caused so much downtime, people will think he was framed! And he would have gotten away with it too, if it wasn't for you meddling... kids... at Nintendo, who are so afraid of a self-copying game they're hiring the Russian mob to wipe him out, the Viagra spammer was a test run! Next Nintendo and the RIAA join forces to sue MS over a little something nasty they found in cmd.com, something about COPY.
In Communist Russia, our new game-playing overlords welcome you, for one?
Or could the real source and purpose be our favorite search engine? Perhaps this is the only way to get the results we've come to expect at the speed we demand.
In does-no-evil Russia, Google searches you!
(Apologies if I've ripped off a Russia / overlord or conspiracy theory from someone else)
I'm sorry, I thought that singularity was just a game. I'll stop now.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
They linked to this in their RSS feed and are now down.
Coincidence?
Who is John Connor?
What if it's run by a state?
Storm doesn't use an IRC server, or any centralized server in the traditional sense. It uses fast flux; the 'central servers' are always in flux.
And I bet whoever controls that botnet also reads /.
This approach might be somewhat unethical and perhaps illegal, but what if one were to unleash a second worm and create a second net with the express intent to wipe the Storm Worm botnet off the face of the earth? Would it also be possible to infect Storm botnet members with another worm? If so, couldn't you create a worm that prevented Storm Worm from calling back home? Distributing the worm is not an issue, basic social engineering could play a key role. Basically what I'm suggesting is to use black hat techniques against black hats. In order to do so, you'd have to dissect Storm Worm... All I'm saying is that it's possible, isn't it?
"I'm glad I'm going to die because, when I do, the world's gonna go to the dogs." -Me on aging and the next generation.
It doesn't use IRC. You're thinking of oldskool botnets, storm is considerably more sophisticated. It uses a hacked version of the eDonkey protocol to form its own p2p network on random ports, is fully distributed, proxies connections to rotating C+C servers and does its communication via spoofed encrypted hashes.
"Then watch for the C&C traffic, and *poof* there's the 'inner circle' you want" I thought all the storm communication was encrypted. Doesn't that throw a wrench into your ability to actually see what the fuck the botnet is doing?
Any fool can criticise, condemn, and complain, and most fools do. - Benjamin Franklin
With a melon.
Sky subscribers are morons. They pay to be advertised at!
shhhh.....
I know of one bigger Y2K issue:
In Germany's capital Berlin, the fire department's central emergency call/dispatch computer system went down.
This resulted in New Year's Eve celebrations - year 2000 no less - without fire fighters or ambulances.
A really nice chaotic mess ensued as they partially had to resort to pen and paper for the busiest night of the year, because the old hardware of the previous system that was used as a backup couldn't handle the load that night.
For the same reason the system keeping track of the fire department cars' current whereabouts went down, so the central coordinators had only a vague idea where their cars were deployed or who was available to respond to an emergency.
People had to wait up to 90 minutes for an ambulance or a fire truck to come and sweep up the ashes of their homes.
Instead of ambulances, cabs were taking people to the hospital.
The police (separate emergency number/system) had to double as fire fighters, deploying anti-riot trucks equipped with water cannons.
Since lots of emergency calls got lost, they had to switch to a patrol system and send out the police and FD cars to drive through the streets to look for fires - among all the smoke and fire of the New Year's Eve fireworks in the streets.
The data is encrypted, but the traffic patterns most likely aren't obfuscated. After watching it for a while, it should become obvious which traffic (encrypted, but from a source IP) is coming from the C&C group.
As far as dropping an infected box on a high-capacity network, that could be a really bad idea -- unless you put an oBSD box set to transparent mode in the pipeline to log all the data that passes through and also throttle the network connection down to dialup levels so the Windows box doesn't become part of the problem.
You know why this type of thing spreads? Because it works.
You know how long it will keep spreading? As long as it keeps working.
Like spam and direct-mail offers, the only thing that will stop it is for the success rate to fall.
How do you reduce the response rate? Help your friends and family upgrade or patch Windows. Help them install Linux or buy a Mac.
That will work.
Until Storm goes cross-platform, anyways.
"Genius may have its limitations, but stupidity is not thus handicapped." --Elbert Hubbard (1856-1915)
Exactly. I wasn't thinking so much as looking into the packets, but perhaps see what hosts keep contacting it over time (develop a pattern). And yeah, do something like QoS to keep the Windows box from compounding matters.
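The pattern-over-time idea from the two comments above (watch which hosts keep contacting the sacrificial box rather than decrypting anything), as an added example that is not the commenters' code: it buckets constructed flow records by hour and reports the peers that recur across many buckets. The flow tuples, IPs and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records for a sacrificial infected host (not a real capture):
# (timestamp, remote_ip, remote_port, bytes). Two peers check in every hour for
# twelve hours; the rest are one-off contacts from unrelated scanning noise,
# plus one source that shows up in three hours and should still not qualify.
START = datetime(2007, 11, 10, 0, 0, 0)
FLOWS = []
for hour in range(12):
    FLOWS.append((START + timedelta(hours=hour, minutes=5), "203.0.113.40", 7871, 900))
    FLOWS.append((START + timedelta(hours=hour, minutes=37), "198.51.100.12", 11271, 650))
for n in range(1, 21):
    FLOWS.append((START + timedelta(hours=n % 12, minutes=n * 2), f"192.0.2.{n}", 445, 120))
for hour in (1, 2, 3):
    FLOWS.append((START + timedelta(hours=hour, minutes=50), "192.0.2.99", 7871, 300))


def persistent_peers(flows, bucket=timedelta(hours=1), min_buckets=6):
    """Return {ip: (buckets_seen, first_seen, last_seen)} for every peer seen in
    at least min_buckets distinct time buckets, most persistent first.
    Payload bytes are never inspected, so encryption does not matter here."""
    t0 = min(ts for ts, *_ in flows)
    buckets_by_ip = defaultdict(set)
    span = {}
    for ts, ip, _port, _nbytes in flows:
        buckets_by_ip[ip].add(int((ts - t0) / bucket))  # index of the hour bucket
        first, last = span.get(ip, (ts, ts))
        span[ip] = (min(first, ts), max(last, ts))
    result = {
        ip: (len(b), *span[ip])
        for ip, b in buckets_by_ip.items()
        if len(b) >= min_buckets
    }
    return dict(sorted(result.items(), key=lambda kv: -kv[1][0]))


if __name__ == "__main__":
    for ip, (count, first, last) in persistent_peers(FLOWS).items():
        print(f"{ip:16} seen in {count:2} hourly buckets, {first} .. {last}")
```

With the constructed data only the two hourly check-in peers pass the threshold; the twenty one-off sources and the three-hour source are filtered out.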
http://packages.debian.org/stable/net/fail2ban
This package monitors the logs for failed logins to a variety of services and updates the iptables rules to ban that IP. I use 5 failed logins, which results in 24 hrs of banning.
On Debian's default installation of ssh and other services, fail2ban already has appropriate rule sets, so it takes 5 minutes to install. In addition you can write your own rule sets for other login services and firewalls.
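The 5-failures-then-24-hour-ban policy described above, as an added example that is not fail2ban's own code or the commenter's: it reads constructed sshd auth-log lines, keeps a sliding ten-minute window of failures per source IP and records a ban expiry once a source reaches five. The sample log lines, the assumed year for the syslog timestamps and the window sizes are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd's "Failed password" line, the event fail2ban's sshd filter keys on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample auth log (not a real capture). 203.0.113.7 fails five times in
# sixteen seconds; 198.51.100.9 fails once then succeeds; 192.0.2.5 fails five
# times but twelve minutes apart, so never five inside a ten-minute window.
SAMPLE_LOG = """\
Nov 10 03:00:00 host sshd[4001]: Failed password for invalid user admin from 192.0.2.5 port 40001 ssh2
Nov 10 03:12:00 host sshd[4002]: Failed password for invalid user admin from 192.0.2.5 port 40002 ssh2
Nov 10 03:14:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 50222 ssh2
Nov 10 03:14:05 host sshd[4102]: Failed password for root from 203.0.113.7 port 50223 ssh2
Nov 10 03:14:09 host sshd[4103]: Failed password for root from 203.0.113.7 port 50224 ssh2
Nov 10 03:14:13 host sshd[4104]: Failed password for root from 203.0.113.7 port 50225 ssh2
Nov 10 03:14:17 host sshd[4105]: Failed password for root from 203.0.113.7 port 50226 ssh2
Nov 10 03:15:00 host sshd[4201]: Failed password for bob from 198.51.100.9 port 33001 ssh2
Nov 10 03:15:30 host sshd[4202]: Accepted password for bob from 198.51.100.9 port 33002 ssh2
Nov 10 03:24:00 host sshd[4003]: Failed password for invalid user admin from 192.0.2.5 port 40003 ssh2
Nov 10 03:36:00 host sshd[4004]: Failed password for invalid user admin from 192.0.2.5 port 40004 ssh2
Nov 10 03:48:00 host sshd[4005]: Failed password for invalid user admin from 192.0.2.5 port 40005 ssh2
"""

def parse_ts(text, year=2007):
    # Syslog timestamps carry no year; the caller supplies one (assumed here).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def ban_decisions(lines, maxretry=5, findtime=600, bantime=86400, year=2007):
    """Return {ip: ban_expiry} for every source that reaches maxretry failures
    inside a sliding findtime window (seconds); bantime is the ban length."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts, ip = parse_ts(m.group("ts"), year), m.group("ip")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures that aged out of the window
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans
```

Running `ban_decisions(SAMPLE_LOG.splitlines())` on the constructed log bans only 203.0.113.7, with the ban expiring a day after its fifth failure.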
I don't believe that it is state-sponsored, unless the state in question is the Vatican.
It's plausible if you think about it, and you consider the ubiquitous comment about technology being driven by the porn industry.
May not be the Vatican... could be the Mormons (not to pick on them, but they aren't hurting for money), or any other extremely fundamentalist group out there. They could be waiting for the bot-net to become powerful enough to destroy the modern version of Sodom and Gomorrah (at least in their eyes).
Ramen
The larger ones probably didn't reply because they have a legal department that restricts what they can and can't say in a reply. They might not be allowed to acknowledge your notification, but might still very well be acting on it. Basically, they have no way of knowing what you'd do with any reply they did give (i.e., publicize, criticize, etc.). Smaller ISPs probably don't have as many legal concerns (possibly also because their company isn't an openly traded stock), so they're probably much more eager to work with free tips.