Storm Worm Strikes Back at Security Pros
alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."
Interestingly, that might not even help:
http://it.slashdot.org/article.pl?sid=07/10/05/1234217
Yeah, and when the Storm Worm drops the whole network segment you are f'ed. Your ISP will drop you if you keep dropping their routers. Because, well, not everything is about you. This botnet has much more power than you think it does.
Because the servers are not actually belonging to the people who wrote Storm.
Don't know about that. Only if they thought of it to begin with. Back in the early days of undernet a few of us figured out how to get the official administrative bots to fight each other. Wait for a net split, join as a bot's name and start a flood attack on another bot. It gets triggered and kick/bans you. The net rejoins and the fight starts. It was fun to watch for the week we were able to do that trick until they fixed the bots.
Unless the devs think long and hard on how to attack it and work in ways to avoid it, I doubt they put that feature in.
Do not look at laser with remaining good eye.
Bruce Schneier wrote that the worm was starting to retaliate. It was linked to by a poster on this Slashdot story. The guy who posted the analysis you refer to seems to be a lowly sysadmin (He's affiliated with Network Operations at the UCSD - so not a researcher) - I would tend to believe Bruce more, and viewed that analysis with some skepticism, which now appears to have been justified.
I see a lot of these all the time, they seem to be cycling through a list of names. At the moment they are trying account names like 'root', 'linux', 'admin', 'test', 'testftp', 'webmaster' etc. and user names like 'melissa', 'danny', 'nicholson' etc.
I don't think this means that they added an SSH back door, just that they have enough compute resources to try hundreds of combinations of likely names and passwords in the hope they get lucky.
The command and control system is rather clever. Some machines of the botnet itself are the C&C servers. They are rotated at random. One server remains a C&C node for only days or hours at a time. I have no idea how the botnet owner figures out how to connect...
Bot Assisted Blogging
So? If we do in fact know where they are physically located, local police should go and confiscate them.
then you need fail2ban http://www.fail2ban.org
just in case they might eventually get lucky...
Uhm...what? The TCP sequence number issue is related to Man in the Middle attacks (which in the strictest sense is a type of spoofing, but not usually referred to like this). Spoofing is generally talking about sending packets pretending to be someone else, i.e., putting a bad source on them. So now if I am computer A, and you are computer B, and I send you SYN DST A SRC C you will respond ACK/SYN to computer C. Unless my computer has PsychicHackWizard 3.0 or I have installed MagikRouter1337 those packets won't ever make it back to me.
The only change I can believe in is what I find in my couch cushions.
Have you seen the other front-page story?
http://it.slashdot.org/article.pl?sid=07/10/05/1234217
The cracked Linux boxes are controlling the Windows machines.
It's worse than we thought...far worse.
No, Apache was running in its own account, but I think they installed a console PHP script and ran some sort of local exploit. Like I said, no clue exactly how they did it, and the log files were pretty well trashed. Our first clue something was screwy was when we logged in and none of the standard utilities like ls were behaving properly (kept complaining that the standard switches like -l and -a were invalid). The whole system was trashed and we had to do a total re-install. The hosting company kept a backup of the old system and we tried to figure out everything we could from the logs left over as well as watching how the attackers behaved after we restored the system, but other than probing for a few files we had cleaned up and a bunch of attempts to log in to SSH with a pair of accounts we didn't see them do anything else. That's part of why I suspect it was some sort of PHP exploit centered around PHPBB, because that didn't get re-installed when we brought the system back up and some of their probes tried to access files that belonged to that.
Curiosity was framed, Ignorance killed the cat.
I run SSH on a non-standard port. Probes in the logs went away.
Yep, mea culpa :-(
Not keeping up with my sys-admin duties.
I've seen this kind of thing in the logs for quite a while, but not at this level (1000s of attempts in a day). I hadn't noticed the increasing rate. A case of familiarity breeds contempt, "yep, seen those before .. not much can do about them" without really checking how often they happen.
I remember when I first saw them appearing I contacted my ISP, and their reaction was much the same "yep, that's what happens when you connect a box to the net". I offered to pass on the IP addresses but they weren't interested. I got the impression they see this kind of thing all the time.
What do people suggest I do with the IP addresses of hosts doing the scanning? Is it worth checking the whois information and contacting the sys admin or abuse email address if there is one?
Just run DenyHosts
/etc/hosts.deny - 74.86.168.131 (wdbservers.com)
::ffff:74.86.168.131 (::ffff:74.86.168.131)
Oct 24 19:21:40 UtopiaPlanetia sshd[10319]: Failed password for invalid user staff from 74.86.168.131 port 51218 ssh2
Oct 24 19:21:43 UtopiaPlanetia sshd[10321]: Failed password for invalid user sales from 74.86.168.131 port 51494 ssh2
Oct 24 19:21:46 UtopiaPlanetia sshd[10323]: Failed password for invalid user recruit from 74.86.168.131 port 51739 ssh2
Oct 24 19:21:49 UtopiaPlanetia sshd[10325]: Failed password for invalid user alias from 74.86.168.131 port 51998 ssh2
Oct 24 19:21:52 UtopiaPlanetia sshd[10328]: Failed password for invalid user office from 74.86.168.131 port 52226 ssh2
Oct 24 19:21:53 UtopiaPlanetia denyhosts: Added the following hosts to
Oct 24 19:21:55 UtopiaPlanetia sshd[10333]: refused connect from
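The counting that DenyHosts and fail2ban do over exactly these sshd lines (and the cycling of usernames noted earlier in the thread), as an added example that is not code from the thread or from either project: it parses "Failed password" lines, flags any source with enough failures inside a sliding window, and renders the result in hosts.deny syntax. The regex, the 5-in-60-seconds threshold and the 192.0.2.10 lines are assumptions and constructed sample data, not anything from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd failure lines quoted in the thread (syslog format, no year field).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(lines, year=2007):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:  # accepted logins, denyhosts output and other noise are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(lines, threshold=5, window_seconds=60):
    """Map source IP -> usernames tried, for sources with >= threshold failures in a window."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        per_ip[ip].append((ts, user))
    result = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window past failures that are too old
            if end - start + 1 >= threshold:
                result[ip] = sorted({u for _, u in events})
                break
    return result

def hosts_deny_lines(lines, **kw):
    """Render offenders in /etc/hosts.deny syntax, one 'sshd: IP' entry per host."""
    return [f"sshd: {ip}" for ip in sorted(offenders(lines, **kw))]

# Constructed sample: the thread's five failures, plus two failures and a key login from 192.0.2.10.
SAMPLE_LOG = """\
Oct 24 19:21:40 UtopiaPlanetia sshd[10319]: Failed password for invalid user staff from 74.86.168.131 port 51218 ssh2
Oct 24 19:21:41 UtopiaPlanetia sshd[10320]: Failed password for invalid user melissa from 192.0.2.10 port 40001 ssh2
Oct 24 19:21:43 UtopiaPlanetia sshd[10321]: Failed password for invalid user sales from 74.86.168.131 port 51494 ssh2
Oct 24 19:21:46 UtopiaPlanetia sshd[10323]: Failed password for invalid user recruit from 74.86.168.131 port 51739 ssh2
Oct 24 19:21:49 UtopiaPlanetia sshd[10325]: Failed password for invalid user alias from 74.86.168.131 port 51998 ssh2
Oct 24 19:21:52 UtopiaPlanetia sshd[10328]: Failed password for invalid user office from 74.86.168.131 port 52226 ssh2
Oct 24 19:21:58 UtopiaPlanetia sshd[10335]: Failed password for invalid user danny from 192.0.2.10 port 40002 ssh2
Oct 24 19:22:05 UtopiaPlanetia sshd[10340]: Accepted publickey for alice from 192.0.2.10 port 40003 ssh2
"""
```

With the defaults only 74.86.168.131 is flagged; lowering the threshold to 2 also catches 192.0.2.10, and shrinking the window to 5 seconds drops it again because its two failures are 17 seconds apart.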