Slashdot Mirror

← Back to Stories (view on slashdot.org)

Storm Worm Strikes Back at Security Pros

Posted by ScuttleMonkey on from the skynet-worm dept.

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

6 of 371 comments (clear)

  1. Re:Wait a minute... by Bryansix · · Score: 3, Informative

    Because the servers are not actually belonging to the people who wrote Storm.

  2. Re:Sounds ripe for abuse by Lumpy · · Score: 3, Informative

    Dont know about that. only if they though of it to begin with. Back in the early days of undernet a few of us figured out how to get the official administrative bots to fight each other. Wait for a net split, join as a bot's name and start a flood attack on another bot. IT get's triggered and kick/bans you. the net rejoins and the fight starts. it was fun to watch for the week we were able to do that trick until they fixed the bots.

    Unless the dev's think long and hard on how to attack it and work in ways to avoid it I doubt they put that feature in.

    --
    Do not look at laser with remaining good eye.
  3. Re:Contact the users by zrq · · Score: 5, Informative

    ... the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file ...

    I see a lot of these all the time, they seem to be cycling through a list of names. At the moment they are trying account names like 'root', 'linux', 'admin', 'test', 'testftp', 'webmaster' etc. and user names like 'melissa', 'danny', 'nicholson' etc.

    I don't think this means that they added a SSH back door, just that they have enough compute resources to try hundreds of combinations of likely names and passwords in the hope they get lucky.

  4. Re:Wait a minute... by Fizzl · · Score: 3, Informative

    The command and control system is rather clever. Some machines of the botnet itself are the C&C servers. They are rotated at random. One server remains a C&C node for only days or hours at a time. I have no idea how the botnet owner figures out how to connect...

    --
    Bot Assisted Blogging
  5. Re:Contact the users by Culture20 · · Score: 4, Informative

    then you need fail2ban http://www.fail2ban.org
    just in case they might eventually get lucky...

  6. Re:Contact the users by zrq · · Score: 4, Informative

    Yep, mea cupla :-(
    Not keeping up with my sys-admin duties.

    I've seen this kind of thing in the logs for quite a while, but not at this level (1000's of attempts in a day). I hadn't noticed the increasing rate. A case of familiarity breeds contempt, "yep, seen those before .. not much can do about them" without really checking how often they happen.

    I remember when I first saw them appearing I contacted my ISP, and their reaction was much the same "yep, thats what happens when you connect a box to the net". I offered to pass on the IP addresses but they weren't interested. I got the impression they see thing kind of thing all the time.

    What do people suggest I do with the IP addresses of hosts doing the scanning ? Is it worth checking the whois information and contacting the sys admin or abuse email address if there is one ?