Slashdot Mirror


Storm Worm Strikes Back at Security Pros

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

3 of 371 comments

  1. Re:Contact the users by zrq · Score: 5, Informative

    ... the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file ...

    I see a lot of these all the time; they seem to be cycling through a list of names. At the moment they are trying account names like 'root', 'linux', 'admin', 'test', 'testftp', 'webmaster' etc. and user names like 'melissa', 'danny', 'nicholson' etc.

    I don't think this means that they added an SSH back door, just that they have enough compute resources to try hundreds of combinations of likely names and passwords in the hope they get lucky.

  2. Re:Contact the users by Culture20 · Score: 4, Informative

    then you need fail2ban http://www.fail2ban.org
    just in case they might eventually get lucky...
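The pattern the two comments above describe (one source cycling through a list of account names, and fail2ban's answer of banning a source once it crosses a failure threshold inside a time window) can be checked against sshd logs directly. The following is an added example, not code from the thread or from fail2ban: it parses sshd "Failed password" lines, counts failures and distinct usernames per source address, and flags a source that reaches `maxretry` failures within `findtime` seconds, the same rule fail2ban's sshd jail applies. The log lines are constructed for illustration (documentation-range addresses), and the threshold values are assumptions.

```python
"""Detect SSH password-guessing from sshd log lines, fail2ban-style.

Added example: the log lines below are constructed and the thresholds
(maxretry=5, findtime=600s) are assumptions chosen for the illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both forms of sshd's failure line: a known account
# ("Failed password for root from ...") and an unknown one
# ("Failed password for invalid user melissa from ..."). Syslog
# timestamps carry no year, so only same-year comparisons are meaningful.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: one host cycling through guessed names in a few
# seconds, and one legitimate user mistyping a password twice an hour apart.
SAMPLE_LOG = """\
Oct 25 10:12:01 gw sshd[4120]: Failed password for invalid user melissa from 198.51.100.7 port 51234 ssh2
Oct 25 10:12:03 gw sshd[4122]: Failed password for invalid user danny from 198.51.100.7 port 51240 ssh2
Oct 25 10:12:04 gw sshd[4124]: Failed password for root from 198.51.100.7 port 51244 ssh2
Oct 25 10:12:06 gw sshd[4126]: Failed password for invalid user testftp from 198.51.100.7 port 51250 ssh2
Oct 25 10:12:08 gw sshd[4128]: Failed password for invalid user webmaster from 198.51.100.7 port 51256 ssh2
Oct 25 10:12:09 gw sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 51260 ssh2
Oct 25 10:15:00 gw sshd[4140]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Oct 25 10:30:00 gw sshd[4150]: Failed password for alice from 192.0.2.10 port 40010 ssh2
Oct 25 11:30:00 gw sshd[4160]: Failed password for alice from 192.0.2.10 port 40020 ssh2
"""


def parse_failures(lines):
    """Return a list of (timestamp, user, ip) for each failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects etc. are not failures
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def summarize(events, maxretry=5, findtime=600):
    """Per source IP: total failures, the set of usernames tried, and whether
    the source ever produced `maxretry` failures inside any `findtime`-second
    sliding window (fail2ban's ban condition, expressed as a detector)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "flagged": False})
    windows = defaultdict(deque)  # recent failure timestamps per IP
    for ts, user, ip in sorted(events):
        info = per_ip[ip]
        info["attempts"] += 1
        info["users"].add(user)
        w = windows[ip]
        w.append(ts)
        # Drop failures that fell out of the window before counting.
        while (ts - w[0]).total_seconds() > findtime:
            w.popleft()
        if len(w) >= maxretry:
            info["flagged"] = True
    return dict(per_ip)


def flagged_sources(lines, maxretry=5, findtime=600):
    """Convenience wrapper: the sorted list of IPs that crossed the threshold,
    which is what you would hand to a firewall rule or an abuse report."""
    summary = summarize(parse_failures(lines), maxretry, findtime)
    return sorted(ip for ip, info in summary.items() if info["flagged"])


if __name__ == "__main__":
    for ip, info in summarize(parse_failures(SAMPLE_LOG.splitlines())).items():
        status = "FLAGGED" if info["flagged"] else "ok"
        print(f"{ip:16} {info['attempts']:3} failures, "
              f"{len(info['users'])} usernames tried: {status}")
```

Run against `/var/log/auth.log` (or `journalctl -u ssh` output) by passing the lines to `summarize(parse_failures(...))`. The distinct-username count is the useful signal the raw failure count hides: a legitimate user who mistypes produces many failures for one name, while a scanner produces one failure each for many names, which is the cycling behaviour described in the first comment.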

  3. Re:Contact the users by zrq · Score: 4, Informative

    Yep, mea culpa :-(
    Not keeping up with my sys-admin duties.

    I've seen this kind of thing in the logs for quite a while, but not at this level (1000s of attempts in a day). I hadn't noticed the increasing rate. A case of familiarity breeds contempt: "yep, seen those before ... not much I can do about them", without really checking how often they happen.

    I remember when I first saw them appearing I contacted my ISP, and their reaction was much the same: "yep, that's what happens when you connect a box to the net". I offered to pass on the IP addresses but they weren't interested. I got the impression they see this kind of thing all the time.

    What do people suggest I do with the IP addresses of hosts doing the scanning? Is it worth checking the whois information and contacting the sys admin or abuse email address if there is one?