Slashdot Mirror
Storm Worm Strikes Back at Security Pros
alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."
So, these people are trying to sell these botnets for extortion and spamming purposes right? Well, seems to me that they just opened up a loophole for at least one category of customer to get free "service" by spoofing whoever he wants to DDoS and poking the botnet till it retaliates. Boom, instant DDoS and he didn't have to pay a dime for the service. I do like the idea someone else put out of spoofing as one of the other control nodes, thereby getting the net to DDoS itself, but it may be just smart enough not to do that.
Curiosity was framed, Ignorance killed the cat.
ooooh sneaky, I like that. Isn't that illegal or something though? I don't think anyone would care but that's probably why they're not doing it. They could at least pull their heads out of their asses and not try and probe the servers using their company's main network!!! Do it on some small, seperate connection that really wouldn't matter if it got DOSed. Hey speaking of that, do it and let them DOS you and then make a log of all the IPs doing it and I'm sure ISPs would agree to disconnect all customers with those IPs until they get rid of storm by reinstalling windows or whatever.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Higher ed had some of their systems attacked in this way going back to at least July. I lost a machine because of this because the system (running FreeBSD) had a marginal disk that eventually died under the load incurred by logging "Limiting icmp ping response from..." messages. Fortunately, we were smart enough to NEVER use systems like our workstations for downloading malware from suspected sources.
Easy lesson for those thinking of doing research: Remember to have a machine dedicated to the task of talking to untrusted outsiders.
Wouldn't the obvious counter-strategy to this be to give the botstorm enough targets to make their DOS attempts too dilute to be a threat?
You theoretically would not need a comparable number of targets to attackers - just enough to lower the magnitude of the counter attack to the point where you could get acceptable results. You could also have targets that 'play dead' in some ways so the attackers can't fix on a minimum magnitude to counter attack with, and instead have to throw zombies until the target stops moving, where the target just gets right back up after playing dead. That way, the window you have before you 'play dead' might be used to get relatively clear results.
Just one guy's idea.
Ryan Fenton
What's bigger, the Storm effect... or the Slashdot effect ...
Deleted
Yeah, buddy of mine had his Gentoo box rooted and used as some sort of base system for rooting others. He found out after his ISP notified him that they shutdown his internet access because his server had been reported as probing other servers for vulnerable PHP apps. Not entirely sure how they rooted the box, but from what I could piece together going through the logs they managed to find a old copy of PHPBB he had been mucking around with on a subdomain (never linked it to anything, so they must have found it by brute force scanning, or maybe combing through DNS records). The traffic logs from other systems and the local logs all showed a series of automated scans for about 2 dozen known vulnerabilities in various pieces of pre-packaged PHP applications in a whole tone of domains. Looked like they just lifted a big chunk of every registered domain between something like ba-fa and were just working their way through it running scans. After we wiped the system and did a fresh install the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file. They really did a number on that system, and we didn't even know about it for a couple weeks because no one actually logs into the server, at most it gets a new file ftped to it every few weeks or so as things are tweaked.
Curiosity was framed, Ignorance killed the cat.
At my job, we started Y2K work in the mid 90's and worked on it quite heavily in 1998-1999 (note the 4 digits ;) ). And, though the sky wouldn't have fallen, I guarantee that if we hadn't fixed the problems, it would have been more than a MINOR inconvienience.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
So? If we do in fact know where they are physically located, local police should go and confiscate them.
Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.
There's a lot of these computers out there, which is the whole point. If every one was subject to seizure, computer security would immediately become part of popular conversation. Helluva social storm, probably.
Tweet, tweet.
I got the skynet link of course, and it's apt. What we are seeing is the slow transition from single cellular behaviour to a multi cellualr organism. That is instead of being fighting on it's own, it now has a global immune response to an invader (security researcher). With the advent of virtual machine detectors last year these things now commit apoptosis when they detect they have been invaded by the security researcher.
In other words we have changed roles. Instead of us being the host and them being the virus, it now is behaving like a host and us as the invasive organism.
These things certainly have enough global cpu strength to do some serious artifical intelligence. even if it were not efficient, they have millions of cpus to harness. Some already do have code changing algorithms to hide their signature. And the ones that survive, are the fittest in an evolutionary sense. At some point they may actually start changing their own design, and eventually their own requirements.
So skynet may evolve itself naturally, not as an actual construction.
Some drink at the fountain of knowledge. Others just gargle.
fail2ban (or something similar) should be a default in the popular distributions if you install openssh/apache/vsftp etc. Not only does it slow, and stop for a period, brute force attacks against the host - the single best feature is the email notification bringing the issue to your notice. That is the most valuable thing it brings to the table. It also highlights the idiots who forget their passwords inside your network providing much needed entertainment.
If it's grain of salt time, let's look at which is more likely:
a) Something big changed and 10 million Windows users suddenly wised up and cleaned up their compromised systems.
b) The people behind Storm have made it harder to detect so we only think that there are fewer compromised systems.
Intron: the portion of DNA which expresses nothing useful.
As one of the "threatened" AV researchers, I was of course interested in getting the bots offline, at least to the degree that I can (I kinda have little chance to put pressure on ISPs in some country that I can't even spell correctly).
So I went and gathered the IP addresses of infected machines. I aggregated them and grouped them to the corresponding ISPs, complete with timestamp (just in case they use dynamic IP addresses and thus need them to contact the corresponding users), then I sent out a mail to 10 different ISPs, just as some kind of test.
The result:
5 didn't reply at all.
2 replied that they are "looking into the issue". I guess they're learning the list by heart 'cause after a month now, still no further reply.
One replied with the question whether I try to infect their system and how I dare to say that their users might do something illegal (talk about knowledge).
One replied that they can't do jack because I could just as well have forged that list to mess with their users and they don't care.
Only a single ISP actually thought the matter is important enough to contact me with a request for more information and whether they can do something proactively.
One.
The smallest one, btw. With 20 infected machines (compared to a few 100 with the biggest one, one of the first group that didn't even care enough to reply).
You can't win this way. ISPs don't care at all, at least until the botnet starts using more bandwidth than their torrent leechers. It would mean work for them, what's worse, it means their customers bother their call center with angry calls and maybe even questions how to clean their machines and maybe they even cancel their service over it. In short, taking things like this serious costs them money but doesn't get them anything, so they won't do it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Since I can't sell you anything to remedy it (nobody can. Don't believe in snakeoil. The best anyone can do is sell you something so you don't become part of the botnet, but nothing saves you from being a target), I can tell you upfront: It is a threat. A big one.
We're facing a huge network here with the capability to strike a single target. It's not that any of those machines are actually a threat to any kind of server. It's the fact that there are thousands (I think millions is a wee bit exaggerated, but we're certainly facing a number in the upper 5 digits or lower 6).
The threat isn't so much to a single server or a single corporation, the threat actually touches international borders (pardon the pun). We're talking something here that threatens the infrastructure of the internet itself.
The reason why the internet doesn't collapse under its own weight is that nobody uses the bandwidth fully all the time, and there isn't a single target node everyone wants to connect to. Now imagine exactly that happens. Everyone (or let's say one out of 10 machines) on the net goes full bandwidth on one target.
The problem isn't so much that this target is dead due to a DDoS. That's a given. The problem is that the backbone gets under serious stress. And that's where not only the single server but the whole infrastructure of the net around it comes under pressure. Not long ago, Denmark had a network blackout. I think it's no longer a secret what was the reason.
What's worse is that the whole mess seems to be nothing more than a test balloon. When you look at the way this is distributed and worked, you notice that it is by far not what could be considered an "all out" attempt at infecting. It's more a rather limited effort, with days and sometimes weeks between the launch of new infections, and very, very few "real" DDoS attacks, mostly defensive. Very few offensive attacks have been launched so far.
That's what worries me.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Because everytime I dared to use more ports than the average Internet Exploiter session they turned me off saying I had a "virus". Didn't matter that I was running a highly locked down Xandros Pro and could show them that my logs only contained my traffic. Some PHB had decided "If it's not Windows and
Point is, just because You and I (and most slashdot readers) know what the signs of a virus/worm/botnet infection is, doesn't mean the PHB who'll write the policy will. I can promise you that you get something like that passed at your ISP and you'll spend every other week trying to explain to them that Emule/Bit torrent/VoIP/VPN/etc is NOT a virus only to get yourself turned off the next time you dare to run a Program/OS/Protocol that they don't understand. Trust me, as someone who has been through this, it just isn't worth it. And if you are in the U.S., and your choices are *hole ISP or dialup, What then? Not everyone can just move like I did.
And let us not forget the "let's screw everyone for big profits" mentality going on in the US right now. The ISP would have a real good excuse-"We can't tell the difference between that (insert competitors program here) and a virus! If they want to run that thing, they should have to pay us triple for the risk!"
I learned a long time ago to look at the absolute worse case, because in the US that's probably what you'll end up with.
ACs don't waste your time replying, your posts are never seen by me.