Storm Worm Strikes Back at Security Pros
alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."
The bot-net probes you.
~ I am logged on, therefore I am.
Have them shut down and re-install Windows (not recommended)
or install GNU/Linux.
You are being MICROattacked, from various angles, in a SOFT manner.
...beginning to learn at a geometric rate?
*An overweight Bond sits at a computer desk littered with Payday bar wrappers and graphic novels. He struggles to breathe as he brushes at the Cheetos crumbs stuck in his stubble. A blinking light flashes on his monitor and he reaches up with his stubby fat fingers to press the 'Accept Transmission Now' key. The video feed of an equally bloated and zit-faced man, though somewhat less pasty white, comes up.*
... I would like to discuss your latest attempts to probe my botnets on the interweb. ... SATURATE YOUR BANDWIDTH!
Cats: Good evening, Mr. Bond, I was just hitting up some 3 am Taco Bell for fourth meal
Bond: *wheezes at the sight of his archnemesis* Cats! I should have known it was you! You won't get away with this diabolical scheme!
Cats: Oh won't I, Mr. Bond? I have all of the world's computers trapped to do my bidding. What would you say if I told you I could bring any website to its knees with a DDOS attack? I noticed you have an apache http server running, Mr. Bond. Perhaps sharing pictures with your loved ones!? Well, I hope a billion attempts to access those images won't
Bond: My GOD! You've gone mad with power, Cats. You're a madman! You'll never get away with this. How do you even keep your franken net in check? What happens when it turns on you?
Cats: Oh, I think I will, Mr. Bond, Caribbean law is quite kind when it comes to orchestrating botnets. Prepare to say goodnight. Good luck making your raiding schedule, I hope you won't miss those 50 DKP!
*Bond's screen slows to a crawl as he rushes to turn off Apache*
Bond: Nooooooooooo!
My work here is dung.
My girlfriend has worms in her pussy I think, or probably maggots, the damn thing smells so bad. Does anyone here know how to fix that?
Brilliant!
init 11 - for when you need that edge.
Perhaps people who are probing should spoof their address to match another command and control unit.
Oh come on, that's ridiculous. I'm 20 and I know how to get around that, let alone huge security company employees. So you get a second cheap connection from your ISP for like crazy cheap. It could even be a standard DSL or cable connection through a standard modem. Then use some temporary computer you just set up on the new connection to poke around. If you start getting DOSed you unplug the modem and try again. Some corporate customer carrying ISPs will even let you just change your IP. You could get on a new IP and keep poking like 50 times in a day at least. It's really not that hard and not that sneaky.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
If the "command and control" servers have been found, why haven't the IPs been masked to physical addresses and physical security types with physical balaclavas and physical MP5s probing the physical door?
How can I believe you when you tell me what I don't want to hear?
just wait till it realizes that humans are the ones doing the probing.
Letters of Marque, please?
Can we get a "-1 Wrong" moderation option?
Running scared? Are they serious? Suddenly I see a scene in those old hero flicks where a woman in the crowd stands and says, "Is there no one? No one out there who will save us!?"
Impose the death penalty for these hackers/crackers or whatever you call them these days.
Public execution. And make it totally Medieval. Gruesome and painful and prolonged.
I guarantee you within one year the hacking/cracking/whatever will have come to an absolute total stop.
I'm not kidding. I'm 100% serious.
These people are vermin. They are the lowest of the low and they deserve to be tortured to death in the most gruesome ways.
Didn't I just hear that the Storm worm was slowing to a crawl?
GetOuttaMySpace - The Anti-Social Network
...the biggest WTF are the comments, well done!
From what I read up on this storm bot it seems the weak point is the registered domains. Why don't they just shut them down? They have proof that certain domain names are implicated in the scam and they know they are doing the fast DNS switch thing. It would seem to be a lot easier than trying to get 1 million individual PCs patched up.
So, these people are trying to sell these botnets for extortion and spamming purposes right? Well, seems to me that they just opened up a loophole for at least one category of customer to get free "service" by spoofing whoever he wants to DDoS and poking the botnet till it retaliates. Boom, instant DDoS and he didn't have to pay a dime for the service. I do like the idea someone else put out of spoofing as one of the other control nodes, thereby getting the net to DDoS itself, but it may be just smart enough not to do that.
Curiosity was framed, Ignorance killed the cat.
Higher ed had some of their systems attacked in this way going back to at least July. I lost a machine because of this because the system (running FreeBSD) had a marginal disk that eventually died under the load incurred by logging "Limiting icmp ping response from..." messages. Fortunately, we were smart enough to NEVER use systems like our workstations for downloading malware from suspected sources.
Easy lesson for those thinking of doing research: Remember to have a machine dedicated to the task of talking to untrusted outsiders.
Is the Machine War finally at hand?
.. I'm still waiti
Wouldn't the obvious counter-strategy to this be to give the botstorm enough targets to make their DOS attempts too dilute to be a threat?
You theoretically would not need a comparable number of targets to attackers - just enough to lower the magnitude of the counter attack to the point where you could get acceptable results. You could also have targets that 'play dead' in some ways so the attackers can't fix on a minimum magnitude to counter attack with, and instead have to throw zombies until the target stops moving, where the target just gets right back up after playing dead. That way, the window you have before you 'play dead' might be used to get relatively clear results.
Just one guy's idea.
Ryan Fenton
What's bigger, the Storm effect... or the Slashdot effect ...
Deleted
This is something that has been known and announced for many months now. Additionally, the new variants of it do not seem to trigger DDoS attacks in quite the same way.
Wouldn't it be funny if the worm was never intended to phone home for instructions, meaning any attempt to contact "command centers" would always be the result of probes ?
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Just do the probing from some network like Google, Akamai, Microsoft, etc. with so much bandwidth to spare that nobody could possibly orchestrate a DDoS attack against them. I can't imagine what it would take to DDoS a network that has multiple 10Gb links and distributes connections among thousands of computers.
dom
This battle reminds me of the war in The Matrix, part 3 (which most of the /. crowd did not like). Here, as there, humans are fighting against a virus which is developing new methods (Agent Smith) and attacks the humans. So in the end: the matrix is true; we all live in a dream world. If only I could stop bullets.
It seems to me that it would be a better use of his time to direct those DDoS attacks at people with money, who are actually willing to part with it. If the guy is directing attacks against insecurity experts, he must be either worried they'll feck up his precious botnet, or he's a muppet (or both I suppose).
You can, but it usually hurts really, really badly.
There is a war going on for your mind.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
find -name "*base*" -exec chown us {} \; ; ln -s
I had these morons DDoS my network several times, so if someone could "eliminate" these people and their botnets I'm welcome to it. I think the Russian mafia got a good idea http://it.slashdot.org/article.pl?sid=07/10/11/2157244 but we need to get the botnet also. We are just a non-profit research organization so we don't make any money, so trying to ransom us is like trying to get blood from a rock (turnips have proteins in them and if someone has the time they can convert it to blood).
So? If we do in fact know where they are physically located, local police should go and confiscate them.
Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.
There's a lot of these computers out there, which is the whole point. If every one was subject to seizure, computer security would immediately become part of popular conversation. Helluva social storm, probably.
Tweet, tweet.
From the anti-storm-researchers' secret planning session with Interpol:
OK, I think I know foo is a C&C. Here's the plan: We'll set up our probe machine with external monitors then start probing the hell out of foo.
When the botnet attacks, we'll know it's a C&C.
Now you guys put external monitors on foo and see who is connecting to it. If you can gain physical access undetected, do so.
If anyone accesses foo over any suspicious channel start monitoring them as well.
Once you think you've got a handle on the people involved, raid everyone.
From next year's newspapers:
October 24, 2008: Interpol, in cooperation with police agencies worldwide, announced the capture of Dr. Evil. He is charged with numerous computer crimes.....
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I see the same sort of law-and-order assumptions here that I would like to believe in. Sadly, that phase in my life has ended.
Sure, you can find who is DDoS'ing you. You can then call the ISP/hosting company and complain. If they are in the US they will likely as not just tell you to get a court order. Outside the US they will laugh and suggest you bribe them. Either way, it is their customer's right to operate in whatever manner they choose. If they are presented with a valid court order from a court in their jurisdiction, they will quickly and efficiently comply. Otherwise, your complaint will go in the bit bucket.
Mostly the problem is that to a lot of ISPs their customer (and the revenue from that customer) is a whole lot more important than the negative effects their customer is having. Also, the customer may be Daddy and Sonny is the one causing all the trouble. Why would anyone want to offend bill-paying Daddy by cutting off service?
The problem here is that regardless of the problem - a botnet infested computer, a script kiddy trying to break in, or some other mischief - if you let it go, it gets worse. Every time a script kiddy gets to feel that rush of excitement at breaking into some computer somewhere without any consequences they get bolder. In the US it is not really possible to go after them until they run up at least $25,000 in damages. Because of this, you never hear about the high schooler getting in trouble because they defaced a web site. Instead you hear about someone after many years of mischief and mayhem who is being accused of causing $12,000,000 in damages computed in some creative manner to get the FBI's attention. There is never a thought of stopping this when the cost to everyone is minimal. Minimal doesn't get the FBI involved and local law enforcement is utterly clueless.
Nobody is really going to get taken down for this unless they do something incredibly stupid. Sure, you can find an IP address but you can't get the customer unless the ISP wants to cooperate. Can you get a court order for the ISP to identify the owner of the account? Probably not without at least $25,000 in damages that you can claim. Even then all you have found is an infected computer that the owner doesn't know anything about.
I got the skynet link of course, and it's apt. What we are seeing is the slow transition from single-celled behaviour to a multicellular organism. That is, instead of fighting on its own, it now has a global immune response to an invader (security researcher). With the advent of virtual machine detectors last year, these things now commit apoptosis when they detect they have been invaded by the security researcher.
In other words we have changed roles. Instead of us being the host and them being the virus, it now is behaving like a host and us as the invasive organism.
These things certainly have enough global CPU strength to do some serious artificial intelligence. Even if it were not efficient, they have millions of CPUs to harness. Some already do have code-changing algorithms to hide their signature. And the ones that survive are the fittest in an evolutionary sense. At some point they may actually start changing their own design, and eventually their own requirements.
So skynet may evolve itself naturally, not as an actual construction.
Some drink at the fountain of knowledge. Others just gargle.
Is this botnet the one that keeps sending the "Viagra Official Site" spam?
The Matrix. This botnet might not be man-made. It might turn out that all these own3d computers have created a collective intelligence.
The news media has already long ago taken over, subjugated and re-defined the term "Hacker".
It no longer means "clever programmer" or whatever it used to mean a decade ago. It now means "computer break-in criminal".
Quit living in the past and get over it.
You LOST the old definition.
It's gone.
Forever.
Wave bye-bye to it.
As one of the "threatened" AV researchers, I was of course interested in getting the bots offline, at least to the degree that I can (I kinda have little chance to put pressure on ISPs in some country that I can't even spell correctly).
So I went and gathered the IP addresses of infected machines. I aggregated them and grouped them to the corresponding ISPs, complete with timestamp (just in case they use dynamic IP addresses and thus need them to contact the corresponding users), then I sent out a mail to 10 different ISPs, just as some kind of test.
The result:
5 didn't reply at all.
2 replied that they are "looking into the issue". I guess they're learning the list by heart 'cause after a month now, still no further reply.
One replied with the question whether I was trying to infect their system and how I dared to say that their users might do something illegal (talk about knowledge).
One replied that they can't do jack because I could just as well have forged that list to mess with their users and they don't care.
Only a single ISP actually thought the matter is important enough to contact me with a request for more information and whether they can do something proactively.
One.
The smallest one, btw. With 20 infected machines (compared to a few 100 with the biggest one, one of the first group that didn't even care enough to reply).
You can't win this way. ISPs don't care at all, at least until the botnet starts using more bandwidth than their torrent leechers. It would mean work for them; what's worse, it means their customers bother their call center with angry calls and maybe even questions how to clean their machines, and maybe they even cancel their service over it. In short, taking things like this seriously costs them money but doesn't get them anything, so they won't do it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
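The aggregation step the researcher describes above (infected IPs grouped per ISP, each with a timestamp so dynamic-address subscribers can still be identified), as an added example that is not the commenter's own tooling. The prefix-to-ISP table and the sightings are constructed; a real run would get the prefixes from WHOIS/ASN lookups and the sightings from a sensor.

```python
"""Group infected-host sightings by ISP and render one abuse notice per ISP.

Added example, not the commenter's tooling.  ISP_PREFIXES and SIGHTINGS are
constructed sample data (documentation address ranges, example.* contacts).
"""
from datetime import datetime, timezone
import ipaddress

# Constructed: network prefixes and the abuse contact responsible for each.
ISP_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "isp-a", "abuse@isp-a.example"),
    (ipaddress.ip_network("198.51.100.0/24"), "isp-b", "abuse@isp-b.example"),
    (ipaddress.ip_network("192.0.2.0/24"), "isp-c", "abuse@isp-c.example"),
]

# Constructed sightings: (UTC timestamp, source IP) of hosts seen talking the
# bot's P2P protocol to a sensor.  The timestamp matters: with dynamic
# addressing the ISP needs it to map an IP back to a subscriber.
SIGHTINGS = [
    ("2007-10-22T03:14:07Z", "203.0.113.45"),
    ("2007-10-22T03:14:09Z", "203.0.113.45"),   # same host, seen twice
    ("2007-10-22T03:15:30Z", "198.51.100.9"),
    ("2007-10-22T04:02:11Z", "203.0.113.201"),
    ("2007-10-22T05:47:59Z", "10.0.0.7"),        # not in any tracked prefix: skipped
    ("2007-10-22T06:00:00Z", "198.51.100.77"),
]


def lookup_isp(ip):
    """Return (isp_name, abuse_contact) for an IP, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, name, contact in ISP_PREFIXES:
        if addr in net:
            return name, contact
    return None


def aggregate(sightings):
    """Return {isp: {"contact": str, "hosts": {ip: (first_seen, last_seen, count)}}}."""
    report = {}
    for ts, ip in sightings:
        hit = lookup_isp(ip)
        if hit is None:
            continue
        name, contact = hit
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entry = report.setdefault(name, {"contact": contact, "hosts": {}})
        first, last, n = entry["hosts"].get(ip, (when, when, 0))
        entry["hosts"][ip] = (min(first, when), max(last, when), n + 1)
    return report


def render(report):
    """One plain-text notice per ISP, hosts sorted by address, CSV body."""
    notices = {}
    for name, entry in sorted(report.items()):
        lines = [f"To: {entry['contact']}",
                 f"Subject: {len(entry['hosts'])} infected hosts on your network",
                 "ip,first_seen_utc,last_seen_utc,sightings"]
        for ip in sorted(entry["hosts"], key=ipaddress.ip_address):
            first, last, n = entry["hosts"][ip]
            lines.append(f"{ip},{first.isoformat()},{last.isoformat()},{n}")
        notices[name] = "\n".join(lines)
    return notices


if __name__ == "__main__":
    for text in render(aggregate(SIGHTINGS)).values():
        print(text, end="\n\n")
```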
Damn, these people are treating this damn thing like it's alive. Stop attacking the bot and find the fucker who wrote it. Then beat your answers out of him.
Supporting World Peace Through Nuclear Pacification
How about designing a new bot-net to attack storm
in kind of the same way as SETI@HOME where you could donate your
computers idle time to fight the storm bot-net.
If enough people contributed, then maybe even storm could be
overpowered.
Wait a minute - how did you manage to type in the squiggly word, press 'preview', wait about 20 seconds for anything to happen, then press 'submit' after being stormed?
Do the probing from a dynamic IP address, like most home DSL connections. If you get DDOSed, reconnect.
:). I wouldn't want a static address on my home connection for a number of reasons.
There's a lot to be said for dynamic IP addresses
>north
You're an immobile computer, remember?
If it's DDOS whatever IP the detections come from, then anybody who can get to the control network need only spoof the IP of the control network's IRC server, or the IP of someone they want to see kicked off line, and they get to launch their own DDOS guilt free because somebody else's bot net is doing it.
Hi, I need a hobby. Probing the Storm Worm Bot Network sounds like fun. But I need an IP address to use. Anybody know of any MediaSentry/MediaDefender/RIAA addresses that might be available?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Isn't it the controller (human) who just checks the access logs and picks up IPs to DDOS a bit? :)
If it was automated, then the easiest way to kill it is to probe it from many distant places.
Then, when it is starting ddos at them, just shut them down.
You could DDOS the botnet
Patents Drive Free Software as Hurricanes Drive Construction Industry
The storm worm grabbed his post, read it, used its immense computing power to determine that funny is > 0, read the CAPTCHA, solved it using aforementioned computing power, and then posted it. Just to fuck with us all.
Life is rarely fair. Cherish the moments when there is a right answer.
...filtering China works miracles with these threats... (seriously !)
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
Easy human fix. Someone post the IP of the IRC servers and it'll get slashdotted.. the largest human driven ddos effect on the net vs the largest bot driven ddos. What fun.
Seriously though.. spoof the IP of the IRC server(s) that it uses to communicate or an already infected machine. Just let it DoS itself.
Mission accomplished!
Sorry dude, but with fast-flux DNS capability, they're not around (IP address-wise) for long.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
is now fighting back against security researchers that seek to destroy it and has them running scared
From "Things A Klingon Programmer Would Say":
Our users will know fear and cower before our software. Ship it! Ship it, and let them flee like the dogs they are!
It's evolution baby!
Blue Frog! Need I say more? They and their support group got nailed! A thousand emails hit my in-box calling me an intruder! Major internet providers need to deal with these issues now! Not by selling us so called "pro-tec-tion" at a price that does not work at times!
Is storm REALLY an evil criminal network? Or are we just being told this by THOSE WHO KNOW BETTER (tm)? Perhaps it's the world's biggest game of core wars, open to all comers, with the "waning" because no one currently has a credible (not immediately beaten down) challenge. Darn those video-game-hating supposed know-betters trying to stop anyone from having a good time! Why I ought to... wait a minute, when did my palms get this hairy? CRAP, THEY'RE RIGHT ABOUT THE PORN!
And for the conspiracy twist, the current winner is... JACK THOMPSON! His lawsuits are all a scam so when he's uncovered as the one who caused so much downtime, people will think he was framed! And he would have gotten away with it too, if it wasn't for you meddling... kids... at Nintendo, who are so afraid of a self-copying game they're hiring the Russian mob to wipe him out, the Viagra spammer was a test run! Next Nintendo and the RIAA join forces to sue MS over a little something nasty they found in cmd.com, something about COPY.
In Communist Russia, our new game-playing overlords welcome you, for one?
Or could the real source and purpose be our favorite search engine? Perhaps this is the only way to get the results we've come to expect at the speed we demand.
In does-no-evil Russia, Google searches you!
(Apologies if I've ripped off a Russia / overlord or conspiracy theory from someone else)
I'm sorry, I thought that singularity was just a game. I'll stop now.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
They linked to this in their RSS feed and are now down.
Co-incidence?
Who is John Conner?
Storm doesn't use an IRC server, or any centralized server in the traditional sense. It uses fast flux, the 'central servers' are always in flux.
And I bet whoever controls that botnet also reads /.
It doesn't use IRC. You're thinking of oldskool botnets, storm is considerably more sophisticated. It uses a hacked version of the eDonkey protocol to form its own p2p network on random ports, is fully distributed, proxies connections to rotating C+C servers and does its communication via spoofed encrypted hashes.
shhhh.....
I know of one bigger Y2K issue:
In Germany's capital Berlin, the fire department's central emergency call/dispatch computer system went down.
This resulted in New Year's eve celebrations - year 2000 no less - without fire fighters or ambulances.
A really nice chaotic mess ensued as they partially had to resort back to pen-and-paper for the busiest night of the year, because the old hardware of the previous system that was used as a backup couldn't handle the load that night.
For the same reason the system keeping track of the fire department cars' current whereabouts went down, so the central coordinators had only a vague idea where their cars were deployed or who was available to respond to an emergency.
People had to wait up to 90 minutes for an ambulance or a fire truck to come and sweep up the ashes of their homes.
Instead of ambulances, cabs were taking people to the hospital.
The police (separate emergency number/system) had to double as fire fighters, deploying anti-riot trucks equipped with water cannons.
Since lots of emergency calls got lost, they had to switch to a patrol system and send out the police and FD cars to drive through the streets to look for fires - among all the smoke and fire of the New Year's Eve fireworks in the streets.
You know why this type of thing spreads? Because it works.
You know how long it will keep spreading? As long as it keeps working.
Like spam and direct-mail offers, the only thing that will stop it is for the success rate to fall.
How do you reduce the response rate? Help your friends and family upgrade or patch Windows. Help them install Linux or buy a Mac.
That will work.
Until Storm goes cross-platform, anyways.
"Genius may have its limitations, but stupidity is not thus handicapped." --Elbert Hubbard (1856-1915)
http://packages.debian.org/stable/net/fail2ban
This package monitors the logs for failed login to a variety of services and updates the iptables rules to ban that IP. I use 5 failed logins, results in 24hrs of banning.
On Debian's default installation of ssh and other services, fail2ban already has appropriate rule sets, so it takes 5 minutes to install. In addition you can write your own rule sets for other login services and firewalls.
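The ban logic the comment describes (5 failed logins, 24 hours of banning, driven by the auth log), as an added example that re-implements the idea in a few dozen lines; it is not fail2ban's own code. The auth.log excerpt is constructed, the 10-minute failure window is an assumption, and the iptables commands are only rendered into a list, not executed.

```python
"""Minimal fail2ban-style jail: count failed SSH logins per source IP and ban
the address after MAX_RETRY failures for BAN_TIME.  Added example, not
fail2ban's code.  Log lines are constructed; firewall commands are rendered
as strings so the logic can be run and checked offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_RETRY = 5                        # failures before a ban (as in the comment)
FIND_TIME = timedelta(minutes=10)    # assumed: failures must fall in this window
BAN_TIME = timedelta(hours=24)       # ban length (as in the comment)

# Debian auth.log sshd failure line: syslog prefix, then
# "Failed password for [invalid user] NAME from IP port N ssh2".
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(stamp, year=2007):
    """syslog stamps carry no year; the constructed log is from 2007."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self):
        self.failures = defaultdict(list)   # ip -> recent failure timestamps
        self.bans = {}                      # ip -> ban expiry
        self.actions = []                   # firewall commands we would run

    def _expire(self, now):
        # A daemon would do this on a timer; here it runs per log line.
        for ip, until in list(self.bans.items()):
            if until <= now:
                del self.bans[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")

    def feed(self, line):
        m = FAILED.match(line)
        if not m:
            return                          # not a failure line (e.g. Accepted)
        now, ip = parse_ts(m["ts"]), m["ip"]
        self._expire(now)
        if ip in self.bans:
            return                          # already dropped at the firewall
        window = [t for t in self.failures[ip] if now - t <= FIND_TIME]
        window.append(now)
        self.failures[ip] = window
        if len(window) >= MAX_RETRY:
            self.bans[ip] = now + BAN_TIME
            self.failures[ip] = []
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")


LOG = [  # constructed auth.log excerpt: five quick failures from one host
    f"Oct 22 03:14:0{i} bastion sshd[41{i}]: Failed password for invalid user admin "
    f"from 203.0.113.45 port 40{i}0 ssh2"
    for i in range(1, 6)
] + [
    "Oct 22 03:14:08 bastion sshd[420]: Accepted publickey for ops from 198.51.100.9 port 52010 ssh2",
    "Oct 22 03:20:00 bastion sshd[430]: Failed password for root from 198.51.100.9 port 52011 ssh2",
    "Oct 23 03:20:00 bastion sshd[999]: Failed password for root from 203.0.113.45 port 5000 ssh2",
]


def run(lines):
    """Feed every line through a fresh jail and return it for inspection."""
    jail = Jail()
    for line in lines:
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for cmd in run(LOG).actions:
        print(cmd)
```

The last constructed line arrives 24 hours after the ban, so the trace shows the ban being lifted and that failure starting a fresh count rather than triggering a new ban.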
The larger ones probably didn't reply because they have a legal department that restricts what they can and can't say in a reply. They might not be allowed to acknowledge your notification, but might still very well be acting on it. Basically, they have no way of knowing what you'd do with any reply they did give (i.e., publicize, criticize, etc.). Smaller ISPs probably don't have as many legal concerns (possibly also because their company isn't an openly traded stock), so they're probably much more eager to work with free tips.