Slashdot Mirror
Storm Worm Strikes Back at Security Pros
alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."
The bot-net probes you.
~ I am logged on, therefore I am.
Have them shut down and re-install Windows (not recommended)
or install GNU/Linux.
You are being MICROattacked, from various angles, in a SOFT manner.
...beginning to learn at a geometric rate?
*An overweight bond sits at a computer desk littered with Payday bar wrappers and graphic novles. He struggles to breath as he brushes at the cheetohs crumbs stuck in his stubble. A blinking light flashes on his monitor and he reaches up with his stubby fat fingers to press the 'Accept Transmission Now' key. The video feed of an equally bloated and zit faced man, though somewhat less pastey white, comes up.*
... I would like to discuss your latest attempts to probe my botnets on the interweb. ... SATURATE YOUR BANDWIDTH!
Cats: Good evening, Mr. Bond, I was just hitting up some 3 am Taco Bell for fourth meal
Bond: *wheezes at the site of his archnemisis* Cats! I should have known it was you! You won't get away with this diabolical scheme!
Cats: Oh won't I, Mr. Bond? I have all of the world's computers trapped to do my bidding. What would you say if I told you I could bring any website to its knees with a DDOS attack? I noticed you have an apache http server running, Mr. Bond. Perhaps sharing pictures with your loved ones!? Well, I hope a billion attempts to access those images won't
Bond: My GOD! You've gone mad with power, Cats. You're a madman! You'll never get away with this. How do you even keep your franken net in check? What happens when it turns on you?
Cats: Oh, I think I will, Mr. Bond, Caribbean law is quite kind when it comes to orchestrating botnets. Prepare to say goodnight. Good luck making your raiding schedule, I hope you won't miss those 50 DKP!
*Bond's screen slows to a crawl as he rushes to turn off Apache*
Bond: Nooooooooooo!
My work here is dung.
init 11 - for when you need that edge.
If the "command and control" servers have been found, why haven't the IPs been masked to physical addresses and physical security types with physical balaclavas and physical MP5s probing the physical door?
How can I believe you when you tell me what I don't want to hear?
Letters of Marque, please?
Can we get a "-1 Wrong" moderation option?
Running scared? Are they serious? Suddenly I see a scene in those old hero flicks where a woman in the crowd stands and says, "Is there no one? No one out there who will save us!?"
Didn't I just hear that the Storm worm was slowing to a crawl?
GetOuttaMySpace - The Anti-Social Network
So, these people are trying to sell these botnets for extortion and spamming purposes right? Well, seems to me that they just opened up a loophole for at least one category of customer to get free "service" by spoofing whoever he wants to DDoS and poking the botnet till it retaliates. Boom, instant DDoS and he didn't have to pay a dime for the service. I do like the idea someone else put out of spoofing as one of the other control nodes, thereby getting the net to DDoS itself, but it may be just smart enough not to do that.
Curiosity was framed, Ignorance killed the cat.
ooooh sneaky, I like that. Isn't that illegal or something though? I don't think anyone would care but that's probably why they're not doing it. They could at least pull their heads out of their asses and not try and probe the servers using their company's main network!!! Do it on some small, seperate connection that really wouldn't matter if it got DOSed. Hey speaking of that, do it and let them DOS you and then make a log of all the IPs doing it and I'm sure ISPs would agree to disconnect all customers with those IPs until they get rid of storm by reinstalling windows or whatever.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Higher ed had some of their systems attacked in this way going back to at least July. I lost a machine because of this because the system (running FreeBSD) had a marginal disk that eventually died under the load incurred by logging "Limiting icmp ping response from..." messages. Fortunately, we were smart enough to NEVER use systems like our workstations for downloading malware from suspected sources.
Easy lesson for those thinking of doing research: Remember to have a machine dedicated to the task of talking to untrusted outsiders.
.. I'm still waiti
Wouldn't the obvious counter-strategy to this be to give the botstorm enough targets to make their DOS attempts too dilute to be a threat?
You theoretically would not need a comparable number of targets to attackers - just enough to lower the magnitude of the counter attack to the point where you could get acceptable results. You could also have targets that 'play dead' in some ways so the attackers can't fix on a minimum magnitude to counter attack with, and instead have to throw zombies until the target stops moving, where the target just gets right back up after playing dead. That way, the window you have before you 'play dead' might be used to get relatively clear results.
Just one guy's idea.
Ryan Fenton
Something tells me that your method won't work against Storm. This is due to the fact that if you tried such a stunt, it wouldn't be your PC that would be DoS'd, it would be the ISP's local NOC you were using to connect to the internet. If you forced a new DHCP reservation (all that an unplug/plugin does), you'd end up with another IP address (if the DHCP server ever responded to your request) sitting on the same hardware that is being DoS'd by Storm.
What is needed to fight a botnet of this size is a distributed probe net, where if one node is taken out by the botnet, the rest of the cloud keeps on probing it. After all, even a large botnet can only DoS so many locations at a time.
A better solution might be to spoof the IP addresses of other members of the botnet, thereby making it DoS itself into submission.
Should point out that hacking is not a crime, never has been, never will be [at least without totally eroding all freedoms first]. A hacker is simply someone who takes the time to see how the world around them works. They're not script monkeys who instigate virus attacks, those are criminals.
Stop reading/watching Faux News et al. and get your damn facts straight.
People should be able to call themselves a hacker without fear of reprisal, for it's the hackers who will inevitably find many of the flaws in the world that the corporate greedmongers want hidden. I mean who do you think are the people finding all of the buffer overflows, protocol mistakes, etc in services you use on a daily basis? If hackers went away companies could easily get away with insecure practices and billing like however they feel like.
It's the people who stop questioning how the world works that should get a bitchslap upside the head.
Someday, I'll have a real sig.
What's bigger, the Storm effect... or the Slashdot effect ...
Deleted
Well, the death penalty has certainly stopped people from committing murder in the United States. I think you're on to something.
I don't care why you're posting AC
You can, but it usually hurts really, really badly.
There is a war going on for your mind.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
I see that you are heard the word "spoofing". Now go learn what it means.
No, you cannot establish a tcp or any other connection masquerading as someone else. Care to guess why?
Bot Assisted Blogging
I could be polite and specify my question in more novel manner, but:
What the fuck are you talking about?
Bot Assisted Blogging
So? If we do in fact know where they are physically located, local police should go and confiscate them.
Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.
There's a lot of these computers out there, which is the whole point. If every one was subject to seizure, computer security would immediately become part of popular conversation. Helluva social storm, probably.
Tweet, tweet.
I see the same sort of law-and-order assumptions here that I would like to believe in. Sadly, that phase in my life has ended.
Sure, you can find who is DDoS'ing you. You can then call the ISP/hosting company and complain. If they are in the US they will likely as not just tell you to get a court order. Outside the US they will laugh and suggest you bribe them. Either way, it is their customer's right to operate in whatever manner they choose. If they are presented with a valid court order from a court in their jurisdiction, they will quickly and efficiently comply. Otherwise, your complaint will go in the bit bucket.
Mostly the problem is that to a lot of ISPs their customer (and the revenue from that customer) is a whole lot more important than the negative effects their customer is having. Also, the customer may be Daddy and Sonny is the one causing all the trouble. Why would anyone want to offend bill-paying Daddy by cutting off service?
The problem here is that regardless of the problem - a botnet infested computer, a script kiddy trying to break in, or some other mischief - if you let it go, it gets worse. Every time a script kiddy gets to feel that rush of excitement at breaking to some computer somewhere without any consequences they get bolder. In the US it is not really possible to go after them until they run up at least $25,000 in damages. Because of this, you never hear about the high schooler getting in trouble because they defaced a web site. Instead you hear about someone after many years of mischief and mayhem who is being accused of causing $12,000,000 in damages computed in some creative manner to get the FBI's attention. There is never a thought of stopping this when the cost to everyone is minimal. Minimal doesn't get the FBI involved and local law enforcement is utterly clueless.
Nobody is really going to get taken down for this unless they do something incredibly stupid. Sure, you can find an IP address but you can't get the customer unless the ISP wants to cooperate. Can you get a court order for the ISP to identify the owner of the account? Probably not without at least $25,000 in damages that you can claim. Even then all you have found is an infected computer that the owner doesn't know anything about.
I got the skynet link of course, and it's apt. What we are seeing is the slow transition from single cellular behaviour to a multi cellualr organism. That is instead of being fighting on it's own, it now has a global immune response to an invader (security researcher). With the advent of virtual machine detectors last year these things now commit apoptosis when they detect they have been invaded by the security researcher.
In other words we have changed roles. Instead of us being the host and them being the virus, it now is behaving like a host and us as the invasive organism.
These things certainly have enough global cpu strength to do some serious artifical intelligence. even if it were not efficient, they have millions of cpus to harness. Some already do have code changing algorithms to hide their signature. And the ones that survive, are the fittest in an evolutionary sense. At some point they may actually start changing their own design, and eventually their own requirements.
So skynet may evolve itself naturally, not as an actual construction.
Some drink at the fountain of knowledge. Others just gargle.
Uhm...what? The TCP sequence number issue is related to Man in the Middle attacks (which in the strictest sense is a type of spoofing, but not usually refered to like this). Spoofing is generally talking about sending packets pretending to be someone else, ie, putting a bad source on them. So now if I am computer A, and you are computer B, and I send you SYN DST A SRC C you will respond ACK/SYN to computer C. Unless my computer has PsychicHackWizard 3.0 or I have installed MagikRouter1337 those packets won't ever make it back to me.
The only change I can believe in is what I find in my couch cushions.
There was a time in England when a bloke could talk about the gay time he had passing a fag around amongst his friends behind the school (fun/happy time passing a cigarette around) without any double entendres. Language evolves. Change your manner of communication or prepare for misinterpretation.
string Hackers="hardware hobbyists"
string Crackers="Saltines, safe-crackers, computer-criminals"
...
Hackers="computer-criminals";
Crackers="Saltines";
The Matrix. This botnet might not be man-made. It might turn out that all these own3d computers have created a collective intelligence.
The best solution is completely non-technical... a $10,000,000 bounty for the arrest and conviction (in whatever court you may choose) of the owner of the botnet.
The tyrant will always find a pretext for his tyranny - Aesop
Bookmark of cradle the desklamp, or coffee door bird the bubble wrap. Airport barcode of lunch train.
Football.
As one of the "threatened" AV researchers, I was of course interested in getting the bots offline, at least to the degree that I can (I kinda have little chance to put pressure on ISPs in some country that I can't even spell correctly).
So I went and gathered the IP addresses of infected machines. I aggregated them and grouped them to the corresponding ISPs, complete with timestamp (just in case they use dynamic IP addresses and thus need them to contact the corresponding users), then I sent out a mail to 10 different ISPs, just as some kind of test.
The result:
5 didn't reply at all.
2 replied that they are "looking into the issue". I guess they're learning the list by heart 'cause after a month now, still no further reply.
One replied with the question whether I try to infect their system and how I dare to say that their users might do something illegal (talk about knowledge).
One replied that they can't do jack because I could just as well have forged that list to mess with their users and they don't care.
Only a single ISP actually thought the matter is important enough to contact me with a request for more information and whether they can do something proactively.
One.
The smallest one, btw. With 20 infected machines (compared to a few 100 with the biggest one, one of the first group that didn't even care enough to reply).
You can't win this way. ISPs don't care at all, at least until the botnet starts using more bandwidth than their torrent leechers. It would mean work for them, what's worse, it means their customers bother their call center with angry calls and maybe even questions how to clean their machines and maybe they even cancel their service over it. In short, taking things like this serious costs them money but doesn't get them anything, so they won't do it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Granted, but what if we reroute power form the rear deflectors? Shouldn't that give us enough power to bring the forward phaser array back on line? Or maybe they've forgotten to protect the sleep command? What about introducing a logic puzzle that has no answer? The tic -tac toe game is missing, tell it to play with zero players.
Well.. maybe. Or Maybe not. But Definitely not sort of.