Slashdot Mirror
Storm Worm Strikes Back at Security Pros
alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."
The bot-net probes you.
~ I am logged on, therefore I am.
...beginning to learn at a geometric rate?
*An overweight bond sits at a computer desk littered with Payday bar wrappers and graphic novles. He struggles to breath as he brushes at the cheetohs crumbs stuck in his stubble. A blinking light flashes on his monitor and he reaches up with his stubby fat fingers to press the 'Accept Transmission Now' key. The video feed of an equally bloated and zit faced man, though somewhat less pastey white, comes up.*
... I would like to discuss your latest attempts to probe my botnets on the interweb. ... SATURATE YOUR BANDWIDTH!
Cats: Good evening, Mr. Bond, I was just hitting up some 3 am Taco Bell for fourth meal
Bond: *wheezes at the site of his archnemisis* Cats! I should have known it was you! You won't get away with this diabolical scheme!
Cats: Oh won't I, Mr. Bond? I have all of the world's computers trapped to do my bidding. What would you say if I told you I could bring any website to its knees with a DDOS attack? I noticed you have an apache http server running, Mr. Bond. Perhaps sharing pictures with your loved ones!? Well, I hope a billion attempts to access those images won't
Bond: My GOD! You've gone mad with power, Cats. You're a madman! You'll never get away with this. How do you even keep your franken net in check? What happens when it turns on you?
Cats: Oh, I think I will, Mr. Bond, Caribbean law is quite kind when it comes to orchestrating botnets. Prepare to say goodnight. Good luck making your raiding schedule, I hope you won't miss those 50 DKP!
*Bond's screen slows to a crawl as he rushes to turn off Apache*
Bond: Nooooooooooo!
My work here is dung.
init 11 - for when you need that edge.
If the "command and control" servers have been found, why haven't the IPs been masked to physical addresses and physical security types with physical balaclavas and physical MP5s probing the physical door?
How can I believe you when you tell me what I don't want to hear?
Running scared? Are they serious? Suddenly I see a scene in those old hero flicks where a woman in the crowd stands and says, "Is there no one? No one out there who will save us!?"
Contact the users' ISPs and have them cut the connection to the infected machines until they are cleaned up.
Have gnu, will travel.
So, these people are trying to sell these botnets for extortion and spamming purposes right? Well, seems to me that they just opened up a loophole for at least one category of customer to get free "service" by spoofing whoever he wants to DDoS and poking the botnet till it retaliates. Boom, instant DDoS and he didn't have to pay a dime for the service. I do like the idea someone else put out of spoofing as one of the other control nodes, thereby getting the net to DDoS itself, but it may be just smart enough not to do that.
Curiosity was framed, Ignorance killed the cat.
ooooh sneaky, I like that. Isn't that illegal or something though? I don't think anyone would care but that's probably why they're not doing it. They could at least pull their heads out of their asses and not try and probe the servers using their company's main network!!! Do it on some small, seperate connection that really wouldn't matter if it got DOSed. Hey speaking of that, do it and let them DOS you and then make a log of all the IPs doing it and I'm sure ISPs would agree to disconnect all customers with those IPs until they get rid of storm by reinstalling windows or whatever.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
.. I'm still waiti
Wouldn't the obvious counter-strategy to this be to give the botstorm enough targets to make their DOS attempts too dilute to be a threat?
You theoretically would not need a comparable number of targets to attackers - just enough to lower the magnitude of the counter attack to the point where you could get acceptable results. You could also have targets that 'play dead' in some ways so the attackers can't fix on a minimum magnitude to counter attack with, and instead have to throw zombies until the target stops moving, where the target just gets right back up after playing dead. That way, the window you have before you 'play dead' might be used to get relatively clear results.
Just one guy's idea.
Ryan Fenton
Something tells me that your method won't work against Storm. This is due to the fact that if you tried such a stunt, it wouldn't be your PC that would be DoS'd, it would be the ISP's local NOC you were using to connect to the internet. If you forced a new DHCP reservation (all that an unplug/plugin does), you'd end up with another IP address (if the DHCP server ever responded to your request) sitting on the same hardware that is being DoS'd by Storm.
What is needed to fight a botnet of this size is a distributed probe net, where if one node is taken out by the botnet, the rest of the cloud keeps on probing it. After all, even a large botnet can only DoS so many locations at a time.
A better solution might be to spoof the IP addresses of other members of the botnet, thereby making it DoS itself into submission.
Should point out that hacking is not a crime, never has been, never will be [at least without totally eroding all freedoms first]. A hacker is simply someone who takes the time to see how the world around them works. They're not script monkeys who instigate virus attacks, those are criminals.
Stop reading/watching Faux News et al. and get your damn facts straight.
People should be able to call themselves a hacker without fear of reprisal, for it's the hackers who will inevitably find many of the flaws in the world that the corporate greedmongers want hidden. I mean who do you think are the people finding all of the buffer overflows, protocol mistakes, etc in services you use on a daily basis? If hackers went away companies could easily get away with insecure practices and billing like however they feel like.
It's the people who stop questioning how the world works that should get a bitchslap upside the head.
Someday, I'll have a real sig.
Yeah, buddy of mine had his Gentoo box rooted and used as some sort of base system for rooting others. He found out after his ISP notified him that they shutdown his internet access because his server had been reported as probing other servers for vulnerable PHP apps. Not entirely sure how they rooted the box, but from what I could piece together going through the logs they managed to find a old copy of PHPBB he had been mucking around with on a subdomain (never linked it to anything, so they must have found it by brute force scanning, or maybe combing through DNS records). The traffic logs from other systems and the local logs all showed a series of automated scans for about 2 dozen known vulnerabilities in various pieces of pre-packaged PHP applications in a whole tone of domains. Looked like they just lifted a big chunk of every registered domain between something like ba-fa and were just working their way through it running scans. After we wiped the system and did a fresh install the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file. They really did a number on that system, and we didn't even know about it for a couple weeks because no one actually logs into the server, at most it gets a new file ftped to it every few weeks or so as things are tweaked.
Curiosity was framed, Ignorance killed the cat.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Well, the death penalty has certainly stopped people from committing murder in the United States. I think you're on to something.
I don't care why you're posting AC
hmmm... We need to get the word to 10 million infected users. I know! Maybe we could hire someone to send an email to all of them!
Intron: the portion of DNA which expresses nothing useful.
You can, but it usually hurts really, really badly.
There is a war going on for your mind.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
I see that you are heard the word "spoofing". Now go learn what it means.
No, you cannot establish a tcp or any other connection masquerading as someone else. Care to guess why?
Bot Assisted Blogging
I see a lot of these all the time, they seem to be cycling through a list of names. At the moment they are trying account names like 'root', 'linux', 'admin', 'test', 'testftp', 'webmaster' etc. and user names like 'melissa', 'danny', 'nicholson' etc.
I don't think this means that they added a SSH back door, just that they have enough compute resources to try hundreds of combinations of likely names and passwords in the hope they get lucky.
Hey, it's cheaper than bathing.
"Made up/misattributed quote that makes me look smart. I am on
then you need fail2ban http://www.fail2ban.org
just in case they might eventually get lucky...
So? If we do in fact know where they are physically located, local police should go and confiscate them.
Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.
There's a lot of these computers out there, which is the whole point. If every one was subject to seizure, computer security would immediately become part of popular conversation. Helluva social storm, probably.
Tweet, tweet.
There was a time in England when a bloke could talk about the gay time he had passing a fag around amongst his friends behind the school (fun/happy time passing a cigarette around) without any double entendres. Language evolves. Change your manner of communication or prepare for misinterpretation.
string Hackers="hardware hobbyists"
string Crackers="Saltines, safe-crackers, computer-criminals"
...
Hackers="computer-criminals";
Crackers="Saltines";
Well, it would have to sound professional and reputable. Let me see if I can write a quick draft for you:
Dear Sir,
Based on the recommendation made to me by a reputable official of the abuse sector of a Major South African Internet Service Provider who guaranteed me of your reliability and trustworthiness in business dealings, I wish to entrust important information with you believing that it will be of our mutual benefit; this has to be highly confidential. If I may introduce myself, I am Dr Ben Oguejiofor of the Nigerian Network Operations Centre. I was the former Director of Projects and engineering in the Nigerian Army; I retired recently after Nigeria was pwned by the Storm worm. I wish to crave your indulgence in this business relationship that I will like to establish with you...
Bookmark of cradle the desklamp, or coffee door bird the bubble wrap. Airport barcode of lunch train.
Football.
As one of the "threatened" AV researchers, I was of course interested in getting the bots offline, at least to the degree that I can (I kinda have little chance to put pressure on ISPs in some country that I can't even spell correctly).
So I went and gathered the IP addresses of infected machines. I aggregated them and grouped them to the corresponding ISPs, complete with timestamp (just in case they use dynamic IP addresses and thus need them to contact the corresponding users), then I sent out a mail to 10 different ISPs, just as some kind of test.
The result:
5 didn't reply at all.
2 replied that they are "looking into the issue". I guess they're learning the list by heart 'cause after a month now, still no further reply.
One replied with the question whether I try to infect their system and how I dare to say that their users might do something illegal (talk about knowledge).
One replied that they can't do jack because I could just as well have forged that list to mess with their users and they don't care.
Only a single ISP actually thought the matter is important enough to contact me with a request for more information and whether they can do something proactively.
One.
The smallest one, btw. With 20 infected machines (compared to a few 100 with the biggest one, one of the first group that didn't even care enough to reply).
You can't win this way. ISPs don't care at all, at least until the botnet starts using more bandwidth than their torrent leechers. It would mean work for them, what's worse, it means their customers bother their call center with angry calls and maybe even questions how to clean their machines and maybe they even cancel their service over it. In short, taking things like this serious costs them money but doesn't get them anything, so they won't do it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yep, mea cupla :-(
Not keeping up with my sys-admin duties.
I've seen this kind of thing in the logs for quite a while, but not at this level (1000's of attempts in a day). I hadn't noticed the increasing rate. A case of familiarity breeds contempt, "yep, seen those before .. not much can do about them" without really checking how often they happen.
I remember when I first saw them appearing I contacted my ISP, and their reaction was much the same "yep, thats what happens when you connect a box to the net". I offered to pass on the IP addresses but they weren't interested. I got the impression they see thing kind of thing all the time.
What do people suggest I do with the IP addresses of hosts doing the scanning ? Is it worth checking the whois information and contacting the sys admin or abuse email address if there is one ?
Because everytime I dared to use more ports than the average Internet Exploiter session they turned me off saying I had a "virus". Didn't matter that I was running a highly locked down Xandros Pro and could show them that my logs only contained my traffic. Some PHB had decided "If it's not Windows and
Point is, just because You and I (and most slashdot readers) know what the signs of a virus/worm/botnet infection is, doesn't mean the PHB who'll write the policy will. I can promise you that you get something like that passed at your ISP and you'll spend every other week trying to explain to them that Emule/Bit torrent/VoIP/VPN/etc is NOT a virus only to get yourself turned off the next time you dare to run a Program/OS/Protocol that they don't understand. Trust me, as someone who has been through this, it just isn't worth it. And if you are in the U.S., and your choices are *hole ISP or dialup, What then? Not everyone can just move like I did.
And let us not forget the "let's screw everyone for big profits" mentality going on in the US right now. The ISP would have a real good excuse-"We can't tell the difference between that (insert competitors program here) and a virus! If they want to run that thing, they should have to pay us triple for the risk!"
I learned a long time ago to look at the absolute worse case, because in the US that's probably what you'll end up with.
ACs don't waste your time replying, your posts are never seen by me.