Slashdot Mirror

← Back to Stories (view on slashdot.org)

Storm Dismantled at USENIX LEET Workshop

Posted by Zonk on from the is-that-like-1337-leet dept.

An anonymous reader writes "The USENIX LEET workshop held earlier this week in San Francisco offered neat insights into the Storm botnet, including two papers showing the difficulty of accurately measuring the botnet's size, and one on the way it conducts its spamming campaigns (down to the template language used). There was a bunch of other cool work too, so check out the papers."

17 of 58 comments (clear)

  1. Broken Link on front page by nweaver · · Score: 5, Informative

    It should be http://www.usenix.org/event/leet08/tech/

    --
    Test your net with Netalyzr
  2. Nifty by locokamil · · Score: 4, Insightful

    After reading the article, I'm impressed by both the ingenuity of the researchers in infiltrating the network, and also by the skills of the malware writers. Engineering a DHT-based network is no trivial matter, and the fact that people out there went through the trouble of creating one implies that the payoff must have been commensurate to the effort involved.

    Scary.

    1. Re:Nifty by Pig+Hogger · · Score: 3, Insightful

      After reading the article, I'm impressed by both the ingenuity of the researchers in infiltrating the network, and also by the skills of the malware writers. Engineering a DHT-based network is no trivial matter, and the fact that people out there went through the trouble of creating one implies that the payoff must have been commensurate to the effort involved.
      Given how the "legit" private sector treats it's employees like shit (layoffs, outsourcing, PHBs, etc.), it's no surprise that there is no shortage of disgruntled employees who will gladly write malware for a good payoff or simply for revenge.
    2. Re:Nifty by plover · · Score: 5, Interesting
      Then you should be impressed by the right people, like Enzo Michelangeli, who wrote the KadC DHT library that the storm worm authors used.

      Sure, these guys are somewhat clever, but they're not the real geniuses behind the technology.

      And yes, the researchers did a great job, too. It's not easy picking unknown protocols apart!

      --
      John
  3. My pet love/hate for botnets by Fluffeh · · Score: 5, Insightful

    I hate spam and what botnets do as much as the next fellow, to the point where I stopped checking email on a regular basis from a few accounts due to the insane amounts of spam I got, but I still have to admire the sheer beauty and audacity of putting together such a living thing. If only they could find a useful (even semi-legit) purpose for harnessing so much computing power.

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
    1. Re:My pet love/hate for botnets by Anonymous Coward · · Score: 4, Funny

      I think we should take over the botnet and use it as a spam filter. That would be semi-legit, right?

  4. My only question by Anonymous Coward · · Score: 2, Funny

    Does this run on Linux?

  5. misnomer? by B3ryllium · · Score: 5, Informative

    Is "dismantled" really the right word? Shouldn't it be "vivisected", since the botnet is still running?

    Dismantled implies that it's shut down. Last I heard, it was still running, and sub-botnets (tropical depressions?) were being sold. Botnet franchising, if you will.

  6. "Shatter Her Meat Tunnel and Bash Down Walls..." by falsemover · · Score: 5, Funny

    "... With Your Humongous New Cock." (actual subject header of spam email received)

    Seriously, we haven't had this kind of inspired ribald poetry since William Shakespeare.

    I say bring it on, we need the spam entertainment.

    SAVE THE BOTNET - SPAM IS ART

    Dans la viande a bon marche, il est poesie

    --
    consider coffee a lubricant that helps one penetrate the coding zone
  7. Re:Wow ok. by 77Punker · · Score: 3, Informative

    According to the paper, the creators already make changes to obscure the botnet on a frequent basis. This paper won't make them any more paranoid than they already are.

  8. What user-agent string is it seeking? by symbolset · · Score: 5, Funny

    We used different releases of three web browsers, resulting in a total of eight different browser versions. The results indicate that Storm exploits only web browsers with a specific User-Agent, a HTTP request header field specifying the browser version. If this header field specifies a non-vulnerable browser, the malicious server does not send the exploit to the client. However, if the client seems to be vulnerable, the server sends between three and six different exploits for vulnerabilities commonly found in this browser or in common browser-addons. The goal of all these exploits is to install a copy of the Storm binary on the visitor's machine. We observed that the actual exploit used in the malicious Web sites is polymorphic, i.e., the exploit code changes periodically, in this case every minute, which complicates signature-based detection of these malicious sites.

    So... three guesses what user-agent it's looking for.

    --
    Help stamp out iliturcy.
    1. Re:What user-agent string is it seeking? by Ford+Prefect · · Score: 4, Funny

      So... three guesses what user-agent it's looking for.

      Sarah Connor?

      --
      Tedious Bloggy Stuff - hooray?
    2. Re:What user-agent string is it seeking? by n0dna · · Score: 2, Funny

      See? Not even Botnets use Opera.

      *grin*

  9. Another paper on "Malicious Hardware" by Schnoodledorfer · · Score: 5, Interesting

    How about this one: Designing and Implementing Malicious Hardware? Now that people are figuring out how to deal with Storm, we may have to start worrying about bogus ICs that will be designed to allow your computer to be compromised easily. Damn! Interesting, though. It was awarded "Best Paper".

    --
    Knowledge is the small part of ignorance that we arrange and classify. (Ambrose Bierce)
  10. Re:OMG by socsoc · · Score: 3, Funny

    Kill us all by destroying the Internet? But I learned last night that when the Internet stops working, everyone will just head out the Californee way.

  11. Not all bad! by illama · · Score: 3, Funny
    FTA:

    Second, Storm synchronizes the system time of the infected machine with the help of the Network Time Protocol (NTP). This means that each infected machine has an accurate clock. See, it's not all bad!
  12. Re:"Shatter Her Meat Tunnel and Bash Down Walls... by archkittens · · Score: 2, Funny

    next thing we know, it will be cracking google toolbar and getting a look at search histories associated with gmail accounts, and since all spam is invariably connected with some form of sex industry...

    i cant wait to get the line "get a larger hadron collider with our revolutionary unix-based pill!"