Storm and the Future of Social Engineering

Albert writes "Storm shows several key characteristics, some new and advanced. It uses cunning social engineering techniques — such as tying spam campaigns to a current event or site of interest — as well as a blend of email and the Web to spread. It is highly coordinated, yet decentralized — and with Storm using the latest generation of P2P technology, it cannot be disabled by simply 'cutting off its head.' In addition, Storm is self-propagating — once infected, computers send out massive amounts of Storm spam to keep recruiting new nodes."

How is this news?

[Magada]

The worm's been around for the better part of a year now and these features are in it from the beginning.

Re:How is this news?

[Daver297]

well its OLD news..heh

Re:How is this news?

[jeiler]

Not to mention that many of the "new social engineering tricks" have been used since the beginning of Usenet. Methinks net-security.org is reaching for this story.

Re:How is this news?

[arnoldo.j.nunez]

The worm's been around for the better part of a year now and these features are in it from the beginning. The data is somewhat more up-to-date than last year. I disagree with the article in a few points.

First it says: "IronPort Systems estimates that, at its most destructive point in July 2007..."; I'd argue that it was at its most destructive during the September DDoS against multiple sites.

Re:How is this news?

[ttapper04]

I read the headline, Storm and the future of social engineering, and I thought twice about clicking the link. If one does not have a bit of a healthy neurosis about clicking though anything then they will be infected at some point.

Re:How is this news?

[onion2k]

Exactly. I imagine you'd have to be a complete ***BUY CHEAP MEDS - VIAGRA 100mg * 30 ONLY $89.95*** idiot to fall for any malware trickery these days.

Re:How is this news?

[somersault]

***BUY CHEAP MEDS - VIAGRA 100mg * 30 ONLY $89.95*** Link please?

Re:How is this news?

[somersault]

Unless perhaps you're running IE, clicking through to a news article on the front page of /. probably is a safe enough bet o_0 A healthy bit of neurosis is good, but panicking that an article about the storm worm is probably an evil ploy by the storm worm to propagate itself is a bit far fetched.

Re:How is this news?

[whyloginwhysubscribe]

Maybe storm submitted the link itself?

Re:How is this news?

[Sloppy]

If one does not have a bit of a healthy neurosis about clicking though anything then they will be infected at some point.

That's not true if, instead, they have a healthy neurosis about running network clients that automatically download and execute foreign code.

It blows my mind that anyone still continued to run MSIE after 1995.

Re:How is this news?

[Hoi+Polloi]

I hear there is a new business idea where people offer sex for money.

Re:How is this news?

[bigstrat2003]

Huh. Years of running IE, and I have yet to have any problems with it automatically loading executables. I'd better be careful with that reasoning, though... one might almost come to the conclusion that being knowledgeable is the best security, far more than any browser!

Which, of course, would be crazy talk. Right?

Re:How is this news?

[Torvaun]

Never ran into ActiveX controls?

Re:How is this news?

[bigstrat2003]

ActiveX controls don't run until you give them explicit permission... unless you have your security settings set wide-open, of course.

Re:How is this news?

[Torvaun]

Absolutely true. If only wide-open weren't the default.

Re:How is this news?

[JohnVanVliet]

check your inbox and spam folder It's there i get 1 to 3 a day

Re:How is this news?

[somersault]

was only kidding, I don't have any problems in that area.

aim lower, for the honour of the old school

it cannot be disabled by simply 'cutting off its head.' Off with their goolies!

This is simply an advertisment

[Silver+Sloth]

This is just a puff piece for IronPort - nothing to see here, move along

Re:This is simply an advertisment

[nimbius]

wait...storm uses cunning social engineering? or its administrators use cunning social engineering... yeah, feels like a warm puff of FUD from IronPort.

Re:This is simply an advertisment

[david.emery]

Yeah, I agree with this assessment. It would have been -very helpful- if they provided something like port numbers or other manifestations of infection. I was also looking for some understanding of the distribution of vulnerabilities, in particular any evidence that this mess has gone beyond Windows desktops.

To me it seems that the primary thing we need to do is figure out how to patch all those vulnerable Windows machines that facilitate this kind of crap.

dave

Re:This is simply an advertisment

[BL08N0883N]

Yep - definitely fluff. I think I got a worm infection by just reading this one. Shall we agree to stop commenting at 70 comments?

Self created problem?

Social engineering is often a bit of a self created problem. Look at this (legitimate, yes, I confirmed) email I got today. I reported a very easily reproducible bug, in a internet hosting (for a client) software package. Here is there response:

Hi Eric

Please forward us the username and password that your using so we can login and test this problem

Cheers,

Bruce Renner
Betta Computer Services Pty Ltd
Unit 2 / 55 Tradelink Rd, Hillcrest, 4118
Ph: 3809 2999
Fx: 3809 3999

http://www.bettacomputers.com.au

Note: This message may contain privileged and confidential information that is the property of the intended recipient. The information herein is intended only for use of the addressee. If you are not the intended recipient, then you are requested to return e-mail to Betta Computer Services Pty Ltd and destroy any copies made. Copying or disseminating any of this message is prohibited. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Betta Computer Services Pty Ltd.

Re:Self created problem?

[Chrisq]

I bet you signed a contract with them saying you would never divulge your username and password.

Re:Self created problem?

[Cormacus]

I'm hoping you told them no - what was their response?

Re:Self created problem?

[foniksonik]

So Eric... how's the weather in Australia? Mind if I call up your hosting company and let them know that i will be handling all of your correspondence in the future?

I'm sure your clients won't mind and it looks like Bruce is fairly lax about credentials... surely he will just send me your contact info and let me switch out the email address of record ;-p

Yes, most social engineering exploits ARE self created problems ;-p

Re:Self created problem?

[fotoguzzi]

It's a trap!

Re:Self created problem?

[Alpha+Whisky]

I hope for his sake he never signed a contract with them agreeing the, otherwise unenforceable, clause:

Copying or disseminating any of this message is prohibited. Somehow, I suspect, posting the whole email to Slashdot might just count as disseminating. Actually, come to think of it, I just Copied and disseminated a bit of their email, and do I care?

Re:Self created problem?

[DriedClexler]

Similar problem here. Time Warner Cable claimed I was late on a bill (true, it turns out) and so they called me and asked me to pay immediately. First, I thought, "Okay, they're not stupid enough to have a policy expecting customers to give out their CC info to someone claiming to be from TW. They just want my verbal authorization to bill a number I already gave them."

Then it turns out the guy did want my CC number. When I pointed out that I have no way of knowing that this is really TW or a scammer, so the best I can do is acknowledge his notice and check my own online account, he responded, and I'm not making this up, "Yes, I understand. But I can GUARANTEE YOU that this really is Time Warner."

I replied, "No, you can't." and hung up.

Then of course, after I paid, they tried the same thing then realized mid-call I had paid it.

Re:Self created problem?

[hobbit]

Tell me about it.

Some background to the particular bee in my bonnet: OS X is designed with a certain folder structure repeated in various different places: /System/Library (for Apple), /Library (for systemwide installation), ~/Library (for individual users), /Network/Library (for all machines on a network). These folders form a sort of search path, rather like /usr/local/bin:/usr/bin but for all sorts of things (preferences, fonts, plugins, etc.)

However, the GUI installation tool only allows for installation by default into /Library. It is possible to override this at the command line, but it's not possible to create an installer that gives the user the option of installing into ~/Library, or does so by default.

The upshot of this is that every install that uses Apple's installer asks you for your admin password (so that it can write to /Library). Not because it necessarily needs to write system-wide stuff, but because as an application developer, you'd have to hack it to be able to write to ~/Library.

In other words, Apple has been training users these past 8 years to type their admin password at the drop of a hat.

This will certainly come back to bite them.

Re:Self created problem?

[Chrisq]

I'd rather inseminate than deseminate

Re:Self created problem?

[TrekkieGod]

However, the GUI installation tool only allows for installation by default into /Library. It is possible to override this at the command line, but it's not possible to create an installer that gives the user the option of installing into ~/Library, or does so by default.

I think there are a whole lot of things that Apple does wrong, but in this case, if you're trying to use the installer for something that doesn't need to write system-wide stuff, you're the one doing it wrong. The vast majority of applications don't use installers. You drag the thing to the applications folder, which doesn't ask you for your password (and the 'application' that "looks" like a single file is actually comprised of all the libraries it needs to run). Upon running the application, the application will then write stuff to your ~/Library folder.

Now, my beef with Apple's installer is that there's no easy way to uninstall anything that was installed with an installer. With the other stuff, I can just drag the application from the Applications folder into the trash, but if it requires an installer, you're essentially left to track down all the files and deleting them manually.

Re:Self created problem?

[UNKN]

Yeah, we acquired a company last year and I guess they use some kind of spam filter that if it catches something, it sends you an email with a link. It says to click the link and create a user id and password and all that. I totally thought it was spam until I asked someone at the office and they said it was legit. It had the name of the company and everything, very wierd.

Re:Self created problem?

[egomaniac]

What the hell else would you suggest? Allow software to install itself globally WITHOUT admin privileges? Make it so that software by default only works for the user who installed it?

Re:Self created problem?

[hobbit]

I also prefer apps that are installed by dragging them into the applications folder, but if they create things in ~/Library, you're left with exactly the same uninstallation problem as you bemoan in Apple's installer. Unless that's just ~/Library/Preferences/com.domainname.AppName, I'd prefer a paper trail, i.e., an installer receipt.

Anyway, you or I may not create application installers, but as long as some people do, Apple is culpable in training users to type their password freely.

Re:Self created problem?

[hobbit]

What the hell else would you suggest? Allow software to install itself globally WITHOUT admin privileges? No.

Make it so that software by default only works for the user who installed it? Yes. NB "By default" does not mean "force it on the user"; It's just an extra page in the installer wizard to say "Do you want to install this for the current user or for all users?"

Re:Self created problem?

[snoggeramus]

Got through to a tech chicky on the phone number. She didn't even know what Slashdot was. What on earth is the world coming to? (sobs)

Re:Self created problem?

[yamum_again]

Your all just to simple for words, here is my number to discuses this further but your probably only brave enough to post crap on forums... 0413 839 970

In other news...

Water is still wet.

Oh, and the sun came up this morning.

Sounds like Prey

[Atheose]

Paging Michael Crichton?

http://en.wikipedia.org/wiki/Prey_(novel)

ZOMG BOTZ

[spacefiddle]

hai guise theirs still a thing called 'storm' and itz bad

the blurb doesn't even SAY anything beyond that, and the 'article' is a skinny summary that has a cute lil stupid graph in the middle... and a solid bracing of two columns of ads on either side.

Does any article with the word "storm" in it get published...?

Re:ZOMG BOTZ

[Magada]

Speaking as someone who's in the business... pretty much, yes. Also, IronPort is on a charm offensive because of the takeover - trying to convince everyone that they won't be less nimble now that they're chained to the big ol' dinosaur in the corner.

Re:ZOMG BOTZ

[morgan_greywolf]

trying to convince everyone that they won't be less nimble now that they're chained to the big ol' dinosaur in the corner.

All I gotta say is look what that big ol' dinosaur did to Linksys.

Re:ZOMG BOTZ

[girasquid]

O RLY?

Lets get the ISPs involved!

[thomasdz]

Since the article mentions "and with Storm using the latest generation of P2P technology"
I think the only reasonable solution to this is to for all of us to call our ISPs and demand that this "P2P" thing be either throttled back or somehow forced to stop, perhaps by sending out fake RST packets whenever the ISP sees "P2P traffic. Yeah, let's all do that so we can nip this Storm bot in the bud.

Re:Lets get the ISPs involved!

[Inda]

You jest but deep down you know this is this answer to the problem.

A Little Education can bring calm after the storm

[TechForensics]

How can we teach everyone to pay attention when their computers slow down, the disks thrash, lights on the cable modem go nuts, and strange bounces appear in their email? This isn't rocket science. We need to get the word out!

Opinions:

[ledow]

Not surprised.
Took it's time.
Why isn't every virus doing this?

Seriously, this has always been possible, always been a threat. It's not surprising. It's "different" but you can't even call some parts of that "new"... other people thought of these things years ago.

I wouldn't be surprised if the next step is an "evolution"... instead of a simple worm, we get a virus that changes itself programmatically to avoid detection, uses information from previous successful hacks to propogate itself (e.g. "People click on me if I claim to be from this website... I'll send out some more of me claiming to be from that and similar websites"), or authors piggy-back increasingly more complex viruses on the back of Storm, so that eventually there is just a "swarm", instead of a "Storm".

And then the "virus swarm" will be seen as a single entity and you'll be defending your computers against it and reading adverts for "Anti-SWARM" software, etc.

Re:Opinions:

Then it will become self-aware

Re:A Little Education can bring calm after the sto

[ledow]

Because people don't care.

If you're car display lights up and flashes, people take notice but still I've seen people ignore the warning lights and just drive (sorry, but women are actually the worst culprits).

A computer is a black box to people and a few flashing lights/slowness mean nothing to them. It could be that their P2P app has just kicked in or their printer is printing or a million other things... people can't diagnose it, therefore they don't care about it.

You will *not* educate the masses, no matter what damage you do to their computers - these people are buying new computers every year because "the old one got slow", where in reality it was running at the same speed but just bogged down with viruses.

The way to do it is not to trust them to be able to spot it, or need to. That is, make a computer that takes care of such things. This is what privilege seperation do when they are implemented properly, but even on the strictest controlled networks, you'll find something users can do that wasn't designed for or intended. However, the fix is in the design and execution, not the dumb idiot who just wants to send an email to his family.

Point 2 needs a little fixing...

[redtuxrising]

(2) Fewer than 25 percent of attacks did or did not take advantage of a known or unknown vulnerability...

Pleonasm

[Ksempac]

In addition, Storm is self-propagating -- once infected, computers send out massive amounts of Storm spam to keep recruiting new nodes
No way ! It can do this ? That's unbelievable

For those who need a little reminder about what is a worm (such as the guy who wrote the article), here is the definition of a worm by Wikipedia :

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention.

Why. . ?

[Fantastic+Lad]

Okay. So something has been confusing me for ages now. --The program propagates itself; spreads copies of itself all over the place. So why doesn't somebody look at the code in one of those copies to determine everything anybody would ever want to know about it thus enabling people to pretty much ignore it?

I know that this is what anti-virus companies do, but the way people talk about Storm and similar bot nets, makes it sound as though there is some elusive quality which allows it to do all these unexpected things. What gives? It's just a program. What's the big deal? Or IS there a big deal? I've never been infected.

-FL

Re:Why. . ?

[Cormacus]

Thats exactly what someone who had been infected would say.

Re:Why. . ?

[Fantastic+Lad]

Thats exactly what someone who had been infected would say.

No, I believe you're thinking of the phrase, "It's all so much simpler now. After you get the procedure you'll understand as well."

-FL

Re:Why. . ?

[Rick+Bentley]

The basic idea, it seems to be, is that someone is still controlling these computers and can use them at will in DDoS (Distributed Denial of Service ) attacks ... and maybe it can even go on the offensive automatically.

Wikipedia (http://en.wikipedia.org/wiki/Storm_botnet) has a nice write-up on Storm, the "Methodology" Section is especially informative:

The Storm botnet was observed to be defending itself, and attacking computer systems that scanned for Storm virus-infected computer systems online.[29] The botnet will defend itself with DDoS counter-attacks, to maintain its own internal integrity At certain points in time, the Storm worm used to spread the botnet has attempted to release hundreds or thousands of versions of itself onto the Internet, in a concentrated attempt to overwhelm the defenses of anti-virus and malware security firms.[30] According to Joshua Corman, an IBM security researcher, "This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit."[31] Researchers are still unsure if the botnet's defenses and counter attacks are a form of automation, or manually executed by the system's operators.[31] "If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously. [Over at] SecureWorks, a chunk of it DDoS-ed [directed a distributed-denial-of-service attack] a researcher off the network. Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it punishes them. It fights back," Corman said.[32] .

Yes, it's not hard to defend against getting infected, but every year there are a bazillion new computer users who want to "punch the clown to win a free i-pod", or whatever, and they get infected by the dumbest stuff. Then their computer can be used to attack others.

Anyway, most any /. reader can keep from getting infected by Storm, it's the 99.99...% of the rest of the computer owners that literally become part of the problem.

Re:Why. . ?

So why doesn't somebody look at the code in one of those copies to determine everything anybody would ever want > to know about it thus enabling people to pretty much ignore it?

I know that this is what anti-virus companies do, but the way people talk about Storm and similar bot nets, makes it sound as though there is some elusive quality which allows it to do all these unexpected things.

The fun thing about botnets is that they can spread sofware updates to themselves almost instantaneously.

For example:

1. New and improved virusscanner update protects against the virus.
   
2. Evil anonymous hacker checks for udpates, say, every hour, and downloads the update.
   
3. Hacker 'improves' the bot software, and tests the improvement against the latest virusscanner.
   
4. Botnet distributes new & improved version 3 hours later.
   

Meanwhile:
Mom & pop's infected computer back home checks for virusscanner updates every week, and never finds anything wrong.

Re:Why. . ?

[kvezach]

They do, and write countermeasure papers like this one. That paper is about how to break the communications network (basically flooding it) - the next step for the Storm authors is to switch to another peer-to-peer network that's more resilient, and then the investigators find another bug, and the arms race continues.

Ultimately, the only way to shortcut the race is to keep the code from being executed, on the assumption that people aren't going to want to have the bot on their computers. Unfortunately, this is going to require heavy retooling of security systems (to lower the chance that bugs can be exploitable, and to let users know exactly what the program they're trying to execute/install wants to do).

To get back from that digression, the big deal is that it uses peer-to-peer and that so many people have fallen for it. AV companies (and other reverse engineers) do look at the code, but they can only react, hence the arms race.

Re:Why. . ?

[Z34107]

The other problem from my limited understanding is that it is incredibly resistant to doing just that - "look at the code."

The executable is encrypted, making disassembly difficult. People have purposefully infected isolated sandbox machines to try to attach a debugger to the decrypted, running process - and the bot kills the debugger. Researchers have found their machines (and the entire network they're connected to!) DDoS'd and effectively shut down as Storm found out and got angry.

Avoiding infection is easy. But, you probably know how to turn your computer on; for the rest of the population, this escapes them.

Never give out your password...

[scrib]

Hi Eric Please forward us the username and password that your using so we can login and test this problem Never give out your password - to people who use the wrong homophone!

Re:Never give out your password...

Hi Eric Please forward us the username and password that your using so we can login and test this problem

Never give out your password - to people who use the wrong homophone!

ummm... "you're" and "your" are not homophones.

Re:Never give out your password...

[cizoozic]

Hi Eric Please forward us the username and password that your using so we can login and test this problem

Never give out your password - to people who use the wrong homophone!

ummm... "you're" and "your" are not homophones. Yeah, yeah, we've all heard it before, they're "just roommates."

as a guy named Storm

[tempest69]

Nope, not everything gets modded up, just most things..

Of course newspapers leave headlines that leave me as a mass murder like --Storm kills 300 in the Philippines -- --Storm leaves orphans homeless-- --Storm invades your privacy-- --Storm discontinued by geo-- --Storm discontinued by Coca Cola--

Storm

Re:A Little Education can bring calm after the sto

[camperdave]

My disks often show activity when the machine is "just sitting there". My DSL modem lights often blink for no apparent reason. When I do a top, I see several dozen processes, any one of which could be logging data, doing garbage collection, looking for updates, or doing any number of innocuous things. Just because a computer is active when you don't think it should be, doesn't necessarily mean that it's infected with anything.

Re:A Little Education can bring calm after the sto

[Sloppy]

How can we teach everyone to pay attention when .. lights on the cable modem go nuts .. ?

Send them a bigger network usage bill the following month.

simple fix

[drew_92123]

I'm tellin ya, find the guys who write a couple of these things, or that run a bot net or even a small spamming operation, charge them with crimes against humanity or some such garbage, and kill them very slowly on live TV... Then take away everything their families own... money, property, put them out on the street. SPAM would stop soon after the second or third execution and the world will be better for it.

Re:simple fix

[deanoaz]

But there isn't any big money behind stopping spam. If you start executing people for computer crimes it will be the pirates getting the chair at the behest of the RIAA, not spammers.

Re:simple fix

[uuxququex]

Also, hefty fines against the stupid people that buy V1@gRa and c1aLi$ online. Somewhere around "everything-they-own-plus-one-dollar". Or just kill them also. It's not like the world will miss them.

Re:Opinions

[genmax]

.. I wouldn't be surprised if the next step is an "evolution"... instead of a simple worm, we get a virus that changes itself programmatically to avoid detection ..

Sorry friend - we've had those kind of viruses for a long time now - http://en.wikipedia.org/wiki/Polymorphic_code http://en.wikipedia.org/wiki/Metamorphic_code

cannot be stopped, eh?

[nuzak]

and with Storm using the latest generation of P2P technology, it cannot be disabled by simply 'cutting off its head.'

I suspect a few public decapitations of the people running Storm would put a pretty quick stop to it. Just gotta pick the right targets, see.

Re:A Little Education can bring calm after the sto

[deanoaz]

How are they supposed to know those symptoms aren't just Vista doing some kind of indexing or whatever on their computer?

Little bleach in the gene pool would go a long way

[Prisoner's+Dilemma]

A little bleach in the gene pool would go a long way

Re:A Little Education can bring calm after the sto

It's indeed very very hard to educate the masses.

I'm not sure if the following can be called "giving up" and I don't want to start a whole X vs. Y war here either, but I've been sending all acquaintances with relatively little computer knowledge to the Apple store for about a year now.

Not because Macs are for people with no technological knowledge and all that kind of nonsensical reasoning, but just because it gives them a pretty interface while being relatively safe. It will not protect the user from every threat, but many of them know that 'iPod-thingy' and can navigate around using the dock etc. relatively quickly after switching.

So far it has saved me a lot of time and frustration while keeping the users quite happy.

Enlist the RIAA!

[dr2chase]

According to this article it is possible to "frame" IP addresses using the bittorrent protocol, and convince the RIAA that a non-infringing IP address (for example, a networked printer) is hosting their precious music.

If worm-compromised hosts can be automatically identified (say, the originator of every piece of spam that I get), why not frame them, and then RIAA will send take-down notices to their ISPs? Either this forces the RIAA to work a little harder before harrassing people, or a bunch of worm hosts get knocked offline (or both).

Step 3: PROFIT!