Slashdot Mirror


Storm and the Future of Social Engineering

Albert writes "Storm shows several key characteristics, some new and advanced. It uses cunning social engineering techniques — such as tying spam campaigns to a current event or site of interest — as well as a blend of email and the Web to spread. It is highly coordinated, yet decentralized — and with Storm using the latest generation of P2P technology, it cannot be disabled by simply 'cutting off its head.' In addition, Storm is self-propagating — once infected, computers send out massive amounts of Storm spam to keep recruiting new nodes."
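The "self-propagating" behaviour the summary describes (an infected desktop suddenly relaying large volumes of event-themed spam) is something a mail administrator can spot from relay logs without knowing anything about the worm itself. The following is an added example, not code from the original story, net-security.org or IronPort. It assumes a constructed, simplified log line shape (timestamp, source host, recipient, subject); the hosts, addresses and subject line are constructed sample values, not real Storm indicators, and the thresholds are illustrative and should be tuned against a site's own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log shape (not a real MTA format): ISO timestamp, source host,
# recipient address, subject. Adjust LOG_RE for a real relay's log format.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) relay: from=(?P<src>\S+) to=(?P<rcpt>\S+) subject="(?P<subj>[^"]*)"$'
)


def _line(ts, src, rcpt, subj):
    return f'{ts.isoformat()} relay: from={src} to={rcpt} subject="{subj}"'


def build_sample_log():
    """Constructed sample: one ordinary desktop and one host behaving like a spam node."""
    t0 = datetime(2007, 9, 1, 10, 0, 0)
    lines = [
        _line(t0, "10.0.0.7", "alice@example.org", "Q3 report"),
        _line(t0 + timedelta(minutes=3), "10.0.0.7", "bob@example.net", "Re: lunch"),
        _line(t0 + timedelta(minutes=30), "10.0.0.7", "carol@example.com", "Slides"),
    ]
    # 40 messages in two minutes from 10.0.0.42 (constructed host), all carrying the
    # same event-themed lure, each to a different recipient at a different domain.
    for i in range(40):
        lines.append(_line(t0 + timedelta(seconds=3 * i), "10.0.0.42",
                           f"user{i}@mail{i}.example",
                           "Breaking: storm hits Europe, see video"))
    return lines


def parse(lines):
    """Turn matching log lines into (timestamp, src, rcpt, subject) tuples, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected shape
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["rcpt"], m["subj"]))
    events.sort(key=lambda e: e[0])
    return events


def flag_mass_mailers(events, window=timedelta(minutes=10), max_msgs=20,
                      min_domains=10, min_same_subject=10):
    """
    Return {src_host: reason} for hosts that, within any sliding `window`, either
    send more than `max_msgs` messages to at least `min_domains` distinct recipient
    domains (volume signal), or send one identical subject line to at least
    `min_same_subject` distinct recipients (campaign signal). A host is reported
    once, with the first rule that fired.
    """
    recent = defaultdict(deque)  # src -> (ts, rcpt, subj) entries inside the window
    flagged = {}
    for ts, src, rcpt, subj in events:
        q = recent[src]
        q.append((ts, rcpt, subj))
        while q and ts - q[0][0] > window:
            q.popleft()
        if src in flagged:
            continue
        domains = {r.rsplit("@", 1)[-1].lower() for _, r, _ in q}
        by_subject = defaultdict(set)
        for _, r, s in q:
            by_subject[s].add(r)
        if len(q) > max_msgs and len(domains) >= min_domains:
            flagged[src] = f"{len(q)} msgs to {len(domains)} domains in {window}"
        elif any(len(rs) >= min_same_subject for rs in by_subject.values()):
            top = max(by_subject.items(), key=lambda kv: len(kv[1]))
            flagged[src] = f"subject {top[0]!r} sent to {len(top[1])} recipients"
    return flagged


if __name__ == "__main__":
    for host, why in flag_mass_mailers(parse(build_sample_log())).items():
        print(host, "->", why)
```

Run against the constructed log, the ordinary desktop is never reported while the second host trips the campaign rule after its tenth identical-subject message, well before the volume rule would. In practice the response is to quarantine the host's outbound port 25 and examine it, and to keep the thresholds high enough that a legitimate list server or a user replying to a large thread is not caught.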

13 of 77 comments

  1. How is this news? by Magada · · Score: 5, Informative

    The worm's been around for the better part of a year now and these features are in it from the beginning.

    --
    Something bad is coming when people are suddenly anxious to tell the truth.
    1. Re:How is this news? by jeiler · · Score: 5, Insightful

      Not to mention that many of the "new social engineering tricks" have been used since the beginning of Usenet. Methinks net-security.org is reaching for this story.

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.

    2. Re:How is this news? by somersault · · Score: 4, Funny

      ***BUY CHEAP MEDS - VIAGRA 100mg * 30 ONLY $89.95*** Link please?
      --
      which is totally what she said
  2. This is simply an advertisement by Silver+Sloth · · Score: 5, Informative

    This is just a puff piece for IronPort - nothing to see here, move along

    --
    init 11 - for when you need that edge.
  3. Self created problem? by Anonymous Coward · · Score: 5, Interesting

    Social engineering is often a bit of a self-created problem. Look at this (legitimate, yes, I confirmed) email I got today. I reported a very easily reproducible bug in an internet hosting (for a client) software package. Here is their response:

    Hi Eric

    Please forward us the username and password that you're using so we can login and test this problem

    Cheers,

    Bruce Renner
    Betta Computer Services Pty Ltd
    Unit 2 / 55 Tradelink Rd, Hillcrest, 4118
    Ph: 3809 2999
    Fx: 3809 3999

    http://www.bettacomputers.com.au

    Note: This message may contain privileged and confidential information that is the property of the intended recipient. The information herein is intended only for use of the addressee. If you are not the intended recipient, then you are requested to return e-mail to Betta Computer Services Pty Ltd and destroy any copies made. Copying or disseminating any of this message is prohibited. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Betta Computer Services Pty Ltd.

    1. Re:Self created problem? by TrekkieGod · · Score: 4, Informative

      However, the GUI installation tool only allows for installation by default into /Library. It is possible to override this at the command line, but it's not possible to create an installer that gives the user the option of installing into ~/Library, or does so by default.

      I think there are a whole lot of things that Apple does wrong, but in this case, if you're trying to use the installer for something that doesn't need to write system-wide stuff, you're the one doing it wrong. The vast majority of applications don't use installers. You drag the thing to the applications folder, which doesn't ask you for your password (and the 'application' that "looks" like a single file is actually comprised of all the libraries it needs to run). Upon running the application, the application will then write stuff to your ~/Library folder.

      Now, my beef with Apple's installer is that there's no easy way to uninstall anything that was installed with an installer. With the other stuff, I can just drag the application from the Applications folder into the trash, but if it requires an installer, you're essentially left to track down all the files and deleting them manually.

      --

      Warning: Opinions known to be heavily biased.

  4. Let's get the ISPs involved! by thomasdz · · Score: 5, Funny

    Since the article mentions "and with Storm using the latest generation of P2P technology",
    I think the only reasonable solution to this is for all of us to call our ISPs and demand that this "P2P" thing be either throttled back or somehow forced to stop, perhaps by sending out fake RST packets whenever the ISP sees "P2P traffic". Yeah, let's all do that so we can nip this Storm bot in the bud.

    --
    Karma: Excellent. 15 moderator points expire sometime.
  5. Re:ZOMG BOTZ by Magada · · Score: 5, Interesting

    Speaking as someone who's in the business... pretty much, yes. Also, IronPort is on a charm offensive because of the takeover - trying to convince everyone that they won't be less nimble now that they're chained to the big ol' dinosaur in the corner.

    --
    Something bad is coming when people are suddenly anxious to tell the truth.
  6. A Little Education can bring calm after the storm by TechForensics · · Score: 4, Insightful

    How can we teach everyone to pay attention when their computers slow down, the disks thrash, lights on the cable modem go nuts, and strange bounces appear in their email? This isn't rocket science. We need to get the word out!

    --
    Those are my principles, and if you don't like them... well, I have others.
  7. Opinions: by ledow · · Score: 4, Interesting

    Not surprised.
    Took its time.
    Why isn't every virus doing this?

    Seriously, this has always been possible, always been a threat. It's not surprising. It's "different" but you can't even call some parts of that "new"... other people thought of these things years ago.

    I wouldn't be surprised if the next step is an "evolution"... instead of a simple worm, we get a virus that changes itself programmatically to avoid detection, uses information from previous successful hacks to propagate itself (e.g. "People click on me if I claim to be from this website... I'll send out some more of me claiming to be from that and similar websites"), or authors piggy-back increasingly more complex viruses on the back of Storm, so that eventually there is just a "swarm", instead of a "Storm".

    And then the "virus swarm" will be seen as a single entity and you'll be defending your computers against it and reading adverts for "Anti-SWARM" software, etc.

  8. Re:A Little Education can bring calm after the sto by ledow · · Score: 4, Insightful

    Because people don't care.

    If your car display lights up and flashes, people take notice, but still I've seen people ignore the warning lights and just drive (sorry, but women are actually the worst culprits).

    A computer is a black box to people and a few flashing lights/slowness mean nothing to them. It could be that their P2P app has just kicked in or their printer is printing or a million other things... people can't diagnose it, therefore they don't care about it.

    You will *not* educate the masses, no matter what damage you do to their computers - these people are buying new computers every year because "the old one got slow", where in reality it was running at the same speed but just bogged down with viruses.

    The way to do it is not to trust them to be able to spot it, or need to. That is, make a computer that takes care of such things. This is what privilege separation does when it is implemented properly, but even on the most strictly controlled networks, you'll find something users can do that wasn't designed for or intended. However, the fix is in the design and execution, not the dumb idiot who just wants to send an email to his family.

  9. Why. . ? by Fantastic+Lad · · Score: 4, Interesting
    Okay. So something has been confusing me for ages now. -- The program propagates itself; spreads copies of itself all over the place. So why doesn't somebody look at the code in one of those copies to determine everything anybody would ever want to know about it, thus enabling people to pretty much ignore it?


    I know that this is what anti-virus companies do, but the way people talk about Storm and similar bot nets, makes it sound as though there is some elusive quality which allows it to do all these unexpected things. What gives? It's just a program. What's the big deal? Or IS there a big deal? I've never been infected.


    -FL

    1. Re:Why. . ? by Rick+Bentley · · Score: 4, Insightful
      The basic idea, it seems to me, is that someone is still controlling these computers and can use them at will in DDoS (Distributed Denial of Service) attacks... and maybe it can even go on the offensive automatically.

      Wikipedia (http://en.wikipedia.org/wiki/Storm_botnet) has a nice write-up on Storm, the "Methodology" Section is especially informative:

      The Storm botnet was observed to be defending itself, and attacking computer systems that scanned for Storm virus-infected computer systems online.[29] The botnet will defend itself with DDoS counter-attacks, to maintain its own internal integrity. At certain points in time, the Storm worm used to spread the botnet has attempted to release hundreds or thousands of versions of itself onto the Internet, in a concentrated attempt to overwhelm the defenses of anti-virus and malware security firms.[30] According to Joshua Corman, an IBM security researcher, "This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit."[31] Researchers are still unsure if the botnet's defenses and counter attacks are a form of automation, or manually executed by the system's operators.[31] "If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously. [Over at] SecureWorks, a chunk of it DDoS-ed [directed a distributed-denial-of-service attack] a researcher off the network. Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it punishes them. It fights back," Corman said.[32]

      Yes, it's not hard to defend against getting infected, but every year there are a bazillion new computer users who want to "punch the clown to win a free i-pod", or whatever, and they get infected by the dumbest stuff. Then their computer can be used to attack others.

      Anyway, most any /. reader can keep from getting infected by Storm; it's the 99.99...% of the rest of the computer owners that literally become part of the problem.
      --
      My favorite quote doesn't fit into 120 characters. Now no one will like me.