Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Hijack Storm Worm To Track Profits

Posted by Soulskill on from the storm-chasers dept.

An anonymous reader points out a story in the Washington Post, which begins: "A single response from 12 million e-mails is all it takes for spammers to turn annual profits of millions of dollars promoting knockoff pharmaceuticals, according to an unprecedented new study on the economics of spam. Over a period of about a month in the Spring of 2008, researchers at the University of California, San Diego and UC Berkeley sought to measure the conversion rate of spam by quietly infiltrating the Storm worm botnet, a vast collection of compromised computers once responsible for sending an estimated 20 percent of all spam." The academic paper (PDF) is also available. We've previously discussed another group of researchers who were able to infiltrate the botnet for a different purpose.

33 of 128 comments (clear)

  1. Double standards? by Anonymous Coward · · Score: 5, Interesting

    How come they don't track down the IP addresses of infected computers and inform the users their computer is compromised? It seems these researchers also are getting a kick out of the botnet at the cost of the victims.

    1. Re:Double standards? by darkside_al · · Score: 5, Insightful

      Because it's useless, most probably, that user in one hour will enter another p0rn site and get infected again. The big problem in securing home computers is user behavior, doesn't matter that you put a lot of warnings, he will hit install in a sec if is searching for pr0n.

    2. Re:Double standards? by Erikderzweite · · Score: 5, Funny

      Or they could change the worm to format hard disks on infected machines -- once done, a PC cannot send spam till reinstall. And this time, the user will be a bit more careful about PC security.
      Problemo solved!

    3. Re:Double standards? by Bokononist · · Score: 3, Insightful

      The best they could really do with the addresses would be to track down the ISPs of the users. The ISPs would then be faced with spending time (== money) to link an IP and time-window to an actual user, and then inform that user.

      Their reward for this effort would be to have one of their technical support people spend an hour on the phone explaining to a clueless and scared someone that they needed to reinstall their XP & applications. This, they ultimately would not do.

    4. Re:Double standards? by Seth+Kriticos · · Score: 4, Interesting

      That is a bit harsh, but the basic idea is not that wrong. Users don't care about security because it is a bigger inconviniance than the not doing it. The botnets are quiet and Joe Sixpack can't relate insecure OS / config with spam (don't cares).

      Maybe someone should introduce some inconviniance for spam infected bandwitch usage (i.e. charge money for the potnet traffic)? If people have to pay for compromized systems, then maybe they will get up their ass*s. Just a thought.

      And yes, I know, the idea must be elaborated and gives a whole set of new issues.. Just ment as starting point for a discussion.

    5. Re:Double standards? by Seth+Kriticos · · Score: 2, Insightful

      Informing users? How? Most of them don't get how to use a door bell, not to mention complex computer concepts.

      How about some countermesures? I mean, if they can infiltrate the botnet, then is it not possible to track it's traffic? I mean, if the ISP's would do that, then they could block it (the control packages) and the spam clients may loose the spam to send out and idle around?

      Well, they probaby also must replicate and send a "Shut up" command to the clients.

      Messing with the users is mostly bad (no option), because they are a) mostly technically illiterate (dumb) + don't care and b) there is a whole lot of liability issues (see Sony rootkit).

    6. Re:Double standards? by qkan · · Score: 2

      As some smart, responsible and otherwise nice people learned the hard way, one of the possible outcomes of reporting a security issue to the affected entity is being sued for illegal activity, reported to the feds etc. by the said entity. After reading some of these horror stories (and seeing no change in the trend over the last decades), I can say for myself that the only situation where I would report a security issue is to my employer since this is, well, my duty as a loyal employee. Or to a "known sane" party, of course, but we're speaking about contacting total strangers in this particular case.

    7. Re:Double standards? by wvmarle · · Score: 3, Interesting

      It sure is a point that back in the day, the end user was really inconvenienced by viruses. Internet didn't exist yet for end-users, and software was transfered by floppy or over BBSes. Spamming hadn't been invented.

      The first virus I encountered was relatively benign: displaying fake cursors on your screen, something like that. Irritating enough to realise you're infected and figure out what's wrong and doing something about it.

      At the time many viruses were also designed to wipe/corrupt data - something that keeps you on the edge. That risk is much more direct, and much more costly that a slightly slower computer that tries to send out a lot of e-mail.

      Nowadays I do have to admit being less concerned about these viruses, except where it comes to keyloggers and so. That want to steal your banking data. However considering the profilation of fishing (recently I get dozens of mails for "update your Google AdWords payment information") even that seems to be a low risk issue.

      Besides I'm not using Windows... OS/X and Linux only... and I know not to click on links in spam, and browsing with non-IE browsers blocks 99.9% of the drive-by downloads but not all: I have got some requests for where to save a .exe file to; automatic download function. At least not hidden.

    8. Re:Double standards? by X0563511 · · Score: 4, Insightful

      Imagine this scenario:

      You have Bob. Bob has a thing about catching STDs. No matter how many times he gets cleaned up, he turns around and does something stupid and gets a new one, and in turn passes them on.

      Is it unethical to study his infections? The subject won't stop getting the infections, nor will he stop spreading them. However, we can use what we learn from studying the subject further on down the line.

      Not quite so black and white is it? I side with the researchers. The botnet will be there either way, and if we actively destroy it a new one will be made in it's place (and possibly improved, preventing study). Might as well learn what we can from it before making a move.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    9. Re:Double standards? by mixmatch · · Score: 2, Interesting

      Maybe we should popularize free, safe sites like youporn, porntube, and xtube and this can all go away?

  2. Re:HMM... by HexaByte · · Score: 5, Funny

    They must be really smart. After all, how are they able to figure out how it is that I'm in need of a bigger schlong, can't get it up w/o viagra and need a new Rolex at bargain prices and I'm looking for a Russian wife. I mean, what kind of research have they been doing to target me perfectly?

    --
    HexaByte - he's a square and a half!
  3. Spam protection by Andr+T. · · Score: 4, Interesting

    I don't have any data to back this up, but it seems to me that people are migrating from small provider companies to big internet provider companies - and their e-mail is going together. And it also seems to me that all those big companies have good e-mail filters (or they're getting one that will be good in a small period of time). If that's true, spam will face a dead end pretty soon.

    Even if you stay with a small provider company with your personal e-mail, there are many good solutions to avoid spam. I used Popfile for a long time and it worked pretty well.

    Either way, if people will go to their spam box and click that viagra ad, it will be their problem. It doesn't affect me anymore.

    --

    Any life is made up of a single moment, the moment in which a man finds out, once and for all, who he is.

    1. Re:Spam protection by lysergic.acid · · Score: 2, Insightful

      that's a good point. i'm guessing part of the reason why Gmail has such a good spam filter is because they implement collective filtering by allowing users to easily mark spam messages, and also because with such a large user-base they can implement statistical filtering techniques much more effectively.

      what i don't get is why ISPs big and small don't just cooperate with each other and trade/pool information needed to fight spam. it would improve everyone's quality of service, so why not work together to achieve common ends. combating spam is one situation where different businesses don't need to compete with one another because they have shared interests.

      even if you're just a small ISP with only a few thousand users, if you work with 10-20 different similar sized ISPs to collectively implement a shared spam-filter, you would achieve much better results than what each ISP could obtain on their own. not only are there more e-mails to perform statistical analysis and Bayesian filtering on, but there are also more users to identify/catch the spam messages that slip past the filters. that way the job of catching stray spam e-mails is distributed across a much wider user-base. instead of each user having to mark 10 spam messages a day, perhaps they only have to mark 10 messages a month.

  4. Re:HMM... by aaron+alderman · · Score: 5, Funny

    You post on Slashdot?

  5. Re:HMM... by Kandenshi · · Score: 2, Funny

    Suggest an improvement?
    Make them write lines.

    No, before you roll your eyes so hard you sprain something, hear me out.
    Try to get an estimate for how prolific this particular spammer is, and then make them legibly write out every e-mail they have ever sent by hand, using crappy 5 cent pens that splutter and run dry frequently.

    They get released when they're done.

  6. Storm Worm by phazux · · Score: 4, Funny

    Oh, Spam... right.

    When I first read the title, I was thinking more along the lines of:

    Bless the Maker and His water.
    Bless the coming and going of Him,
    may His passage cleanse the world,
    may He keep the world for His people.

    -- Frank Herbert

    --
    -- Working to secure tomorrows technology. Honestly Officer!
  7. the vigilante approach by v1 · · Score: 4, Interesting

    I realize this will either be wildly popular with you or you'll hate it, but what I'd like to see someone do is infiltrate the botnet somehow (either by vulnerability or crack their key or whatever) and send a command to the herd to zero the boot sector and shut down their host. (the zombies, not the herder's machines)

    Nothing enough to cause data loss, but enough to force the naive owners to take their machines to someone to get them fixed/cleaned up. I'm tired of being a victim of computer neglect en masse.

    Not saying there's just one botnet out there, so I'd be greatly entertained to see them fall one by one. Should make a nice spectacle. Wouldn't it be entertaining to get up tomorrow and read front page stories all over the place the likes of which we got with Code Red, that a sizeable chunk of zombies just dropped off the grid and there were long lines at the PC repair shops this morning? Stories of entire businesses being brought to a halt because 95% of the machines in their office were owned? Sorry, but "serves them right", and thank you have a nice day while I go check my mail and see 80% fewer medications for sale.

    --
    I work for the Department of Redundancy Department.
    1. Re:the vigilante approach by mdmkolbe · · Score: 3, Interesting

      No need to zero the boot sector, just pop-up a window that says "you have been infected by the Storm worm" every two minutes. The machine is still functional so it is easier to fix, but recovery is easier and less likely to result in data loss.

      (This all is based on the assumption that doing so would be ethical which I don't think it is, but thought experiments don't hurt.)

    2. Re:the vigilante approach by kvezach · · Score: 3, Interesting

      How about turning the machines on them? As far as I understood from the scientific paper, the proxy hosts are contacted by the botmasters (through servers run on bulletproof hosting). Thus it would seem pretty easy to just substitute the send spam command (when the workers ask) with a "DDoS this target" command, where the target is the botmaster server you got the original spam command from. The stronger the botnet, the harder it falls, and while bulletproof hosting servers may scoff at threats of police action, they sure won't like being DDoSed up the wazoo.

    3. Re:the vigilante approach by Anpheus · · Score: 3, Insightful

      And so next time when malware like that damn Antivirus 2009 trojan is installed, they'll be more likely to follow the instructions: "Your computer is infected, click here to scan your computer."

    4. Re:the vigilante approach by russotto · · Score: 2, Interesting

      I realize this will either be wildly popular with you or you'll hate it, but what I'd like to see someone do is infiltrate the botnet somehow (either by vulnerability or crack their key or whatever) and send a command to the herd to zero the boot sector and shut down their host. (the zombies, not the herder's machines)

      All that will do is get law enforcement after the vigilantes. Law enforcement is much more concerned with effective competition than they are with ordinary lawbreakers, so they won't stop botnet-building spammers but they will come down hard on vigilantes.

      So, don't do that. Instead of shutting down the machines, take them over. And take precautions against anyone taking them back. Set up Bittorrent seeds for pirated films on them, if you like, and watch the MPAA go after the zombie owners. If you just look like another criminal, you probably won't get much attention from law enforcement.

      (disclaimer: the above is a hypothetical scenario. Actually trying to pull it off may result in arrest, hospital time, or death depending on who gets to you first).

    5. Re:the vigilante approach by v1 · · Score: 2, Informative

      The problem is most of them are "fast flux" - the C&C servers move around daily. There's no stationary target to hit. Even if you go after a host channel somewhere etc, they just move to a different IP and change domain name records.

      --
      I work for the Department of Redundancy Department.
  8. Re:HMM... by zappepcs · · Score: 4, Interesting

    Actually, I'd rather they be made to pick up a piece of litter for every spam email they sent, or some other such public service that equates piece for piece to the amount of spam they have sent.

    Repaint a house for someone = 100 spam messages
    Clean up a city block of litter = 100 spam messages

    Well you get the point. Force them to wear bright yellow spandex jumpsuits with the spam logo on it until they have fully atoned.

    Whatever the punishment, it should be public, and only mildly degrading.

    Something that lets us all remember what they did, and what it costs in reparations.

    --
    Support NYCountryLawyer RIAA vs People
  9. Ethics of the study by slashdotmsiriv · · Score: 3, Insightful

    the researchers seem to take the legality of their actions under serious consideration. From TFA:

    "Measurement Ethics:
    We have been careful to design experiments that we believe are both consistent with current U.S. legal doctrine and are fundamentally ethical as well. While it is beyond the scope of this paper to fully describe the complex legal landscape in which active security measurements operate, we believe the ethical basis for our work is far easier to explain: we strictly reduce harm. First, our instrumented proxy bots do not create any new harm. That is, absent our involvement, the same set of users would receive the same set of spam e-mails sent by the same worker bots. Storm is a large self-organizing system and when a proxy fails its worker bots automatically switch to other idle proxies (indeed, when our proxies fail we see workers quickly switch away). Second, our proxies are passive actors and do not themselves engage in any behavior that is intrinsically objectionable; they do not send spam e-mail, they do not compromise hosts, nor do they even contact worker bots asynchronously. Indeed, their only function is to provide a conduit between worker bots making requests and master servers providing responses. Finally, where we do modify C&C messages in transit, these actions themselves strictly reduce harm. Users who click on spam altered by these changes will be directed to one of our innocuous doppelganger Web sites. Unlike the sites normally advertised
    by Storm, our sites do not infect users with malware and do not collect user credit card information. Thus, no user should receive more
    spam due to our involvement, but some users will receive spam that is less dangerous that it would otherwise be."

    However, their premise of "reducing harm" is questionable. How can we be sure that a person who decided to purchase these drugs (against all warnings) really believes that not buying them is the best thing for him? What if this person really wants to purchase a drug that he thinks will enlarge him? Who gives the researchers the right to decide what other people should spend their money on? Under several legal interpretations, forcing a person not to buy something perceived as harmful is not legal: denying to sell cigarettes to a person of legal age may be illegal, under discrimination laws.

    The bottom line is that the researchers have a good point regarding the ethics of their study, however this issue is not 100% resolved.

    1. Re:Ethics of the study by jonbwhite · · Score: 2, Informative

      However, their premise of "reducing harm" is questionable. How can we be sure that a person who decided to purchase these drugs (against all warnings) really believes that not buying them is the best thing for him? What if this person really wants to purchase a drug that he thinks will enlarge him? Who gives the researchers the right to decide what other people should spend their money on? Under several legal interpretations, forcing a person not to buy something perceived as harmful is not legal: denying to sell cigarettes to a person of legal age may be illegal, under discrimination laws.

      The site that the spam normally points to actually sends placebos or mislabled painkillers instead of the actual drugs, so I don't think this is really an ethical issue. However, even if the site did send the real drugs, it is *not* difficult to find an alternative website willing to sell the same items. Not to mention the fact that the sending of the spam was illegal in the first place.

  10. how to get suggestive phrases into a journal. by jmhoule314 · · Score: 2, Funny

    I can now die happy having seen the phrase, "Excellent Hardness is Easy!" in an academic paper.

  11. Re:I've previously been ridiculed for by TheLink · · Score: 2, Informative

    How do you pay?

    So far it's hard to pay random people on the internet. For instance if I want to pay you USD1, it'll cost me more than USD1 in time and money to do so.

    --
  12. Which leaves two possible solutions. by khasim · · Score: 3, Insightful

    #1. The ISP blocks all outgoing port 25 connections. We've been over this one before. It means more expenses for the ISP so they're not going to do it unless they are forced to do it through law.

    #2. The vigilante approach of writing a "virus" that identifies and infects infected computers ... and then removes the existing infection, downloads updates, installs a silent anti-virus app and checks back in at regular intervals for updates. The problem with that is that the people who do it become "criminals" under US law.

    1. Re:Which leaves two possible solutions. by Intron · · Score: 3, Insightful

      I wondered about #1, also. My ISP blocks *inbound* port 25 but not outbound. They don't want to let me run a server on a dynamic home IP address because they want to charge me for a business use. They also block inbound port 80.

      It turns out the reason they don't block outbound 25 is because that would force the spammers to email out through the ISP mail servers which would get them blacklisted. They are fine with letting the home users send spam and get blacklisted. It doesn't cost them anything.

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:Which leaves two possible solutions. by aztektum · · Score: 3, Insightful

      Wouldn't they get blacklisted if a users IP is attached to a block assigned to that ISP?

      --
      :: aztek ::
      No sig for you!!
  13. Re:HMM... by emlyncorrin · · Score: 2, Funny

    Speak for yourself.

    oh wait...

  14. Remove the tcpip stack by Colin+Smith · · Score: 3, Insightful

    Consider it a form of quarantine.
     

    --
    Deleted
  15. Re:HMM... by Whiteox · · Score: 2, Funny

    Damn it! You're right.
    Out of all the spam I've gotten in recent years, I've only got 1 from a Russian bride-to-be:

    Hello! My name is Nataliya, me of 26 years, I the intellectual, nice, sexual girl which at present searches for serious attitudes - I shall tell more search for the man for marriage!
    I only, that have read through your questionnaire and it has very much interested me, I wish to continue to learn you.
    So we can have dialogue!

    Please reply only my personal e-mail: iriska640@yahoo.com

    I look forward to your prompt answer :)
    Nataliya.

    As I'm already married ('nuff said), I can't take advantage of this incredible offer, so you can have her.
    BTW She's blond, petite, late 20's.
    Good Luck

    --
    Don't be apathetic. Procrastinate!