Storm Worm Botnet "Cracked Wide Open"
Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'
However it seems in practice the elimination process would fall foul of the law.
I'm sure I'm not alone when I say, "So?"
Who cares about laws? I mean, the criminals don't, the government doesn't care; is anyone still clinging to this outdated model of a coexistence standard?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They should just publish their code. Let the individual hackers decide what to do with it...
However it seems in practice the elimination process would fall foul of the law.
Whose law?
The higher the technology, the sharper that two-edged sword.
This falls into that whole super-hero vigilante category. Just ask yourself, what would batman do?
Why not just give the code to the FBI and let them turn it on? I'm sure they'd be more than happy to. Or ask them for immunity on this point. It's not like the Feds don't want this thing gone as much as anyone.
You know, if I had suddenly discovered a way to take down a botnet, I wouldn't have said S*** and just dismantled it.
It can be seen from another point of view. The botnet is already there. It is already taking orders from people who definitely should not be trusted. What if someone who could possibly be trusted were to add some extra orders to that process?
On the other hand, the botnet owners could decide that it will be better to erase the evidence (and the infected people's machines in the process) and put the blame on the ones that announced they will clean up that mess... and of course, start a new botnet on new machines without that vulnerability, lowering profits for a while but feeling untouchable afterwards.
Slovakia is about to launch, if it hasn't already launched, its only nuclear reactor, which has been gathering (radioactive?) dust since the Soviet era, which technically goes against their EU membership agreements.
But it's sure better than freezing to death without Russian gas... imo.
That's the problem.
The criminals do not care because they were criminals to begin with. This affects the people who are not criminals but who want to clean up the mess made by the criminals.
Now, if the various governments could/would authorize their law enforcement agencies to use this method ...
Some people run some botnet ops from some countries with some loose laws to gain some protection.
Is it not as easy to dismantle a freaking botnet from there?
But instead of individual hackers cleaning up the mess, why not have the government of a country pass a law that machines within its jurisdiction may be cleaned if found to be a zombie?
Then their law enforcement agencies can use the code that the hackers wrote to clean up the machines in their country.
A simple process of identifying the infected boxes, notifying the ISP of those boxes, the ISP notifies the customer in writing and if not cleaned within 30 days then the cops clean it remotely.
The only real problems would be that many of those machines would probably be re-infected soon and the hackers would continually have to reverse engineer the latest zombie upgrades.
Maybe such an approach would finally get the anti-virus companies (and OS vendors) to publicize white lists of code that is known to be okay. Rather than trying to identify all the code that is not okay (and its variants).
If you manage to disable the Storm botnet, someone will just create better botnet software. The end result is just a better botnet.
If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someone's jollies, but because it is profitable to have a botnet. If you remove the profit motive the botnet will self-disassemble over time.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
After you decode it with base64, how do you open it? Do you just rename it to .c and open it with VS?
If not, then how?
I would not be against the law to destroy the storm-bot-net as part of a gov't directed national security project. The latitude to take action under those sorts of circumstances is EXTREMELY broad.
While OS X, Linux and others are inherently more secure than an unpatched Windows, the user is still the weakest part of the whole setup.
Wait until we get enough dumb users who install all sorts of shit onto their computers. Granted, the numbers will be much lower than machines which can get infected without any interaction by its owner, but we WILL get users dumb enough to type their password to install "stupid program XYZ" from unknown sources.
Who said that it would be seized?
The process in the article allows for the system to be remotely identified and remotely cleaned.
And how, specifically, would the average computer user know that their machine was a zombie?
What is the financial benefit to the ISP in that case? It's cheaper for them to buy more bandwidth than it is to pay a tech to handle the incoming call from when the customer's machine cannot get to the Internet.
Try to explain that without getting into "pass a law". You'll see why remotely removing the zombie code is the best use of resources.
Remembering a most preposterous occurrence of a game key-stealing trojan on a flash drive that got lifted to the ISS, and the more recent one of a hospital's IT succumbing to some other malware.
How smart-alecky one would look if he takes on this problem thusly: Let all the windows ecosystem die its natural death and take all the botnet scum with it. Or does it take an ueberinsightful, astutely daring sci-fi fellow to see it as one efficient remedy to the dullest problem of modern age?
I would say that it should be. Why waste time and effort trying to find crackers who will only be replaced by different crackers in different countries if you do manage to prosecute them?
Remove the zombies in your country and the zombie problem is pretty much solved.
But to accomplish that, you need to be able to automate the process and perform it remotely. There just are not enough resources to handle each computer individually.
Does a detailed report of the analysis exist anywhere? I'm thinking about the reversing part now.
A law that actively hinders human development and protects criminal activities is immoral.
Immoral laws should not be followed.
Screw the FSM - Real geeks believe in the Invisible Pink Unicorn
IRC operators battling botnets have long been able to take them down, and have long been battling with the ethics.
http://news.cnet.com/IRC-operators-may-out-hack-Fizzer/2100-1002_3-1003894.html
Sounds like the rest of the world is catching up after 8 years.
While OS X, Linux and others are inherently more secure than an unpatched Windows, the user is still the weakest part of the whole setup.
I disagree. Users are a weak link, but currently not the weakest and there is a lot that can be done before modifying users becomes practical.
Wait until we get enough dumb users who install all sorts of shit onto their computers. Granted, the numbers will be much lower than machines which can get infected without any interaction by its owner, but we WILL get users dumb enough to type their password to install "stupid program XYZ" from unknown sources.
Most users have the expectation that installing a program is not the same thing as giving someone else complete control of their computer and the ability to send as many e-mail messages in the background as they desire. This expectation is not met. Most users who install software use many different mechanisms for such installation, some of which do require users to type in their password. Because of this, why would users not type in their password when installing a program?
My basic point is just that we need to fix operating systems and make them relatively secure, consistent, and understandable to users as well as make sure they don't reward unsafe behavior. People interested in making computers and the internet more secure have plenty of room to make improvements. The problem is, they don't have the motivation. The solution is effective enforcement of antitrust laws. Return competition and capitalism to the market and the problem will solve itself in short order.
Hey cool, that's where I studied! :D
The laws must change . . .
We have then an autonomous piece of software which evolved organically and could plausibly have intelligence and control the huge number of networked computers around the world!
Cool hey?
like phosphorescent desert buttons singing one familiar song
Before anyone jumps to any conclusion I do not assume everyone here is American nor that American = Good or good, only that the american idea is valuable(not necessarily right).
Initially in America, at least based on what is known or understood about the founders, the law was meant to create a baseline of protection with the rest of the population opting in to enhance and, eventually, raise that baseline by trying solutions based on volunteers, essentially beta-testing the idea in their community. Why not do that here?
Some people interested in destroying the botnet could take the solution that is worm-like itself and feed the propagation list with an opt-in mailing list (like most forum boards are on the net now) and further protect people from the risk by providing a confirmation Yes-No form before the "solution" is applied to the individual's PC, and further educate them by storing and displaying a log of the operation.
Another way to make the solution more effective is to make three tiers.
You subscribe and confirm to the "solution" online newsletter style with a clear "At your own risk" disclaimer but it has to be from the Internet IP (if behind NAT) your machine uses. The "solution" is sent out to you within a specified time. When it gets to you it:
Asks with a Yes-No button form "Did you sign up for the 'solution' and wish to apply the solution now?"
User selects Yes -> next step.
User selects No -> next step.
Tier 1. "solution" generates a list of steps that you can take as the user to protect your PC. If the user selected No above the "solution" then destroys itself and removes you from the newsletter list. If the user selected Yes then the "solution" asks "Would you like to apply these suggestions now?". A log is saved onto the desktop and opened for the user to see what this "solution" has done to the PC.
User selects Yes -> next step.
User selects No -> "solution" quits and removes itself from the PC but maintains you on the newsletter for further updates.
**This is tier 1 least invasive/risky for the user but also least protection.**
Tier 2. "solution" asks if you would like to remove any bad things that are on this computer and provide the user with full disclosure on what was done including how it did it in a log file saved on the desktop.
User selects Yes -> does it, removes itself from the PC, maintains your email on the newsletter for further updates.
User selects No -> goes to next step.
**This tier is secure but builds in no edge for those protecting the user, however, the paranoid individual/sysadmin can monitor a tool that may be untrusted and this allows the community to build trust and thus increase use and restrict the botnet's size.**
Tier 3. "solution" tells the user that it will now remove any threat and tells the user only which files were manipulated or deleted and not how or why. Then the "solution" deletes itself and maintains the user on the newsletter for future updates.
**This is the best method but only if the "solution" is trusted by the user, this way the user fosters trust with the "solution" makers allowing an edge for those protecting, keeping the method of protection out of the hands of the bot makers.**
Now I suppose removing tier 2 would avoid any violation of privacy or law but it would also restrict adoption rates. It is possible that this is the model current anti-malware programs use now but at some point the details of the logs and the flow of these steps get obfuscated too much. I suspect it is usually a fault of marketing and/or an attempt to allow a tool to be left on a system, or perhaps it is just so the makers don't lose business to another company that just uses their solution and markets it separately. Those few things are issues that could be eradicated here by a decent supportive community of those that know how, and want to help. Personally, I am willing to volunteer to work towards something like this as long as
If a user installs some program on either Linux or OS X, what's to stop that program from making outbound connections to port 6667 (to receive instructions) and to port 25 (to send spam)? I've never understood this "if users wouldn't run as Administrator/root, we'd all be safe" argument, you don't need superuser privs to send email.
Part of the difference with Linux is that downloading random-ass crap from untrusted sources and blindly running an installer is not the usual way to install software. With the major distros, the user will get stuff out of the official repositories, which have been examined and vetted. This is especially true of the "clueless user" type you're describing.
Malware is so prevalent on Windows partially because Windows provides no way for a user to know what the hell is going on. The expected means of installing software is to visit random websites, owned by god-knows-who, download some executable, and run it. You rarely have any means of telling what it's actually installing, where it's installing, and just what these programs actually do. When this is the preferred way of doing things, is it any wonder that people download and install malicious stuff without even knowing it?
A fine example is Chrome, which I installed in the first few days it was released. I didn't notice that stupid Google Updater thing which was silently installed alongside, until much later when I was checking my running processes for unrelated reasons. Getting rid of it was a pain in the ass, too. I'm a veteran user who knows what the hell I'm doing, and Google "should be" a trusted source -- yet this slipped right by me. That thing could easily have been malicious (though to my mind, anything that "updates" unknown servers with unknown information about my computer is malicious).
The Linux repository and package management system isn't perfect but it is far and away lightyears ahead of the Windows method.
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
Well, now we'll see if Homeland Security does anything. That's part of what their "National Cyber-Security Center" is supposed to be doing. The current head of that office is a former lobbyist, but Obama's team will probably can him and put in someone with a clue.
Did you honestly just put Windows and Linux people in one boat? Somehow sounded like it. Must be my imagination.
If a user installs some program on either Linux or OS X, what's to stop that program from making outbound connections to port 6667 (to receive instructions) and to port 25 (to send spam)?
Well, one possibility is the firewall, but for most setups it won't by default. Right now what protects OS X and Linux users from that happening is the fact that there are very few trojans in the wild that do that and work on those OS's. For that matter, not too many do that on Windows, because automated worms work better at gathering bots than trojans do.
Now for some Linux distros and potentially for OS X and Windows there are sandboxing technologies that could be implemented to prevent trojans from working in that way. There are signing frameworks to automatically verify the source of programs to inform the user about whether or not some software they are installing is from well known and trustable source. If trojans ever become a real problem for the average Linux or OS X user, then these technologies will be implemented and become default setups.
I've never understood this "if users wouldn't run as Administrator/root, we'd all be safe" argument, you don't need superuser privs to send email.
I made no such argument. Rather I mentioned that boxes could be locked down to prevent the problem. Part of that means implementing finer grained permissions on the application level. I also asserted that the real problem is the broken market, where the one, mainstream OS that really needs such technology has utterly failed to implement it, but because there is no competition, very few users move to alternatives.
Well, the Storm net depends on deniability. Whoever is directing the zombies, they needn't reveal anything about themselves to the botnet, or connect from a particular place. The command just needs to find its way into the wild.
Naturally, the cure is going to have to exploit the same dynamic. If we're as careful as the botnet designers were, retribution would be basically impossible.
DRM: Terminator crops for your mind!
Surely the only computers that would be affected by this being released are those whose computers are compromised anyway?
If thats the case, it's better to try to do good rather than do nothing and let it continue. If the computer becomes unusable, oh well, maybe the owner will take care of it once they get someone to clean it.
IMO, they should add a note telling the owners of the computers affected how they can secure their computers.
I know it's terrible form to reply to one's own post, but let me just come out and suggest it:
A collaborative, and perfectly anonymous or pseudonymous code project.
Wicherski, Werner, Leder and Schlösser must be protected from punishment for their fine work for the good of humanity. So, informed by their disclosures, I say an open source counter-worm ought to be developed from scratch. To protect those working on it, the collaboration model would have to be a little bit 4channy.
The downside to anonymity (As our good friend the Obama/Library/Poop guy shows us) is that it means people don't have to act accountably. There would probably be tons of ebil coders, seeing a wide-deployment worm accepting code contributions, trying to sneak their own obfuscated backdoors into the code.
But the upside to a system like this is transparency. There are still plenty of eyes on the code, and plenty of coders to call shenanigans on one another.
Whadda ya say?
Why not just send the purge command through Tor?
If something goes wrong, it can't be traced easily.
It is possible -- there is a patchset for the kernel called GrSecurity. It allows you e.g. to prevent users from starting applications from folders whose owner is not root. So installing programs from a repository is still possible (sudo etc.) but downloading and starting random crap -- close to impossible. Of course, there are always bigger and better idiots, but very few will actually manage to download a file, get root permissions, copy that file to /bin/, change permissions and launch it.
I assume, similar is possible via SELinux too.
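As an added illustration of the execution policy described in the comment above (not code from the thread or from grsecurity itself), this models the trusted path execution rule in pure Python: a non-root caller may only run binaries from a root-owned directory that is not group- or world-writable. The sample directories, owners and modes are constructed; the real enforcement happens in the kernel, this only reproduces the decision.

```python
# Added example: a user-space model of the "trusted path execution" rule.
# Real grsecurity TPE is enforced inside the kernel on every exec(); this
# only reproduces the decision rule so the policy can be reasoned about.
import os
import stat


def tpe_allows_exec(dir_uid: int, dir_mode: int, caller_uid: int) -> bool:
    """Decide whether caller_uid may execute a file living in a directory
    owned by dir_uid with permission bits dir_mode.

    Rule (modelled on grsecurity TPE for untrusted users):
      - root is always allowed;
      - anyone else needs a root-owned directory that is neither
        group- nor world-writable, so /usr/bin qualifies but $HOME,
        ~/Downloads and /tmp do not.
    """
    if caller_uid == 0:
        return True
    if dir_uid != 0:
        return False
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def check_path(path: str, caller_uid: int = None) -> bool:
    """Apply the rule to a real path using the containing directory's stat()."""
    if caller_uid is None:
        caller_uid = os.geteuid()
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    return tpe_allows_exec(st.st_uid, stat.S_IMODE(st.st_mode), caller_uid)


if __name__ == "__main__":
    # Constructed cases (uid 1000 is the hypothetical unprivileged user):
    # /usr/bin is root-owned 0755, ~/Downloads is user-owned 0755,
    # /tmp is root-owned but sticky world-writable 01777.
    cases = [("/usr/bin/ls", 0, 0o755),
             ("/home/alice/Downloads/setup", 1000, 0o755),
             ("/tmp/crap", 0, 0o1777)]
    for name, uid, mode in cases:
        verdict = "allowed" if tpe_allows_exec(uid, mode, 1000) else "denied"
        print(f"{name}: {verdict}")
```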
User maintains more than a dozen sockpuppet accounts on Slashdot.
Oh the technological frameworks are there and could be implemented in short order. What is lacking is the motivation on the part of mainstream organizations and companies that could implement such a thing and a well polished implementation that deals well with the UI and total usability issues. I've used SELinux, and it has gotten better, but unless it is implemented by default by major distros, developers will never adjust their applications to work well with it and it will always be problematic. It also doesn't integrate with a signing framework or do a good job of giving the user the info and control needed via a usable UI.
My only regret is that I'm not smart enough to be able to contribute directly to a project like this, but as a Mac user, who uses a Mac because "that's what he has", I say hell yes, go for it! I don't like seeing people on any platform being victimized at all. Why ask permission? Just put on the white hats out there and gun it. I could offer some cluster server space if that helps at all.
I also think that the "get the Feds on it" idea is ridiculous. This is about doing the right thing, for the right reason, and we don't need them for that... far from it, really.
As a result, we now have that strange ritual where guys wearing funny-looking caps point funny-looking cones at oncoming cars. And if their funny-looking cone device shows a number that is too high, they'll signal the driver of the "offending" car to stop. And then he has to pay, lose points off his license (or if the number on the cone dingbat was sufficiently high, the license is gone in one go), and that's definitely less funny.
In this analogy, the cars causing high numbers to come up are the botnet computers, and the guys in funny hats with their funny cones are the researchers trying to shut it down.
But, you see, occasionally, SNAFU happens. Sometimes, one of the car drivers is on a really important mission. Such as driving to the intervention center to pick up an ambulance to rescue a patient. Who will die if the driver loses his license. So now, we have a case where it's not speeding that kills, but speeding checks that kill...
That's the analogy for accidentally fouling up a hospital computer.
But for some weird reason this weird cap-and-cone ritual is still done. If we're so concerned about collateral damage, shouldn't we stop that silly ritual first?
In the meantime, the vulnerability has been revealed to those who run the Storm botnet and I bet they're already working to deploy a patch that'll make it ineffective.
By reading this signature, you hereby agree with the content of the above comment.
Why not get the user's consent first ?
If a zombie is detected, it should be isolated in the same way as a commercial wifi node : no access to the net, and web access pointed to a login page. That page would then offer the option of continuing to use the machine offline, or having the bot software neutralised.
No need to worry about knock-on failures from disconnecting a critical machine : any critical system that relies on its net connection is either broken by design or so unusual that it could be handled as a 'do not block' case by the service provider.
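The quarantine proposed in this comment, together with the earlier question about what stops a bot from making outbound connections on port 6667 and port 25, as one added example that is not code from the thread: it flags local hosts whose flows look bot-like, then builds captive-portal style isolation for them while honouring a 'do not block' list for critical systems. The flow records, the hosts, the allowlist entry and the portal address 10.0.0.1 are all constructed.

```python
# Added example: detect bot-like outbound traffic and plan a quarantine.
from collections import defaultdict

IRC_PORT = 6667
SMTP_PORT = 25

# Constructed flow records: (src_ip, dst_ip, dst_port), one line per flow.
FLOWS = [
    ("10.0.0.5", "198.51.100.7", IRC_PORT),    # talks to an IRC server
    ("10.0.0.5", "198.51.100.7", IRC_PORT),
    ("10.0.0.9", "203.0.113.1", SMTP_PORT),    # SMTP to many different hosts
    ("10.0.0.9", "203.0.113.2", SMTP_PORT),
    ("10.0.0.9", "203.0.113.3", SMTP_PORT),
    ("10.0.0.9", "203.0.113.4", SMTP_PORT),
    ("10.0.0.9", "203.0.113.5", SMTP_PORT),
    ("10.0.0.12", "203.0.113.9", SMTP_PORT),   # one relay only: normal client
    ("10.0.0.12", "203.0.113.9", SMTP_PORT),
    ("10.0.0.20", "203.0.113.31", SMTP_PORT),  # hospital mail gateway (allowlisted)
    ("10.0.0.20", "203.0.113.32", SMTP_PORT),
    ("10.0.0.20", "203.0.113.33", SMTP_PORT),
    ("10.0.0.20", "203.0.113.34", SMTP_PORT),
    ("10.0.0.20", "203.0.113.35", SMTP_PORT),
]

# Constructed "do not block" list for the critical-system case the comment mentions.
DO_NOT_BLOCK = {"10.0.0.20"}


def find_suspects(flows, smtp_fanout=5):
    """Return {src_ip: sorted reasons} for hosts whose outbound traffic is
    bot-like: any connection to the IRC port, or SMTP to at least
    smtp_fanout distinct destinations. A normal mail client hands mail to
    one relay; a spam bot delivers straight to many MX hosts."""
    smtp_dests = defaultdict(set)
    reasons = defaultdict(set)
    for src, dst, dport in flows:
        if dport == IRC_PORT:
            reasons[src].add("irc-c2")
        elif dport == SMTP_PORT:
            smtp_dests[src].add(dst)
    for src, dests in smtp_dests.items():
        if len(dests) >= smtp_fanout:
            reasons[src].add("smtp-fanout")
    return {src: sorted(r) for src, r in reasons.items()}


def quarantine_plan(suspects, do_not_block, portal):
    """Build per-host actions. Allowlisted hosts are only reported; every
    other suspect gets iptables-style rules (on the gateway) that keep DNS
    working, send its HTTP to the portal page and drop everything else."""
    plan = {}
    for ip in sorted(suspects):
        if ip in do_not_block:
            plan[ip] = ["notify-only"]
            continue
        plan[ip] = [
            f"-A FORWARD -s {ip} -p udp --dport 53 -j ACCEPT",
            f"-t nat -A PREROUTING -s {ip} -p tcp --dport 80 "
            f"-j DNAT --to-destination {portal}:80",
            f"-A FORWARD -s {ip} -d {portal} -j ACCEPT",
            f"-A FORWARD -s {ip} -j DROP",
        ]
    return plan


if __name__ == "__main__":
    suspects = find_suspects(FLOWS)
    for ip, actions in quarantine_plan(suspects, DO_NOT_BLOCK, "10.0.0.1").items():
        print(ip, suspects[ip])
        for a in actions:
            print("   ", a)
```

Tune smtp_fanout to the site: a real mail gateway should be on the allowlist rather than raising the threshold until spam bots pass.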
A big problem in today's global computer population is the lack of predators. While in the past malware was mostly written by some wannabes (ever looked at some virus from the DOS era? I hardly saw one that looked like the one that wrote it had more than a slight grasp of programming) and had some highly visible effects causing infected computers to be removed from the population, thus weakening the general population.
But today malware is mostly there to aid some other criminal goal, thus also the malware behaves more like a parasite than a predator: keep your host living so you keep yourself living, too.
The problem is: computers are not like some beasts in the forests, but what humans depend on. So it is not only criminal to get some predators back, but would also cause massive problems for humans, perhaps even deaths, when emergency calls or nuclear power plants are affected, so it is unethical.
So we are caught in a dilemma, which widens our global vulnerability every day.
With all the fear of terrorist attacks, it is really a wonder why keeping your PC open for everyone with enough criminal energy to misuse it has no consequences for the people doing so.
It is hard not to wish some people would use such a botnet to change e.g. the Windows login screen of all infected machines to a green screen with some Arabic text on it. One could imagine people would be frightened by this look and learn to clean and protect their machine. Governments could become uneasy enough to force people to use protective measures. But most likely the code would be buggy and bring down every thousandth PC, endangering many lives and being sure to pain a large number...
That was my first idea too: the moment you go 'open source' on a Storm-killer, the creators of said botnet will have it patched well before the fix will be finished, let alone deployed. This comes down to the fact that, involuntarily of course, they are in fact contributing to making the botnet 'stronger'.
Sigh, I'm kind of annoyed by these 'researches' that IMHO go /wasting/ time & resources on a "hey look, I managed to decompile and understand someone's program, let's write a paper about it" attitude. If they're not actually doing anything constructive with it... what's the use?
If there is one thing to be learned on slashdot, it has to be sarcasm.
I've never understood this "if users wouldn't run as Administrator/root, we'd all be safe" argument, you don't need superuser privs to send email.
A big difference is that although a non-admin bot can run, it can't hide. It can't conceal its existence from OS tools which display processes and files, and so it can't hide from any removal/detection tools.
If government officials have authority to recover stolen goods (cars, property, etc) then they need to start taking care of this sort of thing, too. Why create a "new" organization for it... governments can agree to work together enough to form Interpol, simply extend Interpol to cover cyber crime. It seems like an obvious extension to me. As mentioned previously, the damage was done when the "vehicle" was "stolen"... if the "car" "crashes" in the authority's pursuit to limit its contribution to the victimization of more innocents, that's the fault of the perpetrator(s), not the authorities.
Would seem that MicroSloth could actually do something good here. If this approach to combatting Storm is on the level, they could purchase or license the method and bundle it with 'doze, using their own EULA to cover any possible complaint of 3rd-party tampering. It would become just another level of network security added to the operating system.
This approach would have the widest effect, as it would eliminate the need for people to manually download the package and agree to potential intrusion, should the need arise by their machine becoming infected.
The good publicity sure couldn't hurt, either.
Gosh, never thought I'd actually say M$ could do good by buying out the little guy.
Let's turn this around a little
Imagine that the program to kill the botnet is written by China or Russia. If they released it and allowed it to run on computers in the US there would be a major outcry. "This is eWar!" or "We are under eAttack!" would be heard far and wide and the US would use it as a reason to raise the alert state at the very minimum and could even begin a shooting war to defend the US internet and their citizens.
Now, why do you think it should be any more acceptable to other countries if the US authorises its agencies to do a similar stunt? Running unauthorised software on someone's computer is an offence regardless of who does it. The only way that this could be acceptable is if the program is released publically and users can choose to run it on their own computer.
Have a look at soylentnews.org for a different view
I would think they would hold a gun to the guy who is doing time for writing the original code, and force him to hit the enter key to send the command to dismantle the botnet, and thereby making HIM responsible for criminal activity of undoing the botnet.
He wrote the original, and now he would face charges for making things right, and then some....that would be justice!
If it sounds like there is an intruder in your house, doesn't that give the police reasonable cause to enter? I see little difference here, though privacy geeks would probably cringe....
FTA: "It's surprising that there is no discussion going on regarding the legal preconditions that would have to be created in order to get rid of the threat."
No, what's surprising is that people are still using Window$ after all these years.
In times of universal deceit, telling the truth gets you modded -1 Troll
Yes there is. OS X hosts have been observed participating in botnets.
http://voices.washingtonpost.com/securityfix/2006/03/when_macs_attack.html
The OS may be secure, but every application running on top of it is not.
If more people were using software written by another guy from Finland 16 years ago, there would be no W32 crime wave and we would not need super cracker cops authorized to violate your privacy.
Right, there would be a Linux crime wave instead. Linux doesn't prevent users from running trojans or force them to get their operating system patched.
I have only one thing to say to that... ... BRAINS....
Not going to say that they are 'inherently' more secure. With open source (for one at least) it leaves a lot open to be viewed by attackers. This and they don't have the security pen testing that most people do; sure they get some reports but it doesn't mean everyone reports what they find, for the simple fact of using it later. Also, Apple cares not about the security of their product like Microsoft does nowadays. Apple has never had a huge hack, which does not mean it is secure, just that there is a limited number of users, which leads to no one attempting to attack them for profit. Nothing is secure.
I say an open source counter-worm
Why? Storm is generally distributed via Trojan payload and/or user stupidity. It's not a worm, and creating one to attack Storm is rather pointless.
Especially since such a worm (if it worked) could just as easily get caught by the Storm operators, and reprogrammed/released to simply start spreading it again. Or worse, a more robust, hardened one.
In any case, once you finally wipe Storm out, it will just get modded slightly, released as Storm v1.1, and all the idiot users that installed it last time will once again click the bunny and join the botnet.
Does anyone else find this amusing? It's the game of security cat and mouse which is typical of microsoft (and other) software, in reverse!
If it turns out that the botnet creators are "better" with security updates than microsoft, well... that would make my day.