Slashdot Mirror


Storm Worm Botnet "Cracked Wide Open"

Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'

8 of 301 comments

  1. Re:Partially disclosed? by ymgve · Score: 5, Informative

    They should just publish their code.

    They did.

    The Full Disclosure link contains the source code of their program.

  2. Re:If the fix works. . . by Anonymous Coward · Score: 2, Informative

    It IS illegal even to write or distribute such code thanks to the infamous § 202c StGB.

  3. Re:Question by niteice · Score: 2, Informative

    disregard above post.

    base64 decoding gives a bzipped tarball, decompress with your favorite utility.

    HOWEVER, it is obviously Windows-specific, uses the Win32 API to install itself and - I think - replicate the Storm code in-place.

    --
    ROMANES EUNT DOMUS

  4. Re:Question by nostrad · Score: 3, Informative

    base64 -d | bzip2 -d | tar -x

  5. Re:Depends ... by Anonymous Coward · Score: 2, Informative

    No, German law is very clear at this point.
    Unauthorised data manipulation is illegal.
    And you will not get around the judge with: "I just inserted that in the bot in my machine and it spread through the botnet, lulz. Dunno why."

  6. This is not news by Anonymous Coward · Score: 1, Informative

    IRC operators battling botnets have long been able to take them down, and have long been battling with the ethics.

    http://news.cnet.com/IRC-operators-may-out-hack-Fizzer/2100-1002_3-1003894.html

    Sounds like the rest of the world is catching up after 8 years.

  7. Re:Partially disclosed? by nneonneo · Score: 4, Informative

    Actually, it's base64, but you are basically correct.

    The tarball contains the following contents:

    Makefile
    autorun.c
    autorun.h
    cmdsrv.c
    cmdsrv.h
    disinfect.c
    disinfect.h
    hash.c
    hash.h
    httpsrv.c
    httpsrv.h
    install.c
    install.h
    libz.a
    message.c
    message.h
    nbcache.c
    nbcache.h
    overnet.c
    overnet.h
    pini.c
    pini.h
    queue.c
    queue.h
    routing.c
    routing.h
    stormfucker.c
    stormfucker.h
    zconf.h
    zlib.h

    The reason why it is "partially disclosed" is that portions of the code have been patched so as to make it inoperative. However, all the necessary exposition is there, and by reading the source you can get a pretty good idea of what it is doing.

  8. Re:Tor by shentino · Score: 2, Informative

    And yet, the anonymous, encrypted nature of Tor gives you plausible deniability.

    In effect, you are a miniature ISP.