Storm Worm Botnet "Cracked Wide Open"
Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'
They should just publish their code.
They did.
The Full Disclosure link contains the source code of their program.
base64 -d | bzip2 -d | tar -xf -
Actually, it's base64, but you are basically correct.
The tarball contains the following contents:
Makefile
autorun.c
autorun.h
cmdsrv.c
cmdsrv.h
disinfect.c
disinfect.h
hash.c
hash.h
httpsrv.c
httpsrv.h
install.c
install.h
libz.a
message.c
message.h
nbcache.c
nbcache.h
overnet.c
overnet.h
pini.c
pini.h
queue.c
queue.h
routing.c
routing.h
stormfucker.c
stormfucker.h
zconf.h
zlib.h
The reason why it is "partially disclosed" is because portions of the code have been patched so as to make it inoperative. However, all the necessary exposition is there, and by reading the source you can get a pretty good idea of what it is doing.