Slashdot Mirror


Storm Worm Botnet "Cracked Wide Open"

Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'

23 of 301 comments

  1. so what? by derfy · Score: 5, Insightful

    However it seems in practice the elimination process would fall foul of the law.

    I'm sure I'm not alone when I say, "So?"

    1. Re:so what? by txoof · Score: 4, Insightful

      Not only is it a problem of breaking the law, but there's the problem of "cleaning gone wrong". What if the cleaning program fouls a hospital's computers? Or fouls up some other important infrastructure. Do you want to be the guy standing next to the enter key in that event?

      Obviously, infrastructure should be configured and secured against such problems, but it's pretty clear that that assumption is false and dangerous. Just a few months ago a trio of London hospitals went down because of an infection. Granted it was mostly the administrative side that went down, but that still costs a crap load. And what if it's not just the administrative side of, say, a power distribution grid that shits itself because of some unforeseeable problem with the cleaning worm?

      I sure wouldn't want to be the guy responsible for that. There's also the threat that the cleaning will go wrong in completely unexpected ways causing even worse network disruption. If this option is pursued, those that have the magic bullet would probably want to get some sort of pledge of amnesty from their governments to protect them from prosecution in the event that they cause damage.

      --
      This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
    2. Re:so what? by Kent Recal · Score: 4, Insightful

      Your post is not unlike the difference between, say, a clueless person using inappropriate analogies, and the proof that car analogies hardly ever make any sense.

      Seriously, all this crap is blown way out of proportion. Firetrucks. Car-Bombs. My ass...

      If they have a tool to eliminate a large botnet then, by all means, do it. Stop crying for attention in the press, just run the damn counter-worm or release the source-code so the scriptkiddies can fragment the worm into insignificance.

      If that wipes out the worm: Great!
      If that bricks all infected machines: Well, still better than what we had before.

      There's no need to worry about collateral damage. Critical, life-supporting systems are not participating in storm. The worst that can happen is that a lot of computer illiterate people will have a "broken PC" over night and will have to ask their "PC guy" to fix it. This is a "risk" that we should be willing to take...

    3. Re:so what? by Nazlfrag · Score: 5, Insightful

      If it screws up uninfected machines and networks, oh well, umm whoops?
      If there are actually critical, life-supporting systems affected, damn, I guess we can't say sorry to the dead, perhaps send a nice e-mail to their grieving families?

      There are plenty of scenarios in which the cure is far more catastrophic than the botnet. We should not be reckless or rash in implementing a solution. When taking on something that utilises the world's stupidity, I think we should keep Murphy's law foremost in mind.

    4. Re:so what? by Kent Recal · Score: 4, Insightful

      We need a level of response similar to the Y2K audit to cure this, not just another virus in the mix.

      Man, how paranoid can you even be? That's FUD and nonsense!

      Repeat after me: Any system that could be negatively affected by a counter-worm is already at the mercy of the STORM operators today, right now, in this minute!

      If a STORM operator willy-nilly decides to push a broken update to the botnet, or to perform an expensive attack that makes some of the machines break down then your imaginary life-supporting systems will go down right there, today, in 5 minutes, or tomorrow afternoon.

      There are plenty of companies including hospitals and power stations running top to bottom Windows solutions

      Nonsense.
      Oh my, do you honestly believe that the heart-lung machine at your hospital is connected to the internet? Or that your nuclear power plant is running on Windows XP? Let me assure you: they are not. And if someone in the world truly misdesigned a critical system in a way that could be affected by a Windows worm, then we'd better be grateful for the learning experience that they'll inevitably get (with or without a counter-worm). Or would you really want them to get away with that? Do you really think it'd be a good idea to let them get into the habit of building critical stuff upon "cheap" Microsoft infrastructure?

      Even if your nonsensical assumptions were correct: I'd still much prefer to have one power plant melt down today due to a counter-worm than to have hundreds of power plants running on vulnerable systems in 30 years because hey, "nothing ever happened".

  2. Depends ... by ScrewMaster · Score: 3, Insightful

    However it seems in practice the elimination process would fall foul of the law.

    Whose law?

    --
    The higher the technology, the sharper that two-edged sword.
  3. Re:Law? by ScrewMaster · Score: 5, Insightful

    Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?

    Yes. Governments.

    --
    The higher the technology, the sharper that two-edged sword.
  4. So you are sued and lose your house. by khasim · Score: 5, Insightful

    That's the problem.

    The criminals do not care because they were criminals to begin with. This affects the people who are not criminals but who want to clean up the mess made by the criminals.

    Now, if the various governments could/would authorize their law enforcement agencies to use this method ...

    1. Re:So you are sued and lose your house. by ushering05401 · Score: 4, Insightful

      "Now, if the various governments could/would authorize their law enforcement agencies to use this method ..."

      That is the worst idea I have heard all week.

    2. Re:So you are sued and lose your house. by owlnation · Score: 5, Insightful

      "Now, if the various governments could/would authorize their law enforcement agencies to use this method ..."

      That is the worst idea I have heard all week.

      No Kidding! The problem with such laws (any laws) in most countries, is that they are open to interpretation. This is why we have courts. Which means, that allowing any government agency the right to access 3rd party computers for any reason sets a very, very dangerous precedent which can be exploited by the more fascist politicians in the world.

      We've already seen the UK Governing Regime try to find ways of accessing the public's computers whenever they see fit, and without any court warrant. There is no sane way to allow this kind of exception, without running the risk of opening the door to further Government inspection of your computer, if they decide to exploit precedent.

      Be very careful with vigilantism. Especially when a government agency is the vigilante. It WILL be exploited for other reasons.

    3. Re:So you are sued and lose your house. by peragrin · Score: 4, Insightful

      Up until it crosses national borders, then yes it does. But if the guy running the show is in a country without extradition, then it is useless. Warrants assume everyone is following similar laws and there is an agency that can police all affected areas equally.

      However, if an American warrant was being served against a French botnet controller, even with a treaty they still would let him stay free if he didn't harm any French computer users.

      Governments are like children, no one else can play in their sandbox, or with their toys.

      --
      i thought once I was found, but it was only a dream.
    4. Re:So you are sued and lose your house. by Yez70 · Score: 5, Insightful

      I don't think the primary goal here is capture and prosecution of the controllers, but shutting the botnet down. Shouldn't that be the priority?

    5. Re:So you are sued and lose your house. by Merusdraconis · Score: 3, Insightful

      Following the rules is what makes them the good guys, though.

  5. Question by vawarayer · Score: 4, Insightful

    Some people run some botnet ops from some countries with some loose laws to gain some protection.

    Is it not as easy to dismantle a freaking botnet from there?

  6. Just more whack-a-mole by damn_registrars · Score: 4, Insightful

    If you manage to disable the Storm botnet, someone will just create better botnet software. The end result is just a better botnet.

    If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someone's jollies, but because it is profitable to have a botnet. If you remove the profit motive, the botnet will self-disassemble over time.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Just more whack-a-mole by eln · Score: 4, Insightful

      If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someone's jollies, but because it is profitable to have a botnet. If you remove the profit motive, the botnet will self-disassemble over time.

      And how do you propose we do that? Spam is profitable even when only one in 10,000 people respond to them, so how do you stop something like that? People have been building better and better spam filters for years, and more and more effort has been spent on educating people about the various scams, and yet spam is STILL profitable enough to illegally hack thousands of computers in order to send it out.

      Saying all we have to do to stop botnets forever is remove the profit motive is like saying all we have to do to stop drug smuggling or illegal immigration or home burglaries is to stop the profit motive. Sounds simple, but virtually impossible in practice.

    2. Re:Just more whack-a-mole by RandomUsername99 · Score: 4, Insightful

      Could you explain what you mean by removing the profit motive? Though I may be missing something, I think that you might be oversimplifying things here.

      I'm not really sure that it's any more realistic to try and make spamming unprofitable than it would be to make any other successful form of marketing unprofitable, let alone one that is almost free.

      We could just as easily say that the solution to stopping welfare abuse would be to remove the financial incentive to doing so... but without actually suggesting anything useful to come to that end, it's a pretty useless comment.

    3. Re:Just more whack-a-mole by damn_registrars · Score: 5, Insightful

      Spam is profitable even when only one in 10,000 people respond to them

      Spam makes for an excellent case study in the problem, more on that in a moment.

      People have been building better and better spam filters for years

      Filters will never solve the spam problem. I have said that before, and I will continue to say it until people start to realize the reality of the situation.

      Build better filters, and spammers will send better spam.

      You have to remove the profit motive.

      And a fair portion of botnet activity is spam-driven or spam-propagating. So if we work on the spam problem, the botnet problem will diminish.

      And there is one angle in particular that is available for stopping spam:

      • The damned registrars

      If you look at spam messages, you'll see that the vast majority of them ask you to go to domains that are on the order of days old, and seldom remain up for more than a few weeks. This is because registration of domains is too easy, with too little liability anywhere along the way.

      Spamming and spamvertised domains are registered at a bewildering rate 24/7. And most of them are registered with bogus information to boot. We need a few things to hinder this:

      • Registrars need to sell domains only to valid registration data
      • Registrars that willingly sell domains to spammers need to be punished swiftly and severely
      • ISPs that willingly offer services repeatedly to spammers need to face the same

      If the virtual storefronts selling the v!@gr@ are shut down promptly, and proper impediments are put in place to hinder their creation, spam will become less profitable. The owners of the spamvertised domains can only afford to pay the spammers for their services as long as they are still selling products.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  7. Re:I am glad I use a Mac by 99BottlesOfBeerInMyF · Score: 4, Insightful

    While OS X, Linux and others are inherently more secure than an unpatched Windows, the user is still the weakest part of the whole setup.

    I disagree. Users are a weak link, but currently not the weakest and there is a lot that can be done before modifying users becomes practical.

    Wait until we get enough dumb users who install all sorts of shit onto their computers. Granted, the numbers will be much lower than machines which can get infected without any interaction by their owner, but we WILL get users dumb enough to type their password to install "stupid program XYZ" from unknown sources.

    Most users have the expectation that installing a program is not the same thing as giving someone else complete control of their computer and the ability to send as many e-mail messages in the background as they desire. This expectation is not met. Most users who install software use many different mechanisms for such installation, some of which do require users to type in their password. Because of this, why would users not type in their password when installing a program?

    My basic point is just that we need to fix operating systems and make them relatively secure, consistent, and understandable to users as well as make sure they don't reward unsafe behavior. People interested in making computers and the internet more secure have plenty of room to make improvements. The problem is, they don't have the motivation. The solution is effective enforcement of antitrust laws. Return competition and capitalism to the market and the problem will solve itself in short order.

  8. Re:Screw the law. by Todd Knarr · Score: 5, Insightful

    Because we don't need to. The botnet software is readily detectable. Simple solution: require ISPs to warn users if their machines are found to be infected and, if no action is taken (ie. not cleaned up and the user doesn't contact the ISP to discuss it) in a reasonable timeframe, suspend their network access.

    If you're driving with a car that's spraying oil all over the road, dropping pieces off and generally posing a hazard to other drivers, the police will cheerfully ticket you and impound the car. They don't try to fix the car, they take it off the road and leave what to do next up to the owner. I fail to see why a similar approach can't be applied (other than "But then they won't be able to use the Internet!", to which I reply "Well, yes, that's kind of the point.").

  9. Re:Me too by spazdor · Score: 3, Insightful

    Well, the Storm net depends on deniability. Whoever is directing the zombies, they needn't reveal anything about themselves to the botnet, or connect from a particular place. The command just needs to find its way into the wild.

    Naturally, the cure is going to have to exploit the same dynamic. If we're as careful as the botnet designers were, retribution would be basically impossible.

    --
    DRM: Terminator crops for your mind!
  10. Re:Me too by Lachlan Hunt · Score: 4, Insightful

    In the meantime, the vulnerability has been revealed to those who run the Storm botnet and I bet they're already working to deploy a patch that'll make it ineffective.

    --
    By reading this signature, you hereby agree with the content of the above comment.
  11. Re:about 16 years late by Raenex · Score: 3, Insightful

    If more people were using software written by another guy from Finland 16 years ago, there would be no W32 crime wave and we would not need super cracker cops authorized to violate your privacy.

    Right, there would be a Linux crime wave instead. Linux doesn't prevent users from running trojans or force them to get their operating system patched.