Storm Worm Botnet "Cracked Wide Open"
Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'
However it seems in practice the elimination process would fall foul of the law.
I'm sure I'm not alone when I say, "So?"
Who cares about laws? I mean, the criminals don't, the government doesn't care; is anyone still clinging to this outdated model of a coexistence standard?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They should just publish their code. Let the individual hackers decide what to do with it...
I'm sure, too!
However it seems in practice the elimination process would fall foul of the law.
Whose law?
The higher the technology, the sharper that two-edged sword.
This falls into that whole super-hero vigilante category. Just ask yourself, what would Batman do?
Why not just give the code to the FBI and let them turn it on? I'm sure they'd be more than happy to. Or ask them for immunity on this point. It's not like the Feds don't want this thing gone as much as anyone.
You know, if I had suddenly discovered a way to take down a botnet, I wouldn't have said S*** and just dismantled it.
It can be seen from another point of view. The botnet is already there. It is already taking orders from people who definitely should not be trusted. What if someone who could possibly be trusted added some extra orders to that process?
On the other hand, the botnet owners could decide that it will be better to erase the evidence (and the infected people's machines in the process) and put the blame on the ones that announced they would clean up that mess... and of course, start a new botnet on new machines without that vulnerability, lowering profits for a while but feeling untouchable afterwards.
Slovakia is about to launch, if it hasn't already, its only nuclear reactor, which has been gathering (radioactive?) dust since the Soviet era, which technically goes against its EU membership agreements.
But it's sure better than freezing to death without Russian gas... imo.
That's the problem.
The criminals do not care because they were criminals to begin with. This affects the people who are not criminals but who want to clean up the mess made by the criminals.
Now, if the various governments could/would authorize their law enforcement agencies to use this method ...
Some people run some botnet ops from some countries with some loose laws to gain some protection.
Is it not as easy to dismantle a freaking botnet from there?
But instead of individual hackers cleaning up the mess, why not have the government of a country pass a law that machines within its jurisdiction may be cleaned if found to be a zombie?
Then their law enforcement agencies can use the code that the hackers wrote to clean up the machines in their country.
A simple process: identify the infected boxes, notify the ISP of those boxes, the ISP notifies the customer in writing, and if the machine is not cleaned within 30 days then the cops clean it remotely.
The only real problems would be that many of those machines would probably be re-infected soon and the hackers would continually have to reverse engineer the latest zombie upgrades.
Maybe such an approach would finally get the anti-virus companies (and OS vendors) to publicize white lists of code that is known to be okay. Rather than trying to identify all the code that is not okay (and its variants).
If you manage to disable the Storm botnet, someone will just create better botnet software. The end result is just a better botnet.
If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someone's jollies, but because it is profitable to have a botnet. If you remove the profit motive the botnet will self-disassemble over time.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
After you decode it with base 64 how do you open it? do you just rename it to .c and open it with VS?
if not then how?
I am glad I use a Mac. It's nice to be completely immune to this stuff that the Windows and Linux users deal with minute by minute.
No such thing as a Storm botnet, or any for that matter on OS X.
I would not be against the law to destroy the storm-bot-net as part of a gov't directed national security project. The latitude to take action under those sorts of circumstances is EXTREMELY broad.
Who said that it would be seized?
The process in the article allows for the system to be remotely identified and remotely cleaned.
And how, specifically, would the average computer user know that their machine was a zombie?
What is the financial benefit to the ISP in that case? It's cheaper for them to buy more bandwidth than it is to pay a tech to handle the incoming call from when the customer's machine cannot get to the Internet.
Try to explain that without getting into "pass a law". You'll see why remotely removing the zombie code is the best use of resources.
Remembering a most preposterous occurrence of a game key stealing trojan on a flash-drive that got lifted to ISS, and the more recent one of a hospital's IT succumbing to some other malware.
How smart-alecky one would look if he takes on this problem thusly: Let all the windows ecosystem die its natural death and take all the botnet scum with it. Or does it take an ueberinsightful, astutely daring sci-fi fellow to see it as one efficient remedy to the dullest problem of modern age?
I would say that it should be. Why waste time and effort trying to find crackers who will only be replaced by different crackers in different countries if you do manage to prosecute them?
Remove the zombies in your country and the zombie problem is pretty much solved.
But to accomplish that, you need to be able to automate the process and perform it remotely. There just are not enough resources to handle each computer individually.
Does a detailed report from the analysis exist anywhere? I'm thinking about the reversing part now.
A law that actively hinders human development and protects criminal activities is immoral.
Immoral laws should not be followed.
Screw the FSM - Real geeks believe in the Invisible Pink Unicorn
IRC operators battling botnets have long been able to take them down, and have long been battling with the ethics.
http://news.cnet.com/IRC-operators-may-out-hack-Fizzer/2100-1002_3-1003894.html
Sounds like the rest of the world is catching up after 8 years.
Hey cool, that's where I studied! :D
The laws must change . . .
We have then an autonomous piece of software which evolved organically and could plausibly have intelligence and control the huge number of networked computers around the world!
Cool hey?
like phosphorescent desert buttons singing one familiar song
Before anyone jumps to any conclusion: I do not assume everyone here is American, nor that American = Good or good, only that the American idea is valuable (not necessarily right).
Initially in America, at least based on what is known or understood about the founders, the law was meant to create a baseline of protection, with the rest of the population opting in to enhance and, eventually, raise that baseline by trying solutions based on volunteers, essentially beta-testing the idea in their community. Why not do that here?
Some people interested in destroying the botnet could take the solution that is worm-like itself and feed the propagation list with an opt-in mailing list (like most forum boards on the net now), further protect people from the risk by providing a confirmation Yes-No form before the "solution" is applied to the individual's PC, and further educate them by storing and displaying a log of the operation.
Another way to make the solution more effective is to make three tiers.
You subscribe and confirm to the "solution" online, newsletter style, with a clear "At your own risk" disclaimer, but it has to be from the Internet IP (if behind NAT) your machine uses. The "solution" is sent out to you within a specified time. When it gets to you it:
Asks with a Yes-No button form "Did you sign up for the 'solution' and wish to apply the solution now?"
User selects Yes -> next step.
User selects No -> next step.
Tier 1. "solution" generates a list of steps that you can take as the user to protect your PC. If the user selected No above, the "solution" then destroys itself and removes you from the newsletter list. If the user selected Yes then the "solution" asks "Would you like to apply these suggestions now?". A log is saved onto the desktop and opened for the user to see what this "solution" has done to the PC.
User selects Yes -> next step.
User selects No -> "solution" quits and removes itself from the PC but maintains you on the newsletter for further updates.
**This is tier 1 least invasive/risky for the user but also least protection.**
Tier 2. "solution" asks if you would like to remove any bad things that are on this computer and provide the user with full disclosure on what was done including how it did it in a log file saved on the desktop.
User selects Yes -> does it, removes itself from the PC, maintains your email on the newsletter for further updates.
User selects No -> goes to next step.
**This tier is secure but builds in no edge for those protecting the user, however, the paranoid individual/sysadmin can monitor a tool that may be untrusted and this allows the community to build trust and thus increase use and restrict the botnet's size.**
Tier 3. "solution" tells the user that it will now remove any threat and dictates to the user only the files that were manipulated or deleted, and not how or why. Then the "solution" deletes itself and maintains the user on the newsletter for future updates.
**This is the best method but only if the "solution" is trusted by the user, this way the user fosters trust with the "solution" makers allowing an edge for those protecting, keeping the method of protection out of the hands of the bot makers.**
Now I suppose removing tier 2 would avoid any violation of privacy or law, but it would also restrict adoption rates. It is possible that this is the model current anti-malware programs use now, but at some point the details of the logs and the flow of these steps get obfuscated too much. I suspect it is usually a fault of marketing and/or an attempt to allow a tool to be left on a system, or perhaps it is just so the makers don't lose business to another company that just uses their solution and markets it separately. Those few things are issues that could be eradicated here by a decent supportive community of those that know how, and want to help. Personally, I am willing to volunteer to work towards something like this as long as
Well, now we'll see if Homeland Security does anything. That's part of what their "National Cyber-Security Center" is supposed to be doing. The current head of that office is a former lobbyist, but Obama's team will probably can him and put in someone with a clue.
Surely the only computers that would be affected by this being released are those whose computers are compromised anyway?
If that's the case, it's better to try to do good rather than do nothing and let it continue. If the computer becomes unusable, oh well, maybe the owner will take care of it once they get someone to clean it.
IMO, they should add a note telling the owners of the computers affected how they can secure their computers.
Why not just send the purge command through Tor?
If something goes wrong, it can't be traced easily.
A guy from F-secure in Finland has been calling for the formation of an "internetpol" for exactly these reasons.
If more people were using software written by another guy from Finland 16 years ago, there would be no W32 crime wave and we would not need super cracker cops authorized to violate your privacy.
Friends don't help friends install M$ junk.
User maintains more than a dozen sockpuppet accounts on Slashdot.
As a result, we now have that strange ritual where guys wearing funny-looking caps point funny-looking cones at oncoming cars. And if their funny-looking cone device shows a number that is too high, they'll signal the driver of the "offending" car to stop. And then he has to pay, lose points off his license (or if the number on the cone dingbat was sufficiently high, the license is gone in one go), and that's definitely less funny.
In this analogy, the cars causing high numbers to come up are the botnet computers, and the guys in funny hats with their funny cones are the researchers trying to shut it down.
But, you see, occasionally, SNAFU happens. Sometimes, one of the car drivers is on a really important mission. Such as driving to the intervention center to pick up an ambulance to rescue a patient. Who will die if the driver loses his license. So now, we have a case where it's not speeding that kills, but speeding checks that kill...
That's the analogy for accidentally fouling up a hospital computer.
But for some weird reason this weird cap-and-cone ritual is still done. If we're so concerned about collateral damage, shouldn't we stop that silly ritual first?
Why not get the user's consent first ?
If a zombie is detected, it should be isolated in the same way as a commercial wifi node: no access to the net, and web access pointed to a login page. That page would then offer the option of continuing to use the machine offline, or having the bot software neutralised.
No need to worry about knock-on failures from disconnecting a critical machine: any critical system that relies on its net connection is either broken by design or so unusual that it could be handled as a 'do not block' case by the service provider.
A big problem in today's global computer population is the lack of predators. In the past malware was mostly written by some wannabes (ever looked at some virus from the DOS era? I hardly saw one that looked like the one who wrote it had more than a slight grasp of programming) and had some highly visible effects, causing infected computers to be removed from the population, thus weeding the general population.
But today malware is mostly there to aid some other criminal goal, so the malware also behaves more like a parasite than a predator: keep your host living so you keep yourself living, too.
The problem is: computers are not like some beasts in the forests, but what humans depend on. So it is not only criminal to get some predators back, but it would also cause massive problems for humans, perhaps even deaths, when emergency calls or nuclear power plants are affected, so it is unethical.
So we are caught in a dilemma, which widens our global vulnerability every day.
With all the fear of terrorist attacks, it is really a wonder why keeping your PC open for everyone with enough criminal energy to misuse it has no consequences for the people doing so.
It is hard not to wish some people would use such a botnet to change e.g. the Windows login screen of all infected machines to a green screen with some Arabic text on it. One could imagine people would be frightened by this look and learn to clean and protect their machine. Governments could become uneasy enough to force people to use protective measures. But most likely the code would be buggy and bring down every thousandth PC, endangering many lives and being sure to pain a large amount...
If government officials have authority to recover stolen goods (cars, property, etc) then they need to start taking care of this sort of thing, too. Why create a "new" organization for it... governments can agree to work together enough to form Interpol, simply extend Interpol to cover cyber crime. It seems like an obvious extension to me. As mentioned previously, the damage was done when the "vehicle" was "stolen"... if the "car" "crashes" in the authority's pursuit to limit its contribution to the victimization of more innocents, that's the fault of the perpetrator(s), not the authorities.
Would seem that MicroSloth could actually do something good here. If this approach to combatting Storm is on the level, they could purchase or license the method and bundle it with 'doze, using their own EULA to cover any possible complaint of 3rd-party tampering. It would become just another level of network security added to the operating system.
This approach would have the widest effect, as it would eliminate the need for people to manually download the package and agree to potential intrusion, should the need arise by their machine becoming infected.
The good publicity sure couldn't hurt, either.
Gosh, never thought I'd actually say M$ could do good by buying out the little guy.
Let's turn this around a little
Imagine that the program to kill the botnet is written by China or Russia. If they released it and allowed it to run on computers in the US there would be a major outcry. "This is eWar!" or "We are under eAttack!" would be heard far and wide and the US would use it as a reason to raise the alert state at the very minimum and could even begin a shooting war to defend the US internet and their citizens.
Now, why do you think it should be any more acceptable to other countries if the US authorises its agencies to do a similar stunt? Running unauthorised software on someone's computer is an offence regardless of who does it. The only way that this could be acceptable is if the program is released publicly and users can choose to run it on their own computer.
Have a look at soylentnews.org for a different view
I would think they would hold a gun to the guy who is doing time for writing the original code, and force him to hit the enter key to send the command to dismantle the botnet, and thereby making HIM responsible for criminal activity of undoing the botnet.
He wrote the original, and now he would face charges for making things right, and then some....that would be justice!
If it sounds like there is an intruder in your house, doesn't that give the police reasonable cause to enter? I see little difference here, though privacy geeks would probably cringe....
FTA: "It's surprising that there is no discussion going on regarding the legal preconditions that would have to be created in order to get rid of the threat."
No, what's surprising is that people are still using Window$ after all these years.
In times of universal deceit, telling the truth gets you modded -1 Troll
I have only one thing to say to that... ... BRAINS....