Slashdot Mirror


Storm Worm Botnet "Cracked Wide Open"

Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'

80 of 301 comments

  1. so what? by derfy · · Score: 5, Insightful

    However it seems in practice the elimination process would fall foul of the law.

    I'm sure I'm not alone when I say, "So?"

    1. Re:so what? by txoof · · Score: 4, Insightful

      Not only is it a problem of breaking the law, but there's the problem of "cleaning gone wrong". What if the cleaning program fouls a hospital's computers? Or fouls up some other important infrastructure. Do you want to be the guy standing next to the enter key in that event?

      Obviously, infrastructure should be configured and secured against such problems, but it's pretty clear that that assumption is false and dangerous. Just a few months ago a trio of London hospitals went down because of an infection. Granted it was mostly the administrative side that went down, but that still costs a crap load. And what if it's not just the administrative side of say a power distribution grid that shits itself because of some unforeseeable problem with the cleaning worm?

      I sure wouldn't want to be the guy responsible for that. There's also the threat that the cleaning will go wrong in completely unexpected ways causing even worse network disruption. If this option is pursued, those that have the magic bullet would probably want to get some sort of pledge of amnesty from their governments to protect them from prosecution in the event that they cause damage.

      --
      This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
    2. Re:so what? by Tanktalus · · Score: 2, Insightful

      Just wondering why they don't just post the cleaning executables, and then talk to the local media about their fix for the botnet, and include the URL to the cleaning executable? Invite the public to run it for free. Then convince the media to post their story as a video on their own website (not youtube or anywhere that can be faked).

      It won't get everyone, but it'll start. And then users can pass the story around by word of mouth to extend it to others. Hopefully they'll get media in other countries/languages interested, and then get those to also post their stories on their websites. If the University then tracks these and provides all the links (including languages) back to the media sites, we might be able to convince large numbers of people to clean their own systems without hacking anything. All perfectly legal.

      While I have to admit that hacking the botnet itself is worth huge geek points, they may still be able to do a lot of good for the internet with the work they've done so far without running afoul of the law. If users download and run it themselves, that is authorisation right there (especially if the software does what they claim it does).

    3. Re:so what? by Vellmont · · Score: 5, Interesting


      What if the cleaning program fouls a hospital's computers? Or fouls up some other important infrastructure. Do you want to be the guy standing next to the enter key in that event?

      It seems to me that a computer participating in a botnet is already a threat to the public. If "cleaning gone wrong" fouls a computer that's already infected, that's really just 'collateral damage'. If it happens to be a hospital's computers, well, I'd say the real problem was the hospital trusting critical infrastructure to software that's insecure. If a hospital is really dumb enough to put infrastructure that could harm someone's life on a network connected to the internet, I'd say that's criminal negligence.

      I really do think we've hit the point where the people with the vulnerable computers need to start taking SOME of the blame here and stop acting as if they're all just innocent bystanders. There's certainly plenty of blame to go around. (Oh, and the software producers can sure take some of the blame as well).

      --
      AccountKiller
    4. Re:so what? by BradleyUffner · · Score: 2, Insightful

      Following that logic it would be ok for the RIAA to access your computer without permission to stop you from sharing music.

    5. Re:so what? by Kent+Recal · · Score: 4, Insightful

      Your post is not unlike the difference between, say, a clueless person using inappropriate analogies, and the proof that car analogies hardly ever make any sense.

      Seriously, all this crap is blown way out of proportion. Firetrucks. Car-Bombs. My ass...

      If they have a tool to eliminate a large botnet then, by all means, do it. Stop crying for attention in the press, just run the damn counter-worm or release the source code so the script kiddies can fragment the worm into insignificance.

      If that wipes out the worm: Great!
      If that bricks all infected machines: Well, still better than what we had before.

      There's no need to worry about collateral damage. Critical, life-supporting systems are not participating in storm. The worst that can happen is that a lot of computer illiterate people will have a "broken PC" over night and will have to ask their "PC guy" to fix it. This is a "risk" that we should be willing to take...

    6. Re:so what? by Erikderzweite · · Score: 2, Funny

      I'd rather propose that they brick the machines in the first place instead of cleaning them. Cleaning a worm will eliminate the effect only, and that for a very short time. Bricking a PC might eliminate the cause -- the clueless user.
      We now have home PCs that are faster than supercomputers from 15 years ago. Operated by users who have no idea of basic computer security, these PCs pose a real threat to individuals and businesses on the net.
      Computing power and bandwidth are so great these days that most users won't even notice a worm or two. So learning how to protect their computers is a bigger inconvenience to them than using machines that send spam and participate in DDoS attacks.
      Should that change, should white- or greyhats who gain control of a botnet simply brick the affected machines or wipe a hard drive, users might care more next time.
      Hell, the researchers can always blame botnet creators and get away with that!

    7. Re:so what? by Nazlfrag · · Score: 5, Insightful

      If it screws up uninfected machines and networks, oh well, umm whoops?
      If there are actually critical, life-supporting systems affected, damn, I guess we can't say sorry to the dead, perhaps send a nice e-mail to their grieving families?

      There are plenty of scenarios in which the cure is far more catastrophic than the botnet. We should not be reckless or rash in implementing a solution. When taking on something that utilises the world's stupidity I think we should keep Murphy's law foremost in mind.

    8. Re:so what? by drolli · · Score: 2, Insightful

      Yes, you are not alone - sadly. I don't like people intentionally meddling around with my computer without me giving them my permission, in the same way as I do not appreciate somebody breaking into my flat to fix damage that somebody else has done when breaking in.

      The only way to handle this correctly is that a law is passed which allows such things under well-defined circumstances (however I have no idea how to set the boundaries).

    9. Re:so what? by HungryHobo · · Score: 2, Insightful

      Keep in mind that every time the botnet herder patches the botnet he runs a risk of bricking those machines; he doesn't care, he has a hundred thousand others.

    10. Re:so what? by Kent+Recal · · Score: 2, Insightful

      If it screws up uninfected machines and networks, oh well, umm whoops?

      Nonsense. If the counter-worm manages to interfere with machines or networks that are not infected by the original worm then these machines and networks were not properly secured and/or isolated in the first place. Their admins should be glad that the counter-worm sheds light on the flaws before a malicious operator of the original worm does.

      If there are actually critical, life-supporting systems affected, damn, I guess we can't say sorry to the dead, perhaps send a nice e-mail to their grieving families?

      Nonsense. The heart-lung machine in your hospital does not run Windows. The telco systems that dispatch your emergency calls do not run Windows. If there are any truly critical systems out there vulnerable to a worm then we'd better find out about that sooner rather than later. What's the difference between a counter-worm breaking them today versus a "regular" worm breaking them tomorrow?

    11. Re:so what? by Kent+Recal · · Score: 4, Insightful

      We need a level of response similar to the Y2K audit to cure this, not just another virus in the mix.

      Man, how paranoid can you even be. That's FUD and nonsense!

      Repeat after me: Any system that could be negatively affected by a counter-worm is already at the mercy of the STORM operators today, right now, in this minute!

      If a STORM operator willy-nilly decides to push a broken update to the botnet, or to perform an expensive attack that makes some of the machines break down then your imaginary life-supporting systems will go down right there, today, in 5 minutes, or tomorrow afternoon.

      There are plenty of companies including hospitals and power stations running top to bottom Windows solutions

      Nonsense.
      Oh my, do you honestly believe that the heart-lung machine at your hospital is connected to the internet? Or that your nuclear power plant is running on Windows XP? Let me assure you: they are not. And if someone in the world truly misdesigned a critical system in a way that could be affected by a Windows worm then we'd better be grateful for the learning experience that they'll inevitably get (with or without a counter-worm). Or would you really want them to get away with that? Do you really think it'd be a good idea to let them get into the habit of building critical stuff upon "cheap" Microsoft infrastructure?

      Even if your nonsensical assumptions were correct: I'd still much prefer to have one powerplant melt down today due to a counter-worm than to have hundreds of powerplants running on vulnerable systems in 30 years because hey, "nothing ever happened".

    12. Re:so what? by redxxx · · Score: 2, Insightful

      I'm pretty sure the cleaning executable you are talking about is the Microsoft Malicious Software Removal Tool, and consumers smart enough to use it have already done so. Maybe more of an ad campaign, but it's not like the tool isn't there and wouldn't be automatically used if these people ran updates.

  2. Law? by Opportunist · · Score: 5, Funny

    Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Law? by ScrewMaster · · Score: 5, Insightful

      Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?

      Yes. Governments.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:Law? by v1 · · Score: 5, Interesting

      Vigilantism is the result of the government being unable to protect the citizen from something that it's reasonable to believe they should be protected from. It's usually due to the problem of balance between making things illegal and restricting reasonable freedom.

      But in this case it's more toward the issue of the problem not being within the government's charter, or that the government simply does not have the structure (laws, with teeth) required to protect the citizen.

      I'm not a fan of vigilantism in general, but there are times when I approve of it. I'd personally love it if someone would infiltrate the botnets and inject a command to brick (but not erase) every computer that's infected, as a measure to protect millions of innocent people.

      Imagine the city you live in, where 15% of the cars parked on the curbs have the keys in the ignition. And there's a growing problem in the city of kids going on joy rides and trashing cars and property and even killing people. But the car owners don't want to bother with the problem and don't care unless their car gets trashed, and don't want anyone telling them what to do with their car. I'd lead the effort to walk the blocks, looking for cars with keys in the ignition, and hiding them somewhere in their car. Don't like it? Quit leaving your keys in the ignition. Yes, it may violate a right of yours, but by your extending your liberty it's violating the rights of others to a larger degree.

      --
      I work for the Department of Redundancy Department.
    3. Re:Law? by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?

      Both companies and universities who have security researchers on their staff care about laws and, more than that, the risk of lawsuits. When the network security company I worked for had the ability to shut down several botnets we consulted with our primary counsel and decided it was not worth risking the company to lawsuits from people whose zombies could be shut down or lose data. The publicity would have been nice, but there are always people looking to cash in. Instead, we collaborated with law enforcement a few times and gave them the ability to shut them down if they wanted to (at least one government did shut down a botnet we handed them the keys to).

      A shorter answer would be, the researchers care about laws because they want to keep their jobs and not go broke or go to prison.

    4. Re:Law? by shentino · · Score: 2, Interesting

      Not to mention that botnet traffic is lucrative for ISPs to carry. Especially if they switch to metered like they've been discussing.

      Unless there's a drought, the water company and your local plumber do not have interests that mesh well.

  3. Partially disclosed? by Urkki · · Score: 5, Interesting

    They should just publish their code. Let the individual hackers decide what to do with it...

    1. Re:Partially disclosed? by neo8750 · · Score: 4, Funny

      Yeah and let the botnet owners see it and then write a patch for the botnets...

    2. Re:Partially disclosed? by ymgve · · Score: 5, Informative

      They should just publish their code.

      They did.

      The Full Disclosure link contains the source code of their program.

    3. Re:Partially disclosed? by vbraga · · Score: 2, Funny

      Oh, it's obvious!

      Perl!

      --
      English is not my first language. Corrections and suggestions are welcome.
    4. Re:Partially disclosed? by nneonneo · · Score: 4, Informative

      Actually, it's base64, but you are basically correct.

      The tarball contains the following contents:

      Makefile
      autorun.c
      autorun.h
      cmdsrv.c
      cmdsrv.h
      disinfect.c
      disinfect.h
      hash.c
      hash.h
      httpsrv.c
      httpsrv.h
      install.c
      install.h
      libz.a
      message.c
      message.h
      nbcache.c
      nbcache.h
      overnet.c
      overnet.h
      pini.c
      pini.h
      queue.c
      queue.h
      routing.c
      routing.h
      stormfucker.c
      stormfucker.h
      zconf.h
      zlib.h

      The reason why it is "partially disclosed" is that portions of the code have been patched so as to make it inoperative. However, all the necessary exposition is there, and by reading the source you can get a pretty good idea of what it is doing.

    5. Re:Partially disclosed? by threephaseboy · · Score: 2, Funny

      "QlpoOTFBWSZTWZCbNyYBVlN/"

      Looks like perfectly valid Perl to me.

      --
      .
    6. Re:Partially disclosed? by Sentry21 · · Score: 2

      It would be a shame if someone broke into their unprotected servers and found the code sitting in a hidden directory that they thought only they knew about, and then used it to cleanse the world. Like, tragic.

  4. Depends ... by ScrewMaster · · Score: 3, Insightful

    However it seems in practice the elimination process would fall foul of the law.

    Whose law?

    --
    The higher the technology, the sharper that two-edged sword.
    1. Re:Depends ... by Anonymous Coward · · Score: 4, Interesting

      The process looks like this:

      Using this background knowledge, they were able to develop their own client, which links itself into the peer-to-peer structure of a Storm Worm network in such a way that queries from other drones, looking for new command servers, can be reliably routed to it. That enables it to divert drones to a new server. The second step was to analyse the protocol for passing commands. The researchers were astonished to find that the server doesn't have to authenticate itself to clients, so using their knowledge they were able to direct drones to a simple server. The latter could then issue commands to the test Storm worm drones in the laboratory so that, for example, they downloaded a specific program from a server, perhaps a special cleaning program, and ran it. The students then went on to write such a program.

      Seems like the method involves the server communicating with the client - which could be considered "hacking" and thus be problematic.

      Especially here in Germany where even possessing nmap is a crime.

    2. Re:Depends ... by Anonymous Coward · · Score: 2, Informative

      No, German law is very clear at this point.
      Unauthorised data manipulation is illegal.
      And you will not get around the judge with: "I just inserted that in the bot in my machine and it spread through the botnet, lulz. Dunno why."

  5. WWBD? by retech · · Score: 5, Funny

    This falls into that whole super-hero vigilante category. Just ask yourself, what would batman do?

    1. Re:WWBD? by Anonymous Coward · · Score: 3, Funny

      Forget Batman! What would Yagami Light do?

  6. If the fix works. . . by merrickm · · Score: 5, Interesting

    Why not just give the code to the FBI and let them turn it on? I'm sure they'd be more than happy to. Or ask them for immunity on this point. It's not like the Feds don't want this thing gone as much as anyone.

    1. Re:If the fix works. . . by Anonymous Coward · · Score: 2, Informative

      It IS illegal even to write or distribute such code thanks to the infamous § 202c StGB.

  7. Pfft... by Neoaikon · · Score: 2

    You know, if I had suddenly discovered a way to take down a botnet, I wouldn't have said S*** and just dismantled it.

    1. Re:Pfft... by gzipped_tar · · Score: 5, Funny

      The guys who found the "cure" for Storm Worm are university students. They did the research using the university's facilities. They have to follow the university's regulations and everything they do is pretty open to the public. Should they just trigger the switch and take over, the university may find itself in legal trouble.

      Unless one of them happens to be Batman.

      --
      Colorless green Cthulhu waits dreaming furiously.
    2. Re:Pfft... by Kingrames · · Score: 4, Funny

      It's a botnet, not a batnet.

      --
      If you can read this, I forgot to post anonymously.
  8. So you are sued and lose your house. by khasim · · Score: 5, Insightful

    That's the problem.

    The criminals do not care because they were criminals to begin with. This affects the people who are not criminals but who want to clean up the mess made by the criminals.

    Now, if the various governments could/would authorize their law enforcement agencies to use this method ...

    1. Re:So you are sued and lose your house. by ushering05401 · · Score: 4, Insightful

      "Now, if the various governments could/would authorize their law enforcement agencies to use this method ..."

      That is the worst idea I have heard all week.

    2. Re:So you are sued and lose your house. by maxume · · Score: 5, Funny

      Just require a warrant from some level of federal judge.

      Things might not work great at first, but the whole warrant system works pretty well, and it would provide a framework for preventing abuse and overuse.

      --
      Nerd rage is the funniest rage.
    3. Re:So you are sued and lose your house. by owlnation · · Score: 5, Insightful

      "Now, if the various governments could/would authorize their law enforcement agencies to use this method ..."

      That is the worst idea I have heard all week.

      No Kidding! The problem with such laws (any laws) in most countries, is that they are open to interpretation. This is why we have courts. Which means, that allowing any government agency the right to access 3rd party computers for any reason sets a very, very dangerous precedent which can be exploited by the more fascist politicians in the world.

      We've already seen the UK Governing Regime try to find ways of accessing the public's computers whenever they see fit, and without any court warrant. There is no sane way to allow this kind of exception, without running the risk of opening the door to further Government inspection of your computer, if they decide to exploit precedent.

      Be very careful with vigilantism. Especially when a government agency is the vigilante. It WILL be exploited for other reasons.

    4. Re:So you are sued and lose your house. by aurispector · · Score: 4, Interesting

      Yeah, but it's an international problem. A guy from F-secure in Finland has been calling for the formation of an "internetpol" for exactly these reasons. I think he's right because otherwise international net crime will continue unabated, since nobody is in charge of combating it. An international body designed to coordinate .crime policing efforts is sorely needed.

      --
      I have mod points. The reign of terror begins now.
    5. Re:So you are sued and lose your house. by peragrin · · Score: 4, Insightful

      Up until it crosses national borders, then yes it does. But if the guy running the show is in a country without extradition then it is useless. Warrants assume everyone is following similar laws and there is an agency that can police all affected areas equally.

      However, if an American warrant was being served against a French botnet controller, even with a treaty they still would let him stay free if he didn't harm any French computer users.

      Governments are like children, no one else can play in their sandbox, or with their toys.

      --
      i thought once I was found, but it was only a dream.
    6. Re:So you are sued and lose your house. by Anonymous Coward · · Score: 3, Funny

      That is the worst idea I have heard all week.

      Just curious. What was the one of the previous week??

    7. Re:So you are sued and lose your house. by Yez70 · · Score: 5, Insightful

      I don't think the primary goal here is capture and prosecution of the controllers, but shutting the botnet down. Shouldn't that be the priority?

    8. Re:So you are sued and lose your house. by Merusdraconis · · Score: 3, Insightful

      Following the rules is what makes them the good guys, though.

    9. Re:So you are sued and lose your house. by Rich0 · · Score: 5, Interesting

      Yeah, but if you do that then the botnet will be patched against the specific takedown code before it makes it through congressional committee.

      What probably should happen is that some major world government (US, EU?) should decide that the botnet is a major headache and a threat to national security. Then the info warfare division of the military would prepare a suitable script that would only disable the bots (perhaps installing a security patch on the way out to prevent reinfection).

      Then they just do it. The operation would be classified and launched in a way that would be extremely difficult to trace.

      All the pundits on the internet would cry about how horrible an action it was (though nobody would complain about the 95% reduction in spam). However, everybody would blame their favorite love-to-hate government (China, the US, France, whatever :)), while the folks in on the classified operation in the Netherlands laugh every time they get to work. And if by some miracle somebody actually figures out where it came from (large governments could just inject packets on any random telecom line, and even route them through tor if they want), what is anybody going to do about it? Launch a war on Belgium for ridding the world of spam? Levy economic sanctions for saving every company with an email server millions every year?

      Big governments kill people all the time in the interest of public safety and security. What's the worst that could happen - a few million home PCs lock up from a poorly-designed script? That could already happen any day if one of Storm's owners makes a mistake.

      I'm not big on government trespass on private property. However, if somebody's row home catches on fire and the owner refuses to let in those responsible for putting out the fire, then the police will simply put them in cuffs and let the firemen axe open the door. They might not do it for a single family home, but they'd not let a block go up in flames because some guy refused to cooperate.

      If you want to be really nice about it then just put a public service announcement on TV stating that in the coming month the government is going to wipe out the Storm botnet, and that anybody who doesn't like the idea of having the government clean up their PC should opt out by removing their computer from the botnet in the next seven days...

    10. Re:So you are sued and lose your house. by Barsteward · · Score: 2, Funny

      I love the smell of bitter coffee in the morning. It smells like... starbucks.

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
  9. Question by vawarayer · · Score: 4, Insightful

    Some people run some botnet ops from some countries with some loose laws to gain some protection.

    Is it not as easy to dismantle a freaking botnet from there?

    1. Re:Question by niteice · · Score: 2, Informative

      Disregard above post.

      base64 decoding gives a bzipped tarball, decompress with your favorite utility.

      HOWEVER, it is obviously Windows-specific, uses the win32 API to install itself and - I think - replicate the storm code in-place.

      --
      ROMANES EUNT DOMUS
    2. Re:Question by nostrad · · Score: 3, Informative

      base64 -d | bzip2 -d | tar -x
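
The one-liner in the post above is the right decode chain, but a defender picking such a blob off a mailing list would normally inspect the archive before letting anything out of it. The following Python script is an added example, not code from this thread or from the Bonn/Aachen researchers; it does the same base64 → bzip2 → tar unwrapping as `base64 -d | bzip2 -d | tar -x`, with a header check and a safety pass in between. It verifies that the decoded bytes really begin a bzip2 stream (the 24 characters quoted earlier in the thread, `QlpoOTFBWSZTWZCbNyYBVlN/`, decode to exactly that header: `BZh9` followed by the block marker `1AY&SY`), lists every member the way `tar -t` would, flags entries that would escape the target directory or create links, and then writes only plain files under a fresh directory. The sample archive is constructed in memory with a couple of file names taken from the listing in the thread plus one deliberately hostile entry; its contents are placeholders, not the real source.

```python
import base64
import io
import os
import posixpath
import tarfile
import tempfile

# bzip2 stream header: "BZh", a block-size digit 1-9, then the block marker
# 0x314159265359 ("1AY&SY", the first digits of pi).
BZIP2_BLOCK_MAGIC = b"1AY&SY"


def build_sample_blob(files):
    """Constructed stand-in for the posted blob: a bz2-compressed tar,
    base64-encoded. Member names are stored verbatim, which is how a
    hostile archive would carry a '../' entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return base64.b64encode(buf.getvalue()).decode("ascii")


def looks_like_bzip2(raw):
    """True if the bytes start with a bzip2 header and first block marker."""
    return (len(raw) >= 10
            and raw[:3] == b"BZh"
            and raw[3:4] in b"123456789"
            and raw[4:10] == BZIP2_BLOCK_MAGIC)


def decode_blob(text):
    """Undo the base64 layer (line breaks from a mail client are dropped)
    and refuse anything that is not a bzip2 stream."""
    raw = base64.b64decode("".join(text.split()), validate=True)
    if not looks_like_bzip2(raw):
        raise ValueError("decoded data does not start with a bzip2 header")
    return raw


def is_unsafe_member(info):
    """True for members that would land outside the extraction directory
    (absolute path or leading '..') or that are links/devices."""
    norm = posixpath.normpath(info.name)
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return True
    return info.issym() or info.islnk() or info.isdev()


def list_members(raw):
    """Equivalent of `tar -t`: (name, size, unsafe?) for every entry."""
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:bz2") as tar:
        return [(m.name, m.size, is_unsafe_member(m)) for m in tar.getmembers()]


def extract_safely(raw, dest=None):
    """Write only regular files with safe relative paths under dest
    (a fresh temp directory if none is given). Returns (dest, written)."""
    if dest is None:
        dest = tempfile.mkdtemp(prefix="storm-src-")
    written = []
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:bz2") as tar:
        for m in tar.getmembers():
            if not m.isfile() or is_unsafe_member(m):
                continue
            parts = posixpath.normpath(m.name).split("/")
            target = os.path.join(dest, *parts)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(m.name)
    return dest, written


if __name__ == "__main__":
    # Constructed sample: two names from the thread's listing plus one entry
    # that tries to climb out of the extraction directory.
    sample = build_sample_blob({
        "Makefile": b"all:\n",
        "hash.c": b"/* placeholder, not the real file */\n",
        "../escape.txt": b"should never be written\n",
    })
    raw = decode_blob(sample)
    for name, size, unsafe in list_members(raw):
        print(f"{'SKIP' if unsafe else 'ok  '} {size:6d} {name}")
    out_dir, files_written = extract_safely(raw)
    print("extracted", files_written, "into", out_dir)
```

Running it prints the member list with the `../escape.txt` entry marked `SKIP`, then the two safe names and the temp directory they were written to. The check on `norm.startswith("../")` is applied after `posixpath.normpath`, so a name such as `src/../../x` is caught as well as a bare `../x`; the extraction loop never calls `extractall`, so the safety decision is visible in the code rather than delegated to a library default.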

  10. Just more whack-a-mole by damn_registrars · · Score: 4, Insightful

    If you manage to disable the storm botnet, someone will just create better botnet software. The end result is just a better botnet.

    If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someone's jollies, but because it is profitable to have a botnet. If you remove the profit motive the botnet will self-disassemble over time.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Just more whack-a-mole by eln · · Score: 4, Insightful

      If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someone's jollies, but because it is profitable to have a botnet. If you remove the profit motive the botnet will self-disassemble over time.

      And how do you propose we do that? Spam is profitable even when only one in 10,000 people respond to them, so how do you stop something like that? People have been building better and better spam filters for years, and more and more effort has been spent on educating people about the various scams, and yet spam is STILL profitable enough to illegally hack thousands of computers in order to send it out.

      Saying all we have to do to stop botnets forever is remove the profit motive is like saying all we have to do to stop drug smuggling or illegal immigration or home burglaries is to stop the profit motive. Sounds simple, but virtually impossible in practice.

    2. Re:Just more whack-a-mole by Anonymous Coward · · Score: 4, Funny

      Don't be silly. If they read Slashdot, they certainly aren't going to have RTFA, so how are they going to know what the vulnerabilities actually *are*?

    3. Re:Just more whack-a-mole by RandomUsername99 · · Score: 4, Insightful

      Could you explain what you mean by removing the profit motive? Though I may be missing something, I think that you might be oversimplifying things here.

      I'm not really sure that it's any more realistic to try and make spamming unprofitable than it would be to make any other successful form of marketing unprofitable, let alone one that is almost free.

      We could just as easily say that the solution to stopping welfare abuse would be to remove the financial incentive to doing so... but without actually suggesting anything useful to come to that end, it's a pretty useless comment.

    4. Re:Just more whack-a-mole by damn_registrars · · Score: 5, Insightful

      Spam is profitable even when only one in 10,000 people respond to them

      Spam makes for an excellent case study in the problem, more on that in a moment.

      People have been building better and better spam filters for years

      Filters will never solve the spam problem. I have said that before, and I will continue to say it until people start to realize the reality of the situation.

      Build better filters, and spammers will send better spam.

      You have to remove the profit motive.

      And a fair portion of botnet activity is spam-driven or spam-propagating. So if we work on the spam problem, the botnet problem will diminish.

      And there is one angle in particular that is available for stopping spam:

      • The damned registrars

      If you look at spam messages, you'll see that the vast majority of them ask you to go to domains that are on the order of days old, and seldom remain up for more than a few weeks. This is because registration of domains is too easy, with too little liability anywhere along the way.

      Spamming and spamvertised domains are registered at a bewildering rate 24/7. And most of them are registered with bogus information to boot. We need a few things to hinder this:

      • Registrars need to sell domains only to valid registration data
      • Registrars that willingly sell domains to spammers need to be punished swiftly and severely
      • ISPs that willingly offer services repeatedly to spammers need to face the same

      If the virtual storefronts selling the v!@gr@ are shut down promptly, and proper impediments are put in place to hinder their creation, spam will become less profitable. The owners of the spamvertised domains can only afford to pay the spammers for their services as long as they are still selling products.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    5. Re:Just more whack-a-mole by _Sprocket_ · · Score: 4, Funny

      If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someone's jollies, but because it is profitable to have a botnet. If you remove the profit motive the botnet will self-disassemble over time.

      By Jove, I think you've got it! All we need to do is remove the incentive and crime just fades away! I wonder why nobody's thought of that before.

    6. Re:Just more whack-a-mole by innocent_white_lamb · · Score: 3, Interesting

      While your point is valid to a certain extent, there's no reason why spamvertized stuff can't be purchased from http://123.321.456.654/crap instead of http://abcdefghijk.cn/morecrap

      In fact, I'm not sure why spammers go to the trouble of registering domains. If it's just for the ease of transferring the dns record to a new ip address, why bother? Just send out a new batch of garbage with a new ip address instead.

      --
      If you're a zombie and you know it, bite your friend!
    7. Re:Just more whack-a-mole by Fumus · · Score: 2, Interesting

      It'll be more bothersome, but if DNSes won't be available, they'll just say click here for free viagra!

      What makes you think people buying stuff from spam will notice if it's a domain name, or IP address?

    8. Re:Just more whack-a-mole by Bungie · · Score: 2, Interesting

      The bigger problem with that idea is that there are plenty of users on the internet who are happily using old un-patched systems running windows 9x, or even win2k or XP logged in as admin (also unpatched).

      Luckily many bots need newer libraries than the ones installed in the older versions of Windows. I've seen a few 98, NT4 and 2K boxes where the bot exploited and installed itself but couldn't run.

      Many of these people don't care how great your latest OS is. They are fine with what they have and they don't want anything else. You can propose all the OS-level security changes you want and you'll never get those changes out to those legions of users.

      My grandfather is a good example of that. He started out using Windows 2.0 and worked his way through each release finally arriving at NT Workstation 4.0. At that point he told me that was the last system he was going to learn, and that was the end of it. He would have been content to run NT workstation till the end of time. Luckily, his ISP gave him a new Vista system last year which he decided he would learn.

      --
      The clash of honour calls, to stand when others fall.
  11. Question by Anonymous Coward · · Score: 2, Funny

    After you decode it with base64, how do you open it? Do you just rename it to .c and open it with VS?
    If not, then how?

  12. Re:I am glad I use a Mac by Yvan256 · · Score: 2, Insightful

    While OS X, Linux and others are inherently more secure than an unpatched Windows, the user is still the weakest part of the whole setup.

    Wait until we get enough dumb users who install all sorts of shit onto their computers. Granted, the numbers will be much lower than machines which can get infected without any interaction by its owner, but we WILL get users dumb enough to type their password to install "stupid program XYZ" from unknown sources.

  13. I would say that it should be. by khasim · · Score: 4, Interesting

    I don't think the primary goal here is capture and prosecution of the controllers, but shutting the botnet down. Shouldn't that be the priority?

    I would say that it should be. Why waste time and effort trying to find crackers who will only be replaced by different crackers in different countries if you do manage to prosecute them?

    Remove the zombies in your country and the zombie problem is pretty much solved.

    But to accomplish that, you need to be able to automate the process and perform it remotely. There just are not enough resources to handle each computer individually.

  14. Re:Screw the law. by Todd+Knarr · · Score: 3, Interesting

    You don't want to go there. The law is the one that says someone installing software on your computer without your permission is illegal. In your zeal to stop the Storm botnet, do you want to make it legal for the Storm botnet runners to break into your computer and install their software? That's what you'll be doing.

  15. Re:I am glad I use a Mac by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    While OS X, Linux and others are inherently more secure than an unpatched Windows, the user is still the weakest part of the whole setup.

    I disagree. Users are a weak link, but currently not the weakest and there is a lot that can be done before modifying users becomes practical.

    Wait until we get enough dumb users who install all sorts of shit onto their computers. Granted, the numbers will be much lower than machines which can get infected without any interaction by its owner, but we WILL get users dumb enough to type their password to install "stupid program XYZ" from unknown sources.

    Most users have the expectation that installing a program is not the same thing as giving someone else complete control of their computer and the ability to send as many e-mail messages in the background as they desire. This expectation is not met. Most users who install software use many different mechanisms for such installation, some of which do require users to type in their password. Because of this, why would users not type in their password when installing a program?

    My basic point is just that we need to fix operating systems and make them relatively secure, consistent, and understandable to users as well as make sure they don't reward unsafe behavior. People interested in making computers and the internet more secure have plenty of room to make improvements. The problem is, they don't have the motivation. The solution is effective enforcement of antitrust laws. Return competition and capitalism to the market and the problem will solve itself in short order.

  16. Re:I am glad I use a Mac by GvG · · Score: 2, Insightful

    If a user installs some program on either Linux or OS X, what's to stop that program from making outbound connections to port 6667 (to receive instructions) and to port 25 (to send spam)? I've never understood this "if users wouldn't run as Administrator/root, we'd all be safe" argument, you don't need superuser privs to send email.

  17. Re:Screw the law. by Todd+Knarr · · Score: 5, Insightful

    Because we don't need to. The botnet software is readily detectable. Simple solution: require ISPs to warn users if their machines are found to be infected and, if no action is taken (ie. not cleaned up and the user doesn't contact the ISP to discuss it) in a reasonable timeframe, suspend their network access.

    If you're driving with a car that's spraying oil all over the road, dropping pieces off and generally posing a hazard to other drivers, the police will cheerfully ticket you and impound the car. They don't try to fix the car, they take it off the road and leave what to do next up to the owner. I fail to see why a similar approach can't be applied (other than "But then they won't be able to use the Internet!", to which I reply "Well, yes, that's kind of the point.").
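
The ISP-side detection this post takes for granted can be sketched in code. The following is an added example, not code from the thread or from the Storm researchers: it applies a constructed heuristic (many distinct SMTP peers from one customer host within a short window, optionally alongside an outbound IRC connection, as mentioned elsewhere in this thread) to constructed flow records, and produces the kind of notice an ISP would send before suspending access. The threshold, window and the `Flow` record layout are assumptions, not an ISP's real abuse policy.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    """One outbound TCP connection seen at the ISP edge (constructed record layout)."""
    ts: int     # epoch seconds
    src: str    # customer host inside the ISP network
    dst: str    # remote host
    dport: int  # destination TCP port


def _constructed_flows() -> List[Flow]:
    """Constructed sample traffic, not captured data."""
    flows: List[Flow] = []
    # 10.0.0.5 behaves like a spam bot: 25 different mail exchangers on port 25
    # within one minute, preceded by an outbound IRC connection (command channel).
    flows.append(Flow(990, "10.0.0.5", "203.0.113.10", 6667))
    for i in range(25):
        flows.append(Flow(1000 + i * 2, "10.0.0.5", f"mx{i}.example.org", 25))
    # 10.0.0.7 is an ordinary mail client: a few connections to its provider's relay.
    for i in range(3):
        flows.append(Flow(1000 + i * 100, "10.0.0.7", "smtp.isp.example", 25))
    # 10.0.0.9 is busy but harmless: lots of HTTPS to many hosts.
    for i in range(40):
        flows.append(Flow(1000 + i, "10.0.0.9", f"cdn{i}.example.net", 443))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def spam_bot_suspects(flows: Iterable[Flow], window: int = 300,
                      smtp_peer_threshold: int = 20, irc_port: int = 6667) -> Dict[str, dict]:
    """Return {src: details} for hosts whose SMTP fan-out looks like a mail-sending bot.

    Assumed heuristic: a legitimate client talks to one or two mail relays, so a host
    that reaches `smtp_peer_threshold` distinct port-25 destinations inside any
    `window`-second sliding window is flagged. Outbound IRC is reported as a
    secondary signal but does not by itself flag a host.
    """
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    suspects: Dict[str, dict] = {}
    for src, host_flows in by_src.items():
        host_flows.sort(key=lambda f: f.ts)
        irc_seen = any(f.dport == irc_port for f in host_flows)
        recent: deque = deque()                 # (ts, dst) of SMTP flows in the window
        peer_counts: Dict[str, int] = defaultdict(int)  # distinct dst multiset in window
        max_peers = 0
        for f in host_flows:
            if f.dport != 25:
                continue
            recent.append((f.ts, f.dst))
            peer_counts[f.dst] += 1
            # Drop SMTP flows older than the window from the front of the deque.
            while recent and recent[0][0] < f.ts - window:
                _, old_dst = recent.popleft()
                peer_counts[old_dst] -= 1
                if peer_counts[old_dst] == 0:
                    del peer_counts[old_dst]
            max_peers = max(max_peers, len(peer_counts))
        if max_peers >= smtp_peer_threshold:
            suspects[src] = {"max_distinct_smtp_peers": max_peers, "irc_seen": irc_seen}
    return suspects


def abuse_notice(src: str, info: dict) -> str:
    """Text of the warning the ISP would send before suspending the customer's access."""
    lines = [f"Host {src}: {info['max_distinct_smtp_peers']} distinct SMTP peers "
             f"contacted within a short window (typical of a spam bot)."]
    if info["irc_seen"]:
        lines.append("Outbound IRC was also observed, consistent with a bot command channel.")
    lines.append("Please clean the machine or contact the abuse desk; "
                 "network access will be suspended otherwise.")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, details in spam_bot_suspects(SAMPLE_FLOWS).items():
        print(abuse_notice(host, details))
```

The sliding window keeps the check cheap enough to run over flow exports continuously; tuning the threshold against a customer base's normal fan-out is what separates a usable warning system from one that pages everyone who runs their own mail server.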

  18. Re:I am glad I use a Mac by rantingkitten · · Score: 2, Insightful

    Part of the difference with Linux is that downloading random-ass crap from untrusted sources and blindly running an installer is not the usual way to install software. With the major distros, the user will get stuff out of the official repositories, which have been examined and vetted. This is especially true of the "clueless user" type you're describing.

    Malware is so prevalent on Windows partially because Windows provides no way for a user to know what the hell is going on. The expected means of installing software is to visit random websites, owned by god-knows-who, download some executable, and run it. You rarely have any means of telling what it's actually installing, where it's installing, and just what these programs actually do. When this is the preferred way of doing things, is it any wonder that people download and install malicious stuff without even knowing it?

    A fine example is Chrome, which I installed in the first few days it was released. I didn't notice that stupid Google Updater thing which was silently installed alongside, until much later when I was checking my running processes for unrelated reasons. Getting rid of it was a pain in the ass, too. I'm a veteran user who knows what the hell I'm doing, and Google "should be" a trusted source -- yet this slipped right by me. That thing could easily have been malicious (though to my mind, anything that "updates" unknown servers with unknown information about my computer is malicious).

    The Linux repository and package management system isn't perfect but it is far and away light-years ahead of the Windows method.

    --
    mirrorshades radio -- darkwave, industrial, futurepop, ebm.
  19. Re:I am glad I use a Mac by Seth+Kriticos · · Score: 2, Funny

    I am glad I use a Mac. It's nice to be completely immune to this stuff that the Windows and Linux users deal with minute by minute.

    Did you honestly just put Windows and Linux people in one boat? Somehow sounded like it. Must be my imagination.

  20. Re:I am glad I use a Mac by 99BottlesOfBeerInMyF · · Score: 2, Interesting

    If a user installs some program on either Linux or OS X, what's to stop that program from making outbound connections to port 6667 (to receive instructions) and to port 25 (to send spam)?

    Well, one possibility is the firewall, but for most setups it won't by default. Right now what protects OS X and Linux users from that happening is the fact that there are very few trojans in the wild that do that and work on those OS's. For that matter, not too many do that on Windows, because automated worms work better at gathering bots than trojans do.

    Now for some Linux distros and potentially for OS X and Windows there are sandboxing technologies that could be implemented to prevent trojans from working in that way. There are signing frameworks to automatically verify the source of programs to inform the user about whether or not some software they are installing is from well known and trustable source. If trojans ever become a real problem for the average Linux or OS X user, then these technologies will be implemented and become default setups.

    I've never understood this "if users wouldn't run as Administrator/root, we'd all be safe" argument, you don't need superuser privs to send email.

    I made no such argument. Rather I mentioned that boxes could be locked down to prevent the problem. Part of that means implementing finer grained permissions on the application level. I also asserted that the real problem is the broken market, where the one, mainstream OS that really needs such technology has utterly failed to implement it, but because there is no competition, very few users move to alternatives.

  21. Re:Me too by spazdor · · Score: 3, Insightful

    Well, the Storm net depends on deniability. Whoever is directing the zombies, they needn't reveal anything about themselves to the botnet, or connect from a particular place. The command just needs to find its way into the wild.

    Naturally, the cure is going to have to exploit the same dynamic. If we're as careful as the botnet designers were, retribution would be basically impossible.

    --
    DRM: Terminator crops for your mind!
  22. Re:Me too by spazdor · · Score: 5, Interesting

    I know it's terrible form to reply to one's own post, but let me just come out and suggest it:

    A collaborative, and perfectly anonymous or pseudonymous code project.

    Wicherski, Werner, Leder and Schlösser must be protected from punishment for their fine work for the good of humanity. So, informed by their disclosures, I say an open source counter-worm ought to be developed from scratch. To protect those working on it, the collaboration model would have to be a little bit 4channy.

    The downside to anonymity (As our good friend the Obama/Library/Poop guy shows us) is that it means people don't have to act accountably. There would probably be tons of ebil coders, seeing a wide-deployment worm accepting code contributions, trying to sneak their own obfuscated backdoors into the code.

    But the upside to a system like this is transparency. There are still plenty of eyes on the code, and plenty of coders to call shenanigans on one another.

    Whadda ya say?

    --
    DRM: Terminator crops for your mind!
  23. Tor by shentino · · Score: 2, Interesting

    Why not just send the purge command through Tor?

    If something goes wrong, it can't be traced easily.

    1. Re:Tor by yahwotqa · · Score: 2, Insightful

      One more reason not to use tor. What if the "purge command" leaves tor network through me, something goes wrong, the "purge command" is traced back to me, and I find my door being knocked on by few officers wanting to have a little friendly chat?

    2. Re:Tor by shentino · · Score: 2, Informative

      And yet, the anonymous, encrypted nature of Tor gives you plausible deniability.

      In effect, you are a miniature ISP.

  24. Re:I am glad I use a Mac by Erikderzweite · · Score: 2, Interesting

    It is possible -- there is a patchset for the kernel called GrSecurity. It allows you, e.g., to prevent users from starting applications from folders whose owner is not root. So installing programs from a repository is still possible (sudo etc.) but downloading and starting random crap -- close to impossible. Of course, there are always bigger and better idiots, but very few will actually manage to download a file, get root permissions, copy that file to /bin/, change permissions and launch it.
    I assume something similar is possible via SELinux too.
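
The rule this post describes is grsecurity's Trusted Path Execution (TPE): a user may only execute files that live in a directory owned by root and not writable by group or others. The code below is an added example, not grsecurity's code or the poster's: it models that policy as a pure function (the exact semantics are assumed from the poster's description, with the writable-directory condition added, as TPE is generally understood to require it) and uses it to audit a directory tree for executables that such a policy would block. That lets an administrator see, before enabling enforcement, which locally installed programs would stop working. The `trusted_uids` parameter and the audit helper are this example's own additions.

```python
import os
import stat
from dataclasses import dataclass
from typing import FrozenSet, List

ROOT_UID = 0


@dataclass(frozen=True)
class DirInfo:
    """The two facts about a directory that the policy depends on."""
    owner_uid: int
    mode: int  # permission bits only (stat.S_IMODE)


def tpe_allows_exec(d: DirInfo, trusted_uids: FrozenSet[int] = frozenset({ROOT_UID})) -> bool:
    """Assumed TPE semantics: execution is permitted only from a directory that is
    owned by a trusted uid (root by default) AND is not group- or world-writable.
    A root-owned but world-writable directory (e.g. /tmp) is still untrusted,
    because anyone could have dropped the binary there.
    """
    if d.owner_uid not in trusted_uids:
        return False
    if d.mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def dir_info_for(path: str) -> DirInfo:
    """Collect owner and mode of the directory containing `path`."""
    parent = os.path.dirname(os.path.abspath(path))
    st = os.stat(parent)
    return DirInfo(st.st_uid, stat.S_IMODE(st.st_mode))


def audit_tree(root: str, trusted_uids: FrozenSet[int] = frozenset({ROOT_UID})) -> List[str]:
    """Return paths of regular files with an execute bit set that the policy would
    refuse to run. Symlinks are not followed, so a link into a trusted directory
    does not launder an untrusted location."""
    blocked: List[str] = []
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_info = DirInfo(os.stat(dirpath).st_uid, stat.S_IMODE(os.stat(dirpath).st_mode))
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & exec_bits):
                continue
            if not tpe_allows_exec(dir_info, trusted_uids):
                blocked.append(full)
    return sorted(blocked)


if __name__ == "__main__":
    # Audit the current user's home directory with root as the only trusted owner:
    # everything listed is a program the policy would stop the user from launching.
    for p in audit_tree(os.path.expanduser("~")):
        print("would be blocked:", p)
```

Run against a home directory, the audit usually lists exactly the "download and run" executables the poster has in mind; run against `/usr/local/bin` it shows whether a local admin has left that directory group-writable, which would silently put all of its tools outside the trusted path.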

  25. Re:Me too by Lord+Flipper · · Score: 2, Insightful

    Whadda ya say?

    My only regret is that I'm not smart enough to be able to contribute directly to a project like this, but as a Mac user, who uses a Mac because "that's what he has", I say hell yes, go for it! I don't like seeing people on any platform being victimized at all. Why ask permission? Just put on the white hats out there and gun it. I could offer some cluster server space if that helps at all.

    I also think that the "get the Feds on it" idea is ridiculous. This is about doing the right thing, for the right reason, and we don't need them for that... far from it, really.

  26. Re:Me too by Lachlan+Hunt · · Score: 4, Insightful

    In the meantime, the vulnerability has been revealed to those who run the Storm botnet and I bet they're already working to deploy a patch that'll make it ineffective.

    --
    By reading this signature, you hereby agree with the content of the above comment.
  27. No need for illegal operations by artg · · Score: 2, Insightful

    Why not get the user's consent first?
    If a zombie is detected, it should be isolated in the same way as a commercial wifi node: no access to the net, and web access pointed to a login page. That page would then offer the option of continuing to use the machine offline, or having the bot software neutralised.
    No need to worry about knock-on failures from disconnecting a critical machine: any critical system that relies on its net connection is either broken by design or so unusual that it could be handled as a 'do not block' case by the service provider.

  28. Interpol by Kataire · · Score: 2, Interesting

    If government officials have authority to recover stolen goods (cars, property, etc) then they need to start taking care of this sort of thing, too. Why create a "new" organization for it... governments can agree to work together enough to form Interpol, simply extend Interpol to cover cyber crime. It seems like an obvious extension to me. As mentioned previously, the damage was done when the "vehicle" was "stolen"... if the "car" "crashes" in the authority's pursuit to limit its contribution to the victimization of more innocents, that's the fault of the perpetrator(s), not the authorities.

  29. Permission To Fire, Sir! by jman.org · · Score: 2, Interesting

    Would seem that MicroSloth could actually do something good here. If this approach to combatting Storm is on the level, they could purchase or license the method and bundle it with 'doze, using their own EULA to cover any possible complaint of 3rd-party tampering. It would become just another level of network security added to the operating system.

    This approach would have the widest effect, as it would eliminate the need for people to manually download the package and agree to potential intrusion, should the need arise by their machine becoming infected.

    The good publicity sure couldn't hurt, either.

    Gosh, never thought I'd actually say M$ could do good by buying out the little guy.

  30. Re:about 16 years late by Raenex · · Score: 3, Insightful

    If more people were using software written by another guy from Finland 16 years ago, there would be no W32 crime wave and we would not need super cracker cops authorized to violate your privacy.

    Right, there would be a Linux crime wave instead. Linux doesn't prevent users from running trojans or force them to get their operating system patched.