Slashdot Mirror


Storm Worm Botnet "Cracked Wide Open"

Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'


  1. so what? by derfy · · Score: 5, Insightful

    However it seems in practice the elimination process would fall foul of the law.

    I'm sure I'm not alone when I say, "So?"

    1. Re:so what? by Vellmont · · Score: 5, Interesting


      What if the cleaning program fouls a hospital's computers? Or fouls up some other important infrastructure. Do you want to be the guy standing next to the enter key in that event?

      It seems to me that a computer participating in a botnet is already a threat to the public. If "cleaning gone wrong" fouls a computer that's already infected, that's really just 'collateral damage'. If it happens to be a hospital's computers, well, I'd say the real problem was the hospital trusting critical infrastructure to software that's insecure. If a hospital is really dumb enough to put infrastructure that could harm someone's life on a network connected to the internet, I'd say that's criminal negligence.

      I really do think we've hit the point where the people with the vulnerable computers need to start taking SOME of the blame here and stop acting as if they're all just innocent bystanders. There's certainly plenty of blame to go around. (Oh, and the software producers can sure take some of the blame as well).

      --
      AccountKiller
    2. Re:so what? by Nazlfrag · · Score: 5, Insightful

      If it screws up uninfected machines and networks, oh well, umm whoops?
      If there are actually critical, life-supporting systems affected, damn, I guess we can't say sorry to the dead, perhaps send a nice e-mail to their grieving families?

      There are plenty of scenarios in which the cure is far more catastrophic than the botnet. We should not be reckless or rash in implementing a solution. When taking on something that utilises the world's stupidity, I think we should keep Murphy's law foremost in mind.

  2. Law? by Opportunist · · Score: 5, Funny

    Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Law? by ScrewMaster · · Score: 5, Insightful

      Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?

      Yes. Governments.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:Law? by v1 · · Score: 5, Interesting

      Vigilantism is the result of the government being unable to protect the citizen from something it's reasonable to believe they should be protected from. It's usually due to the problem of balance between making things illegal and restricting reasonable freedom.

      But in this case it's more toward the issue of the problem not being within the government's charter, or that the government simply does not have the structure (laws, with teeth) required to protect the citizen.

      I'm not a fan of vigilantism in general, but there are times when I approve of it. I'd personally love it if someone would infiltrate the botnets and inject a command to brick (but not erase) every computer that's infected, as a measure to protect millions of innocent people.

      Imagine the city you live in, where 15% of the cars parked on the curbs have the keys in the ignition. And there's a growing problem in the city of kids going on joy rides and trashing cars and property and even killing people. But the car owners don't want to bother with the problem and don't care unless their car gets trashed, and don't want anyone telling them what to do with their car. I'd lead the effort to walk the blocks, looking for cars with keys in the ignition, and hiding them somewhere in their car. Don't like it? Quit leaving your keys in the ignition. Yes, it may violate a right of yours, but by your extending your liberty it's violating the rights of others to a larger degree.

      --
      I work for the Department of Redundancy Department.
  3. Partially disclosed? by Urkki · · Score: 5, Interesting

    They should just publish their code. Let the individual hackers decide what to do with it...

    1. Re:Partially disclosed? by ymgve · · Score: 5, Informative

      They should just publish their code.

      They did.

      The Full Disclosure link contains the source code of their program.

  4. WWBD? by retech · · Score: 5, Funny

    This falls into that whole super-hero vigilante category. Just ask yourself, what would batman do?

  5. If the fix works. . . by merrickm · · Score: 5, Interesting

    Why not just give the code to the FBI and let them turn it on? I'm sure they'd be more than happy to. Or ask them for immunity on this point. It's not like the Feds don't want this thing gone as much as anyone.

  6. So you are sued and lose your house. by khasim · · Score: 5, Insightful

    That's the problem.

    The criminals do not care because they were criminals to begin with. This affects the people who are not criminals but who want to clean up the mess made by the criminals.

    Now, if the various governments could/would authorize their law enforcement agencies to use this method ...

    1. Re:So you are sued and lose your house. by maxume · · Score: 5, Funny

      Just require a warrant from some level of federal judge.

      Things might not work great at first, but the whole warrant system works pretty well, and it would provide a framework for preventing abuse and overuse.

      --
      Nerd rage is the funniest rage.
    2. Re:So you are sued and lose your house. by owlnation · · Score: 5, Insightful

      "Now, if the various governments could/would authorize their law enforcement agencies to use this method ..."

      That is the worst idea I have heard all week.

      No Kidding! The problem with such laws (any laws) in most countries, is that they are open to interpretation. This is why we have courts. Which means, that allowing any government agency the right to access 3rd party computers for any reason sets a very, very dangerous precedent which can be exploited by the more fascist politicians in the world.

      We've already seen the UK Governing Regime try to find ways of accessing the public's computers whenever they see fit, and without any court warrant. There is no sane way to allow this kind of exception, without running the risk of opening the door to further Government inspection of your computer, if they decide to exploit precedent.

      Be very careful with vigilantism. Especially when a government agency is the vigilante. It WILL be exploited for other reasons.

    3. Re:So you are sued and lose your house. by Yez70 · · Score: 5, Insightful

      I don't think the primary goal here is capture and prosecution of the controllers, but shutting the botnet down. Shouldn't that be the priority?

    4. Re:So you are sued and lose your house. by Rich0 · · Score: 5, Interesting

      Yeah, but if you do that then the botnet will be patched against the specific takedown code before it makes it through congressional committee.

      What probably should happen is that some major world government (US, EU?) should decide that the botnet is a major headache and a threat to national security. Then the info warfare division of the military would prepare a suitable script that would only disable the bots (perhaps installing a security patch on the way out to prevent reinfection).

      Then they just do it. The operation would be classified and launched in a way that would be extremely difficult to trace.

      All the pundits on the internet would cry about how horrible an action it was (though nobody would complain about the 95% reduction in spam). However, everybody would blame their favorite love-to-hate government (China, the US, France, whatever :)), while the folks in on the classified operation in the Netherlands laugh every time they get to work. And if by some miracle somebody actually figures out where it came from (large governments could just inject packets on any random telecom line, and even route them through tor if they want), what is anybody going to do about it? Launch a war on Belgium for ridding the world of spam? Levy economic sanctions for saving every company with an email server millions every year?

      Big governments kill people all the time in the interest of public safety and security. What's the worst that could happen - a few million home PCs lock up from a poorly-designed script? That could already happen any day if one of Storm's owners makes a mistake.

      I'm not big on government trespass on private property. However, if somebody's row home catches on fire and the owner refuses to let in those responsible for putting out the fire, then the police will simply put them in cuffs and let the firemen axe open the door. They might not do it for a single family home, but they'd not let a block go up in flames because some guy refused to cooperate.

      If you want to be really nice about it then just put a public service announcement on TV stating that in the coming month the government is going to wipe out the Storm botnet, and that anybody who doesn't like the idea of having the government clean up their PC should opt out by removing their computer from the botnet in the next seven days...

  7. Re:Pfft... by gzipped_tar · · Score: 5, Funny

    The guys who found the "cure" for Storm Worm are university students. They did the research using the university's facilities. They have to follow the university's regulations and everything they do is pretty open to the public. Should they just trigger the switch and take over, the university may find itself in legal trouble.

    Unless one of them happens to be Batman.

    --
    Colorless green Cthulhu waits dreaming furiously.
  8. Re:Just more whack-a-mole by damn_registrars · · Score: 5, Insightful

    Spam is profitable even when only one in 10,000 people respond to them

    Spam makes for an excellent case study in the problem, more on that in a moment.

    People have been building better and better spam filters for years

    Filters will never solve the spam problem. I have said that before, and I will continue to say it until people start to realize the reality of the situation.

    Build better filters, and spammers will send better spam.

    You have to remove the profit motive.

    And a fair portion of botnet activity is spam-driven or spam-propagating. So if we work on the spam problem, the botnet problem will diminish.

    And there is one angle in particular that is available for stopping spam:

    • The damned registrars

    If you look at spam messages, you'll see that the vast majority of them ask you to go to domains that are on the order of days old, and seldom remain up for more than a few weeks. This is because registration of domains is too easy, with too little liability anywhere along the way.

    Spamming and spamvertised domains are registered at a bewildering rate 24/7. And most of them are registered with bogus information to boot. We need a few things to hinder this:

    • Registrars need to sell domains only to valid registration data
    • Registrars that willingly sell domains to spammers need to be punished swiftly and severely
    • ISPs that willingly offer services repeatedly to spammers need to face the same

    If the virtual storefronts selling the v!@gr@ are shut down promptly, and proper impediments are put in place to hinder their creation, spam will become less profitable. The owners of the spamvertised domains can only afford to pay the spammers for their services as long as they are still selling products.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  9. Re:Screw the law. by Todd Knarr · · Score: 5, Insightful

    Because we don't need to. The botnet software is readily detectable. Simple solution: require ISPs to warn users if their machines are found to be infected and, if no action is taken (i.e. not cleaned up and the user doesn't contact the ISP to discuss it) in a reasonable timeframe, suspend their network access.

    If you're driving with a car that's spraying oil all over the road, dropping pieces off and generally posing a hazard to other drivers, the police will cheerfully ticket you and impound the car. They don't try to fix the car, they take it off the road and leave what to do next up to the owner. I fail to see why a similar approach can't be applied (other than "But then they won't be able to use the Internet!", to which I reply "Well, yes, that's kind of the point.").

  10. Re:Me too by spazdor · · Score: 5, Interesting

    I know it's terrible form to reply to one's own post, but let me just come out and suggest it:

    A collaborative, and perfectly anonymous or pseudonymous code project.

    Wicherski, Werner, Leder and Schlösser must be protected from punishment for their fine work for the good of humanity. So, informed by their disclosures, I say an open source counter-worm ought to be developed from scratch. To protect those working on it, the collaboration model would have to be a little bit 4channy.

    The downside to anonymity (As our good friend the Obama/Library/Poop guy shows us) is that it means people don't have to act accountably. There would probably be tons of ebil coders, seeing a wide-deployment worm accepting code contributions, trying to sneak their own obfuscated backdoors into the code.

    But the upside to a system like this is transparency. There are still plenty of eyes on the code, and plenty of coders to call shenanigans on one another.

    Whadda ya say?

    --
    DRM: Terminator crops for your mind!