Storm Worm Rising

The Storm worm has been an increasing problem in the last few months, but a change in tactics may mean something big is going to happen. The article discusses a bit of back story about the worm, including the somewhat frightening numbers about the millions of spam emails carrying the worm payload. They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.

How are these numbers calculated?

They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.

0.25 to 1,000,000 is a pretty large range.

Seriously though, how does one go about estimating these numbers? Is it something as simple as an estimate of what proportion of infected e-mails are expected to result in an infected desktop? I doubt that would give a very accurate figure.

Re:How are these numbers calculated?

Article says how they are calculated:

"Joe Stewart, senior security researcher at managed security company SecureWorks, at the Black Hat conference. .....

From the number of infected machines he's found, Stewart estimates that the Storm botnet could comprise anywhere from 250,000 to 1 million infected computers. And that raises questions, along with eyebrows. "

Re:How are these numbers calculated?

The estimate is based on the number of unique IPs we've seen attacking networks we monitor, coupled with our knowledge of how the Storm botnet works. We've seen up to 100,000 bots sending the attack (the ecard spam) in a single day. Storm is a multi-tiered botnet, meaning that not all the bots are tasked with sending the emails. Some are supernodes (first-tier), designed to serve up the ecard executables via HTTP and facilitate communication between the regular (second-tier) nodes. Another factor is that some second-tier nodes will never be seen attacking, since they may be behind firewalls that block port 25 outbound or at an ISP that is doing SMTP blocking, so they may be part of the botnet but difficult to count.

In reality, the only source that can give you a precise count for the Storm botnet is the Storm controller - and he/she's not talking. So we do the best we can at estimating its size given the data available.

Re:How are these numbers calculated?

Seriously though, how does one go about estimating these numbers?

• 1. Roll 2D6
• 2. Take the number rolled, and multiply it times the number of worm messages that have arrived in your inbox.
• 3. If your computer is actually infected, square the result.
• 4. Play a game of Solitare
• 5. Add your final score to the result
• 6. Divide the result by your Boss's vigilance.
• 7. Make a saving throw against discovery, and multiply the result by 1000
• 8. Round up to the nearest 100,000
• 9. Publish
• 10. Profit!

Lower bounds are trickier as they will require you to actually care about what you're doing.

Microsoft is going to lose big

If they can't find a way to reach customers and get them fixes for the rampant insecurity of these machines that are compromised. The silent majority of customers are getting frustrated with this sham of a performance [chron.com], and while saner heads recognize that Redmond does a lot right and some wrong, the emotional response is going to shove them out of dominance in operating systems. Maybe that's why they're better on spacy Web3.x "cloud" and "distributed OS" technologies instead of what made them big, which was getting things done the hard way consistently.

"The silent majority" is uninformed.

No. "The silent majority" believe that this is the way computers just "work".

They've been shown that in countless movies and TV shows and by "experts" on the news.

They're the ones you see claiming that Linux and Mac's will have the "same problems" as their market share increases.

With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

Re:"The silent majority" is uninformed.

No. "The silent majority" believe that this is the way computers just "work".

More accurate, perhaps, to say that they think this is just the way computers don't work.

There was a program on last week where they had a collection of self proclaimed grumpy old women listing things they hated about computers - and you know what? Every single complaint was not about computers per se, but about Microsoft software.

There's got to be an opportunity in there somewhere for the FOSS movement. Imagine if we could convince the "I hate computers" brigade that what they mainly hate is Microsoft ...

With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.

Re:"The silent majority" is uninformed.

None of those things are with Windows itself though.

No, but they are Microsoft though - which is what I said in the first place.

Annoyances.org isn't the collection of old ladies you discussed

You're right, I just used it as a loose example. I'd be more specific about the complaints, but I wasn't expecting a test, and I forgot to make notes. All I can do is report what I remember from the show.

I'm willing to be quite a bit of /.ers post over there, so I doubt its unbiased.

meh. It's a support forum, not an advocacy site. It's not so much "Microsoft sucks" as "what do I do when when the registry fills up?". You don't get a lot of penguin heads there because... well, because we all use Linux and it's a windows support forum.

Annoying things are hardly a reason to HATE MS though.

Hatred isn't a rational act, though, is it? I mean, most people don't wake up in the morning and say "now who shall I hate today? Who is the most rational target for my hatred?". It's not like that. On the other hand, there's no shortage of people who think "if that computer crashes and loses my document one more time today, it's going through that window..." My point is that a lot of the things I heard cited as inspiring this hatred were typical MS grumbling points.

And if it's a good enough reason to hate computers, it's good enough to hate Microsoft. It's just a question of education ;)

I'd also have to think that the group would find a whole new slew of anoyances with Linux as well.

Oh quite possibly, although the latest Ubuntu is getting very good in that respect. But they'd be spared the malware, and the viruses and the worms... which is the starting point for this discussion.

(does YouTube work w/Linux?).

Yes, perfectly. At least since flash 9 was released for Linux.

Re:"The silent majority" is uninformed.

That is the last straw for me! I can't get cards from my "friend". I am going back to Windows where I can open cards.
--
Try to hack my 31337 firewall! [127.0.0.1]

Yeah, you really should do; you clearly need a more secure OS than the one you're running now. I just hacked your firewall, and man have you got a lot of weird stuff on there. :-) You're lucky I'm not a black-hat.

Re:"The silent majority" is uninformed.

They're the ones you see claiming that Linux and Mac's will have the "same problems" as their market share increases.

Out of curiosity, what aspects of the OSX/BSD and Linux architectures are going to stop:

• An uneducated user from executing a binary file they download from a URL they are given
• A process that user is running from executing further code with that user's privileges
• That user's processes from making outbound TCP/UDP connections
• That user's processes from accessing an SMTP server to send emails
• A user from configuring a process to run on logging in

By my thinking, that's really all that's needed for a botnet to work on a given platform. I am certainly ignorant of many details regarding the BSD/Linux kernels and I stand ready to be corrected, but I believe I've seen all those things happening individually as part of day to day user life on my linux box.

Re:Microsoft is going to lose big

If they can't find a way to reach customers and get them fixes for the rampant insecurity of these machines that are compromised.

WTF are you talking about? RTFA, please. If you actually did that before funboying around, you'd notice that the program in question is not a worm at all, but a trojan. User has to manually run the attachment, probably clicking through a couple of dialogs practically begging him not to. But, since the user really, really _wants_ to see the cute kittens, or a naked celebrity, or whatever the trojan claims to be, trojan will be run. No OS can defend against the user being a sucker.

So, move along, please. Your tirade is totally off topic here.

Love the tag "situationnormal"

I remember freaking out 10 years ago every time I saw someone running that cutesy little "fireworks display" email attachment. Despite my best efforts, I couldn't get the users to stop unzipping and opening it*. Glad to see that things haven't changed much.

SNAFU (Situation Normal: All F***ed Up)

* Before I get 10 million suggestions for a decade-past issue, yes we did find more effective ways of blocking it.

Naked teens attack home director

Now I've got your attention worm style, click this link for more information:

http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]

Question on that article

Now I've got your attention worm style, click this link for more information:

http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]

I'm interested in something from that wikipedia article; it mentions that the source code to storm specifically avoids infecting Windows Server 2003 boxes. Anyone know why the author would go out of his way to not hit 2K3 boxes?

Perhaps to avoid infecting government servers (and upping the ante, if he got caught)? That's the only thing I could think of. I'm sure there's a very logical reason, but I have no idea what it might be.

worth worrying about

As the publisher of two fairly popular websites, this is something to worry about. Recently all our sites spread across a few dedicated servers in one data center were down. Not because of a direct DDOS attack, but because of a peripheral attack which swamped the network infrastructure at the center. Really, if these guys decided to do more frequent DDOS attacks, anyone could be a target and calling the FBI is cold comfort since in the meantime your sites are down and out.

Catalyst for change?

Let's look at DDoS attacks.

#1. Spoofed IP addresses - not that common anymore. It used to be that you'd tie up a machine by having it send replies to machines that did not initiate the connection. There is a simple solution to this. Anyone assigned a block of IP addresses has to make sure that all outbound traffic references IP addresses on that block.

#2. Thousands of machines eating up your bandwidth - the most common type now. This is where the zombie army each makes continued requests of your machine. For webservers, they can request a page over and over and over until they use up all your bandwidth and legitimate visitors cannot get through. This is more difficult to fix. It can partially be handled by blocking the range of addresses that host the zombies. Such as Comcast and Verizon and so forth. There are more complicated attacks. Such has sending half a request.

There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.

More information

http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]

...names ranging from "postcard.exe" to "Flash Postcard.exe,"...

Shouldn't everyone be blocking .exe attackments at the MTA? Also look for a service running called wincom32 on infected machines.

NO!

Shouldn't everyone be blocking .exe attackments at the MTA?

NO! It's annoying enough that Google rapes through my .zip files looking for .exe's.

If I'm working on a c++ program at work and zip it up and gmail it home (lock the computer while it uploads) and forget to 'make clean' ... I don't get my code. I know its nitpicky and a make clean or a thumb drive will cure my problems but I'm forgetful which tend to preclude both.

Re:NO!

Try password protecting your zip file.

Re:NO!

It makes no difference if you password protect them or not as to list the zip file content no password is needed. You only need the password to correct extract the files.

I've just switched to using RAR and as for now Google is leaving my attachments alone...

M Addario

Re:More information

The examples I've seen of this don't have an attachment. It's a "click here! to view your postcard!" link in the email. Clikcing the link takes you to a site that says something like "We're trying a new feature on our site, please click here if you do not see your postcard". This link is then to an executable which of course prompts you to download or run. It seems to me you'd have to be pretty naive or just plain stupid to click through to the point of infection but I'm guessing a lot of people do...

For me the biggest problem with these is that there is no attachment for AV to pick off and there is hardly any text and no real advertising in the email so our spam filters don't block it either.

What does God need with a starship?

"Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam."

For spam, a million-strong botnet might be overkill. But botnets can do much more - like launching denial-of-service attacks. These attacks aim to overwhelm a Web site or Internet server by sending it a constant stream of garbage data at a particular Web site or Internet server.

So the question is, who is controlling these botnets and why? DDoS attacks can be pretty useful if someone wants to get a point across or to extort money from someone or some company. It will be interesting to see if they can trace it back to the source.

Re:What does God need with a starship?

"Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam." For spam, a million-strong botnet might be overkill. But botnets can do much more - like launching denial-of-service attacks.

So the question is, who is controlling these botnets and why?

It is possible that the creators of this worm did not have any idea how successful they would be. They may have figured they'd get 5,000 PC's, not 500,000. Now suddenly they have a monster by the tail and are not sure what to do with it.

Removal Tool

http://www.teamfurry.com/wordpress/2007/07/19/suns hine-on-a-stormy-day/ [teamfurry.com]

Re:Removal Tool

No fukcing way am I going anywhere near a site called Team Furry.

The goggle really might do nothing.

Re:Removal Tool

http://www.teamfurry.com/wordpress/2007/07/19/suns hine-on-a-stormy-day/

I'm too scared to look. On a scale of goatse to tubgirl, how's it rate?

that is why

That is why I always do my online banking BEFORE I browse for porn

Maybe there's a silver lining here...

I dunno - maybe this is what we need ~ a botnet big enough to do some real damage could actually catalyze some public awareness. Imagine if they DDoS'd MS, or Amazon, heck, Google? Maybe these guys (esp. Google) could handle this kind of slamming, but they've got lobbyists now. I really wouldn't mind seeing a well-funded FBI task force with the express purpose of rooting out botnets and going after their creators. Yeah, yeah, most of them are not on US soil. I know. However, imagine legislation that actually required the disconnection of infected bots from an ISP until it was cleaned, and a public awareness campaign that painted users who allow this to happen as idiots, and the ISPs as protectors of the rest of the internet users. Most people are concerned that there would be a backlash against the ISPs and they would stop complying for fear of loss of business, but that's where the legislation comes in. It's a quarantine situation - just like IRL, if you've got something nasty and contagious, the CDC can legally quarantine (forcibly, if you're an idiot like the TB guy) you because you're endangering the lives of others by going out and exposing them. Same thing here - don't give the botnets a chance to expand, cut them off, force a windows-cleaning (ISPs could offer a cleanup disk, $5.95 plus tax, or something, to help make it worth it for them - don't want to hurt the small ISPs, even though I think TW and the rest are bastards), and let them reconnect afterwards. Simple, painless, and will definitely make sure people learn their lesson for next time.

Beyond the slashdot effect...

From the article: > For spam, a million-strong botnet might be overkill. > But botnets can do much more - like launching denial-of-service attacks. > These attacks aim to overwhelm a Web site or Internet server by sending > it a constant stream of garbage data at a particular Web site or Internet server.
A few years back there was a spate of DDOS attacks on root servers, for example: http://www.informationweek.com/news/showArticle.jh tml?articleID=197004237 [informationweek.com] which were described at the time as "possibly featuring millions of computers".
So, is this really such an enormous number? There seems to be a precedent for botnets of this scale....

Whats Worse? Storm or Nugache

We all know that the Storm botnet is a big ol' spambotnet but what about Nugache? Thats the one I'm more concerned as it is fairly huge and just sits there in the dark waiting!!! Has anyone identified WTH that one is prepping for yet or are we still all in wait mode...

Insert Scary Music Here

If you'd like to know more...

...let me know and I'll forward you some e-mail...

An email warning I got yesterday

Yesterday, a non-expert computer user I know sent me an email warning about emails with "postcard for you" in the subject being a carrier for the "worst virus ever". It could erase your entire hard drive!!! The histrionics convinced me it was bogus, so I blew it off. But seems there is something going on after all? That email now looks like it was deliberately timed and edited to ride the next wave of panic.

As much as I hate to suggest this...

...but perhaps we need a law that would require ISPs to disconnect customers with compromised computers, and inform them that they will remain disconnected until the computer(s) has been cleaned.

Us conscientious customers shouldn't have to suffer the conditions imposed on us by people who can't bother to take even the most simple precautions. How much better would service be without all these botnets clogging the tubes?

Military?

It's well-known that the Chinese government has an active computer warfare department. A botnet on this scale is way beyond anything needed for mere industrial blackmail. But if you wanted to bring down large chunks of some nation's Internet quickly, without the attack coming from an obvious (and blockable) source, this would be a great weapon. Let's say you wanted to disable the Internet in Taiwan, or South Korea, or Japan, or all three, just prior to military action. Or let's say you wanted to disrupt financial markets to be sure that your intentional crashing of the dollar [telegraph.co.uk] had maximal effects.

how to know

People who have all mail to a domain going to one gmail account (ok, me) noticed a bunch of this testing the waters looking spam leaking through the filters, one every two minutes or so, with both the subject and the body being a different short 6-10 character string of mostly numbers. No actual selling content.

Incidentally, for Windows lusers who realize they may have been practicing unsafe computing, is there any way to tell that you've been zombified? I know some of these worms are fairly stealthy. Some sort of external monitoring box between the router and the cable modem?

Had this show up

We had this show up in our infrastructure. All the emails were this:

Hi. Worshipper has sent you a greeting card.

See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

http://682.81.0.23/?9907cd64e28cae3d7703a3b01bda de (Poster's note: This URL has been altered to protect the rampant mad clickers amongst us)

Or copy and paste it into your browser's "Location" box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best, Administrator, americangreetings.com

Mandatory Disconnect of Infected Computers

Make it a Federal Law that ISPs must disconnect infected computers, and users would be forced to fix things very quickly.

Then if a botnet attack comes, turn off the overseas pipes as needed. Yeah I am a dreamer, but I am at least half way practical.

SPAM - the stupid side of things...

Government and Big Corp always seem to be there when you don't want them. But they're never there when you do.

For year's I've wondered why we have such a persistant SPAM problem. There are number of things that can be done - but aren't.

- I don't believe there is ANY excuse for old viruses to circulate the web. I understand a new virus, but once a virus is known it should be stopped at the ISP & backbone levels.

- Where is the government? SPAM supposedly costs business' billions of dollars a year. That would mean to me that a portion of the trillions of dollars paid to the U.S. government in taxes should be allocated to it's cessation. Nail the spammers, and nail them hard.

- I get the same Myspace SPAM message a few times a week for a year now. So do most others on MySpace. The spam uses the same image for finance loans over and over. WHY? It should have been stopped ages ago.

- How to stop it...well, the easy way is to have a government or corporate entity utilize the SPAM service and trace the money back to it's source. Oh, and don't tell me that it's outside of our jurisdiction in some 3rd world country.

- If it's in a third world country. Let's help that nation's economic situation. A nice reward for x individual and company to be shut down would do wonders. Now, if that $10,000 reward happens to have Storm Controller's head removed from his body. It'd be a downright dirty shame...but not much more.

*growls*

Cool

With a bit of luck it will kill the entire net for days, perhaps weeks.

Then perhaps something might actually be done about this nonsense once and for all. The only way something will get done is if hits the pocket books of enough 'big players'

Re:Cool

Do you realize the kind of productivity spike we could get if the 'net was down for, say, a week? One day would be lost to people trying to get back up, admittedly, but then we'd all just start doing work, checking the 'net connection more and more infrequently. After a week, we'd probably run out of work on our desks that didn't need internet lookups, though most of us still have paper catalogs around so it wouldn't be a total loss. Faxing would get popular again, as would phones and voicemail...but no outside IM and email to deal with.

I'm going to call it a net win for productivity and busniess in general. Which means that it's most likely that big business is behind the internet shutdown...and the Storm worm.

Shit, where'd I put that damned tinfoil hat...

not important

ahh. that explains my hour's worth of BSOD yesterday. couldn't have been anything i intentionally did. heh.

Why not an anti-virus virus?

Could you imagine an anti-virus virus?

A virus that searches your memory/drive for other viruses/spam/spyware, kills and removes them if any are found, replicates, then cleans up after itself....

-CF

Linux won't run it! :(

I'm sitting here all pissed off because I just can't get that trojan to run. I've been fiddling with wine for hours and even tried it under crossover office, and damn it, I just can't get my machine infected. The next step is going to be installing Windows into a qemu image because I just don't want to miss out on full Windows compatibility! Grrrr.

Seriously though, I thought Windows was supposed to be more secure, and less prone to this stuff than Linux? I mean, that's what Microsoft's Get The Facts campaign was all about wasn't it? I know, one can claim that Linux just isn't much of a target because of market share, but the reality is that the security model is vastly superior.

Windows can be made secure, but so many programs are STILL coded such that administrative access is provided that backwards compatibility is Windows' Achilles' Heel. I was hoping Microsoft would use XP (and more recently, Vista) as a breaking point (like Apple did with OS X) but sadly they didn't in either case.

I hope these infections REALLY blow up and cripple the Internet for a few days, because it would make many people question the wisdom in continuing to pay for cosmetic updates to Windows.

Vigilante worms

Does anyone make these? I'm thinking of worms that purposefully go out and deactivate malicious worms without trying to form botnets themselves. I've heard of virii deleting each other, but this is still for the purpose of controlling the box.

sigh

windows is one nasty piece of crap

What is Affected?

Just another in a long list of security sites that seem incapable of describing who is affected and what should be done about it.

[REN-ISAC]Storm Worm DDoS Threat to the EDU Sector

Here's a notice to the education sector and what the Storm Worm can mean to universities: http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind 0708&L=cio&T=0&F=&S=&P=4540 [educause.edu]

Re:Nebulous numbers

short hand for "between a quarter million and one million"

A quarter million to a full million is still a large range.

Re:Nebulous numbers

English is not too difficult to understand if you look at the clues.

You're talking about the game, right?

----
Mods, that joke is on topic, look up the parent original post.

Re:What about the Twinkie?

But is it better than carrying an unlicensed nuclear accelerator on our backs? :)
Kris

Re:Question on attachments

I've seen a huge spike in SPAM on my hotmail accounts.

Also, the PDF's emails are simply a way to get past spam filters; they're all viagra/meds style ads. These started appearing about a month ago.