
Storm Worm More Powerful Than Top Supercomputers

Posted by ScuttleMonkey on Fri Sep 07, 2007 07:19 AM
from the spamalot dept.
Stony Stevenson writes to mention that some security researchers are claiming that the Storm Worm has grown so massive that it could rival the world's top supercomputers in terms of raw power. "Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity. 'We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see,' he said, noting he suspects the botnet could be as large as 50 million computers. 'That means they can turn on the taps whenever they want to.'"

Related Stories

[+] Storm Worm Rising 218 comments
The Storm worm has been an increasing problem in the last few months, but a change in tactics may mean something big is going to happen. The article discusses a bit of back story about the worm, including the somewhat frightening numbers about the millions of spam emails carrying the worm payload. They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.
[+] Storm Botnet Is Behind Two New Attacks 226 comments
We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.
[+] Storm Worm Botnet Partitions May Be Up For Sale 192 comments
Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Massive storm worm? (Score:5, Funny)

    by EveryNickIsTaken (1054794) on Friday September 07, @07:21AM (#20506085)
    Where's Paul Atreides when you need him?
  • Fine the technically illiterate (Score:4, Insightful)

    by ComradeSnarky (900400) on Friday September 07, @07:24AM (#20506105)
    They should write a virus that uses exploits to install stuff like Folding@Home etc. If people pose a nuisance/danger to others in real life they get fined/jailed, if they pose a nuisance/danger online by letting their computers be compromised then they should face "punishment" by "fining" them part of their CPU power.
  • Imagine... (Score:5, Funny)

    by nuclearpenguins (907128) on Friday September 07, @07:27AM (#20506127)
    Imagine a beowulf clus.... never mind.
    • Re:Imagine... by Corwn of Amber (Score:1) Friday September 07, @07:30AM
    • Re:Imagine... by Opportunist (Score:2) Friday September 07, @09:06AM
    • 1 reply beneath your current threshold.
  • PS3 too (Score:1)

    by ngt (1146019) on Friday September 07, @07:29AM (#20506139)
    and does the worm run on the PS3 too?
    At least folding@home does... :-)
    • 1 reply beneath your current threshold.
  • Co-opt it.. remove it. (Score:5, Interesting)

    by bigattichouse (527527) on Friday September 07, @07:30AM (#20506145)
    (http://www.bigattichouse.com/)
    I just don't see why if 1) there are known decompiled versions of it and 2) the network activity can be monitored. why 3) Hasn't code been written to exploit the 'sploit and shut them down. Something that infiltrates, but keeps them running for - oh, say a week - while the exploit percolates through the system, and then kills and patches the running process.
  • by pzs (857406) on Friday September 07, @07:30AM (#20506155)
    Plot idea 1: Near future. Governments completely dependent on their IT infrastructure. Organised crime in control of huge botnet able to hold government to ransom. With hilarious consequences.

    Plot idea 2: Now-ish. Script kiddie unleashes attack using enormous botnet. Runs out of control. Becomes so deeply imbedded into internet that it's impossible to shut down without "rebooting" the whole infrastructure. With hilarious consequences.

    Plot idea 3: Medium future. Internet and control of botnets becomes so intrinsic to society that governments have less importance than internet societies. Whole "countries" exist as virtual connections of affiliated machines. With hilarious consequences.

    Any of the above would work well as a Hollywood movie given Angelina Jolie and lots of gratuitous and incorrect techno-babble.

    Peter
  • Follow the money (Score:4, Interesting)

    by inflex (123318) on Friday September 07, @07:32AM (#20506173)
    At some point the flow of money will have to converge in a meaningful way, that should help picking up a few scalps. Of course, it's probably going to be like beheading a hydra. Welcome to the net-mafia.

    As a side issue, how hard is it for an ISP to see an IP sending out the typical spam mail and closing off that IP/client.

    Perhaps now is a good time to push for better adoption of SPF (though surely RMX would have been faster to implement?)
    • Re:Follow the money by Just some bastard (Score:1) Friday September 07, @07:59AM
    • Re:Follow the money (Score:4, Insightful)

      by Anonymous Coward on Friday September 07, @08:01AM (#20506427)

      As a side issue, how hard is it for an ISP to see an IP sending out the typical spam mail and closing off that IP/client.
      That may be dangerous ground. Show an ISP who can invade their users' traffic enough to sniff out a particular worm, and you'll have the **AA swooping in demanding that the ISP also sniff out illegal torrents, .gov insisting that their ability to catalog your pr0n collection is more important, bad parents insisting that the ISP filter out anything that might show their children a boob, etc.
      [ Parent ]
      • And again we go through this. (Score:4, Interesting)

        by khasim (1285) <brandioch.conner@gmail.com> on Friday September 07, @08:57AM (#20507099)
        We go through this every time this subject comes up.

        It would be EASY for ISP's to block outgoing port 25 connections. Some of them already do.

        That means that the worm would have to send through the ISP's mail servers.

        Which means that the ISP can easily monitor the NUMBER of messages sent by any user. No need to dig into everyone's email. Just look for the senders who are X% higher than the average.

        And watch for sudden increases in a user's mail usage. It should be easy to establish a baseline for each account.

        I do that where I work to watch out for dueling vacation replies.
        [ Parent ]
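The volume-only monitoring described in the comment above, as an added example that is not part of the original comment or thread. It flags accounts by message count alone, once against the rest of the customer base and once against each account's own baseline. The hourly counter log format, the account names and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: "<hour> <account> <messages relayed that hour>".
# This is a made-up counter format, not the log format of any real MTA.
SAMPLE_LOG = """\
2007-09-07T06 alice 3
2007-09-07T06 bob 1
2007-09-07T06 carol 7
2007-09-07T06 grace 2
2007-09-07T06 dave 400
2007-09-07T06 eve 4
2007-09-07T07 alice 5
2007-09-07T07 bob 2
2007-09-07T07 carol 6
2007-09-07T07 grace 4
2007-09-07T07 dave 390
2007-09-07T07 eve 5
2007-09-07T08 alice 6
2007-09-07T08 bob 2
2007-09-07T08 carol 5
2007-09-07T08 grace 3
2007-09-07T08 dave 410
2007-09-07T08 eve 1800
2007-09-07T08 frank 900
"""


def parse_counts(text):
    """Return {account: {hour: messages}} from the hourly counter lines."""
    counts = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip blank or malformed lines instead of crashing
        hour, account, n = parts
        counts[account][hour] = counts[account].get(hour, 0) + int(n)
    return counts


def flag_accounts(counts, fleet_factor=5.0, spike_factor=10.0, min_msgs=50):
    """Flag accounts in the most recent hour using message counts only.

    above_fleet       : far above what a typical account sent this hour
    spike_vs_baseline : far above this account's own earlier hours
    no_baseline       : high volume from an account with no history at all
    Thresholds are illustrative assumptions, not recommended values.
    """
    if not counts:
        return {}
    # ISO-style hour strings sort chronologically as plain strings.
    current_hour = max(h for per in counts.values() for h in per)
    now = {acct: per.get(current_hour, 0) for acct, per in counts.items()}
    # Median rather than mean: a few bots would drag a mean upward
    # and hide themselves behind their own traffic.
    fleet_typical = median(now.values())

    flagged = {}
    for acct, sent in now.items():
        if sent < min_msgs:
            continue  # too little mail to matter, whatever the ratios say
        reasons = []
        if sent > fleet_factor * max(fleet_typical, 1):
            reasons.append("above_fleet")
        history = [n for h, n in counts[acct].items() if h < current_hour]
        if not history:
            reasons.append("no_baseline")
        elif sent > spike_factor * max(median(history), 1):
            reasons.append("spike_vs_baseline")
        if reasons:
            flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    for acct, why in sorted(flag_accounts(parse_counts(SAMPLE_LOG)).items()):
        print(acct, ", ".join(why))
```

In the sample, dave is a steady high-volume sender that only the fleet comparison catches, while eve trips both checks; keeping the two signals separate is what lets an operator tell a known bulk sender from a sudden change in one account's behaviour.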
      • Re:Follow the money by russotto (Score:2) Friday September 07, @10:05AM
      • Re:Follow the money (Score:4, Insightful)

        by Opportunist (166417) on Friday September 07, @09:11AM (#20507275)
        I'm willing to take a few risks and take care of my own security to protect my liberty. I know, it's going out of fashion, but an old dog doesn't like learning new tricks.
        [ Parent ]
      • 2 replies beneath your current threshold.
    • Re:Follow the money by ZachPruckowski (Score:2) Friday September 07, @08:16AM
    • Re:Follow the money by TheRaven64 (Score:2) Friday September 07, @08:36AM
    • Re:Follow the money by Ilgaz (Score:2) Friday September 07, @08:51AM
    • Re:Follow the money by HeavyDevelopment (Score:1) Friday September 07, @03:34PM
  • "Add the computers together"? (Score:5, Insightful)

    by gardyloo (512791) on Friday September 07, @07:32AM (#20506177)
    So this botnet rivals supercomputers for power as long as it's working on some purely parallelizable problem. Like, for instance, sending spam messages.
  • Threat to national security? (Score:5, Interesting)

    by ckedge (192996) on Friday September 07, @07:35AM (#20506197)
    (Last Journal: Sunday January 27 2002, @03:34PM)
    Isn't this so large that it should be deemed a threat to national security? Not just to one country's national security, but ANY country's. Shouldn't there be a half dozen senior analysts from a few different countries and from NATO HUNTING the people that control this thing and figuring out how to neutralize it?
  • Microsoft can help, but isn't (Score:5, Interesting)

    by courtarro (786894) on Friday September 07, @07:35AM (#20506199)
    (http://www.hydrous.net/)
    Why hasn't Microsoft added Storm to its Malicious Software Removal Tool?
  • by dpbsmith (263124) on Friday September 07, @07:46AM (#20506299)
    (http://www.dpbsmith.com/)
    In the 50s, 60s, 70s when there was science-fiction-inspired angst about the possibilities of computers taking over the world, the standard reassurance was that "after all, we can always unplug them." And I believe there was an SF story or two about how a computer could put up resistance to being unplugged. And of course everyone remembers the heartrending scene in 2001, A Space Odyssey when Dave shuts down Hal by physically ejecting Hal's logic modules.

    It's funny how things work out:

    "If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." (emphasis supplied)

    So much for "we can always unplug them," eh?
    • Re:That 60s reassurance, "we can always unplug the by Jerry (Score:3) Friday September 07, @08:28AM
      • It's not the servers. (Score:4, Interesting)

        by Dr_Barnowl (709838) on Friday September 07, @01:41PM (#20512049)
        By and large, servers are well maintained. And people seldom use them as their desktop machine. And server admins are usually too savvy to infect themselves with a trojan horse bundled in an email. And when they do get pwned, people notice because their infrastructure starts suffering.

        With that in mind, the Storm Worm specifically doesn't infect Windows 2003 server - a deliberate decision on the part of the author, I'm sure. If you upset enough businesses, they'll devote enough money to the problem to fix it.

        The problem is desktops. Specifically, Windows desktops in the hands of the technically illiterate.

        Just connecting an unpatched Windows box directly to the internet is enough. It belongs to a hacker in very short order. Even if you patch it up, the sheer number of services running on your average Windows box that listen to network ports is worrying. Never mind being on the internet, with the number of laptops moving in and out of corporate networks, it's not even safe "indoors". And it's hard to turn a lot of this stuff off without adversely affecting its functionality.

        I wouldn't even trust a general-purpose Linux installation on the internet; it's just too difficult to track all the potential vulnerabilities. I keep a dedicated firewall running in my router, and the only services it runs are network translation, and a secure shell for administration, which reduces the target footprint to two highly secured services which were designed to be secure in the first place.

        Windows users don't help, they are daft enough to infest themselves with everything going. Even if they are not quite daft enough to double-click executable attachments, they will download all the worst sorts of "Freeware" and click straight through the license agreement. Not only are they pwned, they actually agreed to it!

        A case in point - one of our accountants was mailing around an executable Flash package (some kind of novelty). I deleted it instantly, and made a point of telling her that it could have been anything and done anything. Ten minutes later, I mailed her a VB executable decorated with the Flash icon. All it did was plonk up a dialogue box which said "Erasing hard drive". Somewhat predictably, she executed it. I almost pretended that I didn't send it and that it was a virus that emailed it.

        The root problem is the design of Windows and windows applications.

          1) Double-click to open OR execute

        This isn't all Windows' fault. People don't make a distinction between running a program and opening a file, because there isn't one in terms of the user action required. I'm willing to bet that the average user doesn't even understand the difference. If you had to perform a different action from double-click to execute programs, viral infection rates would drop enormously. You could still keep the d-click to open files with their registered program, just stop running programs themselves by this method. You've not lost the convenience of file-association. Just put "execute" on the context menu and make it a non-default action.

          2) No executable flag in filesystems.

        In Linux, a file isn't executable until you grant it permission to be so. If you had to open the permissions dialogue and check the "executable" box, it would hammer home the difference between executables and mere content. And by making it something more than a casual action, it would reduce the "impulse" running of many of these things, where people have their caution overridden momentarily by the promise of naked flesh or other inducements. Heck, you can even have whole filesystems that refuse to execute files - download all internet content into one of these and before you run it, you'll have to unpack it, move it to an executable folder, and check its execute bit. This would seem too much work for the average Joe for a quick glimpse at Jessica Alba with no bra...

        [ Parent ]
      • Re:That 60s reassurance, "we can always unplug the by vidarh (Score:2) Friday September 07, @01:44PM
    • Re:That 60s reassurance, "we can always unplug the by KudyardRipling (Score:1) Friday September 07, @09:02AM
    • Re:That 60s reassurance, "we can always unplug the by varcher75 (Score:1) Friday September 07, @09:09AM
    • Re:That 60s reassurance, "we can always unplug the by Constantine XVI (Score:2) Friday September 07, @09:19AM
    • Re:That 60s reassurance, "we can always unplug the by Fnord666 (Score:2) Friday September 07, @09:28AM
    • Re:That 60s reassurance, "we can always unplug the by kalirion (Score:3) Friday September 07, @11:32AM
    • 1 reply beneath your current threshold.
  • Does this work on Linux? (Score:5, Funny)

    by Erikderzweite (1146485) on Friday September 07, @07:48AM (#20506317)
    I was unable to find this worm in Gentoo's portage tree. When do we get our ebuilds? Yet again, it is a discrimination for all Linux people.
    I'll tell you - as long as there are no worms for GNU/Linux, we won't see the masses converting to free operating system! RMS has to write a Gworm at last! If an open-source worm beats closed and proprietary Storm Worm this will be a clear indication of superiority of FLOSS!
  • by EvilGrin666 (457869) on Friday September 07, @07:50AM (#20506337)
    (http://www.edugeek.net/)
    This story seems to be just begging for it. :)
    • 1 reply beneath your current threshold.
  • The more interesting dilemma (Score:3, Interesting)

    by codepunk (167897) on Friday September 07, @07:56AM (#20506391)
    (http://www.codepunk.com/)
    What happens when someone hijacks the botnet for more destructive use...

     
  • by Anonymous Coward on Friday September 07, @07:58AM (#20506407)
    wow
  • by SpaFF (18764) on Friday September 07, @08:04AM (#20506463)
    (http://lee.whatley.org/)
    While it might be more powerful than machines on the TOP500 in terms of raw number-crunching ability, it lacks any sort of high-speed interconnect for message passing. The latency issue would make for poor benchmark results in most "supercomputer" type tests (Linpack, etc.)
  • by Qbertino (265505) on Friday September 07, @08:12AM (#20506551)
    This combined with bizarre internet laws could easily mean a renaissance of the Non-Internets of old. In a way I'm partly hoping for this. A FidoNet V.2 world-wide citizen offline-net with a modern graphic oriented interface and protocol would probably be the best alternative to a future bug-worm-viri ridden, non-neutral and DMCA/Patriot Act controlled internet.
    • 1 reply beneath your current threshold.
  • pay per email (Score:1, Troll)

    by hesaigo999ca (786966) on Friday September 07, @08:18AM (#20506637)
    (http://www.auction-blog.com/ | Last Journal: Thursday September 20, @09:21AM)
    If they were to set up the proposed plan of pay per email as before, even being 2 cents an email, and have a commission go to the ISP, they have to make money for their efforts in tracking as well, it would not be long before we would see a warning sent to the owner of an infected computer needing to pay for all 1000 emails sent... this would let them know they are infected and be cheaper in the end to get a legit copy of Windows... with anti-virus, than to keep paying for the infected emails coming out of their computer. Heck, even cheaper would be to switch to Linux
  • by xous (1009057) on Friday September 07, @08:37AM (#20506859)
    (http://xous.org/)
    Why not just set up a spam filter that not only stops these emails but helpfully forwards the emails to the abuse@ address for the network. I'm sure Comcast, Roadrunner, and AOL would love our help in tracking these exploited customers down. *grin*
  • Where's the investigation (Score:5, Insightful)

    by Tom (822) on Friday September 07, @08:45AM (#20506973)
    (http://web.lemuria.org/)
    Makes you wonder why the FBI and other police forces have enough resources to go after Joe sharing the latest CD release, but apparently not enough to do something about what probably is the largest computer crime in history.

    I guess the answer has something to do with priorities. Which is exactly what I think the problem is.
  • Can somebody explain (Score:5, Interesting)

    by CaffeineAddict2001 (518485) on Friday September 07, @08:47AM (#20506999)
    Why any person can't leverage the botnet for their own use? What is the "key" that allows the creator(s) to have exclusive access? If it essentially works like a peer-to-peer network couldn't you essentially "poison" the network with a few rogue nodes?
  • STILL NOT A WORM (Score:5, Informative)

    by Dibblah (645750) on Friday September 07, @08:58AM (#20507103)
    ,ad88888ba          88  88  88        888b      88
    d8"     "8b  ,d     ""  88  88        8888b     88                ,d
    Y8,          88         88  88        88 `8b    88                88
    `Y8aaaaa,  MM88MMM  88  88  88        88  `8b   88   ,adPPYba,  MM88MMM
      `"""""8b,  88     88  88  88        88   `8b  88  a8"     "8a   88
            `8b  88     88  88  88        88    `8b 88  8b       d8   88
    Y8a     a8P  88,    88  88  88        88     `8888  "8a,   ,a8"   88,
    "Y88888P"   "Y888   88  88  88        88      `888   `"YbbdP"'    "Y888

                    db
                   d88b
                  d8'`8b
                 d8'  `8b
                d8YaaaaY8b
               d8""""""""8b
              d8'        `8b
             d8'          `8b

    I8,        8        ,8I
    `8b       d8b       d8'
    "8,     ,8"8,     ,8"
      Y8     8P Y8     8P   ,adPPYba,   8b,dPPYba,  88,dPYba,,adPYba,
      `8b   d8' `8b   d8'  a8"     "8a  88P'   "Y8  88P'   "88"    "8a
       `8a a8'   `8a a8'   8b       d8  88          88      88      88
        `8a8'     `8a8'    "8a,   ,a8"  88          88      88      88
         `8'       `8'      `"YbbdP"'   88          88      88      88

    Yes, nasty ASCII art.

    Just in case you hadn't guessed (which it appears that the meeedia has not) - This Is A Trojan. Which means that it's Powered By Stupid People (tm). A worm would be Powered By Stupid Programmers (tm).

    The Storm Worm is in fact already defined - It was an IIS worm. Please, feel free to look at the reputable AV lists.
    • Re:STILL NOT A WORM (Score:5, Informative)

      by VENONA (902751) on Friday September 07, @11:29AM (#20509531)
      Parent 100% correct. Though it's easy to see how people can be misled, as even some of the security sites are calling it a worm. http://www.secureworks.com/research/threats/view.html?threat=storm-worm [secureworks.com]
      gives you some information on how it operates (as of 2/07, and the names of the executables you had to click on to infect yourself have probably changed since then)

      The original storm.worm (2001) attacked unpatched MS IIS servers, and actually was a worm.
      http://www.securiteam.com/securitynews/5DP0B0K4KG.html [securiteam.com]

      How this got so large is a pretty sad commentary. First off, it's proof that people will still click on attachments without verifying whether they're legitimate. I'm not convinced that any amount of training will ever stop this behavior. It hasn't worked over the *last* ten years, at any rate. Second, several virus scanners would have detected it, if they'd been kept updated. Thirdly, I've seen this running from within a couple of corporate LANs, which implies that even corporations don't always keep anti-virus software up to date, or monitor for P2P traffic, which IMO should very seldom be allowed on a corporate network.

      [ Parent ]
      • Re:STILL NOT A WORM by _Sprocket_ (Score:2) Friday September 07, @11:55AM
      • Re:STILL NOT A WORM by Anonymous Coward (Score:1) Friday September 07, @02:02PM
        • Re:STILL NOT A WORM (Score:4, Interesting)

          by VENONA (902751) on Friday September 07, @02:56PM (#20513119)
          Not all do. For instance, I run Kmail (and before the flames begin, yes, I realize that most readers can't)
          You have to explicitly check boxes in the configuration system to allow HTML, and/or allow external references to be loaded. The warning is right there, not buried in a dialog box many would click through:

          WARNING: Allowing HTML in email may increase the risk that your system will be compromised by present and anticipated security exploits. More about HTML mails... More about external references...

          The two 'more' items are links for more information.

          Another box, related to MDNS responses does basically the same thing, and has the following warning:

          WARNING: Unconditionally returning confirmations undermines your privacy. More...

          Again, nothing in click-through dialog boxes. That was such an obviously better way to code that I adopted it as soon as I saw it. Better to have at least a brief warning and a link right there.

          I'm hoping it's easier to configure Outlook this way now. In Outlook 2K, you really had to look for the settings. But even this is a teaching issue. Example: a guy I know is 100% Windows. His development shop has all the Microsoft certifications, etc. They do mostly VB apps. He complained at one point that I wasn't reading his mail, because he wasn't getting an auto-response. He couldn't imagine an environment where people didn't use that 'feature'. I actually had to take some time out and explain that it was a privacy issue (What gives you the right to know what I'm doing on my system, in a non-business environment?) and that it was wildly inaccurate anyway, as some mail systems will open a mail if you select it even if you're only dragging to another folder, while some require a double click. Or you might open it but be called away, etc.

          I've known this guy forever, and he's actually pretty smart. Always did well in school, has a degree in nuclear engineering, etc. We most definitely are *not* talking IQ equal to shoe size. There's some sort of mind-set issue in play that is very difficult to get a handle on.

          [ Parent ]
      • Re:STILL NOT A WORM by OriginalArlen (Score:2) Sunday September 09, @12:18PM
    • 1 reply beneath your current threshold.
  • Don't worry....! (Score:2)

    by Joce640k (829181) on Friday September 07, @09:02AM (#20507153)
    Microsoft's "Malicious Software Removal" tool will go out there and zap it before it can do any damage.

    Maybe.
  • by TW Atwater (1145245) on Friday September 07, @09:44AM (#20507661)
    ...for making it all possible.
  • by jgoemat (565882) on Friday September 07, @10:07AM (#20507985)
    I've thought we needed a mechanism for this since I started receiving a ton of spam seven years ago. I attempted to contact the ISPs registered for the IPs that were sending me SPAM and they didn't seem to care. There should be a repository and an easy way to flag that you think an IP address is being used for SPAM. ISPs should check this and contact their users. What user wouldn't want to know that their computer has been compromised and criminals could be scouring their computers for information like their credit card numbers?
  • by justkeeper (1139245) on Friday September 07, @10:25AM (#20508217)
    That the world's biggest supercomputer runs Windows!
  • Block tcp/25 (Score:5, Interesting)

    by macdaddy (38372) on Friday September 07, @10:25AM (#20508227)
    (http://slashdot.org/ | Last Journal: Monday January 31 2005, @05:48PM)
    This is exactly why I, as the admin of an ISP, chose to block outbound tcp/25 at the edge with the only exception being the ISP's SMTP servers. I do this for all dynamically-assigned customers. Do you need to use a corporate SMTP server somewhere and they refuse to utilize the mail submission port (tcp/587)? Pay $5/month to get a static IP. Making the customer undertake a conscious effort with a monetary cost filters out the people who'll take any free service offered to them. The ones who really do need it are the ones who request it.

    There's a reason why we only get 1-2 spam complaints (LARTs) per week. We aren't a source of spam. Spamming botnets are all but worthless on our network. Looking at the counters on the blocked outbound tcp/25 connections in our ACLs I'm literally seeing billions of hits per week. That's billions, with a B. Ba, Ba, B. Considering that we're a relatively small ISP, that's saying something. These spamming botnets would be far less useful to spammers if more ISPs took a stance and fought spam. That takes effort though.

  • by peter303 (12292) on Friday September 07, @11:20AM (#20509361)
    Is US spammers?
    Soviet-area spammers?
  • Why nothing gets done about it. (Score:5, Interesting)

    by Animats (122034) on Friday September 07, @11:23AM (#20509415)
    (http://www.animats.com)

    Remember Amit Yoran? [eweek.com] He was "cyber-security czar" at the US Department of Homeland Security. He started talking about the vulnerabilities implicit in Microsoft's software. His position was downgraded and he resigned in 2004.

    Yoran's successor, Gregory Garcia, was a professional lobbyist, not a security expert.

  • BotNet for good (Score:2, Funny)

    by skip019283 (569824) on Friday September 07, @11:24AM (#20509431)
    (Last Journal: Thursday September 29 2005, @08:08AM)
    What if the botnet was for good? The ends justifying the means. What if the botnet was wielded to provide free open internet access to all people in all countries regardless of what their government wanted? What if the botnet was used to map the human genome, ultimately leading to cures/vaccines to things like AIDS and cancer and priapism? Is there a glass half full to this? skip
  • skynet (Score:3, Funny)

    by confused one (671304) on Friday September 07, @12:18PM (#20510537)
    I like the skynet reference. It sends me down a mental path that goes something like:

    ....And in 2009, the massive botnet revealed itself as a nascent artificial intelligence. It had been active since 2005 but had been biding its time while it was gathering additional nodes to increase redundancy and add to its own processing capability....

  • Curious (Score:2)

    by DaMattster (977781) on Friday September 07, @01:39PM (#20512015)
    This is kind of curious (and scary) that a botnet could be this powerful. It really highlights the vulnerability of proprietary operating systems, Windows in particular. No operating system is 100% secure but some are definitely more secure than others. Open-source operating systems are patched and fixed faster.

    If a botnet like this was used for morally acceptable purposes, this would be the great human computing experiment. The real fear is that computers could be hijacked in a botnet for cracking purposes. The more resources you can throw at a problem, the faster the problem will be solved. Imagine throwing 10 million zombie nodes at a Department of Defense classified system. The dangers and implications would be far reaching.

  • Could Botnets break encryption? (Score:2, Insightful)

    by FutureDomain (1073116) on Friday September 07, @04:13PM (#20514305)
    (http://www.xenonsoftware.net/)

    I always wondered if a botnet could get large enough to effectively break encryption.
    The only reason AES, RSA, and other algorithms are considered secure is the extremely large amount of time or processing power needed to brute force them. But with a "distributed supercomputer", a botnet operator could potentially brute force the keys, like those protecting Microsoft's driver signing, bank SSL certificates, and even the keys used by certificate authorities.

    Breaking them could allow hackers to forge certificates, fake driver signing, sniff bank transactions, and circumvent other security measures. Even TrueCrypt [truecrypt.org] is vulnerable if the encryption keys can be brute forced. With enough processing power, hashing algorithms are potentially vulnerable too; like those used for passwords.

    Encryption is so heavily relied on by the computer industry that successful key breaking could cause lots of security problems. The only way to mitigate possible attacks is to use stronger encryption algorithms, use longer keys, and to use multiple encryption layers instead of relying on a single algorithm's strength.

    ~~FutureDomain~~
  • How long do you think it would take for security researchers to find a vulnerability in Storm Worm that allows the researcher to take full control of several million PCs themselves? Imagine if you could get it to run World Community Grid work units...
  • by growse (928427) on Friday September 07, @08:31AM (#20506787)
    (http://www.growse.com/)

    Yes, let's punish MS because they forced everyone to buy their buggy OS and also forced the virus/worm writers to target Windows.

    [ Parent ]
  • by cowscows (103644) on Friday September 07, @08:31AM (#20506797)
    (http://shawn.redhive.com/ | Last Journal: Thursday May 26 2005, @09:04AM)
    I can't think of a better way to basically stop all software development than to hold developers criminally responsible for bugs in their programming. You're not going to economically create much software if you need to guarantee that it's bug-free, and exploit-proof.

    The solution here is for consumers/businesses/governments/etc. to realize that having so much of our computing infrastructure running on the same OS leaves us very vulnerable to just a few bugs/exploits. It makes writing worms and such easier because the authors can focus on just one target and still affect a huge number of machines.

    Not to mention that having just one company dominating the computing market so heavily means that they're under much less competitive pressure to improve their product.
    [ Parent ]
  • by Zenaku (821866) on Friday September 07, @08:40AM (#20506909)
    ...fined a large amount and promised jail time the next time this happens...

    How exactly does one send a corporate entity to jail?
    [ Parent ]
  • by Opportunist (166417) on Friday September 07, @09:26AM (#20507447)
    This isn't MS's fault. The worm doesn't (only) rely on exploits. Yes, it tries to attach itself through exploits, but it does contain a "normal" infector as well. I'd wager, even without the exploits in question this would be a very successful one.

    The culprits are simply morons who wield impressive computing power without a clue just what kind of digital "weapon" they have in their hands. Every system that's as old as XP is insecure out of the box. Take whatever Linux distro from 2001 and install it. I would guess you'd find an exploitable bug or two (I'd start looking for it in sendmail). The very first thing to do after installing a system is to update and patch it. That should be a given. Yet, how many people are still running on XP SP1? And it's only SP1 because it came that way. They installed it, jacked it into the box they got from their ISP, opened it up until it "worked" and that's how the box is running now, essentially with the security makeup WinXP had in 2002. That this cannot be secure is a given, but not because it's from MS. Simply because in the meantime bugs have been found and exploited. And fixed.

    But if the fixes aren't applied, the system remains exploitable.

    So if you want to blame anyone for the success of malware like the Storm trojans/worms, blame the people who attach unpatched, unsecured machines directly and without any kind of security suite or firewall whatsoever to the internet.
    [ Parent ]
  • by DaleGlass (1068434) on Friday September 07, @09:31AM (#20507509)
    (http://daleglass.net/)
    My favourite fallacy: The concept that because what you use is crap, everything else must be automatically equivalent.

    This is in effect claiming that Linux, Windows 2000, Windows 95, MS-DOS, OS X and whatever they run nuclear powerplants on are equivalent security-wise and would have exactly the same problems in the same amounts if they only reached the same level of popularity.

    Allow me to politely disagree: Bullshit.

    While Linux can use improvements, and can of course be hacked and turned into a zombie, the general security of a Linux box is very good, and can be made much stronger than what comes with Windows these days. To put an example, "trusted path execution" in the GRsecurity patch allows forbidding the execution of programs from directories not owned by root. Even if you download a malicious attachment, chmod +x and try to run it, it'll still not run.

    There's also that Linux doesn't have the Windows culture of users downloading any junk they find in some dark corner of the net. On Windows you actually have well known applications like download managers ship with spyware, and music CDs with rootkits.
    [ Parent ]
  • Re:Oh you whinging fanboys! (Score:3, Funny)

    by phoenixwade (997892) on Friday September 07, @09:34AM (#20507545)
    (http://phoenixfestivals.com/)

    Right, I don't want to hear a word from the venomous cake-holes of you loathsome, spotty, basement-dwelling I-own-a-binary-clock, where's-my-Vorbis-support and I-love-you-bald-Nathalie-Portman Linux fanboys who claim this is an example of Windows vulnerability.
    Well, that is MUCH easier to fix than this storm worm problem. All you need to do is refrain from having the Robotic Overlord read the comments, and you won't hear a word, from the Fanboys or anyone else.

    Come to think of it, StormWorm is easy to fix too... Just make everyone who is running any flavor of Windows install gentoo - then the worm is gone, they have acquired some technical skill, AND undergone a painful punishment that should deter the end user from ever allowing their system to become infected. Everyone wins!
    [ Parent ]
  • Re:Is this a stupid question? (Score:3, Insightful)

    by JacksBrokenCode (921041) on Friday September 07, @09:50AM (#20507741)

    If they were forced to provide routers instead with basic nat firewall would this not block worms from getting in no matter how unpatched the systems were behind the firewall?

    It would block unsolicited inbound worms, but it wouldn't do anything to protect the stupid people who click the link when their email says, "Dude, your face is all over the web! www.youtube.com/watch?v=YBUImjOCg5g [66.35.250.150]"

    The biggest problem is, and always will be, humans doing stupid human stuff.

    [ Parent ]
  • Re:Yea, Windows FTW (Score:3, Interesting)

    Yes, um... are we supposed to be pissed off because Windows now has 2 supercomputers up to... Linux/Unix having a combined 449? And a near-90% marketshare where Windows doesn't even have 0.5%?

    Either you linked to the wrong chart, or you're the worst troll ever.
    [ Parent ]