Storm Dismantled at USENIX LEET Workshop

Posted by Zonk on Thu Apr 17, 2008 06:36 PM
from the is-that-like-1337-leet dept.
An anonymous reader writes "The USENIX LEET workshop held earlier this week in San Francisco offered neat insights into the Storm botnet, including two papers showing the difficulty of accurately measuring the botnet's size, and one on the way it conducts its spamming campaigns (down to the template language used). There was a bunch of other cool work too, so check out the papers."

  • by nweaver (113078) on Thursday April 17 2008, @06:41PM (#23111888) Homepage
  • Nifty (Score:5, Insightful)

    by locokamil (850008) on Thursday April 17 2008, @06:52PM (#23111994) Homepage
    After reading the article, I'm impressed by both the ingenuity of the researchers in infiltrating the network, and also by the skills of the malware writers. Engineering a DHT-based network is no trivial matter, and the fact that people out there went through the trouble of creating one implies that the payoff must have been commensurate to the effort involved.

    Scary.
    • Re:Nifty (Score:4, Insightful)

      by Pig Hogger (10379) <pig DOT hogger AT gmail DOT com> on Thursday April 17 2008, @07:23PM (#23112216) Homepage Journal

      After reading the article, I'm impressed by both the ingenuity of the researchers in infiltrating the network, and also by the skills of the malware writers. Engineering a DHT-based network is no trivial matter, and the fact that people out there went through the trouble of creating one implies that the payoff must have been commensurate to the effort involved.
      Given how the "legit" private sector treats its employees like shit (layoffs, outsourcing, PHBs, etc.), it's no surprise that there is no shortage of disgruntled employees who will gladly write malware for a good payoff or simply for revenge.
    • Re:Nifty (Score:5, Interesting)

      by plover (150551) * on Thursday April 17 2008, @09:27PM (#23113064) Homepage Journal
      Then you should be impressed by the right people, like Enzo Michelangeli, who wrote the KadC [sourceforge.net] DHT library that the storm worm authors used.

      Sure, these guys are somewhat clever, but they're not the real geniuses behind the technology.

      And yes, the researchers did a great job, too. It's not easy picking unknown protocols apart!

    • These are serious computer scientists. You can tell because they write their pseudocode in a variant of Algol [wikipedia.org].
  • by Fluffeh (1273756) on Thursday April 17 2008, @06:55PM (#23112020)
    I hate spam and what botnets do as much as the next fellow, to the point where I stopped checking email on a regular basis from a few accounts due to the insane amounts of spam I got, but I still have to admire the sheer beauty and audacity of putting together such a living thing. If only they could find a useful (even semi-legit) purpose for harnessing so much computing power.
    • to the point where I stopped checking email on a regular basis from a few accounts due to the insane amounts of spam I got
      Are you able to set up SpamAssassin for any of those accounts? (It can even run client side through some email apps.) I've been using it for a while now and on a fairly dense setting (level 2) it gets practically all of my spam, and still lets the good stuff through.
    • by Anonymous Coward on Thursday April 17 2008, @07:09PM (#23112116)
      I think we should take over the botnet and use it as a spam filter. That would be semi-legit, right?
    • I get 3 spams per day in my inbox, and my email address is in Google from unscrubbed UNIX mailing lists. My Spam folder is a mess, but I rarely have to do much there.

      +1 on the other poster regarding SpamAssassin. I maintain a server install of it and it rocks. If you are a user, you can still run RBL checks on email (header parsing), and URIBL gets rid of tons of Google-hosted (Blogspot) spam.

      Now, the SA ruleset is good (organization could be better from a developer perspective... lots of overlapping rules
    • If you start by hacking into somebody's computer and stealing both CPU time and network bandwidth, you've already lost any legitimacy, no matter how you use the resources you've stolen. But yeah, these botnets are an impressive achievement.
  • by Anonymous Coward
    Does this run on Linux?
    • It's good to study zombies before the dawn of the dead (when all Windows boxen are part of some botnet), because they affect Unix boxen via the 'net
  • misnomer? (Score:5, Informative)

    by B3ryllium (571199) on Thursday April 17 2008, @07:07PM (#23112102) Homepage
    Is "dismantled" really the right word? Shouldn't it be "vivisected", since the botnet is still running?

    Dismantled implies that it's shut down. Last I heard, it was still running, and sub-botnets (tropical depressions?) were being sold. Botnet franchising, if you will.
    • That's the first thing I thought of, too. Vivisected is a cool word, or something more mundane like dissected being as it wasn't really "alive" to begin with.

      But hey, why let a little thing like clear communication force you to do boring things like "learning" and "reading". It's much more fun to throw random semi-related words together with meanings that aren't what you're actually trying to say.

      The ironing is delicious.
      • Well, it's capable of communication ... and it's constructed sort of like a neural network. If it gains sentience, the term will apply.

        However, since it hasn't yet, perhaps I should have used a calmer and more rational word, such as "analyzed".

        It doesn't have the same visceral impact as "vivisected", but it makes up for that by being both academic and explanatory - unlike "dismantled", which makes it sound like it has a cameo in WALL-E.
  • "... With Your Humongous New Cock." (actual subject header of spam email received)

    Seriously, we haven't had this kind of inspired ribald poetry since William Shakespeare.

    I say bring it on, we need the spam entertainment.

    SAVE THE BOTNET - SPAM IS ART

    In cheap meat, there is poetry

  • by symbolset (646467) on Thursday April 17 2008, @07:53PM (#23112460) Journal

    We used different releases of three web browsers, resulting in a total of eight different browser versions. The results indicate that Storm exploits only web browsers with a specific User-Agent, a HTTP request header field specifying the browser version. If this header field specifies a non-vulnerable browser, the malicious server does not send the exploit to the client. However, if the client seems to be vulnerable, the server sends between three and six different exploits for vulnerabilities commonly found in this browser or in common browser-addons. The goal of all these exploits is to install a copy of the Storm binary on the visitor's machine. We observed that the actual exploit used in the malicious Web sites is polymorphic, i.e., the exploit code changes periodically, in this case every minute, which complicates signature-based detection of these malicious sites.

    So... three guesses what user-agent it's looking for.
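    The User-Agent gating and once-a-minute polymorphism quoted above are exactly what a honeyclient can turn into a detection signal instead of a byte-level signature. The following is an added example, not code from the paper or from this post: it requests one URL under several User-Agent strings, hashes each body, and reports whether the content is UA-conditional and whether it changes between back-to-back fetches. The server function, the User-Agent strings and the URL are constructed stand-ins, not the real Storm hosts.

```python
import hashlib
import itertools
from typing import Callable, Dict, List, Tuple

# Constructed User-Agent strings standing in for the several browser
# versions the researchers tried; values are illustrative only.
USER_AGENTS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20080201 Firefox/2.0.0.12",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X) AppleWebKit/523.10 Safari/523.10",
]

Fetcher = Callable[[str, str], str]  # (url, user_agent) -> response body
_serial = itertools.count()          # drives the simulated polymorphism

def simulated_storm_server(url: str, user_agent: str) -> str:
    """Constructed stand-in for the behaviour the paper describes: a
    harmless page for non-targeted User-Agents, and a script whose bytes
    differ on every fetch for the one UA it considers vulnerable."""
    if "MSIE 6.0" not in user_agent:
        return "<html><body>Welcome to my video page</body></html>"
    junk = f"{next(_serial):08x}"  # changes per request, like the minute-level rotation
    return f"<html><script>/*{junk}*/ payload();</script></html>"

def benign_server(url: str, user_agent: str) -> str:
    """Constructed control: identical content for every UA and every fetch."""
    return "<html><body>Welcome to my video page</body></html>"

def probe(fetch: Fetcher, url: str, agents: List[str], repeats: int = 2) -> Dict[str, List[str]]:
    """Fetch `url` under each User-Agent `repeats` times; return SHA-256
    digests of the bodies keyed by User-Agent."""
    return {
        ua: [hashlib.sha256(fetch(url, ua).encode()).hexdigest() for _ in range(repeats)]
        for ua in agents
    }

def classify(digests: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """Two defender-side signals from a probe:
    - ua_conditional: the same URL serves different content to different UAs;
    - unstable: UAs whose body changed between back-to-back fetches, which is
      what makes a static content hash useless as a signature here."""
    ua_conditional = len({d[0] for d in digests.values()}) > 1
    unstable = [ua for ua, d in digests.items() if len(set(d)) > 1]
    return ua_conditional, unstable
```

Run against a real host, `probe` only needs a `fetch` that wraps an HTTP client and sets the User-Agent header; the two signals are independent of what the served script actually contains.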

  • by Schnoodledorfer (1223854) on Thursday April 17 2008, @08:30PM (#23112690)
    How about this one: Designing and Implementing Malicious Hardware [usenix.org]? Now that people are figuring out how to deal with Storm, we may have to start worrying about bogus ICs that will be designed to allow your computer to be compromised easily. Damn! Interesting, though. It was awarded "Best Paper".
    • The primary obstacle I see with their "malicious hardware" design is that of the actual malicious hardware creation. They create an FPGA processor that they can use to steal shadow password files, but are most modern processors purchased by most individuals or organizations able to be reproduced with FPGAs? Perhaps in the intermediate to distant future, but if you can't fake a new Intel or AMD chip, your targets seem limited...
  • by illama (1275186) on Thursday April 17 2008, @10:57PM (#23113600)
    FTA:

    Second, Storm synchronizes the system time of the infected machine with the help of the Network Time Protocol (NTP). This means that each infected machine has an accurate clock.
    See, it's not all bad!
    • Kill us all by destroying the Internet? But I learned last night that when the Internet stops working, everyone will just head out the Californee way.