Worms Security

Storm Worm Rising (218 comments)

The Storm worm has been an increasing problem in the last few months, but a change in tactics may mean something big is about to happen. The article gives some back story on the worm, including the somewhat frightening numbers on the millions of spam emails carrying the worm payload. They estimate between a quarter of a million and a million infected systems usable for spam or DDOS attacks.
  • worth worrying about (Score:4, Interesting)

    by esconsult1 ( 203878 ) on Wednesday August 08, 2007 @11:41AM (#20157393) Homepage Journal
    As the publisher of two fairly popular websites, this is something to worry about. Recently all our sites spread across a few dedicated servers in one data center were down. Not because of a direct DDOS attack, but because of a peripheral attack which swamped the network infrastructure at the center. Really, if these guys decided to do more frequent DDOS attacks, anyone could be a target and calling the FBI is cold comfort since in the meantime your sites are down and out.
  • by Novae D'Arx ( 1104915 ) on Wednesday August 08, 2007 @11:47AM (#20157481) Homepage Journal
    I dunno - maybe this is what we need ~ a botnet big enough to do some real damage could actually catalyze some public awareness. Imagine if they DDoS'd MS, or Amazon, heck, Google? Maybe these guys (esp. Google) could handle this kind of slamming, but they've got lobbyists now. I really wouldn't mind seeing a well-funded FBI task force with the express purpose of rooting out botnets and going after their creators. Yeah, yeah, most of them are not on US soil. I know. However, imagine legislation that actually required the disconnection of infected bots from an ISP until it was cleaned, and a public awareness campaign that painted users who allow this to happen as idiots, and the ISPs as protectors of the rest of the internet users. Most people are concerned that there would be a backlash against the ISPs and they would stop complying for fear of loss of business, but that's where the legislation comes in. It's a quarantine situation - just like IRL, if you've got something nasty and contagious, the CDC can legally quarantine (forcibly, if you're an idiot like the TB guy) you because you're endangering the lives of others by going out and exposing them. Same thing here - don't give the botnets a chance to expand, cut them off, force a windows-cleaning (ISPs could offer a cleanup disk, $5.95 plus tax, or something, to help make it worth it for them - don't want to hurt the small ISPs, even though I think TW and the rest are bastards), and let them reconnect afterwards. Simple, painless, and will definitely make sure people learn their lesson for next time.
  • Re:NO! (Score:4, Interesting)

    by dr_strang ( 32799 ) on Wednesday August 08, 2007 @11:55AM (#20157611)
    Try password protecting your zip file.
  • Re:NO! (Score:2, Interesting)

    by LiquidCoooled ( 634315 ) on Wednesday August 08, 2007 @11:58AM (#20157651) Homepage Journal
    Actually, if they are clever enough to scan the zips, maybe they could be clever enough to just filter the exes out leaving the rest.
    It annoys me as well; the number of zips I have lying around called .aaa, .abc, .bmp because of this is stupid.

    Maybe - just maybe - google could consider allowing zips to account users who have specified it as a preference (default block as currently occurs).
  • Catalyst for change? (Score:4, Interesting)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday August 08, 2007 @12:02PM (#20157719)
    Let's look at DDoS attacks.

    #1. Spoofed IP addresses - not that common anymore. It used to be that you'd tie up a machine by having it send replies to machines that did not initiate the connection. There is a simple solution to this. Anyone assigned a block of IP addresses has to make sure that all outbound traffic references IP addresses on that block.

    #2. Thousands of machines eating up your bandwidth - the most common type now. This is where the zombie army each makes continued requests of your machine. For webservers, they can request a page over and over and over until they use up all your bandwidth and legitimate visitors cannot get through. This is more difficult to fix. It can partially be handled by blocking the range of addresses that host the zombies. Such as Comcast and Verizon and so forth. There are more complicated attacks. Such as sending half a request.

    There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.
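As an added example (not code from the thread or from any poster), here are defender-side checks for the two DDoS categories khasim lists: a border filter that drops outbound packets whose source is outside the network's assigned block (the fix given for #1), and a per-client request-rate detector over web-server log lines for the "request a page over and over" case in #2. All addresses, the prefix and the log lines are constructed from the RFC 5737 documentation ranges; the "half a request" variant is not covered here.

```python
# Added example (not from the Slashdot thread): defender-side checks for the
# two DDoS categories described above. Addresses, prefixes and log lines are
# constructed from the RFC 5737 documentation ranges.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- #1: spoofed sources, countered by filtering at the border ---------------
# Constructed: the address block this network was assigned.
ASSIGNED_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# Constructed outbound flow records as (source, destination) pairs.
OUTBOUND_FLOWS = [
    ("198.51.100.10", "203.0.113.5"),
    ("198.51.100.22", "203.0.113.9"),
    ("192.0.2.77", "203.0.113.5"),    # source not in our block: spoofed
    ("10.0.0.4", "203.0.113.5"),      # private source leaking out: spoofed
]


def egress_violations(flows, prefix=ASSIGNED_PREFIX):
    """Source addresses the border router should drop because they are not
    inside the prefix this network is allowed to originate traffic from."""
    return [src for src, _dst in flows
            if ipaddress.ip_address(src) not in prefix]


# --- #2: zombies requesting the same page over and over ----------------------
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def log_line(ip, when, req="GET / HTTP/1.1"):
    """Build one combined-log-format line (constructed sample data)."""
    return f'{ip} - - [{when.strftime(TS_FMT)}] "{req}" 200 512'


def build_sample_log():
    """Constructed access log: one zombie fetching the front page five times
    a second for eight seconds, plus three ordinary visitors."""
    base = datetime(2007, 8, 8, 11, 41, 0, tzinfo=timezone.utc)
    lines = [log_line("203.0.113.5", base + timedelta(milliseconds=200 * i))
             for i in range(40)]
    for i, ip in enumerate(["198.51.100.8", "192.0.2.30", "192.0.2.31"]):
        lines.append(log_line(ip, base + timedelta(seconds=i)))
    return lines


def parse_log(lines):
    """Yield (client_ip, timestamp) for each parseable log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)


def flooding_sources(lines, window=timedelta(seconds=10), threshold=30):
    """Map each client IP whose request count inside any `window` reaches
    `threshold` to that peak count, using a sliding window over sorted times."""
    per_ip = defaultdict(list)
    for ip, ts in parse_log(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print("spoofed sources to drop:", egress_violations(OUTBOUND_FLOWS))
    print("flooding clients:", flooding_sources(build_sample_log()))
```

The prefix check is what a router's egress filter does per packet; the rate detector is what a log-monitoring job or reverse proxy would run to pick which client ranges to block, with `window` and `threshold` tuned to the site's normal traffic.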
  • by NickFortune ( 613926 ) on Wednesday August 08, 2007 @12:03PM (#20157721) Homepage Journal

    No. "The silent majority" believe that this is the way computers just "work".

    More accurate, perhaps, to say that they think this is just the way computers don't work.

    There was a program on last week where they had a collection of self proclaimed grumpy old women listing things they hated about computers - and you know what? Every single complaint was not about computers per se, but about Microsoft software.

    There's got to be an opportunity in there somewhere for the FOSS movement. Imagine if we could convince the "I hate computers" brigade that what they mainly hate is Microsoft ...

    With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

    That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.

  • by bzipitidoo ( 647217 ) <bzipitidoo@yahoo.com> on Wednesday August 08, 2007 @12:14PM (#20157921) Journal
    Yesterday, a non-expert computer user I know sent me an email warning about emails with "postcard for you" in the subject being a carrier for the "worst virus ever". It could erase your entire hard drive!!! The histrionics convinced me it was bogus, so I blew it off. But seems there is something going on after all? That email now looks like it was deliberately timed and edited to ride the next wave of panic.
  • Military? (Score:5, Interesting)

    by wytcld ( 179112 ) on Wednesday August 08, 2007 @12:25PM (#20158081) Homepage
    It's well-known that the Chinese government has an active computer warfare department. A botnet on this scale is way beyond anything needed for mere industrial blackmail. But if you wanted to bring down large chunks of some nation's Internet quickly, without the attack coming from an obvious (and blockable) source, this would be a great weapon. Let's say you wanted to disable the Internet in Taiwan, or South Korea, or Japan, or all three, just prior to military action. Or let's say you wanted to disrupt financial markets to be sure that your intentional crashing of the dollar [telegraph.co.uk] had maximal effects.
  • by Gazzonyx ( 982402 ) <scott,lovenberg&gmail,com> on Wednesday August 08, 2007 @12:30PM (#20158147)

    Now I've got your attention worm style, click this link for more information:

    http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]
    I'm interested in something from that wikipedia article; it mentions that the source code to storm specifically avoids infecting Windows Server 2003 boxes. Anyone know why the author would go out of his way to not hit 2K3 boxes?

    Perhaps to avoid infecting government servers (and upping the ante, if he got caught)? That's the only thing I could think of. I'm sure there's a very logical reason, but I have no idea what it might be.

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday August 08, 2007 @12:33PM (#20158201)

    I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet, which they use only to check mails from the kids/grandkids, has been hijacked by a worm that they never heard about and now they have to pay fines to cover damages. I mean, other than the whole aww factor, this plan will work.

    Why wait?

    Why not take a few pro-active measures? Such as emailing all your clients with the new rules and offering to assist them in evaluating their systems ... automatically?

    Hell, I personally consider myself a higher end user and I don't even know what the most popular/newest worms out there are.

    Why would you need to know about the newest worms? The focus should be on the security of the system.

    A default installation of Ubuntu does not have any open ports. It is immune to all worms except anything that might attack the TCP/IP stack itself.

    It's still susceptible to trojans, but even those can be mitigated.

    And it is easy to check most Linux distributions with a Live CD. So the idea is to limit the possible avenues of attack and have a system in place so that successful attacks can be recognized and removed.

  • Had this show up (Score:3, Interesting)

    by sanjacguy ( 908392 ) on Wednesday August 08, 2007 @12:39PM (#20158305)
    We had this show up in our infrastructure. All the emails were this:

    Hi. Worshipper has sent you a greeting card.

    See your card as often as you wish during the next 15 days.

    SEEING YOUR CARD

    If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

    http://682.81.0.23/?9907cd64e28cae3d7703a3b01bda de (Poster's note: This URL has been altered to protect the rampant mad clickers amongst us)

    Or copy and paste it into your browser's "Location" box (where Internet addresses go).

    We hope you enjoy your awesome card.

    Wishing you the best, Administrator, americangreetings.com
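As an added example (not code from the thread or from sanjacguy), here is a mail-gateway style check for the lure reproduced above. It tests two traits of that message: text promising a greeting card or postcard, and a link whose host is a bare IP address or does not belong to the domain the message claims to come from (the signature says americangreetings.com). The message body is constructed after the post; the IP is from the RFC 5737 documentation range, standing in for the poster's altered address, and the query string is a placeholder.

```python
# Added example (not from the Slashdot thread): flag "greeting card" lure
# e-mails whose link host is an IP literal or is outside the claimed domain.
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s"<>]+')
LURE_PHRASES = ("greeting card", "postcard", "sent you a card", "see your card")

# Constructed after the post; the address and query string are placeholders.
SAMPLE_EMAIL = """\
Hi. Worshipper has sent you a greeting card.

See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

http://192.0.2.23/?card-id-placeholder

Or copy and paste it into your browser's "Location" box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best, Administrator, americangreetings.com
"""


def extract_urls(text):
    """Return every http(s) URL found in the message text."""
    return URL_RE.findall(text)


def host_is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_in_domain(host, domain):
    """True when host is the claimed domain or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess_email(body, claimed_domain):
    """Return the findings for a message that claims to come from
    `claimed_domain`; each finding tag appears at most once, in order."""
    findings = []
    if any(p in body.lower() for p in LURE_PHRASES):
        findings.append("lure_phrase")
    for url in extract_urls(body):
        host = urlparse(url).hostname or ""
        if host_is_ip_literal(host):
            tag = "ip_literal_url"
        elif not host_in_domain(host, claimed_domain):
            tag = "host_mismatch"
        else:
            continue
        if tag not in findings:
            findings.append(tag)
    return findings


def should_quarantine(findings):
    """Quarantine when a lure phrase is paired with a suspicious link."""
    return "lure_phrase" in findings and (
        "ip_literal_url" in findings or "host_mismatch" in findings)


if __name__ == "__main__":
    found = assess_email(SAMPLE_EMAIL, "americangreetings.com")
    print(found, "quarantine:", should_quarantine(found))
```

A real gateway would take the claimed domain from the From header rather than the signature line, but the pairing of a lure phrase with a link that does not go where the message says it does is the same decision either way.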
  • Re:Cool (Score:4, Interesting)

    by Overzeetop ( 214511 ) on Wednesday August 08, 2007 @02:04PM (#20159663) Journal
    Do you realize the kind of productivity spike we could get if the 'net was down for, say, a week? One day would be lost to people trying to get back up, admittedly, but then we'd all just start doing work, checking the 'net connection more and more infrequently. After a week, we'd probably run out of work on our desks that didn't need internet lookups, though most of us still have paper catalogs around so it wouldn't be a total loss. Faxing would get popular again, as would phones and voicemail...but no outside IM and email to deal with.

    I'm going to call it a net win for productivity and business in general. Which means that it's most likely that big business is behind the internet shutdown...and the Storm worm.

    Shit, where'd I put that damned tinfoil hat...
  • by GlL ( 618007 ) <gil@@@net-venture...com> on Wednesday August 08, 2007 @02:14PM (#20159873)
    I work for a small ISP in Tacoma, WA. We tried selling a cleanup disk. It didn't work because a $9.95 disk cost us 1 hour of phone support per computer on average. The reality is that most of our customers who get infected aren't technically savvy enough to install and run anti-malware software. We now have a flat-rate tech bench fee of $89 to clean up the computer. We still lose money on the deal, but not as much.
    What technically minded people in general forget is that most users want their security solution to "just work" with as little contact from the end user as possible. If I were to ask my customers when their AV expires, the answer I would get would be either "I don't know." or "I think I saw a little window pop-up saying something about that." or my favorite "I got rid of that cause it was making my computer run slow."
    Now, to speak to the first part of your post, I can guarantee you that there will not be a DDOS against the big sites who have lobbyists. You may ask why, and here is my reasoning:
    1) Worms are used primarily for making money.
    2) Actions that threaten revenue streams are bad.
    3) People with lobbyists can threaten a botnet owner's revenue stream.
    4) Because of that a botnet owner will avoid attacking people who can threaten their revenue stream.
    Even though it is an illegal business, it is still a business, so it will do whatever it deems necessary to ensure its profit.
  • by NickFortune ( 613926 ) on Wednesday August 08, 2007 @03:36PM (#20161189) Homepage Journal

    Such as what?

    The usual stuff. Clippy, Outlook, "you appear to be writing a letter", Word's grammar checker... that sort of thing. Nip over to annoyances.org and you'll find a hundred or so examples.

    And alternatives that don't run the software people want won't function as alternatives.

    Oh do behave. That argument might fly for specialist drafting or accountancy software, but not here. For the market segment under discussion, all people want is a browser, a word processor, something to check their email. Maybe an instant messenger if they're a bit advanced.

    And something like Ubuntu can do all that quite nicely, thank you.

  • by NickFortune ( 613926 ) on Wednesday August 08, 2007 @04:16PM (#20161761) Homepage Journal

    Soylent gre^W^W Strategies is people!

    And all of them so very tast^Wdifferent, too! :)

    Convincer strategies was something they told us about on a training course I went on a while back. A convincer strategy is what has to happen inside someone's head before they accept a given proposition as being true.

    So, one person's convincer strategy might be that he needs to hear it a certain number of times (and all you need to do is keep on at them) while someone else might need to try it for themselves. Some people need to hear it from someone they consider an authority, and ... well you get the idea. I'm told this is something that good salesmen are very aware of.

    So, in the context of switching away from Microsoft, some people out there are going to (say) need 99 virus infestations before they say "enough!", and some of them are currently on number 98. Some of them are going to need to have four or five friends switch first before they consider it seriously; some of them are going to need their fave tech blogger to switch and write it all up... to suggest that everyone who is going to switch has already switched ... is wishful thinking at best.

    Sorry to follow up a joke post with a serious one - it just occurred to me that I hadn't explained that part at all.
