Storm Botnet Is Behind Two New Attacks
We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.
Re:How does the infection spread? (Score:2, Informative)
If that doesn't work, they usually bring up a page saying something like 'If you are seeing this message, please download our secure login software', along with a link.
I'm surprised they even try something as obvious as this, but I assume that it works to some extent, based on the fact that I'm still getting the spam.
Re:Ha! (Score:4, Informative)
This kind of hubris is what can make OS X/Linux/whatever a zombie just as fast as anything else out there.
I guess you never heard of the old sendmail worm, PHP-based exploits, etc. etc.
If you do no work to ensure your OS is as tight as necessary, regardless of what that OS is, you will leave yourself open to being improperly utilized as a system.
-r
Windows is inherently less secure (Score:5, Informative)
If that was the case, then why are Microsoft applications (like IIS) more often compromised than non-Microsoft applications even in areas where Microsoft is NOT dominant?
Windows is inherently less secure than most of the competition in a number of ways.
1. The Microsoft HTML control's use of ActiveX is inherently insecure and can not be fixed without breaking every application that uses the HTML control.
1a. This insecure design was deliberate and Microsoft fought the Justice Department to a standstill rather than change or replace it.
2. Windows requires a number of insecure services to run to perform routine operations.
2a. There is no way to force these services to be run local-only without using a firewall.
2b. This means that Windows Firewall has to be used to secure Windows to the same degree as a UNIX based system WITHOUT a firewall.
3. Windows document formats are still based on serialized COM objects. It's even possible for them to include serialized COM objects in XML files.
3a. Serialized COM objects can refer to or even contain insecure code that can be used for an attack.
The idea that any one of these three issues and their consequent corollaries is accepted boggles my mind. The idea that they're defended by the claim that the only reason Windows is more often compromised is that it is more common... I cannot conceive of the confusion in the mind that would lead to such a conclusion.
Re:Arggg! (Score:2, Informative)
This is what I'm talking about. The entrance barrier is much lower, and the users of Windows are more likely to be gullible enough to fall for these kinds of tricks. But don't fool yourself into thinking UNIX/Linux are somehow inherently "more secure," save for the fact that most distributions don't enable useless services by default any more. I have seen very large botnets involving BSD/Linux machines before too, and these are very devastating (e.g. the 8Gbps attack on eBay/CNN/Yahoo -- which was a stacheldraht net maintained by the "49ers" EFNet takeover group, if I recall). Some of these consisted of somewhere in the neighborhood of 5,000 machines. That was probably 6-7 years ago.
* Contrary to what the first article said, an attack from a single source is not necessarily 'easier to deal with' than a multi-sourced attack:
This is only true for weak attacks that aren't sufficient to kill the upstream. If the upstream router goes, it doesn't matter. You can't filter (which seems to be what they're implying by saying a single source attack is less effective) an attack when it's saturated the entire link.
And even if the attack is relatively weak, the single host may be able to spoof its source address. Randomized addresses would be even more difficult to filter. Of course, ratelimiting isn't out of the question, in either case.
Most times, botnets today are comprised of cable modems / DSL connections on Windows machines, which might get you 100KB/s upstream per node at the most (there are exceptions). Average is probably 256Kbps today. This doesn't result in a lot of bandwidth. Of course, some of my friends back then did use DDoS networks, like stacheldraht, trinoo, and tfn2k. These were also used on high bandwidth servers, which could be a VERY big problem -- much different than the scenario of Windows machines on cable modems.
Personally, I would use about 10-15 machines to perform an attack at the most. A couple of machines had 100Mbps or fiber uplinks to OC-3s. I got just under 20MB/s for a couple of hosts in South Korea. I suspect these were on OC-3s. There was a large problem, back then, with networks in eastern Asian countries being notorious for their insecurity. Netscan.org, when it was around, largely consisted of incorrectly configured broadcast networks in Japan and South Korea, if I recall correctly. Smurf (as well as THC) was a fairly big attack then. I used it a few times, but, at others, I would just use stream or something else on a few single hosts. I don't really remember the program I used most. But I could reach about 500-800Mbps of bandwidth, and this was probably from 1998-2001, and maybe 2002.
This would probably be different now. The climate is
Re:Arggg! (Score:1, Informative)
A lot of people are talking out of their ass these days when it comes to Win9x. Have you actually verified what you wrote? I don't think so, because Win9x by default does NOT open ports! No, not even NetBIOS! Win95, by default, doesn't even install TCP/IP.
Re:It's not just windows they're exploiting... (Score:5, Informative)
As for xhost, you can get a free account [xhost.ro] too.
Make sure you run logwatch and logrotate and md5 the logs when they rotate (and rotate frequently, like every minute). Then store the checksum somewhere innocent after rotating. Have logwatch automatically check the checksums on all existing logs and report on that also. hosts.deny everything but your own personal IP address (in hosts.allow) on all ports except those you need to do business. SSH ONLY, don't use telnet or other unencrypted connections. Don't allow root to connect from SSH. Don't allow su from ssh (if possible). Compile your own stuff (including your compiler), never run binaries. Use shadow passwords. Put all of your binaries on a read-only mounted partition, with
Most of this is duh stuff and easy to do, and you should have it written in your procedures for building a new box. I believe the NSA has some guidelines also.
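The "rotate, checksum, re-check" part of the comment above, written out as an added POSIX shell example; this is not code from the original thread or from any logwatch/logrotate release. It assumes sha256sum in place of the comment's md5, and the paths in the usage note (the log, a rotated/ directory, a checksum file) are demo choices, not anything the post specifies.

```shell
#!/bin/sh
# Added example (not from the original thread): tamper-evident log rotation
# along the lines of the comment above. Rotate the log, record a checksum of
# the rotated copy in a file kept elsewhere, and verify every rotated log
# against that file later. sha256sum is assumed in place of the comment's
# md5; all paths are assumptions chosen for the demo.
set -eu

# rotate_and_checksum LOG ROTATED_DIR CHECKSUM_FILE
# Moves LOG into ROTATED_DIR under a unique name, recreates an empty LOG so
# the writing daemon keeps a valid file, appends "hash  path" for the rotated
# copy to CHECKSUM_FILE, and prints the rotated copy's path.
rotate_and_checksum() {
    log=$1
    rotated_dir=$2
    checksum_file=$3
    mkdir -p "$rotated_dir"
    base=$(basename "$log")
    stamp=$(date +%Y%m%d%H%M%S)
    # rotating more than once a second must not overwrite an earlier copy
    n=0
    while [ -e "$rotated_dir/$base.$stamp.$n" ]; do
        n=$((n + 1))
    done
    rotated="$rotated_dir/$base.$stamp.$n"
    mv "$log" "$rotated"
    : > "$log"
    sha256sum "$rotated" >> "$checksum_file"
    printf '%s\n' "$rotated"
}

# verify_checksums CHECKSUM_FILE
# Recomputes the hash of every path listed in CHECKSUM_FILE. Returns 0 when
# all match, 1 when any rotated log is missing or has been altered.
verify_checksums() {
    checksum_file=$1
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING: %s\n' "$path" >&2
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'TAMPERED: %s\n' "$path" >&2
            status=1
        fi
    done < "$checksum_file"
    return "$status"
}
```

From cron, every minute as the comment suggests, a call would look like `rotate_and_checksum /var/log/auth.log /var/log/rotated /srv/integrity/checksums.txt` followed by `verify_checksums /srv/integrity/checksums.txt` (paths assumed). The check is only as good as the place the checksum file lives: someone with root on the box can rewrite the rotated log and the checksum line together, so "somewhere innocent" has to mean a second host or an append-only destination the compromised box cannot edit, and a non-zero exit from verify_checksums should page someone rather than just land in the next logwatch mail.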