Security Spam

Storm Botnet Is Behind Two New Attacks

We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.
  • by Lobster Quadrille ( 965591 ) on Sunday August 26, 2007 @01:37PM (#20363365)
    Generally, you click the link and it takes you to a page that will try one of many (mostly patched) javascript exploits to install malware on your system. I reverse engineered a few of these pages last week and, while they weren't amazingly clever, it was interesting.

    If that doesn't work, they usually bring up a page saying something like 'If you are seeing this message, please download our secure login software', along with a link.

    I'm surprised they even try something as obvious as this, but I assume that it works to some extent, based on the fact that I'm still getting the spam.
  • Re:Ha! (Score:4, Informative)

    by uncleFester ( 29998 ) on Sunday August 26, 2007 @01:43PM (#20363419) Homepage Journal
    Never will happen to os x or other *nix systems.

    ... and just where the hell do you think the term 'rootkit' came from?

    this kind of hubris is what can make osx/linux/whatever a zombie just as fast as anything else out there.

    i guess you never heard of the old sendmail worm, php-based exploits, etc etc ... ? and i guess i just imagine those security advisories IBM puts out for AIX...

    if you do no work to ensure your OS is as tight as necessary, regardless of what that OS is, you will leave yourself open to being improperly utilized as a system.

    -r
  • the reason Windows gets hacked is because there are so many more MS machines than any other type of machine.

    If that was the case, then why are Microsoft applications (like IIS) more often compromised than non-Microsoft applications even in areas where Microsoft is NOT dominant?

    Windows is inherently less secure than most of the competition in a number of ways.

    1. The Microsoft HTML control's use of ActiveX is inherently insecure and can not be fixed without breaking every application that uses the HTML control.
    1a. This insecure design was deliberate and Microsoft fought the Justice Department to a standstill rather than change or replace it.
    2. Windows requires a number of insecure services to run to perform routine operations.
    2a. There is no way to force these services to be run local-only without using a firewall.
    2b. This means that Windows Firewall has to be used to secure Windows to the same degree as a UNIX based system WITHOUT a firewall.
    3. Windows document formats are still based on serialized COM objects. It's even possible for them to include serialized COM objects in XML files.
    3a. Serialized COM objects can refer to or even contain insecure code that can be used for an attack.

    The idea that any one of these three issues and their consequent corollaries are accepted boggles my mind. The idea that they're defended by the claim that the only reason Windows is more often compromised is that it is more common...I can not conceive of the confusion in the mind that would lead to such a conclusion.
  • by Anonymous Coward on Sunday August 26, 2007 @03:10PM (#20364107)
    IIS 6 has never had a remote root, and it's four years old.
  • Re:Ha! (Score:5, Informative)

    by WhatAmIDoingHere ( 742870 ) * <sexwithanimals@gmail.com> on Sunday August 26, 2007 @03:19PM (#20364169) Homepage
    I think what he meant was you can install but not use the app while logged in as an Administrator account, encouraging people to log in as users.
  • Re:Arggg! (Score:2, Informative)

    by kayditty ( 641006 ) on Sunday August 26, 2007 @06:33PM (#20365961)
    It's just a matter of philosophy. I used to be a "cracker" and a "DoS kid" on EFNet. I didn't use Windows machines (I also didn't need/use "DDoS" networks*). Most everyone on EFNet used Linux/UNIX machines with high bandwidth connections. Now, Windows nodes with cable modems seem to be a lot more popular. I think the kids on EFNet know a little bit about what they're doing, since I was one of them (but I was never as stupid as most of them seem to be). A few of them went on to become security experts, last I've heard of them. Many of them were idiots, however. But things have changed. It's a lot easier for "script kiddies" to do this kind of thing, and Windows is just a good, easy philosophical choice. It's a choice: do I want a few hosts with high bandwidth, or many hosts with relatively small bandwidth? They can both equal the same overall amount of transfer speed in the end. The Windows vector allows for an easier entrance into the "DoS" game, though. In fact, even for an experienced attacker, it might be a better choice, for the simple fact that this kind of attack will spread relatively easily. I have seen website forums for so called "h4X0rz" (read: retards) before, where they ask one another how to write an "on join" mIRC script to send an EXE backdoor to someone joining an IRC channel.

    This is what I'm talking about. The entrance barrier is much lower, and the users of Windows are more likely to be gullible enough to fall for these kinds of tricks. But don't fool yourself into thinking UNIX/Linux are somehow inherently "more secure," save for the fact that most distributions don't enable useless services by default any more. I have seen very large botnets involving BSD/Linux machines before too, and these are very devastating (e.g. the 8Gbps attack on eBay/CNN/Yahoo -- which was a stacheldraht net maintained by the "49ers" EFNet takeover group, if I recall). Some of these consisted of somewhere in the neighborhood of 5,000 machines. That was probably 6-7 years ago.

    * Contrary to what the first article said, an attack from a single source is not necessarily 'easier to deal with' than a multi-sourced attack:

    This is only true for weak attacks that aren't sufficient to kill the upstream. If the upstream router goes, it doesn't matter. You can't filter (which seems to be what they're implying by saying a single source attack is less effective) an attack when it's saturated the entire link.

    And even if the attack is relatively weak, the single host may be able to spoof its source address. Randomized addresses would be even more difficult to filter. Of course, ratelimiting isn't out of the question, in either case.

    Most of the time, botnets today are composed of cable modems / DSL connections on Windows machines, which might get you 100KB/s upstream per node at the most (there are exceptions). Average is probably 256Kbps today. This doesn't result in a lot of bandwidth. Of course, some of my friends back then did use DDoS networks, like stacheldraht, trinoo, and tfn2k. These were also used on high bandwidth servers, which could be a VERY big problem -- much different than the scenario of Windows machines on cable modems.

    Personally, I would use about 10-15 machines to perform an attack at the most. A couple of machines had 100Mbps or fiber uplinks to OC-3s. I got just under 20MB/s for a couple of hosts in South Korea. I suspect these were on OC-3s. There was a large problem, back then, with networks in eastern Asian countries being notorious for their insecurity. Netscan.org, when it was around, largely consisted of incorrectly configured broadcast networks in Japan and South Korea, if I recall correctly. Smurf (as well as THC) was a fairly big attack then. I used it a few times, but, at others, I would just use stream or something else on a few single hosts. I don't really remember the program I used most. But I could reach about 500-800Mbps of bandwidth, and this was probably from 1998-2001, and maybe 2002.

    This would probably be different now. The climate is
  • by LilGuy ( 150110 ) on Sunday August 26, 2007 @07:02PM (#20366135)
    It may behoove you to invest in some services from Postini rather than spend money on more infrastructure. They handle such massive spam mail volumes with relative ease and their customer support is top-notch when a rare spam happens to slip through.
  • Re:Arggg! (Score:1, Informative)

    by BenoitRen ( 998927 ) on Sunday August 26, 2007 @07:50PM (#20366453)

    Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there

    A lot of people are talking out of their ass these days when it comes to Win9x. Have you actually verified what you wrote? I don't think so, because Win9x by default does NOT open ports! No, not even NetBIOS! Win95, by default, doesn't even install TCP/IP.

  • by inKubus ( 199753 ) on Monday August 27, 2007 @12:08AM (#20368085) Homepage Journal
    Yeah, that link is just to an eggdrop-based bot. It connects to the irc channel and probably lets the next layer of the botnet know it's alive. This is one of many tools they use to fully exploit an open box. The bot probably has the ability to remote run commands. That script in the GP looked a lot like a human was doing the typing though, due to spelling errors, etc.

    As far as xhost, You can get a free account [xhost.ro] too :). Storm is pretty scary, and there's bad people out there wanting to use your computing resources illegally.

    Make sure you run logwatch and logrotate and md5 the logs when they rotate (and rotate frequently, like every minute). Then store the checksum somewhere innocent after rotating. Have logwatch automatically check the checksums on all existing logs and report on that also.

    hosts.deny everything but your own personal IP address (in hosts.allow) on all ports except those you need to do business.

    SSH ONLY, don't use telnet or other unencrypted connections. Don't allow root to connect from SSH. Don't allow su from ssh (if possible).

    Compile your own stuff (including your compiler), never run binaries. Use shadow passwords.

    Put all of your binaries on a read-only mounted partition, with /var /tmp on a read/write (this is pretty good to do if you have a stable setup, such as a web server). If you can't do that, break your services into virtualized boxes using Xen or VMware or something so you can quickly recover from a saved image if something does happen.

    Regularly nmap, nessus and satan your box for holes. Put a passive hardware sniffer between your box and the 'net to look for suspicious packets. Etc.

    Most of this is duh stuff and easy to do, and you should have it written in your procedures for building a new box. I believe the NSA has some guidelines also.
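Added example, not part of inKubus's comment or any code on this page: a POSIX shell script for the log-sealing step described above. It rotates a log, records a checksum of the archived copy in a manifest kept on a separate path, and later re-verifies every sealed file, reporting tampered and missing archives. It assumes GNU coreutils (sha256sum, mktemp) and uses SHA-256 in place of the MD5 the comment mentions; the directory layout, the function names and the sample sshd log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: seal rotated logs with checksums and verify them later.
# Assumptions (not from the original comment): GNU coreutils (sha256sum,
# mktemp); the manifest lives on a separate, tighter-permission path; and
# SHA-256 replaces the MD5 the comment mentions.

# seal_log LOGFILE ARCHIVE_DIR MANIFEST
# Copies LOGFILE into ARCHIVE_DIR under a timestamped name, truncates the live
# log, appends "<sha256>  <path>" to MANIFEST and prints the archive path.
seal_log() {
    log=$1; archive=$2; manifest=$3
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$archive" "$(dirname "$manifest")" || return 1
    # mktemp avoids name collisions when rotating more than once per second
    dest=$(mktemp "$archive/$(basename "$log").$stamp.XXXXXX") || return 1
    cp -p "$log" "$dest" || return 1
    : > "$log"   # truncate in place; daemons writing in append mode keep working
    sum=$(sha256sum "$dest" | cut -d' ' -f1)
    # same two-space layout that "sha256sum -c MANIFEST" understands
    printf '%s  %s\n' "$sum" "$dest" >> "$manifest" || return 1
    chmod 0400 "$dest"
    printf '%s\n' "$dest"
}

# verify_seals MANIFEST
# Recomputes every checksum listed in MANIFEST. Prints one status line per
# archive and returns 1 if any file is missing or no longer matches its hash.
verify_seals() {
    manifest=$1; rc=0
    [ -r "$manifest" ] || { printf 'no manifest: %s\n' "$manifest"; return 1; }
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; rc=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'TAMPERED %s\n' "$path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# demo: one constructed sshd line, one rotation, then a deliberate edit of the
# archive to show the check failing.
demo() {
    t=$(mktemp -d)
    printf 'Aug 26 13:37:00 host sshd[123]: Accepted publickey for admin from 192.0.2.10 port 50000\n' > "$t/auth.log"
    a=$(seal_log "$t/auth.log" "$t/archive" "$t/seal/manifest")
    verify_seals "$t/seal/manifest"
    chmod u+w "$a"; printf 'Aug 26 13:38:00 host sshd[123]: edited after the fact\n' >> "$a"
    verify_seals "$t/seal/manifest" || echo "integrity check failed (expected)"
    rm -rf "$t"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh seal_logs.sh demo` to see an OK line followed by a TAMPERED line. In practice seal_log goes in a cron entry (every minute, as the comment suggests) and verify_seals runs from the logwatch job, with the manifest on a path the web-facing services cannot write; a root-level compromise can still rewrite both, which is why the comment also wants the checksums copied off the box.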