Storm Worm More Powerful Than Top Supercomputers
Stony Stevenson writes to mention that some security researchers are claiming that the Storm Worm has grown so massive that it could rival the world's top supercomputers in terms of raw power. "Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity. 'We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see,' he said, noting he suspects the botnet could be as large as 50 million computers. 'That means they can turn on the taps whenever they want to.'"
Co-opt it.. remove it. (Score:5, Interesting)
Follow the money (Score:4, Interesting)
As a side issue, how hard is it for an ISP to see an IP sending out the typical spam mail and closing off that IP/client.
Perhaps now is a good time to push for better adoption of SPF (though surely RMX would have been faster to implement?)
Threat to national security? (Score:5, Interesting)
Microsoft can help, but isn't (Score:5, Interesting)
Re:Co-opt it.. remove it. (Score:5, Interesting)
I see storm as a monoculture problem, the blame can largely be leveled at Microsoft.
Re:Microsoft can help, but isn't (Score:5, Interesting)
Why don't more ISPs (like Comcast and Roadrunner) self-police their machines on a much more frequent basis and knock these customers offline? 99% of the limited spam and the massive amounts of trackback attempts, other web attacks, etc all come from residential cable connections.
I know that Comcast can check their network for infected hosts and shut them off. They need to do a much better job of it.
That 60s reassurance, "we can always unplug them" (Score:5, Interesting)
It's funny how things work out:
"If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." (emphasis supplied)
So much for "we can always unplug them," eh?
The more interesting dilemma (Score:3, Interesting)
Re:Storm Worm - good name for sci-fi novel (Score:5, Interesting)
(for various versions of "script kiddie", I guess)
Of course, the above are only approximations of the listed plots. Someone with a deeper knowledge might be able to provide a better match.
Have you considered visiting your library? =)
Re:Co-opt it.. remove it. (Score:5, Interesting)
Letters of Marque (Score:4, Interesting)
Re:Microsoft can help, but isn't (Score:5, Interesting)
Can somebody explain (Score:5, Interesting)
And again we go through this. (Score:4, Interesting)
It would be EASY for ISP's to block outgoing port 25 connections. Some of them already do.
That means that the worm would have to send through the ISP's mail servers.
Which means that the ISP can easily monitor the NUMBER of messages sent by any user. No need to dig into everyone's email. Just look for the senders who are X% higher than the average.
And watch for sudden increases in a user's mail usage. It should be easy to establish a baseline for each account.
I do that where I work to watch out for dueling vacation replies.
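The kind of per-account volume monitoring the post above sketches, as an added example rather than code from the original page. It assumes Postfix-style queue-manager log lines (the `from=<sender>` record) as input; the log lines it runs on are constructed for the example, with one account whose volume jumps on the third day. It implements both checks the post names: senders more than X% above the day's average account, and senders whose count jumps relative to their own prior baseline.

```python
"""Outbound-mail volume monitoring of the kind the post describes.

Added example, not code from the original page. Input is assumed to be
Postfix qmgr log lines ("from=<sender>"); the lines below are constructed.
Two checks: per-day senders more than PCT percent above the average
account, and senders whose count today exceeds FACTOR times their own
prior-day baseline.
"""
import re
from collections import Counter, defaultdict
from statistics import mean

# Matches the Postfix qmgr record that carries the envelope sender.
LOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \S+ \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>"
)


def parse_log(lines):
    """Return {"Mon DD": Counter(sender -> messages)} from qmgr 'from=' lines."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("sender"):      # skip noise and bounces (empty sender)
            continue
        key = f"{m.group('month')} {int(m.group('day')):02d}"   # zero-pad so keys sort
        per_day[key][m.group("sender")] += 1
    return per_day


def above_average(day_counts, pct):
    """Senders whose daily volume is more than pct percent above the mean account."""
    if not day_counts:
        return {}
    threshold = mean(day_counts.values()) * (1 + pct / 100.0)
    return {s: n for s, n in day_counts.items() if n > threshold}


def baseline_spikes(per_day, today, factor, min_messages=10):
    """Senders whose count today exceeds factor times their own prior-day mean.

    min_messages keeps a quiet account going from 1 to 3 messages from firing.
    Keys are "Mon DD" strings, so ordering only holds within one month
    (the constructed sample is single-month; use ISO dates for real logs).
    """
    history = [d for d in sorted(per_day) if d < today]
    flagged = {}
    for sender, n in per_day.get(today, {}).items():
        prior = [per_day[d].get(sender, 0) for d in history]
        base = mean(prior) if prior else 0.0
        if n >= min_messages and n > factor * max(base, 1.0):
            flagged[sender] = (n, base)
    return flagged


def constructed_log():
    """Constructed sample: three days of traffic; bob's volume jumps on Oct 3."""
    daily = [
        ("Oct  1", {"alice@example.net": 2, "bob@example.net": 3, "carol@example.net": 1}),
        ("Oct  2", {"alice@example.net": 2, "bob@example.net": 2, "carol@example.net": 1}),
        ("Oct  3", {"alice@example.net": 2, "bob@example.net": 40, "carol@example.net": 1}),
    ]
    lines, qid = [], 0x1000
    for day, senders in daily:
        for sender, n in senders.items():
            for _ in range(n):
                qid += 1
                lines.append(f"{day} 09:00:01 mx postfix/qmgr[4242]: {qid:X}: "
                             f"from=<{sender}>, size=1300, nrcpt=1 (queue active)")
    # A bounce (null envelope sender) and an unrelated line, both ignored by the parser.
    lines.append("Oct  3 09:01:00 mx postfix/qmgr[4242]: 2FFF: from=<>, size=900, nrcpt=1 (queue active)")
    lines.append("Oct  3 09:01:01 mx postfix/smtpd[4300]: connect from unknown[192.0.2.10]")
    return lines


def report(lines, today, pct=100, factor=5):
    """Run both checks for one day and return the flagged senders."""
    per_day = parse_log(lines)
    return {
        "above_average": above_average(per_day.get(today, {}), pct),
        "baseline_spikes": baseline_spikes(per_day, today, factor),
    }


if __name__ == "__main__":
    for day in ("Oct 01", "Oct 02", "Oct 03"):
        print(day, report(constructed_log(), day))
```

On the sample, only bob on Oct 3 trips either check; the quiet accounts never do, because the baseline check requires a minimum absolute count before a relative jump counts. In a real deployment the thresholds (100% above average, 5x baseline, 10 messages) are tuning knobs, and the per-day keys should be ISO dates so the ordering survives month boundaries.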
Re:Co-opt it.. remove it. (Score:5, Interesting)
Re:monoculture problem? (Score:3, Interesting)
1) Windows security by design is good- unfortunately its implementation, because the ACLs, etc. are effectively like Swamp Castle, is about as secure as the first three attempts he made at it before the fourth one stayed up. (Vista might be the fourth pass, but it's not looking so good for Microsoft on that count...)
2) There's a LOT of those effectively insecure systems out there on the net because of the Windows Monoculture comprising some 75-95% of the machines that people use out there.
Re:Yea, Windows FTW (Score:3, Interesting)
Either you linked to the wrong chart, or you're the worst troll ever.
Block tcp/25 (Score:5, Interesting)
There's a reason why we only get 1-2 spam complaints (LARTs) per week. We aren't a source of spam. Spamming botnets are all but worthless on our network. Looking at the counters on the blocked outbound tcp/25 connections in our ACLs I'm literally seeing billions of hits per week. That's billions, with a B. Ba, Ba, B. Considering that we're a relatively small ISP, that's saying something. These spamming botnets would be far less useful to spammers if more ISPs took a stance and fought spam. That takes effort though.
Why nothing gets done about it. (Score:5, Interesting)
Remember Amit Yoran? [eweek.com] He was "cyber-security czar" at the US Department of Homeland Security. He started talking about the vulnerabilities implicit in Microsoft's software. His position was downgraded and he resigned in 2004.
Yoran's successor, Gregory Garcia, was a professional lobbyist, not a security expert.
Re:That 60s reassurance, "we can always unplug the (Score:3, Interesting)
Ah yes, one of my favorite (very) short stories, Answer by Fredric Brown [alteich.com]:
"Dwar Ev ceremoniously soldered the final connection with gold. The eyes of a dozen television cameras watched him and the subether bore through the universe a dozen pictures of what he was doing.
He straightened and nodded to Dwar Reyn, then moved to a position beside the switch that would complete the contact when he threw it. The switch that would connect, all at once, all of the monster computing machines of all the populated planets in the universe--ninety-six billion planets--into the supercircuit that would connect them all into the one supercalculator, one cybernetics machine that would combine all the knowledge of all the galaxies.
Dwar Reyn spoke briefly to the watching and listening trillions. Then, after a moment's silence, he said, "Now, Dwar Ev."
Dwar Ev threw the switch. There was a mighty hum, the surge of power from ninety-six billion planets. Lights flashed and quieted along the miles-long panel.
Dwar Ev stepped back and drew a deep breath. "The honor of asking the first question is yours, Dwar Reyn."
"Thank you," said Dwar Reyn. "It shall be a question that no single cybernetics machine has been able to answer."
He turned to face the machine. "Is there a God?"
The mighty voice answered without hesitation, without the clicking of a single relay.
"Yes, now there is a God."
Sudden fear flashed on the face of Dwar Ev. He leaped to grab the switch.
A bolt of lightning from the cloudless sky struck him down and fused the switch shut."
It's not the servers. (Score:4, Interesting)
With that in mind, the Storm Worm specifically doesn't infect Windows 2003 server - a deliberate decision on the part of the author, I'm sure. If you upset enough businesses, they'll devote enough money to the problem to fix it.
The problem is desktops. Specifically, Windows desktops in the hands of the technically illiterate.
Just connecting an unpatched Windows box directly to the internet is enough. It belongs to a hacker in very short order. Even if you patch it up, the sheer number of services running on your average Windows box that listen to network ports is worrying. Never mind being on the internet, with the number of laptops moving in and out of corporate networks, it's not even safe "indoors". And it's hard to turn a lot of this stuff off without adversely affecting its functionality.
I wouldn't even trust a general-purpose Linux installation on the internet; it's just too difficult to track all the potential vulnerabilities. I keep a dedicated firewall running in my router, and the only services it runs are network translation, and a secure shell for administration, which reduces the target footprint to two highly secured services which were designed to be secure in the first place.
Windows users don't help, they are daft enough to infest themselves with everything going. Even if they are not quite daft enough to double-click executable attachments, they will download all the worst sorts of "Freeware" and click straight through the license agreement. Not only are they pwned, they actually agreed to it!
A case in point - one of our accountants was mailing around an executable Flash package (some kind of novelty). I deleted it instantly, and made a point of telling her that it could have been anything and done anything. Ten minutes later, I mailed her a VB executable decorated with the Flash icon. All it did was plonk up a dialogue box which said "Erasing hard drive". Somewhat predictably, she executed it. I almost pretended that I didn't send it and that it was a virus that emailed it.
The root problem is the design of Windows and windows applications.
1) Double-click to open OR execute
This isn't all Windows' fault. People don't make a distinction between running a program and opening a file, because there isn't one in terms of the user action required. I'm willing to bet that the average user doesn't even understand the difference. If you had to perform a different action from double-click to execute programs, viral infection rates would drop enormously. You could still keep the d-click to open files with their registered program, just stop running programs themselves by this method. You've not lost the convenience of file-association. Just put "execute" on the context menu and make it a non-default action.
2) No executable flag in filesystems.
In Linux, a file isn't executable until you grant it permission to be so. If you had to open the permissions dialogue and check the "executable" box, it would hammer home the difference between executables and mere content. And by making it something more than a casual action, it would reduce the "impulse" running of many of these things, where people have their caution overridden momentarily by the promise of naked flesh or other inducements. Heck, you can even have whole filesystems that refuse to execute files - download all internet content into one of these and before you run it, you'll have to unpack it, move it to an executable folder, and check its execute bit. This would seem too much work for the average Joe for a quick glimpse at Jessica Alba with no bra...
Re:STILL NOT A WORM (Score:4, Interesting)
You have to explicitly check boxes in the configuration system to allow HTML, and/or allow external references to be loaded. The warning is right there, not buried in a dialog box many would click through:
WARNING: Allowing HTML in email may increase the risk that your system will be compromised by present and anticipated security exploits. More about HTML mails... More about external references...
The two 'more' items are links for more information.
Another box, related to MDNS responses does basically the same thing, and has the following warning:
WARNING: Unconditionally returning confirmations undermines your privacy. More...
Again, nothing in click-through dialog boxes. That was such an obviously better way to code that I adopted it as soon as I saw it. Better to have at least a brief warning and a link right there.
I'm hoping it's easier to configure Outlook this way now. In Outlook 2K, you really had to look for the settings. But even this is a teaching issue. Example: a guy I know is 100% Windows. His development shop has all the Microsoft certifications, etc. They do mostly VB apps. He complained at one point that I wasn't reading his mail, because he wasn't getting an auto-response. He couldn't imagine an environment where people didn't use that 'feature'. I actually had to take some time out and explain that it was a privacy issue (What gives you the right to know what I'm doing on my system, in a non-business environment?) and that it was wildly inaccurate anyway, as some mail systems will open a mail if you select it even if you're only dragging to another folder, while some require a double click. Or you might open it but be called away, etc.
I've known this guy forever, and he's actually pretty smart. Always did well in school, has a degree in nuclear engineering, etc. We most definitely are *not* talking IQ equal to shoe size. There's some sort of mind-set issue in play that is very difficult to get a handle on.
Re:Could Botnets break encryption? (Score:3, Interesting)
"Now, the annual energy output of our sun is about 1.21*10^41 ergs. This is enough to power about 2.7*10^56 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all of its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.
"But that's just one star, and a measly one at that. A typical supernova releases something like 10^51 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.
"These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."
- Bruce Schneier, Applied Cryptography, 2nd ed., p. 158
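The arithmetic behind the quoted figures, worked through here as an added derivation (it is not part of the original comment or of the book excerpt). It assumes the per-operation energy Schneier uses a few lines earlier in the same chapter, which this page does not quote: an ideal computer at 3.2 K, the cosmic background temperature, dissipates roughly kT ≈ 4.4 × 10^-16 erg per bit change. The last line, relating this to the botnet in the summary, assumes for illustration that each of the 50 million hosts quoted there could test 10^9 keys per second.

```latex
\begin{aligned}
\text{Sun, one year:}\qquad
N_{\odot} &= \frac{1.21\times10^{41}\ \text{erg}}{4.4\times10^{-16}\ \text{erg/bit}}
          \approx 2.7\times10^{56}\ \text{bit changes}, &
\log_2 N_{\odot} &\approx 187.5 \\[4pt]
\text{32 years:}\qquad
2^{5}\cdot 2^{187} &= 2^{192} \\[4pt]
\text{Supernova:}\qquad
N_{SN} &= \frac{10^{51}\ \text{erg}}{4.4\times10^{-16}\ \text{erg/bit}}
        \approx 2.3\times10^{66}, &
\log_2 N_{SN} &\approx 220 \\[4pt]
\text{256-bit keyspace:}\qquad
\frac{2^{256}}{2^{220}} &= 2^{36} \approx 7\times10^{10}\ \text{supernovae} \\[4pt]
\text{Botnet, one year (assumed rate):}\qquad
5\times10^{7}\ \text{hosts}\times 10^{9}\ \tfrac{\text{keys}}{\text{s}}\times 3.15\times10^{7}\ \text{s}
&\approx 1.6\times10^{24} \approx 2^{80}
\end{aligned}
```

So the sun's annual output covers a 187-bit counter (2^187 ≈ 2.0 × 10^56 states), 32 = 2^5 years of it reach 2^192, and a supernova reaches about 2^220, comfortably enough for the 219-bit counter quoted. Even at the assumed rate, the whole botnet running for a year sits near 2^80 operations, 176 bits short of exhausting a 256-bit keyspace, which is why the thread's answer to "could botnets break encryption" is no for properly keyed modern ciphers; botnets are a threat to passwords and weak keys, not to the key sizes in question.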