Forgot your password?
typodupeerror
The Internet Worms Security

Anti-Scammers Become Storm Botnet Victims 207

Posted by CowboyNeal
from the sticking-their-necks-out dept.
capnkr writes "It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet. Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well. Sounds like a massive, concerted effort against the folks who are fighting the good fight. Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."
This discussion has been archived. No new comments can be posted.

Anti-Scammers Become Storm Botnet Victims

Comments Filter:
  • Slashdotted (Score:5, Insightful)

    by elh_inny (557966) on Saturday September 08, 2007 @11:36AM (#20520955) Homepage Journal
    Posting the info and having people slashdot the mentioned sites is not going to help them either :)
    • Re:Slashdotted (Score:4, Insightful)

      by MollyB (162595) * on Saturday September 08, 2007 @11:51AM (#20521073) Journal
      To an extent, you are correct. But I got the impression from the Spamnation link (#4) that this has been going on for days. Heck, the Update on that site was dated Sept. 6. We only have n number of users. The Russians (read TFA) have lots and lots (technical term) of botnets and are assumed to be taking revenge on their tormentors. I think this trumps the slashdot effect, but that's just my opinion.
      • More than just DDoS (Score:5, Informative)

        by weierstrass (669421) on Saturday September 08, 2007 @12:13PM (#20521227) Homepage Journal
        At the moment http://www.aa419.org/ [aa419.org] gives me the main pages of my own web server on my laptop

        user@my-box:~$ host aa419.org
        aa419.org has address 127.0.0.1
        aa419.org mail is handled by 5 mail.aa419.org.
        • by cpq (1153697) on Saturday September 08, 2007 @01:20PM (#20521661)

          user@my-box:~$ host aa419.org aa419.org has address 127.0.0.1
          Actually this is the SMART thing to do. If they're attacking the hostname of the website, any smart admin would change the DNS record to lower the TTL to update, and update their address to 127.0.0.1. This way the botnet boxes end up attacking themselves. I've done it before. Then once the attack is over you update your A name record to the actual IP.
          • by garett_spencley (193892) on Saturday September 08, 2007 @03:54PM (#20522843) Journal
            How do you know when the attack is over if they're no longer attacking your machine thanks to the DNS record pointing to 127.0.0.1 ?

            How long do you wait ?

            I suppose you can try to identify the specific worm that's doing the attack and infect a test machine and watch it. Or if you can reverse engineer it you might be able to find out when the end date is. Beyond that you've effectively taken your entire web site / business offline for an undetermined period of time. I'm not sure it's any better than riding out the attack. The attack could stop and you wouldn't even know it.

            Plus, the minute you unplug your network cable or change your DNS records to a machine that doesn't host your web site you've just handed yourself to the attackers. Taking your business offline is *exactly* what they intended to do. And you did it for them.
            • Heh, what if the ddos zombies don't use DNS?
              I would surely instruct my botnet to attack IP numbers instead of names (it is faster).
              • Re: (Score:2, Interesting)

                by fbartho (840012)
                yeah, but then they can just put some new IP's behind their round-robin dns server, and retire the old ones, and your bots will never know!
            • Re: (Score:3, Insightful)

              by timmarhy (659436)
              Taking the website off the air isn't their only objective, they are trying to cost them $ in bandwidth. Face it, once you've been targeted by a big ddos your screwed, all you can do is try mitigate some of the damage.
        • Re: (Score:2, Funny)

          by Short Circuit (52384)
          I thought that webserver looked poorly configured...
    • 127.0.0.1'd (Score:2, Informative)

      by cpq (1153697)
      Some of the site's are using DNS records to point back to 127.0.0.1 and lowering their TTL so the botnet machines attack themselves. Easy way to defend (in some way) a DDoS. Don't count on the site(s) being up until the owners are sure more bandwidth / CPU cycles won't be wasted.
    • by bl8n8r (649187)
      > Posting the info and having people slashdot the mentioned sites is not going to help them either :)

      *l* at this point, it's not going to hurt either.
  • Such that no one wants to say any...
  • by digitalsushi (137809) <slashdot@digitalsushi.com> on Saturday September 08, 2007 @11:38AM (#20520975) Journal
    I screwed with a craigslist scammer this week. It was sorta fun.

    http://digitalsushi.com/goraku/fakecheck/story.htm l [digitalsushi.com]

    Getting him to mail a check made out to "Pownd Uholot" was entertaining. :)
  • Grey Hat solution (Score:4, Interesting)

    by DigiShaman (671371) on Saturday September 08, 2007 @11:43AM (#20520999) Homepage
    Aside from the legalities, perhaps Grey Hats round the world need to start developing "neuter-viri" (self replicating auto-patchers). These zombified machines have got to be defanged somehow, and fast.
    • Re: (Score:2, Insightful)

      by snsr (917423)
      "neuter-viri" (self replicating auto-patchers).
      This is a great idea. I wonder how well this would be recieved- I guess ideally it wouldn't even be noticed.
      • Re: (Score:3, Insightful)

        by saskboy (600063)
        The authors would have to be extremely careful. If they include a bug, the results could be worse than doing nothing at all. And if they include a backdoor or auto-update feature, the blackhats could end up using machines with the auto-patcher infection instead.
    • Re:Grey Hat solution (Score:4, Interesting)

      by Evi1BastardFromHe11 (986822) on Saturday September 08, 2007 @11:56AM (#20521115)
      What would this accomplish? The lusers have to be hit hard to start to care about what sort of malware resides on their machines. I would rather see a solution where someone exploits a hole in the Storm control implementation and distributes a disk shredding update to all nodes.

      50M dead HDDs would be fun in the oldschool spirit and at the same time would generate enough of fuss for people to start actually caring about security.
    • by CharonX (522492) on Saturday September 08, 2007 @12:11PM (#20521211) Journal
      I recall reading a quite interesting article on this topic a while ago while doing research for a university seminar I had to hold.
      The big crux is that the "worm" needs to show negative behaviour, i.e. exploit it's host bandwith and CPU cycles, at least for a while, to gain sufficient impact to "infect & patch" vulnerable machines. It would turn into a battle of the worms, where "grey" worms attempt to infect as many machines as possible, plug the security holes, seek new machines to "infect and patch" and then, after a while, self-delete themselves - while the "black" worms, attempt almost the same, only that they do not self-delete but instead continue to exploit their host. Most machines that become victims of rootkits or worms are actually patched up once infected, to avoid losing the machine to competing malware.
    • Re:Grey Hat solution (Score:5, Informative)

      by Nintendork (411169) on Saturday September 08, 2007 @01:00PM (#20521527) Homepage
      Someone already did this to counter the Blaster worm. See Welchia [wikipedia.org]. The problem with this one though is that it was flooding networks with ICMP pings, causing more network outages [internetnews.com] than the Blaster worm it was designed to fight.
      • Re: (Score:3, Interesting)

        by Anonymous Coward
        That is because Welchia was poorly designed. A properly designed counter-worm would not actively seek out targets. Instead, it would patch the system and wait for an infected system to contact it, where it would then spread to that infected system.
        • Re: (Score:2, Interesting)

          by Sigma 7 (266129)

          A properly designed counter-worm would not actively seek out targets. Instead, it would patch the system and wait for an infected system to contact it, where it would then spread to that infected system.

          This design of counter-worm is ineffective against worms that also patch the system against the vulnerability in question. While I don't know any names, such a design isn't far fetched.

          The only way to counter such a worm is to perform active scanning, even if it floods the networks. Of course, a gray hat designer would prefer a flooded network over a botnet - per minimal collateral damage guidelines.

    • by Joebert (946227)
      That's the mindset that's getting Sony in hot water with rootkits.
    • The defang you are looking for has been provided by the free software community. Unlike the worms themselves, user and vendor action are required for this to work and it's completely legal. Vendor support is growing every day because everyone now realizes the root cause is a costly software monoculture. IBM, HP and Dell now all sell gnu/linux to desktop users. With a little bit of advertising the problem will go away soon.

    • by guruevi (827432)
      No, the Grey Hat's would have to include something that destroys the boot sector from the hard drive, then shut down the machine. All of a sudden, we would have a massive drop in power usage (saving the environment) and a whole lot of dumbasses that in turn will provide a job to low-wage Circuit City and Best Buy employees. I guess a lot of computers would just stay off because no-one knows that they are running.

      So to make it easy:
      1) Create or take over Storm botnet
      2a) (Optional): dd if=/dev/null of=/dev/hd
    • by Lehk228 (705449)
      better to use time bombs using more efficient and agressive search patterns then a machine suicide scrambling the hard drive and if possible damaging hardware through software overclocking and other dark arts.

      the ONLY way to cause botnets and other infections to be taken seriously is to deprive the lusers of their porn, mp3's and possibly their hardware. a few crispy video cards, region-locked DVD players set to only play japanese DVDs and corrupted documents will force them to but at least basic security
  • The counter-solution (Score:3, Interesting)

    by EvilMonkeySlayer (826044) on Saturday September 08, 2007 @11:48AM (#20521047) Journal
    The counter solution to this is for a big company like Google, Yahoo, Microsoft (yes, Microsoft) should offer either their servers, hosting, bandwidth etc. To these sites that are quite evidently being successful against the scammers. Or at the least they could give the sites some cash injections to buy more capable servers, fatter lines etc.
    • by Joebert (946227)
      These are corporations you're talking about, they're just happy the botnets' attention isn't on them. Why would they want to draw fire to themselves, what's in it for them ?
      • Re: (Score:3, Interesting)

        What on earth makes you think people like Microsoft and Google don't get hit by these people?

        I have no data you don't, but I'd be amazed if no-one has ever threatened the richest IT companies in the world with outages if they don't pay up.

        • by Joebert (946227)
          If the portion of the botnet is attacking sites not on Corporation property, it's obviously not attacking Corporation property.
          Why do somthing to bring it to Corporation property, what's in it for them other than an increased workload ?
        • by ncc74656 (45571) *

          What on earth makes you think people like Microsoft and Google don't get hit by these people?

          ...especially since Google wasn't working for me a few hours ago. I have to wonder a bit if they had also been hit by this botnet, or if someone else in the connection between there and here was hit. Everything else I tried (/., Yahoo, my own website, etc.) worked, but Google's search and reader pages timed out.

          (Google Reader is working now. Search works, too.)

    • by xtracto (837672)
      Wasnt the "Make love no spam" lycos screensaver TRYING to achieve something similar? I remember it was widely critizised for what it was doing. I ran it for some tiem though.
  • Hopefully these guys don't get assassinated.
  • Solution??? (Score:5, Insightful)

    by Glock27 (446276) on Saturday September 08, 2007 @12:02PM (#20521153)
    Why have I seen several articles on this Storm worm, and yet no one seems concerned with how to remove it from systems?

    Is there a scanner and fix available? It does require executing an email attachment, right?

    It really shouldn't be called a worm unless it can worm its way in without social engineering...

    • Re: (Score:3, Insightful)

      It is delivered as a Trojan. People don't discuss removal techniques because the answer is so painfully obvious that most here don't think it is worth mentioning. Norton, AVG, clamAV, any anti-virus on the market or available for free will detect storms various incarnations, and most of them will disable it. Problem is, there are just millions and millions of (windows) users who don't bother with the most basic security.
      • Re:Solution??? (Score:5, Insightful)

        by Anonymous Brave Guy (457657) on Saturday September 08, 2007 @02:48PM (#20522349)

        Problem is, there are just millions and millions of (windows) users who don't bother with the most basic security.

        And the solution is for ISPs to cut off any machine that appears to have been compromised, and for ISPs to collectively isolate and cut off other ISPs that allow significant amounts of bad traffic out of their networks.

        I'm all for due process, but in cases like this, a real-time response is required and there isn't much doubt whether a machine/network is emitting significant amounts of bad traffic or not. You just have to make people get their own house in order, and if they don't, kick them off the Internet until they do.

        • Re: (Score:3, Interesting)

          I hear you. I work for a small business, and we have our email handled by our ISP. They won't cut off other users who are spamming, and so their mail server is now starting to show up on spam blacklists. It is really embarrassing to have to call our partners and customers and tell them to check their spam box for our email, and then we are lucky if it is even there. We will be changing ISPs soon... I hope.
    • It usually comes as an email with an enticing subject line such as "xxxx has sent you an E-card" and inviting you to click on a link in the email to view the ecard...

      I'm expecting a waver of emails inviting the reader to "click here [address.ru] to see Vannessa Hudgens's naughty pics, the ones Disney tried to ban..."

      • Re:Solution??? (Score:4, Interesting)

        by Technician (215283) on Saturday September 08, 2007 @02:21PM (#20522171)
        I got a bunch of those e-card emails several weeks ago. Knowing how my Ubuntu box is configured, I went ahead to see how the exploit works. The link is a very sparce page indicating a video download that will start automatically. If it doesn't, click here. The exploit uses both a script and social engineering. Firefox didn't start an automatic download on Ubuntu, so for grins I clicked the link. I was asked where I wanted to save e-card.exe. This exploit page was common to many e-mails indicating cards from my mother, relative, etc. I thought it interesting there was no information passed to load any kind of customized card like a real e-card. Also highly suspicious is the link was an IP address, not a URL. That move alone gets past filtered DNS services and a hosts file.

        By the way, the download in Ubuntu asking where to save it has a cancel button. I didn't download it to get a filesize. Sorry.

        I know I am not sending any extra data as part of this bot simply because my network switch sits right under my monitor. There is no unusual traffic here. I think everyone should be constantly monitoring their network traffic.

        Maybe MS and Ubuntu can make a traffic monitor that sits on the desktop by default. I know most people would ignore it thinking it is Limewire or Torrent traffic.
        • Re: (Score:2, Interesting)

          by freedumb2000 (966222)
          Also, all the ip addresses i did a lookup on, resolved to a dynamic host address so it looks like the infected machines are distributing the storm files themselfs to new victims with no central distributing server to shut down.
          • Also, all the ip addresses i did a lookup on, resolved to a dynamic host address so it looks like the infected machines are distributing the storm files themselfs to new victims with no central distributing server to shut down.

            I noticed that also, but didn't mention it. Even though every e-mail had an IP address link, all the links were unique, but the content on the resulting pages was identical.
          • by arkhan_jg (618674)
            Yup, spot on. The scary thing about this botnet - and why it's not been shut down - is it's using the overnet p2p protocol to establish a private P2P command and control network. The updates and additional malware (including a rootkit, spam proxy and mass mailer) are delivered from other compromised machines on the network. Each zombie connects to about 30-50 other computers, thus making shutting it down or even getting a true estimate of its size virtually impossible. The method of infection also uses a nu
    • Re:Solution??? (Score:5, Informative)

      by arkhan_jg (618674) on Saturday September 08, 2007 @12:51PM (#20521471)
      It is a backdoor trojan, not a worm - largely spread via email .exe attachments, but also installed by at least one other mass mailer worm, W32.Mixor.Q@mm.

      http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]
      http://www.symantec.com/security_response/writeup. jsp?docid=2007-011917-1403-99&tabid=2 [symantec.com]

      It's detected and removed by the usual array of anti-virus software (it installs a malicious device service %System%\wincom32.sys, that joins it to the private distributed P2P control network). However, it does also have capability to download additional malicious software, and has changed form several times.

      http://www.symantec.com/enterprise/security_respon se/weblog/2007/01/trojanpeacomm_building_a_peert.h tml [symantec.com]
      Currently the malware being downloaded is as follows:

      game0.exe: A downloader + rootkit component - detected as Trojan.Abwiz.F
      game1.exe: Proxy Mail Relay for spam which opens port TCP 25 on the infected machine - detected as W32.Mixor.Q@mm
      game2.exe: Mail Harvester which gathers mail addresses on the machine and post them as 1.JPG to a remote server - detected as W32.Mixor.Q@mm
      game3.exe: W32.Mixor.Q@mm
      game4.exe: It contacts a C&C server to download some configuration file - detected as W32.Mixor.Q@mm

    • Microsoft "Malicious software removal" to the rescue!!

      Maybe.

      I mean, this is precisely the sort of thing it's designed for, right?
  • by mark-t (151149) <markt@@@lynx...bc...ca> on Saturday September 08, 2007 @12:20PM (#20521279) Journal

    I told my oldest son about this botnet yesterday, mentioning that with between 2 million and 20 million CPU's working at any one time, and even that larger figure likely representing only a fraction of the botnet's total capacity, it collectively represented the most powerful supercomputer ever built... and it was effectively under the control of a small group of people with criminal intent - the author, or authors, of the worm. My son responded to me with a great deal of scepticism, first saying that none of these security experts which have made this analysis have any way to estimate what sort of computing power military organizations might have, so saying that it represented the most powerful supercomputer ever was actually a completely meaningless claim, and also, he proclaimed that the story was most probably just hype and over exaggerated. He said that the claim of the most powerful supercomputer ever being controlled by criminals was simply too much to be believable, like the headlines one might see on the front page of the Weekly World News tabloid. He also said that it was ludicrous to see how sending people "penis extension ads" (which is about all he figures a botnet can do) can actually seriously harm anything or anyone.

    So this got me to wondering... how much of this actually _is_ something that is of any real concern, and if it really is, how could it be explained to people in such a way that it's not going to sound like some claim from a conspiracy theorist?

    • by Torodung (31985) on Saturday September 08, 2007 @03:29PM (#20522679) Journal
      This article [wikipedia.org] is a good place to start.

      You could also introduce him to the theory behind Bittorrent [wikipedia.org], which is a good demonstration of how many computers each doing a small task, given modest bandwidth, can add up to massive distribution and publication power in short order.

      Now, what if some distributed network decided to siphon a gig of illegal or embarrassing materials onto a compromised target machine. Perhaps a politician that is voting the wrong way?

      Then ask him, not if the entire banking industry is safe, but if an individual's information (SHA hash collision or private key, but that's not "average Joe" speak) could be subject to a distributed brute force attack [wikipedia.org].

      With the growing power of computers making tiny pieces of malware harder and harder to notice (that 1% of processor time is more and more powerful), and malware being able to literally hide files from the user until such time that it chooses to reveal them, it seems like it's only a matter of time before someone with a large enough botnet, and enough imagination, could start attacking individuals and/or siphoning off their money. How you do this is not something I care to discuss, but the black hats (both the actual criminals and the security experts, as an exercise) already have ideas and are working on it. That's why you'll see them periodically calling for stronger encryption (more bits in the keys). If there was no possible threat, they wouldn't be creating and suggesting longer keys. Rootkits [microsoft.com] would not be a concern, if files hidden from the user were always benign (most are).

      But all it takes is the wrong person to have the right idea, a breakthrough that changes the assumptions, especially in cryptography. Show him the movie "Sneakers [imdb.com]" if you want to fuel some imagination regarding that. It's crap, but it's also fun and sizes the problem for the average Joe. Assuming that only ethical people work in cryptography is somewhat naive. Assuming that unethical people are not watching the progress of ethical individuals in the field is stupid.

      There's nothing to say such solutions and attacks haven't occurred already, but it seems, as your son suggests, unlikely. You can bet if a criminal has figured it out, a little bit of money siphoned off here and there would be almost impossible to detect, especially in an environment where people are unwilling to believe it's even possible. Believe me, if the idea has hit Hollywood [imdb.com], it's old hat. That's exactly how such a criminal would proceed if they had found a way to leverage such distributed computing applications. They would target a distributed network of accounts, one by one, in a way that looked like banking errors (which are numerous and automatically corrected by the bank) and slowly siphon money from the banking industry itself, through compromised individual accounts. No individual would suffer, because of correction processes in the banks, the world's capital reserves would.

      Then ask what that money could buy in terms of influence, weapons, elections?

      Any compromised machine is a liability to its user. Botnets are a menace to society, and we're lucky all they're (hopefully) being used for is "penis enlargement" ads and DDoS attacks. That's barely scraping the surface of their potential.

      If he wants to go on believing that his safety and security are a given, without any effort on his own part, there's little you can do, but anyone with any imagination, who is not in flat out denial, can demonstrate that distributed computing applications have a great deal of power, and that basic security is everyone's concern. It is definitely not good that these ne
    • Just demonstrate that several unconnected sites that cover anti-scamming are down, and one site with 46k hits on Google is resolving to localhost. That ought to show what damage botnets can do. It cannot be a coincidence.
    • by RAMMS+EIN (578166) on Saturday September 08, 2007 @06:17PM (#20523685) Homepage Journal
      ``So this got me to wondering... how much of this actually _is_ something that is of any real concern, and if it really is, how could it be explained to people in such a way that it's not going to sound like some claim from a conspiracy theorist?''

      A few days ago, I figured that the great difficulty in explaining this to people who don't know already is that, in the Real World, preposterous conspiracy theories are often false. In fact, much more innocuous ones usually are, too. This is something I figured while actually taking some time away from computer security and traveling through the Real World. In the Real World, you can leave your expensive laptop in your unlocked yacht in an unguarded marina, and then leave thousands of dollars worth of electronics equipment in a restaurant to recharge overnight, and none of it will get stolen.

      On the Internet, if your computer is reachable, it will be attacked in a matter of minutes. Any hole that is found in the software you run is likely to get exploited. Most of the email you get is spam sent by exploited Windows machines people have at home. Corporations are watching you, some with orders from the government. You can legitimately wonder _who_ controls your computer. It's not really an exaggeration to say that everything that can go wrong not only will, but has.

      It only starts to get _really_ scary when you consider how much of the Real World is actually dependent on computers these days...
  • Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working.

    By that logic, does all the hate mail Fred Phelps get mean that he's on the right track?
    Does it mean that all those protesting Bush's speeches validate his argument?
    Odd way for the author to phrase it. I don't think there's a cause and effect here. They might be publicly opposed to the spamming and phishing scams, but they fact that they're getting at
    • by Angostura (703910)
      Nope, you've got yourself into a logical twist.

      By that logic, does all the hate mail Fred Phelps get mean that he's on the right track?

      It's a poor analogy. It wouldn't be someone sending hate mail to Fred Phelps. It would be someone putting up posters about the problems with Fred Phelps, and then Phelps setting out to kill the Poster-makers.

      Does it mean that all those protesting Bush's speeches validate his argument?

      Wrong analogy again. A correct analogy would be If those protesting against Bush's speeches

    • If Fred Phelps's goal is to piss people off, he's on the right track. If Bush's goal is to anger people, he's doing a heckuva job. The anti-spammers in question have clearly pissed someone off, and it appears to be the same someone who sends a lot of spam. That the anti-spammers have done enough to be noticed seems like the most likely explanation, but of course, there might be others; I just can't think of any.
  • Solution (Score:2, Redundant)

    by JamesRose (1062530)
    Right a piece of code that detects if the storm bot virii are present, then have it format the hard drive. If their computer is putting other computers with real work to do in danger they should be deleted until the administrator learns to use it. Seems harsh but trying to fix a computer thats already infected is almost impossible to do, as they keep changing the virii, so carpet bomb it.
  • Didn't some internet provider at one time threaten or attempt to disconnect customers whose computer were suspected to have spyware or a virus infection? I think more internet provider (errr.. high speed internet providers) should take charge and disconnect computers that are (or might be) part of a large botnet. This brings me to the point that like most people don't have a clue how a car functions under the hood, most people also don't know how a computer functions inside its case. So ignorance should
    • Re: (Score:2, Insightful)

      by wubboy (96276)
      Something like, if os = Windows then deny?
    • Re: (Score:2, Insightful)

      by pokerdad (1124121)

      Didn't some internet provider at one time threaten or attempt to disconnect customers whose computer were suspected to have spyware or a virus infection?

      Virtually all ISPs do this, its just that what they count as "suspected to have spyware or a virus infection" is pretty lax. Usually the only thing that counts is sending out more than x many emails in a certain time frame. Of course, I would rather have them be lax than be intruding to my system.

      • Re: (Score:2, Interesting)

        by Anonymous Coward
        Where I work (local WISP, over 4000 subscribers and growing!), we block nothing to or from a customer's PC (or PCs) unless it trips our antivirus or antispam system with a known signature. We do not do heuristic scanning, so we don't get false positives from malformed data or "something close".

        We also have intrusion protection at all of our border routers, that scans incoming and outgoing traffic. Our traffic wipes its feet before going out to the internet, if you know what I mean.

        We also have a service p
    • by mike2R (721965)
      Comcast [slashdot.org] back in 2004 did some selective blocking of port 25. Could have been a coincidence but a heavy (about 100MB an hour) dictionary spam run at our company domain cut off at around that time IIRC.
  • I mean, don't they have better things to do with these resources? Seems like the choice of targets tells us a lot about the opportunities - or perhaps lack of opportunities - that this resource (i.e., the Storm botnet) can be put to.

    I mean, why not use it to make money? Attacking these sites ain't gonna directly generate any revenue. And one must consider such a resource as having a time value; what is the half life of a bot net anyhow? Is this one, given it's size, likely to be significantly different?
    • It might be a test or demonstration of the botnet. Like any weapon it needs to be test fired before actual use. The persons controlling this might be trying to kill two birds with one stone - test the botnet, and knock those who taunt you off the air.

  • size (Score:2, Interesting)


    Is the size of the the Storm network large enough to hold a really big player hostage? Could they eg DDoS Microsoft's update portal? Or Google's homepage? either for ransom or without?

    Could they cripple other internet backbone infrastructure stuff, and thereby hold the nation's entire computer infrastructure hostage?
    As TFA mentions, a DDoS attack is more expensive for the customer of the botnetters, as is easier to detect and stop at the ISP level, so I wonder if those attacks are really feasible, or i
    • Re:size (Score:5, Insightful)

      by maztuhblastah (745586) on Saturday September 08, 2007 @03:25PM (#20522651) Journal

      if the DHS etc took protective action at the ISP level?


      Oh please god.... no....

      Think of what you're saying! The same group of people who color-code our paranoia, who decide that waterbottles are dangerous, and who advise us to purchase duct tape... you want to turn to them for help securing the Internet? Do you have any idea how painful that would be?

      No -- the responsibility here lies with the users and (to some extent) the carriers. If the user's machines are infected, disconnect them. If the carriers detect a large, coordinated traffic pattern, investigate -- and if it's a DDOS attack, block it at the firewall level (before the traffic leaves your network segments.)
      • Ya DHS are morons (Score:4, Interesting)

        by Sycraft-fu (314770) on Saturday September 08, 2007 @04:26PM (#20523037)
        We've got a professor at the university where I work that consults for DHS, one of our student workers is in his class. The misinformation this guy hands out is... legendary. For example, did you know that twisted pair only has a bandwidth of 250kHz and a maximum speed of 4Mbps? Really, it must be true, Dr. DHS said so! Never you mind things like Belden 7852A that is rated up in the 400-600MHz range, what do they know? Smarmy cable manufacturer, Dr. DHS says that's just not true!

        Well if you've got people like that advising you, I'm going to guess the technical conclusions you come to are probably not going to be the correct ones.
  • Sorry guys, we know your suffering a DDoS attack right now, but we just thought we'd publish links to your sites on Slashdot to compound the issue. Think of it as an experiment to see what effect a massive storm of legitimate traffic will have on an ongoing DDoS attack.

    What? Your data center is a molten slag?! Eureka! We'll stop by with marshmallows and weenies.

    This is one case where publishing the hyperlinks might have been a bad idea. I wonder how many people are hitting their refresh buttons right now. ;
  • This is not proof (Score:3, Insightful)

    by Rich Klein (699591) on Saturday September 08, 2007 @03:09PM (#20522515) Homepage Journal
    "I think it shows without a doubt that their efforts to 'get back' at the scammers are working."

    I'd like to agree with you, but it makes about as much sense as saying that increased violence in Iraq is proof that the US has terrorists on the run.

    The scam-baiters may be doing a lot of good, but DDoS attacks against them aren't proof of it.
  • is there a way to test or check that people who might be part of the bot net how to see if they have it?

    rather than gong on about what it is doing, how about we spread the word on how to stop it one computer at a time.
  • Would it not be somewhat of an improvement then if services like these would also be massively distributed? Instead of a massive scammer network having a 'force to counter' in the form of a massive anti-scammer network. Surely a p2p/torrent like thing could make this possible?
  • Wait a minute (Score:2, Redundant)

    by Mr. Freeman (933986)
    "Look, these sites are being DDosed, let's post them on slashdot". Doesn't exactly seem like the best idea ever.
  • The final straw. (Score:2, Interesting)

    by LordSnooty (853791)
    It's time for the community to do something about botnets. Forget ethics, we use whatever means necessary. Government and law enforcement agencies appear unwilling or even technically unable to do anything about it (this is a very important point). What better people to sort out this mess than the community who thought up the IRC protocol and whatnot in the first place? It's time to find these machines, break into them and stop this madness. Will govt only do something when their sites get attacked? Can you
  • by Lightster (1084511)
    I remember when this happened against Blue Frog. They were forced to shut their service down due to the DoS attack against them. As soon as the spammers feel threatened by any anti-spam organization they just launch these kind of attacks and shut them down. They seem to easily get away with it. Kind of sad really, there needs to be a fight against spammers on a larger level with Governments and IT corporations getting involved.
  • "Those who cannot remember the past are condemned to repeat it."

    To put it in other words, why am I not surprised that this happened, after watching Blue Security being obliterated by... guess what, a botnet!

  • When the Storm Worm writers are caught, they should be publicly beaten to death immediately, as a warning to all who would follow in their footsteps.

The world is moving so fast these days that the man who says it can't be done is generally interrupted by someone doing it. -- E. Hubbard

Working...