Anti-Scammers Become Storm Botnet Victims

capnkr writes "It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet. Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well. Sounds like a massive, concerted effort against the folks who are fighting the good fight. Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."
  • by Constantine XVI ( 880691 ) <trash@eighty+slashdot.gmail@com> on Saturday September 08, 2007 @11:58AM (#20521129)
    Storm actually does install updates and checks for viruses on its victims. It just excludes anything that would make life harder on itself.
  • by CharonX ( 522492 ) on Saturday September 08, 2007 @12:11PM (#20521211) Journal
    I recall reading a quite interesting article on this topic a while ago while doing research for a university seminar I had to hold.
    The big crux is that the "worm" needs to show negative behaviour, i.e. exploit its host's bandwidth and CPU cycles, at least for a while, to gain sufficient impact to "infect & patch" vulnerable machines. It would turn into a battle of the worms, where "grey" worms attempt to infect as many machines as possible, plug the security holes, seek new machines to "infect and patch" and then, after a while, self-delete - while the "black" worms attempt almost the same, only that they do not self-delete but instead continue to exploit their host. Most machines that become victims of rootkits or worms are actually patched up once infected, to avoid losing the machine to competing malware.
  • More than just DDoS (Score:5, Informative)

    by weierstrass ( 669421 ) on Saturday September 08, 2007 @12:13PM (#20521227) Homepage Journal
    At the moment http://www.aa419.org/ gives me the main pages of my own web server on my laptop

    user@my-box:~$ host aa419.org
    aa419.org has address 127.0.0.1
    aa419.org mail is handled by 5 mail.aa419.org.
  • Re:Solution??? (Score:5, Informative)

    by arkhan_jg ( 618674 ) on Saturday September 08, 2007 @12:51PM (#20521471)
    It is a backdoor trojan, not a worm - largely spread via email .exe attachments, but also installed by at least one other mass mailer worm, W32.Mixor.Q@mm.

    http://en.wikipedia.org/wiki/Storm_Worm
    http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99&tabid=2

    It's detected and removed by the usual array of anti-virus software (it installs a malicious device service %System%\wincom32.sys, that joins it to the private distributed P2P control network). However, it does also have capability to download additional malicious software, and has changed form several times.

    http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
    Currently the malware being downloaded is as follows:

    game0.exe: A downloader + rootkit component - detected as Trojan.Abwiz.F
    game1.exe: Proxy Mail Relay for spam which opens port TCP 25 on the infected machine - detected as W32.Mixor.Q@mm
    game2.exe: Mail Harvester which gathers mail addresses on the machine and posts them as 1.JPG to a remote server - detected as W32.Mixor.Q@mm
    game3.exe: W32.Mixor.Q@mm
    game4.exe: It contacts a C&C server to download some configuration file - detected as W32.Mixor.Q@mm

  • Re:Grey Hat solution (Score:5, Informative)

    by Nintendork ( 411169 ) on Saturday September 08, 2007 @01:00PM (#20521527) Homepage
    Someone already did this to counter the Blaster worm. See Welchia. The problem with this one though is that it was flooding networks with ICMP pings, causing more network outages than the Blaster worm it was designed to fight.
  • by cpq ( 1153697 ) on Saturday September 08, 2007 @01:20PM (#20521661)

    > user@my-box:~$ host aa419.org
    > aa419.org has address 127.0.0.1
    Actually this is the SMART thing to do. If they're attacking the hostname of the website, any smart admin would change the DNS record to lower the TTL to update, and update their address to 127.0.0.1. This way the botnet boxes end up attacking themselves. I've done it before. Then once the attack is over you update your A name record to the actual IP.
  • Almost (Score:4, Informative)

    by Xenographic ( 557057 ) on Saturday September 08, 2007 @01:22PM (#20521677) Journal
    * A worm infects without user intervention (e.g. SQL Slammer, which *was* a worm).
    * A trojan is a hidden "feature" of some otherwise legitimate software.
    * A virus is a program that attaches itself to other files.
    * A backdoor gives someone remote control of the machine.
    * A botnet is an advanced backdoor where one can control many machines at once, e.g. from an IRC channel. PCs infected by completely different malware can all join the same person's botnet. Conversely, PCs infected by customized versions of the same malware can join different botnets.

    The problem is that the media doesn't understand ANY of this and that the categories aren't all mutually exclusive. This is a trojan & backdoor that spreads via dumb users executing attachments they shouldn't.
  • 127.0.0.1'd (Score:2, Informative)

    by cpq ( 1153697 ) on Saturday September 08, 2007 @01:30PM (#20521733)
    Some of the sites are using DNS records to point back to 127.0.0.1 and lowering their TTL so the botnet machines attack themselves. Easy way to defend (in some way) a DDoS. Don't count on the site(s) being up until the owners are sure more bandwidth / CPU cycles won't be wasted.
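    An added example, not from any commenter in this thread: a small Python checker that parses the output of the `host` command (the lines weierstrass pasted above) and flags hostnames whose A/AAAA answers all point at loopback, which is what the 127.0.0.1 sinkhole described by cpq looks like from the outside. The sample output is constructed; only the aa419.org lines mirror what was quoted, and example.test is a made-up name with a TEST-NET address.

```python
"""Spot DNS names that currently resolve to loopback (the 127.0.0.1 'sinkhole'
DDoS mitigation) by parsing the plain-text output of `host`."""
import ipaddress
import re

# Constructed sample, modelled on the `host aa419.org` lines quoted in the thread.
# example.test / 203.0.113.10 are documentation values, not a real host.
SAMPLE_HOST_OUTPUT = """\
aa419.org has address 127.0.0.1
aa419.org mail is handled by 5 mail.aa419.org.
example.test has address 203.0.113.10
example.test has IPv6 address 2001:db8::1
"""

# Matches "<name> has address <v4>" and "<name> has IPv6 address <v6>".
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def classify(addr: str) -> str:
    """Label one answer: 'loopback' (127/8 or ::1), 'unspecified' (0.0.0.0 / ::), or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"       # every bot's traffic is sent back to the bot itself
    if ip.is_unspecified:
        return "unspecified"    # another common 'nowhere' answer
    return "other"


def parse_host_output(text: str) -> dict:
    """Map each hostname to a list of (address, label) pairs; MX lines are skipped."""
    result = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue  # e.g. 'mail is handled by ...' carries no address to classify
        name, addr = m.groups()
        result.setdefault(name, []).append((addr, classify(addr)))
    return result


def sinkholed_hosts(text: str) -> list:
    """Hostnames for which no answer is a normal ('other') address."""
    parsed = parse_host_output(text)
    return sorted(name for name, answers in parsed.items()
                  if answers and all(label != "other" for _, label in answers))


if __name__ == "__main__":
    for name, answers in parse_host_output(SAMPLE_HOST_OUTPUT).items():
        print(name, answers)
    print("sinkholed:", sinkholed_hosts(SAMPLE_HOST_OUTPUT))
```

    Feed it `host <name> | python3 checker.py`-style output of your own to see whether a site under attack has switched to the loopback trick; a short TTL on the record is what lets the owner flip it back quickly afterwards.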
  • by Anonymous Coward on Saturday September 08, 2007 @04:49PM (#20523139)
    > AFAIK, Worm meant it propagated by the Internet.

    Worm meant it was a separate executable, and virus meant it needed attaching to a host file. Viruses in the classic sense are virtually non-existent, but "virus" is still used pretty loosely as a term for malware in the AV industry. But in IDS and network-facing areas, "worm" is the usual term.

    I work for symantec, that's the terms they use. BTW, absolutely no one there says "virii".
  • by Lightster ( 1084511 ) on Saturday September 08, 2007 @07:28PM (#20524155)
    I remember when this happened against Blue Frog. They were forced to shut their service down due to the DoS attack against them. As soon as the spammers feel threatened by any anti-spam organization they just launch these kinds of attacks and shut them down. They seem to easily get away with it. Kind of sad really, there needs to be a fight against spammers on a larger level with Governments and IT corporations getting involved.