Anti-Scammers Become Storm Botnet Victims 207
capnkr writes "It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet.
Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well. Sounds like a massive, concerted effort against the folks who are fighting the good fight.
Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."
Re:somebody needs to stop... (Score:4, Informative)
Battle of the Worms.... (Score:5, Informative)
The big crux is that the "worm" needs to show negative behaviour, i.e. exploit its host's bandwidth and CPU cycles, at least for a while, to gain sufficient impact to "infect & patch" vulnerable machines. It would turn into a battle of the worms, where "grey" worms attempt to infect as many machines as possible, plug the security holes, seek new machines to "infect and patch" and then, after a while, self-delete - while the "black" worms attempt almost the same, only that they do not self-delete but instead continue to exploit their host. Most machines that become victims of rootkits or worms are actually patched up once infected, to avoid losing the machine to competing malware.
More than just DDoS (Score:5, Informative)
Re:Solution??? (Score:5, Informative)
http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]
http://www.symantec.com/security_response/writeup
It's detected and removed by the usual array of anti-virus software (it installs a malicious device service %System%\wincom32.sys, which joins it to the private distributed P2P control network). However, it also has the capability to download additional malicious software, and has changed form several times.
http://www.symantec.com/enterprise/security_respo
Currently the malware being downloaded is as follows:
game0.exe: A downloader + rootkit component - detected as Trojan.Abwiz.F
game1.exe: Proxy Mail Relay for spam which opens port TCP 25 on the infected machine - detected as W32.Mixor.Q@mm
game2.exe: Mail Harvester which gathers mail addresses on the machine and posts them as 1.JPG to a remote server - detected as W32.Mixor.Q@mm
game3.exe: W32.Mixor.Q@mm
game4.exe: It contacts a C&C server to download some configuration file - detected as W32.Mixor.Q@mm
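As an added illustration (not from the comment or from Symantec), the indicators listed above can be checked on a host from a netstat-style listing, a PID-to-image map and a driver-service inventory; the sample data, the allow-list of expected SMTP processes and the function names are constructed for this example.

```python
import re

# Indicators named in the comment above: the driver service, the game0-4 stagers, the TCP 25 relay.
STORM_DRIVER = "wincom32.sys"
STAGER_RE = re.compile(r"\bgame[0-4]\.exe$", re.IGNORECASE)
RELAY_PORT = 25
# Placeholder allow-list: image names that legitimately listen on TCP 25 on a real mail host.
ALLOWED_SMTP = {"smtpsvc.exe", "exchange.exe"}

# Constructed `netstat -ano`-style lines: Proto, Local, Foreign, State, PID.
NETSTAT_SAMPLE = """\
TCP    0.0.0.0:135      0.0.0.0:0    LISTENING    904
TCP    0.0.0.0:25       0.0.0.0:0    LISTENING    1788
TCP    10.0.0.5:1054    10.0.0.9:80  ESTABLISHED  1788
"""
# Constructed PID -> image map, as `tasklist` would report it.
TASKLIST_SAMPLE = {904: "svchost.exe", 1788: "game1.exe"}
# Constructed kernel-driver service inventory: (service name, binary path).
DRIVERS_SAMPLE = [("atapi", r"%System%\DRIVERS\atapi.sys"),
                  ("wincom32", r"%System%\wincom32.sys")]

# Only TCP lines carry a state column, so UDP lines are ignored on purpose.
NETSTAT_RE = re.compile(r"^TCP\s+\S+:(\d+)\s+\S+\s+(\w+)\s+(\d+)$")

def suspicious_smtp_listeners(netstat_text, pid_to_image):
    """Return (pid, image) for TCP 25 listeners not owned by an expected SMTP service."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue
        port, state, pid = int(m.group(1)), m.group(2), int(m.group(3))
        if port == RELAY_PORT and state == "LISTENING":
            image = pid_to_image.get(pid, "?")
            if image.lower() not in ALLOWED_SMTP:
                hits.append((pid, image))
    return hits

def storm_driver_services(drivers):
    """Return service names whose binary is the wincom32.sys driver from the write-up."""
    return [name for name, path in drivers if path.lower().endswith(STORM_DRIVER)]

def stager_processes(pid_to_image):
    """Return PIDs whose image name matches the game0.exe..game4.exe stagers."""
    return sorted(pid for pid, img in pid_to_image.items() if STAGER_RE.search(img))

def triage(netstat_text, pid_to_image, drivers):
    return {"smtp_relay": suspicious_smtp_listeners(netstat_text, pid_to_image),
            "driver": storm_driver_services(drivers),
            "stagers": stager_processes(pid_to_image)}
```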
Re:Grey Hat solution (Score:5, Informative)
Re:More than just DDoS (Score:5, Informative)
Almost (Score:4, Informative)
* A trojan is a hidden "feature" of some otherwise legitimate software.
* A virus is a program that attaches itself to other files.
* A backdoor gives someone remote control of the machine.
* A botnet is an advanced backdoor where one can control many machines at once, e.g. from an IRC channel. PCs infected by completely different malware can all join the same person's botnet. Conversely, PCs infected by customized versions of the same malware can join different botnets.
The problem is that the media doesn't understand ANY of this and that the categories aren't all mutually exclusive. This is a trojan & backdoor that spreads via dumb users executing attachments they shouldn't.
127.0.0.1'd (Score:2, Informative)
Re:Worm / hacker / cracker (Score:1, Informative)
Worm meant it was a separate executable, and virus meant it needed attaching to a host file. Viruses in the classic sense are virtually non-existent, but "virus" is still used pretty loosely as a term for malware in the AV industry. But in IDS and network-facing areas, "worm" is the usual term.
I work for Symantec, that's the terms they use. BTW, absolutely no one there says "virii".
Spammers at it again. (Score:2, Informative)