
Anti-Scammers Become Storm Botnet Victims

capnkr writes "It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet. Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well. Sounds like a massive, concerted effort against the folks who are fighting the good fight. Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."


  • Slashdotted (Score:5, Insightful)

    by elh_inny ( 557966 ) on Saturday September 08, 2007 @11:36AM (#20520955) Homepage Journal
    Posting the info and having people slashdot the mentioned sites is not going to help them either :)
  • by snsr ( 917423 ) on Saturday September 08, 2007 @11:49AM (#20521063)
    "neuter-viri" (self replicating auto-patchers).
    This is a great idea. I wonder how well this would be received. I guess ideally it wouldn't even be noticed.
  • Re:Slashdotted (Score:4, Insightful)

    by MollyB ( 162595 ) * on Saturday September 08, 2007 @11:51AM (#20521073) Journal
    To an extent, you are correct. But I got the impression from the Spamnation link (#4) that this has been going on for days. Heck, the Update on that site was dated Sept. 6. We only have n number of users. The Russians (read TFA) have lots and lots (technical term) of botnets and are assumed to be taking revenge on their tormentors. I think this trumps the slashdot effect, but that's just my opinion.
  • by saskboy ( 600063 ) on Saturday September 08, 2007 @11:55AM (#20521107) Homepage Journal
    The authors would have to be extremely careful. If they include a bug, the results could be worse than doing nothing at all. And if they include a backdoor or auto-update feature, the blackhats could end up using machines with the auto-patcher infection instead.
  • Solution??? (Score:5, Insightful)

    by Glock27 ( 446276 ) on Saturday September 08, 2007 @12:02PM (#20521153)
    Why have I seen several articles on this Storm worm, and yet no one seems concerned with how to remove it from systems?

    Is there a scanner and fix available? It does require executing an email attachment, right?

    It really shouldn't be called a worm unless it can worm its way in without social engineering...

  • Re:Solution??? (Score:3, Insightful)

    by an.echte.trilingue ( 1063180 ) on Saturday September 08, 2007 @12:37PM (#20521379) Homepage
    It is delivered as a Trojan. People don't discuss removal techniques because the answer is so painfully obvious that most here don't think it is worth mentioning. Norton, AVG, ClamAV, any anti-virus on the market or available for free will detect Storm's various incarnations, and most of them will disable it. Problem is, there are just millions and millions of (Windows) users who don't bother with the most basic security.
  • by Swavek ( 1139471 ) on Saturday September 08, 2007 @12:51PM (#20521467)
    Didn't some internet provider at one time threaten or attempt to disconnect customers whose computers were suspected to have spyware or a virus infection? I think more internet providers (errr.. high speed internet providers) should take charge and disconnect computers that are (or might be) part of a large botnet. This brings me to the point that, just as most people don't have a clue how a car functions under the hood, most people also don't know how a computer functions inside its case. So ignorance should not be an excuse for having a computer that's infected with every virus or malware under the sun connected to the internet. If a person had a car that kept causing problems on the road, then it would eventually find itself towed away or shoved off the road (much like a computer might be forcefully disconnected from its internet provider).
    Much like the local police or the local transportation dept. might maintain roads and highways, so should the super information highway be maintained by internet providers and various security experts. Ignorance cannot be an excuse! It certainly doesn't work when you're being arrested for vehicular manslaughter. "But officer, I didn't see that old lady crossing the road..."
  • by wubboy ( 96276 ) on Saturday September 08, 2007 @01:05PM (#20521575)
    Something like, if os = Windows then deny?
  • by garompeta ( 1068578 ) on Saturday September 08, 2007 @01:24PM (#20521693)
    You are underestimating how valuable and powerful distributed computing is, my friend.
    It has been used for distributed MD5 crackers, collisions in SHA-1, and the search for extraterrestrial life... (eer... yeah)
    Having a gigantic botnet of at least 100,000 computers, up to unimaginable millions of infected computers that we are probably ignoring or are unable to detect, gives a tremendous asset to a malicious hacker.

    It is a very fat milking cow:

    1) Crack passwords that are not considered crackable in a reasonable amount of time
    2) Botnets to attack whoever he wants (at a reasonable price or for a reasonable cause)
    3) Millions of passwords, login accounts, PayPal, Amazon, credit card, identity, whatever, stolen.
    4) Millions of proxies to hop on and chain, hiding the source of a real meticulous attack.
    5) Millions of illegal distributed servers to host illegal materials (eg: virii, worms, child pornography)

    Etc...

  • Re:Big deal? (Score:2, Insightful)

    by cpq ( 1153697 ) on Saturday September 08, 2007 @01:28PM (#20521711)

    Doesn't that seem like a poor allocation of resources on behalf of the bot net controllers? I mean, how long could a DDOS attack possibly be carried on? A few hours? Maybe a day at most? I can see that, for a retailer, that sort of thing would seriously impact business but if these sites go down for a day, does that really matter?
    They could have it run for a month or two. With the lack of knowledge of PC users, and the mass-spreading technique, and the fact we have cable infected PCs and now have zombied Verizon FiOS machines, that's some serious bandwidth. This is just a slap on the wrists from the runners of the botnet, perhaps making a point?
  • by pokerdad ( 1124121 ) on Saturday September 08, 2007 @01:29PM (#20521731)

    Didn't some internet provider at one time threaten or attempt to disconnect customers whose computer were suspected to have spyware or a virus infection?

    Virtually all ISPs do this, it's just that what they count as "suspected to have spyware or a virus infection" is pretty lax. Usually the only thing that counts is sending out more than x many emails in a certain time frame. Of course, I would rather have them be lax than be intruding on my system.

  • by quanticle ( 843097 ) on Saturday September 08, 2007 @01:44PM (#20521867) Homepage

    It might be a test or demonstration of the botnet. Like any weapon it needs to be test fired before actual use. The persons controlling this might be trying to kill two birds with one stone - test the botnet, and knock those who taunt you off the air.

  • Re:Solution??? (Score:5, Insightful)

    by Joebert ( 946227 ) on Saturday September 08, 2007 @02:20PM (#20522157) Homepage
    This is exactly how people get infected.

    Who the fuck are you, & who the fuck is "Team Fury" ?
  • Re:Solution??? (Score:5, Insightful)

    by Anonymous Brave Guy ( 457657 ) on Saturday September 08, 2007 @02:48PM (#20522349)

    Problem is, there are just millions and millions of (windows) users who don't bother with the most basic security.

    And the solution is for ISPs to cut off any machine that appears to have been compromised, and for ISPs to collectively isolate and cut off other ISPs that allow significant amounts of bad traffic out of their networks.

    I'm all for due process, but in cases like this, a real-time response is required and there isn't much doubt whether a machine/network is emitting significant amounts of bad traffic or not. You just have to make people get their own house in order, and if they don't, kick them off the Internet until they do.

  • This is not proof (Score:3, Insightful)

    by Rich Klein ( 699591 ) on Saturday September 08, 2007 @03:09PM (#20522515) Homepage Journal
    "I think it shows without a doubt that their efforts to 'get back' at the scammers are working."

    I'd like to agree with you, but it makes about as much sense as saying that increased violence in Iraq is proof that the US has terrorists on the run.

    The scam-baiters may be doing a lot of good, but DDoS attacks against them aren't proof of it.
  • Re:size (Score:5, Insightful)

    by maztuhblastah ( 745586 ) on Saturday September 08, 2007 @03:25PM (#20522651) Journal

    if the DHS etc took protective action at the ISP level?


    Oh please god.... no....

    Think of what you're saying! The same group of people who color-code our paranoia, who decide that water bottles are dangerous, and who advise us to purchase duct tape... you want to turn to them for help securing the Internet? Do you have any idea how painful that would be?

    No -- the responsibility here lies with the users and (to some extent) the carriers. If the users' machines are infected, disconnect them. If the carriers detect a large, coordinated traffic pattern, investigate -- and if it's a DDoS attack, block it at the firewall level (before the traffic leaves your network segments.)
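The two carrier-side rules proposed in this thread (pokerdad's "more than x emails in a time frame" cutoff and the "large, coordinated traffic pattern" that maztuhblastah and Anonymous Brave Guy want ISPs to detect and block at the edge) are both sliding-window rate checks over flow data. The block below is an added example, not code from any poster or from any ISP's actual systems: the flow records are constructed inline, and the field layout, window sizes and thresholds are assumptions chosen for the demonstration. It flags a source that opens too many outbound SMTP connections in a window (the spam-bot case) and a destination that receives connections from too many distinct sources in a window (the DDoS-target case).

```python
"""Sliding-window rate detection over flow records (added example).

Flow records are (timestamp_seconds, src_ip, dst_ip, dst_port) and are assumed
to arrive sorted by timestamp. Thresholds and windows are illustrative.
"""
from collections import defaultdict, deque


def sample_flows():
    """Constructed flows: one normal user, one hypothetical spam bot (10.0.0.7)
    and a hypothetical forum host (203.0.113.10) hit by 300 sources at once."""
    flows = []
    # Normal user: one web connection every 30 seconds.
    flows += [(t, "10.0.0.2", "198.51.100.5", 80) for t in range(0, 600, 30)]
    # Spam bot: 200 SMTP connections to distinct mail servers within 60 seconds.
    flows += [(i * 0.3, "10.0.0.7", f"192.0.2.{i % 250 + 1}", 25) for i in range(200)]
    # DDoS: 300 distinct sources each open one connection to the target within 3 s.
    flows += [(100 + i * 0.01, f"10.{i // 250}.{i % 250}.9", "203.0.113.10", 80)
              for i in range(300)]
    return sorted(flows)


def egress_rate_offenders(flows, port, window, threshold):
    """Return {src_ip: peak_count} for sources that opened more than `threshold`
    connections to `port` within any `window`-second span. This is the ISP rule
    'more than x outbound mails in a time frame' expressed over flow data."""
    recent = defaultdict(deque)   # src -> timestamps of in-window connections
    peaks = {}
    for ts, src, _dst, dport in flows:
        if dport != port:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop connections older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def ddos_targets(flows, window, min_sources):
    """Return {dst_ip: peak_distinct_sources} for destinations contacted by more
    than `min_sources` distinct sources within any `window`-second span: the
    coordinated pattern a carrier would investigate before filtering at its edge."""
    recent = defaultdict(deque)                       # dst -> (ts, src) in window
    live = defaultdict(lambda: defaultdict(int))      # dst -> src -> in-window count
    peaks = {}
    for ts, src, dst, _dport in flows:
        q = recent[dst]
        q.append((ts, src))
        live[dst][src] += 1
        while q and ts - q[0][0] > window:
            _old_ts, old_src = q.popleft()
            live[dst][old_src] -= 1
            if live[dst][old_src] == 0:
                del live[dst][old_src]
        distinct = len(live[dst])
        if distinct > min_sources:
            peaks[dst] = max(peaks.get(dst, 0), distinct)
    return peaks


if __name__ == "__main__":
    flows = sample_flows()
    print("SMTP rate offenders:", egress_rate_offenders(flows, 25, 60, 50))
    print("DDoS targets:", ddos_targets(flows, 5, 100))
```

Both detectors are deliberately one-pass and keep only in-window state per host, which is what makes them usable at carrier scale; the price is that they only see volume, not intent, so the distinct-source check would also fire on a legitimate flash crowd. That is why the thread's own suggestion is "investigate, then block" rather than an automatic cutoff.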
  • by Torodung ( 31985 ) on Saturday September 08, 2007 @03:29PM (#20522679) Journal
    This article [wikipedia.org] is a good place to start.

    You could also introduce him to the theory behind Bittorrent [wikipedia.org], which is a good demonstration of how many computers each doing a small task, given modest bandwidth, can add up to massive distribution and publication power in short order.

    Now, what if some distributed network decided to siphon a gig of illegal or embarrassing materials onto a compromised target machine. Perhaps a politician that is voting the wrong way?

    Then ask him, not if the entire banking industry is safe, but if an individual's information (SHA hash collision or private key, but that's not "average Joe" speak) could be subject to a distributed brute force attack [wikipedia.org].

    With the growing power of computers making tiny pieces of malware harder and harder to notice (that 1% of processor time is more and more powerful), and malware being able to literally hide files from the user until such time that it chooses to reveal them, it seems like it's only a matter of time before someone with a large enough botnet, and enough imagination, could start attacking individuals and/or siphoning off their money. How you do this is not something I care to discuss, but the black hats (both the actual criminals and the security experts, as an exercise) already have ideas and are working on it. That's why you'll see them periodically calling for stronger encryption (more bits in the keys). If there was no possible threat, they wouldn't be creating and suggesting longer keys. Rootkits [microsoft.com] would not be a concern, if files hidden from the user were always benign (most are).

    But all it takes is the wrong person to have the right idea, a breakthrough that changes the assumptions, especially in cryptography. Show him the movie "Sneakers [imdb.com]" if you want to fuel some imagination regarding that. It's crap, but it's also fun and sizes the problem for the average Joe. Assuming that only ethical people work in cryptography is somewhat naive. Assuming that unethical people are not watching the progress of ethical individuals in the field is stupid.

    There's nothing to say such solutions and attacks haven't occurred already, but it seems, as your son suggests, unlikely. You can bet if a criminal has figured it out, a little bit of money siphoned off here and there would be almost impossible to detect, especially in an environment where people are unwilling to believe it's even possible. Believe me, if the idea has hit Hollywood [imdb.com], it's old hat. That's exactly how such a criminal would proceed if they had found a way to leverage such distributed computing applications. They would target a distributed network of accounts, one by one, in a way that looked like banking errors (which are numerous and automatically corrected by the bank) and slowly siphon money from the banking industry itself, through compromised individual accounts. No individual would suffer, because of correction processes in the banks, the world's capital reserves would.

    Then ask what that money could buy in terms of influence, weapons, elections?

    Any compromised machine is a liability to its user. Botnets are a menace to society, and we're lucky all they're (hopefully) being used for is "penis enlargement" ads and DDoS attacks. That's barely scraping the surface of their potential.

    If he wants to go on believing that his safety and security are a given, without any effort on his own part, there's little you can do, but anyone with any imagination, who is not in flat out denial, can demonstrate that distributed computing applications have a great deal of power, and that basic security is everyone's concern. It is definitely not good that these ne
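Two comments above (garompeta's "distributed MD5 crackers" and Torodung's "distributed brute force attack" link) describe the same technique without showing it: a controller carves the candidate keyspace into contiguous index ranges and hands each range to an independent worker, so the wall-clock time divides by the number of bots. The block below is an added example, not code from either poster or from any real botnet; the alphabet, password length, worker count and target password are constructed for the demonstration, and the workers are run sequentially so the whole thing executes offline in one process.

```python
"""Keyspace partitioning for a distributed brute-force search (added example).

Candidates are lowercase strings of a fixed length, ordered as a mixed-radix
number so that any index maps to exactly one candidate. The controller splits
range(total) into near-equal [start, end) ranges; each worker hashes only its
own range and never needs to talk to the others.
"""
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed target for the demonstration (not a hash from the thread).
TARGET_HEX = md5_hex("zulu")


def index_to_candidate(index, length, alphabet=ALPHABET):
    """Map an integer in [0, len(alphabet)**length) to the candidate string at
    that position, most significant character first."""
    base = len(alphabet)
    chars = []
    for _ in range(length):
        index, r = divmod(index, base)
        chars.append(alphabet[r])
    return "".join(reversed(chars))


def partition(total, workers):
    """Split range(total) into `workers` contiguous [start, end) ranges whose
    sizes differ by at most one, so no bot sits idle while another finishes."""
    size, extra = divmod(total, workers)
    ranges, start = [], 0
    for w in range(workers):
        end = start + size + (1 if w < extra else 0)
        ranges.append((start, end))
        start = end
    return ranges


def worker_search(target_hex, length, start, end):
    """One worker's job: hash every candidate in its range; return the match or None."""
    for i in range(start, end):
        cand = index_to_candidate(i, length)
        if md5_hex(cand) == target_hex:
            return cand
    return None


def distributed_crack(target_hex, length, workers):
    """Controller: dispatch ranges to workers (simulated sequentially here) and
    return (password, worker_id) on the first hit, or (None, None)."""
    total = len(ALPHABET) ** length
    for w, (start, end) in enumerate(partition(total, workers)):
        found = worker_search(target_hex, length, start, end)
        if found is not None:
            return found, w
    return None, None


if __name__ == "__main__":
    print(distributed_crack(TARGET_HEX, 4, 8))
```

With real workers running in parallel, the controller only has to broadcast the target hash plus each bot's (start, end) pair, and a hit anywhere is enough to stop the rest; that is the whole of the "distributed" part, and it is why unsalted fast hashes such as MD5 are the soft target the thread has in mind.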
  • by garett_spencley ( 193892 ) on Saturday September 08, 2007 @03:54PM (#20522843) Journal
    How do you know when the attack is over if they're no longer attacking your machine thanks to the DNS record pointing to 127.0.0.1 ?

    How long do you wait ?

    I suppose you can try to identify the specific worm that's doing the attack and infect a test machine and watch it. Or if you can reverse engineer it you might be able to find out when the end date is. Beyond that you've effectively taken your entire web site / business offline for an undetermined period of time. I'm not sure it's any better than riding out the attack. The attack could stop and you wouldn't even know it.

    Plus, the minute you unplug your network cable or change your DNS records to a machine that doesn't host your web site you've just handed yourself to the attackers. Taking your business offline is *exactly* what they intended to do. And you did it for them.
  • by timmarhy ( 659436 ) on Saturday September 08, 2007 @06:06PM (#20523629)
    Taking the website off the air isn't their only objective, they are trying to cost them $ in bandwidth. Face it, once you've been targeted by a big DDoS you're screwed, all you can do is try to mitigate some of the damage.
  • by RAMMS+EIN ( 578166 ) on Saturday September 08, 2007 @06:17PM (#20523685) Homepage Journal
    ``So this got me to wondering... how much of this actually _is_ something that is of any real concern, and if it really is, how could it be explained to people in such a way that it's not going to sound like some claim from a conspiracy theorist?''

    A few days ago, I figured that the great difficulty in explaining this to people who don't know already is that, in the Real World, preposterous conspiracy theories are often false. In fact, much more innocuous ones usually are, too. This is something I figured while actually taking some time away from computer security and traveling through the Real World. In the Real World, you can leave your expensive laptop in your unlocked yacht in an unguarded marina, and then leave thousands of dollars worth of electronics equipment in a restaurant to recharge overnight, and none of it will get stolen.

    On the Internet, if your computer is reachable, it will be attacked in a matter of minutes. Any hole that is found in the software you run is likely to get exploited. Most of the email you get is spam sent by exploited Windows machines people have at home. Corporations are watching you, some with orders from the government. You can legitimately wonder _who_ controls your computer. It's not really an exaggeration to say that everything that can go wrong not only will, but has.

    It only starts to get _really_ scary when you consider how much of the Real World is actually dependent on computers these days...
  • Re:Russians (Score:5, Insightful)

    by totally bogus dude ( 1040246 ) on Saturday September 08, 2007 @10:20PM (#20525253)

    Probably because claims to the effect of "all blank are filthy scammers and spammers" are generally considered to be flamebait? Add to that the whole notion of "our cyberspace" and a completely unrealistic proposal (just how do you prevent an entire country from connecting to the internet, anyway?). Yeah, it's flamebait.
