Storm Worm Evolves To Use Tor
An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for their communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on the or-talk mailing list which has some samples of the messages."
Are we late to the party? (Score:5, Interesting)
It just makes sense, and is obvious, and a natural progression of the technology..... Hey! Maybe I should write a patent!
Who is behind the Storm Botnet? (Score:5, Interesting)
While the article does contain a lot of speculation and sketchy sources (like the above quoted Azizov) the evidence does seem to be pointing in a particular direction:
It's starting to look an awful lot like another Cold War is coming, except this time it will be a Cyber war waged by turning your enemy's (and the rest of the world's) poorly secured computers against their critical infrastructure while the actual government absolves itself of blame. Nice.
Who are the stormbot people? (Score:2, Interesting)
Re:Who are the stormbot people? (Score:5, Interesting)
The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers. And they can tripwire their nodes so that after 30 minutes of use as a bouncer, the hard disks are overwritten with 0's (although in most cases this isn't required as IP addresses wouldn't be stored anyway).
A chain of 20 hacked computers spanning the globe operating as routers is not easy to trace. You have to talk to each owner in the chain one-by-one and catch the bounced connection in realtime to reveal the IP for the next node in the chain. And the attackers can obfuscate their presence by programming their bots to simulate these proxy connections at random. Imagine having to trace through 100,000 chains, each containing 20-30 routing nodes. These chains are completely dynamic and randomly change every half an hour.
The Storm botnet is almost the "perfect hack" unless the perpetrators make some big mistakes. If the owners of this botnet installed Freenet on all the bots, we'd have an unenforceable darknet which can only be blocked (maybe! - if you're really lucky) at the ISP. Anyone could tap into this new darknet and do as much internet crime as they like without ever having to worry about getting caught.
I had a different email... (Score:1, Interesting)
Re:Are we late to the party? (Score:4, Interesting)
The main problem though is closed source. If source is closed, then there is no easy way to find malicious code before it is deployed on your system. Ok, I'm speaking as a programmer, so that would be useful for me, not a non coder. Still, the point remains, binary distribution only means trouble, be it storm, a sony rootkit, or just 'phone home' code in a program.
What we need is something sort of like gentoo, where all programs are compiled locally, and the code can be inspected for malicious intent. Alas such technology, while it does exist, does not exist in a form that could be disseminated and used by people with no technological background. This is a pipe dream for the moment, I know this. Especially since I tried once to compile openoffice locally (18 hours I think). Perhaps trusted compile farms that deliver fresh binaries?
Waxing lyrical I know, but there has to be an answer somewhere.
Re:Who are the stormbot people? (Score:3, Interesting)
So work from the other end. How do they make their money? Sending spam, apparently. How does spam make money? Currently, either by getting suckers to send money to them (viagra, Rolexes, etc) or pumping stocks the spammers have bought. In both cases, there must be a money trail, much easier to track than chasing a chain of proxies. Then squeeze these guys till they give up their associates, and eventually the botnet controllers. It takes a government to pressure the stock exchanges, credit card agencies and banks to give up their customers, though; vigilantes aren't going to get anywhere.
You don't have to download the file to be infected (Score:4, Interesting)
Actually, if you're using an unpatched browser, you might not even have to download the file they offer to be infected. The web page includes Javascript exploits for half a dozen security vulnerabilities, which will install the trojan without user interaction. I've posted an analysis [lightbluetouchpaper.org] of the malware code on my blog.
Despite what the article says, Storm isn't using Tor (other than trying to exploit its reputation) and the download isn't a trojaned version of Tor – it's much too small to be that. What's more, the botnet operators appear to have dropped this strategy. While on Thursday the links in the spam went to a fake Tor download [lightbluetouchpaper.org] page, on Friday they showed a fake YouTube video [lightbluetouchpaper.org], and now they show a fake NFL game tracker [johnhsawyer.com].
Re:Are we late to the party? (Score:2, Interesting)
Since storm is controlled peer-to-peer, shouldn't it be possible to co-opt it into sending out anti-virus spam?
The real problem with a huge/scary bot net like this, is not that a small group of people can control it, but that in theory anyone can take it over for their own purposes.
So would IPv6 actually fix this? (Score:2, Interesting)
Even if you weren't ideologically predisposed to sending in the SEALs to whack people for sending out spyware, you could at least block the source traffic and then gradually clean up the already infested machines or rob them of command and control without firing a shot.
I just get enraged by all of these attacks as, honestly, giving money to security people is a sort of a trampling of my job and freedom. The internet is reduced to, our "white warlords" versus their "black warlords", and I think this arrangement is total crap. I can't stand the world where we can't send EXE's as attachments and even images are suspect because I remember how cool the internet was when you could.
Re:Are we late to the party? (Score:3, Interesting)
The main problem though is closed source. If source is closed, then there is no easy way to find malicious code before it is deployed on your system. Ok, I'm speaking as a programmer, so that would be useful for me, not a non coder. Still, the point remains, binary distribution only means trouble, be it storm, a sony rootkit, or just 'phone home' code in a program.
Not really. In a binary I can at least in principle parse rudimentarily for things like "does this ever call the TCP/IP stack" and raise a flag ("why should tetris initiate outbound connections?"). In source, it is pretty darn easy to obfuscate intent ("// open port for game engine here" or such). I doubt that either is really more secure. Nice that I can get the source for OOo, but am I going to actually read the whole thing and then compile it myself (after compiling my own compiler, of course)? Or am I going to download the binary?
What we need is something sort of like gentoo, where all programs are compiled locally, and the code can be inspected for malicious intent. Alas such technology, while it does exist, does not exist in a form that could be disseminated and used by people with no technological background
Sure it does: It's called "just-in-time" compilation. Usually used by languages like TCL or Java that compile to bytecode which is then run on a VM. In principle that allows you to inspect code (unless that code is now jar'ed up or such). And unless we are curious how something was programmed, you and I both will just run it without ever looking at the code....
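As an added example (not code from any poster in this thread), here is the kind of rudimentary static check the comment above describes: pull `strings`-style printable runs out of a binary blob and flag import names and URLs that indicate outbound network capability, so a "tetris that opens sockets" gets a second look. The sample bytes and the indicator lists are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a fake game executable mixing benign strings with
# import-table names that reveal network capability. Not a real binary.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00CreateFileA\x00ReadFile\x00"
    + b"\x01\x02\x03" + b"GAME OVER\x00score\x00"
    + b"WS2_32.dll\x00WSAStartup\x00connect\x00send\x00"
    + b"WININET.dll\x00InternetOpenUrlA\x00"
    + b"http://example.invalid/update.php\x00"
)

# Indicator names (constructed, lower-cased) grouped by the API family they belong to.
NETWORK_INDICATORS = {
    "winsock": {"ws2_32.dll", "wsock32.dll", "wsastartup", "connect", "send", "recv"},
    "wininet": {"wininet.dll", "internetopenurla", "internetopenurlw", "urldownloadtofilea"},
}
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Rudimentary `strings`-style extraction of printable ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def flag_network_capability(blob: bytes) -> Dict[str, List[str]]:
    """Map indicator category -> matched strings; an empty dict means nothing was flagged."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for s in extract_strings(blob):
        for category, names in NETWORK_INDICATORS.items():
            if s.lower() in names:
                findings[category].append(s)
    for m in URL_RE.finditer(blob):
        findings["url"].append(m.group().decode("ascii"))
    return dict(findings)


def review(blob: bytes, expects_network: bool) -> str:
    """Raise the 'why should tetris initiate outbound connections?' flag when
    observed capability disagrees with what the program is supposed to do."""
    found = flag_network_capability(blob)
    if found and not expects_network:
        return "FLAG: unexpected network capability: " + ", ".join(sorted(found))
    return "ok"
```

The check is deliberately shallow, as the comment says: packed or obfuscated binaries hide these strings, so a clean result is not evidence of absence.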
Re:Are we late to the party? (Score:1, Interesting)