Storm Worm Botnet Partitions May Be Up For Sale
Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."
Bruce Schneier discusses the Storm Worm (Score:5, Informative)
A good essay on the Storm Worm and how it works and how it can be prevented (or rather why it CAN'T be prevented in many cases).
Re:Yes. Re:Are there legitimate reasons to do this (Score:3, Informative)
The other issue is that TTL is a suggested time for keeping your records alive. The other (caching) nameserver can choose to ignore it (to circumvent stuff like this botnet or just to keep its own load down), or if it can't reach your nameservers after that TTL you specified, it will just wait until the next cycle (2*TTL) or until your Maximum TTL (there is another record for that) has been exceeded, which means it will not give any results anymore if it can't contact the nameservers. There are also caching nameservers that set up a minimum TTL which overrides your recommended TTL and maximum TTL.
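The caching behaviour described in the comment above (a resolver clamping short TTLs to its own minimum, capping them at a maximum, and serving stale data when the authoritative servers cannot be reached) is simulated below. This is an added example written for this page, not code from any real resolver; the `ResolverPolicy`, `CachingResolver` and `FluxUpstream` names, the `flux.example` name and the TEST-NET-1 addresses are all constructed for the illustration. The upstream stub rotates its answer on every query with a 60-second TTL, the pattern fast-flux hosting depends on, so the query counts show how a minimum-TTL override blunts that rotation from the resolver's side.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (rdata, advertised TTL), or None when the authoritative side is unreachable
Answer = Optional[Tuple[str, int]]


@dataclass
class ResolverPolicy:
    min_ttl: int = 0        # floor for advertised TTLs; overrides very short (fast-flux style) TTLs
    max_ttl: int = 86400    # hard cap: no record is served longer than this, even when stale


@dataclass
class CacheEntry:
    rdata: str
    advertised_ttl: int
    fetched_at: int


class CachingResolver:
    """Hypothetical caching resolver applying min/max TTL policy and serving stale
    data while the authoritative servers are unreachable."""

    def __init__(self, policy: ResolverPolicy, upstream: Callable[[str], Answer]):
        self.policy = policy
        self.upstream = upstream
        self.cache: Dict[str, CacheEntry] = {}

    def effective_ttl(self, advertised: int) -> int:
        # Clamp the authoritative TTL into [min_ttl, max_ttl].
        return min(max(advertised, self.policy.min_ttl), self.policy.max_ttl)

    def resolve(self, name: str, now: int) -> Optional[str]:
        entry = self.cache.get(name)
        if entry is not None:
            age = now - entry.fetched_at
            if age < self.effective_ttl(entry.advertised_ttl):
                return entry.rdata          # still fresh under our policy: no upstream query
            if age >= self.policy.max_ttl:
                del self.cache[name]        # past the hard cap: never serve this record again
                entry = None
        answer = self.upstream(name)
        if answer is None:
            # Authoritative servers unreachable: keep serving the stale record (if any)
            # until max_ttl is exceeded, then answer nothing at all.
            return entry.rdata if entry is not None else None
        rdata, ttl = answer
        self.cache[name] = CacheEntry(rdata, ttl, now)
        return rdata


class FluxUpstream:
    """Constructed stand-in for an authoritative server that rotates its A record
    on every query with a very short TTL."""

    def __init__(self, ttl: int = 60):
        self.ttl = ttl
        self.queries = 0
        self.reachable = True

    def __call__(self, name: str) -> Answer:
        if not self.reachable:
            return None
        self.queries += 1
        return (f"192.0.2.{self.queries}", self.ttl)   # TEST-NET-1 documentation addresses


def simulate(min_ttl: int, times=(0, 100, 200)) -> Tuple[List[str], int]:
    """Resolve one name at the given instants; return the answers seen and how
    many times the upstream was actually asked."""
    upstream = FluxUpstream(ttl=60)
    resolver = CachingResolver(ResolverPolicy(min_ttl=min_ttl), upstream)
    answers = [resolver.resolve("flux.example", t) for t in times]
    return answers, upstream.queries


def simulate_outage() -> Tuple[Optional[str], Optional[str]]:
    """Fetch once, then make the upstream unreachable: the stale record is still
    served after its TTL expires, but not once max_ttl has passed."""
    upstream = FluxUpstream(ttl=60)
    resolver = CachingResolver(ResolverPolicy(max_ttl=86400), upstream)
    resolver.resolve("flux.example", 0)
    upstream.reachable = False
    return resolver.resolve("flux.example", 100), resolver.resolve("flux.example", 90000)


if __name__ == "__main__":
    print(simulate(min_ttl=0))      # every lookup reaches the upstream and sees a new address
    print(simulate(min_ttl=3600))   # one upstream query; the floor pins the first address
    print(simulate_outage())        # stale answer at t=100, nothing at t=90000
```

With `min_ttl=0` the resolver honours the 60-second TTL and asks the upstream on every lookup, so each client sees a different address; with `min_ttl=3600` it asks once and keeps handing out the first address for an hour. The outage case shows the two behaviours the comment describes: the stale record is served while the authoritative servers are down, and nothing is served once the maximum TTL is exceeded.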
Re:Yes. (Score:3, Informative)
The only way to know if your operating system has been infected is to be lucky enough to have the bad guys screw up and flood your system with enough bad stuff to affect performance. Even then, plain old operating system cruft can have much the same effect (especially on Windows, and often on Macs, even on Linux depending on how you muck around with it). Thankfully for most of us, criminals have been unable (through lack of ability or knowledge) to design software that hides well at all. When something bad got on your system, it could at least be found, if not directly dealt with beyond a nuke from orbit.
Storm is the most highly publicized way that this is all changing. These people are smart, motivated, and well funded. As opposed to merely reacting to AV companies, they've begun anticipating the kind of things that AV companies will be trying, and working out ways to protect against those attacks, and hiding in the host is the single most important part of that. Old computer viruses killed the host, but that's not a good survival trait for a virus. Viruses that hide around under the covers and do their spreading with a minimum of impact on their hosts are the most successful. See: the common cold. And computer viruses do things that the common cold could never dream of doing, like mutating every half hour to avoid the body's own antivirus defenses.