Storm Worm Botnet Partitions May Be Up For Sale 192

Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."
  • by Ant P. ( 974313 ) on Tuesday October 16, 2007 @12:08PM (#20997041)
    It means the spammers register a bunch of domain names to spam in their emails, and rotate the zombie PC IP they're pointing to every few minutes. Makes it harder to shut down.
  • by bobs666 ( 146801 ) on Tuesday October 16, 2007 @12:11PM (#20997101)
  • by QuantumRiff ( 120817 ) on Tuesday October 16, 2007 @12:13PM (#20997125)
    Basically, you set your records to expire in a very, very short time, and constantly change the DNS servers, as well as the records. This makes it very hard to shut down the DNS, since it's always moving and changing. I guess a good way to picture it is if at google, every single one of their 1M servers was changing. I.e., every 5 seconds, a different machine was the dns server for "Google.com" and the www address changed to a different computer. Then, try to figure out which machine was misbehaving, and displaying the wrong data. It would be difficult.
  • by Zymergy ( 803632 ) * on Tuesday October 16, 2007 @12:34PM (#20997503)
    http://www.schneier.com/crypto-gram-0710.html#1 [schneier.com]
    A good essay on the Storm Worm and how it works and how it can be prevented (or rather why it CAN'T be prevented in many cases).
  • by guruevi ( 827432 ) on Tuesday October 16, 2007 @03:42PM (#21000547)
    Actually you'll have to change the TTL prior to failing over. So if you use it for active fail-over and not for scheduled maintenance, the other nameservers will be using your 'old' TTL. A common mistake by cheap webhosters.

    The other issue is that TTL is a suggested time for keeping your records alive. The other (caching) nameserver can choose to ignore it (to circumvent stuff like this botnet or just to keep its own load down) or if it can't reach your nameservers after that TTL you specified it will just wait until the next cycle (2*TTL) or until your Maximum TTL (there is another record for that) has been exceeded which means it will not give any results anymore if it can't contact the nameservers. There are also caching nameservers that set up a minimum TTL which overrides your recommended TTL and maximum TTL.
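The two comments above (QuantumRiff's description of fast-flux records and guruevi's point that a caching resolver may clamp the TTL you publish) can be made concrete with a small simulation. This is an added example, not code from the thread or from any Storm analysis: it replays a constructed sequence of authoritative answers for a hypothetical fluxing domain, scores them with an assumed, simplified flux heuristic (short TTL, many distinct IPs, spread over several /16 blocks), and then replays the same answers as a caching resolver with an assumed TTL floor would hand them out. The addresses are RFC 5737 documentation ranges and the thresholds are assumptions, not values from the page.

```python
"""Fast-flux observation vs. resolver TTL clamping (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Answer:
    t: int                 # seconds since start of observation
    ttl: int               # TTL on the A RRset as received
    ips: Tuple[str, ...]   # A records in the answer


# Constructed: a hypothetical flux domain queried once a minute at the
# authoritative server.  Tiny TTL, a fresh set of zombie IPs every answer.
FLUX_ANSWERS: List[Answer] = [
    Answer(0,   30, ("198.51.100.7",   "203.0.113.45",  "192.0.2.88")),
    Answer(60,  30, ("203.0.113.201",  "198.51.100.120", "192.0.2.9")),
    Answer(120, 30, ("192.0.2.150",    "203.0.113.3",   "198.51.100.240")),
    Answer(180, 30, ("198.51.100.66",  "192.0.2.201",   "203.0.113.99")),
]

# Constructed: an ordinary domain with a normal TTL and a stable RRset.
STABLE_ANSWERS: List[Answer] = [
    Answer(0,   300, ("192.0.2.10", "192.0.2.11")),
    Answer(60,  300, ("192.0.2.10", "192.0.2.11")),
    Answer(120, 300, ("192.0.2.11", "192.0.2.10")),
    Answer(180, 300, ("192.0.2.10", "192.0.2.11")),
]


def flux_features(answers: List[Answer]) -> Dict[str, int]:
    """Summarise what an observer saw across a series of answers."""
    ips = {ip for a in answers for ip in a.ips}
    # /16 is an assumed, crude stand-in for "different networks"; a real
    # detector would map IPs to ASNs instead.
    prefixes = {str(ip_network(ip + "/16", strict=False)) for ip in ips}
    return {
        "unique_ips": len(ips),
        "unique_prefixes": len(prefixes),
        "min_ttl": min(a.ttl for a in answers),
    }


def looks_like_fast_flux(answers: List[Answer], max_ttl: int = 60,
                         min_ips: int = 6, min_prefixes: int = 2) -> bool:
    """Assumed heuristic: short TTL plus many IPs spread over several blocks."""
    f = flux_features(answers)
    return (f["min_ttl"] <= max_ttl
            and f["unique_ips"] >= min_ips
            and f["unique_prefixes"] >= min_prefixes)


def observe_through_cache(answers: List[Answer], min_ttl: int = 0) -> List[Answer]:
    """Replay the authoritative answers as seen by a client behind a caching
    resolver that enforces a TTL floor (min_ttl).  The resolver only refetches
    once its cached copy has expired, so a large floor hides most of the
    rotation from anyone querying through it."""
    seen: List[Answer] = []
    expires = -1
    cached = None
    for a in answers:
        if cached is None or a.t >= expires:
            cached = a
            expires = a.t + max(a.ttl, min_ttl)
        seen.append(Answer(a.t, cached.ttl, cached.ips))
    return seen


if __name__ == "__main__":
    print("direct, flux domain:  ", flux_features(FLUX_ANSWERS),
          looks_like_fast_flux(FLUX_ANSWERS))
    print("direct, stable domain:", flux_features(STABLE_ANSWERS),
          looks_like_fast_flux(STABLE_ANSWERS))
    clamped = observe_through_cache(FLUX_ANSWERS, min_ttl=600)
    print("via cache (floor 600):", flux_features(clamped),
          looks_like_fast_flux(clamped))
```

Queried directly, the constructed flux domain yields twelve addresses across three /16 blocks with a 30-second TTL and trips the heuristic; the stable domain does not. Replayed through a resolver with a 600-second floor, the same domain shows only the three addresses from the first answer, which is exactly why flux measurements should be taken against the authoritative servers rather than through a shared cache.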
  • Re:Yes. (Score:3, Informative)

    by jimicus ( 737525 ) on Tuesday October 16, 2007 @04:14PM (#21001053)
    Or you could run Linux.
  • Re:Yes. (Score:3, Informative)

    by analog_line ( 465182 ) on Tuesday October 16, 2007 @09:03PM (#21004433)
    Basically, it's impossible to know for certain that you're infected, because the people that design and implement these botnets are the best in the world at what they do. They are paid quite a lot, regularly, have no scruples about how they conduct their research, and can do their research totally anonymously.

    The only way to know if your operating system has been infected is to be lucky enough to have the bad guys screw up and flood your system with enough bad stuff to affect performance. Even then, plain old operating system cruft can have much the same effect (especially on Windows, and often on Macs, even on Linux depending on how you muck around with it). Thankfully for most of us, criminals have been unable (through lack of ability or knowledge) to design software that hides well at all. When something bad got on your system, it could at least be found, if not directly dealt with beyond a nuke from orbit.

    Storm is the most highly publicized way that this is all changing. These people are smart, motivated, and well funded. As opposed to merely reacting to AV companies, they've begun anticipating the kind of things that AV companies will be trying, and working out ways to protect against those attacks, and hiding in the host is the single most important part of that. Old computer viruses killed the host, but that's not a good survival trait for a virus. Viruses that hide around under the covers and do their spreading with a minimum of impact on their hosts are the most successful. See: the common cold. And computer viruses do things that the common cold could never dream of doing, like mutating every half hour to avoid the body's own antivirus defenses.
