
Storm Worm Being Reduced to a Squall

Posted by Zonk
from the blood-pressure-lowering-sight-returning dept.
Rumours of financial schemes surrounding the botnet aside, PC World has an article that should lower the blood pressure of some SysAdmins. The Storm Worm botnet is apparently shrinking. A researcher out of UC San Diego who has been tracking the network has published a report indicating it is now only 10% of its former size. "Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world's most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time. Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network."
  • Spread of Windows (Score:3, Interesting)

    by Prysorra (1040518) on Sunday October 21, 2007 @01:25PM (#21064185)
    Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?

    Just wondering.
    • by Colin Smith (2679) on Sunday October 21, 2007 @01:32PM (#21064237)
      Hmmm... Windows as a threat to national security ...

      Imagines SWAT teams dodging chairs as they storm Microsoft headquarters to screams of "You'll never take me alive copper!"

• by rustalot42684 (1055008) on Sunday October 21, 2007 @02:19PM (#21064593)
        But then SWAT is beaten back by Clippy:
        It looks like you're trying to raid the Redmond campus. Would you like to:
        • Hunt and kill all the employees
        • Destroy the supercomputer cores
        • Uncover the secret plot for world domination
        • Just raid the campus without help
        # Don't show me this tip again
        • by Colin Smith (2679)
          Ah. This explains volumes about American foreign policy...

        • Psst, it's Bob, the avatar that went underground years ago. He's the mastermind behind it; Clippy is just the stooge up front to take all of the heat. Kill Bob.
      • Re: (Score:3, Funny)

        by Gerzel (240421) *
        Ballmer is a master of his art. There would be no dodging.
    • by khasim (1285)
      From TFA:

      Then on September 11, Microsoft added Storm detection (Microsoft's name for Storm's components is Win32/Nuwar) into its Malicious Software Removal tool, which ships with every Windows system. Overnight, Storm infections dropped by another 20 percent.

      Anyone have any info on whether Microsoft's tool would detect it earlier?
    • Re: (Score:2, Insightful)

      by sakdoctor (1087155)
      I'd say enforcement of Windows piracy is the least lax that it has ever been.
      WGA raises the barrier of casual copying to lusers whose skill wouldn't have been enough to stop them getting pwned by some virus and being incorporated into a botnet.
      • Re: (Score:2, Insightful)

        by Anonymous Coward
        That's part of the problem. One of the ways they protect against piracy is keeping you from getting updates. This leaves unpatched pirated systems out there. Since there is no real legal threat for the average user, the only real motivation for a person to get a legit copy is so they can get security updates easily. Joe Six Pack is just going to borrow that pirated copy of XP his buddy picked up at a flea market. OP brings up a very valid point.
        • Re: (Score:3, Informative)

          by LO0G (606364)
          Huh? According to Microsoft they provide security updates to pirated versions of Windows. Source: (click on "Will users of non-genuine Windows be blocked from receiving security updates?") [microsoft.com]

          It also appears that the Malicious Software Removal Tool [microsoft.com] doesn't require validation either.

          So you can run the same malware removal tools on pirated versions of Windows as well.
          • by Keruo (771880) on Sunday October 21, 2007 @04:23PM (#21065591)
            > It also appears that the Malicious Software Removal Tool [goodbye-microsoft.com] doesn't require validation either.

            Fixed your link.
          • Re: (Score:3, Informative)

            by petermgreen (876956)
            > Huh? According to Microsoft they provide security updates to pirated versions of Windows.
            they do kind of.

            If you want to run pirate windows without getting nags and you don't have access to a good (as in allocated by MS and not shitlisted because of wide distribution) corp key, you have to either crack windows genuine advantage notifications or keep it off your system. Cracking it has the downside that MS could release an update at any time.

            There are two easy ways to keep windows genuine advantage notifications off
            • Re: (Score:2, Informative)

              by thejynxed (831517)
              The problem with your solution is:

              Some security updates won't be installed even via Automatic Updates if WGA is not found to be installed on the machine. There's a programmed limit tied into a WGA check. It doesn't check if your system is genuine or not, but it checks if WGA is installed and operational. If it is, you get all hotfixes past a certain KB number. If it is found to be a defect WGA install, you only get those hotfixes that are excluded from the check. This is why Autopatcher was so useful. You c
              • Re: (Score:3, Interesting)

                by Bearhouse (1034238)
                Good post, with which I agree totally, and is probably useful for some, thus 'insightful', I guess.

                I've given up on windows activation, for much the same reasons as yourself. I seem to spend my weekends re-installing friends' and neighbours' windows PCs, and have either purchased, or legal access to, ALL the flavours of XP (and Vista etc.)

                The easiest installs (for 'office' too) are *always* the unattended, slipstreamed 'pirate' versions found on the net, (suitably checked, of course). Update the serial num
    • Re: (Score:3, Insightful)

      by $RANDOMLUSER (804576)
      Or possibly it's the lax enforcement of security standards by Redmond programmers? Or the lax attitude of Microsoft about all things not directly related to increased sales and world hegemony?
    • > Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?
      no. windows does just fine getting infected by itself, it doesn't need a pirate's help arrrr.
    • Re: (Score:3, Insightful)

      by vtcodger (957785)
      ***Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?***

      Why would anyone think that? Windows is Windows whether it's pirated or paid for. Is a drunk weaving through heavy traffic at 135kph any more or less of a menace if he's driving a stolen car rather than a car he "owns"?

    • > Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?
      IMO anti piracy measures are contributing to insecurity. The fact is that such measures WILL be cracked, and those using cracked versions will be reluctant to install updates, both from the point of view of MS possibly breaking their system (I don't think WGA actually disables your system on XP, but it does give annoying nag messages; they could change it to be nastier at any time, sure yo
    • by shish (588640)

      > Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?
      No.
    • by s_p_oneil (795792)
      Are you trying to say there may actually be a good side to the WGA stuff Microsoft is forcing everyone to install? ;-)
  • Good (Score:5, Funny)

    by Colin Smith (2679) on Sunday October 21, 2007 @01:30PM (#21064227)
    Now that it's down to 5 million we can all breathe a sigh of relief...

  • Oblig. (Score:2, Interesting)

    Couldn't this just be the 'eye' of the Storm?

    Or is it possible that Windows boxes really are just getting more secure? Ohh shit I asked THAT on Slashdot?! Charles Stross will have my soul. /owenwilson
    • Re:Oblig. (Score:4, Funny)

      by marcosdumay (620877) on Sunday October 21, 2007 @02:02PM (#21064461) Homepage Journal

      Windows boxes are getting more secure all the time.

      But we can only guess when they will be ready for widespread use...

  • don't be sure (Score:5, Insightful)

    by phantomfive (622387) on Sunday October 21, 2007 @01:49PM (#21064359) Journal
    The researcher determined this with a spider he created to crawl the storm network. How does he know that the network is shrinking and not just being partitioned? [slashdot.org]

    Furthermore, the storm virus is known to be updatable. Is it possible it was updated to be even less obtrusive, thus escaping detection in other ways? Maybe it has gone into dormant mode, because the creator doesn't need so many computers at the moment.

    One interesting innovation of the worm, quoted from the article:

    "If you're a researcher and you hit the pages hosting the malware too much... there is an automated process that automatically launches a denial of service [attack] against you," he said. This attack, which floods the victim's computer with a deluge of Internet traffic, knocked part of the UC San Diego network offline when it first struck.

    I think some part of me must be sick or something, because when I read about this I almost hope the worm will get bigger, become unstoppable, and reveal windows for the insecure piece of crap that it is. Linux, BSD, OSX, Solaris, and heck even Minix could clearly stand up to a threat like this much more easily than Windows.

    • Re:don't be sure (Score:5, Insightful)

      by John Hasler (414242) on Sunday October 21, 2007 @02:09PM (#21064513) Homepage
      > I think some part of me must be sick or something, because when I read about this I
      > almost hope the worm will get bigger, become unstoppable, and reveal windows for the
      > insecure piece of crap that it is.

      Already been done. Nobody cares.
    • by MoogMan (442253)
      > Linux, BSD, OSX, Solaris, and heck even Minix could clearly stand up to a threat like this much more easily than Windows.

      Bzzzt! Wrong. There are many attack vectors for Storm's entry into someone's computer (one of which is indeed an OS vulnerability). AFAIK, the majority of the attack vectors rely on people downloading some bootstrapper program via their email or web browser. Nothing is going to stop this happening to a "normal" user on *NIX.
      • OTOH, the bot has to communicate out. As a normal user not running as root, that means it has to open a port. Many Linux distro firewalls - and some Windows third party firewalls, but not the standard Windows firewall - block incoming and outgoing ports by default unless explicitly opened. If the bot can't communicate, it's worthless to the botnet.

        Of course, the Worm might be smart enough to trick the user into opening a port by popping up a message and requesting it masquerading as a legit program - but I
        • by Sancho (17056)
          Which Linux firewalls block outgoing connections by default? In my 12+ years of using Linux, I have never seen this behavior configured by default.
          • I don't know, I assume some of them do. I know most firewalls are configured to allow outbound by default, but I would assume some of them don't - or can be configured not to, so it would depend on the distro to set the default.

            If none do, then Linux definitely is no better than Windows in this regard.

            • > I don't know, I assume some of them do. I know most firewalls are configured to allow outbound by default, but I would assume some of them don't - or can be configured not to, so it would depend on the distro to set the default.
              Blocking outbound by default would make a distro practically unusable for anyone who didn't understand firewall configuration.

            • Re: (Score:2, Informative)

              by Sancho (17056)
              I'm not trying to be rude here, you probably shouldn't make a statement of fact based upon your own assumptions.

              I've mostly used Debian-based Linux distributions, though I've also used Gentoo. I've installed Red Hat's enterprise solution, though I've never used it on the desktop. None of these have any special firewall beyond Netfilter (commonly called iptables.) Some are configured to block inbound packets that aren't part of an established connection, some don't have any rules by default (and use impli
      • Re:don't be sure (Score:5, Insightful)

        by phantomfive (622387) on Sunday October 21, 2007 @04:14PM (#21065543) Journal

        Heh, I knew someone was going to trot out this old troll. The point is, it would be much easier to secure unix-type systems than windows-type systems. Compare Microsoft's budget to that of OpenBSD; now tell me, which is more secure?

        For it to be effective as a virus, it is going to have to install itself to startup somehow. What is going to do, add a line to my .bashrc? Add a script to /etc/rc.d? It can't do that, only root can, and I don't browse the internet as root. Nobody does.

        You may say, "it will prompt you for the password and idiot users will just type it" but you are showing your Windows bias. On windows, you get so many popup prompts that many users just ignore them and do whatever they ask. OSX has shown that it can be done differently, however. Ask any average OSX user what they would do if a downloaded attachment asked them for their root password, and they will say something to the effect of, "Freak out and delete it immediately." It's because the warnings and prompts in OSX don't become annoying.

        Security on Windows is hard. For any vulnerability, it takes a lot more effort to fix on Windows than a similar vulnerability in a Unix system. In unix-world, fixing the OS is an option.

        • by Sancho (17056)
          With Windows, almost everyone runs as Administrator, so the software doesn't have to do anything special to hook into the OS while being stealthy. On Linux, being stealthy (against most non-knowledgeable users) would just mean adding a line to .xinitrc or .bashrc. If you set your parents up with Ubuntu, would they know to look there? Would most people who aren't deep into the Unix culture?

          Viruses on Linux would be easier to clean as long as the user isn't running as Root all the time (and the virus does
          • See, this is where it breaks down. If you are clever, I'm sure you can think of half a dozen ways to defend against this. The easiest I can think of in 10 seconds is to replace the .bashrc/.xinitrc with something standard every time a user logs in. A bit annoying, maybe; but effective.

            This is why unix is so much easier to harden. Because it is well-designed, there is much more flexibility when trying to think of a defense.

            • by Sancho (17056)
              Are you suggesting that the user not be able to run things at startup? That would certainly work. You could also restrict what can be run to only things which have been approved by the vendor (in any particular OS), but it doesn't mean that it's a good solution.

              Keep in mind that Windows could re-image itself every time that the computer is restarted, or every X hours. The registry startup entries could be cleared, each boot. The problem is that you lose functionality with any of these solutions. They'r
              • by DarkOx (621550)
                I can see it being perfectly reasonable to do that on a workstation at a business. The bad news is it won't make sense to do on a home PC. But try locking down windows PCs in a small or medium size shop where people's job functions require a wide range of software. Chances are there is something every job function in that business requires that WON'T run right on a hardened windows box.

                There is just too much legacy on windows, period. The security architecture is probably *OK* now if best practic
            • by lachlan76 (770870)
              Just chmod .bashrc, .bash_login, etc. to 500, so that only root can make things run on startup.
          • > and the virus doesn't wait for them to legitimately type in their password and then sneak in on the 5-minute timer that sudo has
            It has always seemed to me that it would be pretty trivial for malware to hijack a user's use of su/sudo/gksu/similar. The easiest way would be to modify the user's bash profile and desktop menus so that instead of running the real elevation tool the users ran a program supplied by the malware. This program would then use the information it gathered to do both what the user wanted an
            • by Sancho (17056)
              sudo, at least, needs to be suid. A trojan would have to act as a wrapper, which could certainly work, but it would probably be more suspicious than /home/bin/happyfungame, which would just start a background process and wait for the user to run sudo.

              Then again, we're talking about the more ignorant userbase, so a wrapper in their home directory might go unnoticed.
              • Unless you go looking at the list of environment variables (something that most people only do occasionally afaict, probably far less often than you use su) you won't notice something new on the start of your path, and I very much doubt you will notice a binary sitting in some deep subdir under your homedir or even somewhere under /tmp .

                for menu based stuff it is even easier, are you really going to notice a couple of menu item customisations?
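The two defensive ideas raised in this sub-thread (locking down the shell startup files, and noticing an elevation-tool wrapper that has been slipped in front of the real one on PATH) can both be turned into a check a defender runs on a single-user box. The script below is an added example written for this page, not code from any of the posters. It constructs a throwaway home directory (sample data, not captured from a real host), records a baseline of the startup files, shows why a user-owned `.bashrc` with mode 500 is not protected from code running as that same user, and flags PATH entries that precede the system directories while being user-writable or containing a command named like `sudo`, `su` or `gksu`. The file names, the `home/joe` layout and the placeholder wrapper are all assumptions of the example.

```python
#!/usr/bin/env python3
"""Audit one user's startup files and PATH for the persistence and
elevation-tool shadowing discussed in the thread (added example)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

# Assumed set of startup files worth watching; extend for other shells.
STARTUP_FILES = (".bashrc", ".bash_profile", ".bash_login", ".profile", ".xinitrc", ".xsession")
# Commands a wrapper would most plausibly shadow.
ELEVATION_TOOLS = ("sudo", "su", "gksu", "gksudo")
# Once PATH reaches one of these, later entries cannot shadow the real tools.
SYSTEM_BIN_DIRS = ("/usr/local/bin", "/usr/bin", "/bin", "/usr/sbin", "/sbin")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(home: str) -> Dict[str, str]:
    """Record a content hash for every startup file that currently exists."""
    return {n: sha256_of(os.path.join(home, n))
            for n in STARTUP_FILES if os.path.isfile(os.path.join(home, n))}


def audit_startup_files(home: str, known: Dict[str, str]) -> List[str]:
    """Report ownership/permission weaknesses and changes since the baseline."""
    findings = []
    user_uid = os.stat(home).st_uid  # the audited user is whoever owns the home dir
    for name in STARTUP_FILES:
        p = os.path.join(home, name)
        if not os.path.isfile(p):
            continue
        st = os.stat(p)
        if st.st_uid == user_uid:
            # chmod 500 by the user is undone by the user: the mode is not a control here.
            findings.append(f"{name}: owned by the audited user, so any chmod can be undone by code running as that user")
        elif st.st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{name}: writable (mode {oct(st.st_mode & 0o777)})")
        if name not in known:
            findings.append(f"{name}: not present in baseline")
        elif known[name] != sha256_of(p):
            findings.append(f"{name}: content changed since baseline")
    return findings


def audit_path(path_value: str) -> List[str]:
    """Flag PATH entries that could shadow the real elevation tools."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in SYSTEM_BIN_DIRS:
            break  # everything after the first system directory is searched later than it
        if entry in ("", "."):
            findings.append(f"relative PATH entry {entry!r} precedes system directories")
            continue
        if not os.path.isdir(entry):
            continue
        shadows = [t for t in ELEVATION_TOOLS if os.path.exists(os.path.join(entry, t))]
        if shadows:
            findings.append(f"{entry}: precedes system directories and contains {', '.join(shadows)}")
        elif os.access(entry, os.W_OK):
            findings.append(f"{entry}: user-writable directory precedes system directories in PATH")
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed home directory, take a baseline, reproduce the
    thread's chmod-500 scenario, and return the audit results."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    home = os.path.join(root, "home", "joe")  # constructed layout
    os.makedirs(home)
    bashrc = os.path.join(home, ".bashrc")
    with open(bashrc, "w") as f:
        f.write("# constructed sample ~/.bashrc\nexport EDITOR=vi\n")
    os.chmod(bashrc, 0o500)  # the chmod-500 suggestion from the thread
    bindir = os.path.join(home, "bin")
    os.makedirs(bindir)
    with open(os.path.join(bindir, "sudo"), "w") as f:
        f.write("#!/bin/sh\n# placeholder standing in for an untrusted wrapper\n")
    known = baseline(home)
    before = audit_startup_files(home, known)
    # Code running as the same user restores write permission and appends a line.
    os.chmod(bashrc, 0o600)
    with open(bashrc, "a") as f:
        f.write("# constructed: line appended after the chmod was undone\n")
    after = audit_startup_files(home, known)
    path_findings = audit_path(os.pathsep.join([bindir, "", "/usr/local/bin", "/usr/bin", "/bin"]))
    return {"before": before, "after": after, "path": path_findings}


if __name__ == "__main__":
    for section, items in demo().items():
        print(f"== {section} ==")
        for line in items:
            print("  " + line)
```

The ownership check is the important part: a mode of 500 only helps if the file is owned by an account other than the one running the user's programs (root, with the user's customisations sourced from a separate file), which is why the script reports "owned by the audited user" even before the content changes. The `audit_path` walk stops at the first system directory because a wrapper placed after it is never reached for the shadowed name.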
          • by trifish (826353)
            > With Windows, almost everyone runs as Administrator,

            You mean Windows XP, not Windows in general. As on Vista, almost everyone runs as non-admin.
            • by Sancho (17056)
              Almost.

              I recently bought a new off-the-shelf computer with Vista. It was a Major Brand, so I imagine that there are a lot of this particular computer out there.

              On this computer, Vista is set up such that the first user you create is in the Administrators group. What this means is that you never have to enter any passwords to do administrative tasks--you just have to click "Continue" a few dozen times. The user will probably do this to get back to whatever they're doing without even reading the prompt or
              • by trifish (826353)
                Um, I'm not sure what point you are trying to make. Again, do you admit that your blanket statement was wrong? I mean this one: "With Windows, almost everyone runs as Administrator"

                If you said Windows XP/2000 you would be right. Because on Vista almost everyone runs as non-admin and can comfortably elevate with per-app granularity if needed.
                • by Sancho (17056)
                  No, see the point is that you're still running as admin--it's just that administrative duties still require an extra (few) clicks. If you think that the extra clicks makes it more secure, then I'm afraid we won't be finding much common ground in this discussion.
                  • by trifish (826353)
                    You know what? You either don't know what you're talking about, or you do (and then you are... a good old anti-MS troll).

                    > the point is that you're still running as admin

                    You're not. Read something about it.

                    > If you think that the extra clicks makes it more secure

                    Yes, it does.
        • "Freak out and delete it immediately." Nope - in my experience, OSX users have no idea what their root (or for that matter any) password is. They logged in some time a few years ago, and never rebooted or logged out again, so they just don't know - got it on a piece of paper in a drawer somewhere...
        • by trifish (826353)
          > It can't do that, only root can, and I don't browse the internet as root.

          Uh, ever heard of privilege escalation vulnerabilities? FYI, these affect Linux too (both kernel and user-space apps like Firefox).
        • by MoogMan (442253)
          I agree, any flavour of BSD and the majority of Linux distros are shamelessly secure out of the box, whilst Windows is not. This is not the point I was making.

          The issue is this: People (i.e. your average Joe). A normal user will fall for the same phishing scam regardless of the OS they run on. Once a rogue program gets onto your system, it really doesn't matter if it hasn't got root access. A few trivial solutions that come to mind, with a bit of thought I'm sure you can come up with many more:
          - Adding it t
    • Re: (Score:3, Interesting)

      I was wondering about the possibility of it being partitioned myself.

      The botnet has always been hard to figure out the size because of its policy of only allowing a limited number of immediate connections in its net. Partitioning and assigning control of sections to other people - and this would presumably entail cutting connections with other portions of the botnet completely in order to enforce "ownership" - would presumably make it look smaller than it is.

      This guy may also be overconfident in the crawli
    • First of all, this is a case where nix is no more protected than windows. I would even claim that these networks were started in nix land in the mid 90s, and ported to windows due to the much larger user base.

      Also, the researcher is spidering multiple partitions. When one of the storm researchers gets a new variant with a new key, they extract that key, and then spider that partition. They may not have all of them, but from what I understand they have enough sources that they probably have most of them.
  • Bullshit (Score:5, Interesting)

    by Anonymous Coward on Sunday October 21, 2007 @01:51PM (#21064383)
    Myself and some colleagues, along with a couple of anti-malware sites have been tracking Storm infections as best we can over the last couple of months. We've mostly been using honeypots, trapping SMTP traffic and utilizing some nslookup scripts to mine Storm's fast-fluxing domains. It has not shown any sign of shrinking, particularly not by a factor of 10.

    The only people who have ever estimated its size to be anywhere near 50 million hosts are paranoid tin-foil hat wearing security analysts and journalists looking to generate some ad revenue with a shocking headline or two. I've never seen any solid evidence pointing towards Storm being larger than 2-3 million hosts, so even assuming there is an exact science at work here, 1.5 million is far from a 10th of 2-3 million.

    This phenomenon would be a lot easier to combat if people would stop spreading bullshit stories such as this.
    • Re: (Score:3, Insightful)

      by sg_oneill (159032)
      Whatever the case is, it's a nasty piece of work. There's precious little that'll stand up to that thing focusing fire on a target.
      • > Whatever the case is, it's a nasty piece of work. There's precious little that'll stand up to that thing focusing fire on a target.

        Actually, I heard that in an attempt to bolster its strength, it posts stories on slashdot that link to security companies' sites. If it can't take our Mac, BSD, and *nix boxes, it'll just have to do some social engineering! Did you notice every time someone has new information about storm, we end up slashdotting it? :)

        I was only kidding when I started writing this, but on second thought... manual override of slashdot via front page stories isn't such a bad idea... Let's post a story about McAfee as a

    • by vtcodger (957785)
      If you read the article, the belief that the storm botnet is shrinking is based on the fact that the guy has a tool for actively crawling the Storm network. His estimates are based on the number of machines he can see vs the number that he used to be able to see. He agrees with you that there never were 50 million machines in the network BTW. He says maybe 15 million total over time and most of those have been deloused.

      Since a tenfold reduction in the number of infected machines seems sort of optimisti

  • by hksdot (1128515)
    I for one bid farewell to our swarm intelligence worm overlords.
  • by Wonko the Sane (25252) on Sunday October 21, 2007 @03:27PM (#21065189) Journal
    So it now has a scar on its face, and carries a sword-gun?
