Storm Worm Being Reduced to a Squall 183

Rumours of financial schemes surrounding the botnet aside, PC World has an article that should lower the blood pressure of some SysAdmins. The Storm Worm botnet is apparently shrinking. A researcher out of UC San Diego who has been tracking the network has published a report indicating it is now only 10% of its former size. "Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world's most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time. Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network."
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Sunday October 21, 2007 @01:52PM (#21064395)
    Comment removed based on user account deletion
  • Re:Spread of Windows (Score:3, Informative)

    by LO0G ( 606364 ) on Sunday October 21, 2007 @02:21PM (#21064611)
    Huh? According to Microsoft they provide security updates to pirated versions of Windows. Source: (click on "Will users of non-genuine Windows be blocked from receiving security updates?") [microsoft.com]

    It also appears that the Malicious Software Removal Tool [microsoft.com] doesn't require validation either.

    So you can run the same malware removal tools on pirated versions of Windows as well.
  • Re:Spread of Windows (Score:1, Informative)

    by Anonymous Coward on Sunday October 21, 2007 @02:28PM (#21064671)

    No. Regardless of genuine status, users will not be denied access to critical security updates. Users who have not validated their computers as genuine, however, will not be able to install many updates, including Internet Explorer 7.0 and Windows Defender. Microsoft strongly recommends that users of non-genuine systems correct their problem immediately.
  • Re:Spread of Windows (Score:3, Informative)

    by LO0G ( 606364 ) on Sunday October 21, 2007 @05:02PM (#21065907)
    So? First off, the IE team claims that IE7's going to be available without WGA [msdn.com]. So part of that is no longer valid.

    Also, I was responding to a claim that Microsoft withheld security updates for people who were running pirated versions of Windows. I provided a link from Microsoft that seems to indicate otherwise.

    Why is this a problem? Are you saying that Microsoft is lying in their post?
  • Re:Spread of Windows (Score:3, Informative)

    by petermgreen ( 876956 ) <plugwash@nOSpam.p10link.net> on Sunday October 21, 2007 @05:52PM (#21066313) Homepage
    Huh? According to Microsoft they provide security updates to pirated versions of Windows.
    They do, kind of.

    If you want to run pirated Windows without getting nags and you don't have access to a good (as in allocated by MS and not shitlisted because of wide distribution) corp key, you have to either crack Windows Genuine Advantage Notifications or keep it off your system. Cracking it has the downside that MS could release an update at any time.

    There are two easy ways to keep windows genuine advantage notifications off your system.

    1: set automatic update to prompt before installing updates and manually check the list for WGA every time (you can reject it but it reappears every so often). This is probably tolerable if it is your own machine, but if you give it to someone else to use then it's not such a good idea.
    2: disable automatic updates completely.
  • Re:Oblig. (Score:2, Informative)

    by lattyware ( 934246 ) <gareth@lattyware.co.uk> on Sunday October 21, 2007 @05:54PM (#21066339) Homepage Journal
    That is what you think...
  • Re:don't be sure (Score:2, Informative)

    by Sancho ( 17056 ) on Sunday October 21, 2007 @06:07PM (#21066455) Homepage
    I'm not trying to be rude here, but you probably shouldn't make a statement of fact based upon your own assumptions.

    I've mostly used Debian-based Linux distributions, though I've also used Gentoo. I've installed Red Hat's enterprise solution, though I've never used it on the desktop. None of these have any special firewall beyond Netfilter (commonly called iptables.) Some are configured to block inbound packets that aren't part of an established connection, some don't have any rules by default (and use implicit pass in/out), but of the three, none have had implicit outbound-blocking. I've also never seen a Linux firewall that worked like ZoneAlarm (blocking by default, but alerting you and offering to let you allow the connection.)

    No better than Windows on this front? Well, only as far as the defaults go. You're quite capable of blocking egress (outbound) traffic in Linux, you just have to turn it on yourself. In XP, you aren't even capable of blocking outbound traffic without third-party software--the Windows firewall only blocks incoming connections (as far as I can tell--since I don't run Windows myself, my experiences are limited to times when I've had to learn enough to support a user.) So Linux is a little better--at least the capability exists.
  • by ymgve ( 457563 ) on Sunday October 21, 2007 @06:15PM (#21066501) Homepage
    Doesn't matter that it's 40-byte. It's using simple XOR encryption, and the key is stored in plaintext inside the unpacked executable.

    (If anybody cares, the current key, at least for the botnet partition I've seen, is F3 AA 58 0E 78 DE 9B 37 15 74 2C 8F B3 41 C5 50 33 7A 63 3D E6 13 DF 6C 46 CA BE 9A 77 48 94 02 C0 F3 66 49 EE 87 21 BB.)
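    As an added example (not code from this thread or from Storm itself): the repeating-key XOR scheme ymgve describes, using the 40-byte key quoted above, together with the two steps an analyst applies to captured traffic once such a scheme is suspected: recovering the key from a known plaintext, and recovering the key length from the period of the keystream. The sample payload is constructed, not real botnet traffic.

```python
# Added example: why a fixed 40-byte XOR key provides no confidentiality.
KEY_HEX = ("F3 AA 58 0E 78 DE 9B 37 15 74 2C 8F B3 41 C5 50 33 7A 63 3D "
           "E6 13 DF 6C 46 CA BE 9A 77 48 94 02 C0 F3 66 49 EE 87 21 BB")
STORM_KEY = bytes.fromhex(KEY_HEX)  # the 40-byte key quoted in the comment above


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: key_len bytes of (ct XOR pt) are the whole key."""
    if min(len(plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of both plaintext and ciphertext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def find_key_length(plaintext: bytes, ciphertext: bytes) -> int:
    """Smallest period of the keystream (pt XOR ct); needs > 2x key length of data."""
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + period] for i in range(len(stream) - period)):
            return period
    raise ValueError("no repeating period found in the available data")


# Constructed sample message (hypothetical; not real Storm traffic). 99 bytes,
# so more than two full key periods are visible to find_key_length().
SAMPLE = bytes(range(48)) + b"constructed sample payload, not real botnet traffic"


def demo() -> dict:
    """Encrypt, decrypt, then recover both the key and its length from the pair."""
    ct = xor_with_key(SAMPLE, STORM_KEY)
    return {
        "roundtrip_ok": xor_with_key(ct, STORM_KEY) == SAMPLE,
        "key_recovered": recover_key(SAMPLE, ct, len(STORM_KEY)) == STORM_KEY,
        "key_length": find_key_length(SAMPLE, ct),
    }


if __name__ == "__main__":
    print(demo())
```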
  • by ymgve ( 457563 ) on Sunday October 21, 2007 @07:03PM (#21066863) Homepage
    A few days old now, but these IPs are some of the ones that have been taken over to host the malware. Add http:// to the front, and download the executables from there.

    !!! WARNING - THESE SITES CONTAIN JAVASCRIPT EXPLOITS AND POSSIBLY OTHER EXPLOITS - APPROACH WITH CAUTION !!!

  • Re:Spread of Windows (Score:2, Informative)

    by thejynxed ( 831517 ) on Monday October 22, 2007 @03:32AM (#21069553)
    The problem with your solution is:

    Some security updates won't be installed even via Automatic Updates if WGA is not found to be installed on the machine. There's a programmed limit tied into a WGA check. It doesn't check if your system is genuine or not, but it checks if WGA is installed and operational. If it is, you get all hotfixes past a certain KB number. If it is found to be a defective WGA install, you only get those hotfixes that are excluded from the check. This is why Autopatcher was so useful. You could install all of those patches whether WGA was present or not, because Autopatcher never checked for an operational WGA installation, and the individual hotfixes don't either. It is the MS Automatic Update service that confers with the MS update servers and performs the check.

    I've found this out the hard way before I caught on to exactly what was happening, and just used Autopatcher instead for all of my Windows installations. Not that I use any pirated OS mind you, but I've had activation issues that required a funky workaround given to me by MS Support Services for WinXP Pro SP2, which made WGA say my install wasn't Genuine when it is. The issue had to do with something in the SP2 upgrade from SP1a making WinLogon do strange things and give me mystical error messages that only a Russian could possibly decipher (or some lady from China working for MS Support, as was the case here).

    On a side note: I know people will probably say "Use Linux". No thanks. It doesn't do what I need it to do (I play many games that require DirectX and don't run under Wine or Cedega, and I use Citrix Metaframe, Solidworks, etc), and my hardware isn't supported via anything other than ugly hacking about in a terminal, which I'll take a pass on doing, because frankly, I don't have the time nor the inclination to do so (Mepis is the only distro that even came close to detecting most of my hardware automatically, and that was minus any networking or accelerated graphics).

    It's fine to play around with on a LiveCD (and I have several distros in this form), but until it does what I need it to do aka, "Right Tool For the Job at Hand", right out of the box, it's a non-starter in my situation. Maybe some year. Either that or I need to stop using such obscure hardware (mainly it is lazy manufacturers releasing buggy or totally broken Linux drivers) and software (game devs not using OpenGL and OpenAL).
