
Storm Worm Being Reduced to a Squall 183

Rumours of financial schemes surrounding the botnet aside, PC World has an article that should lower the blood pressure of some SysAdmins. The Storm Worm botnet is apparently shrinking. A researcher out of UC San Diego who has been tracking the network has published a report indicating it is now only 10% of its former size. "Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world's most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time. Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network."

  • Spread of Windows (Score:3, Interesting)

    by Prysorra ( 1040518 ) on Sunday October 21, 2007 @01:25PM (#21064185)
    Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?

    Just wondering.
  • Oblig. (Score:2, Interesting)

    by The Living Fractal ( 162153 ) <banantarr AT hotmail DOT com> on Sunday October 21, 2007 @01:33PM (#21064249) Homepage
    Couldn't this just be the 'eye' of the Storm?

    Or is it possible that Windows boxes really are just getting more secure? Ohh shit I asked THAT on Slashdot?! Charles Stross will have my soul. /owenwilson
  • Bullshit (Score:5, Interesting)

    by Anonymous Coward on Sunday October 21, 2007 @01:51PM (#21064383)
    Myself and some colleagues, along with a couple of anti-malware sites, have been tracking Storm infections as best we can over the last couple of months. We've mostly been using honeypots, trapping SMTP traffic and utilizing some nslookup scripts to mine Storm's fast-fluxing domains. It has not shown any sign of shrinking, particularly not by a factor of 10.

    The only people who have ever estimated its size to be anywhere near 50 million hosts are paranoid tin-foil hat wearing security analysts and journalists looking to generate some ad revenue with a shocking headline or two. I've never seen any solid evidence pointing towards Storm being larger than 2-3 million hosts, so even assuming there is an exact science at work here, 1.5 million is far from a 10th of 2-3 million.

    This phenomenon would be a lot easier to combat if people would stop spreading bullshit stories such as this.
  • Storm (Score:1, Interesting)

    by Tibixe ( 1138927 ) on Sunday October 21, 2007 @02:25PM (#21064647)
    An unstoppable botnet... quite beautiful. (Well, unstoppable as long as Windows is not exactly secure.) I know it's probably done for money, but wouldn't it be funny if ten years later someone announced he made the Storm to compute big prime numbers, and he found 10000 more than ever? :) By the way, what is the use of big computers/networks if not maths?
  • Re:don't be sure (Score:3, Interesting)

    by Master of Transhuman ( 597628 ) on Sunday October 21, 2007 @04:10PM (#21065517) Homepage
    I was wondering about the possibility of it being partitioned myself.

    The botnet has always been hard to figure out the size because of its policy of only allowing a limited number of immediate connections in its net. Partitioning and assigning control of sections to other people - and this would presumably entail cutting connections with other portions of the botnet completely in order to enforce "ownership" - would presumably make it look smaller than it is.

    This guy may also be overconfident in the crawling ability of his tool.
  • by Kobun ( 668169 ) on Sunday October 21, 2007 @05:03PM (#21065921)
  • by v1 ( 525388 ) on Sunday October 21, 2007 @05:44PM (#21066255) Homepage Journal
    That's a very interesting read. I hope the authors release a similar, more up-to-date rundown of Storm. It sounds like Curious Yellow is one step before Storm in terms of worm evolution. (or that it was the successor to it?)
  • Re:One question (Score:3, Interesting)

    by petermgreen ( 876956 ) <plugwash.p10link@net> on Sunday October 21, 2007 @06:05PM (#21066437) Homepage
    My understanding is that you get taken to a page that tries a bank of browser exploits (I don't know if they are all for IE or if there are some FF ones in there too) until one works. If they all fail then it tells the user to download and run an exe.

  • by gillbates ( 106458 ) on Monday October 22, 2007 @01:35AM (#21068947) Homepage Journal

    Sure, you can secure Windows. You can also make Linux run Windows programs. If you're willing to put in the effort, I suppose you could run a web server on a C64 (Hey! Some people have!)

    But the point is that it's a lot more practical to just buy a Mac if you're a non-technical user. You get ease of use, with none of the security and stability problems of Windows.

    And if you are technical, and are going to put in the effort to learn a system in depth, why would you pick Windows? If you learn Linux, you can transfer that knowledge to working on UNIX systems, and the usefulness of your knowledge isn't subject to the capricious actions of a convicted felon (Microsoft). Sure, you could secure Windows, but every time Redmond releases another version, your knowledge becomes obsolete.

    But there are a few additional points about Windows:

    1. Windows has at least one - if not two or three - orders of magnitude more security vulnerabilities than Linux or Mac. This alone suggests that the problem of Windows security is much greater than that of Linux or Mac security, regardless of the reason.
    2. A Windows system requires constant patching to remain relatively secure, and even so, there's always a small window of opportunity when even fully patched systems are vulnerable. (i.e., the time between the black hats discovering the exploit and the time white hats find it; and the time between notification and the time Microsoft is able to issue an update). Even though you are fully patched, your system still contains vulnerabilities yet undiscovered by the security researchers, but known to black hats.
    3. Constant patching is not a viable option for most companies which must test patches for interoperability. In many cases, a company's own internal testing takes longer than it takes hackers to publish an exploit for the vulnerability. In such cases, their machines are never truly secure, even though they patch constantly.
    4. You don't have the source code, so you can't audit it. Given that Microsoft was recently caught modifying files on their customers' computers without their consent, this is very troubling. You can't trust Microsoft to do what they say they will, nor can you verify they are.
    5. You don't control what gets turned on by default, and sometimes a major, required component of Windows has security flaws (Blaster, anyone?). With a UNIX-like system, you can simply strip the box down to the bare minimum to achieve greater security.
    6. Windows has a maze of interdependencies which often means that you simply cannot uninstall a problematic part of the OS. Take IE for example - though it can technically be uninstalled, it is required by even the most basic OS functions, which means that removing it is not a realistic option for the end user. Yet it continues to be a wellspring of security problems, made even worse by the fact that it isn't practical to run a system without it.

    So sure, you can make Windows relatively secure, compared to other Windows boxes. But for the same amount of effort, you could secure a Linux machine to a much greater degree, and have a stable, trustworthy system as well. Sure, neither system is perfect, but for the effort you expend, you get a much better system by installing Linux or buying a Mac.

    And I suppose a slashdot post wouldn't be complete without some anecdotal evidence. In the 10 years that I've been in the industry, every single one of my Windows-using relatives has needed me to recover one of their crashed/unstable/unusably slow Windows systems. In fact, prior to XP, I had only met one person who both ran Windows and had not had it crash on them. And yet, even though Apple commands about 10% of the market, I have only once been asked if I could recover an Apple computer. And even then, it took only about 1/2 hour, and the guy didn't lose any of his data (he tried to update OS X, and botched it, but even then, he still was able to reco

  • Re:Spread of Windows (Score:3, Interesting)

    by Bearhouse ( 1034238 ) on Monday October 22, 2007 @01:22PM (#21074039)
    Good post, with which I agree totally, and is probably useful for some, thus 'insightful', I guess.

    I've given up on Windows activation, for much the same reasons as yourself. I seem to spend my weekends re-installing friends' and neighbours' Windows PCs, and have either purchased, or legal access to, ALL the flavours of XP, (and Vista etc.)

    The easiest installs (for 'office' too) are *always* the unattended, slipstreamed 'pirate' versions found on the net, (suitably checked, of course). Update the serial number, and away you go... As for Linux, great for servers, but driver hell...and all the abovementioned users are already XP brainwashed anyway.

    Too bad you won't get modded up, since you're:
    1. 'Pro' windows, and some would say 'pro-pirate'.
    2. 'Anti' linux...

    *sigh*
