Storm Worm Strikes Back at Security Pros

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."
  • Re:Contact the users (Score:3, Informative)

    by wile_e_wonka ( 934864 ) on Wednesday October 24, 2007 @01:35PM (#21102265)
    Interestingly, that might not even help:

    http://it.slashdot.org/article.pl?sid=07/10/05/1234217 [slashdot.org]
  • by Endloser ( 1170279 ) on Wednesday October 24, 2007 @01:36PM (#21102293)
    Yeah, and when the Storm Worm drops the whole network segment you are f'ed. Your ISP will drop you if you keep dropping their routers. Because, well, not everything is about you. This botnet has much more power than you think it does.
  • Re:Wait a minute... (Score:4, Informative)

    by Bryansix ( 761547 ) on Wednesday October 24, 2007 @01:40PM (#21102383) Homepage
    Because the servers are not actually belonging to the people who wrote Storm.
  • by Lumpy ( 12016 ) on Wednesday October 24, 2007 @01:49PM (#21102525) Homepage
    Don't know about that. Only if they thought of it to begin with. Back in the early days of undernet a few of us figured out how to get the official administrative bots to fight each other. Wait for a net split, join as a bot's name and start a flood attack on another bot. It gets triggered and kick/bans you. The net rejoins and the fight starts. It was fun to watch for the week we were able to do that trick until they fixed the bots.

    Unless the devs think long and hard on how to attack it and work in ways to avoid it, I doubt they put that feature in.
  • Re:Wait a minute (Score:2, Informative)

    by lskovlund ( 469142 ) on Wednesday October 24, 2007 @02:24PM (#21103037)
    Bruce Schneier wrote that the worm was starting to retaliate [schneier.com]. It was linked to by a poster on this Slashdot story [slashdot.org]. The guy who posted the analysis you refer to seems to be a lowly sysadmin (He's affiliated with Network Operations at the UCSD - so not a researcher) - I would tend to believe Bruce more, and viewed that analysis with some skepticism, which now appears to have been justified.
  • Re:Contact the users (Score:5, Informative)

    by zrq ( 794138 ) on Wednesday October 24, 2007 @02:25PM (#21103047) Journal

    ... the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file ...

    I see a lot of these all the time; they seem to be cycling through a list of names. At the moment they are trying account names like 'root', 'linux', 'admin', 'test', 'testftp', 'webmaster' etc. and user names like 'melissa', 'danny', 'nicholson' etc.

    I don't think this means that they added an SSH back door, just that they have enough compute resources to try hundreds of combinations of likely names and passwords in the hope they get lucky.

  • Re:Wait a minute... (Score:4, Informative)

    by Fizzl ( 209397 ) <fizzl@@@fizzl...net> on Wednesday October 24, 2007 @02:25PM (#21103061) Homepage Journal
    The command and control system is rather clever. Some machines of the botnet itself are the C&C servers. They are rotated at random. One server remains a C&C node for only days or hours at a time. I have no idea how the botnet owner figures out how to connect...
  • Re:Wait a minute... (Score:3, Informative)

    by Anonymous Custard ( 587661 ) on Wednesday October 24, 2007 @02:26PM (#21103069) Homepage Journal
    So? If we do in fact know where they are physically located, local police should go and confiscate them.
  • Re:Contact the users (Score:4, Informative)

    by Culture20 ( 968837 ) on Wednesday October 24, 2007 @02:41PM (#21103251)
    then you need fail2ban http://www.fail2ban.org [fail2ban.org]
    just in case they might eventually get lucky...
  • Re:Kung Fu Style? (Score:3, Informative)

    by db32 ( 862117 ) on Wednesday October 24, 2007 @02:56PM (#21103481) Journal
    Uhm...what? The TCP sequence number issue is related to Man in the Middle attacks (which in the strictest sense is a type of spoofing, but not usually referred to like this). Spoofing is generally talking about sending packets pretending to be someone else, i.e., putting a bad source on them. So now if I am computer A, and you are computer B, and I send you SYN DST A SRC C you will respond ACK/SYN to computer C. Unless my computer has PsychicHackWizard 3.0 or I have installed MagikRouter1337 those packets won't ever make it back to me.
  • Re:Contact the users (Score:1, Informative)

    by Anonymous Coward on Wednesday October 24, 2007 @03:39PM (#21104051)
    Have you seen the other front-page story?
    http://it.slashdot.org/article.pl?sid=07/10/05/1234217 [slashdot.org]

    The cracked Linux boxes are controlling the Windows machines.

    It's worse than we thought...far worse.
  • Re:Contact the users (Score:3, Informative)

    by orclevegam ( 940336 ) on Wednesday October 24, 2007 @04:34PM (#21104825) Journal
    No, Apache was running in its own account, but I think they installed a console PHP script and ran some sort of local exploit. Like I said, no clue exactly how they did it, and the log files were pretty well trashed. Our first clue something was screwy was when we logged in and none of the standard utilities like ls were behaving properly (kept complaining that the standard switches like -l and -a were invalid). The whole system was trashed and we had to do a total re-install. The hosting company kept a backup of the old system and we tried to figure out everything we could from the logs left over as well as watching how the attackers behaved after we restored the system, but other than probing for a few files we had cleaned up and a bunch of attempts to log in to SSH with a pair of accounts we didn't see them do anything else. That's part of why I suspect it was some sort of PHP exploit centered around PHPBB, because that didn't get re-installed when we brought the system back up and some of their probes tried to access files that belonged to that.
  • Re:Contact the users (Score:3, Informative)

    by edraven ( 45764 ) on Wednesday October 24, 2007 @04:44PM (#21104987)
    I run SSH on a non-standard port. Probes in the logs went away.
  • Re:Contact the users (Score:5, Informative)

    by zrq ( 794138 ) on Wednesday October 24, 2007 @04:58PM (#21105147) Journal

    Yep, mea culpa :-(
    Not keeping up with my sys-admin duties.

    I've seen this kind of thing in the logs for quite a while, but not at this level (1000s of attempts in a day). I hadn't noticed the increasing rate. A case of familiarity breeds contempt, "yep, seen those before .. not much can do about them" without really checking how often they happen.

    I remember when I first saw them appearing I contacted my ISP, and their reaction was much the same: "yep, that's what happens when you connect a box to the net". I offered to pass on the IP addresses but they weren't interested. I got the impression they see this kind of thing all the time.

    What do people suggest I do with the IP addresses of hosts doing the scanning? Is it worth checking the whois information and contacting the sys admin or abuse email address if there is one?

  • Re:Contact the users (Score:2, Informative)

    by pushf popf ( 741049 ) on Wednesday October 24, 2007 @11:05PM (#21108895)
    Just run DenyHosts [sourceforge.net]

    Oct 24 19:21:40 UtopiaPlanetia sshd[10319]: Failed password for invalid user staff from 74.86.168.131 port 51218 ssh2
    Oct 24 19:21:43 UtopiaPlanetia sshd[10321]: Failed password for invalid user sales from 74.86.168.131 port 51494 ssh2
    Oct 24 19:21:46 UtopiaPlanetia sshd[10323]: Failed password for invalid user recruit from 74.86.168.131 port 51739 ssh2
    Oct 24 19:21:49 UtopiaPlanetia sshd[10325]: Failed password for invalid user alias from 74.86.168.131 port 51998 ssh2
    Oct 24 19:21:52 UtopiaPlanetia sshd[10328]: Failed password for invalid user office from 74.86.168.131 port 52226 ssh2

    Oct 24 19:21:53 UtopiaPlanetia denyhosts: Added the following hosts to /etc/hosts.deny - 74.86.168.131 (wdbservers.com)

    Oct 24 19:21:55 UtopiaPlanetia sshd[10333]: refused connect from ::ffff:74.86.168.131 (::ffff:74.86.168.131)
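The fail2ban and DenyHosts replies above both describe the same defensive idea: count failed sshd logins per source address and block a source once it crosses a threshold in a short window. This added example (not code from either tool or from any poster) implements that detection logic over constructed log lines in the format quoted above; the hostname, addresses (RFC 5737 documentation ranges) and the 5-attempts-per-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same shape as the sshd entries quoted in the thread.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 24 19:21:40 host1 sshd[10319]: Failed password for invalid user staff from 192.0.2.10 port 51218 ssh2
Oct 24 19:21:43 host1 sshd[10321]: Failed password for invalid user sales from 192.0.2.10 port 51494 ssh2
Oct 24 19:21:44 host1 cron[10322]: (root) CMD (run-parts /etc/cron.hourly)
Oct 24 19:21:46 host1 sshd[10323]: Failed password for invalid user recruit from 192.0.2.10 port 51739 ssh2
Oct 24 19:21:49 host1 sshd[10325]: Failed password for root from 192.0.2.10 port 51998 ssh2
Oct 24 19:21:52 host1 sshd[10328]: Failed password for invalid user office from 192.0.2.10 port 52226 ssh2
Oct 24 19:30:01 host1 sshd[10340]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct 24 19:45:12 host1 sshd[10355]: Failed password for alice from 198.51.100.7 port 40002 ssh2
""".splitlines()

# Syslog timestamp, host, sshd pid, then the message; "invalid user" is present only
# when the account does not exist, so it is optional here.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_failures(lines, year=2007):
    """Yield (timestamp, username, source_ip) for each sshd failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # cron, denyhosts and other syslog lines are ignored
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def offending_hosts(lines, threshold=5, window_seconds=60):
    """Return {ip: sorted usernames tried} for sources with >= threshold failures
    inside any window_seconds span, the burst pattern DenyHosts/fail2ban react to."""
    attempts = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        attempts[ip].append((ts, user))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            span = events[i + threshold - 1][0] - events[i][0]
            if span.total_seconds() <= window_seconds:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

def hosts_deny_lines(flagged):
    """Render tcp_wrappers entries in the form DenyHosts appends to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]

if __name__ == "__main__":
    for line in hosts_deny_lines(offending_hosts(SAMPLE_LOG)):
        print(line)
```

The two slow attempts from 198.51.100.7 stay below the default threshold, which is the trade-off the posters mention: a tighter window catches bursts but misses low-and-slow guessing.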
