Storm Worm Strikes Back at Security Pros

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

Who really knows

[Silver Sloth]

From TFA

Still, the power of Storm, also known as Peacomm, is still hotly debated. Earlier this week another expert said the worm had pretty much run its course and was subsiding.

I have a seaking suspicion that all the Storm Worm doomsayers are out to sell us their solution. This has echoes reminiscent of the Y2K fiasco.

Re:Contact the users

[PPH]

Contact the users' ISPs and have them cut the connection to the infected machines until they are cleaned up.

Re:Who really knows

[fredrated]

The Y2K fiasco? What was that? Was it a fiasco because programmers had not programmed for 4 digit years, because a lot of money was spent correcting this, or because nothing happened and you interpret this as meaning nothing was going to happen?

Re:Contact the users

[Anonymous Coward]

A normal user on Linux would be just as bad as a normal user on Windows...

Recommended: Learn to user your computer like a non-idiot.

Re:oh yeah, so scared

[Em Adespoton]

If you start getting DOSed you unplug the modem and try again. Some corporate customer carrying ISPs will even let you just change your IP. You could get on a new IP and keep poking like 50 times in a day at least. It's really not that hard and not that sneaky.

Something tells me that your method won't work against Storm. This is due to the fact that if you tried such a stunt, it wouldn't be your PC that would be DoS'd, it would be the ISP's local NOC you were using to connect to the internet. If you forced a new DHCP reservation (all that an unplug/plugin does), you'd end up with another IP address (if the DHCP server ever responded to your request) sitting on the same hardware that is being DoS'd by Storm.

What is needed to fight a botnet of this size is a distributed probe net, where if one node is taken out by the botnet, the rest of the cloud keeps on probing it. After all, even a large botnet can only DoS so many locations at a time.

A better solution might be to spoof the IP addresses of other members of the botnet, thereby making it DoS itself into submission.

Re:Who really knows

[Silver Sloth]

We all spent a lot of time fixing things - and earning a small fortune - but the computer press, and a lot of the popular press, was full of stories about how planes would fall from the sky, autotellers would stop working, and life as we know it would self destruct. I work for a major UK financial institution and I was very much part of the Y2K effort and, after all the man hours, what did we find, one or two minor inconveniences. Still I took my wife to the Canary Islands for a holiday on the money I earnt staying sober on new years eve.

Re:The Latest Bond Script

[kalirion]

Because it's a Hollywood film?

Re:A very simple solution.

[tomstdenis]

Should point out that hacking is not a crime, never has been, never will be [at least without totally eroding all freedoms first]. A hacker is simply someone who takes the time to see how the world around them works. They're not script monkeys who instigate virus attacks, those are criminals.

Stop reading/watching Faux News et al. and get your damn facts straight.

People should be able to call themselves a hacker without fear of reprisal, for it's the hackers who will inevitably find many of the flaws in the world that the corporate greedmongers want hidden. I mean who do you think are the people finding all of the buffer overflows, protocol mistakes, etc in services you use on a daily basis? If hackers went away companies could easily get away with insecure practices and billing like however they feel like.

It's the people who stop questioning how the world works that should get a bitchslap upside the head.

Re:A very simple solution.

[multisync]

Impose the death penalty for these hackers/crackers or whatever you call them these days.
Public execution. And make it totally Medevil. Gruesome and painful and prolonged.

I guarantee you within one year the hacking/cracking/whatever will have come to an absolute total stop.

Well, the death penalty has certainly stopped people from committing murder in the United States. I think you're on to something.

Use this against them.

[darkonc]

1. Let various ISPs know that you're about to do this,
2. Do something to trigger a DDOS,
3. Track which machines the attacks are coming from, (basically, log the source of every packet aimed at your IP address)
4. shut down and clean every machine that is shown to be part of the DDOS
5. (profit???)

Re:Contact the users

[blhack]

You know what costs ISPs even more money?
Not having any customers.

You're the type of person who gets looked at by their boss and told "This code is terrible, it is unbelievably user-unfriendly, and it barely even accomplishes the task required because you have implemented so many hoops that people have to jump over just to get anything done"
to which you respond:
"Well we should start requiring all of our receptionists to have degrees in computer science from now on!"

FAIL!
If you make your system so "secure" that even your own users cant use it...then you have basically just DOS'd yourself..... = fail.

Re:Who really knows

[Marcos Eliziario]

I can't hardly wait for 2038.
I only need to make sure I keep my copy of Stevens and Rago in a good shape till there.

Naieve

[cdrguru]

I see the same sort of law-and-order assumptions here that I would like to believe in. Sadly, that phase in my life has ended.

Sure, you can find who is DDoS'ing you. You can then call the ISP/hosting company and complain. If they are in the US they will likely as not just tell you to get a court order. Outside the US they will laugh and suggest you bribe them. Either way, it is their customer's right to operate in whatever manner they choose. If they are presented with a valid court order from a court in their jurisdiction, they will quickly and efficiently comply. Otherwise, your complaint will go in the bit bucket.

Mostly the problem is that to a lot of ISPs their customer (and the revenue from that customer) is a whole lot more important than the negative effects their customer is having. Also, the customer may be Daddy and Sonny is the one causing all the trouble. Why would anyone want to offend bill-paying Daddy by cutting off service?

The problem here is that regardless of the problem - a botnet infested computer, a script kiddy trying to break in, or some other mischief - if you let it go, it gets worse. Every time a script kiddy gets to feel that rush of excitement at breaking to some computer somewhere without any consequences they get bolder. In the US it is not really possible to go after them until they run up at least $25,000 in damages. Because of this, you never hear about the high schooler getting in trouble because they defaced a web site. Instead you hear about someone after many years of mischief and mayhem who is being accused of causing $12,000,000 in damages computed in some creative manner to get the FBI's attention. There is never a thought of stopping this when the cost to everyone is minimal. Minimal doesn't get the FBI involved and local law enforcement is utterly clueless.

Nobody is really going to get taken down for this unless they do something incredibly stupid. Sure, you can find an IP address but you can't get the customer unless the ISP wants to cooperate. Can you get a court order for the ISP to identify the owner of the account? Probably not without at least $25,000 in damages that you can claim. Even then all you have found is an infected computer that the owner doesn't know anything about.

Re:A very simple solution.

[Culture20]

There was a time in England when a bloke could talk about the gay time he had passing a fag around amongst his friends behind the school (fun/happy time passing a cigarette around) without any double entendres. Language evolves. Change your manner of communication or prepare for misinterpretation.

string Hackers="hardware hobbyists"
string Crackers="Saltines, safe-crackers, computer-criminals"

...
Hackers="computer-criminals";
Crackers="Saltines";

Re:Wait a minute...

[Professional Slacker]

Are you honestly suggesting that the police start kicking down Joe Idiot User and Grandma's door? Sure the own the CnC machines, but odds are they have no idea that they been compromised, which is why they haven't cleaned it up yet. Confiscating them is only going to piss people off, by the time anybody could do any sort of analysis on them the entire network would have shifted around.

Storm is an entirely new breed of beast, bots change locations and roles all the time, a zombie could be a spam relay today, a DDoS grunt tomorrow, a web server the day after that, and a CnC machine on Friday. Physically locating a CnC box tells you nothing, good job you've located an infected box, by the time you get your hands on it it's role may have changed.

Re:oh yeah, so scared

[Have Brain Will Rent]

The best solution is completely non-technical... a $10,000,000 bounty for the arrest and conviction (in whatever court you may choose) of the owner of the botnet.

Re:Wait a minute...

[asuffield]

Where did you get the idea that the police gave a damn about this?

Governments are not interested in computer crime. They don't investigate it, they don't prosecute it (unless it's against them directly).

Re:Counter-DOS

[wtarreau]

The real source of the problem is microsoft selling an easy-to-use, insecure OS with too many fancy gadgets which nobody can reasonably maintain in a safe state. The single concept of an anti-virus should not even exist in the first place. It's a fix for the symptoms and not for the cause. The real fix would be to educate users into not being too much demanding for ease of use. Noone would like a car which does not need a key to start up, because it would get stolen. Why do they accept an OS which does not ask them for a correct password ?

Re:Who really knows

[Opportunist]

I dread 2038. Unlike 2k, it will be near impossible to explain to management why that date (especially some odd day in January) is even more a threat to IT than 2k was. 2k was something they could understand, and why it would be bad for your insurance calculations to think it's 1900 for someone who was (or, is going to be) born in 1968. That without 4 digits, rolling over from 1999 would get you to 1900.

Now try to explain why the day after January 19th 2038 will be December 13th 1901.

Re:Contact the users

[Nazlfrag]

Ironically, the storm worm is one of the few idiot proof pieces of software floating around. It requires absolutely no skill on the part of the user to get the job done, hell a certain level of incompetence is a benefit. Perhaps this is the key to making linux user friendly - just rewrite it as a worm!