Storm Worm Strikes Back at Security Pros

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

Sounds ripe for abuse

[orclevegam]

So, these people are trying to sell these botnets for extortion and spamming purposes right? Well, seems to me that they just opened up a loophole for at least one category of customer to get free "service" by spoofing whoever he wants to DDoS and poking the botnet till it retaliates. Boom, instant DDoS and he didn't have to pay a dime for the service. I do like the idea someone else put out of spoofing as one of the other control nodes, thereby getting the net to DDoS itself, but it may be just smart enough not to do that.

Re:Kung Fu Style?

[ILuvRamen]

ooooh sneaky, I like that. Isn't that illegal or something though? I don't think anyone would care but that's probably why they're not doing it. They could at least pull their heads out of their asses and not try and probe the servers using their company's main network!!! Do it on some small, seperate connection that really wouldn't matter if it got DOSed. Hey speaking of that, do it and let them DOS you and then make a log of all the IPs doing it and I'm sure ISPs would agree to disconnect all customers with those IPs until they get rid of storm by reinstalling windows or whatever.

Old news

[Anonymous Coward]

Higher ed had some of their systems attacked in this way going back to at least July. I lost a machine because of this because the system (running FreeBSD) had a marginal disk that eventually died under the load incurred by logging "Limiting icmp ping response from..." messages. Fortunately, we were smart enough to NEVER use systems like our workstations for downloading malware from suspected sources.

Easy lesson for those thinking of doing research: Remember to have a machine dedicated to the task of talking to untrusted outsiders.

Counter-DOS

[RyanFenton]

Wouldn't the obvious counter-strategy to this be to give the botstorm enough targets to make their DOS attempts too dilute to be a threat?

You theoretically would not need a comparable number of targets to attackers - just enough to lower the magnitude of the counter attack to the point where you could get acceptable results. You could also have targets that 'play dead' in some ways so the attackers can't fix on a minimum magnitude to counter attack with, and instead have to throw zombies until the target stops moving, where the target just gets right back up after playing dead. That way, the window you have before you 'play dead' might be used to get relatively clear results.

Just one guy's idea.

Ryan Fenton

Ponders ...

[Colin Smith]

What's bigger, the Storm effect... or the Slashdot effect ...

 

Re:Contact the users

[orclevegam]

Yeah, buddy of mine had his Gentoo box rooted and used as some sort of base system for rooting others. He found out after his ISP notified him that they shutdown his internet access because his server had been reported as probing other servers for vulnerable PHP apps. Not entirely sure how they rooted the box, but from what I could piece together going through the logs they managed to find a old copy of PHPBB he had been mucking around with on a subdomain (never linked it to anything, so they must have found it by brute force scanning, or maybe combing through DNS records). The traffic logs from other systems and the local logs all showed a series of automated scans for about 2 dozen known vulnerabilities in various pieces of pre-packaged PHP applications in a whole tone of domains. Looked like they just lifted a big chunk of every registered domain between something like ba-fa and were just working their way through it running scans. After we wiped the system and did a fresh install the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file. They really did a number on that system, and we didn't even know about it for a couple weeks because no one actually logs into the server, at most it gets a new file ftped to it every few weeks or so as things are tweaked.

Re:Counter-DOS

[Quietust]

Alternatively, trick them into launching a DDoS on a site more than capable of sinking all of the attack with plenty of bandwidth to spare - there's nothing quite like trying to flood an internet backbone. Plus, if it actually did have a noticeable effect, such a massive outage would be more likely encourage appropriate law enforcement agencies (of whatever nations) to get off their collective asses and actually solve the problem at its source.

Not particularly likely to happen, but we can all dream, can't we?

Re:Who really knows

[Cro Magnon]

At my job, we started Y2K work in the mid 90's and worked on it quite heavily in 1998-1999 (note the 4 digits ;) ). And, though the sky wouldn't have fallen, I guarantee that if we hadn't fixed the problems, it would have been more than a MINOR inconvienience.

Now *then* we'd see a storm

[weston]

So? If we do in fact know where they are physically located, local police should go and confiscate them.

Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.

There's a lot of these computers out there, which is the whole point. If every one was subject to seizure, computer security would immediately become part of popular conversation. Helluva social storm, probably.

Multi cellular

[goombah99]

I got the skynet link of course, and it's apt. What we are seeing is the slow transition from single cellular behaviour to a multi cellualr organism. That is instead of being fighting on it's own, it now has a global immune response to an invader (security researcher). With the advent of virtual machine detectors last year these things now commit apoptosis when they detect they have been invaded by the security researcher.

In other words we have changed roles. Instead of us being the host and them being the virus, it now is behaving like a host and us as the invasive organism.

These things certainly have enough global cpu strength to do some serious artifical intelligence. even if it were not efficient, they have millions of cpus to harness. Some already do have code changing algorithms to hide their signature. And the ones that survive, are the fittest in an evolutionary sense. At some point they may actually start changing their own design, and eventually their own requirements.

So skynet may evolve itself naturally, not as an actual construction.

Re:Now *then* we'd see a storm

[gad_zuki!]

Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.

What so wrong about it? If my car is pumping out noxious fumes then the state takes away my license. Thus people maintain their emissions. Or if I park by as hydrant I get a ticket. I dont see why computers should be immune from this kind of policing.

Re:Contact the users

[Anonymous Coward]

fail2ban (or something similar) should be a default in the popular distributions if you install openssh/apache/vsftp etc. Not only does it slow, and stop for a period, brute force attacks against the host - the single best feature is the email notification bringing the issue to your notice. That is the most valuable thing it brings to the table. It also highlights the idiots who forget their passwords inside your network providing much needed entertainment.

Re:Wait a minute

[Intron]

If it's grain of salt time, let's look at which is more likely:

a) Something big changed and 10 million Windows users suddenly wised up and cleaned up their compromised systems.

b) The people behind Storm have made it harder to detect so we only think that there are fewer compromised systems.

I tried and failed

[Opportunist]

As one of the "threatened" AV researchers, I was of course interested in getting the bots offline, at least to the degree that I can (I kinda have little chance to put pressure on ISPs in some country that I can't even spell correctly).

So I went and gathered the IP addresses of infected machines. I aggregated them and grouped them to the corresponding ISPs, complete with timestamp (just in case they use dynamic IP addresses and thus need them to contact the corresponding users), then I sent out a mail to 10 different ISPs, just as some kind of test.

The result:

5 didn't reply at all.
2 replied that they are "looking into the issue". I guess they're learning the list by heart 'cause after a month now, still no further reply.
One replied with the question whether I try to infect their system and how I dare to say that their users might do something illegal (talk about knowledge).
One replied that they can't do jack because I could just as well have forged that list to mess with their users and they don't care.

Only a single ISP actually thought the matter is important enough to contact me with a request for more information and whether they can do something proactively.

One.

The smallest one, btw. With 20 infected machines (compared to a few 100 with the biggest one, one of the first group that didn't even care enough to reply).

You can't win this way. ISPs don't care at all, at least until the botnet starts using more bandwidth than their torrent leechers. It would mean work for them, what's worse, it means their customers bother their call center with angry calls and maybe even questions how to clean their machines and maybe they even cancel their service over it. In short, taking things like this serious costs them money but doesn't get them anything, so they won't do it.

Re:Who really knows

[Opportunist]

Since I can't sell you anything to remedy it (nobody can. Don't believe in snakeoil. The best anyone can do is sell you something so you don't become part of the botnet, but nothing saves you from being a target), I can tell you upfront: It is a threat. A big one.

We're facing a huge network here with the capability to strike a single target. It's not that any of those machines are actually a threat to any kind of server. It's the fact that there are thousands (I think millions is a wee bit exaggerated, but we're certainly facing a number in the upper 5 digits or lower 6).

The threat isn't so much to a single server or a single corporation, the threat actually touches international borders (pardon the pun). We're talking something here that threatens the infrastructure of the internet itself.

The reason why the internet doesn't collapse under its own weight is that nobody uses the bandwidth fully all the time, and there isn't a single target node everyone wants to connect to. Now imagine exactly that happens. Everyone (or let's say one out of 10 machines) on the net goes full bandwidth on one target.

The problem isn't so much that this target is dead due to a DDoS. That's a given. The problem is that the backbone gets under serious stress. And that's where not only the single server but the whole infrastructure of the net around it comes under pressure. Not long ago, Denmark had a network blackout. I think it's no longer a secret what was the reason.

What's worse is that the whole mess seems to be nothing more than a test balloon. When you look at the way this is distributed and worked, you notice that it is by far not what could be considered an "all out" attempt at infecting. It's more a rather limited effort, with days and sometimes weeks between the launch of new infections, and very, very few "real" DDoS attacks, mostly defensive. Very few offensive attacks have been launched so far.

That's what worries me.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:I tried and failed

[GlL]

Ok, I work for an ISP and our customers do get temporarily locked down if they are spewing infection or spam to the universe. When they call in, we tell them exactly what kind of Spam or virus, or botnet they are currently spewing. On the first offence you get asked to scan your machines with AdAware, Spybot and AVG until it runs clean and then to call us when that happens for us to reactivate their connection so they can send us screenshots of the successful removal scans. If the abov scenario happens three times we require them to either format and reinstall their OS or have their pc certified clean by a reputable tech shop (of which we have a list) or by our technicians, we charge significantly LESS then the others around us, or ask them if they have an unsecured wireless network, and if so ask them to disconnect it until they turn the security on. We will set that up for them for a fee, and most of our customers are pretty OK with paying for technical services. I guess that we are lucky, but we also are pretty good at training our customers as well. Some of us ISPs do care about our customers, and do our best to be good net-neighbors.