Storm Worm Strikes Back at Security Pros 371
alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."
Sounds ripe for abuse (Score:5, Interesting)
Re:Kung Fu Style? (Score:4, Interesting)
Old news (Score:2, Interesting)
Easy lesson for those thinking of doing research: Remember to have a machine dedicated to the task of talking to untrusted outsiders.
Counter-DOS (Score:5, Interesting)
You theoretically would not need a comparable number of targets to attackers - just enough to lower the magnitude of the counter attack to the point where you could get acceptable results. You could also have targets that 'play dead' in some ways so the attackers can't fix on a minimum magnitude to counter attack with, and instead have to throw zombies until the target stops moving, where the target just gets right back up after playing dead. That way, the window you have before you 'play dead' might be used to get relatively clear results.
Just one guy's idea.
Ryan Fenton
Ponders ... (Score:3, Interesting)
Re:Contact the users (Score:5, Interesting)
Re:Counter-DOS (Score:5, Interesting)
Not particularly likely to happen, but we can all dream, can't we?
Re:Who really knows (Score:3, Interesting)
Now *then* we'd see a storm (Score:5, Interesting)
Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.
There's a lot of these computers out there, which is the whole point. If every one was subject to seizure, computer security would immediately become part of popular conversation. Helluva social storm, probably.
Multi cellular (Score:3, Interesting)
In other words we have changed roles. Instead of us being the host and them being the virus, it now is behaving like a host and us as the invasive organism.
These things certainly have enough global cpu strength to do some serious artifical intelligence. even if it were not efficient, they have millions of cpus to harness. Some already do have code changing algorithms to hide their signature. And the ones that survive, are the fittest in an evolutionary sense. At some point they may actually start changing their own design, and eventually their own requirements.
So skynet may evolve itself naturally, not as an actual construction.
Re:Now *then* we'd see a storm (Score:4, Interesting)
What so wrong about it? If my car is pumping out noxious fumes then the state takes away my license. Thus people maintain their emissions. Or if I park by as hydrant I get a ticket. I dont see why computers should be immune from this kind of policing.
Re:Contact the users (Score:2, Interesting)
Re:Wait a minute (Score:4, Interesting)
a) Something big changed and 10 million Windows users suddenly wised up and cleaned up their compromised systems.
b) The people behind Storm have made it harder to detect so we only think that there are fewer compromised systems.
I tried and failed (Score:5, Interesting)
So I went and gathered the IP addresses of infected machines. I aggregated them and grouped them to the corresponding ISPs, complete with timestamp (just in case they use dynamic IP addresses and thus need them to contact the corresponding users), then I sent out a mail to 10 different ISPs, just as some kind of test.
The result:
5 didn't reply at all.
2 replied that they are "looking into the issue". I guess they're learning the list by heart 'cause after a month now, still no further reply.
One replied with the question whether I try to infect their system and how I dare to say that their users might do something illegal (talk about knowledge).
One replied that they can't do jack because I could just as well have forged that list to mess with their users and they don't care.
Only a single ISP actually thought the matter is important enough to contact me with a request for more information and whether they can do something proactively.
One.
The smallest one, btw. With 20 infected machines (compared to a few 100 with the biggest one, one of the first group that didn't even care enough to reply).
You can't win this way. ISPs don't care at all, at least until the botnet starts using more bandwidth than their torrent leechers. It would mean work for them, what's worse, it means their customers bother their call center with angry calls and maybe even questions how to clean their machines and maybe they even cancel their service over it. In short, taking things like this serious costs them money but doesn't get them anything, so they won't do it.
Re:Who really knows (Score:5, Interesting)
We're facing a huge network here with the capability to strike a single target. It's not that any of those machines are actually a threat to any kind of server. It's the fact that there are thousands (I think millions is a wee bit exaggerated, but we're certainly facing a number in the upper 5 digits or lower 6).
The threat isn't so much to a single server or a single corporation, the threat actually touches international borders (pardon the pun). We're talking something here that threatens the infrastructure of the internet itself.
The reason why the internet doesn't collapse under its own weight is that nobody uses the bandwidth fully all the time, and there isn't a single target node everyone wants to connect to. Now imagine exactly that happens. Everyone (or let's say one out of 10 machines) on the net goes full bandwidth on one target.
The problem isn't so much that this target is dead due to a DDoS. That's a given. The problem is that the backbone gets under serious stress. And that's where not only the single server but the whole infrastructure of the net around it comes under pressure. Not long ago, Denmark had a network blackout. I think it's no longer a secret what was the reason.
What's worse is that the whole mess seems to be nothing more than a test balloon. When you look at the way this is distributed and worked, you notice that it is by far not what could be considered an "all out" attempt at infecting. It's more a rather limited effort, with days and sometimes weeks between the launch of new infections, and very, very few "real" DDoS attacks, mostly defensive. Very few offensive attacks have been launched so far.
That's what worries me.
Comment removed (Score:5, Interesting)
Re:I tried and failed (Score:5, Interesting)