
Storm and the Future of Social Engineering

Albert writes "Storm shows several key characteristics, some new and advanced. It uses cunning social engineering techniques — such as tying spam campaigns to a current event or site of interest — as well as a blend of email and the Web to spread. It is highly coordinated, yet decentralized — and with Storm using the latest generation of P2P technology, it cannot be disabled by simply 'cutting off its head.' In addition, Storm is self-propagating — once infected, computers send out massive amounts of Storm spam to keep recruiting new nodes."
This discussion has been archived. No new comments can be posted.

  • ZOMG BOTZ (Score:3, Insightful)

    by spacefiddle ( 620205 ) <.spacefiddle. .at. .gmail.com.> on Thursday June 12, 2008 @09:05AM (#23762673) Homepage Journal
    hai guise theirs still a thing called 'storm' and itz bad

    the blurb doesn't even SAY anything beyond that, and the 'article' is a skinny summary that has a cute lil stupid graph in the middle... and a solid bracing of two columns of ads on either side.

    Does any article with the word "storm" in it get published...?
  • by jeiler ( 1106393 ) <go.bugger.off@noSPaM.gmail.com> on Thursday June 12, 2008 @09:05AM (#23762679) Journal
    Not to mention that many of the "new social engineering tricks" have been used since the beginning of Usenet. Methinks net-security.org is reaching for this story.
  • by arnoldo.j.nunez ( 1300907 ) on Thursday June 12, 2008 @09:08AM (#23762707)

    The worm's been around for the better part of a year now and these features are in it from the beginning.
    The data is somewhat more up-to-date than last year. I disagree with the article in a few points.

    First it says: "IronPort Systems estimates that, at its most destructive point in July 2007..."; I'd argue that it was at its most destructive during the September DDoS against multiple sites.
  • Re:ZOMG BOTZ (Score:2, Insightful)

    by morgan_greywolf ( 835522 ) * on Thursday June 12, 2008 @09:20AM (#23762829) Homepage Journal

    trying to convince everyone that they won't be less nimble now that they're chained to the big ol' dinosaur in the corner.
    All I gotta say is look what that big ol' dinosaur did to Linksys.
  • by TechForensics ( 944258 ) on Thursday June 12, 2008 @09:22AM (#23762843) Homepage Journal
    How can we teach everyone to pay attention when their computers slow down, the disks thrash, lights on the cable modem go nuts, and strange bounces appear in their email? This isn't rocket science. We need to get the word out!
  • by ledow ( 319597 ) on Thursday June 12, 2008 @09:29AM (#23762915) Homepage
    Because people don't care.

    If your car display lights up and flashes, people take notice but still I've seen people ignore the warning lights and just drive (sorry, but women are actually the worst culprits).

    A computer is a black box to people and a few flashing lights/slowness mean nothing to them. It could be that their P2P app has just kicked in or their printer is printing or a million other things... people can't diagnose it, therefore they don't care about it.

    You will *not* educate the masses, no matter what damage you do to their computers - these people are buying new computers every year because "the old one got slow", where in reality it was running at the same speed but just bogged down with viruses.

    The way to do it is not to trust them to be able to spot it, or need to. That is, make a computer that takes care of such things. This is what privilege separation does when it is implemented properly, but even on the strictest controlled networks, you'll find something users can do that wasn't designed for or intended. However, the fix is in the design and execution, not the dumb idiot who just wants to send an email to his family.
  • by ttapper04 ( 955370 ) on Thursday June 12, 2008 @09:41AM (#23763033) Journal
    I read the headline, Storm and the future of social engineering, and I thought twice about clicking the link. If one does not have a bit of a healthy neurosis about clicking through anything then they will be infected at some point.
  • by somersault ( 912633 ) on Thursday June 12, 2008 @10:43AM (#23763941) Homepage Journal
    Unless perhaps you're running IE, clicking through to a news article on the front page of /. probably is a safe enough bet o_0 A healthy bit of neurosis is good, but panicking that an article about the storm worm is probably an evil ploy by the storm worm to propagate itself is a bit far fetched.
  • Re:Why. . ? (Score:4, Insightful)

    by Rick Bentley ( 988595 ) on Thursday June 12, 2008 @10:48AM (#23764009) Homepage
    The basic idea, it seems to be, is that someone is still controlling these computers and can use them at will in DDoS (Distributed Denial of Service) attacks ... and maybe it can even go on the offensive automatically.

    Wikipedia (http://en.wikipedia.org/wiki/Storm_botnet) has a nice write-up on Storm, the "Methodology" Section is especially informative:

    The Storm botnet was observed to be defending itself, and attacking computer systems that scanned for Storm virus-infected computer systems online.[29] The botnet will defend itself with DDoS counter-attacks, to maintain its own internal integrity. At certain points in time, the Storm worm used to spread the botnet has attempted to release hundreds or thousands of versions of itself onto the Internet, in a concentrated attempt to overwhelm the defenses of anti-virus and malware security firms.[30] According to Joshua Corman, an IBM security researcher, "This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit."[31] Researchers are still unsure if the botnet's defenses and counter attacks are a form of automation, or manually executed by the system's operators.[31] "If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously. [Over at] SecureWorks, a chunk of it DDoS-ed [directed a distributed-denial-of-service attack] a researcher off the network. Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it punishes them. It fights back," Corman said.[32]

    Yes, it's not hard to defend against getting infected, but every year there are a bazillion new computer users who want to "punch the clown to win a free i-pod", or whatever, and they get infected by the dumbest stuff. Then their computer can be used to attack others.

    Anyway, most any /. reader can keep from getting infected by Storm, it's the 99.99...% of the rest of the computer owners that literally become part of the problem.
  • by camperdave ( 969942 ) on Thursday June 12, 2008 @10:49AM (#23764025) Journal
    My disks often show activity when the machine is "just sitting there". My DSL modem lights often blink for no apparent reason. When I do a top, I see several dozen processes, any one of which could be logging data, doing garbage collection, looking for updates, or doing any number of innocuous things. Just because a computer is active when you don't think it should be, doesn't necessarily mean that it's infected with anything.
  • by Sloppy ( 14984 ) on Thursday June 12, 2008 @11:15AM (#23764435) Homepage Journal

    If one does not have a bit of a healthy neurosis about clicking through anything then they will be infected at some point.

    That's not true if, instead, they have a healthy neurosis about running network clients that automatically download and execute foreign code.

    It blows my mind that anyone still continued to run MSIE after 1995.

  • simple fix (Score:1, Insightful)

    by drew_92123 ( 213321 ) on Thursday June 12, 2008 @11:24AM (#23764595)
    I'm tellin ya, find the guys who write a couple of these things, or that run a bot net or even a small spamming operation, charge them with crimes against humanity or some such garbage, and kill them very slowly on live TV... Then take away everything their families own... money, property, put them out on the street. SPAM would stop soon after the second or third execution and the world will be better for it.
  • by nuzak ( 959558 ) on Thursday June 12, 2008 @12:30PM (#23765709) Journal
    and with Storm using the latest generation of P2P technology, it cannot be disabled by simply 'cutting off its head.'

    I suspect a few public decapitations of the people running Storm would put a pretty quick stop to it. Just gotta pick the right targets, see.

  • Re:simple fix (Score:3, Insightful)

    by deanoaz ( 843940 ) on Thursday June 12, 2008 @12:42PM (#23765989)
    But there isn't any big money behind stopping spam. If you start executing people for computer crimes it will be the pirates getting the chair at the behest of the RIAA, not spammers.
  • by hobbit ( 5915 ) on Thursday June 12, 2008 @01:01PM (#23766375)

    I also prefer apps that are installed by dragging them into the applications folder, but if they create things in ~/Library, you're left with exactly the same uninstallation problem as you bemoan in Apple's installer. Unless that's just ~/Library/Preferences/com.domainname.AppName, I'd prefer a paper trail, i.e., an installer receipt.

    Anyway, you or I may not create application installers, but as long as some people do, Apple is culpable in training users to type their password freely.

  • by hobbit ( 5915 ) on Thursday June 12, 2008 @01:05PM (#23766453)

    What the hell else would you suggest? Allow software to install itself globally WITHOUT admin privileges?
    No.

    Make it so that software by default only works for the user who installed it?
    Yes. NB "By default" does not mean "force it on the user"; it's just an extra page in the installer wizard to say "Do you want to install this for the current user or for all users?"
