Storm Worm Botnet "Cracked Wide Open"
Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'
Re:Partially disclosed? (Score:5, Informative)
They should just publish their code.
They did.
The Full Disclosure link contains the source code of their program.
Re:If the fix works. . . (Score:2, Informative)
It IS illegal even to write or distribute such code thanks to the infamous § 202c StGB.
Re:Question (Score:3, Informative)
base64 decoding gives a bzipped tarball, decompress with your favorite utility.
HOWEVER, it is obviously Windows-specific, uses the Win32 API to install itself and - I think - replicate the Storm code in-place.
Re:Depends ... (Score:2, Informative)
No, German law is very clear at this point.
Unauthorised data manipulation is illegal.
And you will not get around the judge with: "I just inserted that in the bot in my machine and it spread through the botnet, lulz. Dunno why."
This is not news (Score:1, Informative)
IRC operators battling botnets have long been able to take them down, and have long been battling with the ethics.
http://news.cnet.com/IRC-operators-may-out-hack-Fizzer/2100-1002_3-1003894.html [cnet.com]
Sounds like the rest of the world is catching up after 8 years.
Re:Partially disclosed? (Score:5, Informative)
Actually, it's base64, but you are basically correct.
The tarball contains the following contents:
Makefile
autorun.c
autorun.h
cmdsrv.c
cmdsrv.h
disinfect.c
disinfect.h
hash.c
hash.h
httpsrv.c
httpsrv.h
install.c
install.h
libz.a
message.c
message.h
nbcache.c
nbcache.h
overnet.c
overnet.h
pini.c
pini.h
queue.c
queue.h
routing.c
routing.h
stormfucker.c
stormfucker.h
zconf.h
zlib.h
The reason why it is "partially disclosed" is because portions of the code have been patched so as to make it inoperative. However, all the necessary exposition is there, and by reading the source you can get a pretty good idea of what it is doing.
Re:Tor (Score:2, Informative)
And yet, the anonymous, encrypted nature of Tor gives you plausible deniability.
In effect, you are a miniature ISP.