Storm Worm Botnet "Cracked Wide Open"
Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'
Partially disclosed? (Score:5, Interesting)
They should just publish their code. Let the individual hackers decide what to do with it...
If the fix works... (Score:5, Interesting)
Re:Depends ... (Score:4, Interesting)
Using this background knowledge, they were able to develop their own client, which links itself into the peer-to-peer structure of a Storm Worm network in such a way that queries from other drones, looking for new command servers, can be reliably routed to it. That enables it to divert drones to a new server. The second step was to analyse the protocol for passing commands. The researchers were astonished to find that the server doesn't have to authenticate itself to clients, so using their knowledge they were able to direct drones to a simple server. The latter could then issue commands to the test Storm worm drones in the laboratory so that, for example, they downloaded a specific program from a server, perhaps a special cleaning program, and ran it. The students then went on to write such a program.
Seems like the method involves the server communicating with the client - which could be considered "hacking" and thus be problematic.
Especially here in Germany where even possessing nmap is a crime.
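The property the quoted article describes, a command server that never has to prove who it is, is a missing origin check on the command channel, and the same gap turns up in any remote-management or update agent. The block below is an added example (not the researchers' tool and not Storm's wire format) of the check such a client should make: a MAC over the sequence number and payload, verified before anything is executed, with stale sequence numbers refused. The key, the sample commands and the URLs are constructed for the demo; a shared HMAC key is used because it is in the standard library, whereas a deployed design would use asymmetric signatures so that a client holding the verification key still cannot forge commands.

```python
"""Authenticated command envelope: the origin check the quoted protocol lacked.

Added example; not the researchers' tool and not Storm's wire format.
Every command carries a sequence number and an HMAC over (seq, payload).
A client executes a command only if the MAC verifies under a key the
issuer holds and the sequence number advances, so a peer that merely
answers a "where is the server?" lookup cannot substitute its own
commands, tamper with them, or replay old ones.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real deployment provisions this out of band.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(seq: int, payload) -> bytes:
    """Deterministic encoding so issuer and verifier MAC the same bytes."""
    body = {"seq": seq, "payload": payload}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(seq: int, payload: dict, key: bytes = DEMO_KEY) -> dict:
    """Issuer side: attach a MAC to the command envelope."""
    mac = hmac.new(key, _canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "mac": mac}


class CommandClient:
    """Client side: verify before acting; remember what was refused and why."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.last_seq = -1
        self.executed = []   # payloads that passed every check
        self.rejected = []   # (reason, envelope) pairs kept for audit

    def handle(self, envelope: dict) -> Optional[str]:
        """Return None when the command is accepted, else the rejection reason."""
        reason = self._check(envelope)
        if reason is not None:
            self.rejected.append((reason, envelope))
            return reason
        self.last_seq = envelope["seq"]
        self.executed.append(envelope["payload"])
        return None

    def _check(self, envelope: dict) -> Optional[str]:
        mac = envelope.get("mac")
        seq = envelope.get("seq")
        if not isinstance(mac, str) or not isinstance(seq, int):
            return "unsigned"
        expected = hmac.new(self.key, _canonical(seq, envelope.get("payload")),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: do not leak how many digits matched.
        if not hmac.compare_digest(mac, expected):
            return "bad-mac"
        if seq <= self.last_seq:
            return "replay"
        return None


def demo() -> list:
    """Run the four cases a reviewer would test; returns the decisions in order."""
    client = CommandClient()
    genuine = sign_command(1, {"op": "update", "url": "https://updates.example.invalid/p"})
    injected = {"seq": 2, "payload": {"op": "fetch", "url": "http://rogue.example.invalid/x"}}
    tampered = sign_command(3, {"op": "noop"})
    tampered["payload"] = {"op": "fetch", "url": "http://rogue.example.invalid/y"}
    return [client.handle(genuine), client.handle(genuine),  # second copy is a replay
            client.handle(injected), client.handle(tampered)]


if __name__ == "__main__":
    print(demo())  # [None, 'replay', 'unsigned', 'bad-mac']
```

The rejection log is the detection hook: a client that starts recording "unsigned" or "bad-mac" envelopes is being fed commands by something that does not hold the key, which is exactly the situation the researchers created in their lab.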
Re:Law? (Score:5, Interesting)
Vigilantism is the result of when the government cannot protect the citizen from something that it's reasonable to believe they should be protected from. It's usually due to the problem of balance between making things illegal and restricting reasonable freedom.
But in this case it's more toward the issue of the problem not being within the government's charter, or that the government simply does not have the structure (laws, with teeth) required to protect the citizen.
I'm not a fan of vigilantism in general, but there are times when I approve of it. I'd personally love it if someone would infiltrate the botnets and inject a command to brick (but not erase) every computer that's infected, as a measure to protect millions of innocent people.
Imagine the city you live in, where 15% of the cars parked on the curbs have the keys in the ignition. And there's a growing problem in the city of kids going on joy rides and trashing cars and property and even killing people. But the car owners don't want to bother with the problem and don't care unless their car gets trashed, and don't want anyone telling them what to do with their car. I'd lead the effort to walk the blocks, looking for cars with keys in the ignition, and hiding them somewhere in their car. Don't like it? Quit leaving your keys in the ignition. Yes, it may violate a right of yours, but by your extending your liberty it's violating the rights of others to a larger degree.
Re:Law? (Score:4, Interesting)
Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?
Both companies and universities who have security researchers on their staff care about laws and more than that the risk of lawsuits. When the network security company I worked for had the ability to shut down several botnets we consulted with our primary counsel and decided it was not worth risking the company to lawsuits from people whose zombies could be shut down or lose data. The publicity would have been nice, but there are always people looking to cash in. Instead, we collaborated with law enforcement a few times and gave them the ability to shut them down if they wanted to (at least one government did shut down a botnet we handed them the keys to).
A shorter answer would be, the researchers care about laws because they want to keep their jobs and not go broke or go to prison.
Re:So you are sued and lose your house. (Score:5, Interesting)
Yeah, but it's an international problem. A guy from F-Secure in Finland has been calling for the formation of an "internetpol" for exactly these reasons. I think he's right because otherwise international net crime will continue unabated, since nobody is in charge of combating it. An international body designed to coordinate crime policing efforts is sorely needed.
I would say that it should be. (Score:5, Interesting)
I would say that it should be. Why waste time and effort trying to find crackers who will only be replaced by different crackers in different countries if you do manage to prosecute them?
Remove the zombies in your country and the zombie problem is pretty much solved.
But to accomplish that, you need to be able to automate the process and perform it remotely. There just are not enough resources to handle each computer individually.
Re:so what? (Score:5, Interesting)
What if the cleaning program fouls a hospital's computers? Or fouls up some other important infrastructure. Do you want to be the guy standing next to the enter key in that event?
It seems to me that a computer participating in a botnet is already a threat to the public. If "cleaning gone wrong" fouls a computer that's already infected, that's really just 'collateral damage'. If it happens to be a hospital's computers, well, I'd say the real problem was the hospital trusting critical infrastructure to software that's insecure. If a hospital is really dumb enough to put infrastructure that could harm someone's life on a network connected to the internet, I'd say that's criminal negligence.
I really do think we've hit the point where the people with the vulnerable computers need to start taking SOME of the blame here and stop acting as if they're all just innocent bystanders. There's certainly plenty of blame to go around. (Oh, and the software producers can sure take some of the blame as well).
Re:Just more whack-a-mole (Score:3, Interesting)
While your point is valid to a certain extent, there's no reason why spamvertized stuff can't be purchased from http://123.321.456.654/crap instead of http://abcdefghijk.cn/morecrap
In fact, I'm not sure why spammers go to the trouble of registering domains. If it's just for the ease of transferring the dns record to a new ip address, why bother? Just send out a new batch of garbage with a new ip address instead.
Re:Just more whack-a-mole (Score:3, Interesting)
It'll be more bothersome, but if DNSes won't be available, they'll just say click here for free viagra! [127.0.0.1]
What makes you think people buying stuff from spam will notice if it's a domain name, or IP address?
Re:Screw the law. (Score:4, Interesting)
You don't want to go there. The law is the one that says someone installing software on your computer without your permission is illegal. In your zeal to stop the Storm botnet, do you want to make it legal for the Storm botnet runners to break into your computer and install their software? That's what you'll be doing.
Re:So you are sued and lose your house. (Score:5, Interesting)
Yeah, but if you do that then the botnet will be patched against the specific takedown code before it makes it through congressional committee.
What probably should happen is that some major world government (US, EU?) should decide that the botnet is a major headache and a threat to national security. Then the info warfare division of the military would prepare a suitable script that would only disable the bots (perhaps installing a security patch on the way out to prevent reinfection).
Then they just do it. The operation would be classified and launched in a way that would be extremely difficult to trace.
All the pundits on the internet would cry about how horrible an action it was (though nobody would complain about the 95% reduction in spam). However, everybody would blame their favorite love-to-hate government (China, the US, France, whatever :)), while the folks in on the classified operation in the Netherlands laugh every time they get to work. And if by some miracle somebody actually figures out where it came from (large governments could just inject packets on any random telecom line, and even route them through Tor if they want), what is anybody going to do about it? Launch a war on Belgium for ridding the world of spam? Levy economic sanctions for saving every company with an email server millions every year?
Big governments kill people all the time in the interest of public safety and security. What's the worst that could happen - a few million home PCs lock up from a poorly-designed script? That could already happen any day if one of Storm's owners makes a mistake.
I'm not big on government trespass on private property. However, if somebody's row home catches on fire and the owner refuses to let in those responsible for putting out the fire, then the police will simply put them in cuffs and let the firemen axe open the door. They might not do it for a single family home, but they'd not let a block go up in flames because some guy refused to cooperate.
If you want to be really nice about it then just put a public service announcement on TV stating that in the coming month the government is going to wipe out the Storm botnet, and that anybody who doesn't like the idea of having the government clean up their PC should opt out by removing their computer from the botnet in the next seven days...
Re:I am glad I use a Mac (Score:3, Interesting)
If a user installs some program on either Linux or OS X, what's to stop that program from making outbound connections to port 6667 (to receive instructions) and to port 25 (to send spam)?
Well, one possibility is the firewall, but for most setups it won't by default. Right now what protects OS X and Linux users from that happening is the fact that there are very few trojans in the wild that do that and work on those OS's. For that matter, not too many do that on Windows, because automated worms work better at gathering bots than trojans do.
Now for some Linux distros and potentially for OS X and Windows there are sandboxing technologies that could be implemented to prevent trojans from working in that way. There are signing frameworks to automatically verify the source of programs to inform the user about whether or not some software they are installing is from well known and trustable source. If trojans ever become a real problem for the average Linux or OS X user, then these technologies will be implemented and become default setups.
I've never understood this "if users wouldn't run as Administrator/root, we'd all be safe" argument, you don't need superuser privs to send email.
I made no such argument. Rather I mentioned that boxes could be locked down to prevent the problem. Part of that means implementing finer grained permissions on the application level. I also asserted that the real problem is the broken market, where the one, mainstream OS that really needs such technology has utterly failed to implement it, but because there is no competition, very few users move to alternatives.
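The question above names the two outbound ports a trojan needs (6667 for instructions, 25 for spam), and the reply notes that a default firewall won't block them. Whether or not egress is filtered, those two ports are easy to watch for. The block below is an added example, not from the page: it parses constructed flow records of the form `<timestamp> <src> <dst> <dport>` and flags a host that is not a designated mail relay fanning out SMTP connections to many destinations, and any host talking to IRC. The relay address, the threshold and the sample flows are assumptions made up for the demo.

```python
"""Egress monitoring for the two ports the question names.

Added example, not from the page. It parses constructed flow records of
the form "<timestamp> <src> <dst> <dport>" and flags two bot-like
patterns: a host that is not a designated mail relay opening SMTP (25)
connections to many distinct destinations, and any host connecting to
IRC (6667). The relay list and the threshold are assumptions for the demo.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

MAIL_RELAYS = {"10.0.0.25"}   # assumed: the only host allowed to speak SMTP outbound
SMTP_DISTINCT_DST_LIMIT = 5   # assumed: distinct SMTP peers before a host is flagged
IRC_PORTS = {6667}

# Constructed flow log. One internal relay, one quietly spamming desktop
# that also checks in over IRC, and one desktop with ordinary traffic.
FLOWS = """\
2009-01-10T10:00:01 10.0.0.25 203.0.113.5 25
2009-01-10T10:00:02 10.0.0.25 203.0.113.6 25
2009-01-10T10:00:03 10.0.0.42 198.51.100.9 6667
2009-01-10T10:00:04 10.0.0.42 203.0.113.10 25
2009-01-10T10:00:05 10.0.0.42 203.0.113.11 25
2009-01-10T10:00:06 10.0.0.42 203.0.113.12 25
2009-01-10T10:00:07 10.0.0.42 203.0.113.13 25
2009-01-10T10:00:08 10.0.0.42 203.0.113.14 25
2009-01-10T10:00:09 10.0.0.42 203.0.113.14 25
2009-01-10T10:00:10 10.0.0.7 203.0.113.5 25
2009-01-10T10:00:11 10.0.0.7 203.0.113.20 443
malformed line that should be skipped
"""

Flow = Tuple[str, str, str, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse flow lines; skip anything without four fields and a numeric port."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, src, dst, dport = parts
        flows.append((ts, src, dst, int(dport)))
    return flows


def find_suspects(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Return sources flagged for SMTP fan-out and for IRC use."""
    smtp_peers: Dict[str, Set[str]] = defaultdict(set)
    irc_sources: Set[str] = set()
    for _ts, src, dst, dport in flows:
        if dport == 25 and src not in MAIL_RELAYS:
            smtp_peers[src].add(dst)   # count distinct peers, not connections
        if dport in IRC_PORTS:
            irc_sources.add(src)
    spammers = {src for src, peers in smtp_peers.items()
                if len(peers) >= SMTP_DISTINCT_DST_LIMIT}
    return {"smtp_fanout": spammers, "irc": irc_sources}


if __name__ == "__main__":
    print(find_suspects(parse_flows(FLOWS)))
```

Counting distinct destinations rather than raw connections is what separates a desktop that occasionally talks to one mail server from one that is delivering spam directly; the single port-25 connection from 10.0.0.7 stays below the threshold while 10.0.0.42 is flagged on both criteria.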
Re:Me too (Score:5, Interesting)
I know it's terrible form to reply to one's own post, but let me just come out and suggest it:
A collaborative, and perfectly anonymous or pseudonymous code project.
Wicherski, Werner, Leder and Schlösser must be protected from punishment for their fine work for the good of humanity. So, informed by their disclosures, I say an open source counter-worm ought to be developed from scratch. To protect those working on it, the collaboration model would have to be a little bit 4channy.
The downside to anonymity (As our good friend the Obama/Library/Poop guy shows us) is that it means people don't have to act accountably. There would probably be tons of ebil coders, seeing a wide-deployment worm accepting code contributions, trying to sneak their own obfuscated backdoors into the code.
But the upside to a system like this is transparency. There are still plenty of eyes on the code, and plenty of coders to call shenanigans on one another.
Whadda ya say?
Re:Law? (Score:2, Interesting)
Not to mention that botnet traffic is lucrative for ISPs to carry. Especially if they switch to metered like they've been discussing.
Unless there's a drought, the water company and your local plumber do not have interests that mesh well.
Tor (Score:2, Interesting)
Why not just send the purge command through Tor?
If something goes wrong, it can't be traced easily.
Re:I am glad I use a Mac (Score:3, Interesting)
It is possible -- there is a patchset for the kernel called GrSecurity. It allows you e.g. to prevent users from starting applications from folders whose owner is not root. So installing programs from a repository is still possible (sudo etc.) but downloading and starting random crap -- close to impossible. Of course, there are always bigger and better idiots, but very few will actually manage to download a file, get root permissions, copy that file to /bin/, change permissions and launch it.
I assume similar is possible via SELinux too.
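The rule the comment describes (programs run only from directories owned by root) is the trusted-path idea; the effect is that a file downloaded into a home directory or /tmp is refused while packaged software in /bin still runs. The block below is an added example that models that policy in user space; it is not grsecurity code and not a kernel hook. The decision is kept in a pure function that takes the directory's owner and permission bits, so it can be exercised without root, and a wrapper applies it to a real path with `os.stat`. The trusted-uid set is an assumption of the demo.

```python
"""Trusted-path execution check in the spirit of the grsecurity feature described.

Added example; not grsecurity code and not a kernel hook. The rule it
models: a program may run only if its directory is owned by a trusted
uid (root by default) and is not writable by group or others, so a file
dropped into $HOME or /tmp cannot be executed, while /bin and packaged
software still can. The pure function takes uid and mode so it can be
tested without root; the wrapper reads them with os.stat.
"""
import os
import stat
from typing import Optional, Tuple

TRUSTED_UIDS = {0}  # assumed policy: only root-owned directories are trusted


def dir_is_trusted(uid: int, mode: int,
                   trusted_uids=TRUSTED_UIDS) -> Tuple[bool, Optional[str]]:
    """Decide on (owner uid, permission bits) and give the reason for a refusal."""
    if uid not in trusted_uids:
        return False, "directory not owned by a trusted uid"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # /tmp is root-owned but world-writable (mode 1777); still untrusted,
        # otherwise anyone could drop a file there and run it.
        return False, "directory writable by group or others"
    return True, None


def may_execute(path: str) -> Tuple[bool, Optional[str]]:
    """Apply the policy to the directory containing path on the live filesystem."""
    directory = os.path.dirname(os.path.abspath(path))
    st = os.stat(directory)
    return dir_is_trusted(st.st_uid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for candidate in ("/bin/ls", "/tmp/downloaded_thing"):
        allowed, why = may_execute(candidate)
        print(f"{candidate}: {'allowed' if allowed else 'refused'} {why or ''}")
```

The group/other write-bit check matters as much as the owner check: a root-owned but world-writable directory such as /tmp would otherwise pass, which is the case the comment's "download a file and launch it" scenario depends on.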
Re:Just more whack-a-mole (Score:3, Interesting)
The bigger problem with that idea is that there are plenty of users on the internet who are happily using old un-patched systems running windows 9x, or even win2k or XP logged in as admin (also unpatched).
Luckily many bots need newer libraries than the ones installed in the older versions of Windows. I've seen a few 98, NT4 and 2K boxes where the bot exploited and installed itself but couldn't run.
Many of these people don't care how great your latest OS is. They are fine with what they have and they don't want anything else. You can propose all the OS-level security changes you want and you'll never get those changes out to those legions of users.
My grandfather is a good example of that. He started out using Windows 2.0 and worked his way through each release finally arriving at NT Workstation 4.0. At that point he told me that was the last system he was going to learn, and that was the end of it. He would have been content to run NT workstation till the end of time. Luckily, his ISP gave him a new Vista system last year which he decided he would learn.
The lack of predators in the computer population. (Score:1, Interesting)
A big problem in today's global computer population is the lack of predators. While in the past malware was mostly written by some wannabes (ever looked at some virus from the DOS era? I hardly saw one that looked like the one that wrote it had more than a slight grasp of programming) and had some highly visible effects causing infected computers to be removed from the population, thus weakening the general population.
But today malware is mostly there to aid some other criminal goal, thus also the malware behaves more like a parasite than a predator: keep your host living so you keep yourself living, too.
The problem is: computers are not like some beasts in the forests, but what humans depend on. So it is not only criminal to get some predators back, but would also cause massive problems for humans, perhaps even deaths, when emergency calls or nuclear power plants are affected, so it is unethical.
So we are caught in a dilemma, which widens our global vulnerability every day.
With all the fear of terrorist attacks, it is really a wonder why keeping your PC open for everyone with enough criminal energy to mis-use it has no consequences for the people doing so.
It is hard not to wish some people would use such a botnet to change e.g. the Windows login screen of all infected machines to a green screen with some Arabic text on it. One could imagine people would be frightened by this look and learn to clean and protect their machine. Governments could become uneasy enough to force people to use protective measures. But most likely the code would be buggy and bring down every thousandth PC, endangering many lives and being sure to pain a large amount...
Interpol (Score:2, Interesting)
Permission To Fire, Sir! (Score:2, Interesting)
This approach would have the widest effect, as it would eliminate the need for people to manually download the package and agree to potential intrusion, should the need arise by their machine becoming infected.
The good publicity sure couldn't hurt, either.
Gosh, never thought I'd actually say M$ could do good by buying out the little guy.