Storm Worm Evolves To Use Tor

An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."

Are we late to the party?

[Jennifer York]

I'm surprised that it took this long for them to try to hide their tracks through anonymizers. Perhaps they've been doing this for quite sometime, and just now are we catching on to the technique...

It just makes sense, and is obvious, and a natural progression of the technology..... Hey! Maybe I should write a patent!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Are we late to the party?

[VGPowerlord]

I'm still not sure why people would actually listen to that. I mean... why would anyone just download a random program from a website without looking up said program in, say, google to see what it actually does?

Unlikely

[Anonymous Coward]

Yeah, if people would do crazy shit like that then we'd have botnets consisting of billions of computers... oh wait.

Re:

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

> as long as the users have some antivirus...

Since storm is controlled peer-to-peer, shouldn't it be possible to co-opt it into sending out anti-virus spam?

The real problem with a huge/scary bot net like this, is not that a small group of people can control it, but that in theory anyone can take it over for their own purposes.

Re:

[maxwell demon]

I'm still not sure why people would actually listen to that. I mean... why would anyone just download a random program from a website without looking up said program in, say, google to see what it actually does?

That's easy to solve. Just add a helpful comment to the mail saying:

If you are not sure if you should install this program, get more information at http://www.evil.org/malware/installer.exe!

Re:Are we late to the party?

[rucs_hack]

if you look at sites like gamecopyworld.com you will find a wealth of programs that people will download for legitimate (in the consumers mind) use, to mean they can keep their game dvds in their boxes. Add 'trainers' and 'fun free games' to the list and your looking at the majority of casual downloads not directly involving pron or media.

The main problem though is closed source. If source is closed, then there is no easy way to find malicious code before it is deployed on your system. Ok, I'm speaking as a programmer, so that would be useful for me, not a non coder. Still, the point remains, binary distribution only means trouble, be it storm, a sony rootkit, or just 'phone home' code in a program.

What we need is something sort of like gentoo, where all programs are compiled locally, and the code can be inspected for malicious intent. Alas such technology, while it does exist, does not exist in a form that could be disseminated and used by people with no technological background. This is a pipe dream for the moment, I know this. Especially since I tried once to compile openoffice locally (18 hours I think). Perhaps trusted compile farms that deliver fresh binaries?

Waxing lyrical I know, but there has to be an answer somewhere.

Re:

[ThisNukes4u]

Only if you can also trust the compiler chain [cmu.edu].

Re:

[fractoid]

And all administrative, software engineering, and other personal; including the janitor at night.

And don't forget the social security of the firm. A simple "Hi, [Security Firm] here, we're doing an audit of your systems and [..bla bla stuff..] we're checking for insecure or easily crackable passwords, may I have yours?" is a hell of a lot quicker than cracking some 2048-bit public key.

Re:

[Heembo]

LAUGH. A technique like this was effective in getting 60% of a section of IRS employees to give up their password. When I brought this up to my dad (who works there) his answer was, why, you want mine? here it is....

Re:

[CastrTroy]

Just because somebody can verify the code, doesn't mean I want to spend days/weeks looking through all the code in a newly downloaded program, just to verify that it isn't doing something I don't want it to, and hope that I didn't miss anything in the millions of lines of code. Do most people who use Gentoo even bother reading more than 1% of the code? Sure it's good after the fact if you find malware that you can pin it on someone, but the best way to deal with this stuff is don't run software from untru

Real programmers don't need source code.

[sowth]

Oh come on! You aren't a real programmer. Everyone knows the binary is the source code. My uncle eddy doesn't even need those fancy disassemblers or debuggers. He edits memory by looking at LEDs and flipping dip switches. Now that is a real programmer.

Re:

[Iron Condor]

The main problem though is closed source. If source is closed, then there is no easy way to find malicious code before it is deployed on your system. Ok, I'm speaking as a programmer, so that would be useful for me, not a non coder. Still, the point remains, binary distribution only means trouble, be it storm, a sony rootkit, or just 'phone home' code in a program.

Not really. In a binary I can at least in principle parse rudimentarily for things like "does this ever call the TCP/IP stack" and raise a fl

Re:Are we late to the party?

[plover]

Because the modestly intelligent person you are hoping for might think, "This says to install tor, let me open a new window and google for it. Hey, this tor thing looks pretty good!" It's the sort of reaction we encourage people to have, to do some research before installing.

Of course, they then follow the original link from the worm and they still get the trojan. So close, and yet so far... sigh.

Re:

[Marcos Eliziario]

Come on, if there was such kind of stupid people on earth, we would have Bush as the President of the USA, people telling Cuba is a Democracy, and Lula would be president of Brasil. No way I can see this as a likely scenario.

Re:

[VGPowerlord]

True, but chances are you've heard of Opera. Besides, nothing's stopping you from googling Opera.

Re:Are we late to the party?

[Urd.Yggdrasil]

They aren't using Tor to hide their traffic, their trying to trick users into download a Trojan saying that it is a Tor executable and they need to protect their privacy. The Storm bot net uses a system called Fast Flux to hide traffic.

Re:

[zippthorne]

Surely they are also using their compromised TOR nodes for some nefarious deeds. Like de-anonymizing...

Re:

[Goaway]

Why the hell would they care about de-anonymizing? No money in that.

Re:

[plover]

Why the hell would they care about de-anonymizing? No money in that.

Are you kidding? If you could trace back a tor link to gaysex.com/bathroomEncounters.mpg to Senator Larry Craig's machine, don't you think TV shows like Dateline would be offering you tens of thousands of dollars for it?

Um... excuse you?

[Linkiroth]

Your link didn't work.

Re:

[Goaway]

You're expecting a SENATOR to be able to use TOR?

Storm is still a trojan, not a worm

[A beautiful mind]

As always, it works based on user stupidity, not programmer stupidity.

Re:Storm is still a trojan, not a worm

[Spy der Mann]

As always, it works based on user stupidity

Oh no, the internet's doomed! :(

Re:

[account_deleted]

Comment removed based on user account deletion

Ummm.

[crhylove]

Anybody here taking this activity more seriously? For instance, is there a possibility that this is a military operation? Seems a lot more advanced than most of the usual spam/bot/virus stuff I read about. I hope they don't screw up TOR, especially since I'm living in more and more of a police state these days (US).

Re:

[memnock]

if TOR goes down, it's likely another network would pop up in it's place.

Re:Ummm.

[Colin Smith]

Seems a lot more advanced than most of the usual spam/bot/virus stuff I read about.

You mean... More intelligently designed?

 

Re:

[Silver Sloth]

For instance, is there a possibility that this is a military operation?

No, this is private entrprise at its best - the high tech goes where the money is.

What is surprising is that it's taken so long for the spammers to realise that by investing ih a high tech, well engineered solution they can make far more money than the low tech solutions we've seen in the past.

Re:

[AaronLawrence]

Most spammers are very stupid, looking for "big profits" with little or no efforts.

Unfortunately over time they have hired some reasonably smart programmers and those guys have built up techniques that are now hard to beat. Also, a lot of the small fry spammers have been closed down by filters and controls (the main problem they now generate is funding the hard core spamemrs by buying their spamming services and software). So spamming has evolved by survival of the fittest.

Re:

[fractoid]

I thought it was to piss off the virus writers. Apparently later versions had some text in the executable saying "It's skynet, morons, not netsky" or something. :P

Spelling...

[rumith]

using spam to try and convince users of the necessity of using Tor for there communications.

It took me a second to understand what the author meant. Spell-checking, anyone?

Speaking on topic, I'd like to correct one of the previous posters: it's not a mere variation on the "Use XXX Bank" theme; as far as I understand, Tor has been picked among tons of other software that could be infected and supplied to users because it helps the spammers in covering their tracks, since their email is routed through Tor now.

Re:

[lmpeters]

as far as I understand, Tor has been picked among tons of other software that could be infected and supplied to users because it helps the spammers in covering their tracks, since their email is routed through Tor now.

I had always heard that Tor was not useful for sending spam, since it imposes so much overhead (ever notice how much slower everything is on Tor?). Besides, if a botnet is being used to send spam, what would Tor be useful for, except maybe anonymizing traffic between the bots and the master

Need editors who EDIT

[The Monster]

Arguably, what is needed is the low-tech sort of spell-checker. Before we had automated computer programs, newspapers had people called 'copy editors' who would proofread the articles submitted by the reporters. They were looking not only for spelling, grammar, and usage problems, but they also would do fact-checking.

Perhaps we could make the distinction clear this way: A machine that sells soft drinks is often referred to as a 'vender', while the guy selling hot dogs is more likely to be called a 'vendor'. With that in mind, I have toyed with a similar convention for other verb+er nouns:

The person who checks spelling could be a spell-checkor, and the computer program would remain the spell-checker; the human surfing the Web would be a browsor, using a browser program. Programs such as vi or emacs would be editers....

It's got as good a chance of adoption as *bibyte does.

Now, if Cmdr Taco could just get editors who actually EDIT... Oh. He's the 'editor' who ran this story? Never mind.

Re:

[HAKdragon]

It's got as good a chance of adoption as *bibyte does.

Dear God, I hope not. It (*bibyte) has polluted Wikipedia for damn near every article dealing with storage space, communications, and data.

Who is behind the Storm Botnet?

[kryptkpr]

There is an excellent article in Wired from several weeks ago from when Storm was used to DDoS the entire country of Estonia for 2 weeks. A fantastic read, but here's a particularly scary excerpt: Hackers Take Down the Most Wired Country in Europe [wired.com]

If that is the case -- if Azizov isn't trying to cloud the issue -- the implication is perhaps more troubling. It suggests that there is a group of Russian hackers who, on their own, can disrupt the routine functioning of commerce, media, and government any time they want. If so, these hackers represent a stateless power -- a sort of private militia.

While the article does contain a lot of speculation and sketchy sources (like the above quoted Azizov) the evidence does seem to be pointing in a particular direction:

I ask him why anyone would trust him. After all, he seems to have a suspiciously intimate knowledge of the Estonian attacks. "Russian IT specialists are knowledgeable and experienced enough to destroy the key servers of whole states," he says. "They're the best in the world."

The implication: Clearly you want them on your side, so why not hire them? Maybe Estonia was simply an advertising campaign.

It's starting to look an awful lot like another Cold War is coming, except this time it will be a Cyber war waged by turning your enemy's (and the rest of the world's) poorly secured computers against their critical infrastructure while the actual government absolves itself of blame. Nice.

Re:

[Opportunist]

And who made it all possible? Clueless morons who can't keep their computer updated and click everything sent to them. But of course, you can't do a thing against them. After all, they're who make everyone happy. ISPs, because they pay without using bandwidth. "Service" providers, because they pay for crap they could get easily for free. And of course various other companies who sell crap through the net. And hey, they even give me absolute job security, because for as long as those idiots litter the net, I

Re:

[fractoid]

So, now mod me flamebait and let's go on with our lives as long as we can. Sorry for the rant, but I'm really getting fed up. For every crappy thing in life you need some license, some test, some qualification, or at least you're liable if you turn out to be too stupid to operate it safely. But on the 'net...

Why? Personally, I think you're 100% on target. Fifteen years ago, loss of internet connectivity was a nuisance at worst. Now, it could be the difference between your business turning a profit or folding. The 'net is central to many businesses, and if if an entire country can be taken offline, it'd be trivial to do it to, say, a rival corporation. Most banks are pushing their online banking systems for all they're worth - I can easily see a bank taking out a hit on their opposition's website, complete loss

Re:

[Opportunist]

Why mod me flamebait? Because I say something uncomfortable. I ask for a license to do something. And personally, I'd love to go without, instead using some kind of system of logic and brains, where you sit down, educate yourself and use common sense when using the internet. By that system, we'd neither need licenses for driving, owning firearms or dangerous animals, etc.

Unfortunately, people are too stupid, careless or simply negligant to work that way. We want to have rights, but we'd rather not deal with

Re:

[Opportunist]

Which country would you say can currently continue to do meaningful business without internet? Which company would you say can continue without interruption if their email is suddenly cut off?

Re:

[KZigurs]

Why, exactly, do you think that Estonia affair had anything to do with "THE STORM"?
In fact is there even a reference to this in the article you cite?

Re:

[kryptkpr]

I put two and two together. There are references to "almost a million computers world-wide" participating in the attack. Typical botnets only have on the order of 10k-100k machines, only Storm is big enough to have reached millions of zombies.

Re:

[KZigurs]

You are missing one more detail - given the heat of the issue almost any kiddie wannabies in russia (and there are a lot of them) with any kinda control over some machines (and almost any of those kiddie wannabies actually have a few spare servers/machines hijacked there and here - on order of 10-20k machines for an average scene group is not unusual) rised to arms, not to mention state groups chiming in. Had it had anything to do with the superadvertised storm it would have been a totally different story.
F

Re:

[Opportunist]

"Hackers"? "Crackers"? Could we simply say "assholes" and concentrate on something meaningful? Like, finding some solution to it before our politicians get active and replace their cluelessness with operative hectic? It's fairly certain that some kind of law will be created, most likely one that has nothing to do with the problem, doesn't adress it at all, doesn't solve a thing and cripples the net.

Who are the stormbot people?

[tjstork]

Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators. From there, you can just send in a special forces team and just whack the guys. If one nation allows its citizens to hijacking of the assets of millions of another nation's citizens, isn't that just piracy by any other name, and if so, isn't that kind of an act of war?

Re:Who are the stormbot people?

[Urd.Yggdrasil]

The group running the system is taking precautions to avoid detection, such as using Fast Flux [honeynet.org] Also it is speculated that they are in a former Soviet block country, which tend to have very poor laws and few resources to go after such people.

Re:

[Colin Smith]

Damnit. The bad guys get all the best software!
 

So would IPv6 actually fix this?

[tjstork]

I've read that IPv6, because it includes the MAC, could theoretically help this. But is that true? Could the MAC be spoofed? Or, could an ISP include coupling hardware that validates the MAC and the packet sent are the same? Theoretically, you could require that in network hardware manufacturing, so that a NIC Card would not be allowed to transmit a packet with an address that wasn't from it. But would that be enough?

Even if you weren't ideologically predisposed to sending in the SEALs to whack people

Re:

[Workaphobia]

> "I've read that IPv6, because it includes the MAC, could theoretically help this. But is that true? Could the MAC be spoofed? Or, could an ISP include coupling hardware that validates the MAC and the packet sent are the same? Theoretically, you could require that in network hardware manufacturing, so that a NIC Card would not be allowed to transmit a packet with an address that wasn't from it. But would that be enough?"

I only have a cursory knowledge of IPv6 but I don't believe there's anything in ther

Re:

[ThinkingInBinary]

I've read that IPv6, because it includes the MAC...

IPv6 only includes the MAC if it is configured using Stateless Autoconfiguration, and if Privacy Extensions are not turned on. If it is configured using some stateful method, like DHCPv6 or a static IPv6 address, the address could be anything. Likewise, if Privacy Extensions are turned on, then Stateless Autoconfiguration will rotate among random address that don't include the MAC, but are still unlikely to collide with other hosts' addresses.

But what g

Re:Who are the stormbot people?

[Anonymous Coward]

Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators.

Theoretically "yes". But in practice the answer is "no".

The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers. And they can tripwire their nodes so that after 30 minutes of use as a bouncer, the hard disks are overwritten with 0's (although in most cases this isn't required as IP addresses wouldn't be stored anyway).

A chain of 20 hacked computers spanning the globe operating as routers is not easy to trace. You have to talk to each owner in the chain one-by-one and catch the bounced connection in realtime to reveal the IP for the next node in the chain. And the attackers can obfuscate their presence by programming their bots to simulate these proxy connections at random. Imagine having to trace through 100,000 chains, each containing 20-30 routing nodes. These chains are completely dynamic and randomly change every half an hour.

The Storm botnet is almost the "perfect hack" unless the perpetrators make some big mistakes. If the owners of this botnet installed Freenet on all the bots, we'd have an unenforceable darknet which can only be blocked (maybe! - if you're really lucky) at the ISP. Anyone could tap into this new darknet and do as much internet crime as they like without ever having to worry about getting caught.

Re:

[1u3hr]

Theoretically "yes". But in practice the answer is "no". The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers

So work from the other end. How do they make their money? Sending spam, apparently. How does spam make money? Currently, either by getting suckers to send money to them (viagra, Rolexes, etc) or pumping stocks the spammers have bought. In both cases, there must be a money trail, much easier to track than chasing a chain of proxies. T

Re:

[LehiNephi]

There are a couple other ways these people make money:
--Phishing, with the fake sites hosted on compromised machines
--Racketeering - "That's a nice website you got there. It'd be a shame if something....happened to it, capiche?"
--Mercenary - one company/country/individual pays the botnet owner to DDoS or crack an enemy's machine

Now the first of these leaves a money trail of some sort, as long as the phisher does a wire transfer. If it's a credit-card phishing scheme, it's much harder to trace, partic

Re:

[1u3hr]

Now the first of these leaves a money trail of some sort....

Yes, some would be hard, some easy. But these guys probably launch attacks very frequently, Once a week -- once a day? If even a small percentage of attacks/scams/etc could be tracked back to them, and they faced criminal charges they wouldn't be so cocky. Now only a few are caught per year through incredible stupidity or carelessness. They feel invulnerable. Pick some of them off and this would change quickly. Perhaps attacking infrastructure is

Re:

[Eunuchswear]

None, because the people behind storm are probably the same people behind the polonium injection.

Re:

[Afecks]

There you have it folks. Murder, the answer for everything.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Look at the timeline.

[khasim]

But less so than a year ago. sectarian killings are down. Anbar is quieting up. Baghdad is, yes, basically being ethnically cleansed, and right we're really more presiding over a partition of the country than its unification.. but it is what the people of Iraq really want...

The killings are "down" in that each section has pretty much killed everyone they didn't like in that section. Or the people that were being targeted have run away.

But warlordism is not a basis for a stable country. Which is why Iraq's "

Re:

[tjstork]

The killings are "down" in that each section has pretty much killed everyone they didn't like in that section. Or the people that were being targeted have run away.

That's not true, particuarly, in Anbar. What happened in Anbar was that Al Qaeda was very popular because the people saw two things: a) the USA was overwhelmingly pro-shiite at Sunni expense, and that b) Al Qaeda said they were anti-American. However, Al Qaeda tried to establish a very strict brand of Islam, and started doing things like execut

Re:

[MrNaz]

When I read opinions like yours, I am left speechless every time. Even though by now I am used to head-up-the-arse, totally ignorant people on Slashdot, people like you never cease to amaze me. You are truly a leader among fools.

Re:

[Colin Smith]

US contractor trying to build schools for them

You're aware that "US Contractor" is a euphemism for mercenary soldier?

e.g.
http://www.blackwaterusa.com/ [blackwaterusa.com]

 

Re:

[RAMMS+EIN]

``Given time, eventually, the truth will be revealed and they will see which side is really evil and which side is really good, and those people are going to choose to live for themselves, or to be enslaved by the very dictators that you left wing traitors continually support.''

I do hope that given time, the truth will be revealed. However, with lies being spread and believed on both sides, it's sometimes hard to be optimistic.

As for dictators enslaving people, that is something I have never supported and n

Re:

[quanticle]

I would note that millions of people who liked the USA in Vietnam were executed after you left wingers sold them out.

First, it was Nixon (hardly a left-winger) who finally got us out of that shit-hole. Second, that assertion handily ignores the fact that there was no reason for us to be in Vietnam in the first place. South Vietnam was not in a strategic location and it was hardly a paragon of representative democracy.

In the meantime, the USA has liberated Afghanistan from the Taliban, Iraq is on the

Re:

[account_deleted]

Comment removed based on user account deletion

When your users are illiterate ...

[DrSkwid]

it is easier to infiltrate there[sic] communications.

Re:

[DrSkwid]

are you su're ?

Misleading headline

[yuna49]

The Storm worm isn't using Tor.

The spam email in question tells the reader that, if they are running torrents, they should use this Tor thing to cover their tracks. The link points to the trojan. The file in question is about 150K in size, or about 20x smaller than the Windows version of Tor (2-3 MB) on the actual site [eff.org].

I posted a warning about this very email on a well-known anime site since I suspected some people there might download it in response to the e-mail.

There's also a version that poses as a YouTube video.

Most of these emails have URLs that use IP addresses, not domain names. Between my SpamAssassin rules and Mozilla Thunderbird's built-in anti-malware protections, messages like these are either quarantined or tagged as dangerous. I've not seen an legitimate email from any correspondent that uses URLs with IP addresses in the host part.

I opened the YouTube version in a Windows VM that had Kaspersky installed. It identified an attempted replacement of tcpip.sys and told me it should be quarantined. Unfortunately a ClamAV scan of the file did not detect anything suspicious.

The largest problem with Anti-Virus software is...

[Svartalf]

...that it's akin to closing the barn door after all your livestock's gone out it.

In order for pretty much all Anti-Virus software to work, you're skimming for signatures patterns in the bytes
that leave a tell-tale for the software to "identify" it. It's always lagging by a bit, by the reality of the situation, so
it's truly a reactive solution to a problem that needs more of a proactive one.

That's not to say that the software is not useful for detection of attacks (much like an IDS is for networking...)

Re:The largest problem with Anti-Virus software is

[RootWind]

Which is why any AV worth its salt is adding virtual machine heuristics. Some like Kaspersky are even integrating HIPS in their pro-active detection module.

Re:

[yuna49]

Just an update.

Today's version of these scams is a phony NFL Game Tracker.

"Football Season Is Finally here!
We can keep you on top of every single game this season.
Get all your game info daily from our online game tracker:"

Once again the spam sends you to a site using a URL with an IP address in the host part.

I propose a nationwide education campaign

[Bananatree3]

Seriously, the BEST tool against botnets, virii, worms, etc. is Education. If all computer users understood basic key ideas about not downloading crap from emails, running firewall software and keeping their A/V software up-to-date there would be a huge reduction in the number of infections. The sad fact though is that only a select few people understand these basic ideas and arte actually VIGILANT about sticking to them.

My suggestion:

Setup a nationwide network of community educators. Local organizers

Re:

[westyvw]

Education maybe, like get away from windows as soon as possible? Obviously. But your second statement is very worrying: I dont want my ISP to give me any software or cut access, and I dont what them thinking that way at all. They already try and force me to use their crapware. No thanks.

Re:

[Bananatree3]

Moving people away from windows to say Ubuntu works for newbies who have never used the computer before, as they're learning something new. What makes it really difficult for the masses is that most people have already gotten used to Windows, and would give their right arm to keep using Windows. Trying to entice them to use something else is extremely difficult because they love the status quo. At that point its more effective to teach them how to be safe than uproot what they have already learned.

I think

Re:

[Xtravar]

I think these people are learning through experience!

When their ISPs cut them off for spamming, or their personal information is stolen, or any other number of malware things happen... maybe they'll get a clue.

My question is..

[XenophileJKO]

If the command and control and updating is done via peer to peer instead of a centralized server, why has nobody created a "Vaccine" that would spread itself back to all the infected nodes. The code can't be that hard to crack to determine how to insert new functionality into the infected hosts. Just inject a new command to spread this update to all your peers and after you succeed, close down all of the command and control vectors. Cleanup and fixing the holes originally used for infection would clearly be useful too, but unnecessary to contain the damage. Really there are tons of things you could do.

I mean this might create an "arms race" where they continue to lock down access to the botnet, but I would love to see the looks on their faces when large sections of the botnet stop responding to commands.

Seriously as "Brilliant" as these guys are I guarantee there are probably people smarter that can crack their network. I know what I am talking about is probably not legal, but it surely is ethical.

There was such a anti-worm worm...

[Bananatree3]

The Nachi worm [nai.com] was written to search out computers infected with the now-famous Blaster worm and patch the computer with a Microsoft patch. It replicated itself around the world, and once the patch had been implemented and the Blaster worm deleted it deleted itself. Unfortunately it created a heck of a lot of traffic on infected networks [zdnet.com], which slowed them down considerably.

from the above article.

[Bananatree3]

It notes that:

Railway and freight hauler CSX had to stop trains because of the Nachi worm, the Associated Press reported.

Airline Air Canada canceled flights on Tuesday because its network couldn't deal with the amount of traffic generated by the Nachi worm.

Though it cleared out the blaster worm, it created a hell of a lot of damage itself by the mere fact that it clogged networks with traffic.

Re:

[XenophileJKO]

Yes, but you understand the fundamental difference I hope. The Nachi worm was a worm that had to FIND infected hosts. Therefore it had to look using a port scanner which when you have thousands of machines scanning thousands of IP's creates huge amout of traffic.

In this situation, the beauty is that you don't have to create a "worm" in the classical sense. Each infected client maintains a "peer" list so all you do is "fix" it's peers, it would cause a cascade failure of the botnet and use up much much less

antibot p2p worm

[Bananatree3]

As you point out, an antibotnet worm spreading across the 'net would be not be nearly as much traffic as portscanning as the IP addresses are already known. I agree it is possible. The complexities of taking sections of the net offline though without the botnet owners noticing and dynamically patching the rest of the 'net are incredibly difficult though. It would be an incredibly complex game of cat and mouse, but it is possible.

Re:

[sjames]

There is a certain beauty to playing core wars on the live internet.

As for why not, law enforcement and the courts (at least in the U.S.) are notorious for not taking intent into account when it comes to computer related activity. Even if the person was eventually aquitted, it sounds like a great deal of life disruption. In addition, rumor has it that the botnets are under control of the Russian Mafia.

So, the only people who will want to try this are those who are out of reach of the Russian Mafia and th

Re:

[Just Some Guy]

Just inject a new command to spread this update to all your peers and after you succeed, close down all of the command and control vectors.

No. Spread like wildfire, then after a short delay, wipe the drives.

Really.

Excepting the possibility of the worms using some 0-day exploit we don't know about yet, these are caused by people who couldn't be bothered to patch their systems, run AV scanners, use a firewall, or not click every OmGPupp1es.jpg.exe they come across. We've been telling people to do this stuff for years but no one listens because there's no real penalty for not doing so, other than the occasional sluggish computer (which pe

time traveller from 1987 goes 20 years in future,

[circletimessquare]

gets a sneak peek at Slashdot headlines:

"hmmm, what is going on in the far off fantastical future of 2007?"

Bringing Science and Math Into Writing?

"Ah, an age old problem"

Libraries Defend Open Access

"Some sort of Fahrenheit 451 situation? has the government gone fascist? or the russians won the cold war?"

New Legislation Proposed For Nuclear Safety

"Ah! Chernobyl is still fresh in their minds! At least it seems we didn't nuke each other"

Storm Worm Evolves to Use Tor

"SWEET JESUS! DUNE IS REAL!? AND IN CAHOOTS WITH THE SCANDINAVIAN GODS? WHATR SORT OF SCIFI FANTASY FUTURE IS THIS!"

Could it be a bit more misleading?

[Opportunist]

Storm isn't using TOR, it claims its installer to be a TOR proxy. C'mon, malware has been claiming to be something useful for ages, why's this news?

You don't have to download the file to be infected

[sjmurdoch]

Actually, if you're using an unpatched browser, you might not even have to download the file they offer to be infected. The web page includes Javascript exploits for half a dozen security vulnerabilities, which will install the trojan without user interaction. I've posted an analysis [lightbluetouchpaper.org] of the malware code on my blog.

Despite what the article says, Storm isn't using Tor (other than trying to exploit it's reputation) and the download isn't a trojaned version of Tor – it's much too small to be that. What's more, the botnet operators appear to have dropped this strategy. While on Thursday the links in the spam went to a fake Tor download [lightbluetouchpaper.org] page, on Friday they showed a fake YouTube video [lightbluetouchpaper.org], and now they show a fake NFL game tracker [johnhsawyer.com].

This is *not* using the Tor network or software

[shava]

This attack is not using our network or our software, only abusing our reputation. We sent this release to slashdot and others, days ago:

====
The Tor Project, a US non-profit organisation producing Internet
privacy software, is issuing an urgent warning about a spam email
being circulated as a fake promotion for their software.

The real Tor software provides privacy on the Internet to journalists,
bloggers and human rights activists all over the world. The spam email
promotes the virtues of the software, but then directs people to a
series of fake websites that contain malicious code that will attempt
to take over visiting machines, and the downloaded software is fake
and equally dangerous to run.

The real website is hosted at http://tor.eff.org/ [eff.org] and the Tor
software can be downloaded from there. Users are able to check that
they have received the official version by following the instructions
at: http://wiki.noreply.org/noreply/TheOnionRouter/Ver ifyingSignatures [noreply.org]

Shava Nerad, Development Director for the Tor Project said, "I am
disgusted that criminals who want to recruit more machines for their
illegal activities should trade on our reputation for providing
privacy on the Internet. Fortunately we already have systems in place
so that people can verify that they are downloading the official
software. But this is a distraction from our work that we could do
without."
====

This stuff makes us sad. But you won't even get a trojanned client, just a trojan. And the page you click through to will try to exploit holes in your browser security, so don't even click through.

Yrs,
Shava Nerad
Development Director
The Tor Project

It means that Tor is compromised

[Anonymous Coward]

If they add a large number of trojaned Tor clients to the network, it will undermine the privacy of Tor communications and allow things like traffic analysis.

This isn't necessarily a ploy to use Tor, this may be a ploy to compromise Tor.

Any chance that storm might be the work of a government?

Note to world: computer programs don't evolve

[gatkinso]

Human beings modify them, fix bugs, and upgrade them. Be it a computer virus, spreadsheet, or operating system.

Sometimes they intentionally break them.

But they don't spontaneously "evolve", "mutate", or any other such thing.

Christ.

Re:

[Frozen Void]

A program can be coded to rewrite its own code using random parameters with obfuscated junk code in between real content(often encrypted).
read http://en.wikipedia.org/wiki/Polymorphic_code [wikipedia.org]

Is Windows to blame for this situation?

[master_p]

Apart from user stupidity, is Windows to blame for this situation? if Windows had a better security model, would there be such problems?

Can a massive lawsuit against Microsoft work?

Storm trojan depends on users, however...

[Bananatree3]

In this particular case its social engineering of ignorant users that is the biggest culprit. Saying that however, Windows in my opinion should have much better safeguards against the trojan once downloaded. At that point is like trying to control a bull in a china shop with the way Windows is built.

I don't think such a lawsuit against Microsoft would work, granted the legions of lawyers at their dispoal. Also the fact that the user is infact at fault, though unknowingly for letting it in.

A zero-day worm

Re:

[ScrewMaster]

You'd think they would have picked something more appealing to the masses.

Probably they have. Odds are they're sending out a ton of different emails recommending various downloads. My server extracts all incoming attachments and puts them in a shared folder (my client machines never see attachments, just a note saying that there was one) but I see all kinds of executables coming in, with all kinds of rationales to convince people that clicking the link is a good idea. Tor is just one of them. Unfortunate

several ways

[Bananatree3]

There are several ways [findarticles.com] spammers get emails. They can do massive internet searches for emails and harvest them that way (if you post on USENET with your email addy its almost gueranteed to be spammed). They also guess a username and if it doesn't bounce back they know they've got a hit.

Re:

[Inda]

They got mine from an Uncle's friend who was infected with a nasty email harvester... The thing that annoys my most is that I have warned him ten times about sending emails like this. BCC uncle FFS!!!

To: Inda, some.friend@aol.com, another.friend@aol.com, one.more@aol.com...

Hi everyone,

My new email address is uncle@aol.com

regards,

Uncle

Re:

[yuna49]

I run a store-and-forward listener on port 25 for our email services. I have a vast array of rules that block mail from known spamsites and certain types of dynamic IPs. When a message is blocked, I send back a 503 error that includes an email address real people can use to report an incorrect decision. This address has never appeared in any public location like a website where it might have been harvested by spammers through the usual methods.

Nevertheless within about a week after instituting these poli

Re:

[MLease]

I'm not so sure about that. The general public has been hearing all kinds of things about identity theft, spyware, etc. (even though these are different issues). This might cause them to leap to the conclusion that anonymizing their Internet activities might protect them, and think "Oh, look; I've heard of Tor, and here's an installer!" Spam works on enough people to make it worthwhile to the spammers; that's why it keeps coming.

-Mike

"Evolve" is an apt description

[jamrock]

I love how they use words like 'evolve' to describe the actions of programs and viruses, it makes the internet seem like a primal battleground.

It's the perfect description of how the attacks are responding to changes in their operating environment, and developing gradually into more complex forms. And you're more correct than you give yourself credit for: the Internet is in fact a primal battleground, between criminals intent on exploiting weaknesses wherever they can find them, and security professionals

*sigh*

[jamrock]

Here I go, breaking a personal cardinal rule by replying to an AC....

Way to drum up it up even more. Quit spreading this movie drama crap. Leviathans of the deep? It's a fucking computer network. Do you know what the fuck you're talking about?

I'm sure that the people of the Republic of Estonia would wholeheartedly agree with you that it's just "a fucking computer network". That is, until their entire electronic infrastructure locked up tight for two whole weeks and as far as the rest of the world was conc

Re:

[fractoid]

Am I the only one that's annoyed by the Crusade Too Stop Bad Speelers and Jihad Too Correct There Misused Words?

Of course you are! Everyone else obviously supports the Institute For Kids Who Can't Read Good and Want To Learn To Do Other Stuff Good Too.