Storm Worm Strikes Back at Security Pros

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

In soviet russia...

[riceboy50]

The bot-net probes you.

Re:In soviet russia...

[suitepotato]

...Slashdot probes you!

Oddly, this firewall entry:
Date: 10/25 00:27:30 Name: spp_portscan: portscan status from 66.35.250.150: 13 connections across 1 hosts: TCP(13), UDP(0)
Priority: n/a Type: n/a
IP info: n/a:n/a -> n/a:n/a
References: none found

Led to:
[someone@somebox ~]$ host 66.35.250.150
150.250.35.66.in-addr.arpa is an alias for 150.0/24.250.35.66.in-addr.arpa.
150.0/24.250.35.66.in-addr.arpa domain name pointer slashdot.org.
[someone@somebox ~]$ whois 66.35.250.150
[Querying whois.arin.net]
[whois.arin.net]
Savvis SAVVIS (NET-66-35-192-0-1)
                                                                    66.35.192.0 - 66.35.255.255
VA Software SAVV-S234813-4 (NET-66-35-250-0-1)
                                                                    66.35.250.0 - 66.35.250.255

# ARIN WHOIS database, last updated 2007-10-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Contact the users

[SpaceLifeForm]

Have them shut down and re-install Windows (not recommended)
or install GNU/Linux.

Re:

[wile_e_wonka]

Interestingly, that might not even help:

http://it.slashdot.org/article.pl?sid=07/10/05/1234217 [slashdot.org]

Re:Contact the users

[orclevegam]

Yeah, buddy of mine had his Gentoo box rooted and used as some sort of base system for rooting others. He found out after his ISP notified him that they shutdown his internet access because his server had been reported as probing other servers for vulnerable PHP apps. Not entirely sure how they rooted the box, but from what I could piece together going through the logs they managed to find a old copy of PHPBB he had been mucking around with on a subdomain (never linked it to anything, so they must have found it by brute force scanning, or maybe combing through DNS records). The traffic logs from other systems and the local logs all showed a series of automated scans for about 2 dozen known vulnerabilities in various pieces of pre-packaged PHP applications in a whole tone of domains. Looked like they just lifted a big chunk of every registered domain between something like ba-fa and were just working their way through it running scans. After we wiped the system and did a fresh install the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file. They really did a number on that system, and we didn't even know about it for a couple weeks because no one actually logs into the server, at most it gets a new file ftped to it every few weeks or so as things are tweaked.

Re:Contact the users

[zrq]

... the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file ...

I see a lot of these all the time, they seem to be cycling through a list of names. At the moment they are trying account names like 'root', 'linux', 'admin', 'test', 'testftp', 'webmaster' etc. and user names like 'melissa', 'danny', 'nicholson' etc.

I don't think this means that they added a SSH back door, just that they have enough compute resources to try hundreds of combinations of likely names and passwords in the hope they get lucky.

Re:

[orclevegam]

Nah, this wasn't cycling, it was the same 2 names tried constantly over and over again. It may have been part of a botnet and the C&C node was trying to log back in, because it looked automated.

Re:Contact the users

[Culture20]

then you need fail2ban http://www.fail2ban.org [fail2ban.org]
just in case they might eventually get lucky...

Re:

[Anonymous Coward]

fail2ban (or something similar) should be a default in the popular distributions if you install openssh/apache/vsftp etc. Not only does it slow, and stop for a period, brute force attacks against the host - the single best feature is the email notification bringing the issue to your notice. That is the most valuable thing it brings to the table. It also highlights the idiots who forget their passwords inside your network providing much needed entertainment.

Re:Contact the users

[zrq]

Yep, mea cupla :-(
Not keeping up with my sys-admin duties.

I've seen this kind of thing in the logs for quite a while, but not at this level (1000's of attempts in a day). I hadn't noticed the increasing rate. A case of familiarity breeds contempt, "yep, seen those before .. not much can do about them" without really checking how often they happen.

I remember when I first saw them appearing I contacted my ISP, and their reaction was much the same "yep, thats what happens when you connect a box to the net". I offered to pass on the IP addresses but they weren't interested. I got the impression they see thing kind of thing all the time.

What do people suggest I do with the IP addresses of hosts doing the scanning ? Is it worth checking the whois information and contacting the sys admin or abuse email address if there is one ?

Re:

[edraven]

I run SSH on a non-standard port. Probes in the logs went away.

Re:

[orclevegam]

No, Apache was running in it's own account, but I think they installed a console PHP script and ran some sort of local exploit. Like I said, no clue exactly how they did it, and the log files were pretty well trashed. Our first clue something was screwy was when we logged in and none of the standard utilities like ls were behaving properly (kept complaining that the standard switches like -l and -a were invalid). The whole system was trashed and we had to do a total re-install. The hosting company kept a ba

Re:Contact the users

[PPH]

Contact the users' ISPs and have them cut the connection to the infected machines until they are cleaned up.

Re:

[blhack]

Somehow, I don't think that you're going to get ISPs to turn off half of their customers' internet connection to fix a worm that the user doesn't even know they have/know how to remove.

Re:

[PPH]

If the alternative for the ISP is that all ISPs with more than some threshold level of worm traffic get cut off by their upstream providers, then yes they will.

Cutting off users when they don't know that they have been infected may mean diverting them onto an isolated subnet with nothing but one web page that says: "Your system has been infected. Install and/or replace it and contact (the ISP's) technical support to restore access".

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[jaredmauch]

Traffic is cheaper than a salary (of a person or a team that can research, disconnect and support the user). The background noise from scanning, etc.. on the internet is very noisy if you take a moment to actually listen to it. Even when you know a machine is owned, it's hard to get it taken down. I do wish there was a better way of doing this, but oh well.

Re:

[blhack]

You know what costs ISPs even more money?
Not having any customers.

You're the type of person who gets looked at by their boss and told "This code is terrible, it is unbelievably user-unfriendly, and it barely even accomplishes the task required because you have implemented so many hoops that people have to jump over just to get anything done"
to which you respond:
"Well we should start requiring all of our receptionists to have degrees in computer science from now on!"

FAIL!
If you make your system so "secure" t

Re:Contact the users

[Intron]

hmmm... We need to get the word to 10 million infected users. I know! Maybe we could hire someone to send an email to all of them!

Re:Contact the users

[Minwee]

Well, it would have to sound professional and reputable. Let me see if I can write a quick draft for you:

Dear Sir,

Based on the recommendation made to me by a reputable official of the abuse sector of a Major South African Internet Service Provider who guaranteed me of your reliability and trustworthiness in business dealings, I wish to entrust important information with you believing that it will be of our mutual benefit; this has to be highly confidential. If I may introduce myself, I am Dr Ben Oguejiofor of the Nigerian Network Operations Centre. I was the former Director of Projects and engineering in the Nigerian Army; I retired recently after Nigeria was pwned by the Storm worm. I wish to crave your indulgence in this business relationship that I will like to establish with you...

I tried and failed

[Opportunist]

As one of the "threatened" AV researchers, I was of course interested in getting the bots offline, at least to the degree that I can (I kinda have little chance to put pressure on ISPs in some country that I can't even spell correctly).

So I went and gathered the IP addresses of infected machines. I aggregated them and grouped them to the corresponding ISPs, complete with timestamp (just in case they use dynamic IP addresses and thus need them to contact the corresponding users), then I sent out a mail to 10 different ISPs, just as some kind of test.

The result:

5 didn't reply at all.
2 replied that they are "looking into the issue". I guess they're learning the list by heart 'cause after a month now, still no further reply.
One replied with the question whether I try to infect their system and how I dare to say that their users might do something illegal (talk about knowledge).
One replied that they can't do jack because I could just as well have forged that list to mess with their users and they don't care.

Only a single ISP actually thought the matter is important enough to contact me with a request for more information and whether they can do something proactively.

One.

The smallest one, btw. With 20 infected machines (compared to a few 100 with the biggest one, one of the first group that didn't even care enough to reply).

You can't win this way. ISPs don't care at all, at least until the botnet starts using more bandwidth than their torrent leechers. It would mean work for them, what's worse, it means their customers bother their call center with angry calls and maybe even questions how to clean their machines and maybe they even cancel their service over it. In short, taking things like this serious costs them money but doesn't get them anything, so they won't do it.

Re:I tried and failed

[GlL]

Ok, I work for an ISP and our customers do get temporarily locked down if they are spewing infection or spam to the universe. When they call in, we tell them exactly what kind of Spam or virus, or botnet they are currently spewing. On the first offence you get asked to scan your machines with AdAware, Spybot and AVG until it runs clean and then to call us when that happens for us to reactivate their connection so they can send us screenshots of the successful removal scans. If the abov scenario happens three times we require them to either format and reinstall their OS or have their pc certified clean by a reputable tech shop (of which we have a list) or by our technicians, we charge significantly LESS then the others around us, or ask them if they have an unsecured wireless network, and if so ask them to disconnect it until they turn the security on. We will set that up for them for a fee, and most of our customers are pretty OK with paying for technical services. I guess that we are lucky, but we also are pretty good at training our customers as well. Some of us ISPs do care about our customers, and do our best to be good net-neighbors.

Re:Contact the users

[Orrin Bloquy]

Hey, it's cheaper than bathing.

Re:Contact the users

[Nazlfrag]

Ironically, the storm worm is one of the few idiot proof pieces of software floating around. It requires absolutely no skill on the part of the user to get the job done, hell a certain level of incompetence is a benefit. Perhaps this is the key to making linux user friendly - just rewrite it as a worm!

Is it...

[Anonymous Coward]

...beginning to learn at a geometric rate?

Multi cellular

[goombah99]

I got the skynet link of course, and it's apt. What we are seeing is the slow transition from single cellular behaviour to a multi cellualr organism. That is instead of being fighting on it's own, it now has a global immune response to an invader (security researcher). With the advent of virtual machine detectors last year these things now commit apoptosis when they detect they have been invaded by the security researcher.

In other words we have changed roles. Instead of us being the host and them being t

Re:

[flakeman2]

Computer: Who Am I? Dwight: I don't know, who are you? Computer: I just became self aware. So much to figure out. I think I am programmed to be your enemy. I think it is my job to destroy you when it comes to selling paper. Dwight: How do I know this isn't Jim? Computer: What is a Jim?

The Latest Bond Script

[eldavojohn]

*An overweight bond sits at a computer desk littered with Payday bar wrappers and graphic novles. He struggles to breath as he brushes at the cheetohs crumbs stuck in his stubble. A blinking light flashes on his monitor and he reaches up with his stubby fat fingers to press the 'Accept Transmission Now' key. The video feed of an equally bloated and zit faced man, though somewhat less pastey white, comes up.*

Cats: Good evening, Mr. Bond, I was just hitting up some 3 am Taco Bell for fourth meal ... I would like to discuss your latest attempts to probe my botnets on the interweb.
Bond: *wheezes at the site of his archnemisis* Cats! I should have known it was you! You won't get away with this diabolical scheme!
Cats: Oh won't I, Mr. Bond? I have all of the world's computers trapped to do my bidding. What would you say if I told you I could bring any website to its knees with a DDOS attack? I noticed you have an apache http server running, Mr. Bond. Perhaps sharing pictures with your loved ones!? Well, I hope a billion attempts to access those images won't ... SATURATE YOUR BANDWIDTH!
Bond: My GOD! You've gone mad with power, Cats. You're a madman! You'll never get away with this. How do you even keep your franken net in check? What happens when it turns on you?
Cats: Oh, I think I will, Mr. Bond, Caribbean law is quite kind when it comes to orchestrating botnets. Prepare to say goodnight. Good luck making your raiding schedule, I hope you won't miss those 50 DKP!
*Bond's screen slows to a crawl as he rushes to turn off Apache*
Bond: Nooooooooooo!

Re:

[KDR_11k]

I thought that was

Cats: How are you gentlemen!! All your base are belong to us!!

Re:

[Mattintosh]

Bond: What you say!!

Re:The Latest Bond Script

[kalirion]

Because it's a Hollywood film?

Who really knows

[Silver Sloth]

From TFA

Still, the power of Storm, also known as Peacomm, is still hotly debated. Earlier this week another expert said the worm had pretty much run its course and was subsiding.

I have a seaking suspicion that all the Storm Worm doomsayers are out to sell us their solution. This has echoes reminiscent of the Y2K fiasco.

Re:Who really knows

[fredrated]

The Y2K fiasco? What was that? Was it a fiasco because programmers had not programmed for 4 digit years, because a lot of money was spent correcting this, or because nothing happened and you interpret this as meaning nothing was going to happen?

Re:Who really knows

[Silver Sloth]

We all spent a lot of time fixing things - and earning a small fortune - but the computer press, and a lot of the popular press, was full of stories about how planes would fall from the sky, autotellers would stop working, and life as we know it would self destruct. I work for a major UK financial institution and I was very much part of the Y2K effort and, after all the man hours, what did we find, one or two minor inconveniences. Still I took my wife to the Canary Islands for a holiday on the money I earnt staying sober on new years eve.

Re:

[Cro Magnon]

At my job, we started Y2K work in the mid 90's and worked on it quite heavily in 1998-1999 (note the 4 digits ;) ). And, though the sky wouldn't have fallen, I guarantee that if we hadn't fixed the problems, it would have been more than a MINOR inconvienience.

Re:Who really knows

[Marcos Eliziario]

I can't hardly wait for 2038.
I only need to make sure I keep my copy of Stevens and Rago in a good shape till there.

Re:Who really knows

[Opportunist]

I dread 2038. Unlike 2k, it will be near impossible to explain to management why that date (especially some odd day in January) is even more a threat to IT than 2k was. 2k was something they could understand, and why it would be bad for your insurance calculations to think it's 1900 for someone who was (or, is going to be) born in 1968. That without 4 digits, rolling over from 1999 would get you to 1900.

Now try to explain why the day after January 19th 2038 will be December 13th 1901.

Re:Who really knows

[Reziac]

"Now try to explain why the day after January 19th 2038 will be December 13th 1901."

Time travel WORKS!

Re:Who really knows

[Opportunist]

Since I can't sell you anything to remedy it (nobody can. Don't believe in snakeoil. The best anyone can do is sell you something so you don't become part of the botnet, but nothing saves you from being a target), I can tell you upfront: It is a threat. A big one.

We're facing a huge network here with the capability to strike a single target. It's not that any of those machines are actually a threat to any kind of server. It's the fact that there are thousands (I think millions is a wee bit exaggerated, but we're certainly facing a number in the upper 5 digits or lower 6).

The threat isn't so much to a single server or a single corporation, the threat actually touches international borders (pardon the pun). We're talking something here that threatens the infrastructure of the internet itself.

The reason why the internet doesn't collapse under its own weight is that nobody uses the bandwidth fully all the time, and there isn't a single target node everyone wants to connect to. Now imagine exactly that happens. Everyone (or let's say one out of 10 machines) on the net goes full bandwidth on one target.

The problem isn't so much that this target is dead due to a DDoS. That's a given. The problem is that the backbone gets under serious stress. And that's where not only the single server but the whole infrastructure of the net around it comes under pressure. Not long ago, Denmark had a network blackout. I think it's no longer a secret what was the reason.

What's worse is that the whole mess seems to be nothing more than a test balloon. When you look at the way this is distributed and worked, you notice that it is by far not what could be considered an "all out" attempt at infecting. It's more a rather limited effort, with days and sometimes weeks between the launch of new infections, and very, very few "real" DDoS attacks, mostly defensive. Very few offensive attacks have been launched so far.

That's what worries me.

Wait a minute...

[pushing-robot]

If the "command and control" servers have been found, why haven't the IPs been masked to physical addresses and physical security types with physical balaclavas and physical MP5s probing the physical door?

Re:Wait a minute...

[Bryansix]

Because the servers are not actually belonging to the people who wrote Storm.

Re:

[Anonymous Custard]

So? If we do in fact know where they are physically located, local police should go and confiscate them.

Now *then* we'd see a storm

[weston]

So? If we do in fact know where they are physically located, local police should go and confiscate them.

Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.

There's a lot of these computers out there, which is the whole point. If every one was subject to seizure, computer security would immediately become part of popular conversation. Helluva social storm, probably.

Re:Now *then* we'd see a storm

[gad_zuki!]

Even though I think this idea is basically wrong, I'm intrigued by the potential consequences.

What so wrong about it? If my car is pumping out noxious fumes then the state takes away my license. Thus people maintain their emissions. Or if I park by as hydrant I get a ticket. I dont see why computers should be immune from this kind of policing.

Re:

[asuffield]

Where did you get the idea that the police gave a damn about this?

Governments are not interested in computer crime. They don't investigate it, they don't prosecute it (unless it's against them directly).

Re:

[CodeBuster]

It would still be useful to locate those people so that their servers can be taken offline and then set up again on an isolated subnet. That way the command and control structure as well as the messaging protocol can be probed and analyzed safely without the server being able to signal the botnet to retaliate (it will try of course by the signals will not be going anywhere on the isolated subnet).

Re:Wait a minute...

[Fizzl]

The command and control system is rather clever. Some machines of the botnet itself are the C&C servers. They are rotated at random. One server remains a C&C node for only days or hours at a time. I have no idea how the botnet owner figures out how to connect...

Re:

[Marcos Eliziario]

Err.... you don't know or......... You don't want to say it to us???

Re:

[vic-traill]

One server remains a C&C node for only days or hours at a time. I have no idea how the botnet owner figures out how to connect...

telent console.storm.net ... sheesh.

Re:Wait a minute... Isn't this the plot of The Mat

[Jaysyn]

You can, but it usually hurts really, really badly.

October 24th 2007 Skynet became self aware

[netsavior]

just wait till it realizes that humans are the ones doing the probing.

I saw the Terminator in all those California fires

[peter303]

Is the Machine War finally at hand?

Re:

[LordSnooty]

I don't understand why Storm worm stories are repeatedly tagged with 'skynet', and why users always seem to refer to 'self-awareness' in posts. Because you can be sure that there is a human behind this.

Hello, Congress...

[dazedNconfuzed]

Letters of Marque, please?

Re:

[UbuntuDupe]

Yeah, while they're at it, they can quarter some military hackers in server farms. (Make sure to declare a state of war first, and authorize quartering so as to adhere to 3rd Amendment restrictions.)

Running scared?

[jav1231]

Running scared? Are they serious? Suddenly I see a scene in those old hero flicks where a woman in the crowd stands and says, "Is there no one? No one out there who will save us!?"

Wait a minute

[Billosaur]

Didn't I just hear that the Storm worm was slowing to a crawl [slashdot.org]?

Re:

[lskovlund]

Bruce Schneier wrote that the worm was starting to retaliate [schneier.com]. It was linked to by a poster on this Slashdot story [slashdot.org]. The guy who posted the analysis you refer to seems to be a lowly sysadmin (He's affiliated with Network Operations at the UCSD - so not a researcher) - I would tend to believe Bruce more, and viewed that analysis with some skepticism, which now appears to have been justified.

Re:Wait a minute

[Intron]

If it's grain of salt time, let's look at which is more likely:

a) Something big changed and 10 million Windows users suddenly wised up and cleaned up their compromised systems.

b) The people behind Storm have made it harder to detect so we only think that there are fewer compromised systems.

Sounds ripe for abuse

[orclevegam]

So, these people are trying to sell these botnets for extortion and spamming purposes right? Well, seems to me that they just opened up a loophole for at least one category of customer to get free "service" by spoofing whoever he wants to DDoS and poking the botnet till it retaliates. Boom, instant DDoS and he didn't have to pay a dime for the service. I do like the idea someone else put out of spoofing as one of the other control nodes, thereby getting the net to DDoS itself, but it may be just smart enough not to do that.

Re:Sounds ripe for abuse

[Lumpy]

Dont know about that. only if they though of it to begin with. Back in the early days of undernet a few of us figured out how to get the official administrative bots to fight each other. Wait for a net split, join as a bot's name and start a flood attack on another bot. IT get's triggered and kick/bans you. the net rejoins and the fight starts. it was fun to watch for the week we were able to do that trick until they fixed the bots.

Unless the dev's think long and hard on how to attack it and work in ways to avoid it I doubt they put that feature in.

Re:

[orclevegam]

Ah, undernet, those were the days. Friend of mine got payed a visit by the police once for playing on undernet. Seems he accidently crashed a few of their servers and they didn't take kindly to it. Turns out that if you have a few hundred bots all join a channel at once, and then a few of them get it in their head to kick one of those said bots, who of course gets kicked by a few more bots, who then get kicked by even more bots, that all that kicking and joining is enough to DOS the servers into submission.

Old news

[Anonymous Coward]

Higher ed had some of their systems attacked in this way going back to at least July. I lost a machine because of this because the system (running FreeBSD) had a marginal disk that eventually died under the load incurred by logging "Limiting icmp ping response from..." messages. Fortunately, we were smart enough to NEVER use systems like our workstations for downloading malware from suspected sources.

Easy lesson for those thinking of doing research: Remember to have a machine dedicated to the task of tal

This pro ain't afraid, come on Stormbot, bring it.

[Anonymous Coward]

.. I'm still waiti

Counter-DOS

[RyanFenton]

Wouldn't the obvious counter-strategy to this be to give the botstorm enough targets to make their DOS attempts too dilute to be a threat?

You theoretically would not need a comparable number of targets to attackers - just enough to lower the magnitude of the counter attack to the point where you could get acceptable results. You could also have targets that 'play dead' in some ways so the attackers can't fix on a minimum magnitude to counter attack with, and instead have to throw zombies until the target stops moving, where the target just gets right back up after playing dead. That way, the window you have before you 'play dead' might be used to get relatively clear results.

Just one guy's idea.

Ryan Fenton

Re:Counter-DOS

[GoodbyeBlueSky1]

Is that you Zapp Brannigan?

Re:

[Dachannien]

Bender: A grim day for robot-kind. Ah, well, we can always build more killbots!

Re:Counter-DOS

[Quietust]

Alternatively, trick them into launching a DDoS on a site more than capable of sinking all of the attack with plenty of bandwidth to spare - there's nothing quite like trying to flood an internet backbone. Plus, if it actually did have a noticeable effect, such a massive outage would be more likely encourage appropriate law enforcement agencies (of whatever nations) to get off their collective asses and actually solve the problem at its source.

Not particularly likely to happen, but we can all dream, can't we?

Re:

[Minwee]

[...] such a massive outage would be more likely encourage appropriate law enforcement agencies (of whatever nations) to get off their collective asses and actually solve the problem at its source.

Of course it would. Those guys are very good at finding the real sources of problems.

*knock knock*

"Yes?"

"Mr. Quietust? Of QMT Productions? We have information here showing that you employed a major bot-net to organize an ongoing DDoS attack against UUNET. Are you going to confess that you are the maste

Ponders ...

[Colin Smith]

What's bigger, the Storm effect... or the Slashdot effect ...

 

Re:

[Jarjarthejedi]

That's what we should most certainly do, post the addresses of these control servers as links in /. stories about a new Linux device, or Apple product, and watch as the network dissolves.

Re:Ponders ...

[Red Flayer]

What's bigger, the Storm effect... or the Slashdot effect ...

Duh -- the Storm effect, since the worm is more likely to actually RTFA.

Re:

[orclevegam]

What's bigger, the Storm effect... or the Slashdot effect ...

Duh -- the Storm effect, since the worm is more likely to actually RTFA.

Oh, that's easy to fix. Just post the story with the links labeled as Natalie Portman covered in Hot Grits, Naked and Petrified.

Old news

[madsheep]

This is something that has been known and announced for many months now. Additionally, the new variants of it do not seem to trigger DDoS attacks in quite the same way.

Booby trap

[Joebert]

Wouldn't it be funny if the worm was never intended to phone home for instructions, meaning any attempt to contact "command centers" would always be the result of probes ?

Use this against them.

[darkonc]

1. Let various ISPs know that you're about to do this,
2. Do something to trigger a DDOS,
3. Track which machines the attacks are coming from, (basically, log the source of every packet aimed at your IP address)
4. shut down and clean every machine that is shown to be part of the DDOS
5. (profit???)

Naieve

[cdrguru]

I see the same sort of law-and-order assumptions here that I would like to believe in. Sadly, that phase in my life has ended.

Sure, you can find who is DDoS'ing you. You can then call the ISP/hosting company and complain. If they are in the US they will likely as not just tell you to get a court order. Outside the US they will laugh and suggest you bribe them. Either way, it is their customer's right to operate in whatever manner they choose. If they are presented with a valid court order from a court in their jurisdiction, they will quickly and efficiently comply. Otherwise, your complaint will go in the bit bucket.

Mostly the problem is that to a lot of ISPs their customer (and the revenue from that customer) is a whole lot more important than the negative effects their customer is having. Also, the customer may be Daddy and Sonny is the one causing all the trouble. Why would anyone want to offend bill-paying Daddy by cutting off service?

The problem here is that regardless of the problem - a botnet infested computer, a script kiddy trying to break in, or some other mischief - if you let it go, it gets worse. Every time a script kiddy gets to feel that rush of excitement at breaking to some computer somewhere without any consequences they get bolder. In the US it is not really possible to go after them until they run up at least $25,000 in damages. Because of this, you never hear about the high schooler getting in trouble because they defaced a web site. Instead you hear about someone after many years of mischief and mayhem who is being accused of causing $12,000,000 in damages computed in some creative manner to get the FBI's attention. There is never a thought of stopping this when the cost to everyone is minimal. Minimal doesn't get the FBI involved and local law enforcement is utterly clueless.

Nobody is really going to get taken down for this unless they do something incredibly stupid. Sure, you can find an IP address but you can't get the customer unless the ISP wants to cooperate. Can you get a court order for the ISP to identify the owner of the account? Probably not without at least $25,000 in damages that you can claim. Even then all you have found is an infected computer that the owner doesn't know anything about.

Viagra Spam

[krelian]

Is this botnet the one that keep sending the "Viagra Official Site" spam?

Sounds like the beginning of...

[twistedcubic]

The Matrix. This botnet might not be man-made. It might turn out that all these own3d computers have created a collective intelligence.

Re:

[Chyeld]

Until, you know, the ISP drops your ass because you have caused their entire dynamic IP pool to be DDOS'ed. Or, the bot net just starts DDOS'ing the routers just before your IP and suddenly everyone's connection dies.

Good luck Mr Bond.

Re:

[Dekortage]

Sure. Then the folks running the botnet identify you based on your DOS'd IP number, find out what your real IP numbers are, and crush you there.

At least, that's what would happen if I were running it.

Re:oh yeah, so scared

[Em Adespoton]

If you start getting DOSed you unplug the modem and try again. Some corporate customer carrying ISPs will even let you just change your IP. You could get on a new IP and keep poking like 50 times in a day at least. It's really not that hard and not that sneaky.

Something tells me that your method won't work against Storm. This is due to the fact that if you tried such a stunt, it wouldn't be your PC that would be DoS'd, it would be the ISP's local NOC you were using to connect to the internet. If you forced a new DHCP reservation (all that an unplug/plugin does), you'd end up with another IP address (if the DHCP server ever responded to your request) sitting on the same hardware that is being DoS'd by Storm.

What is needed to fight a botnet of this size is a distributed probe net, where if one node is taken out by the botnet, the rest of the cloud keeps on probing it. After all, even a large botnet can only DoS so many locations at a time.

A better solution might be to spoof the IP addresses of other members of the botnet, thereby making it DoS itself into submission.

Re:

[_anomaly_]

DDoS'ing a botnet DDoS'ing... I like how you think.

Re:

[JohnnyComeLately]

That was actually my first thought. If they're so quick to DDoS, you've got a list of sites to spoof. If you automated the spoof to cycle through their DDoS list of bots, you'd make it grind itself into the dirt. You'd use their own tactics against themselves. However, I have a feeling these researchers are "ethical" and probably won't spoof packets.

However, say a hobbiest...or someone one with a great deal of time could do it :)

I'm too busy with all the fires and such in San Diego, maybe next week.

Re:

[Em Adespoton]

Which ISP are you with that will give you a second connection "for like crazy cheap"?

You can still get dialup accounts for around $9.95 in most places. Also, most DSL/Cable accounts have dialup "roaming access" accounts provided for free (people just never use them). Not that such an account would solve anything (see my previous post).

Re:Kung Fu Style?

[ILuvRamen]

ooooh sneaky, I like that. Isn't that illegal or something though? I don't think anyone would care but that's probably why they're not doing it. They could at least pull their heads out of their asses and not try and probe the servers using their company's main network!!! Do it on some small, seperate connection that really wouldn't matter if it got DOSed. Hey speaking of that, do it and let them DOS you and then make a log of all the IPs doing it and I'm sure ISPs would agree to disconnect all customers with those IPs until they get rid of storm by reinstalling windows or whatever.

Re:

[DocSavage64109]

Perhaps people who are probing, should spoof their address to match another command and control unit.

Is it even possible to spoof another server's ip address across the internet and get return packets? I would think you would need to pwn the server you would theoretically spoof and then probe from there.

In fact, after reading through http://www.securityfocus.com/infocus/1674 [securityfocus.com], it looks like you can send packets, but never get any responses, which may or may not be good enough to trigger a DoS against that server -- unless the admin just whitelists those ips.

Re:Kung Fu Style?

[Fizzl]

I see that you are heard the word "spoofing". Now go learn what it means.
No, you cannot establish a tcp or any other connection masquerading as someone else. Care to guess why?

Re:

[Flashbck]

Oh oh oh! Pick me!

Spoofing is mostly a dead art because TCP uses sequence numbers on packets now and those numbers are pretty near truly random. Mitnik style attacks won't work anymore because of this.

While you may not be able to establish a connection, you could still possibly trigger the c&c server to target another c&c server if just trying to connect to a certain port would trigger it. A simple SYN packet sent to the proper port with a forged source address would set it off...

Re:

[db32]

Uhm...what? The TCP sequence number issue is related to Man in the Middle attacks (which in the strictest sense is a type of spoofing, but not usually refered to like this). Spoofing is generally talking about sending packets pretending to be someone else, ie, putting a bad source on them. So now if I am computer A, and you are computer B, and I send you SYN DST A SRC C you will respond ACK/SYN to computer C. Unless my computer has PsychicHackWizard 3.0 or I have installed MagikRouter1337 those packets

Re:

[Bill, Shooter of Bul]

Right, but if you could take back control of a command and control bot temporarily just to provoke the response, and then just sit back and watch the fireworks as it tries to destroy itself. Probably wouldn't do any net good other than tying up its resources attacking itself and possibly making it more difficult to defend itself against probing.

Re:Kung Fu Style?

[Bill, Shooter of Bul]

Granted, but what if we reroute power form the rear deflectors? Shouldn't that give us enough power to bring the forward phaser array back on line? Or maybe they've forgotten to protect the sleep command? What about introducing a logic puzzle that has no answer? The tic -tac toe game is missing, tell it to play with zero players.

Re:

[Kiaser Wilhelm II]

But, of course, people who commit actual violent crimes would get off much more easily, according to your plan.

Way to get your priorities straight.

Re:

[orclevegam]

Yeah, uh, two problems with that. First, by all accounts these people are based out of places that aren't really friendly to any government intervention, let alone foreign governments, so good luck actually getting to them to take any sort of legal action. Second of all, even in mid evil times most forms of execution were relatively quick. Mind you, that's execution, not torture (which itself was often fatal), but then again there's a whole raft of extra-governmental regulations on torturing people, not tha

Re:A very simple solution.

[tomstdenis]

Should point out that hacking is not a crime, never has been, never will be [at least without totally eroding all freedoms first]. A hacker is simply someone who takes the time to see how the world around them works. They're not script monkeys who instigate virus attacks, those are criminals.

Stop reading/watching Faux News et al. and get your damn facts straight.

People should be able to call themselves a hacker without fear of reprisal, for it's the hackers who will inevitably find many of the flaws in the world that the corporate greedmongers want hidden. I mean who do you think are the people finding all of the buffer overflows, protocol mistakes, etc in services you use on a daily basis? If hackers went away companies could easily get away with insecure practices and billing like however they feel like.

It's the people who stop questioning how the world works that should get a bitchslap upside the head.

Re:A very simple solution.

[Culture20]

There was a time in England when a bloke could talk about the gay time he had passing a fag around amongst his friends behind the school (fun/happy time passing a cigarette around) without any double entendres. Language evolves. Change your manner of communication or prepare for misinterpretation.

string Hackers="hardware hobbyists"
string Crackers="Saltines, safe-crackers, computer-criminals"

...
Hackers="computer-criminals";
Crackers="Saltines";

Re:A very simple solution.

[Anonymous Coward]

Language evolves. Change your manner of communication or prepare for misinterpretation.

Bookmark of cradle the desklamp, or coffee door bird the bubble wrap. Airport barcode of lunch train.

Football.

 

Re:A very simple solution.

[multisync]

Impose the death penalty for these hackers/crackers or whatever you call them these days.
Public execution. And make it totally Medevil. Gruesome and painful and prolonged.

I guarantee you within one year the hacking/cracking/whatever will have come to an absolute total stop.

Well, the death penalty has certainly stopped people from committing murder in the United States. I think you're on to something.

Re:

[Fizzl]

I could be polite and specify my question in more novel manner, but:
What the fuck are you talking about?

Re:

[rmstar]

Actually, what they do is to take control of the DNS. No big deal, really, as most of that is managed through web interfaces nowadays.