
Storm Dismantled at USENIX LEET Workshop

Zonk posted more than 6 years ago | from the is-that-like-1337-leet dept.

Security 58

An anonymous reader writes "The USENIX LEET workshop held earlier this week in San Francisco offered neat insights into the Storm botnet, including two papers showing the difficulty of accurately measuring the botnet's size, and one on the way it conducts its spamming campaigns (down to the template language used). There was a bunch of other cool work too, so check out the papers."


Meteorologist (0, Offtopic)

Plazmid (1132467) | more than 6 years ago | (#23111892)

Hey these people should be called meteorologists, as they are studying a "storm."

Re:Meteorologist (1)

smitty_one_each (243267) | more than 6 years ago | (#23116164)

Also, this study of bots takes place in "the wild", as if the environment were somehow not a 100% human production.

wrong link (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#23111918)

correct link is http://www.usenix.org/event/leet08/tech/ [usenix.org]

Nifty (4, Insightful)

locokamil (850008) | more than 6 years ago | (#23111994)

After reading the article, I'm impressed by both the ingenuity of the researchers in infiltrating the network, and also by the skills of the malware writers. Engineering a DHT-based network is no trivial matter, and the fact that people out there went through the trouble of creating one implies that the payoff must have been commensurate to the effort involved.

Scary.

Re:Nifty (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23112070)

Think about it in this way:
You can hire a PhD-level programmer for around £500 per month full time. Think how much for an 18-year-old whizz kid?

Believe me those guys are good. No questions asked.

Re:Nifty (0)

Anonymous Coward | more than 6 years ago | (#23114416)

Only on Slashdot can you have a Score:0,Insightful...

Re:Nifty (3, Insightful)

Pig Hogger (10379) | more than 6 years ago | (#23112216)

After reading the article, I'm impressed by both the ingenuity of the researchers in infiltrating the network, and also by the skills of the malware writers. Engineering a DHT-based network is no trivial matter, and the fact that people out there went through the trouble of creating one implies that the payoff must have been commensurate to the effort involved.
Given how the "legit" private sector treats its employees like shit (layoffs, outsourcing, PHBs, etc.), it's no surprise that there is no shortage of disgruntled employees who will gladly write malware for a good payoff or simply for revenge.

Re:Nifty (1)

RealGrouchy (943109) | more than 6 years ago | (#23113856)

Or maybe they're just padding their resume to get a new job?

- RG>

Re:Nifty (1)

archkittens (1272770) | more than 6 years ago | (#23115748)

Yeah, if you can build a botnet like that, chances are very good you could get a job at the air force... I heard they're doing some attacks of their own, which the ability to covertly take control of millions of computers for simultaneous internetwork traffic would certainly be useful for. Imagine every computer on the botnet loading OPEC's website at the same time!

http://it.slashdot.org/article.pl?sid=08/04/04/1639219 [slashdot.org]

Re:Nifty (5, Interesting)

plover (150551) | more than 6 years ago | (#23113064)

Then you should be impressed by the right people, like Enzo Michelangeli, who wrote the KadC [sourceforge.net] DHT library that the storm worm authors used.

Sure, these guys are somewhat clever, but they're not the real geniuses behind the technology.

And yes, the researchers did a great job, too. It's not easy picking unknown protocols apart!

Re:Nifty (0)

Anonymous Coward | more than 6 years ago | (#23124260)

Then you should be impressed by the right people, like Enzo Michelangeli, who wrote the KadC [sourceforge.net] DHT library that the storm worm authors used.
But but but... that would mean Storm has to be GPLed! Where can I download the source code?

Re:Nifty (1)

fm6 (162816) | more than 6 years ago | (#23113152)

These are serious computer scientists. You can tell because they write their pseudocode in a variant of Algol [wikipedia.org] .

Re:Nifty (1)

RiotingPacifist (1228016) | more than 6 years ago | (#23113642)

I'll hand my geek card in at the door.

Re:Nifty (0)

Anonymous Coward | more than 6 years ago | (#23120064)

After reading the article,
I stopped reading your post right there, because I know you are a dirty liar.

My pet love/hate for botnets (5, Insightful)

Fluffeh (1273756) | more than 6 years ago | (#23112020)

I hate spam and what botnets do as much as the next fellow, to the point where I stopped checking email on a regular basis from a few accounts due to the insane amounts of spam I got, but I still have to admire the sheer beauty and audacity of putting together such a living thing. If only they could find a useful (even semi-legit) purpose for harnessing so much computing power.

Re:My pet love/hate for botnets (1)

pwizard2 (920421) | more than 6 years ago | (#23112056)

to the point where I stopped checking email on a regular basis from a few accounts due to the insane amounts of spam I got
Are you able to set up SpamAssassin for any of those accounts? (It can even run client side through some email apps.) I've been using it for a while now and on a fairly dense setting (level 2) it gets practically all of my spam, and still lets the good stuff through.

Re:My pet love/hate for botnets (1)

Fluffeh (1273756) | more than 6 years ago | (#23112528)

I have tried a large number of anti-spam products, both on the servers themselves and client side. At the moment, I generally just purge the account before I am expecting something to come in. The main emails are pulling in 12-1600 spams a day :(

Re:My pet love/hate for botnets (4, Funny)

Anonymous Coward | more than 6 years ago | (#23112116)

I think we should take over the botnet and use it as a spam filter. That would be semi-legit, right?

Re:My pet love/hate for botnets (1)

joshmobile (836033) | more than 6 years ago | (#23112406)

That's an excellent idea.

Re:My pet love/hate for botnets (1)

Skrynesaver (994435) | more than 6 years ago | (#23115290)

In a strange way you could be right.
How wrong would sending the command for a DDoS attack on 127.0.0.1 into the P2P network be?
Maybe if their own machines were banjaxed the owners of these botnet hosts might take a look at getting them fixed?

This is just a first thought as I read through the paper and I may have over simplified massively?

Re:My pet love/hate for botnets (1)

redxxx (1194349) | more than 6 years ago | (#23118456)

Where's the fun in that?

Wouldn't it be more entertaining to introduce the ability for the clients to modify themselves (such as new methods of distribution and concealment) based on modules that could be distributed across the network?

Maybe eventually make modules that let it look for other malware, and replace the payload with itself (which would also be distributed around the network). Wouldn't need to be all that efficient or effective with a few hundred thousand computers running it. A success here or there would be fine...

Take over the botnet (1)

Keybounce (226364) | more than 6 years ago | (#23121264)

Why not just take it over and use it for something constructive, like protein folding or something?

Oh, right -- because then we'd be breaking the law, and the botnet operators might sue us.

Re:My pet love/hate for botnets (1)

Sleepy (4551) | more than 6 years ago | (#23112392)

I get 3 spams per day in my inbox, and my email address is in Google from unscrubbed UNIX mailing lists. My Spam folder is a mess, but I rarely have to do much there.

+1 on the other poster regarding SpamAssassin. I maintain a server install of it and it rocks. If you are a user, you can still run RBL checks on email (header parsing), and URIBL gets rid of tons of Google-hosted (Blogspot) spam.

Now, the SA ruleset is good (organization could be better from a developer perspective... lots of overlapping rules to catch 'viagra' typos, but hey it works).

Re:My pet love/hate for botnets (1)

fm6 (162816) | more than 6 years ago | (#23113170)

If you start by hacking into somebody's computer and stealing both CPU time and network bandwidth, you've already lost any legitimacy, no matter how you use the resources you've stolen. But yeah, these botnets are an impressive achievement.

My only question (2, Funny)

Anonymous Coward | more than 6 years ago | (#23112082)

Does this run on Linux?

Re:My only question (1)

calebt3 (1098475) | more than 6 years ago | (#23112226)

No. It's Windows malware.

Re:My only question (1)

that this is not und (1026860) | more than 6 years ago | (#23112916)

For that reason, I have been wondering why USENIX is wasting time on it.

Didn't USENIX used to be about Unix and interesting stuff?

Re:My only question (1)

Culture20 (968837) | more than 6 years ago | (#23113090)

It's good to study zombies before the dawn of the dead (when all windows boxen are part of some botnet), because they affect unix boxen via the 'net

Re:My only question (1)

adelporto (104675) | more than 6 years ago | (#23119364)

Key is "used to". 20 or 30 years ago interesting stuff, or advanced computer research, was limited to *nix (BSD vs SysV - fight!). USENIX has conferences on a bunch of research areas, file systems, security, sysadmin, etc. See:

http://www.usenix.org/about/

And yes, I work for USENIX, but I'm posting on my own.

Re:My only question (0)

Anonymous Coward | more than 6 years ago | (#23112228)

Yes.

* All the researchers use Linux.
* Storm uses Linux-based infrastructure.

misnomer? (5, Informative)

B3ryllium (571199) | more than 6 years ago | (#23112102)

Is "dismantled" really the right word? Shouldn't it be "vivisected", since the botnet is still running?

Dismantled implies that it's shut down. Last I heard, it was still running, and sub-botnets (tropical depressions?) were being sold. Botnet franchising, if you will.

Re:misnomer? (0)

Anonymous Coward | more than 6 years ago | (#23112130)

You're right. Storm is still running. Sub-botnets are not being sold. It was entirely reasonable for Joe Stewart to suggest that would happen; it just hasn't happened yet.

Re:misnomer? (1)

PitaBred (632671) | more than 6 years ago | (#23112906)

That's the first thing I thought of, too. Vivisected is a cool word, or something more mundane like dissected being as it wasn't really "alive" to begin with.

But hey, why let a little thing like clear communication force you to do boring things like "learning" and "reading". It's much more fun to throw random semi-related words together with meanings that aren't what you're actually trying to say.

The ironing is delicious.

Re:misnomer? (1)

B3ryllium (571199) | more than 6 years ago | (#23113092)

Well, it's capable of communication ... and it's constructed sort of like a neural network. If it gains sentience, the term will apply.

However, since it hasn't yet, perhaps I should have used a calmer and more rational word, such as "analyzed".

It doesn't have the same visceral impact as "vivisected", but it makes up for that by being both academic and explanatory - unlike "dismantled", which makes it sound like it has a cameo in WALL-E.

Re:misnomer? (1)

modulo (172960) | more than 6 years ago | (#23119204)

I think "deconstructed" is what they had in mind (in the loose sense of "analyzed"), using literature as a metaphor, but "dismantled" makes a better headline.

Wow ok. (0)

Anonymous Coward | more than 6 years ago | (#23112140)

So now the creators can read this and adapt. Great.

Re:Wow ok. (3, Informative)

77Punker (673758) | more than 6 years ago | (#23112426)

According to the paper, the creators already make changes to obscure the botnet on a frequent basis. This paper won't make them any more paranoid than they already are.

"Shatter Her Meat Tunnel and Bash Down Walls..." (5, Funny)

falsemover (190073) | more than 6 years ago | (#23112344)

"... With Your Humongous New Cock." (actual subject header of spam email received)

Seriously, we haven't had this kind of inspired ribald poetry since William Shakespeare.

I say bring it on, we need the spam entertainment.

SAVE THE BOTNET - SPAM IS ART

In cheap meat, there is poetry.

Re:"Shatter Her Meat Tunnel and Bash Down Walls... (1)

justinlee37 (993373) | more than 6 years ago | (#23115012)

Funny, I got one with a subject line reading "Attention! Chi/d Pomo!"

Re:"Shatter Her Meat Tunnel and Bash Down Walls... (1)

phoenixwade (997892) | more than 6 years ago | (#23115552)

Funny, I got one with a subject line reading "Attention! Chi/d Pomo!"
Well, the botnet seems to be evolving into targeted marketing, then.

Re:"Shatter Her Meat Tunnel and Bash Down Walls... (2, Funny)

archkittens (1272770) | more than 6 years ago | (#23115796)

Next thing we know, it will be cracking Google Toolbar and getting a look at search histories associated with Gmail accounts, and since all spam is invariably connected with some form of sex industry...

I can't wait to get the line "get a larger hadron collider with our revolutionary unix-based pill!"

Re:"Shatter Her Meat Tunnel and Bash Down Walls... (1)

OdessaCG (442168) | more than 6 years ago | (#23117510)

I say bring it on, we need the spam entertainment.

ITYM "spamtertainment".

OMG (2, Insightful)

PenguSven (988769) | more than 6 years ago | (#23112368)

After reading up a little more on botnets, it's clear now that SkyNet will in fact originate as a spam and DOS attack/delivery "platform", which will become sentient, and try to kill us all by destroying the internet!

Re:OMG (3, Funny)

socsoc (1116769) | more than 6 years ago | (#23112786)

Kill us all by destroying the Internet? But I learned last night that when the Internet stops working, everyone will just head out the Californee way.

What user-agent string is it seeking? (5, Funny)

symbolset (646467) | more than 6 years ago | (#23112460)

We used different releases of three web browsers, resulting in a total of eight different browser versions. The results indicate that Storm exploits only web browsers with a specific User-Agent, a HTTP request header field specifying the browser version. If this header field specifies a non-vulnerable browser, the malicious server does not send the exploit to the client. However, if the client seems to be vulnerable, the server sends between three and six different exploits for vulnerabilities commonly found in this browser or in common browser-addons. The goal of all these exploits is to install a copy of the Storm binary on the visitor's machine. We observed that the actual exploit used in the malicious Web sites is polymorphic, i.e., the exploit code changes periodically, in this case every minute, which complicates signature-based detection of these malicious sites.

So... three guesses what user-agent it's looking for.
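The paragraph quoted above describes two behaviours a defender can probe for: the landing page serves its exploit only to a matching User-Agent, and the exploit text is rewritten every minute, so byte-level signatures miss it. The following is an added example (not code from the paper or the post) of a probe that compares the structure of the page returned to several User-Agents and flags both cloaking and polymorphism; the server, URL and User-Agent strings are constructed stand-ins.

```python
import hashlib
import re

# Constructed User-Agent strings; the first one plays the "vulnerable" browser.
USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/5.0 (X11; Linux x86_64) Gecko/20080414 Firefox/2.0",
    "Opera/9.27 (Windows NT 5.1; U; en)",
]


class ConstructedServer:
    """Stand-in for a cloaking landing page (hypothetical, for the probe only):
    serves a script only to the MSIE User-Agent and rewrites that script's
    text on every request, mimicking the per-minute polymorphism described."""

    def __init__(self):
        self.calls = 0

    def fetch(self, url, user_agent):
        self.calls += 1
        if "MSIE 6.0" in user_agent:
            token = hashlib.sha256(str(self.calls).encode()).hexdigest()[:8]
            return f"<html><body>welcome<script>var k='{token}';</script></body></html>"
        return "<html><body>welcome</body></html>"


def shape(body):
    """Structural fingerprint of a page: number of <script> tags and a coarse
    size bucket. Rewriting the script text leaves this unchanged, so it survives
    the polymorphism that defeats exact-hash signatures."""
    scripts = len(re.findall(r"<script\b", body, re.I))
    return (scripts, len(body) // 256)


def probe(url, user_agents, fetch, repeats=2):
    """Fetch url `repeats` times per User-Agent and report:
    cloaked     - the page's structure depends on the User-Agent,
    outliers    - User-Agents that received a minority structure,
    polymorphic - User-Agents whose repeated fetches differ byte-for-byte
                  while keeping the same structure."""
    groups, polymorphic = {}, []
    for ua in user_agents:
        bodies = [fetch(url, ua) for _ in range(repeats)]
        digests = {hashlib.sha256(b.encode()).hexdigest() for b in bodies}
        shapes = {shape(b) for b in bodies}
        if len(digests) > 1 and len(shapes) == 1:
            polymorphic.append(ua)
        groups.setdefault(shape(bodies[0]), []).append(ua)
    largest = max(len(uas) for uas in groups.values())
    outliers = [ua for uas in groups.values() if len(uas) < largest for ua in uas]
    return {"cloaked": len(groups) > 1, "outliers": outliers,
            "polymorphic": polymorphic, "groups": groups}


if __name__ == "__main__":
    server = ConstructedServer()
    print(probe("http://example.invalid/", USER_AGENTS, server.fetch))
```

A real deployment would swap `ConstructedServer.fetch` for an HTTP client that sets the User-Agent header, and would compare against a richer structural fingerprint (tag histogram, external resource hosts) than the two-field one shown here.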

Re:What user-agent string is it seeking? (0)

Anonymous Coward | more than 6 years ago | (#23112944)

So... three guesses what user-agent it's looking for.

1. Opera? No...
2. Firefox? Closer...
3. Safari? No... damnit!

I give up. I am terrible at this game.

Re:What user-agent string is it seeking? (4, Funny)

Ford Prefect (8777) | more than 6 years ago | (#23113074)

So... three guesses what user-agent it's looking for.

Sarah Connor?

Re:What user-agent string is it seeking? (2, Funny)

n0dna (939092) | more than 6 years ago | (#23113866)

See? Not even Botnets use Opera.

*grin*

I'm of the paranoid opinion... (0)

Anonymous Coward | more than 6 years ago | (#23112650)

that the storm botnet is basically run by a government entity fronted by criminals, either the US or Russia.

Another paper on "Malicious Hardware" (5, Interesting)

Schnoodledorfer (1223854) | more than 6 years ago | (#23112690)

How about this one: Designing and Implementing Malicious Hardware [usenix.org] ? Now that people are figuring out how to deal with Storm, we may have to start worrying about bogus ICs that will be designed to allow your computer to be compromised easily. Damn! Interesting, though. It was awarded "Best Paper".

Re:Another paper on "Malicious Hardware" (1)

FooAtWFU (699187) | more than 6 years ago | (#23113502)

The primary obstacle I see with their "malicious hardware" design is that of the actual malicious hardware creation. They create an FPGA processor that they can use to steal shadow password files, but are most modern processors purchased by most individuals or organizations able to be reproduced with FPGAs? Perhaps in the intermediate to distant future, but if you can't fake a new Intel or AMD chip, your targets seem limited...

Re:Another paper on "Malicious Hardware" (1)

AuMatar (183847) | more than 6 years ago | (#23120032)

Not that I see this as a practical attack anytime soon, but it doesn't need to target the main processor. It would be far more efficient to target a smaller subprocessor. The one that comes to mind is the PIC; it's an extremely simple chip that's well over a decade old. Easily done via FPGA. Northbridge and southbridge might be targets as well.

Not all bad! (3, Funny)

illama (1275186) | more than 6 years ago | (#23113600)

FTA:

Second, Storm synchronizes the system time of the infected machine with the help of the Network Time Protocol (NTP). This means that each infected machine has an accurate clock.
See, it's not all bad!

Re:Not all bad! (1)

oblivionboy (181090) | more than 6 years ago | (#23114408)

First question that pops into my mind is would changing your time to some "wrong" value be a potential litmus test for this botnet? If you did and it changed back at some point and you were sure there were no other synchronization processes running on your machine, it might be a clue that you were infected. .o.

Broken clock (1)

Thelasko (1196535) | more than 6 years ago | (#23117048)

Second, Storm synchronizes the system time of the infected machine with the help of the Network Time Protocol (NTP). This means that each infected machine has an accurate clock.
My fiancee's computer never has the correct time. I guess that rules out the cause as being Storm worm related.

bootdisk scanner? (1)

Sczi (1030288) | more than 6 years ago | (#23117560)

Microsoft needs to quit screwing with the interface of Office 07 and spend some time doing something useful like creating a CD image of WinPE or even a BartPE plugin that includes a scanner for (at least) the major botnet software. Just release a new one every month or two, burn it, reboot, scan. I mean, really, this crap is getting ridiculous. MS just needs to take a bank of 1000 PCs, load XP with no service packs or security and live IP addresses, wait about 20 minutes, and then turn on the sniffers. I don't see how they are not on the receiving end of a class action lawsuit by now.

Why is information about what we know online... (1)

brassmaster (950537) | more than 6 years ago | (#23121048)

...when the guys behind it are still RUNNING it right now? I mean, sure it's wonderful what these researchers were able to find out, but when the potential exists for even more serious crimes to be committed by means of this mechanism, why are we telling the people behind it what they need to think about when designing version 4.0?