
Storm Worm Botnet "Cracked Wide Open"

timothy posted more than 5 years ago | from the after-honeynets-let's-try-bugzappers dept.

Security 301

Heise Security reports that a 'team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed. Quite the reverse, for in theory it can be rapidly eliminated using software developed and at least partially disclosed by Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser. However it seems in practice the elimination process would fall foul of the law.'

301 comments

so what? (5, Insightful)

derfy (172944) | more than 5 years ago | (#26409379)

However it seems in practice the elimination process would fall foul of the law.

I'm sure I'm not alone when I say, "So?"

Me too (-1, Redundant)

G3ckoG33k (647276) | more than 5 years ago | (#26409421)

I'm sure, too!

So you are sued and lose your house. (5, Insightful)

khasim (1285) | more than 5 years ago | (#26409533)

That's the problem.

The criminals do not care because they were criminals to begin with. This affects the people who are not criminals but who want to clean up the mess made by the criminals.

Now, if the various governments could/would authorize their law enforcement agencies to use this method ...

Re:So you are sued and lose your house. (4, Insightful)

ushering05401 (1086795) | more than 5 years ago | (#26409633)

"Now, if the various governments could/would authorize their law enforcement agencies to use this method ..."

That is the worst idea I have heard all week.

Re:So you are sued and lose your house. (5, Funny)

maxume (22995) | more than 5 years ago | (#26409801)

Just require a warrant from some level of federal judge.

Things might not work great at first, but the whole warrant system works pretty well, and it would provide a framework for preventing abuse and overuse.

Re:So you are sued and lose your house. (4, Interesting)

aurispector (530273) | more than 5 years ago | (#26409955)

Yeah, but it's an international problem. A guy from F-Secure in Finland has been calling for the formation of an "internetpol" for exactly these reasons. I think he's right because otherwise international net crime will continue unabated, since nobody is in charge of combating it. An international body designed to coordinate net crime policing efforts is sorely needed.

Re:So you are sued and lose your house. (1, Funny)

Anonymous Coward | more than 5 years ago | (#26410273)

"I think he's right because otherwise international net crime will continue unabated,..."

We need to call Netman, he will save us from those Jokers.

Re:So you are sued and lose your house. (4, Insightful)

peragrin (659227) | more than 5 years ago | (#26409967)

Up until it crosses national borders, then yes it does. But if the guy running the show is in a country without extradition then it is useless. Warrants assume everyone is following similar laws and there is an agency that can police all affected areas equally.

However, if an American warrant was being served against a French botnet controller, even with a treaty they still would let him stay free if he didn't harm any French computer users.

Governments are like children, no one else can play in their sandbox, or with their toys.

Re:So you are sued and lose your house. (5, Insightful)

Yez70 (924200) | more than 5 years ago | (#26410139)

I don't think the primary goal here is capture and prosecution of the controllers, but shutting the botnet down. Shouldn't that be the priority?

I would say that it should be. (4, Interesting)

khasim (1285) | more than 5 years ago | (#26410227)

I don't think the primary goal here is capture and prosecution of the controllers, but shutting the botnet down. Shouldn't that be the priority?

I would say that it should be. Why waste time and effort trying to find crackers who will only be replaced by different crackers in different countries if you do manage to prosecute them?

Remove the zombies in your country and the zombie problem is pretty much solved.

But to accomplish that, you need to be able to automate the process and perform it remotely. There just are not enough resources to handle each computer individually.

Re:So you are sued and lose your house. (5, Insightful)

owlnation (858981) | more than 5 years ago | (#26409923)

"Now, if the various governments could/would authorize their law enforcement agencies to use this method ..."

That is the worst idea I have heard all week.

No Kidding! The problem with such laws (any laws) in most countries, is that they are open to interpretation. This is why we have courts. Which means, that allowing any government agency the right to access 3rd party computers for any reason sets a very, very dangerous precedent which can be exploited by the more fascist politicians in the world.

We've already seen the UK Governing Regime try to find ways of accessing the public's computers whenever they see fit, and without any court warrant. There is no sane way to allow this kind of exception, without running the risk of opening the door to further Government inspection of your computer, if they decide to exploit precedent.

Be very careful with vigilantism. Especially when a government agency is the vigilante. It WILL be exploited for other reasons.

Re:So you are sued and lose your house. (0)

Anonymous Coward | more than 5 years ago | (#26410167)

We've already seen the UK Governing Regime try to find ways of accessing the public's computers whenever they see fit, and without any court warrant. There is no sane way to allow this kind of exception, without running the risk of opening the door to further Government inspection of your computer, if they decide to exploit precedent.

Here is model legislation that will allow for [agency] to clean up the Storm Botnet:
1. [agency] is authorized to clean up the Storm Worm Botnet (hereafter known as "Botnet")
2. [agency] will do so by infiltrating the Botnet with client ABC [SHA hash value of DEF]
3. [agency] may only use client ABC to infiltrate Botnet
4. Client ABC may only issue commands G,H,J,[etc]
5. Commands G,H,J,[etc] may only cause Botnet uninstaller STU [SHA hash value of VWX] to run
6. Uninstaller STU may only issue commands Y,Z,[etc]
7. [agency], ABC, and STU may not do anything other than cause Botnet to be uninstalled from infected computers
8. [oversight]
9. [penalties for doing anything other than 1-6]
10. [A million or two in coupons to fix computers the uninstaller breaks]

You get the idea.

It isn't very hard to write a good law (assuming you've thought through all the unintended consequences), politicians & think tanks just aren't usually very interested in writing such specific legislation unless it is to steer money towards a specific company.

Re:So you are sued and lose your house. (3, Funny)

Anonymous Coward | more than 5 years ago | (#26409987)

That is the worst idea I have heard all week.

Just curious. What was the one of the previous week??

Re:so what? (1)

Vectronic (1221470) | more than 5 years ago | (#26409575)

I'd have to agree, similar to Blaster [wikipedia.org] I think it was, where someone/people developed a counter-Blaster worm that went around patching people's systems using the same hole that Blaster used to fuck up people's systems.

Seems sort of logical to me, sort of like how our immune system works, and once the "good guys" have won, they just naturally die out, and the system goes back to normal (usually).

Re:so what? (4, Insightful)

txoof (553270) | more than 5 years ago | (#26409671)

Not only is it a problem of breaking the law, but there's the problem of "cleaning gone wrong". What if the cleaning program fouls a hospital's computers? Or fouls up some other important infrastructure. Do you want to be the guy standing next to the enter key in that event?

Obviously, infrastructure should be configured and secured against such problems, but it's pretty clear that that assumption is false and dangerous. Just a few months ago a trio of London hospitals [theregister.co.uk] went down because of an infection. Granted it was mostly the administrative side that went down, but that still costs a crap load. And what if it's not just the administrative side of, say, a power distribution grid that shits itself because of some unforeseeable problem with the cleaning worm?

I sure wouldn't want to be the guy responsible for that. There's also the threat that the cleaning will go wrong in completely unexpected ways causing even worse network disruption. If this option is pursued, those that have the magic bullet would probably want to get some sort of pledge of amnesty from their governments to protect them from prosecution in the event that they cause damage.

Re:so what? (2, Insightful)

Tanktalus (794810) | more than 5 years ago | (#26410233)

Just wondering why they don't just post the cleaning executables, and then talk to the local media about their fix for the botnet, and include the URL to the cleaning executable? Invite the public to run it for free. Then convince the media to post their story as a video on their own website (not youtube or anywhere that can be faked).

It won't get everyone, but it'll start. And then users can pass the story around by word of mouth to extend it to others. Hopefully they'll get media in other countries/languages interested, and then get those to also post their stories on their websites. If the University then tracks these and provides all the links (including languages) back to the media sites, we might be able to convince large numbers of people to clean their own systems without hacking anything. All perfectly legal.

While I have to admit that hacking the botnet itself is worth huge geek points, they may still be able to do a lot of good for the internet with the work they've done so far without running afoul of the law. If users download and run it themselves, that is authorisation right there (especially if the software does what they claim it does).

Re:so what? (5, Interesting)

Vellmont (569020) | more than 5 years ago | (#26410303)


What if the cleaning program fouls a hospital's computers? Or fouls up some other important infrastructure. Do you want to be the guy standing next to the enter key in that event?

It seems to me that a computer participating in a botnet is already a threat to the public. If "cleaning gone wrong" fouls a computer that's already infected, that's really just 'collateral damage'. If it happens to be a hospital's computers, well, I'd say the real problem was the hospital trusting critical infrastructure to software that's insecure. If a hospital is really dumb enough to put infrastructure that could harm someone's life on a network connected to the internet, I'd say that's criminal negligence.

I really do think we've hit the point where the people with the vulnerable computers need to start taking SOME of the blame here and stop acting as if they're all just innocent bystanders. There's certainly plenty of blame to go around. (Oh, and the software producers can sure take some of the blame as well).

Re:so what? (1)

iminplaya (723125) | more than 5 years ago | (#26409745)

You are correct [thinkprogress.org] , sir

Re:so what? (1)

WTF Chuck (1369665) | more than 5 years ago | (#26409859)

However it seems in practice the elimination process would fall foul of the law.

I'm sure I'm not alone when I say, "So?"

<sarcasm>But don't you know, all those people with zombie machines will suddenly start complaining when their computers start running faster and they have better internet connection speeds.</sarcasm>

I do have to agree, so what if it runs foul of the law. If the relevant laws were effective, we wouldn't have the botnet problem in the first place.

Just how many people will complain once they get better performance from their machines that are no longer owned.

Re:so what? (0)

Anonymous Coward | more than 5 years ago | (#26409881)

They've made all the code you need available, go for it. The issue is they don't want to do it, because they'll get in trouble. Someone needs to do it anonymously.

Re:so what? (1)

szlwzl (801203) | more than 5 years ago | (#26410279)

However it seems in practice the elimination process would fall foul of the law.

Before we know it skynet will have control....

Law? (5, Funny)

Opportunist (166417) | more than 5 years ago | (#26409383)

Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?

Re:Law? (5, Insightful)

ScrewMaster (602015) | more than 5 years ago | (#26409471)

Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?

Yes. Governments.

Re:Law? (1)

lordsid (629982) | more than 5 years ago | (#26409577)

Which one?

Re:Law? (5, Interesting)

v1 (525388) | more than 5 years ago | (#26409691)

Vigilantism is the result of when the government cannot protect the citizen from something that it's reasonable to believe they should be protected from. It's usually due to the problem of balance between making things illegal and restricting reasonable freedom.

But in this case it's more toward the issue of the problem not being within the government's charter, or that the government simply does not have the structure (laws, with teeth) required to protect the citizen.

I'm not a fan of vigilantism in general, but there are times when I approve of it. I'd personally love it if someone would infiltrate the botnets and inject a command to brick (but not erase) every computer that's infected, as a measure to protect millions of innocent people.

Imagine the city you live in, where 15% of the cars parked on the curbs have the keys in the ignition. And there's a growing problem in the city of kids going on joy rides and trashing cars and property and even killing people. But the car owners don't want to bother with the problem and don't care unless their car gets trashed, and don't want anyone telling them what to do with their car. I'd lead the effort to walk the blocks, looking for cars with keys in the ignition, and hiding them somewhere in their car. Don't like it? Quit leaving your keys in the ignition. Yes, it may violate a right of yours, but by your extending your liberty it's violating the rights of others to a larger degree.

Re:Law? (0)

Anonymous Coward | more than 5 years ago | (#26409905)

It's almost always illegal (in the states) to leave your keys in the car at all, just the same as leaving them in the ignition. Pretty hefty ticket.

Re:Law? (1)

TwistedSymmetry (1354405) | more than 5 years ago | (#26410171)

In the city where I live, people leave their cars running unattended with keys in the ignition all the time.

On the other hand I see police cars patrolling the streets all the time as well.

Re:Law? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26410251)

Brick every computer affected? Are you stupid?

What if it's a hospital network that you just destroyed? Traffic light controls? Hell, anything?

What if the code to remove the botnet isn't perfect? What if it targets innocent system?

This is exactly the reason vigilantes shouldn't be allowed under any circumstance. Once you hold no regard for the law, anarchy reigns.

Re:Law? (0)

Anonymous Coward | more than 5 years ago | (#26410291)

Yeah, its just like killing people... Didn't we learn that to reason by analogy is to reason in error? OH lets see about 300 to 500 years ago?

Re:Law? (1)

Opportunist (166417) | more than 5 years ago | (#26410131)

Really? Gee, some of the actions of our politicians could have fooled me.

Oh! Oh, it's one of those "do as I say, don't do as I do" things?

Re:Law? (1)

dimethylxanthine (946092) | more than 5 years ago | (#26409593)

In Soviet Russia, the government controls the commerce.

"When buying and selling are controlled by legislation, the first things to be bought and sold are legislators."

-- P.J. O'Rourke

Re:Law? (3, Interesting)

99BottlesOfBeerInMyF (813746) | more than 5 years ago | (#26409873)

Who cares about laws? I mean, the criminals don't, the government doesn't care, is anyone still clinging to this outdated model of a coexistence standard?

Both companies and universities who have security researchers on their staff care about laws and, more than that, the risk of lawsuits. When the network security company I worked for had the ability to shut down several botnets we consulted with our primary counsel and decided it was not worth risking the company to lawsuits from people whose zombies could be shut down or lose data. The publicity would have been nice, but there are always people looking to cash in. Instead, we collaborated with law enforcement a few times and gave them the ability to shut them down if they wanted to (at least one government did shut down a botnet we handed them the keys to).

A shorter answer would be, the researchers care about laws because they want to keep their jobs and not go broke or go to prison.

Re:Law? (1)

Opportunist (166417) | more than 5 years ago | (#26410077)

That's basically what made me post this snide and cynical comment. I'm in the same boat. Care to tell me what government actually cared enough to send a reply that wasn't a long-winded and wordy version of "meh"?

Partially disclosed? (5, Interesting)

Urkki (668283) | more than 5 years ago | (#26409385)

They should just publish their code. Let the individual hackers decide what to do with it...

Re:Partially disclosed? (4, Funny)

neo8750 (566137) | more than 5 years ago | (#26409425)

Yeah and let the botnet owners see it and then write a patch for the botnets...

Re:Partially disclosed? (1)

EyyySvenne (999534) | more than 5 years ago | (#26409487)

I bet quite a few of us are going to fix the change(s) and run it many times before the botnet owners could get a patch out.

You're on to something there. (1)

khasim (1285) | more than 5 years ago | (#26409613)

But instead of individual hackers cleaning up the mess, why not have the government of a country pass a law that machines within its jurisdiction may be cleaned if found to be a zombie?

Then their law enforcement agencies can use the code that the hackers wrote to clean up the machines in their country.

A simple process of identifying the infected boxes, notifying the ISP of those boxes, the ISP notifies the customer in writing and if not cleaned within 30 days then the cops clean it remotely.

The only real problems would be that many of those machines would probably be re-infected soon and the hackers would continually have to reverse engineer the latest zombie upgrades.

Maybe such an approach would finally get the anti-virus companies (and OS vendors) to publicize white lists of code that is known to be okay. Rather than trying to identify all the code that is not okay (and its variants).

Re:You're on to something there. (0, Troll)

gandhi_2 (1108023) | more than 5 years ago | (#26409701)

So a possible infection becomes grounds for the government to seize your property so it can be "cleaned"?

Here's an idea: if your computer is under attack from someone's compromised computer, it's your responsibility to defend yourself with technological and litigious means as you deem necessary. If your computer is being used to attack someone else, it is your legal responsibility to stop it. If you are an ISP, just disconnect offenders until they can prove they are clean.

Re:You're on to something there. (1)

davolfman (1245316) | more than 5 years ago | (#26409763)

If your computer is being used for an attack who says you're going to know?

Re:You're on to something there. (0)

Anonymous Coward | more than 5 years ago | (#26409857)

Did you *read* your parent? Perhaps the part about ISP?

Re:You're on to something there. (1)

gandhi_2 (1108023) | more than 5 years ago | (#26409865)

When your ISP calls you because a) they got a call from a target or b) they see a shitload of smtp traffic coming from you.

Who said "seize"? (1)

khasim (1285) | more than 5 years ago | (#26410101)

So a possible infection becomes grounds for the government to seize your property so it can be "cleaned"?

Who said that it would be seized?

The process in the article allows for the system to be remotely identified and remotely cleaned.

If your computer is being used to attack someone else, it is your legal responsibility to stop it.

And how, specifically, would the average computer user know that their machine was a zombie?

If you are an ISP, just disconnect offenders until they can prove they are clean.

What is the financial benefit to the ISP in that case? It's cheaper for them to buy more bandwidth than it is to pay a tech to handle the incoming call from when the customer's machine cannot get to the Internet.

Try to explain that without getting into "pass a law". You'll see why remotely removing the zombie code is the best use of resources.

Re:You're on to something there. (0)

Anonymous Coward | more than 5 years ago | (#26409747)

Ok, define "Zombie". No really, try to define what actually makes a zombie. When it comes down to it, the law would end up saying something like "and if a machine is suspected of running undesirable code...", then you get into all sorts of sticky areas that are just ripe for abuse.
Besides, I wouldn't want my Government scanning my computer for ANY reason.

Re:You're on to something there. (1)

speculatrix (678524) | more than 5 years ago | (#26409861)

define zombie.. machine running undesirable code
anything that came on a disk with "(C) Microsoft" would be the main candidate!

OK, slightly more seriously. If Windows were banned and all computers running Windows were disconnected, for how long would the internet be clean until the blackhats successfully targeted OS X and Linux? My guess is about a month till they were able to take control of older unpatched machines. They might get a small percentage of OS X, Linux and FreeBSD boxes, but it'd still be enough to be a nuisance!

Re:Partially disclosed? (5, Informative)

ymgve (457563) | more than 5 years ago | (#26409627)

They should just publish their code.

They did.

The Full Disclosure link contains the source code of their program.

Re:Partially disclosed? (1)

Urkki (668283) | more than 5 years ago | (#26409715)

Well, excuse me for not having RTFA... Summary talks about partial disclosure.

Anyway, it'll be interesting to see what happens with this botnet next...

Re:Partially disclosed? (1)

j741 (788258) | more than 5 years ago | (#26410249)

They should just publish their code.

They did.

The Full Disclosure link contains the source code of their program.

I don't know where you got your definition of "source code", but what was disclosed was definitely not the source, but something else entirely. I mean really, the first line isn't C, C++, C#, Java, command scripts, Pascal, or any other source code language I have ever seen. Seriously, what language is this: "QlpoOTFBWSZTWZCbNyYBVlN/"?
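A quick triage check for a blob like the one quoted in the comment above, as an added example that is not part of the thread or of the researchers' release: base64-decode the fragment and compare its leading bytes against well-known container magic numbers. The only page-derived input is the 24-character prefix the commenter quoted; the magic-number table and the `identify` helper are mine.

```python
"""Identify what a base64 blob posted in a mailing-list message actually is,
by decoding it and matching the leading bytes against well-known container
magic numbers. Added example; the only page-derived input is the 24-character
prefix quoted in the comment above."""
import base64
import binascii

# Magic numbers of common archive/compression containers (first bytes of the file).
MAGIC = [
    (b"BZh", "bzip2"),
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x9d", "compress (.Z)"),
    (b"MZ", "DOS/PE executable"),
    (b"\x7fELF", "ELF executable"),
]

# bzip2 block header: the 48-bit constant 0x314159265359 (digits of pi) follows "BZh<level>".
BZIP2_BLOCK_MAGIC = b"\x31\x41\x59\x26\x53\x59"


def decode_fragment(text: str) -> bytes:
    """Base64-decode a possibly truncated fragment: strip whitespace, drop a
    dangling single character (it cannot encode a whole byte) and re-pad."""
    clean = "".join(text.split())
    if len(clean) % 4 == 1:
        clean = clean[:-1]
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean, validate=True)


def identify(text: str) -> dict:
    """Return the detected container type plus a few header details for a base64 fragment."""
    try:
        data = decode_fragment(text)
    except binascii.Error:
        return {"format": "not base64", "head": b""}
    fmt = next((name for magic, name in MAGIC if data.startswith(magic)), "unknown")
    info = {"format": fmt, "head": data[:10]}
    if fmt == "bzip2":
        # "BZh9": magic, then block-size level 1..9 (x 100 kB); the pi marker follows.
        info["level"] = int(chr(data[3]))
        info["block_header_ok"] = data[4:10] == BZIP2_BLOCK_MAGIC
    return info


# Constructed input: the first 24 characters quoted in the comment above.
POSTED_PREFIX = "QlpoOTFBWSZTWZCbNyYBVlN/"

if __name__ == "__main__":
    print(identify(POSTED_PREFIX))
```

The prefix decodes to `BZh9` followed by the `1AY&SY` block marker, i.e. the start of a bzip2 stream, which is why it looks like no programming language at all: the posted text is a base64-armoured compressed archive, and the real contents only appear after decoding and decompressing the whole blob (the usual `base64 -d | bzip2 -d` pipeline, run in an isolated environment since the archive's contents are untrusted).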

Depends ... (3, Insightful)

ScrewMaster (602015) | more than 5 years ago | (#26409453)

However it seems in practice the elimination process would fall foul of the law.

Whose law?

Re:Depends ... (4, Interesting)

Anonymous Coward | more than 5 years ago | (#26409547)

The process looks like this:

Using this background knowledge, they were able to develop their own client, which links itself into the peer-to-peer structure of a Storm Worm network in such a way that queries from other drones, looking for new command servers, can be reliably routed to it. That enables it to divert drones to a new server. The second step was to analyse the protocol for passing commands. The researchers were astonished to find that the server doesn't have to authenticate itself to clients, so using their knowledge they were able to direct drones to a simple server. The latter could then issue commands to the test Storm worm drones in the laboratory so that, for example, they downloaded a specific program from a server, perhaps a special cleaning program, and ran it. The students then went on to write such a program.

Seems like the method involves the server communicating with the client - which could be considered "hacking" and thus be problematic.

Especially here in Germany where even possessing nmap is a crime.
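The quoted passage turns on one design flaw: the command server never has to authenticate itself, so any peer that manages to get into the routing path can issue commands. The following added example (my own illustration, not the researchers' client or any real bot protocol) shows the weak receiver next to a hardened one: a toy "switch to this server" command is accepted by a receiver that trusts any sender, and rejected by one that verifies a MAC under a key only the legitimate controller holds and that refuses replayed sequence numbers. HMAC-SHA256 with a pre-shared key stands in for a public-key signature so the code runs on the standard library alone; the key, the command names and the address are constructed values.

```python
"""Why a command channel must authenticate its controller. Added example, not
code from the Bonn/Aachen researchers or from any real botnet. HMAC with a
pre-shared key stands in for a public-key signature (stdlib only)."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret, held only by the legitimate controller and its clients.
CONTROLLER_KEY = b"example-controller-key-do-not-reuse"


def build_command(cmd: dict, key: Optional[bytes]) -> dict:
    """Serialize a command; attach an HMAC-SHA256 tag only when the sender holds the key."""
    body = json.dumps(cmd, sort_keys=True, separators=(",", ":"))
    msg = {"body": body}
    if key is not None:
        msg["tag"] = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return msg


def naive_receive(msg: dict) -> Optional[dict]:
    """The weak design: no authentication, so whatever arrives is executed."""
    return json.loads(msg["body"])


def verified_receive(msg: dict, key: bytes, counter: dict) -> Optional[dict]:
    """Hardened receiver: constant-time tag check, then a strictly increasing
    sequence number so an old, genuinely tagged command cannot be replayed."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(msg.get("tag", ""), expected):
        return None                      # unsigned or forged: ignore
    cmd = json.loads(msg["body"])
    if cmd.get("seq", -1) <= counter["last"]:
        return None                      # replayed: ignore
    counter["last"] = cmd["seq"]
    return cmd


def demo() -> dict:
    """Feed a legitimate command, a forged redirect and a replay to both receivers."""
    state = {"last": 0}
    legit = build_command({"seq": 1, "op": "noop"}, CONTROLLER_KEY)
    # Constructed forged command from a sender without the key (TEST-NET-3 address).
    forged = build_command({"seq": 2, "op": "set_server", "addr": "203.0.113.7:80"}, None)
    return {
        "naive_accepts_forged": naive_receive(forged) is not None,
        "verified_accepts_legit": verified_receive(legit, CONTROLLER_KEY, state) is not None,
        "verified_accepts_forged": verified_receive(forged, CONTROLLER_KEY, state) is not None,
        "verified_accepts_replay": verified_receive(legit, CONTROLLER_KEY, state) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The same pattern, with a real signature scheme and a monotonic counter or timestamp, is what any legitimate software-update or remote-management channel needs: without it, whoever can answer a peer's "where is the server?" query gets to pick what that peer runs next, which is exactly the weakness the quoted article describes.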

Re:Depends ... (1)

Nasajin (967925) | more than 5 years ago | (#26409563)

From the article:

From a legal point of view, that could involve many problems. Any unauthorised access to third-party computers could be regarded as tampering with data, which is punishable under paragraph 303a of the German Penal Code.

So, in response to your query, Germany's laws.

Re:Depends ... (0)

Anonymous Coward | more than 5 years ago | (#26409739)

The beauty of victimizing criminals is that they tend not to call the authorities to report it.

IMHO, they should have just shut the fuck up, quietly lit the candle on their little fix, and then anonymously leaked some details a couple weeks after the botnet was reduced to a smoking ruin.

Re:Depends ... (1)

Nursie (632944) | more than 5 years ago | (#26410223)

It seems to me to be a very grey area. All you would need to do is get yourself (or a test VM) infected and hooked up to Storm and then inject the "change server" message into your own drone machine. Then everything else is autonomous - the other drones ask your drone for instructions and then voluntarily download a cleaner.....

Re:Depends ... (2, Informative)

Anonymous Coward | more than 5 years ago | (#26410315)

No, German law is very clear at this point.
Unauthorised data manipulation is illegal.
And you will not get around the judge with: "I just inserted that in the bot in my machine and it spread through the botnet, lulz. Dunno why."

Re:Depends ... (0)

Anonymous Coward | more than 5 years ago | (#26409703)

All I'm thinking is "Let's find a country where it's completely legal", problem solved. How anyone can reason themselves out of downright murdering a botnet is beyond me.

Re:Depends ... (0)

Anonymous Coward | more than 5 years ago | (#26410293)

Murphy's.

WWBD? (5, Funny)

retech (1228598) | more than 5 years ago | (#26409467)

This falls into that whole super-hero vigilante category. Just ask yourself, what would batman do?

Re:WWBD? (3, Funny)

Anonymous Coward | more than 5 years ago | (#26409643)

Forget Batman! What would Yagami Light do?

Re:WWBD? (1)

Creepy Crawler (680178) | more than 5 years ago | (#26409833)

Take detailed notes in his notebook.

Why, look at all those botnet handlers die of heart attacks..

Re:WWBD? (0)

Anonymous Coward | more than 5 years ago | (#26409919)

Oh, you're suggesting that we become plum crazy and start killing the police too?

Re:WWBD? (1)

theTerribleRobbo (661592) | more than 5 years ago | (#26410175)

Take a potato chip, and eat it. :|

Re:WWBD? (0, Redundant)

frankie (91710) | more than 5 years ago | (#26409783)

He'd use his detective skills to learn the identities of the Cyrillic mobsters who own the botnet. The next night he'd incapacitate a number of guards, then dangle the bosses headfirst off of an onion-domed cathedral until they give him all their passwords. And lastly fight a corrupt former-KGB super-enforcer.

So your philosophy may not be very applicable here.

Re:WWBD? (0)

Anonymous Coward | more than 5 years ago | (#26409921)

Just keep in mind that he's not wearing hockey pants.

If the fix works. . . (5, Interesting)

merrickm (1192625) | more than 5 years ago | (#26409479)

Why not just give the code to the FBI and let them turn it on? I'm sure they'd be more than happy to. Or ask them for immunity on this point. It's not like the Feds don't want this thing gone as much as anyone.

Re:If the fix works. . . (1)

OverlordQ (264228) | more than 5 years ago | (#26409609)

<tinfoilhat>Maybe it's the FBIs Botnet! OHMYGOOSES!</tinfoilhat>

Re:If the fix works. . . (1)

Muckluck (759718) | more than 5 years ago | (#26409819)

No, it is definitely not our, um I mean their, botnet. Nothing to see here. Just move along..

Re:If the fix works. . . (0)

Anonymous Coward | more than 5 years ago | (#26409611)

Since when can the FBI grant immunity to German citizens? There are other countries than the USA and they are - this might be shocking - independent.

Re:If the fix works. . . (1)

99BottlesOfBeerInMyF (813746) | more than 5 years ago | (#26409813)

Since when can the FBI grant immunity to German citizens?

Why would they need to? It's not illegal to write the code in Germany, just to run it. They can almost certainly give the code to the FBI who can run it in the US without too much legal risk. Back in the day researchers at my company broke into a botnet that was DDoSing Danish cable networks rather incompetently. Once our research was done we handed our access over to the Danish authorities and they took action to shut it down, something that we could not do without incurring risk of litigation.

Re:If the fix works. . . (2, Informative)

Anonymous Coward | more than 5 years ago | (#26409845)

It IS illegal even to write or distribute such code thanks to the infamous § 202c StGB.

Re:If the fix works. . . (0)

Anonymous Coward | more than 5 years ago | (#26409615)

Why not just give the code to the FBI and let them turn it on?

The FBI are the ones running the botnet.

Re:If the fix works. . . (0)

Anonymous Coward | more than 5 years ago | (#26409681)

...unless the feds really run the Storm botnet...

Quick spread the word! The vans... I can hear them coming.

*dashes away*

Re:If the fix works. . . (0)

Anonymous Coward | more than 5 years ago | (#26409707)

Why not just give the code to the FBI and let them turn it on? I'm sure they'd be more than happy to. Or ask them for immunity on this point. It's not like the Feds don't want this thing gone as much as anyone.

Considering where they're from, I'd expect them to turn it over to BSI (http://www.bsi.bund.de/english/index.htm), if anything :)

Pfft... (2)

Neoaikon (1313119) | more than 5 years ago | (#26409481)

You know, if I had suddenly discovered a way to take down a botnet, I wouldn't have said S*** and just dismantled it.

Re:Pfft... (1)

geekmux (1040042) | more than 5 years ago | (#26409557)

You know, if I had suddenly discovered a way to take down a botnet, I wouldn't have said S*** and just dismantled it.

Awww, c'mon, it's only Slashdot. Just a small band of merry geeks here, nothing to see...

If it makes you feel better, I won't tell.

Re:Pfft... (5, Funny)

gzipped_tar (1151931) | more than 5 years ago | (#26409683)

The guys who found the "cure" for Storm Worm are university students. They did the research using the university's facilities. They have to follow the university's regulations and everything they do is pretty open to the public. Had they just triggered the switch and taken over, the university might have found itself in legal trouble.

Unless one of them happens to be Batman.

Diseases (0, Offtopic)

gmuslera (3436) | more than 5 years ago | (#26409491)

Those people (computers) are sick; they might even be scared if you told them so, and very willing to take a vaccine. So, what if you do that without telling all of them?

It can be seen from another point of view. The botnet is already there. It is already taking orders from people who definitely should not be trusted. What if someone who could possibly be trusted added some extra order to that process?

On the other hand, the botnet owners could decide that it would be better to erase the evidence (and the infected people's machines in the process) and put the blame on the ones who announced they would clean up that mess... and of course, start a new botnet on new machines without that vulnerability, lowering profits for a while but feeling untouchable afterwards.

Re:Diseases (1)

davolfman (1245316) | more than 5 years ago | (#26409787)

Unfortunately, anyone telling you your computer is infected through digital channels wants to infect it. Working through official channels would take a long time.

Re:Diseases (1)

WTF Chuck (1369665) | more than 5 years ago | (#26410007)

On the other hand, the botnet owners could decide that it will be better to erase the evidence (and the infected people's machines in the process) and put the blame on the ones who announced that they will clean up that mess... and of course, start a new botnet on new machines without that vulnerability, lowering profits for a while but feeling untouchable after.

But the machines whose drives were erased "hadn't been cleaned yet". That would also be good for the repair shops getting paid to reinstall the OS and set up firewalls to help prevent such a thing from happening in the future. Sounds like a win-win-win situation: machines get removed from the botnet, techs get paid, ISPs have lower bandwidth utilization.

A simple little primer could also be given to people getting their machines fixed:
1. That is not a nude picture of <Hot Celebrity Name Here>, it is a virus.
2. You do not need to update your flashplayer or whatever to view that video you got a link to in your e-mail from some random stranger. The video does not exist, the update they are trying to push on you is a virus. If you truly need to update your flashplayer or whatever, you will be provided a link to the official site, but google for the correct site anyway.
3. There is no rich prince in Nigeria that needs your help, it is just some scammer trying to get your money.
4. Your bank is not e-mailing you wanting you to update your account information, if you really think that it is your bank, look up their number in the phone book and call them first to verify.
...

Law (0, Offtopic)

dimethylxanthine (946092) | more than 5 years ago | (#26409511)

process would fall foul of the law

Slovakia is about to launch, if it has not already launched [slashdot.org], its only nuclear reactor, which has been gathering (radioactive?) dust since the Soviet era, which technically goes against its EU membership agreements.

But it's sure better than freezing to death without Russian gas... imo.

Question (4, Insightful)

vawarayer (1035638) | more than 5 years ago | (#26409589)

Some people run some botnet ops from some countries with some loose laws to gain some protection.

Is it not as easy to dismantle a freaking botnet from there?

Just more whack-a-mole (4, Insightful)

damn_registrars (1103043) | more than 5 years ago | (#26409639)

If you manage to disable the Storm botnet, someone will just create better botnet software. The end result is just a better botnet.

If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someones jollies, but because it is profitable to have a botnet. If you remove the profit motive the botnet will self-disassemble over time.

Re:Just more whack-a-mole (1)

DaveV1.0 (203135) | more than 5 years ago | (#26409695)

Of course, if the writers of the storm botnet software read slashdot, they may be busy writing a better botnet to neutralize the vulnerability found and published.

Re:Just more whack-a-mole (4, Funny)

Anonymous Coward | more than 5 years ago | (#26409853)

Don't be silly. If they read Slashdot, they certainly aren't going to have RTFA, so how are they going to know what the vulnerabilities actually *are*?

Re:Just more whack-a-mole (4, Insightful)

eln (21727) | more than 5 years ago | (#26409773)

If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someones jollies, but because it is profitable to have a botnet. If you remove the profit motive the botnet will self-disassemble over time.

And how do you propose we do that? Spam is profitable even when only one in 10,000 people respond to them, so how do you stop something like that? People have been building better and better spam filters for years, and more and more effort has been spent on educating people about the various scams, and yet spam is STILL profitable enough to illegally hack thousands of computers in order to send it out.

Saying all we have to do to stop botnets forever is remove the profit motive is like saying all we have to do to stop drug smuggling or illegal immigration or home burglaries is to stop the profit motive. Sounds simple, but virtually impossible in practice.

Re:Just more whack-a-mole (5, Insightful)

damn_registrars (1103043) | more than 5 years ago | (#26409891)

Spam is profitable even when only one in 10,000 people respond to them

Spam makes for an excellent case study in the problem, more on that in a moment.

People have been building better and better spam filters for years

Filters will never solve the spam problem. I have said that before, and I will continue to say it until people start to realize the reality of the situation.

Build better filters, and spammers will send better spam.

You have to remove the profit motive.

And a fair portion of botnet activity is spam-driven or spam-propagating. So if we work on the spam problem, the botnet problem will diminish.

And there is one angle in particular that is available for stopping spam:

  • The damned registrars

If you look at spam messages, you'll see that the vast majority of them ask you to go to domains that are on the order of days old, and seldom remain up for more than a few weeks. This is because registration of domains is too easy, with too little liability anywhere along the way.

Spamming and spamvertised domains are registered at a bewildering rate 24/7. And most of them are registered with bogus information to boot. We need a few things to hinder this:

  • Registrars need to sell domains only against valid registration data
  • Registrars that willingly sell domains to spammers need to be punished swiftly and severely
  • ISPs that willingly offer services repeatedly to spammers need to face the same

If the virtual storefronts selling the v!@gr@ are shut down promptly, and proper impediments are put in place to hinder their creation, spam will become less profitable. The owners of the spamvertised domains can only afford to pay the spammers for their services as long as they are still selling products.

Re:Just more whack-a-mole (0)

Anonymous Coward | more than 5 years ago | (#26410201)

Please, use paragraphs. You've got sentences down; now start bundling the related ones together. - Your readers

Re:Just more whack-a-mole (3, Interesting)

innocent_white_lamb (151825) | more than 5 years ago | (#26410311)

While your point is valid to a certain extent, there's no reason why spamvertized stuff can't be purchased from http://123.321.456.654/crap [123.321.456.654] instead of http://abcdefghijk.cn/morecrap [abcdefghijk.cn]

In fact, I'm not sure why spammers go to the trouble of registering domains. If it's just for the ease of transferring the dns record to a new ip address, why bother? Just send out a new batch of garbage with a new ip address instead.

Re:Just more whack-a-mole (0)

Anonymous Coward | more than 5 years ago | (#26410021)

Spam is profitable even when only one in 10,000 people respond to them, so how do you stop something like that?

You add "disprofits" to the system such that the expected value of spamming is less than the expected costs of the disincentives applied.

I don't claim to have the solution, but one way is to track the spammers down and extract "payment"/"retribution" from them. You could jail them, fine them, or even simply cut off their internet access. The trick, though, is that no one is bothered enough by spam to actually go through the trouble of tracking down the spammers and jumping through the hoops to get them punished. We could get law enforcement to treat spam as a serious issue. We could change our email infrastructure so that it is either harder to spam or easier to track down/cut off offenders, but most people are not inconvenienced by spam enough to bite the bullet and spend the time/money/effort/inconvenience to do so.

Saying all we have to do to stop botnets forever is remove the profit motive is like saying all we have to do to stop drug smuggling or illegal immigration or home burglaries is to stop the profit motive.

Exactly. We employ a full time professional police force to track down thieves and drug smugglers. We have no hesitation at throwing stacks of money at law enforcement. Because we disincentivize theft, we see less theft than if we didn't, and for most people the thought of being burgled is something that they rarely have to think about.

We don't put the same amount of effort behind eliminating spamming, because we simply don't care as much. I'm not saying that we'd ever be able to completely get rid of spamming, but we could probably knock it down to much lower levels, rather than it being something people have to deal with every day.

Re:Just more whack-a-mole (4, Insightful)

RandomUsername99 (574692) | more than 5 years ago | (#26409877)

Could you explain what you mean by removing the profit motive? Though I may be missing something, I think that you might be oversimplifying things here.

I'm not really sure that it's any more realistic to try and make spamming unprofitable than it would be to make any other successful form of marketing unprofitable, let alone one that is almost free.

We could just as easily say that the solution to stopping welfare abuse would be to remove the financial incentive to do so... but without actually suggesting anything useful to come to that end, it's a pretty useless comment.

Re:Just more whack-a-mole (1)

damn_registrars (1103043) | more than 5 years ago | (#26409951)

Could you explain what you mean by removing the profit motive?

I explained it in more detail above [slashdot.org]

But the short answer is the profit motive for the botnet is largely tied in to the profit motive for spamming. The answer therefore is to remove the profitability of spamming, or more so to remove the profitability of the spamvertised businesses (both those directly [merchants] and indirectly [registrars and ISPs] profiting from the spam-generated business). If the spamvertised business is no longer making money then they will no longer pay the spammer (botnet operator) and the motive to maintain the botnet will dry up.

Re:Just more whack-a-mole (4, Funny)

_Sprocket_ (42527) | more than 5 years ago | (#26410025)

If you want to stop the botnet, you need to remove its incentive. The botnet operates not for someones jollies, but because it is profitable to have a botnet. If you remove the profit motive the botnet will self-disassemble over time.

By Jove, I think you've got it! All we need to do is remove the incentive and crime just fades away! I wonder why nobody's thought of that before.

Question (2, Funny)

Anonymous Coward | more than 5 years ago | (#26409737)

After you decode it with base 64 how do you open it? do you just rename it to .c and open it with VS?
if not then how?

Re:Question (0)

Anonymous Coward | more than 5 years ago | (#26409879)

For me, base64 decoding (base64 -d -i) just produces garbage. :(

Re:Question (1)

niteice (793961) | more than 5 years ago | (#26410057)

I think it's bzipped, I'm not on a machine with file(1) available to test.

Re:Question (2, Informative)

niteice (793961) | more than 5 years ago | (#26410095)

disregard above post.

base64 decoding gives a bzipped tarball, decompress with your favorite utility.

HOWEVER, it is obviously Windows-specific, uses the Win32 API to install itself and - I think - replace the Storm code in-place.

Re:Question (3, Informative)

nostrad (879390) | more than 5 years ago | (#26410107)

base64 -d | bzip2 -d | tar -x

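The decode chain in the comments above (base64 decode, then bzip2, then tar) is the kind of step where guessing goes wrong: the first poster saw "garbage" because a bzip2 stream is not text. Below is an added example, not the researchers' tool and not code from the Heise article, that does what file(1) would have told them: it sniffs the leading magic bytes after base64 decoding before picking a decompressor, and then lists the archive members without writing anything to disk. It also flags members that start with the "MZ" PE header, since the poster above notes the payload is Windows-specific, and refuses tar entries with absolute or traversal paths, which you should always do with an archive from an untrusted source. The sample archive is constructed inline; the names build_sample_b64, identify, unpack and windows_binaries are this example's own.

```python
import base64
import bz2
import io
import tarfile

# Constructed test data: a tiny tar with one text file and one fake PE stub
# (just the "MZ" magic plus padding), bzip2-compressed and base64-encoded the
# way the published archive was. This is NOT the real payload.
def build_sample_b64():
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in (("README", b"constructed sample, not the real tool\n"),
                           ("cleaner.exe", b"MZ" + b"\x00" * 62)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return base64.b64encode(bz2.compress(raw.getvalue())).decode("ascii")

# Leading magic bytes for the containers you are likely to meet after a
# base64 decode. Checking these first is what file(1) does for you.
MAGIC = (
    (b"BZh", "bzip2"),
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),          # bare Windows executable, no archive at all
)

def identify(blob):
    """Classify decoded bytes by leading magic; 'unknown' if nothing matches."""
    for magic, kind in MAGIC:
        if blob.startswith(magic):
            return kind
    return "unknown"

def decode_and_identify(b64_text):
    """base64-decode and report what came out, without trying to unpack it."""
    return identify(base64.b64decode(b64_text))

def is_safe_member(name):
    """Reject absolute paths and '..' components so an attacker-supplied tar
    cannot escape the directory it would be extracted into."""
    if name.startswith("/") or name.startswith("\\"):
        return False
    return ".." not in name.replace("\\", "/").split("/")

def unpack(b64_text):
    """base64 -d | bzip2 -d | tar -x, done in memory with a magic check and
    path filtering. Returns {member name: bytes} for regular files only."""
    blob = base64.b64decode(b64_text)
    kind = identify(blob)
    if kind != "bzip2":
        raise ValueError("expected a bzip2 stream after base64, got " + kind)
    tar_bytes = bz2.decompress(blob)
    members = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar:
            if not m.isfile() or not is_safe_member(m.name):
                continue
            members[m.name] = tar.extractfile(m).read()
    return members

def windows_binaries(members):
    """Names of extracted members that carry a PE ('MZ') header."""
    return sorted(name for name, data in members.items() if data.startswith(b"MZ"))

if __name__ == "__main__":
    sample = build_sample_b64()
    print("decoded payload looks like:", decode_and_identify(sample))
    files = unpack(sample)
    print("members:", sorted(files))
    print("PE binaries (do not run these):", windows_binaries(files))
```

The point of the identify step is that a wrong guess is cheap to detect: a bzip2 stream always starts with "BZh", so if that is not what you see, bzip2 -d will simply fail and the problem is upstream (a truncated paste, wrong base64 variant). The PE check is a reminder that what comes out is a Windows binary for a research tool; inspect it in a disassembler or a throwaway VM, not on the host you decoded it on.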
I am glad I use a Mac (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26409863)

I am glad I use a Mac. It's nice to be completely immune to this stuff that the Windows and Linux users deal with minute by minute.

No such thing as a Storm botnet, or any for that matter on OS X.

Re:I am glad I use a Mac (2, Insightful)

Yvan256 (722131) | more than 5 years ago | (#26410065)

While OS X, Linux and others are inherently more secure than an unpatched Windows, the user is still the weakest part of the whole setup.

Wait until we get enough dumb users who install all sorts of shit onto their computers. Granted, the numbers will be much lower than machines which can get infected without any interaction by its owner, but we WILL get users dumb enough to type their password to install "stupid program XYZ" from unknown sources.

Not against the law (1)

misterjava66 (1265146) | more than 5 years ago | (#26409901)

It would not be against the law to destroy the Storm botnet as part of a gov't directed national security project. The latitude to take action under those sorts of circumstances is EXTREMELY broad.

let them all die their natural death (1)

SMOKEING (1176111) | more than 5 years ago | (#26410149)

Remembering a most preposterous occurrence of a game-key-stealing trojan on a flash drive that got lifted to the ISS, and the more recent one of a hospital's IT succumbing to some other malware.

How smart-alecky one would look if he takes on this problem thusly: Let all the windows ecosystem die its natural death and take all the botnet scum with it. Or does it take an ueberinsightful, astutely daring sci-fi fellow to see it as one efficient remedy to the dullest problem of modern age?

The analyze report (1)

ouchast (1234508) | more than 5 years ago | (#26410309)

Does there exist a detailed report from the analysis anywhere? I'm thinking about the reversing part now.