Storm Worm Rising

The Storm worm has been an increasing problem in the last few months, but a change in tactics may mean something big is going to happen. The article discusses a bit of back story about the worm, including the somewhat frightening numbers about the millions of spam emails carrying the worm payload. They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.
  • by IndieKid ( 1061106 ) on Wednesday August 08, 2007 @11:37AM (#20157299) Journal

    They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.
    0.25 to 1,000,000 is a pretty large range.

    Seriously though, how does one go about estimating these numbers? Is it something as simple as an estimate of what proportion of infected e-mails are expected to result in an infected desktop? I doubt that would give a very accurate figure.
    • 250,000. Quarter of a million. Typo.
      • by Slarty ( 11126 )
        Speaking of typos, I find it funny that the crack editorial staff of Network World managed to let a typo slip through in the *2nd word* of the article. All fear "the swifly spiking onslaught of the Storm Worm!"
        • Re: (Score:2, Funny)

          by Qzukk ( 229616 )
          All fear "the swifly spiking onslaught of the Storm Worm!"

          It's product placement for Swiffer dusters, able to swifly swiff up dust, viruses and worms.
      • VOOOOOOOOOOOOOSH
    • by strongmace ( 890237 ) on Wednesday August 08, 2007 @11:48AM (#20157511)
      Article says how they are calculated:

      "Joe Stewart, senior security researcher at managed security company SecureWorks, at the Black Hat conference. .....

      From the number of infected machines he's found, Stewart estimates that the Storm botnet could comprise anywhere from 250,000 to 1 million infected computers. And that raises questions, along with eyebrows."
      • Re: (Score:2, Insightful)

        by IndieKid ( 1061106 )
        Yeah I just read that. If 20 million e-mails (according to Joe Stewart in the article) have been found and he estimates that 250k to 1m machines are infected, that implies that somewhere between 1 in 20 and 1 in 80 of the machines he's looked at are infected. I'm assuming somewhere in the middle is what he actually discovered before applying a margin of error - so 1 in 50. I wonder how many machines he actually checked? 50? 500? Were these machines known to have received the e-mail or just random machines?
    • by httptech ( 5553 ) on Wednesday August 08, 2007 @11:56AM (#20157627) Homepage
      The estimate is based on the number of unique IPs we've seen attacking networks we monitor, coupled with our knowledge of how the Storm botnet works. We've seen up to 100,000 bots sending the attack (the ecard spam) in a single day. Storm is a multi-tiered botnet, meaning that not all the bots are tasked with sending the emails. Some are supernodes (first-tier), designed to serve up the ecard executables via HTTP and facilitate communication between the regular (second-tier) nodes. Another factor is that some second-tier nodes will never be seen attacking, since they may be behind firewalls that block port 25 outbound or at an ISP that is doing SMTP blocking, so they may be part of the botnet but difficult to count.

      In reality, the only source that can give you a precise count for the Storm botnet is the Storm controller - and he/she's not talking. So we do the best we can at estimating its size given the data available.
      • by Anonymous Coward
        ...until software companies are forced to include normal consumer warranties (as in suitable for purpose, ability to access the internet with better security out of the box) and until individual zombie owners can get charged with "maintaining an attractive nuisance". The software sellers don't give a crap, as they have zero liability because of their ridiculous EULA and because the law lets them get away with it, and big corporations are scared to sue the 800 lb gorilla over this issue obviously-buncha pan
    • Seriously though, how does one go about estimating these numbers?
      • 1. Roll 2D6
      • 2. Take the number rolled, and multiply it times the number of worm messages that have arrived in your inbox.
      • 3. If your computer is actually infected, square the result.
      • 4. Play a game of Solitaire
      • 5. Add your final score to the result
      • 6. Divide the result by your Boss's vigilance.
      • 7. Make a saving throw against discovery, and multiply the result by 1000
      • 8. Round up to the nearest 100,000
      • 9. Publish
      • 10. Profit!
      Lower bounds are trickier as they will require you to actually care about what you're doing.
    • Re: (Score:3, Funny)

      by Fnord666 ( 889225 )

      Seriously though, how does one go about estimating these numbers?
      Simple really. Just call Microsoft and ask how many systems are running their OS.
  • by athloi ( 1075845 ) on Wednesday August 08, 2007 @11:39AM (#20157357) Homepage Journal
    If they can't find a way to reach customers and get them fixes for the rampant insecurity of these machines that are compromised. The silent majority of customers are getting frustrated with this sham of a performance [chron.com], and while saner heads recognize that Redmond does a lot right and some wrong, the emotional response is going to shove them out of dominance in operating systems. Maybe that's why they're better on spacy Web3.x "cloud" and "distributed OS" technologies instead of what made them big, which was getting things done the hard way consistently.
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday August 08, 2007 @11:49AM (#20157533)
      No. "The silent majority" believe that this is the way computers just "work".

      They've been shown that in countless movies and TV shows and by "experts" on the news.

      They're the ones you see claiming that Linux and Macs will have the "same problems" as their market share increases.

      With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.
      • by NickFortune ( 613926 ) on Wednesday August 08, 2007 @12:03PM (#20157721) Homepage Journal

        No. "The silent majority" believe that this is the way computers just "work".

        More accurate, perhaps, to say that they think this is just the way computers don't work.

        There was a program on last week where they had a collection of self proclaimed grumpy old women listing things they hated about computers - and you know what? Every single complaint was not about computers per se, but about Microsoft software.

        There's got to be an opportunity in there somewhere for the FOSS movement. Imagine if we could convince the "I hate computers" brigade that what they mainly hate is Microsoft ...

        With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

        That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.

        • With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

          Response: That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.

          True. I'd say the long, dark tunnel from XP to Vista has a few side corridors.
      • No. "The silent majority" believe that this is the way computers just "work". They've been shown that in countless movies and TV shows and by "experts" on the news. They're the ones you see claiming that Linux and Macs will have the "same problems" as their market share increases. With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

        I don't think that's quite the case any more. Many of the people

      • Re: (Score:3, Funny)

        by Mr. Flibble ( 12943 )

        With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

        Well, it is changing it for me! I got an ecard from "friend" and I downloaded the exe on my iMac, and it won't work. I could not see the card. I tried again on my Red Hat Enterprise 4 server, and even after chmod +x *AND* running as root with X windows going, the card would not open.

        That is the last straw for me! I can't get cards from my "friend". I a

      • by Stefanwulf ( 1032430 ) on Wednesday August 08, 2007 @02:10PM (#20159781)

        They're the ones you see claiming that Linux and Macs will have the "same problems" as their market share increases.
        Out of curiosity, what aspects of the OSX/BSD and Linux architectures are going to stop:
        • An uneducated user from executing a binary file they download from a URL they are given
        • A process that user is running from executing further code with that user's privileges
        • That user's processes from making outbound TCP/UDP connections
        • That user's processes from accessing an SMTP server to send emails
        • A user from configuring a process to run on logging in
        By my thinking, that's really all that's needed for a botnet to work on a given platform. I am certainly ignorant of many details regarding the BSD/Linux kernels and I stand ready to be corrected, but I believe I've seen all those things happening individually as part of day to day user life on my linux box.
    • by jpop32 ( 596022 ) on Wednesday August 08, 2007 @01:24PM (#20159077)
      If they can't find a way to reach customers and get them fixes for the rampant insecurity of these machines that are compromised.

      WTF are you talking about? RTFA, please. If you actually did that before fanboying around, you'd notice that the program in question is not a worm at all, but a trojan. The user has to manually run the attachment, probably clicking through a couple of dialogs practically begging him not to. But, since the user really, really _wants_ to see the cute kittens, or a naked celebrity, or whatever the trojan claims to be, the trojan will be run. No OS can defend against the user being a sucker.

      So, move along, please. Your tirade is totally off topic here.

    • Microsoft's recent thing about "the cloud" might have something to do with their recent purchase of FrontBridge [google.co.uk], an "in-the-cloud" traffic filtering company. (Note the 'E' word is in the titles of most of those articles though it's not in the search...)
  • by AKAImBatman ( 238306 ) <akaimbatman AT gmail DOT com> on Wednesday August 08, 2007 @11:40AM (#20157379) Homepage Journal
    I remember freaking out 10 years ago every time I saw someone running that cutesy little "fireworks display" email attachment. Despite my best efforts, I couldn't get the users to stop unzipping and opening it*. Glad to see that things haven't changed much.

    SNAFU (Situation Normal: All F***ed Up)

    * Before I get 10 million suggestions for a decade-past issue, yes we did find more effective ways of blocking it.
  • by tttonyyy ( 726776 ) on Wednesday August 08, 2007 @11:40AM (#20157385) Homepage Journal
    Now I've got your attention worm style, click this link for more information:

    http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]
    • by neo8750 ( 566137 )
      So where is this naked teen? And why do I not see her nakedness attacking her director? Aww crap not again...
    • by Gazzonyx ( 982402 ) <scott.lovenberg@gm a i l.com> on Wednesday August 08, 2007 @12:30PM (#20158147)

      Now I've got your attention worm style, click this link for more information:

      http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]
      I'm interested in something from that wikipedia article; it mentions that the source code to storm specifically avoids infecting Windows Server 2003 boxes. Anyone know why the author would go out of his way to not hit 2K3 boxes?


      Perhaps to avoid infecting government servers (and upping the ante, if he got caught)? That's the only thing I could think of. I'm sure there's a very logical reason, but I have no idea what it might be.

      • Anyone know why the author would go out of his way to not hit 2K3 boxes? ... I'm sure there's a very logical reason, but I have no idea what it might be.

        Well, all "windows server reliability" jokes aside, it could just be that the author's code had some issues running as expected on the 2003 server machines (due to some behaviour in that version of the OS as opposed to other versions), that perhaps he/she didn't feel like debugging or figuring out.
      • Re: (Score:3, Insightful)

        by anilg ( 961244 )
        My best guess is related to the way security companies work (the pay-per-problem model).

        The companies that care enough about their security issues are those with critical servers, and many of these use win 2K3.

        Storm affecting these boxes would mean quicker detection of the virus, and lesser migration. Without these (and with users who don't update anti-virus signatures very regularly), the virus has a greater potential of spreading. Of course, the author didn't imagine Storm would be this popular, and that t
  • worth worrying about (Score:4, Interesting)

    by esconsult1 ( 203878 ) on Wednesday August 08, 2007 @11:41AM (#20157393) Homepage Journal
    As the publisher of two fairly popular websites, this is something to worry about. Recently all our sites spread across a few dedicated servers in one data center were down. Not because of a direct DDOS attack, but because of a peripheral attack which swamped the network infrastructure at the center. Really, if these guys decided to do more frequent DDOS attacks, anyone could be a target and calling the FBI is cold comfort since in the meantime your sites are down and out.
    • Catalyst for change? (Score:4, Interesting)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday August 08, 2007 @12:02PM (#20157719)
      Let's look at DDoS attacks.

      #1. Spoofed IP addresses - not that common anymore. It used to be that you'd tie up a machine by having it send replies to machines that did not initiate the connection. There is a simple solution to this. Anyone assigned a block of IP addresses has to make sure that all outbound traffic references IP addresses on that block.

      #2. Thousands of machines eating up your bandwidth - the most common type now. This is where the zombie army each makes continued requests of your machine. For webservers, they can request a page over and over and over until they use up all your bandwidth and legitimate visitors cannot get through. This is more difficult to fix. It can partially be handled by blocking the range of addresses that host the zombies. Such as Comcast and Verizon and so forth. There are more complicated attacks. Such as sending half a request.

      There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.
      • by neo8750 ( 566137 )

        There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.

        I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages. I mean oth

        • I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages. I mean other than the whole aww factor this plan will work.

          Why wait?

          Why not take a few pro-active measures? Such as emailing all your clients with the new rules and offering to assist them in evaluating their systems ... automatically?

          hell i personally c

          • by neo8750 ( 566137 )

            I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages. I mean other than the whole aww factor this plan will work.

            Why wait?

            I never said it shouldn't be put into effect; I said the only real problem is the whole "aww poor them" factor and we know that can be looked over easily especially when you slap them

        • by jpop32 ( 596022 )
          I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages.

          Well, maybe they will then realise that a computer can be a nuisance for others, and learn to treat it as such. Owning a computer is a responsibility.

          I have been in favour of some form of punishment for zombied computers for some time now. You would be fined with
      • There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.

        people do not take responsibility for their anything that involves computers. evar. people don't take responsibility for their actions on the computer (i did not delete it! the computer just ate it!), they don't take responsibility for the computer itself (how does

      • by Leto-II ( 1509 )

        #1. Spoofed IP addresses - not that common anymore. It used to be that you'd tie up a machine by having it send replies to machines that did not initiate the connection. There is a simple solution to this. Anyone assigned a block of IP addresses has to make sure that all outbound traffic references IP addresses on that block.

        There might be a simple solution to #1, namely ingress/egress filtering as you suggest, but it's not very effective unless deployed nearly everywhere. Anywhere that doesn't use filtering can be used to basically spoof anywhere. Plus, according to results from the Spoofer Project at MIT [mit.edu], even those networks where there is some level of ingress/egress filtering are able to spoof large amounts of IP addresses. Note the percentages in those results are percentages for hosts which do encounter some filtering.

  • More information (Score:5, Informative)

    by apachetoolbox ( 456499 ) on Wednesday August 08, 2007 @11:42AM (#20157419) Homepage
    http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]

    ...names ranging from "postcard.exe" to "Flash Postcard.exe,"...

      Shouldn't everyone be blocking .exe attachments at the MTA? Also look for a service running called wincom32 on infected machines.
    • NO! (Score:5, Insightful)

      by everphilski ( 877346 ) on Wednesday August 08, 2007 @11:47AM (#20157491) Journal
      Shouldn't everyone be blocking .exe attachments at the MTA?

      NO! It's annoying enough that Google rapes through my .zip files looking for .exe's.

      If I'm working on a C++ program at work and zip it up and gmail it home (lock the computer while it uploads) and forget to 'make clean' ... I don't get my code. I know it's nitpicky and a make clean or a thumb drive will cure my problems, but I'm forgetful, which tends to preclude both.
      • Re:NO! (Score:4, Interesting)

        by dr_strang ( 32799 ) on Wednesday August 08, 2007 @11:55AM (#20157611)
        Try password protecting your zip file.
        • Re:NO! (Score:4, Informative)

          by dark-br ( 473115 ) on Wednesday August 08, 2007 @12:13PM (#20157897) Homepage
          It makes no difference whether you password protect them or not, since no password is needed to list the zip file's contents. You only need the password to correctly extract the files.

          I've just switched to using RAR and as for now Google is leaving my attachments alone...

          M Addario
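An added example, not from this thread or any project mentioned in it: a small Python reader that walks a ZIP's central directory the way a mail filter could, showing that entry names and the encrypted flag are readable without the password. The archive, its file names and the blocked-extension list are constructed for the example; because the standard library cannot write password-protected ZIPs, the script only sets the encryption flag bit, which is all the listing logic depends on.

```python
"""Inspect a ZIP attachment's listing without extracting it.

Added example (not from the thread): demonstrates that a password-protected
ZIP still exposes its file names, because the central directory (names,
sizes, flag bits) is never encrypted; only entry data is. A mail gateway
can therefore flag executables inside encrypted ZIPs by name, while any
encrypted entry data (including a nested archive) stays opaque to it.
"""
import io
import struct
import zipfile

# Extensions a gateway might refuse; constructed list for this example.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")

EOCD_SIG = b"PK\x05\x06"      # End Of Central Directory record
CENTRAL_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"     # local file header
FLAG_ENCRYPTED = 0x0001       # general purpose bit 0


def _central_headers(data):
    """Yield (offset, flags, name, local_header_offset) per central entry."""
    # The EOCD record lies within the last 22 + 65535 bytes (fixed part plus
    # the maximum archive comment), so search backwards from there.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if eocd < 0:
        raise ValueError("not a ZIP archive: EOCD record missing")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        # 46 fixed bytes: sig, made-by, needed, flags, method, time, date,
        # crc, csize, usize, name_len, extra_len, comment_len, disk,
        # internal attrs, external attrs, local header offset.
        hdr = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        flags, name_len, extra_len, comment_len = hdr[3], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        yield pos, flags, name, hdr[16]
        pos += 46 + name_len + extra_len + comment_len


def list_entries(data):
    """Return [(name, is_encrypted)] read purely from the plaintext directory."""
    return [(name, bool(flags & FLAG_ENCRYPTED))
            for _, flags, name, _ in _central_headers(data)]


def flagged_names(data):
    """Names a gateway filter would reject, visible even if every entry is encrypted."""
    return [name for name, _ in list_entries(data)
            if name.lower().endswith(BLOCKED_EXTENSIONS)]


def build_sample_archive():
    """Constructed sample: a text file beside a text file with an .exe name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "meeting notes, nothing to see here")
        zf.writestr("Flash Postcard.exe", "placeholder bytes, not an executable")
    return buf.getvalue()


def mark_encrypted(data):
    """Set the encrypted flag on every entry (local and central headers).

    Simulation only: real ZipCrypto would also scramble the entry data, but
    it leaves the central directory exactly as readable as it is here.
    """
    out = bytearray(data)
    for cd_pos, _, _, local_off in _central_headers(data):
        if out[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("local header signature mismatch")
        out[local_off + 6] |= FLAG_ENCRYPTED   # local header: flags at +6
        out[cd_pos + 8] |= FLAG_ENCRYPTED      # central header: flags at +8
    return bytes(out)


def demo():
    """Listing works on the 'protected' archive; extraction does not."""
    protected = mark_encrypted(build_sample_archive())
    listing = list_entries(protected)
    flagged = flagged_names(protected)
    with zipfile.ZipFile(io.BytesIO(protected)) as zf:
        names = zf.namelist()          # stdlib lists names without a password
        try:
            zf.read("notes.txt")       # ...but refuses to extract without one
            extract_blocked = False
        except RuntimeError:
            extract_blocked = True
    return listing, flagged, names, extract_blocked


if __name__ == "__main__":
    print(demo())
```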

        • As a sibling pointed out, that won't work. But you can nest an un-passworded "mycode.zip" inside a password-protected "wrapper.zip" file. Spam filters will see that wrapper.zip contains mycode.zip (because Zip's stupid encryption (hah!) doesn't protect its content list), but won't be able to examine mycode.zip.

          Alternatively, use GPG and go forward.

        • tac yourarchive.zip > reversed.zip

          attach reversed.zip, download remotely and then

          tac reversed.zip > yourarchive.zip

          works perfectly :) ***

          ***"man tac" if you're unaware of it
      • Re: (Score:2, Interesting)

        Actually, if they are clever enough to scan the zips, maybe they could be clever enough to just filter the exes out, leaving the rest.
        It annoys me as well; the number of zips I have lying around called .aaa, .abc, .bmp because of this is stupid.

        Maybe - just maybe - google could consider allowing zips to account users who have specified it as a preference (default block as currently occurs).
        • Maybe - just maybe - google could consider allowing zips to account users who have specified it as a preference (default block as currently occurs)

          Especially when a user is sending it to himself :) I mean, what, am I trying to infest myself with a virus?
      • Re: (Score:3, Informative)

        by cyfer2000 ( 548592 )
        I use 7zip.
      • They don't (or didn't, as of the last time I sent myself an executable - within the last year) scan RAR or 7Zips for executables. Also, they won't check a doubly encapsulated archive; if you RAR or 7zip or gzip the folder, and then zip that, you should be fine. The best method is to use a lower compression method on the folder first (zip or gzip), and then encapsulate it with an archiver that uses a larger library (like 7zip or bzip2). This will keep it from 'bloating' on the second compression.
      • by oglueck ( 235089 )
        You're honestly abusing email as kind of a SCM tool? Creative...
        • 2.8 gigs of space ... why not? :) Submitting it automatically tags it with a time and date and stores it where you can get to it 99.99% of the time. And as I mentioned elsewhere, I tend to be scatterbrained, and misplace/forget my thumb drive, so it's nice to have it a website away. The particular pet projects I'm working on, I'm not paranoid about someone getting a hold of, so I really don't give a crap about having the code on a web mail account.

          I did this extensively while working on my masters, now p
      • Re: (Score:2, Informative)

        by ^Case^ ( 135042 )
        Make a "package" make target that copies all relevant files into a package directory, zips the directory and ships off the mail. If you're using OS X or another un*x variant you can do all this with a single make target.

        Why you aren't using version control is another question.
      • Simple answer:
        Use FTP and quit abusing email. If you are working in an environment where you are coding for a living, my guess is that you can harass the IT folks into setting up an FTP server and access for you.
      • Get a secure file host or use YouSendIt [yousendit.com] (SSL supported).
    • by just_another_sean ( 919159 ) on Wednesday August 08, 2007 @03:35PM (#20161187) Journal
      The examples I've seen of this don't have an attachment. It's a "click here! to view your postcard!" link in the email. Clicking the link takes you to a site that says something like "We're trying a new feature on our site, please click here if you do not see your postcard". This link is then to an executable which of course prompts you to download or run. It seems to me you'd have to be pretty naive or just plain stupid to click through to the point of infection but I'm guessing a lot of people do...

      For me the biggest problem with these is that there is no attachment for AV to pick off and there is hardly any text and no real advertising in the email so our spam filters don't block it either.
  • "Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam."

    For spam, a million-strong botnet might be overkill. But botnets can do much more - like launching denial-of-service attacks. These attacks aim to overwhelm a Web site or Internet server by sending it a constant stream of garbage data at a particular Web site or Internet server.

    So the question is, who is controlling these botnets and why? DDoS attacks can be pretty useful if someone wants to get a point across or to extort money from someone or some company. It will be interesting to see if they can trace it back to the source.

    • by ktappe ( 747125 ) on Wednesday August 08, 2007 @01:01PM (#20158693)

      "Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam." For spam, a million-strong botnet might be overkill. But botnets can do much more - like launching denial-of-service attacks.
      So the question is, who is controlling these botnets and why?
      It is possible that the creators of this worm did not have any idea how successful they would be. They may have figured they'd get 5,000 PCs, not 500,000. Now suddenly they have a monster by the tail and are not sure what to do with it.
    • by ben0207 ( 845105 ) <ben.burton@g m a i l . com> on Wednesday August 08, 2007 @11:49AM (#20157519)
      No fukcing way am I going anywhere near a site called Team Furry.

      The goggle really might do nothing.
    • by jollyreaper ( 513215 ) on Wednesday August 08, 2007 @11:57AM (#20157633)

      http://www.teamfurry.com/wordpress/2007/07/19/sunshine-on-a-stormy-day/
      I'm too scared to look. On a scale of goatse to tubgirl, how's it rate?
      • You know, you have to admit that would be one upside to being furry: it hardens you to just about anything, and it does it quick.

        Hm. You know, I thought I'd made a poor choice of words (I should've said "inured" you to anything) but, to judge from most furries I've seen, I was probably right the first time.
        • You know, you have to admit that would be one upside to being furry: it hardens you to just about anything, and it does it quick.

          Hm. You know, I thought I'd made a poor choice of words (I should've said "inured" you to anything) but, to judge from most furries I've seen, I was probably right the first time.

          I still remember how I discovered one of my best friends in high school was a furry. I was doing a global search on his computer to find a file and ended up with a picture of two gay mice engaging in hardcore bdsm. Fucking Christ, warn a person, will ya? I could handle the gay part but you add furry to it and it all goes downhill. He's probably into pedo vore by now.

    • Anyone care to verify this? I'm not about to download an exe that's "supposed" to remove a nasty virus. No offense apachetoolbox.
  • that is why (Score:5, Funny)

    by clubhi ( 1086577 ) on Wednesday August 08, 2007 @11:45AM (#20157463)
    That is why I always do my online banking BEFORE I browse for porn
  • by Novae D'Arx ( 1104915 ) on Wednesday August 08, 2007 @11:47AM (#20157481) Homepage Journal
    I dunno - maybe this is what we need ~ a botnet big enough to do some real damage could actually catalyze some public awareness. Imagine if they DDoS'd MS, or Amazon, heck, Google? Maybe these guys (esp. Google) could handle this kind of slamming, but they've got lobbyists now. I really wouldn't mind seeing a well-funded FBI task force with the express purpose of rooting out botnets and going after their creators. Yeah, yeah, most of them are not on US soil. I know. However, imagine legislation that actually required the disconnection of infected bots from an ISP until it was cleaned, and a public awareness campaign that painted users who allow this to happen as idiots, and the ISPs as protectors of the rest of the internet users. Most people are concerned that there would be a backlash against the ISPs and they would stop complying for fear of loss of business, but that's where the legislation comes in. It's a quarantine situation - just like IRL, if you've got something nasty and contagious, the CDC can legally quarantine (forcibly, if you're an idiot like the TB guy) you because you're endangering the lives of others by going out and exposing them. Same thing here - don't give the botnets a chance to expand, cut them off, force a windows-cleaning (ISPs could offer a cleanup disk, $5.95 plus tax, or something, to help make it worth it for them - don't want to hurt the small ISPs, even though I think TW and the rest are bastards), and let them reconnect afterwards. Simple, painless, and will definitely make sure people learn their lesson for next time.
    • Being jaded I see only the chance for broken legislation. I see new laws making it illegal to possess or use legitimate security tools.
    • dunno - maybe this is what we need ~ a botnet big enough to do some real damage could actually catalyze some public awareness. Imagine if they DDoS'd MS, or Amazon, heck, Google?

      I can imagine it easily - 99% of the surfers denied access would simply go "damn internet" and surf elsewhere, or go do something off-net.
      • Every web page the infected connection tries to go to says: This is a message from [YourISP]. In accordance with Federal regulations, your Internet access has been temporarily suspended. Your connection has been identified as one which has the [Virus flavor of the week]. You can download a removal tool: [link here] or contact us at 800-whatever. If you prefer, you may contact us at the phone number listed on your service bill.

        Every email gets bounced/returned with the same message.

        It would work without th

        • The funny part is - in any other context Slashdot would be screaming about ISP's monitoring their traffic and/or vigilante justice (being susceptible to abuse as it is).
    • by fotbr ( 855184 )
      And when $ISP decides they'll only support Windows $Version anyone who hasn't "upgraded" is now SOL. Thanks to monopolies and near monopolies, this will turn into a legislated "upgrade or no internet for you" money maker.

      Thanks, but no.
    • by shish ( 588640 )

      Yeah, yeah, most of them are not on US soil
      Since when has that ever stopped them? [slashdot.org]
    • by UID30 ( 176734 )
      This is most definitely not what we need. Botnets and viruses are either the result of immature over intelligence, or outright malicious criminal act. They cost real people real time/money to combat.

      The solution is neither simple, nor painless. If detection of a botnet infection is (as it is now) left to the end user, one would merely have to "not check" in order to circumvent quarantine. And let's face it ... how many users would really allow their ISP to deep scan their system for possible botnet infec
      • by jpop32 ( 596022 )
        If the problem were easily solvable, it would have been solved long ago. There is no financial incentive for Redmond to produce an invulnerable OS ...

        Barking up a wrong tree, dude.

        This thing is a trojan, OS has nothing to do with it. User decided to run the malicious program.

        But, I agree with your conclusion. Those responsible should be held accountable. Users that trojaned their machines should be cut off from the net, possibly even fined.
    • Re: (Score:3, Interesting)

      by GlL ( 618007 )
      I work for a small ISP in Tacoma, WA. We tried selling a cleanup disk. It didn't work because a $9.95 disk cost us 1 hour of phone support per computer on average. The reality is that most of our customers who get infected aren't technically savvy enough to install and run anti-malware software. We now have a flat-rate tech bench fee of $89 to clean up the computer. We still lose money on the deal, but not as much.
      What technically minded people in general forget is that most users want their security soluti
  • From the article:
    > For spam, a million-strong botnet might be overkill.
    > But botnets can do much more - like launching denial-of-service attacks.
    > These attacks aim to overwhelm a Web site or Internet server by sending
    > it a constant stream of garbage data at a particular Web site or Internet server.
    A few years back there was a spate of DDOS attacks on root servers, for example: http://www.informationweek.com/news/showArticle.jhtml?articleID=197004237 [informationweek.com] which were described at the time as "
    • by rel4x ( 783238 )
      In past years, they really exaggerated the sizes of botnets. They had a lot of trouble telling the different controllers and whatnot.
      This one, I have a feeling actually IS that large.
      Especially for a few worms, where different variants were released by different groups who bought the source code and modified it. This one quite possibly is that large.
      ALSO, 250,000 computers, while it is a massive botnet, is not truly excessive in regards to spam. Take a look at what is being filtered for nowadays. NJABL, DSB
  • We all know that the Storm botnet is a big ol' spambotnet, but what about Nugache? That's the one I'm more concerned about, as it is fairly huge and just sits there in the dark waiting!!! Has anyone identified WTH that one is prepping for yet, or are we still all in wait mode...

    Insert Scary Music Here

  • by bzipitidoo ( 647217 ) <bzipitidoo@yahoo.com> on Wednesday August 08, 2007 @12:14PM (#20157921) Journal
    Yesterday, a non-expert computer user I know sent me an email warning about emails with "postcard for you" in the subject being a carrier for the "worst virus ever". It could erase your entire hard drive!!! The histrionics convinced me it was bogus, so I blew it off. But seems there is something going on after all? That email now looks like it was deliberately timed and edited to ride the next wave of panic.
  • ...but perhaps we need a law that would require ISPs to disconnect customers with compromised computers, and inform them that they will remain disconnected until the computer(s) has been cleaned.

    We conscientious customers shouldn't have to suffer the conditions imposed on us by people who can't be bothered to take even the most simple precautions. How much better would service be without all these botnets clogging the tubes?
    • Actually Shaw cable here in western Canada already does so. A friend of mine was kicked offline for a week because one of the computers in his home network had some spyware or botnet-type trojan running on it which my friend didn't know about. He finally called the ISP wondering why the hell he couldn't get online after many days only to find out that they had disconnected his net connection without even notifying him. It seemed like a pretty harsh treatment of a customer - they didn't even let him know
  • Military? (Score:5, Interesting)

    by wytcld ( 179112 ) on Wednesday August 08, 2007 @12:25PM (#20158081) Homepage
    It's well-known that the Chinese government has an active computer warfare department. A botnet on this scale is way beyond anything needed for mere industrial blackmail. But if you wanted to bring down large chunks of some nation's Internet quickly, without the attack coming from an obvious (and blockable) source, this would be a great weapon. Let's say you wanted to disable the Internet in Taiwan, or South Korea, or Japan, or all three, just prior to military action. Or let's say you wanted to disrupt financial markets to be sure that your intentional crashing of the dollar [telegraph.co.uk] had maximal effects.
  • People who have all mail to a domain going to one gmail account (ok, me) noticed a bunch of this testing the waters looking spam leaking through the filters, one every two minutes or so, with both the subject and the body being a different short 6-10 character string of mostly numbers. No actual selling content.

    Incidentally, for Windows lusers who realize they may have been practicing unsafe computing, is there any way to tell that you've been zombified? I know some of these worms are fairly stealthy. Some
  • Had this show up (Score:3, Interesting)

    by sanjacguy ( 908392 ) on Wednesday August 08, 2007 @12:39PM (#20158305)
    We had this show up in our infrastructure. All the emails were this:

    Hi. Worshipper has sent you a greeting card.

    See your card as often as you wish during the next 15 days.

    SEEING YOUR CARD

    If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

    http://682.81.0.23/?9907cd64e28cae3d7703a3b01bdade (Poster's note: This URL has been altered to protect the rampant mad clickers amongst us)

    Or copy and paste it into your browser's "Location" box (where Internet addresses go).

    We hope you enjoy your awesome card.

    Wishing you the best, Administrator, americangreetings.com
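The two lure shapes this thread describes (the greeting-card mail above with a raw-IP link, and the earlier comment's short all-numeric "testing the waters" probes) can both be caught with a simple mail-side classifier. This is an added example, not code from the thread or from any product; the sample messages, the regexes and the 203.0.113.23 documentation address (standing in for the altered IP in the post) are all constructed.

```python
import re
from email import message_from_string

# Constructed sample messages modelled on the lures described in the thread (not real captures).
ECARD_MSG = """From: Administrator <admin@americangreetings.com>
Subject: You've received a greeting card

Hi. Worshipper has sent you a greeting card.
Click on your card's direct www address below:
http://203.0.113.23/?9907cd64e28cae3d7703a3b01bdade
"""

PROBE_MSG = """From: nobody@example.net
Subject: 48213 9

7720418
"""

LEGIT_MSG = """From: alice@example.org
Subject: Lunch tomorrow?

Are you free at noon? Menu is at https://www.example.org/menu
"""

# Link whose host is a bare IPv4 address and whose only path is a long hex query string,
# the shape of the e-card lure; legitimate card services link to a hostname.
RAW_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}/\?[0-9a-f]{16,}", re.I)
ECARD_WORDS = re.compile(r"\b(greeting card|postcard|e-?card)\b", re.I)
# Subject and body both a short run of mostly digits: the probe messages one commenter saw.
SHORT_NUMERIC = re.compile(r"^[\d\s]{6,10}$")


def classify(raw: str) -> str:
    """Return 'ecard-lure', 'numeric-probe' or 'clean' for one RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    payload = msg.get_payload() if not msg.is_multipart() else ""
    body = payload if isinstance(payload, str) else ""
    if ECARD_WORDS.search(subject + " " + body) and RAW_IP_URL.search(body):
        return "ecard-lure"
    if SHORT_NUMERIC.match(subject) and SHORT_NUMERIC.match(body.strip()):
        return "numeric-probe"
    return "clean"


if __name__ == "__main__":
    for name, raw in (("ecard", ECARD_MSG), ("probe", PROBE_MSG), ("legit", LEGIT_MSG)):
        print(name, "->", classify(raw))
```

A real deployment would feed this from the MTA's content filter and log hits per source rather than block outright, since the numeric-probe rule alone is loose enough to catch a few odd legitimate mails.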
  • by BoRegardless ( 721219 ) on Wednesday August 08, 2007 @12:53PM (#20158551)
    Make it a Federal Law that ISPs must disconnect infected computers, and users would be forced to fix things very quickly.

    Then if a botnet attack comes, turn off the overseas pipes as needed. Yeah I am a dreamer, but I am at least half way practical.
  • Government and Big Corp always seem to be there when you don't want them. But they're never there when you do.

    For years I've wondered why we have such a persistent SPAM problem. There are a number of things that can be done - but aren't.

    - I don't believe there is ANY excuse for old viruses to circulate the web. I understand a new virus, but once a virus is known it should be stopped at the ISP & backbone levels.

    - Where is the government? SPAM supposedly costs businesses billions of dollars a year. That wo
  • With a bit of luck it will kill the entire net for days, perhaps weeks.

    Then perhaps something might actually be done about this nonsense once and for all. The only way something will get done is if it hits the pocketbooks of enough 'big players'.
    • Re:Cool (Score:4, Interesting)

      by Overzeetop ( 214511 ) on Wednesday August 08, 2007 @02:04PM (#20159663) Journal
      Do you realize the kind of productivity spike we could get if the 'net was down for, say, a week? One day would be lost to people trying to get back up, admittedly, but then we'd all just start doing work, checking the 'net connection more and more infrequently. After a week, we'd probably run out of work on our desks that didn't need internet lookups, though most of us still have paper catalogs around so it wouldn't be a total loss. Faxing would get popular again, as would phones and voicemail...but no outside IM and email to deal with.

      I'm going to call it a net win for productivity and business in general. Which means that it's most likely that big business is behind the internet shutdown...and the Storm worm.

      Shit, where'd I put that damned tinfoil hat...
  • I'm sitting here all pissed off because I just can't get that trojan to run. I've been fiddling with wine for hours and even tried it under crossover office, and damn it, I just can't get my machine infected. The next step is going to be installing Windows into a qemu image because I just don't want to miss out on full Windows compatibility! Grrrr.

    Seriously though, I thought Windows was supposed to be more secure, and less prone to this stuff than Linux? I mean, that's what Microsoft's Get The Facts campaig
