
Storm Worm Rising

CmdrTaco posted more than 7 years ago | from the goggles-do-nothing dept.

Worms 218

The Storm worm has been an increasing problem in the last few months, but a change in tactics may mean something big is going to happen. The article discusses a bit of back story about the worm, including the somewhat frightening numbers about the millions of spam emails carrying the worm payload. They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.


My fp worm (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20157267)

has risen and is hard and ready!

Nebulous numbers (0)

Anonymous Coward | more than 7 years ago | (#20157273)

They estimate between a quarter and a million infected systems usable for spam or DDOS attacks

Wow, you'd think they could narrow the numbers down a bit more. 0.25 - 1M is a pretty big spread.

Re:Nebulous numbers (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#20157741)

0.25 - 1M is a pretty big spread

You must be a machine. Any normal human would be able to determine from context that "between a quarter and a million" is short hand for "between a quarter million and one million"

And it's pretty much impossible for only 25% of a machine to be infected, it's all or nothing.

English is not too difficult to understand if you look at the clues.

--
Anonymous Coward: Feeding the trolls for over a decade.

Re:Nebulous numbers (1)

another_fanboy (987962) | more than 7 years ago | (#20158065)

short hand for "between a quarter million and one million"

A quarter million to a full million is still a large range.

Re:Nebulous numbers (1)

Poltras (680608) | more than 7 years ago | (#20158263)

English is not too difficult to understand if you look at the clues.

You're talking about the game, right?


----
Mods, that joke is on topic, look up the parent original post.

How are these numbers calculated? (5, Funny)

IndieKid (1061106) | more than 7 years ago | (#20157299)

They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.
0.25 to 1,000,000 is a pretty large range.

Seriously though, how does one go about estimating these numbers? Is it something as simple as an estimate of what proportion of infected e-mails are expected to result in an infected desktop? I doubt that would give a very accurate figure.

Re:How are these numbers calculated? (1)

everphilski (877346) | more than 7 years ago | (#20157447)

250,000. Quarter of a million. Typo.

Re:How are these numbers calculated? (1)

Slarty (11126) | more than 7 years ago | (#20157723)

Speaking of typos, I find it funny that the crack editorial staff of Network World managed to let a typo slip through in the *2nd word* of the article. All fear "the swifly spiking onslaught of the Storm Worm!"

Re:How are these numbers calculated? (2, Funny)

Qzukk (229616) | more than 7 years ago | (#20158073)

All fear "the swifly spiking onslaught of the Storm Worm!"

It's product placement for Swiffer dusters, able to swifly swiff up dust, viruses and worms.

Re:How are these numbers calculated? (4, Informative)

strongmace (890237) | more than 7 years ago | (#20157511)

Article says how they are calculated:

"Joe Stewart, senior security researcher at managed security company SecureWorks, at the Black Hat conference. .....

From the number of infected machines he's found, Stewart estimates that the Storm botnet could comprise anywhere from 250,000 to 1 million infected computers. And that raises questions, along with eyebrows. "

Re:How are these numbers calculated? (2, Insightful)

IndieKid (1061106) | more than 7 years ago | (#20157887)

Yeah I just read that. If 20 million e-mails (according to Joe Stewart in the article) have been found and he estimates that 250k to 1m machines are infected, that implies that somewhere between 1 in 20 and 1 in 80 of the machines he's looked at are infected. I'm assuming somewhere in the middle is what he actually discovered before applying a margin of error - so 1 in 50. I wonder how many machines he actually checked? 50? 500? Were these machines known to have received the e-mail or just random machines?

All I'm saying is that I doubt the methods used to estimate these numbers would stand up to close scrutiny. That's not to say this isn't interesting (the number could be higher than the estimate after all), but I'd rather the article just said "we don't know how many machines are infected, but it's likely to be a lot".

Re:How are these numbers calculated? (5, Informative)

httptech (5553) | more than 7 years ago | (#20157627)

The estimate is based on the number of unique IPs we've seen attacking networks we monitor, coupled with our knowledge of how the Storm botnet works. We've seen up to 100,000 bots sending the attack (the ecard spam) in a single day. Storm is a multi-tiered botnet, meaning that not all the bots are tasked with sending the emails. Some are supernodes (first-tier), designed to serve up the ecard executables via HTTP and facilitate communication between the regular (second-tier) nodes. Another factor is that some second-tier nodes will never be seen attacking, since they may be behind firewalls that block port 25 outbound or at an ISP that is doing SMTP blocking, so they may be part of the botnet but difficult to count.

In reality, the only source that can give you a precise count for the Storm botnet is the Storm controller - and he/she's not talking. So we do the best we can at estimating its size given the data available.

Re:How are these numbers calculated? (1)

IndieKid (1061106) | more than 7 years ago | (#20157953)

Thank you, that's much more informative than the original article :-)

I don't think we'll ever see a solution... (2, Insightful)

Anonymous Coward | more than 7 years ago | (#20158631)

...until software companies are forced to include normal consumer warranties (as in suitable for purpose, ability to access the internet with better security out of the box) and until individual zombie owners can get charged with "maintaining an attractive nuisance". The software sellers don't give a crap, as they have zero liability because of their ridiculous EULA and because the law lets them get away with it, and big corporations are scared to sue the 800 lb gorilla over this issue (obviously buncha pansie asses if you ask me), and the people who get infected don't care enough to do much about it, as the last decade has proven over and over again. Make it hurt both parties there financially, you'll see better coding and much reduced malwarez. And I could care less if this means much longer release cycles and the engineers take precedence over the marketing weasels and the PHB investor class. It will have to *hurt* those folks deeply in the wallet to get them to enter the 21st century and assume normal adult business responsibility for their alleged "products".

Without those measures, we'll never have any sort of decent widespread security, it will always be too little, too late, catch up crap and the big dogs still raking in the billions for perpetual beta-crapware

Now free software I don't have as much of a problem with, as they don't charge any money for it, but the stuff that costs serious folding money-needs a normal consumer warranty.

Re:How are these numbers calculated? (5, Funny)

ObsessiveMathsFreak (773371) | more than 7 years ago | (#20157803)

Seriously though, how does one go about estimating these numbers?
1. Roll 2D6
2. Take the number rolled, and multiply it times the number of worm messages that have arrived in your inbox.
3. If your computer is actually infected, square the result.
4. Play a game of Solitaire
5. Add your final score to the result
6. Divide the result by your Boss's vigilance.
7. Make a saving throw against discovery, and multiply the result by 1000
8. Round up to the nearest 100,000
9. Publish
10. Profit!
Lower bounds are trickier as they will require you to actually care about what you're doing.

Re:How are these numbers calculated? (1)

pete.com (741064) | more than 7 years ago | (#20157809)

It is a very scientific process, you reach inside your ass and pull.

Microsoft is going to lose big (2, Insightful)

athloi (1075845) | more than 7 years ago | (#20157357)

If they can't find a way to reach customers and get them fixes for the rampant insecurity of these machines that are compromised. The silent majority of customers are getting frustrated with this sham of a performance [chron.com] , and while saner heads recognize that Redmond does a lot right and some wrong, the emotional response is going to shove them out of dominance in operating systems. Maybe that's why they're better on spacy Web3.x "cloud" and "distributed OS" technologies instead of what made them big, which was getting things done the hard way consistently.

"The silent majority" is uninformed. (4, Insightful)

khasim (1285) | more than 7 years ago | (#20157533)

No. "The silent majority" believe that this is the way computers just "work".

They've been shown that in countless movies and TV shows and by "experts" on the news.

They're the ones you see claiming that Linux and Mac's will have the "same problems" as their market share increases.

With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

Re:"The silent majority" is uninformed. (4, Interesting)

NickFortune (613926) | more than 7 years ago | (#20157721)

No. "The silent majority" believe that this is the way computers just "work".

More accurate, perhaps, to say that they think this is just the way computers don't work.

There was a program on last week where they had a collection of self proclaimed grumpy old women listing things they hated about computers - and you know what? Every single complaint was not about computers per se, but about Microsoft software.

There's got to be an opportunity in there somewhere for the FOSS movement. Imagine if we could convince the "I hate computers" brigade that what they mainly hate is Microsoft ...

With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.

Re:"The silent majority" is uninformed. (1)

lymond01 (314120) | more than 7 years ago | (#20158797)

With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

Response: That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.

True. I'd say the long, dark tunnel from XP to Vista has a few side corridors.

Re:"The silent majority" is uninformed. (1)

Starker_Kull (896770) | more than 7 years ago | (#20157867)

No. "The silent majority" believe that this is the way computers just "work". They've been shown that in countless movies and TV shows and by "experts" on the news. They're the ones you see claiming that Linux and Mac's will have the "same problems" as their market share increases. With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

I don't think that's quite the case any more. Many of the people I work with, toting around notebooks running XP or Vista on them, now openly admire and know about OS X (Linux.... not so much. One step at a time...), and say they would switch 'IF'... and the usual reasons, some quite legitimate, are brought out. However, the fact that many people are AWARE there is an alternative that appears better in their eyes, is a new & positive development. It just takes time, time where products from Redmond continue to be mediocre, and time where other OS's consistently improve in stability, security, usability, and interoperability. These conditions have been occurring consistently for the last 5 years now.

We might get to see Microsoft's OSes slowly head the way of the dino in the next 5 years, especially the more incidents like the above 'worm' occur.

Re:"The silent majority" is uninformed. (2, Funny)

Mr. Flibble (12943) | more than 7 years ago | (#20158783)

With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.


Well, it is changing it for me! I got an ecard from "friend" and I downloaded the exe on my iMac, and it won't work. I could not see the card. I tried again on my Red Hat Enterprise 4 server, and even after chmod +x *AND* running as root with X windows going, the card would not open.

That is the last straw for me! I can't get cards from my "friend". I am going back to Windows where I can open cards.

Re:Microsoft is going to lose big (4, Informative)

jpop32 (596022) | more than 7 years ago | (#20159077)

If they can't find a way to reach customers and get them fixes for the rampant insecurity of these machines that are compromised.

WTF are you talking about? RTFA, please. If you actually did that before funboying around, you'd notice that the program in question is not a worm at all, but a trojan. User has to manually run the attachment, probably clicking through a couple of dialogs practically begging him not to. But, since the user really, really _wants_ to see the cute kittens, or a naked celebrity, or whatever the trojan claims to be, trojan will be run. No OS can defend against the user being a sucker.

So, move along, please. Your tirade is totally off topic here.

Love the tag "situationnormal" (2, Informative)

AKAImBatman (238306) | more than 7 years ago | (#20157379)

I remember freaking out 10 years ago every time I saw someone running that cutesy little "fireworks display" email attachment. Despite my best efforts, I couldn't get the users to stop unzipping and opening it*. Glad to see that things haven't changed much.

SNAFU (Situation Normal: All F***ed Up)

* Before I get 10 million suggestions for a decade-past issue, yes we did find more effective ways of blocking it.

Naked teens attack home director (5, Informative)

tttonyyy (726776) | more than 7 years ago | (#20157385)

Now I've got your attention worm style, click this link for more information:

http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]

Re:Naked teens attack home director (1)

neo8750 (566137) | more than 7 years ago | (#20157765)

So where is this naked teen? and why do i not see her nakedness attacking her director? Aww crap not again...

Question on that article (3, Interesting)

Gazzonyx (982402) | more than 7 years ago | (#20158147)

Now I've got your attention worm style, click this link for more information:

http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]
I'm interested in something from that wikipedia article; it mentions that the source code to storm specifically avoids infecting Windows Server 2003 boxes. Anyone know why the author would go out of his way to not hit 2K3 boxes?


Perhaps to avoid infecting government servers (and upping the ante, if he got caught)? That's the only thing I could think of. I'm sure there's a very logical reason, but I have no idea what it might be.

Re:Question on that article (1)

bpfinn (557273) | more than 7 years ago | (#20159169)

The FBI won't usually investigate a computer intrusion unless there has been a significant amount of money lost because of it. Perhaps the author believes that avoiding Windows 2003 Servers will reduce the chances of infecting some big corporation's "very important server".

Re:Question on that article (1)

necro2607 (771790) | more than 7 years ago | (#20159279)

Anyone know why the author would go out of his way to not hit 2K3 boxes? ... I'm sure there's a very logical reason, but I have no idea what it might be.

Well, all "windows server reliability" jokes aside, it could just be that the author's code had some issues running as expected on the 2003 server machines (due to some behaviour in that version of the OS as opposed to other versions), that perhaps he/she didn't feel like debugging or figuring out.

worth worrying about (3, Interesting)

esconsult1 (203878) | more than 7 years ago | (#20157393)

As the publisher of two fairly popular websites, this is something to worry about. Recently all our sites spread across a few dedicated servers in one data center were down. Not because of a direct DDOS attack, but because of a peripheral attack which swamped the network infrastructure at the center. Really, if these guys decided to do more frequent DDOS attacks, anyone could be a target and calling the FBI is cold comfort since in the meantime your sites are down and out.

Catalyst for change? (3, Interesting)

khasim (1285) | more than 7 years ago | (#20157719)

Let's look at DDoS attacks.

#1. Spoofed IP addresses - not that common anymore. It used to be that you'd tie up a machine by having it send replies to machines that did not initiate the connection. There is a simple solution to this. Anyone assigned a block of IP addresses has to make sure that all outbound traffic references IP addresses on that block.

#2. Thousands of machines eating up your bandwidth - the most common type now. This is where the zombie army each makes continued requests of your machine. For webservers, they can request a page over and over and over until they use up all your bandwidth and legitimate visitors cannot get through. This is more difficult to fix. It can partially be handled by blocking the range of addresses that host the zombies. Such as Comcast and Verizon and so forth. There are more complicated attacks. Such as sending half a request.

There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.
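The #1 case above is what source-address (egress) filtering at the network edge addresses: a network assigned certain address blocks should not let packets leave with a source address outside those blocks. The following is an added example, not code from any poster, that applies such a check to constructed packet records; the allocated blocks and the record format are assumptions.

```python
"""Egress source-address check for the spoofed-packet DDoS case.

Added example (not from the thread): packets leaving a network are allowed
only if their source address belongs to one of the blocks assigned to that
network. Address blocks and packet records below are constructed sample data.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: blocks assumed to be allocated to this network (hypothetical).
ALLOCATED_BLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_spoofed(src: str, blocks=ALLOCATED_BLOCKS) -> bool:
    """True if an outbound packet's source address lies outside every allocated block."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # unparsable source address: treat as not ours
    return not any(addr in net for net in blocks)


def filter_outbound(packets: Iterable[dict], blocks=ALLOCATED_BLOCKS) -> Tuple[List[dict], List[dict]]:
    """Split outbound packet records into (allowed, dropped) lists."""
    allowed, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed(pkt["src"], blocks) else allowed).append(pkt)
    return allowed, dropped


# Constructed outbound packet records; the third carries a forged source
# address belonging to an outside host, the classic spoofed-reply pattern.
SAMPLE_OUTBOUND = [
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp"},
    {"src": "198.51.100.200", "dst": "192.0.2.10", "proto": "udp"},  # outside the /25
    {"src": "192.0.2.10", "dst": "203.0.113.7", "proto": "udp"},     # forged outside source
    {"src": "2001:db8:1::5", "dst": "2001:db8:2::1", "proto": "tcp"},
]


def summarize(packets=SAMPLE_OUTBOUND, blocks=ALLOCATED_BLOCKS) -> dict:
    """Counts of allowed/dropped packets and the sources that were dropped."""
    allowed, dropped = filter_outbound(packets, blocks)
    return {
        "allowed": len(allowed),
        "dropped": len(dropped),
        "dropped_sources": [p["src"] for p in dropped],
    }


if __name__ == "__main__":
    print(summarize())
```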

Re:Catalyst for change? (1)

neo8750 (566137) | more than 7 years ago | (#20157957)

There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.
I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages. I mean other than the whole aww factor this plan will work.

I personally think that ISPs should notify their users that there are worms/viruses going around (hey got an idea for a company one that works with isps to keep them up to date on worms/viruses and hell maybe even setup the mass mailing needed to get the word out). Though it would probably be best to just make it so that the user can't get any of their mail till they read the message from the isp. Sure this may take some recoding to add a feature to smtpd but i think if we are going to help fight these worms we need to make it so the end user is aware of them. (this option may exist)

hell i personally consider myself a higher end user and i don't even know what the most popular/newest worms out there are. But then again i don't open an email unless i know the person for one and i also don't if the topic is off. But then again i don't count on my contacts to keep me up to date on stuff plus if it's that crazy they will sooner call than email me.

Why not offer to swap them ahead of time? (2, Interesting)

khasim (1285) | more than 7 years ago | (#20158201)

I wonder how grandma and grandpa will feel when get a letter in the mail to discover that there internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages. I mean other then the whole aww factor this plan will work.

Why wait?

Why not take a few pro-active measures? Such as emailing all your clients with the new rules and offering to assist them in evaluating their systems ... automatically?

hell i personally consider myself a higher end user and i don't even know what the most popular/newest worms out there are.

Why would you need to know about the newest worms? The focus should be on the security of the system.

A default installation of Ubuntu does not have any open ports. It is immune to all worms except anything that might attack the TCP/IP stack itself.

It's still susceptible to trojans, but even those can be mitigated.

And it is easy to check most Linux distributions with a Live CD. So the idea is to limit the possible avenues of attack and have a system in place so that successful attacks can be recognized and removed.

Re:Why not offer to swap them ahead of time? (1)

neo8750 (566137) | more than 7 years ago | (#20158829)

I wonder how grandma and grandpa will feel when get a letter in the mail to discover that there internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages. I mean other then the whole aww factor this plan will work.
Why wait?
I never said it shouldn't be put into effect i said really the only problem is the whole "aww poor them" factor and we know that can be looked over easily especially when you slap them with a we told you in an email/letter.

you can have your system locked down from the outside world but still doesn't stop the user from creating a hole by running malicious code. And having an up to date knowledge of worms and viruses floating about would significantly hinder spreading of them.

Re:Catalyst for change? (1)

teh_chrizzle (963897) | more than 7 years ago | (#20159227)

There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.

people do not take responsibility for their anything that involves computers. evar. people don't take responsibility for their actions on the computer (i did not delete it! the computer just ate it!), they don't take responsibility for the computer itself (how does all of this crap get on my computer?) and therefore will never ever take responsibility for their computer's actions. evar.

Mneh (0, Offtopic)

Helen Keller (842669) | more than 7 years ago | (#20157413)

MnaehD'yatttGnthiGnnnnk amIGnnnnnninfecgnnnted?

More information (4, Informative)

apachetoolbox (456499) | more than 7 years ago | (#20157419)

http://en.wikipedia.org/wiki/Storm_Worm [wikipedia.org]

...names ranging from "postcard.exe" to "Flash Postcard.exe,"...

Shouldn't everyone be blocking .exe attachments at the MTA? Also look for a service running called wincom32 on infected machines.
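Blocking by the ".exe" suffix alone is easy to sidestep with a rename or a zip wrapper, so a filter at the MTA is better off looking at content. The following is an added example, my own code rather than anything posted in the thread or shipped by any product: it recognises Windows executables by the "MZ" magic bytes regardless of file name, descends into zip attachments (nested ones too), and, for encrypted zip members, can still see the member names even though it cannot read their contents. The attachment names and bytes are constructed sample data, and the fake executable is just a header, not a program.

```python
"""Content-based attachment check for executables, including inside zips.

Added example (not from any poster). Classifies attachments by magic bytes
rather than file name and recurses into zip archives. All samples below are
constructed in memory.
"""
import io
import zipfile
from typing import Dict, List

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
PE_MAGIC = b"MZ"          # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header
ZIP_ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 in a zip member


def looks_like_pe(data: bytes) -> bool:
    return data[:2] == PE_MAGIC


def find_executables(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Return outer/inner paths of members that look like executables."""
    hits = []
    lower = name.lower()
    if looks_like_pe(data) or any(lower.endswith(ext) for ext in EXEC_EXTENSIONS):
        hits.append(name)
    # Descend into zips by magic, so a .zip renamed to .piz or .dat is still inspected.
    if data[:4] == ZIP_MAGIC and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                        # Encrypted member: the listing is visible, the bytes are not,
                        # so only the name can be judged here.
                        if any(info.filename.lower().endswith(e) for e in EXEC_EXTENSIONS):
                            hits.append(member)
                        continue
                    hits.extend(find_executables(member, zf.read(info), depth + 1, max_depth))
        except zipfile.BadZipFile:
            pass  # corrupt or truncated archive: nothing more to inspect here
    return hits


def should_block(name: str, data: bytes) -> bool:
    return bool(find_executables(name, data))


def _zip_bytes(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> bytes mapping (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed: a fake executable header, not a real program.
FAKE_PE = PE_MAGIC + b"\x00" * 62 + b"constructed sample, not a program"

SAMPLES = {
    "postcard.exe": FAKE_PE,                                  # plain executable
    "holiday.dat": FAKE_PE,                                   # executable renamed to .dat
    "card.piz": _zip_bytes({"Flash Postcard.exe": FAKE_PE}),  # zip renamed to .piz
    "wrapper.zip": _zip_bytes({"mycode.zip": _zip_bytes(
        {"main.cpp": b"int main(){}", "a.out.exe": FAKE_PE})}),  # nested zip
    "notes.zip": _zip_bytes({"readme.txt": b"hello"}),        # harmless
}


def scan_samples() -> Dict[str, List[str]]:
    return {n: find_executables(n, d) for n, d in SAMPLES.items()}


if __name__ == "__main__":
    for attachment, found in scan_samples().items():
        print(f"{attachment}: {'BLOCK ' + str(found) if found else 'ok'}")
```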

NO! (4, Insightful)

everphilski (877346) | more than 7 years ago | (#20157491)

Shouldn't everyone be blocking .exe attachments at the MTA?

NO! It's annoying enough that Google rapes through my .zip files looking for .exe's.

If I'm working on a c++ program at work and zip it up and gmail it home (lock the computer while it uploads) and forget to 'make clean' ... I don't get my code. I know it's nitpicky and a make clean or a thumb drive will cure my problems but I'm forgetful which tends to preclude both.

Re:NO! (3, Interesting)

dr_strang (32799) | more than 7 years ago | (#20157611)

Try password protecting your zip file.

Re:NO! (0)

Anonymous Coward | more than 7 years ago | (#20157671)

Or just rename the .zip to .piz

Then when you download it, switch it back.

Re:NO! (3, Informative)

dark-br (473115) | more than 7 years ago | (#20157897)

It makes no difference if you password protect them or not as to list the zip file content no password is needed. You only need the password to correctly extract the files.

I've just switched to using RAR and as for now Google is leaving my attachments alone...

M Addario

Re:NO! (0)

Anonymous Coward | more than 7 years ago | (#20158497)

Or using svn.

Re:NO! (1)

Just Some Guy (3352) | more than 7 years ago | (#20158585)

As a sibling pointed out, that won't work. But you can nest an un-passworded "mycode.zip" inside a password-protected "wrapper.zip" file. Spam filters will see that wrapper.zip contains mycode.zip (because Zip's stupid encryption (hah!) doesn't protect its content list), but won't be able to examine mycode.zip.

Alternatively, use GPG and go forward.

Re:NO! (2, Interesting)

LiquidCoooled (634315) | more than 7 years ago | (#20157651)

Actually, if they are clever enough to scan the zips, maybe they could be clever enough to just filter the exes out leaving the rest.
It annoys me as well, the number of zips I have called .aaa .abc .bmp around because of this is stupid.

Maybe - just maybe - google could consider allowing zips to account users who have specified it as a preference (default block as currently occurs).

Re:NO! (1)

everphilski (877346) | more than 7 years ago | (#20157697)

Maybe - just maybe - google could consider allowing zips to account users who have specified it as a preference (default block as currently occurs)

Especially when a user is sending it to himself :) I mean, what, am I trying to infest myself with a virus?

Re:NO! (1)

LiquidCoooled (634315) | more than 7 years ago | (#20157839)

If you are sending it to yourself what happens if add the attachment and leave it in the drafts without actually sending it?

Is the drafts subject to capacity limit (since you haven't sent it) ?

I never tried that 'cos when I am sending code home (if I forgot my mem stick) I send via the work account (right click send to mail recipient is easier than opening browser, logging in, creating a mail, adding attachment...).

Re:NO! (1)

everphilski (877346) | more than 7 years ago | (#20158169)

can't say I've ever tried drafting an attachment ... that's a thought though.

Re:NO! (1)

LiquidCoooled (634315) | more than 7 years ago | (#20158273)

I just tested it, it works nicely.
Google warns you if you try sending though...

Re:NO! (1)

Chatterton (228704) | more than 7 years ago | (#20157699)

You can put a single letter password on your zip files?

Re:NO! (0)

Anonymous Coward | more than 7 years ago | (#20157761)

How hard would it be to add a rule to your Makefile that generates the zip file for you and makes sure that there is no .exe in the zip file?

Re:NO! (2, Informative)

cyfer2000 (548592) | more than 7 years ago | (#20157827)

I use 7zip.

Re:NO! (1)

Andrewkov (140579) | more than 7 years ago | (#20159253)

Ah yes, the 7-Up of Zip programs!

Re:NO! (1)

jamsessionjay (802511) | more than 7 years ago | (#20158211)

Rename your zip files .dat - google won't know it's a zip file and assumes it's random junk data. When you get home rename it .zip

encapsulate the zip (1)

Gazzonyx (982402) | more than 7 years ago | (#20158303)

They don't (or didn't, as of the last time I sent myself an executable - within the last year) scan RAR or 7Zips for executables. Also, they won't check a doubly encapsulated archive; if you RAR or 7zip or gzip the folder, and then zip that, you should be fine. The best method is to use a lower compression method on the folder first (zip or gzip), and then encapsulate it with an archiver that uses a larger library (like 7zip or bzip2). This will keep it from 'bloating' on the second compression.

Re:NO! (1)

oglueck (235089) | more than 7 years ago | (#20158661)

You're honestly abusing email as kind of a SCM tool? Creative...

Re:NO! (2, Informative)

^Case^ (135042) | more than 7 years ago | (#20158697)

Make a "package" make target that copies all relevant files into a package directory, zips the directory and ships off the mail. If you're using OS X or another un*x variant you can do all this with a single make target.

Why you aren't using version control is another question.

What does God need with a starship? (1, Redundant)

Billosaur (927319) | more than 7 years ago | (#20157439)

"Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam."

For spam, a million-strong botnet might be overkill. But botnets can do much more - like launching denial-of-service attacks. These attacks aim to overwhelm a Web site or Internet server by sending it a constant stream of garbage data at a particular Web site or Internet server.

So the question is, who is controlling these botnets and why? DDoS attacks can be pretty useful if someone wants to get a point across or to extort money from someone or some company. It will be interesting to see if they can trace it back to the source.

Re:What does God need with a starship? (3, Insightful)

ktappe (747125) | more than 7 years ago | (#20158693)

"Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam." For spam, a million-strong botnet might be overkill. But botnets can do much more - like launching denial-of-service attacks.
So the question is, who is controlling these botnets and why?
It is possible that the creators of this worm did not have any idea how successful they would be. They may have figured they'd get 5,000 PC's, not 500,000. Now suddenly they have a monster by the tail and are not sure what to do with it.

Removal Tool (2, Informative)

apachetoolbox (456499) | more than 7 years ago | (#20157459)

Re:Removal Tool (5, Funny)

ben0207 (845105) | more than 7 years ago | (#20157519)

No fukcing way am I going anywhere near a site called Team Furry.

The goggle really might do nothing.

Re:Removal Tool (4, Funny)

jollyreaper (513215) | more than 7 years ago | (#20157633)

http://www.teamfurry.com/wordpress/2007/07/19/sunshine-on-a-stormy-day/
I'm too scared to look. On a scale of goatse to tubgirl, how's it rate?

Re:Removal Tool (1)

Johnny_Law (701208) | more than 7 years ago | (#20157865)

http://www.teamfurry.com/wordpress/2007/07/19/sunshine-on-a-stormy-day/

I'm too scared to look. On a scale of goatse to tubgirl, how's it rate?
Lemon Party

Re:Removal Tool (1)

n-baxley (103975) | more than 7 years ago | (#20158445)

Anyone care to verify this? I'm not about to download an exe that's "supposed" to remove a nasty virus. No offense apachetoolbox.

Re:Removal Tool (1)

teamfurry (1139967) | more than 7 years ago | (#20158907)

Hi, as the blog entry and the tool itself suggest, feel free to ask any question from me by mailing me at toni(_at_)teamfurry.com. Shortly put: The tool works a bit similarly to the StormWorm dropper itself. When stormworm is infecting a machine, it checks certain services to see if there is already an earlier variant of itself on the machine. If it detects one, it will remove it. My tool uses the same principle, and effectively removes the infection from the host. If you have any other questions, don't hesitate to mail. Regards, Toni Koivunen Teamfurry.com

that is why (5, Funny)

clubhi (1086577) | more than 7 years ago | (#20157463)

That is why I always do my online banking BEFORE I browse for porn

Maybe there's a silver lining here... (5, Interesting)

Novae D'Arx (1104915) | more than 7 years ago | (#20157481)

I dunno - maybe this is what we need ~ a botnet big enough to do some real damage could actually catalyze some public awareness. Imagine if they DDoS'd MS, or Amazon, heck, Google? Maybe these guys (esp. Google) could handle this kind of slamming, but they've got lobbyists now. I really wouldn't mind seeing a well-funded FBI task force with the express purpose of rooting out botnets and going after their creators. Yeah, yeah, most of them are not on US soil. I know. However, imagine legislation that actually required the disconnection of infected bots from an ISP until it was cleaned, and a public awareness campaign that painted users who allow this to happen as idiots, and the ISPs as protectors of the rest of the internet users. Most people are concerned that there would be a backlash against the ISPs and they would stop complying for fear of loss of business, but that's where the legislation comes in. It's a quarantine situation - just like IRL, if you've got something nasty and contagious, the CDC can legally quarantine (forcibly, if you're an idiot like the TB guy) you because you're endangering the lives of others by going out and exposing them. Same thing here - don't give the botnets a chance to expand, cut them off, force a windows-cleaning (ISPs could offer a cleanup disk, $5.95 plus tax, or something, to help make it worth it for them - don't want to hurt the small ISPs, even though I think TW and the rest are bastards), and let them reconnect afterwards. Simple, painless, and will definitely make sure people learn their lesson for next time.

Re:Maybe there's a silver lining here... (1)

Neil Watson (60859) | more than 7 years ago | (#20157787)

Being jaded I see only the chance for broken legislation. I see new laws making it illegal to possess or use legitimate security tools.

Re:Maybe there's a silver lining here... (1)

DerekLyons (302214) | more than 7 years ago | (#20158007)

dunno - maybe this is what we need ~ a botnet big enough to do some real damage could actually catalyze some public awareness. Imagine if they DDoS'd MS, or Amazon, heck, Google?

I can imagine it easily - 99% of the surfers denied access would simply go "damn internet" and surf elsewhere, or go do something off-net.

Re:Maybe there's a silver lining here... (1)

fotbr (855184) | more than 7 years ago | (#20158341)

And when $ISP decides they'll only support Windows $Version anyone who hasn't "upgraded" is now SOL. Thanks to monopolies and near monopolies, this will turn into a legislated "upgrade or no internet for you" money maker.

Thanks, but no.

Re:Maybe there's a silver lining here... (1)

another_fanboy (987962) | more than 7 years ago | (#20158487)

imagine legislation that actually required the disconnection of infected bots from an ISP until it was cleaned

The problems with legislation are:
(1) the idiots in congress do not have a clue as to what a botnet is and therefore are incapable of creating anything remotely usable;
(2) the average user would not know why his computer cannot access the internet;
(3) many flat out refuse to learn good online habits until forced to and even then they will fight to the bitter end.

Re:Maybe there's a silver lining here... (1)

Novae D'Arx (1104915) | more than 7 years ago | (#20158945)

That's the wonderful thing about having lobbyists - they "inform" the legislators. In this case, they could let Joe Sixpack Senator (R-TX) know about how EEEVIL botnet creators are, how they're harming the InterTubes and online businesses and hence the GNP. The common good doesn't cut much ice anymore, but tell them how it's making businesses lose *money*, and stand back...

Also nice about lobbyists: they can even help these guys draft bills in ways that actually help make things work. MS and Google, at least, have lobbyists now... let's see them get their money's worth.

Re:Maybe there's a silver lining here... (1)

shish (588640) | more than 7 years ago | (#20158509)

Yeah, yeah, most of them are not on US soil
Since when has that ever stopped them? [slashdot.org]

Re:Maybe there's a silver lining here... (1)

UID30 (176734) | more than 7 years ago | (#20158817)

This is most definitely not what we need. Botnets and viruses are either the result of immature over intelligence, or outright malicious criminal act. They cost real people real time/money to combat.

The solution is neither simple, nor painless. If detection of a botnet infection is (as it is now) left to the end user, one would merely have to "not check" in order to circumvent quarantine. And let's face it ... how many users would really allow their ISP to deep scan their system for possible botnet infection? The situation only gets worse if botnet scans are mandated by a government body ... can you imagine every PC in the country running some mandated bloatware developed by the lowest bidder on the government contract? Nope. No chance of that happening.

If the problem were easily solvable, it would have been solved long ago. There is no financial incentive for Redmond to produce an invulnerable OS ... an entire anti-virus industry exists based on their buggy OS ... one in which Redmond actively participates with their own anti-virus solution. Conflict of interest? You do the math.

The only real answer is in accountability. Make both OS manufacturers and virus creators accountable, to some degree, for losses. What would Redmond's bottom line look like if they had to pay damages based on man-hours lost because of holes in their buggy OS? You could even limit the damages to the actual cost of the original OS. I'd be willing to bet on 2 things ... 1) that Bill Gates wouldn't be cashing out his options to the tune of $1B / quarter... and 2) that the next Redmond OS would be a little bit more secure.

Virus creators are another problem ... once identified, they need to spend hard time in a Federal PMITA Prison ... 1 day of time served per infected system. That should make the point. A small sized infection could easily churn up a 20 year sentence. At the current rate of technological change, I am pretty sure the perp would have some degree of difficulty repeating the offense at the end of that kind of prison term.

Beyond the slashdot effect... (2, Informative)

annamadrigal (1134821) | more than 7 years ago | (#20157517)

From the article:
> For spam, a million-strong botnet might be overkill.
> But botnets can do much more - like launching denial-of-service attacks.
> These attacks aim to overwhelm a Web site or Internet server by sending
> it a constant stream of garbage data at a particular Web site or Internet server.
A few years back there was a spate of DDOS attacks on root servers, for example: http://www.informationweek.com/news/showArticle.jhtml?articleID=197004237 [informationweek.com] which were described at the time as "possibly featuring millions of computers".
So, is this really such an enormous number? There seems to be a precedent for botnets of this scale....

Re:Beyond the slashdot effect... (1)

rel4x (783238) | more than 7 years ago | (#20157937)

In past years, they really exaggerated the sizes of botnets. They had a lot of trouble telling the different controllers and whatnot.
This one, I have a feeling actually IS that large.
Especially for a few worms, where different variants were released by different groups who bought the source code and modified it. This one quite possibly is that large.
ALSO, 250,000 computers, while it is a massive botnet, is not truly excessive in regards to spam. Take a look at what is being filtered for nowadays. NJABL, DSBL, and the DROP Spamhaus list (ZEN too?) all take the various residential IP ranges out of the mix, or make it much harder to get inboxed with them. The XBL does a good job of listing bots as well. Some botnets that I have seen, there was 96% XBLed. The XBL is enough to doom a message in most cases. None of the dynamic/residential IP blacklists by themselves are enough to bulk folder a message on their own (with most configurations), but also the chances are that an IP that shows up in one will show up in more than one. Also, on the off chance some administrator was ridiculous enough to use the APEWS list, entire ISPs also will throw a few extra points into the mix. All of this means that whatever numbers someone gets are worth their time.
For example, let's say 70% of this botnet is RBLed(which is possible, especially given the fact that spamhaus says that the storm worm DDOSed them, and I have trouble believing the logs of that did not factor into the RBL). That leaves 62,500 computers NOT xbled. Subtract another 5-10% for computers that cannot have outgoing port 25 connections. Subtract even more for computers listed in multiple dynamic IP/residential blocklists.
THAT is why this botnet grew to the size that it did.

Thank God !! (0)

Anonymous Coward | more than 7 years ago | (#20157579)

Glad I got that memo . Oh wait it is an attachmen...

Whats Worse? Storm or Nugache (1)

Evil W1zard (832703) | more than 7 years ago | (#20157785)

We all know that the Storm botnet is a big ol' spambotnet but what about Nugache? That's the one I'm more concerned about, as it is fairly huge and just sits there in the dark waiting!!! Has anyone identified WTH that one is prepping for yet or are we still all in wait mode...

Insert Scary Music Here

If you'd like to know more... (1)

fahrbot-bot (874524) | more than 7 years ago | (#20157903)

...let me know and I'll forward you some e-mail...

An email warning I got yesterday (2, Interesting)

bzipitidoo (647217) | more than 7 years ago | (#20157921)

Yesterday, a non-expert computer user I know sent me an email warning about emails with "postcard for you" in the subject being a carrier for the "worst virus ever". It could erase your entire hard drive!!! The histrionics convinced me it was bogus, so I blew it off. But seems there is something going on after all? That email now looks like it was deliberately timed and edited to ride the next wave of panic.

Re:An email warning I got yesterday (0)

Anonymous Coward | more than 7 years ago | (#20159019)

Tell me now.
Won't all major updated antivirus programs detect and remove this threat?

So those responsible for its proliferation are just computer security lame and don't have a clue? Right?

They see an executable and execute it like fools? Is that about it?

As much as I hate to suggest this... (1)

goldspider (445116) | more than 7 years ago | (#20158029)

...but perhaps we need a law that would require ISPs to disconnect customers with compromised computers, and inform them that they will remain disconnected until the computer(s) has been cleaned.

Us conscientious customers shouldn't have to suffer the conditions imposed on us by people who can't bother to take even the most simple precautions. How much better would service be without all these botnets clogging the tubes?

Re:As much as I hate to suggest this... (0)

Anonymous Coward | more than 7 years ago | (#20158157)

We need no such law. There should never be a law that punishes a victim for failing to respond to their situation, and that is all such a law would do. Live with the inconvenience, or convince your ISP to change their TOS and voluntarily do what you suggest.

Re:As much as I hate to suggest this... (1)

goldspider (445116) | more than 7 years ago | (#20158343)

The "victims" here are everyone who has to deal with the spam, DDoS attacks, and whatever else these botnets are spewing. And it's not a problem that can be limited to or by individual ISPs.

The public has been aware of computer viruses for 20 years now, and there are plenty of free tools (many of which are provided at no cost by ISPs) to prevent an infection. It's long past time people took responsibility for their own computers.

Re:As much as I hate to suggest this... (1)

scharkalvin (72228) | more than 7 years ago | (#20158755)

Most people do NOT know how to protect computers from the internet, NOR SHOULD THEY!
The computer makers and the OS writers should handle this, it's THEIR PRODUCT!!!

Hey DELL and M$! I bought this computer from you and it got itself infected with spambots because YOU didn't provide the security to prevent this. So (to quote Weird Al) I'LL SUE YA!

Re:As much as I hate to suggest this... (1)

goldspider (445116) | more than 7 years ago | (#20159091)

Most people do NOT know how to protect computers from the internet, NOR SHOULD THEY!

Yet we expect people to maintain their own cars. Are you suggesting it's unrealistic to expect people to get regular oil changes?

The computer makers and the OS writers should handle this, it's THEIR PRODUCT!!!

So let's sue automakers when a negligent owner lets their car's engine seize.

Re:As much as I hate to suggest this... (1)

Gazzonyx (982402) | more than 7 years ago | (#20158389)

True. But perhaps the ISP should just filter out malicious traffic at the edge, before it takes the first hop into their network?

Re:As much as I hate to suggest this... (0)

Anonymous Coward | more than 7 years ago | (#20158881)

Here in the Netherlands @home is doing just this: if they find out your computer is producing spam or emitting virus emails they just cut you off. You need to send in a screendump with proof of a recent antivirus program running and saying 'no virus found' before they will connect you again.

Done and done (1)

wezeldog (982156) | more than 7 years ago | (#20158983)

Brighthouse in my area does this. Let us say that I had my windows laptop infected (hypothetically, of course) one evening. The next morning I fire up my Linux desktop to check news, read Penny Arcade, etc. Brighthouse redirected my first request to a page stating that a machine attached to my cable modem is blasting out emails and I need to address it or some further action would be taken. Sure enough, it sent out over 30,000 emails overnight. I fixed and let them know. I don't know what the further action would have been, but they were on it.

Re:As much as I hate to suggest this... (1)

necro2607 (771790) | more than 7 years ago | (#20159443)

Actually Shaw cable here in western Canada already does so. A friend of mine was kicked offline for a week because one of the computers in his home network had some spyware or botnet-type trojan running on it which my friend didn't know about. He finally called the ISP wondering why the hell he couldn't get online after many days only to find out that they had disconnected his net connection without even notifying him. It seemed like a pretty harsh treatment of a customer - they didn't even let him know that one of his machines was infected with some potentially malicious software (until after he called), and intentionally booted him offline indefinitely because of this. Of course it would have been understandable had they actually let him know what was going on. How long would it have been if he hadn't contacted the ISP himself? Pretty amateur for such a large company [wikipedia.org] (2.3 million customers)...

Military? (5, Interesting)

wytcld (179112) | more than 7 years ago | (#20158081)

It's well-known that the Chinese government has an active computer warfare department. A botnet on this scale is way beyond anything needed for mere industrial blackmail. But if you wanted to bring down large chunks of some nation's Internet quickly, without the attack coming from an obvious (and blockable) source, this would be a great weapon. Let's say you wanted to disable the Internet in Taiwan, or South Korea, or Japan, or all three, just prior to military action. Or let's say you wanted to disrupt financial markets to be sure that your intentional crashing of the dollar [telegraph.co.uk] had maximal effects.

how to know (1)

kisrael (134664) | more than 7 years ago | (#20158083)

People who have all mail to a domain going to one gmail account (ok, me) noticed a bunch of this testing the waters looking spam leaking through the filters, one every two minutes or so, with both the subject and the body being a different short 6-10 character string of mostly numbers. No actual selling content.

Incidentally, for Windows lusers who realize they may have been practicing unsafe computing, is there any way to tell that you've been zombified? I know some of these worms are fairly stealthy. Some sort of external monitoring box between the router and the cable modem?

Re:how to know (1)

dmpyron (1069290) | more than 7 years ago | (#20158955)

Snort your outbound traffic. Not something the naive user can do, but anyone reading and posting to /. probably won't class as "naive". But if you're not naive, you're probably running several different protection schemes. As much as I hate it, ZA Pro will do a good job of detecting and blocking most outbound traffic that you don't want to get out. AdAwatch does a pretty good job of preventing software from installing. It even makes it a real PITA to do things like upgrade Acrobat. Or Windows. But if you really want to know for sure, re-image your system from time to time. Or install something like PC Vive (www.pcvive.com) on your clean system.
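One concrete form of "snort your outbound traffic" for the question kisrael asked: an added example (not code from this thread or from any of the products named above) that reads outbound-connection records, as a monitoring box between router and modem or a netflow export would produce, and flags hosts fanning out to many SMTP servers. The record format, sample lines and thresholds are assumptions made for this example.

```python
"""Spam-bot fan-out check over outbound-connection records (constructed
example; the log format, sample lines and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src ip> <src port> <dst ip> <dst port>"
# 192.168.1.10 behaves like a direct-to-MX spam bot; 192.168.1.11 is a
# normal client that only ever talks to its own ISP mail relay.
SAMPLE_LOG = """\
2007-08-08T02:00:01 192.168.1.10 51023 203.0.113.5 25
2007-08-08T02:00:02 192.168.1.10 51024 198.51.100.7 25
2007-08-08T02:00:02 192.168.1.10 51025 192.0.2.44 25
2007-08-08T02:00:03 192.168.1.10 51026 203.0.113.9 25
2007-08-08T02:00:05 192.168.1.10 51027 198.51.100.20 25
2007-08-08T02:00:06 192.168.1.10 51028 192.0.2.81 25
2007-08-08T02:00:30 192.168.1.11 49201 192.0.2.10 443
2007-08-08T02:00:31 192.168.1.11 49202 203.0.113.50 80
2007-08-08T02:10:00 192.168.1.11 49210 192.0.2.25 25
2007-08-08T02:10:00 192.168.1.11 49211 192.0.2.25 25
"""

SMTP_PORTS = {25, 587}


def parse_line(line):
    """Split one record into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _sport, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def smtp_fanout(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: peak distinct SMTP servers} for every source that
    contacted more than `threshold` distinct mail servers inside any
    `window`.  A real client submits to one or two relays; a bot that
    delivers straight to recipients' MX hosts fans out to dozens."""
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, dport = parse_line(line)
        if dport in SMTP_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # slide the window start forward until the span fits
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for host, n in smtp_fanout(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct mail servers inside 5 min, likely spam bot")
```

This only catches the direct-to-MX pattern: a host whose ISP already blocks outbound port 25 produces nothing here, and a bot that relays through the ISP's own mail server looks like one ordinary client.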

Had this show up (3, Interesting)

sanjacguy (908392) | more than 7 years ago | (#20158305)

We had this show up in our infrastructure. All the emails were this:

Hi. Worshipper has sent you a greeting card.

See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

http://682.81.0.23/?9907cd64e28cae3d7703a3b01bdade (Poster's note: This URL has been altered to protect the rampant mad clickers amongst us)

Or copy and paste it into your browser's "Location" box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best, Administrator, americangreetings.com
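Content-side heuristics for the two lures this thread describes, as an added example that is not part of sanjacguy's or kisrael's posts and not any mail filter's actual rules: the "greeting card" message whose only link is a bare IP address (the sample just above) and the short, mostly-numeric "testing the waters" messages kisrael noticed. Word lists, thresholds and the constructed sample messages are assumptions made for this example.

```python
"""Heuristics for the e-card lure and the numeric probe messages
(constructed example; word lists and thresholds are assumptions)."""
import re

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org))\b")
CARD_WORDS = ("greeting card", "postcard", "your card", "e-card")

# Sample body reconstructed from the post above; the IP was already
# altered by the poster, which is why the first octet is out of range.
SAMPLE_CARD = """Hi. Worshipper has sent you a greeting card.
See your card as often as you wish during the next 15 days.
If your email software creates links to Web pages, click on your card's
direct www address below while you are connected to the Internet:
http://682.81.0.23/?9907cd64e28cae3d7703a3b01bdade
We hope you enjoy your awesome card.
Wishing you the best, Administrator, americangreetings.com"""


def url_hosts(text):
    """Host part of every http(s) URL in the text, port stripped."""
    return [m.group(1).split(":")[0].lower() for m in URL_RE.finditer(text)]


def is_ip_literal(host):
    """Dotted quad, valid or not: a lure that points at a raw address
    instead of the card service's hostname is the tell here."""
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def ecard_lure_score(subject, body):
    """Return (score, reasons).  Each heuristic alone is weak; the
    combination of card wording, a raw-IP link and a named sender domain
    that no link actually goes to is what this campaign looked like."""
    reasons = []
    text = (subject + "\n" + body).lower()
    hosts = url_hosts(body)
    if any(w in text for w in CARD_WORDS):
        reasons.append("greeting-card wording")
    if any(is_ip_literal(h) for h in hosts):
        reasons.append("link points at a bare IP address")
    claimed = set(DOMAIN_RE.findall(body.lower()))
    linked = {d for d in claimed
              if any(h == d or h.endswith("." + d) for h in hosts)}
    if claimed and not linked:
        reasons.append("names a sender domain that no link goes to")
    return len(reasons), reasons


def looks_like_probe(subject, body):
    """Subject and body are two different short (6-10 char) strings that
    are mostly digits, with no selling content at all."""
    def short_numeric(s):
        return 6 <= len(s) <= 10 and sum(c.isdigit() for c in s) > len(s) // 2
    s, b = subject.strip(), body.strip()
    return short_numeric(s) and short_numeric(b) and s != b


if __name__ == "__main__":
    print(ecard_lure_score("You have received a greeting card", SAMPLE_CARD))
    print(looks_like_probe("8a29471", "30174b2"))
```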

Mandatory Disconnect of Infected Computers (2, Insightful)

BoRegardless (721219) | more than 7 years ago | (#20158551)

Make it a Federal Law that ISPs must disconnect infected computers, and users would be forced to fix things very quickly.

Then if a botnet attack comes, turn off the overseas pipes as needed. Yeah I am a dreamer, but I am at least half way practical.

What about the Twinkie? (0)

Anonymous Coward | more than 7 years ago | (#20158715)

Imagine this twinkie represents the total amount of Storm Worm spam in the financial sector networks alone...

...That's a big twinkie...

Re:What about the Twinkie? (1)

Kris_B_04 (883011) | more than 7 years ago | (#20158847)

But is it better than carrying an unlicensed nuclear accelerator on our backs? :)
Kris

SPAM - the stupid side of things... (1)

PortHaven (242123) | more than 7 years ago | (#20159121)

Government and Big Corp always seem to be there when you don't want them. But they're never there when you do.

For years I've wondered why we have such a persistent SPAM problem. There are a number of things that can be done - but aren't.

- I don't believe there is ANY excuse for old viruses to circulate the web. I understand a new virus, but once a virus is known it should be stopped at the ISP & backbone levels.

- Where is the government? SPAM supposedly costs businesses billions of dollars a year. That would mean to me that a portion of the trillions of dollars paid to the U.S. government in taxes should be allocated to its cessation. Nail the spammers, and nail them hard.

- I get the same Myspace SPAM message a few times a week for a year now. So do most others on MySpace. The spam uses the same image for finance loans over and over. WHY? It should have been stopped ages ago.

- How to stop it...well, the easy way is to have a government or corporate entity utilize the SPAM service and trace the money back to its source. Oh, and don't tell me that it's outside of our jurisdiction in some 3rd world country.

- If it's in a third world country. Let's help that nation's economic situation. A nice reward for x individual and company to be shut down would do wonders. Now, if that $10,000 reward happens to have Storm Controller's head removed from his body. It'd be a downright dirty shame...but not much more.

*growls*

Cool (1)

nurb432 (527695) | more than 7 years ago | (#20159165)

With a bit of luck it will kill the entire net for days, perhaps weeks.

Then perhaps something might actually be done about this nonsense once and for all. The only way something will get done is if it hits the pocket books of enough 'big players'.

Question on attachments (0)

Anonymous Coward | more than 7 years ago | (#20159203)

In the past few weeks I've been seeing a lot of the "greeting card" mail. But in the past few days I've seen a huge increase in spam, most of it with a .pdf attachment. More of the same or something else?

not important (1)

memnock (466995) | more than 7 years ago | (#20159449)

ahh. that explains my hour's worth of BSOD yesterday. couldn't have been anything i intentionally did. heh.