Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Storm Worm Evolves To Use Tor

CmdrTaco posted more than 7 years ago | from the guess-who's-back dept.

Security 182

An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."

Sorry! There are no comments related to the filter you selected.

Are we late to the party? (5, Interesting)

Jennifer York (1021509) | more than 7 years ago | (#20528035)

I'm surprised that it took this long for them to try to hide their tracks through anonymizers. Perhaps they've been doing this for quite sometime, and just now are we catching on to the technique...

It just makes sense, and is obvious, and a natural progression of the technology..... Hey! Maybe I should write a patent!

Re:Are we late to the party? (4, Interesting)

liquidpele (663430) | more than 7 years ago | (#20528053)

It's not that it's using anonymizing techniques that's new (they've always done this by using links to files already available on public webservers, or going through proxies, or spoofing where possible). This is just that the emails have changed from "verify your credentials with Bank XXX" to "Protect your privacy, downl0ad Tor (not trojan, we promise!)"

Re:Are we late to the party? (4, Funny)

VGPowerlord (621254) | more than 7 years ago | (#20528101)

I'm still not sure why people would actually listen to that. I mean... why would anyone just download a random program from a website without looking up said program in, say, google to see what it actually does?

Unlikely (5, Funny)

Anonymous Coward | more than 7 years ago | (#20528119)

Yeah, if people would do crazy shit like that then we'd have botnets consisting of billions of computers... oh wait.

Re:Are we late to the party? (3, Informative)

liquidpele (663430) | more than 7 years ago | (#20528133)

If it's something they've never heard of before, people are more likely to download and try it out of curiosity I suppose. But I do agree that it's the same old thing where you have to not be thinking to clearly or just not understand computers to be fooled to run it.

TFA says it's already detected by antivirus as Email-Worm:W32/Zhelatin.IL. so as long as the users have some antivirus they should still be okay too.

Re:Are we late to the party? (0)

Anonymous Coward | more than 7 years ago | (#20528275)

Zhelatin sounds like one of those fake/cheap drugs they sell in spam.

Re:Are we late to the party? (2, Interesting)

Anonymous Coward | more than 7 years ago | (#20529451)

> as long as the users have some antivirus...

Since storm is controlled peer-to-peer, shouldn't it be possible to co-opt it into sending out anti-virus spam?

The real problem with a huge/scary bot net like this, is not that a small group of people can control it, but that in theory anyone can take it over for their own purposes.

Re:Are we late to the party? (2, Funny)

maxwell demon (590494) | more than 7 years ago | (#20528527)

I'm still not sure why people would actually listen to that. I mean... why would anyone just download a random program from a website without looking up said program in, say, google to see what it actually does?
That's easy to solve. Just add a helpful comment to the mail saying:

If you are not sure if you should install this program, get more information at http://www.evil.org/malware/installer.exe!

Re:Are we late to the party? (3, Interesting)

rucs_hack (784150) | more than 7 years ago | (#20528637)

if you look at sites like gamecopyworld.com you will find a wealth of programs that people will download for legitimate (in the consumers mind) use, to mean they can keep their game dvds in their boxes. Add 'trainers' and 'fun free games' to the list and your looking at the majority of casual downloads not directly involving pron or media.

The main problem though is closed source. If source is closed, then there is no easy way to find malicious code before it is deployed on your system. Ok, I'm speaking as a programmer, so that would be useful for me, not a non coder. Still, the point remains, binary distribution only means trouble, be it storm, a sony rootkit, or just 'phone home' code in a program.

What we need is something sort of like gentoo, where all programs are compiled locally, and the code can be inspected for malicious intent. Alas such technology, while it does exist, does not exist in a form that could be disseminated and used by people with no technological background. This is a pipe dream for the moment, I know this. Especially since I tried once to compile openoffice locally (18 hours I think). Perhaps trusted compile farms that deliver fresh binaries?

Waxing lyrical I know, but there has to be an answer somewhere.

Re:Are we late to the party? (2, Insightful)

ThisNukes4u (752508) | more than 7 years ago | (#20528925)

Only if you can also trust the compiler chain [cmu.edu] .

Re:Are we late to the party? (2, Insightful)

CastrTroy (595695) | more than 7 years ago | (#20529113)

Just because somebody can verify the code, doesn't mean I want to spend days/weeks looking through all the code in a newly downloaded program, just to verify that it isn't doing something I don't want it to, and hope that I didn't miss anything in the millions of lines of code. Do most people who use Gentoo even bother reading more than 1% of the code? Sure it's good after the fact if you find malware that you can pin it on someone, but the best way to deal with this stuff is don't run software from untrusted sources, regardless of whether or not it's open source. I'd much rather run most of my stuff out of some sort of sandbox, at least the stuff that isn't speed critical (like RDBMSs and such) so that I can monitor what they are trying to do. Things such as going on the internet should be flagged, as well as writing to certain folders. Think of it like a firewall, only for all conceivably bad actions, not just network traffic.

Re:Are we late to the party? (5, Insightful)

plover (150551) | more than 7 years ago | (#20528865)

Because the modestly intelligent person you are hoping for might think, "This says to install tor, let me open a new window and google for it. Hey, this tor thing looks pretty good!" It's the sort of reaction we encourage people to have, to do some research before installing.

Of course, they then follow the original link from the worm and they still get the trojan. So close, and yet so far... sigh.

Re:Are we late to the party? (5, Informative)

Urd.Yggdrasil (1127899) | more than 7 years ago | (#20528105)

They aren't using Tor to hide their traffic, their trying to trick users into download a Trojan saying that it is a Tor executable and they need to protect their privacy. The Storm bot net uses a system called Fast Flux to hide traffic.

Re:Are we late to the party? (1)

zippthorne (748122) | more than 7 years ago | (#20528267)

Surely they are also using their compromised TOR nodes for some nefarious deeds. Like de-anonymizing...

Re:Are we late to the party? (1)

Goaway (82658) | more than 7 years ago | (#20528691)

Why the hell would they care about de-anonymizing? No money in that.

Re:Are we late to the party? (2, Insightful)

plover (150551) | more than 7 years ago | (#20528895)

Why the hell would they care about de-anonymizing? No money in that.

Are you kidding? If you could trace back a tor link to gaysex.com/bathroomEncounters.mpg to Senator Larry Craig's machine, don't you think TV shows like Dateline would be offering you tens of thousands of dollars for it?

Um... excuse you? (4, Funny)

Linkiroth (952123) | more than 7 years ago | (#20529397)

Your link didn't work.

Re:Are we late to the party? (0)

Anonymous Coward | more than 7 years ago | (#20529349)

No. They aren't using Tor at all, other than the name. The binary you download is just a bunch of trojans. They have no compromised nodes. The story title is wrong.

Re:Are we late to the party? (0)

Anonymous Coward | more than 7 years ago | (#20529537)

As has been pointed out above, they are not using Tor. You don't need something like Tor if you are willing to hack into a bunch of computers yourself, and you you don't need the added protection of a mix network. They have been using proxy chains that exploit legal and cultural barriers for some time now. This is enough of a problem for law enforcement that the focus tends to stay on the money trail, Western Union, people letting them use their bank accounts for money laundering, and so on.

creators' newclear power evolves to impede... (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20528057)

unprecedented evile's hostage style stranglehold on most of US.

you call this weather?

it's only a matter of time/space/circumstance.

previous post:
mynuts won 'off t(r)opic'???
(Score:-1, Offtopic)
by Anonymous Coward on Thursday August 30, @10:22AM (#20411119)
eye gas you could call this 'weather'?

http://video.google.com/videoplay?docid=8004881114 [google.com] [google.com] 646406827 [google.com]

be careful, the whack(off)job in the next compartment may be a high RANKing corepirate nazi official.

previous post:
whoreabull corepirate nazi felons planning trips
(Score: mynuts won, robbIE's 'secret' censorship score)
by Anonymous Coward on Wednesday August 01, @12:13PM (#20072457)
in orbit perhaps? we wouldn't want to be within 500 miles of the naykid furor at this power point.

better days ahead?

as in payper liesense hypenosys stock markup FraUD felons are on their way out? what a revolutionary concept.

from previous post: many demand corepirate nazi execrable stop abusing US

we the peepoles?

how is it allowed? just like corn passing through a bird's butt eye gas.

all they (the felonious nazi execrable) want is... everything. at what cost to US?

for many of US, the only way out is up.

don't forget, for each of the creators' innocents harmed (in any way) there is a debt that must/will be repaid by you/US as the perpetrators/minions of unprecedented evile will not be available after the big flash occurs.

'vote' with (what's left in) yOUR wallet. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi life0cidal glowbull warmongering execrable.

some of US should consider ourselves very fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate.

it's right in the manual, 'world without end', etc....

as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis.

concern about the course of events that will occur should the corepirate nazi life0cidal execrable fail to be intervened upon is in order.

'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

Re:creators' newclear power evolves to impede... (-1, Offtopic)

VGPowerlord (621254) | more than 7 years ago | (#20528077)

Thank you for showing us what comment spam looks like. Unfortunately, and I'm sure I speak for others when I say this, we already know what spam looks like, so STFU.

yeah butt,,,,, presenting as a lord of some sort (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20528131)

do you really know your .asp from a hole in the ground/your soul, or imploding solar system? or, anything except fear/ignorance based criticism?

so, kma

it's only a matter of time/space/circumstance.

previous post:
mynuts won 'off t(r)opic'???
(Score:-1, Offtopic)
by Anonymous Coward on Thursday August 30, @10:22AM (#20411119)
eye gas you could call this 'weather'?

http://video.google.com/videoplay?docid=8004881114 [google.com] [google.com] 646406827 [google.com]

be careful, the whack(off)job in the next compartment may be a high RANKing corepirate nazi official.

previous post:
whoreabull corepirate nazi felons planning trips
(Score: mynuts won, robbIE's 'secret' censorship score)
by Anonymous Coward on Wednesday August 01, @12:13PM (#20072457)
in orbit perhaps? we wouldn't want to be within 500 miles of the naykid furor at this power point.

better days ahead?

as in payper liesense hypenosys stock markup FraUD felons are on their way out? what a revolutionary concept.

from previous post: many demand corepirate nazi execrable stop abusing US

we the peepoles?

how is it allowed? just like corn passing through a bird's butt eye gas.

all they (the felonious nazi execrable) want is... everything. at what cost to US?

for many of US, the only way out is up.

don't forget, for each of the creators' innocents harmed (in any way) there is a debt that must/will be repaid by you/US as the perpetrators/minions of unprecedented evile will not be available after the big flash occurs.

'vote' with (what's left in) yOUR wallet. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi life0cidal glowbull warmongering execrable.

some of US should consider ourselves very fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate.

it's right in the manual, 'world without end', etc....

as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis.

concern about the course of events that will occur should the corepirate nazi life0cidal execrable fail to be intervened upon is in order.

'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

Storm is still a trojan, not a worm (4, Insightful)

A beautiful mind (821714) | more than 7 years ago | (#20528061)

As always, it works based on user stupidity, not programmer stupidity.

Re:Storm is still a trojan, not a worm (3, Insightful)

Spy der Mann (805235) | more than 7 years ago | (#20528385)

As always, it works based on user stupidity

Oh no, the internet's doomed! :(

Ummm. (1)

crhylove (205956) | more than 7 years ago | (#20528065)

Anybody here taking this activity more seriously? For instance, is there a possibility that this is a military operation? Seems a lot more advanced than most of the usual spam/bot/virus stuff I read about. I hope they don't screw up TOR, especially since I'm living in more and more of a police state these days (US).

Re:Ummm. (2, Insightful)

memnock (466995) | more than 7 years ago | (#20528103)

if TOR goes down, it's likely another network would pop up in it's place.

Re:Ummm. (4, Funny)

Colin Smith (2679) | more than 7 years ago | (#20528115)

Seems a lot more advanced than most of the usual spam/bot/virus stuff I read about.
You mean... More intelligently designed?

 

Re:Ummm. (1)

Urd.Yggdrasil (1127899) | more than 7 years ago | (#20528127)

It's more advanced to prevent zombies from being found and cleaned as easily. The gang running the Storm bot net are making money hand over fist using it and don't want to lose it.

Re:Ummm. (2, Informative)

Silver Sloth (770927) | more than 7 years ago | (#20528223)

For instance, is there a possibility that this is a military operation?
No, this is private entrprise at its best - the high tech goes where the money is.

What is surprising is that it's taken so long for the spammers to realise that by investing ih a high tech, well engineered solution they can make far more money than the low tech solutions we've seen in the past.

storm=skynet (0)

Anonymous Coward | more than 7 years ago | (#20529177)

storm=skynet

Re:Ummm. (1)

bakuun (976228) | more than 7 years ago | (#20529485)

I think it perfectly possible that it's a military operation. Perhaps not very likely - there are more cyber criminals out there than there are governments interested in this sort of stuff - but not impossible. A government having control over this sort of network could cause immense destruction of the infrastructure of an enemy country. And if it was a military operation, of course they would like it to look like a private thing - until they unleash it in full scale against whatever target they choose. It doesn't even need to have been constructed in anticipation of such an operation - it might just have been created for the having the capabilities if need would arise.

Re:Ummm. (0)

Anonymous Coward | more than 7 years ago | (#20529401)

<tinfoil hat="on">
Is it inconceivable in the face of the eroding of the USAPATRIOT act and warrantless wiretapping via constitutionality claims that the U.S. Government would engage in a very sophisticated attack against the things that Americans hold so dear, such as anonymity and the fear of cyber-warfare, in an effort to pass even more intrusive legislation in an otherwise unregulated market? They can get AT&T to tap the phone lines but haven't been so successful with the myriad independent ISPs. Who have been the latest victims of the attack -- file sharers and Estonia (!) Estonia is merely a proving ground to install (yet more) global fear. File sharers of course are destroying "Intellectual Property" - practically the only thing the U.S. even exports any more. This thing goes from being virtually unheard of to global domination nearly overnight based solely on the ability to manipulate a gullible populace, a tactic with which this administration is highly prolific. So, you tell me - is it _inconceivable_?
</tinfoil>

If they start providing nodes this could be good (0)

Anonymous Coward | more than 7 years ago | (#20528107)

If some of their hijacked machines become tor nodes (either kind) this could be helpful. It would allow for more bandwidth through tor and reduce the fraction of nodes run by the NSA making traffic analysis harder.

Spelling... (4, Insightful)

rumith (983060) | more than 7 years ago | (#20528109)

using spam to try and convince users of the necessity of using Tor for there communications.
It took me a second to understand what the author meant. Spell-checking, anyone?

Speaking on topic, I'd like to correct one of the previous posters: it's not a mere variation on the "Use XXX Bank" theme; as far as I understand, Tor has been picked among tons of other software that could be infected and supplied to users because it helps the spammers in covering their tracks, since their email is routed through Tor now.

Re:Spelling... (1, Informative)

Anonymous Coward | more than 7 years ago | (#20528175)

"there" looks to be spelled correct to me.... I think you could use the spell checker and the previous poster could use a lesson in grammar "there" vs. "their" :)

Need editors who EDIT (4, Funny)

The Monster (227884) | more than 7 years ago | (#20529105)

Arguably, what is needed is the low-tech sort of spell-checker. Before we had automated computer programs, newspapers had people called 'copy editors' who would proofread the articles submitted by the reporters. They were looking not only for spelling, grammar, and usage problems, but they also would do fact-checking.

Perhaps we could make the distinction clear this way: A machine that sells soft drinks is often referred to as a 'vender', while the guy selling hot dogs is more likely to be called a 'vendor'. With that in mind, I have toyed with a similar convention for other verb+er nouns:

The person who checks spelling could be a spell-checkor, and the computer program would remain the spell-checker; the human surfing the Web would be a browsor, using a browser program. Programs such as vi or emacs would be editers....
It's got as good a chance of adoption as *bibyte does.

Now, if Cmdr Taco could just get editors who actually EDIT... Oh. He's the 'editor' who ran this story? Never mind.

Re:Spelling... (1, Informative)

RAMMS+EIN (578166) | more than 7 years ago | (#20528189)

``

using spam to try and convince users of the necessity of using Tor for there communications.


It took me a second to understand what the author meant. Spell-checking, anyone?''

Wouldn't help here. It's a correctly spelled word...just not the right word.

Re:Spelling... (1, Informative)

Anonymous Coward | more than 7 years ago | (#20528217)

It looks like a variation on the "Use XXX Bank" theme to me. The spam mail looks like this:

-8<-8<-8<-
Do you trade files online? Then they will come after you. Read the news on
RIAA and what they are doing to everyone they find. Tor will keep them
from finding you. Keep the internet private and down load our program for
free. <a
href="http://69.255.111.145/">Download Tor</a>
-8<-8<-8<-

The tor.exe file isn't a real tor executable, but it contains the storm trojan instead.

Who is behind the Storm Botnet? (5, Interesting)

kryptkpr (180196) | more than 7 years ago | (#20528113)

There is an excellent article in Wired from several weeks ago from when Storm was used to DDoS the entire country of Estonia for 2 weeks. A fantastic read, but here's a particularly scary excerpt: Hackers Take Down the Most Wired Country in Europe [wired.com]

If that is the case -- if Azizov isn't trying to cloud the issue -- the implication is perhaps more troubling. It suggests that there is a group of Russian hackers who, on their own, can disrupt the routine functioning of commerce, media, and government any time they want. If so, these hackers represent a stateless power -- a sort of private militia.

While the article does contain a lot of speculation and sketchy sources (like the above quoted Azizov) the evidence does seem to be pointing in a particular direction:

I ask him why anyone would trust him. After all, he seems to have a suspiciously intimate knowledge of the Estonian attacks. "Russian IT specialists are knowledgeable and experienced enough to destroy the key servers of whole states," he says. "They're the best in the world."

The implication: Clearly you want them on your side, so why not hire them? Maybe Estonia was simply an advertising campaign.

It's starting to look an awful lot like another Cold War is coming, except this time it will be a Cyber war waged by turning your enemy's (and the rest of the world's) poorly secured computers against their critical infrastructure while the actual government absolves itself of blame. Nice.

Re:Who is behind the Storm Botnet? (1)

X0563511 (793323) | more than 7 years ago | (#20528531)

It is a hell of a lot easier to shut off (parts of) the internet than to shut off another countries nuclear weapons. This isn't going to be a "cold war".

It will just result in things like IPSec and Kerberos being used on a wider, more general, and lower level... if it results in anything at all.

(what I mean is: can't authenticate? Can't send data beyond this switch, sorry.)

Re:Who is behind the Storm Botnet? (0, Offtopic)

zeromorph (1009305) | more than 7 years ago | (#20528601)

Nice article. My main fear is, when the internet community won't do anything the governments will even more try to regulate, monitor and control the internet. And their solution won't be to disconnect all poorly patched MSWindows machines.

As bad as it is for tor, Estonia or individual sites, let this happen two three times and someone will start crying we have to monitor this, we have to outlaw that...

-my2cents

Oh and I hate this "Hackers Take Down the Most Wired Country in Europe" -- hackers? Crackers or what ever! But that is probably really a lost cyber (discourse) war.

Re:Who is behind the Storm Botnet? (2, Insightful)

Opportunist (166417) | more than 7 years ago | (#20529385)

"Hackers"? "Crackers"? Could we simply say "assholes" and concentrate on something meaningful? Like, finding some solution to it before our politicians get active and replace their cluelessness with operative hectic? It's fairly certain that some kind of law will be created, most likely one that has nothing to do with the problem, doesn't adress it at all, doesn't solve a thing and cripples the net.

Re:Who is behind the Storm Botnet? (1, Flamebait)

Opportunist (166417) | more than 7 years ago | (#20529351)

And who made it all possible? Clueless morons who can't keep their computer updated and click everything sent to them. But of course, you can't do a thing against them. After all, they're who make everyone happy. ISPs, because they pay without using bandwidth. "Service" providers, because they pay for crap they could get easily for free. And of course various other companies who sell crap through the net. And hey, they even give me absolute job security, because for as long as those idiots litter the net, I will have a job trying to create a defense against the flood of malware their botted machines spew out.

Well, now they enabled the criminal elements to hold companies, countries and whole regions hostage.

So, now mod me flamebait and let's go on with our lives as long as we can. Sorry for the rant, but I'm really getting fed up. For every crappy thing in life you need some license, some test, some qualification, or at least you're liable if you turn out to be too stupid to operate it safely. But on the 'net...

Ok, ok, I stop the rambling. I think I'll just go out and check if the sky's still blue. Haven't seen it since the advent of MPack.

Who are the stormbot people? (2, Interesting)

tjstork (137384) | more than 7 years ago | (#20528135)

Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators. From there, you can just send in a special forces team and just whack the guys. If one nation allows its citizens to hijacking of the assets of millions of another nation's citizens, isn't that just piracy by any other name, and if so, isn't that kind of an act of war?

Re:Who are the stormbot people? (5, Informative)

Urd.Yggdrasil (1127899) | more than 7 years ago | (#20528165)

The group running the system is taking precautions to avoid detection, such as using Fast Flux [honeynet.org] Also it is speculated that they are in a former Soviet block country, which tend to have very poor laws and few resources to go after such people.

Re:Who are the stormbot people? (2, Funny)

Colin Smith (2679) | more than 7 years ago | (#20528735)

Damnit. The bad guys get all the best software!
 

So would IPv6 actually fix this? (2, Interesting)

tjstork (137384) | more than 7 years ago | (#20529965)

I've read that IPv6, because it includes the MAC, could theoretically help this. But is that true? Could the MAC be spoofed? Or, could an ISP include coupling hardware that validates the MAC and the packet sent are the same? Theoretically, you could require that in network hardware manufacturing, so that a NIC Card would not be allowed to transmit a packet with an address that wasn't from it. But would that be enough?

Even if you weren't ideologically predisposed to sending in the SEALs to whack people for sending out spyware, you could at least block the source traffic and then gradually clean up the already infested machines or rob them of command and control without firing a shot.

I just get enraged by all of these attacks as, honestly, giving money to security people is a sort of a trampling of my job and freedom. The internet is reduced to, our "white warlords" versus their "black warlords", and I think this arrangement is total crap. I can't stand the world where we can't send EXE's as attachments and even images are suspect because I remember how cool the internet was when you could.

Re:Who are the stormbot people? (5, Interesting)

Anonymous Coward | more than 7 years ago | (#20528229)

Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators.
Theoretically "yes". But in practice the answer is "no".

The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers. And they can tripwire their nodes so that after 30 minutes of use as a bouncer, the hard disks are overwritten with 0's (although in most cases this isn't required as IP addresses wouldn't be stored anyway).

A chain of 20 hacked computers spanning the globe operating as routers is not easy to trace. You have to talk to each owner in the chain one-by-one and catch the bounced connection in realtime to reveal the IP for the next node in the chain. And the attackers can obfuscate their presence by programming their bots to simulate these proxy connections at random. Imagine having to trace through 100,000 chains, each containing 20-30 routing nodes. These chains are completely dynamic and randomly change every half an hour.

The Storm botnet is almost the "perfect hack" unless the perpetrators make some big mistakes. If the owners of this botnet installed Freenet on all the bots, we'd have an unenforceable darknet which can only be blocked (maybe! - if you're really lucky) at the ISP. Anyone could tap into this new darknet and do as much internet crime as they like without ever having to worry about getting caught.

Re:Who are the stormbot people? (0)

Anonymous Coward | more than 7 years ago | (#20528343)

The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers.


That's not how they'll be identified and isn't even necessary when investigators can follow the money. The prospects for criminal charges are slim [wikipedia.org] .

Re:Who are the stormbot people? (2, Interesting)

1u3hr (530656) | more than 7 years ago | (#20528651)

Theoretically "yes". But in practice the answer is "no". The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers

So work from the other end. How do they make their money? Sending spam, apparently. How does spam make money? Currently, either by getting suckers to send money to them (viagra, Rolexes, etc) or pumping stocks the spammers have bought. In both cases, there must be a money trail, much easier to track than chasing a chain of proxies. Then squeeze these guys till they give up their associates, and eventually the botnet controllers. It takes a government to pressure the stock exchanges, credit card agencies and banks to give up their customers, though, vigilantes aren't going to get anywhere.

Re:Who are the stormbot people? (1)

LehiNephi (695428) | more than 7 years ago | (#20529193)

There are a couple other ways these people make money:
--Phishing, with the fake sites hosted on compromised machines
--Racketeering - "That's a nice website you got there. It'd be a shame if something....happened to it, capiche?"
--Mercenary - one company/country/individual pays the botnet owner to DDoS or crack an enemy's machine

Now the first of these leaves a money trail of some sort, as long as the phisher does a wire transfer. If it's a credit-card phishing scheme, it's much harder to trace, particularly if the phisher creates a duplicate card. If the racketeer is smart, he won't leave a money trail from that one--an envelope of cash is difficult to trace. The mercenary side will also be very hard to trace, since the money only changes hands between the botnetter and his customer, leaving the victim with no clues as to the origin of the attack or any idea where the money trail starts.

The problem with cracking down on this sort of crime is one of simple economics: the botnetters are providing a service which some people consider valuable (for whatever reason), and for which these people are willing to pay. As long as that is the case, and as long as the risk of getting caught is low, and as long as the consequences of getting caught remain relatively light, there will continue to be people willing to provide the service, legal or not. The same thing happened with Prohibition, and is common now with respect to things like speeding limits and violating copyright online.

Re:Who are the stormbot people? (1, Insightful)

RAMMS+EIN (578166) | more than 7 years ago | (#20528239)

Oh my. I hate to say it, but you sound so much like a stereotypical right-wing ignoramus right now. I mean no personal offense, but you just gloss over the technicalities of finding the criminals as if it's not difficult at all, then propose violence...almost _war_ against a sovereign nation as recourse.

Send the marines, yeah! Violence is the solution! If it doesn't work, use more!

It worked before, right? I mean, we've caught Osama, Afghanistan and Iraq are all peaceful and dandy now, there is no anti-American sentiment in Vietnam or anywhere in the world. Everybody loves the USA, because of brililant minds like you!

*pins a medal on tjstork*

Re:Who are the stormbot people? (-1, Flamebait)

tjstork (137384) | more than 7 years ago | (#20528247)

It worked before, right? I mean, we've caught Osama, Afghanistan and Iraq are all peaceful and dandy now, there is no anti-American sentiment in Vietnam or anywhere in the world. Everybody loves the USA, because of brililant minds like you!

I would note that millions of people who liked the USA in Vietnam were executed after you left wingers sold them out. Hopefully, we won't make THAT mistake again!

In the meantime, the USA has liberated Afghanistan from the Taliban, Iraq is on the upswing, and yes, the forces of Freedom are on the march. Maybe you can delude yourself into thinking that a 8th century mullah threatening to blow up someone's children for getting a job is the same as a US contractor trying to build schools for them. Given time, eventually, the truth will be revealed and they will see which side is really evil and which side is really good, and those people are going to choose to live for themselves, or to be enslaved by the very dictators that you left wing traitors continually support.

Re:Who are the stormbot people? (3, Insightful)

liquidpele (663430) | more than 7 years ago | (#20528295)

"Iraq is on the upswing"

If by upswing, you mean on the verge of civil war...
I'd recommend reading bbc.co.uk instead of Fox news there buddy.

I really hope Iraq turns for the better, but right now everyone educated there is packing up and leaving so It's going to be really hard.

Re:Who are the stormbot people? (1, Insightful)

tjstork (137384) | more than 7 years ago | (#20528505)

If by upswing, you mean on the verge of civil war...

But less so than a year ago. sectarian killings are down. Anbar is quieting up. Baghdad is, yes, basically being ethnically cleansed, and right we're really more presiding over a partition of the country than its unification.. but it is what the people of Iraq really want...

I'd recommend reading bbc.co.uk instead of Fox news there buddy.

bbc.co.uk is farther to the left than Fox is to the right. Ideologically, the BBC is absolutely an absurdly liberal institution but even their radio commentators on the BBC News Hour on NPR will tell you that the United States has an obligation to remain in Iraq.

Mostly, I'm basing my assesment on the military blogs and people that I know who are there. Petreaus is the general we should have had from the get go, but the USA has a history of going to war with incompetent generals and then switching gears to "get er done"... the civil war is the most famous example, but we sure had a few sore spots in WWII as well.

It seems like life is improving in Anbar, which was a difficult province for us. It's the shiite areas that are problematic now, but, even so, Kurdish + Sunni areas already give us a peaceful majority of Iraq, which is certainly an improvement. If you would have asked me about Iraq, pre-surge, I would have said, let's just leave and let them all kill each other. they are all muslims anyway... but, it seems like that bigotry is proving remarkably unfounded. The vast majority of Iraqis are not suicide bombing each other.

Look at the timeline. (1)

khasim (1285) | more than 7 years ago | (#20528707)

But less so than a year ago. sectarian killings are down. Anbar is quieting up. Baghdad is, yes, basically being ethnically cleansed, and right we're really more presiding over a partition of the country than its unification.. but it is what the people of Iraq really want...

The killings are "down" in that each section has pretty much killed everyone they didn't like in that section. Or the people that were being targeted have run away.

But warlordism is not a basis for a stable country. Which is why Iraq's "government" is completely ineffectual.

Ideologically, the BBC is absolutely an absurdly liberal institution but even their radio commentators on the BBC News Hour on NPR will tell you that the United States has an obligation to remain in Iraq.

Try addressing their specific points rather than dismissing them because of a "ideology" that you ascribe to them.

Mostly, I'm basing my assesment on the military blogs and people that I know who are there.

Sure you are. Always the anonymous sources.

Petreaus is the general...

And when he fails, the next general will be the one "we should have had from the get go".

And when that one fails, the general after him will be the one.

Repeat until we, eventually, leave.

It seems like life is improving in Anbar, which was a difficult province for us.

Again, give one side enough time and it will settle down because it will have killed everyone it doesn't like.

It's called "warlordism" and it does not make for a stable government.

It's the shiite areas that are problematic now, but, even so, Kurdish + Sunni areas already give us a peaceful majority of Iraq, which is certainly an improvement.

The Kurds have been fairly peaceful ever since we established the "no fly zones" over their territory after Gulf War I. So don't go claiming that that is any improvement.

Now it is just over who controls the oil fields and who gets stuck with the worthless territory.

If you would have asked me about Iraq, pre-surge, I would have said, let's just leave and let them all kill each other.

That is what you are advocating right now.

That is what you are touting as the "success" here.

they are all muslims anyway

Gotta love that kind of insightful commentary.

Re:Look at the timeline. (2, Insightful)

tjstork (137384) | more than 7 years ago | (#20529577)

The killings are "down" in that each section has pretty much killed everyone they didn't like in that section. Or the people that were being targeted have run away.

That's not true, particuarly, in Anbar. What happened in Anbar was that Al Qaeda was very popular because the people saw two things: a) the USA was overwhelmingly pro-shiite at Sunni expense, and that b) Al Qaeda said they were anti-American. However, Al Qaeda tried to establish a very strict brand of Islam, and started doing things like execute Iraqi Sunnis for crimes such as smoking a cigarette. Meanwhile, the USA switched its tactics, and, through a mixture of killing Al Qaeda, greasing a few palms, and outright negotations with the very Sunnis we were fighting, established the belief that we weren't out to destroy the Sunnis, and that, we were really after AQ, and that we wanted a stable Iraq. Pushing Maliki to include Sunnis was a huge part of that.

And when he fails, the next general will be the one "we should have had from the get go".

If he fails. Signs are, he has not.

The Kurds have been fairly peaceful ever since we established the "no fly zones" over their territory after Gulf War I. So don't go claiming that that is any improvement

Boy, that's a way to whitewash things. The Kurds aren't just peaceful, they are actually starting to have an economy.

Now it is just over who controls the oil fields and who gets stuck with the worthless territory.

The fact of the matter, is that the USA is pushing the Malika government to adopt something like the Alaska model for oil revenues - where every Iraqi would just get a piece of the oil money.

Gotta love that kind of insightful commentary.

My commentary is a thousand times more insightful than yours will ever be. You should really just be reading everything I write and become my disciple. I don't hold your ignorance against you. I really just want to save you, because, as a fellow human being, I kinda like you!

Further refutations... (1)

tjstork (137384) | more than 7 years ago | (#20529627)

First off, the BBC's bias is legendary and self admitted.

http://www.dailymail.co.uk/pages/live/articles/new s/news.html?in_article_id=411846&in_page_id=1770 [dailymail.co.uk]

They admit they are biased liberals because they feel that their view of society is intrisincally better. It doesn't mean that you can't just not listen to them, any more than you would tune out Fox. It just means that you need to know what their agenda is, and not take what they say without a grain of salt.

Sure you are. Always the anonymous sources.

As opposed to you, merely making things up, to suit your political agenda.

Re:Who are the stormbot people? (1)

MrNaz (730548) | more than 7 years ago | (#20528485)

When I read opinions like yours, I am left speechless every time. Even though by now I am used to head-up-the-arse, totally ignorant people on Slashdot, people like you never cease to amaze me. You are truly a leader among fools.

Re:Who are the stormbot people? (1)

Colin Smith (2679) | more than 7 years ago | (#20528889)

US contractor trying to build schools for them
You're aware that "US Contractor" is a euphemism for mercenary soldier?

e.g.
http://www.blackwaterusa.com/ [blackwaterusa.com]

 

Re:Who are the stormbot people? (1)

RAMMS+EIN (578166) | more than 7 years ago | (#20528903)

``Given time, eventually, the truth will be revealed and they will see which side is really evil and which side is really good, and those people are going to choose to live for themselves, or to be enslaved by the very dictators that you left wing traitors continually support.''

I do hope that given time, the truth will be revealed. However, with lies being spread and believed on both sides, it's sometimes hard to be optimistic.

As for dictators enslaving people, that is something I have never supported and never will. If I have my history right, the USA has helped to power and/or supported many dictators in South America and the Middle East. I would have opposed this, had I been alive and a citizen of the USA at the time. As it is, I can only refer to these historical events as examples of the USA not being the angels many people believe they are, and remind people that violence does not usually make people have friendly feelings towards you.

I don't hold Bush and his administration responsible for the 9/11 attacks. Really, I don't think you can be blamed if a determined enemy breaks trough your defenses, and to the extent that the attack was provoked, it was provoked a long time before Bush came to power. I do, however, hold him, his government, and everybody who supported them (especially those who re-elected him) responsible for the actions they took afterwards, including the invasions of Iraq and Afghanistan (resulting in many more deaths than the 9/11 attacks), the deterioration of liberties of American citizens, inhumane treatments of suspects in Abu Ghraib, Guantanamo Bay, and elsewhere, just to name a few of the worst things that come to mind.

I feel I'm doing my part. I try to do my own research (rather than swallowing what the media feeds me). I listen to people and talk to people. I try to understand everybody's point of view and how they came to it. I try to get people to think for themselves, rather then taking their pick among the phrases they hear from others (Assuming you had to choose one, would you kill Osama no matter the cost, or would you rather stop the aggresison against the USA, even if it meant letting some of your declared enemies walk free?). I've spoken out against my country's participation in Iraq, and am currently trying to convince people that silencing those who have criticized that participation wasn't a good idea. Yes, you read that right. The people in charge ignored the criticism before the invasion, and when, a few years later, one minister proposed a re-evaluation of the decission, he was told to shut his mouth in so many words. In the face of that, I can only assume something is wrong, the powers that be know it, and they are afraid of it getting out in the open.

And yet, of course, I am the boogeyman and the supporter of dictators. Well, believe what you believe...but _please_ do so because you actually made a credible effort to get at the truth, and not because "they are on the other side, so everything they say must be wrong" or some other bogus reason. I think there are plenty of bad things being said by all parties here, and so I'm really not on anybody's side, but I want to know the truth, and I want an end to the madness and violence. It saddens me that some politicians apparently have opposing goals. If they spread lies and cause violence, and that seems to be the case, I feel I have not only the right, but the duty to be angry with them.

Re:Who are the stormbot people? (1)

Afecks (899057) | more than 7 years ago | (#20529531)

There you have it folks. Murder, the answer for everything.

When your users are illiterate ... (2, Funny)

DrSkwid (118965) | more than 7 years ago | (#20528149)

it is easier to infiltrate there[sic] communications.

Re:When your users are illiterate ... (0, Offtopic)

pimpimpim (811140) | more than 7 years ago | (#20528255)

You misspelled "you're".

[tin_foil_hat=on] All this is just collateral damage of the great "dumbing the people down" scheme that is needed to get more votes and support for political parties and ideas that make no common sense.

As a side note, as a non-native speaker I have the feeling (based on very unscientific incidental data) that these spelling errors are more often made by native speakers than by foreigners. Maybe because as a foreigner you are thought to be more aware of the differences of these words (that holds for any language).

Re:When your users are illiterate ... (3, Funny)

DrSkwid (118965) | more than 7 years ago | (#20528757)

are you su're ?

skynet? (1)

kicks-ass (977232) | more than 7 years ago | (#20528161)

seems kinda familiar.

Misleading headline (5, Insightful)

yuna49 (905461) | more than 7 years ago | (#20528285)

The Storm worm isn't using Tor.

The spam email in question tells the reader that, if they are running torrents, they should use this Tor thing to cover their tracks. The link points to the trojan. The file in question is about 150K in size, or about 20x smaller than the Windows version of Tor (2-3 MB) on the actual site [eff.org] .

I posted a warning about this very email on a well-known anime site since I suspected some people there might download it in response to the e-mail.

There's also a version that poses as a YouTube video.

Most of these emails have URLs that use IP addresses, not domain names. Between my SpamAssassin rules and Mozilla Thunderbird's built-in anti-malware protections, messages like these are either quarantined or tagged as dangerous. I've not seen an legitimate email from any correspondent that uses URLs with IP addresses in the host part.

I opened the YouTube version in a Windows VM that had Kaspersky installed. It identified an attempted replacement of tcpip.sys and told me it should be quarantined. Unfortunately a ClamAV scan of the file did not detect anything suspicious.

The largest problem with Anti-Virus software is... (1)

Svartalf (2997) | more than 7 years ago | (#20528523)

...that it's akin to closing the barn door after all your livestock's gone out it.

In order for pretty much all Anti-Virus software to work, you're skimming for signatures patterns in the bytes
that leave a tell-tale for the software to "identify" it. It's always lagging by a bit, by the reality of the situation, so
it's truly a reactive solution to a problem that needs more of a proactive one.

That's not to say that the software is not useful for detection of attacks (much like an IDS is for networking...) but that
to rely on it solely as most people in the Windows world does is really being foolhardy. It is only as good as the signature
files are, and a Zero Day or a tough to catch mutator spells the kinds of problems we're seeing right now.

Re:The largest problem with Anti-Virus software is (1)

RootWind (993172) | more than 7 years ago | (#20528733)

Which is why any AV worth its salt is adding virtual machine heuristics. Some like Kaspersky are even integrating HIPS in their pro-active detection module.

Re:Misleading headline (0)

Anonymous Coward | more than 7 years ago | (#20529437)

There's also a version that poses as a YouTube video.

It's not the music video of Whitesnake singing 'Is this love?', now is it? youtube-dl seems to fail in downloading it, but I can view it. For research reasons, that sort of thing...

honest...is what the captchka asked me to type

I had a different email... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#20528327)

At Thu, 6 Sep 2007 13:46:38 +0300 I got this:

Subject: You are being watched online.

Everyone who is doing file trading is at risk. The RIAA is suing one person after another. Tor will stop them from finding you. Take back your privacy. Download it for free, right now. Download Tor [24.15.62.80]
How did they get my email address?

several ways (2, Insightful)

Bananatree3 (872975) | more than 7 years ago | (#20528783)

There are several ways [findarticles.com] spammers get emails. They can do massive internet searches for emails and harvest them that way (if you post on USENET with your email addy its almost gueranteed to be spammed). They also guess a username and if it doesn't bounce back they know they've got a hit.

"there communications"? (0, Offtopic)

BarnabyWilde (948425) | more than 7 years ago | (#20528361)

That's "their", you idiot.

Re:"there communications"? (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#20528435)

And your the 15th person to report this.

Am I the only one that's annoyed by the Crusade Too Stop Bad Speelers and Jihad Too Correct There Misused Words?

Seriously... No one cares outside of High School. Most of the world isn't natural English speakers, and most people have more to do with they're life then give a shit about "oh my god I misused their/there/they're"

Re:"there communications"? (0)

Anonymous Coward | more than 7 years ago | (#20528843)

Seriously... No one cares outside of High School.


Good luck keeping your future job.

Re:"there communications"? (1)

BarnabyWilde (948425) | more than 7 years ago | (#20529291)

I pity you.

You are handicapped if you really believe what you say.

Seriously.

Re:"there communications"? (1)

dasimms (644188) | more than 7 years ago | (#20529387)

OFF TOPIC

I don't know what kind of job you have but luckily I can misspell many things without anyone being an ass and pointing out my mistakes - provided my message is clear. "Their"," there", and "they're" mistakes are easily overlooked and often go unnoticed.

I think what the grammar/spelling nit-pickers fail to realize is while most of us would like to spell perfectly and use grammar correctly, we all do not have access to copy editors to revise our posts to slashdot and make corrections for errors. And if the nit-picker would truly help with a "I think you meant" or even a "I believe you misspelled ...", most of us would acknowledge our mistakes and in the future, attempt to correct our spelling and use correct grammar. Unfortunately, it appears to take a "special" someone to correct other peoples spelling and grammar and politeness does not seem to be their strong suit.

So to all those who correct grammar/spelling, please try to be polite and you may see your pet peeve of bad grammar and incorrect spelling reduced. And to all those whose grammar and spelling are corrected, even though the delivery is poor or even rude, attempting to communicate more clearly and effectively is a noble goal so ignore the delivery but not the message.

Now, back to our regularly scheduled topic - what was it again?

spam for freedom (1)

pandaba (38513) | more than 7 years ago | (#20528519)

I'm wondering if these emails were partially inspired by a Slashdot post. Assuming I'm remembering it correctly, there was a story here about possibly spamming people in China and other internet-restricted places telling them about anonymous proxies, Tor, and other tools to get around gov't censorship.

Thats what I was thinking when I first got one of these emails. I thought that someone went ahead and actually sent out the privacy-oriented spam. Tor is something that your ordinary Pogo-playing, pr0n-surfing user isn't going to know about, so why use Tor in a phishing, bot-infection scenario?

Still strikes me as odd that they would use Tor as the bait. You'd think they would have picked something more appealing to the masses.

Re:spam for freedom (1)

ScrewMaster (602015) | more than 7 years ago | (#20528633)

You'd think they would have picked something more appealing to the masses.

Probably they have. Odds are they're sending out a ton of different emails recommending various downloads. My server extracts all incoming attachments and puts them in a shared folder (my client machines never see attachments, just a note saying that there was one) but I see all kinds of executables coming in, with all kinds of rationales to convince people that clicking the link is a good idea. Tor is just one of them. Unfortunately, my domain is over a decade old so I'm on pretty much everyone's hit list.

Bastards.

Very Dramatic. (1)

G33kGuy (1152863) | more than 7 years ago | (#20528665)

I love how they use words like 'evolve' to describe the actions of programs and viruses, it makes the internet seem like a primal battleground.

I propose a nationwide education campaign (1)

Bananatree3 (872975) | more than 7 years ago | (#20528717)

Seriously, the BEST tool against botnets, virii, worms, etc. is Education. If all computer users understood basic key ideas about not downloading crap from emails, running firewall software and keeping their A/V software up-to-date there would be a huge reduction in the number of infections. The sad fact though is that only a select few people understand these basic ideas and arte actually VIGILANT about sticking to them.

My suggestion:

Setup a nationwide network of community educators. Local organizers in a particular community who get a group togeather to distribute pamflets, door-to-door visitations, etc. Sure its time consuming, takes money to print stuff. But simply sending letters in the mail or broadcasting this kind of information on the news media isn't going to hit it home. Develop small catch phrases that get the idea across and stick.

Sure, some people won't give a shit and will continue to download crap from spam messages even after being told not to. This is where I think ISPs should become vigilant about cutting access to their internet and give them help in cleaning their computer (either with patches, a live-CD, etc.).

Re:I propose a nationwide education campaign (0)

someone1234 (830754) | more than 7 years ago | (#20528943)

The best tool is cutting off zombie machines.
That surely works as an education to the dimwits who let their machine become zombie.
All we need is a law that mandates ISP's to do this.

Re:I propose a nationwide education campaign (1)

westyvw (653833) | more than 7 years ago | (#20529235)

Education maybe, like get away from windows as soon as possible? Obviously. But your second statement is very worrying: I dont want my ISP to give me any software or cut access, and I dont what them thinking that way at all. They already try and force me to use their crapware. No thanks.

Re:I propose a nationwide education campaign (1)

Bananatree3 (872975) | more than 7 years ago | (#20529327)

Moving people away from windows to say Ubuntu works for newbies who have never used the computer before, as they're learning something new. What makes it really difficult for the masses is that most people have already gotten used to Windows, and would give their right arm to keep using Windows. Trying to entice them to use something else is extremely difficult because they love the status quo. At that point its more effective to teach them how to be safe than uproot what they have already learned.

I think ISPs need to take more action in notifying a user that their computer has been compromised. Cutting off may be left for the last resort, but certainly sending them emails, calling them or mailing them letters should be required. The user's ignorance to the issue hurts the internet

Re:I propose a nationwide education campaign (1)

Xtravar (725372) | more than 7 years ago | (#20529917)

I think these people are learning through experience!

When their ISPs cut them off for spamming, or their personal information is stolen, or any other number of malware things happen... maybe they'll get a clue.

My question is.. (3, Insightful)

XenophileJKO (988224) | more than 7 years ago | (#20528781)

If the command and control and updating is done via peer to peer instead of a centralized server, why has nobody created a "Vaccine" that would spread itself back to all the infected nodes. The code can't be that hard to crack to determine how to insert new functionality into the infected hosts. Just inject a new command to spread this update to all your peers and after you succeed, close down all of the command and control vectors. Cleanup and fixing the holes originally used for infection would clearly be useful too, but unnecessary to contain the damage. Really there are tons of things you could do.

I mean this might create an "arms race" where they continue to lock down access to the botnet, but I would love to see the looks on their faces when large sections of the botnet stop responding to commands.

Seriously as "Brilliant" as these guys are I guarantee there are probably people smarter that can crack their network. I know what I am talking about is probably not legal, but it surely is ethical.

There was such a anti-worm worm... (2, Informative)

Bananatree3 (872975) | more than 7 years ago | (#20528915)

The Nachi worm [nai.com] was written to search out computers infected with the now-famous Blaster worm and patch the computer with a Microsoft patch. It replicated itself around the world, and once the patch had been implemented and the Blaster worm deleted it deleted itself. Unfortunately it created a heck of a lot of traffic on infected networks [zdnet.com] , which slowed them down considerably.

from the above article. (1)

Bananatree3 (872975) | more than 7 years ago | (#20528933)

It notes that:

Railway and freight hauler CSX had to stop trains because of the Nachi worm, the Associated Press reported.

Airline Air Canada canceled flights on Tuesday because its network couldn't deal with the amount of traffic generated by the Nachi worm.

Though it cleared out the blaster worm, it created a hell of a lot of damage itself by the mere fact that it clogged networks with traffic.

Re:from the above article. (2, Insightful)

XenophileJKO (988224) | more than 7 years ago | (#20529079)

Yes, but you understand the fundamental difference I hope. The Nachi worm was a worm that had to FIND infected hosts. Therefore it had to look using a port scanner which when you have thousands of machines scanning thousands of IP's creates huge amout of traffic.

In this situation, the beauty is that you don't have to create a "worm" in the classical sense. Each infected client maintains a "peer" list so all you do is "fix" it's peers, it would cause a cascade failure of the botnet and use up much much less overhead than the Nachi example.

Re:There was such a anti-worm worm... (1)

XenophileJKO (988224) | more than 7 years ago | (#20528971)

Yeah, but again it raises the question about why nobody has tried that with this botnet. The situation is drastically different. The Nachi worm had to FIND other infected computers, which caused a lot of traffic. In this situation we have infected machines with a command and control framework that works through peer-to-peer, therefore each infected machine already knows a set of infected peers. You should be able to instigate a cascade failure of their botnet but inserting commands into the network.

antibot p2p worm (1)

Bananatree3 (872975) | more than 7 years ago | (#20529173)

As you point out, an antibotnet worm spreading across the 'net would be not be nearly as much traffic as portscanning as the IP addresses are already known. I agree it is possible. The complexities of taking sections of the net offline though without the botnet owners noticing and dynamically patching the rest of the 'net are incredibly difficult though. It would be an incredibly complex game of cat and mouse, but it is possible.

time traveller from 1987 goes 20 years in future, (2, Funny)

circletimessquare (444983) | more than 7 years ago | (#20528997)

gets a sneak peek at Slashdot headlines:

"hmmm, what is going on in the far off fantastical future of 2007?"

Bringing Science and Math Into Writing?

"Ah, an age old problem"

Libraries Defend Open Access

"Some sort of Fahrenheit 451 situation? has the government gone fascist? or the russians won the cold war?"

New Legislation Proposed For Nuclear Safety

"Ah! Chernobyl is still fresh in their minds! At least it seems we didn't nuke each other"

Storm Worm Evolves to Use Tor

"SWEET JESUS! DUNE IS REAL!? AND IN CAHOOTS WITH THE SCANDINAVIAN GODS? WHATR SORT OF SCIFI FANTASY FUTURE IS THIS!"

Sounds a bit daft. (1)

EddyPearson (901263) | more than 7 years ago | (#20529229)

This sounds a little stupid to me, as the kind of privicy aware person who'll want to use Tor, is also the kind of person who'll have Anti-Virus software and won't fall for classic malware tricks.

Could it be a bit more misleading? (1)

Opportunist (166417) | more than 7 years ago | (#20529269)

Storm isn't using TOR, it claims its installer to be a TOR proxy. C'mon, malware has been claiming to be something useful for ages, why's this news?

Woud you kindly (0)

Anonymous Coward | more than 7 years ago | (#20529297)

install a trojan-infested Tor?

You don't have to download the file to be infected (3, Interesting)

sjmurdoch (193425) | more than 7 years ago | (#20529359)

Actually, if you're using an unpatched browser, you might not even have to download the file they offer to be infected. The web page includes Javascript exploits for half a dozen security vulnerabilities, which will install the trojan without user interaction. I've posted an analysis [lightbluetouchpaper.org] of the malware code on my blog.

Despite what the article says, Storm isn't using Tor (other than trying to exploit it's reputation) and the download isn't a trojaned version of Tor – it's much too small to be that. What's more, the botnet operators appear to have dropped this strategy. While on Thursday the links in the spam went to a fake Tor download [lightbluetouchpaper.org] page, on Friday they showed a fake YouTube video [lightbluetouchpaper.org] , and now they show a fake NFL game tracker [johnhsawyer.com] .

This is *not* using the Tor network or software (5, Informative)

shava (56341) | more than 7 years ago | (#20529423)

This attack is not using our network or our software, only abusing our reputation. We sent this release to slashdot and others, days ago:

====
The Tor Project, a US non-profit organisation producing Internet
privacy software, is issuing an urgent warning about a spam email
being circulated as a fake promotion for their software.

The real Tor software provides privacy on the Internet to journalists,
bloggers and human rights activists all over the world. The spam email
promotes the virtues of the software, but then directs people to a
series of fake websites that contain malicious code that will attempt
to take over visiting machines, and the downloaded software is fake
and equally dangerous to run.

The real website is hosted at http://tor.eff.org/ [eff.org] and the Tor
software can be downloaded from there. Users are able to check that
they have received the official version by following the instructions
at: http://wiki.noreply.org/noreply/TheOnionRouter/Ver ifyingSignatures [noreply.org]

Shava Nerad, Development Director for the Tor Project said, "I am
disgusted that criminals who want to recruit more machines for their
illegal activities should trade on our reputation for providing
privacy on the Internet. Fortunately we already have systems in place
so that people can verify that they are downloading the official
software. But this is a distraction from our work that we could do
without."
====

This stuff makes us sad. But you won't even get a trojanned client, just a trojan. And the page you click through to will try to exploit holes in your browser security, so don't even click through.

Yrs,
Shava Nerad
Development Director
The Tor Project

Maybe not so new, and not just e-mail? (0)

Anonymous Coward | more than 7 years ago | (#20529553)

This might have been going on for a while: I've noticed an increase in usenet spam with subjects relating to anonymity in several usenet newsgroups.

It seems to have been going on for several weeks in some newsgroups, but around the first of this month it's started to turn up in groups that were "clean" before, and the number of spams per group seems to be higher than before (much higher, in some groups).

I haven't followed any of the links, but the variety of URLs seems to indicate a multitude of throw-away servers - i.e. a botnet, or at least a lot of throw-away domain names (I just took a look at some more messages, and haven't found two that 'advertized' the same URL).

It could be the same gang.

trO7l (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20529635)

obssesed - give [goat.cx]

Intriuging. (0)

Anonymous Coward | more than 7 years ago | (#20529769)

So if the Storm botnet installed Tor on all of their machines would they effectively have the plurality to compromise the anonymity of the Tor network?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?