Slashdot: News for Nerds

Storm Worm Botnet Partitions May Be Up For Sale

Zonk posted more than 6 years ago | from the if-only-they'd-use-their-powers-for-good dept.


Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."


192 comments

What is fast flux DNS? (2, Interesting)

Shimdaddy (898354) | more than 6 years ago | (#20996965)

Being the n00b that I am, I don't know what fast flux DNS is. I know what DNS is, and I know the meaning of fast... but flux to me is something you put on a pipe before you weld it. What does it mean in this context?

Re:What is fast flux DNS? (5, Informative)

Ant P. (974313) | more than 6 years ago | (#20997041)

It means the spammers register a bunch of domain names to spam in their emails, and rotate the zombie PC IP they're pointing to every few minutes. Makes it harder to shut down.

Re:What is fast flux DNS? (1)

gt_mattex (1016103) | more than 6 years ago | (#20997175)

I've read TFA, however it didn't mention if the botnet used single or double flux. Anyone happen to know?

Re:What is fast flux DNS? (3, Funny)

Wolfrider (856) | more than 6 years ago | (#20997355)

Perhaps it utilizes a flux capacitor - and can thus do single OR double, depending on requirements of the moment? ;-)

Re:What is fast flux DNS? (2, Funny)

shotgunsaint (968677) | more than 6 years ago | (#20997569)

1.21 Gigabots? Why, the only thing that can generate that kind of current is... the Storm Botnet!

Re:What is fast flux DNS? (3, Informative)

QuantumRiff (120817) | more than 6 years ago | (#20997125)

Basically, you set your records to expire in a very, very short time, and constantly change the DNS servers, as well as the records. This makes it very hard to shut down the DNS, since it's always moving and changing. I guess a good way to picture it is if at google, every single one of their 1M servers was changing. I.e., every 5 seconds, a different machine was the DNS server for "Google.com" and the www address changed to a different computer. Then, try to figure out which machine was misbehaving, and displaying the wrong data. It would be difficult.

Are there legitimate reasons to do this... (2, Interesting)

Animaether (411575) | more than 6 years ago | (#20997431)

...and if there aren't, then why are reputable DNS servers allowing these super-fast changes to DNS records anyway? Certainly such trends can be easily detected and stopped dead in their tracks?

Yes. Re:Are there legitimate reasons to do this... (2, Interesting)

algae (2196) | more than 6 years ago | (#20997709)

Sure there are legitimate reasons to do this - one of them is cheap datacenter fail-over. If I have web servers colocated in two different datacenters with two different ISPs, and one of them goes down, I can change the TTL on my DNS records to, say, 30 seconds, and point all the addresses to the other location. The short TTL will cause global DNS to be updated much more quickly than normal, and my web site's traffic won't dead-end.

On the other hand, I definitely see ISPs that don't respect DNS TTLs anyway.

Re:Are there legitimate reasons to do this? (1)

PetiePooo (606423) | more than 6 years ago | (#20998713)

Ok, but I think the original poster's argument is, the DNS servers that normal consumers connect to (i.e. supplied by DHCP when connecting to your ISP) shouldn't normally be receiving lots of responses with very short TTLs.

Is this another one of those things an ISP *could* do to help control this scourge? Could they reject all DNS responses with a TTL below some threshold, even if it's 29 seconds, and not break legitimate access? Or keep those responses in the cache and flag/reject follow-on responses if the IP changes too frequently, perhaps...

And if you're one of those setting your TTLs to 30 seconds to facilitate datacenter failover, first, you're increasing the load on the ISP's DNS servers, so they have a legitimate gripe for you using shorter-than-recommended TTLs. Get yourself a real failover system, cheapskate! Plus, if they still wanted to be nice, they could do some research and whitelist those FQDNs with short TTLs that don't fast flux.

Granted, these ideas mean changes to the DNS server behavior, but that's just software. Someone at one of the ISPs needs to research this, run some tests, and submit updates to their DNS server supplier.
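As an added example (not code from any poster or from the article), here is a small passive-DNS classifier in the spirit of QuantumRiff's description and PetiePooo's "flag responses if the IP changes too frequently" idea. It runs over a constructed set of DNS answers (the .test names and 10.x.y.z addresses are placeholders) and separates a short-TTL failover or round-robin setup from single flux (A records rotating across unrelated networks) and double flux (the NS records rotating too). The thresholds are assumptions chosen for the sample, not values from the page.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Observation:
    """One DNS answer seen by a passive sensor (constructed sample data)."""
    ts: int        # seconds since start of capture
    qname: str
    rrtype: str    # "A" or "NS"
    ttl: int
    rdata: str     # IPv4 address for A records, nameserver hostname for NS


def _obs(qname, rrtype, ttl, rdata_seq, period):
    """Build one observation per answer in rdata_seq, spaced `period` seconds apart."""
    return [Observation(i * period, qname, rrtype, ttl, r) for i, r in enumerate(rdata_seq)]


# Constructed sample capture; every name and address here is a placeholder.
SAMPLE_OBSERVATIONS = (
    # Normal host: long TTL, one address, two stable nameservers.
    _obs("www.stable.test", "A", 86400, ["10.1.1.10"] * 4, 3600)
    + _obs("www.stable.test", "NS", 86400, ["ns1.stable.test", "ns2.stable.test"], 3600)
    # Short TTL for failover / round-robin: a few addresses inside one network.
    + _obs("www.cdn.test", "A", 60, ["10.2.0.1", "10.2.0.2", "10.2.0.3"] * 3, 60)
    + _obs("www.cdn.test", "NS", 3600, ["ns1.cdn.test", "ns2.cdn.test"], 3600)
    # Single flux: short TTL, many addresses scattered across unrelated networks.
    + _obs("shop.flux.test", "A", 180,
           ["10.11.4.9", "10.37.200.3", "10.98.12.77", "10.5.66.1", "10.120.9.9", "10.73.1.50"], 180)
    + _obs("shop.flux.test", "NS", 3600, ["ns1.flux.test", "ns2.flux.test"], 3600)
    # Double flux: the nameservers themselves also rotate with a short TTL.
    + _obs("pay.dflux.test", "A", 180,
           ["10.12.4.9", "10.38.200.3", "10.99.12.77", "10.6.66.1", "10.121.9.9", "10.74.1.50"], 180)
    + _obs("pay.dflux.test", "NS", 120, ["ns%d.dflux.test" % i for i in range(1, 6)], 120)
)


def profile(observations):
    """Per-name summary: min TTL per type, distinct A addresses, distinct /16s, distinct NS names."""
    by_name = defaultdict(lambda: {"A": [], "NS": []})
    for o in observations:
        by_name[o.qname][o.rrtype].append(o)
    summary = {}
    for name, recs in by_name.items():
        addrs = {o.rdata for o in recs["A"]}
        # Count distinct /16s so a round-robin pool in one block is not mistaken for flux.
        nets = {ipaddress.ip_network(a + "/16", strict=False) for a in addrs}
        summary[name] = {
            "a_ttl": min((o.ttl for o in recs["A"]), default=None),
            "a_addrs": len(addrs),
            "a_nets": len(nets),
            "ns_ttl": min((o.ttl for o in recs["NS"]), default=None),
            "ns_names": len({o.rdata for o in recs["NS"]}),
        }
    return summary


def classify(observations, ttl_threshold=300, addr_threshold=5, net_threshold=3, ns_threshold=3):
    """Label each name 'double-flux', 'single-flux', 'short-ttl' or 'normal' (thresholds are assumed)."""
    labels = {}
    for name, s in profile(observations).items():
        short = s["a_ttl"] is not None and s["a_ttl"] <= ttl_threshold
        churn = s["a_addrs"] >= addr_threshold and s["a_nets"] >= net_threshold
        ns_churn = (s["ns_names"] >= ns_threshold
                    and s["ns_ttl"] is not None and s["ns_ttl"] <= ttl_threshold)
        if short and churn and ns_churn:
            labels[name] = "double-flux"
        elif short and churn:
            labels[name] = "single-flux"
        elif short:
            labels[name] = "short-ttl"
        else:
            labels[name] = "normal"
    return labels


if __name__ == "__main__":
    for name, label in sorted(classify(SAMPLE_OBSERVATIONS).items()):
        print(f"{name:20s} {label}")
```

The point of the /16 diversity test is exactly the concern raised in the thread: a short TTL on its own is what algae's failover setup or a CDN pool looks like, so a resolver-side rule that keys only on TTL would break legitimate traffic, whereas address churn across unrelated networks (and, for double flux, churning nameservers) is what distinguishes a zombie pool.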

Re:Yes. Re:Are there legitimate reasons to do this (3, Insightful)

whoever57 (658626) | more than 6 years ago | (#20999571)

and one of them goes down, I can change the TTL on my DNS records to, say 30 seconds
Changing the TTL when you need to change the records won't make any difference. Those nameservers that already have cached the IP addresses of your machines will have cached the old TTL also. Those nameservers that need to look up the IP address will pick up the new IP address irrespective of the TTL.

It really only makes a difference if your domain's TTL is short before you need to make the change.
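To make whoever57's caching argument concrete, here is an added simulation (not from any poster) of one caching resolver polling a name while the authoritative server changes its answer. The addresses, the 3600-second original TTL and the cutover time are constructed; the scenarios compare lowering the TTL at the moment of the change against lowering it well before.

```python
class Authoritative:
    """Authoritative server whose answer changes over time.

    events: list of (time, ip, ttl) meaning "from this time on, serve ip with this ttl".
    """

    def __init__(self, events):
        self.events = sorted(events)

    def answer(self, now):
        current = None
        for t, ip, ttl in self.events:
            if t <= now:
                current = (ip, ttl)
        return current


class CachingResolver:
    """Minimal recursive resolver: a cached answer is honoured until the TTL it came with expires."""

    def __init__(self):
        self.cached = None  # (ip, expires_at)

    def resolve(self, now, auth):
        if self.cached is not None and now < self.cached[1]:
            return self.cached[0]
        ip, ttl = auth.answer(now)
        self.cached = (ip, now + ttl)   # the TTL that applies is the one served at fetch time
        return ip


def first_seen(events, target_ip, poll=10, horizon=20000):
    """Time at which a resolver polling every `poll` seconds first returns target_ip (None if never)."""
    auth = Authoritative(events)
    resolver = CachingResolver()
    for now in range(0, horizon + 1, poll):
        if resolver.resolve(now, auth) == target_ip:
            return now
    return None


OLD, NEW = "10.0.0.1", "10.0.0.2"   # constructed placeholder addresses
CUTOVER = 3700                      # constructed: seconds into the simulation when the IP changes

SCENARIOS = {
    "no TTL change":          [(0, OLD, 3600), (CUTOVER, NEW, 3600)],
    "TTL lowered at cutover": [(0, OLD, 3600), (CUTOVER, NEW, 30)],
    "TTL lowered in advance": [(0, OLD, 3600), (300, OLD, 30), (CUTOVER, NEW, 30)],
}


def propagation_delays():
    """Seconds after the cutover until the resolver hands out the new address, per scenario."""
    return {name: first_seen(ev, NEW) - CUTOVER for name, ev in SCENARIOS.items()}


if __name__ == "__main__":
    for name, delay in propagation_delays().items():
        print(f"{name:24s} new address visible {delay:5d}s after cutover")
```

The resolver that cached the old answer at t=0 refreshes at t=3600 and, in the first two scenarios, caches the old address again for a full hour because the record still carries the 3600-second TTL at that moment; dropping the TTL to 30 seconds at cutover changes nothing for it. Only the scenario where the TTL was already short before the change gets the new address within one short TTL.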

Re:Are there legitimate reasons to do this... (1)

BiOFH (267622) | more than 6 years ago | (#20998003)

Some 'legitimate' fast-flux DNS uses:
* Some (IMHO misguided) sysadmins think "oh, I'll put in a super short TTL and I can swap out servers/services/whatever at a moment's notice".
Quite frankly, most never end up needing to do this super-fast swapping or round-robin switching and it's just one of those 'good ideas' that have very little practical value for the majority of those using it. And it's often trivial to do using other less-burdensome methods especially for mail servers -- MX has built-in fail-over. It also means more traffic is generated for each such DNS entry.
* Also dial-up and wireless clients typically receive short TTL as they are transient connections.

As far as using this for spambots, personally I believe anyone willing to accept mail from a source with a short TTL is just asking for it.

Re:What is fast flux DNS? (1)

jmyers (208878) | more than 6 years ago | (#20997567)

why wouldn't you just kill it at the registrar? That seems the only logical place to kill a domain name, DNS shouldn't even matter.

Re:What is fast flux DNS? (2, Insightful)

IndustrialComplex (975015) | more than 6 years ago | (#20997655)

Botnets can be used to generate huge amounts of revenue. That revenue can purchase a lot of domains.

Re:What is fast flux DNS? (2, Interesting)

asuffield (111848) | more than 6 years ago | (#20997947)

Registrars are extremely reluctant to remove domains just because somebody claims that they are part of a botnet. Basically, you need a court order. You'll only get a court order if a judge rules against the botnet operator. You'll only get a ruling if somebody takes the botnet operator to court in a criminal case. That will only happen if a government intervenes.

No governments are interested in dealing with this problem.

Three words (2, Insightful)

archeopterix (594938) | more than 6 years ago | (#20996981)

Follow the money.

How long before.. (5, Interesting)

monk.e.boy (1077985) | more than 6 years ago | (#20997057)

How long before Storm is better than the Internet?

It seems to be peer-2-peer, can host files, must be reliable (DNS and all that), encrypted traffic.

If you assume Internet is past its sell by date, what would the next generation network look like?

:-)

(OK, maybe it wouldn't be owned by the mafia (insert USA joke here))

Re:Three words (1)

ozmanjusri (601766) | more than 6 years ago | (#20997513)

Follow the money.

Microsoft?

Re:Three words (1)

ILuvRamen (1026668) | more than 6 years ago | (#20998721)

they're probably already doing that. The CIA is big on that sort of thing. What I wanna know is why instead of trying to catch these losers, someone doesn't just release an antivirus worm. You know a worm that cures the storm infection. They did that for blaster I think.

Re:Three words (1)

Jerinaw (1038444) | more than 6 years ago | (#20999535)

Why not go after the people buying these botnets? Or using them. Meaning the people selling stuff. The ads right there. I know who's trying to sell me something. Go after them for using a botnet to sell their product.

The dude is a playa (0, Flamebait)

WwWonka (545303) | more than 6 years ago | (#20996999)

From the article "Stewart, a reverse engineering guru who has been tracking Storm Worm closely" along with his stunning picture [zdnet.com] can only mean these spammers are TRULY being tracked diligently between his games of WOW and hourly five minute visits to the pr0n sites that these spammers are promoting themselves!

Survival of the fittest in action (2, Insightful)

analog_line (465182) | more than 6 years ago | (#20997015)

I'm not sure whether to be impressed, depressed, or both.

These things are getting so insidious and vast in scope, I'm honestly wondering if I can safely believe that any Windows machine I come across with problems ISN'T on Storm or one of the other botnets. At what point does having a multi-use computing device become more of a problem than the benefits it provides? If 90% of what you get for connecting to the Internet is problems, what's the point? Bile spewing bloggers, bought-and-paid news reports and total advertising awareness?

Re:Survival of the fittest in action (1)

cromar (1103585) | more than 6 years ago | (#20997343)

I'm extremely impressed. Security has been lax for far too long, and I can't really blame anyone for taking advantage of that.

Plus, botnets are pretty sweet. I wouldn't mind having one myself, for, you know, distributed compiles or something ;) Or maybe a beowulf cluster of botnets...

Re:Survival of the fittest in action (1)

IndustrialComplex (975015) | more than 6 years ago | (#20997627)

Security has been lax for far too long, and I can't really blame anyone for taking advantage of that.

You may not be able to blame anyone. But I can certainly assign blame.

Is the person/group that designed this botnet talented? Without a doubt. Do they deserve respect? Hell, no.

If you respect this person, then you would have to also respect the people who put together those televangelist networks and faith-healers. Liars, cheats, and thieves. They deserve no respect.

Re:Survival of the fittest in action (1)

analog_line (465182) | more than 6 years ago | (#20998173)

Respect is probably something they should have. You respect the man with a gun to our head unless you're blessed with an immunity to bullets, or you don't care about living any longer.

Admiration, that they shouldn't have.

Re:Survival of the fittest in action (2, Insightful)

SignupRequired (1165001) | more than 6 years ago | (#20998413)

Actually, they have my admiration. Storm is an amazing piece of work, and for some reason I like the idea that it took criminals to implement something so genius.

Hot bitches sucking their cocks on demand is what they don't deserve.

Re:Survival of the fittest in action (1)

MadUndergrad (950779) | more than 6 years ago | (#20999029)

That's the same attitude my ex had, that when someone has power over you you automatically have to respect them. I think that's a bad use of the word "respect". Respect isn't something that can be forced. It has to be earned. Someone can have enough power over you for you to be willing to obey them, but that doesn't mean you respect them. Respect entails holding someone in high esteem. I certainly wouldn't hold someone with a gun to my head in high esteem, even though I may obey his commands. I could see the storm creator(s) having earned a bit of respect for their skill, but not for their douchebaggery.

Re:Survival of the fittest in action (1)

Tpl2000 (1174767) | more than 6 years ago | (#20997397)

I vote both...actually, I vote depressed, since impression is often implied by something being new and unusual. Not the case, here.

Re:Survival of the fittest in action (4, Interesting)

Cato (8296) | more than 6 years ago | (#20997673)

Here's a small and possibly unrepresentative datapoint from last weekend that would tend to suggest there are a lot of infected PCs out there, some of them with Storm. Basically, 2 of 3 PCs scanned had backdoor trojans and I didn't have time to debug the third PC enough to scan it.

I spyware scanned three PCs belonging to two friends/family households. Naturally, they were all Windows. I used Webroot Spysweeper which is pretty good but costs, and Kaspersky online scan, which is good but slow, and virus only.

- PC 1: infected with various spyware and a backdoor trojan (remote access by the bad guys) - had an up to date antivirus (AVG) that didn't spot any of this, but no anti-spyware installed.

- PC 2 (same network as 1): couldn't even install new software (error on running any new .EXE), ran out of time to debug this so did not install Webroot or any other tools. Also had AVG antivirus, which was up to date, and no anti-spyware. Presumed infected.

- PC 3: (2nd household) - infected with a different backdoor trojan and several viruses. Had Norton anti-virus that had not updated since 2004.

I would assume the average Windows PC has a high chance of some sort of infection, unless the users are very careful about installing third party software, some of which carries spyware or worse, and clicking on links in IE. Even Firefox had spyware on one of these machines.

Windows PCs run by power users (not the users here) can be somewhat secure, but it's painful to make them so. One colleague who's very techie still got infected by a PDF security hole recently, so you need Secunia PSI to run continuously, as well as monitoring some security blogs, and updating software regularly, as well as using a good anti-spyware tool, not using IE/Outlook, etc etc. However, once you are making this much effort, the work needed to install Ubuntu becomes much less of a hurdle - you might as well just switch over one PC so you have a safe PC for online shopping/banking etc.

The only good thing about this story is that nothing very important was being done on these PCs - little online shopping and no online banking... however, that's the users' self-reported status and they may well not want to admit they are at risk.

I don't do this for a living, I'm just a Windows and Linux user who wondered why there were so many popups on one of these PCs and ended up getting sucked into this when I should have been socialising - fortunately anti-spyware scans can run during dinner...

Re:Survival of the fittest in action (1)

steveo777 (183629) | more than 6 years ago | (#20999091)

I do a lot of spyware/trojan removal in my spare time. Mostly for family, friends, or acquaintances with an extra $50. Every computer I've seen with an up to date Norton, McAfee, or any other 'major name' anti-virus is just chock-full of trojans and spyware. Way over the FDA recommended amounts. I usually run Spybot once to clear out the easy stuff, and then go registry hunting with HiJackThis and a few other tools.

It is my non-expert (I am not certified to say this) opinion that there is no antivirus program or suite that does... anything. The most a user will get out of these is a lot of processor time removed and warnings when they open email. Spybot and some due-diligence is all that is needed to run a clean Windows distro. Unfortunately normal users have no idea what that means, and Norton and McAfee will continue to collect gobs of money for almost nothing. I might actually use them if they didn't need half my system resources just to idle.

Re:Survival of the fittest in action (2, Insightful)

dave562 (969951) | more than 6 years ago | (#20999615)

It is my non-expert (I am not certified to say this) opinion that there is no antivirus program or suite that does... anything.

FWIW & YMMV, I set up my family and acquaintances with XP-SP2, IE7, Windows Defender and the latest version of SAV Corporate/Enterprise in Unmanaged mode. I just turn on Automatic Updates in Windows and set up the AV software to update every night. My biggest "problem user" is a girl whose laptop was completely owned by spyware when I first met her. After a pave and rebuild with the above mentioned build two years ago (I actually gave her IE6 back then), she called me a couple weeks ago because her computer was "broken" again. I figured it was more spyware. Nope. The box was clean. Her problems were that the C: drive was out of space because she wasn't saving anything on the completely unused 40GB D: drive (even though I showed her how to), and MS Messenger wouldn't download files directly because Windows Firewall was blocking it (like it is supposed to). This girl is all over Myspace and clicks on anything that her friends send her in the various IM programs she uses (AIM, MSN, Yahoo, etc.). It isn't THAT hard to keep a Windows box clean these days.

Re:Survival of the fittest in action (1)

Xeriar (456730) | more than 6 years ago | (#20999163)

AV Comparatives does not give AVG very good marks, and my experience has reinforced this. NOD32 [eset.com] and AntiVir [free-av.com] are the best out there by their results. AntiVir is free for personal use and they both perform on par with Norton without bringing systems to a crawl.

Oddly, I haven't seen many truly serious rootkits. Most of them have been on pre-SP2 XP machines, which are (thankfully) becoming rarer.

Re:Survival of the fittest in action (1)

butterwise (862336) | more than 6 years ago | (#20997737)

I'm not sure whether to be impressed, depressed, or both.
For those asking about the meaning of "flux" in this context, there's your answer.

Re:Survival of the fittest in action (1)

rah1420 (234198) | more than 6 years ago | (#20997921)

I'm honestly wondering if I can safely believe that any Windows machine I come across with problems ISN'T on Storm or one of the other botnets.
The POS Gateway that I'm trying to disinfect is a classic example of one that I'm sure isn't on a botnet.

Because, and only because, I refuse to hook it to a network while I'm trying to de-worm it. ;)

the point (2, Funny)

commodoresloat (172735) | more than 6 years ago | (#20998011)

If 90% of what you get for connecting to the Internet is problems, what's the point? Bile spewing bloggers, bought-and-paid news reports and total advertising awareness?
pr0n?

Be impressed! Here's the best use for this (0)

Anonymous Coward | more than 6 years ago | (#20998131)

All one needs to do to improve the Internet is to buy some of these botnets and put together a Denial of Service attack on the Russian Business Network [slashdot.org]

The next time you have to clean up after one of these messes, you might consider how much cheaper it is to use their tactics against them, and put them out of business.

Re:Survival of the fittest in action (0, Flamebait)

Hatta (162192) | more than 6 years ago | (#20998681)

At what point does having a multi-use computing device become more of a problem than the benefits it provides?

When you install windows on it.

I'm impressed... (0)

Anonymous Coward | more than 6 years ago | (#20999417)

...Because I use a Mac.

Slashvertising. (5, Funny)

onion2k (203094) | more than 6 years ago | (#20997051)

This slashvertising has reached a new low. ;)

Re:Slashvertising. (1)

Adeptus_Luminati (634274) | more than 6 years ago | (#20997303)

That's not offtopic. It's a joke people! You know, "haha". If I had mod points, I'd give it an underrated point. :)

Clever (5, Funny)

Billosaur (927319) | more than 6 years ago | (#20997111)

The malware attacks behind this botnet have been relentless all year, using a wide range of clever social engineering lures to trick Windows users into downloading executable files with rootkit components.

Windows has downloaded a new security update. Do you wish to install?

Re:Clever (1)

Gregb05 (754217) | more than 6 years ago | (#20997201)

That would never work, nobody updates Windows!

Re:Clever (1, Redundant)

15973 (861573) | more than 6 years ago | (#20997269)

Doesn't matter if there's an update _after_ your system has been compromised. If updates were the answer to the botnet problem (instead of putting a band-aid on a bullet wound), then MS would actually have something to brag about...

Re:Clever (1)

Amouth (879122) | more than 6 years ago | (#20997635)

but the band-aid on the bullet wound always work for me in SR

Re:Clever (0)

Anonymous Coward | more than 6 years ago | (#20999435)

Year after Year of the Linux Desktop

"Linux have downloaded a new security update, please enter your root password".

Break the key with zombies? (4, Funny)

ralf1 (718128) | more than 6 years ago | (#20997157)

Can I buy a partition of zombie PCs and use their processing power to crack the 40 bit key?

Re:Break the key with zombies? (4, Insightful)

smussman (1160103) | more than 6 years ago | (#20997271)

Can I buy a partition of zombie PCs and use their processing power to crack the 40 bit key?
Unfortunately, it's a 40-byte key. You might look into getting several partitions.

Re:Break the key with zombies? (1)

timhillu03 (903863) | more than 6 years ago | (#20997519)

Check the article. It's 40BYTE, not 40BIT.

40-bit keys can be cracked in quite a short time by a normal PC using a brute force attack (less than a week). 40 bytes = 320 bits, which is not feasible to crack with modern technology.

Re:Break the key with zombies? (2, Funny)

Silver Sloth (770927) | more than 6 years ago | (#20997751)

40 bytes = 320 bits, which is not feasible to crack with modern technology.
Yes, it can, I've read Digital Fortress, the Dan Brown book. What do you mean, that was fiction? Next you'll be telling me the DaVinci Code isn't true!

Re:Break the key with zombies? (-1)

Anonymous Coward | more than 6 years ago | (#20997553)

Presumably there is no need to crack the key. The fact that they know it's a 40 byte key should tell you something right there.

Think about it, each machine in the network needs to talk to the other machines. The key has to be stored somewhere on the machine. Easy enough to pull out.

BZT! IAmSorryThankYouForPlayingNextContestantPLEEZ (1)

abb3w (696381) | more than 6 years ago | (#20999243)

Think about it, each machine in the network needs to talk to the other machines. The key has to be stored somewhere on the machine.

Not quite correct. Each machine in the network needs to be able to relay messages to the other machines; it therefore only needs the Public Key half, to verify that the messages it receives should be obeyed and/or passed along further (or simply dropped on the floor). The Private Key need only reside in the hands of the owner; in theory (if they're Diabolical), it could be kept on a high-end calculator, and the encrypted instructions only put onto the internet by 10-finger interface.

ortva 644 RIVY.GKG
Z22=-($R.(%52($R.5$523Q546@U@2$%+24K@55(@6Q]-0QR%6@U@("!.3GG@
(3Q]-($L/30V2
`
raq

Tedious, but possible. Can I haz Patent now?

Just curious.. (4, Funny)

What the Frag (951841) | more than 6 years ago | (#20997237)

... can the partitions be formatted with ext2/3 or do we have to stick with NTFS?

Re:Just curious.. (1)

KillerBob (217953) | more than 6 years ago | (#20997307)

oh, for mod points. +1 funny

Re:Just curious.. (0)

Anonymous Coward | more than 6 years ago | (#20997447)

+5 underrated?!!??!!

Blue Frog remembrance... (4, Insightful)

Spy der Mann (805235) | more than 6 years ago | (#20997249)

I remember when we proposed an anonymous P2P system for the anti-spam system "Okopipi" (successor of Blue Frog). We were criticized by people saying spammers would use that system to make P2P networks for DNS attacks.

One year later, spammers are ALREADY using a P2P system for such things, while nobody has the means to counter them.

The lesson: They got ahead of us. It's time we invest in countermeasures of our own, or succumb to the enemy. Because, we're losing.

Re:Blue Frog remembrance... (2, Insightful)

nuzak (959558) | more than 6 years ago | (#20997603)

So if we don't have exactly the same weapons that spammers have, we lose? Oh horseshit. It doesn't take clever technical tricks, it takes ISPs stopping direct port 25 access from their residential ranges. But they won't, because they're criminally negligent. They're also afraid that the zombies will send through the smarthost, that their smarthost will get blacklisted, and that they'll actually have to start paying attention to the security on their own networks. God forbid.

If the dynamic residential ranges were adequately secured, the zombie problem would be a tiny fraction of what it is today.

Re:Blue Frog remembrance... (1)

Spy der Mann (805235) | more than 6 years ago | (#20998123)

I agree with you. That would be the perfect solution. Unfortunately, with our current governments, implementing those "terrible" measures won't give them any money. So all that we have is to fight on our own. And legally - Blue Frog's purpose wasn't DOS attacks, but filling the spammers' forms so their business model wouldn't work anymore.

Re:Blue Frog remembrance... (2, Insightful)

norton_I (64015) | more than 6 years ago | (#20999655)

The zombies *will* go through the smarthost, and we will be pretty much back where we started, whether or not the smarthosts get blacklisted.

Blocking port 25 is a reasonable idea, and many ISPs do it, but to say to do otherwise is criminally negligent or that doing so would stop worms from spreading is completely absurd.

Pretty much the only effective tool ISPs have is to completely shut down the connection to any infected computer. But people will (rightly) get upset about that.

Re:Blue Frog remembrance... (1)

nettdata (88196) | more than 6 years ago | (#20998569)

Except that "they" ARE "us"... they just choose to use their powers for evil.

Bruce Schneier discusses the Storm Worm (4, Informative)

Zymergy (803632) | more than 6 years ago | (#20997503)

http://www.schneier.com/crypto-gram-0710.html#1 [schneier.com]
A good essay on the Storm Worm and how it works and how it can be prevented (or rather why it CAN'T be prevented in many cases).

Fixing one part (1)

BiOFH (267622) | more than 6 years ago | (#20997557)

One thing we can do? Everyone can just stop accepting mail from servers with short TTL and the fast-flux DNS model is no good to spammers.
Yes, it's inconvenient to some ("wah! but I run sendmail off my laptop on dial-up!" - Yeah, well, go back in time to 1993 and have yourself a ball...). Frankly, they can just get the hell over it and use one of a dozen other methods to send out mail or increase their TTL. Spam is way more inconvenient and it affects everyone.

This doesn't address other uses for these botnets, sure, but every little bit helps. Especially when some estimates now say that the amount of spam in mail traffic may be as high as 80%!

And while we're at it... everyone get their damned DNS records set up properly. OK? It's not optional to have matching PTR and A records; it's required by RFC 1912.

Re:Fixing one part (0)

Anonymous Coward | more than 6 years ago | (#20997939)

If PTR and A have to match, why aren't they just collapsed to one field? It's pathetic 'configuration traps' like this which are partly to blame for the mess we're in.

Re:Fixing one part (1)

BiOFH (267622) | more than 6 years ago | (#20998115)

Because having multiple PTR entries for a single A is possible if needed. Also, it makes FCrDNS viable.
It's not a 'trap'. It's part of the spec and RFC 1033 spells it out in a section called "instructions". Where's the voodoo in that?
Anyone who can't do this properly (following what amounts to a checklist of 'do this, then do this') shouldn't be handling zone records.

The problem is people NOT following spec, not any failing of the spec.
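As an added example (not code from BiOFH or anyone else in the thread), here is the receiving-side check the two posts above describe: forward-confirmed reverse DNS (the PTR name for the connecting address must have an A record pointing back at that address) combined with the proposed rule of not accepting mail from a server whose forward record carries a very short TTL. The PTR and A tables are constructed stand-ins for real lookups, the .test names and 10.x addresses are placeholders, and the 300-second threshold is an assumption.

```python
# Constructed DNS tables standing in for real PTR and A lookups.
# PTR_TABLE: ip -> [(hostname, ttl)], A_TABLE: hostname -> [(ip, ttl)]
PTR_TABLE = {
    "10.0.1.5": [("mail.goodcorp.test", 86400)],        # proper mail server
    "10.0.2.9": [("zombie-dsl-9.isp.test", 86400)],     # generic ISP reverse name
    "10.0.3.3": [("mx.fluxy.test", 120)],               # confirmed, but fast-flux style TTL
    "10.0.4.4": [],                                     # no reverse record at all
}
A_TABLE = {
    "mail.goodcorp.test": [("10.0.1.5", 86400)],
    "zombie-dsl-9.isp.test": [("10.0.2.200", 3600)],    # reverse name does not map back
    "mx.fluxy.test": [("10.0.3.3", 120), ("10.0.3.77", 120)],
}


def ptr_lookup(ip):
    """Stand-in for a PTR query against the reverse zone."""
    return PTR_TABLE.get(ip, [])


def a_lookup(name):
    """Stand-in for an A query."""
    return A_TABLE.get(name, [])


def fcrdns(ip, ptr_lookup=ptr_lookup, a_lookup=a_lookup):
    """Forward-confirmed reverse DNS: some PTR name for ip must have an A record back to ip.

    Several PTR names per address are allowed, as BiOFH notes; any one confirming is enough.
    """
    for name, _ttl in ptr_lookup(ip):
        if any(addr == ip for addr, _ttl2 in a_lookup(name)):
            return True
    return False


def check_sender(ip, min_ttl=300, ptr_lookup=ptr_lookup, a_lookup=a_lookup):
    """Return (accept, reasons) for a connecting SMTP client address.

    Rejects when there is no PTR, when FCrDNS fails, or when the forward record's
    TTL is below min_ttl (the assumed threshold for "short TTL").
    """
    reasons = []
    ptrs = ptr_lookup(ip)
    if not ptrs:
        reasons.append("no PTR record")
    elif not fcrdns(ip, ptr_lookup, a_lookup):
        reasons.append("PTR name does not resolve back to sender (FCrDNS failed)")
    ttls = [ttl for name, _ in ptrs for _addr, ttl in a_lookup(name)]
    if ttls and min(ttls) < min_ttl:
        reasons.append(f"forward record TTL {min(ttls)}s below {min_ttl}s")
    return (not reasons, reasons)


if __name__ == "__main__":
    for client in PTR_TABLE:
        accept, why = check_sender(client)
        print(client, "ACCEPT" if accept else "REJECT", "; ".join(why))
```

The FCrDNS part is widely deployed and cheap; the TTL rule is the thread's proposal and, as the earlier replies point out, it will also reject hosts that legitimately use short TTLs for failover, so a real deployment would want the whitelist PetiePooo mentions or would treat a short TTL as a score rather than a hard reject.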

How can you tell if you are infected? (1)

UberHoser (868520) | more than 6 years ago | (#20997563)

And no, not a rash or anything of that crap :P I don't leave my PCs at home on 24/7, and I am up to date with everything (AV, FW, Widows Patches). Could I still be infected?

Re:How can you tell if you are infected? (2, Funny)

Chapter80 (926879) | more than 6 years ago | (#20997907)

I think the best way to tell if you are infected is to monitor your network traffic. Ideally, from an independent machine watching the traffic. (Not that I have ever done this, but it seems like the most fool-proof method.)

I am up to date with everything (AV, FW, Widows Patches)
What are you up to? Dating patches of women who lost their husband? Yeah, that might infect you! ;)

Re:How can you tell if you are infected? (1)

multipartmixed (163409) | more than 6 years ago | (#20998561)

I was thinking that maybe the Widow Patch was to help you through withdrawing from your widow.

Presumably they're loaded with baby oil or something.

So, how bad is it? (3, Interesting)

Anonymous Coward | more than 6 years ago | (#20997629)

I've not been actively following the Storm Worm Botnet stories, but I've picked up a few details which, on the surface, are downright frightening: Storm infects between 1 and 50 million PCs; it's more powerful than the world's supercomputers; dynamically evolves to avoid counteractions by security companies; and only uses 20% of its potential computing power at the moment.

These blurbs, if they're true, paint a bleak picture. Should the hackers leverage the network's full power, couldn't they shut down just about any server on earth? And imagine the bandwidth costs of this thing operating at full force.

So for those in the know, is Storm just a way to propagate spam and annoy people? Or is it something even more dangerous?

Re:So, how bad is it? (1)

asuffield (111848) | more than 6 years ago | (#20998065)

So for those in the know, is Storm just a way to propagate spam and annoy people? Or is it something even more dangerous?


So far as anybody knows, it does nothing just yet, except for a very small part that is used to spread Storm. The prevailing theory is that it is for sale to the highest (criminal) bidder. It looks like somebody is getting serious about providing hijacked hosts for sale (this is not a new activity, but it's never happened on this scale before). One or more of the organised crime syndicates is probably involved somewhere.

Re:So, how bad is it? (1)

joe 155 (937621) | more than 6 years ago | (#20998221)

"So for those in the know, is Storm just a way to propagate spam and annoy people? Or is it something even more dangerous?"

I'm not "in the know" per se, but my analysis of the situation - especially given the developments mentioned above - is that Storm probably is both. If all you want to do is to make money then it really doesn't matter if you're selling your power for spam or for attacking governments. Money is money. So if a black hat decides that instead of just sending the usual spam out he'd really like to have a crack at a government he doesn't like then I guess he could just cough up the money and away they go.

Call me paranoid but I wouldn't be that amazed if certain regimes consider going to the owner of Storm (assuming they can find someone who knows who it is... or how to get in contact with people who do) in order to attack other governments. It would be a great proxy for an attack.

Re:So, how bad is it? (1)

Torontoman (829262) | more than 6 years ago | (#20999067)

I'm just counting down the days until the AI starts building its own robots...

Rename (4, Funny)

surajbarkale (877769) | more than 6 years ago | (#20997667)

It's about time we start calling it Skynet

Re:Rename (1)

Anubis_Ascended (937960) | more than 6 years ago | (#20997883)

Better yet...

"We are the Borg. You will be assimilated. Disable your firewalls, and forward your ports. Your processing power and hard drive capacity will be added to our own. Resistance is futile."

Re:Rename (0)

Anonymous Coward | more than 6 years ago | (#20998113)

If we convinced them to do that, could we in theory detect who is infected by watching for the same encrypted word being changed?
From that could we pull some Enigma shit using the network and break the 40 bit key?

Re:Rename Redux (0)

Anonymous Coward | more than 6 years ago | (#20998475)

Not Skynet! A better sci-fi reference is "The Replicators" from SG, LOL!

How would this service be marketed? (1)

ktappe (747125) | more than 6 years ago | (#20997891)

What amazed me about this article is how unsure it is of everything. "Appears that" and "may be" keep coming up. If things are that unsure, how can the potential customers of this segmented spamnet know that there is a service for sale? Wouldn't any marketing that these bot-admins do also be picked up by the white hat guys? I'm confused.

Re:How would this service be marketed? (1)

asuffield (111848) | more than 6 years ago | (#20998097)

In two words: organised crime. It's the sort of thing they excel at. You won't see your friendly neighbourhood drug dealer advertising in any newspapers - but he's there.

Re:How would this service be marketed? (1)

cez (539085) | more than 6 years ago | (#20998227)

When's the last time you hung out at a hookah bar in Moscow?

Obviously, criminal activities aren't marketed in the open...seen any adverts for Drugs recently (yes the good fun kind, not the prescriptions they shove down your throat)...not saying I know for sure, but I think people can still get them.

Can it be that hard to catch whoever is behind it? (1)

TorKlingberg (599697) | more than 6 years ago | (#20997987)

Since Storm is probably run by a single person, or a single group, how have they managed to avoid getting caught? Especially if they start making money on it, it should be possible to track them that way.

Re:Can it be that hard to catch whoever is behind (1)

Genocaust (1031046) | more than 6 years ago | (#20998155)

If they are located in a country with lax laws or that is reluctant to support international efforts to shut them down, it could be difficult. There was an article posted just yesterday I believe about the Russian Business Network; they solely exist to promote and host illegal activities, yet the Russian government, due to its laws, has no power to shut them down.

I could see this spun many ways, in the US it is illegal to "make available" as with all the RIAA cases, but that is seemingly not the issue in Russia as the RBN "makes available" so-called "bulletproof hosting" for criminal organizations. So perhaps the owner(s) of Storm are saying "Hey, we're making available some raw processing power, who wants to buy?"

Re:Can it be that hard to catch whoever is behind (1)

gurps_npc (621217) | more than 6 years ago | (#20998305)

One of the reasons they have not been caught is BECAUSE it is a single person or small group.

Small = harder to find unless you are a '133t' programmer bragging about how good you are.

You want to keep a secret you tell NO ONE, you don't go spreading it around.

The real way to kill Storm is to basically start having Interpol treat it like drug trafficking, getting real cooperation, fairly quickly, instead of just ignoring it as not important.

You have cops not investigate one crime then guess what happens - the criminals FLOURISH.

You start having cops investigate and arrest people, then it works. Yeah, you have to wait till they move the crime from cyber to real life (i.e. ask for money) but it can be done.

Re:Can it be that hard to catch whoever is behind (1)

Zak3056 (69287) | more than 6 years ago | (#20998391)

One of the reasons they have not been caught is BECAUSE it is a single person or small group.
[snip]
The real way to kill storm is to basically start having interpol treat it like drug trafficking, getting real cooperation, fairly quickly, instead of just ignoring it as not important.

These two statements pretty much contradict each other. Who are you going to get to cooperate if it's a single individual, or small, well insulated group?

The ultimate goal? (0)

Anonymous Coward | more than 6 years ago | (#20998083)

Presumably, the result of this and further partitioning will be Internet 3.

This problem is its own solution... (2, Interesting)

MiniMike (234881) | more than 6 years ago | (#20998105)

Step 1: Rent botnet.
Step 2: Have each 'rented' computer run update, anti-virus, anti-malware...
Step 3: Profit! Ok, no profit, but maybe you get to enjoy reduced amounts of spam.

Repeat until bored.

Re:This problem is its own solution... (1)

Z00L00K (682162) | more than 6 years ago | (#20998235)

And at the same time provide the spammers with more money so that they can continue.

I'm starting to think that spammers should get familiar with the business end of a Desert Eagle .50 or similar device.

Re:This problem is its own solution... (1)

Zak3056 (69287) | more than 6 years ago | (#20998317)

Step 1: Rent botnet.
Step 2: Have each 'rented' computer run update, anti-virus, anti-malware...
Step 3: Profit! Ok, no profit, but maybe you get to enjoy reduced amounts of spam.

Step 4: Never be seen again after you get shot in the head, dismembered, and buried in the desert by the organized crime connections of the botnet owners.

Re:This problem is its own solution... (1)

An ominous Cow art (320322) | more than 6 years ago | (#20998663)

Better yet, replace Step 2 with:

Step 2: Have each 'rented' computer download, and make available for download, various movies and music.
And Step 3 with:

Step 3: Profit! as the ??AA begins systematically attacking the botnet.
And Step 4 with:

Step 4: Laugh with glee as dismembered pieces of ??AA executives and lawyers begin washing up on river banks.

What is preventing a sting? (2, Insightful)

erroneus (253617) | more than 6 years ago | (#20998261)

People are hijacking PCs and servers all over the globe and selling access to them to spammers and other shady characters. This is an organized crime of GLOBAL scale. Why the hell isn't Interpol or some large law enforcement body prepared to follow the money to the sources and burn them with it?

And if we don't have the REAL people to work on this, perhaps we should hire Hollywood to get the job done because it seems like the only real law enforcement that happens these days is in the movies or on TV.

Re:What is preventing a sting? (1)

pla (258480) | more than 6 years ago | (#20999423)

This is an organized crime of GLOBAL scale. Why the hell isn't Interpol or some large law enforcement body prepared to follow the money to the sources and burn them with it?

You assume too much in not considering that Interpol or the NSA or Mossad may very well run this thing.

Not claiming that they do, but finding out they do wouldn't surprise me in the least.

Re:What is preventing a sting? (1)

blhack (921171) | more than 6 years ago | (#20999567)

You assume too much in not considering that Interpol or the NSA or Mossad may very well run this thing.
What motivation would the NSA, which is an organization with almost limitless funds, have in creating a botnet of the scale of Storm? If they did, why would they sell it off?

Re:What is preventing a sting? (0)

Anonymous Coward | more than 6 years ago | (#20999861)

This is an organized crime of GLOBAL scale. Why the hell isn't Interpol or some large law enforcement body prepared to follow the money to the sources and burn them with it?

Because the police officers who work for Interpol are 50-60 years old and still use "green screen" computers at work. Those intarweb tubes are a new thing which younger police will have seen are mostly used by paedophiles but it doesn't really have any use in honest police work.

Unethical countermeasures? (2, Interesting)

dtml-try MyNick (453562) | more than 6 years ago | (#20998289)

First things first, IANAE (I am not an expert)

I've recently read some stories about this botnet. From what I've gathered it's powerful enough to do some serious damage in a society. Cyber attacks can disrupt our lives in multiple ways after all.
Imo we're just lucky so far that it hasn't been used for some serious attack on money/bank agencies, public transport, etc etc, stuff close to us and vital for average day life. (or am I just being too paranoid now?)

The hosts that are infected will most likely be badly maintained boxes, unattended, never updated. Wouldn't it be possible to write a counterworm/trojan that would delete the bot software and close the holes?

I realise the ethical issues involved here. A Trojan like this would basically be just as "bad" as the botnet itself, on the other hand it would be for the greater good.
Has anyone ever attempted this? If not, what if someone did? Would you be pissed off if one of your forgotten and infected boxes would be cleaned this way?

Just being curious..

Re:Unethical countermeasures? (1)

u38cg (607297) | more than 6 years ago | (#20998517)

One of the first things a competent virus does nowadays is to sweep the host it has just infected for other malware and to remove any that is hostile to the author's aims. As usual, the bad guys are ahead of you ;) I have read anecdotal stories of people doing this back in the days when virii were novelties rather than dangers.

However, at the end of the day a counter-worm would still be a worm, and running unauthorised software on someone else's box is still unethical, never mind illegal, no matter what it actually does. There are plenty of virii that do absolutely nothing except propagate.

Re:Unethical countermeasures? (1)

jonbryce (703250) | more than 6 years ago | (#20999277)

Most likely Storm closes whatever hole it used to get into the machine, so no other worm can come in afterwards.

It isn't unknown for rival worm authors to attack each other's worms.

Re:Unethical countermeasures? (1)

BRMachine (1174811) | more than 6 years ago | (#20999517)

Storm does in fact protect the zombie system from other malware installations, so a "counter" worm would be ineffective.

The key is to catch the Bot "master" and decapitate. We know they are in Russia, and there are even indications who they are. Without someone updating code to keep the worm alive, it might be taken down, or at least slowed. Pressure on Russian authorities would be the best route. Boycott Russian exports if necessary until they deal with it. Something better be done soon, or some very nasty things could happen. Remember "Blue Security" and Estonia? Think of that 100 times worse.

Re:Unethical countermeasures? (1)

ratboy666 (104074) | more than 6 years ago | (#20999557)

Not just ethics -- it's just not practical.

STORM (mostly) just installs and hides. It doesn't DO anything that a user would notice. The only thing it does (which, generally, is not noticed) is mutate itself twice an hour.

Only a small fraction of STORM infected systems try to spread STORM. An even smaller fraction act as a distributed control net.

Since the control net is distributed, it is very difficult to trace. Since STORM is ...quiet... it isn't noticed (and that's why estimates on how many systems are infected vary so wildly).

A "counter-STORM" would have to infect wildly to begin to be effective. Because it cannot know how far the STORM "infection" has spread. And that would be too disruptive (basically, the equivalent of a STORM attack itself). You can try to lop off the commanding systems, but just more would pop up. You can try to lop off DNS, but STORM has a counter-measure for that as well (rapid DNS cycling).
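
As an added, defender-side illustration (not part of this thread or any poster's code): a small heuristic that flags the "rapid DNS cycling" mentioned above from resolver logs. The log lines, names, addresses and thresholds are all constructed for this example.

```python
"""Fast-flux heuristic over constructed DNS resolver log lines (added example)."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log: unix timestamp, queried name, answer TTL, answer IP.
# The "fluxing" name hands out many unrelated addresses with a short TTL;
# the ordinary name returns a small, stable set with a long TTL.
SAMPLE_LOG = """\
1192000000 pharma-deals.example 300 203.0.113.10
1192000300 pharma-deals.example 300 198.51.100.77
1192000600 pharma-deals.example 300 192.0.2.33
1192000900 pharma-deals.example 300 203.0.113.201
1192001200 pharma-deals.example 300 198.51.100.9
1192000000 www.example.org 86400 192.0.2.1
1192000600 www.example.org 86400 192.0.2.1
1192001200 www.example.org 86400 192.0.2.2
"""


def parse_log(text):
    """Group (ttl, ip) observations by queried name (IPv4 sample data)."""
    per_name = defaultdict(list)
    for line in text.splitlines():
        _ts, name, ttl, ip = line.split()
        per_name[name].append((int(ttl), ip_address(ip)))
    return per_name


def flux_metrics(observations):
    """Summarise how much a name's answers churn over the window."""
    ips = {ip for _, ip in observations}
    # Distinct /16 prefixes stand in for "different networks"; a real
    # deployment would use ASN lookups instead (assumption for offline use).
    prefixes = {str(ip).rsplit(".", 2)[0] for ip in ips}
    min_ttl = min(ttl for ttl, _ in observations)
    return {"distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl}


def is_fast_flux(metrics, max_ttl=600, min_ips=4, min_prefixes=3):
    """Threshold rule: short TTL plus many addresses spread across networks."""
    return (metrics["min_ttl"] <= max_ttl
            and metrics["distinct_ips"] >= min_ips
            and metrics["distinct_prefixes"] >= min_prefixes)


def classify(text):
    """Map each queried name in the log to a fast-flux verdict."""
    return {name: is_fast_flux(flux_metrics(obs))
            for name, obs in parse_log(text).items()}
```

Thresholds are deliberately conservative; CDNs also rotate addresses, so a real detector would combine this with ASN diversity and whois age rather than TTL alone.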

Missing in the summary (1)

Statecraftsman (718862) | more than 6 years ago | (#20998385)

Where's their online store and to which paypal address do I send the funds?

Did anyone else... (0, Troll)

TheVelvetFlamebait (986083) | more than 6 years ago | (#20998421)

... look at the first four words of the title and think the editors strung four random words together?

c4v3aT 3mpt0R (3, Funny)

xactuary (746078) | more than 6 years ago | (#20999447)

The partition you just purchased is on your own hard drive.

sell it (1)

el_coyotexdk (1045108) | more than 6 years ago | (#20999825)

to seti@home :]

CmdrTaco is behind this (5, Funny)

Experiment 626 (698257) | more than 6 years ago | (#20999849)

The updates are part of the Slashdot tenth anniversary auction. In addition to the @slashdot.org address and low user id, CmdrTaco has also gotten the operators of the Storm Worm Botnet to auction its use off as part of the charity auction.

Some potential uses for the winning bidder:

  • No longer will you have to only imagine having a Beowulf cluster of those.
  • Create your own Slashdot effect at the push of a button.
  • Thousands of Slashdot sock puppet accounts at your beck and call, ready to mod you up, karma-assassinate your foes, or post supportive replies to all the drivel you post.
  • Bring the parallel power of distributed computing to bear on problems like cracking DRM, modelling global warming, or ray tracing pictures of Natalie Portman with hot grits.
  • DDOS the RIAA / SCO / Diebold / whoever and become an instant Slashdot hero.
  • In Soviet Russia, spammers' inboxes get flooded by YOU!