
Storm Worm Being Reduced to a Squall

Zonk posted more than 6 years ago | from the blood-pressure-lowering-sight-returning dept.

Security 183

Rumours of financial schemes surrounding the botnet aside, PC World has an article that should lower the blood pressure of some SysAdmins. The Storm Worm botnet is apparently shrinking. A researcher out of UC San Diego who has been tracking the network has published a report indicating it is now only 10% of its former size. "Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world's most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time. Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network."


183 comments

Spread of Windows (2, Interesting)

Prysorra (1040518) | more than 6 years ago | (#21064185)

Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?

Just wondering.

Re:Spread of Windows (3, Funny)

Colin Smith (2679) | more than 6 years ago | (#21064237)

Hmmm... Windows as a threat to national security ...

Imagines SWAT teams dodging chairs as they storm Microsoft headquarters to screams of "You'll never take me alive copper!"


Re:Spread of Windows (5, Funny)

rustalot42684 (1055008) | more than 6 years ago | (#21064593)

But then SWAT is beaten back by Clippy:
It looks like you're trying to raid the Redmond campus. Would you like to:
  • Hunt and kill all the employees
  • Destroy the supercomputer cores
  • Uncover the secret plot for world domination
  • Just raid the campus without help
# Don't show me this tip again

Re:Spread of Windows (1)

JackMeyhoff (1070484) | more than 6 years ago | (#21064701)

Actually, it is. It's not certified for such use when there is a network card installed.

Re:Spread of Windows (0)

Anonymous Coward | more than 6 years ago | (#21064893)

Where's the -1 'Whoosh - Over your head' mod when you need it?

it's true (0)

Anonymous Coward | more than 6 years ago | (#21065991)

Windows is C3 compliant only when the network cable is unplugged. But don't tell your managers.

Maybe. (1)

khasim (1285) | more than 6 years ago | (#21064243)

From TFA:

Then on September 11, Microsoft added Storm detection (Microsoft's name for Storm's components is Win32/Nuwar) into its Malicious Software Removal tool, which ships with every Windows system. Overnight, Storm infections dropped by another 20 percent.

Anyone have any info on whether Microsoft's tool would detect it earlier?

Re:Spread of Windows (2, Insightful)

sakdoctor (1087155) | more than 6 years ago | (#21064255)

I'd say enforcement of Windows piracy is the least lax that it has ever been.
WGA raises the barrier of casual copying to lusers whose skill wouldn't have been enough to stop them getting pwned by some virus, and being incorporated into a botnet.

Re:Spread of Windows (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21064365)

That's part of the problem. One of the ways they protect against piracy is keeping you from getting updates. This leaves unpatched pirated systems out there. Since there is no real legal threat for the average user, the only real motivation for a person to get a legit copy is so they can get security updates easily. Joe Six Pack is just going to borrow that pirated copy of XP his buddy picked up at a flea market. OP brings up a very valid point.

Re:Spread of Windows (2, Informative)

LO0G (606364) | more than 6 years ago | (#21064611)

Huh? According to Microsoft they security updates to pirated versions of Windows. Source: (click on "Will users of non-genuine Windows be blocked from receiving security updates?") [microsoft.com]

It also appears that the Malicious Software Removal Tool [microsoft.com] doesn't require validation either.

So you can run the same malware removal tools on pirated versions of Windows as well.

Re:Spread of Windows (1, Informative)

Anonymous Coward | more than 6 years ago | (#21064671)

No. Regardless of genuine status, users will not be denied access to critical security updates. Users who have not validated their computers as genuine, however, will not be able to install many updates, including Internet Explorer 7.0 and Windows Defender. Microsoft strongly recommends that users of non-genuine systems correct their problem immediately.

Re:Spread of Windows (2, Informative)

LO0G (606364) | more than 6 years ago | (#21065907)

So? First off, the IE team claims that IE7's going to be available without WGA [msdn.com] . So part of that is no longer valid.

Also, I was responding to a claim that Microsoft withheld security updates for people who were running pirated versions of Windows. I provided a link from Microsoft that seems to indicate otherwise.

Why is this a problem? Are you saying that Microsoft is lying in their post?

Re:Spread of Windows (2, Informative)

petermgreen (876956) | more than 6 years ago | (#21066313)

Huh? According to Microsoft they security updates to pirated versions of Windows.

They do, kind of.

If you want to run pirate windows without getting nags and you don't have access to a good (as in allocated by MS and not shitlisted because of wide distribution) corp key you have to either crack windows genuine advantage notifications or keep it off your system. Cracking it has the downside that MS could release an update at any time.

There are two easy ways to keep windows genuine advantage notifications off your system.

1: set automatic update to prompt before installing updates and manually check the list for wga every time (you can reject it but it reappears every so often). This is probably tolerable if it is your own machine but if you give it to someone else to use then it's not such a good idea.
2: disable automatic updates completely.

Re:Spread of Windows (0)

Anonymous Coward | more than 6 years ago | (#21064265)

Only to a certain degree. If it were totally lax everybody would probably update the system as if it were legit, so there are probably a lot of illegal installations where the owner avoids contact with MS servers.
On the other hand it is the reason why Windows is number one and hence it has so many installations that have a high probability of being insecure.

Re:Spread of Windows (2, Insightful)

$RANDOMLUSER (804576) | more than 6 years ago | (#21064271)

Or possibly it's the lax enforcement of security standards by Redmond programmers? Or the lax attitude of Microsoft about all things not directly related to increased sales and world hegemony?

Re:Spread of Windows (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21064351)

It's probably just that the owner of the network doesn't like the publicity and is moving a good proportion of the nodes to less conspicuous means of communication, or even temporarily deactivating nodes. If the security guys manage to disable the main Storm network, they may find that the parts they disabled are no longer necessary for the hacker.

Re:Spread of Windows (1)

El Lobo (994537) | more than 6 years ago | (#21064505)

Interesting? Ignorant, I would moderate this. Security patches for serious problems like this are always available EVEN for non Genuine windows.

Re:Spread of Windows (1)

wizardforce (1005805) | more than 6 years ago | (#21064515)

Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?

no. windows does just fine getting infected by itself, it doesn't need a pirate's help arrrr.

Re:Spread of Windows (1, Insightful)

ILuvRamen (1026668) | more than 6 years ago | (#21064537)

if everyone used Mac OS or a Linux distribution then malware makers would target them. They only target windows cuz it's popular. Come on, everyone knows that.

Re:Spread of Windows (0, Redundant)

mrsteveman1 (1010381) | more than 6 years ago | (#21064605)

Marketshare accounts for around 2/5ths of the reason Windows is so insecure

Re:Spread of Windows (1, Redundant)

Anpheus (908711) | more than 6 years ago | (#21065435)

Made up statistics* count for around 9/10ths of the reason you say that.

* over the past six months, the number of made up statistics has TRIPLED! wiki it!

Re:Spread of Windows (3, Insightful)

diskis (221264) | more than 6 years ago | (#21066029)

That argument is getting a bit dated. Linux is used more and more as servers. More processing power, more bandwidth and not so competent administrators. I know a lot of machines sitting un-updated on 100mbit or faster. They have been sitting for years serving as storage for irc logs, simpsons episodes and funny pictures. Still they are not part of any botnets.

Re:Spread of Windows (2, Insightful)

vtcodger (957785) | more than 6 years ago | (#21065443)

***Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?***

Why would anyone think that? Windows is Windows whether it's pirated or paid for. Is a drunk weaving through heavy traffic at 135kph any more or less of a menace if he's driving a stolen car rather than a car he "owns"?

Re:Spread of Windows (1)

petermgreen (876956) | more than 6 years ago | (#21066263)

Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?

IMO anti piracy measures are contributing to insecurity. The fact is that such measures WILL be cracked and those using cracked versions will be reluctant to install updates both from the point of view of MS possibly breaking their system (I don't think WGA actually disables your system on XP but it does give annoying nag messages; they could change it to be nastier at any time, sure you don't have to install WGA to get important updates but MS repeatedly put it back in the critical updates list every time they update it so it only takes one slip to end up with it installed) and from the point of view of possibly giving away to MS that they are pirates to be hunted down (afaict MS hasn't actually done this yet but after the recent filesharing lawsuits I wouldn't blame people for being paranoid about it).

Anti piracy measures probably do stop some piracy but they also mean a lot of people stick to older versions/non updated copies of pirate software to make sure they don't have problems (whether technical or legal).

Advice Please (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21064247)

My girlfriend has a pussy that is really smelly, like old boots (that have had rotting tuna stored in them)

How can I tell her that I won't go down until she smells better without hurting her feelings? She keeps wanting me to lick it, but I don't wanna it makes me gag =(

Re:Advice Please (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21064301)

So really, your post is about two pussies.

Re:Advice Please (0, Offtopic)

Anonymous Coward | more than 6 years ago | (#21065075)

take a shower with her, and be very careful to clean the area with different products, then try again.

Re:Advice Please (1, Funny)

iogan (943605) | more than 6 years ago | (#21066053)

It might be diet related. Get her to eat more healthy food, and then see what happens.

Oblig. (1, Interesting)

The Living Fractal (162153) | more than 6 years ago | (#21064249)

Couldn't this just be the 'eye' of the Storm?

Or is it possible that Windows boxes really are just getting more secure? Ohh shit I asked THAT on Slashdot?! Charles Stross will have my soul. /owenwilson

Re:Oblig. (0)

Anonymous Coward | more than 6 years ago | (#21064391)

Secure Windows boxes are against Slashdot policy.

But I don't really care much about this issue, *my* Windows box (which sits behind a normal DSL router with Symantec and an off-the-shelf-never-tweaked firewall) has never been "hacked".

Re:Oblig. (3, Funny)

marcosdumay (620877) | more than 6 years ago | (#21064461)

Windows boxes are getting more secure all the time.

But we can only guess when they will be ready for widespread use...

Re:Oblig. (1)

rustalot42684 (1055008) | more than 6 years ago | (#21064649)

IMO, Windows Vista is the most secure Windows yet (because of UAC). That said, compared to other systems, is Windows secure? It is certainly less secure than my Linux box. But OS security is only one half of the equation. IMO, many viruses are PICNIC (Problem in Chair, Not In Computer) problems. I think that the problem of viruses would be greatly reduced if people were less ignorant about viruses.

Re:Oblig. (1)

ConceptJunkie (24823) | more than 6 years ago | (#21065547)

Yes, unfortunately, it's a toss-up between whether Vista is more secure because of better security features or it's more secure because no one uses it.

Re:Oblig. (3, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#21065731)

I think that the problem of viruses would be greatly reduced if people were less ignorant about viruses.

I think the problem of viruses would be greatly reduced if people were less ignorant about how their behavior causes them to get viruses.

Windows can be an okay operating system security-wise, if people didn't do these things:

Run Internet Explorer: IE is buggy and insecure. If everyone replaced it with Firefox with the NoScript plugin installed, you could watch how many fewer viruses there would be.

Run Outlook or Outlook Express: Mail programs shouldn't have scripting abilities that can take control of the entire OS. Watch how many fewer viruses would exist if people would run Thunderbird instead.

Download programs from untrusted sites: Lots of random malware, spyware and viruses are installed because users the latest 'cute' or 'cool' thing their friend told them about.

Enable VBA macros to autorun in Microsoft Office documents. Turn off macros.

Run as Administrator: Either learn how to use your OS properly or upgrade to Vista. Seriously.

Eliminate these behaviors and you will have removed the most common vectors of infection on Windows machines.

Re:Oblig. (1)

slyn (1111419) | more than 6 years ago | (#21064785)

If the boxes are getting cleaned up from Storm, then they have all the newest updates on them, don't they?

It was my understanding that when Storm infected a PC it downloaded and installed all the security updates for windows. If only 10% of the PCs originally infected still haven't been cleaned up and the apex of infections was 15M, then 12.5M boxes that might otherwise not have had the updates now do.

woops (1)

slyn (1111419) | more than 6 years ago | (#21064807)

gah! 15m - 1.5m = 12.5m only for extremely large values of 1.5m.

For normal size values of 1.5M the result is 13.5M.

looking for details on storm botnet control (0)

v1 (525388) | more than 6 years ago | (#21064345)

I've picked up only fragments of information on how the storm botnet is being controlled. From what I've heard, they all log into an IRC channel and report their presence, and then await encrypted / signed commands from the bot herder. While this does make it difficult to spoof commands to the bots to say, uninstall themselves and patch their host machines properly, I don't see why no one has been able to track the person issuing the commands. Anyone that takes apart the Storm source code can retrieve the public key for the commands, log into the irc channel, and at least see what commands are being sent out anytime they want. I don't understand how this has gone on for so long without anyone busting it up.

What server and channel is this on? Does it require invitation? (if so, how do you get invited? again this is something that anyone that analyzes the Storm bot should easily be able to determine) Where is this server hosted? Has any attempt been made to close down the server? I assume it's on one of those "bulletproof" russian hosts we read about a few weeks ago? Surely with something of this proportion and global impact, pressure can be brought to bear even on them?

Re:looking for details on storm botnet control (5, Informative)

liquidpele (663430) | more than 6 years ago | (#21064395)

You're thinking of botnets in the 1990s. This is 2007, Storm communicates with a hacked version of the eDonkey p2p protocol, and redirects all P2P traffic and DNS requests through nodes acting as proxies to the "motherships", so it's much harder to track. All P2P traffic is encrypted with 40 BYTE encryption (not 40 bit mind you).

Re:looking for details on storm botnet control (1)

v1 (525388) | more than 6 years ago | (#21065207)

and redirects all P2P traffic and DNS requests through nodes acting as proxies to the "motherships"

ok so why are they not focusing on these "nodes"?

Re:looking for details on storm botnet control (1)

nuzak (959558) | more than 6 years ago | (#21065623)

> ok so why are they not focusing on these "nodes"?

Three guesses as to how storm supernodes get installed.

Re:looking for details on storm botnet control (2, Interesting)

Kobun (668169) | more than 6 years ago | (#21065921)

Re:looking for details on storm botnet control (2, Interesting)

v1 (525388) | more than 6 years ago | (#21066255)

That's a very interesting read. I hope the authors release a similar, more up-to-date rundown of Storm. it sounds like Curious Yellow is one step before Storm in terms of worm evolution. (or that it was the successor to it?)

Re:looking for details on storm botnet control (1)

Fnord666 (889225) | more than 6 years ago | (#21066151)

ok so why are they not focusing on these "nodes"?

As I understand it, they are also using fast flux DNS [honeynet.org] to move these nodes around on a regular basis. By the time you track one down, it is no longer a node in the network, just another compromised system.
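The fast-flux behaviour described in this reply is something a defender can observe from passive DNS: a fluxing name returns a large, constantly changing set of addresses spread over unrelated networks, with short TTLs, while a CDN name also uses short TTLs but cycles through a small, stable pool. The script below is an added example (not from the thread or from the honeynet.org paper it links); the DNS observations in it are constructed, and the thresholds in `is_fast_flux` are illustrative defaults, not values from any published detector.

```python
"""Heuristic fast-flux detection over a series of passive-DNS observations.

Added example. OBSERVATIONS is constructed data in the shape
(seconds since start, domain, TTL, tuple of A records); feed real
resolver logs in the same shape to reuse summarize()/flag_fast_flux().
"""
from collections import defaultdict
from ipaddress import ip_address

OBSERVATIONS = [
    # a fluxing name: every lookup returns a fresh set of addresses in several networks
    (0,   "flux.example", 300, ("198.51.100.7", "203.0.113.40", "192.0.2.88")),
    (300, "flux.example", 300, ("203.0.113.41", "198.51.100.19", "192.0.2.5")),
    (600, "flux.example", 300, ("192.0.2.130", "198.51.100.200", "203.0.113.9")),
    (900, "flux.example", 300, ("198.51.100.77", "192.0.2.61", "203.0.113.150")),
    # a CDN-style name: short TTL too, but a small pool that merely rotates
    (0,   "cdn.example", 60, ("192.0.2.10", "192.0.2.11")),
    (300, "cdn.example", 60, ("192.0.2.11", "192.0.2.10")),
    (600, "cdn.example", 60, ("192.0.2.10", "192.0.2.12")),
    (900, "cdn.example", 60, ("192.0.2.12", "192.0.2.11")),
    # an ordinary static host
    (0,   "static.example", 86400, ("198.51.100.1",)),
    (900, "static.example", 86400, ("198.51.100.1",)),
]


def summarize(observations):
    """Per-domain metrics: distinct IPs, distinct /24s, mean TTL and answer churn."""
    acc = defaultdict(lambda: {"lookups": 0, "ips": set(), "nets": set(),
                               "ttls": [], "answers": 0})
    for _ts, domain, ttl, answers in observations:
        s = acc[domain]
        s["lookups"] += 1
        s["ttls"].append(ttl)
        s["answers"] += len(answers)
        for a in answers:
            addr = ip_address(a)
            s["ips"].add(addr)
            s["nets"].add(int(addr) >> 8)  # /24 containing the address
    result = {}
    for domain, s in acc.items():
        result[domain] = {
            "lookups": s["lookups"],
            "distinct_ips": len(s["ips"]),
            "distinct_nets": len(s["nets"]),
            "mean_ttl": sum(s["ttls"]) / len(s["ttls"]),
            # share of returned addresses that were never seen before for this name
            "churn": len(s["ips"]) / s["answers"],
        }
    return result


def is_fast_flux(m, max_ttl=1800, min_ips=6, min_nets=3, min_churn=0.5):
    """Illustrative thresholds: short TTL, many addresses, many networks, high churn."""
    return (m["mean_ttl"] <= max_ttl and m["distinct_ips"] >= min_ips
            and m["distinct_nets"] >= min_nets and m["churn"] >= min_churn)


def flag_fast_flux(observations):
    """Sorted list of domains whose metrics look like fast flux."""
    return sorted(d for d, m in summarize(observations).items() if is_fast_flux(m))


if __name__ == "__main__":
    for domain, m in summarize(OBSERVATIONS).items():
        print(domain, m, "FLUX" if is_fast_flux(m) else "")
```

The churn and distinct-network counts are what separate the fluxing name from the CDN: both have short TTLs, but the CDN keeps returning the same three addresses in one /24, so it is not flagged. On real data the /24 proxy for "different network" is crude; an ASN lookup per address is the usual refinement.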

Re:looking for details on storm botnet control (2, Informative)

ymgve (457563) | more than 6 years ago | (#21066501)

Doesn't matter that it's 40-byte. It's using simple XOR encryption, and the key is stored in plaintext inside the unpacked executable.

(If anybody cares, the current key, at least for the botnet partition I've seen, is F3 AA 58 0E 78 DE 9B 37 15 74 2C 8F B3 41 C5 50 33 7A 63 3D E6 13 DF 6C 46 CA BE 9A 77 48 94 02 C0 F3 66 49 EE 87 21 BB.)
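The point ymgve makes, that a 40-byte key does not make a simple XOR scheme strong, can be shown in a few lines: a fixed repeating key gives the same ciphertext byte for the same plaintext byte at the same offset, and one known message of key length hands the key back. The code below is an added illustration, not code from the thread or from any Storm analysis; the key and messages in it are constructed (the key is not the one posted above).

```python
"""Why repeating-key XOR is not encryption, whatever the key length.

Added example with constructed data. KEY is a made-up 40-byte key.
"""
import itertools

KEY = bytes(range(0x10, 0x10 + 40))  # constructed, 40 bytes


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated as often as needed (encrypt == decrypt)."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """One known plaintext of at least key_len bytes reveals the whole key."""
    if len(plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def positions_leaked(ct_a: bytes, ct_b: bytes) -> list:
    """Offsets where two ciphertexts agree, i.e. where the plaintexts were equal.

    With a fixed key, equal ciphertext bytes at the same offset imply equal
    plaintext bytes, so the scheme leaks message structure even without the key.
    """
    return [i for i, (a, b) in enumerate(zip(ct_a, ct_b)) if a == b]


# Constructed sample messages, deliberately differing in one byte.
MSG_A = b"ADDR 203.0.113.5:4000 "
MSG_B = b"ADDR 203.0.113.9:4000 "


if __name__ == "__main__":
    ct_a, ct_b = xor_repeating(MSG_A, KEY), xor_repeating(MSG_B, KEY)
    print("equal positions:", positions_leaked(ct_a, ct_b))
    known = bytes(range(64))
    print("recovered:", recover_key(known, xor_repeating(known, KEY), 40) == KEY)
```

A real stream cipher derives a fresh keystream per message (a nonce or IV feeds the key schedule), which is precisely what a repeating 40-byte key lacks; the length of the key is irrelevant once the keystream repeats.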

Re:looking for details on storm botnet control (1)

Gazzonyx (982402) | more than 6 years ago | (#21066739)

How current are your binaries of this thing? I've been wanting to get my hands on this thing and tear it apart for some time now...

Re:looking for details on storm botnet control (1, Redundant)

bucky0 (229117) | more than 6 years ago | (#21064409)

From what I remember, there's no central IRC control. The bots all join in a p2p network and share files with commands to be executed. The herder uploads a command file with a specific (spoofed) hash, and the bots spread them over the P2P network to the whole network. The reason no one's been able to pull the plug is because there's no central IRC server that people can target, the commands are just files on a p2p network.

Re:looking for details on storm botnet control (0)

Anonymous Coward | more than 6 years ago | (#21064417)

This is not an IRC bot. It used P2P - each bot sends the encrypted/signed commands to its known neighbors. It used the gnutella network to find other nodes.

Re:looking for details on storm botnet control (0)

Anonymous Coward | more than 6 years ago | (#21064489)

Anyone that takes apart the Storm source code can retrieve the public key for the commands, log into the irc channel, and at least see what commands are being sent out anytime they want. I don't understand how this has gone on for so long without anyone busting it up.

Well, of course you could extract the public key of the bot herder, but what could you do with that? You would need the private key of the bot herder to sign messages, only then you could control the botnet.

Re:looking for details on storm botnet control (0)

Anonymous Coward | more than 6 years ago | (#21064601)

Well duh. Just factor it!

don't be sure (5, Insightful)

phantomfive (622387) | more than 6 years ago | (#21064359)

The researcher determined this with a spider he created to crawl the storm network. How does he know that the network is shrinking and not just being partitioned? [slashdot.org]

Furthermore, the storm virus is known to be updatable. Is it possible it was updated to be even less obtrusive, thus escaping detection in other ways? Maybe it has gone into dormant mode, because the creator doesn't need so many computers at the moment.

One interesting innovation of the worm, quoted from the article:

"If you're a researcher and you hit the pages hosting the malware too much... there is an automated process that automatically launches a denial of service [attack] against you," he said. This attack, which floods the victim's computer with a deluge of Internet traffic, knocked part of the UC San Diego network offline when it first struck.

I think some part of me must be sick or something, because when I read about this I almost hope the worm will get bigger, become unstoppable, and reveal windows for the insecure piece of crap that it is. Linux, BSD, OSX, Solaris, and heck even Minix could clearly stand up to a threat like this much more easily than Windows.

Re:don't be sure (4, Insightful)

John Hasler (414242) | more than 6 years ago | (#21064513)

> I think some part of me must be sick or something, because when I read about this I
> almost hope the worm will get bigger, become unstoppable, and reveal windows for the
> insecure piece of crap that it is.

Already been done. Nobody cares.

Re:don't be sure (0)

Anonymous Coward | more than 6 years ago | (#21064575)

I'm kinda hoping it gets bigger, too. I've been selling v14gr@ like crazy lately.

Re:don't be sure (1)

MoogMan (442253) | more than 6 years ago | (#21064713)

Linux, BSD, OSX, Solaris, and heck even Minux could clearly stand up to a threat like this much more easily than Windows.

Bzzzt! Wrong. There are many attack vectors for Storm's entry into someone's computer (one of which is indeed an OS vulnerability). AFAIK, the majority of the attack vectors rely on people downloading some bootstrapper program via their email or web browser. Nothing is going to stop this happening to a "normal" user on *NIX.

Re:don't be sure (1)

Master of Transhuman (597628) | more than 6 years ago | (#21065503)

OTOH, the bot has to communicate out. As a normal user not running as root, that means it has to open a port. Many Linux distro firewalls - and some Windows third party firewalls, but not the standard Windows firewall - block incoming and outgoing ports by default unless explicitly opened. If the bot can't communicate, it's worthless to the botnet.

Of course, the Worm might be smart enough to trick the user into opening a port by popping up a message and requesting it masquerading as a legit program - but I haven't heard of the ability in it. Therefore it would seem likely that a version compiled to run on Linux wouldn't work.

Another possibility is that the bot would know a way to fool any software firewall to let it out. Most of the Windows software firewalls can be easily bypassed. Only Comodo manages to prevent most of the more common techniques. I'm not sure if Linux software firewalls are as easily bypassed.

Any distro whose firewall that allowed local initiated Web contact by default, however, probably would allow it out.

Bots are a good reason to have a hardware firewall that blocks everything except explicitly opened ports in or out.

Re:don't be sure (1)

Sancho (17056) | more than 6 years ago | (#21065585)

Which Linux firewalls block outgoing connections by default? In my 12+ years of using Linux, I have never seen this behavior configured by default.

Re:don't be sure (1)

Master of Transhuman (597628) | more than 6 years ago | (#21066005)

I don't know, I assume some of them do. I know most firewalls are configured to allow outbound by default, but I would assume some of them don't - or can be configured not to, so it would depend on the distro to set the default.

If none do, then Linux definitely is no better than Windows in this regard.

Re:don't be sure (1)

petermgreen (876956) | more than 6 years ago | (#21066391)

I don't know, I assume some of them do. I know most firewalls are configured to allow outbound by default, but I would assume some of them don't - or can be configured not to, so it would depend on the distro to set the default.

Blocking outbound by default would make a distro practically unusable for anyone who didn't understand firewall configuration.

Re:don't be sure (1, Informative)

Sancho (17056) | more than 6 years ago | (#21066455)

I'm not trying to be rude here, but you probably shouldn't make a statement of fact based upon your own assumptions.

I've mostly used Debian-based Linux distributions, though I've also used Gentoo. I've installed Red Hat's enterprise solution, though I've never used it on the desktop. None of these have any special firewall beyond Netfilter (commonly called iptables.) Some are configured to block inbound packets that aren't part of an established connection, some don't have any rules by default (and use implicit pass in/out), but of the three, none have had implicit outbound-blocking. I've also never seen a Linux firewall that worked like ZoneAlarm (blocking by default, but alerting you and offering to let you allow the connection.)

No better than Windows on this front? Well, only as far as the defaults go. You're quite capable of blocking egress (outbound) traffic in Linux, you just have to turn it on yourself. In XP, you aren't even capable of blocking outbound traffic without third-party software--the Windows firewall only blocks incoming connections (as far as I can tell--since I don't run Windows myself, my experiences are limited to times when I've had to learn enough to support a user.) So Linux is a little better--at least the capability exists.

Re:don't be sure (4, Insightful)

phantomfive (622387) | more than 6 years ago | (#21065543)

Heh, I knew someone was going to trot out this old troll. The point is, it would be much easier to secure unix-type systems than windows-type systems. Compare Microsoft's budget to that of OpenBSD; now tell me, which is more secure?

For it to be effective as a virus, it is going to have to install itself to startup somehow. What is it going to do, add a line to my .bashrc? Add a script to /etc/rc.d? It can't do that, only root can, and I don't browse the internet as root. Nobody does.

You may say, "it will prompt you for the password and idiot users will just type it" but you are showing your Windows bias. On windows, you get so many popup prompts that many users just ignore them and do whatever they ask. OSX has shown that it can be done differently, however. Ask any average OSX user what they would do if a downloaded attachment asked them for their root password, and they will say something to the effect of, "Freak out and delete it immediately." It's because the warnings and prompts in OSX don't become annoying.

Security on Windows is hard. For any vulnerability, it takes a lot more effort to fix on Windows than a similar vulnerability in a Unix system. In unix-world, fixing the OS is an option.

Re:don't be sure (1)

Sancho (17056) | more than 6 years ago | (#21065605)

With Windows, almost everyone runs as Administrator, so the software doesn't have to do anything special to hook into the OS while being stealthy. On Linux, being stealthy (against most non-knowledgeable users) would just mean adding a line to .xinitrc or .bashrc. If you set your parents up with Ubuntu, would they know to look there? Would most people who aren't deep into the Unix culture?

Viruses on Linux would be easier to clean as long as the user isn't running as Root all the time (and the virus doesn't wait for them to legitimately type in their password and then sneak in on the 5-minute timer that sudo has), but the trojan infection vector would be just as easy.

Re:don't be sure (1)

phantomfive (622387) | more than 6 years ago | (#21065645)

See, this is where it breaks down. If you are clever, I'm sure you can think of half a dozen ways to defend against this. The easiest I can think of in 10 seconds is to replace the .bashrc/.xinitrc with something standard every time a user logs in. A bit annoying, maybe; but effective.

This is why unix is so much easier to harden. Because it is well-designed, there is much more flexibility when trying to think of a defense.

Re:don't be sure (1)

Sancho (17056) | more than 6 years ago | (#21066361)

Are you suggesting that the user not be able to run things at startup? That would certainly work. You could also restrict what can be run to only things which have been approved by the vendor (in any particular OS), but it doesn't mean that it's a good solution.

Keep in mind that Windows could re-image itself every time that the computer is restarted, or every X hours. The registry startup entries could be cleared, each boot. The problem is that you lose functionality with any of these solutions. They're great for corporate environments, but they don't work so well for individual users at home.

It's not hard to stop malware from running on computers. It's just hard to do it while maintaining the freedoms that current users enjoy.

Re:don't be sure (1)

lachlan76 (770870) | more than 6 years ago | (#21066579)

Just chmod .bashrc, .bash_login, etc. to 500, so that only root can make things run on startup.

Re:don't be sure (1)

petermgreen (876956) | more than 6 years ago | (#21066415)

and the virus doesn't wait for them to legitimately type in their password and then sneak in on the 5-minute timer that sudo has

It has always seemed to me that it would be pretty trivial for malware to hijack a user's use of su/sudo/gksu/similar. The easiest way would be to modify the user's bash profile and desktop menus so that instead of running the real elevation tool the user ran a program supplied by the malware. This program would then use the information it gathered to do both what the user wanted and what the malware wanted.

Re:don't be sure (1)

Sancho (17056) | more than 6 years ago | (#21066533)

sudo, at least, needs to be suid. A trojan would have to act as a wrapper, which could certainly work, but it would probably be more suspicious than /home/bin/happyfungame, which would just start a background process and wait for the user to run sudo.

Then again, we're talking about the more ignorant userbase, so a wrapper in their home directory might go unnoticed.

Re:don't be sure (1)

petermgreen (876956) | more than 6 years ago | (#21066653)

Unless you go looking at the list of environment variables (something that most people only do occasionally afaict, probably far less often than you use su) you won't notice something new on the start of your path and I very much doubt you will notice a binary sitting in some deep subdir under your homedir or even somewhere under /tmp .

for menu based stuff it is even easier, are you really going to notice a couple of menu item customisations?
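A defender's check for the PATH-wrapper trick discussed in this sub-thread, as an added example that is not any poster's code: it lists PATH entries a non-root process could control and verifies that `sudo` resolves to a setuid binary under a system directory. The function names and the list of trusted prefixes are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the PATH for the wrapper trick
# (a fake "sudo" planted in a user-writable directory ahead of the real one).
# Function names and the trusted-directory list are assumptions for this example.
set -f   # no globbing while PATH is split on ':'
# suspicious_path_entries PATH_STRING HOME_DIR
# Print each entry an unprivileged process could control: an empty entry (means
# the current directory), a relative path, or a directory under HOME_DIR or /tmp.
suspicious_path_entries() {
    _p="$1" _h="$2"
    [ -n "$_h" ] || _h=/nonexistent   # empty HOME would make "$_h"/* match everything
    case ":$_p:" in *::*) echo "(empty entry = current directory)" ;; esac
    _ifs="$IFS"; IFS=:
    for _d in $_p; do
        case "$_d" in
            [!/]*)                            echo "$_d (relative)" ;;
            "$_h"|"$_h"/*)                    echo "$_d (under home)" ;;
            /tmp|/tmp/*|/var/tmp|/var/tmp/*)  echo "$_d (world-writable tmp)" ;;
        esac
    done
    IFS="$_ifs"
}

# resolve_in_path PATH_STRING NAME
# Print the first executable NAME along PATH_STRING, i.e. what a shell would run.
resolve_in_path() {
    _ifs="$IFS"; IFS=:
    for _d in $1; do
        [ -n "$_d" ] || _d=.
        if [ -x "$_d/$2" ] && [ ! -d "$_d/$2" ]; then
            IFS="$_ifs"; echo "$_d/$2"; return 0
        fi
    done
    IFS="$_ifs"; return 1
}

# elevation_tool_ok PATH_STRING NAME
# Succeed only if NAME resolves to a setuid binary under a trusted system prefix;
# a wrapper script in a home or /tmp directory fails both checks.
elevation_tool_ok() {
    _bin=$(resolve_in_path "$1" "$2") || return 1
    case "$_bin" in
        /usr/bin/*|/bin/*|/usr/sbin/*|/sbin/*) ;;   # assumed trusted prefixes
        *) return 1 ;;
    esac
    [ -u "$_bin" ]   # the real sudo must be setuid, as noted above
}
# Audit the caller's own environment
suspicious_path_entries "$PATH" "$HOME"
elevation_tool_ok "$PATH" sudo && echo "sudo: trusted setuid binary" || echo "sudo: missing, wrapped, or not setuid"
```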

Re:don't be sure (2, Interesting)

Master of Transhuman (597628) | more than 6 years ago | (#21065517)

I was wondering about the possibility of it being partitioned myself.

The botnet's size has always been hard to figure out because of its policy of only allowing a limited number of immediate connections in its net. Partitioning and assigning control of sections to other people - and this would presumably entail cutting connections with other portions of the botnet completely in order to enforce "ownership" - would presumably make it look smaller than it is.

This guy may also be overconfident in the crawling ability of his tool.

Bullshit (5, Interesting)

Anonymous Coward | more than 6 years ago | (#21064383)

Some colleagues and I, along with a couple of anti-malware sites, have been tracking Storm infections as best we can over the last couple of months. We've mostly been using honeypots, trapping SMTP traffic and utilizing some nslookup scripts to mine Storm's fast-fluxing domains. It has not shown any sign of shrinking, particularly not by a factor of 10.

The only people who have ever estimated its size to be anywhere near 50 million hosts are paranoid tin-foil-hat-wearing security analysts and journalists looking to generate some ad revenue with a shocking headline or two. I've never seen any solid evidence pointing towards Storm being larger than 2-3 million hosts, so even assuming there is an exact science at work here, 1.5 million is far from a tenth of 2-3 million.

This phenomenon would be a lot easier to combat if people would stop spreading bullshit stories such as this.

Re:Bullshit (2, Insightful)

sg_oneill (159032) | more than 6 years ago | (#21064619)

Whatever the case is, it's a nasty piece of work. There's precious little that'll stand up to that thing focusing fire on a target.

Re:Bullshit (1)

vtcodger (957785) | more than 6 years ago | (#21065721)

If you read the article, the belief that the storm botnet is shrinking is based on the fact that the guy has a tool for actively crawling the Storm network. His estimates are based on the number of machines he can see vs the number that he used to be able to see. He agrees with you that there never were 50 million machines in the network BTW. He says maybe 15 million total over time and most of those have been deloused.

Since a tenfold reduction in the number of infected machines seems sort of optimistic, my guess would be that you might be closer to right than he is and that parts of the network might be hidden from him nowadays somehow. But what the hell do I know?

Oblig Inverse (2, Funny)

hksdot (1128515) | more than 6 years ago | (#21064389)

I for one bid farewell to our swarm intelligence worm overlords.

Re:Oblig Inverse (0)

Anonymous Coward | more than 6 years ago | (#21064629)

No cloud nor squall shall hinder us!

One question (1)

edxwelch (600979) | more than 6 years ago | (#21064533)

It says that you get infected with the Storm worm by clicking on a link in an email message. But is that an IE security hole? What happens if you use Firefox? Are you safe?

Re:One question (1)

tinkerghost (944862) | more than 6 years ago | (#21065069)

If you launch an exe file, you launch the file - it's a pebkac defect not a programming one. It's independent of both the software & the OS.

Re:One question (2, Interesting)

petermgreen (876956) | more than 6 years ago | (#21066437)

My understanding is that you get taken to a page that tries a bank of browser exploits (I don't know if they are all for IE or if there are some FF ones in there too) until one works. If they all fail then it tells the user to download and run an exe.

90 % decrease smells fishy... (0)

Anonymous Coward | more than 6 years ago | (#21064569)

...I can't imagine how 90 % of all infected users could remove Storm. The Storm bot has probably been changed and so have the command channels (I would guess to port 80, 443, 110 or 53).

Re:90 % decrease smells fishy... (1)

hasbeard (982620) | more than 6 years ago | (#21065247)

I think I recently saw something about Microsoft pushing out an update that was supposed to have cleaned a lot of these machines.

Mac and Linux users (1, Insightful)

gillbates (106458) | more than 6 years ago | (#21064591)

Just breathed a collective sigh of relief...

Oh wait, maybe they were just rolling their eyes and sighing. Honestly, I don't mean to troll, but you Windows users put up with so much trouble and annoyance just so you can avoid learning how a computer actually works...

Methinks you guys would be better off just biting the bullet and switching. Sure, Macs are more expensive, and Linux has a steep learning curve, but isn't it worth avoiding all of the frustration you're going to experience over the rest of your tech lifetime? Or are you one of those folks who relishes the semi-annual Windows reinstall? Perhaps you like paying an annual license fee to keep your computer from getting infected with a virus?

When you think about it, even if you don't factor in the cost of your time, Microsoft Windows systems are easily the most expensive systems to run on the planet, and the least useful (unless you expect your corporate users to play games all day...) Microsoft has been leveraging fear of the unknown to blackmail and intimidate non-technical users into supporting their monopoly, and the only winners I see in the whole thing are Microsoft and Intel. The users aren't any better off, and sysadmins risk their careers (not to mention their marriages!) on the capricious reliability and security of Windows systems.

But I guess that's why there's an old saying: Fool me once, shame on you. Fool me twice, shame on me. Microsoft fooled me once. I'm not getting fooled again.

Re:Mac and Linux users (3, Insightful)

TheRaven64 (641858) | more than 6 years ago | (#21064685)

Just breathed a collective sigh of relief... Oh wait, maybe they were just rolling their eyes and sighing.
No, we get spam from Windows zombies the same as everyone else.

Re:Mac and Linux users (0)

Anonymous Coward | more than 6 years ago | (#21064749)

I'm not getting fooled again
Not knowingly, anyway.

Here We Go Again (0)

Anonymous Coward | more than 6 years ago | (#21065243)

I run Ubuntu, CentOS, Mac OS X, two flavours of BSD, Solaris, Windows 2000, and Windows XP. With the number of OSes I have at hand, I keep using Windows for reasons other than those you've mentioned. I'm not a moron and a cheap bastard just because I happen to run Windows. I'm also proud to say that all my computers are clean, including the ones running Windows (hell, even the one running DR DOS 6 is clean). Saying that your intention is not to troll doesn't keep you from sounding like one.

Re:Mac and Linux users (3, Insightful)

Torvaun (1040898) | more than 6 years ago | (#21065357)

Windows can be secured. I've got an XP desktop for gaming, and I run Linux on my laptop. Neither of them get viruses. My protection suite is all free software, so there's no annual fee there. And, if enough regular people switched to something with a Unix base, they'd have virus issues too. There are viruses and rootkits for systems other than Windows. They aren't prolific because the average moron who clicks everything is on Windows.

Yes, those systems are more secure than Windows. No, they are not secure enough to deal with the assault of a wave of moronic users. Feel free to dream of an exodus away from Windows, but understand that nothing will change, even if your dream comes true.

Re:Mac and Linux users (1)

bigstrat2003 (1058574) | more than 6 years ago | (#21065553)

Honestly, I don't mean to troll, but you Windows users put up with so much trouble and annoyance just so you can avoid learning how a computer actually works...
That's a pretty big troll for "not meaning to troll". Using Windows is not a barrier to knowing how computers work. Hell, you wouldn't want me to go into my rant on how OSX's ui is dumbed-down compared to Windows, and even I'm not arrogant enough to claim that Mac users necessarily don't know how a computer works.

Sure, Macs are more expensive, and Linux has a steep learning curve, but isn't it worth avoiding all of the frustration you're going to experience over the rest of your tech lifetime?
You know, for all the touted insecurities of Windows, I have been using it for YEARS, and have had a virus or spyware infection once. Even that one time, for that matter, it was only because I listened to a friend's advice on a good source for a keygen (Hint: keygen.us is really bad unless your computer is running at maximum security, preferably on a live cd). That's precious little frustration I've put up with. Contrast that with the frustration I experienced with the Mac GUI I dislike a lot, or the frustration of getting Linux set up properly (example: I should not have to either learn how to manage config files, or reinstall the OS, because I picked a resolution my monitor doesn't support... all basic tasks should be easily handled by the GUI). Windows is by far the least frustrating for me.

Or are you one of those folks who relishes the semi-annual Windows reinstall? Perhaps you like paying an annual license fee to keep your computer from getting infected with a virus?
Both of these are blatantly false. I haven't reinstalled my copy of Windows since I built my machine, over a year ago. At best, one could argue that I bought some time when I installed Vista (upgraded from a pirated XP). Hell, I just popped a new mobo in yesterday, and Vista managed to get all the new drivers put into place properly (a pleasant surprise, given how dicey an operation that was under XP). As for the licensing fee, unless you mean a volume license or something (and there's no indication you do), you pay for Windows once per computer. Doesn't sound unreasonable to me.

When you think about it, even if you don't factor in the cost of your time, Microsoft Windows systems are easily the most expensive systems to run on the planet, and the least useful
Macs are more expensive, as you already noted, and usefulness is pretty much equal across all the platforms. Macs have good design apps, Windows has its own apps, not to mention games, and Linux has good server apps. These are all useful for different groups of people.

The users aren't any better off
That, sir, is entirely a matter of opinion, and many disagree with you. Many agree with you, too, but it hardly qualifies as some sort of statement of anything close to fact.

sysadmins risk their careers (not to mention their marriages!)
I somehow doubt it's a risk to a sysadmin's career to support whatever software the company he/she works for uses, but maybe I live in the world of sane employers. God only knows how it jeopardizes marriages, I guess you figure that Microsoft is just that damn evil?

Re:Mac and Linux users (2, Insightful)

creativeHavoc (1052138) | more than 6 years ago | (#21065941)

I wonder how many Slashdot Windows users are infected. I would venture a guess that there aren't very many. Computers are as smart as their users in a lot of cases, and most often that goes for security as well.

Storm (1, Interesting)

Tibixe (1138927) | more than 6 years ago | (#21064647)

An unstoppable botnet... quite beautiful. (Well, unstoppable as long as Windows is not exactly secure.) I know it's probably done for money, but wouldn't it be funny if ten years later someone announced he made Storm to compute big prime numbers, and he found 10000 more than ever? :) By the way, what is the use of big computers/networks if not maths?

Re:Storm (0)

Anonymous Coward | more than 6 years ago | (#21064935)

Spam, scams and DDoS extortion. These things are unfortunately rather more profitable than prime-searching.

Wyrm? (1)

Ranzear (1082021) | more than 6 years ago | (#21064997)

We'll only need to worry when it becomes sentient and starts rendering virtual realities for bald people and taking over the nuclear stockpiles. I need to go catch a cold.