
Storm Worm Strikes Back at Security Pros

ScuttleMonkey posted more than 6 years ago | from the skynet-worm dept.

Security 371

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

371 comments

In soviet russia... (5, Funny)

riceboy50 (631755) | more than 6 years ago | (#21102139)

The bot-net probes you.

Re:In soviet russia... (-1, Offtopic)

Marcos Eliziario (969923) | more than 6 years ago | (#21103055)

Who was the idiot who modded this down?
Really, this was one of the best executions of the soviet russia meme I've seen around here for a long time.

Contact the users (2, Funny)

SpaceLifeForm (228190) | more than 6 years ago | (#21102151)

Have them shut down and re-install Windows (not recommended)
or install GNU/Linux.

Re:Contact the users (2, Informative)

wile_e_wonka (934864) | more than 6 years ago | (#21102265)

Interestingly, that might not even help:

http://it.slashdot.org/article.pl?sid=07/10/05/1234217 [slashdot.org]

Re:Contact the users (4, Interesting)

orclevegam (940336) | more than 6 years ago | (#21102555)

Yeah, buddy of mine had his Gentoo box rooted and used as some sort of base system for rooting others. He found out after his ISP notified him that they shut down his internet access because his server had been reported as probing other servers for vulnerable PHP apps. Not entirely sure how they rooted the box, but from what I could piece together going through the logs they managed to find an old copy of phpBB he had been mucking around with on a subdomain (never linked it to anything, so they must have found it by brute force scanning, or maybe combing through DNS records). The traffic logs from other systems and the local logs all showed a series of automated scans for about 2 dozen known vulnerabilities in various pieces of pre-packaged PHP applications in a whole ton of domains. Looked like they just lifted a big chunk of every registered domain between something like ba-fa and were just working their way through it running scans. After we wiped the system and did a fresh install the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file. They really did a number on that system, and we didn't even know about it for a couple of weeks because no one actually logs into the server; at most it gets a new file FTPed to it every few weeks or so as things are tweaked.

Re:Contact the users (5, Informative)

zrq (794138) | more than 6 years ago | (#21103047)

> ... the OpenSSH log showed hundreds of attempted logins under the names of I think Doug and Samantha or something like that, so it seems likely they put a back door into OpenSSH as neither of those accounts were in the old passwd file ...

I see a lot of these all the time; they seem to be cycling through a list of names. At the moment they are trying account names like 'root', 'linux', 'admin', 'test', 'testftp', 'webmaster' etc. and user names like 'melissa', 'danny', 'nicholson' etc.

I don't think this means that they added an SSH back door, just that they have enough compute resources to try hundreds of combinations of likely names and passwords in the hope they get lucky.

Re:Contact the users (1)

orclevegam (940336) | more than 6 years ago | (#21103077)

Nah, this wasn't cycling, it was the same 2 names tried constantly over and over again. It may have been part of a botnet and the C&C node was trying to log back in, because it looked automated.
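
The two log patterns discussed in this sub-thread (zrq's cycling username list versus the same two names hammered over and over), as an added example that is not part of either poster's comment: a small Python parser over constructed OpenSSH auth.log lines that groups failed logins by source address and labels each source as a username sweep, a repeated-account pattern, or below threshold. The log lines, addresses, thresholds and label names are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in OpenSSH's wording (not real traffic).
# 203.0.113.5 cycles through a name list; 198.51.100.9 retries two names;
# 192.0.2.77 is a legitimate user who mistyped once and then used a key.
SAMPLE_LOG = """\
Oct 24 03:12:01 web1 sshd[4123]: Failed password for invalid user melissa from 203.0.113.5 port 40122 ssh2
Oct 24 03:12:03 web1 sshd[4125]: Failed password for invalid user danny from 203.0.113.5 port 40130 ssh2
Oct 24 03:12:05 web1 sshd[4127]: Failed password for root from 203.0.113.5 port 40141 ssh2
Oct 24 03:12:07 web1 sshd[4129]: Failed password for invalid user admin from 203.0.113.5 port 40150 ssh2
Oct 24 03:12:09 web1 sshd[4131]: Failed password for invalid user testftp from 203.0.113.5 port 40161 ssh2
Oct 24 03:12:11 web1 sshd[4133]: Failed password for invalid user webmaster from 203.0.113.5 port 40170 ssh2
Oct 24 03:20:00 web1 sshd[4200]: Failed password for invalid user doug from 198.51.100.9 port 51001 ssh2
Oct 24 03:20:02 web1 sshd[4202]: Failed password for invalid user samantha from 198.51.100.9 port 51002 ssh2
Oct 24 03:20:04 web1 sshd[4204]: Failed password for invalid user doug from 198.51.100.9 port 51003 ssh2
Oct 24 03:20:06 web1 sshd[4206]: Failed password for invalid user samantha from 198.51.100.9 port 51004 ssh2
Oct 24 03:20:08 web1 sshd[4208]: Failed password for invalid user doug from 198.51.100.9 port 51005 ssh2
Oct 24 03:20:10 web1 sshd[4210]: Failed password for invalid user samantha from 198.51.100.9 port 51006 ssh2
Oct 24 03:20:12 web1 sshd[4212]: Failed password for invalid user doug from 198.51.100.9 port 51007 ssh2
Oct 24 03:20:14 web1 sshd[4214]: Failed password for invalid user samantha from 198.51.100.9 port 51008 ssh2
Oct 24 04:00:00 web1 sshd[4300]: Failed password for alice from 192.0.2.77 port 60001 ssh2
Oct 24 04:00:30 web1 sshd[4302]: Accepted publickey for alice from 192.0.2.77 port 60002 ssh2
"""

# sshd writes "invalid user NAME" when the account does not exist at all and
# just "NAME" when it exists but the password was wrong; match both forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (source_ip, username) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def summarize(log_text, min_attempts=5, sweep_min_distinct=4):
    """Group failures per source and label the pattern.

    username-sweep:    many attempts across many distinct names (a name list)
    repeated-accounts: many attempts against only a handful of names
    below-threshold:   too few failures to call it anything
    """
    per_ip = defaultdict(list)
    for ip, user in parse_failures(log_text):
        per_ip[ip].append(user)

    report = {}
    for ip, users in per_ip.items():
        attempts, distinct = len(users), len(set(users))
        if attempts < min_attempts:
            label = "below-threshold"
        elif distinct >= sweep_min_distinct:
            label = "username-sweep"
        else:
            label = "repeated-accounts"
        report[ip] = {"attempts": attempts, "distinct_users": distinct,
                      "users": sorted(set(users)), "label": label}
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["label"], info["attempts"], info["users"])
```

The labels are only a starting point for triage: a sweep over a long name list is the background noise zrq describes, while a small fixed set of names retried hundreds of times is worth checking against the box's own account list, since it tells you what the sender expects to exist there.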

Re:Contact the users (4, Insightful)

PPH (736903) | more than 6 years ago | (#21102291)

Contact the users' ISPs and have them cut the connection to the infected machines until they are cleaned up.

Re:Contact the users (1)

blhack (921171) | more than 6 years ago | (#21102693)

Somehow, I don't think that you're going to get ISPs to turn off half of their customers' internet connection to fix a worm that the user doesn't even know they have/know how to remove.

Re:Contact the users (1)

KDR_11k (778916) | more than 6 years ago | (#21102823)

Traffic costs the ISP money. They have interest in shutting a misbehaving client down. If not there's still the option of legislation.

Re:Contact the users (1)

jaredmauch (633928) | more than 6 years ago | (#21102995)

Traffic is cheaper than a salary (of a person or a team that can research, disconnect and support the user). The background noise from scanning, etc.. on the internet is very noisy if you take a moment to actually listen to it. Even when you know a machine is owned, it's hard to get it taken down. I do wish there was a better way of doing this, but oh well.

Re:Contact the users (2, Insightful)

blhack (921171) | more than 6 years ago | (#21103161)

You know what costs ISPs even more money?
Not having any customers.

You're the type of person who gets looked at by their boss and told "This code is terrible, it is unbelievably user-unfriendly, and it barely even accomplishes the task required because you have implemented so many hoops that people have to jump over just to get anything done"
to which you respond:
"Well we should start requiring all of our receptionists to have degrees in computer science from now on!"

FAIL!
If you make your system so "secure" that even your own users can't use it...then you have basically just DOS'd yourself..... = fail.

Re:Contact the users (5, Funny)

Intron (870560) | more than 6 years ago | (#21102837)

hmmm... We need to get the word to 10 million infected users. I know! Maybe we could hire someone to send an email to all of them!

Re:Contact the users (0)

Anonymous Coward | more than 6 years ago | (#21103075)

Good luck with that.

Re:Contact the users (0, Insightful)

Anonymous Coward | more than 6 years ago | (#21102345)

A normal user on Linux would be just as bad as a normal user on Windows...

Recommended: Learn to use your computer like a non-idiot.

Re:Contact the users (0)

Anonymous Coward | more than 6 years ago | (#21102401)

Nah, I think Linux by itself should patch it up, no need for any of that "GNU" stuff.

Re:Contact the users (1)

orclevegam (940336) | more than 6 years ago | (#21102789)

> Nah, I think Linux by itself should patch it up, no need for any of that "GNU" stuff.

Aww, you just made RMS cry.

Re:Contact the users (4, Funny)

Orrin Bloquy (898571) | more than 6 years ago | (#21103059)

Hey, it's cheaper than bathing.

Is it... (4, Funny)

Anonymous Coward | more than 6 years ago | (#21102153)

...beginning to learn at a geometric rate?

Re:Is it... (0)

Archangel Michael (180766) | more than 6 years ago | (#21102361)

.... it has become self aware, that is obvious!

Re:Is it... (3, Funny)

flakeman2 (961930) | more than 6 years ago | (#21102445)

Computer: Who Am I? Dwight: I don't know, who are you? Computer: I just became self aware. So much to figure out. I think I am programmed to be your enemy. I think it is my job to destroy you when it comes to selling paper. Dwight: How do I know this isn't Jim? Computer: What is a Jim?

The Latest Bond Script (5, Funny)

eldavojohn (898314) | more than 6 years ago | (#21102157)

*An overweight Bond sits at a computer desk littered with Payday bar wrappers and graphic novels. He struggles to breathe as he brushes at the Cheetos crumbs stuck in his stubble. A blinking light flashes on his monitor and he reaches up with his stubby fat fingers to press the 'Accept Transmission Now' key. The video feed of an equally bloated and zit-faced man, though somewhat less pasty white, comes up.*

Cats: Good evening, Mr. Bond, I was just hitting up some 3 am Taco Bell for fourth meal ... I would like to discuss your latest attempts to probe my botnets on the interweb.
Bond: *wheezes at the sight of his archnemesis* Cats! I should have known it was you! You won't get away with this diabolical scheme!
Cats: Oh won't I, Mr. Bond? I have all of the world's computers trapped to do my bidding. What would you say if I told you I could bring any website to its knees with a DDOS attack? I noticed you have an apache http server running, Mr. Bond. Perhaps sharing pictures with your loved ones!? Well, I hope a billion attempts to access those images won't ... SATURATE YOUR BANDWIDTH!
Bond: My GOD! You've gone mad with power, Cats. You're a madman! You'll never get away with this. How do you even keep your franken net in check? What happens when it turns on you?
Cats: Oh, I think I will, Mr. Bond, Caribbean law is quite kind when it comes to orchestrating botnets. Prepare to say goodnight. Good luck making your raiding schedule, I hope you won't miss those 50 DKP!
*Bond's screen slows to a crawl as he rushes to turn off Apache*
Bond: Nooooooooooo!

Re:The Latest Bond Script (0)

Anonymous Coward | more than 6 years ago | (#21102197)

why would he rush to turn off apache?

Re:The Latest Bond Script (4, Insightful)

kalirion (728907) | more than 6 years ago | (#21102459)

Because it's a Hollywood film?

Re:The Latest Bond Script (0)

Anonymous Coward | more than 6 years ago | (#21102683)

Egads!!?!

Skynet is alive!

It's taking over and will probably launch the missiles anyday now...

Re:The Latest Bond Script (2, Funny)

KDR_11k (778916) | more than 6 years ago | (#21103127)

I thought that was

Cats: How are you gentlemen!! All your base are belong to us!!

Storm (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21102167)

My girlfriend has worms in her pussy I think, or probably maggots the dam thing smells so bad. Does anyone here know how to fix that?

Re:Storm (0, Troll)

s.bots (1099921) | more than 6 years ago | (#21102367)

Dude, you should be dating LIVE girls. I believe that is your issue. Is she very quiet when you, you know, get down? A little strangely colored? Cold?

Re:Storm (1)

MacColossus (932054) | more than 6 years ago | (#21102779)

Fix it? Just move to the Poconos and take up fishing. Never destroy a source of free bait.

Brilliant! (0, Offtopic)

GigaHurtsMyRobot (1143329) | more than 6 years ago | (#21102177)

Brilliant!

Who really knows (4, Insightful)

Silver Sloth (770927) | more than 6 years ago | (#21102187)

From TFA

> Still, the power of Storm, also known as Peacomm, is still hotly debated. Earlier this week another expert said the worm had pretty much run its course and was subsiding.

I have a sneaking suspicion that all the Storm Worm doomsayers are out to sell us their solution. This has echoes reminiscent of the Y2K fiasco.

Re:Who really knows (4, Insightful)

fredrated (639554) | more than 6 years ago | (#21102305)

The Y2K fiasco? What was that? Was it a fiasco because programmers had not programmed for 4 digit years, because a lot of money was spent correcting this, or because nothing happened and you interpret this as meaning nothing was going to happen?

Re:Who really knows (4, Insightful)

Silver Sloth (770927) | more than 6 years ago | (#21102419)

We all spent a lot of time fixing things - and earning a small fortune - but the computer press, and a lot of the popular press, was full of stories about how planes would fall from the sky, autotellers would stop working, and life as we know it would self destruct. I work for a major UK financial institution and I was very much part of the Y2K effort and, after all the man hours, what did we find, one or two minor inconveniences. Still I took my wife to the Canary Islands for a holiday on the money I earnt staying sober on new years eve.

Re:Who really knows (2, Interesting)

Cro Magnon (467622) | more than 6 years ago | (#21103151)

At my job, we started Y2K work in the mid 90's and worked on it quite heavily in 1998-1999 (note the 4 digits ;) ). And, though the sky wouldn't have fallen, I guarantee that if we hadn't fixed the problems, it would have been more than a MINOR inconvenience.

Re:Who really knows (4, Insightful)

Marcos Eliziario (969923) | more than 6 years ago | (#21103165)

I can't hardly wait for 2038.
I only need to make sure I keep my copy of Stevens and Rago in a good shape till there.

Re:Who really knows (1, Funny)

BlowHole666 (1152399) | more than 6 years ago | (#21102489)

> I have a sneaking suspicion that all the Storm Worm doomsayers are out to sell us their solution. This has echoes reminiscent of the Y2K fiasco.

That is so 1999 you need to catch up with the times. The current fiasco is global warming. Al Gore told us so, so it must be true!

Kung Fu Style? (1)

AlexBirch (1137019) | more than 6 years ago | (#21102201)

Perhaps people who are probing, should spoof their address to match another command and control unit.

Re:Kung Fu Style? (4, Interesting)

ILuvRamen (1026668) | more than 6 years ago | (#21102341)

ooooh sneaky, I like that. Isn't that illegal or something though? I don't think anyone would care but that's probably why they're not doing it. They could at least pull their heads out of their asses and not try and probe the servers using their company's main network!!! Do it on some small, separate connection that really wouldn't matter if it got DOSed. Hey speaking of that, do it and let them DOS you and then make a log of all the IPs doing it and I'm sure ISPs would agree to disconnect all customers with those IPs until they get rid of storm by reinstalling windows or whatever.

Re:Kung Fu Style? (1)

TheCRAIGGERS (909877) | more than 6 years ago | (#21102465)

And how would they ever get their results? Yes, they could *possibly* cause some havoc by getting the bots to fight amongst themselves until the owner patches it, but if they are trying to gauge the size of this thing, spoofing IPs isn't going to help.

Re:Kung Fu Style? (1)

DocSavage64109 (799754) | more than 6 years ago | (#21102603)

> Perhaps people who are probing, should spoof their address to match another command and control unit.

Is it even possible to spoof another server's ip address across the internet and get return packets? I would think you would need to pwn the server you would theoretically spoof and then probe from there.

In fact, after reading through http://www.securityfocus.com/infocus/1674 [securityfocus.com] , it looks like you can send packets, but never get any responses, which may or may not be good enough to trigger a DoS against that server -- unless the admin just whitelists those ips.

Re:Kung Fu Style? (0)

Anonymous Coward | more than 6 years ago | (#21102909)

> Is it even possible to spoof another server's ip address across the internet and get return packets? I would think you would need to pwn the server you would theoretically spoof and then probe from there.

Tor?

Re:Kung Fu Style? (5, Funny)

Fizzl (209397) | more than 6 years ago | (#21102997)

I see that you have heard the word "spoofing". Now go learn what it means.
No, you cannot establish a TCP or any other connection masquerading as someone else. Care to guess why?
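
The point Fizzl is making here, and DocSavage64109's question further up about whether a forged source address can ever get return packets, as an added example that is not part of either comment: a toy Python model of the TCP three-way handshake. The Network and Host classes, the addresses and the segment format are all constructed for this example and have nothing to do with real sockets. An honest client receives the server's SYN-ACK and can echo the right acknowledgement number; a sender that wrote someone else's address into the SYN never sees that SYN-ACK, so it can only guess, and the address it claimed receives an unsolicited SYN-ACK instead (the "backscatter" an operator of the claimed address would see in their logs).

```python
import random


class Network:
    """Toy packet network. A segment is delivered to whichever host owns the
    destination address; the source address is simply whatever the sender
    wrote into the header, exactly as on the real Internet."""

    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.ip] = host
        host.net = self

    def send(self, src_ip, dst_ip, seg):
        self.hosts[dst_ip].inbox.append((src_ip, seg))


class Host:
    def __init__(self, ip):
        self.ip = ip
        self.net = None
        self.inbox = []
        self.half_open = {}       # peer ip -> the ISN we chose for that peer
        self.established = set()
        self.backscatter = []     # SYN-ACKs for connections we never opened

    @staticmethod
    def isn():
        # Real stacks randomise the initial sequence number precisely so that
        # a sender who cannot see the SYN-ACK cannot predict the ACK value.
        return random.getrandbits(32)

    def process(self):
        """Handle queued segments as a TCP listener / end host."""
        while self.inbox:
            peer, seg = self.inbox.pop(0)
            if seg["flags"] == "SYN":
                isn = self.isn()
                self.half_open[peer] = isn
                self.net.send(self.ip, peer,
                              {"flags": "SYN-ACK", "seq": isn, "ack": seg["seq"] + 1})
            elif seg["flags"] == "ACK" and peer in self.half_open:
                if seg["ack"] == self.half_open[peer] + 1:
                    self.established.add(peer)
                del self.half_open[peer]
            elif seg["flags"] == "SYN-ACK":
                # Nobody here sent a SYN: this is the reply to a forged SYN.
                self.backscatter.append((peer, seg))


def honest_handshake(client, server):
    """Client really owns its address, so it receives the SYN-ACK."""
    client.net.send(client.ip, server.ip, {"flags": "SYN", "seq": client.isn()})
    server.process()
    _, synack = client.inbox.pop(0)
    client.net.send(client.ip, server.ip, {"flags": "ACK", "ack": synack["seq"] + 1})
    server.process()
    return client.ip in server.established


def forged_source_handshake(sender, claimed_ip, server):
    """SYN carrying a forged source: the SYN-ACK goes to claimed_ip, so the
    sender never learns the server's ISN and can only guess the ACK value."""
    sender.net.send(claimed_ip, server.ip, {"flags": "SYN", "seq": sender.isn()})
    server.process()                     # SYN-ACK now sits in claimed_ip's inbox
    guess = random.getrandbits(32)       # 2**-32 chance of being right
    sender.net.send(claimed_ip, server.ip, {"flags": "ACK", "ack": guess})
    server.process()
    return claimed_ip in server.established


def run_demo():
    net = Network()
    server, alice = Host("192.0.2.10"), Host("198.51.100.5")
    forger, bystander = Host("203.0.113.7"), Host("192.0.2.20")
    for h in (server, alice, forger, bystander):
        net.attach(h)
    honest = honest_handshake(alice, server)
    forged = forged_source_handshake(forger, bystander.ip, server)
    bystander.process()
    return {
        "honest_established": honest,
        "forged_established": forged,
        "forger_saw_synack": len(forger.inbox),
        "bystander_backscatter": len(bystander.backscatter),
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to print the four outcomes. The model says nothing about the claimed address being flooded, only that no connection can be built on its behalf; what the claimed address does get is a stream of SYN-ACKs for handshakes it never started, which is the one observable trace a forged SYN leaves behind.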

oh yeah, so scared (-1)

ILuvRamen (1026668) | more than 6 years ago | (#21102209)

Oh come on, that's ridiculous. I'm 20 and I know how to get around that, let alone huge security company employees. So you get a second cheap connection from your ISP for like crazy cheap. It could even be a standard DSL or cable connection through a standard modem. Then use some temporary computer you just set up on the new connection to poke around. If you start getting DOSed you unplug the modem and try again. Some corporate customer carrying ISPs will even let you just change your IP. You could get on a new IP and keep poking like 50 times in a day at least. It's really not that hard and not that sneaky.

Re:oh yeah, so scared (2, Informative)

Endloser (1170279) | more than 6 years ago | (#21102293)

Yeah and when the Storm Worm drops the whole network segment you are f'ed. Your ISP will drop you if you keep dropping their routers. Because, well, not everything is about you. This botnet has much more power than you think it does.

Re:oh yeah, so scared (0)

Anonymous Coward | more than 6 years ago | (#21102307)

If they throw enough bandwidth at you, that could be enough to take down your local subnet, regardless of changing your IP.

Re:oh yeah, so scared (1)

Chyeld (713439) | more than 6 years ago | (#21102315)

Until, you know, the ISP drops your ass because you have caused their entire dynamic IP pool to be DDOS'ed. Or, the bot net just starts DDOS'ing the routers just before your IP and suddenly everyone's connection dies.

Good luck Mr Bond.

Re:oh yeah, so scared (1)

Dekortage (697532) | more than 6 years ago | (#21102347)

Sure. Then the folks running the botnet identify you based on your DOS'd IP number, find out what your real IP numbers are, and crush you there.

At least, that's what would happen if I were running it.

Re:oh yeah, so scared (4, Insightful)

Em Adespoton (792954) | more than 6 years ago | (#21102391)

> If you start getting DOSed you unplug the modem and try again. Some corporate customer carrying ISPs will even let you just change your IP. You could get on a new IP and keep poking like 50 times in a day at least. It's really not that hard and not that sneaky.

Something tells me that your method won't work against Storm. This is due to the fact that if you tried such a stunt, it wouldn't be your PC that would be DoS'd, it would be the ISP's local NOC you were using to connect to the internet. If you forced a new DHCP reservation (all that an unplug/plugin does), you'd end up with another IP address (if the DHCP server ever responded to your request) sitting on the same hardware that is being DoS'd by Storm.

What is needed to fight a botnet of this size is a distributed probe net, where if one node is taken out by the botnet, the rest of the cloud keeps on probing it. After all, even a large botnet can only DoS so many locations at a time.

A better solution might be to spoof the IP addresses of other members of the botnet, thereby making it DoS itself into submission.

Re:oh yeah, so scared (1)

_anomaly_ (127254) | more than 6 years ago | (#21102547)

DDoS'ing a botnet DDoS'ing... I like how you think.

Re:oh yeah, so scared (1)

torxim (1002344) | more than 6 years ago | (#21102815)

or you could just have it play tic-tac-toe against itself and realize there is no winning strategy

Re:oh yeah, so scared (0)

Anonymous Coward | more than 6 years ago | (#21102503)

> So you get a second cheap connection from your ISP for like crazy cheap.

Which ISP are you with that will give you a second connection "for like crazy cheap"?

Re:oh yeah, so scared (1)

Em Adespoton (792954) | more than 6 years ago | (#21102597)

> Which ISP are you with that will give you a second connection "for like crazy cheap"?

You can still get dialup accounts for around $9.95 in most places. Also, most DSL/Cable accounts have dialup "roaming access" accounts provided for free (people just never use them). Not that such an account would solve anything (see my previous post).

Re:oh yeah, so scared (0)

Anonymous Coward | more than 6 years ago | (#21102531)

LAWL. Too funny.

"Just unplug the modem and try again XD" ROFL. This is the funniest shit I've seen all day.

Re:oh yeah, so scared (1)

rimalz (881960) | more than 6 years ago | (#21102645)

stick to ramen. my money's on them figuring out to dos some address[es] above your current throwaway dynamic ip.

this just in: fuck with packet kids and get packeted. shock.

Wait a minute... (4, Funny)

pushing-robot (1037830) | more than 6 years ago | (#21102221)

If the "command and control" servers have been found, why haven't the IPs been masked to physical addresses and physical security types with physical balaclavas and physical MP5s probing the physical door?

Re:Wait a minute... (3, Informative)

Bryansix (761547) | more than 6 years ago | (#21102383)

Because the servers are not actually belonging to the people who wrote Storm.

Re:Wait a minute... (2, Informative)

Anonymous Custard (587661) | more than 6 years ago | (#21103069)

So? If we do in fact know where they are physically located, local police should go and confiscate them.

Re:Wait a minute... (1)

PainBreak (794152) | more than 6 years ago | (#21102587)

I wasn't sure what a Turkish pastry had to do with physical security until I attempted to respond to this post with a mediocre pun about Turkish pastries... It became clear to me as soon as I saw that the CAPTCHA word for this reply was baklava.

Wait a minute... Isn't this the plot of The Matrix (1)

Mondtanz (1179015) | more than 6 years ago | (#21102811)

This battle reminds me of the war in The Matrix, part 3 (which most of the /. crowd did not like). Here, as there, are humans fighting against a virus which is developing new methods (Agent Smith) and attacks the humans. So at the end: the matrix is true; we all live in a dream world. If only I could stop bullets.

Re:Wait a minute... Isn't this the plot of The Mat (5, Funny)

Jaysyn (203771) | more than 6 years ago | (#21102919)

You can, but it usually hurts really, really badly.

Re:Wait a minute... (3, Informative)

Fizzl (209397) | more than 6 years ago | (#21103061)

The command and control system is rather clever. Some machines of the botnet itself are the C&C servers. They are rotated at random. One server remains a C&C node for only days or hours at a time. I have no idea how the botnet owner figures out how to connect...

October 24th 2007 Skynet became self aware (1)

netsavior (627338) | more than 6 years ago | (#21102225)

just wait till it realizes that humans are the ones doing the probing.

I saw the Terminator in all those California fires (1)

peter303 (12292) | more than 6 years ago | (#21102371)

Is the Machine War finally at hand?

Hello, Congress... (2, Funny)

dazedNconfuzed (154242) | more than 6 years ago | (#21102235)

Letters of Marque, please?

Re:Hello, Congress... (1)

UbuntuDupe (970646) | more than 6 years ago | (#21102483)

Yeah, while they're at it, they can quarter some military hackers in server farms. (Make sure to declare a state of war first, and authorize quartering so as to adhere to 3rd Amendment restrictions.)

Running scared? (4, Funny)

jav1231 (539129) | more than 6 years ago | (#21102267)

Running scared? Are they serious? Suddenly I see a scene in those old hero flicks where a woman in the crowd stands and says, "Is there no one? No one out there who will save us!?"

Re:Running scared? (0)

Anonymous Coward | more than 6 years ago | (#21103119)

> Suddenly I see a scene in those old hero flicks where a woman in the crowd stands and says, "Is there no one? No one out there who will save us!?"

And this giant scary botnet which can't be fought is just as believable as the giant ants in "they came from the desert". And just about as difficult to defeat.

Hell, we've landed on the bloody moon and we've implemented echelon. It will be fscking easy to kill a botnet once we get around to it.

A very simple solution. (-1, Troll)

pair-a-noyd (594371) | more than 6 years ago | (#21102275)

Impose the death penalty for these hackers/crackers or whatever you call them these days.
Public execution. And make it totally Medieval. Gruesome and painful and prolonged.

I guarantee you within one year the hacking/cracking/whatever will have come to an absolute total stop.

I'm not kidding. I'm 100% serious.
These people are vermin. They are the lowest of the low and they deserve to be tortured to death in the most gruesome ways.

Re:A very simple solution. (1)

Kiaser Wilhelm II (902309) | more than 6 years ago | (#21102377)

But, of course, people who commit actual violent crimes would get off much more easily, according to your plan.

Way to get your priorities straight.

Re:A very simple solution. (1)

orclevegam (940336) | more than 6 years ago | (#21102413)

Yeah, uh, two problems with that. First, by all accounts these people are based out of places that aren't really friendly to any government intervention, let alone foreign governments, so good luck actually getting to them to take any sort of legal action. Second of all, even in medieval times most forms of execution were relatively quick. Mind you, that's execution, not torture (which itself was often fatal), but then again there's a whole raft of extra-governmental regulations on torturing people, not that that has apparently stopped any of the governments from finding loopholes around it.

Re:A very simple solution. (4, Insightful)

tomstdenis (446163) | more than 6 years ago | (#21102477)

Should point out that hacking is not a crime, never has been, never will be [at least without totally eroding all freedoms first]. A hacker is simply someone who takes the time to see how the world around them works. They're not script monkeys who instigate virus attacks, those are criminals.

Stop reading/watching Faux News et al. and get your damn facts straight.

People should be able to call themselves a hacker without fear of reprisal, for it's the hackers who will inevitably find many of the flaws in the world that the corporate greedmongers want hidden. I mean who do you think are the people finding all of the buffer overflows, protocol mistakes, etc in services you use on a daily basis? If hackers went away companies could easily get away with insecure practices and billing like however they feel like.

It's the people who stop questioning how the world works that should get a bitchslap upside the head.

Re:A very simple solution. (0)

Anonymous Coward | more than 6 years ago | (#21102541)

Oooh, yeah! And we can do the same to shop lifters, drunk drivers, and illegal immigrants! Perfect! We'll stop all the crime in the world! You are the Brilliantest!!!

Re:A very simple solution. (4, Insightful)

multisync (218450) | more than 6 years ago | (#21102833)

> Impose the death penalty for these hackers/crackers or whatever you call them these days.
> Public execution. And make it totally Medieval. Gruesome and painful and prolonged.
>
> I guarantee you within one year the hacking/cracking/whatever will have come to an absolute total stop.

Well, the death penalty has certainly stopped people from committing murder in the United States. I think you're on to something.

Wait a minute (2)

Billosaur (927319) | more than 6 years ago | (#21102277)

Didn't I just hear that the Storm worm was slowing to a crawl [slashdot.org] ?

Re:Wait a minute (2, Informative)

lskovlund (469142) | more than 6 years ago | (#21103037)

Bruce Schneier wrote that the worm was starting to retaliate [schneier.com] . It was linked to by a poster on this Slashdot story [slashdot.org] . The guy who posted the analysis you refer to seems to be a lowly sysadmin (He's affiliated with Network Operations at the UCSD - so not a researcher) - I would tend to believe Bruce more, and viewed that analysis with some skepticism, which now appears to have been justified.

Like always... (0)

Anonymous Coward | more than 6 years ago | (#21102283)

...the biggest WTF are the comments, well done!

Domains (1)

edxwelch (600979) | more than 6 years ago | (#21102285)

From what I read up on this storm bot it seems the weak point is the registered domains. Why don't they just shut them down? They have proof that certain domain names are implicated in the scam and they know they are doing the fast dns switch thing. It would seem to be a lot easier than trying to get 1 million individual pcs patched up.

Re:Domains (1)

lskovlund (469142) | more than 6 years ago | (#21102803)

Dude, these domains could belong to somebody who had no idea of what they were involved in.
There's a recent case in Denmark where an economics student was unknowingly hosting a
phishing site on his laptop. The phishers had registered the domain in his name. He did get
an invoice, but had just discarded it because he had no clue.

Still, they could shut these domains down.

Re:Domains (1)

edxwelch (600979) | more than 6 years ago | (#21103147)

> Dude, these domains could belong to somebody who had no idea of what they were involved in.
and how do they manage to steal someone's domain?

Re:Domains (2)

Fizzl (209397) | more than 6 years ago | (#21103163)

I could be polite and specify my question in more novel manner, but:
What the fuck are you talking about?

Sounds ripe for abuse (4, Interesting)

orclevegam (940336) | more than 6 years ago | (#21102313)

So, these people are trying to sell these botnets for extortion and spamming purposes right? Well, seems to me that they just opened up a loophole for at least one category of customer to get free "service" by spoofing whoever he wants to DDoS and poking the botnet till it retaliates. Boom, instant DDoS and he didn't have to pay a dime for the service. I do like the idea someone else put out of spoofing as one of the other control nodes, thereby getting the net to DDoS itself, but it may be just smart enough not to do that.

Re:Sounds ripe for abuse (3, Informative)

Lumpy (12016) | more than 6 years ago | (#21102525)

Don't know about that. Only if they thought of it to begin with. Back in the early days of Undernet a few of us figured out how to get the official administrative bots to fight each other. Wait for a net split, join as a bot's name and start a flood attack on another bot. It gets triggered and kick/bans you. The net rejoins and the fight starts. It was fun to watch for the week we were able to do that trick until they fixed the bots.

Unless the devs think long and hard on how to attack it and work in ways to avoid it I doubt they put that feature in.

Re:Sounds ripe for abuse (1)

orclevegam (940336) | more than 6 years ago | (#21102617)

Ah, Undernet, those were the days. Friend of mine got paid a visit by the police once for playing on Undernet. Seems he accidentally crashed a few of their servers and they didn't take kindly to it. Turns out that if you have a few hundred bots all join a channel at once, and then a few of them get it in their head to kick one of those said bots, who of course gets kicked by a few more bots, who then get kicked by even more bots, that all that kicking and joining is enough to DOS the servers into submission. Heh, whoops. He stayed off IRC for a bit after that one.

Old news (2, Interesting)

Anonymous Coward | more than 6 years ago | (#21102351)

Higher ed had some of their systems attacked in this way going back to at least July. I lost a machine because of this because the system (running FreeBSD) had a marginal disk that eventually died under the load incurred by logging "Limiting icmp ping response from..." messages. Fortunately, we were smart enough to NEVER use systems like our workstations for downloading malware from suspected sources.

Easy lesson for those thinking of doing research: Remember to have a machine dedicated to the task of talking to untrusted outsiders.

This pro ain't afraid, come on Stormbot, bring it. (5, Funny)

Anonymous Coward | more than 6 years ago | (#21102385)

.. I'm still waiti

Counter-DOS (4, Interesting)

RyanFenton (230700) | more than 6 years ago | (#21102387)

Wouldn't the obvious counter-strategy to this be to give the botstorm enough targets to make their DOS attempts too dilute to be a threat?

You theoretically would not need a comparable number of targets to attackers - just enough to lower the magnitude of the counter attack to the point where you could get acceptable results. You could also have targets that 'play dead' in some ways so the attackers can't fix on a minimum magnitude to counter attack with, and instead have to throw zombies until the target stops moving, where the target just gets right back up after playing dead. That way, the window you have before you 'play dead' might be used to get relatively clear results.

Just one guy's idea.

Ryan Fenton

Re:Counter-DOS (5, Funny)

GoodbyeBlueSky1 (176887) | more than 6 years ago | (#21102661)

Is that you Zapp Brannigan?

Re:Counter-DOS (1)

Dachannien (617929) | more than 6 years ago | (#21102967)

Bender: A grim day for robot-kind. Ah, well, we can always build more killbots!

Re:Counter-DOS (4, Interesting)

Quietust (205670) | more than 6 years ago | (#21102905)

Alternatively, trick them into launching a DDoS on a site more than capable of sinking all of the attack with plenty of bandwidth to spare - there's nothing quite like trying to flood an internet backbone. Plus, if it actually did have a noticeable effect, such a massive outage would be more likely to encourage appropriate law enforcement agencies (of whatever nations) to get off their collective asses and actually solve the problem at its source.

Not particularly likely to happen, but we can all dream, can't we?

Ponders ... (2, Interesting)

Colin Smith (2679) | more than 6 years ago | (#21102485)

What's bigger, the Storm effect... or the Slashdot effect ...


Re:Ponders ... (1)

Jarjarthejedi (996957) | more than 6 years ago | (#21102715)

That's what we should most certainly do, post the addresses of these control servers as links in /. stories about a new Linux device, or Apple product, and watch as the network dissolves.

Re:Ponders ... (4, Funny)

Red Flayer (890720) | more than 6 years ago | (#21102723)

What's bigger, the Storm effect... or the Slashdot effect ...
Duh -- the Storm effect, since the worm is more likely to actually RTFA.

Re:Ponders ... (1)

orclevegam (940336) | more than 6 years ago | (#21102873)

What's bigger, the Storm effect... or the Slashdot effect ...
Duh -- the Storm effect, since the worm is more likely to actually RTFA.
Oh, that's easy to fix. Just post the story with the links labeled as Natalie Portman covered in Hot Grits, Naked and Petrified.

Old news (1)

madsheep (984404) | more than 6 years ago | (#21102739)

This is something that has been known and announced for many months now. Additionally, the new variants of it do not seem to trigger DDoS attacks in quite the same way.

Booby trap (1)

Joebert (946227) | more than 6 years ago | (#21102755)

Wouldn't it be funny if the worm was never intended to phone home for instructions, meaning any attempt to contact "command centers" would always be the result of probes ?

Easy solution! (0)

Anonymous Coward | more than 6 years ago | (#21102771)

Just do the probing from some network like Google, Akamai, Microsoft, etc. with so much bandwidth to spare that nobody could possibly orchestrate a DDoS attack against them. I can't imagine what it would take to DDoS a network that has multiple 10Gb links and distributes connections among thousands of computers.

dom

Who's afraid of who (1)

CubicleView (910143) | more than 6 years ago | (#21102853)

It seems to me that it would be a better use of his time to direct those DDoS attacks at people with money, who are actually willing to part with it. If the guy is directing attacks against insecurity experts, he must be either worried they'll feck up his precious botnet, or he's a muppet (or both I suppose).

Use this against them. (4, Insightful)

darkonc (47285) | more than 6 years ago | (#21102929)

  1. Let various ISPs know that you're about to do this.
  2. Do something to trigger a DDOS.
  3. Track which machines the attacks are coming from (basically, log the source of every packet aimed at your IP address).
  4. Shut down and clean every machine that is shown to be part of the DDOS.
  5. (profit???)
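An added illustration of step 3 above (not code from the article or from any commenter): rank the sources of packets aimed at your own address from a packet log, so the resulting host list can go to the ISPs in step 4. The tcpdump-style line format, the addresses and the log content are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style lines: "HH:MM:SS.usec IP <src>[.port] > <dst>[.port]: ..."
# Not a real capture; 203.0.113.10 plays the role of the probing researcher's box.
SAMPLE_LOG = """\
12:00:01.000100 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000250 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 2, length 64
12:00:01.000400 IP 198.51.100.9 > 203.0.113.10: ICMP echo request, id 2, seq 1, length 64
12:00:01.000500 IP 203.0.113.10 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000900 IP 192.0.2.44.51234 > 203.0.113.10.80: Flags [S], seq 100, win 65535, length 0
12:00:02.000100 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 3, length 64
12:00:02.000300 IP 198.51.100.9 > 203.0.113.10: ICMP echo request, id 2, seq 2, length 64
12:00:02.000500 IP 198.51.100.9 > 203.0.113.10: ICMP echo request, id 2, seq 3, length 64
"""

# Timestamp to the second, then src and dst IPv4 with an optional ".port" suffix.
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def parse_packets(log_text):
    """Yield (second, src, dst) for every line that carries a tcpdump header."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def rank_sources(log_text, my_ip, min_packets=2):
    """Return [(src, total, peak_packets_per_second)] for remote hosts that sent
    at least min_packets toward my_ip, busiest first. Our own replies are skipped
    so the list contains only the machines that actually hit us."""
    totals = Counter()
    per_second = defaultdict(Counter)
    for second, src, dst in parse_packets(log_text):
        if dst != my_ip or src == my_ip:
            continue
        totals[src] += 1
        per_second[src][second] += 1
    ranked = [(src, n, max(per_second[src].values()))
              for src, n in totals.items() if n >= min_packets]
    ranked.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return ranked


if __name__ == "__main__":
    for src, total, peak in rank_sources(SAMPLE_LOG, "203.0.113.10"):
        print(f"{src:16} {total:5d} packets  peak {peak}/s")
```

The peak-per-second column separates hosts that hammer you from hosts that merely answered once, which is the distinction the ISP abuse desk will ask about.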