Botnet assault: Spammers launch DDoS offensive

The spammers behind last year's destruction of Blue Security are back with a vengeance, using a variant of the 'Storm Worm' malware to launch a sustained distributed denial-of-service attack against three anti-spam services.

The ongoing attacks, which use botnets of hijacked Windows computers, successfully shut down the Web servers that power the Spamhaus Project, URIBL (Realtime URI Blacklists) and SURBL (Spam URI Realtime Blocklists).

A note from Steve Linford of the Spamhaus Project explains the assault:

The attack is being carried out by the same people responsible for the BlueSecurity DDoS last year, using the Storm malware.

The attack method was sufficiently different to previous DDoS attacks on us that some of it got through our normal anti-DDoS defenses and halted our web servers.

At 02:00 GMT we got the attack under control and our web servers are now back up, www.spamhaus.org is running again as normal.

The attack is ongoing, but it's being absorbed by anti-DDoS defenses. Also under attack by the same gang are SURBL and URIBL.

Storm is the 'nightmare' botnet, capable of taking out government facilities and causing much mayhem on the internet. It has three functions: sending spam, fast-flux web and DNS hosting mainly for stock scams, and DDoS. There is a hefty international effort underway by cyber-forensics teams in a joint effort by law enforcement and private sector botnet and malware analysts to trace the perpetrators.

The Storm Worm Trojan has been linked to similar attacks against anti-spam services, anti-rootkit software providers and even malware researchers.
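
Spamhaus, SURBL and URIBL are consulted by mail filters as DNS-based blocklists, so an outage of the listing infrastructure is felt by every filter that queries it. The following is an added example (not code from the article or from Spamhaus, SURBL or URIBL) showing how a filter builds those queries and, more importantly, how it should treat a list that times out or returns something unexpected. The zone names are the operators' public ones; the treatment of 127.0.0.1 and 127.255.0.0/16 as error sentinels rather than listings is a simplification of their published return codes and is an assumption here; the resolver and zone data are constructed so the code runs offline.

```python
"""DNSBL lookups with fail-open handling for an unreachable list.

Added example, not from the article or the list operators. Return-code
handling is a simplified assumption; sample zone data is constructed.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
# Assumption: these answers are error sentinels ("query refused", typo in
# query, open-resolver block) and must never be read as "listed".
SENTINELS = (ipaddress.IPv4Network("127.0.0.1/32"),
             ipaddress.IPv4Network("127.255.0.0/16"))

Resolver = Callable[[str], List[str]]   # query name -> A records, or TimeoutError


def ip_query_name(ip: str, zone: str) -> str:
    """IP-based list (Spamhaus ZEN): reversed octets prepended to the zone."""
    addr = ipaddress.IPv4Address(ip)            # rejects non-IPv4 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def domain_query_name(domain: str, zone: str) -> str:
    """URI-based list (SURBL, URIBL): the domain itself prepended to the zone."""
    return domain.strip(".").lower() + "." + zone


def dnsbl_lookup(qname: str, resolve: Resolver) -> Optional[bool]:
    """True = listed, False = not listed, None = no usable answer.

    None is returned on timeout, on a sentinel code, or on an answer outside
    127.0.0.0/8 (a wildcarded or hijacked zone). A list that is down must
    degrade to "unknown", not to "reject everything".
    """
    try:
        answers = resolve(qname)
    except TimeoutError:
        return None                              # list unreachable: fail open
    if not answers:
        return False                             # NXDOMAIN: not listed
    for a in answers:
        addr = ipaddress.IPv4Address(a)
        if addr not in LOOPBACK or any(addr in s for s in SENTINELS):
            return None
    return True


def classify_message(sender_ip: str, uri_domains: Iterable[str],
                     resolve: Resolver) -> Tuple[str, Dict[tuple, Optional[bool]]]:
    """Query the three lists named in the article and combine the verdicts."""
    results: Dict[tuple, Optional[bool]] = {}
    results[("ip", sender_ip, "zen.spamhaus.org")] = dnsbl_lookup(
        ip_query_name(sender_ip, "zen.spamhaus.org"), resolve)
    for d in uri_domains:
        for zone in ("multi.surbl.org", "multi.uribl.com"):
            results[("uri", d, zone)] = dnsbl_lookup(domain_query_name(d, zone), resolve)
    if any(v is True for v in results.values()):
        decision = "reject"
    elif any(v is None for v in results.values()):
        decision = "accept-unverified"           # at least one list unusable
    else:
        decision = "accept"
    return decision, results


# Constructed sample data, not real listings. Absent names mean NXDOMAIN.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],     # listed
    "example.net.multi.surbl.org": ["127.0.0.8"],     # listed
    "example.org.multi.uribl.com": ["127.0.0.1"],     # sentinel: query refused
    "example.com.multi.surbl.org": ["198.51.100.1"],  # bogus non-127 answer
}


def make_resolver(zone_data: Dict[str, List[str]], down_zones: Set[str]) -> Resolver:
    """Stub resolver; queries into a zone in down_zones time out (simulated outage)."""
    def resolve(qname: str) -> List[str]:
        if any(qname.endswith("." + z) for z in down_zones):
            raise TimeoutError(qname)
        return zone_data.get(qname, [])
    return resolve


if __name__ == "__main__":
    healthy = make_resolver(SAMPLE_ZONE, set())
    print(classify_message("192.0.2.10", ["example.net"], healthy)[0])
    outage = make_resolver(SAMPLE_ZONE, {"multi.surbl.org", "multi.uribl.com"})
    print(classify_message("198.51.100.7", ["example.net"], outage)[0])
```

Note the distinction the code draws: the article reports the lists' Web servers being halted, whereas filters query the DNS zones; the fail-open branch is what a filter should do if that query path itself becomes unreachable, so that an attack on the list cannot be turned into a denial of service on everyone's inbound mail.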

Talkback

96 comments
  • Want to eliminate BotNets and all this crap?

    It's really easy; it takes a router expert and the will to force ISPs to take control of their networks. It works: I have personally forced several ISPs to disable spammers from their networks. It just comes down to sheer force of will on the part of Govt to mandate ISPs do something about spammers.

    Here's the deal: if I work for Time Warner Cable, for example, I am allowed by management (under the new Govt mandate, where sticking your head in the sand and doing nothing doesn't fly anymore).

    I monitor for spammers and botnets and networks coming into my network, and one by one, the routing entries for those domains disappear, thrown into the big bitbucket in the sky.

    I monitor for botnets I serve, and with software tools, each computer becomes blocked, banned from internet access until such time as the computer is dis-infected or de-0wned. That's where the will comes in. They can identify these 0wned computers easily, but it is worth more to them to allow the spamming computer to access the network and get their money than it is to deal with angry customers who are told their access is blocked until they resolve their security issues.

    Now, I would suspect DRAMATIC resistance from one OS company to a plan such as this because outside of technical circles, the incredible scale of 0wned computers is not known by the general public.

    In any event, if I was IT manager for Time Warner Cable, and had 200 experienced techs, spam streams originating in my network would be virtually eliminated, and streams of spam crap coming in from overseas would be well on its way to being a don't care, both of which happening within 2 weeks.

    The problem is, no one seems to want to address the real problem, tens or many tens of millions of 0wned machines.

    TripleII
    • Any and all feedback appreciated

      Finally put thoughts to "paper".

      http://mostly-linux.blogspot.com/2007/06/spammers-and-ddos-attacks-its-time-to.html

      Help me find all the holes you can in any logic, or ideas on refinements. I made it OS agnostic, not a single reference to Windows, so please save any flames along those lines for another time.

      TripleII
      • Well, not EXACTLY true, TripleII.

        I don't think there is doubt in ANYBODY'S mind about who that "one OS company" is.

        That being said, unless EVERYBODY who uses the Internet buys into the solutions, we'll be saddled with these vermin for a long time. This means ANY company which has a web site, sells ANYTHING over the Internet, uses email, or even connects their computers to the Internet needs to back up this effort with cold, hard cash. As long as there are billionaires out there placing the blame for Owned computers on poor SysAdmins --- who do not make even six-figure incomes --- we will continue to have these periodic problems with hijacked hardware.
        OButterball
        • Not EXACTLY true, Butterball

          OButterball wrote "unless EVERYBODY who uses the Internet buys into the solutions, we'll be saddled with these vermin for a long time."

          Not necessarily. A lot of people run operating systems which aren't as fragile and vulnerable as those sold by "that one OS company." As this number increases, the problem decreases.
          critic-at-arms
          • Even if the OS is bulletproof (not really possible), ...

            ...as long as there are things like macro viruses and "social engineering," EVERYBODY needs to be involved or we will never get the upper hand.

            If yours is one of the sites affected, it doesn't matter if the statisticians can trumpet the the fact that we have reduced the number of Owned computers out there from 2 million to 1 million.
            OButterball
          • RE: Even if the OS is ...

            "Social Engineering" is too labor intensive to generate the zombie farms that these crackers have accumulated. They can only generate the 5,000 or 10,000 or 50,000 pool of owned computers if the OS on the zombie machine AUTOMATICALLY COOPERATES with its own compromise. There is only ONE OS where that is possible. That's why you don't hear of Linux or Mac zombie farms containing the huge numbers of owned computers that are characteristic of farms made up of owned Windows boxes. IF such Linux or Mac farms existed you can bet your last dollar that ZDNet and the other Windows centric websites would make that story a permanent link on their page, in large bold, flashing graphics to make sure no one misses it.
            GreyGeek
          • Yeah, yer right about SE being too labor intensive ...

            ... for the big number of bots, but we shouldn't let the resistance of Macs and Linux to compromise themselves lull us into a sense of false security. After all, which boxes would you prefer to be compromised: those 10 XP workstations or that one Linux FTP server?
            OButterball
          • "the OS"

            No one writes malware for systems other than windows because there's such a gigantic number of computers running windows compared to every other os combined. Even if a majority of windows users completely protected their computers, it would still be statistically better to write windows malware.
            ubaz2
          • You don't hear about Mac or Linux zombie farms because...

            ...there aren't enough people who own them to make it worthwhile to the spammers. :)

            Let the flames begin.
            robertaaa10
          • social engineering

            Is a hell of a lot tougher and less effective on the internet than good ol' r00tk1ts. Besides, what would I do with social engineering... 0wn a corporate machine? I don't hold much hope of my 0wn3rsh1p lasting very long and it could take weeks or months before I get my next victim. Macro viruses on OSX, BSD, Solaris and Linux are pretty lame. The OpenOffice macro worm drops various scripts onto the victim machines - whoopee. The scripts can't even be executed without deliberate action by the users. Now on certain systems all a poor user has to do is view an email - which is often automatic because the contents under the selected header are displayed in a window beneath the mail list. Home users have no hope of protecting their systems and corporate IT guys are pushing something nasty uphill. So although we need a lot of people involved, some people (that is, most home users) have to put in a disproportionate effort to get the job done because they're using a system that's way too friendly to the bad guys.
            zoroaster
          • I agree, but read my response to GreyGeek, above (NT)

            :)
            OButterball
          • With human diseases....

            ... such as measles, if you immunise 85% or more of the general population, the level of disease is reduced to the point where it effectively disappears. The medics call it "group immunity" and 100% (or 99.999%) of the population is protected.

            The same is true of botnets. If the number of "infectable" computers dropped massively then the whole botnet thing might become uneconomic.
            bportlock
          • In regards to spam

            If every ISP blocked port 25 with the exception of flows to and from its mail server, and had high quality SPAM/AV filtering on those mail servers we would see spam die off almost overnight.
            Suicida|
          • Only to a point

            Once the numbers of computers shift from an OS by "that one OS company" to others, the number of viruses written for these other OS's will increase. Hence the problem may not decrease in direct correlation to the OS numbers. The virus is written for maximum impact. If you have a quintillion machines running "that one OS" and only 100 million machines running other OS's combined, what would you write for? I'm sure the numbers aren't that lopsided, but you get the idea. I am a strong supporter of Linux and other Unix like OS's, but realistic at the same time. "If you build it, they will come."

            With that being said, I'll have to agree with TripleII. It's gotta be done at the ISP level if you want it to have the greatest effect.


            Just my 2¢
            flhtc
          • RE: Only to a point

            Your argument is bogus, as are your choice of numbers.

            Linux and Mac ALREADY have over 10% of the desktop market (some think as much as 15-20%), and Linux has an even larger portion of the server market, both Internet and corporate. Linux and/or Open Source runs close to 70% of the Internet, yet Linux or Mac zombie farms are non-existent.


            In addition, Linux distros come with EXCELLENT firewalls preinstalled. They are far superior to the IFC that Microsoft foists on users. That's why port probes do nothing to Linux boxes.

            Email viruses or Trojans attachments WILL NOT infect a Linux box UNLESS the user copies the attachment to the HD, then adds "execute" to its permissions, and then RUNS it. Three MANUAL steps that few Linux users will likely take. The crackers are NOT going to make phone calls to thousands of Linux or Mac users and try to convince them to reveal their home account, much less their root account password.


            Because of VISTA hundreds of thousands of NEW Linux users are finding out that they don't have to buy Anti-virus subscription because their new Linux boxes don't need them. They are also pleased to learn that their new distro comes with anti-spam controls preinstalled. And, they are EXTREMELY HAPPY to know that if they accidentally click on a URL embedded in email that includes "postcard.exe" NOTHING HAPPENS.
            GreyGeek
          • RE: Re: Only to a point

            Ya the numbers are out of kilter, as I stated, just trying to get a point across. The argument however is not. The old saying "You can't make anything idiot proof, because the more idiot proof you make it, the more ingenious idiots become." holds true here as well.

            We (the internet community) have not even seen the tip of the non-M$ virus iceberg as yet. The fact is the overwhelming majority of viruses are written for the M$ OS, NOT the rest. When (not if) the balance shifts so will the virus writers. You don't remember the Lion virus for Linux? How about the Badbunny being proliferated through OpenOffice. Yes, it's a proof of concept, but it's there, now.

            THE FACT IS THE LINUX / MAC ZOMBIE MACHINES AREN'T THERE BECAUSE THE MAJORITY OF VIRUSES ARE WRITTEN FOR THE M$ OS PERIOD. It will change. History dictates this. I can't keep my head in the sand and pretend I'm safe because I use Linux, which I do use. I am for now, but I know it won't last. I'm not a pessimist, just a realist.

            BTW. Those Linux boxes running wine (Lindows, Linspire, and other variants), more than likely will run postcard.exe when clicked. Granted it will be under the users permissions, but it would cause sufficient damage. This I'm not sure of, I've not run Lindows for a couple of years now. They may have improved their security since then.

            Virus writers(vermin) aren't as dumb as you think, and the end users aren't as smart as you think either. 90%+ of my support calls are for Operator Error or lack of knowledge on any OS.

            Just my 2¢
            flhtc
          • malware on other systems

            "the number of virus written for these other OS's will increase"

            That's a load of schlock which only shows a poor understanding of operating systems. All variants of UNIX are so unfriendly to the scriptkiddie that there are absolutely no effective worms or viruses on UNIX systems. To date, the only known useful attacks on UNIX systems are:
            1. 'local' exploit of vulnerable code
            2. exploit via remote services provided (apache, ftp, etc)

            Now (1) is best done via social engineering - and then you have to get lucky and find vulnerable software on the system. (2) works beautifully on the rare occasion that you find a vulnerable service - but the service vulnerabilities are slowly being fixed and just to make life harder, it is often possible to isolate services in such a way that you accomplish nothing other than temporarily making that service unavailable. In any case, (1) and (2) require an awful lot of hard work and benefits are not guaranteed.

            There is a whole universe of attacks which simply are not possible on UNIX and yet work beautifully on most desktop computers out there.
            zoroaster
        • One OS, and other thoughts

          Yes, I did say "One OS" vendor, but in the linked blog, stated generic "OS vendors". It doesn't have to be an all or nothing proposition though. If Time Warner blocked all its 0wned computers, but also blocked all external bots, what would I care if AT&T didn't? AT&T's customers get all the spam, and those Zombied machines remain under control of the spammers.

          When I say block access to an owned machine, I mean no incoming path whatsoever, and only access to the proxied security site.

          TripleII
      • agree, with slight mod

        I agree with your approach, but you would have to make sure that the right wording got into the Service Level Agreement to protect the ISP from claims made by the clients for having service cut off without warning.

        Secondly, ISPs might not want to deal with the additional customer service requests generated by active detection. If the ISP could have an active "penalty period" that could be assessed to the client connection once a botnet or similar infection was detected, the client could effect resolution by using another computer or only port 80 (browser requests of the affected unit) to help them resolve the issue.
        jefmud
        • I Agree

          That's where the $1/month fee comes in to help defray initially, totally cover later. Like posted, the user is directed to a site with malware tools, AV tools, scan tools, online customer support and probably a toll free number. It all costs cash, but is the solution worth the effort?

          TripleII