Botnet assault: Spammers launch DDoS offensive
Summary: The spammers behind last year's destruction of Blue Security are back with a vengeance, using a variant of the 'Storm Worm' malware to launch a sustained distributed denial-of-service attack against three anti-spam services.
The ongoing attacks, which use botnets of hijacked Windows computers, successfully shut down the Web servers that power the Spamhaus Project, URIBL (Realtime URI Blacklists) and SURBL (Spam URI Realtime Blocklists).
A note from Steve Linford of the Spamhaus Project explains the assault:
The attack is being carried out by the same people responsible for the BlueSecurity DDoS last year, using the Storm malware.
The attack method was sufficiently different to previous DDoS attacks on us that some of it got through our normal anti-DDoS defenses and halted our web servers.
At 02:00 GMT we got the attack under control and our web servers are now back up; www.spamhaus.org is running again as normal.
The attack is ongoing, but it's being absorbed by anti-DDoS defenses. Also under attack by the same gang are SURBL and URIBL.
Storm is the 'nightmare' botnet, capable of taking out government facilities and causing much mayhem on the internet. It has 3 functions: sending spam, fast-flux web and dns hosting mainly for stock scams, and DDoS. There is a hefty international effort underway by cyber-forensics teams in a joint effort by law enforcement and private sector botnet and malware analysts to trace the perpetrators.
The Storm Worm Trojan has been linked to similar attacks against anti-spam services, anti-rootkit software providers and even malware researchers.
Talkback
Want to eliminate BotNets and all this crap?
Here's the deal: if I work for Time Warner Cable, for example, I am allowed by management (the new Govt mandate where sticking your head in the sand and doing nothing doesn't fly anymore).
I monitor for spammers and botnets and networks coming into my network, and one by one, the routing entries for those domains disappear, thrown into the big bitbucket in the sky.
I monitor for botnets I serve, and with software tools, each computer becomes blocked, banned from internet access until such time as the computer is dis-infected or de-0wned. That's where the will comes in. They can identify these 0wned computers easily, but it is worth more to them to allow the spamming computer to access the network and get their money than it is to deal with angry customers who are told their access is blocked until they resolve their security issues.
Now, I would suspect DRAMATIC resistance from one OS company to a plan such as this because outside of technical circles, the incredible scale of 0wned computers is not known by the general public.
In any event, if I was IT manager for Time Warner Cable, and had 200 experienced techs, spam streams originating in my network would be virtually eliminated, and streams of spam crap coming in from overseas would be well on its way to being a don't care, both of which happening within 2 weeks.
The problem is, no one seems to want to address the real problem, tens or many tens of millions of 0wned machines.
TripleII
Any and all feedback appreciated
http://mostly-linux.blogspot.com/2007/06/spammers-and-ddos-attacks-its-time-to.html
Help me find all the holes you can in any logic, or ideas on refinements. I made it OS agnostic, not a single reference to Windows, so please save any flames along those lines for another time.
TripleII
Well, not EXACTLY true, TripleII.
That being said, unless EVERYBODY who uses the Internet buys into the solutions, we'll be saddled with these vermin for a long time. This means ANY company which has a web site, sells ANYTHING over the Internet, uses email, or even connects their computers to the Internet needs to back up this effort with cold, hard cash. As long as there are billionaires out there placing the blame for Owned computers on poor SysAdmins --- who do not make even six-figure incomes --- we will continue to have these periodic problems with hijacked hardware.
Not EXACTLY true, Butterball
Not necessarily. A lot of people run operating systems which aren't as fragile and vulnerable as those sold by "that one OS company." As this number increases, the problem decreases.
Even if the OS is bulletproof (not really possible), ...
If yours is one of the sites affected, it doesn't matter if the statisticians can trumpet the fact that we have reduced the number of Owned computers out there from 2 million to 1 million.
RE: Even if the OS is ...
Yeah, yer right about SE being too labor intensive ...
"the OS"
You don't hear about Mac or Linux zombie farms because...
Let the flames begin.
social engineering
I agree, but read my response to GreyGeek, above (NT)
With human diseases....
The same is true of botnets. If the number of "infectable" computers dropped massively then whole botnet thing might become uneconomic.
In regards to spam
Only to a point
With that being said, I'll have to agree with TripleII. It's gotta be done at the ISP level if you want it to have the greatest effect.
Just my 2¢
RE: Only to a point
Linux and Mac ALREADY have over 10% of the desktop market (some think as much as 15-20%), and Linux has an even larger portion of the server market, both Internet and corporate. Linux and/or Open Source runs close to 70% of the Internet, yet Linux or Mac zombie farms are non-existent.
In addition, Linux distros come with EXCELLENT firewalls preinstalled. They are far superior to the IFC that Microsoft foists on users. That's why port probes do nothing to Linux boxes.
Email viruses or Trojan attachments WILL NOT infect a Linux box UNLESS the user copies the attachment to the HD, then adds "execute" to its permissions, and then RUNS it. Three MANUAL steps that few Linux users will likely take. The crackers are NOT going to make phone calls to thousands of Linux or Mac users and try to convince them to reveal their home account, much less their root account password.
Because of VISTA hundreds of thousands of NEW Linux users are finding out that they don't have to buy an Anti-virus subscription because their new Linux boxes don't need them. They are also pleased to learn that their new distro comes with anti-spam controls preinstalled. And, they are EXTREMELY HAPPY to know that if they accidentally click on a URL embedded in email that includes "postcard.exe" NOTHING HAPPENS.
RE: Re: Only to a point
We (the internet community) have not even seen the tip of the non-M$ virus iceberg as yet. The fact is the overwhelming majority of viruses are written for the M$ OS, NOT the rest. When (not if) the balance shifts so will the virus writers. You don't remember the Lion virus for Linux? How about the Badbunny being proliferated through OpenOffice. Yes, it's a proof of concept, but it's there, now.
THE FACT IS THE LINUX / MAC ZOMBIE MACHINES AREN'T THERE BECAUSE THE MAJORITY OF VIRUSES ARE WRITTEN FOR THE M$ OS PERIOD. It will change. History dictates this. I can't keep my head in the sand and pretend I'm safe because I use Linux, which I do use. I am for now, but I know it won't last. I'm not a pessimist, just a realist.
BTW. Those Linux boxes running wine (Lindows, Linspire, and other variants), more than likely will run postcard.exe when clicked. Granted it will be under the users permissions, but it would cause sufficient damage. This I'm not sure of, I've not run Lindows for a couple of years now. They may have improved their security since then.
Virus writers (vermin) aren't as dumb as you think, and the end users aren't as smart as you think either. 90%+ of my support calls are for Operator Error or lack of knowledge on any OS.
Just my 2¢
malware on other systems
That's a load of schlock which only shows a poor understanding of operating systems. All variants of UNIX are so unfriendly to the scriptkiddie that there are absolutely no effective worms or viruses on UNIX systems. To date, the only known useful attacks on UNIX systems are:
1. 'local' exploit of vulnerable code
2. exploit via remote services provided (apache, ftp, etc)
Now (1) is best done via social engineering - and then you have to get lucky and find vulnerable software on the system. (2) works beautifully on the rare occasion that you find a vulnerable service - but the service vulnerabilities are slowly being fixed and just to make life harder, it is often possible to isolate services in such a way that you accomplish nothing other than temporarily making that service unavailable. In any case, (1) and (2) require an awful lot of hard work and benefits are not guaranteed.
There is a whole universe of attacks which simply are not possible on UNIX and yet work beautifully on most desktop computers out there.
One OS, and other thoughts
When I say block access to an owned machine, no incoming path whatsoever, and only access to the proxied security site.
TripleII
agree, with slight mod
Secondly, ISPs might not want to deal with the additional customer service requests generated by active detection. If the ISP could have an active "penalty period" that could be assessed to the client connection once a botnet or similar infection was detected, the client could effect resolution by using another computer or only port 80 (browser requests of the affected unit) to help them resolve the issue.
I Agree
TripleII