Storm Worm botnet partitions for sale
Summary: SecureWorks researcher Joe Stewart has seen evidence that the massive Storm Worm botnet is being broken up into smaller networks, a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers.
Stewart, a reverse engineering guru who has been tracking Storm Worm closely, says the latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic.
"This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities," Stewart said in an e-mail message.
[SEE: Storm Worm botnet numbers, via Microsoft]
"If that's the case, we might see a lot more of Storm in the future," he warned.
The malware attacks behind this botnet have been relentless all year, using a wide range of clever social engineering lures to trick Windows users into downloading executable files with rootkit components. By some accounts, the malware has successfully created a massive botnet — between one million and 10 million CPUs — producing computing power to rival the world’s top 10 supercomputers.
Statistics from Microsoft's monthly updated MSRT (Malicious Software Removal Tool) put the size of the botnet at the low end of the supercomputer speculation.
Stewart sees a silver lining in the latest Storm Worm twist. Because of the new encryption scheme, Stewart says it is now easier to distinguish Storm-related traffic from "legitimate" Overnet/eDonkey P2P traffic.
"[It] makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic," he said.
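Stewart's point that the keyed traffic now stands out from ordinary Overnet/eDonkey P2P traffic can be turned into a simple network check. The code below is an added example, not code from the article or from SecureWorks. It assumes that legitimate eDonkey/Overnet UDP messages begin with the 0xE3 protocol marker byte followed by an opcode (an assumption about the protocol made here, not something the article states), and it flags hosts whose P2P-port payloads never carry that marker and look like uniformly random bytes, which is what encrypted traffic looks like on the wire. The entropy cut-off and the sample packets are constructed for the example.

```python
import math
import random
from collections import defaultdict

# Assumption for this example: legitimate eDonkey/Overnet UDP messages start
# with the 0xE3 protocol marker byte followed by an opcode byte.
EDONKEY_MARKER = 0xE3
# Normalised-entropy cut-off above which a payload is treated as random/encrypted
# (chosen for this example, not a published threshold).
ENTROPY_CUTOFF = 0.8


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def normalised_entropy(data: bytes) -> float:
    """Entropy divided by the maximum achievable for this length
    (8 bits, or log2(n) when the payload has fewer than 256 bytes)."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / min(8.0, math.log2(len(data)))


def has_overnet_marker(payload: bytes) -> bool:
    """True when the payload carries the assumed plaintext protocol marker."""
    return len(payload) >= 2 and payload[0] == EDONKEY_MARKER


def classify_host(payloads):
    """Classify one host's UDP payloads seen on P2P ports.

    'overnet'    - most packets carry the plaintext protocol marker
    'obfuscated' - no packet carries the marker and the payloads look like
                   random bytes, the shape Stewart describes for keyed Storm traffic
    'unknown'    - anything else (unmarked but structured, e.g. another protocol)
    """
    if not payloads:
        return 'unknown'
    marked = sum(has_overnet_marker(p) for p in payloads)
    if marked * 2 > len(payloads):
        return 'overnet'
    mean_entropy = sum(normalised_entropy(p) for p in payloads) / len(payloads)
    if marked == 0 and mean_entropy >= ENTROPY_CUTOFF:
        return 'obfuscated'
    return 'unknown'


def classify_capture(records):
    """records: iterable of (src_ip, payload) pairs. Returns {src_ip: verdict}."""
    by_host = defaultdict(list)
    for src, payload in records:
        by_host[src].append(payload)
    return {src: classify_host(p) for src, p in by_host.items()}


def sample_capture():
    """Constructed sample traffic for the example (not a real capture)."""
    rng = random.Random(2007)  # fixed seed so the example is reproducible

    def random_payload(n):
        # Keyed/encrypted payloads are modelled as uniformly random bytes.
        return bytes(rng.getrandbits(8) for _ in range(n))

    # Plausible-looking Overnet packet: marker, opcode, 16-byte peer id,
    # IPv4 address, port, zero padding to 40 bytes.
    overnet_pkt = (bytes([EDONKEY_MARKER, 0x0A]) + bytes(range(16))
                   + bytes([10, 0, 0, 5]) + b'\x12\x34').ljust(40, b'\x00')
    # Unmarked but highly structured payload, as some other protocol would produce.
    other_pkt = b'\x00' * 30 + b'ping'

    return ([('192.0.2.10', overnet_pkt)] * 5
            + [('192.0.2.20', random_payload(300)) for _ in range(5)]
            + [('192.0.2.30', other_pkt)] * 5)


if __name__ == '__main__':
    for host, verdict in classify_capture(sample_capture()).items():
        print(host, verdict)
```

Any client that encrypts its P2P traffic would trip the same heuristic, so a hit is a lead to investigate on a network that otherwise allows P2P, not a conviction; the point of the check is that the keyed Storm traffic can no longer hide inside a crowd of plaintext Overnet packets.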
Talkback
And Storm Worm Botnets Are Running Which OS?
Thanks for giving us another headache to worry about.
Thanks to who?
Secure toilets
Now THAT's funny! The majority of the internet infrastructure is powered by *nix systems (of which Linux is a significant part). If someone really wanted to push major spam bandwidth on the Net they'd be targeting these systems. Of course, people DO try to attack these systems and they try very hard. But they don't get very far, because *nix systems are not shamelessly insecure the same way as every kind of Windows. Occasionally, someone does manage to infiltrate one here or another there, but they don't get the traction necessary to cause any meaningful consequence, because *nix systems are inherently secure by design. Instead of attacking the internet plumbing (that is, *nix) spammers and virus writers target the toilets (Windows), because Windows at its most secure is far more vulnerable and easier to exploit.
Secure, or just obscure?
What we are talking about here are PCs, a market that Linux currently occupies less than 1% of. PCs are not managed by professionals, but ordinary users, and are generally not as up to date or secure. Contrary to your prejudicial beliefs, Windows PCs are quite secure when updated in a timely fashion, including the necessary antivirus software. I install and manage PCs for a living, and have for many years, and it is a rare occurrence for me to find an infected machine anymore. Consider the numbers listed in this article, something over 1 million PCs infected by this virus. Now, consider that there are around 1 billion PCs in the world, with about 90% of those running Windows, and the conclusion is that the infection rate is very small. Not bad, considering that most of those are neglected home computers.
I agree that the malware programmers target Windows machines, that is just common sense. Would you target 1% of the computers, or 90%? You can chest thump all you want about Linux superior security, but until it is really tested, it isn't proven. Besides, Macs are also Linux based, and we all saw what happened when hackers were challenged (and finally offered cash) to attempt to "own" two Macs earlier this year. Both Macs (and the cash prizes) were gone within hours.
For the record, I have Ubuntu 7.04 running one of my home PCs, and I have installed and supported servers running various versions of Linux, Xenix, and Unix, so I am not anti-Linux. I am also not anti-Windows, running Vista on another home computer, and supporting several hundred users at work running everything from Win98 to Vista, along with a number of servers running 2000 and 2003. As far as I am concerned, they are all just computers, and each has their strong points and weaknesses.
secure and made that way.
We're talking about computers connected to the internet.
"I agree that the malware programmers target Windows machines, that is just common sense. Would you target 1% of the computers, or 90%?"
If 1% of the computers can push 90% of the internet content wouldn't it be common sense to attack those computers? Of course it would, and people do attack them, and they don't get very far, because they're primarily beating on *nix systems.
"You can chest thump all you want about Linux superior security, but until it is really tested, it isn't proven."
It is proven every day by the fact the internet itself remains operating and largely stable. Incidents are isolated, few and far between.
I have a Windows system too, they are great game machines. But, the Windows system goes nowhere near the internet without standing behind a real, unix firewall.
Where your argument falls down
You are still comparing the security of a *nix server to a Windows desktop. When you compare *nix servers to Windows servers, the hacking story shows that Windows servers actually hold their own. I can't access Zone-H statistics any more but they consistently showed that LAMP servers were hacked more often than IIS6 servers. So am I suggesting that IIS6 is more secure than LAMP? No, because I don't believe it. I believe that using LAMP doesn't guarantee security and using IIS6 doesn't guarantee failure, it is up to the human being behind the OS, whether that OS is being used in a server role or a desktop role. It just so happens that more people behind server role installations are security conscious when compared to people behind desktop role installations.
The other factor you ignore is that desktop role OSs typically have different attack vectors than server role OSs. You can fool a human behind a desktop to run an executable or to navigate to a website. This becomes much more difficult to do when attacking a server.
For those reasons, you can't simply say that you are comparing all computers connected to the internet. It would be as silly as saying that NASCAR drivers are less skilled than non NASCAR drivers because they get in more accidents. Hey, we are just talking about people driving cars right? When you compare *nix servers to Windows servers, they have been shown to be equally secure. The OS plays far less a factor than the admin does and a good admin can make any OS secure while a bad admin can make any OS insecure. You can't compare Windows desktop computers to *nix servers though in order to disprove marketshare arguments since the conditions of their use are totally different, just like NASCAR.
Are you sure about that?
As long as software can be installed on your computer, malicious software can be installed as well. The only way to prevent this is to block the installation of drivers, services, registry entries, etc. And if you do this, you have to have a way to undo it, so you can install new software when you want to.
The only Linux users who still believe Linux is invincible are the ones who haven't been hit yet. I'll bet you the victims discussed in this article don't think so: http://www.theregister.co.uk/2007/10/03/ebay_paypal_online_banking/
Likewise, most Mac users (Mac is also UNIX-based) also think their platform is invincible. Not so: http://www.pcworld.ca/news/column/96a4d31d0a010408006ca32e63160f68/pg1.htm
How does one detect the Storm Worm?
This (the potential break-up and distribution of the "net") is akin to Capone selling off the West Side but keeping Northtown for pocket change.
All of the antivirus programs...
Anti Virus
Re: How does one detect the Storm Worm?
Once the rootkit is installed, traditional antimalware programs likely won't be able to detect it. At this point, there are dedicated tools you can use to help uproot the rootkit. You'll find a handy little handful of them here: http://www.techsupportalert.com/best_46_free_utilities.htm#7
There are also Intrusion Prevention/Detection programs you can use to catch Storm worm when it tries to install the rootkit. These programs go beyond fingerprinting to utilize behavior analysis, offering a vital third layer of zero-day protection. You will find Intrusion Prevention in a lot of firewall products these days, but there are standalones available as well. ThreatFire is about the best there is, and it happens to be available in a free version, as well as paid.
Still another solution is to use a sandbox. Sandbox programs create a virtual environment that corrals certain programs (especially Internet programs) off from the rest of your system, preventing events generated by these programs from making permanent changes. One of my favorites is BufferZone. They offer free versions, but each of them only covers certain types of programs, and you could only have one installed at a time from what I remember. Sandboxie is a viable alternative, but it's a bit less automated and a bit more technical. Also, while sandbox programs will kill any program inside the sandbox when you empty it, they will not prevent a keylogger from intercepting your passwords while running inside the sandbox.
If you would like another solution that prevents Web-borne malware from launching in the first place, perhaps this would be of interest to you: http://invincible-windows.blogspot.com/
Hope this helps!
Money.....
their superfleet of zombies but if they cripple the Internet to a crawl so nobody can use it all who is served by that?!
:)
"can use it all who is served by that?!"
Post office! Now u have to write letters to ur friends. :)
How to detect?
Maybe an ISP will enforce its policies
"Your computer is compromised, you are NOT secure, click this link to find out how to clean your computer".
You know what, you take the botted computers offline, ALL the revenue dries up and people fix their computers. Of course, Qwest and other backbone providers don't sell as much bandwidth, and Symantec doesn't make as much money, and fewer computers sell because the computer is not actually slow, it is bogged by infection, and of course... never mind, except for the consumer, this is GREAT for the world economy, as you were.
TripleII
because browsers now block redirects....
Proxy
So, it isn't flashing a screen in front of them, then leaving them on their merry way, it is their computer is isolated with no route in/out to the internet, and all attempts at web browsing cause the user to arrive at the proxy.
You may allow them to surf through the proxy, but that's another story. This is just one idea, but my ISP allows for that. Your account can be direct or proxied. This is forced change to proxied for botted computers.
TripleII
95%. Yes, spam has hit 95% level of all email
Leading zombie locations included the United States (36%) and Russia (8%).
Is it time for more band aids or is it time to actually fix the problem? Until people focus on the problem, de-zombifying and/or taking these machines off the internet, enjoy your Viagra.
TripleII
Don't believe everything you hear
Or what you read
I have never read about any botted Linux client machine (I have read about cracked servers with Linux), and the reason is, SSH, FTP as root, which are not enabled by default, don't allow for root access by default when turned on. I would be HIGHLY interested in reading up on any Linux malware available for install by users not versed in ONLY using repository sources. The cracker community would have to create a .deb, rpm, etc, customize it for each Linux, convince the user to download the right version, install it. LOL, the typical #1 complaint, hard to create universal software across distros, is actually a security perk. It means we all use the repositories 99.8% of the time.
I used to have to compile, but haven't needed to, for any package, in probably over a year.
Look at what it takes, a security vulnerability must
1) be accessible from the web through the firewall
2) be able to escalate to root undetected
3) install the rootkit undetected
4) start ssh and modify the system for remote access, disable or poke a hole in the firewall, allow for root access, download any missing dependencies, etc, undetected
5) not hurt the system from booting up normally
6) survive and remain undetected from chkrootkit.
7) Do it right, as easy as it has become, setting up an SSH server is NOT an automatic easy process.
That is a VERY VERY tall order. Much much easier to crack the password on a server (i.e. weak root password).
The time will come when users will be able to download and install from anywhere to get the same malware infected whizbang screensaver-weathermachine, that can do all the above, but we aren't there yet (years away, not enough marketshare) and there is likely a better open source free equivalent in the repository. :D
TripleII