



This joker carries a dangerous payload.  (Source: Arbor Networks)
Everyone's favorite botnet makes an encore appearance

Storm is back, reports security firm Arbor Networks, and dressed to kill in its April Fools’ outfit.

Arbor Networks blogger Jose Nazario notes that Storm's latest variant began appearing sometime during March 31, greeting users with a simple “Doh! April’s Fool. (sic)” message that hyperlinks to an IP address.

Users clicking the link are taken to a web page with a cute picture and an automatic download, prompting them to run the download as soon as it completes. If the user follows these directions, he or she will find his or her computer added to the decentralized Storm botnet, which security analysts think contains anywhere from 20,000 to 10 million computers.

April Fools’ Day is only the latest such occasion to be exploited by Storm, which in the past has sent out e-mail messages with headlines like, “Saddam Hussein alive!” and “Fidel Castro dead.”

The original Storm variant earned its name in January 2007, when it infected thousands of computers in the United States and Europe using the e-mail subject line “230 dead as storm batters Europe.” Six more waves appeared within three days of the worm’s initial attack, and by January 22 the Storm Worm was responsible for 8% of virus infections around the world.

The worm’s author is still unknown, and its decentralized structure leaves investigators little to target, let alone a reliable way to measure it: an October 2007 estimate that the Storm botnet had shrunk to 20,000 computers was disputed by security researcher Bruce Schneier, who noted that the botnet’s owner is partitioning the network into discrete units, likely for their independent sale.

Nazario warns users to look out for the following signs of infection:

  • C:\WINDOWS\aromis.config, which contains the botnet’s decentralized peer list – a list holding only a very small subset of the overall network, so recovering it from one host does not enumerate the botnet.
  • C:\WINDOWS\aromis.exe, the program this variant of Storm installs itself as.
  • “Services.exe” or “Aromis.exe” listening on a random UDP port, together with a large volume of outbound connections – the worm will attempt to create a firewall rule for itself and uses Windows services to update its internal clock. Note that services.exe is also the name of the legitimate Windows Service Control Manager, so the presence of that process name alone proves nothing; the sign is that process owning a UDP socket.
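As an added example (not Arbor Networks' or the article's tooling), the following Python script checks a host for the three indicators above. It parses the text output of `netstat -ano` and `tasklist`, so it can be run on the suspect machine or against output captured from it; the netstat and tasklist text embedded below is constructed for the demonstration, and the threshold for "a large volume of outbound connections" is an assumed tuning value, not a figure from the article.

```python
"""Check a Windows host for the Storm indicators Arbor Networks published in
April 2008: aromis.config / aromis.exe on disk, services.exe or aromis.exe
owning a UDP socket, and a burst of outbound TCP connections from one PID.
Added example; the netstat/tasklist samples below are constructed."""
import os
import re
import subprocess
from collections import Counter
from typing import Callable, Dict, List, NamedTuple

STORM_FILES = (r"C:\WINDOWS\aromis.config", r"C:\WINDOWS\aromis.exe")
# services.exe is also the legitimate Service Control Manager; the indicator
# is that image name *bound to a UDP port*, not its mere presence.
STORM_UDP_OWNERS = {"services.exe", "aromis.exe"}

# tasklist row: "<image name> <pid> <session name> <session#> <mem> K";
# the image name may itself contain spaces ("System Idle Process").
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s*$")


class Socket(NamedTuple):
    proto: str
    local: str
    foreign: str
    state: str   # empty for UDP, which netstat prints without a State column
    pid: int


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> lower-cased image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip().lower()
    return pids


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -ano` rows: UDP rows have four columns, TCP rows five."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "UDP":
            sockets.append(Socket("UDP", f[1], f[2], "", int(f[3])))
        else:
            sockets.append(Socket("TCP", f[1], f[2], f[3], int(f[4])))
    return sockets


def storm_indicators(netstat_text: str, tasklist_text: str,
                     file_exists: Callable[[str], bool] = os.path.exists,
                     outbound_threshold: int = 50) -> List[str]:
    """Return human-readable findings; an empty list means no indicator seen.
    outbound_threshold is an assumed knob for 'large volume of connections'."""
    findings = [f"file present: {p}" for p in STORM_FILES if file_exists(p)]
    image_of = parse_tasklist(tasklist_text)
    outbound = Counter()
    for s in parse_netstat(netstat_text):
        image = image_of.get(s.pid, "<unknown>")
        if s.proto == "UDP" and image in STORM_UDP_OWNERS:
            findings.append(f"{image} (pid {s.pid}) bound to UDP {s.local}")
        if s.proto == "TCP" and s.state in ("ESTABLISHED", "SYN_SENT"):
            outbound[s.pid] += 1          # connections this PID dialled out
    for pid, n in sorted(outbound.items()):
        if n >= outbound_threshold:
            findings.append(f"{image_of.get(pid, '<unknown>')} (pid {pid}) "
                            f"has {n} outbound TCP connections")
    return findings


# Constructed sample output, not a real capture: PID 1588 is a second
# "services.exe" that owns a UDP socket and is dialling out on TCP 25.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.20:1040      198.51.100.7:25        ESTABLISHED     1588
  TCP    192.168.1.20:1041      198.51.100.8:25        SYN_SENT        1588
  UDP    0.0.0.0:123            *:*                                    1032
  UDP    0.0.0.0:7871           *:*                                    1588
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
services.exe                   672 Console                    0      3,652 K
svchost.exe                   1032 Console                    0      4,812 K
services.exe                  1588 Console                    0      2,204 K
"""


def live_output(cmd: List[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if os.name == "nt":   # on a Windows host, inspect the real process table
        hits = storm_indicators(live_output(["netstat", "-ano"]),
                                live_output(["tasklist"]))
    else:                 # elsewhere, demonstrate on the constructed sample
        hits = storm_indicators(NETSTAT_SAMPLE, TASKLIST_SAMPLE,
                                file_exists=lambda p: False,
                                outbound_threshold=2)
    for h in hits or ["no Storm indicators found"]:
        print(h)
```

The firewall rule the worm adds for itself is not covered by the script; on XP SP2, `netsh firewall show allowedprogram` lists the current program exceptions, and an entry pointing at aromis.exe is a further indicator. Treat a hit on services.exe as a lead to investigate (which binary the PID actually runs from), not as proof on its own.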


Comments



Maybe I just don't understand
By theapparition on 4/2/2008 12:10:30 PM , Rating: 3
How can things like this not be stopped, or why is it so hard?
A link is distributed that, if clicked, will take you to an address where you can download the malicious code. Why can't authorities hunt down and find the domain? That's not too difficult. Once the domain is questioned, they'll give up the user. I know other countries are involved, but how can't ISPs, when warned about an address, block access to that site?

Maybe someone could explain a little more.




RE: Maybe I just don't understand
By Hieyeck on 4/2/2008 12:57:39 PM , Rating: 2
Because people will always be stupid and click on links that say "click me"


By idconstruct on 4/4/2008 8:00:25 AM , Rating: 2
... according to the article the link was to an IP address, not a domain name, in which case it's not impossible that the IP is a random bot already infected. (Thus, decentralized)

Decentralization is the most powerful weapon available to combat those who want to take your network down. (See: p2p)


RE: Maybe I just don't understand
By stmok on 4/2/2008 1:46:04 PM , Rating: 2
quote:
How can things like this not be stopped, or why is it so hard?


Are you willing to conduct a worldwide campaign of teaching EVERY single Windows user on the planet in using Limited User Account (LUA) and Software Restriction Policy (SRP) in WinXP SP2 or Vista? (That's assuming most use WinXP or Vista...What about Win2k? They don't have SRP.)

In addition, educate ALL of them to not blindly accept emails with attachments from strangers? ie: Good security computing practices. (If you don't know where it came from, delete it...And NOT to disable UAC in Vista).

Because that's what it's going to take. A worldwide education campaign. (That's assuming they want to learn...Which many don't!)

On top of this, are you gonna help everyone get their apps working (because some apps need Admin account to run), without reducing the effectiveness of LUA+SRP?

quote:
A link is distributed that, if clicked, will take you to an address where you can download the malicious code. Why can't authorities hunt down and find the domain? That's not too difficult. Once the domain is questioned, they'll give up the user. I know other countries are involved, but how can't ISPs, when warned about an address, block access to that site?


It's not that simple. It's not a link. It's an executable attached to an email with a social engineering approach. (Trick the user into clicking it).

Once you execute that, it installs a rootkit. This typically modifies a Windows driver like tcpip.sys...The problem is, you won't know the driver has been modified. (Although, if you're smart enough, you'll notice the generation of new and odd Registry entries).

If a person is using LUA with SRP, this isn't likely to happen. That's because under this situation a Limited User with SRP implemented, isn't allowed to write into the Windows directory itself. (So they aren't able to modify a Windows driver)

What the rootkit of Storm Worm does (depending on the version of Storm Worm), is try to connect to a server via a modified P2P protocol.

This server can be an innocent party that was compromised early on. (It could be a string of them to hide the true identity of the attacker, you don't know.).

What makes tracking formidable malware hard is that it is being constantly updated and improved at a rate faster than AV vendors can keep up with! (Not to mention the fact that the distribution of malware via email is often done via compromised email servers acting as relays and points of distribution).

This effectively renders AV solutions useless in situations like these. (In real life attacks, not tests with old malware, AV solutions only help 47% to 50% of the time).

On a side note: While LUA with SRP is effective, it isn't the end-all or be-all. It has limitations in that if you compromise the Limited User Account, it's possible to take the whole box by exploiting a bug in the system. (The goal is to escalate the privileges to Admin via an OS bug, so you can get access to the whole box).

This is why I advocate use of some sort of HIPS (host-based intrusion-prevention system). The point is to warn and prevent something from happening. (It's what I learned from the Linux world).

This is instead of relying on third-party applications that take a reactive approach to security. That is, they only act after something has already happened! (ie: it's too late!)


By theapparition on 4/2/2008 8:32:58 PM , Rating: 2
quote:
Are you willing to conduct a worldwide campaign of teaching EVERY single Windows user on the planet in using Limited User Account (LUA) and Software Restriction Policy (SRP) in WinXP SP2 or Vista?

Don't confuse the issue I was asking about. I know quite well that the casual user will do stupid things. That's not what I'm talking about.

What I'm talking about is a global IP censor list that would prevent such "link" attacks happening in the first place. As for malicious code that is already running as a rootkit....same goes for that as well. Usually, those attacks involve sending info out to another server, and that server's IP address is usually known.

Once you have an IP address, I still don't understand why it's so hard to be able to find out who the owner is. Your reply did nothing to answer that question, but if you know I'd still like to find out. I know part of the problem is that these "hackers" are operating in other countries. Even so, I still don't understand why ISPs can't voluntarily block known malicious IP addresses.

quote:
Arbor Networks blogger Jose Nazario notes that Storm's latest variant began appearing sometime during March 31, greeting users with a simple “Doh! April’s Fool. (sic)” message that hyperlinks to an IP address.

Users clicking the link are taken to a web page with a cute picture and an automatic download, prompting them to run the download as soon as it completes.

Clearly this article states that it links to the page where the offending malicious code is harbored. If that's the case, why can't AV companies (for example, they are the experts after all) put out lists of malicious addresses? These addresses would be blocked at the ISPs. Therefore, when the link is clicked, it goes nowhere but to a redirect page. Problem solved. No infections.
Now, with that known, the authorities should be able to track down the offending computer and block all traffic to that server if the owners don't give up the account. Once again, problem solved.


I want a job as a Security Analyst
By 325hhee on 4/2/2008 9:25:01 AM , Rating: 3
quote:
which security analysts think contains anywhere from 20,000 to 10 million computers.


Wow, I know people need to take guesses, but seriously, talk about a +/- margin; you'd think they could narrow down the numbers a bit. LOLZ




By Cogman on 4/2/2008 9:48:32 AM , Rating: 2
I agree. I think what is so scary about the Storm worm is that they really have no clue how many computers are infected.


By FITCamaro on 4/2/2008 10:23:15 AM , Rating: 2
It truly must be a great thing. Even when you're wrong you can simply say you didn't have all the data and your numbers were merely a best guess with the data you did have. It's kind of like being a weatherman. But without the botox injections and fake smile.


By Souka on 4/2/2008 11:39:29 AM , Rating: 2
my 1st thought exactly...20,000 to 10mil.

Heh...

They should've said 20,000 to many as billions!


feels good to run linux
By JoshuaBuss on 4/1/08, Rating: -1
RE: feels good to run linux
By pauldovi on 4/1/2008 11:13:06 PM , Rating: 4
Because when you are using a Windows PC you instantly become retarded and do anything an email tells you to.


RE: feels good to run linux
By FITCamaro on 4/2/2008 10:18:00 AM , Rating: 1
Didn't Al Gore prove this in his "documentary" too?


RE: feels good to run linux
By 67STANG on 4/1/2008 11:47:06 PM , Rating: 4
You've probably also forgotten how to play games, share files with others and pretty much do any kind of work oriented tasks.

Oh how I envy your peace of mind...


RE: feels good to run linux
By lagitup on 4/2/2008 3:08:34 AM , Rating: 1
Before I start I will say: I have a tri-boot with Vista Basic, XP Pro, Sabayon Linux 3.5b2 Standard. I guess what I am really trying to say here is I have the right to talk about this.
Now I will take these one at a time:
quote:
You've probably also forgotten how to play games,

Not really. Wine or compiling WineX/Cedega yourself works just dandy if you have a no-CD crack in hand...haven't got a game in my collection that Wine can't handle.
quote:
share files with others

I'm gonna go out on a limb here and assume you mean torrents. Every version of Linux I have ever run (starting with Ubuntu 6.06 Dapper a few years ago) had a working torrent utility preloaded, with plenty more available.
quote:
pretty much do any kind of work oriented tasks.

This brings us back to: Wine, if you mean M$ Office. Or you could use a free program, like OpenOffice which, again, has come preloaded on every version of Linux I have ever used. You could also have meant things like 3D graphics apps, which have started leaning further and further towards Linux, and not Windows.
quote:
Oh how I envy your peace of mind...

Oh, how I envy your blissful ignorance, BSODs, and driver hells.


RE: feels good to run linux
By Darkefire on 4/2/2008 4:13:50 AM , Rating: 5
While you were busy wowing us with your technical savvy and ginormous e-penis (which I'm sure is quite lovely and makes a great hunting tool on the great 'net savannah), 90% of the working world started letting stupid-spit dribble out the sides of their mouths. That's because your average corporate drone has neither the time nor the inclination to learn how to use Linux in any flavor, or to have to fiddle with it when something inevitably goes wrong. Yes, I know that Linux is getting easier to use. Yes, I know that many Windows programs can work under Linux with some twiddling. But before you let your inner geek lash out at me, think of it this way: if you need anything other than two or three mouse clicks to download/install/run a program, it's too complicated for the average Windows user. That's why every virus on the planet goes straight for the C:\WINDOWS folder, and why Norton/McAfee/Sophos and their ilk will earn enough money from subscriptions to their lousy services to start buying tiny island nations to house their dev teams.


RE: feels good to run linux
By Cogman on 4/2/2008 9:55:39 AM , Rating: 2
The only thing in Linux that requires "fiddling" is getting Windows programs to work (IE games). In the corporate world that is hardly a priority. Everything else useful that Windows has, most Linux distros come with standard. File sharing? Ever hear of Samba? Most Linux distros seamlessly incorporate it so that you can just browse the network like you would with any Windows machine.

As for office applications, OpenOffice, while using an older MS Office 2003 type interface, can handle pretty much any file created by Microsoft Office (any version) and produce files to match. That requires about as much work as double clicking on the file you want to open *Gasp*

If my sister, the least tech-savvy person on the planet, can run Ubuntu and like it, I am almost certain anyone else can.


RE: feels good to run linux
By Yawgm0th on 4/2/2008 4:43:41 AM , Rating: 5
quote:
Before I start I will say: I have a tri-boot with Vista Basic, XP Pro, Sabayon Linux 3.5b2 Standard. I guess what I am really trying to say here is I have the right to talk about this.
That doesn't give you the right to talk. The anonymity of the Internet and presumably your home country's constitution give you the right. Being a multi-platform user might make you experienced or knowledgeable enough to provide an educated opinion. In this case, however, I think you've demonstrated why it doesn't.

quote:
Not really. Wine or compiling WineX/Cedega yourself works just dandy if you have a no-CD crack in hand...haven't got a game in my collection that Wine can't handle.
Your collection must be rather paltry. Using Wine for games on Linux is a complete joke. A limited selection of major titles run, and few run reasonably well and without bugs. Let's not talk about performance. No, Wine is a ways from making Linux a serious contender as a PC gaming platform.

Moreover, "compiling WineX/Cedega yourself" is simply out of the scope of most users.

quote:
I'm gonna go out on a limb here and assume you mean torrents. Every version of Linux I have ever run (starting with Ubuntu 6.06 Dapper a few years ago) had a working torrent utility preloaded, with plenty more available.

Obviously he meant file sharing, not P2P. As in sharing files on your home network. I'll have to disagree with him on this, though, as setting up shares in modern Linux distributions requires no more than a mixture of intuitive right and left clicks. If it were any easier -- let's say you didn't even have to right click -- it could be on a Mac. But Windows has wizards and big icons and uses task-oriented terminology instead of tech-oriented terminology.

It's all beside the point, however, as the OP was almost undoubtedly referring to Macintosh systems, not Linux. Way to start the wrong flame war.

quote:
This brings us back to: Wine, if you mean M$ Office. Or you could use a free program, like OpenOffice which, again, has come preloaded on every version of Linux I have ever used. You could also have meant things like 3D graphics apps, which have started leaning further and further towards Linux, and not Windows.


Using Wine for anything is inherently not work-oriented. Wine Is Not Effortless. Nor is using Linux. Almost any idiot can quickly install and use MS Office on a Windows computer. The same is not true with most Linux distributions and applications. If a given application comes with a working RPM that works on your system, great. Otherwise, compile from source yourself. That's not work-oriented. It takes more effort to install OOo on a non-RPM distro than it does to install XP itself. Even from the standpoint of a knowledgeable IT professional, Windows takes an approach to almost everything that is much, much more conducive to effective time management, office environments, and business in general.

Moreover, Wine is not easy or work-oriented by any means, nor is it a true replacement for Windows. OOo is a so-so replacement for MS Word, a mediocre replacement for PowerPoint, a poor replacement for Excel, and not at all a replacement for most of the other Office products.

Also, what "3d graphics apps" are "leaning further and further towards linux?" Whether you're talking about image editing, video editing, 3D rendering, modeling, or anything related, the vast majority of the market is not going to Linux, nor is there any indication it will. Photoshop, the de facto standard in image editing, only runs on Windows and Mac. Don't even start on GIMP. Calling it a Photoshop equivalent shows ignorance. Avid and Final Cut Pro, the de facto standards for video editing, only run on -- yes, you guessed it -- Windows and Mac. I've certainly never heard of any serious game developer or CG animator using Linux for 3D rendering or 3D modeling.

Seriously, where are you getting some of this?

quote:
Oh, how I envy your blissful ignorance, BSODs, and driver hells.

BSODs indicate a poorly built system or poorly managed OS, 99% of the time. For the most part, BSODs are long since past as a software-induced stability problem inherent in Windows. If you actually still see BSODs not caused by hardware failure, then they are your fault. You also can't even compare Windows driver issues to Linux. Windows has support for a far greater volume of hardware than all Linux distributions combined, and installing drivers is infinitely easier. Writing point-of-sales applications, burning programs, and database clients is easier than installing most drivers in most Linux distributions. Process that for a second... Yes, software engineering is easier in Windows than driver installation is in Linux.

I love Linux. I use it on an everyday basis. It's a great development platform; it offers a lot of great network management and security tools; an inherently more secure environment; better and cheaper licensing models, especially for servers or integrated devices; free software and, better yet, free freeware. It has its place in the IT world and in the consumer space. But it is not inherently superior to Windows in the overall quality and productivity provided. You can't take some poor anecdotal evidence and some of the genuine advantages of *NIX and act like Windows serves no purpose or its users are simply ignorant of the advantages of Linux. The fact of the matter is that Linux is simply not an option as a Windows replacement even for most tech-savvy users, and might never be.


RE: feels good to run linux
By wushuktl on 4/2/2008 9:27:16 AM , Rating: 3
RE: feels good to run linux
By theslug on 4/2/2008 9:32:54 AM , Rating: 2
Glad to see someone finally understands that BSODs are not to be feared and actually tell you something is wrong with the computer and needs fixing. Unfortunately this goes over the heads of many Linux users.

And it's not like Linux is bullet-proof either. Kernel panic, anyone?


RE: feels good to run linux
By FITCamaro on 4/2/2008 10:21:03 AM , Rating: 2
Give this man a 6!


RE: feels good to run linux
By Etsp on 4/2/2008 1:45:43 PM , Rating: 2
quote:
Wine Is Not Effortless
To spell this out so people who don't know understand, Wine Stands for "Wine Is Not an Emulator" But, the quote is correct as well, Wine is far from effortless. Nice play on its acronym!


RE: feels good to run linux
By lanscaper on 4/2/2008 10:48:35 AM , Rating: 2
Ummm, let's see, tri-boot, huh? I have numerous PCs and servers at home and work running various flavors of Linux, Windows Server 2003 R2 and 2008. I have several instances of Vista Business, Ultimate and XP running both on physical hardware and virtual. I like them all. All are very different and have good and bad points. I'm so very tired of the idiotic Windows bashing. Linux is not problem free, or free for that matter. That's if your time is worth anything at all. The Linux boxes at work require a great deal more time and effort to configure, maintain and manage. I can't tell you how many times we have said, "Forget it. Let’s just run it on a Windows box". And quotes like this make me wonder how experienced you are with either operating system:

"Oh, how I envy your blissful ignorance, BSODs, and driver hells."

Driver hells???? Have you ever tried to get a video card or sound card to run on Linux? Now I will admit, it has gotten much, much better, but give me a break. You have to be fair. I also can't tell you the last time I've seen a BSOD that wasn't caused by a device driver. Even then they are few and far between. It is a myth that Linux doesn't crash. Instead of a BSOD, it is said that Linux runs around with its hair on fire. They go down, my friend. This is from someone who is on-call once a month. Our calls for Linux boxes that have stopped responding or an application that isn't running because the process has stopped far outnumber the calls we get for our Windows boxes. Our Windows boxes outnumber our Linux boxes by 3 to 1. No question viruses are a problem, but in the 20-plus years I've worked in this industry, at least at the places I've worked, we have never, ever had an outbreak that crippled us. Sure we've had outbreaks, but they have been contained. Furthermore, the last one I can recall was 5 or 6 years ago, Code Red. None at all since then. What it comes down to is, if you know what you are doing, all of these OSs can be secure and reliable. However, as is the case all too often these days, many end users and sysadmins who claim to know what they are doing just don't have a clue.


RE: feels good to run linux
By Kougar on 4/2/2008 2:35:25 AM , Rating: 1
At least I can de-stress after infecting my computer by playing a few rounds of my game of choice.


RE: feels good to run linux
By stmok on 4/2/2008 12:27:29 PM , Rating: 1
quote:
feels good to run linux

I've forgotten about these virus worries and only when I read about them do I ever happen to remember all the stress of managing anti-virus utilities/precautions for Windows machines..


Why in god's name did you have to drag Linux into this, huh?

It disappoints me (as a Linux user), that you have some need to incite others for no reason other than your own gratification.

Whether someone uses Linux or not is entirely up to them and their requirements or needs. All we want to do is develop software that offers choices to all. (Regardless of race, religion or financial status.)

As to the other people: I do apologise, we aren't ALL like this.

On a side note: You can try to emulate some Linux practices in Windows XP SP2 by going to this link:

Maximising Windows XP security with Limited User Account (LUA) and Software Restriction Policy (SRP)
http://www.wilderssecurity.com/showthread.php?t=20...

I've tried this on a relative's system. Complement this with some good security computing practices, and you should be resistant to a good majority of threats...It has largely worked well for the person I was helping. (They haven't been infected in 2 months).


Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki