too quiet...
October 15, 2007 6:43 AM

If Bruce Schneier, the expert voice of security moderation, is "worried" then so am I. Since the beginning of the year Storm, an advanced, distributed worm network has been growing quietly as its authors tweak its social engineering attack. Now it seems that it is in place and waiting. Schneier's article. Digital Intelligence and Strategic Operations Group has been monitoring Storm for a year. OWL.
posted by shothotbot (89 comments total) 20 users marked this as a favorite

 
When an attachment is opened, the malware installs the wincom32 service,...Some of the known names for the attachments include:

Postcard.exe
ecard.exe
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe


Can I just be the first to say that anybody who opens any file named "Video.exe" deserves whatever they get?
posted by Avenger at 7:06 AM on October 15, 2007 [2 favorites]


Do we deserve what they get? We're all using the same internet, remember.
posted by DU at 7:07 AM on October 15, 2007 [2 favorites]


dildoinanus.exe
posted by quonsar at 7:10 AM on October 15, 2007 [1 favorite]


Yeah but "we" won't get it if we have an IQ higher than a turnip and don't open strange .exe files. Right? Or am I being ignorant and don't realize that worms can infect computers even without opening hazardous attachments?

Or would the internet just crash if enough people got infected and started sending out 80,000 emails each?
posted by Avenger at 7:12 AM on October 15, 2007


What's interesting is that this worm, (IIRC) profiles users based on the software they have installed or running and tries to avoid computers where the user might notice it, like if they have sys internals programs, or visual studio. It's certainly a smart thing to do.

I seriously doubt these storm guys have any motive other than money, and wreaking havoc won't make them any. They'll just keep using their network as is, IMO.
posted by delmoi at 7:13 AM on October 15, 2007


Am I right in saying that Windows default is still to hide file extensions for known file types, and also that this is a major security flaw?
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 7:16 AM on October 15, 2007 [4 favorites]


Or would the internet just crash if enough people got infected and started sending out 80,000 emails each?

I think that's the concern. Plus, do you really want 80,000 emails? As far as the individual users themselves, they don't even "get" that much, as the virus takes lots of precautions to avoid damaging the user's machine or even affecting performance.
posted by delmoi at 7:17 AM on October 15, 2007


::gasp::

Skynet!
posted by cowbellemoo at 7:17 AM on October 15, 2007 [3 favorites]


Or would the internet just crash if enough people got infected and started sending out 80,000 emails each?

This is pretty close to the real concern here. The collective bandwidth of all of the people who do open "video.exe" could, if used properly, pose a legitimate threat to Internet infrastructure.
posted by dreadpiratesully at 7:18 AM on October 15, 2007


Or, what he said.
posted by dreadpiratesully at 7:19 AM on October 15, 2007


Avenger writes "Can I just be the first to say that anybody who opens any file named 'Video.exe' deserves whatever they get?"

Well, I work at a small ISP. We end up paying the costs of such infections. Do we deserve it?
posted by krinklyfig at 7:22 AM on October 15, 2007


Quansar, I keep clicking that link and it doesn't work! Please repost!
posted by dirtdirt at 7:22 AM on October 15, 2007


Even if the entire internet survives, individuals may not. If a teller at your bank is "dumb enough" to get infected and that spreads to the entire bank, how happy are you going to be that it takes them a couple extra days to process your paycheck?

Computer health is like biological health. We are each better off if we are all better off. The real world and the internet are both networks, and networks don't perform as well when many of the nodes are dead or dying (even if they've been designed to limp along).
posted by DU at 7:23 AM on October 15, 2007 [1 favorite]


Am I right in saying that Windows default is still to hide file extensions for known file types, and also that this is a major security flaw?

Windows doesn't control what gets shown in email clients. And many webmail clients won't let you download EXE files at all. I know I've had trouble sending even Java .jar files
posted by delmoi at 7:24 AM on October 15, 2007


Bring it on. Dead or alive. Mission accomplished.
posted by spitbull at 7:26 AM on October 15, 2007 [1 favorite]


The Storm botnet is completely frigging terrifying. It's like HIV with a very intelligent and completely unscrupulous mind behind it. I'm reminded of the early days of AIDS, when only a small proportion of the medical community recognized the disease for the looming catastrophe that it was while most of the world ridiculed the people who contracted it. Then Africa's life expectancy (and economy and government and ...) started dropping through the floor while the public health boffins scratched their heads.

Storm could, in less than an hour, blast an entire country from the Internet or put a communications-dependent company out of business within two weeks. All that a rogue corporation (or government) would have to do is pay Storm's controllers enough money. This is James-Bond-evil-genius territory, it's 100% real and growing larger and nobody knows how to stop it yet.
posted by xthlc at 7:29 AM on October 15, 2007 [3 favorites]


I think this quote from the second to last link is notable:

As more black hats investigate the CME711 code, the network will become more vulnerable to takeover attacks. I hope these guys cut their losses and start breaking down the net soon. I would hate to see such a large botnet in the hands of some second rate script kiddy.

Even if the authors/current owners of the network are purely in it for the money, the command and control structure is theoretically vulnerable just like any other network infrastructure. It's quite possible that someone out to make a name for themselves, or just to make things interesting, might find it easier to take over the network than to create one themselves.
posted by dreadpiratesully at 7:29 AM on October 15, 2007


"Or would the internet just crash if enough people got infected and started sending out 80,000 emails each?"

Let's say one of the people controlling a botnet takes an extreme dislike to MetaFilter; they could instantly knock it offline whenever they felt like it, attack the admins' email addresses, spread to going after sites and email addresses found in user profiles, etc. It's hard to defend against a big, well-organised denial of service attack.

The only viable option is to somehow encourage/compel all ISPs to immediately disconnect machines clearly exhibiting malicious behaviour, but that's not always easy to determine and many clueless people would blame their ISP rather than themselves.
posted by malevolent at 7:31 AM on October 15, 2007


Email viruses used to be something that geeks used to scare newbies with. And then Microsoft took the impossible and made it real. Thanks, Microsoft!
posted by ardgedee at 7:55 AM on October 15, 2007 [2 favorites]


I, for one, welcome our new worm overlords.
posted by Slothrup at 8:04 AM on October 15, 2007


quonsar.exe
posted by oaf at 8:06 AM on October 15, 2007 [2 favorites]


Big crashes and internet mayhem are exciting but what I find even more frightening is the idea that the worm may act like a true parasite: it attaches, sucks some resources, but still leaves the host largely unaware of its presence.
posted by klarck at 8:09 AM on October 15, 2007


It's true. When a parasite kills its host it is often a design flaw (though I think sometimes it can be key to propagating). Better to keep the host alive and use it for your own purposes.
posted by shothotbot at 8:11 AM on October 15, 2007


I've seen estimates that between 1 million and 50 million computers have been infected worldwide.

Schneier's article lists 9 reasons why this particular worm/trojan/botnet is especially dangerous. I only got up to #4 before I thought we were totally fucked.

On the other hand, it might take a massive attack to radically alter the behavior of users/vendors/ISPs/governments. I can see if an attack ends up shutting off some essential services for a time, a law would be quickly passed that forced ISPs to shut off user's PCs that were detected with a virus. The ISPs could then shrug off customer complaints by saying "We're just complying with the federal DETOX* Act of 2008."

*Don't Even Think Of Clicking K Thanx?
posted by gwint at 8:22 AM on October 15, 2007 [1 favorite]


dildoinanus.exe

Years ago, a couple of friends of mine were playing in the orchestra for a regional chamber-opera company production of Dido and Aeneas. It clad all the principals in flimsy polyester togas, the chorus in self-supplied non-matching sweatpants and t-shirts, and featured a pair of barely-clothed nymphs writhing sappho-erotically all over the stage.

One of my orchestra-member friends insisted on referring to it conversationally as "Dildo and Anus."

posted by lodurr at 8:38 AM on October 15, 2007


On the other hand, it might take a massive attack to radically alter the behavior of users/vendors/ISPs/governments.

You seem to be assuming such a radical alteration would be for the better, while the history of responses to massive attacks suggests the opposite.
posted by scottreynen at 9:00 AM on October 15, 2007 [1 favorite]


To me, the really fun part is that the Storm krew have started selectively attacking people known to be studying it. Kind of the way that gangsters lean on anyone who looks too close at what they're doing.
posted by lodurr at 9:06 AM on October 15, 2007


One of the links provided in Crypto-gram (Schneier's newsletter) this morning mentions that Storm once attacked a rival spam outfit in Russia, Warezov. They deflected the attack by changing their DNS A records to point to spamhaus.org, an anti-spam company.

Criminal organizations battling it out to corner the market in sending me cock pictures. RAD.
posted by kickback at 9:08 AM on October 15, 2007 [1 favorite]


Can I just be the first to say that anybody who opens any file named "Video.exe" deserves whatever they get?
posted by Avenger


This is still the key point. We have unsophisticated users who will click on anything, and - my favourite rant this decade - the OSs sold to the public default to letting ANY executable run with full rights to fuck up the user's computer.
posted by Artful Codger at 9:13 AM on October 15, 2007


Can I just be the first to say that anybody who opens any file named "Video.exe" deserves whatever they get?
posted by Avenger


Back in 2000 or so, I had a friend that did not know much about computers. He received an email that had an attachment that was called something like, getaolforfree.exe. It erased his hard drive. Ignorance is not bliss.
posted by Mr_Zero at 9:21 AM on October 15, 2007


Am I right in saying that Windows default is still to hide file extensions for known file types, and also that this is a major security flaw?

Not really. How is my grandma supposed to know that a pif, dll, vbs, exe, bat, and who-knows-what-else are dangerous but a doc, txt, and xls probably aren't? That's a lot of stuff to keep in the noggin.

MS does a good job of limiting user rights with their email clients. Outlook won't even let them download executables. I don't see why other clients should, especially web clients targeted at free email for non-technical users.
posted by damn dirty ape at 9:26 AM on October 15, 2007


It erased his hard drive. Ignorance is not bliss.

...which produces the question: might we arrive at a time when nominal "good guys" feel it's necessary to write destructive viruses in order to "teach users a lesson" and thereby reduce the spread of less-immediately-destructive viruses?

Mark my words. Someone's gonna write a virus that destroys Storm bots, and they'll say it was done for altruistic reasons. Some folks may even believe them.
posted by aramaic at 9:29 AM on October 15, 2007


Taiwan Olympic fiasco, virus hides all.

(sorry, playing six word stories)
posted by furtive at 9:35 AM on October 15, 2007


I'm glad that this story is getting publicity but I don't think this is exactly new. Botnets of hundreds of thousands of Windows machines have been around for a few years now. Their resources are readily for sale to stock spammers, DoS extortionists, wars with other botnets, etc. The difference with Storm is it's more discreet. That's bad news, but it's pretty predictable evolution.
posted by Nelson at 9:46 AM on October 15, 2007


Nelson, we all know that. Storm really is different. It's as though someone took all the lessons that anyone had learned with regard to social engineering, automated propagation, code morphing, and network survivability, and started applying them to the same system.

It's the paradigmatic demonstration of the truism that software evolution is a human-directed endeavor. These folks have done a truly amazing, and deeply unsurprising thing. In a really open-source criminal system, this would have all happened seven or eight years ago.
posted by lodurr at 9:55 AM on October 15, 2007


Funny, I had just come across this on Cryptome, and I thought about posting it myself.

Nasty stuff.

From what I've read so far, it would seem that treating this problem in any significant way would require important name servers to drop requests for "infected" domain names. The address records keep changing, so just taking down the infected hosts themselves is not much use.

For those of you who understand internet policy better than I do: would this be an (unfeasibly) drastic measure?

I once had the hobby of pondering various scenarios regarding stealthy, decentralized botnets, and one of my creepier ideas was that in order to be able to do under-the-radar crime for as long as possible, the most visible and damaging attacks would have to be reserved for when it seems that the security community is finally starting to get through with effective countermeasures. This would mean, of course, that once such measures are on their way, the shit will hit the fan.

As for what the shit and the fan could be, I don't want to give these people any ideas :-)
posted by Anything at 9:56 AM on October 15, 2007


And the Department of Homeland Security still endorses Microsoft products. Amazing.

We've had decades-long relationships with the agencies that currently now make up the Department of Homeland Security, and we can now approach it as one common enterprise. We're excited about the enterprise agreement that we entered in to with DHS over a year ago which provides a common desktop and messaging platform, and server software.
posted by Blazecock Pileon at 9:57 AM on October 15, 2007


gwint writes "I can see if an attack ends up shutting off some essential services for a time, a law would be quickly passed that forced ISPs to shut off user's PCs that were detected with a virus. The ISPs could then shrug off customer complaints by saying 'We're just complying with the federal DETOX* Act of 2008.'"

Which would be great if Internet=USA. There is no way you are going to get buy in from all the countries with significant internet presence. And even if you did you'd need universal competence at the ISPs. The cure could end up being worse than the disease without actually curing the disease.

damn dirty ape writes "How is my grandma supposed to know that a pif, dll, vbs, exe, bat, and who-knows-whatelse are dangerous but a doc, txt, and xls probably arent? "

Well doc and xls aren't safe, they contain fully functional scripting languages.
posted by Mitheral at 9:58 AM on October 15, 2007
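The thread's two points about attachments (nobody can be expected to memorise which extensions are dangerous, and Windows hides known extensions by default, while doc/xls carry a full macro language) can be turned into a gateway-side triage rule. This is an added illustration, not code from any product or source linked in the thread; the extension sets, the `triage` and `blocked` helpers and the two constructed decoy names are assumptions.

```python
"""Attachment-name triage for a mail gateway (added example, not from the thread's links)."""
import os
from typing import Dict, List

# Types that execute when opened: the pif, dll, vbs, exe, bat named in the thread plus close relatives.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js", "jse", "dll", "jar"}
# Office formats with a full macro language: not executables, but not "safe" either.
MACRO_CAPABLE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pot"}
# Extensions people read as harmless; a second extension like these can disguise a real .exe.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "pdf", "avi", "mpg"}


def triage(attachment_name: str) -> Dict[str, object]:
    """Classify one attachment name.

    Returns the real (last) extension, the name a user sees when Explorer's
    "hide extensions for known file types" is on, whether a decoy extension
    precedes a real executable extension, and a verdict: block / scan / allow.
    """
    base = os.path.basename(attachment_name.replace("\\", "/")).strip()
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 and parts[-1] else ""
    # With known extensions hidden, the last extension disappears from the display:
    # "Postcard.jpg.exe" shows as "Postcard.jpg" and "Video.exe" as "Video".
    shown_as = base[: -(len(ext) + 1)] if ext else base
    decoy = len(parts) > 2 and parts[-2] in DECOY_EXTS and ext in EXECUTABLE_EXTS
    if ext in EXECUTABLE_EXTS:
        verdict = "block"
    elif ext in MACRO_CAPABLE_EXTS:
        verdict = "scan"  # hold for macro inspection / AV instead of delivering blindly
    else:
        verdict = "allow"
    return {"name": base, "extension": ext, "shown_as": shown_as,
            "decoy_extension": decoy, "verdict": verdict}


def blocked(names: List[str]) -> List[str]:
    """Names a gateway applying the block rule would refuse to deliver."""
    return [n for n in names if triage(n)["verdict"] == "block"]


# The attachment names quoted at the top of the thread, plus two constructed decoys.
KNOWN_NAMES = ["Postcard.exe", "ecard.exe", "FullVideo.exe", "Full Story.exe",
               "Video.exe", "Read More.exe", "FullClip.exe",
               "GreetingPostcard.exe", "MoreHere.exe"]
CONSTRUCTED_DECOYS = ["Postcard.jpg.exe", "Read More.txt.pif"]

if __name__ == "__main__":
    for name in KNOWN_NAMES + CONSTRUCTED_DECOYS:
        print(triage(name))
```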


This is oddly reminiscent of the beginning of this book.
posted by EarBucket at 9:59 AM on October 15, 2007


And the Department of Homeland Security still endorses Microsoft products.

The only reason it's Windows machines that are infected is because that's what most computers on the net are. If Apple or Linux had enough marketshare to be relevant, there would be plenty of worms for them too. Yes, Windows' commonly deployed security model is less secure than Mac or Linux, but the difference isn't significant enough to stop this kind of attack.
posted by Nelson at 10:04 AM on October 15, 2007


Well doc and xls aren't safe, they contain fully functional scripting languages.

I was making the distinction between executables and documents. Granted, a lot can be done in scripting, but at the end of the day nothing is really safe. Adobe just announced there's some exploit for pdf files, etc. Diligent computing is difficult and good defaults go a long way towards security. Starting with blocking executables goes a long way. From what I've seen most of these large bot nets were created by simply mass-mailing an executable. They're not worms. They exploit PEBKAC.
posted by damn dirty ape at 10:04 AM on October 15, 2007


Not to mention that techies and non-techies alike hate anything that is different than what they are used to. See all the UAC complaints in Vista. People don't even want security, even people who know better.
posted by damn dirty ape at 10:06 AM on October 15, 2007


From nelson's link:
Although there has been some success in dealing with high profile botnet related security incidents, including the 57 month prison term for Jeanson James Ancheta for infecting 400,000 computers for botnet use, this really is tip of the iceberg time. The really organised criminals will be using exactly the same techniques to evade capture and to protect the business of criminality as is seen in the drugs war. You can be sure that while sacrificial lambs get jail time, the gang bosses and the real botnet builders will continue to prosper. Until, that is, law enforcement, the judiciary and governments around the world start to take the spam problem as seriously as they do the drugs one. To be frank, I don’t see any evidence of that happening any time soon. (emphasis mine)

Hey, remember when you used to be able to buy drugs? Too bad the war on drugs has been so successful, because I could sure use a joint right now...
posted by schyler523 at 10:13 AM on October 15, 2007


So I've heard it speculated that a computer that could simulate the workings of the human brain would need to perform about 100 million MIPS. What kind of processing power would a bot networked over 50 million computers have available to it?
posted by EarBucket at 10:18 AM on October 15, 2007


EarBucket, distributed processing has its limits. The latency between two random PCs on the net is anywhere between 50-300 or so milliseconds. Imagine if your brain took that long to talk to another part of it or even the neuron next door.

If the problem cannot be broken up into discrete chunks then it's probably not a good candidate for distributed processing. It's too I/O intensive and bandwidth will become your bottleneck very quickly.
posted by damn dirty ape at 10:21 AM on October 15, 2007


If Apple or Linux had enough marketshare to be relevant, there would be plenty of worms for them too.

I don't buy that argument. The security model on Windows machines is simply weaker.

In any case, the problem is buying one platform for everything. A monoculture invites extinction events.
posted by Blazecock Pileon at 10:26 AM on October 15, 2007 [2 favorites]


It is a paradox: The more we rely on the internet, the more dangerous the internet becomes, so the less we can rely on the internet.
posted by gwint at 10:26 AM on October 15, 2007


See all the UAC complaints in Vista.

Have there been any studies showing that UAC is anything other than a damned nuisance though? Like, I don't know, has anyone taken two completely unfirewalled Vista machines, one with UAC on and one with UAC disabled and seen how long it takes for them to get compromised?
posted by Lentrohamsanin at 10:31 AM on October 15, 2007


Mark my words. Someone's gonna write a virus that destroys Storm bots, and they'll say it was done for altruistic reasons. Some folks may even believe them.

We've already had someone write and release a counter-virus for a well-known worm. It turns out that's not such a great idea.

There are also currently viruses in the wild that will install good security patches and anti-virus software in an attempt to keep other viruses from hogging all the resources of the machine they just infected.
posted by sparkletone at 10:31 AM on October 15, 2007


What's sad is that Storm isn't even particularly good software by any objective definition. It's lightyears better than the script kiddie crap that's been kicking our asses for years, but it's still not the "That's not a knife, this is a knife" disaster that could happen if a bunch of truly talented hackers got motivated.

And what's doubly, triply, etc sad is that this is a trivially solvable problem, but the solution is (perceived to be) too expensive to use commercially. ISPs won't shut their links down simply for being dirty, because if they did they'd be doing their competitors a favor. Unless all the major ISPs decide to take action in unison, this will never go away.
posted by Skorgu at 10:38 AM on October 15, 2007


There is no way you are going to get buy in from all the countries with significant internet presence.

The most effective way to cow ISPs into fixing this will be to null-route them until they block the machines from their network.

The only reason it's Windows machines that are infected is because that's what most computers on the net are. If Apple or Linux had enough marketshare to be relevant, there would be plenty of worms for them too.

No matter how many times you say it, it's still a canard.
posted by oaf at 10:42 AM on October 15, 2007


I don't see the big deal. This is just a virus, right? The herd needs to be thinned anyways.
posted by chlorus at 11:01 AM on October 15, 2007


If it is a herd-thinning metaphor you seek, consider the following:

This is just a virus that will thin the herd by turning the thinned into undead cattle with martial arts training and a thirst for siphoned cash who take marching orders from weather patterns that are difficult to discern to the uninfected and are controlled by a masked man three proxy servers away.
posted by Fezboy! at 11:15 AM on October 15, 2007 [11 favorites]


I find it interesting, as well, that formidable, 'Net conquering, bot nets are being built at the same time that the US is delving ever-further into the networked military presence. Reminds me of the OPFOR general who whipped some major ass by running all his coms through motorcycle courier--rendering vast swaths of expensive monitoring equipment into paperweights.
posted by Fezboy! at 11:19 AM on October 15, 2007


and now I'll stop playing at being delmoi.
posted by Fezboy! at 11:19 AM on October 15, 2007


Skorgu: "trivially" is a big word. From a purely technical (as in, divorced from reality) standpoint, it's trivial, sure. From a practical (i.e., technical as in "detailed") standpoint, it's massively difficult.

And as for whether it's "good software" or not -- well, what are your criteria? As I understand it, the thing basically uses off the shelf techniques, re-arranged as needed -- essentially, deploying a dizzying array of cheap shit, switched up so fast and in such volume that nothing can keep up.

Kind of like those pesky insurgents over there in that hot dry place we keep hearing about...

Really, that's better than one or three sophisticated, elegant attacks. It's more robust, and it's harder to break, in a way, because there's always a fresh supply of off-the-shelf exploits that have been beta-tested by the script kiddies.

In a phrase, this is open-source warfare: Good enough is good enough, especially when you've got lots of help refining the means of production and application.
posted by lodurr at 11:31 AM on October 15, 2007


EarBucket: So I've heard it speculated that a computer that could simulate the workings of the human brain would need to perform about 100 million MIPS. What kind of processing power would a bot networked over 50 million computers have available to it?

Roughly 135 million MIPS, EarBucket (assuming the average infected computer is a PIII 500MHz PC or faster), but it takes a lot more than sheer number of instructions to simulate the human mind. IANANeurologist, but it seems to me that if you look at the influence of chemicals and hormones, the hundreds of millions of years of specifically evolved brain and body subsystems and structures that we'd have to replicate (while barely understanding them), not to mention the heavily interconnected and multiple-signals-sent-at-once methods of the neuron... making anything akin to a "consciousness" in computers would be far more daunting than simply having the total MIPS available.

damn dirty ape: EarBucket, distributed processing has its limits. The latency between two random PCs on the net is anywhere between 50-300 or so milliseconds. Imagine if your brain took that long to talk to another part of it or even the neuron next door.

Actually, I don't think that's true. The connection time of a neuron is very very quick, since they are usually nm apart, but the chemical nature is such that neurons have to rest after firing for 10-100ms. In effect, this is little different than the RTT of packet transfer in TCP on most broadband hosts in terms of the wait time before another window of packets can be sent.



What I find utterly fascinating about this is the parallels of whoever created Storm with the interesting work done both in-house at places like Google and in the P2P world to make more distributable applications. As Skorgu notes, while worlds ahead of most script kiddies, this is child's play development compared to the work done by seriously smart computer scientists. Still... effectively, Storm sounds in principle a lot like something you'd build if you wanted to make a high-availability application: distributed management nodes that can be shifted to other hosts seamlessly if there are failures, etc. The difference being you'd only deploy it to your own servers in your own datacenters, and have a well-known purpose in mind.

I'm certainly far from the only person who's long pondered the possibility of creating a full virtual OS running on millions of machines at once, across the Internet. Using things like decentralized host election and distributed hashtables and management is an interesting approach to botnets, but not unexpected; several torrent clients have been using DHT for some time, and it's hardly a novel approach. Again, to echo Skorgu, this is simplistic computing in one sense- but still, the application of many different advances in decentralized high availability computing to the purposes of a malicious botnet is, from one angle, rather elegant. I'd rather this have been an accidentally rogue thesis project from Stanford or MIT than something that [cliche]Russian spam gangsters[/cliche] cooked up.


What I find particularly interesting is three things:

1) Self-defense: Wow. If I'm reading correctly, Storm itself will attack IPs in self-defense that excessively probe it, without the creators necessarily issuing a DDoS command. I know that a company I worked for created a dynamic DDoS-list in a distributed shared memory on their webservers, to rapidly detect likely DDoS attacks based on commonalities not only in IP but traffic patterns and usage that wouldn't be apparent to any individual node, and automatically blacklisting those IPs upstream (which, because of a widely distributed reverse proxy network, meant that attacking traffic would get directed to only a few of many entrypoints, which would then happily topple over while all other customers continued to come in through the remaining and healthy entrypoints). It's intriguing to think that Storm has that capability, and may automatically take action. If this part is accurate... well, that's dangerously clever, because it means even Storm's creators could theoretically lose control of it: attempts to manage it or take it down could DDoS the creators themselves! Skynet, indeed...

2) A good theory, a bad use: This would make a great thesis project; it's a shame the creators are scummy people, as an open, opt-in distributed network system for doing more than just computing SETI data would be a hell of an accomplishment. On a simple scale, imagine if you could host popular websites and data repositories through datacenter-less widely distributed networks. I wonder if the future of the internet will be something akin to that; on the hardware and network infrastructure, a new overlay network or set of networks function on millions of machines at once. The biggest challenge of hosting say a Metafilter.com on a wholly distributed network is less one of performance or uptime and more one of security: how do you properly authenticate and manage the network if any node can take action, and how do you prevent data injection by a malicious host? This brings us to...

3) Management of Storm: How do the people who created Storm manage it? The most logical answer is they have an infected host that they know how to issue instructions into, which then propagate through the network via the subsets, etc. But then, how does Storm distinguish between valid commands and invalid ones- and would the security folk working against the problem of Storm better spend their time investigating how they could take over Storm (hopefully to shut it down) and "change the password", as opposed to trying to cut off the problem on the individual PC level?

In one sense, Storm is dangerous only in potential, and in a few uses that have emerged from its creators. Unlike many virii or worms/trojans, it appears to not try to cripple the host in some way, or produce excessive- and traceable- traffic. Would the world be a horrible place if someone created an opt-in version of Storm that wasn't used for DDoS? Would we never want such a thing because it could, like nuclear weapons, fall into the wrong hands- without the physical protection that nuclear weapons have of scarcity of uranium and tight controls on storage and shipment of the weapons?
posted by hincandenza at 11:35 AM on October 15, 2007 [2 favorites]
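The shared DDoS list described in point 1 above (per-node counters merged so that a source spread thinly across many entry points becomes visible) can be shown on a few lines of logs. This is an added example, not code from hincandenza's former employer or any project in the thread; the log format, the node names, the two documentation-range IPs and the threshold are constructed.

```python
"""Cross-node request aggregation for DDoS blacklisting (added example, constructed data)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# One line per request as each edge node might emit it (constructed format).
LINE_RE = re.compile(r"node=(?P<node>\S+) ts=(?P<ts>\d+) ip=(?P<ip>[\d.]+) path=(?P<path>\S+)")


def parse_lines(lines: Iterable[str]) -> List[dict]:
    """Parse log lines; malformed lines are skipped rather than crashing the collector."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["ts"] = int(event["ts"])
            events.append(event)
    return events


def counts_in_window(events: List[dict], start: int, length: int) -> Dict[str, Dict[str, int]]:
    """node -> ip -> number of requests with start <= ts < start + length."""
    table: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if start <= e["ts"] < start + length:
            table[e["node"]][e["ip"]] += 1
    return table


def local_suspects(table: Dict[str, Dict[str, int]], threshold: int) -> Set[str]:
    """What any single node can decide on its own: only its own counters."""
    return {ip for per_ip in table.values() for ip, n in per_ip.items() if n >= threshold}


def shared_suspects(table: Dict[str, Dict[str, int]], threshold: int, min_nodes: int = 2) -> Set[str]:
    """What the shared table sees: totals across nodes, and only for sources that hit
    at least min_nodes entry points (the commonality no individual node can observe)."""
    total: Dict[str, int] = defaultdict(int)
    nodes_seen: Dict[str, Set[str]] = defaultdict(set)
    for node, per_ip in table.items():
        for ip, n in per_ip.items():
            total[ip] += n
            nodes_seen[ip].add(node)
    return {ip for ip, n in total.items() if n >= threshold and len(nodes_seen[ip]) >= min_nodes}


# Constructed sample: 198.51.100.7 spreads 4 requests over each of 3 nodes (12 in 10 s),
# while 203.0.113.5 makes 6 requests to a single node, like a busy but legitimate reader.
SAMPLE_LINES = [
    f"node=edge{n} ts={1192450800 + i} ip=198.51.100.7 path=/"
    for n in (1, 2, 3) for i in range(4)
] + [
    f"node=edge1 ts={1192450800 + i} ip=203.0.113.5 path=/post/{i}"
    for i in range(6)
] + ["garbage line the parser must tolerate"]

WINDOW_START, WINDOW_LEN, THRESHOLD = 1192450800, 10, 10


def demo() -> Dict[str, Set[str]]:
    """Run both views over the sample window and return who each would blacklist."""
    table = counts_in_window(parse_lines(SAMPLE_LINES), WINDOW_START, WINDOW_LEN)
    return {"local": local_suspects(table, THRESHOLD), "shared": shared_suspects(table, THRESHOLD)}


if __name__ == "__main__":
    print(demo())
```

The local view flags nothing because no single node sees ten requests from one address; the shared view flags the address seen on all three nodes and leaves the single-node reader alone.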


> I don't see the big deal. This is just a virus, right? The herd needs to be thinned anyways.

The purpose of most botnets is not to harm the computers hosting them but to use those computers to spam and attack other computers.

If yours is the only Mac in a building full of Windows computers, you're safe from whatever infects them. But you are not safe from the activities of those Windows computers. If all those computers are told to pingflood your Mac, your net access is crippled while the Windows users all around you will work as usual.
posted by ardgedee at 11:49 AM on October 15, 2007


The latency between two random PCs on the net is anywhere between 50-300 or so milliseconds. Imagine if your brain took that long to talk to another part of it or even the neuron next door.

A computer is not a neuron. Groups of neurons doing something like face recognition can take a few hundred milliseconds. This is a popular debate these days, but in my (probably worthless) opinion the computing power of a group of machines this size is probably sufficient to approximate human cognition, if at least at a rudimentary model.

The problem remains, however, as to how to write the software to do so.
posted by RikiTikiTavi at 12:04 PM on October 15, 2007


This sort of distributed model is used by Google for their provisioning; it seems inevitable that you'd see it for nefarious purposes as well. I suppose the future is distributed.
posted by RikiTikiTavi at 12:06 PM on October 15, 2007


Hincandenza, I don't read any of the info in the links as saying that Storm automatically took any self-preservation (or counterstrike) actions, only that its unknown authors or controllers moved to stifle discussion or analysi------

[insert dial tone here]
posted by rokusan at 12:42 PM on October 15, 2007


hincandenza writes "But then, how does Storm distinguish between valid commands and invalid ones"

The obvious solution, and therefore probably either wrong or unworkable, would be to have the nodes only accept commands that had been digitally signed.
posted by Mitheral at 12:46 PM on October 15, 2007


i wonder how much adsense revenue this thing will earn.
posted by probablysteve at 1:09 PM on October 15, 2007


“Email viruses used to be something that geeks used to scare newbies with.”

*cd tray opens*

“A quarantine wouldn't work in any case: Storm's creators could easily design another worm”

And it's not like you could find them with some sort of huge security apparatus with advanced surveillance technology at the command of multi-billion dollar espionage agencies monitoring most of the world's telephone, e-mail and telex communications.
Not when people are trying to get onto airplanes with a 1/2 oz of breast milk.
posted by Smedleyman at 1:59 PM on October 15, 2007 [3 favorites]


That's funny. I'm sure AT&T is busy coming up with a great scheme to packet-shape my encrypted torrent and VOIP sessions, but applying that genius to worm networks is, for some reason, someone else's problem.

I wouldn't be surprised if my traffic was downgraded to let Storm better DDoS some hapless victim because all those GETs are on port 80 and in clear text.
posted by damn dirty ape at 2:16 PM on October 15, 2007 [3 favorites]


But mitheral, if they're digitally signed, couldn't one track what the signature source is, and thus eventually exactly who purchased the signature? That's a very traceable and I'd think hackable action. If Storm was a severe enough threat, and its commands were signed with a valid authority, the "good guys" could work with that company to co-opt the authority and introduce their own commands to effectively shut down or uninstall Storm, or introduce a version that is harmless yet easily found by antivirus programs.

That's why I think solving the problem by focusing on how to co-opt the system is the key to halting any danger that Storm poses.
posted by hincandenza at 2:27 PM on October 15, 2007


lodurr Oh, I'm well aware that the real-world trivialities of solving the network security problem are probably unsolvable. But that's not because they're hard. But that doesn't make sense, does it.

Everybody who's got two bits to bang together knows what has to be done to solve this problem: we need educated users, mandatory access control, competently-written operating systems, robust software, and accountability and responsibility for those who make/break these things. The "technical" bits of this are solved. A properly secured network is (at the risk of invoking Mr. Murphy) very difficult to thoroughly pwn. I've administered publicly-accessible labs at the mercy of the least educated users imaginable, and we kept the network as a whole reasonably secure. Far below the noise threshold on the internet, that's for sure. And the bureaucracy there was unimaginable, yet we managed.

My point is that the pieces are there, but they aren't being applied. They aren't being applied because the distribution of knowledge, resources, and relativistic anvils from orbit are imperfectly distributed. To put it another way, the body is willing, so we've reduced it to the known-unsolved problem of politics and markets.

Oh and how do I know that Storm isn't the kind of knifey-spoony worm that it could be? It's on metafilter. A real worm could be a whole lot more subtle.
posted by Skorgu at 2:34 PM on October 15, 2007 [1 favorite]


hincandenza, you don't need to purchase a certificate: you can create self-signed ones.
posted by aye at 3:02 PM on October 15, 2007


Hincandenza, I may misunderstand you, but nonetheless I'll point out that a digital signature need not come from a third party authority. CAs and the like sell trust, not prime numbers. Anybody can generate a cryptographic key and use it to sign messages. The botnet hosts, unlike users of an e-commerce website, only need to verify that the message was signed with the expected key. They do not need to verify that the key belongs to anyone in particular.
posted by dreadpiratesully at 3:02 PM on October 15, 2007 [1 favorite]


That's the second time that's happened to me in this thread, and that time I even previewed. I give up.
posted by dreadpiratesully at 3:03 PM on October 15, 2007


Ya, self signed messages. Though you'd want to make sure to incorporate a required time stamp so that someone couldn't send out the same message and trigger a second round of attacks after you've collected your extortion money.
posted by Mitheral at 3:50 PM on October 15, 2007


From the article:
Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it.
Does he mean to say that antivirus companies are pretty much powerless to get everybody to correctly install antivirus programs and keep them up to date?

Or does he mean that my correctly installed, up to date antivirus program is pretty much powerless against an attempted infection of my machine?

If the latter, why?
posted by Flunkie at 3:58 PM on October 15, 2007


Does he mean to say that antivirus companies are pretty much powerless to get everybody to correctly install antivirus programs and keep them up to date?

Antivirus companies are pretty much powerless to get everybody to stop downloading and running untrusted programs from the Internet.
posted by oaf at 4:10 PM on October 15, 2007


I am sure this will never be used all at once. It will be harnessed in usable groups of PCs, and used to fuck with people and send out spam and do whatever it is the designers would like to do that day, and there won't really be anything anyone can do about it.

Which is sad, because I'd rather it melted the internet down, or at least the windows part of it. Just for a while, to shake some sense into the Redmond fuckwits that put it together, and the people who continue to use it in serious/critical applications.
posted by blacklite at 5:04 PM on October 15, 2007


Flunkie: The latter. Because it morphs too often.

The morphing is automated. "Powerless" is based on the assumption that the morphing patterns can't be divined or that it's not useful to divine them.
posted by lodurr at 5:39 PM on October 15, 2007


That doesn't seem right.

The virus companies have access to the code. Granted, it's machine code, and so more difficult to analyze, but that's what they're paid for.

And it morphs, sure, but in order to be useful, it has to morph such that its core functionality remains unimpaired.

And it's morphing in a way that is defined by its code itself.

It's not magic. This seems like an excuse.
posted by Flunkie at 6:34 PM on October 15, 2007


For those who prefer not to read:

The Other Bruce on Storm. No, not that Bruce.
posted by b1tr0t at 6:55 PM on October 15, 2007


That's funny. I'm sure AT&T is busy coming up with a great scheme to packet-shape my encrypted torrent and VOIP sessions, but applying that genius to worm networks is, for some reason, someone else's problem.

Packet shaping has been available in high-end routers for years. Backbones just aren't allowed to use it.

The interesting question is - suppose Cisco comes up with a solution to the Storm problem. will they maximize their income by offering it for sale now, or by waiting another year?
posted by b1tr0t at 7:04 PM on October 15, 2007


will they maximize their income by offering it for sale now, or by waiting another year?

It's kind of horrible that that's a viable question.
posted by oaf at 7:12 PM on October 15, 2007


Not to mention that techies and non-techies alike hate anything that is different than what they are used to.

Vista is different enough from XP that there is a real opportunity right now to persuade disgruntled forced-Vista users to give Ubuntu a whirl. If people are going to be forced to change anyway, it's been my experience that many of them are easily persuaded to change to something with better security and fewer hassles.

See all the UAC complaints in Vista. People don't even want security, even people who know better.

The reason people complain about User Annoyed Constantly is because it's really fucking annoying. I don't hear anywhere near the same level of vitriol in complaints about the Ubuntu administrative-tasks password prompt.
posted by flabdablet at 7:33 PM on October 15, 2007


Flunkie, I'm intuitively inclined to agree with you, but apparently it's a very hard problem.
posted by dreadpiratesully at 7:35 PM on October 15, 2007


dreadpiratesully: And it morphs, sure, but in order to be useful, it has to morph such that its core functionality remains unimpaired.

Absolutely. But if you can change up the presentation of the payload often enough -- mix and match, as it were -- and with enough variation, you can force the virus writers into a situation where they have to essentially be re-writing their product to deal with just you.

It's not the single technique that's killing the anti-malware efforts. It's the combination of techniques: The dizzying array of cheap shit. Just like guerilla warfare. Or just like the way a smart gang evades the cops.

Which brings us to another thing that Storm illustrates: It's comparatively easy to succeed at evil. [Note small-'e'.] All you've got to do is exhaust the resources of the good.
posted by lodurr at 2:57 AM on October 16, 2007


dreadpiratesully >> flunkie
(I have had my coffee, but it hasn't soaked in yet.)
posted by lodurr at 2:59 AM on October 16, 2007


And it morphs, sure, but in order to be useful, it has to morph such that its core functionality remains unimpaired.

And it's morphing in a way that is defined by its code itself.

It's not magic. This seems like an excuse.
posted by Flunkie at 6:34 PM on October 15
Trying to identify executables by signature or heuristically has only worked historically because virus writers were generally morons.

There are so many ways to get around it!

You can make a ~100-byte Win32 executable that downloads code from somewhere on the internet straight into memory and executes it. Because it's so small and simple (and doesn't actually contain anything obviously bad), it's very easy to mogrify completely without affecting its function.

You can encrypt the majority of the executable image with a relatively weak cipher, using a different key each time it's redistributed, and have a very small (and easily mogrified) stub that brute forces the encryption on the image.

Beginning to see why this is impossible, and why commercial Anti-Virus doesn't even defend against "yesterday's problem" anymore?
posted by blasdelf at 5:02 PM on October 16, 2007


dreadpiratesully: Hincandenza, I may misunderstand you, but nonetheless I'll point out that a digital signature need not come from a third party authority. CAs and the like sell trust, not prime numbers. Anybody can generate a cryptographic key and use it to sign messages. The botnet hosts, unlike users of an e-commerce website, only need to verify that the message was signed with the expected key. They do not need to verify that the key belongs to anyone in particular.
See, I meant to include the other case- hence the language "and its commands were signed with a valid authority"- but thought it would seem overly verbose at the time. Alas.

If the third party authority is NOT trusted- not a well-established cert authority, but one spun up by the virus writers to host certs for this purpose- then couldn't the attack vector of the "good guys" focus on THAT, as opposed to Storm itself? Then couldn't the solution be to collectively agree via DNS or routing that "evil untrusted cert authority" is actually hosted at Symantec, et al., or is simply black-holed so the Storm bots could never verify any new commands as "legit"? In that sense, they could "take over" the authority without much fear of unintended consequences, since it wasn't one of the established ones.

Plus, it would re-establish the "centralization" that is usually targeted when bringing down botnets. Storm is massively decentralized in terms of management, but our hypothetical untrusted cert authority is not; those server(s) are hosted somewhere, and managed by someone. Unless... well, unless Storm functions as its own cert authority, but that agains raises the first principle of who is the final authority on allowing actions- and thus, why couldn't we poison-pill Storm by using modified bots in the Storm cloud?
posted by hincandenza at 5:47 PM on October 16, 2007


Public key cryptographic signing doesn't work that way; there is no need for centralization.

To sum up: The authors of Storm create a public-private key pair. They embed the public key in the payload or distribute it on the internet (web/ftp/nntp/heck, even autoreply email). Then they "sign" all messages with their private key. Signing consists of taking a hash of the message contents and then encrypting the hash with the private key. The Storm nodes can verify that the Storm operators, and only the Storm operators [1], sent the message and also that it hasn't been tampered with during transmission. They do this by decrypting the hash with the public key. As long as a newly generated hash on the message is the same as the decrypted hash, Storm knows the message did indeed originate with the creators/operators.

Wikipedia has a fairly good layman's write-up with diagrams.

[1] As long as the private key is known only to the operators.
posted by Mitheral at 8:06 PM on October 16, 2007
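The scheme Mitheral sketches above (hash the command, sign the hash with a private key, let every node check it against an embedded public key) together with the timestamp/nonce he suggested earlier to stop a replay of an old command, as an added worked example that is not part of this thread and not Storm's code. The key material is constructed for the demo: two publicly known Mersenne primes and textbook RSA with no padding, chosen so the arithmetic runs offline and reproducibly. Raw RSA over a bare hash is not a safe real-world signature; a practitioner would use a vetted library (RSA-PSS or Ed25519). The `Node`, `make_command`, timestamps and nonces are hypothetical names for illustration.

```python
"""Signed, replay-protected commands: a toy model of the thread's discussion.

Constructed example. Textbook RSA with fixed Mersenne primes and no padding,
used ONLY to make 'hash, then encrypt the hash with the private key' concrete.
Never use this for real signing; use RSA-PSS or Ed25519 from a vetted library.
"""
import hashlib
import json
import time

# Constructed key material: Mersenne primes make the demo reproducible.
# Because they are public, this key pair is worthless except for illustration.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)    # embedded in every node / published anywhere
PRIVATE_KEY = (N, D)   # held only by whoever issues commands


def _digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer (smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """'Encrypt' the hash with the private key: the textbook RSA signature."""
    n, d = private_key
    return pow(_digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recover the hash with the public key and compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message) % n


def _canonical(body: dict) -> bytes:
    # Signer and verifier must hash byte-identical input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_command(cmd: str, ts: float, nonce: str, private_key=PRIVATE_KEY) -> dict:
    """Build a command envelope: body (with timestamp and nonce) plus signature."""
    body = {"cmd": cmd, "ts": ts, "nonce": nonce}
    return {"body": body, "sig": sign(_canonical(body), private_key)}


class Node:
    """A receiver that honours only fresh, correctly signed commands."""

    def __init__(self, public_key=PUBLIC_KEY, max_age_s: int = 300):
        self.public_key = public_key
        self.max_age_s = max_age_s
        self.seen_nonces = set()

    def accept(self, envelope: dict, now=None) -> bool:
        now = time.time() if now is None else now
        body = envelope["body"]
        if not verify(_canonical(body), envelope["sig"], self.public_key):
            return False      # forged, tampered, or signed with the wrong key
        if abs(now - body["ts"]) > self.max_age_s:
            return False      # stale: an old envelope replayed much later
        if body["nonce"] in self.seen_nonces:
            return False      # replayed inside the freshness window
        self.seen_nonces.add(body["nonce"])
        return True


if __name__ == "__main__":
    node = Node()
    env = make_command("report", ts=1_000_000.0, nonce="n1")
    print("fresh, valid  :", node.accept(env, now=1_000_010.0))
    print("same envelope :", node.accept(env, now=1_000_020.0))
    env["body"]["cmd"] = "stop"
    print("tampered body :", node.accept(env, now=1_000_010.0))
```

The last two checks are the thread's two points in one place: without the private exponent nobody else can produce a signature the node accepts (so a third party cannot push its own "uninstall"), and a captured envelope cannot be re-sent later because the nonce has been seen and the timestamp has aged out. Note that the public key itself is a fixed byte string in every node, which is flabdablet's observation that it doubles as something a scanner can look for.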


That could cut two ways. A well-known public key is a potential virus signature that can be searched for, even if the code has to be allowed to run in a sandbox to expose it.
posted by flabdablet at 10:18 PM on October 16, 2007


Ya I realised that which is why I added the internet key distribution vector. The ideal distribution method is NNTP. Widely distributed and supported. You can't just up and block 119/563 and the messages could be posted to practically any group as the keys could be steganographed in headers and the message body. Even places where only 80 is open wouldn't be safe as there are all sorts of usenet to web gateways, even google runs one. And of course key pairs are trivially easy to generate, the ops could have thousands of the things. You could use a rolling code system like garage door openers with lots of redundancy built in.
posted by Mitheral at 10:53 PM on October 16, 2007


The (obfuscated) attack vector could include instructions to generate a private/public keypair. The public key is then sent back to the infecting node, which is used to establish a symmetrically encrypted connection between the infecting node and the infected node. The public op-key can then be sent through this connection. Nothing detectable, besides the original (obfuscated) attack vector (which, it seems, can also be made effectively undetectable), ever needs to go through the wires in plaintext.
posted by Anything at 12:18 AM on October 17, 2007

