Dismantling the Storm Worm botnet

malware

Zero Day has an interview with German researchers who have found a way to take down the Storm Worm botnet. Their program, Stormfucker, takes advantage of flaws in Storm’s command network: Nodes that are NAT‘d only use a four-byte XOR challenge. Nodes that aren’t NAT’d are only using a trivial 64bit RSA signature. Their solution can clean infected machines and also distribute to other nodes. Unfortunately, installing software without the user’s consent is the exact same behavior as malware. Don’t expect to see this in any sort of widespread use. The researchers did point out that some ISPs have moved to shutting off service for infected customers until their machines are cleaned.

Comments

  1. _matt says:

    those crazy germans, cutting service off to infected customers.

  2. cde says:

    Viral Anti-Virus
    or
    Anti-Viral Virus?

    VAV or AVV for short. Whitehats to the rescue! (Or not. More like to the proof-of-concept! Some greyhats should take note)

  3. martinmunk says:

    So, what i don’t get is why they dont publish “stormfucker” and let random users who wants to fight storm run it. This way nobody will know who was actually “let it free” and we would hopefully destroy parts of storm.

    grats

  4. nebulous says:

    Or more to the point, why not just run it? Yes, it uses the same techniques to move about as malware, but it *isn’t* malware. Storm is bad not because it spreads in a viral manner, but because of the shit it pulls once installed.

    And given that this uses the storm mechanism to spread, won’t this already be stopped by whatever anti-malware software people may have installed, meaning only those already infected would be hit?

    I say, let loose the dogs of war.

  5. Coyotecom says:

    Well, I’m 100% behind the name at least. Here’s hoping it works.

  6. ragnar says:

    I’m against the use of this tool without users notice, you can never be sure not to destroy data on the target system by accident. What I am suggesting is that ISPs noticing 100% clear bot behaviour on IPs will reroute the next HTTP request to a warning site suggesting steps to get rid of the infection or call for service, then after say 20 seconds follow the original HTTP request. It could be seen as a self defense/prophylactics of that ISP, who knows if the next bot attack isn’t against a domain hosted by that ISP?

  7. TJHooker says:

    Old news. It’s the same deal with other botnets.

    What’s pathetic is the most effective propagation method is still email attachments. Also companies that lease botnet time aren’t prosecuted. So yeah, don’t look for it to go away, spam is epically profitable.

  8. loldongs says:

    there were debates about the ethics of a viral anti-virus in some early 90s x86 assembly textbook I had. the general consensus then was the same it is now, the idea is good in theory but because of the impossibility of testing in all system configurations, you could end up with the same bugs some viruses have, slowing down systems or corrupting data.

    this would really be more of an anti-worm worm by definition though, unless storm is infecting lots of executables on the same machine besides being a worm.

  9. TJHooker says:

    @loldongs: three reputable researchers have done this exact same thing with various botnets in the last 2 years. The red tape is the legality of running arbitrary code on remote machines.

    Even if they could, a new DNS system would be made making it harder, because spam is extremely profitable. If you look at the statistics these bot nets are mainly used for denial of service attacks and spam.

  10. TJHooker says:

    double post: What’s really hilarious is that any of us can go lease portions of the botnet right now, and nobody knows who controls it. yet you get DMCA letters for P2P downloads, and supreme court prosecutions for distributed soliciting while not under trademark.

  11. jude says:

    OMFG the fucking wanker geek squad want to fight with the evil storm worm. These so called researchers are the most disgusting scum of the community go back wank in the dark you retards instead of fight us. We will destroy you faggots.
    Until people make profit from storm worm like malware you won’t have a restfull night.

    You think you are the good guys and you want to make a cleaner internet when the whole world is a toilet more or less shit in it doesnt matter. Go fuck yourselves, you will lose at the end!

    Go back to the university suck more cock u are too dumb to grow up yet shitheads you don’t have the education of the street yet!

  12. anti-judge says:

    shut the fuck up jude

  13. jude's dad says:

    jude: finish your homework, and clean your room, or I’ll take your computer away!!

  14. Nox13last says:

    @Jude:
    I expect your extent of ‘teh streetz’ involves shagging anything that moves and fantastic use of a cocaine knife. Maybe you should stick to that?

    @:
    It’s not the first. At least one virus I’ve read about actually puts itself on your computer, patches your computer against it and another virus in the wild, then deletes itself completely. If your computer were to be infected by it again, it would look for the patch it made and delete itself again if it found it.
    How helpful, I like it.

  15. az says:

    @Jude:

    You hint that you are part of the botnet scene – but judging from the language used in your post I’m guessing you’re nothing to do with storm botnet. Writing that would take some skill.

    I’m guessing you’re just some kiddie with maybe a few zombies using rxbot or some other p.o.s malware trying to make yourself look “l33t”.

    You’re really not kidding anyone.

    Oh, and the researchers “don’t have the education of the street”? Computers aren’t the street. On computers you get flamed for a dumbass post like that. You did that to someone on the street and I’m fairly certain you’d get your kiddie ass kicked.

    :)

  16. matt says:

    @jude:

    oh dear, did sombody just get turned down a place at university?

  17. Wwhat says:

    Problem with your idea ragnar is that any sensible person would not believe such redirects, because that’s a known trick of viruses/worms, to fake being a helpful site or ‘alert’, like the famous ‘your IP is x.x.x.x, hackers can already start to attack you! install our crap now!’
    Let the ISP’s just send a regular snailmail.

  18. TJHooker says:

    @jude: Nice 4chan’ish troll. Something tells me you’re not capable of much else than what you’ve shown here.

    The truth is the control nodes are hidden behind hundreds of tiers of DNS and researchers can’t just break into the computers. Also in some aspect corporate governance is profiting off of the spam, so they won’t directly prosecute and interrogate the people charging for lease time on them, or the companies who pay to have their stuff advertised in the spam.

  19. nebulous says:

    Hey jude, don’t make it bad. Etc etc.

    My own ISP actually does detect botnet (and spambot) hosts, and disconnects a person’s internet access, by redirecting every HTTP request to a dummy site, and denying everything else. The page just tells people to call the ISP for help on getting unstuck, and the helpdesk can tell them to clean up their shit.

    I’m sorry to say I got stung by this. Had an old laptop working on an out-of-house connection, unfirewalled, for a bit. Picked up a bot, got it home, and started spamming from there. Easily and unavoidably fixed.

  20. Rob A says:

    @jude: yea i agree with everyone else, your retarded.

    I just sent this link to a prof. of mine at RIT. I took a malware class with him and we took a look at the storm bot. It was hard to analyze it because of its defensive mechanisms. If this stormfucker app really can beat it i say let people download it and opt in. I certainly would download it.

  21. Techninja says:

    I see why people would be hesitant to send this out because it may screw up some machines. But if the machine is susceptible to bots already, what guarantee that the system is working properly already? Or that some other piece of malware won’t break it anyway..

  22. jude says:

    JUDE HERE, HAHAHA DISREGARD THAT, I SUCK COCKS

  23. hazed says:

    Sucks for the malware writers. Cool concept though. It really puts meaning to “fighting fire with fire”.

  24. Devin Broggee says:

    //test @jude 0.o” wtf

  25. imanerd11 says:

    definitely a 4chan troll.

    people will more likely and willingly listen to facts than emotional and blind flaming rant.

    facts can be thrown farther than flaming arrows. they’re your best weapon.

    I definitely agree on letting us individual white [or even for some of us, gray] hats opt-in to destroy the botnet. on the other hand, there’s the downside that if just absolutely anyone whatsoever is allowed to participate, what’s to stop blackhats as well, maybe some HF skiddies who can’t even spread jokes for RATs like Plasma, to harness the power of “real” botmasters’ spread-work in establishing storm network, and using it for the same purposes, only a new assistant manager in charge of that department? if it’s not at least even semi-restricted, it can fall into the wrong hands.

    on the other hand, the same can be said with malware shares within whitehat communities and even hat-agnostic communities, which, yes I take part in and do share with other whitehats and grayhats for the sole purpose of infosec research and reverse engineering, prevention, etc.,and most like xylitol, believe despite it being a double-edged sword, cutting both ways, it’s a gamble worth betting on for the betterment of technology.

    does anyone see it this way? just curious.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 93,813 other followers