THE INFAMOUS and rather destructive Storm Worm botnet has been blown open. A team of researchers from the University of Bonn and RWTH Aachen University has shown that it is not as invincible as once thought.
Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser have developed software, which they have partially disclosed, that they claim can rapidly dismantle the Storm Worm botnet.
The Storm Worm has been causing havoc for over two years, turning more than a million computers into drones. Following a clean-up run by Microsoft's Malicious Software Removal Tool that fell well short of wiping it out, around 100,000 drones still remain.
So how did these researchers do it?
They began by disassembling large parts of the drone client's machine code, analysing it and looking closely at the routines that handle communication between a drone and its command servers.
With that understanding they built their own client, which joins the Storm Worm's peer-to-peer overlay like any other node. Storm's overlay is derived from the Overnet implementation of the Kademlia distributed hash table, so drones locate their controllers by looking up keys in the overlay rather than by contacting a fixed address. Once the researchers' node is inside, it can answer the lookups that existing drones perform when they search for new command servers, and so steer them to a server of the researchers' choosing.
The next step was to analyse the protocol by which commands are passed and to direct the drones to a simple server under their own control. That gave them a platform on which to write a program capable of shutting down the Storm Worm network completely.
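The mechanism described above, as an added toy simulation that is not the researchers' code and not the real Storm protocol: a drone derives its daily lookup keys from the date plus a small counter and searches a distributed hash table for them, while a defender who has read the client's code computes the same keys and publishes a sinkhole under every one of them before the operator does. The key derivation, the `KEY_SLOTS` constant, the host names and the command strings are all assumptions made for illustration.

```python
"""Toy model of capturing a P2P botnet's rendezvous keys (added example).

Assumptions not taken from the article: the bot derives its daily lookup
keys from the date plus a slot counter, the overlay is a key -> values
store, and a drone takes the first answer it gets.  Everything is in-memory.
"""
import hashlib
from datetime import date
from typing import Dict, List, Optional

KEY_SLOTS = 32  # hypothetical number of rendezvous keys a bot may try per day


def rendezvous_keys(day: date, slots: int = KEY_SLOTS) -> List[str]:
    """Keys a drone looks up on a given day. Placeholder derivation: SHA-1 of
    the date and a slot counter. The property that matters is that anyone who
    has disassembled the client can compute the same keys in advance."""
    return [hashlib.sha1(f"{day.isoformat()}:{i}".encode()).hexdigest()
            for i in range(slots)]


class ToyDHT:
    """Stand-in for the peer-to-peer overlay: key -> values in publish order."""

    def __init__(self) -> None:
        self.store: Dict[str, List[str]] = {}

    def publish(self, key: str, value: str) -> None:
        self.store.setdefault(key, []).append(value)

    def lookup(self, key: str) -> List[str]:
        return list(self.store.get(key, []))


def bot_find_controller(dht: ToyDHT, day: date) -> Optional[str]:
    """A drone tries today's keys in order and takes the first answer it gets."""
    for key in rendezvous_keys(day):
        hits = dht.lookup(key)
        if hits:
            return hits[0]
    return None


def bot_fetch_command(controllers: Dict[str, str], address: str) -> Optional[str]:
    """Simulated command channel: each controller hands out one command."""
    return controllers.get(address)


def sinkhole_publish(dht: ToyDHT, day: date, sinkhole: str) -> int:
    """Publish the sinkhole under every key the drones will search on `day`.
    Returns how many of those keys now resolve to the sinkhole; the defender
    should check that this equals KEY_SLOTS before relying on the takeover."""
    for key in rendezvous_keys(day):
        dht.publish(key, sinkhole)
    return sum(1 for k in rendezvous_keys(day) if sinkhole in dht.lookup(k))


def demo() -> Dict[str, object]:
    dht = ToyDHT()
    today = date(2009, 1, 10)  # constructed date for the simulation
    controllers = {                # hypothetical hosts and commands
        "sinkhole.example": "uninstall",
        "cnc.example": "send-spam",
    }

    # Because the derivation is known, the sinkhole claims the day's keys first.
    claimed = sinkhole_publish(dht, today, "sinkhole.example")
    # The operator publishes later, and only under a few of the keys.
    for key in rendezvous_keys(today)[:4]:
        dht.publish(key, "cnc.example")

    controller = bot_find_controller(dht, today)
    command = bot_fetch_command(controllers, controller) if controller else None
    return {"keys_claimed": claimed, "bot_controller": controller,
            "command": command}


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is that once the rendezvous keys are predictable, whoever publishes first and everywhere controls where the drones go; the check in `sinkhole_publish` matters because any key left unclaimed is one the real operator can still use. What the toy leaves out is equally important: if the operator cryptographically signs the control data the drones retrieve, occupying the rendezvous points alone does not let a third party issue commands, and redirecting real infected machines raises exactly the legal problem discussed below.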
There is a catch, however. The team has not tested this against the live Storm Worm botnet, because doing so could expose them to legal liability.
Redirecting and cleaning infected machines means accessing third-party computers and altering data on them, which could fall afoul of the law. Although a prosecution would only arise if someone complained, which seems unlikely, they are unable at present to go ahead with eliminating the botnet.
On the bright side, at least they have worked out how to do it.
Source: Heise
It's a shame they didn't do it, really, because now the C&C will probably modify it with stronger encryption or something.
I mean, the bad guys will infect all those zombies with some other_not_yet_disassembled_malware
:/
That's all this is about: legal issues preventing right from wrong.
I agree with George. Since this has now become public, the said "bad guys" will react with joy at the attention and create a further hindrance for our interwebs.
I believe the internet is an open world. No one is to own it, but at any time war may break out. Who's to say if the governments should control our internet? But as I see it, power comes from control. So let hackers have power over hackers, and may they find alliance with our nation.
It's like the good guys are being forced to fight blindfolded with one arm tied behind their backs.
If the MS removal tool reduced the botnet from more than 10^9 zombies to about 10^5 zombies, how can you call it surprisingly unsuccessful?
I call that four orders of magnitude.
Why don't they just give the solution to Microsoft? They alter our machines every time they release a patch...
The publishers gave a talk around Christmas at the Chaos Communications Congress.
They took down nodes live, but only a local node.
The reason for not taking down the net (which they've almost fully developed) is the legal one. They can't legally modify people's computers.
The researchers are part of !EOF (European Friendly Hackers).
Unfortunately, I do see the reason that they do not bring down the botnet. I do like the idea of giving the information to Microsoft to find a way to send it out on a Patch Tuesday, with a licensing agreement of the kind MS is so famous for. But what I would REALLY like to see is for someone to finger, with a great degree of accuracy, the perpetrators of the code, so the angry mobs (flaming torches and pitchforks mandatory) can rip them out of their comfy homes at some ungodly hour of the day and make them run a gauntlet of victimized computer owners armed with various blunt instruments, some pointy sticks, and rocks of various sizes. This would be much better and more satisfying than prison time, unless you can send them to some third-world country and imprison them there.
Just a thought.
I agree with what you'd REALLY like to see happen to these hackers but it's probably highly unlikely.
If found, these <insert hackers will probably just go to jail and/or have to pay a heavy fine.
Laws only keep people who will follow them in line. What should happen is a federal pardon for this team of researchers and give them the blessing of the government to take the botnet down. The botnet is a network of machines that are not the physical property of the operators of the botnet anyway, so who's breaking any laws?
We need more of this to fight back against botnets and spam, a virtual war so to speak. Members of our population should be allowed to take offensive action against these rogue networks, instead of everyone wasting their money on defences.
If researchers become too good at eliminating botnets they will run out of funding, so it is in their interest to give the "bad guys" another chance. If they really wanted to get rid of the botnet they could "accidentally" let it rip. I mean, who's really going to complain? Find your bollocks and let it rip!