PC World - Internet Public Enemy #1
Wed, Oct 24th, 2007
A vastly powerful new supercomputer is on the loose. With more than a
million CPUs and a petabyte of RAM, it completely dwarfs its
next-largest competitor, IBM's BlueGene/L, which contains a paltry
128,000 processing cores and 32 terabytes of memory. And the new
supercomputer is growing larger every day.
There's just one problem. This powerhouse isn't run by a university, or
IBM, or a government agency. It's the Storm Worm botnet, capable of
sending staggering amounts of spam and viruses around the globe, and
launching devastating attacks against security researchers or anyone
else who might oppose it.
A botnet (short for "robot network") is a corralled network of
computers that are infected by bot malware and can be remotely
controlled by a single individual. Estimates vary, but security
researchers believe that the Storm Worm has anywhere between 1 and 10
million PCs unwillingly dancing to its tune.
Peter Gutmann, a computer scientist with the University of Auckland in
New Zealand, notes that real supercomputers would likely outperform
Storm's distributed network in traditional supercomputer benchmarking.
But "where Storm leaves every conventional supercomputer in the dust is
in terms of the sheer hardware resources (number of CPUs, amount of
memory, and network bandwidth) at its disposal," he wrote in an e-mail.
Those network connections, likely numbering in the millions, are the
most valuable resources for the crooks behind Storm. Botnet
controllers, or "bot herders," sell their botnets' spam-sending or
Internet attack services for a fee on the Internet underground. The
more PCs and network connections a botnet has, the more spam or
denial-of-service attack traffic it can send, and the more money it can
make.
Who's behind the Storm Worm? No one knows for sure. Researchers at
Finnish security firm F-Secure believe, for a few reasons, that the
masterminds are Russian. They use a domain and host out of the
notorious Russian Business Network. Inside their code, they refer to
their hatred of Moscow-based security firm Kaspersky Lab. And some of
their software uses the word bydloshka, which F-Secure researchers
believe is a derivative of buldozhka, a Russian term of affection that
translates roughly to "bulldog."
Cunning Defense
Whoever is controlling the massive botnet is managing its spread and
defense with great sophistication. They frequently change the
well-crafted e-mail messages that trick users into installing the
virulent bot. After warnings went out about a late-summer wave of fake
e-card notes, Storm's e-mail shifted in September to messages that
pretended to promote Tor, a legitimate anonymous-surfing application.
The fake Tor e-mail used text and images from the actual Tor Web site,
but any recipient who followed the download link and double-clicked the
resulting tor.exe file installed Storm instead.
And once it has control of a PC, Storm will fight to maintain it.
According to Paul Sop, CTO of Prolexic, which defends business clients
against the type of Internet attacks that botnets launch, security
researchers who investigate Storm-infected machines can expect swift
retaliation.
"The Storm Worm [botnet] has the ability to defend itself," Sop
explains. "When you scan it, it will tell another portion of the botnet
to DDoS you." In a DDoS, or distributed-denial-of-service attack, a bot
herder instructs some or all of the botnet to send a flood of garbage
data to a particular victim. And often that flood is enough to knock a
Web site offline, or to take down a researcher's Internet connection.
Storm is the only botnet Sop knows of with this kind of automated
self-defense. What's more, it's sneaky about how it executes that
defense. It won't launch the attack from the same machines that are
scanned, or even from ones with similar IP addresses, since that would
make the attack's cause immediately apparent. Instead, it passes the
researcher's network address along to other parts of the Storm botnet,
so the DDoS attack appears to come from somewhere else.
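To make the retaliation pattern Sop describes concrete, here is an added example, written for this reprint rather than taken from PC World or Prolexic, that correlates an outbound scan with an inbound flood arriving shortly afterwards and then checks whether any flood source shares a /24 with a host that was scanned. The flow-record format, the addresses (drawn from documentation and benchmarking ranges), the ten-minute window and the flows-per-second threshold are all constructed assumptions; a real deployment would feed it NetFlow, sFlow or firewall logs and tune the threshold to its own link.

```python
"""Correlate an outbound scan with a retaliatory inbound flood.

Added example, not from the PC World article or from Prolexic. The flow
format, addresses and thresholds below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

OUR_IP = ipaddress.ip_address("198.51.100.7")  # assumed researcher host

# Constructed sample flows, "<ISO time> <src> <dst> <bytes>" (not real traffic).
# 09:50  an unrelated inbound flow, before any scan
# 10:00  we probe three suspected bots in 203.0.113.0/24
# 10:04  a flood arrives from several other /24s, none of them probed
SAMPLE_FLOWS = """\
2007-10-24T09:50:00 192.0.2.99 198.51.100.7 500
2007-10-24T10:00:00 198.51.100.7 203.0.113.10 60
2007-10-24T10:00:01 198.51.100.7 203.0.113.11 60
2007-10-24T10:00:02 198.51.100.7 203.0.113.12 60
2007-10-24T10:04:00 192.0.2.21 198.51.100.7 1400
2007-10-24T10:04:00 192.0.2.22 198.51.100.7 1400
2007-10-24T10:04:00 198.18.5.9 198.51.100.7 1400
2007-10-24T10:04:00 198.18.77.3 198.51.100.7 1400
2007-10-24T10:04:00 198.19.1.1 198.51.100.7 1400
2007-10-24T10:04:00 192.0.2.23 198.51.100.7 1400
2007-10-24T10:04:01 192.0.2.21 198.51.100.7 1400
2007-10-24T10:04:01 198.18.5.9 198.51.100.7 1400
2007-10-24T10:04:01 198.19.1.1 198.51.100.7 1400
2007-10-24T10:04:01 198.18.77.3 198.51.100.7 1400
2007-10-24T10:04:01 198.19.44.8 198.51.100.7 1400
"""


def parse_flows(text):
    """Parse the constructed format into (time, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(nbytes)))
    return records


def find_scans(records, our_ip, min_targets=3, window=timedelta(seconds=60)):
    """Return (start_time, targets) for each burst in which our_ip contacted
    at least min_targets distinct hosts within `window` (assumed heuristic)."""
    outbound = sorted((t, dst) for t, src, dst, _ in records if src == our_ip)
    scans, i = [], 0
    while i < len(outbound):
        start, targets, j = outbound[i][0], set(), i
        while j < len(outbound) and outbound[j][0] - start <= window:
            targets.add(outbound[j][1])
            j += 1
        if len(targets) >= min_targets:
            scans.append((start, frozenset(targets)))
        i = j
    return scans


def detect_retaliation(records, our_ip, scan_time, scanned_hosts,
                       window=timedelta(minutes=10), flows_per_sec=5):
    """Look for an inbound flood to our_ip within `window` after scan_time.

    Per the article, Storm floods from bots other than the ones probed, so
    the report also records whether any source shares a /24 with a scanned
    host ("indirect" is True when none does)."""
    counts, sources = defaultdict(int), set()
    for t, src, dst, _ in records:
        if dst == our_ip and scan_time <= t <= scan_time + window:
            counts[t] += 1          # flows per one-second bucket
            sources.add(src)
    peak = max(counts.values(), default=0)
    report = {"scan_time": scan_time, "peak_flows_per_sec": peak,
              "flood": peak >= flows_per_sec, "sources": set(),
              "source_nets": set(), "overlap": set(), "indirect": False}
    if not report["flood"]:
        return report
    scanned_nets = {ipaddress.ip_network(f"{h}/24", strict=False) for h in scanned_hosts}
    report["sources"] = sources
    report["source_nets"] = {ipaddress.ip_network(f"{s}/24", strict=False) for s in sources}
    report["overlap"] = {s for s in sources if any(s in n for n in scanned_nets)}
    report["indirect"] = not report["overlap"]
    return report


def analyze(text, our_ip=OUR_IP, flows_per_sec=5):
    """Detect scans we launched, then check each for a retaliatory flood."""
    records = parse_flows(text)
    return [detect_retaliation(records, our_ip, start, targets, flows_per_sec=flows_per_sec)
            for start, targets in find_scans(records, our_ip)]


if __name__ == "__main__":
    for r in analyze(SAMPLE_FLOWS):
        print(f"scan at {r['scan_time']}: flood={r['flood']} peak={r['peak_flows_per_sec']}/s "
              f"sources={len(r['sources'])} nets={len(r['source_nets'])} "
              f"overlap={len(r['overlap'])} indirect={r['indirect']}")
```

On the constructed sample the script finds one scan at 10:00, a flood peaking at six flows per second four minutes later, seven distinct sources spread over five /24s, and no overlap with the scanned range, which is exactly the indirect pattern the article attributes to Storm. The overlap check is the useful part: a flood that does come from the hosts you just probed is simpler to explain, while one from unrelated ranges right after a scan is the signature worth alerting on.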
The Storm Worm has become so ubiquitous, it's even a star on YouTube,
where an F-Secure video that shows the worm's spread around the globe has
been viewed more than 850,000 times. (Check out the comments, where
you'll find some viewers who are convinced that the worm was created by
extraterrestrial forces.)
To help ensure that you don't become the next cog of the vast Storm
Worm wheel, use a good antivirus program, and keep your applications
up-to-date. The Storm Worm and other such malware frequently exploit
known holes in old versions of software such as Internet Explorer,
Firefox, QuickTime, and even WinZip to infect PCs.
Also, exercise extreme caution with any unsolicited e-mail, even if it
appears to come from someone you know. And finally, to help determine
whether your computer might have already joined the ranks of the living
dead, see "Proper ID for a Zombie PC."
About Prolexic:
Prolexic Technologies provides cutting edge solutions that protect
Internet operations from the debilitating service disruptions caused by
DDoS attacks. Prolexic's patent-pending Clean Pipe Virtual Transport(R)
network offers solutions that keep its clients' Internet-facing
infrastructures free of DDoS traffic. Without making major adjustments
or multimillion-dollar investments in their existing hardware
infrastructures, Prolexic's customers rest assured that their network
borders are secure and can thus focus on what is really important:
their businesses. More information about Prolexic is available at
www.prolexic.com
"The problem of web attacks is increasing and we are committed to providing our customers with the highest level of protection possible. We chose to work with Prolexic to offer this, because they have the strongest expertise in the field of DDoS and the most dynamic solution to handle the range of attacks we have seen in past months."
Warren K. Liu, CTO IP-Converge