Forgot your password?
typodupeerror
The Internet Security IT

Storm Botnet Subsides For Now 90

Posted by timothy
from the wait-until-weather-2.0 dept.
Stony Stevenson points out an iTnews Australia story about the decline of the biggest botnet of recent times, excerpting "The Storm botnet decreased to just five percent of its original size during April, but overall web-based malware levels increased by 23.3 percent, new monitoring data reveals. MessageLabs' Intelligence Report for April 2008 said that new malicious software removal tools aimed at removing Storm infections were responsible for the sudden reduction in Storm-infected computers." According to their estimate, Storm-compromised computers are now down to about 100,000 rather than numbers closer to two million.
This discussion has been archived. No new comments can be posted.

Storm Botnet Subsides For Now

Comments Filter:
  • I know at one point they were supposing that they were going to sell parts of Storm's Botnet...

    Could this just be the result of that?
    • I know at one point they were supposing that they were going to sell parts of Storm's Botnet... Could this just be the result of that?

      No. The real reason is that people are finally moving over to Vista, which is of course stopping storm dead in its tracks with UAC.

  • Now batting...

    [Insert next bot name here]
  • People finally switching to Linux.

    Well, one can hope.

    • by gad_zuki! (70830)
      No, its because MS put an anti-storm package in its recent patch tuesday.

      I'm still curious about all this web-based junk. Why dont all web site operators do some kind of malware/virus scan nightly. Hell ClamAV is free, although I'm not sure if it detects these kinds of things.
      • by Megane (129182)
        Maybe because the "junk" is merely cross-site scripting links to the actual sites hosting the malware? I'm not sure that ClamAV is smart enough to go through a MySQL database looking for weblinks to "ka3122ha1.net", etc.
        • by gad_zuki! (70830)
          Yeah but my understanding is that a lot of the sites doing the hosting are in themselves compromised on the user level. On the system level the admins could be running anti-virus. The real downside is that they have no incentive to do this, which is a shame.
    • Why would they switch to Linux when all they need to do is run an update... It is like moving to fort knox where all you needed to do was change the lock on your doors.
      • Because fort knox has faster internet.
      • by cmacb (547347)

        It is like moving to fort knox where all you needed to do was change the lock on your doors.

        No, I think it's more like moving to a gated community vs changing the lock on your doors every day or two.
      • by WNight (23683)
        Because the lock failed to provide security before. Replacing it with a nearly identical part isn't going to do much in the long run.
    • People finally switching to Linux.

      Well, one can hope.


      You realize that if the entire world switched to *nix tomorrow, you would have almost the same level of virus, spyware, and malware infections, right? The botnets would still exist, and probably in the same numbers you are seeing today.

      It will probably ruffle some feathers, but the problem isn't MS products, its user knowledge and ability. While MS has produced some craptacular software, most of the problem is people using computers that don't ha
      • by Monsuco (998964)

        Half the reason *nix is so 'secure' is because it is more daunting for idiots to use.
        Yes, I am sure it has nothing to do with decent user permissions and holes being patched quicker.
  • It would behoove people to leave their computers off overnight unless they have a compelling reason for leaving them on. Not only does it waste electricity, it also enables many computers to be used as spambots. If instead of banning incandescent light bulbs, Congress had told the American people to turn off their computers overnight, we would have been able to take out two birds with one stone.
    • Re: (Score:3, Interesting)

      by MightyYar (622222)
      I'm one of the guilty ones, and the reason is really stupid.

      I run a tiny PHP application that automatically shares any photos stored in my pictures folder, so that I don't have to upload anything to get an online photo album, and I don't have to abandon the 10-year-old system I have of dumping photos into directories by date/event.

      A simple rsync might do it, but many of my pictures are in TIFF format from scans and collectively are too big to host anywhere affordable. Plus the little PHP script also shares
      • In addition to some HTTP services, i'm also seeding on bittorrent 24/7. I wonder how many bittorrent client have a "power off after downloading" feature?
        • by MightyYar (622222)
          I keep thinking that I should get one of those cheap network appliances and run my persistent stuff from that. I doubt it'll handle on-the-fly photo conversion, but it might be worth the try.
        • by maxume (22995)
          utorrent has a wide range of shutdown options. Shutdown when everything complete(I think this waits until the seed ratio hits 1), hibernate when complete, shutdown when downloads complete, etc.
      • So, I've been slowly writing a script that converts anything in the pictures folder into jpegs and THEN uploads them... but I've been working on that for quite some time now and still haven't finished.

        You mean like this?

        for i in *tiff; do convert "$i" $(basename "$i" .tiff).jpg; done
        • by MightyYar (622222)
          Thanks, figured that part out already :) I can convert the video, too.

          It also has to be smart enough to only upload things that are new or have changed, and delete things that are gone.
          • by barzok (26681)
            rsync?
            • by MightyYar (622222)
              rsync would work straight out of the box if I didn't need to convert the TIFFs to JPG and the huge MPG videos to smaller mp4s.

              Someone suggested using the make system together with rsync. I hadn't thought of that, but it looks like it would first make a local copy so I'll have to weigh it against disk space usage.

              And then, of course, I'd need to find a super-cheap host that supports rsync.

              If flickr supported more than 90 seconds of video, I would probably just do that.
              • by WNight (23683)
                Dreamhost is fairly good - they fix their problems, refund overbillings politely, respond to email. You should be able to find a "promo code" for the first year almost for free.
    • The bulk of computers (not to mention continuously lit lights) are in offices, not in peoples homes. They are frequently left on for virus scanning, updates, and backup purposes. Congress needs to speak to the American corporations moreso than the American people.

      Furthermore, if they want us to turn our computers off, then they need to dramatically cut down the time it takes to boot up.
      • by tokul (682258)

        They are frequently left on for ... backup purposes.
        Wake-on-lan. Shutdown when backup is finished.
        • by RulerOf (975607)
          Unless you know something I don't, Wake-on-lan isn't a very well implemented feature of corporate networks. I don't know what exists in the linux world, but in the Microsoft world, if you could marry DHCP's MAC records and the appropriate DNS records *and* make WOL (and perhaps BIOS boot order) configurable through Group Policy *and* shove it all into an MMC with AD support, I could totally see that happening.

          As it stands, you can't even do something as simple as right click an MS DHCP lease and convert i
          • by tokul (682258)

            It does not depend on OS. Wakeonlan depends only on hardware. I am doing backups that way, because I am too lazy to watch how hundreds gigs of data are backuped after working hours. It takes hours even on gigabit network.

            "Leave computers turned on" policy fails to eliminate most vulnerable part of backups. Human factor.

            • by RulerOf (975607)
              WOL is a hardware function, true, but it'd be much nicer to browse an AD OU, right click a computer, see if it is online, and if it isn't, see if it's at least plugged into the network, and then WOL it with a button in a contextual menu. Currently, if you want to WOL a machine on a network, you have to look it up its MAC address in a DHCP console, and use a third party program to wake it.... Plus, I think it would need to be on the same subnet as the WOL broadcast... my point is that full scale WOL acros
      • by maxume (22995)
        You just accidentally implied that Congress should make our computers boot faster.
        • by tepples (727027)

          You just accidentally implied that Congress should make our computers boot faster.
          Wouldn't that fit into the "Energy Star" program?
      • by Shados (741919)
        Sleep and/or Hibernate, depending on usage. Computer usuable within -seconds- from hitting the switch. Power usage minimal (or none).
      • I remember a time when the university my mom works at started telling everyone to leave their computers ON to save power. The issue (this was many a year ago so certainly some things have changed) then was that booting up took more power.
        I think another thing to consider is the enormous strain on the grid at 8am when everyone shows up for work and starts booting up their computers. Leaving computers on, but turning off the monitor and turning out the overhead lights would make a difference, as well as kee
      • by GooberToo (74388)
        Congress needs to speak to the American corporations moreso than the American people.

        You are correct, but that is only a drop in the bucket. Office buildings typically leave theirs lights on to ensure they use MORE energy so they can qualify for various bulk discounts. In other words, for most office buildings in the US, it is actually cheaper to use more energy than it is to conserve.

        If Congress needs to speak to anyone, it's the power companies and their huge efforts to ensure corporate conservation does
    • by RulerOf (975607)
      /agree

      I started shutting my machine(s) down whenever I'm not using them for more than an hour or so, and the savings on the power bill are enormous.

      I also think the ban on incandescent bulbs is ridiculous, because TCO on incandescent vs. CFL is obvious to just about anyone, meaning simple economics could solve what congress decided we needed a bill to do instead. Furthermore, there are very, very simple things that incandescent bulbs can do that CFL's *never* will. Working properly with a dimmer is one
      • by michrech (468134)
        There are CF bulbs that work properly with dimmers. They are usually slightly more expensive than a non-dimmer CF bulb, but they exist.

        /agree

        I started shutting my machine(s) down whenever I'm not using them for more than an hour or so, and the savings on the power bill are enormous.

        I also think the ban on incandescent bulbs is ridiculous, because TCO on incandescent vs. CFL is obvious to just about anyone, meaning simple economics could solve what congress decided we needed a bill to do instead. Furthermore, there are very, very simple things that incandescent bulbs can do that CFL's *never* will. Working properly with a dimmer is one very simple example.

        • by RulerOf (975607)

          There are CF bulbs that work properly with dimmers.

          I was kind of half-truthing that, I know that dimmable CFL's exist, but from what I understand, they suck. A lot. :P
      • Don't worry, mercury poisoning will kill us all off before anyone realizes how stupid that ban is.

        Congress's unintended consequences are getting ridiculous. I find it hard to believe they can even pretend they are acting in the interests of this country and its citizens. These days, when Congress "fixes" a problem, we are lucky indeed if they don't make it worse.

    • Some /. article about Hard Drives recently had a comment that mentioned thermal fluctuations from power cycling led to a decrease in life span. I have no idea if this is true or not, there was no FA to RT concerning the post.

      Besides, how can I help find aliens if I can't let my seti work overnight as a screen saver?

    • It would behoove people to leave their computers off overnight unless they have a compelling reason for leaving them on. Not only does it waste electricity, it also enables many computers to be used as spambots. If instead of banning incandescent light bulbs, Congress had told the American people to turn off their computers overnight, we would have been able to take out two birds with one stone.

      Then what? Turn power plants off during the night. The problem is not power consumption during the night, it's ex

  • I assume that means the remaining .05 computer is running DOS 5.0 and programmed using QuickBasic.
  • All this means is that the number of computers that are showing the world that they are infected has decreased.

    For all we know, Storm has begun morphing and is not being detected in as many computers. There is nothing that says Storm can't be replaced, or hasn't been.

    No car analogy, but this is like saying that the number and frequency of active earthquakes is down to 3% of average for this time of year. WTF

    I'm not saying that we should see more Storm bots, just that not seeing them does not mean they are n
    • by Thelasko (1196535)

      There is nothing that says Storm can't be replaced, or hasn't been
      ...by Kraken
      There, fixed it for ya!

      I believe you are 100% correct. Storm "subsides" just as this "new" botnet appears. The botnet operator just upgraded to version 2.0.
  • Storm had a good run but I'm sure eventually fixes will be found for all of these botnets. It's kind of like drug dealers and our war on drugs. We go out and shut down a smuggling/selling ring only to have another pop up in its place to take over that market we shut down. It's the same thing with botnets, as we shut down things like Storm another will pop up in its place, i.e. Kraken. As long as there is a demand for malicious use of these botnets, there will always be a supplier.
  • All this is hardly surprising - there is a straightforward evolutionary arms race between the black and white hats. Faster cheetahs mean faster gazelles and vice-versa. Ironically, although I am no fan of any form of malware, there is a positive aspect in that necessity is the mother of invention. The rise in computing 'exteligence' - to use a term developed by Terry Pratchett - that is a direct result of the need to either overcome the rise in malware, or, alternatively overcome the rise in protection, is
    • Isn't this an Intelligently Designed arms race? I mean, it's not as if random code on one computer suddenly because a self-replicating botnet or anything. Someone did design it.
  • I have never seen a particular example of a machine taken by Storm or the type of work done on that machine: server? some forgotten old machine in the corner of the big office?

    Is there an analysis of typical owner of such machine?
    • by prshaw (712950)
      Since Storm was spread through social engineering it stands to reason that the machines taken over by it are machines with active users at the keyboard reading email.

      It was spread by sending massive numbers of email asking a user to click on a link that would install the program. It was not a true 'worm' that could spread by itself, it required the user to actually click on a link in an email, and then say run the program.

      Why did it spread so much? They picked timely, and valid, subjects. Around holidays th
      • by mapkinase (958129)
        Thanks for the answer, but I still feel unsatisfied. I guess I needed the answer that could help me to "visually generalize" the type of people who do things like that, so I can visually spot them on the pedestrian crossings and run them over.
  • Victory or Defeat? (Score:3, Interesting)

    by MozeeToby (1163751) on Thursday May 01, 2008 @11:04AM (#23263434)
    Is this really a sign of victory or defeat? If the article had said that storm decreased to 5% its largest size because of such and such efforts it would be a victory but it doesn't say what caused the reduction. It seems to imply that Storm is being removed by other malicious software, not the efforts of researchers.

    For all we know this is just the operators of Storm paring down the system to a more usable, less scary size or hibernating large portions of the network so that if a bot killer is implemented they still have 95% to recover. It could also be the "selling off" that everyone was talking about earlier except instead of selling the botnets power they actually sold off access to the computers themselves (We'll open the backdoor to install your software then remove ourselves so you have freedom to act). Unless they can find a good reason that the network is shrinking this actually makes me more nervous, not less.
    • by sshock (975534)

      It seems to imply that Storm is being removed by other malicious software, not the efforts of researchers.
      When the article says "new malicious software removal tools", I think it refers to something like Microsoft's Malicious Software Removal Tool, not other malicious software.
    • by kasot (1274250)
      That's what I'm thinking too. Storm were getting too much attention, so the owners portioned it. Nobody needs a 2 million botnet (unless you're taking down Google or a whole country). A 100k botnet is likely to be able to take down any website, and is capable of sending out massive amounts of spam. So they may be renting out some of these or selling them.
    • by gad_zuki! (70830)
      This was done with MSRT via patch tuesday. Some details here:

      http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080958 [computerworld.com]

    • by Tofflos (942124)

      it doesn't say what caused the reduction
      It's mentioned in the first paragraph of the article and then again in the second sentence of the Slashdot summary. Here it is again so you don't have to scroll all the way up to the top:

      malicious software removal tools aimed at removing Storm infections were responsible for the sudden reduction in Storm-infected computers
  • It seems to me that the simple fix still remains out there yet no one wants to do it.
    If we can detect the size of the botnet, it stands to reason you can probably identify which machines are part of this botnet by watching their traffic patterns. Any responsible ISP should immediately block the service of any customer whose machine appears to be a part of this botnet (with a very simple process to demonstrate that its not in the case of a false ID and/or that you've cleaned your machine). ISPs should then t
    • It's a simple fix, and also a stupid one. This would cripple the internet, and make people furious with their ISPs (I, for one, would immediately switch providers if they blocked my access under such a pretext). ISPs that did not take such action would gain a huge market share, and you'd be back where you started.

      And, seriously, the internet works: the web works, email works--we don't need draconian measures to stop botnets. They're the cost of doing business.
      • by crossmr (957846)
        The internet is a community. Not your personal playground. If you're part of the community and your machine has be compromised to cause damage to other people who are part of that community there is no good reason that you can give for why you should be permitted to be part of that community until you fix your machine.

        If you have the technical knowledge to be partaking in an activity that might resemble botnet behaviour, you'd also be smart enough to to let your ISP know of this and they could flag your mac
        • by IonOtter (629215)
          You have to keep in mind that ISP's don't deal with "techies", since most techies are savvy enough to fix 99% of their own problems.

          What they have to deal with are the clueless users, grandmas and busy people who have neither the time nor the inclination to understand anything other than point-and-click.

          And those clueless users comprise nearly 90% of their userbase.

          Cutting off those clueless users would be tantamount to corporate suicide. Much like British Telcom found out back in 2001 with the outbreak of
          • by crossmr (957846)
            That's kind of my point. Since most of the users aren't technical any activity that looks like a botnet is probably a botnet.

            As for BT they failed because they were a lone wolf. Users had alternatives. This has to be a universal fix. Users will be lazy if you give them the chance. If they have nowhere else to go they'll fix their machines. Have a blitz campaign on phishing and malware under the pretext that the new rules would be coming in X days, weeks, whatever.
            It wouldn't be much for most ISPs to set up
  • What's the updated size of Skynet now?

No hardware designer should be allowed to produce any piece of hardware until three software guys have signed off for it. -- Andy Tanenbaum

Working...