forkb0mb.org - Worms

Move Over Storm

nospam@example.com (TJE) — Wed, 09 Apr 2008 03:03:10 -0400

Move Over Storm - There's a Bigger, Stealthier Botnet in Town

Researches have unearthed what they say is the biggest botnet ever. It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network.

Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of PCs running anti-virus products are detecting the malware. Just as a con artist might throw off detectives by changing his hair color or other physical characteristics, Kraken's ability to morph its code base has allowed it to evade the majority of malware detectors.

/*
Looks like polymorphism is becoming almost a necessity for malware authors. Great for avoiding AV, IPS, IDS, etc.
*/

In addition, the code inside the executable file that infects a PC has been arranged in a way that makes it hard for malware analysis tools to accurately disassemble the malicious program.

"It raises the question of whether this basically has been authored specifically with anti-virus evasion in mind," Royal added.

/*
Gee, you think? It's fairly pointless to write malware that doesn't try to evade detection.
*/

Kraken's primary activity is sending spam that advertises high-interest loans, male-enhancement techniques, fake designer watches and gambling opportunities. Damballa has observed as many as 500,000 pieces of junk mail being sent from a single zombie.

/*
This should make it a little easier to spot these zombies than they're letting on. If you've got a box on your network that's hammering tcp/25 around the clock, you might have a trojan. Checking your local mail server logs for high-volume users would probably also tip you off.
*/

[Storm] has clearly been eclipsed by Kraken, which on March 25 was observed to have compromised 409,912 unique IP addresses during a 24-hour period. Royal predicted the number will grow to more than 600,000 in the next two weeks.

Royal says he's still trying to figure out how the bot is managing to horn its way on to so many machines, many of which are behind well-fortified networks of some of the world's biggest companies.

"Somehow, this thing is evading the canonical defense techniques that the enterprises use," such as intrusion detection systems and intrusion prevention systems, he said. "It should be caught by IDSes, IPSes and firewalls and it's not."

/*
It's finding it's way into so many machines because most users are stupid, fact of life. They click on every object claiming to show them naked pictures of their favorite celebs.

The polymorphism is what's allowing it to slip past AV, IDS, and IPS. The idea started with viruses back in the early 90s; it's been used in shellcode to avoid IDS/IPS detection; and now it's making it's way back to the malware community.
*/

FreeBSD: Virus Scanning

nospam@example.com (TJE) — Sun, 18 Nov 2007 21:41:29 -0500

FreeBSD: Virus Scanning

This article outlines how to setup virus scanning using AMaViS (A Mail Virus Scanner), ClamAV, and Postfix. The actions describe below are particular to a FreeBSD system and are applicable to other operating systems by altering the path to the configuration files, and adjusting for other OS-specific issues.

What? Virus scanning on non-windows? Well, yes. My mail server happens to be running FreeBSD. It also happens to have many clients which are running Windows. Let's just stop the viruses before they get past my mail servers. Thank you. :)

This article is written as a reminder to me for the next time I configure virus scanning with amavisd. It is very high level.

/*
A great article on how to implement a secure anti-virus email gateway. Better to block the virus before it gets to the user's PC, thus saving bandwidth and reducing the reliance on the user to do the right thing.

The majority of email-borne viruses have required some form of user intervention, such as clicking on the attachment. If you value your bandwidth and mail server resources, it's always a good idea to filter as much junk as you can before it reaches the end-user.
*/

Storm Worm Botnet More Powerful than Top Supercomputers

nospam@example.com (TJE) — Fri, 07 Sep 2007 08:53:22 -0400

Storm Worm Botnet More Powerful than Top Supercomputers

The Storm worm botnet has grown so massive and far-reaching that it easily overpowers the world's top supercomputers.

That's the latest word from security researchers who are tracking the burgeoning network of Microsoft Windows machines that have been compromised by the virulent Storm worm, which has pounded the Internet non-stop for the past three months.

/*
Ahem... "Microsoft Windows machines." I guess that rules out anything on my network as being infected. ;)
*/

"In terms of power, the botnet utterly blows the supercomputers away," said Matt Sergeant, chief anti-spam technologist with MessageLabs, in an interview. "If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it."

Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity.

"We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see," he said, noting he suspects the botnet could be as large as 50 million computers. "That means they can turn on the taps whenever they want to."

/*
If these numbers are more than just FUD by the security industry to sell Anti-Virus and crappy personal firewalls, then this is certainly alarming. A bot-net of 2 million computers can still send a flood of traffic. Let's do the math, shall we?

We'll assume that due to bandwidth limitations, being that most of these "bots" are PCs on broadband connections, we'll say that we've got 256k upstream.

256 kbps * 2,000,000 computers = 512 Gbps of traffic.

If we double that upstream cap to 512kbps, which is not uncommon, our potential traffic is now 1 Terabit per second!

Now if we consider that there could be as many as 50 million computers, with an average upstream of 512 kbps, we end up with a figure like this:

512 kbps * 50,000,000 computers = 25 Terabits per second, or 25,000 Gbps, or 25,000,000 Mbps. Holy NetFlow, Batman!

Another thing worth considering is the raw computing power. I'm thinking something along the lines of the distributed.net project. How secure is your encryption scheme? This would definitely be enough processing power to brute-force even large key-length algorithms. distributed.net used your spare CPU cycles, i.e., when you're not using the computer. Someone with enough disregard to install remote-control software on your PC for financial gain surely won't care if you're busy or not, they'll be busy hammering away at blocks of crypto keys.
*/

Sourcefire Acquires ClamAV

nospam@example.com (TJE) — Wed, 22 Aug 2007 11:04:29 -0400

Sourcefire Acquires ClamAV

Sourcefire, a maker of intrusion detection products, announced on Friday that the company had acquired the intellectual property and copyrights to the open-source antivirus project, ClamAV, from five key developers.

...

"Sourcefire pioneered the business of balancing commercial solutions with open source innovation, and we intend to apply those same Snort sensibilities to the ClamAV project," Roesch said in a statement.

/*
This basically sounds like they're going to ruin ClamAV like they've done with Snort. My guess is that ClamAV will not be available for free, at least not the fully capable version, for much longer. You may end up being able to download and install/run a binary version of ClamAV with half the features missing; or just having to come up with the cash to license it legit.
*/

Some more information in regards to the purchase of ClamAV. I think this guy says it best:

Anybody feels like placing bets on how long it’s going to take SourceFire to pull the same trick with ClamAV signatures they pulled with Snort signatures where you’ll need to “conveniently” license the signatures from SourceFire to have the latest ones to be properly protected :-)

The engine source code will be useless if you don’t have the very latest AV sigs…

Battle of the Botnets

nospam@example.com (TJE) — Tue, 15 May 2007 10:47:44 -0400

Battle of the Botnets

For the average user spam has always been an annoyance. For the average spammer it has always been about making money. For the criminal gangs that have muscled in on this lucrative industry during the last few years it is now about territory and control. Control, that is, of the botnets behind the malware distribution networks that they rent out to the spamming middle men to enable them to ply their trade in relative safety from the crippled arm of the law.

/*
This article is a pretty interesting read on the current use of botnets. I remember the days when exploitation was for knowledge, for the challenge of getting into a system. You bring money into the picture and it loses all it's fun. :(

I have to say, I really agree with "shamgar" on his comments at the bottom of the page.
*/

With Exploits Out, MS Braces for Worm Attack

nospam@example.com (TJE) — Fri, 11 Aug 2006 19:50:41 -0400

With Exploits Out, MS Braces for Worm Attack

A network worm attack exploiting a critical Microsoft Windows vulnerability appears inevitable, security experts warned Aug. 10.

Just days after the Redmond, Wash., software maker issued the MS06-040 bulletin with patches for a "critical" Server Service flaw, Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.

Even before the release of Microsoft's patch, the US-CERT (Computer Emergency Readiness Team) warned that the flaw was being used in targeted attacks and that the appearance of public exploits is a sure sign that a worm attack is imminent.

/*
Looks like the next Worm du Jour. Go figure...
*/