Re: "Storm Worm Botnet Partitions May Be Up For Sale" (slashdot)

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 10/22/07, Paul Vixie <paul () vix com> wrote:
> "There is evidence that the massive Storm Worm botnet is being broken up into
> smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU
> power is up for sale to spammers and denial-of-service attackers. The latest
> variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey
> peer-to-peer traffic, meaning that each node will only be able to communicate
> with nodes that use the same key. This effectively allows the Storm author to
> segment the Storm botnet into smaller networks. This could be a precursor to
> selling Storm to other spammers, as an end-to-end spam botnet system, complete
> with fast-flux DNS and hosting capabilities."
>
> http://it.slashdot.org/article.pl?sid=07/10/16/155209

They better hurry up and sell it before its gone :-)

http://www.pcworld.com/article/id,138721-c,virusesworms/article.html

The Storm Worm's days may be numbered, according to a University of
California researcher.

Brandon Enright, a network security analyst at UC San Diego, has been
tracking Storm since July and said that, despite the intense publicity
that the network of infected computers has received, it's actually been
shrinking steadily and is presently a shadow of its former self. On
Saturday, he presented his findings at the Toorcon hacker conference in
San Diego.

Storm is not really a computer worm. It's a network of computers that
have been infected via malicious e-mail messages, and are centrally
controlled via the Overnet P-to-P protocol. Enright said he has
developed software that crawls through the Storm network and he thinks
that he has a pretty accurate estimate of how big Storm really is.

Some estimates have put Storm at 50 million computers, a number that
would give its controllers access to more processing power than the
world's most powerful supercomputer. But Enright said that the real
story is significantly less terrifying. In July, for example, he said
that Storm appeared to have infected about 1.5 million PCs, about
200,000 of which were accessible at any given time.

Enright guessed that a total of about 15 million PCs have been infected
by Storm in the nine months it has been around, although the vast
majority of those have been cleaned up and are no longer part of the
Storm network.

Since July, it's been downhill for Storm. That's when antivirus vendors
began stepping up their tracking of Storm variants and got a lot better
at identifying and cleaning up infected computers, Enright said.

Then on September 11, Microsoft added Storm detection (Microsoft's name
for Storm's components is Win32/Nuwar) into its Malicious Software
Removal tool, which ships with every Windows system. Overnight, Storm
infections dropped by another 20 percent.

Today, Enright said that Storm is about one-tenth of its former size.
His most recent data counts 20,000 infected PCs available at any one
time, out of a total network of about 160,000 computers. "The size of
the network has been falling pretty rapidly and pretty consistently," he
said.

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.