

Storm worm gains strength

By Jake Edge
August 29, 2007

Spam rates are rising, rapidly, with a lot of the blame being placed on the "storm worm." The worm is targeted at PCs, to build an enormous botnet for purposes that can only be speculated upon. Estimates of the size of the botnet vary, but it is probably fair to say that millions of machines are infected. Interestingly, the techniques used to propagate the worm are evolving and some defense mechanisms are emerging.

The storm worm has been with us since January; its name stems from the subject line of the earliest emails that propagated it, and it has attacked in multiple waves of spam since then. It uses the simplest of all infection techniques: tricking recipients into running a program. Those programs, which, from all reports, only run on Windows, then install various kinds of malware, including programs that connect the machine to a massive botnet.

At its root, the storm worm uses various "social engineering" tactics to convince people either to open an executable attached to the email or to visit a website and download software from there. Several different messages have been tried recently: electronic greeting cards, welcome messages from various "groups" (Wine Lovers, Poker Players, etc.) and, most recently, one that claims to be a pointer to a YouTube video showing you or your family. These messages have been pumped out at enormous rates by the botnet as it tries to grow bigger.

Some defensive behavior has been noted as well. When infected machines are scanned for vulnerabilities or malware, they sometimes react by calling in a distributed denial-of-service (DDoS) attack on the scanning machine. The main concern is for academic networks that sit directly on the internet; machines behind firewalls are generally protected, unless a significant part of the botnet also lives behind the same firewall.

These evolving tactics and defensive measures are not being implemented for fun. The botnet herders probably have a plan for using such a huge botnet; the only question is: for what? The most likely explanation is DDoS attacks on targeted sites, quite possibly to get paid to stop, which is also known as extortion. They presumably also get paid to send spam (other than the spam used to grow the botnet itself), but extorting money from sites that depend on traffic is probably much more lucrative.

Unlike other botnets, storm's does not rely on a single central server that can be shut down, destroying the botnet. Instead it uses peer-to-peer technology, distributing its command-and-control infrastructure throughout the network, which makes it much more difficult to combat. That, coupled with the furious spamming and the defensive responses, makes this the most robust botnet we have seen yet.

While this particular attack does not appear to affect Linux users directly, we should not be resting on our laurels. Linux users likely have a higher clue level, overall, than Windows users, but that level is dropping. As Ubuntu and other desktop, newbie-oriented distributions gain ground, the average computer literacy of the Linux community drops. There is no defense, other than educating users, against folks who download random things and run them on their computer. If the storm botnet herders decide they need even more machines for their plan for total world domination, they might just turn to Linux.

Comments (18 posted)

New vulnerabilities

bugzilla: several vulnerabilities

Package(s): bugzilla    CVE #(s): (none assigned)
Created: August 28, 2007    Updated: August 29, 2007
Description: This Bugzilla security advisory covers several vulnerabilities in Bugzilla 2.20.4, 2.22.2, and 3.0.
Fedora FEDORA-2007-1853 bugzilla 2007-08-27

Comments (1 posted)

id3lib: insecure tmpfile creation

Package(s): id3lib    CVE #(s): CVE-2007-4460
Created: August 27, 2007    Updated: October 2, 2007
Description: The RenderV2ToFile function in tag_file.cpp in id3lib (aka libid3) 3.8.3 allows local users to overwrite arbitrary files via a symlink attack on a temporary file whose name is constructed from the name of a file being tagged.
Debian DSA-1365-3 id3lib3.8.3 2007-10-02
Gentoo 200709-08 id3lib 2007-09-15
Mandriva MDKSA-2007:180 id3lib 2007-09-12
Debian DSA-1365-2 id3lib3.8.3 2007-09-09
Debian DSA-1365-1 id3lib3.8.3 2007-09-01
Fedora FEDORA-2007-1774 id3lib 2007-08-23

Comments (none posted)

opera: multiple vulnerabilities

Package(s): opera    CVE #(s): CVE-2007-4367 CVE-2007-3929 CVE-2007-3142 CVE-2007-3819
Created: August 23, 2007    Updated: February 27, 2008
Description: The Opera browser has multiple vulnerabilities. The JavaScript engine is vulnerable to a virtual function call on an invalid pointer that can be triggered by specially crafted JavaScript. A freed pointer in the BitTorrent support may be accessed; this can be used for malicious code execution. The browser is vulnerable to several memory read protection errors. There are URI display errors that can be used to trick users into visiting arbitrary web sites.
SuSE SUSE-SR:2007:015 PHP, moodle, tomcat5, lighttpd, asterisk, libarchive, xpdf, evolution, kvirc, wireshark, gd, opera, clamav, gimp 2007-08-03
SuSE SUSE-SA:2007:050 opera 2007-08-30
Gentoo 200708-17 opera 2007-08-22

Comments (none posted)

pam_ssh: authentication restriction bypass

Package(s): pam_ssh    CVE #(s): CVE-2007-0844
Created: August 27, 2007    Updated: August 29, 2007
Description: The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the allow_blank_passphrase option is disabled, allows remote attackers to bypass authentication restrictions and use private encryption keys requiring a blank passphrase by entering a non-blank passphrase.
Fedora FEDORA-2007-1793 pam_ssh 2007-08-23

Comments (none posted)

po4a: information leak

Package(s): po4a    CVE #(s): CVE-2007-4462
Created: August 27, 2007    Updated: September 14, 2007
Description: This update fixes a potential security problem (information leak) due to the use of a predictable file name in /tmp.
Gentoo 200709-04 po4a 2007-09-13
Fedora FEDORA-2007-1763 po4a 2007-08-23
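The id3lib and po4a entries above are the same class of bug: a temporary file in a shared directory whose name another local user can predict (id3lib derives it from the name of the file being tagged). The following is an added example, not code from LWN, id3lib or po4a, showing the weak pattern next to the hardened one in Python. It builds a constructed scenario in a private directory: a symlink is planted at the predictable name, a plain open() follows it and overwrites the target, while an open with O_CREAT|O_EXCL (plus O_NOFOLLOW where available) refuses the pre-existing entry; the helper names are this example's own.

```python
"""Added example (not from the LWN page, id3lib or po4a): predictable temp
file names vs. exclusive creation with an unpredictable name."""
import os
import secrets
import shutil
import tempfile


def predictable_tmp_path(source_path, tmpdir="/tmp"):
    """The weak pattern: derive the temp name from the file being processed.
    Anyone who can guess source_path can pre-create a symlink at the result."""
    return os.path.join(tmpdir, os.path.basename(source_path) + ".tmp")


def open_exclusive(path):
    """Open `path` for writing only if nothing exists there yet.
    O_CREAT|O_EXCL makes an existing entry (file or symlink) an error, and
    O_NOFOLLOW, on platforms that have it, never follows a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def open_private_tmp(tmpdir, prefix="work-", attempts=100):
    """The hardened pattern: a random name, exclusive creation, mode 0600.
    Returns (fd, path); a name collision just means trying another name."""
    for _ in range(attempts):
        path = os.path.join(tmpdir, prefix + secrets.token_hex(8))
        try:
            return open_exclusive(path), path
        except FileExistsError:
            continue
    raise RuntimeError("could not create a temporary file")


def demo():
    """Constructed scenario in a fresh private directory. Returns
    (weak_open_followed_symlink, exclusive_open_refused, private_file_mode)."""
    tmpdir = tempfile.mkdtemp()
    try:
        victim = os.path.join(tmpdir, "song.mp3")       # the file being "tagged"
        target = os.path.join(tmpdir, "important.txt")  # what the symlink points at
        with open(target, "w") as f:
            f.write("original contents\n")

        planted = predictable_tmp_path(victim, tmpdir)
        os.symlink(target, planted)  # constructed: symlink already at the guessable name

        # Weak pattern: open() follows the symlink and clobbers the target.
        with open(planted, "w") as f:
            f.write("overwritten\n")
        with open(target) as f:
            weak_followed = f.read() == "overwritten\n"

        # Hardened open at the very same path: the existing entry is an error.
        try:
            os.close(open_exclusive(planted))
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True

        # Hardened pattern proper: unpredictable name, private permissions.
        fd, path = open_private_tmp(tmpdir)
        mode = os.fstat(fd).st_mode & 0o777
        os.close(fd)
        os.unlink(path)
        return weak_followed, exclusive_refused, mode
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print(demo())
```

In real code the standard library's `tempfile.mkstemp()` / `NamedTemporaryFile()` already do what `open_private_tmp()` does; the point of spelling it out is that the fix is exclusive creation with an unguessable name, not merely a less obvious name.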

Comments (none posted)

star: directory traversal vulnerability

Package(s): star    CVE #(s): CVE-2007-4134
Created: August 28, 2007    Updated: October 23, 2007
Description: Star saves many files together into a single tape or disk archive, and can restore individual files from the archive. Star supports ACLs. Version 1.5a84 fixes a directory traversal vulnerability.
Gentoo 200710-23 star 2007-10-22
Foresight FLEA-2007-0051-1 star 2007-09-06
Red Hat RHSA-2007:0873-01 star 2007-09-04
Fedora FEDORA-2007-1852 star 2007-08-27

Comments (none posted)

sylpheed: format string vulnerability

Package(s): sylpheed    CVE #(s): CVE-2007-2958
Created: August 28, 2007    Updated: October 26, 2007
Description: Ulf Harnhammar (Secunia Research) has discovered a format string vulnerability in sylpheed and claws-mail, in the inc_put_error() function in src/inc.c, when displaying a POP3 error reply. The problem can be exploited by a malicious POP3 server via specially crafted POP3 server replies containing format specifiers. See this Secunia advisory for more information.
Gentoo 200710-29 sylpheed 2007-10-25
Fedora FEDORA-2007-2009 claws-mail 2007-09-04
Fedora FEDORA-2007-1841 sylpheed 2007-08-27

Comments (none posted)

tar: symlink path traversal vulnerability

Package(s): tar    CVE #(s): CVE-2007-4131
Created: August 23, 2007    Updated: December 28, 2007
Description: The tar utility has a symlink path traversal vulnerability involving extracted archives. Maliciously created tar archives can be used to write arbitrary data to files that the tar user has write access to.
Debian DSA-1438-1 tar 2007-12-28
Gentoo 200709-09 tar 2007-09-15
Mandriva MDKSA-2007:173 tar 2007-09-04
Fedora FEDORA-2007-683 tar 2007-08-30
SuSE SUSE-SR:2007:018 clamav, RealPlayer, pfstools, vim/gvim, tar/star, nfsidmap 2007-08-31
Fedora FEDORA-2007-1890 tar 2007-08-29
Ubuntu USN-506-1 tar 2007-08-28
rPath rPSA-2007-0172-1 tar 2007-08-25
Foresight FLEA-2007-0049-1 tar 2007-08-27
Red Hat RHSA-2007:0860-01 tar 2007-08-23
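The tar advisory above describes the symlink variant of path traversal: an archive first creates a symlink pointing outside the extraction directory, then a later member "inside" that symlink is written through it. The following is an added example, not code from LWN, GNU tar or any distribution, of a pre-extraction audit in Python. It walks the members in archive order, records the symlinks it would create, and resolves every later path component by component against them, the way the kernel would on the extracted tree, rejecting anything that would leave the destination. The archive is constructed in memory for the demonstration, and all function names are this example's own.

```python
"""Added example (not from the LWN page or GNU tar): audit a tar archive for
members that would write outside the destination, directly or via symlinks."""
import io
import posixpath
import tarfile


def resolve(path, links, limit=64):
    """Resolve `path` against the symlinks recorded so far (archive path ->
    raw link target). Components are walked physically: a link is replaced by
    its target components relative to the link's parent, so '..' after a link
    climbs from the target, not from the link. Returns the in-tree path, or
    None if any step would leave the destination root or loop."""
    stack = []
    todo = [p for p in path.split("/") if p not in ("", ".")]
    steps = 0
    while todo:
        steps += 1
        if steps > limit:
            return None  # symlink loop
        part = todo.pop(0)
        if part == "..":
            if not stack:
                return None  # climbs above the destination directory
            stack.pop()
            continue
        stack.append(part)
        cur = "/".join(stack)
        if cur in links:
            stack.pop()
            todo = [p for p in links[cur].split("/") if p not in ("", ".")] + todo
    return "/".join(stack)


def audit_tar(data):
    """Return (accepted, rejected): accepted is a list of (member, resolved
    destination), rejected a list of (member, reason). Refuse the whole
    archive if rejected is non-empty; a skipped link changes what later
    members mean."""
    links, accepted, rejected = {}, [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf:
            parent = resolve(posixpath.dirname(m.name), links)
            if parent is None:
                rejected.append((m.name, "path escapes destination"))
                continue
            if m.issym():
                dest = posixpath.join(parent, posixpath.basename(m.name))
                if m.linkname.startswith("/"):
                    rejected.append((m.name, "absolute symlink target"))
                    continue
                if resolve(posixpath.join(parent, m.linkname), links) is None:
                    rejected.append((m.name, "symlink target escapes destination"))
                    continue
                links[dest] = m.linkname
            else:
                # Follow links on the final component too: writing onto an
                # existing symlink is treated as writing to its target.
                dest = resolve(m.name, links)
                if dest is None:
                    rejected.append((m.name, "path escapes destination"))
                    continue
                if m.islnk() and resolve(m.linkname, links) is None:
                    rejected.append((m.name, "hard link target escapes destination"))
                    continue
            accepted.append((m.name, dest))
    return accepted, rejected


def build_demo_archive():
    """Constructed sample archive: benign members, an in-tree symlink that is
    fine, and the CVE-2007-4131 pattern of an escaping symlink, plus a plain
    '..' member and an absolute symlink target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)

        add_file("project/README", b"hello\n")
        add_symlink("project/lib", "../shared")        # stays inside the tree
        add_file("project/lib/helper.py", b"ok\n")      # lands in shared/helper.py
        add_symlink("project/escape", "../../../../tmp")  # leaves the tree
        add_file("../outside.txt", b"plain traversal\n")
        add_symlink("project/abs", "/etc")
    return buf.getvalue()


if __name__ == "__main__":
    for row in audit_tar(build_demo_archive()):
        print(row)
```

Note that cleaning up ".." lexically before extraction is not enough once symlinks are involved: with `project/lib -> ../shared` and `shared/up -> ..` recorded, a member named `project/lib/up/../x` normalizes lexically to `project/lib/x` but resolves physically to the parent of the destination, which is why `resolve()` never collapses ".." ahead of time. On Python 3.12 and later, `extractall(filter="data")` performs checks of this kind in the standard library.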

Comments (none posted)

wordpress: cross-site scripting

Package(s): wordpress    CVE #(s): CVE-2007-4139
Created: August 29, 2007    Updated: August 29, 2007
Description: A cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php.
Fedora FEDORA-2007-1885 wordpress 2007-08-29

Comments (none posted)

xterm: local user unauthorized access

Package(s): xterm    CVE #(s): CVE-2007-2797
Created: August 27, 2007    Updated: November 15, 2007
Description: Previous versions of the xterm package assigned incorrect ownership and write permissions to pseudo-terminal devices, permitting local users to direct output to other users' xterm sessions.
Red Hat RHSA-2007:0701-02 xterm 2007-11-15
rPath rPSA-2007-0169-1 xterm 2007-08-23
Foresight FLEA-2007-0048-1 xterm 2007-08-23

Comments (1 posted)

Page editor: Jake Edge

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds