10/30/2007

There's a war going on

It's been a while since my last post. Nothing has changed much in the world of scams in general. But an incredible event took place during the first week of October and is still going on.
The Storm Botnet started an attack against anti-scam sites like 419Eater, Scamwarners and Artists Against 419.

To understand the meaning of this news I'll give you a brief overview of the Storm Botnet. It may sound to you like a science fiction tale, but it's true. A botnet is a network of computers under centralized control. That sounds like the description of almost any network of computers belonging to a particular organization. The main difference is that the computers in a botnet have been hijacked to take part in it. The second difference is that botnets like Storm have many millions of computers.

The Storm Botnet, also known as Zhelatin, is the largest botnet ever known. Its size is estimated in the millions because there's no way to know how many computers have been infected since its creation in January 2007. The objective of the botnet is to allow its owner to open as many sessions, from as many different origin IPs, as it has computers, and to do with those sessions virtually anything its owner wishes. Botnets are mainly used for spam, generating mail connections from so many different IPs that mail servers can't block them (blocking all of them would be like blocking everyone out of email), or for DoS (denial of service) attacks. A DoS attack simply opens connections to the target server until it becomes unusable. It doesn't matter how big your network infrastructure is: you only have resources for a limited number of connections and can serve a limited number of requests. You can add resources to increase that number, but it's going to be a finite number anyway. When one user has the power to generate many millions of connections at the SAME time, there's little chance your infrastructure is going to withstand it.

The first line of defense for a network/server infrastructure is the firewall. My own connection suffers attacks from time to time, not really dangerous ones, but sometimes they take too much bandwidth trying over and over again the same old tricks that they already know didn't work before. I can block the IP of the attacker and forget about it. If it bothers me too much, I can call my ISP and ask them to block it at the next router, and they can decide to block the IP even further up in the net. But we're talking about one IP, maybe two, maybe a dozen.
How do you deal with many millions? You can't.
You can't block that many IP numbers and, even if you could, your firewall is going to respond very slowly with a list of many million rules to check for every packet. It's not practical. And the packets are not easy to identify: a request for a session looks the same whether it comes from a botnet or from a regular user.
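To make the last point concrete, here is an added example (not code from the original post) that triages a constructed connection log two ways: the classic per-source rule that a firewall or rate limiter applies, and an aggregate view of the whole server. The log format (`<second> <source-ip>`), the addresses (taken from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) and the thresholds are all constructed assumptions. In the distributed flood every zombie opens a single connection, so no per-IP threshold is ever crossed and each request is indistinguishable from a legitimate one; only the total rate in that second gives the flood away. A single noisy abuser shows the reverse: the per-IP rule catches it while the aggregate view stays quiet.

```python
"""Added example (not code from the original post): connection-log triage
showing why per-source-IP blocking fails against a flood spread over many
addresses, while the aggregate connection rate still betrays it.

The log format, addresses and thresholds are constructed assumptions.
Each line is '<epoch-second> <source-ip>', one line per accepted connection.
"""
from collections import Counter

# Constructed sample: three legitimate clients (10.0.0.x) open three
# connections each in every one of seconds 1-4, then sixty distinct
# addresses from the 192.0.2.0/24 documentation range each open exactly
# one connection in second 5.
LEGIT = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
SAMPLE_LOG = [f"{t} {ip}" for t in range(1, 5) for ip in LEGIT for _ in range(3)]
SAMPLE_LOG += [f"5 192.0.2.{n}" for n in range(1, 61)]

# Constructed contrast case: the same legitimate traffic plus one address
# (198.51.100.0/24 documentation range) opening twenty connections in second 3.
SINGLE_ABUSER_LOG = SAMPLE_LOG[:36] + ["3 198.51.100.7"] * 20


def parse(lines):
    """Yield (second, ip) pairs from '<second> <ip>' lines; malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            yield int(parts[0]), parts[1]


def per_ip_offenders(lines, max_per_second=10):
    """Classic per-source rule: addresses exceeding max_per_second in any single second."""
    hits = Counter(parse(lines))  # (second, ip) -> connections
    return sorted({ip for (_, ip), n in hits.items() if n > max_per_second})


def aggregate_spikes(lines, factor=5):
    """Seconds whose total connection count exceeds `factor` times the median second.

    This looks at the server as a whole instead of at any one source, which is
    the only view in which a one-connection-per-zombie flood stands out.
    """
    per_sec = Counter(sec for sec, _ in parse(lines))
    median = sorted(per_sec.values())[len(per_sec) // 2]
    return sorted(sec for sec, n in per_sec.items() if n > factor * median)


def distinct_sources(lines, second):
    """How many different addresses connected during one second."""
    return len({ip for sec, ip in parse(lines) if sec == second})


if __name__ == "__main__":
    print("distributed flood, per-IP offenders:", per_ip_offenders(SAMPLE_LOG))
    print("distributed flood, spiking seconds: ", aggregate_spikes(SAMPLE_LOG))
    print("distinct sources in second 5:       ", distinct_sources(SAMPLE_LOG, 5))
    print("single abuser, per-IP offenders:    ", per_ip_offenders(SINGLE_ABUSER_LOG))
    print("single abuser, spiking seconds:     ", aggregate_spikes(SINGLE_ABUSER_LOG))
```

The aggregate check tells you that you are under attack and when, which is what capacity planning and upstream filtering need; it does not tell you whom to block, which is exactly the gap the post describes.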

A typical zombie PC is a computer belonging to an ordinary user connected to a broadband service. It may spend its whole life as a member of the botnet without its owner knowing it. And this makes an important difference from any other virus, worm or trojan. The botnet doesn't want your computer to fail, it doesn't want to take a look at your personal information, it doesn't want your computer to lose performance. Quite the contrary: the dream zombie for a botnet is a healthy, high-performance computer with a high-speed connection. This makes the infiltration very difficult to detect. Most viruses are reported because of the effect they have on the victim; when you don't have a problem, you don't have anything to report. Some of the variants of the Storm worm are known and included in anti-virus databases. But not all of them have been found: the botnet itself is being used to spread its own worm in new versions, and millions of computers are being used without any kind of protection.

Eventually, a zombie can be identified (there are millions of them, after all) and, once you get to it, it should be easy to watch it closely and trace the commands back to the owner of the botnet, shouldn't it?
No, it's not like that. The Storm Botnet uses p2p technology to communicate with its members. That means that once you get to one zombie you can watch closely, you're going to see traffic to other zombies. And when you get to them, you're going to see more zombies. The number grows fast, and by the time you have one connection that may lead to the owner, the number is so high you have no way to check them all. P2p is the technology used by BitTorrent and other file sharing systems that lets you get files from many different sources. It changes the concept from a client/server structure (connections many to one or one to many) to a distributed structure (connections many to many). Older botnets were not successful due to this small difference: they were traced to their owners pretty soon, while this one probably never will be.
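The tracing argument above, as an added example (not code from the original post) in the form of a toy model: two constructed overlays are built, one client/server where every zombie talks only to the controller, and one peer-to-peer where every zombie talks to a handful of random peers and the controller hides behind three ordinary-looking ones. Following observed traffic outward from a single watched zombie, the model counts how many new hosts appear at each hop, which is the pile of candidates an investigator would have to examine. The node names, topology, fan-out `k` and random seed are all assumptions; nothing here is measured from the Storm network.

```python
"""Added example (not code from the original post): a toy model of why a
captured zombie points straight at the controller in a client/server botnet
but only at an ever-growing crowd of peers in a peer-to-peer one.

The overlays, node names, fan-out `k` and seed are constructed assumptions.
"""
import random

CONTROLLER = "controller"


def centralized_overlay(n_zombies):
    """Old-style command and control: every zombie talks only to the controller."""
    peers = {CONTROLLER: set()}
    for i in range(n_zombies):
        peers[f"z{i}"] = {CONTROLLER}
        peers[CONTROLLER].add(f"z{i}")
    return peers


def p2p_overlay(n_zombies, k, seed=7):
    """Each zombie exchanges traffic with k randomly chosen peers; the controller
    sits behind three ordinary-looking peers instead of talking to everyone."""
    rng = random.Random(seed)
    names = [f"z{i}" for i in range(n_zombies)]
    peers = {z: set() for z in names}
    for z in names:
        for p in rng.sample(names, k):
            if p != z:
                peers[z].add(p)
                peers[p].add(z)  # observed traffic is visible from either end
    peers[CONTROLLER] = set(rng.sample(names, 3))
    for p in peers[CONTROLLER]:
        peers[p].add(CONTROLLER)
    return peers


def candidates_by_hop(peers, start, max_hops):
    """Follow traffic outward from one watched zombie.

    Returns a list where index h is the number of hosts first seen at hop h,
    i.e. the new candidates an investigator must examine at that depth.
    """
    seen = {start}
    frontier = {start}
    counts = [0]
    for _ in range(max_hops):
        frontier = {p for node in frontier for p in peers[node] if p not in seen}
        seen.update(frontier)
        counts.append(len(frontier))
    return counts


def hops_to_controller(peers, start, max_hops):
    """Hop depth at which the controller first appears among the candidates, or None."""
    seen = {start}
    frontier = {start}
    for hop in range(1, max_hops + 1):
        frontier = {p for node in frontier for p in peers[node] if p not in seen}
        seen.update(frontier)
        if CONTROLLER in frontier:
            return hop
    return None


if __name__ == "__main__":
    central = centralized_overlay(1000)
    mesh = p2p_overlay(1000, k=5)
    print("client/server, new hosts per hop:    ", candidates_by_hop(central, "z0", 2))
    print("client/server, controller seen at hop:", hops_to_controller(central, "z0", 2))
    print("p2p, new hosts per hop:              ", candidates_by_hop(mesh, "z0", 4))
    print("p2p, controller seen at hop:         ", hops_to_controller(mesh, "z0", 4))
```

In the client/server case the first hop yields exactly one host, and that host is the controller. In the peer-to-peer case the controller may well be among the hosts seen within a few hops, but it arrives in the company of hundreds of other zombies that look exactly like it, which is the "so high you have no way to check them all" problem the post describes.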

Here you can find more information about this attack: the Slashdot report (pretty small...), Spamnation, The High Weirdness Project. And for more on the botnet, here's a rather technical video from Help Net Security of how it spreads, and a video from FSLabs showing a surge in the spread of the worm (that may or may not be related to this attack).


It's known who owns the Storm Botnet. Maybe not identified down to the person or persons themselves, but to the group handling it. They are devoted mostly to spam services and banking fraud over the net. Their "formats" are mostly cell phone sales and service and overpaying for auctions. The reason for the attack is that they know that 419Eater is a place where baiters coordinate activities against them, Scamwarners is warning and giving advice to their victims, and Artists Against 419 is researching, reporting and shutting down their sites.
It's bad news and good news too, in a way. It shows that those activities are making a dent in the gang's operations.

The attack is still going on. It won't last; they never do that for long periods of time. This is the kind of attack that's done in waves, but even the waves have to slow down and stop eventually. Every packet sent gives more information that can be used to block them automatically. Every second the botnet is active, it opens the opportunity for a trace. It's unlikely that a trace is going to succeed, the odds seem to be on the gang's side, but the stakes are too high. The botnet is a very valuable asset and they're going to do anything to protect it, including giving up on this attack.

The good side is that the activities of the attacked sites are not going to stop. The attack may have damaged some baiting activities temporarily, but the warnings, the serious research, the identification and reporting of scam sites and other activities kept going on throughout the attacks. It's been more difficult at times, but not to the point of stopping it all. Most of the people I've contacted during the attacks felt encouraged by it. There are no feelings of defeat, nobody wants to quit, nobody wants a truce, nobody wants to take one step back. The scammers didn't win this battle and they never will. If something changes for them, it's going to be for the worse.

Visit the sites, support them, spread the word. If you're aware of the scam there's no way they're going to get you. Everyone who's warned about this is one less potential victim in the market. I hope someday we can take the whole market down.

Meanwhile, be careful out there because it's getting dangerous...

419 Eater
Scamwarners
Artists Against 419

1 comment:

Scoobie Davis said...

This is a very informative post. I blogmarked your site.