From eugen@leitl.org Wed Jan 2 12:48:15 2008
From: Eugen Leitl
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: Storm, Nugache lead dangerous new botnet barrage
Date: Wed, 02 Jan 2008 12:48:15 +0000
Message-ID: <20080102174637.GR10128@leitl.org>

----- Forwarded message from Brandon Enright -----

From camera_lumina@hotmail.com Fri Jan 11 11:02:46 2008
From: Tyler Durden
To: cypherpunks-legacy@lists.cpunks.org
Subject: RE: Storm, Nugache lead dangerous new botnet barrage
Date: Fri, 11 Jan 2008 11:02:46 +0000
In-Reply-To: <20080102174637.GR10128@leitl.org>

Someone want to explain this? Does Storm exchange keys on behalf of the infected hosts? Why encrypt the traffic?
-TD

> Date: Wed, 2 Jan 2008 18:46:37 +0100
> From: eugen(a)leitl.org
> To: cypherpunks(a)al-qaeda.net; info(a)postbiota.org
> Subject: Re: Storm, Nugache lead dangerous new botnet barrage
>
> ----- Forwarded message from Brandon Enright -----
>
> From: Brandon Enright
> Date: Tue, 1 Jan 2008 02:02:24 +0000
> To: cryptography(a)metzdowd.com
> Cc: bmenrigh(a)ucsd.edu
> Subject: Re: Storm, Nugache lead dangerous new botnet barrage
> Organization: UCSD ACS/Network Operations
> X-Mailer: Claws Mail 3.2.0 (GTK+ 2.12.1; i686-pc-linux-gnu)
>
> On Fri, 28 Dec 2007 09:06:44 -0800 or thereabouts "' =JeffH '" wrote:
>
> > Storm, Nugache lead dangerous new botnet barrage
> > By Dennis Fisher, Executive Editor
> > 19 Dec 2007 | SearchSecurity.com
> > ,00.html?track=NL-358&ad=614777&asrc=EM_NLN_2785475&uid=1408222>
> >
> > ...snip...
>
> Storm made a pretty significant comeback this week:
>
> http://noh.ucsd.edu/~bmenrigh/stormdrain/stormdrain.enctotal_encactive.html
>
> Note that those graphs are *only* from the peers that speak encrypted
> Overnet. If you include all the legacy Storm bots out there that still
> speak the unencrypted variant Storm is getting back up to its heyday
> size.
>
> Brandon
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
>
> ----- End forwarded message -----
> --
> Eugen* Leitl leitl http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
From coderman@gmail.com Fri Jan 11 14:08:06 2008
From: coderman
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: Storm, Nugache lead dangerous new botnet barrage
Date: Fri, 11 Jan 2008 14:08:06 +0000
Message-ID: <4ef5fec60801111107g6a8b6a47oc8b529fde9bd7b5e@mail.gmail.com>

On Jan 11, 2008 8:01 AM, Tyler Durden wrote:
> Someone want to explain this? ... Why encrypt the traffic?

authentication of replies to special searches used in the decentralized command and control. the botnet is basically being partitioned up into distinct sets for resale or other purpose. the previous design did not allow for such segmentation of C&C.

From pgut001@cs.auckland.ac.nz Sat Jan 12 05:39:02 2008
From: pgut001@cs.auckland.ac.nz
To: cypherpunks-legacy@lists.cpunks.org
Subject: RE: Storm, Nugache lead dangerous new botnet barrage
Date: Sat, 12 Jan 2008 05:39:02 +0000

Tyler Durden writes:
> Someone want to explain this? Does Storm exchange keys on behalf of the
> infected hosts? Why encrypt the traffic?

Enterprise DRM for the botnet.

(Alternatively, "because they can". They're not paying for the overhead, it doesn't really make much sense not to encrypt everything).

Peter.
From eugen@leitl.org Sat Jan 12 08:45:14 2008
From: Eugen Leitl
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: Storm, Nugache lead dangerous new botnet barrage info@postbiota.org
Date: Sat, 12 Jan 2008 08:45:14 +0000
Message-ID: <20080112134443.GX10128@leitl.org>

On Sat, Jan 12, 2008 at 11:38:06PM +1300, Peter Gutmann wrote:

> Enterprise DRM for the botnet.
>
> (Alternatively, "because they can". They're not paying for the overhead, it
> doesn't really make much sense not to encrypt everything).

Anyone seen a private Tor bot network in the wild yet?

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From rabbi@abditum.com Sat Jan 12 13:38:03 2008
From: Len Sassaman
To: cypherpunks-legacy@lists.cpunks.org
Subject: RE: Storm, Nugache lead dangerous new botnet barrage
Date: Sat, 12 Jan 2008 13:38:03 +0000

On Sat, 12 Jan 2008, Peter Gutmann wrote:

> (Alternatively, "because they can". They're not paying for the overhead, it
> doesn't really make much sense not to encrypt everything).

I don't agree -- they *are* paying for the overhead. Not in dollars, but in CPU cycles (and a minor programming overhead.)
If you increase the performance degradation on the hosts in the botnet, you're going to lose some of those hosts due to the owners cleaning up the system so that they can use it -- botnets survive because they steal CPU and bandwidth that is "acceptable" to the users, or unnoticed by them.

Adding in additional computational overhead to the operation of the botnet diminishes its overall capacity, either in the number of nodes, or in the amount of work you can steal from the nodes without losing hosts, or both.

Your "DRM" answer, and coderman's comments, seem to be more on the mark.

--Len.

From rabbi@abditum.com Sat Jan 12 13:38:51 2008
From: Len Sassaman
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: Storm, Nugache lead dangerous new botnet barrage info@postbiota.org
Date: Sat, 12 Jan 2008 13:38:51 +0000
In-Reply-To: <20080112134443.GX10128@leitl.org>

On Sat, 12 Jan 2008, Eugen Leitl wrote:

> Anyone seen a private Tor bot network in the wild yet?
There is speculation about this, but no proof:

http://www.schneier.com/blog/archives/2007/09/anonymity_and_t_1.html

From bill.stewart@pobox.com Sat Jan 12 18:02:59 2008
From: Bill Stewart
To: cypherpunks-legacy@lists.cpunks.org
Subject: RE: Storm, Nugache lead dangerous new botnet barrage
Date: Sat, 12 Jan 2008 18:02:59 +0000
Message-ID: <6.2.1.2.1.20080112145115.048da120@pop.idiom.com>

At 10:37 AM 1/12/2008, Len Sassaman wrote:
> On Sat, 12 Jan 2008, Peter Gutmann wrote:
> > (Alternatively, "because they can". They're not paying for the overhead, it
> > doesn't really make much sense not to encrypt everything).
> I don't agree -- they *are* paying for the overhead. Not in dollars, but
> in CPU cycles (and a minor programming overhead.) If you increase the
> performance degradation on the hosts in the botnet, you're going to lose

Encrypting the control channel isn't going to burn a lot of CPU; hopefully the botnet doesn't need more than a few KB/hour of control, and almost certainly it wouldn't need more than a few KB/sec of data (such as spam-target email addresses), so encrypting it's low-horsepower.

The heavy-resource job of a bot is sending out lots of packets to targets, whether it's spam email sessions or DDOS UDP packets, and the limiting factor on that is upstream bandwidth, typically 128-768kbps. On a modern CPU you could even encrypt that traffic if you wanted, without the CPU breaking a sweat, though the only application I can see for that is encrypted SMTP sessions if you're spamming somebody high-tech.
Most computers have enough spare CPU that they can burn it looking for space aliens or folding proteins at home without noticing a performance hit; the real trick on keeping resource consumption low enough to not be noticed is managing upstream bandwidth so that you don't stifle http queries and TCP acks.

From pgut001@cs.auckland.ac.nz Sat Jan 12 22:55:40 2008
From: pgut001@cs.auckland.ac.nz
To: cypherpunks-legacy@lists.cpunks.org
Subject: RE: Storm, Nugache lead dangerous new botnet barrage
Date: Sat, 12 Jan 2008 22:55:40 +0000

Len Sassaman writes:
> On Sat, 12 Jan 2008, Peter Gutmann wrote:
> > (Alternatively, "because they can". They're not paying for the overhead, it
> > doesn't really make much sense not to encrypt everything).
>
> I don't agree -- they *are* paying for the overhead. Not in dollars, but in
> CPU cycles (and a minor programming overhead.) If you increase the
> performance degradation on the hosts in the botnet, you're going to lose some
> of those hosts due to the owners cleaning up the system so that they can use
> it

If you ever find users who do this, could you send them my way? :-). There may be some reference user somewhere in a display case who does this, but in practice unless the computer explodes in front of them no-one ever reacts to infection. I've seen users whose laptop fans are running continuously because the CPU is pegged at 100% by malware not have any idea that this isn't a normal state of affairs. I've seen users who patiently wait something like 30 seconds for an Explorer window to open because that's just how long Windows takes. I've seen users whose PCs page themselves to death every time they start an app, and that's quite normal.
I've seen attack ships on fire off the shoulder of Orion...

More importantly, the sort of people who are likely to have machines riddled with malware are the same ones who aren't likely to have any idea that anything's wrong. Bill Cheswick has a neat talk "Windows OK" in which he describes his dad patiently using his malware-infested PC that nicely illustrates this.

> Adding in additional computational overhead to the operation of the botnet
> diminishes its overall capacity, either in the number of nodes, or in the
> amount of work you can steal from the nodes without losing hosts, or both.

So you reduce it from 1M nodes to 900,000 nodes, that's not much of a loss. The benefit you get from making it hard(er) to intercept and disrupt more than covers it.

Peter.

From rabbi@abditum.com Sun Jan 13 06:38:00 2008
From: Len Sassaman
To: cypherpunks-legacy@lists.cpunks.org
Subject: RE: Storm, Nugache lead dangerous new botnet barrage
Date: Sun, 13 Jan 2008 06:38:00 +0000

On Sun, 13 Jan 2008, Peter Gutmann wrote:

[Snip discussion about user cluelessness -- sure, I agree, though I maintain hope that there is at least *some* attrition on that scale.]

> > Adding in additional computational overhead to the operation of the botnet
> > diminishes its overall capacity, either in the number of nodes, or in the
> > amount of work you can steal from the nodes without losing hosts, or both.
>
> So you reduce it from 1M nodes to 900,000 nodes, that's not much of a loss.
> The benefit you get from making it hard(er) to intercept and disrupt more than
> covers it.

Ah! There's a reason stronger than "because they can." Yes, I recognize that the overhead is minimal, etc., etc.
But without some compelling reason (making it partitionable for resale, making it harder to disrupt, etc.) I would not expect the botnet controllers to introduce another area of possible failure -- one that not only increases CPU time, but bandwidth, and makes maintaining and upgrading the code and compatibility between instances more difficult.

I'm not sure that this *does* make it harder to disrupt the botnet, though, does it? Does anyone have example traffic dumps of these encrypted payloads? It should be possible to identify and block this traffic; it's going to follow some unique pattern.

--Len.

From pgut001@cs.auckland.ac.nz Sun Jan 13 07:28:57 2008
From: pgut001@cs.auckland.ac.nz
To: cypherpunks-legacy@lists.cpunks.org
Subject: RE: Storm, Nugache lead dangerous new botnet barrage
Date: Sun, 13 Jan 2008 07:28:57 +0000

Len Sassaman writes:
> I'm not sure that this *does* make it harder to disrupt the botnet, though,
> does it? Does anyone have example traffic dumps of these encrypted payloads?
> It should be possible to identify and block this traffic; it's going to
> follow some unique pattern.

It doesn't have much effect on passive blocking, but what it stops (or at least makes a lot harder) is two things: Active attacks (penetration of botnet servers by security people is a serious problem for the botherders, and I assume competing botherders find this an easy target as well), and leeching of botnet-collected data by others. It's mostly back to enterprise DRM again.

Peter.
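[Editor's note, not part of the thread.] Len asks whether the encrypted payloads can be identified and blocked by pattern, and Peter answers that encryption does little against passive blocking. The script below is an added illustration of the passive side of that exchange, written for this archive and not posted by any participant: a payload classifier that flags UDP datagrams whose bytes look opaque (near-uniform byte distribution, few printable characters) on a port where a readable protocol is expected. The sample payloads, the port, the addresses and the thresholds are all constructed for the example; nothing here describes the actual Storm cipher or message format, which the thread does not give.

```python
import math
from collections import Counter

# Constructed sample payloads (not captured traffic). PLAINTEXT_SAMPLE mimics a
# human-readable protocol message; OPAQUE_SAMPLE has a perfectly flat byte
# distribution and stands in for an encrypted or compressed payload.
PLAINTEXT_SAMPLE = b"SEARCH key=0123456789abcdef peer=10.0.0.7:4665 ttl=4\r\n" * 4
OPAQUE_SAMPLE = bytes(range(256)) * 2  # every byte value occurs equally often


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0x20..0x7e) or TAB/LF/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def classify_payload(data: bytes, entropy_threshold: float = 7.0,
                     printable_threshold: float = 0.5, min_len: int = 64) -> str:
    """
    "opaque"    -> looks encrypted/compressed (high entropy, mostly non-printable)
    "plaintext" -> looks like a readable protocol message
    "short"     -> too few bytes for the entropy estimate to mean anything
    The threshold values are assumptions chosen for this example.
    """
    if len(data) < min_len:
        return "short"
    if (shannon_entropy(data) >= entropy_threshold
            and printable_ratio(data) < printable_threshold):
        return "opaque"
    return "plaintext"


def scan_flows(flows):
    """flows: iterable of (src, dst, payload). Returns [(src, dst, verdict), ...]."""
    return [(src, dst, classify_payload(payload)) for src, dst, payload in flows]


if __name__ == "__main__":
    # Constructed flow records; 192.0.2.x / 198.51.100.x are documentation ranges.
    sample_flows = [
        ("192.0.2.10:4665", "198.51.100.5:4665", PLAINTEXT_SAMPLE),
        ("192.0.2.11:4665", "198.51.100.5:4665", OPAQUE_SAMPLE),
        ("192.0.2.12:4665", "198.51.100.5:4665", b"ping"),
    ]
    for src, dst, verdict in scan_flows(sample_flows):
        print(f"{src} -> {dst}: {verdict}")
```

The check is deliberately crude: entropy alone cannot separate encryption from compression or random identifiers, and short datagrams give noisy estimates, which is why the classifier refuses to judge anything under `min_len`. It only supports Peter's point: an opaque channel is still visible as a channel, so encryption buys resistance to tampering and eavesdropping rather than invisibility.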
From camera_lumina@hotmail.com Thu Jan 17 06:24:07 2008
From: Tyler Durden
To: cypherpunks-legacy@lists.cpunks.org
Subject: RE: Storm, Nugache lead dangerous new botnet barrage
Date: Thu, 17 Jan 2008 06:24:07 +0000
In-Reply-To: <6.2.1.2.1.20080112145115.048da120@pop.idiom.com>

Makes me wonder whether there's some way to make peace with our new Spam overlords. Maybe get in on the action somehow. Seems to me the battle's very nearly lost if the botnet is functioning in a way that we can live with and that is very hard to tamper with.

-TD

> Date: Sat, 12 Jan 2008 15:01:54 -0800
> To: rabbi(a)abditum.com
> From: bill.stewart(a)pobox.com
> Subject: RE: Storm, Nugache lead dangerous new botnet barrage
> CC: pgut001(a)cs.auckland.ac.nz; camera_lumina(a)hotmail.com; cypherpunks(a)al-qaeda.net; eugen(a)leitl.org; info(a)postbiota.org
>
> At 10:37 AM 1/12/2008, Len Sassaman wrote:
> > On Sat, 12 Jan 2008, Peter Gutmann wrote:
> > > (Alternatively, "because they can". They're not paying for the overhead, it
> > > doesn't really make much sense not to encrypt everything).
> > I don't agree -- they *are* paying for the overhead. Not in dollars, but
> > in CPU cycles (and a minor programming overhead.) If you increase the
> > performance degradation on the hosts in the botnet, you're going to lose
>
> Encrypting the control channel isn't going to burn a lot of CPU;
> hopefully the botnet doesn't need more than a few KB/hour of control,
> and almost certainly it wouldn't need more than a few KB/sec of data
> (such as spam-target email addresses), so encrypting it's low-horsepower.
>
> The heavy-resource job of a bot is sending out lots of packets to targets,
> whether it's spam email sessions or DDOS UDP packets,
> and the limiting factor on that is upstream bandwidth, typically 128-768kbps.
> On a modern CPU you could even encrypt that traffic if you wanted,
> without the CPU breaking a sweat, though the only application I can see for
> that is encrypted SMTP sessions if you're spamming somebody high-tech.
>
> Most computers have enough spare CPU that they can burn it looking for
> space aliens or folding proteins at home without noticing a performance hit;
> the real trick on keeping resource consumption low enough to not be noticed
> is managing upstream bandwidth so that you don't stifle http queries and
> TCP acks.

From coderman@gmail.com Thu Jan 17 17:40:28 2008
From: coderman
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: Storm, Nugache lead dangerous new botnet barrage
Date: Thu, 17 Jan 2008 17:40:28 +0000
Message-ID: <4ef5fec60801171439g4896d7c4j5ee238edbfb273f5@mail.gmail.com>

On Jan 17, 2008 3:23 AM, Tyler Durden wrote:
> Makes me wonder whether there's some way to make peace with our new Spam
> overlords. Maybe get in on the action somehow. Seems to me the battle's very
> nearly lost if the botnet is functioning in a way that we can live with and
> that is very hard to tamper with.

it's actually not that difficult to tamper with (dht's are fragile against coordinated malicious attackers, etc).
such a tampering is pretty indiscriminate against the entire ring / overlay though, so no one is anxious to try it :)