back to article Storm worm smackdown as researchers unpick control system

A team of security researchers have developed a technique for automatically purging the remnants of the Storm worm infection from the internet. But the approach - which involves turning the botnet's command and control system against itself - could run foul of computer hacking laws in Germany and elsewhere, which ban the …

COMMENTS

This topic is closed for new posts.
Dead Vulture

Cool development!

Just too bad that the German, as well as some other European and the U.S. governments have seen fit to criminalize the digital crimefighters for using the tools they need to fight digital crime, while the governments, themselves, are legalizing the same tacticts to be used on innocent citizens without the need for a warrant...

0
0

This is how all battles are fought

The good guys always have a harder job because they follow the rules. It would be nice to be able to spread cleanup code in the same way that malicious code is spread, but you can't. Just because you are trying to do good does not mean you are exempt from the law. At the same time, would it be such a bad thing for governments to pass laws that allow for cleanup like this? A case by case situation? Sort of deputizing security companies to take down an organized crime institution.

0
0
Anonymous Coward

Oh probably illegal in the UK as well

yes, that is unauthorised access.

Liability is high as well, if those machines are being used for any day to day legitimate activity and they go down during the dismantle attempt. And then there is the false positives, crack into someone's machine just because it under your impression is compromised is dubious.

Wasn't one of these botnets actually controlled by a 'digital crimefighter', who do you trust. What is going on here, is some people want to crack machines, and they are trying to make some legitimate targets for their unauthorised incursions, just another social engineering trick.

They will have to track down all the owners of the systems to do this legitimately, and should be going through the ISPs, when actions like that are taken it is better for the general good, these maverick style actions are not really that beneficial.

0
0
Gold badge
Happy

Easy answer.

Host the cleanup servers elsewhere. Let's face it, there are quite a few hosts out there in certain countries who, for a small consideration, are quite happy to let you run whatever you like, far from the influence of US / European law enforcement.........

0
0
Black Helicopters

Errors in the code.

I had a quick mooch through the stormfucker code, I think the Xor key has had a few bytes edited and the code needs to be compiled with the flag -DXOR there's probably other things need fixing to make it work but those 2 things stood out.

You would also need the peers.ini from an infected pc to get tit to start talking on the storm network i think.

0
0
Stop

Ah, good old Red Tape...

don't you just love it?

0
0

This isn't new

The ability to take over command and control functions of botnets is not new, in fact early last year TippingPoints research team at DVLabs had a semi-religious debate about commanding the Kraken worm to kill itself and clean up.

http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration

and

http://dvlabs.tippingpoint.com/blog/2008/04/28/owning-kraken-zombies

I echo the first comment - its a shame that despite having the technology to mitigate these infrections, Governments throughout the World ban the action.

0
0
Flame

Stormfucker...

...was posted to Slashdot.

Seconds later, thousands of machines around the globe were editing the makefile (so it'd work) and typing make.

Believe me, it's been run.

0
0
Bronze badge

Add a "consent" pop-up

If the user consents to your malware removal attempt, is that enough to make it legal?

0
0
Thumb Up

Just what we needed

^^^ More please. Do these guys have Paypal donation box?

0
0
Silver badge
Happy

@Evil Graham....

please say you missed a Joke icon off your post.

"Your pc is infected. Click OK to remove". Only the thick dumb asses that get most viruses would click OK.

Actually maybe that's not such a bad idea!

0
0
Silver badge
Joke

@Evil Graham re. Add a "consent" pop-up

So, if I see a pop-up box on my screen saying "Do you want me to clean up the Storm Worm trojan which has been detected as infecting your PC?", then I press 'Yes' and everything will be ok?

That sounds like a wonderful idea.

0
0
Pirate

Digital Vigelantism

Allowing security researchers break the law in order to stop other people breaking the law is digital vigelantism, its not a good idea in the same way that normal vigelantism isnt. Different people have different ideas of justice, and enforcing an individual view, rather than societies view is not healthy. What is needed is a co-ordinated, international body, or group of national bodies that deals with malware in a way that society views is fair.

0
0
Coat

We came, we saw. we kicked its ASS.

Point me to a copy of the client, *I've* got no problem issuing the cleanup command...

Mines the one with 'vigilante sysadmin' across the back (in fixed pitch terminal font naturally)

0
0

Consent for consent pop-up

Unfortunately you'd have to somehow gain consent to run code on the machine to display the consent popup.

0
0
Thumb Up

Anyone remember 'Core Wars'

'Twas an article published in '84 in Scientific American. Google 'core wars'. This is essentially a real live core war. Fantastic! Nice one guys.

0
0
Flame

Kick them off

1) Identify a zombie

---a) Researchers or a cohort of ISP techs agree an verify that a particular computer is acting as a zombie

2) Inform an ISP of all identified zombies on their network, giving them a 48 hour deadline

---a) Zomibies' ISP blocks affected computers and informs users why.

---b) Affected systems not allowed back on until they are verified clean.

---c) Users added to a "watch list" so no other ISP will accept them until system is clean

---d) Users may need to pay for cleaning/verification

3) ISP responds within 48 hours that all zombies are now blocked

---a) Zombies probed - if blocked, all is well

---b) If still live, ISP faces risk of blacklisting (>5% still live, immediate blacklist, <5% ISP has 3 hours to block)

4) Once 48 hours deadline passes with no response that *ALL* zombies are blocked (99% is not good enough), ISP gets black listed.

5) ISPs required to inform users of their responsibility to ensure that their systems are secure. The users should also be informed that they may well be held liable for all costs and penalties the ISP incurs as a result of the user's lax security.

There is NO EXCUSE for a computer being on the net without security. ***NONE*** Even Windows can be secured to a reasonable enough extent (and for free).

0
0
Thumb Up

Sorry we can't fix anything - that's illegal!

PMSL! "the approach - which involves turning the botnet's command and control system against itself - could run foul of computer hacking laws in Germany and elsewhere, which ban the modification of computer systems without consent.".

So, the worm can do it illegally and cause havoc, but it can;t be fixed as that's illegal ROFL.

0
0
Silver badge

@Digital Vigelantism

I don't think it is. Many laws allow you to commit a small crime in order to prevent a larger one. I think that using this tool to sort the zombies is perfectly acceptable and would fall under this protection.

0
0
Boffin

Re: Core Wars

Yep, played Core Wars in University in '91 on one of the campus Vax machines.

You use a 'programming language' called Red Code, which consists of 7 instructions. Its amazing the range of tactics you can come up with using such a limited instruction set.

0
0
Bronze badge
Happy

Yeah, I was dumb.

I was kind of forgetting about all the other spurious drive-by popup crap.

In my (lame) defence, I was only really interested in the legal side of it, but yeah, I guess you need someone's consent even to get the consent popup to run.

Maybe I'll engage my brain before posting next time.

Naah, on second thoughts, where's the fun in that?

0
0
Joke

got to stop reading like this

@AC Tue 13th Jan 2009 08:07 - "to get tit " Snurk

@AC Tue 13th Jan 2009 12:09 - "---a) Zombies probed " Erm, no thanks. I like mine living.

0
0
This topic is closed for new posts.

Forums