[ISN] Storm Botnet Behind Canadian DoS Attack

From: InfoSec News (alerts@private)
Date: Tue Aug 14 2007 - 01:04:17 PDT


By Sharon Gaudin
August 13, 2007

Researchers are blaming the virulent Storm worm for a widespread 
denial-of-service attack that hit Canadian Web sites over the weekend.

The attack may have been unfocused and unsuccessful, but it could have 
been an early test of the denial-of-service power that the Storm worm 
botnet now holds.

Johannes Ullrich, chief research officer at the SANS Institute and chief 
technology officer for the Internet Storm Center, said in an interview 
that while sites in Canada were "pounded" over the weekend, he doesn't 
think it was a targeted denial-of-service attack. The attacks weren't 
aimed at any particular Web sites. It was just spread across a wide 
swath of the Internet.

"The DoS part was basically an unintentional side effect," said Ullrich. 
"It was a whole lot of spam -- enough to make the servers slow down. 
Once [that much spam] is set loose, it's hard to tell what's going to 

This weekend's attack veered off the norm.

The Storm worm has been buffeting the Internet for the past several 
months, sending out historic levels of spam e-mail. Much of it has been 
in the form of phony electronic greeting cards, luring unsuspecting 
users to malicious Web sites where their machines are infected with 
malware that turns them into bots. The individual zombie machines are 
then added to the massive botnet that the Storm worm authors have been 
putting together.

This latest attack, though, didn't use the e-card ruse. The e-mails in 
the attack also didn't carry any malware and didn't link to or point 
users to any malicious Web sites. The limited amount of text in the 
e-mails was little more than gibberish, according to Ullrich.

"They may have been trying something but it didn't work," said Ullrich. 
"Sure. It definitely could be a test [of a DoS attack]. That's what 
you'd expect. They generally try a test-run first."

Earlier this month, researchers at SecureWorks reported that the Storm 
authors had a botnet about 2,815 strong in the first half of this year. 
That number had skyrocketed to 1.7 million by the end of July.

Researchers at both SecureWorks and Postini said they think the Storm 
worm authors are cultivating such an enormous botnet to do more than 
send out increasing amounts of spam. All of the bots are set up to 
launch DoS attacks and that's exactly what they're anticipating. 
Denial-of-service attacks are designed to pound each computer with 
countless questions that flood its ability to respond, effectively 
taking the machine down.

Ullrich said on Monday that he too is concerned about what a botnet of 
this size could do if the Storm worm authors decide to target a DoS 
attack. However, he said the authors seem very focused on making money 
and unless they plan on extorting a company with threats of a massive 
denial-of-service attack, where's the financial motive?

Ullrich added that he's been seeing Storm worm ads on various 
underground Web sites. The authors are advertising their ability to send 
out pump-and-dump and pharmaceutical spam with their global botnet.

Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 

This archive was generated by hypermail 2.1.3 : Tue Aug 14 2007 - 01:17:18 PDT