Re: fyi: Storm Worm botnet numbers, via Microsoft

2007-10-23 Thread ' =JeffH '


[EMAIL PROTECTED] said:
 Detailed analysis of the Storm network, how it works, its size, etc is being
 actively worked on by several research groups

8^)


   Storm is nowhere near 50 million nodes and never was.


Good.  


 I will be presenting /some/ of this work at Toorcon in San Diego this
 Saturday:

 http://www.toorcon.org/2007/event.php?id=38


excellent, how'd it go? Anyone else present on Storm?



 The presentation is not academic paper quality and takes more of a
 code-monkey approach to the network.  Real (sane and substantiated) numbers,
 stats, and graphs will be presented.  To the best of my knowledge, it will be
 the first publicly released estimates of the size of the network with actual
 supporting data and evidence. 


are your slides now available?



=JeffH


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: fyi: Storm Worm botnet numbers, via Microsoft

2007-10-23 Thread Brandon Enright
On Mon, 22 Oct 2007 17:55:39 -0700 plus or minus some time ' =JeffH '
[EMAIL PROTECTED] wrote:
...snip...
  I will be presenting /some/ of this work at Toorcon in San Diego this
  Saturday:  
   
  http://www.toorcon.org/2007/event.php?id=38  
 
 excellent, how'd it go? Anyone else present on Storm?  

Things went pretty smoothly.  Storm is a complicated and evolving beast so a
50 minute talk can't really go into the depth that is needed to really
understand how it works.  There weren't any other presentations at Toorcon
but it's a pretty hot topic so there should be more talks and papers coming
out from various researchers in the coming weeks and months.

It seems like whenever anyone says anything about Storm, the story gets
picked up by some news service and makes its way to Slashdot.

   
  The presentation is not academic paper quality and takes more of a
  code-monkey approach to the network.  Real (sane and substantiated)
  numbers, stats, and graphs will be presented.  To the best of my
  knowledge, it will be the first publicly released estimates of the size
  of the network with actual supporting data and evidence.   
 
 are your slides now available?  

They are:
http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt

The link to the historical trends of the network is here:
http://noh.ucsd.edu/~bmenrigh/storm_data.tar.bz2

It can be very hard to track the size of a botnet, even in the case of
Storm where I'm crawling the network.  Technologies like NAT can
significantly complicate things.

See
http://www.usenix.org/events/hotbots07/tech/full_papers/rajab/rajab_html/
for a discussion on tracking the size of botnets.

 
 =JeffH
   

My slides should provide adequate detail for someone to understand how to
interpret the graphs and data.  For specific questions, feel free to email
me directly.

Brandon


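Brandon's remark above that NAT complicates counting, together with the footprint-versus-live distinction drawn in the Rajab et al. HotBots '07 paper he links, as an added example in Python. This is an editor-supplied illustration, not code from the thread or from Brandon's Storm crawler; the population, the on/off pattern, the DHCP pool and its per-epoch rotation are all constructed for the example, and the addresses are taken from the RFC 5737 documentation ranges.

```python
"""
Added illustration (not from the thread or from any Storm crawler): why the
number of distinct source IPs a crawler records is a poor proxy for the
number of infected hosts.

Three effects are modelled with a hand-built population (every figure below
is constructed for the example):
  * NAT: several hosts share one public address, so the crawler undercounts
    within an epoch;
  * DHCP churn: a host shows up under a new lease each epoch, so the crawler
    overcounts once observations are accumulated over time;
  * intermittent connectivity: the "live" population at any instant is
    smaller than the "footprint" of every host ever infected (the
    distinction Rajab et al. draw in the HotBots '07 paper linked above).
"""
from dataclasses import dataclass
from typing import Optional

DHCP_POOL_SIZE = 31   # prime, so the per-epoch address map below is injective
DHCP_SHIFT = 8        # how far the lease pool "rotates" each epoch (arbitrary)


@dataclass(frozen=True)
class Host:
    host_id: int
    kind: str                   # "nat", "dhcp" or "static"
    nat_group: Optional[int]    # gateway index, only meaningful for kind == "nat"


def build_population():
    """Constructed toy population: 10 hosts behind two NAT gateways,
    10 DHCP hosts and 10 hosts with fixed addresses (30 hosts in total)."""
    hosts = [Host(i, "nat", i // 5) for i in range(0, 10)]
    hosts += [Host(i, "dhcp", None) for i in range(10, 20)]
    hosts += [Host(i, "static", None) for i in range(20, 30)]
    return hosts


def is_online(host, epoch):
    """Deterministic on/off pattern: each host is offline one epoch in three."""
    return (host.host_id + epoch) % 3 != 0


def public_address(host, epoch):
    """Source address the crawler would record for this host in this epoch."""
    if host.kind == "nat":
        return f"203.0.113.{host.nat_group}"               # shared gateway address
    if host.kind == "dhcp":
        idx = (host.host_id + DHCP_SHIFT * epoch) % DHCP_POOL_SIZE
        return f"198.51.100.{idx}"                          # lease changes every epoch
    return f"192.0.2.{host.host_id}"                        # fixed address


def crawl(hosts, epochs):
    """Simulate a crawler that records every online host's source address once
    per epoch, and return its counts next to the ground truth."""
    per_epoch_unique_ips = []
    live = []
    seen_ever = set()
    for epoch in range(epochs):
        online = [h for h in hosts if is_online(h, epoch)]
        addrs = {public_address(h, epoch) for h in online}
        per_epoch_unique_ips.append(len(addrs))
        live.append(len(online))
        seen_ever |= addrs
    return {
        "per_epoch_unique_ips": per_epoch_unique_ips,  # what a naive crawler reports
        "true_live": live,                             # hosts actually online
        "cumulative_unique_ips": len(seen_ever),       # naive "footprint"
        "true_footprint": len(hosts),                  # hosts ever infected
    }


if __name__ == "__main__":
    result = crawl(build_population(), epochs=4)
    for key, value in result.items():
        print(f"{key:>22}: {value}")
```

With this population the per-epoch address count comes out below the number of hosts actually online (NAT hides hosts) while the address count accumulated over four epochs comes out above the total number of infected hosts (DHCP leases get counted as new bots). A real crawler also never reaches every peer in a given sweep, which pushes the instantaneous count down further; the two corrections pull in opposite directions, which is why a single "unique IPs seen" figure says little on its own.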


Re: fyi: Storm Worm botnet numbers, via Microsoft

2007-10-22 Thread Brandon Enright
On Mon, 15 Oct 2007 16:02:54 -0700 plus or minus some time ' =JeffH '
[EMAIL PROTECTED] wrote:
 
 I haven't come across any detailed Storm extent analysis, even with
 having Google search specific security company sites (e.g. using 
 site:sec-corp.com). So if anyone has pointers to pages (other than the
 MSFT blog article pointed to in an earlier post) that present a sane and 
 substantiated analysis of Storm extent, please post 'em. Maybe folks
 don't want to (post 'em or point to 'em)? Are there papers in
 submission? ;-)
 
   

Detailed analysis of the Storm network, how it works, its size, etc is
being actively worked on by several research groups.  Storm is nowhere near
50 million nodes and never was.

I will be presenting /some/ of this work at Toorcon in San Diego this
Saturday:

http://www.toorcon.org/2007/event.php?id=38

The presentation is not academic paper quality and takes more of a
code-monkey approach to the network.  Real (sane and substantiated)
numbers, stats, and graphs will be presented.  To the best of my knowledge,
it will be the first publicly released estimates of the size of the network
with actual supporting data and evidence.

Brandon



Re: fyi: Storm Worm botnet numbers, via Microsoft

2007-10-18 Thread ' =JeffH '
[EMAIL PROTECTED] said:
 I have two problems with this report. 

thanks for commenting on it. I pointed to it in order to see what denizens of 
this list might have to say about it. I'm simply curious.

Also, as I'd noted, I haven't really seen any estimates of Storm's extent -- 
other than that article [0] -- that actually go into any details about how the 
number is arrived at (however bogus or not the approach might be).

Also, I'm personally mostly just curious and have done only modest searches 
for info. And based on that, I've only come across the (typically) 
unsubstantiated one or two million zombies [1] to (breathless) maybe /50 
million/ out there [2] articles/posts.


 Firstly, I don't think this is a very
 representative sampling technique compared to the estimates from security
 companies. 

I haven't come across any detailed Storm extent analysis, even with having 
Google search specific security company sites (e.g. using 
site:sec-corp.com). So if anyone has pointers to pages (other than the MSFT 
blog article pointed to in an earlier post) that present a sane and 
substantiated analysis of Storm extent, please post 'em. Maybe folks don't 
want to (post 'em or point to 'em)? Are there papers in submission? ;-)


 If you look at the sample that's being used, Windows machines
 that have automatic updates turned on, then the typical machine is going to
 be configured with something like Windows XP SP2 with all available hotfixes
 and updates applied, in other words the very systems that are (one would hope
 :-) the *least* likely to be affected by malware.

agreed.


  If you take the rule-of-
 thumb estimate that's sometimes used on MSDN blogs of 1B Windows machines out
 there then 2.6M machines is < 0.3% of that total.  Now this in itself
 wouldn't be so bad if it was an unbiased sample, but in fact it's probably a
 rather non-representative 0.3%. 

..as compared to the overall population of windows machines, on the Internet, 
globally.

agreed.


 Although some of the numbers from security
 companies for infections may be just guesswork, they also use broad sampling
 across all Windows machines (not just ones with Windows Defender), honeypots,
 monitoring of botnet traffic patterns, and other methods as well.

pointers?


  So while it's valid to say that this [the Anti-Malware Engineering 
 Team blog post [0]] provides data for Storm on fully patched,
 up-to-date machines running Windows Defender, I don't think this generalises
 for all Windows machines.

agreed.


 Secondly, the text completely contradicts the figures given.  If the figures
 really are accurate and not a typo, then 274K machines infected out of 2.6M
 puts Storm on 10% of Windows PCs, which would make the worldwide infection
 rate 100M systems, or ten times larger than the previous worst-possible case
 estimate.  

a reasonably-substantiated worst-case estimate? Because it's only twice as many 
as the 50M number thrown around in the likes of [2].

But yes, it'd be alarming if there's really 1B windows machines on the 
Internet (one way or another) and there's a reasonable probability of 10% 
being Storm zombies.


 Storm may be big, but it's not *that* big.  I think there's
 something wrong with the figures.

Yeah, one hopes so.

So, it'd seem to me (tho I'm not a statistician) that if one could get a set 
of articles wrt Storm extent that say at least something to substantiate how 
they arrived at the numbers, and then do some back-of-the-envelope calcs, we'd 
have a better idea of what's going on, at least here in the public domain. I 
have to believe that there's folks working hard on this given the 
down-the-road risks, and are just keeping the info close to their collective 
chest.


=JeffH

[0] http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx

[1] http://www.secureworks.com/media/press_releases/20070802-botstorm

[2] http://www.neoseeker.com/news/story/7103/





fyi: Storm Worm botnet numbers, via Microsoft

2007-10-02 Thread Jeff . Hodges
food for consideration. yes, #s are from MSFT as he notes, but are the only 
ones we have presently wrt actual Storm extent, yes? If not, pls post 
pointers...

=JeffH
--
Storm Worm botnet numbers, via Microsoft
http://blogs.zdnet.com/security/?p=533

Posted by Ryan Naraine @ 7:40 am

If the statistics from Microsoft’s MSRT (malicious software removal tool) 
are anything to go by, the Storm Worm botnet is not quite the world’s 
most powerful supercomputer.

The tool — which is updated and shipped once a month on Patch Tuesday 
— removed malware associated with Storm Worm from 274,372 machines in the 
first week after September 11. In all the tool scanned about 2.6 million 
Windows machines.

These numbers, released by Microsoft anti-virus guru Jimmy Kuo, put the size 
of the botnet on the low end of speculation that Storm Worm has commandeered 
between 1 million and 10 million Windows machines around the world.

[ SEE: Storm Worm botnet could be world’s most powerful supercomputer ]

The MSRT numbers, though helpful, shouldn’t be relied on as gospel. For 
starters, the tool targets a very specific known malware (it only finds 
exactly what it’s looking for) and attackers constantly tweak malware 
files to get around detection. In addition, it is only delivered to Windows 
machines that have automatic updates turned on, which means there are likely 
tons and tons of hijacked machines that never get a copy of the MSRT.

Still, Kuo claims that the September version of MSRT made a dent in the botnet.

Another antimalware researcher who has been tracking these recent attacks 
has presented us with data that shows we knocked out approximately one-fifth 
of Storm\u2019s Denial of Service (DoS) capability on September 11th. 
Unfortunately, that data does not show a continued decrease since the first 
day. We know that immediately following the release of MSRT, the criminals 
behind the deployment of the Storm botnet immediately released a newer version 
to update their software. To compare, one day from the release of MSRT, we 
cleaned approximately 91,000 machines that had been infected with any of the 
number of Nuwar components. Thus, the 180,000+ additional machines that have 
been cleaned by MSRT since the first day are likely to be home user machines 
that were not notably incorporated into the daily operation of the Storm 
botnet. Machines that will be cleaned by MSRT in the subsequent days will be 
of similar nature.

The September release of the MSRT probably cleaned up approximately one 
hundred thousand machines from the active Storm botnet. Such numbers might 
project that the strength of that botnet possibly stood at almost half a 
million machines with an additional few hundred thousand infected machines 
that the Storm botnet perhaps were not actively incorporating.

Kuo also confirmed fears that the botnet will slowly regain its strength once 
those cleaned machines become reinfected because those machines are likely 
unpatched and not equipped with any security software.

---
end



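The size arithmetic argued over in this thread (the MSRT figures read as a representative sample, the objection that the sample is only the auto-update stratum, and Kuo's capacity-based estimate in the ZDNet piece) carried through as an added example in Python. It is editor-supplied, not code from the thread or from Microsoft. The input figures are the ones quoted in the messages above; `observed_share`, `rate_ratio` and the sweep values are constructed parameters that nobody in the thread gives.

```python
"""
Added worked example (not from the thread or from Microsoft): the botnet-size
arithmetic argued over above, written out so that its assumptions can be
varied instead of left implicit.

Figures taken from the messages: MSRT's September 2007 release cleaned
274,372 of about 2.6 million scanned machines; the "1B Windows machines"
rule of thumb; Kuo's roughly 100,000 active bots cleaned on day one, said to
be one-fifth of Storm's DoS capacity.  Anything marked ASSUMED is constructed
for the sensitivity sweep and appears nowhere in the thread.
"""

MSRT_CLEANED = 274_372
MSRT_SCANNED = 2_600_000
WINDOWS_INSTALLED_BASE = 1_000_000_000


def naive_extrapolation(cleaned, scanned, population):
    """Read the MSRT sample as if it were uniform over all Windows machines:
    sample infection rate times the installed base (the reading that yields
    the ~100M figure objected to in the thread)."""
    return cleaned / scanned * population


def stratified_extrapolation(cleaned, scanned, population, observed_share, rate_ratio):
    """MSRT only reaches machines with automatic updates turned on.  ASSUMED:
    that stratum is `observed_share` of the installed base, and the unreached
    stratum is infected at `rate_ratio` times the observed rate.  With
    rate_ratio == 1 this collapses to naive_extrapolation()."""
    if not 0 < observed_share <= 1:
        raise ValueError("observed_share must be in (0, 1]")
    if rate_ratio < 0:
        raise ValueError("rate_ratio must be non-negative")
    rate_observed = cleaned / scanned
    rate_unobserved = min(1.0, rate_observed * rate_ratio)  # a rate cannot exceed 1
    n_observed = population * observed_share
    n_unobserved = population - n_observed
    return rate_observed * n_observed + rate_unobserved * n_unobserved


def expected_cleanups_for_size(botnet_size, population, scanned):
    """Consistency check in the other direction: if the botnet really had
    `botnet_size` members spread uniformly over `population` machines, how
    many cleanups should a representative sample of `scanned` machines show?
    Compare the result with the 274,372 actually reported."""
    return botnet_size / population * scanned


def active_size_from_capacity_drop(cleaned_active, capacity_fraction_removed):
    """Kuo's reasoning in the ZDNet piece: if cleaning `cleaned_active` bots
    removed `capacity_fraction_removed` of the botnet's DoS capacity, the
    active botnet numbered cleaned_active / fraction.  Implicitly assumes
    every active bot contributed equally to that capacity."""
    if not 0 < capacity_fraction_removed <= 1:
        raise ValueError("capacity_fraction_removed must be in (0, 1]")
    return cleaned_active / capacity_fraction_removed


if __name__ == "__main__":
    naive = naive_extrapolation(MSRT_CLEANED, MSRT_SCANNED, WINDOWS_INSTALLED_BASE)
    print(f"naive (representative sample):         {naive:,.0f}")
    # ASSUMED sweep: auto-update machines are half the base; the other half
    # is infected at 0x, 1x and 3x the observed rate.
    for ratio in (0.0, 1.0, 3.0):
        est = stratified_extrapolation(MSRT_CLEANED, MSRT_SCANNED,
                                       WINDOWS_INSTALLED_BASE, 0.5, ratio)
        print(f"stratified, share=0.5, ratio={ratio}:     {est:,.0f}")
    active = active_size_from_capacity_drop(100_000, 0.2)
    expected = expected_cleanups_for_size(active, WINDOWS_INSTALLED_BASE, MSRT_SCANNED)
    print(f"Kuo, capacity-based active size:       {active:,.0f}")
    print(f"cleanups a 2.6M sample should show for a botnet that size: {expected:,.0f}")
```

Run as written, the representative-sample reading gives about 105 million, and reweighting the unreached stratum moves that figure around but cannot bring it anywhere near the capacity-based 500,000: with the observed stratum at half the base, the observed half alone contributes about 53 million whatever rate is assumed for the rest. Conversely, a 500,000-member botnet spread over a billion machines would produce on the order of 1,300 cleanups in a representative 2.6 million sample, not 274,372. The two readings can only be reconciled if the MSRT population is far from representative or the reported figures mean something other than what the article says, which is the point the quoted reply in the 2007-10-18 message makes.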