Archive for the ‘Malware’ Category

How much power do the bad guys have?

August 31, 2007

Haven’t you ever wondered what the criminals do with all the virus-infected PCs? What we know for sure is that they are used for sending spam, performing DDoS attacks, and other miscellaneous evil activities.

As everyone is aware (I hope), the Storm Worm has been making its rounds over the internet the past few months and adding a tremendous number of PCs to its botnet. Today Peter Gutmann posted to the Full-Disclosure mailing list a quick summary of the estimated power of this botnet.

This doesn’t seem to have received much attention, but the world’s most powerful supercomputer entered operation recently. Comprising between 1 and 10 million CPUs (depending on whose estimates you believe), the Storm botnet easily outperforms the currently top-ranked system, BlueGene/L, with a mere 128K CPU cores. Using the figures from Valve’s online survey, http://www.steampowered.com/status/survey.html, for which the typical machine has a 2.3 – 3.3 GHz single core CPU with about 1GB of RAM, the Storm cluster has the equivalent of 1-10M (approximately) 2.8 GHz P4s with 1-10 petabytes of RAM (BlueGene/L has a paltry 32 terabytes). In fact this composite system has better hardware resources than what’s listed at http://www.top500.org for the entire world’s top 10 supercomputers:

BlueGene/L: 128K CPUs, 32TB
Jaguar: 22K CPUs, 46TB
Red Storm: 26K CPUs, 40TB
BGW: 40K CPUs, 10TB
New York Blue: 37K CPUs, 18TB
ASC Purple: 12K CPUs, 49TB
eServer Blue Gene: ?
Abe: 10K CPUs, 10TB
MareNostrum: 10K CPUs, 20GB
HLRB-II: 10K CPUs, 39GB

This may be the first time that a top 10 supercomputer has been controlled not by a government or megacorporation but by criminals. The question remains, now that they have the world’s most powerful supercomputer system at their disposal, what are they going to do with it?

Here is another good source of information on botnets.

Another Storm Worm Variant

August 27, 2007

If you have not noticed lately, the Storm Worm is using an ever-changing email in its attempts to infect users.

The basics of the Storm Worm: an email gets sent out to some unknown number of users with a link to a web server that attempts to compromise the user’s system. In the beginning it masqueraded as a greeting card email; then it was a registration confirmation email.

Now it has taken a turn that I feel will be able to fool many users into clicking on it. The email hides the known Storm IP link behind a YouTube link. With that site being so popular, I am pretty sure that the botnet will grow even bigger. The current size of the botnet differs depending on the article you read, but you can be assured that it is large and will continue to grow. One estimate has it at 250K to 1 million machines, while another has it at 5 to 10 million.

In case you are interested, here are some sample subject lines and email body text. I have removed the links, of course.

Subject Lines

  • LOL, dude what are you doing
  • LOL, that is too cool…..
  • oh man your nutz
  • Where did you take that?
  • ROTFLMAO, who is that your …
  • I cant belive you did this

And for the body.

  • What are you thinking…if pat sees this your divorced dude. :-{) check it out yourself
  • this i not good. If this video gets to her husband your both dead. this is the link to it.
  • You can see your face right in the video. its all over the web dude. take a look, lol…
  • this i not good. If this video gets to her husband your both dead. go look at it…
  • this i not good. If this video gets to her husband your both dead. check it out yourself
  • What are you thinking…if pat sees this your divorced dude. :-{) see for yourself…
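The lure described above works because the visible link text names youtube.com while the real href points at the Storm node’s IP address. The following is an added example (not code from the original post) of a mail-filter check that parses an HTML body and flags any anchor whose href is a raw IP or whose host differs from the host shown to the reader; the sample body and the 192.0.2.10 address are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def named_host(text):
    # Host a reader would see in link text such as "http://www.youtube.com/..."
    m = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    return m.group(1).lower() if m else None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html_body):
    """Return hrefs that point at a raw IP or at a host other than the one shown."""
    p = LinkCollector()
    p.feed(html_body)
    flagged = []
    for href, text in p.links:
        real = urlparse(href).hostname  # None for relative or malformed hrefs
        shown = named_host(text)
        if real and (is_ip(real) or (shown and shown != real.lower())):
            flagged.append(href)
    return flagged

# Constructed sample in the style of the lures quoted above; 192.0.2.10 is an
# RFC 5737 documentation address, not a real Storm node.
SAMPLE = ('<p>this is not good. If this video gets to her husband your both dead. '
          'this is the link to it. <a href="http://192.0.2.10/video.php">'
          'http://www.youtube.com/watch?v=example</a></p>'
          '<p><a href="http://www.youtube.com/watch?v=abc">www.youtube.com</a></p>')
```

Only the first anchor is flagged: its visible text claims youtube.com but the href resolves to a bare IP, exactly the mismatch this variant relies on.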

BBB Phishing

May 29, 2007

According to Secureworks and others (SANS and SunBelt), there are two different phishing scams making their way around by email.

While both of them are extremely dangerous in their own respects, I find one of them very interesting. It is a highly targeted attack against executive-level managers at companies. It uses an email that claims to link you to documents pertaining to your case. Here are some of the highlights from Secureworks.

Highlights

  • Highly-targeted attack – aimed at specific executive-level company managers
  • Steals all interactive data sent from victim’s IE browser to remote websites
  • Uses browser helper object to access form data before it is SSL-encrypted
  • One stolen data repository located. As of Friday, May 25, there are 1,400 victims and 145 megabytes of data in the repository. Approximately 70 megabytes of data is being collected daily.

The other email contains an attachment (an RTF document) which, when opened, installs several pieces of malware onto the computer opening the attachment. The problem with this one is that, for some reason, it is easier to get a virus past email content scanners with RTF documents.

For more information click on one of the reports above.

McAfee’s – Another Identity Theft Story

May 25, 2007

This story shows how sophisticated virus writers and ID theft criminals are getting: multiple sites, multiple pieces of malware, and the targeting of specific countries. This one in particular targeted users in France.

Read it here.