Monthly Archives: September 2007

Storm Worm Analysis (Take 2)

I’ve read quite a lot in my search on information about the Storm worm.

Capacity

Apparently, a better estimate of the Storm Worm Botnet’ current number of zombie machines is about 10 Million. As such, I’ve redone all my calculations (bottom of the article) with the updated numbers, and I’ve also spent some more time finding other numbers to remove some of the estimations from calculations.

I estimate, that the botnet currently has access to about 15,000 THz of CPU power. The fastest super computer currently in existence, Blue Gene L has 91.8 THz. So, this has fallen with the re-calculations.

I managed to find this report on the state of broadband in the US, which says that the average upload speed (all I’m interested in really) is about 371kb/s. So, I’ve recalculated all of my bandwidth calculations, working from that figure, as outside the US, e.g. canada, Japan, are likely to have much higher upload speeds. Also, Britain is starting to move to 448/812kb/s

About 442GB/s. Which, is equivalent to 339 Million emails per second, or 604 CDROMs worth of data every second.

Use

So, what have the Zhelatin Gang (group of crackers behind the Storm Worm) been up to with all this data capacity?

This report says that they are currently selling distribution capacity, as well as as of the 13th of August, testing their DDoS capacity.

This report from spamnation.info estimates that they are currently attacking a number of Anti- Spam / Malware sites. In fact, a large number of malware sites have / are under attack, including 419eater, which was basically overloaded with about 450GBs an hour worth of traffic, taking it off-line. CastleCops.com, is currently weathering the same high-level of incoming traffic.

Here is a graph of the traffic hitting 419eater.com. The attack took 419eater offline for a number of days, and they’re only coming back online now. They are still under attack, but have moved hosts, to someone who can cope with a massive amount of data incoming.

419eater DOS attack graph

At 11:44, traffic stops, as the site is taken offline, because the guys who hosted their website could no-longer cope with the sheer amount of incoming traffic.

Self Defence

The storm worm is (unfortunately for us) quite clever. It detects when its being used on what is called a virtual machine, a tool that some security researchers use to keep their PC safe from the trojan/virus, whilst they are trying to disassemble it.

Also, the botnet will launch a DDoS attack at any computer that either:

  1. Downloads the virus too many times (Researcher)
  2. Scans an infected computer for the basic signs of infection

I hope all this information is useful. The storm worm has quite worried me recently, and the only real way to combat it now, would be for the ISP’s to take action. Which they are not going to anytime soon – it does not make economic sense to do so.

My calculations are below. If you have any more up-to-date information for me to base them on, I’d love to hear from you. Leave a comment, or send me an email. My address is in the “about” page, linked above.

Calculations

All calculations are in computer-style notation, so * for multiplication, and / for division.

Processing Capacity (Zombies)

Assume 10 Million infected computers. 10,000,000.

Assume an average of 1.5Ghz processor in each computer. (Its probably more like 2.5Ghz, but safe side it.) 15,000,000 Gigahertz (Ghz)

15,000,000/1000 = 15,000 Terahertz (Thz)

Processing Capacity (Blue Gene L Super Computer)

Blue Gene L, has 131,072 Processors, each running at 0.7 GHz (700 Mhz).

131072 * 0.7 = 91750.4 Ghz

91750.4 / 1000 = 91.7504 Thz

Round to 1 decimal place = 91.8 Thz

Data Transfer (Zombies)

Assume 10 Million infected computers. 10,000,000.

Assume that each computer has about 371kb/s upload rate. (Probably a bit higher, but thats the average for the US, so safe-side it. 10 million is still a lot of computers…)

Get the 371 Kilobits into KiloBytes. 1 KiloByte = 8 KiloBits, so:

371/ 8 = 46.375KB/s per bot.

10000000 * 46.375 = 463,750,000KB/s transfer rate. Ok, that’s too mind-boggling. Lets get the numbers to be more sensible.

1 MegaByte = 1024 KiloBytes, so:
463750000 / 1024 = 452,880.859375MB/s. Not readable yet. Again.

1 GigaByte = 1024 MegaBytes, so:
452880.859375 / 1024 = 442.266464233GB/s

Err… I did do these sums right… *checks*. Wow.

Round to 0 decimal places = 442GB/s

Emails per second with 442GB/s bandwidth.

Assume an Average spam email size of 11.76 KB from This article, and rough confirmation from spamnation.info

From our bandwidth calculations above, there is 463,750,000 KB/s bandwidth available. So:

463750000 / 11.76 = 339434523.80952381 emails per second.

Round to 0 decimal places = 339,434,524 emails per second.

Round to 3 significant places = 339,000,000

CDs per second with 442GB/s bandwidth.

CD-ROM total size : 750MB.

From bandwidth calculations above, 452880.859375 MB/s.

452880.859375 / 750 = 603.841145833 CDROMS worth of data transfer per second.
Round to 0 decimal places = 604 CDROMS data per second.

Thanks to

Those on the CastleCops DDoS forum who helped provide data.. and the rest of the DDoS forum guys, for putting up with me whilst I find out more about the Storm / Nuwar botnet.

Useful Linux (Ubuntu) Tidbits

Here are just some morsels of information about the Linux Command line, and more specifically, Ubuntu Linux Command line / system.

  • Users can be added to a group with the command:
sudo adduser <username> <groupname>

In ubuntu, the default system shell is “Dash”. That does speed up your system boot, but it also introduces problems with those scripts which are designed to run in bash, but use /bin/sh to execute. (Which is a surprising amount… this has solved many problems for me. Especially with Asterisk and freePBX.)

  • To set Ubuntu back to using bash from dash, run the following command…
cd /bin && sudo rm sh && sudo ln -s /bin/bash /bin/sh
  • To add a user to the sudoer list (the list that controls who can use “sudo”) use the command
sudo visudo
  • Add a user underneath the “# User privalage specification” comment. If you want just a bog standard sudo user, able to do all on the system, add the line:
<username>    ALL=(ALL) ALL
  • ?Fun? tip: add “insults” to the end of the list of “Defaults” in visudo, so it will look like:
Defaults        !lecture,tty_tickets,!fqdn,insults
  • The system will insult you every time you enter your sudo password wrongly. For a random example, it just gave me this when I deliberately triggered it:
You speak an infinite deal of nothing
  • In Firefox, select the address bar quickly by hitting the “F6” key.
  • Type “pwd” to get the full path to your current directory. e.g.:
kirrus@asus:~$ pwd
/home/kirrus
  • Monit is a useful program, that gives you a good way of keeping an eye on your servers, making sure they don’t run out of harddisk space, or get a high CPU load. It can either perform some function (like stopping a program from running) during high CPU, or send you a warning email.

http://debianhelp.co.uk/monit.htm (useful howto/basic guide)

http://www.tildeslash.com/monit/ (main website)

Monit is in the ubuntu repositories:

aptitude install monit

Scary analysis of Storm Worm

The Storm Worm. A virus and set of malware that has been spreading across the internet since January 2007. According to this article, it is now estimated that it has turned up to 50 Million computers into bots (or Zombie Computers), and is more powerful than a supercomputer.

So, I thought, a fine time to do some number crunching, to see if we can see approximately how powerful this bot-net is. (See here for the full article, with calculations at the bottom, if you’re looking at this from the homepage.)
The bot-net will probably have a maximum of around 40,000 Terahertz (THz) at its disposal. To put that into perspective, the worlds fastest supercomputer (The Blue Gene L) has around 91.8 Terahertz.

Ok, that is a really, really impressive amount of processing power. But what use is that power without being able to get data (spam emails etc.) onto the internet?

61 GigaBytes a second.

You heard me right. The bot network, will have the estimated capacity to pump 61 Gigabytes of data onto the internet per second.

At 20KB an email, thats 3,200,000 (Three Million Two Hundred Thousand), emails per second.
Revised email calculations (see note below): at 11.73KB an email, thats 5,442,177 emails per second.

Or, at 750MB per CDROM, thats 83.3 discs per second.
I think the term “Houston, we have a problem” doesn’t even come close to showing the amount of pain these guys can cause. At that rate of data transfer, this cracker (“hacker” for mass-media) group will be able to take any website in the world off-line, with a Distributed Denial of Service attack. They may even be able to take the internet offline, with another Backbone attack.
Now, this has been a almost-worst-case scenario, but trust me when I say, this is not good. I think, something drastic may be in order.

Note: Checkout my math and assumptions by clicking the “Read More” (if you’re not already in the full post). If you see any problems, or have some more-up-to-date information, feel free to register, and add a comment. (Sorry about forcing you to register. Spammers have been causing problems ><.) Alternatively, my email address can be found on the “about” page above.”
Update: Looks like the bot-net is being brought into play to attack anti-spammer websites.
http://www.spamnation.info/blog/archives/2007/09/419eater_ddosd.html

Update #2: The webmaster of spamnation.info has confirmed (roughly) the analysis of this article, which says the average spam email is 11.76KB. As such, I have revised my email calculations. I’ll probably post a follow-up to this, if I can get any more accurate data to go on, and I may re-do all of the calculations at some point, with a more conservative bot number estimate base.

Calculations

All calculations are in computer-style notation, so * for multiplication, and / for division.

Processing Capacity (Zombies)

Assume 40 Million infected computers, (even though the article says 50,000,000, lets err more on the safe side…) 40,000,000.

Assume an average of 1Ghz processor in each computer. (Its probably more like 1.5, but safe side again.) 40,000,000 Gigahertz (GHz)

40000000/1000 = 40,000 Terahertz (THz)

Processing Capacity (Blue Gene L Super Computer)

Blue Gene L, has 131,072 Processors, each running at 0.7 GHz (700 Mhz).

131072 * 0.7 = 91750.4 Ghz

91750.4 / 1000 = 91.8 Thz (Rounded to 1 decimal place)

Data Transfer (Zombies)

Assume 40 Million infected computers. 40,000,000.

Assume that each computer has about 128kb/s upload rate. (Probably closer to at least 256kb/s, but lets err on the safe site. 40 million is a lot of computers…)

Get the 128 Kilobits into KiloBytes. 1 KiloByte = 8 KiloBits, so:

128 / 8 = 16KB/s per bot.

40000000 * 16 = 64,000,000KB/s transfer rate. Ok, that’s too mind-boggling. Lets get the numbers to be more sensible.

1 MegaByte = 1024 KiloBytes, so:
64000000 / 1024 = 62,500/s. Not readable yet. Again.

1 GigaByte = 1024 MegaBytes, so:
62500 / 1024 = 61GB/s (rounded to 0 decimal places). Err… I did do these sums right… *checks*. Wow.

Emails per second with 61GB/s bandwidth.

Assume an Average spam email size of 20 KiloBytes (This article says 11.76KB, but its out of date, and source is offline. Err on safe side.)

From our bandwidth calculations above, there is 64,000,000 KB/s bandwidth available. So:

64000000 / 20 = 3,200,000 per second.

Emails per second with 61GB/s bandwidth (Revised calculations).

The 11.76KB appears to be accurate, so lets revise these calculations to take that into account.

Bandwidth 64,000,000 KB/s.

64000000 / 11.76 = 5,442,177 emails per second (Rounded to 0 decimal places.)

CDs per second with 61GB/s bandwidth.

CD-ROM total size : 750MB.

From bandwidth calculations above, 62,500 MB/s.

62500 / 750 = 83.3 CDROMS worth of data transfer per second. (Rounded to one decimal point)

How to Configure or Disable Predictive Text in Open Office or LibreOffice

Open Office keeps automatically trying to guess what you’re typing? Sometimes it can be useful, especially if you’re doing something quite repetitive. However, it can also be a bit dumb at times.

Now, Open Office predictive text, actually comes under auto-complete. Don’t ask me why, as to my mind at least, that’s a completely illogical place to put it. Also, Open Office call it “Word Completion”

Configure Open Office Predictive Text

Here are a couple of things you can try to make it more useful.
Click on “Tools” > “AutoCorrect…” > Click on the “Word Completion” tab.

  • Increase the minimum word length.

Make sure that the minimum word length is at least 8. Less than that, and you’re going to get it trying to auto complete too-short words, and get confused. More than 8, it will trigger less often. Tweak this for how much you want to use the predictive system.

  • Delete False Positives

Sometimes, the predictive system just gets confused. An example of this, is if you have used “Disneyland” in a document, and then want to type “Disney” Open Office will keep auto-completing to “Disneyland”. Really, not helpful.

To fix this the only response, is to find and delete the offending word from the predictive system. Click on the word you want to remove (In this case, Disneyland), and click the “Delete Entry” button.

Note: The image has been cropped to make it fit. The dialogue box is longer than this.

Disable Open Office Predictive Text

If you just can’t get it quite to work how you want, then your last resort is to disable the feature. Click on “Tools” > “AutoCorrect…” > Click on the “Word Completion” tab.

Now, untick the box that says “Enable Word Completion”. Your Open Office will no longer automatically try to predict what you’re typing.

Note: if you leave “collect words” ticked, the system will still collect words to Auto Complete, but won’t actually use them. If you’re just turning the feature off for a little while, leave it ticked. Otherwise, untick it, to save memory, and a little bit of processor power whilst you’re working.