Talk:Storm botnet

Article is Out of Date
There is no new information (as of 2009) that I can see in this article. While citing references at FA quality is not my strong suit, I would like to draw the attention of those more skilled editors than myself with an {{outofdate}} tag. Dragonnas (talk) 21:05, 14 November 2009 (UTC)

Compromise
Apparently the botnet has been compromised and is in the process of being taken down. http://www.heise-online.co.uk/security/Storm-Worm-botnet-cracked-wide-open--/news/112385 210.50.248.62 (talk) 19:06, 12 January 2009 (UTC)

DDoS attacks
The DDoS attacks appear to be utilising both SYN attacks and just basic HTML connection overloading attacks. See http://www.castlecops.com/f285-DDoS.html for more info. —Preceding unsigned comment added by 80.229.38.101 (talk) 14:20, 13 September 2007 (UTC)

Methodology, first paragraph. A tad too much drama there? I suggest you log all the IPs that modify this site and tracert them (at least); this was quite surely written by some minor admins of some botnet... -- Sigmundur (talk) 20:24, 29 May 2008 (UTC)

Unsourced info
I just pulled this from the article:

It should be noted that the distributed and anonymous nature of the botnet would make it difficult to be used on any computing task that relies on being able to access information from other computers in the botnet. Most supercomputers have fast interconnects between nodes, and all nodes are easily addressable, whereas the botnet has little to no interconnection between nodes, and nodes aren't easily addressable. Matt Sergeant was also using the absolute upper-most estimates for the size of the botnet, which aren't based on evidence, have massive uncertainty, and will have been popularized by a media looking for whoever will give the largest estimate. (Other estimates in the range of 250,000 to 1,000,000 are often ignored in favor of the 10,000,000 to 50,000,000 estimate which is more frequently cited.)

1-50 million computers? Seems like a pretty wide range... Sounds very fishy. —Preceding unsigned comment added by 76.181.245.163 (talk) 05:19, 14 August 2008 (UTC)

There is also not very much that criminals could do with a vast amount of computing power. Some applications include breaking password hashes, but the applications are limited. The botnet is likely to only be useful to spread spam and make DDoS attacks, and not to give the author(s) computing power.

Those need sourcing, but I haven't been able to find any yet. • Lawrence Cohen  04:53, 3 October 2007 (UTC)


 * I really doubt the second, but WP:BEANS never applied so hard... Wnt (talk) 19:55, 11 January 2008 (UTC)
 * There's a lot of info here that's going to end up as some corner of information technology folklore, I'm sure. "Boy, back in the winter a' two thousand dickety seven, I seen me the biggest botnet you ever did seen!" Lawrence Cohen  22:19, 14 January 2008 (UTC)


 * I don't think anyone's done a good analysis of what they could do with that much CPU power. One thing that they can/do do is generate unique messages for every email, and regenerate the worm signatures on the fly by mutating the payload. SteveLoughran (talk) 20:48, 23 January 2008 (UTC)

Peer review

 * Try to avoid one paragraph sections. Either expand them or combine them with other sections.
 * The article needs more background. What type of virus/worm is this?  How does it relate to other worms/viruses?  What is the evolution of computer infections that led to this one?  What are the possible motivations of its creator?
 * "Way forward" section. What are the plans of network/security engineers to defeat it?  What are the plans to safeguard against this type of infection in the future?
 * How does this internet attack relate to the "big picture"? What does it mean for internet security and usage in general?  What are its long-term ramifications?

All in all, though, a good start on the article. Cla68 06:57, 14 October 2007 (UTC)

To-do list, more headers, milestones
I added them all. Feel free to help out on the article if you're interested. • Lawrence Cohen  20:34, 17 October 2007 (UTC)

Successful good article nomination
I am glad to report that this article nomination for good article status has been promoted. This is how the article, as of October 21, 2007, compares against the six good article criteria:


 * 1. Well written?: Fascinating article. Well worded, good use of language, clear and understandable.
 * 2. Factually accurate?: 35 citations used, with good formatting, looks like the Citation templates were used. Nice work.
 * 3. Broad in coverage?: The four main sections do cover a broad area. Looking at the talk page, moving forward to FA status eventually, I would suggest following that informal Peer Review and expanding it further, i.e. what has been done lately about this, even more developing current events, etc.  The next place to seek advice is Peer Review.
 * 4. Neutral point of view?: Worded quite neutrally, no sense of any bias here.
 * 5. Article stability? Article seems quite stable, I only saw one vandalism issue, keep an eye on this.
 * 6. Images?: No images. Therefore, there are no image licensing problems - but it would be nice going towards FA if there were some relevant images that could be included.

If you feel that this review is in error, feel free to take it to Good article reassessment. Thank you to all of the editors who worked hard to bring it to this status, and congratulations. — Cirt 00:51, 24 October 2007 (UTC)

decline of the storm worm
There is little mention of the botnet's current size. A recent story in PC World (http://www.pcworld.com/article/id,138721-c,virusesworms/article.html) says "The Storm Worm botnet has been shrinking steadily and is about 10 percent of its former size". How about incorporating some such recent estimation of the botnet's size into the article? lennarth 22:36, 27 October 2007 (UTC)
 * Definitely. There are lots of good sources that came out since I last hit it, but I've been short on time/distracted by other articles. Feel free to take a whack at it if you're game. :) • Lawrence Cohen  14:51, 28 October 2007 (UTC)

Images for the article
I'm going to personally get back to work on expanding this out more in December. It's been idle for too long. In the meanwhile, does anyone have any suggestions for images for this article? The images on malware and botnet type articles are passable, but not the very best. Suggestions? • Lawrence Cohen  19:48, 27 November 2007 (UTC)
 * How about a graph (hits vs time) of one of the DDoS attacks mentioned in the article? It seems like that data should be available somewhere.  --W0lfie (talk) 17:25, 28 November 2007 (UTC)
 * I think that could work, and wouldn't be original research. I'm pretty terrible at any sorts of graphing or graphics work, though. Is that something you can do? • Lawrence Cohen  17:43, 29 November 2007 (UTC)
 * I think the preferred format for graphs here is SVG. I'll look and see if there's a good tool to manipulate data and spit out an SVG file.  Would you be able to get the data? --W0lfie (talk) 22:48, 13 December 2007 (UTC)
 * PS Collaboration to convert graphs to SVG --W0lfie (talk) 22:54, 13 December 2007 (UTC)
 * I haven't been able to find a good RS for that sort of information, unfortunately, yet. Lawrence Cohen  22:53, 27 December 2007 (UTC)

FAC request
I've submitted the article for a Feature Article Review. Thanks everyone that helped! Lawrence Cohen 23:00, 27 December 2007 (UTC)

Tremendous read. I've not commented in the FAC yet as that requires rather more attention to detail (checking for top quality prose, checking the quality of the sources you have referenced, and so on) but on an informal basis let me say it's a great effort. --kingboyk (talk) 19:42, 28 December 2007 (UTC) PS Can't help but be impressed by the sinister geniuses behind this botnet, either
 * Thank you! :) And yes, the masterminds behind it all are frighteningly clever--especially since unless you're an IT professional, you may never know you're under their control. And even then, maybe not? Lawrence Cohen  20:19, 28 December 2007 (UTC)

Location of malware servers?
Is there a public posting of current locations of the malware servers? How many times or in what way do they have to be accessed to trigger a DDoS attack from the botnet? It does not seem to me that it would be in any way unethical for a dissatisfied employee or protesting student to intentionally mimic a DDoS researcher's actions to provoke such an attack against his network, since it simply redirects the ongoing activities of a criminal organization, and it would have the curious side effect of making life easier for the researchers. But is that what people involved in security and enforcement believe? Wnt (talk) 18:08, 6 January 2008 (UTC)
 * Most of this from my understanding of digging up this article is that the researchers (and obviously the botmasters) guard this information very carefully, so no one gives away too much, except to law enforcement. If you could possibly find something like this in a valid source, I'd love to add it. Could be very interesting. Lawrence Cohen  06:18, 7 January 2008 (UTC)
 * Sorry, I thought the community collaboration to track these people would be more open than that - I certainly have no special knowledge and was surprised when I couldn't find it in a Web search. Wnt (talk) 02:44, 8 January 2008 (UTC)

Wording in the lead
I undid FrummerThanThou's wording change. FrummerThanThou, please explain why you think your version is better. The wording there is unclear compared to what it was. Lawrence Cohen 06:40, 9 January 2008 (UTC)
 * The current incarnation is a Featured Article, so does the wording of the lead need to be changed if the article itself isn't changing in a significant way? Hewinsj (talk) 13:37, 9 January 2008 (UTC)
 * That's what I was wondering, myself. Lawrence Cohen  14:10, 9 January 2008 (UTC)
 * featured articles are not set in stone. frummer (talk) 17:30, 9 January 2008 (UTC)
 * hi lawrence, plz take up issue with the exact words you didn't like. i thought they spoke for themselves, such as "speculate" on a few instances. frummer (talk) 17:30, 9 January 2008 (UTC)

Well, since you asked, this is the diff of reverting your changes, to act as a reading guide for this (open it in a new tab):


 * "which has come to worldwide attention amongst computer security vendors due to its speculated size and control."
 * No source for your sentence here. Who said this was receiving attention because of its size, implying it was feeding on itself? Who said worldwide?


 * "speculated to control"
 * Not needed: we can quote experts as authorities, and in nearly all cases their very wording is speculative. No need to say this here, and we shouldn't say they speculated--who said they were speculating? We can quote experts factually.


 * "instant messaging and link spam"
 * Source?


 * "alltime biggest"
 * Source?


 * "or have shrunken to"
 * This wording is just plain awkward.


 * "but with the C&C server constantly evading detection, the seizure of which would lend veracity either ways, conflicting reports only spike further speculation."
 * Very awkward wording, and there is no point in getting into the high concepts of the C&C that early as an acronym, because it's confusing there. It's explained in context it belongs in later under the composition of the botnet section.


 * "As of September 2007 the botnet was reportedly powerful enough to force entire countries off the Internet, and is speculated it to potentially" ...
 * On the section, I'm certainly not married to the wording, either can work, so I'd be inclined to leave it as-is if it's fine now. What do others besides ourselves think? Please weigh in.


 * "as a decentralised system, its comparison to a supercomputer is"
 * My version of "according to security analyst James Turner" is needed here, to attribute who said that.


 * "Known to be used" vs. "used"
 * Used is fine, as we have this cited from the expert authorities on the matter. No need to qualify this in any way.

Overall, aside from possibly the "As of September 2007..." section, I don't see a need to change the wording. Lawrence Cohen 17:46, 9 January 2008 (UTC)


 * hi lawrence, i know you've put a lot of work into the storm botnet article but i must remind you that we mustn't piss on our turf here and be careful to take up issue with changes on the talk page. the Storm, Nugache, Peacomm, and Nuw botnets are an entirely new breed of malware in that they are completely decentralized and impossible to crawl deeply and make authoritative estimations of their size and control.


 * the wide ranging estimates as to the size of the botnet that the researchers come up with show how in fact these estimations are in fact speculations. the only way proper estimations can be made would be if we could actually crawl the entire botnet, but with the C2 server evading detection and bots talking to each other in an encrypted IRC channel, morphing their code every 30 mins and popping up and down like rabbits in holes, it is simply not possible.


 * as Schneier says to this effect, until the controller is cuffed, there won't be much we can know for sure. in regards to every possible detail of its size over time, we can only speculate.


 * frummer (talk) 17:50, 9 January 2008 (UTC)
 * And I agree, but I still think it is more important to only put sourced information into the article, attributable to the cited experts. We can't come to our own conclusions, and Schneier's statement from learning about this I feel is accurate, but not a single definitive point. I'll move this over to the Storm botnet talk page. What do you mean by pissing on our turf? Lawrence Cohen  18:01, 9 January 2008 (UTC)
 * Hi Frummer, in reply to your email, I don't have IM, unfortunately, and very, very strongly prefer to do content or policy talk in public so that others can weigh in. Thanks. We are in no rush, so I can wait for your points here instead of real time. Lawrence Cohen  18:24, 9 January 2008 (UTC)

Purported?
Re: The section header "Purported decline of the botnet", Purported is quite a loaded word to use in a front page FA section header. The original wording of Reported, changed in December 2007, seems more in keeping with NPOV policy and is backed by the section's content (a report need not be accurate in everyone's view; being backed by substantial verifiable sources, as here, suffices). Even Claimed, though not entirely free of bias, would be a better choice for neutrality.

I personally believe there is a content slant throughout the article which is at odds with featured article criteria #1d "Neutral" means that the article presents views fairly and without bias, but at a minimum, I think most can agree it is vital to avoid using titles which immediately cast doubt on the truth of the content. -- Michael Devore (talk) 06:54, 14 March 2008 (UTC)
 * I don't disagree with this point specific to this article, and will update it. Lawrence  §  t / e  14:52, 15 March 2008 (UTC)
 * Thanks for the change. I appreciate the consideration. -- Michael Devore (talk) 16:39, 15 March 2008 (UTC)

No image for main page?
Why is the image in this article not used on the main page? It is in the public domain so I don't see any fair use problems with it, and I think it illustrates the idea behind this article very well. Gary King (talk) 00:05, 16 March 2008 (UTC)

Grow up, wikipedia
Come on, first video games as feature articles and now this? Grow up, wikipedia. Andrew zxc (talk) —Preceding comment was added at 01:31, 16 March 2008 (UTC)
 * What a ridiculous comment. tyx (talk) 03:15, 16 March 2008 (UTC)


 * I would like to ask why you think this fails notoriety? If anyone needs to do growing up, it may be you Rotovia (talk) 03:16, 16 March 2008 (UTC)


 * Good articles are good articles. 99.230.152.143 (talk) 15:26, 16 March 2008 (UTC)


 * This is a great article. Really well written, fascinating topic.  Congrats to the principal authors.   Tempshill (talk) 05:55, 17 March 2008 (UTC)

Front page of WP
Whoa, I just noticed the article I began got there!! Where was the discussion for that, I totally missed it (I am not complaining, though, wow)! Lawrence §  t / e  04:29, 16 March 2008 (UTC)

Holy Crap
This is one hell of a "multi-virus" so to speak. I wouldn't be surprised if it visited this page... —Preceding unsigned comment added by 71.119.129.200 (talk) 06:18, 16 March 2008 (UTC)
 * Yeah I kept thinking of what the makers of the virus thought of this page. They could easily take down Wiki or take control of this page's content. I assume they are okay with it. Rekija (talk) 23:25, 16 March 2008 (UTC)

Estimate in the intro
In the intro paragraph, I didn't understand what is meant by "it was estimated to run on as many as 1 to 50 million computer systems"? Should it instead say "it was estimated to run on a million computer systems; some estimates suggested 50 million computer systems". or did I misunderstand? Sam Staton (talk) 10:40, 16 March 2008 (UTC)


 * 1 to 50 million means between 1000000-50000000. An analogous statement might be, "fred has 1-20 cats" meaning that fred owns at least 1 cat, but he may have up to 20 cats.
 * However I agree it could have been worded better. Though even if given the worst interpretation, i.e. that at times there may only be one PC in the net, it is probably true enough. It is indeed possible that at times there may only be one bot in the net - though this is improbable, it is not impossible. —Preceding unsigned comment added by 219.90.158.147 (talk) 12:31, 16 March 2008 (UTC)
 * "As many as" is often used incorrectly before a range. It should precede a single, upper-limit number. I changed the wording to what I think the author meant to express. -Eric talk 13:13, 16 March 2008 (UTC)

I'm also finding the phrase "1 to 50 million" confusing/ambiguous -- I read it as "1 to 50,000,000" rather than as "1,000,000 to 50,000,000." (This may be an artifact of different dialects of English.) I'm going to boldly change this to "1 million to 50 million", which is both correct and unambiguous. -- Writtenonsand (talk) 13:38, 16 March 2008 (UTC)
 * That's a good change. Lawrence  §  t / e  18:08, 16 March 2008 (UTC)

Sarah Connor
This article clearly needs a section on Storm botnet's attempt to locate and kill Sarah Connor. --Xyzzyplugh (talk) 14:41, 16 March 2008 (UTC)
 * Cute. I always did wonder when building this article if the defensive steps were done manually, or if they actually wrote some sort of system into Storm to have it respond in a list of ways to certain things. Lawrence  §  t / e  18:09, 16 March 2008 (UTC)
 * I too couldn't help but draw similarities between this and Skynet. If there was someone notable connecting the dots I wouldn't be against mentioning it in the article but so far I've not seen anything. Rekija (talk) 23:21, 16 March 2008 (UTC)

Partial deletion
Given the...colorful metaphors just used by a vandal in his edit summaries, it might be advisable to outright delete those versions (by deleting the article and restoring everything but those edits) so those aren't visible to the public-at-large in the article history. Probably should wait until after the article is no longer the FA of the day though. Postdlf (talk) 17:38, 16 March 2008 (UTC)
 * I don't believe that profanity in edit summaries is considered a big problem. We have profanity in the bodies and the names of many articles, in fact.  See Fuck (disambiguation).  The method you suggested is used when edit summaries contain serious WP:BLP violations, like accusing real people of crimes; I don't think anyone would think it was worth the time just to get profanity removed.  --Xyzzyplugh (talk) 18:05, 16 March 2008 (UTC)
 * Yeah, it's no big deal. Lawrence  §  t / e  18:08, 16 March 2008 (UTC)

Methodology section
I can't make the bandwidth math in the DoS section work. It's uncited, so there's not much to go on. The units also need to be verified (see Kilobit per second) and corrected. --Zoombody (talk) 20:19, 16 March 2008 (UTC)

Cleaning infected machines
I'm very surprised this page doesn't bring any information on how to clean an infected machine. Even how to know your computer is infected. Am I missing something here? —Preceding unsigned comment added by 201.42.190.169 (talk) 22:58, 16 March 2008 (UTC)
 * Wikipedia is not a guide, however some sources to guides couldn't hurt. Rekija (talk) 23:13, 16 March 2008 (UTC)


 * It would be redundant info, the sort of people who have been infected are the sorts of clowns who don't know it exists or alternatively can't follow simple instructions for safety e.g. "don't open email from anyone unless you are sure you know them" so won't be able to follow any simple removal instructions either provided directly or via a link. —Preceding unsigned comment added by 219.90.176.8 (talk) 09:32, 17 March 2008 (UTC)
 * Well, it's not that... it's just got to be reliably sourced information, not just a guide or manual. Lawrence  §  t / e  17:22, 17 March 2008 (UTC)
 * We'd need a reliable source, really, on this. Anyone ever seen anything on Storm removal? Half the stuff is still so secret that I've never seen such a thing, let alone in a reliable source. Lawrence  §  t / e  17:22, 17 March 2008 (UTC)
 * here: basically, install the latest Microsoft security updates. Geni 00:55, 26 July 2008 (UTC)

New botnet in town?
link -- Shark face  217  23:25, 7 April 2008 (UTC)
 * Yeah, saw it earlier. Someone mailed me today saying I should keep an eye on it for a new article section on both sides in case "they go to war". Crazy world... Lawrence  §  t / e  23:28, 7 April 2008 (UTC)
 * You mean Kraken botnet? Please help improve that article.  Verifiable facts about how the thing works are greatly appreciated. davidwr/  (talk)/(contribs)/(e-mail)  23:29, 7 April 2008 (UTC)
 * For the facts on the guts of the thing, don't expect anything soon. It took months after Storm became public for that kind of info to come out. Lawrence  §  t / e  23:30, 7 April 2008 (UTC)
 * Yeah, that kind of information is generally closely held by those in the know, on both sides of the equation, for a variety of reasons. It'll be a while before there's anything significant publicly known about it (at which time the reports from now will almost certainly be proven erroneous, quite possibly by orders of magnitude - in which direction, I could only guess). —Krellis (Talk) 23:48, 7 April 2008 (UTC)
 * Sort of like the early estimates (that first got me curious about Storm, actually) that this botnet was "7,000,000+ strong, can knock nations offline, destroy Western civilization, and sell your children into slavery!!" Lawrence  §  t / e  23:51, 7 April 2008 (UTC)
 * Even the current estimates of Storm are highly controversial and widely disputed. Only the controllers likely really know the extent of the network (and perhaps even they don't!) —Krellis (Talk) 23:53, 7 April 2008 (UTC)
 * Latest word on Storm is that it has come back with a major redesign now called Waledec. See link1, link2 and link3 for further information. Suggestion to add what good information is in those articles. --41.247.115.17 (talk) 13:45, 16 January 2009 (UTC)

Interesting new reference
http://www.darkreading.com/document.asp?doc_id=151862&f_src=drdaily Jehochman Talk 18:33, 24 April 2008 (UTC)

This may be help also. http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231 PS. read the whole thing —Preceding unsigned comment added by Rabbit67890 (talk • contribs) 03:12, 8 January 2009 (UTC) Link dead 66.230.114.105 (talk) 18:27, 9 May 2009 (UTC)

Proposal to remove date-autoformatting
Dear fellow contributors

MOSNUM no longer encourages date autoformatting, having evolved over the past year or so from the mandatory to the optional after much discussion there and elsewhere of the disadvantages of the system. Related to this, MOSNUM prescribes rules for the raw formatting, irrespective of whether or not dates are autoformatted. MOSLINK and CONTEXT are consistent with this.

There are at least six disadvantages in using date-autoformatting, which I've capped here:

Removal has generally been met with positive responses by editors. Does anyone object if I remove it from the main text (using a script) in a few days’ time on a trial basis? The original input formatting would be seen by all WPians, not just the huge number of visitors; it would be plain, unobtrusive text, which would give greater prominence to the high-value links. Tony  (talk)  06:54, 24 July 2008 (UTC)

nugache redirects back to this same page. link removed 76.181.70.43 (talk) 03:16, 6 August 2010 (UTC) Dan

Work needed
Hello everyone - Unfortunately, this article does not meet the current standards for a featured article. The major issue is that it is significantly out-of-date, as has been pointed out by the cleanup banner that has been located at the top of the article for almost two years. The majority of the article's information ends at 2008, and there is absolutely nothing since 2010. What has happened with this system over the past 2-4 years? There are also several dead links, see here. If work is not completed on these issues in the next few weeks, this article will need to be taken to WP:Featured article review for a possible revocation of its featured status. Dana boomer (talk) 15:00, 24 September 2012 (UTC)

External links modified
Hello fellow Wikipedians,

I have just added archive links to one external link on Storm botnet. Please take a moment to review my edit. If necessary, add after the link to keep me from modifying it. Alternatively, you can add to keep me off the page altogether. I made the following changes:
 * Added archive https://web.archive.org/20091006100315/http://media.ccc.de:80/browse/congress/2008/25c3-3000-en-stormfucker_owning_the_storm_botnet.html to http://media.ccc.de/browse/congress/2008/25c3-3000-en-stormfucker_owning_the_storm_botnet.html

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

Cheers.—cyberbot II  Talk to my owner :Online 16:28, 21 January 2016 (UTC)