Courtesy of Heise, we learn the details of flaws that researchers have found in the Storm Worm botnet.
The whole article is interesting, but I found this most interesting:
Using this background knowledge, they were able to develop their own client, which links itself into the peer-to-peer structure of a Storm Worm network in such a way that queries from other drones, looking for new command servers, can be reliably routed to it. That enables it to divert drones to a new server. The second step was to analyse the protocol for passing commands. The researchers were astonished to find that the server doesn’t have to authenticate itself to clients, so using their knowledge they were able to direct drones to a simple server.
What kind of savant goes to all the trouble of building a worm as sophisticated as Storm and then leaves out authentication? This sort of thing is why I still hold out hope for the future of computing–the Bad Guys make dumb moves just as serious as the rest of us do.
Of course, now the Storm folks will add authentication to their network… But before that happens, could the good guys act as an antibody and cure the disease?
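To make the missing check concrete, here is an added example (mine, not code from the Heise article or the researchers) modelling a client that learns its controller's address from peers: first trusting any answer, then accepting only announcements that carry a valid tag and a fresh serial. The same check applies to any P2P or auto-update client that takes configuration from untrusted peers. The host names, key and announcement format are constructed, and HMAC stands in for the asymmetric signature a real design would use so that clients hold only a public key.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample key that only the legitimate operator holds.
# (Stand-in: a real design gives clients a public key and uses a signature,
# so a captured client cannot be used to forge announcements.)
OPERATOR_KEY = b"constructed-operator-key-not-real"


@dataclass
class Announcement:
    server: str      # "host:port" of the claimed command server
    serial: int      # monotonically increasing; blocks replay of old announcements
    tag: str = ""    # hex MAC over (server, serial); empty when unauthenticated


def canonical(server: str, serial: int) -> bytes:
    # Fixed encoding so sender and verifier MAC identical bytes.
    return json.dumps({"server": server, "serial": serial}, sort_keys=True).encode()


def make_announcement(server: str, serial: int, key: bytes = OPERATOR_KEY) -> Announcement:
    tag = hmac.new(key, canonical(server, serial), hashlib.sha256).hexdigest()
    return Announcement(server, serial, tag)


def pick_server_unauthenticated(current: Announcement, received: list) -> Announcement:
    # The flaw described above: every peer's answer is trusted and the newest wins.
    return max(received + [current], key=lambda a: a.serial)


def pick_server_authenticated(current: Announcement, received: list,
                              key: bytes = OPERATOR_KEY) -> Announcement:
    best = current
    for a in received:
        expected = hmac.new(key, canonical(a.server, a.serial), hashlib.sha256).hexdigest()
        # Constant-time comparison; forged tags and stale/replayed serials are dropped.
        if hmac.compare_digest(expected, a.tag) and a.serial > best.serial:
            best = a
    return best


def demo() -> tuple:
    current = make_announcement("controller-a.example:4444", serial=10)
    # Constructed traffic: a rogue peer injects a redirect with a higher serial but no valid tag.
    rogue = Announcement("redirect.example:4444", serial=99)
    return (pick_server_unauthenticated(current, [rogue]).server,
            pick_server_authenticated(current, [rogue]).server)


if __name__ == "__main__":
    print(demo())  # ('redirect.example:4444', 'controller-a.example:4444')
```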
Chandler Howell Says:
The asymmetric rules of engagement really hurt the Good Guys here–they can’t exploit the vulnerability to clean up the machines, though the Bad Guys certainly would, so the Bad Guys get a “Free Pass” to fix the vulnerability, either now or next time.
There’s also a “Security by Obscurity” lesson here–I suspect that the malware writers expected that the lack of authentication would not be discovered behind the other layers of protection for their tool–until it was.
bob Says: