Tuesday, February 17, 2009

Go away, we're not home

The other day one of my buddies and I were just sitting around monitoring our TCP/IP traffic when all of a sudden we started receiving ACK packets from addresses we had not sent any data to at all. The interesting thing was, the packets only contained a packet header and 23 bytes of data. “Go away, we're not home” was the message we were sent. After taking the recipient of the packets off the web temporarily, I hopped a few gateways and ran a port scan on the computer that had sent us the packets. It was a normal Windows machine with all the typical ports open, 123, 139, and 445 if I remember correctly, but port 21 was also open. Looking into this further, it was apparent that indeed port 21 was open, but not for file transfer protocol. Whenever any data was sent to the port, it closed the connection and sent the “Go away, we're not home” message. In fact, probing any port, even closed ports, on the machine produced this response.

Turning to the web for answers, we realized that these machines that we had stumbled upon, 5 to be exact, were most likely a part of the Storm botnet. After collecting a few more pieces of data, we decided to leave the machines alone.

Today I was reading a little more about the botnet on the web when I came across a webpage on which Microsoft takes credit for dismantling the Storm botnet. First of all, the Storm botnet is hardly dismantled. Second, it's Microsoft's fault the botnet got as large as it did in the first place. Even if they did reduce it in number, that's nothing to brag about. Their product is hosting something with enough power to mess up the Internet across the globe. It's not the time for bragging.

Proprietary software makes me ill.
