The Storm Worm

2007-10-05

in Geek stuff, Internet matters, Security

The Storm Worm is scary for a number of good reasons. It acts patiently, slowly creating a massive network of drone machines and control systems, communicating through peer-to-peer protocols. It gives little evidence that a particular machine has been compromised. Finally, it creates a malicious network that is particularly hard (maybe impossible, at this time) to map or shut down.

This is no mere spam-spread annoyance. If it takes over very large numbers of computers and remains in the control of its creators, it could be quite a computational force. The only question is what they (or someone who rents the botnet) will choose to use it for, and whether such attacks can be foiled by technical or law-enforcement means. Hopefully, this code will prove a clever exception to the norm, rather than a preview of what the malware of the future will resemble.

Normally, I don’t worry too much about viruses. I use a Mac, run anti-virus software, use other protective programs, make frequent backups, and use the internet cautiously. While those things are likely to keep my own system free of malware, I naturally remain vulnerable to it. That’s where most spam comes from. Also, there is the danger that a network of malicious computers will crash or blackmail some website or service that I use. With distributed systems like Storm, the protection of an individual machine isn’t adequate to prevent harm.

Previous related posts:

Report a typo or inaccuracy

{ 9 comments… read them below or add one }

Milan October 4, 2007 at 9:58 am

The Storm botnet, or Storm worm botnet, is a massive network of computers linked by the Storm worm. This botnet, that is estimated to run on as many as 1,000,000 to 50,000,000 infected computer systems as of September, 2007. It’s formation began around January, 2007, when the Storm worm at one point accounted for 8% of all infections on all Windows computers.

The botnet reportedly is powerful enough as of September 2007 to force entire countries off of the Internet, and is estimated to be able to potentially execute more instructions per second than some of the world’s top supercomputers. However, it is not a completely accurate comparison, according to one security expert, who said that comparing a botnet and a supercomputer is like comparing an army of snipers with a nuclear weapon. Another said, “The more worrying thing is bandwidth. Just calculate four million times a standard ADSL connection. That’s a lot of bandwidth. It’s quite worrying. Having resources like that at their disposal — distributed around the world with a high presence and in a lot of countries — means they can deliver very effective distributed attacks against hosts.”

Anon October 15, 2007 at 9:58 am

too quiet…
By shothotbot on security

If Bruce Schneier, the expert voice of security moderation, is “worried” than so am I. Since the beginning of the year Storm, an advanced, distributed worm network has been growing quietly as its authors tweak its social engineering attack. Now it seems that it is in place and waiting. Schneier’s article. Digital Intelligence and Strategic Operations Group has been monitoring Storm for a year.

Milan October 16, 2007 at 5:27 pm

Storm Worm Botnet Partitions May Be Up For Sale

“There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that’s a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities.”

Milan October 21, 2007 at 4:46 pm

Storm Worm Being Reduced to a Squall

Rumours of financial schemes surrounding the botnet aside, PC World has an article that should lower the blood pressure of some SysAdmins. The Storm Worm botnet is apparently shrinking. A researcher out of UC San Diego who has been tracking the network has published a report indicating it is now only 10% of its former size. “Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world’s most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time. Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network.”

R.K. November 12, 2007 at 6:16 pm

Related:

The World’s Biggest Botnets
What makes three of today’s largest botnets tick, what they’re after – and a peek at the ‘next’ Storm

NOVEMBER 8, 2007

. December 6, 2007 at 12:49 pm

Inside the “Ron Paul” Spam Botnet

Getting the Malware in Hand

At this point, armed with the IP addresses of current bots, it is possible to trace the command and control server of the botnet with cooperation from network administrators who have bots on their network. By monitoring and correlating network flows, the command center was soon tracked to a server at a co-location facility located in the U.S., one that is well known to malware researchers as a frequent host of this type of activity.

These clues also led us to the name of the malware behind the botnet – Trojan.Srizbi. Based on this we were able to locate several variants for testing, the earliest one having been compiled on March 31, 2007. At the end of June, Symantec wrote a fairly detailed blog entry about Srizbi. Information concerning technical details of Srizbi and its removal is available from various anti-virus firms, and will not be covered here.

How Srizbi is Spread

Analysis of recently compromised machines indicated that Srizbi is being spread by the n404 web exploit kit, through the malicious site msiesettings.com. This is a well-known “iframe affiliate” malware install site, where the site owner gets paid by different botnet owners for spreading their malware. A trojan is installed by the exploit kit which regularly requests a remote configuration file containing URLs of additional malware to download and install. Previous reports have implicated the use of the MPack web exploit kit in spreading Srizbi as well, so it seems this is the Srizbi author’s preferred method of building the botnet.

Unfortunately for Srizbi’s author, this approach may have some drawbacks – one machine we analyzed was infected with no less than nine other spambots, belonging to the malware families Ascesso, Cutwail, Rustock, Spamthru, Wopla and Xorpix. While installing multiple spambots may increase profits for the web exploiter, it forces the different spam engines to share resources and bandwidth. Some of these spambots utilize a great deal of CPU time and memory, which means not only is the system less efficient for the other spammers’ use, but may force the victim to seek technical help to fix their “slow” machine, leading to premature removal of the bots. It also is likely to land the IP address of the infected machine in DNS blocklists much faster, rendering the bot much less effective in bypassing spam filtering.

. April 7, 2008 at 2:44 pm

New Botnet Dwarfs Storm

By CmdrTaco on that’s-a-lotta-zombies

ancientribe writes “Storm is no longer the world’s largest botnet: Researchers at Damballa have discovered Kraken, a botnet of 400,000 zombies — twice the size of Storm. But even more disturbing is that it has infected machines at 50 of the Fortune 500, and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques that hinder its detection and analysis by researchers.”

. November 13, 2009 at 10:10 am

Atrivo Shutdown Hastened Demise of Storm Worm

The infamous Storm worm, which powered a network of thousands of compromised PCs once responsible for sending more than 20 percent of all spam, appears to have died off. Security experts say Storm’s death knell was sounded by the recent shutdown of Atrivo, a California based ISP that was home to a number of criminal cyber crime operations, including at least three of the master servers used to control the Storm network.

The Storm network consisted of a complex hierarchy of servers designed to balance the load of sending spam and and to hide the location of the master servers that the Storm worm authors used to operate the network.

Three out of four of those control servers were located at Atrivo, a.k.a. Intercage, said Joe Stewart, a senior security researcher with Atlanta based SecureWorks who helped unlock the secrets of the complex Storm network. The fourth server, he said, operated out of Hosting.ua, an Internet provider based in the Ukraine.

. September 22, 2010 at 12:23 pm

“The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.

“It’s amazing, really, the resources that went into this worm,” said Liam O Murchu, manager of operations with Symantec’s security response team.

“I’d call it groundbreaking,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google’s network and those of dozens of other major companies, were child’s play.”

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

{ 1 trackback }

Previous post:

Next post: