Storm worm going out with a bang, mounts DDoS attacks against researchers October 26, 2007
Posted by eastvalleygeeks in 10750. Comments closed.
When we last wrote about the Storm Worm in September, Heise Security had noted that the growing botnet had not yet been used for much, but could be a threat in the future. “[A]lthough the network has so far been primarily used to send spam, it could also be used for DDoS attacks on businesses or even countries,” said Heise. Since then, Heise’s prediction has come true; the worm now attacks those who publish new information on the inner workings of the worm. Researchers are allegedly “running scared” from the worm, which seemingly has a sentient ability to detect and attack whoever threatens it.
IBM/ISS host-protection architect Josh Korman told Interop New York conference attendees this week that the worm has the ability to see who is probing its servers and launch a DDoS attack on that IP as retaliation. As a result, some researchers are afraid to publish any of their findings about the worm for fear of even harsher retaliation. “As you try to investigate [Storm], it knows, and it punishes,” Korman said, as recounted by Network World. “It fights back.”
Since its inception early this year, the Storm Worm has been spreading like wildfire. It first came as spam e-mail and claimed to provide information on storms going on in Europe, but soon began to morph into many different forms—presumably to avoid easy tracking. In almost every instance, the worm sent spam that contained a link, which would then infect the user’s computer in order to send more spam. It appeared as if the worm’s only purpose was to get as many computers as possible as part of its massive botnet, which (as we now know) is used to launch DDoS attacks.
There has been some level of debate over just how serious the Storm Worm’s threat really is, and whether the botnet is as big as some researchers claim. Some had estimated that up to 15 million computers had become part of the Storm Worm’s botnet, but others disagree, citing numbers in the hundreds of thousands. Detractors also point out that awareness of the worm allowed antivirus and malware-removal programs to target the worm in recent months, cutting down the number of infected computers even further. Indeed, Microsoft’s anti-malware team added the Storm Worm to its Malicious Software Removal Tool on September 11th. That update was pushed out to millions of Windows users and eliminated many infected nodes almost overnight.
Storm Botnet May Co-opt Infected PCs October 18, 2007
Posted by eastvalleygeeks in 10750. Comments closed.
Changes to some variants may mean the Trojan's creators are "selling" compromised systems to spammers.
The hackers behind the pernicious, persistent Storm Trojan are getting ready to slice off pieces of the botnet created by their malware so that they can “sell” the compromised computers to spammers and denial-of-service attackers, a researcher said Tuesday.
That’s the most likely explanation for the encryption added to secure the command-and-control traffic between the bot herder and some bots, said Joe Stewart, a senior security researcher at SecureWorks Inc. According to Stewart, who has closely tracked Storm since its debut in January, the newest variants include a 40-byte key that encrypts the command traffic. Unlike other bot-building Trojans, Storm uses peer-to-peer (P2P) rather than IRC (Internet Relay Chat) to receive commands, a tactic that has made its bots harder to take down.
“One possibility is that they’re splitting [the botnet] and selling off individual botnets to spammers,” said Stewart. “If they’re going to sell, they need to have it so each botnet is on a separate network. The easiest way to do that is to scramble the peer-to-peer Overnet traffic.”
If Stewart is right and the people responsible for Storm are getting ready to cash in, it would be a first. Until now, Storm has busied itself only with spreading more copies to uninfected PCs, and with several pump-and-dump stock-scam spam campaigns. There’s no evidence that the botnet has been rented out or sold before, said Stewart.
“This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS [domain name system] and hosting capabilities,” Stewart said. “If that’s the case, we might see a lot more of Storm in the future.”
Stewart, who characterized the new encryption used by Storm as “not strong,” said that the addition would actually help security researchers in the long run: It should be easier to separate the command-and-control from the rest of the Overnet P2P traffic. “It makes it a little easier. We should be able to tell at a glance whether the traffic is coming from a Storm node or an eDonkey [P2P] client.”
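The two observations above, that scrambled command traffic no longer parses as Overnet and that a fixed 40-byte key is "not strong," can both be shown on the wire. The following is an added example written for this page; it is not code from the article, from SecureWorks or from any Storm analysis. It assumes that Overnet/eDonkey UDP packets begin with the protocol byte 0xE3 followed by a one-byte opcode (the opcode subset used here is a stand-in), and it models the scrambling as repeating-key XOR with a 40-byte key, which the article does not state. The key, the IP addresses and every packet are constructed for the example.

```python
from collections import defaultdict

OVERNET_PROTO = 0xE3  # assumed eDonkey/Overnet UDP protocol marker
# Assumed subset of Overnet opcodes (connect, connect-reply, publicize, publicize-ack,
# search, search-next, search-info, search-result, search-end, publish, publish-ack).
OVERNET_OPCODES = {0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14}
KEY = bytes(range(0x41, 0x41 + 40))  # constructed 40-byte key; not Storm's real key


def xor_scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the assumed model of the 'not strong' scrambling. Self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def overnet_packet(opcode: int, body: bytes = b"") -> bytes:
    """Build a minimal (assumed-layout) Overnet UDP payload: marker, opcode, body."""
    return bytes([OVERNET_PROTO, opcode]) + body


def parses_as_overnet(payload: bytes) -> bool:
    """The 'at a glance' check: a valid marker byte followed by a known opcode."""
    return len(payload) >= 2 and payload[0] == OVERNET_PROTO and payload[1] in OVERNET_OPCODES


def classify_sources(packets):
    """Group UDP payloads by source address and return a verdict per source:
    'overnet' (all packets parse), 'not_overnet' (none parse) or 'mixed'."""
    counts = defaultdict(lambda: [0, 0])
    for src, payload in packets:
        counts[src][0 if parses_as_overnet(payload) else 1] += 1
    return {
        src: "overnet" if bad == 0 else "not_overnet" if ok == 0 else "mixed"
        for src, (ok, bad) in counts.items()
    }


def fixed_key_signature(payloads) -> bool:
    """Under a fixed repeating key every packet starts with 0xE3 ^ key[0], so the first
    ciphertext byte is the same in every packet, while unrelated noise usually varies.
    Heuristic only: any sender whose packets share a first byte passes this test."""
    firsts = {p[0] for p in payloads if p}
    return len(firsts) == 1


def recover_key_prefix(payloads):
    """Known-plaintext recovery: key[0] follows directly from the constant marker byte,
    and key[1] is narrowed to the values under which every packet's second byte
    decrypts to a known opcode. Returns (key[0] candidates, key[1] candidates)."""
    k0 = {p[0] ^ OVERNET_PROTO for p in payloads}
    k1 = set(range(256))
    for p in payloads:
        k1 &= {p[1] ^ op for op in OVERNET_OPCODES}
    return k0, k1


# Constructed sample traffic: an ordinary Overnet peer (10.0.0.5), a node speaking the
# scrambled variant (10.0.0.9) and a source sending unrelated noise to the same port (10.0.0.7).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", overnet_packet(0x0A, bytes(23))),
    ("10.0.0.5", overnet_packet(0x0E, bytes(20))),
    ("10.0.0.9", xor_scramble(overnet_packet(0x0A, bytes(23)), KEY)),
    ("10.0.0.9", xor_scramble(overnet_packet(0x0B, bytes(23)), KEY)),
    ("10.0.0.9", xor_scramble(overnet_packet(0x13, bytes(40)), KEY)),
    ("10.0.0.9", xor_scramble(overnet_packet(0x0E, bytes(20)), KEY)),
    ("10.0.0.9", xor_scramble(overnet_packet(0x14, bytes(4)), KEY)),
    ("10.0.0.7", b"\x17\x00unrelated"),
    ("10.0.0.7", b"\x90\x00noise"),
]


def payloads_from(src):
    return [p for s, p in SAMPLE_TRAFFIC if s == src]


if __name__ == "__main__":
    print(classify_sources(SAMPLE_TRAFFIC))
    storm = payloads_from("10.0.0.9")
    print("fixed-key signature: storm =", fixed_key_signature(storm),
          "noise =", fixed_key_signature(payloads_from("10.0.0.7")))
    k0, k1 = recover_key_prefix(storm)
    print("key[0] candidates:", k0, "key[1] candidates:", k1)
```

The parse check alone only says that a sender is not speaking Overnet, which is also true of the noise source, so the constant-first-byte test is what separates a fixed-key scrambler from random traffic. The key-recovery step is the reason a static XOR key is weak: the protocol marker gives key[0] for free, and the small opcode alphabet narrows key[1] to a single value after a handful of packets with different opcodes; any further field whose value is known or constrained yields more key bytes the same way.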