October 15th, 2007
Storm Worm botnet partitions for sale
SecureWorks researcher Joe Stewart (left) has seen evidence that the massive Storm Worm botnet is being broken up into smaller networks, a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers.
Stewart, a reverse engineering guru who has been tracking Storm Worm closely, says the latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic.
“This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities,” Stewart said in an e-mail message.
[SEE: [SEE: Storm Worm botnet numbers, via Microsoft ]
“If that’s the case, we might see a lot more of Storm in the future,” he warned.
The malware attacks behind this botnet have been relentless all year, using a wide range of clever social engineering lures to trick Windows users into downloading executable files with rootkit components. By some accounts, the malware has successfully created a massive botnet — between one million and 10 million CPUs — producing computing power to rival the world’s top 10 supercomputers.
Statistics from Microsoft’s monthly updated MSRC (malicious software removal tool) peg the size of the botnet at the low end of the supercomputer speculation.
Stewart sees a silver lining in the latest Storm Worm twist. Because of the new encryption scheme, Stewart says it is now easier to distinguish Storm-related traffic from “legitimate” Overnet/eDonkey P2P traffic.
“[It] makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic,” he said.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
