[Outofthebox] Storm

Alessio 'isazi' Sclocco isazi at olografix.org
Tue Oct 23 13:04:51 CEST 2007 

Parecchi leggono la newsletter di Schneier, pero' questo mi sembra un 
articolo piuttosto interessante e da riproporre.

The Storm worm first appeared at the beginning of the year, hiding in 
e-mail attachments with the subject line: "230 dead as storm batters 
Europe." Those who opened the attachment became infected, their 
computers joining an ever-growing botnet.

Although it's most commonly called a worm, Storm is really more: a worm, 
a Trojan horse and a bot all rolled into one. It's also the most 
successful example we have of a new breed of worm, and I've seen 
estimates that between 1 million and 50 million computers have been 
infected worldwide.

Old-style worms -- Sasser, Slammer, Nimda -- were written by hackers 
looking for fame. They spread as quickly as possible (Slammer infected 
75,000 computers in 10 minutes) and garnered a lot of notice in the 
process. The onslaught made it easier for security experts to detect the 
attack, but required a quick response by antivirus companies, sysadmins, 
and users hoping to contain it. Think of this type of worm as an 
infectious disease that shows immediate symptoms.

Worms like Storm are written by hackers looking for profit, and they're 
different. These worms spread more subtly, without making noise. 
Symptoms don't appear immediately, and an infected computer can sit 
dormant for a long time. If it were a disease, it would be more like 
syphilis, whose symptoms may be mild or disappear altogether, but which 
will eventually come back years later and eat your brain.

Storm represents the future of malware. Let's look at its behavior:

1. Storm is patient. A worm that attacks all the time is much easier to 
detect; a worm that attacks and then shuts off for a while hides much 
more easily.

2. Storm is designed like an ant colony, with separation of duties. Only 
a small fraction of infected hosts spread the worm. A much smaller 
fraction are C2: command-and-control servers.  The rest stand by to 
receive orders. By only allowing a small number of hosts to propagate 
the virus and act as command-and-control servers, Storm is resilient 
against attack. Even if those hosts shut down, the network remains 
largely intact, and other hosts can take over those duties.

3. Storm doesn't cause any damage, or noticeable performance impact, to 
the hosts. Like a parasite, it needs its host to be intact and healthy 
for its own survival. This makes it harder to detect, because users and 
network administrators won't notice any abnormal behavior most of the 
time.

4. Rather than having all hosts communicate to a central server or set 
of servers, Storm uses a peer-to-peer network for C2. This makes the 
Storm botnet much harder to disable. The most common way to disable a 
botnet is to shut down the centralized control point. Storm doesn't have 
a centralized control point, and thus can't be shut down that way.

This technique has other advantages, too. Companies that monitor net 
activity can detect traffic anomalies with a centralized C2 point, but 
distributed C2 doesn't show up as a spike. Communications are much 
harder to detect.

One standard method of tracking root C2 servers is to put an infected 
host through a memory debugger and figure out where its orders are 
coming from. This won't work with Storm: An infected host may only know 
about a small fraction of infected hosts -- 25-30 at a time -- and those 
hosts are an unknown number of hops away from the primary C2 servers.

And even if a C2 node is taken down, the system doesn't suffer. Like a 
hydra with many heads, Storm's C2 structure is distributed.

5. Not only are the C2 servers distributed, but they also hide behind a 
constantly changing DNS technique called "fast flux." So even if a 
compromised host is isolated and debugged, and a C2 server identified 
through the cloud, by that time it may no longer be active.

6. Storm's payload -- the code it uses to spread -- morphs every 30 
minutes or so, making typical AV (antivirus) and IDS techniques less 
effective.

7. Storm's delivery mechanism also changes regularly. Storm started out 
as PDF spam, then its programmers started using e-cards and YouTube 
invites -- anything to entice users to click on a phony link. Storm also 
started posting blog-comment spam, again trying to trick viewers into 
clicking infected links. While these sorts of things are pretty standard 
worm tactics, it does highlight how Storm is constantly shifting at all 
levels.

8. The Storm e-mail also changes all the time, leveraging social 
engineering techniques. There are always new subject lines and new 
enticing text: "A killer at 11, he's free at 21 and ...," "football 
tracking program" on NFL opening weekend, and major storm and hurricane 
warnings. Storm's programmers are very good at preying on human nature.

9. Last month, Storm began attacking anti-spam sites focused on 
identifying it -- spamhaus.org, 419eater and so on -- and the personal 
website of Joe Stewart, who published an analysis of Storm. I am 
reminded of a basic theory of war: Take out your enemy's reconnaissance. 
Or a basic theory of urban gangs and some governments: Make sure others 
know not to mess with you.

Not that we really have any idea how to mess with Storm. Storm has been 
around for almost a year, and the antivirus companies are pretty much 
powerless to do anything about it. Inoculating infected machines 
individually is simply not going to work, and I can't imagine forcing 
ISPs to quarantine infected hosts. A quarantine wouldn't work in any 
case: Storm's creators could easily design another worm -- and we know 
that users can't keep themselves from clicking on enticing attachments 
and links.

Redesigning the Microsoft Windows operating system would work, but 
that's ridiculous to even suggest. Creating a counterworm would make a 
great piece of fiction, but it's a really bad idea in real life. We 
simply don't know how to stop Storm, except to find the people 
controlling it and arrest them.

Unfortunately, we have no idea who controls Storm, although there's some 
speculation that they're Russian. The programmers are obviously very 
skilled, and they're continuing to work on their creation.

Oddly enough, Storm isn't doing much, so far, except gathering strength. 
Aside from continuing to infect other Windows machines and attacking 
particular sites that are attacking it, Storm has only been implicated 
in some pump-and-dump stock scams. There are rumors that Storm is leased 
out to other criminal groups. Other than that, nothing.

Personally, I'm worried about what Storm's creators are planning for 
Phase II.

This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2007/10/securitymatters_1004 
or http://tinyurl.com/2xevsm

http://www.informationweek.com/news/showArticle.jhtml?articleID=201804528 
or http://tinyurl.com/3ae6gt
http://www.informationweek.com/showArticle.jhtml;jsessionid=SNSXKAZRQ04MMQSNDLRSKHSCJUNN2JVN?articleID=201803920 
or http://tinyurl.com/2lq3xt
http://www.informationweek.com/showArticle.jhtml;jsessionid=SNSXKAZRQ04MMQSNDLRSKHSCJUNN2JVN?articleID=201805274 
or http://tinyurl.com/3bb4f5
http://www.scmagazineus.com/Storm-Worm-uses-e-cards-to-push-spam-near-all-time-high/article/35321/ 
or http://tinyurl.com/33chht
http://www.usatoday.com/tech/news/computersecurity/wormsviruses/2007-08-02-storm-spam_N.htm 
or http://tinyurl.com/2c6te7

Fast flux:
http://ddanchev.blogspot.com/2007/09/storm-worms-fast-flux-networks.html 
or http://tinyurl.com/2xwgln

Storm's attacks:
http://www.spamnation.info/blog/archives/2007/09/419eater_ddosd.html
http://ddanchev.blogspot.com/2007/09/storm-worms-ddos-attitude.html
http://www.disog.org/2007/09/opps-guess-i-pissed-off-storm.html

Stewart's analysis:
http://www.secureworks.com/research/threats/storm-worm/

Counterworms:
http://www.schneier.com/crypto-gram-0309.html#8

-- 

Alessio "isazi" Sclocco - Metro Olografix member

http://www.olografix.org/isazi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : https://www.olografix.org/pipermail/outofthebox/attachments/20071023/1b099847/attachment.bin

More information about the Outofthebox mailing list