Thursday, January 24, 2008

The Storm Worm and the Rise of P2P Malware

It is estimated that several million PCs have been infected by the Storm Worm. It represents a new generation of worm/botnet. Although it is most commonly called a worm, Storm is much more: a worm, a Trojan horse and a bot rolled into one. Storm has been around for a year, and the antivirus companies are pretty much powerless to do anything about it. Why?

The Storm worm first appeared in early 2007, in e-mail attachments sent with the subject line "230 dead as storm batters Europe." Those who opened the attachment became infected, and their computers joined an ever-growing botnet of zombie machines.

There is no central command-and-control point in the Storm botnet that can be shut down. The infected Windows hosts talk to each other using encrypted communication over a modified version of the eDonkey/Overnet peer-to-peer protocol, so a bot finds its instructions by querying other bots rather than a fixed server. The names and locations of the remote servers that control the botnet are hidden behind a constantly changing DNS technique called 'fast flux': the domain resolves to a rapidly rotating set of IP addresses belonging to infected machines that act as proxies for the real servers, which makes those servers difficult to find and stop.
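Defenders cannot take down the hidden servers directly, but the fast-flux front is observable from the resolver side. The following is an added example, not code from the original post: it scores a domain's resolution history on the indicators that distinguish flux from ordinary DNS, a short TTL combined with many distinct addresses, many distinct networks and rapid rotation between consecutive answers. The lookup snapshots, the IP-to-ASN map and the thresholds are constructed assumptions for illustration; in practice the ASN map comes from a BGP or WHOIS lookup and the thresholds are tuned against your own baseline traffic.

```python
"""Fast-flux DNS heuristics over constructed lookup snapshots.

Added example, not code from the original post. The lookup data, the
IP-to-ASN map and the thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Sequence


@dataclass(frozen=True)
class Lookup:
    """One DNS answer for a domain: when it was observed, its TTL and its A records."""
    t: int                  # seconds since the first lookup of this domain
    ttl: int                # TTL (seconds) carried by the A records
    addrs: FrozenSet[str]   # IPv4 addresses returned in this answer


# Hypothetical IP -> ASN map, standing in for a BGP/WHOIS lookup (assumption).
ASN: Dict[str, int] = {
    "203.0.113.10": 64500, "203.0.113.77": 64500,
    "198.51.100.5": 64501, "198.51.100.200": 64502,
    "198.51.100.42": 64506, "192.0.2.33": 64503,
    "192.0.2.91": 64504, "192.0.2.120": 64505,
    "93.184.216.34": 64510, "93.184.216.35": 64510,
}


def flux_features(lookups: Sequence[Lookup], asn: Dict[str, int] = ASN) -> Dict[str, float]:
    """Summarise a domain's resolution history into four fast-flux indicators.

    - min_ttl:     short TTLs force resolvers to re-ask, which enables rotation
    - unique_ips:  how many distinct hosts fronted the domain over the window
    - unique_asns: how many networks those hosts sit in (infected home PCs are
                   scattered across ISPs; a CDN's edge nodes usually are not)
    - mean_churn:  average fraction of each answer absent from the previous one
    """
    answers = [lk.addrs for lk in sorted(lookups, key=lambda lk: lk.t)]
    all_ips = set().union(*answers) if answers else set()
    churn = [
        len(cur - prev) / len(cur)
        for prev, cur in zip(answers, answers[1:])
        if cur
    ]
    return {
        "min_ttl": min((lk.ttl for lk in lookups), default=0),
        "unique_ips": len(all_ips),
        "unique_asns": len({asn.get(ip, -1) for ip in all_ips}),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
    }


# Decision thresholds: assumptions for illustration, tune against real baselines.
THRESHOLDS = {"max_ttl": 600, "min_ips": 5, "min_asns": 3, "min_churn": 0.5}


def is_fast_flux(lookups: Sequence[Lookup], thresholds: Dict[str, float] = THRESHOLDS) -> bool:
    """Flag a domain only when every indicator trips: a low TTL on its own is
    normal for CDNs and load balancers, so it must coincide with many hosts,
    many networks and fast rotation."""
    f = flux_features(lookups)
    return (
        f["min_ttl"] <= thresholds["max_ttl"]
        and f["unique_ips"] >= thresholds["min_ips"]
        and f["unique_asns"] >= thresholds["min_asns"]
        and f["mean_churn"] >= thresholds["min_churn"]
    )


# Constructed observation of a flux domain: every five minutes the answer
# rotates through different infected hosts in different networks.
FLUX_SAMPLE = [
    Lookup(0,   300, frozenset({"203.0.113.10", "198.51.100.5", "192.0.2.33"})),
    Lookup(300, 300, frozenset({"203.0.113.77", "198.51.100.200", "192.0.2.33"})),
    Lookup(600, 300, frozenset({"192.0.2.91", "192.0.2.120", "198.51.100.5"})),
    Lookup(900, 300, frozenset({"198.51.100.42", "203.0.113.10", "192.0.2.120"})),
]

# Constructed observation of a CDN-fronted site: the TTL is just as short, but
# the same two addresses in one network come back every time.
CDN_SAMPLE = [
    Lookup(0,   300, frozenset({"93.184.216.34", "93.184.216.35"})),
    Lookup(300, 300, frozenset({"93.184.216.34", "93.184.216.35"})),
    Lookup(600, 300, frozenset({"93.184.216.34", "93.184.216.35"})),
]

if __name__ == "__main__":
    for name, sample in (("flux", FLUX_SAMPLE), ("cdn", CDN_SAMPLE)):
        verdict = "FAST-FLUX" if is_fast_flux(sample) else "benign"
        print(name, flux_features(sample), verdict)
```

The CDN sample is there to show the failure mode of the naive check: TTL alone would flag half the legitimate internet. Requiring the address set to churn across many autonomous systems is what separates a botnet of home PCs from a content-delivery network, and it is the same signal that lets a resolver operator or ISP build a blocklist of flux domains without ever locating the servers behind them.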

We simply don't know how to stop Storm, except by finding the people controlling it and arresting them. The Storm botnet uses the power of P2P networking to protect itself.

The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations explains this nicely. Although a starfish and a spider have similar shapes, their internal structure is dramatically different: a decapitated spider inevitably dies, while a starfish can regenerate itself from a single amputated leg. In the same way, decentralized organizations like the Storm botnet are made up of many smaller units capable of operating, growing and multiplying independently of each other, which makes it very difficult for a rival force to control or defeat them.

The Storm botnet has been used for spamming, distributed denial-of-service attacks, and other malicious activities, including phishing attacks targeting European banks. It appears that portions of the Storm botnet and its variants were for sale: the controllers of Storm seem to lease out portions of the network for misuse.

Storm represents a serious security threat to internet users, but it is only the tip of the iceberg. It has started a new wave of innovation by hackers, and other P2P-controlled malware such as Nugache shows where this is heading. Are we prepared?

(To remove the Storm Worm from a Microsoft Windows computer, use Microsoft's Malicious Software Removal Tool, as described in the link.)
