Legal concerns stop researchers from disrupting the Storm Worm botnet

What if security researchers were able to disrupt the leftovers of the Storm Worm botnet thanks to a flaw in its communication model allowing them to redirect infected hosts and eventually disinfect them, but fearing legal action have their hands tied?

At the 25th Chaos Communication Congress, which took place in December 2008, German researchers Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser held a presentation (Stormfucker: Owning the Storm Botnet) demonstrating their idea. The concept apparently works, but it has a single flaw: it operates in exactly the same fashion a botnet master does when issuing updated malware binaries to the infected hosts, thereby violating computer abuse laws internationally.

Go through a Q&A with the researchers, who offer insights on the potential for distributed disinfection and on Storm Worm in general.

Q: How did you come up with the Stormfucker idea in the first place, and could you provide us with more details on the lack of server authentication when communicating with the infected clients, the weakness that the Storm Worm botnet is vulnerable to?

Georg: At the 24c3 congress at the end of 2007, Thorsten Holz gave a presentation on disrupting Zhelatin's command and control infrastructure, involving a /16 network, or 65536 nodes in other terms. This seemed unfeasible to us and motivated us to do better; we started analyzing Zhelatin binaries and eventually found out that NAT'ed nodes don't require any authentication to be commanded at all.

They simply use a four-byte XOR challenge-response for distinguishing between real command nodes and maybe accidentally connected nodes, and that is it: as long as you implement the server protocol properly, you can command these nodes. Later it was brought to our attention that the small minority of non-NAT'ed nodes checks for a 64-bit RSA signature, which is obviously trivial to crack.
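To make concrete why a 64-bit RSA signature check, as described in the answer above, gives a node no assurance about who is talking to it, here is an added illustration (not the researchers' code, and not Storm's real key, key size or message format): a constructed 64-bit modulus built from two 32-bit primes is factored with Pollard's rho in a fraction of a second, after which the private exponent falls out and a signature on an arbitrary message verifies under the public key. The same code with a 2048-bit modulus would never finish, which is the whole point of key size.

```python
import hashlib
import math

# Constructed key material for the demo: two 32-bit primes, giving a 64-bit
# modulus of the size the text describes. Not Storm's actual key.
P_CONSTRUCTED = 4294967279
Q_CONSTRUCTED = 4294967291
N = P_CONSTRUCTED * Q_CONSTRUCTED   # 64-bit RSA modulus
E = 65537                           # common public exponent


def pollard_rho(n: int, c: int) -> int:
    """Floyd-cycle Pollard rho with f(x) = x*x + c. Returns a divisor of n,
    which may be n itself when the walk fails for this c."""
    x = y = 2
    d = 1
    while d == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = math.gcd(abs(x - y), n)
    return d


def factor_semiprime(n: int) -> tuple:
    """Recover (p, q), p < q, for a modulus that is a product of two primes."""
    for c in range(1, 50):          # retry with a new polynomial if rho fails
        d = pollard_rho(n, c)
        if 1 < d < n:
            return tuple(sorted((d, n // d)))
    raise ValueError("no non-trivial factor found")


def recover_private_exponent(n: int, e: int) -> int:
    """Once p and q are known, d is just the inverse of e modulo phi(n)."""
    p, q = factor_semiprime(n)
    return pow(e, -1, (p - 1) * (q - 1))


def digest_int(msg: bytes) -> int:
    # Truncated SHA-256 so the signed value stays below the 64-bit modulus
    # (toy padding; a real scheme would use a proper signature encoding).
    return int.from_bytes(hashlib.sha256(msg).digest()[:7], "big")


def sign(msg: bytes, d: int, n: int) -> int:
    return pow(digest_int(msg), d, n)


def verify(msg: bytes, sig: int, e: int, n: int) -> bool:
    """What a node would check: does the signature open to the message digest?"""
    return pow(sig, e, n) == digest_int(msg)
```

With only N and E as input, `recover_private_exponent(N, E)` yields a d for which `verify(msg, sign(msg, d, N), E, N)` is true for any msg, so the check accepts whatever a third party chooses to sign.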

Q: So basically, Stormfucker is capable of issuing potential disinfection commands to infected hosts, meaning the botnet can be a thing of the past? What are the legal implications of saving the infected users from themselves here?

Georg: Stormfucker is able to send an update to a Storm node that will then download an executable from a Stormfucker-provided host and execute it. This executable would then be a Stormfucker executable that disinfects the computer and also aids in propagation of the update commands. Obviously, issuing a command to download and execute a file without the users' consent is against the law in many countries, let alone the further propagation of this command to other users that is then carried out.

Q: The industry and the general public have never been comfortable with the idea of "white worms" or "ethical worms", and perhaps with reason. Is this distributed disinfection method any different? Moreover, since there's never been a shortage of pragmatic solutions to a problem that's the main vehicle driving the cybercrime ecosystem, what would be the best way to put these pragmatic capabilities into action?

Georg: It is exactly like a white worm, the Stormfucker executable spreads from host-to-host in a distributed setup, however only targeting Zhelatin nodes -- other nodes will not see any extra traffic. Luckily some law enforcement agencies in some countries see the need to put an end to such menaces as Zhelatin and other botnets, maybe some of these people will push the button with proper legislation in the future. Rumor has it that it has happened in isolated cases before.

Q: What are your thoughts of a potential (free) opt-in service, where for instance, end users can request to be at least notified that they are part of Storm Worm's botnet or any other botnet in particular?

Georg: People who are so ignorant as to execute an email attachment from an untrusted source would never sign up for such a service. A much better solution is taken by a local German ISP, NetCologne: they are allowed by their AUP to cut off users that are identified to be infected with malware, and they have a Nepenthes-based system to find such users. Being cut off from the Internet makes these ignorant people clean their computers pretty fast, so that they can browse the tubes again. Other ISPs should come up with similar solutions!

Q: Storm Worm's copycat Waledac (from the same malware gang behind Storm) is currently spreading in the wild. Would the same tactic work against it, for instance, and how is Waledac's communication model any different from Storm Worm's original one?

Tillmann Werner: From the code perspective, Waledac isn't Storm's copycat; it's totally different, besides the fact that it also uses a p2p infrastructure. For instance, it communicates via encrypted XML messages over HTTP, thus it's immune to the Sybil attack. It does provide fast-flux DNS services similar to Storm, but we would expect that from every serious malware these days, right? Some people think that there is the same group behind Storm and Waledac. Maybe, maybe not - who wants to know?

Felix Leder: Waledac is pretty new and the C&C structure not researched in-depth, yet. We are on it and may find something interesting. Currently we can only say that it is using "state-of-the-art" cryptography, which complicates things a bit but doesn't make it invulnerable. Instead of P2P, Waledac uses Fast-Flux networks. It is definitely possible to place controlled nodes in those networks. Whether those nodes can issue commands has to be investigated. So in short: The same tactics may work, but some more research has to be done.

The inside of Waledac is a lot different from Storm and similarities are hardly there. It is definitely a complete rewrite. The similarities (we have seen so far) are the use of open-source libraries in the malware, nodes that speak both storm and Waledac, and decentralized communication.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Bad Legal Advice was the Cause of the Present Quandary

    That is, both ISPs and legislators in the various countries have fallen victim to the same bad source of worse legal advice: lawyers!

    After all: if they had been thinking when they came up with these laws against 'cybercrime', they would have admitted and prepared for the possibility that 'unauthorized' access is not necessarily malicious. They would also have prepared for the need to provide careful competent oversight to such access.

    But they did neither! Why? Because, frankly, lawyers are a scourge on society. They are trained to be incompetent in an intimidating way, and they are ruled by one of the two most disastrously successful and powerful protectionist organizations, the Bar Association.

    But it is not all doom and gloom: Georg was quite right to point out that German ISP's excellent solution to this dilemma: "they are allowed by their AUP to cut off users that are identified to be infected with malware and they have a Nepenthes based system to find such users."

    This IS the best way to recover from the mistake we let the lawyers get us into. If security experts wage their "propaganda campaign" well, more and more ISPs will imitate this German ISP's excellent example.

    Surely the ISPs will be more likely to all get on board sooner than the governments!

    Unless, of course, they repeat the same mistake they are making today with DNS NXDOMAIN, all following like sheep a few giants who have decided on standards corruption -- the IBM/MSFT business model:(
    mejohnsn
    • Excuse me

      But I am a paralegal, and I take offense at your bullshit. The fact is that most times, it is not lawyers who are telling people these things RIGHTLY in most cases.
      It is the advisors to the police, going on the interpretations of the law that have been sussed out by judges in court.
      The fact is that, by the way the law is written, ANY authorized access to a computer by anyone save the police, and ONLY with a warrant in that latter case, is illegal!
      The only thing that can be done is to change the law so that if someone is using 'white worms' to shut down criminal botnets..... they can do it.
      Lerianis
  • RE: Legal concerns stop researchers from disrupting the Storm Worm botnet

    The statement from Georg Wicherski is not accurate, more information in my blog: http://honeyblog.org/archives/18-Storm-Worm,-Encryption,-Disruption,-and-more....html
    Thorsten Holz
    • Not many machines with the Storm worm are still online?

      Once I saw that statement in your blog, I immediately discounted it. There are still a BOATLOAD, if not AIRCRAFT CARRIER load of computers out there with the storm virus still on them.
      Lerianis
  • So many Windows Operating Systems

    So little time.
    tracy anne
  • RE: Legal concerns stop researchers from disrupting the Storm Worm botnet

    It's really quite simple: to access a system without consent is illegal. No matter how good your subjective intentions are. That's the rule of law.

    The argument that all users are the same is just boring and bland. What percentage of machines infected were hosted? In comparison ... anyway, I digress. The point is, as Daniel Cuthbert discovered after being convicted for a directory traversal attempt, a crime under the Computer Misuse Act, as it was interpreted by the judge, rather narrowly he had to admit.

    No matter how good you think your intentions, you have no right to access another system without consent. This is morally right in my view, as well as ethically and legally. Would it be ok for me to break into your house or car to fix that noisy squeak? Or that broken heater?

    There need to be more creative ways to resolve the problem, to entice users into correcting their and others' problems. It must be with consent though. The AUP cut-off is a great idea, and I'm sure it works, but does it work in all situations? You can't blame people for not being aware as they should be; people have other things to do. It's our job to be creative and clever enough to tackle all the audiences of the solution the problem. It's not our job, as security professionals, to contradict what we preach, and to enforce unlawful, unethical, amoral acts to fix security problems.

    Ok, so what are the options, smarty pants? Behavioural psychology perhaps: install SETI, get free STORM removal? Work with AV vendors, offer the patch open source as a package, via P2P, SourceForge. Advertise the solution. Utilise the media, print and online.

    There are other options.
    U235