Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Storm Worm botnet partitions for sale

By Ryan Naraine | October 15, 2007, 11:41am PDT

Summary: SecureWorks researcher Joe Stewart has seen evidence that the massive Storm Worm botnet is being broken up into smaller networks, a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers.

SecureWorks researcher Joe Stewart has seen evidence that the massive Storm Worm botnet is being broken up into smaller networks, a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers.

Stewart, a reverse engineering guru who has been tracking Storm Worm closely, says the latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic.

“This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities,” Stewart said in an e-mail message.

[SEE: Storm Worm botnet numbers, via Microsoft]

“If that’s the case, we might see a lot more of Storm in the future,” he warned.

The malware attacks behind this botnet have been relentless all year, using a wide range of clever social engineering lures to trick Windows users into downloading executable files with rootkit components. By some accounts, the malware has successfully created a massive botnet — between one million and 10 million CPUs — producing computing power to rival the world’s top 10 supercomputers.

Statistics from Microsoft's monthly updated MSRT (Malicious Software Removal Tool) peg the size of the botnet at the low end of the supercomputer speculation.

Stewart sees a silver lining in the latest Storm Worm twist. Because of the new encryption scheme, Stewart says it is now easier to distinguish Storm-related traffic from “legitimate” Overnet/eDonkey P2P traffic.

“[It] makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic,” he said.
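As an added illustration (not from the article or from SecureWorks), the following Python models the two points above: why a per-partition key means a node can only talk to peers holding the same key, and why keyed packets no longer parse as plaintext Overnet, which is what makes them easy to pick out on a network that otherwise permits P2P. It assumes the eDonkey/Overnet 0xE3 marker byte and connect opcodes from the public protocol description, uses repeating-key XOR only as a stand-in because the page does not describe the real cipher, and every host and flow is constructed.

```python
"""Keyed Overnet partitions and the detection consequence: a constructed model."""
from collections import defaultdict

# eDonkey/Overnet UDP marker byte and a few opcodes. Assumed from the public
# eDonkey protocol description; not stated on the page.
OVERNET_MARKER = 0xE3
OVERNET_OPCODES = {
    0x0A: "connect",
    0x0B: "connect_reply",
    0x0C: "publicize",
    0x0D: "publicize_ack",
    0x0E: "search",
}
KEY_LEN = 40  # the article reports a 40-byte key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR as a stand-in for the per-partition cipher.

    The page only says the traffic is keyed with 40 bytes and does not
    describe the real scheme, so this is a modelling assumption.
    """
    if len(key) != KEY_LEN:
        raise ValueError("partition key must be %d bytes" % KEY_LEN)
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(data))


def parse_overnet(payload: bytes):
    """Return the opcode name if payload looks like plaintext Overnet, else None."""
    if len(payload) < 2 or payload[0] != OVERNET_MARKER:
        return None
    return OVERNET_OPCODES.get(payload[1])


class Node:
    """A peer holding an optional partition key (None = ordinary Overnet client)."""

    def __init__(self, key=None):
        self.key = key

    def build(self, opcode: int, body: bytes) -> bytes:
        pkt = bytes([OVERNET_MARKER, opcode]) + body
        return xor_with_key(pkt, self.key) if self.key else pkt

    def accept(self, wire: bytes):
        """Decode with our key (if any); traffic keyed for another partition is garbage."""
        pkt = xor_with_key(wire, self.key) if self.key else wire
        return parse_overnet(pkt)


def flag_hosts(flows, min_peers=3, max_plain_ratio=0.2):
    """Flag sources with P2P-style fan-out whose payloads mostly fail to parse.

    flows: iterable of (src_ip, dst_ip, udp_payload). A plaintext Overnet client
    parses cleanly; a keyed node does not, which is the distinguishing signal.
    """
    peers, total, plain = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, dst, payload in flows:
        peers[src].add(dst)
        total[src] += 1
        if parse_overnet(payload):
            plain[src] += 1
    return {h for h in total
            if len(peers[h]) >= min_peers and plain[h] / total[h] <= max_plain_ratio}


# Constructed sample data: two partition keys and a plain connect body
# (16-byte client hash placeholder, IPv4, little-endian port, type byte).
KEY_A = bytes(range(1, 41))
KEY_B = bytes(range(41, 81))
CONNECT_BODY = b"\x11" * 16 + bytes([10, 0, 0, 5]) + (4665).to_bytes(2, "little") + b"\x00"


def sample_flows():
    """Constructed UDP flows: one keyed node, one plain client, one lone sender."""
    keyed, plain = Node(KEY_A), Node()
    flows = []
    for i in range(4):
        flows.append(("10.0.0.5", "198.51.100.%d" % i, keyed.build(0x0A, CONNECT_BODY)))
        flows.append(("10.0.0.9", "203.0.113.%d" % i, plain.build(0x0A, CONNECT_BODY)))
    flows.append(("10.0.0.7", "198.51.100.9", Node(KEY_B).build(0x0A, CONNECT_BODY)))
    return flows


if __name__ == "__main__":
    a, a2, b, plain = Node(KEY_A), Node(KEY_A), Node(KEY_B), Node()
    print(a.accept(a2.build(0x0A, CONNECT_BODY)))      # same key: connect
    print(b.accept(a2.build(0x0A, CONNECT_BODY)))      # other partition: None
    print(plain.accept(a2.build(0x0A, CONNECT_BODY)))  # plain client: None
    print(sorted(flag_hosts(sample_flows())))          # ['10.0.0.5']
```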


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments
MICROSOFT.

Thanks for giving us another headache to worry about.
0 Votes
+ -
Thanks to who?
itpro_z 15th Oct 2007
Interesting that you blame Microsoft, rather than the real culprits, the malicious programmers (I don't like to use the term hackers in this context) who wrote the garbage. Pray that your favorite OS doesn't come under the same level of attack that Microsoft has had to endure in the last few years, else you may find that security is not as simple as you think.
0 Votes
+ -
Secure toilets
ken_jennings@... 16th Oct 2007
"Pray that your favorite OS doesn't come under the same level of attack that Microsoft has had to endure in the last few years..."


Now THAT's funny! The majority of the internet infrastructure is powered by *nix systems (of which Linux is a significant part.) If someone really wanted to push major spam bandwidth on the Net they'd be targeting these systems. Of course, people DO try to attack these systems and they try very hard. But they don't get very far, because *nix systems are not shamelessly insecure the same way as every kind of Windows. Occasionally, someone does manage to infiltrate one here or another there, but they don't get the traction necessary to cause any meaningful consequence, because *nix systems are inherently secure by design. Instead of attacking the internet plumbing (that is, *nix) spammers and virus writers target the toilets (Windows), because Windows at its most secure is far more vulnerable and easier to exploit.
0 Votes
+ -
Secure, or just obscure?
itpro_z 16th Oct 2007
Are we talking servers here, or PCs? Servers are generally very secure, since they have pros supporting them and keeping them up to date. Even with that, I do seem to remember reading about a hit on the Ubuntu servers this last summer, and hacking of websites is a fairly common occurrence. Some of the very first viruses were Unix based as well.

What we are talking about here are PCs, a market that Linux currently occupies less than 1% of. PCs are not managed by professionals, but ordinary users, and are generally not as up to date or secure. Contrary to your prejudicial beliefs, Windows PCs are quite secure when updated in a timely fashion, including the necessary antivirus software. I install and manage PCs for a living, and have for many years, and it is a rare occurrence for me to find an infected machine anymore. Consider the numbers listed in this article, something over 1 million PCs infected by this virus. Now, consider that there are around 1 billion PCs in the world, with about 90% of those running Windows, and the conclusion is that the infection rate is very small. Not bad, considering that most of those are neglected home computers.

I agree that the malware programmers target Windows machines, that is just common sense. Would you target 1% of the computers, or 90%? You can chest thump all you want about Linux superior security, but until it is really tested, it isn't proven. Besides, Macs are also Linux based, and we all saw what happened when hackers were challenged (and finally offered cash) to attempt to "own" two Macs earlier this year. Both Macs (and the cash prizes) were gone within hours.

For the record, I have Ubuntu 7.04 running one of my home PCs, and I have installed and supported servers running various versions of Linux, Xenix, and Unix, so I am not anti-Linux. I am also not anti-Windows, running Vista on another home computer, and supporting several hundred users at work running everything from Win98 to Vista, along with a number of servers running 2000 and 2003. As far as I am concerned, they are all just computers, and each has their strong points and weaknesses.
0 Votes
+ -
secure and made that way.
ken_jennings@... 17th Oct 2007
"Are we talking servers here, or PCs?"

We're talking about computers connected to the internet.

"I agree that the malware programmers target Windows machines, that is just common sense. Would you target 1% of the computers, or 90%?"

If 1% of the computers can push 90% of the internet content wouldn't it be common sense to attack those computers? Of course it would, and people do attack them, and they don't get very far, because they're primarily beating on *nix systems.

"You can chest thump all you want about Linux superior security, but until it is really tested, it isn't proven."

It is proven every day by the fact the internet itself remains operating and largely stable. Incidents are isolated, few and far between.

I have a Windows system too, they are great game machines. But, the Windows system goes nowhere near the internet without standing behind a real, unix firewall.
0 Votes
+ -
Where your argument falls down
NonZealot 17th Oct 2007
If 1% of the computers can push 90% of the internet content wouldn't it be common sense to attack those computers? Of course it would, and people do attack them, and they don't get very far, because they're primarily beating on *nix systems.

You are still comparing the security of a *nix server to a Windows desktop. When you compare *nix servers to Windows servers, the hacking story shows that Windows servers actually hold their own. I can't access Zone-H statistics any more but they consistently showed that LAMP servers were hacked more often than IIS6 servers. So am I suggesting that IIS6 is more secure than LAMP? No, because I don't believe it. I believe that using LAMP doesn't guarantee security and using IIS6 doesn't guarantee failure, it is up to the human being behind the OS, whether that OS is being used in a server role or a desktop role. It just so happens that more people behind server role installations are security conscious when compared to people behind desktop role installations.

The other factor you ignore is that desktop role OSs typically have different attack vectors than server role OSs. You can fool a human behind a desktop to run an executable or to navigate to a website. This becomes much more difficult to do when attacking a server.

For those reasons, you can't simply say that you are comparing all computers connected to the internet. It would be as silly as saying that NASCAR drivers are less skilled than non NASCAR drivers because they get in more accidents. Hey, we are just talking about people driving cars right? When you compare *nix servers to Windows servers, they have been shown to be equally secure. The OS plays far less a factor than the admin does and a good admin can make any OS secure while a bad admin can make any OS insecure. You can't compare Windows desktop computers to *nix servers though in order to disprove marketshare arguments since the conditions of their use are totally different, just like NASCAR.
0 Votes
+ -
Are you sure about that?
santuccie 18th Oct 2007
How much do you really know about firewalls? A firewall is a device/program that prevents unsolicited traffic from entering your PC. If you're talking about Intrusion Prevention, be aware that no such technology can fully protect a machine from exploits, not even a Web application firewall operating from the positive security model. And the best negative-model example, Snort, is not associated with UNIX as far as I know.

As long as software can be installed on your computer, malicious software can be installed as well. The only way to prevent this is to block the installation of drivers, services, registry entries, etc. And if you do this, you have to have a way to undo it, so you can install new software when you want to.

The only Linux users who still believe Linux is invincible are the ones who haven't been hit yet. I'll bet you the victims discussed in this article don't think so: http://www.theregister.co.uk/2007/10/03/ebay_paypal_online_banking/

Likewise, most Mac users (Mac is also UNIX-based) also think their platform is invincible. Not so: http://www.pcworld.ca/news/column/96a4d31d0a010408006ca32e63160f68/pg1.htm
0 Votes
+ -
How does one detect the Storm Worm?
Arcturus16a 16th Oct 2007
Is this virus so unique that it can remain undetected on a user's pc? If I am running McAfee or Norton A/V will I remain protected? Or are these rootkits designed to evade detection?

This (the potential break-up and distribution of the "net") is akin to Capone selling off the West Side but keeping Northtown for pocket change.
0 Votes
+ -
All of the antivirus programs...
itpro_z 16th Oct 2007
...are updating frequently to detect the worm, but it evolves rapidly. Microsoft's own MSRT is also combating the bug. Keep your software up to date, and be wary of email from unknown sources.
0 Votes
+ -
Anti Virus
tracy anne 17th Oct 2007
If you rely on anti virus software for computer security, it's already too late.
0 Votes
+ -
Re: How does one detect the Storm Worm?
santuccie 21st Oct 2007
From the malware perspective, the purpose of a rootkit is to hide the malware's files from Windows API and avoid being detected by scanners. Antivirus and some antispyware programs can potentially block the worm itself, by detecting it via heuristic or black-and-white signature. However, I am of the understanding that the Storm worm is polymorphic, meaning it is continually changing its code.

Once the rootkit is installed, traditional antimalware programs likely won't be able to detect it. At this point, there are dedicated tools you can use to help uproot the rootkit. You'll find a handy little handful of them here: http://www.techsupportalert.com/best_46_free_utilities.htm#7

There are also Intrusion Prevention/Detection programs you can use to catch Storm worm when it tries to install the rootkit. These programs go beyond fingerprinting to utilize behavior analysis, offering a vital third layer of zero-day protection. You will find Intrusion Prevention in a lot of firewall products these days, but there are standalones available as well. ThreatFire is about the best there is, and it happens to be available in a free version, as well as paid.

Still another solution is to use a sandbox. Sandbox programs create a virtual environment that corrals certain programs (especially Internet programs) off from the rest of your system, preventing events generated by these programs from making permanent changes. One of my favorites is BufferZone. They offer free versions, but each of them only covers certain types of programs, and you could only have one installed at a time from what I remember. Sandboxie is a viable alternative, but it's a bit less automated and a bit more technical. Also, while sandbox programs will kill any program inside the sandbox when you empty it, they will not prevent a keylogger from intercepting your passwords while running inside the sandbox.

If you would like another solution that prevents Web-borne malware from launching in the first place, perhaps this would be of interest to you: http://invincible-windows.blogspot.com/

Hope this helps!
0 Votes
+ -
Money.....
Kobashrer 15th Oct 2007
That's what it's all about, the money. They could DDOS the hell out of the Internet with their superfleet of zombies, but if they cripple the Internet to a crawl so nobody can use it at all, who is served by that?!
0 Votes
+ -
CrazY_UKRaiNiaN 16th Oct 2007
"if they cripple the Internet to a crawl so nobody
can use it all who is served by that?! "

Post office! Now u have to write letters to ur friends. happy
0 Votes
+ -
How to detect?
angelsix 16th Oct 2007
Yes, but (as Arcturus16a asked), does anyone know which, if any, of the std. a/v programs can detect and remove it? E.g., will Norton, or McAfee, if up to date do the trick? If not, why the hell not?
0 Votes
+ -
Maybe an ISP will enforce its policies
TripleII-21189418044173169409978279405827 16th Oct 2007
Fret and worry and discuss and brainstorm over how to combat the symptoms of botnets, or just solve the frick'n problem, take the botnets offline and inform the users. Big flashing page in their browser

"Your computer is compromised, you are NOT secure, click this link to find out how to clean your computer".

You know what, you take the botted computers offline, ALL the revenue dries up and people fix their computers. Of course, Qwest and other backbone providers don't sell as much bandwidth, and Symantec doesn't make as much money, and fewer computers sell because the computer is not actually slow, it is bogged by infection, and of course... never mind, except for the consumer, this is GREAT for the world economy, as you were.

TripleII
0 Votes
+ -
... flashing a screen in front of the user no longer works. I work in a major ISP and this just can't be done anymore.
0 Votes
+ -
Proxy
TripleII-21189418044173169409978279405827 17th Oct 2007
What I am proposing: let's assume Joe is compromised. You then route his computer (basically, for him, all DNS leads to 150.1.1.1), which is a pie-in-the-sky address for your proxy. The proxy displays the help pages and warning.

So, it isn't flashing a screen in front of them, then leaving them on their merry way, it is their computer is isolated with no route in/out to the internet, and all attempts at web browsing cause the user to arrive at the proxy.

You may allow them to surf through the proxy, but that's another story. This is just one idea, but my ISP allows for that. Your account can be direct or proxied. This is forced change to proxied for bott'd computers.

TripleII
0 Votes
+ -
95%. Yes, spam has hit 95% level of all email
TripleII-21189418044173169409978279405827 17th Oct 2007
http://www.net-security.org/secworld.php?id=5545

Leading zombie locations included the United States (36%) and Russia (8%).

Is it time for more band-aids or is it time to actually fix the problem? Until people focus on the problem, de-zombifying and/or taking these machines off the internet, enjoy your Viagra.

TripleII
0 Votes
+ -
Don't believe everything you hear
santuccie 18th Oct 2007
How much do you really know about firewalls? A firewall is a device/program that prevents unsolicited traffic from entering your PC. If you're talking about Intrusion Prevention, be aware that no such technology can fully protect a machine from exploits, not even a Web application firewall operating from the positive security model. And the best negative-model example, Snort, is not associated with UNIX as far as I know.

As long as software can be installed on your computer, malicious software can be installed as well. The only way to prevent this is to block the installation of drivers, services, registry entries, etc. And if you do this, you have to have a way to undo it, so you can install new software when you want to.

The only Linux users who still believe Linux is invincible are the ones who haven't been hit yet. I'll bet you the victims discussed in this article don't think so: http://www.theregister.co.uk/2007/10/03/ebay_paypal_online_banking/

Likewise, most Mac users (Mac is also UNIX-based) also think their platform is invincible. Not so: http://www.pcworld.ca/news/column/96a4d31d0a010408006ca32e63160f68/pg1.htm
0 Votes
+ -
Or what you read
TripleII-21189418044173169409978279405827 20th Oct 2007
Your point is valid, no machine is ever secure; however, in the article you linked to, the person doing the description is confusing phishing sites with botted computers. Yes, some SERVERs are probably compromised, but the reason Linux was found at the source is that many, if not most, phishing sites are cheap rented web services from companies that, naturally, to keep prices down, run Linux.

I have never read about any botted Linux client machine (I have read about cracked servers with Linux), and the reason is, SSH, FTP as root, which are not enabled by default, don't allow for root access by default when turned on. I would be HIGHLY interested in reading up on any Linux malware available for install by users not versed in ONLY using repository sources. The cracker community would have to create a .deb, rpm, etc, customize it for each Linux, convince the user to download the right version, install it. LOL, the typical #1 complaint, hard to create universal software across distros, is actually a security perk. It means we all use the repositories 99.8% of the time.

I used to have to compile, but haven't needed to, for any package, in probably over a year.

Look at what it takes, a security vulnerability must
1) be accessible from the web through the firewall
2) be able to escalate to root undetected
3) install the rootkit undetected
4) start ssh and modify the system for remote access, disable or poke a hole in the firewall, allow for root access, download any missing dependencies, etc, undetected
5) not hurt the system from booting up normally
6) survive and remain undetected from chrootkit.
7) Do it right, as easy as it has become, setting up an SSH server is NOT an automatic easy process.

That is a VERY VERY tall order. Much much easier to crack the password on a server (i.e. weak root password).

The time will come when users will be able to download and install from anywhere to get the same malware infected wizbang screensaver-weathermachine, that can do all the above, but we aren't there yet (years away, not enough marketshare) and there is likely a better open source free equivalent in the repository. grin

TripleII
0 Votes
+ -
Indeed
santuccie 22nd Oct 2007
Yes, it takes a lot for a rootkit to install. But what you view as a "VERY VERY tall order" is hardly any different from what has to be done in Windows Vista. Granted, with previous versions, privileges were already escalated in the creator/owner account. But in Vista, they're not. Authorization is required for everything, and there are some things you can't change at all without providing credentials. The kernel is locked by default, and startup programs must have predefined associations. It's not easy, but it's being done.

And a firewall is not as complicated as you might think. Without some form of Intrusion Prevention, a client firewall simply protects ports from unsolicited, inbound traffic, and hides ports not in use (a good firewall hides all ports, even 113). All this entails is managing three-way handshakes on a state table. The SYN must be initiated from inside the firewall.

But without outbound protection, what is to stop locally executed malware from initiating such a connection? Nothing, unless you've installed additional security software/hardware. Unfortunately, out of cocksureness, most Linux users do not. Most of them say there's no point behind all the free antivirus programs that already exist for Linux. I find that short-sighted, not to mention light years from proactive. And that's ironic, because people who switch to Linux for security's sake would be expected to be proactive.

'The time will come when users will be able to download and install from anywhere to get the same malware infected wizbang screensaver-weathermachine, that can do all the above, but we aren't there yet (years away, not enough marketshare) and there is likely a better open source free equivalent in the repository.'
--That was exactly the point. There is no argument (at least not from me) that it is generally more difficult to compromise Linux than Windows XP or earlier. But be aware that it is far from impossible. At least you seem to be one of precious few who understand the primary reason why you don't have a pandemic on your hands, and what becomes the ONLY reason once Vista overtakes XP. You don't have enough market share to be of any interest to a bot herder.
0 Votes
+ -