Storm Worm botnet partitions for sale

Summary: SecureWorks researcher Joe Stewart has seen evidence that the massive Storm Worm botnet is being broken up into smaller networks, a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers.

SecureWorks researcher Joe Stewart has seen evidence that the massive Storm Worm botnet is being broken up into smaller networks, a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers.

Stewart, a reverse engineering guru who has been tracking Storm Worm closely, says the latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic.

"This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities," Stewart said in an e-mail message.

[SEE: Storm Worm botnet numbers, via Microsoft]

"If that's the case, we might see a lot more of Storm in the future," he warned.

The malware attacks behind this botnet have been relentless all year, using a wide range of clever social engineering lures to trick Windows users into downloading executable files with rootkit components. By some accounts, the malware has successfully created a massive botnet — between one million and 10 million CPUs — producing computing power to rival the world’s top 10 supercomputers.

Statistics from Microsoft's monthly updated MSRT (Malicious Software Removal Tool) put the size of the botnet at the low end of the supercomputer speculation.

Stewart sees a silver lining in the latest Storm Worm twist. Because of the new encryption scheme, Stewart says it is now easier to distinguish Storm-related traffic from "legitimate" Overnet/eDonkey P2P traffic.

"[It] makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic," he said.
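Stewart's "silver lining" is a usable detection idea: once Storm wraps its Overnet traffic in a fixed 40-byte key, its datagrams stop parsing as the plaintext Overnet protocol that a genuine eDonkey client sends, so an administrator who already permits P2P can separate the two populations by asking, per datagram, whether it looks like Overnet at all. The block below is an added illustration of that check, written for this page; it is not Stewart's or SecureWorks' code. It models the key wrapping as byte-wise XOR with a constructed 40-byte key (the article says only that a key is used), and the marker byte 0xE3, the opcode set and the P2P port list are assumptions taken from the Overnet/eMule convention as I recall it, to be checked against a protocol reference. All traffic in it is constructed, not captured.

```python
"""Separate plaintext Overnet datagrams from key-wrapped ones on permitted P2P ports."""
from collections import defaultdict
from dataclasses import dataclass

# ASSUMPTION: 0xE3 as the plaintext Overnet/eDonkey UDP marker byte and the
# opcode range below follow the eMule/Overnet convention as I recall it;
# take the real values from a protocol reference before relying on them.
OVERNET_MARKER = 0xE3
KNOWN_OPCODES = set(range(0x0A, 0x15))
# ASSUMPTION: ports on which local firewall policy already permits P2P traffic.
P2P_PORTS = {4662, 4672, 7000}


@dataclass(frozen=True)
class Datagram:
    src: str        # source host on the monitored network
    dst_port: int   # destination UDP port
    payload: bytes


def looks_like_overnet(payload: bytes) -> bool:
    """A plaintext Overnet datagram starts with the marker byte and a known opcode."""
    return (len(payload) >= 2
            and payload[0] == OVERNET_MARKER
            and payload[1] in KNOWN_OPCODES)


def classify(dg: Datagram) -> str:
    """'overnet' for parseable plaintext, 'opaque' for key-wrapped traffic on a
    P2P port, 'other' for anything not on a P2P port."""
    if dg.dst_port not in P2P_PORTS:
        return "other"
    return "overnet" if looks_like_overnet(dg.payload) else "opaque"


def suspect_hosts(datagrams, min_opaque: int = 3) -> list:
    """Hosts that sent at least min_opaque opaque datagrams on P2P ports and
    never a parseable Overnet one. One odd datagram is noise; a host whose
    P2P traffic is only ever opaque matches the partitioned-Storm pattern."""
    opaque = defaultdict(int)
    plain = defaultdict(int)
    for dg in datagrams:
        kind = classify(dg)
        if kind == "opaque":
            opaque[dg.src] += 1
        elif kind == "overnet":
            plain[dg.src] += 1
    return sorted(h for h, n in opaque.items() if n >= min_opaque and plain[h] == 0)


# --- constructed sample traffic (not captures) ----------------------------
def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Fixed-key byte-wise XOR, used here to model the 40-byte key wrapping."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


DEMO_KEY = bytes(((i * 37) + 0x5A) & 0xFF for i in range(40))   # constructed 40-byte key
PLAIN_CONNECT = bytes([OVERNET_MARKER, 0x0A]) + bytes(23)       # constructed connect-like packet

SAMPLE = [
    Datagram("10.0.0.5", 4672, PLAIN_CONNECT),                          # ordinary eDonkey user
    Datagram("10.0.0.5", 4672, bytes([OVERNET_MARKER, 0x0E]) + bytes(30)),
    Datagram("10.0.0.9", 4672, xor_with_key(PLAIN_CONNECT, DEMO_KEY)),  # only ever opaque
    Datagram("10.0.0.9", 4672, xor_with_key(PLAIN_CONNECT, DEMO_KEY)),
    Datagram("10.0.0.9", 4672, xor_with_key(PLAIN_CONNECT, DEMO_KEY)),
    Datagram("10.0.0.7", 4672, xor_with_key(PLAIN_CONNECT, DEMO_KEY)),  # single stray datagram
    Datagram("10.0.0.7", 53, bytes([OVERNET_MARKER, 0x0A]) + bytes(5)), # not a P2P port
]

if __name__ == "__main__":
    for dg in SAMPLE:
        print(dg.src, dg.dst_port, classify(dg))
    print("suspect hosts:", suspect_hosts(SAMPLE))
```

The threshold in suspect_hosts is the practical part: a single malformed datagram on a P2P port is not evidence of anything, while a host whose P2P traffic never once parses as the real protocol is exactly what Stewart says the new key makes visible.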

Talkback

21 comments
  • And Storm Worm Botnets Are Running Which OS?

    MICROSOFT.

    Thanks for giving us another headache to worry about.
    itanalyst
    • Thanks to who?

      Interesting that you blame Microsoft, rather than the real culprits, the malicious programmers (I don't like to use the term hackers in this context) who wrote the garbage. Pray that your favorite OS doesn't come under the same level of attack that Microsoft has had to endure in the last few years, else you may find that security is not as simple as you think.
      itpro_z
      • Secure toilets

        "Pray that your favorite OS doesn't come under the same level of attack that Microsoft has had to endure in the last few years..."


        Now THAT's funny! The majority of the internet infrastructure is powered by *nix systems (of which Linux is a significant part.) If someone really wanted to push major spam bandwidth on the Net they'd be targeting these systems. Of course, people DO try to attack these systems and they try very hard. But they don't get very far, because *nix systems are not shamelessly insecure the same way as every kind of Windows. Occasionally, someone does manage to infiltrate one here or another there, but they don't get the traction necessary to cause any meaningful consequence, because *nix systems are inherently secure by design. Instead of attacking the internet plumbing (that is, *nix) spammers and virus writers target the toilets (Windows), because Windows at its most secure is far more vulnerable and easier to exploit.
        ken_jennings@...
        • Secure, or just obscure?

          Are we talking servers here, or PCs? Servers are generally very secure, since they have pros supporting them and keeping them up to date. Even with that, I do seem to remember reading about a hit on the Ubuntu servers this last summer, and hacking of websites is a fairly common occurrence. Some of the very first viruses were Unix based as well.

          What we are talking about here are PCs, a market that Linux currently occupies less than 1% of. PCs are not managed by professionals, but ordinary users, and are generally not as up to date or secure. Contrary to your prejudicial beliefs, Windows PCs are quite secure when updated in a timely fashion, including the necessary antivirus software. I install and manage PCs for a living, and have for many years, and it is a rare occurrence for me to find an infected machine anymore. Consider the numbers listed in this article, something over 1 million PCs infected by this virus. Now, consider that there are around 1 billion PCs in the world, with about 90% of those running Windows, and the conclusion is that the infection rate is very small. Not bad, considering that most of those are neglected home computers.

          I agree that the malware programmers target Windows machines, that is just common sense. Would you target 1% of the computers, or 90%? You can chest thump all you want about Linux superior security, but until it is really tested, it isn't proven. Besides, Macs are also Linux based, and we all saw what happened when hackers were challenged (and finally offered cash) to attempt to "own" two Macs earlier this year. Both Macs (and the cash prizes) were gone within hours.

          For the record, I have Ubuntu 7.04 running one of my home PCs, and I have installed and supported servers running various versions of Linux, Xenix, and Unix, so I am not anti-Linux. I am also not anti-Windows, running Vista on another home computer, and supporting several hundred users at work running everything from Win98 to Vista, along with a number of servers running 2000 and 2003. As far as I am concerned, they are all just computers, and each has their strong points and weaknesses.
          itpro_z
          • secure and made that way.

            "Are we talking servers here, or PCs?"

            We're talking about computers connected to the internet.

            "I agree that the malware programmers target Windows machines, that is just common sense. Would you target 1% of the computers, or 90%?"

            If 1% of the computers can push 90% of the internet content wouldn't it be common sense to attack those computers? Of course it would, and people do attack them, and they don't get very far, because they're primarily beating on *nix systems.

            "You can chest thump all you want about Linux superior security, but until it is really tested, it isn't proven."

            It is proven every day by the fact the internet itself remains operating and largely stable. Incidents are isolated, few and far between.

            I have a Windows system too, they are great game machines. But, the Windows system goes nowhere near the internet without standing behind a real, unix firewall.
            ken_jennings@...
          • Where your argument falls down

            [i]If 1% of the computers can push 90% of the internet content wouldn't it be common sense to attack those computers? Of course it would, and people do attack them, and they don't get very far, because they're primarily beating on *nix systems.[/i]

            You are still comparing the security of a *nix server to a Windows desktop. When you compare *nix servers to Windows servers, the hacking story shows that Windows servers actually hold their own. I can't access Zone-H statistics any more but they consistently showed that LAMP servers were hacked more often than IIS6 servers. So am I suggesting that IIS6 is more secure than LAMP? No, because I don't believe it. I believe that using LAMP doesn't guarantee security and using IIS6 doesn't guarantee failure, it is up to the human being behind the OS, whether that OS is being used in a server role or a desktop role. It just so happens that more people behind server role installations are security conscious when compared to people behind desktop role installations.

            The other factor you ignore is that desktop role OSs typically have different attack vectors than server role OSs. You can fool a human behind a desktop to run an executable or to navigate to a website. This becomes much more difficult to do when attacking a server.

            For those reasons, you can't simply say that you are comparing all [i]computers connected to the internet[/i]. It would be as silly as saying that NASCAR drivers are less skilled than non NASCAR drivers because they get in more accidents. Hey, we are just talking about people driving cars right? When you compare *nix servers to Windows servers, they have been shown to be equally secure. The OS plays [b]far[/b] less a factor than the admin does and a good admin can make any OS secure while a bad admin can make any OS insecure. You can't compare Windows desktop computers to *nix servers though in order to disprove marketshare arguments since the conditions of their use are totally different, just like NASCAR.
            NonZealot
          • Are you sure about that?

            How much do you really know about firewalls? A firewall is a device/program that prevents unsolicited traffic from entering your PC. If you're talking about Intrusion Prevention, be aware that no such technology can fully protect a machine from exploits, not even a Web application firewall operating from the positive security model. And the best negative-model example, Snort, is not associated with UNIX as far as I know.

            As long as software can be installed on your computer, malicious software can be installed as well. The only way to prevent this is to block the installation of drivers, services, registry entries, etc. And if you do this, you have to have a way to undo it, so you can install new software when you want to.

            The only Linux users who still believe Linux is invincible are the ones who haven't been hit yet. I'll bet you the victims discussed in this article don't think so: http://www.theregister.co.uk/2007/10/03/ebay_paypal_online_banking/

            Likewise, most Mac users (Mac is also UNIX-based) also think their platform is invincible. Not so: http://www.pcworld.ca/news/column/96a4d31d0a010408006ca32e63160f68/pg1.htm
            santuccie
    • How does one detect the Storm Worm?

      Is this virus so unique that it can remain undetected on a user's pc? If I am running McAfee or Norton A/V will I remain protected? Or are these rootkits designed to evade detection?

      This (the potential break-up and distribution of the "net") is akin to Capone selling off the West Side but keeping Northtown for pocket change.
      Arcturus16a
      • All of the antivirus programs...

        ...are updating frequently to detect the worm, but it evolves rapidly. Microsoft's own MSRT is also combating the bug. Keep your software up to date, and be wary of email from unknown sources.
        itpro_z
      • Anti Virus

        If you rely on anti virus software for computer security, it's already too late.
        tracy anne
      • Re: How does one detect the Storm Worm?

        From the malware perspective, the purpose of a rootkit is to hide the malware's files from Windows API and avoid being detected by scanners. Antivirus and some antispyware programs can potentially block the worm itself, by detecting it via heuristic or black-and-white signature. However, I am of the understanding that the Storm worm is polymorphic, meaning it is continually changing its code.

        Once the rootkit is installed, traditional antimalware programs likely won't be able to detect it. At this point, there are dedicated tools you can use to help uproot the rootkit. You'll find a handy little handful of them here: http://www.techsupportalert.com/best_46_free_utilities.htm#7

        There are also Intrusion Prevention/Detection programs you can use to catch Storm worm when it tries to install the rootkit. These programs go beyond fingerprinting to utilize behavior analysis, offering a vital third layer of zero-day protection. You will find Intrusion Prevention in a lot of firewall products these days, but there are standalones available as well. ThreatFire is about the best there is, and it happens to be available in a free version, as well as paid.

        Still another solution is to use a sandbox. Sandbox programs create a virtual environment that corrals certain programs (especially Internet programs) off from the rest of your system, preventing events generated by these programs from making permanent changes. One of my favorites is BufferZone. They offer free versions, but each of them only covers certain types of programs, and you could only have one installed at a time from what I remember. Sandboxie is a viable alternative, but it's a bit less automated and a bit more technical. Also, while sandbox programs will kill any program inside the sandbox when you empty it, they will not prevent a keylogger from intercepting your passwords while running inside the sandbox.

        If you would like another solution that prevents Web-borne malware from launching in the first place, perhaps this would be of interest to you: http://invincible-windows.blogspot.com/

        Hope this helps!
        santuccie
  • Money.....

    That's what it's all about, the money. They could DDOS the hell out of the Internet with their superfleet of zombies, but if they cripple the Internet to a crawl so nobody can use it all, who is served by that?!
    Kobashrer
    • :)

      "if they cripple the Internet to a crawl so nobody can use it all who is served by that?!"

      Post office! Now u have to write letters to ur friends. :)
      CrazY_UKRaiNiaN
  • How to detect?

    Yes, but (as Arcturus16a asked), does anyone know which, if any, of the std. a/v programs can detect and remove it? E.g., will Norton, or McAfee, if up to date do the trick? If not, why the hell not?
    angelsix
  • Maybe an ISP will enforce its policies

    Fret and worry and discuss and brainstorm over how to combat the symptoms of botnets, or just solve the frick'n problem, take the botnets offline and inform the users. Big flashing page in their browser

    "Your computer is compromised, you are NOT secure, click this link to find out how to clean your computer".

    You know what, you take the botted computers offline, ALL the revenue dries up and people fix their computers. Of course, Quest and other backbone providers don't sell as much bandwidth, and Symantec doesn't make as much money, and few computers sell because the computer is not actually slow, it is bogged by infection, and of course... never mind, except for the consumer, this is GREAT for the world economy, as you were.

    TripleII
    • because browsers now block redirects....

      ... flashing a screen in front of the user no longer works. I work in a major ISP and this just can't be done anymore.
      waylander
      • Proxy

        What I am proposing: let's assume Joe is compromised. You then route his computer (basically, for him, all DNS leads to 150.1.1.1), which is a pie-in-the-sky address for your proxy. The proxy displays the help pages and warning.

        So, it isn't flashing a screen in front of them and then leaving them on their merry way; it is that their computer is isolated with no route in/out to the internet, and all attempts at web browsing cause the user to arrive at the proxy.

        You may allow them to surf through the proxy, but that's another story. This is just one idea, but my ISP allows for that. Your account can be direct or proxied. This is forced change to proxied for bott'd computers.

        TripleII
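The quarantine-by-DNS idea in the comment above, as an added example that is not part of the original thread and not any ISP's code: a per-subscriber resolver that answers every name with the proxy address quoted in the comment (150.1.1.1) while the account is switched to "proxied", so any web request lands on the help page. It goes one step beyond the comment by allow-listing remediation domains (antivirus and OS update hosts) so that the instructions on the help page can actually be followed. The subscriber addresses, the domains and the fake upstream zone are constructed for the demo.

```python
"""Walled-garden name resolution for quarantined ISP subscribers."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

GARDEN_IP = "150.1.1.1"   # proxy/help-page address quoted in the comment


@dataclass
class Subscriber:
    client_ip: str
    mode: str = "direct"   # "direct" (normal) or "proxied" (every name lands on the garden)
    reason: str = ""       # why the account was switched, for the abuse desk


class WalledGarden:
    """Per-subscriber DNS policy: proxied subscribers get GARDEN_IP for every name
    except allow-listed remediation domains; direct subscribers get the real answer."""

    def __init__(self, upstream: Callable[[str], str], allow_suffixes: Iterable[str]):
        self._upstream = upstream                      # real resolver, name -> address
        self._allow = tuple(s.lower().strip(".") for s in allow_suffixes)
        self._subs: Dict[str, Subscriber] = {}
        self.audit: List[Tuple[str, str]] = []         # (client_ip, event) trail

    def register(self, client_ip: str) -> None:
        self._subs[client_ip] = Subscriber(client_ip)

    def quarantine(self, client_ip: str, reason: str) -> None:
        sub = self._subs[client_ip]
        sub.mode, sub.reason = "proxied", reason
        self.audit.append((client_ip, f"quarantined: {reason}"))

    def release(self, client_ip: str) -> None:
        """Called once the machine has been cleaned; restores direct resolution."""
        sub = self._subs[client_ip]
        sub.mode, sub.reason = "direct", ""
        self.audit.append((client_ip, "released"))

    def is_quarantined(self, client_ip: str) -> bool:
        sub = self._subs.get(client_ip)
        return sub is not None and sub.mode == "proxied"

    def _remediation_domain(self, name: str) -> bool:
        """True for an allow-listed domain or any subdomain of one."""
        n = name.lower().strip(".")
        return any(n == s or n.endswith("." + s) for s in self._allow)

    def resolve(self, client_ip: str, name: str) -> str:
        sub = self._subs.get(client_ip)
        if sub is None or sub.mode == "direct" or self._remediation_domain(name):
            return self._upstream(name)
        return GARDEN_IP


# --- constructed demo data (hypothetical addresses and names) -------------
_FAKE_ZONE = {
    "www.example.com": "203.0.113.10",
    "updates.av-vendor.example": "203.0.113.20",
    "patches.os-updates.example": "203.0.113.30",
}


def demo_upstream(name: str) -> str:
    """Stand-in for the ISP's recursive resolver."""
    return _FAKE_ZONE.get(name.lower().strip("."), "203.0.113.1")


def build_demo() -> WalledGarden:
    """Two subscribers; the first has been flagged as a bot by the abuse desk."""
    wg = WalledGarden(demo_upstream, ["av-vendor.example", "os-updates.example"])
    wg.register("198.51.100.23")
    wg.register("198.51.100.24")
    wg.quarantine("198.51.100.23", "botnet C2 traffic observed")
    return wg


if __name__ == "__main__":
    wg = build_demo()
    for client in ("198.51.100.23", "198.51.100.24"):
        for name in ("www.example.com", "updates.av-vendor.example"):
            print(client, name, "->", wg.resolve(client, name))
```

The allow-list is the part that makes the scheme workable in practice: without it, the help page can tell the user to update their antivirus, but the resolver it sits behind would send that update request straight back to the help page.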
  • 95%. Yes, spam has hit 95% level of all email

    http://www.net-security.org/secworld.php?id=5545

    Leading zombie locations included the United States (36%) and Russia (8%).

    Is it time for more band aids or is it time to actually fix the problem? Until people focus on the problem, de-zombifying and/or taking these machines off the internet, enjoy your Viagra.

    TripleII
  • Don't believe everything you hear

    How much do you really know about firewalls? A firewall is a device/program that prevents unsolicited traffic from entering your PC. If you're talking about Intrusion Prevention, be aware that no such technology can fully protect a machine from exploits, not even a Web application firewall operating from the positive security model. And the best negative-model example, Snort, is not associated with UNIX as far as I know.

    As long as software can be installed on your computer, malicious software can be installed as well. The only way to prevent this is to block the installation of drivers, services, registry entries, etc. And if you do this, you have to have a way to undo it, so you can install new software when you want to.

    The only Linux users who still believe Linux is invincible are the ones who haven't been hit yet. I'll bet you the victims discussed in this article don't think so: http://www.theregister.co.uk/2007/10/03/ebay_paypal_online_banking/

    Likewise, most Mac users (Mac is also UNIX-based) also think their platform is invincible. Not so: http://www.pcworld.ca/news/column/96a4d31d0a010408006ca32e63160f68/pg1.htm
    santuccie
    • Or what you read

      Your point is valid, no machine is ever secure, however, in the article you linked to, the person doing the description is confusing phishing sites with botted computers. Yes, some SERVERs are probably compromised, but the reason Linux was found at the source is that many, if not most, phishing sites are cheap web service rented from companies that, naturally, to keep prices down, run Linux.

      I have never read about any botted Linux client machine (I have read about cracked servers with Linux), and the reason is, SSH, FTP as root, which are not enabled by default, don't allow for root access by default when turned on. I would be HIGHLY interested in reading up on any Linux malware available for install by users not versed in ONLY using repository sources. The cracker community would have to create a .deb, rpm, etc, customize it for each Linux, convince the user to download the right version, install it. LOL, the typical #1 complaint, hard to create universal software across distros, is actually a security perk. It means we all use the repositories 99.8% of the time.

      I used to have to compile, but haven't needed to, for any package, in probably over a year.

      Look at what it takes, a security vulnerability must
      1) be accessible from the web through the firewall
      2) be able to escalate to root undetected
      3) install the rootkit undetected
      4) start ssh and modify the system for remote access, disable or poke a hole in the firewall, allow for root access, download any missing dependencies, etc, undetected
      5) not hurt the system from booting up normally
      6) survive and remain undetected from chkrootkit.
      7) Do it right, as easy as it has become, setting up an SSH server is NOT an automatic easy process.

      That is a VERY VERY tall order. Much much easier to crack the password on a server (i.e. weak root password).

      The time will come when users will be able to download and install from anywhere to get the same malware infected wizbang screensaver-weathermachine, that can do all the above, but we aren't there yet (years away, not enough marketshare) and there is likely a better open source free equivalent in the repository. :D

      TripleII