What if security researchers could disrupt what remains of the Storm Worm botnet, thanks to a flaw in its communication model that lets them redirect infected hosts and eventually disinfect them, but had their hands tied by the fear of legal action?
At the 25th Chaos Communication Congress, which took place in December 2008, German researchers Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser held a presentation (Stormfucker: Owning the Storm Botnet) demonstrating their idea. The concept apparently works, but it has one flaw of its own: it operates in exactly the same fashion as a botnet master issuing updated malware binaries to the infected hosts, thereby violating computer abuse laws internationally.
Below is a Q&A with the researchers, offering insights on the potential for distributed disinfection and on Storm Worm in general.
Q: How did you come up with the Stormfucker idea in the first place, and could you provide us with more details on the lack of server authentication when communicating with the infected clients that the Storm Worm botnet is vulnerable to?
Georg: At the 24C3 congress at the end of 2007, Thorsten Holz gave a presentation on disrupting Zhelatin's command and control infrastructure, involving a /16 network, or 65536 nodes in other terms. This seemed unfeasible to us and motivated us to do better, so we started analyzing Zhelatin binaries and eventually found out that NAT'ed nodes don't require any authentication to be commanded at all.
They simply use a four-byte XOR challenge-response to distinguish real command nodes from accidentally connected ones, and that is it: as long as you implement the server protocol properly, you can command these nodes. Later it was brought to our attention that the small minority of non-NAT'ed nodes checks for a 64-bit RSA signature, which is obviously trivial to crack.
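As an added illustration (not the researchers' code and not taken from any Storm binary), the following Python models the two points Georg makes. The first part treats the four-byte XOR challenge-response as "response = challenge XOR a fixed key"; that model is an assumption, since the interview gives no protocol details, but it shows why such a scheme is not authentication: a single observed exchange leaks the key, whereas an HMAC over the challenge leaks nothing. The second part builds a 64-bit RSA modulus from two constructed 32-bit primes and recovers the private exponent with Pollard's rho in a fraction of a second, which is what "trivial to crack" means for a 64-bit signature check. All key material, challenge bytes and primes are constructed sample values.

```python
"""Added example (not the researchers' code): why the Storm node authentication
described above is no authentication at all.

Part 1 models the four-byte XOR challenge-response as "response = challenge XOR
a fixed key" (an assumption: the interview gives no protocol details) and shows
that one observed exchange leaks the key, whereas an HMAC over the challenge
does not.  Part 2 factors a constructed 64-bit RSA modulus with Pollard's rho
and recovers the private exponent from the public key alone."""
import hashlib
import hmac
import math


# ---- Part 1: fixed-key XOR challenge-response vs. HMAC ----------------------

def xor4(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_response(challenge: bytes, key: bytes) -> bytes:
    """Assumed weak scheme: the node answers challenge XOR key."""
    return xor4(challenge, key)


def recover_xor_key(challenge: bytes, response: bytes) -> bytes:
    """Passive observer: c XOR k = r, so k = c XOR r. One exchange suffices."""
    return xor4(challenge, response)


def hmac_response(challenge: bytes, key: bytes) -> bytes:
    """Sound scheme: HMAC-SHA256 over the challenge. The key cannot be
    derived from an observed (challenge, response) pair."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


# ---- Part 2: a 64-bit RSA modulus is factorable on a laptop -----------------

def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 1000):            # retry with a new polynomial on failure
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n         # tortoise: one step
            y = (y * y + c) % n         # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def factor_rsa_modulus(n: int) -> tuple:
    """Split n = p*q and return (p, q) with p < q."""
    p = pollard_rho(n)
    return tuple(sorted((p, n // p)))


def recover_private_exponent(n: int, e: int) -> int:
    """Recover d = e^-1 mod (p-1)(q-1) from the public key (n, e) alone."""
    p, q = factor_rsa_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed sample values (assumptions, not taken from the botnet).
XOR_KEY = bytes.fromhex("deadbeef")
CHALLENGE = bytes.fromhex("01020304")
P, Q = 4294967279, 4294967291       # two 32-bit primes -> 64-bit modulus
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # the "secret" signing exponent


def demo() -> dict:
    """Run both parts and return the checks a reader would want to see."""
    resp = xor_response(CHALLENGE, XOR_KEY)
    leaked = recover_xor_key(CHALLENGE, resp)
    d_recovered = recover_private_exponent(N, E)
    # A 56-bit "message hash" so that it is smaller than the 64-bit modulus.
    h = int.from_bytes(hashlib.sha256(b"update").digest()[:7], "big")
    sig = pow(h, d_recovered, N)        # signed with the recovered exponent
    return {
        "xor_key_leaked": leaked == XOR_KEY,
        "rsa_d_recovered": d_recovered == D,
        "recovered_d_verifies": pow(sig, E, N) == h,  # accepted by public key
    }


if __name__ == "__main__":
    print(demo())
```

The contrast in the first part is the design lesson: a challenge-response only authenticates if the response depends on a secret that the response itself does not reveal, which an HMAC provides and a fixed-key XOR does not. The second part shows the same lesson for key length: a modulus whose factors fit in 32 bits falls to a textbook algorithm, so the signature check on the non-NAT'ed nodes adds no real protection.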
Q: So basically, Stormfucker is capable of issuing potential disinfection commands to infected hosts, meaning the botnet could become a thing of the past? What are the legal implications of saving the infected users from themselves here?
Georg: Stormfucker is able to send an update to a Storm node that will then download an executable from a Stormfucker-provided host and execute it. This executable would then be a Stormfucker executable that disinfects the computer and also aids in propagation of the update commands. Obviously, issuing a command to download and execute a file without the users' consent is against the law in many countries, let alone the further propagation of this command to other users that is then carried out.
Go through previous Storm Worm campaigns: The Storm Worm would love to infect you; Tracking down the Storm Worm malware; Storm Worm's Independence Day campaign; Storm Worm says the U.S. have invaded Iran.
Q: The industry and the general public have never been comfortable with the idea of "white worms" or "ethical worms", and perhaps for a reason. Is this distributed disinfection method any different? Moreover, since there's never been a shortage of pragmatic solutions to a problem that's the main vehicle driving the cybercrime ecosystem, what would be the best way to put these pragmatic capabilities into action?
Georg: It is exactly like a white worm: the Stormfucker executable spreads from host to host in a distributed setup, however only targeting Zhelatin nodes -- other nodes will not see any extra traffic. Luckily some law enforcement agencies in some countries see the need to put an end to such menaces as Zhelatin and other botnets; maybe some of these people will push the button with proper legislation in the future. Rumor has it that it has happened in isolated cases before.
Q: What are your thoughts on a potential (free) opt-in service where, for instance, end users can request to be at least notified that they are part of Storm Worm's botnet or any other botnet in particular?
Georg: People who are so ignorant as to execute an email attachment from an untrusted source would never sign up for such a service. A much better solution is taken by a local German ISP, NetCologne: they are allowed by their AUP to cut off users that are identified to be infected with malware, and they have a Nepenthes-based system to find such users. Being cut off from the Internet makes these ignorant people clean their computers pretty fast, so that they can browse the tubes again. Other ISPs should come up with similar solutions!
Q: Storm Worm's copycat Waledac (from the same malware gang behind Storm) is currently spreading in the wild. Would the same tactic work against it, for instance, and how is Waledac's communication model different from Storm Worm's original one?
Tillmann Werner: From the code perspective, Waledac isn't Storm's copycat; it's totally different, besides the fact that it also uses a P2P infrastructure. For instance, it communicates via encrypted XML messages over HTTP, thus it's immune to the Sybil attack. It does provide fast-flux DNS services similar to Storm, but we would expect that from every serious malware these days, right? Some people think that there is the same group behind Storm and Waledac. Maybe, maybe not -- who wants to know?
Felix Leder: Waledac is pretty new and the C&C structure has not been researched in depth yet. We are on it and may find something interesting. Currently we can only say that it is using "state-of-the-art" cryptography, which complicates things a bit but doesn't make it invulnerable. Instead of P2P, Waledac uses fast-flux networks. It is definitely possible to place controlled nodes in those networks. Whether those nodes can issue commands has to be investigated. So in short: the same tactics may work, but some more research has to be done.
The inside of Waledac is a lot different from Storm and similarities are hardly there. It is definitely a complete rewrite. The similarities (we have seen so far) are the use of open-source libraries in the malware, nodes that speak both storm and Waledac, and decentralized communication.