The owners of the Storm botnet, whose identities are as yet unknown, could be preparing to sell off the "services" of segments of the network, according to Joe Stewart, a researcher from managed security services company SecureWorks.
Stewart claimed in a blog post on Sunday that the latest Storm variants now use a 40-byte key to encrypt their peer-to-peer traffic, meaning each node will only be able to communicate with nodes that use the same key.
"This effectively allows the Storm author to segment the Storm botnet into smaller networks," Stewart wrote in his blog post. "This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that's the case, we might see a lot more of Storm in the future."
Fast-flux service networks are networks of compromised computer systems with public DNS records that are constantly changing, making it more difficult to track and control criminal activities, according to the Honeynet Project Research Alliance, a forum of honeypot research organizations. A honeypot is a system, often undefended, set up as a trap for attackers.
Stewart said the good news is that security researchers can now distinguish encrypted Storm traffic from legitimate peer-to-peer traffic, making it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow peer-to-peer traffic.
Antivirus vendor Sophos agreed that Stewart's analysis is "probably correct" on the use of encryption to segment the Storm network for the purposes of resale.
"Storm's use of encrypted traffic is an interesting feature which has raised eyebrows in our lab," said Graham Cluley, senior technology consultant at Sophos. "Its most likely use is for the cybercriminals to lease out portions of the network for misuse. It wouldn't be a surprise if the network was used for spamming, distributed denial-of-service attacks, and other malicious activities."
The Storm botnet was initially created at the beginning of 2007 when the Storm worm was spammed out, hiding in e-mail attachments with a subject line of "230 dead as storm batters Europe."
While Storm has continued to grow since then, it is difficult to gauge its true size since a large percentage of the infected machines are on "standby", according to security expert Bruce Schneier. Schneier wrote in a blog post at the beginning of October that he was worried what Storm's creators had in store for phase two of the botnet.
"Oddly enough, Storm isn't doing much, so far, except gathering strength," Schneier wrote. "Aside from continuing to infect other Windows machines and attacking particular sites that are attacking it, Storm has only been implicated in some pump-and-dump stock scams. There are rumors that Storm is leased out to other criminal groups. Other than that, nothing."
Schneier wrote that the Storm botnet authors had quietly been increasing the strength of the botnet by having small portions attacking other computers and then lying dormant, by using a yet-smaller fraction of the botnet to control compromised computers.
"Storm is designed like an ant colony, with separation of duties," Schneier wrote. "Only a small fraction of infected hosts spread the worm. A much smaller fraction are command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties."