- Related Stories
-
'Storm worm' exploits YouTube
October 10, 2007 -
Greetings...you're infected
October 8, 2007 - Related Blogs
-
Storm worm rivals world's best supercomputers
September 7, 2007
"This effectively allows the Storm author to segment the Storm botnet into smaller networks," Stewart wrote in his blog post. "This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that's the case, we might see a lot more of Storm in the future."
Fast-flux service networks are networks of compromised computer systems with public DNS records that are constantly changing, making it more difficult to track and control criminal activities, according to the Honeynet Project Research Alliance, a forum of honeypot research organizations. A honeypot is a system, often undefended, set up as a trap for attackers.
Stewart said the good news is that security researchers can now distinguish encrypted Storm traffic from legitimate peer-to-peer traffic, making it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow peer-to-peer traffic.
Antivirus vendor Sophos agreed that Stewart's analysis is "probably correct" on the use of encryption to segment the Storm network for the purposes of resale.
"Storm's use of encrypted traffic is an interesting feature which has raised eyebrows in our lab," said Graham Cluley, senior technology consultant at Sophos. "Its most likely use is for the cybercriminals to lease out portions of the network for misuse. It wouldn't be a surprise if the network was used for spamming, distributed denial-of-service attacks, and other malicious activities."
The Storm botnet was initially created at the beginning of 2007 when the
While Storm has continued to grow since then, it is difficult to gauge its true size since a large percentage of the infected machines are on "standby," according to security expert Bruce Schneier.
"Oddly enough, Storm isn't doing much, so far, except gathering strength," Schneier wrote. "Aside from continuing to infect other Windows machines and attacking particular sites that are attacking it, Storm has only been implicated in some pump-and-dump stock scams. There are rumors that Storm is leased out to other criminal groups. Other than that, nothing."
Schneier wrote that the Storm botnet authors had quietly been increasing the strength of the botnet by having small portions attacking other computers and then lying dormant, by using a yet-smaller fraction of the botnet to control compromised computers.
"Storm is designed like an ant colony, with separation of duties," Schneier wrote. "Only a small fraction of infected hosts spread the worm. A much smaller fraction are command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties."
Tom Espiner of
See more CNET content tagged:
node,
fraction,
host,
P2P,
researcher
Having a botnet being able to spread and control computers by itself. This kind of reminds me of the Borg in Star Trek.. or the Replicators in Stargate Atlantis.. more so Stargate Atlantis.
Its quite interesting where this is all going.. and a bit worrisome.. and a lot wow.
The people making this software obviously have some computer programing skills which likely mean that they COULD obtain legitimate employment, but probably aren't because they're earning a lot more doing illegal stuff. The reason they're earning that money is because there are simply too many idiots on the planet willing to buy the crap they're selling!