October 16, 2007 9:57 AM PDT

Security expert: Storm botnet 'services' could be sold

The owners of the Storm botnet, whose identities are as yet unknown, could be preparing to sell off the "services" of segments of the network, according to Joe Stewart, a researcher from managed security services company SecureWorks.

Stewart claimed in a blog post on Sunday that the latest Storm variants now use a 40-byte key to encrypt their peer-to-peer traffic, meaning each node will only be able to communicate with nodes that use the same key.

"This effectively allows the Storm author to segment the Storm botnet into smaller networks," Stewart wrote in his blog post. "This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that's the case, we might see a lot more of Storm in the future."

Fast-flux service networks are networks of compromised computer systems with public DNS records that are constantly changing, making it more difficult to track and control criminal activities, according to the Honeynet Project Research Alliance, a forum of honeypot research organizations. A honeypot is a system, often undefended, set up as a trap for attackers.
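The constantly changing DNS records described above can be measured from passive DNS observations. The sketch below is an added example, not code from the article, SecureWorks or the Honeynet Project; the sample records are constructed and the thresholds are assumed values.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS observations: (unix_time, domain, answer_ip, ttl_seconds).
# Domains and addresses use reserved documentation ranges, not real data.
OBSERVATIONS = [
    (0, "flux.example", "198.51.100.7", 180),
    (300, "flux.example", "203.0.113.44", 180),
    (600, "flux.example", "192.0.2.91", 120),
    (900, "flux.example", "198.51.100.201", 180),
    (1200, "flux.example", "203.0.113.9", 180),
    (1500, "flux.example", "192.0.2.15", 60),
    # Load-balanced pool: many addresses, short TTL, but one network.
    (0, "pool.example", "192.0.2.20", 60),
    (300, "pool.example", "192.0.2.21", 60),
    (600, "pool.example", "192.0.2.22", 60),
    (900, "pool.example", "192.0.2.23", 60),
    (1200, "pool.example", "192.0.2.24", 60),
    # Ordinary site: one address change, long TTL.
    (0, "stable.example", "192.0.2.10", 3600),
    (1500, "stable.example", "192.0.2.11", 3600),
]

def summarize(observations, window=3600):
    """Per domain, within `window` seconds of the newest record:
    distinct IPs, distinct /24 networks (IPv4 assumed), and largest TTL."""
    newest = max(ts for ts, _d, _ip, _ttl in observations)
    ips, ttls = defaultdict(set), defaultdict(list)
    for ts, domain, ip, ttl in observations:
        if newest - ts <= window:
            ips[domain].add(ip_address(ip))
            ttls[domain].append(ttl)
    return {
        d: {"ips": len(a), "networks": len({int(x) >> 8 for x in a}),
            "max_ttl": max(ttls[d])}
        for d, a in ips.items()
    }

def flag_fast_flux(observations, min_ips=5, min_networks=3, max_ttl=300):
    """Flag domains whose answers churn across several networks with short TTLs.
    Thresholds are assumed values for illustration and need local tuning."""
    return sorted(
        d for d, s in summarize(observations).items()
        if s["ips"] >= min_ips and s["networks"] >= min_networks
        and s["max_ttl"] <= max_ttl
    )

if __name__ == "__main__":
    print(flag_fast_flux(OBSERVATIONS))
```

Requiring several distinct networks as well as many addresses keeps the single-network load-balanced pool from being flagged alongside the fluxing domain.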

Stewart said the good news is that security researchers can now distinguish encrypted Storm traffic from legitimate peer-to-peer traffic, making it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow peer-to-peer traffic.

Antivirus vendor Sophos agreed that Stewart's analysis is "probably correct" on the use of encryption to segment the Storm network for the purposes of resale.

"Storm's use of encrypted traffic is an interesting feature which has raised eyebrows in our lab," said Graham Cluley, senior technology consultant at Sophos. "Its most likely use is for the cybercriminals to lease out portions of the network for misuse. It wouldn't be a surprise if the network was used for spamming, distributed denial-of-service attacks, and other malicious activities."

The Storm botnet was initially created at the beginning of 2007 when the Storm worm was spammed out, hiding in e-mail attachments with a subject line of "230 dead as storm batters Europe."

While Storm has continued to grow since then, it is difficult to gauge its true size because a large percentage of the infected machines are on "standby," according to security expert Bruce Schneier. Schneier wrote in a blog post at the beginning of October that he was worried about what Storm's creators had in store for phase two of the botnet.

"Oddly enough, Storm isn't doing much, so far, except gathering strength," Schneier wrote. "Aside from continuing to infect other Windows machines and attacking particular sites that are attacking it, Storm has only been implicated in some pump-and-dump stock scams. There are rumors that Storm is leased out to other criminal groups. Other than that, nothing."

Schneier wrote that the Storm botnet authors had quietly been increasing the strength of the botnet by having small portions attack other computers and then lie dormant, and by using a yet smaller fraction of the botnet to control compromised computers.

"Storm is designed like an ant colony, with separation of duties," Schneier wrote. "Only a small fraction of infected hosts spread the worm. A much smaller fraction are command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties."

Tom Espiner of ZDNet UK reported from London.

I totally do not agree with activities like this.. but I still have to say "wow". Imagine the next step of botnet... AI botnets.

Having a botnet being able to spread and control computers by itself. This kind of reminds me of the Borg in Star Trek.. or the Replicators in Stargate Atlantis.. more so Stargate Atlantis.

It's quite interesting where this is all going.. and a bit worrisome.. and a lot wow.
Posted by aSiriusTHoTH (176 comments )
Holy crap Batman!
Would people just stop buying this crap already?! Spam would completely cease to exist almost overnight if people would simply STOP paying their hard-earned money for knock-off 'Rolux' watches or placebos advertised as V!agra or *****-pills.

The people making this software obviously have some computer programming skills which likely means that they COULD obtain legitimate employment, but probably aren't because they're earning a lot more doing illegal stuff. The reason they're earning that money is because there are simply too many idiots on the planet willing to buy the crap they're selling!
Posted by Hoser McMoose (182 comments )