What if you wanted to build your own botnet to act as a spam relay or to launch a denial-of-service attack against an organization or a country? "It's actually a lot of work," says Joe Stewart, director of malware research at SecureWorks.
I had a chance to talk with Stewart at this year's Black Hat security conference in Las Vegas where, in a talk, he provided insight into the inner workings of one botnet, the Storm worm botnet. Using unpackers, debuggers, and decompilers, Stewart was able to dissect the rogue network and learn how it works and why Storm remains so resilient when other botnets simply fail over time.
Joe Stewart of SecureWorks at Black Hat Las Vegas 2008
(Credit: Robert Vamosi / CNET)Botnets, whose combined computing power can equal that of a large supercomputer, are organic, yet they only evolve when they need to, such as after they've been discovered and shut down, Stewart said. But he said anyone wanting to copy a successful botnet like Storm would simply be wasting their time. While all the coding tricks used to make Storm successful are available on the Internet, it's combining them that's the trick.
"How you are going to make all that work for your specific needs? It's pretty complex," he said. "The person who developed Storm did it over a long period of time. They didn't start out with the peer-to-peer program (as used today); they started out with something much simpler. They then made small modifications. A lot of hours have been put into it."
Storm's structure
A basic botnet would includes a Command and Control (C&C) server contacted to thousands of compromised desktop computers worldwide. Were that always the case, botnets could be taken down quickly by simply finding and shutting down the C&C server. Storm's approach is more nuanced and layered. Top level is a Command & Control server running Apache (presumably somewhere in Russia). Next level is a server running a Nginx 0.5.17 proxy; this server is designed to hide the Apache machine from view. At the third level are a couple more Nginx 0.5.17 proxies used to hide the master Nginx 0.5.17 proxy from view. Sitting at the fourth level are public nodes that act as reverse proxies leading back to the controller and perform as fast-flux name servers. Fast flux means that a hard-coded URL can be sent out with the bot code, but where that URL resolves changes.
The final level is composed of thousands of compromised computers worldwide. Stewart says that Storm starts out infecting a computer with a dropper. Right now the preferred infection process is via an e-mail link, but this might change to a peer-to-peer process. However infected, the initial click by the end user installs a rootkit which, in turn, reaches out to the EXE file from a fourth-level supernode. Once infected, the compromised computer and supernode trade the infected desktop's IP information. This information is sent to a third-level supernode proxy as pert of its mapping operation. At the third level it is also compressed and encoded for obfuscation, then sent on to the second level proxy, and finally to the top level server.
Overnet/eDonkey
At the second and third levels, the Nginx proxies listen for Overnet/eDonkey peer-to-peer Internet traffic. Overnet/eDonkey was a popular peer-to-peer network application until it was shut down by the Recording Industry Association of America. While the service is gone, the code still exists. What botnet operators like most is Overnet/eDonkey's distributed nature; it lacks a central peer list. Thus, each of the nodes keeps only a small list of neighboring peers.
This decentralized network is what Stewart and many other experts say is the key to Storm's resilience.
And it almost proved to be Storm's undoing. Overnet/eDonkey is still used for file-sharing, so in Storm's view there is a lot of bogus traffic out there. To better distinguish its traffic from other traffic, Stewart says Storm uses the Kadamlia distributed hash table (DHT) and its C&C servers listen only for predictable MD4 hashes. Those hashes are derived from a simple checksum algorithm that includes IP address and the port used. Authentication is accomplished through a 4-byte challenge and response.
The predictable hashes also have a positive effect for researchers, says Stewart: If a given peer doesn't know the location of the specific node you're searching for, the known peer will provide you with a list of peers closest to what you asked for. And, because the Overnet/eDonkey supernode peers all broadcast their presence, Stewart and other researchers can walk all the nodes in a network to get a fairly accurate count of the botnet's size.
Not perfect
Lately, though, Storm has been evolving yet again. This time it's isolating its network further from the general Internet traffic by encrypting packets using an embedded key and simple XOR. It also has been changing its initial infection packing or compression process. The outer layers change every 10 minutes, while the interior bot code changes packing more on the order of once a month. Neither the packing nor the encryption have so far proven defeating to security researchers.
However, one downside to encryption is that Storm's handlers could now segment parts of their network--that is, they could rent or sell off pieces of the botnet to others. Although speculation around segmentation has been widespread, Stewart says he has not observed it.
In addition to Stewart's research, see Brandon Enright's report for another detailed look at the structure of this venerable botnet.
Recent e-mails stating that the U.S. has already attacked Iran and, in some cases, also offering links to a video purportedly from a soldier, are not to be believed, according to Websense. The security vendor said in an advisory Wednesday that it has linked the provocative e-mails to the Storm worm.
Storm got its name because it first took advantage of a huge winter storm in Northern Europe in early 2007. Since then, it has used a variety of social engineering tricks, including the use of political themes, to get unsuspecting users to open its malicious payload.
This time Storm is offering form.exe and iran_occupation.exe as executable payloads.
Acording to Dancho Danchev over at ZDNet, the latest iteration of Storm appears to be using the following domains:
- statenewsworld . com
- morenewsonline . com
- dailydotnews . com
- dotdailynews . com
- newsworldnow . com
A link from one of the Storm worm e-mails leads to this page.
(Credit: Websense)
On Thursday, MessageLabs reported in its April Intelligence Report a marked decrease in the number of malware links connected to the Storm botnet. "It's not too often that a security company says that things are getting better," said Mark Sunner, Chief Security Analyst.
At its peak, Sunner said, the Storm botnet resided upon one million computers worldwide. That number has since come down to between 85,000 IP addresses at the end of April. He said that over the last eighteen months Storm has been constant, and never decreased according to MessageLabs research. "Other security companies have reported decreases in the past," he said because of different methods of studying the botnet, "but this is first decrease we've seen."
He credited the most recent patches from Microsoft with the decline. He said that in the weeks following the most recent Patch Tuesday there was a sharp drop off.
Given that the creators of Storm managed and maintained a constant flood of variations for more than one year, it's a little odd that they would just take their money and walk away. Sunner said that they are seeing an increase in Srizbi, named for the one of the Web sites from which is downloaded. A Trojan, Srizbi uses rootkit technology to hide on an infected machine but, like Storm, it is also known to relay spam.
(Credit:
Jose Nazario, Arbor Networks)
Don't click on that silly April Fools' Day e-mail, says one security expert.
In a blog, Arbor Networks' Jose Nazario reports that within the last 24 hours he's seeing new releases of the Storm worm designed to take advantage of the first day of April. This new spam campaign is a lure to infect new computers that will become part of the larger Storm worm botnet.
The e-mail body is spartan: the words "Doh! April Fools" followed by a numeric URL. If a user clicks on that URL, the default Internet browser will open to a page with a cartoon character. A download is supposed to start within five seconds and, according to the message, "If your download does not start, click here and then press 'Run.'"
The compromised computer will then install the downloaded file as C:\WINDOWS\aromis.exe. Nazario reports that the botnet file opens the firewall using the netsh firewall set command, makes a lot of outbound connections, then listens on a random UDP port.
On Monday, Adobe Systems rolled out its new Web 2.0 development tool, Adobe Integrated Runtime, or AIR. Following its release were some concerns from the security community.
Adobe CEO Shantanu Narayen talks up AIR at a San Francisco event.
(Credit: Charles Cooper/CNET News.com)AIR, formerly Adobe Apollo, is a runtime environment that allows developers use HTML, Flash, AJAX, Flex, and other Web 2.0 tools to create desktop applications. One such application built using Adobe AIR comes from Nickelodeon Online.
But some security experts are concerned about local file access by AIR applications. Recently, Firefox experienced a vulnerability that could have allowed remote attackers to access a targeted file system. To mitigate this, Adobe says it implemented a sandboxing environment, however, Adobe's documentation suggests that the sandboxes are less secure than a Web browser's sandbox.
Additionally, Adobe says that AIR applications need to be digitally signed, however, these certificates can be self-signed. And many users will ignore the warnings and run untrusted applications.
Finally, there is the potential for Cross-Site Scripting (XSS), SQL injection, and local link injection. While these threats are not limited to Adobe AIR, developers could gain a false sense of security by relying only on AIR's weaker sandbox protection.
Adobe has also provided the following: an informative article titled "Introduction to AIR security" and a white paper, "AIR Security" (PDF). But Lenny Zeltser, writing on the Sans Internet Storm Center site, notes that "many developers will be unaware of Adobe AIR security best practices or will knowingly take shortcuts that expose end users to attacks."
The FBI is warning that Valentine's Day e-mails you see this year might be coming not from loved ones, but from the Storm worm botnet. In a press release Tuesday, the FBI warns users to be on the lookout for e-mail that "directs the recipient to click on a link to retrieve the electronic greeting card (e-card). Once the user clicks on the link, malware is downloaded to the Internet-connected device and causes it to become infected and part of the Storm worm botnet."
Dr. Jose Nazario of Arbor Networks said the authors of Storm have launched a carefully orchestrated series of lure campaigns to bring new members into the network. One of them is Valentine's Day-themed. Nazario said the creators of Storm have in recent weeks "grown the network by as much as 50 percent."
Nazario blamed fresh spam and incomplete antivirus protection on users' desktops for the new botnet infections.
"Generally speaking, when you only have something like 25 percent or less who are updated with the current patches and Best Practices in AV software, it doesn't really matter. You can be caught up with the latest AV fix, but if other people aren't really applying it, it doesn't really matter."
If you don't have antivirus protection, get some. See CNET's latest antivirus performance test results here. If you already have an antivirus product installed, make sure your subscription and the data files are both up to date.
On Tuesday, exploits for the Yahoo apps were reported circulating. There is currently no patch from the individual vendors, so the only workaround is to disable the several specific, vulnerable ActiveX controls. (ActiveX controls were developed by Microsoft for use with Internet Explorer and other browsers.)
The SANS tool, available here, eliminates the risks associated with editing the Windows system registry file. A command line version is available here.
The kill-bit tool first checks your system to see if any of the vulnerable CLSIDs exist. If so, the tool saves a copy of any values currently set, then updates the display to show that the CLSID--the unique sequence assigned to each ActiveX component that specifies which control you are using--exists. It also shows whether the kill-bit flag is set. To set the kill-bit, just check the box beside any of the affected ActiveX controls then click on the "Set" button. Unchecking any of the boxes will either reset the "Compatibility Flags" to their saved value or remove the CLSID entirely (if you didn't have the control installed in the first place).
SANS suggests setting the kill-bits for all of the affected ActiveX controls, and, even if you don't currently have one or more of these CLSIDs installed on your machine, go ahead set the kill-bit for controls that might be added to your system in the future.
A number of phishing sites have cropped up within the last day using domains previously attributed to the Storm worm botnet. Last fall, Storm was used in a series of pump-and-dump stock spam blasts, including a unique MP3-based spam blast, but researchers at F-Secure don't think the original authors of Storm are necessarily trying something new. F-Secure said Tuesday that "October brought evidence of Storm variations using unique security keys. The unique keys...allow the botnet to be segmented allowing 'space for rent.'" They think phishers are leasing parts of the larger botnet.
F-Secure cites a Halifax bank as one of the phishing targets, while Trend Micro identifies the Royal Bank of Scotland as another. What connects these sites are the server domains hosting the pages. Trend Micro said Tuesday it detected the hosts "while watching domain activity normally associated with suspected RBN (Russian Business Network) -associated activities."
The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will celebrate its first anniversary next week, on or around January 19.
- prev
- 1
- next
