August 7, 2008 9:44 AM PDT

Looking inside the Storm worm botnet

by Robert Vamosi

LAS VEGAS--On Wednesday, Joe Stewart, director of malware research for SecureWorks, presented his work on protocols and encryption used by the Storm worm botnet at Black Hat 2008.

He said as far as botnets go, Storm is not particularly sophisticated, nor is it our No. 1 threat. Yet while other botnets come and go, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.

None of this is surprising; it's just handled well.

In explaining Storm worm's resiliency compared to newer and sleeker botnets, Stewart looked at the encryption used within the commands sent from the command and control server. He said the compression or packing code changes so often in order to thwart antivirus signature files.

Storm uses P2P to communicate with its various nodes and supernodes throughout the Internet. He said because of that, it has to contend with bogus media files being sent via P2P and researchers such as himself attempting man-in-the-middle attacks to see what the commands might be. To handle that, Storm has started using 64-bit RSA encryption based, in part, on the date.

Joe Stewart talks about what botnet code is available and what can be found within it.


July 30, 2008 12:44 PM PDT

FBI warns of new Storm worm variant

by Robert Vamosi

On Wednesday, the FBI and its partner, the Internet Crime Complaint Center (IC3), warned against a new e-mail campaign being used by the creators of the Storm Worm botnet.

The e-mail uses the phrase "F.B.I. vs. Facebook" in its subject line and contains a link to view an article about the FBI and Facebook, a popular social networking website. Clicking on the link downloads malicious software onto the victim's computer.

"The spammers spreading this virus are preying on Internet users and making their computers an unwitting part of criminal botnet activity," said the FBI in a press release. "We urge citizens to help prevent the spread of botnets by becoming web-savvy."

The FBI is warning users not to respond to spam e-mail and not to open attachments or links provided within such e-mail, and advising them to validate the legitimacy of the e-mail by typing the organization's Web site address directly into a browser window, rather than clicking on a provided link.
