Storm Worm Botnet Partitions May Be Up For Sale

Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."
  • by Shimdaddy ( 898354 ) on Tuesday October 16, 2007 @12:04PM (#20996965) Homepage
    Being the n00b that I am, I don't know what fast flux DNS is. I know what DNS is, and I know the meaning of fast... but flux to me is something you put on a pipe before you weld it. What does it mean in this context?
  • How long before.. (Score:5, Interesting)

    by monk.e.boy ( 1077985 ) on Tuesday October 16, 2007 @12:09PM (#20997057) Homepage

    How long before Storm is better than the Internet?

    It seems to be peer-2-peer, can host files, must be reliable (DNS and all that), encrypted traffic.

    If you assume Internet is past its sell by date, what would the next generation network look like?

    :-)

    (OK, maybe it wouldn't be owned by the mafia (insert USA joke here))

  • by Animaether ( 411575 ) on Tuesday October 16, 2007 @12:29PM (#20997431) Journal
    ...and if there aren't, then why are reputable DNS servers allowing these super-fast changes to DNS records anyway? Certainly such trends can be easily detected and stopped dead in their tracks?
  • So, how bad is it? (Score:3, Interesting)

    by Anonymous Coward on Tuesday October 16, 2007 @12:41PM (#20997629)
    I've not been actively following the Storm Worm Botnet stories, but I've picked up a few details which, on the surface, are downright frightening: Storm infects between 1 and 50 million PCs; it's more powerful than the world's supercomputers; dynamically evolves to avoid counteractions by security companies; and only uses 20% of its potential computing power at the moment.

    These blurbs, if they're true, paint a bleak picture. Should the hackers leverage the network's full power, couldn't they shut down just about any server on earth? And imagine the bandwidth costs of this thing operating at full force.

    So for those in the know, is Storm just a way to propagate spam and annoy people? Or is it something even more dangerous?
  • by Cato ( 8296 ) on Tuesday October 16, 2007 @12:44PM (#20997673)
    Here's a small and possibly unrepresentative datapoint from last weekend that would tend to suggest there are a lot of infected PCs out there, some of them with Storm. Basically, 2 of 3 PCs scanned had backdoor trojans and I didn't have time to debug the third PC enough to scan it.

    I spyware scanned three PCs belonging to two friends/family households. Naturally, they were all Windows. I used Webroot Spysweeper which is pretty good but costs, and Kaspersky online scan, which is good but slow, and virus only.

    - PC 1: infected with various spyware and a backdoor trojan (remote access by the bad guys) - had an up to date antivirus (AVG) that didn't spot any of this, but no anti-spyware installed.

    - PC 2 (same network as 1): couldn't even install new software (error on running any new .EXE), ran out of time to debug this so did not install Webroot or any other tools. Also had AVG antivirus, which was up to date, and no anti-spyware. Presumed infected.

    - PC 3: (2nd household) - infected with a different backdoor trojan and several viruses. Had Norton anti-virus that had not updated since 2004.

    I would assume the average Windows PC has a high chance of some sort of infection, unless the users are very careful about installing third party software, some of which carries spyware or worse, and clicking on links in IE. Even Firefox had spyware on one of these machines.

    Windows PCs run by power users (not the users here) can be somewhat secure, but it's painful to make them so. One colleague who's very techie still got infected by a PDF security hole recently, so you need Secunia PSI to run continuously, as well as monitoring some security blogs, and updating software regularly, as well as using a good anti-spyware tool, not using IE/Outlook, etc etc. However, once you are making this much effort, the work needed to install Ubuntu becomes much less of a hurdle - you might as well just switch over one PC so you have a safe PC for online shopping/banking etc.

    The only good thing about this story is that nothing very important was being done on these PCs - little online shopping and no online banking... however, that's the users' self-reported status and they may well not want to admit they are at risk.

    I don't do this for a living, I'm just a Windows and Linux user who wondered why there were so many popups on one of these PCs and ended up getting sucked into this when I should have been socialising - fortunately anti-spyware scans can run during dinner...
  • by algae ( 2196 ) on Tuesday October 16, 2007 @12:46PM (#20997709)
    Sure there are legitimate reasons to do this - one of them is cheap datacenter fail-over. If I have web servers colocated in two different datacenters with two different ISPs, and one of them goes down, I can change the TTL on my DNS records to, say, 30 seconds, and point all the addresses to the other location. The short TTL will cause global DNS to be updated much more quickly than normal, and my web site's traffic won't dead-end.

    On the other hand, I definitely see ISPs that don't respect DNS TTLs anyway.
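The thread's question of how to tell fast-flux from a legitimately short TTL, as an added example that is not from any commenter: a short TTL alone is what fail-over uses, so the heuristic below flags a name only when a low TTL coincides with many distinct addresses spread across many networks. The observations are constructed (RFC 5737 documentation addresses), the thresholds are assumptions, and /24 prefixes stand in for "different hosting network" where a real deployment would consult ASN data.

```python
import ipaddress

# Constructed passive-DNS style observations: (seconds since start, name, TTL, A record).
# Addresses come from RFC 5737 documentation ranges; none of this is real data.
OBSERVATIONS = [
    (0, "shop.example", 3600, "192.0.2.10"),
    (1800, "shop.example", 3600, "192.0.2.10"),
    # Short TTL used for a planned datacenter fail-over: few addresses, few networks.
    (0, "failover.example", 30, "192.0.2.20"),
    (120, "failover.example", 30, "198.51.100.20"),
    (240, "failover.example", 30, "198.51.100.20"),
    # Short TTL plus constant churn through unrelated networks: the fast-flux pattern.
    (0, "flux.example", 180, "203.0.113.5"),
    (180, "flux.example", 180, "198.51.100.77"),
    (360, "flux.example", 180, "192.0.2.140"),
    (540, "flux.example", 180, "203.0.113.201"),
    (720, "flux.example", 180, "198.51.100.9"),
    (900, "flux.example", 180, "192.0.2.33"),
]


def summarize(observations, window=3600):
    """Per name, within the first `window` seconds: distinct IPs, distinct /24s, smallest TTL."""
    stats = {}
    for ts, name, ttl, ip in observations:
        if ts >= window:
            continue
        s = stats.setdefault(name, {"ips": set(), "nets": set(), "min_ttl": ttl})
        s["ips"].add(ip)
        # /24 is an assumed stand-in for "different hosting network"; ASN lookup is better.
        s["nets"].add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        s["min_ttl"] = min(s["min_ttl"], ttl)
    return stats


def is_fast_flux(stat, max_ttl=300, min_ips=5, min_nets=3):
    """Flag only when a short TTL coincides with many addresses over many networks.
    Thresholds are assumptions; a short TTL by itself is exactly what fail-over uses."""
    return (stat["min_ttl"] <= max_ttl
            and len(stat["ips"]) >= min_ips
            and len(stat["nets"]) >= min_nets)


def flagged_names(observations):
    """Names in the sample that match the fast-flux heuristic, sorted."""
    return sorted(n for n, s in summarize(observations).items() if is_fast_flux(s))
```

Running `flagged_names(OBSERVATIONS)` returns only `["flux.example"]`; the fail-over name with its 30-second TTL is left alone because it only ever resolved to two addresses.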
  • by asuffield ( 111848 ) <asuffield@suffields.me.uk> on Tuesday October 16, 2007 @01:00PM (#20997947)
    Registrars are extremely reluctant to remove domains just because somebody claims that they are part of a botnet. Basically, you need a court order. You'll only get a court order if a judge rules against the botnet operator. You'll only get a ruling if somebody takes the botnet operator to court in a criminal case. That will only happen if a government intervenes.

    No governments are interested in dealing with this problem.
  • by MiniMike ( 234881 ) on Tuesday October 16, 2007 @01:09PM (#20998105)
    Step 1: Rent botnet.
    Step 2: Have each 'rented' computer run update, anti-virus, anti-malware...
    Step 3: Profit! Ok, no profit, but maybe you get to enjoy reduced amounts of spam.

    Repeat until bored.
  • by dtml-try MyNick ( 453562 ) on Tuesday October 16, 2007 @01:20PM (#20998289)
    First things first, IANAE (I am not an expert)

    I've recently read some stories about this botnet. From what I've gathered it's powerful enough to do some serious damage in a society. Cyber attacks can disrupt our lives in multiple ways after all.
    Imo we're just lucky so far that it hasn't been used for some serious attack on money/bank agencies, public transport, etc etc, stuff close to us and vital for average day life. (or am I just being too paranoid now?)

    The hosts that are infected will most likely be badly maintained boxes, unattended, never updated. Wouldn't it be possible to write a counterworm/trojan that would delete the bot software and close the holes?

    I realise the ethical issues involved here. A Trojan like this would basically be just as "bad" as the botnet itself, on the other hand it would be for the greater good.
    Has anyone ever attempted this? If not, what if someone did? Would you be pissed off if one of your forgotten and infected boxes would be cleaned this way?

    Just being curious..
  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Tuesday October 16, 2007 @05:17PM (#21002045)
    I'm sorry, I'm probably sounding completely lame to those more firm in cryptography, but I have to ask:

    What would it take to attack the 40 byte key? Imagine a coordinated effort by the biggest 500 government computing setups around the world. All the Blue Genes and whatnot pitching in. The Japanese sure have the one or other state-of-the-art mainframe supercomputer, and CERN, ESA, NASA and a few German weather services have a few as well. There is tons of horsepower lying around idle at agencies, bureaus and the occasional school or corporation. If they all pitch in in a coordinated brute force attack *and* have Seti@Home do a few hours too it should be possible, no? Especially if one takes into account that at least the NSA has mathematical functions that do some of the dirty work and speed up the process a little. They wouldn't even have to publish them.

    Wait, let's just check:

    255 to the power of 40 is roughly 1.8 times 10 to the power of 96 (Gulp!). That's nearly a googol. (10^100, what Google initially was supposed to be called, the guy registering the domain mixed up the letters...)
    Whatever.
    On it goes: For the sake of ease I'll roughly estimate that after the overhead has been dealt with, half of the top 500 (or a similar setup) will be doing optimized attacks on an average of 50 billion tries per second. An average state-of-the-art mid-range server has approx. 20 GigaFLOPS, so I think that's fairly realistic for a large mainframe doing a multi-step operation.
    250 * 50 000 000 000 = 1.25*10^13 tries per second.

    *60*60*24 makes 1.08*10^18 per day. [Sidenote: This may be way off whack already and total bollocks but it's fun actually]

    *7*52*5 makes 1.96*10^21. Oh, gee. This doesn't look too good. We're at it for 5 years and have only covered less than the fourth root of our total amount of keys. Even if we had 10 times the power it would make up only 1 percent of the keyspace. Sheesh. We'll probably be cheaper off in handing out Linux PCs to everyone on the planet.

    It's no use. I gotta start working on my next project: Finding an explicit function for prime numbers. Hehehe. I could use the Million from the Fields Medal too. :-)

    Bottom line: My question/assumption was lame. But at least I found out myself. :-)
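The brute-force estimate above, carried through in code as an added example that is not part of the comment: it reproduces the commenter's figures (250 machines at 50 billion tries per second for a 7*52-week year, and 255 values per key byte where the code defaults to 256) and generalizes to any key length, expressing the fleet's total work as an equivalent key size in bits. All machine counts and rates are the commenter's assumptions, not measurements.

```python
import math

SECONDS_PER_YEAR = 60 * 60 * 24 * 7 * 52  # the comment's 7*52-week year


def keyspace(key_bytes, alphabet=256):
    """Number of possible keys: 256 values per byte (the comment rounds to 255)."""
    return alphabet ** key_bytes


def keys_tried(machines, tries_per_sec, years):
    """Exact integer count of guesses a fleet makes in `years` of non-stop work."""
    return machines * tries_per_sec * SECONDS_PER_YEAR * years


def fraction_searched(key_bytes, machines, tries_per_sec, years, alphabet=256):
    """Share of the key space covered; success is expected at about half coverage."""
    return keys_tried(machines, tries_per_sec, years) / keyspace(key_bytes, alphabet)


def bits_searched(machines, tries_per_sec, years):
    """The fleet's work as a key length: it exhausts keys of this many bits."""
    return math.log2(keys_tried(machines, tries_per_sec, years))


def years_to_exhaust(key_bits, machines, tries_per_sec):
    """Years needed to try every key of a `key_bits`-bit cipher at the given rate."""
    return 2 ** key_bits / (machines * tries_per_sec * SECONDS_PER_YEAR)


if __name__ == "__main__":
    # Constructed scenario from the comment: 250 machines, 5e10 tries/s, 5 years.
    fleet = (250, 50_000_000_000)
    frac = fraction_searched(40, *fleet, 5, alphabet=255)
    print(f"40-byte key, 5 years: {frac:.2e} of the key space")
    print(f"ten times the fleet: {10 * frac:.2e} of the key space")
    print(f"work done in 5 years is equivalent to 2^{bits_searched(*fleet, 5):.1f}")
    print(f"exhausting a 128-bit key would take {years_to_exhaust(128, *fleet):.1e} years")
```

Five years of the commenter's fleet amounts to roughly 2^71 guesses, so even a 128-bit key is far beyond it; the 40-byte key space is about 10^75 times larger than the work done.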
