> -----Original Message-----
> From: Bruce Schneier [mailto:schneier@xxxxxxxxxxxx]
> Sent: Monday, October 15, 2007 8:08 AM
> To: CRYPTO-GRAM-LIST@xxxxxxxxxxxxxxxxxxxx
> Subject: CRYPTO-GRAM, October 15, 2007
> October 15, 2007
> The Storm Worm
> The Storm worm first appeared at the beginning of the year, hiding in
> e-mail attachments with the subject line: "230 dead as storm batters
> Europe." Those who opened the attachment became infected, their
> computers joining an ever-growing botnet.
> Although it's most commonly called a worm, Storm is really more: a worm,
> a Trojan horse and a bot all rolled into one. It's also the most
> successful example we have of a new breed of worm, and I've seen
> estimates that between 1 million and 50 million computers have been
> infected worldwide.
> Old-style worms -- Sasser, Slammer, Nimda -- were written by hackers
> looking for fame. They spread as quickly as possible (Slammer infected
> 75,000 computers in 10 minutes) and garnered a lot of notice in the
> process. The onslaught made it easier for security experts to detect the
> attack, but required a quick response by antivirus companies,
> and users hoping to contain it. Think of this type of worm as an
> infectious disease that shows immediate symptoms.
> Worms like Storm are written by hackers looking for profit, and they're
> different. These worms spread more subtly, without making noise.
> Symptoms don't appear immediately, and an infected computer can sit
> dormant for a long time. If it were a disease, it would be more like
> syphilis, whose symptoms may be mild or disappear altogether, but which
> will eventually come back years later and eat your brain.
> Storm represents the future of malware. Let's look at its behavior:
> 1. Storm is patient. A worm that attacks all the time is much easier to
> detect; a worm that attacks and then shuts off for a while hides much
> more easily.
> 2. Storm is designed like an ant colony, with separation of duties. Only
> a small fraction of infected hosts spread the worm. A much smaller
> fraction are C2: command-and-control servers. The rest stand by to
> receive orders. By only allowing a small number of hosts to propagate
> the virus and act as command-and-control servers, Storm is resilient
> against attack. Even if those hosts shut down, the network remains
> largely intact, and other hosts can take over those duties.
> 3. Storm doesn't cause any damage, or noticeable performance impact, to
> the hosts. Like a parasite, it needs its host to be intact and healthy
> for its own survival. This makes it harder to detect, because users and
> network administrators won't notice any abnormal behavior most of the time.
> 4. Rather than having all hosts communicate to a central server or set
> of servers, Storm uses a peer-to-peer network for C2. This makes the
> Storm botnet much harder to disable. The most common way to disable a
> botnet is to shut down the centralized control point. Storm doesn't have
> a centralized control point, and thus can't be shut down that way.
> This technique has other advantages, too. Companies that monitor net
> activity can detect traffic anomalies with a centralized C2 point, but
> distributed C2 doesn't show up as a spike. Communications are much
> harder to detect.
> One standard method of tracking root C2 servers is to put an infected
> host through a memory debugger and figure out where its orders are
> coming from. This won't work with Storm: An infected host may only know
> about a small fraction of infected hosts -- 25-30 at a time -- and those
> hosts are an unknown number of hops away from the primary C2 servers.
> And even if a C2 node is taken down, the system doesn't suffer. Like a
> hydra with many heads, Storm's C2 structure is distributed.
> 5. Not only are the C2 servers distributed, but they also hide behind a
> constantly changing DNS technique called "fast flux." So even if a
> compromised host is isolated and debugged, and a C2 server identified
> through the cloud, by that time it may no longer be active.
> 6. Storm's payload -- the code it uses to spread -- morphs every 30
> minutes or so, making typical AV (antivirus) and IDS techniques less
> 7. Storm's delivery mechanism also changes regularly. Storm started out
> as PDF spam, then its programmers started using e-cards and YouTube
> invites -- anything to entice users to click on a phony link. Storm also
> started posting blog-comment spam, again trying to trick viewers into
> clicking infected links. While these sorts of things are pretty standard
> worm tactics, it does highlight how Storm is constantly shifting at all
> 8. The Storm e-mail also changes all the time, leveraging social
> engineering techniques. There are always new subject lines and new
> enticing text: "A killer at 11, he's free at 21 and ...," "football
> tracking program" on NFL opening weekend, and major storm and warnings.
> Storm's programmers are very good at preying on human nature.
> 9. Last month, Storm began attacking anti-spam sites focused on
> identifying it -- spamhaus.org, 419eater and so on -- and the personal
> website of Joe Stewart, who published an analysis of Storm. I am
> reminded of a basic theory of war: Take out your enemy's
> Or a basic theory of urban gangs and some governments: Make sure others
> know not to mess with you.
> Not that we really have any idea how to mess with Storm. Storm has been
> around for almost a year, and the antivirus companies are pretty much
> powerless to do anything about it. Inoculating infected machines
> individually is simply not going to work, and I can't imagine forcing
> ISPs to quarantine infected hosts. A quarantine wouldn't work in any
> case: Storm's creators could easily design another worm -- and we know
> that users can't keep themselves from clicking on enticing attachments
> and links.
> Redesigning the Microsoft Windows operating system would work, but
> that's ridiculous to even suggest. Creating a counterworm would make a
> great piece of fiction, but it's a really bad idea in real life. We
> simply don't know how to stop Storm, except to find the people
> controlling it and arrest them.
> Unfortunately, we have no idea who controls Storm, although there's some
> speculation that they're Russian. The programmers are obviously very
> skilled, and they're continuing to work on their creation.
> Oddly enough, Storm isn't doing much, so far, except gathering strength.
> Aside from continuing to infect other Windows machines and attacking
> particular sites that are attacking it, Storm has only been implicated
> in some pump-and-dump stock scams. There are rumors that Storm is leased
> out to other criminal groups. Other than that, nothing.
> Personally, I'm worried about what Storm's creators are planning for
> Phase II.
> This essay originally appeared on Wired.com.
> or http://tinyurl.com/2xevsm
> or http://tinyurl.com/3ae6gt
> or http://tinyurl.com/2lq3xt
> or http://tinyurl.com/3bb4f5
> or http://tinyurl.com/33chht
> or http://tinyurl.com/2c6te7
> Fast flux:
> or http://tinyurl.com/2xwgln
> Storm's attacks:
> Stewart's analysis:
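Added example, not part of Schneier's essay or of the Storm analyses it links: a small heuristic that flags the "fast flux" behaviour described in point 5 from passive DNS observations, which is how a defender would notice a C2 domain whose addresses keep rotating. It assumes IPv4 answers and uses constructed sample records; the thresholds (distinct IPs, distinct /24 subnets, maximum TTL) are illustrative defaults, not values taken from the essay.

```python
"""Heuristic fast-flux detector over passive DNS observations.

Fast flux hides a C2 host behind a domain whose A records rotate constantly
with short TTLs across unrelated networks. Counting, per domain, the distinct
IPs and /24 subnets seen over repeated lookups (plus the TTL) exposes that.
All records below are constructed for illustration (RFC 5737 ranges).
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsObservation:
    domain: str
    ttl: int         # TTL in seconds reported with the answer
    answers: tuple   # IPv4 address strings returned for this lookup

# Constructed sample: a rotating domain, a static host, and a small CDN
# (short TTL but stable answers inside one range, so it must NOT be flagged).
OBSERVATIONS = [
    DnsObservation("example-flux.test", 300, ("198.51.100.7", "203.0.113.21", "192.0.2.44")),
    DnsObservation("example-flux.test", 300, ("203.0.113.90", "198.51.100.130", "192.0.2.201")),
    DnsObservation("example-flux.test", 180, ("192.0.2.9", "203.0.113.5", "198.51.100.66")),
    DnsObservation("static.example.test", 86400, ("192.0.2.10",)),
    DnsObservation("cdn.example.test", 60, ("192.0.2.20", "192.0.2.21")),
    DnsObservation("cdn.example.test", 60, ("192.0.2.20", "192.0.2.21")),
]

def flux_score(observations, domain):
    """Return (distinct IPs, distinct /24 subnets, minimum TTL) for a domain."""
    ips, subnets, ttls = set(), set(), []
    for obs in observations:
        if obs.domain != domain:
            continue
        ttls.append(obs.ttl)
        for ip in obs.answers:
            ips.add(ip)
            subnets.add(".".join(ip.split(".")[:3]))  # IPv4 /24 prefix
    if not ttls:
        raise ValueError(f"no observations for {domain}")
    return len(ips), len(subnets), min(ttls)

def is_fast_flux(observations, domain, min_ips=5, min_subnets=3, max_ttl=600):
    """Many IPs spread over several subnets with short TTLs reads as flux; an
    ordinary CDN or round-robin pool keeps short TTLs but stays in its own ranges."""
    n_ips, n_subnets, min_ttl = flux_score(observations, domain)
    return n_ips >= min_ips and n_subnets >= min_subnets and min_ttl <= max_ttl

def classify(observations):
    """Map every observed domain to its fast-flux verdict."""
    return {d: is_fast_flux(observations, d) for d in sorted({o.domain for o in observations})}
```

Real deployments feed this from a passive DNS log rather than a literal list and tune the thresholds against known CDNs to keep false positives down.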