John Robb has a hair raising post about a new generation of computer worm called the ‘Storm Worm’. “What makes it special”, he writes, is that “he Storm Worm’s method of operation is sophisticated, so much so, that it is nearly immune to defense, suppression, or eradication — demonstrated in that it has already infected up to 50 million computers and slaved them into a massive botnet”.
Scared yet? Wait: the best is still to come. Because “the really dangerous aspect of this isn’t the smart way the Storm Worm is operated, it’s what the network will be able to do once it activated”. Here’s a breakdown of what makes Storm Worm special, courtesy of Bruce Schneier (via Robb’s Global Guerrillas site):
- Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.
- Storm is designed like an ant colony, with a separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.
- Stealth. Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won’t notice any abnormal behavior most of the time.
- Distributed/resilient command and control. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn’t have a centralized control point, and thus can’t be shut down that way. This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn’t show up as a spike. Communications are much harder to detect.
- Rapid evolution. Storm’s payload — the code it uses to spread — morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective. Also, Storm’s delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites — anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels. The Storm e-mail also changes all the time, leveraging social engineering techniques. There are always new subject lines and new enticing text: “A killer at 11, he’s free at 21 and …,” “football tracking program” on NFL opening weekend, and major storm and hurricane warnings. Storm’s programmers are very good at preying on human nature.
- Retaliation. Last month, Storm began attacking anti-spam sites focused on identifying it — spamhaus.org, 419eater and so on — and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy’s reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.
