Storm

     The botnet created by the Trojan Peacomm has been nicknamed Storm by researchers and is the most advanced type of botnet to date. "By some accounts, the malware has successfully created a massive botnet between one million and 10 million CPUs" (Dignan and McFetters, 2007). One of the most troubling aspects of Storm is that the sheer number of hosts involved in the botnet place the botnet in a position to leverage the computing power approaching that of a supercomputer.

By New Zealand computer scientist Peter Gutman’s calculations, the Storm Worm botnet 'may be the first time that a top 10 supercomputer has been controlled not by a government or mega-corporation but by criminals. ' The attackers have tied the spam lures to global news events, links to YouTube videos and online greeting cards. The sophisticated operation includes the use of fast-flux networks to avoid shutdowns, a rootkit component to hide from anti-virus scanners and a P2P command-and-control structure that makes it near impossible to kill the controlling server". (Naraine, 2007).

     Peer-to-peer (P2P) communication is a mode of communication between two hosts normally used for media file-sharing. This mode of communication uses encrypted channels, which makes identifying specific data streams next to impossible. Using P2P permits Storm to hide the C&C streams between the bots and the C&C servers as well as between the C&C servers and the bot-herders.

     Fast-flux networks use dynamic Domain Name Services (DNS), which means that the Internet Protocol (IP) address of a C&C server may change as often as an hour or less. Fast-flux networks enable Storm to frequently change C&C servers, making locating the C&C that much more difficult. The dynamic structure of the Storm botnet frequently changes C&C servers in a manner where any node peer could in fact be a C&C server. This is accomplished through the Overnet bootstrap protocol as explained by Enright (n.d.).

     This C&C structure is much more complex than the simple push/pull styles used by IRC-based botnets. In order to maintain connectivity with Overnet peers, the nodes must frequently reinitialize to rediscover their relative locations in the overall botnet. This function is illustrated in Figure 3: Maintaining Overnet Connectivity - Storm. "’They've built a very resilient infrastructure,’ says Dmitri Alperovitch, principal researcher at Secure Computing, ‘if one command server gets shut down, it moves to the next’" (Acohido and Swartz, 2008).

     One final disturbing characteristic of storm is that the developers of Trojan Peacomm showed some added cunning by designing retaliation mechanisms into the code. Researchers who get too close to locating the C&C servers or inner workings of the botnet find themselves targets of Storm. "New features of botnets created by the infamous Storm Worm allow denial of service attacks to be launched against security defenders that attempt to interrupt its operation" (Leyden, 2008).

     Somehow, Peacomm includes a trace back feature to identify hosts used in an attempt to discover the botnet. Reverse-engineering of the captured Trojan is beginning to enlighten the security community but the cyber-crime gang running Storm has managed to conceal the specific C&C structure from researchers.

References

Dignan, L., and McFeters, N. (2007). Storm worm botnet partitions
     for sale. ZDNet. Available from
     http://blogs.zdnet.com/security/?p=592.

Naraine, R. (2007). Storm worm botnet could be world’s most
     powerful supercomputer. ZDNet. Available from
     http://blogs.zdnet.com/security/?p=493&tag=rbxccnbzd1.