Since January of this year, various incarnations of what the media calls the Storm worm, and what antivirus vendors call Nuwar, have arrived on the Internet. Whatever you call it, the Storm worm is distinctive for being active, then lying quiet for weeks, only to return in some new variation. This week saw two surprising developments. One was a barrage of spam using MP3 files as attachments. The other development was that the command and control of the Storm worm botnet is being encrypted among specific peer-to-peer machines, perhaps a sign that the owners are planning to sell off pieces of the empire to others.
The Storm worm got its media name because it first appeared during a winter storm, hitting northern Europe as an e-mail offering the latest news and information. Since then, Nuwar, as it's known by major antivirus vendors (although, for some reason, Symantec calls it Peacomm), is basically just a clever vehicle for spewing spam and installing bots on infected machines worldwide. Over the summer there were several guesstimates that the Storm worm had infected more than 10 million computers worldwide and was using those infected computers as some sort of supercomputer. That turns out not to be true.
I asked Joe Stewart, senior security researcher at SecureComputing, for his opinion. "We think it's actually below 1,000,000 (infections)," he said. "Probably anywhere from 250,000 to 1,000,000, somewhere in that range, based on what we've seen." He said the Microsoft MSRC reported that its malicious software removal tool only cleaned about 300,000 infections. Still, having 100,000 infected machines is a considerable platform on which to build a profitable network of spam servers, which is what the Storm worm has done.
So what's new?
On the evening of October 17, 2007, Storm-infected PCs started sending out a new spam message with MP3 files as attachments. If you listen to the file (named beatles.MP3, elvis.MP3, or any of about 40 different titles), you won't get infected but will hear a poor-quality recording of a British woman's synthesized voice touting the latest pump and dump stock victim. In some cases, the recording is fast and, in some cases, the voice is slow. The different names and file sizes are all meant to confuse network administrators.
Corporate networks know to block PDF file e-mail attachments and, in some cases, even image and text file attachments. But they don't necessarily block MP3 files. Unlike the PDF files that Storm originally sent, these MP3 files are large, really large, meaning that this latest spam campaign is eating up both bandwidth and storage space.
But even bigger news is...
Computers infected with the Storm worm are part of a much larger network called a botnet. Botnets are controlled from a central source and are often used to relay spam messages. Originally the control was sent via an IRC server, but sys admins became adept at finding those and shutting them down. Today bot herders use peer-to-peer connections. This past week, Stewart found evidence that the Storm botnet is starting to divide into smaller segments; it's doing so by encrypting its C&C peer-to-peer traffic between specific hosts.
"Since the beginning, Storm has been using the Overnet peer-to-peer protocol in order to communicate. And, when it does this, it is basically sharing the Overnet with the other peer-to-peer clients that also use that protocol like eDonkey and Kademlia, and things like that." That makes it hard for sys admins to sort out what's legit and what's not. Stewart says, "What we saw in the most recent variant is, basically, it's still using the Overnet protocol but it's scrambling the packets as they go out."
Good and bad
For the bot herder, this can be good. "What it ends up doing is that only hosts that have that same key, with that same scrambled traffic, can talk to each other. And so they end up being segmented off now from the rest of the Overnet and they're just talking to themselves. And so, theoretically our Storm author could generate a new key for each variant and segment this off and have lots of little botnets that could only talk to each other."
And there is a market for this? Yes. Earlier this year, I spoke with Dr. Jose Nazario of ArborNetworks, who told me "Some of the folks renting botnets don't want the administrative overhead. Often, much more common, they're trying to establish a buffer between themselves and the actions that they've taken, whether it be spamming, DDoSing, or whatever. If you can anonymize (your attacks) through somebody else's botnet, fantastic."
Ultimately, it's a good thing for sys admins too
"What we'll be able to do now is be able to tell the difference between a host that is sending out this UDP traffic that is storm-infected and a node that is sending out UDP traffic because they're running a peer-to-peer client. Before, it was kind of hard for a network administrator to be able to tell the difference in that traffic and really know that they had any infected nodes on the network if it's just people using peer-to-peer."
Stewart also said, "The encryption's not really that big of a deal. It's weak encryption, it's nothing that can't be broken. But I don't think encryption for the sake of obfuscation is the point here, I think it's more for that segmentation, just making sure that only hosts that have that key talk to each other instead of relying on this one, big, monolithic botnet." Maybe now that we can identify that traffic, we can start cleaning up some of the Storm mess.
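Stewart's point is that the scrambled traffic is easier to pick out, not harder, because it no longer looks like the Overnet protocol it rides on. As an added illustration of that idea (not code from the article, SecureWorks, or any Storm analysis), the following Python triage script checks whether each UDP payload begins with the eDonkey/Overnet protocol marker byte and flags hosts whose peer-to-peer traffic mostly does not. The marker value 0xE3, the packet samples and the host addresses are assumptions and constructed data for the example.

```python
"""Triage heuristic: separate hosts sending plain Overnet-style UDP datagrams
(a legitimate peer-to-peer client) from hosts whose datagrams on the same
kind of flow carry a header that is not the Overnet protocol marker.

Example code; the marker byte, thresholds and sample packets are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: plain eDonkey/Overnet datagrams start with the protocol marker 0xE3.
OVERNET_MARKER = 0xE3


@dataclass(frozen=True)
class Datagram:
    src: str        # source host (constructed address)
    payload: bytes  # raw UDP payload


def classify(payload: bytes) -> str:
    """Label one payload by its first byte only; no decoding of the message."""
    if len(payload) < 2:
        return "short"
    if payload[0] == OVERNET_MARKER:
        return "overnet-plain"
    return "non-standard-header"


def suspicious_hosts(datagrams, min_packets=5, min_ratio=0.8):
    """Return {host: ratio} for hosts that sent at least min_packets datagrams
    of which a fraction >= min_ratio did not carry the Overnet marker."""
    counts = defaultdict(lambda: {"total": 0, "non_standard": 0})
    for d in datagrams:
        c = counts[d.src]
        c["total"] += 1
        if classify(d.payload) == "non-standard-header":
            c["non_standard"] += 1
    flagged = {}
    for host, c in counts.items():
        if c["total"] < min_packets:
            continue  # too little traffic to judge
        ratio = c["non_standard"] / c["total"]
        if ratio >= min_ratio:
            flagged[host] = round(ratio, 2)
    return flagged


# Constructed sample capture: 10.0.0.1 behaves like a normal Overnet client,
# 10.0.0.2 sends only non-marker payloads, 10.0.0.3 is mixed, 10.0.0.4 is
# below the packet threshold.
SAMPLE = (
    [Datagram("10.0.0.1", bytes([0xE3, 0x0C]) + bytes(20)) for _ in range(6)]
    + [Datagram("10.0.0.2", bytes([0x9A, 0x41, 0x77, 0x0B]) + bytes(18)) for _ in range(6)]
    + [Datagram("10.0.0.3", bytes([0xE3, 0x0E]) + bytes(20)) for _ in range(3)]
    + [Datagram("10.0.0.3", bytes([0x5C, 0x21]) + bytes(20)) for _ in range(3)]
    + [Datagram("10.0.0.4", bytes([0x5C, 0x21]) + bytes(20)) for _ in range(2)]
)


if __name__ == "__main__":
    for host, ratio in sorted(suspicious_hosts(SAMPLE).items()):
        print(f"{host}: {ratio:.0%} of peer-to-peer UDP datagrams lack the Overnet marker")
```

The check is deliberately shallow: it says nothing about what is inside the scrambled packets, only that a host is speaking something other than plain Overnet on a peer-to-peer flow. Any other UDP protocol on the same ports will trip it too, so in practice you would run it only over flows already selected by port or peer reputation and treat a hit as a reason to pull the host for inspection, not as proof of infection.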
To hear a copy of the Storm worm's MP3 file, and more of my interview with Joe Stewart, see this week's Security Bites podcast.
A botnet, PDF spam, now MP3 spam. What's next for the Storm worm? TalkBack to me.