-Caveat Lector-
Begin forwarded message:
From: palcat <[EMAIL PROTECTED]>
Date: October 8, 2007 1:58:54 AM PDT
To: [EMAIL PROTECTED]
Subject: [cia-drugs] Insidious new trojan worm/bot "Storm"
Reply-To: [EMAIL PROTECTED]
If this is for real, it's pretty scary.
http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
Schneier on Security
October 04, 2007
The Storm Worm
The Storm worm first appeared at the beginning of the year, hiding
in e-mail attachments with the subject line: "230 dead as storm
batters Europe." Those who opened the attachment became infected,
their computers joining an ever-growing botnet.
Although it's most commonly called a worm, Storm is really more: a
worm, a Trojan horse and a bot all rolled into one. It's also the
most successful example we have of a new breed of worm, and I've
seen estimates that between 1 million and 50 million computers have
been infected worldwide.
Old style worms -- Sasser, Slammer, Nimda -- were written by
hackers looking for fame. They spread as quickly as possible
(Slammer infected 75,000 computers in 10 minutes) and garnered a
lot of notice in the process. The onslaught made it easier for
security experts to detect the attack, but required a quick
response by antivirus companies, sysadmins and users hoping to
contain it. Think of this type of worm as an infectious disease
that shows immediate symptoms.
Worms like Storm are written by hackers looking for profit, and
they're different. These worms spread more subtly, without making
noise. Symptoms don't appear immediately, and an infected computer
can sit dormant for a long time. If it were a disease, it would be
more like syphilis, whose symptoms may be mild or disappear
altogether, but which will eventually come back years later and eat
your brain.
Storm represents the future of malware. Let's look at its behavior:
Storm is patient. A worm that attacks all the time is much easier
to detect; a worm that attacks and then shuts off for a while hides
much more easily.
Storm is designed like an ant colony, with separation of duties.
Only a small fraction of infected hosts spread the worm. A much
smaller fraction are C2: command-and-control servers. The rest
stand by to receive orders. By only allowing a small number of
hosts to propagate the virus and act as command-and-control
servers, Storm is resilient against attack. Even if those hosts
shut down, the network remains largely intact, and other hosts can
take over those duties.
Storm doesn't cause any damage, or noticeable performance impact,
to the hosts. Like a parasite, it needs its host to be intact and
healthy for its own survival. This makes it harder to detect,
because users and network administrators won't notice any abnormal
behavior most of the time.
Rather than having all hosts communicate to a central server or set
of servers, Storm uses a peer-to-peer network for C2. This makes
the Storm botnet much harder to disable. The most common way to
disable a botnet is to shut down the centralized control point.
Storm doesn't have a centralized control point, and thus can't be
shut down that way.
This technique has other advantages, too. Companies that monitor
net activity can detect traffic anomalies with a centralized C2
point, but distributed C2 doesn't show up as a spike.
Communications are much harder to detect.
One standard method of tracking root C2 servers is to put an
infected host through a memory debugger and figure out where its
orders are coming from. This won't work with Storm: An infected
host may only know about a small fraction of infected hosts --
25-30 at a time -- and those hosts are an unknown number of hops
away from the primary C2 servers.
And even if a C2 node is taken down, the system doesn't suffer.
Like a hydra with many heads, Storm's C2 structure is distributed.
Not only are the C2 servers distributed, but they also hide behind
a constantly changing DNS technique called "fast flux." So even if
a compromised host is isolated and debugged, and a C2 server
identified through the cloud, by that time it may no longer be active.
Storm's payload -- the code it uses to spread -- morphs every 30
minutes or so, making typical AV (antivirus) and IDS techniques
less effective.
Storm's delivery mechanism also changes regularly. Storm started
out as PDF spam, then its programmers started using e-cards and
YouTube invites -- anything to entice users to click on a phony
link. Storm also started posting blog-comment spam, again trying to
trick viewers into clicking infected links. While these sorts of
things are pretty standard worm tactics, they do highlight how
Storm is constantly shifting at all levels.
The Storm e-mail also changes all the time, leveraging social
engineering techniques. There are always new subject lines and new
enticing text: "A killer at 11, he's free at 21 and ...," "football
tracking program" on NFL opening weekend, and major storm and
hurricane warnings. Storm's programmers are very good at preying on
human nature.
Last month, Storm began attacking anti-spam sites focused on
identifying it -- spamhaus.org, 419eater and so on -- and the
personal website of Joe Stewart, who published an analysis of
Storm. I am reminded of a basic theory of war: Take out your
enemy's reconnaissance. Or a basic theory of urban gangs and some
governments: Make sure others know not to mess with you.
Not that we really have any idea how to mess with Storm. Storm has
been around for almost a year, and the antivirus companies are
pretty much powerless to do anything about it. Inoculating infected
machines individually is simply not going to work, and I can't
imagine forcing ISPs to quarantine infected hosts. A quarantine
wouldn't work in any case: Storm's creators could easily design
another worm -- and we know that users can't keep themselves from
clicking on enticing attachments and links.
Redesigning the Microsoft Windows operating system would work, but
that's ridiculous to even suggest. Creating a counterworm would
make a great piece of fiction, but it's a really bad idea in real
life. We simply don't know how to stop Storm, except to find the
people controlling it and arrest them.
Unfortunately we have no idea who controls Storm, although there's
some speculation that they're Russian. The programmers are
obviously very skilled, and they're continuing to work on their
creation.
Oddly enough, Storm isn't doing much, so far, except gathering
strength. Aside from continuing to infect other Windows machines
and attacking particular sites that are attacking it, Storm has
only been implicated in some pump-and-dump stock scams. There are
rumors that Storm is leased out to other criminal groups. Other
than that, nothing.
Personally, I'm worried about what Storm's creators are planning
for Phase II.
This essay originally appeared on Wired.com.
Posted on October 04, 2007 at 06:00 AM
http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
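The essay above mentions that Storm's C2 servers hide behind "fast flux" DNS: a name that keeps resolving to a short-lived, rapidly changing set of compromised hosts. The following added example (not from the essay or the forwarded post) shows the defender's side, a heuristic that scores a domain's observed DNS answer history on the three signals fast flux leaves: very low TTLs, answers scattered across many unrelated networks, and high churn between successive answers. The lookup records, the 10.x.y.z addresses and the thresholds are all constructed assumptions for illustration.

```python
# Heuristic fast-flux detector over a domain's observed A-record answers.
# All sample data and thresholds below are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Lookup:
    """One observed DNS answer: its TTL and the IPs it contained."""
    ttl: int
    ips: list[str]


def flux_features(lookups: list[Lookup]) -> dict:
    """Summarise a domain's answer history into the signals fast flux leaves."""
    all_ips = {ip for lk in lookups for ip in lk.ips}
    # Distinct /16 prefixes approximate network diversity: a proxy layer of
    # hijacked home machines scatters across many networks, while a CDN's
    # pool tends to sit in a few blocks the operator owns.
    prefixes = {int(IPv4Address(ip)) >> 16 for ip in all_ips}
    # Churn: fraction of each answer's IPs that were absent from the previous answer.
    churn = []
    for prev, cur in zip(lookups, lookups[1:]):
        churn.append(len(set(cur.ips) - set(prev.ips)) / len(cur.ips))
    return {
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(lk.ttl for lk in lookups),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
    }


def is_fast_flux(lookups: list[Lookup], max_ttl=300, min_prefixes=5, min_churn=0.5) -> bool:
    """Flag a domain whose answers are short-lived, network-diverse and churning."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= max_ttl and f["distinct_prefixes"] >= min_prefixes
            and f["mean_churn"] >= min_churn)


# Constructed history of a flux domain: 60 s TTL, almost every IP replaced each time.
FLUX_DOMAIN = [
    Lookup(60, ["10.1.0.1", "10.2.0.1", "10.3.0.1", "10.4.0.1", "10.5.0.1"]),
    Lookup(60, ["10.6.0.1", "10.7.0.1", "10.8.0.1", "10.9.0.1", "10.1.0.1"]),
    Lookup(60, ["10.10.0.1", "10.11.0.1", "10.12.0.1", "10.13.0.1", "10.6.0.1"]),
    Lookup(60, ["10.14.0.1", "10.15.0.1", "10.16.0.1", "10.17.0.1", "10.10.0.1"]),
]
# Constructed CDN-like history: low TTL too, but two stable networks and mild churn.
CDN_DOMAIN = [
    Lookup(30, ["10.50.0.1", "10.50.0.2", "10.51.0.1"]),
    Lookup(30, ["10.50.0.2", "10.50.0.3", "10.51.0.1"]),
    Lookup(30, ["10.50.0.1", "10.50.0.2", "10.51.0.2"]),
    Lookup(30, ["10.50.0.1", "10.50.0.2", "10.51.0.1"]),
]
```

Low TTL alone is not evidence, which is why the CDN-like history stays unflagged; in production the /16 proxy would be replaced by ASN lookups and the thresholds tuned against known-good traffic.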
Complete archives at http://www.sitbot.net/
Please let us stay on topic and be civil.
OM
www.ctrl.org
DECLARATION & DISCLAIMER
==========
CTRL is a discussion & informational exchange list. Proselytizing propagandic
screeds are unwelcomed. Substance -- not soap-boxing -- please! These are
sordid matters and 'conspiracy theory' -- with its many half-truths,
misdirections and outright frauds -- is used politically by different groups with
major and minor effects spread throughout the spectrum of time and thought.
That being said, CTRL gives no endorsement to the validity of posts, and
always suggests to readers: be wary of what you read. CTRL gives no
credence to Holocaust denial and Nazis need not apply.
Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://www.mail-archive.com/ctrl@listserv.aol.com/
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]
To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]
Om