The Gathering Storm

Topic: Science > Prophecies-Of-Nostradamus
User: "Pers3id"
Date: 20 Oct 2007 10:35:36 PM
Object: The Gathering Storm
Be careful what you click on boys and girls, and update your security
patches early and often; put your browser temporary files onto a ram drive
and then reboot after you do any online banking or purchases. Disable
scripting in your email program.
http://www.wired.com/politics/security/commentary/securitymatters/2007/10/securitymatters_1004
http://tinyurl.com/2xevsm
Gathering 'Storm' Superworm Poses Grave Threat to PC Nets
Bruce Schneier 10.04.07 | 12:00 AM
The Storm worm first appeared at the beginning of the year, hiding in
e-mail attachments with the subject line: "230 dead as storm batters
Europe." Those who opened the attachment became infected, their computers
joining an ever-growing botnet.
Although it's most commonly called a worm, Storm is really more: a worm,
a Trojan horse and a bot all rolled into one. It's also the most
successful example we have of a new breed of worm, and I've seen
estimates that between 1 million and 50 million computers have been
infected worldwide.
Old style worms -- Sasser, Slammer, Nimda -- were written by hackers
looking for fame. They spread as quickly as possible (Slammer infected
75,000 computers in 10 minutes) and garnered a lot of notice in the
process. The onslaught made it easier for security experts to detect the
attack, but required a quick response by antivirus companies, sysadmins
and users hoping to contain it. Think of this type of worm as an
infectious disease that shows immediate symptoms.
Worms like Storm are written by hackers looking for profit, and they're
different. These worms spread more subtly, without making noise. Symptoms
don't appear immediately, and an infected computer can sit dormant for a
long time. If it were a disease, it would be more like syphilis, whose
symptoms may be mild or disappear altogether, but which will eventually
come back years later and eat your brain.
Storm represents the future of malware. Let's look at its behavior:
Storm is patient. A worm that attacks all the time is much easier to
detect; a worm that attacks and then shuts off for a while hides much
more easily.
Storm is designed like an ant colony, with separation of duties. Only a
small fraction of infected hosts spread the worm. A much smaller fraction
are C2: command-and-control servers. The rest stand by to receive orders.
By only allowing a small number of hosts to propagate the virus and act
as command-and-control servers, Storm is resilient against attack. Even
if those hosts shut down, the network remains largely intact, and other
hosts can take over those duties.
Storm doesn't cause any damage, or noticeable performance impact, to the
hosts. Like a parasite, it needs its host to be intact and healthy for its
own survival. This makes it harder to detect, because users and network
administrators won't notice any abnormal behavior most of the time.
Rather than having all hosts communicate to a central server or set of
servers, Storm uses a peer-to-peer network for C2. This makes the Storm
botnet much harder to disable. The most common way to disable a botnet is
to shut down the centralized control point. Storm doesn't have a
centralized control point, and thus can't be shut down that way.
This technique has other advantages, too. Companies that monitor net
activity can detect traffic anomalies with a centralized C2 point, but
distributed C2 doesn't show up as a spike. Communications are much
harder to detect.
One standard method of tracking root C2 servers is to put an infected host
through a memory debugger and figure out where its orders are coming from.
This won't work with Storm: An infected host may only know about a small
fraction of infected hosts -- 25-30 at a time -- and those hosts are an
unknown number of hops away from the primary C2 servers.
And even if a C2 node is taken down, the system doesn't suffer. Like a
hydra with many heads, Storm's C2 structure is distributed.
Not only are the C2 servers distributed, but they also hide behind a
constantly changing DNS technique called "fast flux." So even if a
compromised host is isolated and debugged, and a C2 server identified
through the cloud, by that time it may no longer be active.
Storm's payload -- the code it uses to spread -- morphs every 30 minutes
or so, making typical AV (antivirus) and IDS techniques less effective.
Storm's delivery mechanism also changes regularly. Storm started out as
PDF spam, then its programmers started using e-cards and YouTube invites
-- anything to entice users to click on a phony link. Storm also started
posting blog-comment spam, again trying to trick viewers into clicking
infected links. While these sorts of things are pretty standard worm
tactics, they do highlight how Storm is constantly shifting at all levels.
The Storm e-mail also changes all the time, leveraging social engineering
techniques. There are always new subject lines and new enticing text: "A
killer at 11, he's free at 21 and ...," "football tracking program" on NFL
opening weekend, and major storm and hurricane warnings. Storm's
programmers are very good at preying on human nature.
Last month, Storm began attacking anti-spam sites focused on identifying it
-- spamhaus.org, 419eater and so on -- and the personal website of Joe
Stewart, who published an analysis of Storm. I am reminded of a basic
theory of war: Take out your enemy's reconnaissance. Or a basic theory of
urban gangs and some governments: Make sure others know not to mess with
you.
Not that we really have any idea how to mess with Storm. Storm has been
around for almost a year, and the antivirus companies are pretty much
powerless to do anything about it. Inoculating infected machines
individually is simply not going to work, and I can't imagine forcing
ISPs to quarantine infected hosts. A quarantine wouldn't work in any case:
Storm's creators could easily design another worm -- and we know that
users can't keep themselves from clicking on enticing attachments and
links.
Redesigning the Microsoft Windows operating system would work, but that's
ridiculous to even suggest. Creating a counterworm would make a great
piece of fiction, but it's a really bad idea in real life. We simply don't
know how to stop Storm, except to find the people controlling it and arrest
them.
Unfortunately we have no idea who controls Storm, although there's some
speculation that they're Russian. The programmers are obviously very
skilled, and they're continuing to work on their creation.
Oddly enough, Storm isn't doing much, so far, except gathering strength.
Aside from continuing to infect other Windows machines and attacking
particular sites that are attacking it, Storm has only been implicated in
some pump-and-dump stock scams. There are rumors that Storm is leased out
to other criminal groups. Other than that, nothing.
Personally, I'm worried about what Storm's creators are planning for Phase
II.
- - -
Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World and Applied Cryptography.
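The article above describes Storm's command-and-control servers hiding behind "fast flux" DNS: a name that keeps resolving to a changing set of compromised hosts with very short TTLs. The following is an added example, not part of the quoted article or of the original post, showing the kind of heuristic a network defender could run over observed DNS answers to tell a fluxing name from a low-TTL but stable CDN name. The lookup records are constructed sample data, and the thresholds (FLUX_MAX_TTL, FLUX_MIN_IPS, FLUX_MIN_PREFIXES) are assumed illustrative values, not figures from the article.

```python
"""Fast-flux heuristic over constructed DNS resolution records (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Lookup:
    """One observed DNS answer: queried name, answer TTL, and the A records returned."""
    domain: str
    ttl: int
    ips: Tuple[str, ...]


@dataclass
class DomainStats:
    """Aggregate view of every answer seen for one name."""
    lookups: int = 0
    ips: Set[str] = field(default_factory=set)          # distinct addresses ever returned
    prefixes: Set[str] = field(default_factory=set)     # distinct /24 networks those addresses fall in
    min_ttl: int = 2 ** 31                               # shortest TTL seen
    returned_after_first: int = 0                        # addresses returned in lookups 2..n
    new_after_first: int = 0                             # of those, how many were never seen before


# Assumed thresholds for illustration (not from the article): short TTL, many addresses,
# spread across many networks. Tune against your own resolver logs.
FLUX_MAX_TTL = 300
FLUX_MIN_IPS = 10
FLUX_MIN_PREFIXES = 5
FLUX_MIN_CHURN = 0.5

# Constructed sample data (not real resolutions). The fluxing name hands out a fresh set of
# five addresses from five different /24s on every query; the CDN-style name is low-TTL but
# returns the same eight addresses from two /24s each time; the static name never changes.
SAMPLE_LOOKUPS: List[Lookup] = (
    [Lookup("flux-example.test", 60,
            tuple(f"{100 + q}.{20 + a}.{q}.{a + 1}" for a in range(5)))
     for q in range(6)]
    + [Lookup("cdn-example.test", 60,
              tuple(f"203.0.113.{10 + a}" for a in range(4))
              + tuple(f"198.51.100.{10 + a}" for a in range(4)))
       for _ in range(6)]
    + [Lookup("static-example.test", 86400, ("192.0.2.10",)) for _ in range(6)]
)


def summarize(lookups: Iterable[Lookup]) -> Dict[str, DomainStats]:
    """Fold a stream of answers into per-domain statistics, in observation order."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for lk in lookups:
        s = stats[lk.domain]
        s.lookups += 1
        s.min_ttl = min(s.min_ttl, lk.ttl)
        for ip in lk.ips:
            is_new = ip not in s.ips
            if s.lookups > 1:
                s.returned_after_first += 1
                s.new_after_first += int(is_new)
            s.ips.add(ip)
            # strict=False lets us derive the enclosing /24 from a host address
            s.prefixes.add(str(ip_network(f"{ip}/24", strict=False)))
    return dict(stats)


def churn(s: DomainStats) -> float:
    """Fraction of addresses in follow-up answers that had never been seen before.
    A fluxing name approaches 1.0; a stable name with a short TTL stays near 0.0."""
    if s.returned_after_first == 0:
        return 0.0
    return s.new_after_first / s.returned_after_first


def is_fast_flux(s: DomainStats) -> bool:
    """All four signals together: short TTL, many IPs, many networks, high churn."""
    return (
        s.min_ttl <= FLUX_MAX_TTL
        and len(s.ips) >= FLUX_MIN_IPS
        and len(s.prefixes) >= FLUX_MIN_PREFIXES
        and churn(s) >= FLUX_MIN_CHURN
    )


def classify(lookups: Iterable[Lookup]) -> Dict[str, bool]:
    """Map each observed name to whether it looks like a fast-flux name."""
    return {domain: is_fast_flux(s) for domain, s in summarize(lookups).items()}


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE_LOOKUPS).items():
        print(f"{domain:22s} ttl={s.min_ttl:6d} ips={len(s.ips):3d} "
              f"/24s={len(s.prefixes):3d} churn={churn(s):.2f} flux={is_fast_flux(s)}")
```

The churn measure is what separates flux from a CDN: both answer with short TTLs and several addresses, but a CDN keeps returning the same pool while a flux name rotates through its herd of infected hosts. A real deployment would feed this from passive DNS or resolver logs and would also look at the autonomous systems the addresses belong to, which the article's "constantly changing" description implies but which needs data the example does not include.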
