Podcast: Crypto-Gram 15 October 2007: Storm ~ the future of malware.
from the Oct 15, 2007 Crypto-Gram Newsletter
by Bruce Schneier
* The Storm Worm
The Storm worm first appeared at the beginning of the year, hiding in e-mail attachments with the subject line: "230 dead as storm batters Europe." Those who opened the attachment became infected, their computers joining an ever-growing botnet.
It is really more: a worm, a Trojan horse and a bot all rolled into one. It's also the most successful example we have of a new breed of worm.
It is written by hackers looking for profit, and they're different. These worms spread more subtly, without making noise. Symptoms don't appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.
Storm represents the future of malware. Let's look at its behavior:
1. Storm is patient.
2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders.
3. Storm doesn't cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect.
4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn't have a centralized control point, and thus can't be shut down that way.
This technique has other advantages, too: but distributed C2 doesn't show up as a spike. Communications are much harder to detect.
One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won't work with Storm: An infected host may only know about a small fraction of infected hosts -- 25-30 at a time -- and those hosts are an unknown number of hops away from the primary C2 servers.
5. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called "fast flux."
6. Storm's payload -- the code it uses to spread -- morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.
7. Storm's delivery mechanism also changes regularly.
8. The Storm e-mail also changes all the time, leveraging social engineering techniques.
9. Last month, Storm began attacking anti-spam sites focused on identifying it. I am reminded of a basic theory of war: Take out your enemy's reconnaissance.
Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it.
Oddly enough, Storm isn't doing much, so far, except gathering strength.Personally, I'm worried about what Storm's creators are planning for Phase II.
* Anonymity and the Tor Network
by joining Tor you join a network of computers around the world that pass Internet traffic randomly amongst each other before sending it out to wherever it is going.
It's called "onion routing," and it was first developed at the Naval Research Laboratory. The communications between Tor nodes are encrypted in a layered protocol -- hence the onion analogy -- but the traffic that leaves the Tor network is in the clear. It has to be.
Tor anonymizes, nothing more.
length: 19:26
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0710.html
by Bruce Schneier
* The Storm Worm
The Storm worm first appeared at the beginning of the year, hiding in e-mail attachments with the subject line: "230 dead as storm batters Europe." Those who opened the attachment became infected, their computers joining an ever-growing botnet.
It is really more: a worm, a Trojan horse and a bot all rolled into one. It's also the most successful example we have of a new breed of worm.
It is written by hackers looking for profit, and they're different. These worms spread more subtly, without making noise. Symptoms don't appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.
Storm represents the future of malware. Let's look at its behavior:
1. Storm is patient.
2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders.
3. Storm doesn't cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect.
4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn't have a centralized control point, and thus can't be shut down that way.
This technique has other advantages, too: but distributed C2 doesn't show up as a spike. Communications are much harder to detect.
One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won't work with Storm: An infected host may only know about a small fraction of infected hosts -- 25-30 at a time -- and those hosts are an unknown number of hops away from the primary C2 servers.
5. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called "fast flux."
6. Storm's payload -- the code it uses to spread -- morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.
7. Storm's delivery mechanism also changes regularly.
8. The Storm e-mail also changes all the time, leveraging social engineering techniques.
9. Last month, Storm began attacking anti-spam sites focused on identifying it. I am reminded of a basic theory of war: Take out your enemy's reconnaissance.
Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it.
Oddly enough, Storm isn't doing much, so far, except gathering strength.Personally, I'm worried about what Storm's creators are planning for Phase II.
* Anonymity and the Tor Network
by joining Tor you join a network of computers around the world that pass Internet traffic randomly amongst each other before sending it out to wherever it is going.
It's called "onion routing," and it was first developed at the Naval Research Laboratory. The communications between Tor nodes are encrypted in a layered protocol -- hence the onion analogy -- but the traffic that leaves the Tor network is in the clear. It has to be.
Tor anonymizes, nothing more.
length: 19:26
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0710.html
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home