Looking inside the Storm worm botnet
Venerable botnet encrypts its command codes using the current date.
LAS VEGAS--On Wednesday, Joe Stewart, director of malware research for SecureWorks, presented his work on protocols and encryption used by the Storm worm botnet at Black Hat 2008.
He said as far as botnets go, Storm is not particularly sophisticated, nor is it our No. 1 threat. Yet while other botnets come and go, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.
None of this surprising, it's just handled well.
In explaining Storm worm's resiliency compared to newer and sleeker botnets, Stewart looked at the encryption used within the commands sent from the command and control server. He said the compression or packing code changes so often in order to thwart antivirus signature files.
Storm uses P2P to communicate with its various nodes and supernodes throughout the Internet. He said because of that, it has to contend with bogus media files being sent via P2P and researchers such as himself attempting man-in-the-middle attacks to see what the commands might be. To handle that, Storm has started using 64-bit RSA encryption based, in part, on the date.
Joe Stewart talks about what botnet code is available and what can be found within it.