
Spam system for rent...
By Tom Espiner
Published: 17 October 2007 08:17 BST
The owners of the Storm botnet, whose identities are as yet unknown, could be preparing to sell off the "services" of segments of the network, according to Joe Stewart, a researcher from managed security services company SecureWorks.
Stewart has claimed in a blog post that the latest Storm variants now use a 40-byte key to encrypt their peer-to-peer traffic, meaning each node will only be able to communicate with nodes that use the same key.
He wrote: "This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that's the case, we might see a lot more of Storm in the future."
Fast-flux service networks are networks of compromised computer systems with public DNS records that are constantly changing, making it more difficult to track and control criminal activities, according to the Honeynet Project Research Alliance, a forum of honeypot research organisations. A honeypot is a system, often undefended, set up as a trap for attackers.
Stewart said the good news is security researchers can now distinguish encrypted Storm traffic from legitimate peer-to-peer traffic, making it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow peer-to-peer traffic.
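As an added illustration of the two points above (a per-segment 40-byte key that lets only same-key nodes talk to each other, and the resulting detectability of keyed traffic on a port where plaintext peer-to-peer is expected), the following Python model is not Stewart's code or Storm's protocol: the toy stream cipher, the plaintext message format, the sample keys and the entropy threshold are all constructed stand-ins.

```python
import hashlib
import math
from collections import Counter

KEY_LEN = 40  # the article reports a 40-byte per-segment key


def toy_keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy keyed stream cipher modelling 'encrypted with a segment key'
    (assumption: the page does not describe Storm's real scheme).
    XOR is its own inverse, so one call both encrypts and decrypts."""
    assert len(key) == KEY_LEN
    out = bytearray()
    for i, b in enumerate(data):
        if i % 32 == 0:  # fresh 32-byte keystream block from SHA-256
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def p2p_message(opcode: int, body: bytes) -> bytes:
    """Constructed stand-in for a plaintext P2P message (not a real protocol):
    3-byte marker, 1-byte opcode, 2-byte body length, body."""
    return b"P2P" + bytes([opcode]) + len(body).to_bytes(2, "big") + body


def parses_as_p2p(pkt: bytes) -> bool:
    return (pkt[:3] == b"P2P" and len(pkt) >= 6
            and int.from_bytes(pkt[4:6], "big") == len(pkt) - 6)


def entropy_bits_per_byte(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_packet(pkt: bytes) -> str:
    """Defender-side check: structured plaintext messages pass; blobs that fit
    no message format and look random are flagged (threshold is an assumption)."""
    if parses_as_p2p(pkt):
        return "plaintext-p2p"
    if len(pkt) >= 128 and entropy_bits_per_byte(pkt) > 6.0:
        return "suspect-keyed-p2p"
    return "unclassified"


def peer_accepts(peer_key: bytes, wire_pkt: bytes) -> bool:
    """A node only 'understands' traffic keyed with its own segment key,
    which is what partitions the network into same-key segments."""
    return parses_as_p2p(toy_keystream_xor(peer_key, wire_pkt))


# Constructed sample data: two segment keys and one search-style message.
KEY_SEGMENT_A = bytes(range(40))
KEY_SEGMENT_B = bytes(range(40, 80))
SAMPLE_MSG = p2p_message(0x10, b"find-peer:" + b"\x00" * 250)
WIRE_A = toy_keystream_xor(KEY_SEGMENT_A, SAMPLE_MSG)
```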
Antivirus vendor Sophos agreed that Stewart's analysis of the use of encryption to segment the Storm network for the purposes of resale is "probably correct".
Graham Cluley, senior technology consultant at Sophos, said: "Storm's use of encrypted traffic is an interesting feature which has raised eyebrows in our lab. Its most likely use is for the cyber criminals to lease out portions of the network for misuse. It wouldn't be a surprise if the network was used for spamming, distributed denial of service attacks, and other malicious activities."
The Storm botnet was initially created at the beginning of 2007 when the Storm Worm was spammed out, hiding in email attachments with a subject line of "230 dead as storm batters Europe".
While it has continued to grow since then, it is difficult to gauge its true size as a large percentage of the infected machines are on 'stand-by', according to security expert Bruce Schneier.
At the beginning of October, Schneier wrote in a blog post that he was worried about what Storm's creators had in store for Phase II of the botnet. "Oddly enough, Storm isn't doing much, so far, except gathering strength," he wrote, adding: "Aside from continuing to infect other Windows machines and attacking particular sites that are attacking it, Storm has only been implicated in some pump-and-dump stock scams. There are rumours that Storm is leased out to other criminal groups. Other than that, nothing."
Schneier wrote that the Storm botnet's authors had quietly been building up its strength: small portions of the botnet attack other computers, the newly infected machines then lie dormant, and a yet smaller fraction of the botnet controls the compromised computers.
He wrote: "Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties."
Tom Espiner writes for ZDNet UK
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.