Storm Botnet Kits Loom on the Horizon

The massive Storm worm botnet is being segmented into smaller, more nimble networks of zombie PCs through the use of 40-byte encryption.

The Storm Worm botnet is now using 40-byte encryption on traffic running with the Overnet peer-to-peer protocol—a weak encryption scheme but one that allows a malware author to segment the botnet into smaller networks that soon may show up as turnkey spam botnets for sale in malware forums.

"It is [pretty weak encryption]. I dont think the point was to make [the botnets activity stealthier] or harder to crack. I think the idea was to segment out the network" in order to sell off Storm variants, SecureWorks Senior Security Researcher Joe Stewart told eWEEK in an interview.

If Storm does indeed enter the malware market in a ready-to-use botnet-making spam kit, the result could be a sharp rise in Storm infections, security researchers predict.

The scope of the Storm botnet, made up of zombie computers controlled remotely and used to blanket the world in spam, has been estimated to reach from 1 million to 50 million infected systems as of September. The botnet was first spotted in January, when the Storm worm accounted for some 8 percent of all infections on Windows computers. Atlanta-based SecureWorks is tracking one botnet that uses the 40-byte encryption and said it might well be a test to determine whether segmenting will work as expected.


Click here to read more about spam and the Storm worm.

The use of encryption means that each node in the botnet is only able to communicate with nodes that are using the same key. New variants of the worm can be run on a separate network on which only those nodes can talk. Segmenting the whole Storm botnet down into smaller networks is a trivial matter of merely changing the key and re-releasing the variant, Stewart said.

There are a few possible reasons that the author of the Storm botnet would choose to do so. One purpose would be to sell off Trojan variants to other criminals who are interested in a turnkey spamming platform. By compiling each botnet with a different key, the malware author can produce a personalized Storm botnet to sell to each group or individual.

Another reason to use encryption could be to carve up the massive Storm botnet simply in order to make it more scalable, with the addition of more centralized C&C (command and control) networks from which to issue orders and a reduced load on the central server, Stewart said.

Botnet use of encryption over P2P isnt new—it was first spotted a few years ago. And 40-byte encryption is fairly simple encryption. Even if it were stronger, Stewart said, researchers could get the encryption key by reversing the binary of whichever Storm variant theyre researching, given that each variant has a hard-coded 40-byte encryption key. "If you know what youre doing, you can reverse-engineer" the code to retrieve the encryption key, he said.

On one level, even the weak encryption now being spotted in use by Storm variant botnets makes it harder to track down infected bots. "Its harder to see into the packets and figure out where traffic is going," Stewart said.

But on another level it makes it easier, given that security workers can now easily differentiate Storm nodes talking to each other from normal P2P sharing sessions. Prior to the botnets recent use of encryption, differentiating normal P2P sessions from botnet chatter required a substantial amount of knowledge about algorithms, Stewart said. "The casual observer looking at network packets, such as a network administrator, wouldnt be able to tell" the difference, he said.

Regardless of how easy it is to track Storm botnet traffic or to crack its encryption, the Storm botnet has other tricks up its sleeve that make it tough to take down. For one, its using fast-flux DNS (Domain Name System), a technique that enables each node to act as both a DNS server and a Web server so as to host content. Storm doesnt always use fast flux, but at this point in the worms evolution, the capability is built in.

However, the spamming activity the Storm botnet is currently being used for means that no Web site is needed, Stewart said. Currently, the Storm botnet is used for stock pump-and-dump spam. SecureWorks hasnt seen the subject matter of the spam change and is in fact waiting for it to do so, he said, given that if it starts carrying new types of spam that could be proof that its been sold in variant form.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.