
Thursday, August 7, 2008

Black Hat - Looking inside the Storm worm botnet


Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated. Besides hijacking web browsers, attackers might target email services and spam filters, FTP, rsync, BitTorrent, Telnet, SSH, and SSL services. Ultimately it is not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype. For more information, see Kaminsky's PowerPoint presentation.

On Wednesday, Joe Stewart, Director of Malware Research for SecureWorks, presented his work on protocols and encryption used by the Storm worm botnet at Black Hat 2008.

He said that, as far as botnets go, Storm is neither particularly sophisticated nor our number one threat. Yet while other botnets come and go, Storm remains remarkably resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes and, once installed, the bot uses fast flux to rotate the IP addresses of its command-and-control servers.
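Fast flux, mentioned above, is visible from the resolver side: a domain answers with short TTLs and cycles through many addresses spread across unrelated networks. The following is an added example (not code from the talk, from SecureWorks, or from this blog) that scores constructed DNS observations with exactly those features. The domain names, timestamps and thresholds are assumptions chosen for illustration, and the addresses come from the RFC 5737 documentation ranges rather than from any real traffic.

```python
"""Heuristic fast-flux scoring over a set of DNS answer observations.

Added example for illustration; every observation below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsAnswer:
    ts: int       # observation time in seconds (constructed epoch offsets)
    qname: str    # name that was resolved
    ip: str       # A record returned
    ttl: int      # TTL advertised with that A record


# Constructed observations: one stable host, one host rotating like a
# fast-flux C2. Names and addresses are placeholders, not real hosts.
OBSERVATIONS: List[DnsAnswer] = [
    DnsAnswer(0,     "www.stable.example", "198.51.100.10",  86400),
    DnsAnswer(3600,  "www.stable.example", "198.51.100.10",  86400),
    DnsAnswer(7200,  "www.stable.example", "198.51.100.11",  86400),
    DnsAnswer(10800, "www.stable.example", "198.51.100.10",  86400),
    DnsAnswer(0,     "cnc.flux.example",   "203.0.113.5",    300),
    DnsAnswer(300,   "cnc.flux.example",   "192.0.2.77",     300),
    DnsAnswer(600,   "cnc.flux.example",   "198.51.100.200", 300),
    DnsAnswer(900,   "cnc.flux.example",   "203.0.113.140",  180),
    DnsAnswer(1200,  "cnc.flux.example",   "192.0.2.9",      300),
    DnsAnswer(1500,  "cnc.flux.example",   "203.0.113.61",   240),
    DnsAnswer(1800,  "cnc.flux.example",   "192.0.2.150",    300),
]


def _prefix16(ip: str) -> str:
    """Coarse network key (first two octets); a stand-in for ASN lookup,
    which is not available offline."""
    octets = ip_address(ip).exploded.split(".")
    return ".".join(octets[:2])


def flux_features(answers: Iterable[DnsAnswer]) -> Dict[str, dict]:
    """Per-name features: address count, network spread, lowest TTL,
    and how often consecutive answers changed per hour."""
    by_name: Dict[str, List[DnsAnswer]] = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    features: Dict[str, dict] = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda a: a.ts)
        # Clamp the window to one hour so a short capture is not inflated.
        span_hours = max(1.0, (obs[-1].ts - obs[0].ts) / 3600)
        changes = sum(1 for prev, cur in zip(obs, obs[1:]) if prev.ip != cur.ip)
        features[name] = {
            "distinct_ips": len({a.ip for a in obs}),
            "distinct_16s": len({_prefix16(a.ip) for a in obs}),
            "min_ttl": min(a.ttl for a in obs),
            "changes_per_hour": changes / span_hours,
        }
    return features


def is_fast_flux(f: dict, max_ttl: int = 600, min_ips: int = 5,
                 min_nets: int = 3, min_changes_per_hour: float = 4.0) -> bool:
    """All four conditions must hold; thresholds are assumed, tune per corpus."""
    return (f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips
            and f["distinct_16s"] >= min_nets
            and f["changes_per_hour"] >= min_changes_per_hour)


if __name__ == "__main__":
    for name, f in flux_features(OBSERVATIONS).items():
        print(name, f, "FAST-FLUX" if is_fast_flux(f) else "stable")
```

Requiring all four signals together matters: a CDN host also has many addresses and low TTLs, but they tend to sit in one or two networks and change far less often within a short window, which is why the network-spread and change-rate terms are part of the check.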

None of this is surprising; it is just handled well.

To explain Storm's resilience compared with newer and sleeker botnets, Stewart looked at the encryption used in the commands sent from the command-and-control server. He said the compression or packing code changes every 10 minutes to thwart antivirus signature files, although the code that gets packed only changes once a month or so.

Storm uses P2P to communicate with its various nodes and supernodes across the Internet. Because of that, he said, it has to contend with bogus media files being sent over the P2P network and with researchers such as himself attempting man-in-the-middle attacks to see what the commands might be. To handle that, Storm has started using 64-bit RSA encryption keyed in part on the date.
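A 64-bit RSA modulus offers no protection against the researchers described above: it factors in well under a second on a laptop, and with the factors the private exponent follows directly. The block below is an added example, not Storm's code or anything presented in the talk; it generates a toy RSA key from two 32-bit primes (using a fixed seed so the run is repeatable), recovers the factors with Brent's variant of Pollard's rho, rebuilds the private exponent, and decrypts a ciphertext with it. The key generation, message value and seed are assumptions for illustration.

```python
"""Why 64-bit RSA is not encryption against an analyst: factor, rebuild d, decrypt.

Added example; the key below is generated here and has nothing to do with
any real botnet key.
"""
import random
from math import gcd
from typing import Dict, Tuple

# Bases that make Miller-Rabin deterministic for every n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the sizes used here."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rnd: random.Random) -> int:
    while True:
        cand = rnd.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if is_probable_prime(cand):
            return cand


def make_weak_rsa_key(bits: int = 64, seed: int = 2008) -> Dict[str, int]:
    """Toy keygen: n is the product of two (bits/2)-bit primes, e = 65537."""
    rnd = random.Random(seed)  # fixed seed: illustrative, never do this for real keys
    while True:
        p, q = _random_prime(bits // 2, rnd), _random_prime(bits // 2, rnd)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(65537, phi) == 1:
            return {"n": p * q, "e": 65537}


def _modinv(a: int, m: int) -> int:
    """Extended Euclid; assumes gcd(a, m) == 1."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        qt = old_r // r
        old_r, r = r, old_r - qt * r
        old_s, s = s, old_s - qt * s
    return old_s % m


def pollard_brent(n: int, seed: int = 1) -> int:
    """Return a non-trivial factor of composite n (Brent's cycle-finding rho)."""
    if n % 2 == 0:
        return 2
    rnd = random.Random(seed)
    while True:
        y, c, m = rnd.randrange(1, n), rnd.randrange(1, n), 128
        g = r = q = 1
        while g == 1:
            x = y
            for _ in range(r):
                y = (y * y + c) % n
            k = 0
            while k < r and g == 1:
                ys = y
                for _ in range(min(m, r - k)):       # batch products, one gcd per batch
                    y = (y * y + c) % n
                    q = q * abs(x - y) % n
                g = gcd(q, n)
                k += m
            r *= 2
        if g == n:                                   # batch overshot; replay one step at a time
            g = 1
            while g == 1:
                ys = (ys * ys + c) % n
                g = gcd(abs(x - ys), n)
        if g != n:
            return g


def recover_private_factors(n: int) -> Tuple[int, int]:
    p = pollard_brent(n)
    return (p, n // p) if p < n // p else (n // p, p)


def recover_d(n: int, e: int) -> int:
    """Rebuild the private exponent from the public key alone."""
    p, q = recover_private_factors(n)
    return _modinv(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    key = make_weak_rsa_key()
    m = 0x53746F726D  # constructed plaintext block, must be < n
    c = pow(m, key["e"], key["n"])
    print("n =", key["n"], "factors =", recover_private_factors(key["n"]))
    print("decrypted:", hex(pow(c, recover_d(key["n"], key["e"]), key["n"])))
```

The point for the practitioner is in `recover_d`: the public modulus is visible to anyone on the P2P network, so at this key size it is equivalent to the private key, and the "encryption" reduces to an obfuscation step that buys time only until someone runs a factoring routine.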

Joe Stewart talks about what botnet code is available and what can be found within it.
