Thursday, August 7, 2008

Black Hat - Looking inside the Storm worm botnet


Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated. Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype. For more information, see Kaminsky's PowerPoint presentation.

On Wednesday, Joe Stewart, Director of Malware Research for SecureWorks, presented his work on protocols and encryption used by the Storm worm botnet at Black Hat 2008.

He said as far as botnets go, Storm is not particularly sophisticated nor is it our number one threat. Yet while other botnets come and go, Storm remains amazingly resilient in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.

None of this is surprising; it's just handled well.

To explain Storm's resiliency compared with newer and sleeker botnets, Stewart looked at the encryption used within the commands sent from the Command and Control server. He said the compression or packing code changes every 10 minutes to thwart antivirus signature files, although the last packed code only changes once a month or so.

Storm uses P2P to communicate with its various nodes and supernodes throughout the Internet. He said because of that, it has to contend with bogus media files being sent via P2P and researchers such as himself attempting man-in-the-middle attacks to see what the commands might be. To handle that, Storm has started using 64-bit RSA encryption based in part on the date.
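The fast-flux behaviour described above (command-and-control names whose A records carry very short TTLs and rotate through many unrelated IP addresses) is something a defender can spot in passive DNS or resolver logs. The following is an added example, not code from the article or from SecureWorks: a small detector that parses constructed log lines of the form `<epoch> <qname> <ttl> <ip,ip,...>` and flags a name when its records are short-lived, resolve to many distinct addresses, and those addresses are spread across several /16 networks. The log format, the sample names and addresses, and the thresholds are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed passive-DNS style records (not captured traffic):
#   "<epoch> <qname> <ttl> <ip>,<ip>,..."
# update-example.test mimics a fast-flux name: 60 s TTL, a different
# set of addresses in unrelated networks on every response.
# cdn-example.test has a short TTL too, but all addresses sit in one /24,
# which is how a legitimate load-balanced service usually looks.
# static-example.test is a plain host with a one-day TTL.
SAMPLE_LOG = """\
1218060000 update-example.test 60 10.1.2.3,172.20.4.5,192.168.9.10
1218060060 update-example.test 60 10.9.8.7,172.31.1.2,192.168.77.3
1218060120 update-example.test 60 10.44.5.6,172.18.2.2
1218060180 update-example.test 60 172.25.0.9,192.168.200.4,10.77.1.1
1218060000 cdn-example.test 120 203.0.113.10,203.0.113.11,203.0.113.12
1218060120 cdn-example.test 120 203.0.113.12,203.0.113.13
1218060240 cdn-example.test 120 203.0.113.10,203.0.113.14
1218060000 static-example.test 86400 198.51.100.5
1218060600 static-example.test 86400 198.51.100.5
"""

# Assumed thresholds; tune them against your own resolver's baseline.
FLUX_MAX_TTL = 300     # seconds: fast-flux records are deliberately short-lived
FLUX_MIN_IPS = 6       # distinct addresses observed for a single name
FLUX_MIN_SLASH16 = 3   # addresses spread over unrelated networks, not one hosting block


@dataclass
class DomainStats:
    ttls: set = field(default_factory=set)   # every TTL seen for the name
    ips: set = field(default_factory=set)    # every answer address, as a string
    responses: int = 0                       # number of responses observed


def parse_log(text):
    """Aggregate per-name TTLs and answer addresses from the log text."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, qname, ttl, answers = line.split()
        s = stats[qname.lower().rstrip(".")]
        s.ttls.add(int(ttl))
        s.responses += 1
        for ip in answers.split(","):
            # Validate the address; ValueError surfaces malformed input early.
            s.ips.add(str(ipaddress.ip_address(ip)))
    return dict(stats)


def distinct_prefixes(ips, prefix_len):
    """Collapse addresses to their /prefix_len networks to measure spread."""
    return {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}


def is_fast_flux(s):
    """Short TTL AND many addresses AND wide network spread -> likely flux."""
    if max(s.ttls) > FLUX_MAX_TTL:
        return False
    if len(s.ips) < FLUX_MIN_IPS:
        return False
    return len(distinct_prefixes(s.ips, 16)) >= FLUX_MIN_SLASH16


def flag_fast_flux(text):
    """Return the sorted list of names in the log that look fast-fluxed."""
    return sorted(name for name, s in parse_log(text).items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in parse_log(SAMPLE_LOG).items():
        print(f"{name}: ttl_max={max(s.ttls)} ips={len(s.ips)} "
              f"slash16={len(distinct_prefixes(s.ips, 16))} flux={is_fast_flux(s)}")
    print("flagged:", flag_fast_flux(SAMPLE_LOG))
```

The three conditions are deliberately combined: a short TTL alone matches every CDN, and many addresses alone matches any large service, but short TTL plus many addresses scattered across unrelated networks is the signature the article's description of Storm's command-and-control rotation implies.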

Joe Stewart talks about what botnet code is available and what can be found within it.

DNS Flaw At Black Hat


At the Black Hat conference in Las Vegas on Wednesday, attendees occupied every available seat and most of the floor space to hear security researcher Dan Kaminsky finally explain the Domain Name System (DNS) vulnerability that has been the talk of the Internet security community since early July.
"There are a lot of people out there," Kaminsky began as he scanned the audience. "Holy cr**!"

On Tuesday, July 8, Kaminsky and more than 80 technology vendors launched an unprecedented campaign to fix a flaw in widely distributed DNS software that could allow a form of attack called DNS cache poisoning.
The attack could be used to send Internet users to malicious sites or hijack e-mail.

To characterize the seriousness of the flaw, Kaminsky quoted security researcher Brad Hill's assessment: "Remember how pissed you were when you found out that the NSA had rooms where they could read everything? That's every kid right now."

As Kaminsky explained during his presentation, DNS is basically the Internet's version of 411. So being able to alter the associations between domain names and IP addresses allows malicious attackers to control where online information gets routed.

"Everything breaks when DNS breaks," said Kaminsky.

Following his July 8 announcement, Kaminsky said that he planned to reveal details about the vulnerability at the Black Hat conference on Wednesday, August 6, and he encouraged security researchers to refrain from speculating about the withheld details, to give those with vulnerable systems time to patch.

But on Monday, July 21, security researcher Halvar Flake posted his guess about how the DNS vulnerability worked on his blog. Then a security researcher at Matasano Security corrected some of the details in his own blog post. That prompted US CERT to warn that technical details about the DNS vulnerability had been released and to urge Internet users to patch vulnerable systems immediately.

Upon learning about the disclosure, Kaminsky in a blog post responded, "Patch. Today. Now. Yes, stay late."

What wasn't revealed until today was that another security researcher, Pieter de Boer, found the bug only 51 hours after Kaminsky's initial announcement. As it turns out, there are at least 15 known ways to run this attack and, Kaminsky suggested, perhaps 20 more undiscovered ways. So Kaminsky's effort to keep the flaw secret to buy time, derided by some, now looks even wiser.

The security community's commitment to fix the DNS bug appears to be working. On July 8 and 9, 85% of the unique name servers submitting to a self-test on Kaminsky's blog were vulnerable. As of July 25, that number had dropped to just over 50%.
