Storm Botnet Laid Bare
by Blight Crusader
In a recent blog post, Robert Vamosi dissects the inner workings of the Storm worm botnet, after speaking with Joe Stewart from SecureWorks. This is a fascinating look into the development and evolution of one particular botnet, assumed to be running from somewhere in Russia.
Before getting into highly technical analysis, Vamosi lays out the basic structure:
A basic botnet would include a Command and Control (C&C) server connected to thousands of compromised desktop computers worldwide. Were that always the case, botnets could be taken down quickly by simply finding and shutting down the C&C server. Storm’s approach is more nuanced and layered. Top level is a Command & Control server running Apache (presumably somewhere in Russia). Next level is a server running a Nginx 0.5.17 proxy; this server is designed to hide the Apache machine from view. At the third level are a couple more Nginx 0.5.17 proxies used to hide the master Nginx 0.5.17 proxy from view. Sitting at the fourth level are public nodes that act as reverse proxies leading back to the controller and perform as fast-flux name servers. Fast flux means that a hard-coded URL can be sent out with the bot code, but where that URL resolves changes. The final level is composed of thousands of compromised computers worldwide.
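The fast-flux layer described above is what a defender can see most directly: the hard-coded name keeps resolving to new addresses with short TTLs. The following is an added example (not code from Vamosi's article or SecureWorks) that runs a simple fast-flux heuristic over a constructed resolver log; the log format, the sample addresses and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of resolver-log style answers (assumption: each entry is
# (seconds since start, queried name, answer IP, TTL seconds)). These rows are
# made up for the example and are not data from Vamosi's or Stewart's analysis.
SAMPLE_RECORDS = [
    # a hard-coded name whose answers rotate through many hosts with tiny TTLs
    (0,    "update.example.invalid", "203.0.113.10",  300),
    (0,    "update.example.invalid", "198.51.100.7",  300),
    (300,  "update.example.invalid", "192.0.2.44",    300),
    (300,  "update.example.invalid", "203.0.113.200", 300),
    (600,  "update.example.invalid", "198.51.100.99", 300),
    (600,  "update.example.invalid", "192.0.2.130",   300),
    (900,  "update.example.invalid", "203.0.113.31",  300),
    # a stable name: same address every time, long TTL
    (0,    "www.example.invalid",    "192.0.2.1",     86400),
    (3600, "www.example.invalid",    "192.0.2.1",     86400),
    (7200, "www.example.invalid",    "192.0.2.1",     86400),
]

def flux_features(records, name):
    """Summarise how a name resolves: number of distinct IPs, number of
    distinct /24 prefixes (a rough stand-in for 'different networks'),
    and the smallest TTL seen."""
    answers = [(ts, ip, ttl) for ts, n, ip, ttl in records if n == name]
    ips = {ip for _, ip, _ in answers}
    prefixes = {ip.rsplit(".", 1)[0] for ip in ips}
    min_ttl = min((ttl for _, _, ttl in answers), default=None)
    return {"ips": len(ips), "prefixes": len(prefixes), "min_ttl": min_ttl}

def is_fast_flux(records, name, min_ips=5, min_prefixes=3, max_ttl=600):
    """Heuristic: many distinct addresses spread over several networks, each
    advertised with a short TTL so the answer can be swapped out quickly."""
    f = flux_features(records, name)
    if f["min_ttl"] is None:      # name never seen in this log
        return False
    return (f["ips"] >= min_ips and f["prefixes"] >= min_prefixes
            and f["min_ttl"] <= max_ttl)

def suspicious_names(records, **thresholds):
    """Every queried name in the log that trips the heuristic, sorted."""
    names = {n for _, n, _, _ in records}
    return sorted(n for n in names if is_fast_flux(records, n, **thresholds))

if __name__ == "__main__":
    for name in sorted({n for _, n, _, _ in SAMPLE_RECORDS}):
        print(name, flux_features(SAMPLE_RECORDS, name),
              "FAST-FLUX" if is_fast_flux(SAMPLE_RECORDS, name) else "ok")
```

A content-delivery network can also show many addresses per name, so in practice the thresholds are tuned against known-good names before the output is used for alerting.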
This botnet has been around for a while. It did not start out as one of today’s peer-to-peer programs; it began with much simpler schemes and added layers as needed to stay one step ahead. At the end of the article, though, a possible “next step” is discussed that has serious implications for the future: marketing the botnet to others on a piecemeal basis. The article closes:
Lately, though, Storm has been evolving yet again. This time it’s isolating its network further from the general Internet traffic by encrypting packets using an embedded key and simple XOR. It also has been changing its initial infection packing or compression process. The outer layers change every 10 minutes, while the interior bot code changes packing more on the order of once a month. Neither the packing nor the encryption has so far proven defeating to security researchers.
However, one downside to encryption is that Storm’s handlers could now segment parts of their network, that is, they could rent or sell off pieces of the botnet to others. Although speculation around segmentation has been widespread, Stewart says he has not observed it.
Certainly something to be on the lookout for in the near future.