User:Lawrence Cohen/work/Storm botnet

The Storm botnet, or Storm worm botnet, is a massive network of computers linked by the Storm worm Trojan horse into a botnet, a group of "zombie" computers controlled remotely. It is estimated to run on as many as 1,000,000 to 50,000,000 infected and compromised computer systems as of September 2007. Its formation began around January 2007, when the Storm worm at one point accounted for 8% of all infections on Windows computers.

The botnet reportedly is powerful enough, as of September 2007, to force entire countries off the Internet, and is estimated to be able to execute more instructions per second than some of the world's top supercomputers. The comparison is not entirely accurate, however, according to one security expert, who said that comparing a botnet with a supercomputer is like comparing an army of snipers with a nuclear weapon. Another said, "The more worrying thing is bandwidth. Just calculate four million times a standard ADSL connection. That's a lot of bandwidth. It's quite worrying. Having resources like that at their disposal — distributed around the world with a high presence and in a lot of countries — means they can deliver very effective distributed attacks against hosts."

Storm Worm infected computers contribute system resources to support the overall functioning of the network in a method similar to the operation of distributed computing projects like Folding@home.

Name
The Storm botnet and worm are so called because of the storm-related subject lines the infectious e-mails employ, such as "230 dead as storm batters Europe", "Chinese missile shot down USA aircraft", or "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel".

Creators/Administrators
It is suspected by some information security professionals that well-known fugitive spammers, including Leo Kuvayev, may be involved in the operation and control of the Storm botnet.

Composition
The botnet, or zombie network, comprises computers running Microsoft Windows, the only operating system the Storm worm can infect. Once infected, a computer becomes known as a bot. The bot then performs automated tasks, anything from gathering data on the user to attacking web sites to forwarding infected e-mail, without its owner's knowledge or permission.

Estimates indicate that 5,000 to 6,000 computers are dedicated to propagating the worm through e-mails with infected attachments; 1.2 billion virus messages have been sent by the botnet, including a record 57 million on 22 August 2007 alone. Lawrence Baldwin, a computer forensics specialist, was quoted as saying, "Cumulatively, Storm is sending billions of messages a day. It could be double digits in the billions, easily." One of the methods used to entice victims to infection-hosting web sites is the offer of free music by artists such as Beyonce Knowles, Kelly Clarkson, Rihanna, The Eagles, Foo Fighters, R. Kelly, and Velvet Revolver.

Back-end servers that control the spread of the botnet and Storm worm automatically re-encode the distributed infection software twice an hour for new transmissions, so that each wave carries a binary whose signature differs from the last, making it difficult for anti-virus vendors to keep up with the virus and stop its spread. Additionally, the location of the remote servers that control the botnet is hidden behind a constantly changing DNS technique called "fast flux": a domain's A records are rotated among many compromised hosts with very short time-to-live values, so the names and locations of the machines behind it change frequently, often minute by minute, making it difficult to find and stop virus-hosting sites and mail servers. The Storm botnet's operators control the system via peer-to-peer networks, making external monitoring and disabling of the system more difficult. There is no central "command-and-control point" in the Storm botnet that can be shut down. The botnet also makes use of encrypted traffic.
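To make the fast-flux point concrete, here is an added example (not code from this article or from any Storm analysis) of the heuristic an analyst applies to resolver logs: a name whose replies carry short TTLs, many distinct A records over time, addresses spread across several network prefixes, and high turnover between consecutive replies is flagged, while a CDN (short TTL but a stable set of addresses in one prefix) and a static host are not. The DNS replies are constructed, the domain names are hypothetical, and the thresholds and the use of /24 prefixes as a crude stand-in for AS numbers are assumptions.

```python
"""Fast-flux heuristic over constructed DNS replies (added example; not from the article)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Reply:
    t: int          # seconds into the capture when this reply was seen
    domain: str
    ttl: int        # TTL carried on the A records of this reply
    ips: tuple      # A records returned, as dotted strings


# Constructed captures (RFC 5737 documentation addresses, hypothetical names):
# one flux-like name, one CDN-like name, one static host.
SAMPLE_REPLIES = [
    Reply(0,   "fluxy.example", 180, ("203.0.113.5", "198.51.100.9", "192.0.2.44", "203.0.113.77")),
    Reply(200, "fluxy.example", 180, ("192.0.2.101", "198.51.100.31", "203.0.113.5", "192.0.2.8")),
    Reply(400, "fluxy.example", 180, ("198.51.100.120", "203.0.113.210", "192.0.2.101", "198.51.100.66")),
    Reply(600, "fluxy.example", 180, ("203.0.113.19", "192.0.2.233", "198.51.100.9", "198.51.100.66")),
    Reply(0,   "cdn.example", 60, ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13")),
    Reply(70,  "cdn.example", 60, ("192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.10")),
    Reply(140, "cdn.example", 60, ("192.0.2.12", "192.0.2.13", "192.0.2.10", "192.0.2.11")),
    Reply(0,     "static.example", 86400, ("198.51.100.250",)),
    Reply(90000, "static.example", 86400, ("198.51.100.250",)),
]


def prefix_of(ip: str, bits: int = 24) -> str:
    """Network prefix used as a crude stand-in for the AS an address belongs to (assumption)."""
    return str(ip_network(f"{ip}/{bits}", strict=False))


def summarize(replies, prefix_bits: int = 24) -> dict:
    """Per-domain features: lowest TTL, distinct addresses and prefixes seen, and
    mean turnover (share of addresses in a reply absent from the previous reply)."""
    by_domain = defaultdict(list)
    for r in replies:
        by_domain[r.domain].append(r)
    features = {}
    for domain, rs in by_domain.items():
        rs.sort(key=lambda r: r.t)
        seen, prefixes, turnover, prev = set(), set(), [], set()
        for r in rs:
            cur = set(r.ips)
            if prev:
                turnover.append(len(cur - prev) / len(cur))
            prev = cur
            seen |= cur
            prefixes |= {prefix_of(ip, prefix_bits) for ip in cur}
        features[domain] = {
            "replies": len(rs),
            "min_ttl": min(r.ttl for r in rs),
            "distinct_ips": len(seen),
            "distinct_prefixes": len(prefixes),
            "mean_turnover": sum(turnover) / len(turnover) if turnover else 0.0,
        }
    return features


def is_fast_flux(f: dict, max_ttl=300, min_ips=8, min_prefixes=3, min_turnover=0.5) -> bool:
    """Assumed thresholds: all four signals must be present. A CDN typically fails
    the prefix and turnover tests; a static host fails the TTL test."""
    return (f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips
            and f["distinct_prefixes"] >= min_prefixes
            and f["mean_turnover"] >= min_turnover)


def classify(replies) -> dict:
    return {d: is_fast_flux(f) for d, f in summarize(replies).items()}


if __name__ == "__main__":
    for domain, f in summarize(SAMPLE_REPLIES).items():
        print(domain, f, "FAST-FLUX" if is_fast_flux(f) else "ok")
```

In practice the prefix test is done against AS numbers from a routing table rather than /24 blocks, and the turnover test needs several replies spaced across the TTL; a single lookup cannot distinguish flux from a large CDN, which is exactly why fast flux frustrates one-off takedown attempts.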

Social engineering
Efforts to infect computers usually revolve around convincing people to download email attachments which contain the virus through subtle manipulation. In one instance, the botnet's controllers took advantage of the National Football League's opening weekend, sending out mail offering "football tracking programs" which did nothing more than infect a user's computer.

Computing power
According to Matt Sergeant, chief anti-spam technologist at MessageLabs, "In terms of power, [the botnet] utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." It is estimated that only 10%-20% of the total capacity and power of the Storm botnet is currently being used.

Systems joining the botnet
Once a system is compromised by Storm, it will attempt to join the botnet. This is done by launching a series of .exe files on the compromised system in stages. Usually they are named in a sequence from game0.exe through game5.exe, or a similar structure. Once a Windows system is running game0.exe, the following occurs. At each stage, the compromised system connects into the botnet through the obscured, hard-to-track DNS system the botnet uses, which makes tracing this process exceptionally difficult. The typical steps are:

Control of this process, and the link into the botnet, is run from %windir%\system32\wincom.sys on a Windows system via a kernel-mode rootkit, and all connections back to the botnet are sent through a modified version of the eDonkey/Overnet communications protocol.

Methodology
The Storm botnet and its variants employ a variety of attack vectors, and an equally wide variety of defensive steps exist as well.

On the offensive
Spameater.com, as well as other sites such as 419eater.com and Artists Against 419, both of which deal with 419 spam e-mail fraud, have experienced DDoS attacks that temporarily rendered them completely inoperable. The DDoS attacks consist of making massed parallel network calls to those and other target IP addresses, overloading the servers' capacity and practically preventing them from responding to any requests from anyone. Other anti-spam groups, such as the Spamhaus Project, were also attacked. Jeff Chan, a spam researcher, stated, "In terms of mitigating Storm, it's challenging at best and impossible at worst since the bad guys control many hundreds of megabits of traffic. There's some evidence that they may control hundreds of Gigabits of traffic, which is enough to force some countries off the Internet."

On September 17, 2007, a Republican Party website in the United States was hacked and used to propagate the Storm worm and botnet. In October 2007, the botnet took advantage of flaws in YouTube's CAPTCHA application on its mail systems to send targeted spam e-mails to Xbox owners with a scam involving winning a special version of the video game Halo 3. Other attack methods include using cuteness, such as animated images of laughing cats, to get people to click on a trojan software download.

On the defensive
The Storm botnet was observed defending itself, attacking computer systems that scanned online for Storm-infected systems. The botnet defends itself with DDoS counter-attacks to maintain its own internal integrity. On September 25, it was estimated that an update to Microsoft's Windows Malicious Software Removal Tool (MSRT) may have helped reduce the size of the botnet by up to 20%. The new release, as claimed by Microsoft, removed Storm from 274,372 infected systems out of 2.6 million scanned Windows systems. However, according to senior security staff at Microsoft, "the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the 'Storm' botnet," indicating that the MSRT cleaning may have been symbolic at best.

Storm botnet encryption and sales
In October 2007 it was uncovered that portions of the Storm botnet and its variants were for sale. This is being done by encrypting traffic with unique security keys: each segment, or sub-section, of the Storm botnet can communicate only with a section holding the matching key. However, this may also allow people to detect, track, and block Storm botnet traffic in the future, if the keys leave distinct lengths or signatures in the traffic. Computer security vendor Sophos has agreed with the assessment that the partitioning of the Storm botnet indicated likely resale of its services. Graham Cluley of Sophos said, "Storm's use of encrypted traffic is an interesting feature which has raised eyebrows in our lab. Its most likely use is for the cybercriminals to lease out portions of the network for misuse. It wouldn't be a surprise if the network was used for spamming, distributed denial-of-service attacks, and other malicious activities."

However, the encryption only seems to affect systems compromised by Storm from the second week of October 2007 onwards, meaning that the up to 5,000,000 systems compromised before then will remain difficult to track and block.
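Why a fixed per-segment key can become a fingerprint rather than a protection, as an added toy example (a constructed scheme, not Storm's actual protocol, and not code from the article): if every message from a segment begins with the same protocol header and is encrypted under a fixed key with a repeating-key XOR, an observer who knows the header recovers the leading key bytes from any single packet, can cluster packets by segment, and can derive a constant ciphertext prefix to block on. The header bytes, the two segment keys and the payloads are all constructed assumptions.

```python
"""Toy demonstration of how a fixed per-segment key fingerprints traffic
(added example; constructed scheme, not Storm's real protocol)."""
from collections import defaultdict

# Assumed fixed protocol header every bot message begins with (constructed).
HEADER = b"STRM\x01"

# Assumed per-segment keys (constructed); each resold segment gets its own.
KEY_A = bytes.fromhex("a1b2c3d4e5f60718")
KEY_B = bytes.fromhex("0f1e2d3c4b5a6978")


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bot_send(key: bytes, payload: bytes) -> bytes:
    """What a bot in a segment puts on the wire: header + payload under its segment key."""
    return xor_stream(HEADER + payload, key)


# Constructed traffic from two segments, interleaved as a sensor would see it.
SAMPLE_TRAFFIC = [
    bot_send(KEY_A, b"job=spam;tmpl=7"),
    bot_send(KEY_B, b"job=ddos;target=198.51.100.7"),
    bot_send(KEY_A, b"job=ddos;target=203.0.113.9"),
    bot_send(KEY_B, b"job=spam;tmpl=12"),
]


def keystream_prefix(packet: bytes, known_plaintext: bytes = HEADER) -> bytes:
    """Known-plaintext recovery: C XOR P yields the first len(P) bytes of the key,
    and that fragment is constant for every packet of a segment."""
    return xor_stream(packet[:len(known_plaintext)], known_plaintext)


def group_by_segment(packets) -> dict:
    """Cluster packets by recovered key fragment: one bucket per resold segment."""
    groups = defaultdict(list)
    for pkt in packets:
        groups[keystream_prefix(pkt)].append(pkt)
    return dict(groups)


def signature_for(key: bytes) -> bytes:
    """Block rule for one segment: a fixed header under a fixed key gives a constant
    ciphertext prefix, so a plain byte-match at offset 0 suffices."""
    return xor_stream(HEADER, key)


def matches(packet: bytes, signature: bytes) -> bool:
    return packet.startswith(signature)


if __name__ == "__main__":
    for frag, pkts in group_by_segment(SAMPLE_TRAFFIC).items():
        print(f"segment key fragment {frag.hex()}: {len(pkts)} packets")
    print("decrypted:", xor_stream(SAMPLE_TRAFFIC[1], KEY_B))
```

The detectability rests entirely on the fixed header and the static key: if the operators rotate keys or randomise the leading bytes of each message, both the clustering and the prefix signature stop working, which is the condition the paragraph above attaches to tracking and blocking.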