Storm worm cracked, but defenses may not fly

By oterod at 11:21 pm on January 11, 2009 | 3 Comments

The Storm worm, first noticed on January 17th, 2007, is one of the more notorious worms of the last few years. Targeted initially at individual Windows machines, it typically infected victims who received a bait e-mail with a particularly intriguing subject line, originally about a nasty European windstorm (hence the name). The malicious attachment, when opened, would begin sending data to predetermined locations and could also install additional malware.

The two most important effects of the worm were control of the victim machine as a botnet node and the installation of a rootkit. What made Storm particularly effective as a botnet client was its use of peer-to-peer technology rather than a strict client-server model. While “primitive” botnets could be attacked by targeting the centralized server, Storm created a P2P network of hosts, each of which was only ever “aware” of a small subset of the total botnet. “Command servers” did exert control over the botnet, but they existed in numbers, and hosts were given a means to find new command servers as they came online. This made it especially hard to learn the botnet’s size and membership, let alone take it down. Despite Microsoft’s attempts to cleanse infected nodes with its Malicious Software Removal Tool, estimates suggest that plenty of infected nodes remain.

In results published on January 9th, German researchers at the University of Bonn and RWTH Aachen University presented an analysis which could, if applied properly, lead to the demise of any remaining Storm botnets. By disassembling the drone client program run by infected nodes, the researchers recovered the protocol used for inter-client and client-server communication. They then built their own client and hooked it into an isolated test botnet. Experiments with this client showed that drones in the botnet ask each other where the command servers are, much as a DNS query is passed from resolver to resolver. By setting up a bootleg command server of their own and using their fake drone to route real drones to it, they found that they could take control of some aspects of the infected nodes. This would allow them to remotely install and run cleanup software, potentially enabling systematic cleanup of an entire botnet.

“What’s the holdup?” you might ask. The problem is that this cleanup would violate German computer-crime law. Not only would it intrude on victim machines in the same way the worm itself does, but the cleanup process could also cause data corruption and other collateral damage. The legal repercussions of invading privacy and tampering with data are severe. While the cost of letting Storm-backed botnets exist is immense (with respect to spam alone, Symantec clocked the spam output of one infected node at around 360 messages per minute), the practical and ethical cost of cleanup is high enough that it’s unclear to the German researchers which is worse.

It seems to me that another approach could prove less problematic. If drones not controlled by Storm’s operators can enter the network, as this research demonstrates, they could be used to identify, rather than automatically fix, infected nodes. With the backing of a well-recognized anti-virus vendor or computer security agency, an opt-in cleanup program could make the owners of infected nodes aware of the risks before they grant access to their machines or install the cleanup software themselves. The public approval of a well-known name in the field would lend credibility to the cleanup effort and could provide an open infrastructure for individual opt-in.

At the very least, this research allows security professionals and individual Windows users to take anti-Storm defense into their own hands. Whether it can be used to extinguish remaining Storm-related activity remains to be seen, especially now that Storm’s developers have a chance to react. It appears that the current drone protocol does not require command servers to authenticate themselves; were that put in place, for instance by having drones accept only command-server announcements signed with a key the operators keep off the infected machines, the researchers’ spoof-server approach would no longer work. The makers of the worm have shown both an eagerness and an ability to react quickly and successfully to anti-Storm technologies, and could no doubt “fix” this “problem” too fast for it to be useful.
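To make the two points above concrete (the peer lookup that the researchers’ fake drone poisons, and why server authentication would shut it down), here is a small simulation I put together for this post. It is not Storm’s actual protocol and not the Bonn/Aachen researchers’ code: the hostnames, the four-node topology, and the tiny textbook-RSA key pair (a 32-bit modulus, chosen only so the example runs with the standard library) are all constructed. The model keeps the one property the article hinges on: a drone asks the few peers it knows “where is the command server?” and adopts the first answer that passes its check. With `require_signature=False` the check is “any answer will do” and the rogue drone redirects a real drone, which then relays the poisoned answer to the next drone downstream; with `require_signature=True` drones only accept announcements that verify under the operator’s public key, and the rogue’s unsigned answer is ignored.

```python
"""Toy simulation: poisoning an unauthenticated P2P command-server lookup,
and the same lookup once drones demand a signed announcement.

Constructed example for this post; it is NOT Storm's real protocol and not the
researchers' code. Hostnames, peer topology and the tiny RSA key are made up.
"""
import hashlib

# --- Toy signature scheme -------------------------------------------------
# Two small primes keep this standard-library-only; a 32-bit modulus is NOT
# secure and merely stands in for a real signing key pair.
P, Q = 65537, 65521
N = P * Q
E = 65537                            # verification key: shipped inside every drone
D = pow(E, -1, (P - 1) * (Q - 1))    # signing key: stays with the botnet operator


def digest(msg: str) -> int:
    """SHA-256 of the announcement, reduced into the toy RSA group."""
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % N


def sign(msg: str) -> int:
    """Operator side: sign a command-server announcement (needs D)."""
    return pow(digest(msg), D, N)


def verify(msg: str, sig: int) -> bool:
    """Drone side: check an announcement using only the embedded E."""
    return pow(sig, E, N) == digest(msg)


# --- Drones ---------------------------------------------------------------
class Drone:
    """A bot that knows only a few peers and asks them where the command server is."""

    def __init__(self, name: str, peers: list, require_signature: bool):
        self.name = name
        self.peers = peers                  # small subset of the botnet, P2P style
        self.require_signature = require_signature
        self.announcement = None            # (server, signature) last accepted

    def answer(self):
        """Reply to a peer's 'where is the command server?' query."""
        return self.announcement

    def lookup(self, directory: dict):
        """Ask each known peer in turn; adopt the first announcement that passes the check."""
        for peer in self.peers:
            ann = directory[peer].answer()
            if ann is None:
                continue
            server, sig = ann
            if self.require_signature and not verify(server, sig):
                continue                    # forged or unsigned: ignore, keep asking
            self.announcement = ann         # cached, so this drone now relays it to others
            return server
        return None


class RogueDrone(Drone):
    """The researchers' hand-built client: speaks the protocol but points at its own
    server. It holds E like every drone but not D, so it cannot produce a valid signature."""

    def __init__(self, name: str, sinkhole: str):
        super().__init__(name, [], require_signature=False)
        self.announcement = (sinkhole, 0)   # 0 is a placeholder, not a signature


def run(require_signature: bool) -> tuple:
    """Build the constructed four-node network; return what two real drones end up using."""
    legit = "cc.operator.invalid"           # constructed hostnames
    sinkhole = "sinkhole.researchers.invalid"
    seed = Drone("seed", [], require_signature)
    seed.announcement = (legit, sign(legit))     # seed was bootstrapped by the operator
    rogue = RogueDrone("rogue", sinkhole)
    victim = Drone("victim", ["rogue", "seed"], require_signature)   # rogue answers first
    downstream = Drone("downstream", ["victim"], require_signature)  # only knows victim
    directory = {d.name: d for d in (seed, rogue, victim, downstream)}
    return victim.lookup(directory), downstream.lookup(directory)


if __name__ == "__main__":
    print("unauthenticated:", run(False))
    print("signed announcements:", run(True))
```

Two design points matter if the worm’s authors actually add this. The key has to be asymmetric: an HMAC-style shared secret baked into the drone would be recovered by exactly the disassembly the researchers already performed, and the rogue client could then sign whatever it liked. And signing only prevents redirection; a fake drone that speaks the protocol can still sit in the network and listen, which is all the opt-in identification approach above needs.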

It will be interesting to see how this situation plays out. Hopefully, it will be for the better.

Filed under: Current Events, Ethics, Policy, Privacy, Research

3 Comments

  • 1

    Comment by ando

    January 12, 2009 @ 11:16 am

    A very interesting post. Another thing to consider apart from the researchers either taking down all of the infected computers or using the network for good computation is if different malicious groups take over the botnets. Now with released knowledge that the server doesn’t have to authenticate itself to clients, others could take this information and hijack the hijacked machines. Then a whole new world is opened up and a hacker can use this computer as they desire to possibly install other worms/malware making the situation even worse.

    I think that action needs to occur promptly to avoid this risk. Either start a clean-up effort like Daniel recommends or try and get special legislative approval for a mass removal to avoid law penalties. The researchers should definitely contact the German authorities to discuss a special plan to allow for removal. This plan could be constructed to guarantee that individual privacy remains intact. If for a specific case this cannot be guaranteed then that computer will remain infected and the user can be notified to implement their own removal.

  • 2

    Comment by David Balatero

    January 13, 2009 @ 12:11 am

    This is a pretty interesting intersection between privacy invasion and defensive security. Since your computer is infected already with a massive, P2P application that is geared towards remote execution of code, it doesn’t seem like a problem to use that capability against the Storm worm. Yes, it’s invasive, but allowing the botnet to survive is in no one’s interest except the creator’s.

  • 3

    Comment by jonfung

    January 15, 2009 @ 11:48 am

    I don’t think it’s appropriate to hijack a hijacked network to clean itself up. These kinds of things always have unintended consequences. I remember a previous worm which was meant to clean up other worms and would go out and download a fix and try to run it. It ended up causing enormous amounts of load and more problems for the people who ended up getting it. The opt-in fix using the worm’s exploit to identify affected clients sounds much more reasonable, especially given that the article mentions that removal of the worm can cause data corruption. Even still, it’s a slippery slope when we start figuring out when it’s OK to intrude into other people’s systems without permission. Even if it’s just to identify the machine, we would need some way to contact the person. That alone means we already need to collect personally identifiable information.

    The legal issues raised would be no small matter either. Storm crosses boundaries which would mean that any proposed solution would also need to be compliant with the laws of all countries it would end up being used in. Even if German authorities allow researchers to use the botnet to clean machines, that does not mean that other countries’ governments would be as receptive.
