Storm Update…holiday edition…

By patriw at 2:23 pm on January 10, 2008

Summary:
The popular Storm botnet (also known as Peacomm and a bevy of other names…one for each AV company!) has just released yet another round of its malware in spam sent out over the Christmas / New Year's holiday period. While the disassembly of the current version is not yet available, older versions have employed a wide array of techniques to keep their code private, and the current version is likely to employ these, and more. The network, which once ran on the Overnet p2p network, has now gone private, obfuscating its UDP packets. A few of the software issues will be discussed, and hopefully a similar analysis of the most recent variety will be coming soon. However, it is simply an arms race. It takes time to dissect new pieces of malware, and in that time computers are infected. Once a solution is found, another technique will be created to defeat it.

Assets:

  • While the malware authors want the software distributed as widely as possible, it's important to protect the details of the protocol and the command and control portions of the malware. The privacy here is protecting several assets. Without completely dissecting the code, AV signatures are hard to develop, making it easier to successfully infect potential hosts. In addition, the obfuscation of the code protects the protocol used by the bots to communicate. While Storm as recently as September used the popular Overnet p2p network to communicate, it has since moved to a private network. This network is the authors' biggest asset, as massive DDoS attacks are possible with so many infected machines, as is the ability to send massive amounts of spam.
  • Small footprint. Sending spam, or even being part of a DDoS attack, doesn't generate so much traffic that the infected machines are crippled. The spread of high speed internet connections has made hiding in the background much easier.
  • What appears to be a group of very talented minds.
  • Instead of taking advantage of exploits, the malware is spread via social engineering…as people are by default dumb, this method of distribution works great!

Potential Adversaries/Threats:

  • Widespread adoption of a more secure email protocol than SMTP. Storm currently abuses the fact that SMTP does not authenticate the sender of email messages. The authors of the malware seem to be driven by financial gain, and without the ability to send spam they would be unable to participate in pump and dump scams or advertise products.
  • Honest ISPs. There are currently ISPs that still do not validate the source IP address of UDP packets. There have been reports of these in Russia and China. These provide lovely avenues through which DHT values (older versions utilized the DHT used by Overnet…I'm assuming there is still a DHT in place, despite the change in protocol) can be inserted without the source being obvious. This doesn't have to be the case! Just try sending a message from your computer with a forged src IP. It will be blocked! In addition, ISPs could block all Storm traffic (might be illegal…not that Comcast seems to mind dropping customers' packets).
  • OpenDNS and other DNS servers that are null-routing IPs seen hosting malware. This is rather difficult as Storm utilizes fast-flux domain changing; however, as Storm is being hosted by many of the already infected machines, blocking all IPs seen communicating with infected boxes would potentially reduce the number of hosts.
  • VMware/VirtualPC and debuggers…These can be used to run the code, dissect how the UDP packets are created, and identify bootstrap lists (hopefully leading to these IPs being notified and cleaned…but apparently this isn't happening). Widespread use of VMs would also pose a threat to malware in general, as simply resetting the machine to a previous snapshot would clean it.
  • Researchers…we're so curious!
  • Law enforcement…nothing angers the man more than someone getting rich easy.
  • Script kiddies…can you imagine a 15 year old kid in North Dakota with the ability to DDoS anyone, anytime? Remember Estonia?
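The "honest ISPs" point above is what BCP 38 ingress filtering (unicast reverse-path forwarding) does at the provider edge: a packet whose source address does not belong to the customer interface it arrived on is dropped, so the forged-source UDP injection described above never leaves the access network. The following is an added example, not code from the original post; the routing table, interface names and packets are constructed to show strict versus loose reverse-path checks in a toy model of one edge router.

```python
"""Toy model of BCP 38 / unicast RPF ingress filtering (added example).

The FIB, interface names and packets below are constructed for the
example; nothing here is taken from a real router configuration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed FIB: which interface each prefix is reached through.
# Two customer prefixes plus a default route towards the upstream.
FIB: Dict[IPNet, str] = {
    ipaddress.ip_network("192.0.2.0/24"): "cust-a",
    ipaddress.ip_network("198.51.100.0/24"): "cust-b",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}


def lookup(fib: Dict[IPNet, str], addr: str) -> Optional[Tuple[IPNet, str]]:
    """Longest-prefix match of addr against the FIB."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[IPNet, str]] = None
    for net, iface in fib.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_allows(fib: Dict[IPNet, str], src: str, ingress_iface: str,
                mode: str = "strict") -> bool:
    """Reverse-path check on a packet's source address.

    strict: the source must route back out the interface it arrived on
            (what a customer-facing port should enforce).
    loose:  any specific route to the source suffices (used on peering
            links where asymmetric routing is normal).
    In this model a source that only matches the default route is treated
    as unrouted and fails both modes, so bogons and RFC 1918 sources drop.
    """
    match = lookup(fib, src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0:
        return False
    if mode == "strict":
        return iface == ingress_iface
    return True


def filter_packets(fib: Dict[IPNet, str], packets: List[Tuple[str, str]],
                   mode: str = "strict") -> Tuple[List[str], List[str]]:
    """Split (src_ip, ingress_iface) packets into forwarded and dropped sources."""
    forwarded, dropped = [], []
    for src, iface in packets:
        (forwarded if urpf_allows(fib, src, iface, mode) else dropped).append(src)
    return forwarded, dropped


# Constructed packets arriving on customer A's port: one honest, one forging
# customer B's address, one forging an address the ISP has no route for.
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust-a"),
    ("198.51.100.5", "cust-a"),
    ("203.0.113.9", "cust-a"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        fwd, drop = filter_packets(FIB, SAMPLE_PACKETS, mode)
        print(f"{mode}: forwarded={fwd} dropped={drop}")
```

Run as-is, strict mode forwards only the honest source, while loose mode also lets the packet forging customer B's address through; that is exactly why strict mode is the one that belongs on customer ports.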

Weaknesses:

  • The fact that this piece of software must actually run means that the code cannot be completely hidden. It must be unpacked to run, so running it in a debugger will reveal the un-obfuscated code.
  • A large volume of UDP packets must be sent, both to enter the Storm network and simply to maintain a place in it. This creates a large amount of traffic to be analyzed.
  • The size of the Storm network, while a strength, has also generated a huge amount of interest from the AV, research and law enforcement fields alike.
  • To avoid running in a VM, the malware checks for the VM software's default settings, which can easily be changed to evade that detection.
  • Hard-coded bootstrapping list. A list of several hundred IPs is hard-coded into the malware. Without it the program cannot run. There is no evidence of an IRC C&C backup.
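
The second and last weaknesses above (the UDP chatter needed to join and stay in the network, and the hard-coded bootstrap list) are the kind of thing a network defender can look for in flow records. As an added example that is not part of the original post, the following script flags internal hosts that fan out to many distinct UDP peers inside a short window, and hosts that contact addresses from a known bootstrap list. The flow records, the thresholds and the bootstrap addresses are all constructed placeholders; real Storm peer addresses are not reproduced here.

```python
"""Flag internal hosts whose UDP traffic looks like P2P bot bootstrapping.

Added example, not code from the original post.  Works offline on
constructed NetFlow-style records: 'ts,src,dst,dport,packets'.  The
bootstrap list below is a placeholder, not a real peer list.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str       # internal host
    dst: str       # remote peer
    dport: int     # UDP destination port
    packets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ts,src,dst,dport,packets' lines; blank and '#' lines are ignored."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, pkts = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(dport), int(pkts)))
    return flows


def udp_fanout_alerts(flows: Iterable[Flow], bootstrap_ips: Set[str],
                      window: int = 60, min_peers: int = 30,
                      min_bootstrap_hits: int = 3) -> Dict[str, dict]:
    """Return {src: details} for sources that talk to >= min_peers distinct
    UDP peers inside one window-second bucket, or that contact
    >= min_bootstrap_hits addresses from the known bootstrap list."""
    peers_per_bucket: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    bootstrap_hits: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        peers_per_bucket[(f.src, f.ts // window)].add(f.dst)
        if f.dst in bootstrap_ips:
            bootstrap_hits[f.src].add(f.dst)

    # Peak fan-out per source across all windows.
    max_peers: Dict[str, int] = defaultdict(int)
    for (src, _bucket), peers in peers_per_bucket.items():
        max_peers[src] = max(max_peers[src], len(peers))

    alerts: Dict[str, dict] = {}
    for src in set(max_peers) | set(bootstrap_hits):
        reasons = []
        if max_peers[src] >= min_peers:
            reasons.append(f"{max_peers[src]} distinct UDP peers in {window}s")
        if len(bootstrap_hits[src]) >= min_bootstrap_hits:
            reasons.append(f"{len(bootstrap_hits[src])} known bootstrap peers")
        if reasons:
            alerts[src] = {"peers": max_peers[src],
                           "bootstrap_hits": len(bootstrap_hits[src]),
                           "reasons": reasons}
    return alerts


# Constructed placeholders standing in for a hard-coded bootstrap list.
BOOTSTRAP_IPS = {"203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.77"}


def build_sample_flows() -> str:
    """Constructed flow export: one benign host doing DNS/NTP, and one host
    that sprays UDP at 60 distinct peers within 30 seconds (bot-like fan-out)."""
    base = 1199900000  # constructed timestamp, early January 2008
    lines = ["# ts,src,dst,dport,packets",
             f"{base},10.0.0.5,192.0.2.10,53,2",
             f"{base + 5},10.0.0.5,192.0.2.10,53,1",
             f"{base + 9},10.0.0.5,192.0.2.11,123,1"]
    for i in range(60):
        lines.append(f"{base + i // 2},10.0.0.7,203.0.113.{i + 1},{10000 + i},1")
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = udp_fanout_alerts(parse_flows(build_sample_flows()), BOOTSTRAP_IPS)
    for host, info in alerts.items():
        print(host, "->", "; ".join(info["reasons"]))
```

The fan-out threshold is the more general signal: it does not depend on knowing the bootstrap list and so survives the protocol change the post describes, while the bootstrap-list match is cheap but only as good as the list extracted from the current sample. Tune the window and thresholds against a baseline of your own network, since DNS resolvers and some games also fan out over UDP.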
Filed under: Current Events, Security Reviews