Storm worm cracked, but defenses may not fly
The Storm worm, noticed for the first time on January 17th, 2007, is one of the more notorious worms of the last few years. Targetted initially towards individual Windows machines, victims were often infected after receiving a bait e-mail with a particularly intriguing subject line, originally on the topic of a nasty European windstorm. The malicious attachment, when opened, would begin sending data to predetermined locations, as well as potentially installing additional malware.
The two most important side-effects of the worm were assumed control of the victim machine for botnetting, as well as the application of a root kit. What made Storm particularly effective as a botnet client was the use of peer-to-peer technology, rather than a strict client-server model. While “primitive” botnets could be attacked by targetting the centralized server, Storm created a P2P network of hosts, each of which was only ever “aware” of a small subset of the total botnet. While “command servers” did exert control over the botnet, they existed in numbers, and hosts were given means to find new command servers as they came online. This made it especially hard to know of the botnet’s size and member machines, let alone take it down. Despite attempts by Microsoft to use its Malicious Software Removal Tool to cleanse infected nodes, estimates suggest remaining infected nodes are still plentiful.
In results published on January 9th, German researchers at Bonn University and RWTH Aechen University show analysis which could, if applied properly, lead to any remaining botnets’ demise. By disassembling the drone client program used by infected nodes, the researchers were able to discover the protocol used for inter-client and client-server communication. They then built their own client and hooked it into an isolated test botnet. Experiments with this client showed that drones in the botnet asked each other about command servers, much in the same way that a DNS query might travel. By creating their own bootleg command server, and using their false drone client to deceitfully route real drones to the new server, they found that they could assume control over some aspects of the infected nodes. This would allow them to remotely install and run cleanup software, potentially allowing systematic cleanup of an entire botnet.
“What’s the holdup?” you might ask. The problem is that this cleanup would violate German information safety laws. Not only would it invade victim machines in the same way that the worm itself has, but it could also cause all kinds of data corruption and other collateral damage as part of the cleanup process. The legal repercussions of invasion of privacy and potential tampering with data are severe. While the cost of allowing Storm-backed botnets to exist is immense — with respect to spam alone, Symantec clocked the e-mail spam-output rate of one infected node at around 360 messages per minute — the practical and ethical cost of cleanup is high enough that its unclear to the German researchers which is worse.
It seems to me as though another approach could prove less problematic. If non-Storm-controlled drones can enter the network as demonstrated by this research, they could be used to identify, rather than automatically fix, targeted nodes. With the support of some well-recognized anti-virus or computer security agency, an opt-in cleanup program could make owners of infected nodes aware of the risks of cleanup before granting access to their machines or installing cleanup software themselves. The public approval of a well-known name in the field would give credibility to the cleanup effort, and perhaps could provide an open infrastructure for individual opt-in.
At the very least, this research allows security professionals and indivual Windows users to take anti-Storm defense into their own hands. Whether it can be used to extinguish remaining Storm-related activity remains to be seen, especially now that Storm’s developers have a chance to react. It appears that the current drone protocol doesn’t require server authentication; were that to be put in place, the researcher’s spoof-server approach would no longer work. The makers of the worm have shown an eagerness and a capability to react quickly and successfully to possible anti-Storm technologies, and could no doubt “fix” this “problem” too fast for it to be useful.
It will be interesting to see how this situation plays out. Hopefully, it will be for the better.