The document discusses the Storm worm and botnet. It describes how the Storm worm was first discovered in 2007 and uses peer-to-peer networking, making it resilient and difficult to detect. The worm spreads through social engineering emails and phishing websites. It features a P2P-based botnet constructed using the Overnet protocol and uses rootkit technology to hide itself. The decentralized botnet architecture means it does not require a central command and control server. The document analyzes the P2P network traffic and encryption methods used by Storm bots to communicate. It also describes the rootkit's capabilities to hide files, ports, and processes to avoid detection by anti-virus software and security researchers.
Jun Zhang Websense, Inc. Beijing Security Lab. Aug 2008
Introduction -- What's the Storm Worm
A kind of malicious program. The first Storm worm was discovered in late January 2007. Storm is one of the first pieces of malware to use a P2P network, which makes it more resilient, more powerful and harder to detect. Spreading method: the primary method of spreading remains social engineering email and phishing websites.
Storm Features. Based on P2P and rootkit technology, Storm is able to resist attempts to shut down its network and has evolved continuously to stay ahead of the anti-virus industry and researchers. Features: uses a P2P network (Overnet/Kademlia); uses fast-flux DNS for hosting on named sites; the binary has gone through many revisions; hides on the machine with rootkit technology.
Storm Capabilities. As Storm has evolved, it has gained a number of capabilities to aid it in malicious activity. Capabilities: spam; spreading; ICMP echo flood; TCP SYN flood; proxy connections; download and execute files.
Malicious Activities. The Storm network has been used for many malicious money-making activities: spamming, phishing emails, DDoS attacks. Example: sending spam through Google's SMTP server.
Example Phishing mail
Core components of Storm: the P2P-based botnet and the rootkit. Through analyzing recent Storm samples, we noticed that the P2P network and the rootkit are the most important parts of the Storm worm. Most Storm worms use the Overnet protocol to construct their botnet; because of the distributed nature of Overnet, there isn't a central command and control server. This dynamic nature is what makes Storm so resilient to attack.
The nature of the Overnet-based P2P botnet is also the primary reason why casual researchers and security enthusiasts often chalk the Storm botnet up as impossible to shut down, or even to track or estimate the size of. Another reason Storm avoids detection is its rootkit technology. The rootkit enhances Storm's hiding ability: using the rootkit, Storm can hide itself in the file system, conceal running processes and easily bypass the firewall and IDS. Next, we will focus on the P2P-based botnet and the rootkit, and discuss them using a real Storm sample we captured.
Storm Worm P2P-based Botnet
Overview. In recent years, P2P technology has been used frequently in Storm variants and has become more and more popular. A P2P-based botnet is very hard to trace and to shut down, because the botnet has robust network connectivity (this is the nature of a P2P network), uses encryption, and controls traffic dispersion. Each bot influences only a small part of the botnet, and upgrade/recovery is accomplished easily by its botmaster.
Decentralized Botnet. The latest botnet has a decentralized architecture, unlike the traditional peer-to-peer system. This kind of botnet does not need a central command and control location; it allows the attacker to upgrade and control infected hosts without the botmaster.
P2P botnet Implementation. Storm uses a distributed hash table (DHT) based on the Kademlia algorithm and assigns a random 128-bit ID to each bot. The format of the random ID is similar to this:
Normally, Storm will carry a hard-coded peer list. This list is used to bootstrap the botnet.
Example of peer list
Each line is a single hex-encoded peer in this format: <128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>
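An analyst who recovers such a bootstrap peer list from a sample usually wants to turn it into host/port indicators for blocking and hunting. The parser below is an added example, not code from the presentation or from Websense; the sample lines are constructed, and it assumes the IP and port are stored big-endian in the hex string (the slide does not state the byte order).

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample of a bootstrap peer list in the slide's format:
# <128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>, one hex-encoded
# peer per line. These are made-up values, not real Storm peers.
SAMPLE_PEER_LIST = """\
0123456789ABCDEF0123456789ABCDEF=C0A8010A1F9000
FEDCBA9876543210FEDCBA9876543210=0A000005270F00
# malformed entry (hash too short); a robust parser must skip it
DEADBEEF=0A0000010BB800
"""

# 32 hex chars of bot ID, '=', 8 hex chars IP, 4 hex chars port, 2 hex chars type
PEER_RE = re.compile(
    r"^([0-9A-Fa-f]{32})=([0-9A-Fa-f]{8})([0-9A-Fa-f]{4})([0-9A-Fa-f]{2})$"
)


class Peer(NamedTuple):
    bot_id: str     # 128-bit Overnet/Kademlia node ID, upper-case hex
    ip: str         # dotted-quad IPv4
    port: int       # UDP port the bot listens on
    peer_type: int  # 8-bit peer type flag as carried in the list


def parse_peer_line(line: str) -> Optional[Peer]:
    """Decode one hex-encoded peer; return None if the line is not well formed."""
    m = PEER_RE.match(line.strip())
    if not m:
        return None
    bot_id, ip_hex, port_hex, type_hex = m.groups()
    # Assumption: IP and port are big-endian (network byte order) in the text.
    ip = str(ipaddress.IPv4Address(int(ip_hex, 16)))
    return Peer(bot_id.upper(), ip, int(port_hex, 16), int(type_hex, 16))


def parse_peer_list(text: str) -> List[Peer]:
    """Parse a whole peer list, ignoring blank lines, comments and bad entries."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        peer = parse_peer_line(line)
        if peer is not None:
            peers.append(peer)
    return peers


def udp_port_dispersion(peers: List[Peer]) -> int:
    """Distinct UDP ports in the list. Storm randomises the port per bot, so a
    count close to len(peers) is the port dispersion the slides describe."""
    return len({p.port for p in peers})
```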
How the peer list is built up: the system time is used as a random seed; the 128-bit bot ID is generated from that time seed; the IP/UDP port is picked randomly from a static array carried by Storm; part of the bot information is kept in the configuration file.
Botnet Traffic Analysis. The primary protocol the botnet uses is UDP; each bot communicates over UDP. Normally, Storm also includes an SMTP component to send the spam email.
Spamming SMTP component. This figure is a screen snapshot of a Storm bot sending spam.
UDP-based bots conversation
Securing the network traffic between bots. Storm uses an XOR encryption algorithm to encrypt the messages between bots and randomly assigns the UDP port for each bot. This greatly increases the dispersion of UDP ports, so it is very hard to trace a single bot.
XOR Encryption Algorithm. This encryption algorithm is very simple, but good enough to bypass an IDS or IPS.
Botnet Messages. To analyse the botnet, I wrote a tool to observe the messages between the bots. There are two kinds of messages. Search: a bot uses search messages to find resources and other bots based on BotID. Publicize: a bot uses publicize messages to report ownership of network resources (BotIDs) so that other bots can find the resource later.
Search Message
Publicize Message
The huge Botnet. The figure below shows part of a real botnet; I observed more than 5796 infected hosts in only 21 minutes!
Storm Worm Rootkit Technology
What's a Rootkit. A rootkit is a set of software components intended to hide running processes, files or system data from the operating system. In recent years, rootkits have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.
A real Rootkit used by the Storm Worm. We captured this Storm sample in August. Below is the workflow of the rootkit this Storm used.
The Rootkit's capabilities: Hide files, to avoid being deleted (hooks NtQueryDirectoryFile). Hide its TCP port, to bypass the firewall (hooks the TCP device, Device\Tcp). Hide its Win32 service, to avoid being detected, erasing its footprint from the registry (hooks NtEnumerateKey/NtEnumerateValueKey). Inject code into services.exe: from kernel mode, it uses a user-mode APC to inject the malicious code into "services.exe".