Monday, April 21, 2008

storm info

been doing some reading on a fascinating investigation into the storm worm which came out of the usenix leet08 con...

the authors start out explaining traditional botnets, and then differentiate the new p2p botnet anatomy. they do analysis on how information is routed and propagated, and then look into how they can participate within the network to gauge its size and more...

the sybil attack (and the eclipse attack) are new to me, and pretty nifty...

overall, i think it is interesting how we're seeing p2p evolve to fill a new space. coming out of the high ideals of freenet, p2p moves over to a lot of legit and illegit filesharing, and now we're seeing it used to protect the C&C capabilities of modern organized crime networks.

the sophistication of some aspects of storm is quite impressive. the authors describe adaptive attacks on browsers, where non-vulnerable browsers are ignored and vulnerable ones are sent a variety of payloads. also, the exe files used to infect hosts are repacked by the minute (which seems like a cpu expensive operation) on certain web servers serving them... the payload includes a rootkit to hide itself. there are other things which point to ongoing and active development of the network. they say they are going to try to identify the people behind the curtain as their next effort, and i wish them luck. i am quite curious to know more about the inner workings and motivations of the people who are coding this up.

another interesting note is that almost all of the social engineering attacks from storm were done in english. given the level of sophistication we're seeing in being adaptive and polymorphic in some areas, i wonder how long it will be until we see adaptive language (maybe based on destination ip of the domain for the spam?) as a component in these networks.

finally, the authors say they were able to successfully attack the network from the inside, by seeding benign files and then routing requests for malicious files to their sybils (the polluting attack). this is very nifty, because it allows for disruption to the network overall, and might (?) allow for the possibility to write a type of code-green countermeasure if you could somehow get infected hosts to execute a file which would turn them into sybils or clean themselves somehow.

unfortunately, given how sophisticated the bad guys seem to be, i can only imagine that this possibility will be closed in the future. i may not have thought this all the way through, but it seems that the clients could be coded to check for a digital signature on any file which is being published, and to ignore any published files which are incorrect or missing a signature. this wouldn't prevent infiltration into the network, but i think it would severely hamper any ability to hijack or suppress it. on the flip side, however, i believe the authors would then subject themselves to non-repudiation if law enforcement found a copy of the private key on their box ;)
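a toy model of the two ideas above, added here and not taken from the post or the paper: sybils polluting a published key with benign records, and the signature check that would make the index ignore them. an hmac with a shared key stands in for the asymmetric signature the post has in mind (so in this toy the verifier holds the same key as the publisher, which a real deployment would avoid); every name and value is made up.

```python
import hashlib
import hmac
import secrets

# constructed stand-in for the publisher's private key (toy only: a real
# deployment would sign with an asymmetric key so verifiers cannot forge)
SIGNING_KEY = secrets.token_bytes(32)


def sign_record(key: str, value: bytes, signing_key: bytes) -> dict:
    """publish-side: bind key and value together under the signing key."""
    msg = key.encode() + b"\0" + value
    tag = hmac.new(signing_key, msg, hashlib.sha256).hexdigest()
    return {"key": key, "value": value, "sig": tag}


def record_is_valid(rec: dict, verify_key: bytes) -> bool:
    """client-side check the post speculates about: drop bad/missing sigs."""
    msg = rec["key"].encode() + b"\0" + rec["value"]
    expected = hmac.new(verify_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec.get("sig", ""))


class Index:
    """minimal key -> records store, like the rendezvous index the paper polluted."""

    def __init__(self, require_signature: bool, verify_key: bytes):
        self.require_signature = require_signature
        self.verify_key = verify_key
        self.store: dict[str, list[dict]] = {}

    def publish(self, rec: dict) -> bool:
        if self.require_signature and not record_is_valid(rec, self.verify_key):
            return False  # unsigned or forged record is ignored
        self.store.setdefault(rec["key"], []).append(rec)
        return True

    def lookup(self, key: str) -> list[bytes]:
        return [r["value"] for r in self.store.get(key, [])]


def benign_fraction(require_signature: bool, sybils: int = 50) -> float:
    """fraction of lookup results that are the sybils' benign records."""
    idx = Index(require_signature, SIGNING_KEY)
    idx.publish(sign_record("rendezvous-1", b"real record", SIGNING_KEY))
    for _ in range(sybils):  # sybils flood the same key with unsigned records
        idx.publish({"key": "rendezvous-1", "value": b"benign", "sig": ""})
    results = idx.lookup("rendezvous-1")
    return results.count(b"benign") / len(results)
```

without the check the sybils own almost every answer for the key; with it the same flood changes nothing, which is the author's point about hijacking becoming hard while infiltration stays possible.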
