Thread: Storm, Nugache lead dangerous new botnet barrage

Storm, Nugache lead dangerous new botnet barrage
user name
2007-12-28 11:06:44
Storm, Nugache lead dangerous new botnet barrage
By Dennis Fisher, Executive Editor
19 Dec 2007 | SearchSecurity.com
<http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1286808,00.html?track=NL-358&ad=614777&asrc=EM_NLN_2785475&uid=1408222>

In early 2006, Dave Dittrich, a senior security engineer and researcher at the University of Washington in Seattle, got a sample of a new strain of malware from a colleague, and began monitoring its activity. The Trojan was a bit lazy at first, making just a few outbound connections. But it quickly became obvious that this was no ordinary piece of malware, because each of the connections was to a peer and not a central command and control server.

This was strange behavior for PCs that have been compromised by this type of malware. The members of a distributed network like this typically communicate only with one central machine, called the command and control server. It's a top-down structure; the C&C server gives the commands and the compromised PCs carry them out. However, this new network didn't seem to have one C&C server that was running the show, and the malware itself couldn't really even be classified as a bot as it didn't make its first IRC connection for more than a month. IRC, or Internet Relay Chat, is the preferred method of communication for botnet controllers.

But with this network, in lieu of one C&C server, there were a number of peers around the network that were sending out commands and serving as download sites for various pieces of the network. So if one of the peers in the network that the attacker is using to issue commands to the rest of the network is shut down, the attacker could simply begin sending orders through another peer. This made the entire network of compromised PCs equal partners and made the prospect of disabling the network incredibly daunting.

As troubling as this new development was, more troubling was the fact that the peers sending out the commands changed on the fly and, as Dittrich watched, various members of the network would drop off the botnet, only to reappear days or weeks later. So the shape and size of the botnet was changing almost constantly, with entire branches going dark for extended periods of time and peers jumping from one portion of the network to another seemingly on a whim. And, to add to the pile of bad news, the bots were communicating with each other over an encrypted channel, making it all but impossible to listen in on their conversations.

Dittrich, one of the top botnet researchers in the world, has been tracking botnets for close to a decade and has seen it all. But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.

"The authors are making these subtle little changes to keep it under the radar, and they're succeeding," said Dittrich.

This is the future of malware and it's not a pretty picture. What it is, is a nightmare: a new breed of malicious software developed, tested and sold by professionals and engineered to change on the fly, adapt to its environment and evade traditional defenses.

Nugache, and its more famous cousin, the Storm Trojan, are not simply the next step in the evolution of malware. They represent a major step forward in both the quality of software that malware authors are producing and in the sophistication of their tactics. Although they're often referred to as worms, Storm and Nugache are actually Trojans. The Storm creator, for example, sends out millions of spam messages on a semi-regular basis, each containing a link to content on some remote server, normally disguised in a fake pitch for a penny stock, Viagra or relief for victims of a recent natural disaster. When a user clicks on the link, the attacker's server installs the Storm Trojan on the user's PC and it's off and running.

Various worms, viruses, bots and Trojans over the years have had one or two of the features that Storm, Nugache, Rbot and other such programs possess, but none has approached the breadth and depth of their feature sets. Rbot, for example, has more than 100 features that users can choose from when compiling the bot. This means that two different bots compiled from an identical source could have nearly identical feature sets, yet look completely different to an antivirus engine.

The creators of these Trojans and bots not only have very strong software development and testing skills, but also clearly know how security vendors operate and how to outmaneuver defenses such as antivirus software, IDS and firewalls, experts say. They know that they simply need to alter their code and the messages carrying it in small ways in order to evade signature-based defenses. Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.

"If you look at the way [Storm] is used, it's clear that money is changing hands and that the software has gone through a testing and revision process," said Phillip Porras, a program director at SRI International in Menlo Park, Calif., who has studied Storm's behavior. "The botnet is out there to help some group of people make money. This kind of malware is an economy now. Storm is not meant to spread across the entire Internet. It's meant to compromise specific targets. It's a network that is very good at producing money."

<snip/>


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
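A defender-side illustration of the structural difference the article above turns on, one central C&C server versus command traffic spread across many interchangeable peers, as an added example that is not part of the original post or of any named tool. It profiles constructed outbound flow records per internal host; the addresses, port numbers and thresholds are assumptions for the illustration, not Storm or Nugache values.

```python
from collections import Counter, defaultdict

# Constructed outbound flow records for the illustration: (src, dst, proto, dport).
# Addresses come from documentation ranges and the ports are arbitrary; none of
# this is real Storm or Nugache traffic.
FLOWS = (
    # Host A: top-down bot, every connection goes to one IRC C&C server.
    [("10.0.0.5", "203.0.113.10", "tcp", 6667)] * 25
    # Host B: peer-to-peer shape, one short exchange with each of 40 distinct peers.
    + [("10.0.0.7", f"198.51.100.{i}", "udp", 7871) for i in range(1, 41)]
    # Host C: ordinary workstation talking to a few web servers.
    + [("10.0.0.9", f"203.0.113.{i}", "tcp", 443) for i in (20, 21, 22, 20, 21)]
)


def profile_hosts(flows, min_peers=20, max_top_share=0.25):
    """Summarise each internal host's outbound traffic shape.

    One destination receiving almost all of a host's connections is the
    centralised C&C shape (or simply a busy client of one service). A wide
    fan-out where no single destination dominates is the peer-to-peer shape
    the article describes, the one that survives taking any single peer down.
    """
    by_src = defaultdict(list)
    for src, dst, proto, dport in flows:
        by_src[src].append((dst, proto, dport))
    report = {}
    for src, conns in by_src.items():
        dsts = Counter(dst for dst, _, _ in conns)
        peers = len(dsts)
        top_share = dsts.most_common(1)[0][1] / len(conns)  # share of busiest destination
        top_port = Counter((p, d) for _, p, d in conns).most_common(1)[0][0]
        if peers >= min_peers and top_share <= max_top_share:
            pattern = "p2p-fanout"      # many peers, none dominant: worth a closer look
        elif peers == 1 and len(conns) >= 10:
            pattern = "single-server"   # classic hub-and-spoke
        else:
            pattern = "unremarkable"
        report[src] = {"peers": peers, "top_share": round(top_share, 3),
                       "top_port": top_port, "pattern": pattern}
    return report


def flagged(report):
    """Hosts whose traffic shape matches the peer-to-peer heuristic."""
    return sorted(src for src, r in report.items() if r["pattern"] == "p2p-fanout")


if __name__ == "__main__":
    for src, r in sorted(profile_hosts(FLOWS).items()):
        print(src, r)
```

The thresholds only separate shapes; a flagged host still needs the usual follow-up, since legitimate peer-to-peer software produces the same fan-out.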

Death of antivirus software imminent
user name
2007-12-29 17:37:03
re:
Storm, Nugache lead dangerous new botnet barrage
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1286808,00.html

from above:

The creators of these Trojans and bots not only have very strong software development and testing skills, but also clearly know how security vendors operate and how to outmaneuver defenses such as antivirus software, IDS and firewalls, experts say. They know that they simply need to alter their code and the messages carrying it in small ways in order to evade signature-based defenses. Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.

... snip ...

... and somewhat related

Virtualization still hot, death of antivirus software imminent, VC says
http://www.networkworld.com/news/2007/121707-crystal-ball-virtualization.html

from above:

Another trend Maeder predicts for 2008 is, at long last, the death of antivirus software and other security products that allow employees to install and download any programs they'd like onto their PCs, and then attempt to weed out the malicious code. Instead, products that protect endpoints by only allowing IT-approved code to be installed will become the norm.

... snip ...

and post about dealing with compromised machines
http://www.garlic.com/~lynn/2007u.html#771 folklore indeed

mentioning sophistication in other ways:

Botnet-controlled Trojan robbing online bank customers
http://www.networkworld.com/news/2007/121307-zbot-trojan-robbing-banks.htm

from above:

If the attacker succeeds in getting the Trojan malware onto the victim's computer, he can piggyback on a session of online banking without even having to use the victim's name and password. The infected computer communicates back to the Trojan's command-and-controller exactly which bank the victim has an account with. It then automatically feeds code that tells the Trojan how to mimic actual online transactions with a particular bank to do wire transfers or bill payments

... snip ...

there have been some number of online banking countermeasures for specific kinds of system compromises .... like keyloggers ... but they apparently didn't bother to get promises from the crooks to only limit the kinds of attacks to those exploits.

some related comments on such compromised machines
http://www.garlic.com/~lynn/aadsm27.htm#66 2007: year in review
http://www.garlic.com/~lynn/aadsm28.htm#0 2007: year in review


Re: Death of antivirus software imminent
user name
2007-12-30 16:56:56
Anne & Lynn Wheeler wrote:
> Virtualization still hot, death of antivirus software imminent, VC says
> http://www.networkworld.com/news/2007/121707-crystal-ball-virtualization.html

Interesting how "virtualization" seems to imply "safe" in the public mind (and explicitly in that article) right now.... I'm sure with the increasing use of virtualization, we'll start to see more VMware-aware malware and virtual machine escapes in the wild. Another example of putting many, many eggs in the same basket.

Here's a good article about the first public VMware escape, which Intelguardians demonstrated at SANSFIRE this summer: (Note: I'm biased, having worked on this project.)
http://www.pauldotcom.com/2007/07/

What boggles my mind is that despite this, the DoD has still decided to rely on virtualization software to keep classified and unclassified info on the same physical systems:
http://www.internetnews.com/storage/article.php/3696996

Sherri

Re: Death of antivirus software imminent
user name
2007-12-30 19:41:31
On Dec 29, 2007, at 6:37 PM, Anne & Lynn Wheeler wrote:
> Virtualization still hot, death of antivirus software imminent

My, that sounds awfully familiar:
<http://radian.org/~krstic/talks/2007/auscert/slides.pdf>

I note that, come the January OLPC software update, I will be using my XO laptop for all my e-banking and related needs. It provides a drastically more secure platform for doing so than any mainstream computer I know exists.

--
Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org


Re: Storm, Nugache lead dangerous new botnet barrage
user name
2007-12-31 20:02:24
On Fri, 28 Dec 2007 09:06:44 -0800 or thereabouts "'=JeffH '" <Jeff.Hodges@KingsMountain.com> wrote:

> Storm, Nugache lead dangerous new botnet barrage
> By Dennis Fisher, Executive Editor
> 19 Dec 2007 | SearchSecurity.com
> <http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1286808,00.html?track=NL-358&ad=614777&asrc=EM_NLN_2785475&uid=1408222>
>
...snip...

Storm made a pretty significant comeback this week:

http://noh.ucsd.edu/~bmenrigh/stormdrain/stormdrain.enctotal_encactive.html

Note that those graphs are *only* from the peers that speak encrypted Overnet. If you include all the legacy Storm bots out there that still speak the unencrypted variant Storm is getting back up to its heyday size.

Brandon

