Viruses #2

Last week we started looking at some of the most prolific viruses of the last decade, and I finished by promising an overview of a worm called ‘Storm’ this week. It would be accurate to say that on many levels I am impressed by the capability of this particular worm, hence it requiring its own article; but since it has been created for ill gain, I am of course impressed merely in a disdainful fashion.

The Storm Worm was discovered on January 17th 2007 as it began infecting thousands of computers using an e-mail message with the subject line “230 dead as storm batters Europe”, and after just six waves of attack the Storm Worm accounted for 8% of all infections globally. During its life the worm has continued to infect people primarily in the same fashion: sending e-mails with a catchy subject line and getting the recipient to open an executable attachment (opening executable attachments is NEVER a good idea).
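Because the whole infection chain above depends on a recipient opening an executable attachment, the obvious place for a defender to intervene is the mail gateway. The following is an added example, not code from the original article: it builds a constructed sample message (the quoted subject line, a fake attachment whose first two bytes are the ‘MZ’ header every Windows executable starts with, and a harmless text attachment) and flags any attachment that is executable either by file extension or by its leading bytes. The extension list and all file names are assumptions for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# File types Windows will execute directly on double-click.
# Assumption: a representative list for illustration, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message() -> bytes:
    """Construct a sample lure message (constructed data, not a real capture).

    The subject line is the one quoted in the article; the attachment bytes are
    padding behind a two-byte 'MZ' header, so nothing here is a real program.
    """
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "230 dead as storm batters Europe"
    msg.set_content("Full video attached.")
    fake_pe = b"MZ" + b"\x00" * 62                     # PE files begin with 'MZ'
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Full Story.avi.exe")   # double extension, still .exe
    msg.add_attachment("just text", filename="notes.txt")
    return msg.as_bytes()


def find_executable_attachments(raw: bytes) -> list:
    """Return one record per attachment that looks executable.

    Two independent checks are applied, because either alone is easy to evade:
    the declared file name's final extension, and the magic bytes of the content.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]       # splitext keeps only the last suffix
        by_name = ext in EXECUTABLE_EXTENSIONS
        by_magic = data[:2] == b"MZ"
        if by_name or by_magic:
            flagged.append({"filename": name, "by_name": by_name, "by_magic": by_magic})
    return flagged


if __name__ == "__main__":
    for hit in find_executable_attachments(build_sample_message()):
        print("quarantine:", hit)
```

Checking the content as well as the name matters: renaming an attachment does not change its first two bytes, and a gateway that only looks at extensions is trivially bypassed.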

The rather unbelievable and arguably impressive stuff begins to happen once a machine has been infected, however, when, unbeknown to the user, it makes itself part of the Storm botnet: a remotely controlled network of “zombie” computers that have been infected by the Storm worm. Once part of the botnet, an infected machine can be told to execute commands given by the authors, who have yet to be discovered; worryingly, security analysts still have no idea of the country of origin.

Some have estimated that as many as 1 to 50 million infected computer systems comprise the network; however, one network analyst who claims to have developed software to crawl the botnet estimates a more conservative 160,000 machines.

This network has been known to participate, collectively, in a number of criminal activities, from gathering user data to attacking websites and forwarding the e-mail on to more potential victims. It is estimated that approximately 5,000 zombie machines are dedicated to passing the e-mail on, with a record 57 million messages estimated to have been sent on August 22nd 2007 alone. In order to avoid detection by anti-virus scanners the worm automatically re-encodes the infection software twice an hour, meaning that there are many different variants of the same worm.

The system itself works on a peer-to-peer basis (such as that employed by file sharing applications), so that externally monitoring the system and bringing down the network is made next to impossible; because the machines all talk independently of a centralised server, there is no single point of contact that can be targeted. The remote servers which control the botnet are also hidden behind a constantly changing network of proxies and constantly changing DNS (Domain Name System) addresses. The network has also shown signs of intelligent defensive behaviour, and whilst it is unknown whether these are automated or human-controlled responses, security operators who have tried to probe the network have instantly been punished with a consolidated DDoS (Distributed Denial of Service) attack from the network which cripples them.
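The “constantly changing DNS addresses” described above are something a defender can actually observe: a host name that resolves to many different addresses, spread across unrelated network ranges, each with a very short time-to-live, looks quite different from a normal server or even a content delivery network. The following is an added example, not code from the original article: it parses a constructed log of DNS answers (host name, answer address, TTL) and flags host names whose answer pattern fits that profile. All host names and addresses are constructed (RFC 5737 documentation ranges), and the thresholds are assumptions to be tuned against real traffic.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample of observed DNS answers: "<timestamp> <qname> <answer ip> <ttl>".
# flux.example.invalid cycles through addresses in three unrelated /24s with a
# 30-second TTL; cdn.example.invalid uses a short TTL but stays in one range;
# static.example.invalid is a single long-lived address.
SAMPLE_LOG = """\
2007-08-22T10:00:00 flux.example.invalid 198.51.100.17 30
2007-08-22T10:00:35 flux.example.invalid 203.0.113.5 30
2007-08-22T10:01:10 flux.example.invalid 192.0.2.44 30
2007-08-22T10:01:45 flux.example.invalid 198.51.100.90 30
2007-08-22T10:02:20 flux.example.invalid 203.0.113.201 30
2007-08-22T10:02:55 flux.example.invalid 192.0.2.7 30
2007-08-22T10:00:00 cdn.example.invalid 203.0.113.10 60
2007-08-22T10:01:05 cdn.example.invalid 203.0.113.11 60
2007-08-22T10:02:10 cdn.example.invalid 203.0.113.10 60
2007-08-22T10:00:00 static.example.invalid 192.0.2.100 86400
2007-08-22T10:02:00 static.example.invalid 192.0.2.100 86400
"""


def parse_log(text: str) -> list:
    """Turn the whitespace-separated log into a list of (qname, ip, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, qname, ip, ttl = line.split()
        records.append((qname.lower(), ipaddress.ip_address(ip), int(ttl)))
    return records


def summarise(records: list) -> dict:
    """Per host name: distinct answers, distinct /24 prefixes, median TTL."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for qname, ip, ttl in records:
        ips[qname].add(ip)
        ttls[qname].append(ttl)
    summary = {}
    for qname in ips:
        # Collapse each address to its /24 so that many hosts in one provider's
        # range count as one network, not as spread across the Internet.
        prefixes = {ipaddress.ip_network((ip, 24), strict=False) for ip in ips[qname]}
        summary[qname] = {
            "distinct_ips": len(ips[qname]),
            "distinct_prefixes": len(prefixes),
            "median_ttl": median(ttls[qname]),
        }
    return summary


def flag_fast_flux(summary: dict, min_ips: int = 5, min_prefixes: int = 3,
                   max_ttl: int = 300) -> list:
    """Return host names meeting all three heuristics (thresholds are assumptions)."""
    return sorted(
        qname for qname, s in summary.items()
        if s["distinct_ips"] >= min_ips
        and s["distinct_prefixes"] >= min_prefixes
        and s["median_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    stats = summarise(parse_log(SAMPLE_LOG))
    for qname, s in stats.items():
        print(qname, s)
    print("fast-flux candidates:", flag_fast_flux(stats))
```

Requiring all three conditions is what keeps the false-positive rate down: a content delivery network also uses short TTLs, but its answers stay inside a small number of its own ranges, whereas the proxies in front of a botnet controller are infected consumer machines scattered across many providers.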

The overall power of the network cannot be accurately estimated, but if we work on a relatively conservative assumption that there are one million zombie machines (with broadband connections) being controlled from one source, then the potential combined computing power and Internet bandwidth is quite staggering. If a network such as that created by Storm can exist by such a simple method of infection as an executable e-mail attachment, then we could be in real trouble in the future should the method of infection become more advanced and require no user interaction, such as that employed by the Sasser worm which we covered last week.


About the Author - Chris Holgate works for Refresh Cartridges who supply a wide range of printer cartridges at the UK’s lowest prices.