Description: Introduces the Storm worm and analyzes the P2P and rootkit technologies it uses to build its botnet and hide itself.

Page 1: Storm Worm & Botnet

Storm Worm & Botnet

Websense, Inc.

Jun Zhang

Beijing Security Lab.

Aug 2008

Page 2: Storm Worm & Botnet

Introduction -- What's the Storm Worm

A kind of malicious program

The first Storm worm was discovered in late January 2007.

Storm is one of the first malware families to use a P2P network, which makes it more resilient, more powerful and harder to detect.

Spreading method

The primary spreading methods remain social-engineering email and phishing websites.

Page 3: Storm Worm & Botnet

Introduction -- What's the Storm Worm

Storm Features

Based on P2P and rootkit technology, Storm can easily resist attempts to shut down its network and has evolved continuously to stay ahead of the anti-virus industry and researchers.

Features:
- Uses a P2P network (Overnet/Kademlia)
- Uses fast-flux DNS for hosting on named sites
- Binary has gone through many revisions
- Hides on the machine with rootkit technology

Page 4: Storm Worm & Botnet

Introduction -- What's the Storm Worm

Storm Capabilities

As Storm has evolved, it has gained a number of capabilities to aid it in malicious activity.

Capabilities:
- Spam
- Spread
- ICMP Echo flood
- TCP SYN flood
- Proxy connections
- Download and execute file

Page 5: Storm Worm & Botnet

Introduction -- What's the Storm Worm

Malicious Activities

The Storm network has been used for many malicious money-making activities:
- Spamming
- Phishing emails
- DDoS attacks

Example – Sending Spam through Google’s SMTP Server

Page 6: Storm Worm & Botnet

Introduction -- What's the Storm Worm

Example – Phishing mail

Page 7: Storm Worm & Botnet

Introduction -- What's the Storm Worm

Core components of Storm: P2P-based botnet and rootkit

Through analyzing the recent Storm samples, we noticed that the P2P network and the rootkit are the most important components of the Storm worm.

Most Storm worms use the Overnet protocol to construct their botnet; because of the distributed nature of Overnet, there is no central command and control server.

This dynamic nature makes Storm very resilient to attack.

Page 8: Storm Worm & Botnet

Introduction -- What's the Storm Worm

The nature of the Overnet-based P2P botnet is also the primary reason why casual researchers and security enthusiasts often chalk the Storm botnet up as impossible to shut down, or even to track or estimate the size of.

Another reason Storm avoids detection is its rootkit technology. The rootkit enhances Storm's hiding ability: using the rootkit, Storm can hide itself in the file system, conceal running processes and easily bypass the firewall and IDS.

Next, we will focus on the P2P-based botnet and Rootkit, and discuss these with a real Storm we captured.

Page 9: Storm Worm & Botnet

Storm Worm P2P-based Botnet

Overview

In recent years, P2P technology has been used frequently in Storm variants and has become more and more popular.

A P2P-based botnet is very hard to trace and to shut down, because the botnet has robust network connectivity (this is the nature of a P2P network), uses encryption, and controls traffic dispersion.

Each bot influences only a small part of the botnet, and upgrade/recovery is accomplished easily by the botmaster.

Page 10: Storm Worm & Botnet

Storm Worm P2P-based Botnet

Decentralized Botnet

The latest botnet has a decentralized architecture, unlike the traditional peer-to-peer system.

This kind of botnet does not need a central command and control location;

it allows the attacker to upgrade and control infected hosts without a central botmaster.

Page 11: Storm Worm & Botnet

Storm Worm P2P-based Botnet

P2P botnet Implementation

Storm uses a distributed hash table (DHT) based on the Kademlia algorithm and assigns a random 128-bit ID to each bot.

The format of the random ID is similar to this:

Normally, Storm carries a hard-coded peer list. This list is used to bootstrap the botnet.

Page 12: Storm Worm & Botnet

Storm Worm P2P-based Botnet

Example of peer list

Each line is a single hex-encoded peer in this format:

<128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>

Page 13: Storm Worm & Botnet

Storm Worm P2P-based Botnet

How the peer list is built:
- Use the system time as a random seed.
- Use that seed to generate the 128-bit bot ID.
- Randomly pick the IP/UDP port from a static array carried by Storm.
- Keep part of the bot information in the configuration file.

Page 14: Storm Worm & Botnet

Storm Worm P2P-based Botnet

Botnet Traffic Analysis

The primary protocol the botnet uses is UDP. Each bot communicates over UDP.

Normally, Storm includes an SMTP component to send spam email.

Page 15: Storm Worm & Botnet

Storm Worm P2P-based Botnet

Spamming – SMTP component

This figure is a screenshot of a Storm bot sending spam.

Page 16: Storm Worm & Botnet

Storm Worm P2P-based Botnet

UDP-based bots conversation

Page 17: Storm Worm & Botnet

Storm Worm P2P-based Botnet

Securing the network traffic between bots

Storm uses an XOR encryption algorithm to encrypt the messages between bots and randomly assigns the UDP port for each bot.

Together these greatly increase the dispersion of UDP ports, so it is very hard to trace a single bot.

Page 18: Storm Worm & Botnet

Storm Worm P2P-based Botnet

XOR Encryption Algorithm

This encryption algorithm is very simple but good enough for bypassing IDS or IPS.
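To show why a plain XOR layer hides traffic from a byte-signature IDS yet is trivial for an analyst to strip, here is an added example (not the deck's or Websense's code). The deck gives no details of Storm's key, so the repeating-key scheme, the 4-byte key and the message bytes are constructed assumptions.

```python
from itertools import cycle


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: C xor P reveals the key stream for that span.

    Needs at least key_len bytes of plaintext the analyst is sure of, e.g. a
    fixed message header captured from an infected lab host.
    """
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and plaintext")
    return xor_crypt(ciphertext[:key_len], known_plaintext[:key_len])


def matches_signature(packet: bytes, signature: bytes, key: bytes = b"") -> bool:
    """Byte-pattern match as a signature IDS does, optionally after decoding."""
    view = xor_crypt(packet, key) if key else packet
    return signature in view


# Constructed sample: a made-up bot message and key (not Storm's real values).
SAMPLE_KEY = bytes.fromhex("3a7fc215")
SAMPLE_MESSAGE = b"SEARCH 00112233445566778899aabbccddeeff"
SIGNATURE = b"SEARCH "


def demo() -> dict:
    """Signature misses on the wire bytes, hits once the XOR layer is removed."""
    wire = xor_crypt(SAMPLE_MESSAGE, SAMPLE_KEY)
    return {
        "raw_hit": matches_signature(wire, SIGNATURE),
        "decoded_hit": matches_signature(wire, SIGNATURE, SAMPLE_KEY),
        "recovered_key": recover_key(wire, SIGNATURE, len(SAMPLE_KEY)),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for detection is that a signature has to be applied to decoded payloads, or to invariants the XOR layer does not mask (packet sizes, UDP port dispersion, peer fan-out).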

Page 19: Storm Worm & Botnet

Storm Worm P2P-based Botnet

Botnet Messages

To analyse the botnet, I wrote a tool to observe the message between the bots.

Two kinds of messages:

Search: a bot uses search messages to find resources and other bots based on BotID.

Publicize: a bot uses publicize messages to report ownership of network resources (BotIDs) so that other bots can find the resource later.
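The peer-list format from slide 12 and the BotID-based search above, as an added example (not the deck's or Websense's code): it parses bootstrap entries and ranks peers by Kademlia XOR distance to a target ID, which is how a search decides whom to ask first. The big-endian layout of the IP/port fields, the sample IDs and the RFC 5737 addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    bot_id: int      # 128-bit Overnet/Kademlia node ID
    ip: str
    port: int
    peer_type: int


def parse_peer_line(line: str) -> Peer:
    """Parse one '<128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>' line.

    Assumption (not stated in the deck): IP and port are big-endian in the hex.
    """
    left, sep, right = line.strip().partition("=")
    if sep != "=" or len(left) != 32 or len(right) != 14:
        raise ValueError(f"malformed peer entry: {line!r}")
    raw = bytes.fromhex(right)            # raises ValueError on non-hex input
    return Peer(
        bot_id=int(left, 16),
        ip=str(ipaddress.IPv4Address(raw[0:4])),
        port=int.from_bytes(raw[4:6], "big"),
        peer_type=raw[6],
    )


def parse_peer_list(text: str) -> list[Peer]:
    """Parse a whole bootstrap list, skipping blank lines."""
    return [parse_peer_line(l) for l in text.splitlines() if l.strip()]


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance metric: XOR of the two 128-bit IDs."""
    return a ^ b


def closest_peers(peers: list[Peer], target_id: int, k: int = 3) -> list[Peer]:
    """The peers a search for target_id would be routed to first."""
    return sorted(peers, key=lambda p: xor_distance(p.bot_id, target_id))[:k]


# Constructed sample list: made-up IDs, RFC 5737 documentation addresses.
SAMPLE_PEER_LIST = """
00112233445566778899aabbccddeeff=c000020a1ebf00
ffeeddccbbaa99887766554433221100=c63364070fa000
00112233445566778899aabbccddee00=cb007105040001
"""

if __name__ == "__main__":
    target = 0x00112233445566778899aabbccddeeee
    for p in closest_peers(parse_peer_list(SAMPLE_PEER_LIST), target):
        print(f"{p.ip}:{p.port} type={p.peer_type} dist={xor_distance(p.bot_id, target):#x}")
```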

Page 20: Storm Worm & Botnet

Storm Worm P2P-based Botnet

Search Message

Page 21: Storm Worm & Botnet

Storm Worm P2P-based Botnet

Publicize Message

Page 22: Storm Worm & Botnet

Storm Worm P2P-based Botnet

The huge Botnet

The figure below shows part of a real botnet; I observed more than 5796 infected hosts in only 21 minutes!

Page 23: Storm Worm & Botnet

Storm Worm – Rootkit Technology

What’s the Rootkit

A rootkit is a set of software components intended to hide running processes, files or system data from the operating system.

In recent years, rootkits have been used increasingly by malware to help intruders maintain access to systems while avoiding detection.

Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.

Page 24: Storm Worm & Botnet

Storm Worm – Rootkit Technology

A real rootkit used by the Storm worm

We captured this Storm sample in August. Below is the workflow of the rootkit this Storm used.

Page 25: Storm Worm & Botnet

Storm Worm – Rootkit Technology

The rootkit's capabilities:

- Hide file: avoid being deleted (hooks NtQueryDirectoryFile).
- Hide TCP port: bypass the firewall (hooks the TCP device, \Device\Tcp).
- Hide Win32 service: avoid being detected; erase its footprint from the registry (hooks NtEnumerateKey/NtEnumerateValueKey).
- Inject code into "services.exe": from kernel mode, uses a user-mode APC to inject the malicious code into "services.exe".

Page 26: Storm Worm & Botnet

Storm Worm – A Real One

Workflow of a real Storm sample.

The white paper for this Storm sample can be found at:

http://securitylabs.websense.com/content/Assets/Storm_Worm_Botnet_Analysis_-_June_2008.pdf

Page 27: Storm Worm & Botnet

Any Questions?

The End