The balkanization of Storm Worm botnets
Creators of the Storm Worm Trojan have introduced a change to their malware that could help administrators trying to fortify their ISPs and networks against the prolific pest. PCs infected by Storm in the past week or so use a 40-byte key to encrypt traffic sent through Overnet, a peer-to-peer protocol that helps individual …
Very nicely written very concise a little disconserting of course but well written none the less.
Once again. It's bloody well not a worm. It's a trojan. Ever since this outbreak of sillyness started it's always been a trojan.
Can't we just switch off Asia and Eastern Europe. Let the bastards have their own internet, and leave us honest folks alone.
We lose the botnets, worms and hacked WoW accounts, they lose spam and 419s - everyone's a winner.
Switch off Asia and Eastern Europe?
An analysis done by an associate has shown that the country with the greatest proportion of bots hosting spammer sites is the U.S. Should we switch them off too mate? See here...
http://spamtrackers.eu/wiki/index.php?title=Botnet_hosting#Botnet_Geography_Charts
BTW not everyone in Asia is a dishonest bastard (as you implied)!
Actually sounds more like a good defensive strategy by the bad guys, and one of the main implications not touched upon by the article is that it makes it harder for other people to use those technologies for legitimate purposes. Were you thinking that encryption would add something good to a legitimate P2P service you are designing? Well, you better forget it now. However from the spammer's perspective, it puts their eggs into different baskets that are more strongly separated from each other, which may make it harder to get all of them.
I thought the article was another overly light populist approach to a complicated problem. Maybe the author does know his stuff--or maybe not. I'd have liked to see some links to heavier secondary sources that the Bleeding Edge Threats page.
Won't need to. In the name of Homeland Security, they'll be switching themselves off by the end of next year.
Most inappropriate name evah!
Actually, most attacks on my servers seem to come from Belgium.
Storm is a very devious, complex and well-designed malevolent toolset. For a really good insight into all aspects of the design I would refer all readers who have got here and want to understand more to go to Bruce Schneier's blog, which has its home at:
http://www.schneier.com/crypto-gram.html, look for "The Storm Worm" in the October 2007 archive page (it has 'fallen off the bottom' of the current page)
Bruce's entry refers out to a number of other articles and has attracted somehwat in excess of 100 comments.
Just a warning to those wanting to use those Snort signatures - those rules are so generic, you are going to be chasing false positives all day and night.
Sign up, sign up for The Register's weekly IT security newsletter - click here
