Tuesday, October 16, 2007

Detecting the "Storm Trojan" botnet - network traffic anomalies

Since its first appearance in early January 2007, the "Storm Trojan" has aggregated an astounding number of infected hosts, or bots (estimates range from about 1 million to 10 million computers). The botnet's command-and-control (C&C or C2) runs over a peer-to-peer (P2P) network and uses the eDonkey/Overnet protocol to communicate data and actions to its nodes. Such a botnet is extremely difficult to track and take down owing to its decentralized nature.

According to a blog post from Microsoft's Anti-malware team, their Malicious Software Removal Tool (MSRT) - which is updated and shipped once a month on Patch Tuesday - disinfected a large number of computers (about 2.6 million Windows machines) from variants of the "Storm Trojan".

Recent research into the "Storm Trojan" has revealed that certain anomalies or spikes in network traffic can be used to detect hosts (or nodes) belonging to its botnet.

An interesting blog post about this is from eset. It shows the spike in network traffic that occurs whenever a new node joins the "Storm Trojan's" decentralized botnet. You can find the blog post here.
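One way to turn the signal described above (a burst of contacts to many new peers when a node joins the P2P overlay) into a detection check, as an added example that is not from the original post or any of the linked research: it counts distinct UDP peers per source host in a sliding window over constructed flow records. The record format, the 60-second window and the threshold of 25 peers are assumptions, not values from the page.

```python
"""Flag hosts whose distinct-UDP-peer count spikes inside a short window, the
burst a new node produces when bootstrapping into a P2P overlay like Overnet.
Added example, not the post's own code; record format, window and threshold
are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def parse_flows(text):
    """Parse constructed 'timestamp src dst proto dport' records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return flows

def udp_peer_spikes(flows, window_s=60, threshold=25):
    """Return {src: peak distinct UDP peers seen in any window} for sources at
    or above threshold; repeated DNS to one resolver counts as a single peer."""
    window = timedelta(seconds=window_s)
    by_src = defaultdict(list)
    for ts, src, dst, proto, _ in flows:
        if proto == "UDP":
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peers, start, peak = Counter(), 0, 0
        for ts, dst in events:
            peers[dst] += 1
            while ts - events[start][0] > window:  # evict events outside window
                old = events[start][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                start += 1
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def constructed_flows():
    """Constructed sample: a benign host, a slow P2P talker, a bootstrapping node."""
    base = datetime(2007, 10, 16, 10, 0, 0)
    t = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{t(0)} 10.0.0.5 192.0.2.10 TCP 80"]
    lines += [f"{t(i)} 10.0.0.5 192.0.2.53 UDP 53" for i in range(30)]  # one resolver
    lines += [f"{t(20 * i)} 10.0.0.7 198.51.100.{i + 1} UDP 4000" for i in range(30)]  # slow
    lines += [f"{t(i // 2)} 10.0.0.9 203.0.113.{i + 1} UDP 4000" for i in range(40)]  # burst
    return "\n".join(lines)
```

With the default 60-second window only the bursting host is flagged; widening the window to ten minutes also catches the slow talker, which shows how much the choice of window drives false positives.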

There is also an article by SRI on the Storm Trojan. You can find the article here.

There is also a post on "The Register" about "Storm Trojan's" new encrypted traffic being used to detect its botnet. You can find that post here.

Bleeding Edge research posted more info about this as well, in two posts: "Encrypted storm traffic" and "Storm side CC channel". They also maintain a list of compromised host IPs.

According to a blog post by Ryan Naraine, the creators of the "Storm Trojan" are now partitioning their botnet in order to make it available for sale to spammers and denial of service attackers. This was discovered by SecureWorks researcher Joe Stewart, who has been tracking the Storm botnet for a while.

A very interesting blog post by Websense, detailing the chronological appearance of the "Storm Trojan" can be found here.

Frank Boldewin recently posted a nice writeup on the internal workings of the "Storm Trojan" based on the variant Peacomm.C. You can find that here.

Note: "Storm Trojan" (a.k.a. Nuwar, Tibs, Peacomm, Zhelatin, Fathom, Storm Worm, Dorf, Trojan.Peed, Trojan-Downloader.Win32.Small.dam, CME-711, etc.)
