NESTA Crime Online - University of Brighton Repository
The Storm botnet case study: the survival of the fastest in upgrading

The Storm Worm botnet is a global network of compromised computers that was estimated to control between one and five million machines, and is capable of sending over three billion spams a day. Initially, the Storm Worm gang relied on social-engineering techniques to lure victims into opening an attachment that contained a piece of malware, a Trojan. This Trojan silently took control of the infected machines and linked them together into a botnet, which was mainly used to send vast amounts of spam and to launch distributed denial of service (DDoS) attacks. For some months, Storm Worm was simply spreading and gaining strength, rapidly becoming one of the largest in the world. It even started developing upgraded malware to avoid signature-based detection, with new variants being created every 15 minutes.

Soon the Storm Worm had become the base that nearly all cybercriminals use to exploit the Internet and hide their theft of millions of users' identities. By the end of 2007 it was reported to comprise around 13 per cent of the entire malcode set collected. In 2008 Storm Worm launched for the first time a large blended attack that combined sophisticated social engineering with malware [product upgrading] that not only enrolled the infected PCs as part of Storm's botnet but also captured keystrokes, loaded viruses, and copied, transmitted or deleted files [functional upgrading]. 162

To remain operative, the Storm Worm botnet controllers introduced innovative improvements in their camouflaging techniques. Currently, the locations of the remote servers that control the botnet are hidden behind a constantly changing Domain Name System (DNS) using a technique called 'fast flux'. This technique changes the name and location of the DNS servers, often on a minute-by-minute basis, making external monitoring and disabling of the system more difficult. There is no central 'command and control point' in the Storm botnet that can be shut down [process upgrading].
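The fast-flux behaviour described above is visible from the defender's side as a resolution pattern: a hostname whose answers carry very short TTLs and keep rotating through many addresses spread across unrelated networks. The following is an added illustration, not code from the report or from any product it mentions, of one common heuristic for spotting that pattern in passive DNS data. The sample answers, the threshold values and the use of /24 prefixes as a stand-in for hosting diversity (published work typically uses ASNs) are all assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean

# Constructed sample DNS answers for illustration only (RFC 5737 documentation
# addresses, invented names): (domain, seconds since start, TTL, A records).
SAMPLE_ANSWERS = [
    ("flux.example",   0,   30,   ["198.51.100.10", "203.0.113.7"]),
    ("flux.example",   60,  30,   ["192.0.2.44", "198.51.100.200"]),
    ("flux.example",   120, 30,   ["203.0.113.99", "192.0.2.130"]),
    ("flux.example",   180, 30,   ["198.51.100.77", "203.0.113.5"]),
    ("static.example", 0,   3600, ["192.0.2.1"]),
    ("static.example", 60,  3600, ["192.0.2.1"]),
    ("cdn.example",    0,   60,   ["192.0.2.10", "192.0.2.11"]),
    ("cdn.example",    60,  60,   ["192.0.2.12", "192.0.2.10"]),
]

# Thresholds are illustrative assumptions, not values taken from the report.
MIN_UNIQUE_IPS = 5
MIN_UNIQUE_PREFIXES = 3
MAX_MEAN_TTL = 300
MIN_CHURN = 0.5


def prefix24(ip):
    """Return the /24 network an address belongs to (proxy for hosting diversity)."""
    return str(ip_network(f"{ip}/24", strict=False))


def classify_domains(answers):
    """Aggregate repeated lookups per domain and apply a fast-flux heuristic.

    A domain is flagged when it has shown many distinct addresses, spread over
    several network prefixes, with short TTLs, and most repeat lookups surfaced
    an address never seen before (the 'rotation' that fast flux relies on).
    """
    state = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": [],
                                 "lookups": 0, "new_ip_lookups": 0})
    for domain, _ts, ttl, ips in sorted(answers, key=lambda a: a[1]):
        d = state[domain]
        d["lookups"] += 1
        d["ttls"].append(ttl)
        seen_before = len(d["ips"])
        d["ips"].update(ips)
        d["prefixes"].update(prefix24(ip) for ip in ips)
        # A repeat lookup that introduces a previously unseen address is a rotation event.
        if d["lookups"] > 1 and len(d["ips"]) > seen_before:
            d["new_ip_lookups"] += 1

    report = {}
    for domain, d in state.items():
        repeats = d["lookups"] - 1
        churn = d["new_ip_lookups"] / repeats if repeats else 0.0
        mean_ttl = mean(d["ttls"])
        report[domain] = {
            "unique_ips": len(d["ips"]),
            "unique_prefixes": len(d["prefixes"]),
            "mean_ttl": mean_ttl,
            "churn": churn,
            "fast_flux": (len(d["ips"]) >= MIN_UNIQUE_IPS
                          and len(d["prefixes"]) >= MIN_UNIQUE_PREFIXES
                          and mean_ttl <= MAX_MEAN_TTL
                          and churn >= MIN_CHURN),
        }
    return report


if __name__ == "__main__":
    for domain, r in classify_domains(SAMPLE_ANSWERS).items():
        print(f"{domain:16} ips={r['unique_ips']} prefixes={r['unique_prefixes']} "
              f"ttl={r['mean_ttl']:.0f} churn={r['churn']:.2f} fast_flux={r['fast_flux']}")
```

The constructed `cdn.example` entry is there to show why a short TTL on its own is a poor signal: load-balanced content networks also rotate addresses quickly, but they stay within a small number of prefixes and rarely accumulate the address count a flux network does, so the heuristic requires all four conditions before flagging a domain.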
To add to these developments, there has been a recent segmentation of the botnet into smaller, more discreet networks, which allows the controllers to hire out each segment
162 Vikram Thakur from Symantec noted how Storm Worm moved from simply using social-engineering techniques to spread malware to actually exploiting vulnerabilities.
Page 55