In 2007, a P2P botnet built by a malicious program known as the Storm Worm (classified by Kaspersky Lab as Email-Worm.Win32.Zhelatin) attracted the attention of information security researchers.
The authors of the “Storm” worm spread their creation very actively: apparently they have set up an entire factory for producing new versions of the malicious program.
Some experts believe that the “Storm” worm is a malicious program built for constructing a zombie network of a new generation. The following characteristics of the “Storm” botnet indicate that the bot was designed and distributed by professionals in their field, and that the architecture and protection of the zombie network are well thought out:
- The bot's code mutates, which is reminiscent of polymorphic viruses. The difference with the Storm Worm is that the mutation does not take place inside the program itself (as with polymorphic viruses) but on a dedicated computer on the network. This mechanism is called “server-side polymorphism”.
- Mutations occur frequently (there have been cases of a mutation every hour) and, most importantly, on the server side, so that signature database updates are ineffective for many users.
- The Storm botnet protects its resources from overly inquisitive researchers. Many antivirus companies regularly download new copies of the worm from the servers that distribute the malware. When frequent requests from the same address are detected, the bots are given the command to launch a DDoS attack against that address.
- The malicious bot tries to operate on the system as unobtrusively as possible. Obviously, a program that constantly attacks the computer or generates heavy network activity quickly attracts the attention of both administrators and users. From the malware's point of view, therefore, metered activity that does not require large computing resources is the safest.
- Instead of communicating with a central server, the Storm Worm connects only to a few “neighbors” among the infected computers in the network, which makes the task of identifying all zombie machines in the P2P network almost impossible. This is the principle on which intelligence networks are organized: each member of a group knows only a few other members, and the failure of one agent does not mean that the whole group is exposed.
- The authors of the worm constantly change the way it is distributed. Originally the malware was distributed as an attachment to spam emails (in particular under the guise of PDF files); later the spam carried links to infected files, and there were also attempts to automatically post blog comments containing links to infected websites. Whatever the distribution method, the malware's spread relied on sophisticated social engineering techniques.
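The server-side polymorphism and mutation-frequency points above are easiest to see in a malware-collection crawler's own logs: if the same download URL keeps serving a binary with a different hash, no signature update can keep pace. The following is an added example, not code from the original article or from any antivirus vendor; the fetch records, URLs (reserved `.invalid` domains) and hashes are constructed placeholders, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a crawler's log: repeated fetches of the same download
# URLs with the SHA-256 of each body. Hashes are short placeholders, not real
# Storm Worm indicators; the URLs use the reserved .invalid TLD.
SAMPLE_FETCHES = [
    ("2007-09-01T10:00:00", "http://a.invalid/ecard.exe", "aaa1"),
    ("2007-09-01T10:30:00", "http://a.invalid/ecard.exe", "aaa2"),
    ("2007-09-01T11:00:00", "http://a.invalid/ecard.exe", "aaa3"),
    ("2007-09-01T11:30:00", "http://a.invalid/ecard.exe", "aaa4"),
    ("2007-09-01T12:00:00", "http://a.invalid/ecard.exe", "aaa5"),
    ("2007-09-01T10:00:00", "http://b.invalid/setup.exe", "bbb1"),
    ("2007-09-01T13:00:00", "http://b.invalid/setup.exe", "bbb1"),
    ("2007-09-02T10:00:00", "http://b.invalid/setup.exe", "bbb2"),
]


def mutation_profile(records):
    """Group fetches by URL and measure how often the served binary changes.

    Returns {url: (fetches, distinct_hashes, changes_per_hour)}. A "change" is
    a fetch whose hash differs from the previous fetch of the same URL, so a
    server handing out a fresh mutation on every request scores close to
    1 / (interval between fetches in hours).
    """
    by_url = defaultdict(list)
    for ts, url, digest in records:
        by_url[url].append((datetime.fromisoformat(ts), digest))
    profile = {}
    for url, fetches in by_url.items():
        fetches.sort()
        changes = sum(1 for (_, a), (_, b) in zip(fetches, fetches[1:]) if a != b)
        span_h = (fetches[-1][0] - fetches[0][0]).total_seconds() / 3600
        rate = changes / span_h if span_h > 0 else 0.0
        profile[url] = (len(fetches), len({d for _, d in fetches}), rate)
    return profile


def flag_server_side_polymorphism(records, min_fetches=3, min_changes_per_hour=0.5):
    """URLs whose payload churns faster than a signature database can track.

    The thresholds are assumptions for this example; a real crawler would tune
    them to its own fetch interval.
    """
    return sorted(url for url, (n, _, rate) in mutation_profile(records).items()
                  if n >= min_fetches and rate >= min_changes_per_hour)
```

With the sample data, `a.invalid` changes its binary on every half-hour fetch (two changes per hour) and is flagged, while `b.invalid` changes once in a day and is not.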
The Storm botnet has caused a great many problems. In addition to mass spamming, it is suspected of involvement in various large-scale DDoS attacks around the world, and according to some researchers even the 2007 cyber attacks on the websites of Estonian government agencies could not have happened without the “Storm” botnet. What such a network is potentially capable of causes discomfort for ISPs and web hosters. Adding to the tension is that the true size of the “Storm” botnet remains a secret. With other botnets, built wholly or partly around a C&C server, the whole network can be seen (every zombie computer connected to the C&C is visible there); the list of infected machines in the “Storm” botnet, however, has been seen by none of the experts. According to various estimates, the size of the Storm Worm botnet could be anywhere from 50,000 to 10 million zombie computers.