
Storm Worm & Botnet

Jun Zhang
Websense, Inc.
Beijing Security Lab.
Aug 2008

Introduction -- What's the Storm Worm


A kind of malicious program
The first Storm worm was discovered in late January 2007
Storm is one of the first malware families to use a P2P
network, which makes Storm more resilient, more powerful and
harder to detect.
Spreading method
The primary method of spreading remains social
engineering email and phishing websites.

Introduction -- What's the Storm Worm


Storm Features
Based on P2P and rootkit technology, Storm is
able to easily resist attempts to shut down the network and
has evolved continuously to stay ahead of the anti-virus
industry and researchers.
Features:
Uses P2P network (Overnet/Kademlia)
Uses fast-flux DNS for hosting on named sites
Binary has gone through many revisions
Hides on machine with rootkit technology

Introduction -- What's the Storm Worm


Storm Capabilities
As Storm has evolved, it has gained a number of
capabilities to aid it in malicious activity.
Capabilities:
Spam
Spread
ICMP Echo flood
TCP SYN flood
Proxy connections
Download and execute file

Introduction -- What's the Storm Worm


Malicious Activities
The Storm network has been used for many malicious
money-making activities.
Spamming
Phishing emails
DDoS Attack
Example: Sending spam through Google's SMTP server

Introduction -- What's the Storm Worm


Example: Phishing mail

Introduction -- What's the Storm Worm


Core components of Storm
P2P-based Botnet
Rootkit
Through analyzing the recent Storm, we noticed that the
P2P network and the Rootkit are the most important parts of the
Storm worm.
Most Storm worms use the Overnet protocol to construct their
botnet; because of the distributed nature of Overnet,
there isn't a central command and control server.
This dynamic nature makes Storm so resilient to attack.

Introduction -- What's the Storm Worm


The nature of the Overnet-based P2P botnet is also the primary
reason why casual researchers and security enthusiasts
often chalk the Storm botnet up as impossible to shut down,
or even to track or estimate the size of.
Another reason Storm avoids detection is the
rootkit technology. The rootkit enhances Storm's hiding ability:
using the rootkit, Storm can hide itself in the file
system, conceal running processes and easily bypass the
firewall and IDS.
Next, we will focus on the P2P-based botnet and the rootkit,
and discuss these with a real Storm we captured.

Storm Worm P2P-based Botnet


Overview
In recent years, P2P technology has been used frequently in
Storm variants and has become more and more popular.
The P2P-based botnet is very hard to trace and to
shut down, because the botnet has robust network
connectivity (this is the nature of a P2P network), uses
encryption, and controls traffic dispersion.
Each bot influences only a small part of the
botnet, and upgrade/recovery is accomplished easily by its
botmaster.

Storm Worm P2P-based Botnet


Decentralized Botnet
The latest botnet is a decentralized architecture, unlike
the traditional peer-to-peer system.
This kind of botnet does not need a central command and
control location;
it allows the attacker to upgrade and control infected
hosts without the botmaster.

Storm Worm P2P-based Botnet


P2P botnet Implementation
Storm uses a distributed hash table (DHT) based on the
Kademlia algorithm and assigns a random 128-bit ID to each
bot.
The format of the random ID is similar to this:

Normally, Storm will carry a hard-coded peer list. This
list will be used to bootstrap the botnet.

Storm Worm P2P-based Botnet


Example of peer list

Each line is a single hex-encoded peer in this format:
<128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>
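As an added example (not code from the slides, and not Websense's tool), here is a parser for the peer-list format quoted above, together with the Kademlia XOR distance that decides which peers a node routes a lookup towards. It assumes the IP and port fields are in network byte order, which the slide does not state, and runs over a constructed sample list with documentation-range addresses and made-up IDs rather than a real capture.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical parser for the hex-encoded peer-list format quoted on the slide:
#   <128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>
# Assumption (not stated on the slide): IP and port are in network byte order.


@dataclass(frozen=True)
class Peer:
    node_id: int      # 128-bit Kademlia/Overnet node ID
    ip: str
    port: int
    peer_type: int


def parse_peer_line(line: str) -> Optional[Peer]:
    """Parse one peer-list line; returns None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    id_hex, sep, rest = line.partition("=")
    # 32 hex chars for the 128-bit ID, then 8 + 4 + 2 = 14 hex chars for IP, port, type
    if sep != "=" or len(id_hex) != 32 or len(rest) != 14:
        raise ValueError(f"malformed peer line: {line!r}")
    raw = bytes.fromhex(rest)                 # raises ValueError on non-hex input
    node_id = int(id_hex, 16)
    ip = str(ipaddress.IPv4Address(raw[0:4]))  # packed 4-byte form
    port = int.from_bytes(raw[4:6], "big")
    peer_type = raw[6]
    return Peer(node_id, ip, port, peer_type)


def parse_peer_list(text: str) -> List[Peer]:
    peers = []
    for line in text.splitlines():
        peer = parse_peer_line(line)
        if peer is not None:
            peers.append(peer)
    return peers


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance metric: XOR of the two 128-bit IDs, compared as integers."""
    return a ^ b


def closest_peers(peers: List[Peer], target_id: int, k: int = 3) -> List[Peer]:
    """The k peers a Kademlia node would route a lookup for target_id towards."""
    return sorted(peers, key=lambda p: xor_distance(p.node_id, target_id))[:k]


def peer_endpoints(peers: List[Peer]) -> List[str]:
    """Sorted unique ip:port endpoints, e.g. for a firewall or IDS watchlist."""
    return sorted({f"{p.ip}:{p.port}" for p in peers})


# Constructed sample list (documentation-range IPs, made-up IDs), not a real capture.
SAMPLE_PEER_LIST = """\
# id=ip port type
0123456789abcdef0123456789abcdef=c00002010d0500
ffffffffffffffffffffffffffffffff=c6336402c35000
0000000000000000000000000000ffff=cb0071033e8001
"""

if __name__ == "__main__":
    peers = parse_peer_list(SAMPLE_PEER_LIST)
    for p in peers:
        print(f"{p.node_id:032x} {p.ip}:{p.port} type={p.peer_type}")
    target = 0x0123456789ABCDEF0123456789ABCDEE
    print("closest to target:", [p.ip for p in closest_peers(peers, target)])
    print("watchlist:", peer_endpoints(peers))
```

A recovered bootstrap list is useful to a defender mainly as a watchlist: every infected host will try to contact these endpoints on start-up, so outbound UDP to them is a strong infection indicator even though the bot's own listening port is random.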

Storm Worm P2P-based Botnet


How to build up the peer list:
Use the system time as a random seed.
Generate the 128-bit bot ID from that time-based seed.
Randomly pick the IP/UDP port from a static array that
is carried by the Storm binary.
Keep part of the bot information in the configuration
file.

Storm Worm P2P-based Botnet


Botnet Traffic Analysis
The primary protocol the botnet uses is UDP. Each bot will
use the UDP protocol to communicate.
Normally, Storm will include an SMTP component to
spread the spam email.

Storm Worm P2P-based Botnet


Spamming SMTP component
This figure is the screen snapshot of a Storm sending spam.

Storm Worm P2P-based Botnet


UDP-based bots conversation

Storm Worm P2P-based Botnet


Securing the network traffic between bots
Storm uses an XOR encryption algorithm to encrypt the
messages between the bots and randomly assigns the UDP port for
each bot.

These greatly increase the dispersion of UDP ports, so it is very
hard to trace a single bot.

Storm Worm P2P-based Botnet


XOR Encryption Algorithm

This encryption algorithm is very simple but good enough
for bypassing IDS or IPS.
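To show why a repeating-key XOR scheme defeats a plaintext byte signature yet yields to known-plaintext analysis of captured traffic, here is an added example; it is not the Storm code and not Websense's observation tool. The 4-byte key, the "SRCH" header and the message layout (header, then the sender's 16-byte node ID) are hypothetical; the page does not show Storm's actual algorithm or message format.

```python
from itertools import cycle
from typing import Iterable

# Illustration of a repeating-key XOR stream cipher of the kind the slide describes.
# Assumptions (not from the slides): the key is a short byte string applied cyclically,
# and every message starts with a fixed header followed by the sender's 16-byte node ID.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (XOR with the same key is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plain: bytes, offset: int, key_len: int) -> bytes:
    """Known-plaintext recovery: key[(offset+i) % key_len] = c[offset+i] ^ p[i].

    Raises ValueError when the known fragment does not cover every key position,
    so a partial key is never returned as if it were complete.
    """
    key = bytearray(key_len)
    covered = [False] * key_len
    for i, p in enumerate(known_plain):
        pos = offset + i
        if pos >= len(ciphertext):
            break
        key[pos % key_len] = ciphertext[pos] ^ p
        covered[pos % key_len] = True
    if not all(covered):
        raise ValueError("known plaintext too short to cover every key byte")
    return bytes(key)


def signature_hits(packets: Iterable[bytes], signature: bytes) -> int:
    """A plaintext byte-signature check, as a simple IDS/IPS rule would apply it."""
    return sum(1 for p in packets if signature in p)


# Constructed sample: two bots send the same search message under different keys.
HEADER = b"SRCH"                                               # hypothetical header
NODE_ID = bytes.fromhex("0123456789abcdef0123456789abcdef")    # made-up 128-bit ID
PLAINTEXT = HEADER + NODE_ID + b"\x00\x01target-resource-id"
KEY_BOT_A = b"\x5a\x3c\xf1\x07"
KEY_BOT_B = b"\x99\x00\x42\xe3"
PACKET_A = xor_bytes(PLAINTEXT, KEY_BOT_A)
PACKET_B = xor_bytes(PLAINTEXT, KEY_BOT_B)


def demo() -> bytes:
    """Recover bot A's key from the known header + sender ID and decrypt its packet."""
    # The byte signature for the plaintext header matches neither packet on the wire...
    assert signature_hits([PACKET_A, PACKET_B], HEADER) == 0
    # ...but an analyst who knows the header and the sender's ID (from the peer list)
    # recovers the key and reads the message.
    key_a = recover_key(PACKET_A, HEADER + NODE_ID, 0, len(KEY_BOT_A))
    return xor_bytes(PACKET_A, key_a)


if __name__ == "__main__":
    print("packet A:", PACKET_A.hex())
    print("packet B:", PACKET_B.hex())
    print("decrypted:", demo())
```

The practical lesson for detection is that a content signature written against the decrypted message never fires, which is why the author's approach of decrypting and observing the messages with a purpose-built tool, or matching on behaviour such as UDP fan-out to many random ports, works where a static IDS rule does not.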

Storm Worm P2P-based Botnet


Botnet Messages
To analyse the botnet, I wrote a tool to observe the message
between the bots.
Two kinds of Messages:
Search:
A bot uses search messages to find resources and other
bots based on BotID.
Publicize:
A bot uses publicize messages to report ownership of
network resources (BotIDs) so that other bots can find the
resource later.

Storm Worm P2P-based Botnet


Search Message

Storm Worm P2P-based Botnet


Publicize Message

Storm Worm P2P-based Botnet


The huge Botnet
The figure below is a part of a real botnet; I observed more
than 5796 infected hosts in only 21 minutes!

Storm Worm Rootkit Technology


What's the Rootkit
A rootkit is a set of software applications intended to hide
running processes, files or system data from the operating
system.
In recent years, rootkits have been used increasingly by
malware to help intruders maintain access to systems while
avoiding detection.
Rootkits often modify parts of the operating system or
install themselves as drivers or kernel modules.

Storm Worm Rootkit Technology


A real Rootkit used by Storm Worm
We captured this Storm in August. Below is the workflow of the Rootkit this Storm used.

Storm Worm Rootkit Technology


The Rootkit's capabilities:
Hide file
Avoid being deleted (hooks NtQueryDirectoryFile)
Hide TCP port
Bypass the firewall (hooks the TCP device, \Device\Tcp)
Hide Win32 service (avoid being detected)
Erase its footprint from the registry
(hooks NtEnumerateKey/NtEnumerateValueKey)
Inject code into services.exe
From kernel mode, uses a user-mode APC to inject the malicious
code into "services.exe"

Storm Worm A Real One


Work-flow of a real Storm.

The white paper for this Storm can be found at:
http://securitylabs.websense.com/content/Assets/Storm_Worm_Botnet_Analysis_-_June_2008.pdf

Any Questions?

The End
