Published in News

Storm botnet disrupted by poisoning


Vulnerabilities discovered by researchers

Five German researchers have announced their public research attempt at actively disrupting the Storm worm, a peer-to-peer botnet. Botnets (networks of computers that are infected with malware) created by the Storm worm have evolved into using peer-to-peer techniques for communications, eliminating the need for a central control server. This makes them very difficult to locate and to shut down.

The researchers announced earlier this month at the Usenix Workshop on Large-Scale Exploits and Emergent Threats (LEET) in San Francisco, California that they were able to infiltrate the Storm worm and also were able to disrupt its communications through a “poisoning” technique.

The technique used active techniques, crawling the P2P network every 30 minutes, keeping track of peers and segregating infected peers from non-infected ones based on behavioral patterns. By crawling the Stormnet from early December 2007 through early February 2008, the researchers observed from 5,000 to 40,000 peers online at various times, but noted a distinct increase in bots during the holiday period from Christmas through New Years’ Day. The largest percentage of bots was found to be in the U.S.

The "poisoning" technique involves the keys used by Storm bots for communication. The researchers created and published a large quantity of false content for certain keys. By “polluting” the hashes that were identified as Storm hashes, the researchers were able to successfully disrupt the botnet communication.

Unfortunately, some botnet hosts are unaware that their computer systems are being misused or that they are part of a bot network. Researchers take the risk of disabling legitimate networks and computers when they attempt to poison botnet communications.  Due to this risk, the research group indicated that their future research will focus on analyzing the systems that issue the actual commands, which should lead to closer proximity of the actual operators of the Storm worm and possible apprehension by law enforcement.

Last modified on 28 April 2008
Rate this item
(0 votes)