The Coming Storm

I’ve been following the ever-growing Storm Worm phenomenon since its arrival almost a year ago. I was originally impressed by the relative polish of its social engineering. It has always seemed to me that most phishing, social engineering, and general spam lures carry some very obvious tells. It’s as if the individual crafting the lure were dropping those signs as warnings to their clued-in brethren, as though it were all a practical joke on the n00bs.

The Storm Worm changed all that in my opinion. The initial lures, messages about a catastrophic storm in Europe with links to what appeared to be video files, didn’t have that reek of hubris. It’s as if they had been toying with prototypes for all these years and, after all that testing, had finally unleashed a fully functional SPAM v1.0.

Storm’s approach has mutated over the past year while always keeping to relatively believable social lures. They have usually posed as video files or the less original e-card, but they adjust the pitch to hit on current events. More recently they’ve gone a step further by moving the attack behind a layer of abstraction. Instead of linking to executable files posing as videos or postcards, they now link to actual video files that claim to need a codec the player doesn’t have. The video file directs the media player to an infection source as the place to download and install the codec that will theoretically enable the video to play. This walks the user straight past the User Account Control prompts Vista throws up, because the user really is installing something; just not what they think they are. It’s brilliant design. All in all, the controller[s] behind Storm have really pushed the social engineering side of the lure, but what they’ve done behind the scenes is truly magnificent.

Unlike the highly viral worms of the past, Storm doesn’t go for the big bang. It doesn’t absorb all of the infected system’s resources and push thousands of copies of itself out over SMTP, eating cycles and bandwidth. It doesn’t plague the user of an infected system with pop-up garbage and the quick “buy this download to stop this annoying pop-up” payoff. Nope, it is a lot more insidious than that. It:

  1. Root-kits your box so that it can throttle its own resource use and leave the operating system responsive enough that nobody notices. The rootkit component loads as a kernel driver and hides the bot’s files and processes from the operating system’s own APIs, which is where anti-virus products look.
  2. Installs a peer-to-peer client (based on the Overnet/eDonkey protocol rather than BitTorrent) that both fetches instructions from the botnet and serves them on to other peers.
  3. Provides a virtual command prompt that carries out the instructions arriving through the peer-to-peer client.

Infected machines not only become part of the botnet but also become part of its command and control mechanism. There is no central server to seize, so the whole structure is decentralized and more or less impossible to take down. It also gives the infected computers a way to pull down the latest viral code, keeping the botnet one step ahead of the anti-virus applications that try to stop it and letting it change tactics to fit the changing needs of the controller[s] or their clientèle. What the controller[s] have created is a robust, decentralized, anonymous command and control structure for what is arguably the largest botnet ever assembled.

So what have they done with this powerful tool?

Mostly nothing. They do the common stuff like relaying spam and growing the network through further infection, but they have not yet leveraged the full power of this botnet for any larger nefarious purpose. It should be noted that some individuals who have been tracking Storm have themselves been hit by DDoS traffic coming from small portions of the botnet, which was enough to melt down their servers. These researchers have been trying to work out the intentions of the controller[s] by building honeypots and studying the traffic the bots generate, but those in control have not tipped their hand as of yet.

Another scary thought is that this botnet could be taken over by someone less scrupulous and/or careful than the current controller[s]. Imagine the cool points one could gather by subverting the C&C structure and taking over the botnet oneself. One would almost have to bring the full brunt of the botnet to bear on something, if only to demonstrate to the world that one had acquired control. Whether that is possible comes down to whether the bots check who an instruction came from before acting on it, or simply trust whatever the peer-to-peer layer hands them.
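To make the two points above concrete, here is an added toy model (written for this post, not Storm’s own code or protocol): bots and controller derive the day’s rendezvous keys from the date, commands are published into a shared key/value store that stands in for the peer-to-peer overlay, and a hijacker who knows the key derivation (it ships in every bot binary) but lacks the controller’s private key publishes a command of their own. The key derivation, slot count, command strings and date are all constructed for the example. A Lamport one-time signature is used as a stand-in for a real signature scheme only because it needs nothing beyond the standard library.

```python
import datetime
import hashlib
import os

# Constructed toy of a decentralised, DHT-style command channel.  Added as an
# illustration; it is not Storm's protocol, key scheme or command format.

SLOTS_PER_DAY = 4  # assumed: how many rendezvous keys a bot tries per day


def rendezvous_key(day: datetime.date, slot: int) -> str:
    """Bots and controller derive the same lookup key from the date and a slot
    number, so nothing central has to hand the key out (assumed scheme)."""
    return hashlib.sha256(f"{day.isoformat()}:{slot}".encode()).hexdigest()


class DHT:
    """Minimal shared key/value store standing in for the peer-to-peer overlay
    that the infected machines themselves make up."""

    def __init__(self):
        self.store = {}

    def publish(self, key, value):
        self.store.setdefault(key, []).append(value)

    def lookup(self, key):
        return list(self.store.get(key, []))


# Lamport one-time signature: hash-based, standard library only.  Stands in for
# whatever real scheme a controller would use; each key pair signs one message.
def _bits(msg: bytes):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[hashlib.sha256(x).digest() for x in pair] for pair in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(sig[i]).digest() == pk[i][b]
               for i, b in enumerate(_bits(msg)))


class Bot:
    """An infected host: polls the overlay for today's keys and runs whatever
    it finds.  Given the controller's public key it drops anything that does
    not verify; without one it trusts the overlay blindly."""

    def __init__(self, dht: DHT, controller_pk=None):
        self.dht = dht
        self.controller_pk = controller_pk
        self.executed = []

    def poll(self, day: datetime.date):
        for slot in range(SLOTS_PER_DAY):
            for cmd, sig in self.dht.lookup(rendezvous_key(day, slot)):
                if self.controller_pk is not None and not lamport_verify(
                        self.controller_pk, cmd, sig):
                    continue  # unsigned or forged instruction: ignored
                self.executed.append(cmd.decode())
        return self.executed


def run_scenario(verify_signatures: bool):
    """Controller publishes one signed command; a hijacker who knows the key
    derivation but has no signing key publishes another under a second slot.
    Returns the list of commands one bot ends up executing."""
    dht = DHT()
    day = datetime.date(2007, 10, 1)  # constructed date
    controller_sk, controller_pk = lamport_keygen()

    real_cmd = b"relay-spam template=42"  # constructed sample command
    dht.publish(rendezvous_key(day, 0),
                (real_cmd, lamport_sign(controller_sk, real_cmd)))

    forged_cmd = b"fetch-update from=hijacker"  # constructed sample command
    bogus_sig = [os.urandom(32) for _ in range(256)]
    dht.publish(rendezvous_key(day, 1), (forged_cmd, bogus_sig))

    bot = Bot(dht, controller_pk if verify_signatures else None)
    return bot.poll(day)


if __name__ == "__main__":
    print("no verification:  ", run_scenario(False))
    print("with verification:", run_scenario(True))
```

The trusting bot executes both commands; the verifying bot executes only the controller’s. Nothing about the overlay itself changes between the two runs, which is the point: decentralisation makes the channel hard to take down, but whether it can be taken over is decided entirely by the authentication check inside the bot.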

What if a sovereign interest managed to wrest control of the net? The attacks on Estonia’s infrastructure earlier this year, by ostensibly Russian interests, demonstrate what can be done with a sufficiently powerful and decentralized botnet. What if that power were turned on Wall Street? Or even the DoD? Crazy.

Then again, others argue that the Storm is dissipating, with the number of infected machines decreasing as publicity about the worm continues to grow. We can only hope. On the other hand, others argue that the botnet is merely being partitioned so that pieces of it can be sold off. This would not be cool at all.

Anyway, I wanted to post this in case others hadn’t heard about it, and to lay a foundation for future posts on the topic. I’ll certainly continue following this story at any rate.