Then again, I’d probably be rabitting for the NSA or somesuch and that’s not desirable. Because, like, if this isn’t a state-sponsored effort I’ll eat my hat.

Coding Horror: A Question of Programming Ethics

Storm botnet takes advantage of Valentine’s Day

The dialog box asks you to download a codec to view the movie. The image is dressed up like a dialog box even going so far as to enabling you to drag it around. The ultimate clue being you cannot drag it outside the browser window’s boundaries. Clicking the “Cancel” area on the image map throws a Javascript dialog asking you to click “OK” to download the exe file. Clicking “Cancel” here throws another dialog that insists you click “OK” to download the exe file. Clicking “OK” brings you back to the previous “Click OK to download the codec” pop-up.

Clever. I never did go so far as to try to view the embedded Flash Video file underneath. I mean, it’s likely that there has to be a video file to cover the social engineering that just occurred if they did manage to get the fake codec installed on you machine. Still, they steer really hard to get you to the place where you download that putative codec.

Like I said. Clever. The social engineering continues to get better.

Storm’s approach has mutated over the past year but always keeping with the relatively believable social attack vectors. They usually have posed as video files or the less original postcard vector but altering the approach to hit on current events. More recently, they’ve gone insidious by moving the attack behind a layer of abstraction. No longer linking to executable files posing as video or postcards, they now link to actual video files encoded with an unidentifiable video codec. The video file directs the media player to an infection source as the place to download and install a codec that will theoretically enable the video to play. This process opens the user to clicking past the authentication windows Vista throws out there because the user is actually installing something; just not what they think they are. It’s brilliant design! In all the controller[s] behind Storm have really pushed the social engineering aspects of attack vectors, but what they’ve done behind the scenes is truly magnificent.

Unlike highly viral worms in the past, Storm doesn’t go for the big bang. It doesn’t absorb all of the infected system’s resources and push thousands of spores through SMTP, eating cycles and bandwidth. It doesn’t plague the user of an infected system with lots of pop-up garbage with the quick “buy this download to stop this annoying pop-up” payoff. Nope, it is a lot more insidious than that… It:

1. Root-kits your box so that it can dole out resources as necessary to your operating system. It also avoids anti-virus detection by running outside the operating system.
2. Installs a bittorrent-like client that feeds and seeds instructions from the botnet.
3. Provides a virtual command prompt that implements instructions coming from the peer-to-peer client

Infected machines not only become part of the botnet but also become part of the command and control mechanism for the botnet. The whole structure is completely decentralized and more or less impossible to take down. It also provides a means by which the infected computers can update with the latest viral code, keeping the bot net one step ahead of the anti-virus applications that try to stop it and changing tactics to fit the changing needs of the controller[s] or their clientèle. What the controller[s] have created is a robust, decentralized, anonymous command and control structure for what is arguably the largest bot net ever assembled.

So what have they done with this powerful tool?

Mostly nothing. They do the common stuff like relay spam and build the network out through further infection, but they have not yet leveraged the full power of this botnet for any nefarious purpose. It should be noted that some individuals who have been tracking the Storm have themselves been attacked by DDoS coming from small portions of the botnet—which was enough to meltdown their servers. These researchers have been trying to parse out the intentions of the controller[s] by creating honeypots and studying the traffic they generate but those in control have not tipped their hand as of yet.

Another scary thought is that this botnet could be compromised by someone less scrupulous and/or careful than the current controller[s]. Imagine the cool points one could gather by subverting the C&C structure and take over the botnet one’s self. One would necessarily have to bring the full brunt of the botnet to bear for some purpose, if only to demonstrate to the world that one had acquired control.

What if a sovereign interest managed to wrest control of the net? The attack on Latvia’s infrastructure by ostensibly Russian interests demonstrates what can be done by a sufficiently powerful and decentralized botnet. What if this power was turned on Wall Street? or even the DoD? Crazy.

Then again, others argue that the Storm is dissipating. The numbers of infected machines decreasing as publicity about the worm continues to grow. We can only hope. On the other hand, others argue that the botnet is merely being partitioned so as to sell various pieces of it off. This would not be cool at all.

Anyway, I wanted to post this in the event others hadn’t heard about it and to provide a foundation for future posts on the topic moving forward. I’ll certainly continue following this story at any rate.