The tinkering networks of the Internet criminal/hacker marketplace have produced a major innovation called the "Storm Worm" and it is rewriting the rules of engagement in computer security. It's essentially a new breed of malware that is a combination of worm/trojan/bot. What makes it special is that the Storm Worm's method of operation is sophisticated, so much so, that it is nearly immune to defense, suppression, or eradication -- demonstrated in that it has already infected up to 50 million computers and slaved them into a massive botnet.However, the really dangerous aspect of this isn't the smart way the Storm Worm is operated, it's what the network will be able to do once it activated. If the developers are as smart as their approach indicates, that outcome will either be a big pay-off or substantial damage.
A Rogue Network ExpandsSo, what's so special about it? Bruce Schneier, an expert on computer security and the author of an excellent blog (as well as the book, Beyond Fear), lists the details of Storm Worm's behavior:
- Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.
- Storm is designed like an ant colony, with a separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.
- Stealth. Storm doesn't cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won't notice any abnormal behavior most of the time.
- Distributed/resilient command and control. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn't have a centralized control point, and thus can't be shut down that way. This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn't show up as a spike. Communications are much harder to detect.
One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won't work with Storm: An infected host may only know about a small fraction of infected hosts -- 25-30 at a time -- and those hosts are an unknown number of hops away from the primary C2 servers. And even if a C2 node is taken down, the system doesn't suffer. Like a hydra with many heads, Storm's C2 structure is distributed. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called "fast flux." So even if a compromised host is isolated and debugged, and a C2 server identified through the cloud, by that time it may no longer be active.
- Rapid evolution. Storm's payload -- the code it uses to spread -- morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective. Also, Storm's delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites -- anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels. The Storm e-mail also changes all the time, leveraging social engineering techniques. There are always new subject lines and new enticing text: "A killer at 11, he's free at 21 and ...," "football tracking program" on NFL opening weekend, and major storm and hurricane warnings. Storm's programmers are very good at preying on human nature.
- Retaliation. Last month, Storm began attacking anti-spam sites focused on identifying it -- spamhaus.org, 419eater and so on -- and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy's reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.
Superempowerment Through Self-ReplicationIt's not surprising that the methods of operation we see with the Storm Worm are similar to the methods of open source warfare in the real world explored on this blog and in Brave New War. The interesting part is that it uses individual superempowerment, a major trend cited in the book, to bring it to a new level. This superempowerment is accomplished by adding hard self-replication to the mix (as opposed to soft self-replication through the propagation of ideas or disruption -- ala al Qaeda). Hard self-replication makes exact copies of itself through an automated process, ad infinitum, and is something we will see much more of in biotech weapons/crimes in the future. It is the path to a one man against the world scenario. NOTE to insiders: Hard self-replication likely a hallmark of a fifth generation of warfare.