Botnets: New and certainly improved

Recent news about botnet activity is far from reassuring, with bigger and better seeming to be the trend. Let's try and figure out how and why the good guys are losing.

A paradox immediately jumps out at me. The world's economy is tanking, yet the dark side seems to be thriving. Has the Internet made it easier for the bad guys? Is the return on investment (ROI) that good, allowing malware creators to continually improve products like the Storm worm? It seems so.

Storm's resiliency

The first bit of news is about the botnet created by the Storm worm and its undeniable resiliency. Storm took everyone by surprise in 2007, creating one of the largest botnets ever. Still, Storm all but disappeared in early 2008, due in large part to Microsoft's Malicious Software Removal Tool (MSRT). Within a month of Microsoft issuing signatures for several Storm variants, MSRT had removed the Storm malware from almost 300,000 computers.

Around the same time, Joe Stewart, the tireless director of malware research at SecureWorks, broke the 64-bit encryption key used for command-and-control traffic. With the encryption key in hand, security analysts were able to further reduce the usefulness of Storm's botnet by isolating and blocking the P2P inter-node communications.

In August 2008, I wrote the article "Storm Worm: The Energizer Bunny of Botnets." In the article, I was trying to point out the tenacity of the Storm developers. At that time it appeared that Storm was making yet another resurgence, but it didn't come to pass, so I thought I had made a mistake. It now seems that Storm's developers were just regrouping.

Waledac is Storm revamped

Dr. Jose Nazario, who graciously answered our questions about botnets in the article "10 Answers to Your Questions about Botnets," has been able to determine that Waledac is the new and improved version of the Storm botnet, providing supporting evidence in his blog post Walking Waledac:

"First, it looks like Waledac is the Storm worm infrastructure and group but with new malcode. I now fully support this conclusion and have for several days based on evidence from reliable sources.

OK, now that that is out in the open, one of the things we in the research community noticed about the Storm Worm network was that nodes acted as both an HTTP proxy and an open recursing DNS server."

Waledac's improvements

Storm used P2P technology for command and control, which initially was considered a brilliant way to manage botnets. Still, it was what security experts call noisy, allowing them to track and ultimately locate the nodes. Waledac, by contrast, uses HTTP-based traffic for command and control. Malware developers have learned that it is far more difficult to isolate relatively minor HTTP command-and-control requests within the vast amount of HTTP traffic that traverses the Internet.

Also, Waledac's encryption scheme has been beefed up, moving from the original 64-bit RSA algorithm to a two-part process. Initial connection traffic uses AES encryption. Once the confirmation handshake is completed, Waledac switches to 1024-bit RSA encryption for the rest of the traffic, which is essentially impossible to crack.

Waledac's purpose

I'm afraid that Waledac, like Storm, is purposed to make sure all of us have enough spam in our inboxes. This past Christmas Eve, analysts noticed a significant spam run consisting of electronic greeting cards. In fact, the spam run was so similar to Storm's handiwork that it led researchers to eventually make the connection between Storm and Waledac.

So, Storm, aka Waledac, is still here and healthier than ever. I'd like to now move on to another piece of botnet news. What makes this news relevant and quite amazing is the growth rate of the botnet.

Worm:Win32/Conficker.B: It didn't take long

In December, I wrote the article "MS08-067: Not Updating Has Created a Monster Botnet." Little did I know that monster would mean anywhere from 3 million to 9 million bot members, depending on which analyst you believe. Kelly Jackson Higgins, in the article "Widespread Worm May Be Building a New Botnet," describes the circumstances behind Win32/Conficker.B's successful deployment:

"One thing that is certain: The worm is spreading like wildfire, and its creators appear to be trying to beat the clock and infect as many machines as they can that haven't yet patched for the Windows vulnerability that it exploits on Windows 2000, XP, and Windows Server 2003 systems. The perpetrators have been cranking out new variants of the worm to evade detection."

Potential is there, but no purpose as of yet

Security experts are keeping a close watch on this potential botnet. As of now, it hasn't been purposed to do anything. The malware code specifies domains that the bot machines are supposed to communicate with, but those domains have yet to be registered. Analysts are even wondering whether the people behind this are having trouble setting up the command-and-control structure simply because of the sheer number of infected machines that need to be managed.
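Bots contacting domains that nobody has registered yet leave a distinctive trace in resolver logs: the same client collecting NXDOMAIN answers for many different names. The Python below is an added example, not code from the original article or from any Conficker analysis; it parses a constructed, assumed log format and flags clients whose distinct failed lookups cross a threshold, which is how a defender would spot this behaviour before the domains go live.

```python
import re
from collections import defaultdict

# Assumed resolver log format (constructed for this example):
#   "<time> <client_ip> <queried_name> <response_code>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

# Constructed sample lines. 10.0.0.7 keeps asking for names that do not
# exist (the pattern described for Conficker's unregistered domains),
# 10.0.0.5 behaves normally, and one malformed line must be skipped.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.7 qpzmx.invalid NXDOMAIN
10:00:03 10.0.0.7 ttnvk.invalid NXDOMAIN
10:00:04 10.0.0.7 bqgw.invalid NXDOMAIN
10:00:05 10.0.0.5 mail.example.com NOERROR
10:00:06 10.0.0.7 lkpo.invalid NXDOMAIN
10:00:07 10.0.0.5 typo.exmaple.com NXDOMAIN
garbage line
"""

def parse_log(text):
    """Yield (client, name, rcode) tuples, silently skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            _, client, name, rcode = m.groups()
            yield client, name.lower(), rcode

def nxdomain_names(text):
    """Map each client to the set of distinct names it failed to resolve."""
    failed = defaultdict(set)
    for client, name, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            failed[client].add(name)
    return failed

def flag_clients(text, threshold=3):
    """Return clients with at least `threshold` distinct NXDOMAIN names.

    A single typo (10.0.0.5 above) stays under the threshold; a host
    cycling through a list of not-yet-registered names does not.
    """
    return sorted(c for c, names in nxdomain_names(text).items()
                  if len(names) >= threshold)

if __name__ == "__main__":
    for client in flag_clients(SAMPLE_LOG):
        n = len(nxdomain_names(SAMPLE_LOG)[client])
        print(f"{client}: {n} distinct unresolvable names")
```

The threshold and time window would be tuned to the environment; a real deployment would also bucket by time rather than over a whole log.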

Hopefully MSRT will help again

Microsoft feels that this is a significant threat (remember, MS08-067 was an out-of-band update). Microsoft even included detection signatures for the Conficker worm in January's critical updates:

"To help customers who are affected, we decided to add capabilities to detect and remove this worm to the January version of the MSRT. If your computer or environment is impacted by this malware, you may want to run the MSRT to help disinfect it."

The following diagram (courtesy of Microsoft) visualizes how the Conficker worm works:


I see this botnet as another paradox. MS08-067 is available and eliminates the vulnerability that Conficker exploits. So if the critical update was ignored, more than likely the new signatures in the January update are going to be ignored as well.

Final thoughts

It's my goal and promise to keep everyone up to speed on what's happening in the botnet world. Having an informed majority will go a long way in preventing any detrimental impact from botnets. I just hope it doesn't take a major negative incident to get the majority informed and willing to help themselves.


