Botnets: New and certainly improved

Recent news about botnet activity is far from reassuring, with bigger and better seeming to be the trend. Let's try and figure out how and why the good guys are losing.

A paradox immediately jumps out at me. The world's economy is tanking, yet the dark side seems to be thriving. Has the Internet made it easier for the bad guys? Is the RoI that good, allowing malware creators to continually improve products like the Storm worm? It seems so.

Storm's resiliency

The first bit of news is about the botnet created by the Storm worm and its undeniable resiliency. Storm took everyone by surprise in 2007, creating one of the largest botnets ever. Still, Storm all but disappeared in early 2008, due in large part to Microsoft's Malicious Software Removal Tool (MSRT). Within a month of Microsoft issuing signatures for several Storm variants, MSRT had removed the Storm malware from almost 300,000 computers.

Around the same time, Joe Stewart, the tireless director of malware research at Secureworks, broke the 64-bit encryption key used for command and control traffic. Having the encryption key, security analysts were able to further reduce the usefulness of Storm's botnet by isolating and blocking the P2P inter-node communications.

In August 2008, I wrote the article "Storm Worm: The Energizer Bunny of Botnets." In the article, I was trying to point out the tenacity of the Storm developers. At that time it appeared that Storm was making yet another resurgence, but it didn't come to pass, so I thought I had made a mistake. It now seems that Storm's developers were just regrouping.

Waledac is Storm revamped

Dr. Jose Nazario, who graciously answered our questions about botnets in the article "10 Answers to Your Questions about Botnets," has been able to determine that Waledac is the new and improved version of the Storm botnet, providing supporting evidence in his blog post "Walking Waledac":

"First, it looks like Waledac is the Storm worm infrastructure and group but with new malcode. I now fully support this conclusion and have for several days based on evidence from reliable sources.

OK, now that that is out in the open, one of the things we in the research community noticed about the Storm Worm network was that nodes acted as both an HTTP proxy and an open recursing DNS server."

Waledac's improvements

Storm used P2P technology for command and control and initially was considered a brilliant way to manage botnets. Still, it was what security experts call noisy, allowing them to track and ultimately locate the nodes. Well, Waledac uses HTTP-based traffic for command and control. Malware developers have learned it's exponentially more difficult to isolate relatively minor HTTP command and control requests in the vast amount of HTTP traffic that traverses the Internet.

Also, Waledac's encryption scheme has been beefed up, moving from the original 64-bit RSA algorithm to a two-part process. Initial connection traffic uses AES encryption. Once the confirmation handshake is completed, Waledac switches to RSA 1024-bit encryption for the rest of the traffic, which essentially is impossible to crack.

Waledac's purpose

I'm afraid that Waledac, like Storm, is purposed to make sure all of us have enough spam in our inboxes. This past Christmas Eve, analysts noticed a significant spam run consisting of electronic greeting cards. In fact, the spam run was so similar to Storm's handiwork that it led researchers to eventually make the connection between Storm and Waledac.

So, Storm, aka Waledac, is still here and healthier than ever. I'd like to now move on to another piece of botnet news. What makes this news relevant and quite amazing is the growth rate of the botnet.

Worm:Win32/Conficker.B: It didn't take long

In December, I wrote the article "MS08-067: Not Updating Has Created a Monster Botnet." Little did I know that "monster" would mean anywhere from 3 million to 9 million bot members, depending on which analyst you believe. Kelly Jackson Higgins, in the article "Widespread Worm May Be Building a New Botnet," describes the circumstances behind Win32/Conficker.B's successful deployment:

"One thing that is certain: The worm is spreading like wildfire, and its creators appear to be trying to beat the clock and infect as many machines as they can that haven't yet patched for the Windows vulnerability that it exploits on Windows 2000, XP, and Windows Server 2003 systems. The perpetrators have been cranking out new variants of the worm to evade detection."

Potential is there, but no purpose as of yet

Security experts are keeping a close watch on this potential botnet. As of now, it hasn't been purposed to do anything. The malware code specifies domains that the bot machines are supposed to communicate with, but the domains have yet to be registered. Analysts are even wondering if the people behind this are having trouble setting up the command and control structure simply because of the sheer number of infected machines that need to be managed.
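As an added example (not code from the article, Microsoft or any of the researchers quoted), one way a defender can spot machines that keep trying to reach command and control domains nobody has registered is to watch a resolver log for clients that churn through many distinct NXDOMAIN answers in a short span. The log format and every name and address in it are constructed for this example:

```python
"""Flag clients that keep looking up names that resolve to NXDOMAIN.
Added example, not from the article: bots whose hard-coded C&C domains are
not yet registered churn through many distinct unresolvable names, while
ordinary clients produce only the odd typo. Log format is constructed here:
timestamp, client IP, queried name, response code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the .test names are placeholders, not real IoCs.
SAMPLE_LOG = """\
2009-01-20T10:00:01 10.0.0.5 www.example.com NOERROR
2009-01-20T10:00:04 10.0.0.5 wwww.example.com NXDOMAIN
2009-01-20T10:00:10 10.0.0.7 aqzpkl.example-c2.test NXDOMAIN
2009-01-20T10:00:11 10.0.0.7 bfxmrw.example-c2.test NXDOMAIN
2009-01-20T10:00:12 10.0.0.7 ctyqen.example-c2.test NXDOMAIN
2009-01-20T10:00:13 10.0.0.7 dkovhs.example-c2.test NXDOMAIN
2009-01-20T10:00:14 10.0.0.7 ejunwa.example-c2.test NXDOMAIN
2009-01-20T10:00:15 10.0.0.7 fpglzr.example-c2.test NXDOMAIN
2009-01-20T10:00:20 10.0.0.9 intranet.example.com NXDOMAIN
2009-01-20T10:00:21 10.0.0.9 intranet.example.com NXDOMAIN
2009-01-20T10:00:22 10.0.0.9 intranet.example.com NXDOMAIN
2009-01-20T10:00:23 10.0.0.9 intranet.example.com NXDOMAIN
2009-01-20T10:09:00 10.0.0.5 exmaple.com NXDOMAIN
"""

def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower(), rcode

def nxdomain_suspects(log_text, window=timedelta(minutes=5), min_unique=5):
    """Return {client: all distinct NXDOMAIN names} for every client that
    queried at least min_unique distinct NXDOMAIN names within one window."""
    events = defaultdict(list)  # client -> [(timestamp, qname)]
    for line in log_text.splitlines():
        if line.strip():
            ts, client, qname, rcode = parse_line(line)
            if rcode == "NXDOMAIN":
                events[client].append((ts, qname))
    suspects = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            names = {q for _, q in evs[start:end + 1]}
            if len(names) >= min_unique:  # repeats of one name do not count
                suspects[client] = {q for _, q in evs}
                break
    return suspects

if __name__ == "__main__":
    for client, names in nxdomain_suspects(SAMPLE_LOG).items():
        print(client, "queried", len(names), "unregistered names:", sorted(names))
```

A host that repeatedly fails on one internal name (10.0.0.9) or makes an occasional typo (10.0.0.5) is not flagged; only the client cycling through distinct unresolvable names is.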

Hopefully MSRT will help again

Microsoft feels that this is a significant threat (remember, MS08-067 was an out-of-band update). Microsoft even included detection signatures for the Conficker worm in January's Critical Updates:

"To help customers who are affected, we decided to add capabilities to detect and remove this worm to the January version of the MSRT. If your computer or environment is impacted by this malware, you may want to run the MSRT to help disinfect it."

The following diagram (courtesy of Microsoft) visualizes how the Conficker worm works:

[Diagram: conficker_final.png, Microsoft's illustration of how the Conficker worm works]

I see this botnet as another paradox. MS08-067 is available and eliminates the vulnerability that Conficker exploits. So if the critical update was ignored, more than likely the new signatures in the January update are going to be ignored as well.

Final thoughts

It's my goal and promise to keep everyone up to speed on what's happening in the botnet world. Having an informed majority will go a long way in preventing any detrimental impact from botnets. I just hope it doesn't take a major negative incident to get the majority informed and willing to help themselves.

41 comments
seanferd

Conficker seizes city's hospital network - The Register

Jalapeno Bob

I believe there are two big "people problems" that we, as computer professionals, need to enlist psychologists to solve:
1. The "toaster" mentality. This is expressed: if it works, don't fix it. Most modern users do not know, nor do they even care to know, how a computer works. This leads people to ignore "idiot lights" and such, until the device fails. Just ask any auto mechanic.
2. Business leaders who, ignoring their IT staff and other experts, prohibit installing patches because they are afraid that their mission critical applications will suddenly fail after some patch is installed.
Your thoughts?

browolf

Maybe MS needs to make its monthly removal tools auto-install and not ignorable, separate from Windows Update, seeing as they're pretty much the only people in the loop who have any potential power to halt open season on unpatched PCs.

Another Canadian

Well-done article; now bring the sentences that go with the crimes also.

tkensc1

It's interesting to read about all of the efforts taken to try and prevent this and other malicious software from destroying people's file systems and making tons of money for the perpetrators of these crimes. But where are the efforts to detect, arrest, and severely punish those who do this type of thing? Perhaps we have focused too heavily on developing technology to deal with these criminal activities and not enough on detection, arrest, conviction and punishment of those who engage in these criminal behaviors. TKEN

Michael Kassner

I just learned that several fake Web sites related to the election are malicious in intent and loaded with drive-by droppers that install the Storm/Waledac worm. This blog site has some good information about the process: http://swatrant.blogspot.com/

jerome.buchler

When times are harsh, organized crime is on the move. Bandits that owe money to other bandits do not have a choice; they have to find fresh cash. They are now considering botnets like they used to consider bank robbing in the past. Here in France the number of attacks with firearms has been exploding lately. I do not see any big difference with online crime :)

santeewelding

Your value and relevance are as immediate and useful as the ins and outs of a martial art.

Michael Kassner

Malware coders are getting better. Are the good guys doing so as well? Find out in the article and see how to avoid having your computer join a botnet being formed by these two worms.

Michael Kassner

You beat me to the punch. I wonder how effective that will be? Before long a new variant will be out that's totally encrypted and they won't know where the clients are pointing. For some reason, I feel that what they are doing is a bit invasive. Not sure why, but I do.

Michael Kassner

One thing that I am amazed at is that throughout the history of mankind, techniques and capabilities have changed. It just seems that we can't change ourselves as fast. I can associate some of the problems cave dwellers had to what we still contend with. Wow, that's enough philosophy for me.

Neon Samurai

Any good IT shop for a company should consider using a two- if not three-stage process. "Dev" is your development box for trying really new ideas or starting from scratch for whatever your install does. Testing is a clone of your Production install; install the patches on Testing and see if your mission critical applications break or not. Only then do you touch Production.

Michael Kassner

With MSRT and Defender already in place, MS is helping significantly. It's just the pirate copies and users that for some reason don't want to update monthly.

Michael Kassner

That the world community will come together and somehow manage this.

Michael Kassner

Most of the activity is from Eastern Europe, and there is no real legal way to touch them. The colos that reside in the US are somewhat protected by the fact that they officially don't know what's on their servers. Or that's at least what they are saying. If you are interested, this article talks about that: http://blogs.techrepublic.com.com/networking/?p=726

csmith.kaze

Laws in different countries are the roadblock. Some countries don't have laws regarding this, or if they do, they may be very weak. I know even here in the US nothing is done to search for them. I think it is twentieth century policing tactics in a twenty-first century world. It is a lot harder to track over the 'Net and a lot easier to hide if you want.

Another Canadian

I totally agree. Sentences should vary from the same length as for bank robbery, for example, to national and worldwide national security threat, with sentences that go accordingly also.

seanferd

They've always got an angle. I wouldn't be surprised to find websites or email using USAir flight 1549 to attract people into the Waledac web. That actually may be too acute an incident, though. Sometimes I stop and think that I'm glad that Storm is just about spam.

Michael Kassner

Efficiency is a business requirement regardless of the legality of the business.

seanferd

At http://www.sudosecure.net/archives/395, where Jeremy played "Where's Waledac", I found some of the AS of the infected IPs interesting. A couple of my favorite universities, and some ISPs, both of which indicate addresses in Ohio. (What is it with Ohio?) And are those Microsoft IPs actually in the corporate network?

seanferd

Very good (and timely) article, covering two currently very interesting bits of malware. Once again, you are right on top of things. Cheers!

seanferd

"Enable BotNet protection on this network: Blocks infected computers on your network from connecting to botnet central controllers. At this time, this feature blocks the Conficker virus, and will be expanded to include others."

seanferd

One of the things about any kind of filtering, but especially malware filtering, is that the sites change so fast. And I can tell you that there is this expectation from the average OpenDNS user that anything can be fully taken care of at the DNS level. You wouldn't believe some of the other services they ask for (all free, of course). Anyway, I personally don't feel that OpenDNS should get themselves wrapped up in such stuff to this extent, but it's their business plan. And if anyone wants to make use of that level of filtering, I figure I'll let them know that it is available. Aside: Did you know there was some massive DOS going on against WorldNIC (Network Solutions) but they haven't been very forthcoming. I think the attack may have been against other DNS providers as well, but I haven't read anything about it.

seanferd

They then can test and apply patches at will. My other question is why there wasn't more "segregation" on the network, especially between critical systems and the internet, but between various groups of computers as well.

csmith.kaze

There are times when going through all three steps is not an option. An out-of-band patch is generally one of those times. If it is bad enough that Big Redmond has to push it down out of band, then there is a fair chance that any large enterprise may already be infected and that patching is the only way to curb the wildfire. Unless your three steps are completed in less than a day, the three-steps rule could, theoretically, cost that company more money and the IT dept more work than if the patch is placed.

Neon Samurai

Visit Windows Update once a month and you're way ahead of most, but even still, I've met developers who will only update if it's automated for them. If developers haven't the interest to take five minutes with their machines once a month, what hope has the average disinterested user?

Neon Samurai

Well, depending on your resources for stepping back through each packet source. I think another issue, along with different laws around the globe, is false positives. You can't be sure the source IP is the originator or just an infected proxy point. It's the same reason that vigilante responses are not acceptable; you may be ripping apart some little old granny's infected machine, leaving the criminal originator untouched.

Michael Kassner

The very fact that Storm/Waledac is strictly focused on spam is ironically a blessing, as you fortuitously pointed out. Still, that was my point. There has to be an amazing RoI in order for them to remain in that attack vector.

Michael Kassner

Very interesting commentary. I especially like this: "These hosts use the Nginx web server to proxy requests through compromised bots to the main command and control (C&C) servers to conceal their identities. Unlike the Storm Botnet, the Waledac botnet does not appear to use the P2P network to exchange bot nodes, but instead it seems to exchange bot nodes through the HTTP protocol via encrypted channels." I'm trying to figure out if some P2P traffic still exists between nodes and is then sent to the command and control servers.

Neon Samurai

It's the downside of the text medium, so I thought I'd confirm in case I had missed something.

seanferd

Sorry if it came off the wrong way. The initial bit was supposed to be goofy, and the rest was for expressing my bafflement at such things.

Neon Samurai

I meant that the thought process we usually have to contend with is the more reactive "open it all up and lock it down as needed" approach. In response to your point, though: I wouldn't ever suggest that Windows should be used in any business critical, let alone life critical, task like surgical equipment. It's made its money in "acceptable" crash rates in business critical tasks, though.

seanferd

Why are operating theatre computers even talking to non-critical systems with internet or thumb-drive access? Forget that, why are they running Windows? I mean, read the EULA for cryin' out loud. They could use a Windows system for reference or whatever, but anything medically critical should be running on its own.

Neon Samurai

After all, they are all inside the network and we have a firewall on the gateway router. (sadly, this is the thinking one has to contend with.)

Michael Kassner

I suspect that network was looked at pretty critically after that.

Michael Kassner

I also was curious how they were going to somehow defend the domains that were hard coded into the executable. The term fast-flux domains was used and explains a lot. My next question is how they turn the IP addresses for those domains around so fast and so often.

seanferd

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231

"It would seem that web server nodes forward on and send traffic to other web server nodes, effectively working in a peer-to-peer network. As our friend "W" calls it.. HTTP2p. There is certainly a back end mothership somewhere, but it does not seem that infected web nodes talk directly to it, or at least not every time. It is also interesting to note that if the trojan does not successfully connect to any of its seed IPs for ten minutes it will then attempt to grab a php file from one of the domains that is hard coded inside the binary."