EXE Storm Of the Year
by Jose Nazario

Last week I got a weird piece of malware, one that didn’t quite look familiar. A quick round of dynamic and static analysis showed that it was indeed new, and it turns out it was the malware known as the Storm Worm. AV detection, late Thursday night last week, was pretty weak, and I went to bed with a brief writeup in other people’s hands and samples shared with other AV researchers. When I woke up, people had found thousands of copies of it everywhere. It turns out that it was being aggressively seeded, and I was somewhere near the front of the line as a recipient. Lucky me!
Inspection of the malware showed that it maintained a list of peers (stored in a file, %SYSTEM32%\peers.ini) that it communicated with. This wasn’t just some spam malware, this was a P2P spam bot. Quickly, the people behind the malware upped the ante with new variants, and they haven’t slowed down too much. There are lots of minor variants in each run to stop people doing static MD5 detection, and every day or two they change the code just enough to drop AV detection through the floor. I’ve been able to get samples, either in our mail traps or through contacts, and look at them. There’s a definite shift in tactics afoot. The original variant used UDP port 4000 to communicate; later versions used UDP port 7871. I’ve been looking at this worm’s traffic for the past several days and, despite the fact that we’re seeing boatloads of the mails, we’re not seeing a lot of the traffic these infected boxes generate.
Based solely on these traffic measurements, it’s hard to say just how many boxes are infected, but it doesn’t appear to be that many when compared to something like MyDoom or Bagle. This appears to be a lot more like the size of Nugache’s network. The traffic graph here shows a 24-hour window of one ASN’s traffic for UDP port 7871 (there was no detectable UDP port 4000 traffic), and there’s only bytes per second of traffic, and it’s not sustained. This isn’t a non-issue, but the bark (the flood of emails) may be worse than the bite (the P2P traffic, which indicates infected boxes), at least globally.
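The kind of measurement described above, as an added example that is not part of the original post: a small script that takes flow records (format and sample values constructed here, not from the post or any real collector) and, for the two UDP peer ports the post names (4000 and 7871), reports total bytes, average bytes per second over a 24-hour window, how many one-minute buckets actually carried traffic, and which local hosts took part. The local address range and the window start are assumptions for the sample data.

```python
"""
Added example, not from the original post: size the Storm Worm P2P
traffic seen in flow records for one network, the way the post does
per ASN. Flow-record layout and all sample values are constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# Peer ports named in the post: early variant (4000), later variant (7871).
STORM_UDP_PORTS = {4000, 7871}

# Assumed local address space for the monitored network (constructed).
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed flow records: start_time,proto,src_ip,src_port,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
2007-01-20T00:00:05,udp,10.0.0.5,7871,198.51.100.7,7871,92
2007-01-20T00:00:09,udp,10.0.0.5,7871,198.51.100.9,7871,88
2007-01-20T00:00:12,udp,10.0.0.8,53,192.0.2.53,53,64
2007-01-20T00:00:40,tcp,10.0.0.5,1025,203.0.113.25,25,5120
2007-01-20T12:30:01,udp,10.0.0.9,7871,198.51.100.7,7871,90
2007-01-21T00:00:01,udp,10.0.0.5,7871,198.51.100.7,7871,91
"""


def parse_flows(text):
    """Parse the constructed CSV-like flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, sip, sport, dip, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "proto": proto.lower(),
            "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_storm_peer_flow(flow, ports=STORM_UDP_PORTS):
    """True for UDP flows touching one of the known peer ports on either end."""
    return flow["proto"] == "udp" and (
        flow["src_port"] in ports or flow["dst_port"] in ports)


def summarize_window(flows, window_start, hours=24, local_net=LOCAL_NET):
    """Aggregate peer-port traffic in [window_start, window_start + hours).

    Returns total bytes, the average rate over the whole window (what a
    bytes-per-second graph would show), the number of one-minute buckets
    with any activity (how sustained it is), and the local hosts involved
    (candidate infected machines).
    """
    if isinstance(window_start, str):
        window_start = datetime.fromisoformat(window_start)
    window_end = window_start + timedelta(hours=hours)
    total_bytes = 0
    active_minutes = set()
    local_hosts = set()
    for f in flows:
        if not (window_start <= f["ts"] < window_end) or not is_storm_peer_flow(f):
            continue
        total_bytes += f["bytes"]
        active_minutes.add(f["ts"].replace(second=0, microsecond=0))
        for ip in (f["src_ip"], f["dst_ip"]):
            if ipaddress.ip_address(ip) in local_net:
                local_hosts.add(ip)
    return {
        "total_bytes": total_bytes,
        "avg_bytes_per_sec": total_bytes / (hours * 3600),
        "active_minutes": len(active_minutes),
        "minutes_in_window": hours * 60,
        "local_hosts": sorted(local_hosts),
    }


if __name__ == "__main__":
    summary = summarize_window(parse_flows(SAMPLE_FLOWS), "2007-01-20T00:00:00")
    print(f"peer-port bytes in window: {summary['total_bytes']}")
    print(f"average rate: {summary['avg_bytes_per_sec']:.5f} bytes/sec")
    print(f"active minutes: {summary['active_minutes']} of {summary['minutes_in_window']}")
    print(f"local hosts on peer ports: {summary['local_hosts']}")
```

The average rate is deliberately computed over the full window rather than over the active seconds only, because that is what a per-ASN traffic graph plots; the active-minute count is what separates a handful of chatty bots from a sustained P2P population.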

This year’s trend looks like it will be “get your own private distributed spam net,” built using malware and specialized botnets. Rustock, Storm Worm, and probably others are going to make the spam problem all that much harder to deal with.