A SecureWorks researcher has uncovered evidence that apparently proves the latest Storm variants are geared towards building smaller Storm networks.

Joe Stewart, security researcher for SecureWorks, has found that the latest variants of Storm are using a 40-byte key to encrypt their Overnet peer-to-peer traffic.

“This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks,” Steward wrote in this blog.

Stewart believes that this on-going segmentation is gear toward selling Storm to other spammers as an ‘end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities’.

If Storm authors really are selling their Storm networks, we might see a lot more Storm attacks.

However, Stewart disclosed that because of the new encryption scheme, “we can now distinguish this new Storm traffic from ‘legitimate’ Overnet P2P traffic.”

As long as signatures of Storm nodes are identified, the network administrator can effectively block Storm traffic through firewall policy configuration that normally allow P2P traffic.

With this development, some security efforts should now focus on identifying Storm node signatures to prevent or minimize Storm Worm attacks.

---

Related:

Storm Worm detects early threat, launches counter-attacks

Storm Worm network shrinks to about one-tenth of its former size

Storm Worm growth is getting out of hand, researchers fear

WARNING: some Valentine e-cards could be a trap

Blogs, forums and web mail under siege by Storm Worm variant

Stumble It!

Entry was posted on Monday, October 15th, 2007 at 9:49 pm under Spam, Technology.  Print This Post

Read more entries by Ruben Francia.