A SecureWorks researcher has uncovered evidence that apparently proves the latest Storm variants are geared towards building smaller Storm networks.
Joe Stewart, a security researcher for SecureWorks, has found that the latest variants of Storm are using a 40-byte key to encrypt their Overnet peer-to-peer traffic.
“This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks,” Stewart wrote in a blog post.
Stewart believes that this ongoing segmentation is geared toward selling Storm to other spammers as an ‘end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities’.
If Storm authors really are selling their Storm networks, we might see a lot more Storm attacks.
However, Stewart disclosed that because of the new encryption scheme, “we can now distinguish this new Storm traffic from ‘legitimate’ Overnet P2P traffic.”
Once the signatures of Storm nodes are identified, a network administrator can block Storm traffic through firewall policy, even on networks whose policy normally allows P2P traffic.
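The distinguishing point above (keyed Storm traffic on the P2P port no longer parses as ordinary Overnet) can be turned into a simple per-peer detector. The following is an added example, not code from SecureWorks or the article; it assumes Overnet UDP datagrams begin with the eDonkey protocol byte 0xE3 followed by a known opcode, and the sample datagrams and opcode set are constructed for illustration.

```python
from collections import defaultdict

OVERNET_PROTO = 0xE3                                    # assumed Overnet protocol byte
OVERNET_OPCODES = {0x0C, 0x0D, 0x0E, 0x11, 0x13, 0x14}  # assumed plaintext opcodes

def is_plaintext_overnet(payload: bytes) -> bool:
    """True if the datagram parses as an unencrypted Overnet message."""
    return (len(payload) >= 2
            and payload[0] == OVERNET_PROTO
            and payload[1] in OVERNET_OPCODES)

def classify_peers(datagrams, min_packets=3, opaque_ratio=0.75):
    """Group datagrams by source address and flag peers whose traffic on the
    P2P port is mostly opaque (never parses as Overnet) as candidates for the
    key-encrypted variant. Returns {src: verdict}."""
    seen = defaultdict(lambda: [0, 0])   # src -> [total, opaque]
    for src, payload in datagrams:
        stats = seen[src]
        stats[0] += 1
        if not is_plaintext_overnet(payload):
            stats[1] += 1
    verdicts = {}
    for src, (total, opaque) in seen.items():
        if total < min_packets:
            verdicts[src] = "insufficient"          # too few packets to judge
        elif opaque / total >= opaque_ratio:
            verdicts[src] = "encrypted-p2p"         # block/investigate candidate
        else:
            verdicts[src] = "overnet"
    return verdicts

# Constructed sample traffic: one ordinary Overnet peer, one peer whose
# datagrams almost never parse as Overnet, and one peer seen only once.
SAMPLE = [
    ("10.0.0.5", bytes([0xE3, 0x0C]) + b"\x00" * 22),
    ("10.0.0.5", bytes([0xE3, 0x0E]) + b"\x11" * 20),
    ("10.0.0.5", bytes([0xE3, 0x11]) + b"\x22" * 30),
    ("10.0.0.9", bytes([0x7A, 0x3F, 0x90, 0xC1]) + b"\x5d" * 20),
    ("10.0.0.9", bytes([0x12, 0xAE, 0x40, 0x08]) + b"\x9c" * 20),
    ("10.0.0.9", bytes([0xE3, 0x0C]) + b"\x00" * 10),   # one chance match
    ("10.0.0.9", bytes([0xF0, 0x01, 0x33, 0x2B]) + b"\x77" * 20),
    ("10.0.0.2", bytes([0x55, 0x66]) + b"\x00" * 5),
]

if __name__ == "__main__":
    for src, verdict in sorted(classify_peers(SAMPLE).items()):
        print(src, verdict)
```

A production version would also key on destination port and feed the "encrypted-p2p" verdicts into the firewall policy mentioned above rather than printing them.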
With this development, some security efforts should now focus on identifying Storm node signatures to prevent or minimize Storm Worm attacks.