A 40-byte key used to communicate with specific nodes on a Storm botnet could be a harbinger of an even greater Storm threat.
Storm Botnets Using Encrypted Traffic
Storm and its variants have been plaguing Internet surfers since January 2007, when researchers at security firm F-Secure discovered it in spam after a series of vicious storms in Europe.
Since then it has spread around the world, infecting thousands of machines. The entrenched botnet created by Storm’s backers now poses a new concern, according to SecureWorks writer Joe Stewart.
He noted that encrypting the botnet's Overnet P2P traffic lets its operators segment the compromised machines into smaller, separately keyed botnets.
“This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities,” he said. “If that’s the case, we might see a lot more of Storm in the future.”
However, security pros may be able to fight this traffic. Stewart said the new Storm traffic can be distinguished from other Overnet P2P traffic, based on certain UDP packet sizes.
“Since there’s no content matching, these could be prone to false positives in certain cases, so the usual caveats with bleeding-edge signatures apply,” Stewart said.
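The caveat above is worth seeing in code: a signature that keys on UDP datagram size alone fires on any datagram of that size, whatever it carries. The following is an added example and is not code from the article, from SecureWorks, or from any published Storm signature. The sizes in `STORM_UDP_SIZES` are placeholders (the article names no values), and the packets are constructed sample data. It contrasts a per-packet rule with a host-level rule that only reports a source once it has sent several matching datagrams to several distinct peers, which is one common way to reduce the false positives Stewart mentions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Placeholder signature sizes (hypothetical; the article names no actual values).
STORM_UDP_SIZES: Set[int] = {36, 52}


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    proto: str     # transport protocol name
    udp_len: int   # UDP payload length in bytes


def matches_size_signature(pkt: Packet, sizes: Set[int] = STORM_UDP_SIZES) -> bool:
    """Per-packet rule: UDP with a payload length in the signature set.
    There is no content matching, so any UDP datagram of a matching size
    fires, regardless of what it carries."""
    return pkt.proto == "UDP" and pkt.udp_len in sizes


def per_packet_hits(packets: Iterable[Packet],
                    sizes: Set[int] = STORM_UDP_SIZES) -> List[Packet]:
    """Every datagram the bare size signature would alert on."""
    return [p for p in packets if matches_size_signature(p, sizes)]


def flag_hosts(packets: Iterable[Packet], sizes: Set[int] = STORM_UDP_SIZES,
               min_hits: int = 5, min_peers: int = 3) -> Dict[str, dict]:
    """Host-level rule: report a source only if it sent at least `min_hits`
    matching datagrams to at least `min_peers` distinct destinations.
    Repeated signature-sized datagrams fanning out to many peers look like
    P2P overlay chatter; one matching datagram from an ordinary host does not."""
    hits: Dict[str, int] = defaultdict(int)
    peers: Dict[str, Set[str]] = defaultdict(set)
    for p in packets:
        if matches_size_signature(p, sizes):
            hits[p.src] += 1
            peers[p.src].add(p.dst)
    return {
        src: {"hits": hits[src], "peers": len(peers[src])}
        for src in hits
        if hits[src] >= min_hits and len(peers[src]) >= min_peers
    }


# Constructed sample traffic (not real captures; addresses are documentation ranges).
SAMPLE: List[Packet] = [
    # 10.0.0.5 exchanges signature-sized datagrams with six different peers.
    *[Packet("10.0.0.5", f"203.0.113.{i}", "UDP", 36) for i in range(1, 7)],
    *[Packet("10.0.0.5", f"203.0.113.{i}", "UDP", 52) for i in range(1, 4)],
    # 10.0.0.9 sends one ordinary datagram that happens to be 52 bytes long.
    Packet("10.0.0.9", "192.0.2.53", "UDP", 52),
    # TCP traffic is never matched by the rule.
    Packet("10.0.0.9", "192.0.2.80", "TCP", 52),
]

if __name__ == "__main__":
    print("per-packet hits:", len(per_packet_hits(SAMPLE)))
    print("flagged hosts:", flag_hosts(SAMPLE))
```

Run as-is, the per-packet rule alerts on ten datagrams from two hosts, including the single benign 52-byte datagram from `10.0.0.9`; the host-level rule reports only `10.0.0.5`. The thresholds are tuning knobs, not facts about Storm: lowering both to 1 reproduces the per-packet behaviour and its false positive.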