Storm Worm & Botnet
Storm Worm & Botnet



Introduces the Storm worm and analyzes the P2P and rootkit technologies the Storm worm uses to build its botnet and hide itself.




Usage Rights

© All Rights Reserved

  • Excellent presentation. The link on slide 26 does not work anymore. I am doing a bit of research work on P2P botnets and I would be glad to have a look at your white paper. Also it will be great if you could share the network traces and data captures you have listed here. Are they available in public?
  • User- mode APC (Asynchronous Procedure Call).

Storm Worm & Botnet Presentation Transcript

  • 1. Storm Worm & Botnet Websense, Inc. Jun Zhang Beijing Security Lab. Aug 2008
  • 2. Introduction -- What's the Storm Worm
    • A kind of malicious program
    • The first Storm worm was discovered in late January, 2007
    • Storm is one of the first malware families to use a P2P network, which makes it more resilient, more powerful and harder to detect.
    • Spreading method
    • The primary method of spreading remains social-engineering email and phishing websites.
  • 3. Introduction -- What's the Storm Worm
    • Storm Features
    • Based on P2P and rootkit technology, Storm easily resists attempts to shut down its network and has evolved continuously to stay ahead of the anti-virus industry and researchers.
    • Features:
      • Uses P2P network (Overnet/Kademlia)
      • Uses fast-flux DNS for hosting on named sites
      • Binary has gone through many revisions
      • Hides on machine with rootkit technology
  • 4. Introduction -- What's the Storm Worm
    • Storm Capabilities
    • As Storm has evolved, it has gained a number of capabilities to aid it in malicious activity.
    • Capabilities:
      • Spam
      • Spread
      • ICMP Echo flood
      • TCP SYN flood
      • Proxy connections
      • Download and execute files
  • 5. Introduction -- What's the Storm Worm
    • Malicious Activities
    • The Storm network has been used for many malicious money-making activities.
      • Spamming
      • Phishing emails
      • DDoS Attack
    • Example – Sending Spam through Google’s SMTP Server
  • 6. Introduction -- What's the Storm Worm
    • Example – Phishing mail
  • 7. Introduction -- What's the Storm Worm
    • Core components of Storm
      • P2P-based botnet
      • Rootkit
      • Analyzing recent Storm samples, we noticed that the P2P network and the rootkit are the most important parts of the Storm worm.
      • Most Storm worms use the Overnet protocol to construct their botnet; because of the distributed nature of Overnet, there is no central command and control server.
      • This dynamic nature makes Storm so resilient to attack.
  • 8. Introduction -- What's the Storm Worm
    • The nature of the Overnet-based P2P botnet is also the primary reason why casual researchers and security enthusiasts often chalk the Storm botnet up as impossible to shut down, or even to track or estimate the size of.
    • Another reason Storm avoids detection is its rootkit technology. The rootkit enhances Storm's ability to hide: using the rootkit, Storm can hide itself in the file system, conceal running processes and easily bypass the firewall and IDS.
    • Next, we will focus on the P2P-based botnet and the rootkit, and discuss both using a real Storm sample we captured.
  • 9. Storm Worm P2P-based Botnet
    • Overview
    • In recent years, P2P technology has been used frequently in Storm variants and has become more and more popular.
    • A P2P-based botnet is very hard to trace and shut down, because the botnet has robust network connectivity (this is the nature of a P2P network), uses encryption, and controls traffic dispersion.
    • Each bot influences only a small part of the botnet, and upgrade/recovery is accomplished easily by its botmaster.
  • 10. Storm Worm P2P-based Botnet
    • Decentralized Botnet
    • The latest botnet is a decentralized architecture, unlike the traditional peer-to-peer system.
    • This kind of botnet does not need a central command and control location;
    • It allows the attacker to upgrade and control infected hosts without the botmaster.
  • 11. Storm Worm P2P-based Botnet
    • P2P botnet Implementation
    • Storm uses a distributed hash table (DHT) based on the Kademlia algorithm and assigns a random 128-bit ID to each bot.
    • The format of the random ID is similar to this:
    • Normally, Storm carries a hard-coded peer list. This list is used to bootstrap the botnet.
  • 12. Storm Worm P2P-based Botnet
    • Example of peer list
    • Each line is a single hex-encoded peer in this format:
      <128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>
  • 13. Storm Worm P2P-based Botnet
    • How the peer list is built:
    • Use the system time as a random seed.
    • Use that seed to generate the 128-bit bot ID.
    • Randomly pick the IP/UDP port from a static array carried by the Storm binary.
    • Keep part of the bot information in the configuration file.
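As an added illustration of slides 12 and 13 (this is not code from the presentation or from Websense), the following Python decodes a peer list in the format shown above so an analyst can triage a recovered configuration file. The byte order of the IP and port fields is an assumption (the slides do not state it), so it is a parameter; the sample list is constructed from documentation address ranges and made-up IDs, not a real capture.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# One hex-encoded peer per line:
#   <128-bit hash>=<32-bit IP><16-bit port><8-bit peer type>
# i.e. 32 hex digits, '=', then 8 + 4 + 2 hex digits.
PEER_LINE = re.compile(
    r"^([0-9a-fA-F]{32})=([0-9a-fA-F]{8})([0-9a-fA-F]{4})([0-9a-fA-F]{2})$"
)


@dataclass(frozen=True)
class Peer:
    bot_id: int      # 128-bit Overnet/Kademlia node ID
    ip: str          # dotted-quad IPv4 address
    port: int        # UDP port
    peer_type: int   # 8-bit type field (its meaning is not defined on the slides)


def parse_peer_line(line: str, byteorder: str = "big") -> Peer:
    """Decode one peer line. `byteorder` is an assumption: the slides do not
    say whether the IP and port fields are stored big- or little-endian."""
    m = PEER_LINE.match(line.strip())
    if not m:
        raise ValueError(f"malformed peer line: {line!r}")
    hash_hex, ip_hex, port_hex, type_hex = m.groups()
    ip_int = int.from_bytes(bytes.fromhex(ip_hex), byteorder)
    port = int.from_bytes(bytes.fromhex(port_hex), byteorder)
    return Peer(int(hash_hex, 16), str(ipaddress.IPv4Address(ip_int)), port, int(type_hex, 16))


def parse_peer_list(text: str, byteorder: str = "big") -> List[Peer]:
    """Decode a whole list, skipping blank/comment lines and reporting bad
    lines instead of aborting (a recovered config is often partly corrupted)."""
    peers = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            peers.append(parse_peer_line(line, byteorder))
        except ValueError as exc:
            print(f"line {lineno}: {exc}")
    return peers


def summarize(peers: List[Peer]) -> dict:
    """Quick triage view: how many distinct hosts and ports the list bootstraps to."""
    return {
        "peers": len(peers),
        "distinct_ips": len({p.ip for p in peers}),
        "distinct_ports": len({p.port for p in peers}),
        "types": sorted({p.peer_type for p in peers}),
    }


# Constructed sample (documentation address ranges, made-up IDs), not a real capture.
SAMPLE_PEER_LIST = """\
# constructed bootstrap list
0123456789abcdef0123456789abcdef=c000020a1ebf00
fedcba9876543210fedcba9876543210=c00002141f4001
00000000000000000000000000000001=cb00710104d200
not-a-peer-line
"""

if __name__ == "__main__":
    decoded = parse_peer_list(SAMPLE_PEER_LIST)
    for p in decoded:
        print(f"{p.bot_id:032x} -> {p.ip}:{p.port} type={p.peer_type}")
    print(summarize(decoded))
```

Run with the other byte order if the decoded addresses look like reserved or unroutable ranges; with `byteorder="little"` the first sample line decodes to 10.2.0.192 instead of 192.0.2.10, which is usually enough to tell which convention a given sample uses.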
  • 14. Storm Worm P2P-based Botnet
    • Botnet Traffic Analysis
    • The primary protocol the botnet uses is UDP. Each bot uses UDP to communicate with the others.
    • Normally, Storm also includes an SMTP component to send spam email.
  • 15. Storm Worm P2P-based Botnet
    • Spamming – SMTP component
    This figure is a screenshot of a Storm bot sending spam
  • 16. Storm Worm P2P-based Botnet
    • UDP-based bots conversation
  • 17. Storm Worm P2P-based Botnet
    • Securing the network traffic between bots
    • Storm uses an XOR encryption algorithm to encrypt the messages between bots and randomly assigns the UDP port for each bot.
    • This greatly increases the dispersion of UDP ports, so it is very hard to trace a single bot.
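The port dispersion described above is itself a detectable trait: a normal UDP client talks to many hosts on a few well-known ports, whereas a peer-to-peer bot talks to many hosts on many different ports. As an added example (not code from the presentation or from Websense), the following Python scores hosts in a flow log by the ratio of distinct remote UDP ports to distinct remote peers per time window. The flow-log format, the thresholds and the log lines are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass
class Flow:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow_line(line: str) -> Flow:
    # Constructed format: "<ts> <src_ip>:<src_port> <dst_ip>:<dst_port> <proto>"
    ts, src, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(float(ts), src_ip, int(src_port), dst_ip, int(dst_port), proto.lower())


def build_sample_log() -> List[str]:
    """Constructed flow log (not a real capture): one P2P-bot-like host,
    one DNS-heavy host and one plain web client, all inside one 60 s window."""
    lines = []
    # 10.0.0.5 talks UDP to 30 distinct peers, each on a different high port.
    for i in range(30):
        lines.append(f"{i * 1.5:.1f} 10.0.0.5:{20000 + i} 203.0.113.{i + 1}:{1024 + 37 * i} udp")
    # 10.0.0.9 sends DNS to 25 distinct resolvers, but always to port 53.
    for i in range(25):
        lines.append(f"{i * 2.0:.1f} 10.0.0.9:{50000 + i} 198.51.100.{i + 1}:53 udp")
    # 10.0.0.12 browses 40 servers over TCP 443 (ignored by the UDP heuristic).
    for i in range(40):
        lines.append(f"{i * 1.0:.1f} 10.0.0.12:{40000 + i} 192.0.2.{i + 1}:443 tcp")
    return lines


def detect_udp_port_dispersion(lines, window=60.0, min_peers=20, min_port_ratio=0.8):
    """Flag (host, window) pairs whose UDP traffic reaches at least `min_peers`
    distinct remote hosts and whose distinct remote ports are at least
    `min_port_ratio` of that count. Thresholds are constructed, tune per site."""
    buckets = defaultdict(lambda: (set(), set()))  # (src, window) -> (peers, ports)
    for line in lines:
        f = parse_flow_line(line)
        if f.proto != "udp":
            continue
        peers, ports = buckets[(f.src_ip, int(f.ts // window))]
        peers.add(f.dst_ip)
        ports.add(f.dst_port)

    alerts = []
    for (host, win), (peers, ports) in sorted(buckets.items()):
        ratio = len(ports) / len(peers)
        if len(peers) >= min_peers and ratio >= min_port_ratio:
            alerts.append({
                "host": host,
                "window_start": win * window,
                "peers": len(peers),
                "ports": len(ports),
                "ratio": round(ratio, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_udp_port_dispersion(build_sample_log()):
        print(alert)
```

The DNS-heavy host has 25 peers but a ratio of 0.04, so it is not flagged; the bot-like host has 30 peers on 30 ports and is. Encrypted payloads do not affect this check because it looks only at who talks to whom and on which ports.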
  • 18. Storm Worm P2P-based Botnet
    • XOR Encryption Algorithm
    • This encryption algorithm is very simple, but good enough to bypass an IDS or IPS.
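The slide's point is that XOR hides message bytes from signature matching without giving any real secrecy. As an added example (not from the presentation; the actual Storm key and key length are not given on the slides, so a constructed 4-byte key is used), the following Python shows the repeating-key XOR scheme and how an analyst with a captured message and a known fixed header can recover the key and read the rest of the capture. The message format is constructed for the example.

```python
# Constructed 4-byte key; Storm's real key is not given on the slides.
KEY = bytes.fromhex("5ac3991e")

# Constructed message with a fixed 16-byte header that an analyst would learn
# from reversing the binary; the body is the part worth decoding.
SAMPLE_MESSAGE = (
    b"P2P-SEARCH-v01\r\n"
    b"id=0123456789abcdef0123456789abcdef port=7871"
)


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: XOR the captured bytes with the plaintext we
    already know to get the keystream, then take the shortest period that
    explains all of it. Needs strictly more known bytes than the key length;
    with too few, a short false period can be returned."""
    n = min(len(ciphertext), len(known_plaintext))
    keystream = xor_crypt(ciphertext[:n], known_plaintext[:n])
    for period in range(1, n + 1):
        if all(keystream[i] == keystream[i % period] for i in range(n)):
            return keystream[:period]
    return keystream  # unreachable: period == n always matches


def decode_capture(ciphertext: bytes, known_header: bytes):
    """Recover the key from the header, then decrypt the whole message."""
    key = recover_key(ciphertext, known_header)
    return key, xor_crypt(ciphertext, key)


if __name__ == "__main__":
    wire = xor_crypt(SAMPLE_MESSAGE, KEY)
    print("on the wire:", wire.hex())
    key, plain = decode_capture(wire, SAMPLE_MESSAGE[:16])
    print("recovered key:", key.hex())
    print("decoded:", plain)
```

A content signature on the plaintext header never matches the wire bytes, which is all the scheme buys the malware; a defender who knows any fixed field of the protocol gets the key back with one XOR, so detection and analysis should not be stopped by this layer.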
  • 19. Storm Worm P2P-based Botnet
    • Botnet Messages
    • To analyse the botnet, I wrote a tool to observe the messages between bots.
    • Two kinds of messages:
    • Search:
    • A bot uses search messages to find resources and other bots by BotID.
    • Publicize:
    • A bot uses publicize messages to report ownership of network resources (BotIDs) so that other bots can find the resource later.
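To make the search/publicize pair concrete, here is an added simulation (not code from the presentation or from Websense) of how Kademlia-style lookups work over 128-bit IDs: XOR distance, k-buckets, an iterative lookup, and publicize/search as "store at the K closest nodes" and "ask the K closest nodes". Everything is in memory with direct method calls instead of UDP, the bucket size K and the network size are constructed values (the slides give no Storm parameters), and the routing tables are pre-filled as they would look after bootstrap and refresh.

```python
import random

ID_BITS = 128
K = 8  # bucket size / replication factor (constructed value, not Storm's)


def xor_distance(a: int, b: int) -> int:
    """Kademlia metric: XOR of two IDs, compared as an unsigned integer."""
    return a ^ b


def bucket_index(node_id: int, other_id: int) -> int:
    """Index of the k-bucket in which node_id keeps other_id: the highest differing bit."""
    return xor_distance(node_id, other_id).bit_length() - 1


class Bot:
    def __init__(self, bot_id: int):
        self.id = bot_id
        self.buckets = {}   # bucket index -> list of up to K contact IDs
        self.store = {}     # resource ID -> set of bot IDs that publicized it

    def learn(self, other_id: int) -> None:
        if other_id == self.id:
            return
        bucket = self.buckets.setdefault(bucket_index(self.id, other_id), [])
        if other_id not in bucket and len(bucket) < K:
            bucket.append(other_id)

    def closest(self, target: int, n: int = K) -> list:
        """What a FIND_NODE reply carries: the n contacts nearest the target."""
        contacts = [c for bucket in self.buckets.values() for c in bucket]
        return sorted(contacts, key=lambda c: xor_distance(c, target))[:n]


class Botnet:
    """In-memory stand-in for the UDP network; every message is a method call."""

    def __init__(self, size: int, seed: int = 2008):
        rng = random.Random(seed)
        self.bots = {}
        while len(self.bots) < size:
            bot_id = rng.getrandbits(ID_BITS)
            self.bots[bot_id] = Bot(bot_id)
        # Routing tables after bootstrap + refresh: each bot has seen every
        # other bot, but keeps at most K per bucket.
        ids = list(self.bots)
        for bot in self.bots.values():
            for other in rng.sample(ids, len(ids)):
                bot.learn(other)

    def lookup(self, start_id: int, target: int) -> list:
        """Iterative lookup: keep querying the K best unqueried candidates
        until the K nearest known IDs have all been asked."""
        start = self.bots[start_id]
        shortlist, queried = {start_id}, set()
        while True:
            best = sorted(shortlist, key=lambda c: xor_distance(c, target))[:K]
            pending = [c for c in best if c not in queried]
            if not pending:
                return best
            for c in pending:
                queried.add(c)
                learned = self.bots[c].closest(target)
                shortlist.update(learned)
                for peer in learned:      # the searcher learns peers as it goes
                    start.learn(peer)

    def publicize(self, owner_id: int, resource_id: int) -> list:
        """Publicize: store (resource -> owner) at the K nodes nearest the resource ID."""
        holders = self.lookup(owner_id, resource_id)
        for h in holders:
            self.bots[h].store.setdefault(resource_id, set()).add(owner_id)
        return holders

    def search(self, searcher_id: int, resource_id: int) -> set:
        """Search: ask the K nodes nearest the resource ID who owns it."""
        owners = set()
        for h in self.lookup(searcher_id, resource_id):
            owners |= self.bots[h].store.get(resource_id, set())
        return owners

    def brute_force_closest(self, target: int, n: int = K) -> list:
        """Ground truth with global knowledge, to check that lookups converge."""
        return sorted(self.bots, key=lambda c: xor_distance(c, target))[:n]


if __name__ == "__main__":
    net = Botnet(64)
    resource = 0x0123456789ABCDEF0123456789ABCDEF   # constructed resource ID
    owner, searcher = min(net.bots), max(net.bots)
    print("stored at", [f"{h:032x}"[:8] for h in net.publicize(owner, resource)])
    print("search found owner:", net.search(searcher, resource) == {owner})
```

Two things the simulation makes visible: no node holds a full peer list, yet any node reaches the resource holders in a few hops, which is why the slides call the botnet hard to shut down; and because a published mapping lives on whichever bots are nearest the resource ID, an observer who can run lookups can enumerate what is published without talking to a controller.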
  • 20. Storm Worm P2P-based Botnet
    • Search Message
  • 21. Storm Worm P2P-based Botnet
    • Publicize Message
  • 22. Storm Worm P2P-based Botnet
    • The huge Botnet
    • The figure below shows part of a real botnet: I observed more than 5796 infected hosts in only 21 minutes!
  • 23. Storm Worm – Rootkit Technology
    • What’s the Rootkit
    • A rootkit is a set of software components intended to hide running processes, files or system data from the operating system.
    • In recent years, rootkits have been used increasingly by malware to help intruders maintain access to systems while avoiding detection.
    • Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.
  • 24. Storm Worm – Rootkit Technology
    • A real rootkit used by the Storm worm
    • We captured this Storm in August. Below is the work-flow of the rootkit this Storm used.
  • 25. Storm Worm – Rootkit Technology
    • The rootkit’s capabilities:
      • Hide file, to avoid being deleted (hooks NtQueryDirectoryFile)
      • Hide TCP port, to bypass the firewall (hooks the TCP device, \Device\Tcp)
      • Hide Win32 service, to avoid being detected
      • Erase its footprint from the registry (hooks NtEnumerateKey/NtEnumerateValueKey)
      • Inject code into “services.exe”: from kernel mode, uses a user-mode APC to inject the malicious code into "services.exe"
  • 26. Storm Worm – A Real One
    • Work-flow of a real Storm.
    • The white paper for this Storm can be found at:
  • 27. Any Questions? The End