A Multi-perspective Analysis of the Storm (Peacomm) Worm
Phillip Porras, Hassen Saidi, and Vinod Yegneswaran
Computer Science Laboratory, SRI International
Since early 2007 a new form of malware has made its presence known on the Internet by its prolific growth rate, its ability to distribute large volumes of spam, and its ability to avoid detection and eradication. Storm Worm (or W32.Peacomm, Nuwar, Tibs, Zhelatin), as it is known, is a highly prolific new generation of malware that has gained a significant foothold in unsuspecting Microsoft Windows computers across the Internet. Storm, like all bots, distinguishes itself from other forms of malware (viruses, Trojan horses, worms) by its ability to establish a control channel that allows its infected clients to operate as a coordinated collective, or botnet. However, even among botnets Storm has further distinguished itself by being among the first to introduce a fully P2P control channel, to utilize fast-flux to hide its binary distribution points, and to aggressively defend itself from those who would seek to reverse engineer its logic.
Despite all the hype and paranoia surrounding Storm, the inner workings of this botnet largely remain a mystery. Indeed, Storm is believed to have an automated distributed denial of service (DDoS) feature to dissuade reverse engineering, which is triggered based on situational awareness gathered from its overlay network, e.g., when the count of spurious probes crosses a certain threshold. It has also been reported that these defenses have been turned on those who have posted their analysis results of Storm. In this paper, we attempt to partially address voids in our collective understanding of Storm by providing a multi-perspective analysis of various Storm clients. Our analysis includes a static dissection of the malware binary and the characteristics of the Storm worm's network dialog as observed from multiple infection traces. Finally, we seek not only to analyze Storm for greater understanding, but also to develop solutions that can help detect its presence, even as we expect Storm to continue to evolve and elude host security products. In this report we present our modifications to SRI's free BotHunter botclient detection system. We explain how BotHunter has been augmented to hunt for Storm infections, as well as other forms of spambot infections.