In early 2006, Dave Dittrich, a senior security engineer and researcher at the University of Washington in Seattle, got a sample of a new strain of malware from a colleague, and began monitoring its activity. The Trojan was a bit lazy at first, making just a few outbound connections. But it quickly became obvious that this was no ordinary piece of malware, because each of the connections was to a peer and not a central command and control server.
This was strange behavior for PCs that have been compromised by this type of malware. The members of a distributed network like this typically communicate only with one central machine, called the command and control server. It's a top-down structure; the C&C server gives the commands and the compromised PCs carry them out. However, this new network didn't seem to have one C&C server that was running the show, and the malware itself couldn't really even be classified as a bot as it didn't make its first IRC connection for more than a month. IRC, or Internet Relay Chat, is the preferred method of communication for botnet controllers.
But with this network, in lieu of one C&C server, there were a number of peers around the network that were sending out commands and serving as download sites for various pieces of the network. So if one of the peers in the network that the attacker is using to issue commands to the rest of the network is shut down, the attacker could simply begin sending orders through another peer. This made the entire network of compromised PCs equal partners and made the prospect of disabling the network incredibly daunting.
As troubling as this new development was, more troubling was the fact that the peers sending out the commands changed on the fly and, as Dittrich watched, various members of the network would drop off the botnet, only to reappear days or weeks later. So the shape and size of the botnet was changing almost constantly, with entire branches going dark for extended periods of time and peers jumping from one portion of the network to another seemingly on a whim. And, to add to the pile of bad news, the bots were communicating with each other over an encrypted channel, making it all but impossible to listen in on their conversations.
Dittrich, one of the top botnet researchers in the world, has been tracking botnets for close to a decade and has seen it all. But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.
"The authors are making these subtle little changes to keep it under the radar, and they're succeeding," said Dittrich.
This is the future of malware and it's not a pretty picture. What it is, is a nightmare: a new breed of malicious software developed, tested and sold by professionals and engineered to change on the fly, adapt to its environment and evade traditional defenses.
Nugache, and its more famous cousin, the Storm Trojan, are not simply the next step in the evolution of malware. They represent a major step forward in both the quality of software that malware authors are producing and in the sophistication of their tactics. Although they're often referred to as worms, Storm and Nugache are actually Trojans. The Storm creator, for example, sends out millions of spam messages on a semi-regular basis, each containing a link to content on some remote server, normally disguised in a fake pitch for a penny stock, Viagra or relief for victims of a recent natural disaster. When a user clicks on the link, the attacker's server installs the Storm Trojan on the user's PC and it's off and running.
Various worms, viruses, bots and Trojans over the years have had one or two of the features that Storm, Nugache, Rbot and other such programs possess, but none has approached the breadth and depth of their feature sets. Rbot, for example, has more than 100 features that users can choose from when compiling the bot. This means that two different bots compiled from an identical source could have nearly identical feature sets, yet look completely different to an antivirus engine.
The creators of these Trojans and bots not only have very strong software development and testing skills, but also clearly know how security vendors operate and how to outmaneuver defenses such as antivirus software, IDS and firewalls, experts say. They know that they simply need to alter their code and the messages carrying it in small ways in order to evade signature-based defenses. Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.
"If you look at the way [Storm] is used, it's clear that money is changing hands and that the software has gone through a testing and revision process," said Phillip Porras, a program director at SRI International in Menlo Park, Calif., who has studied Storm's behavior. "The botnet is out there to help some group of people make money. This kind of malware is an economy now. Storm is not meant to spread across the entire Internet. It's meant to compromise specific targets. It's a network that is very good at producing money."
The way that Storm, Nugache and other similar programs make money for their creators is typically twofold. First and foremost, Storm's creator controls a massive botnet that he can use to send out spam runs, either for himself or for third parties who pay for the service. Storm-infected PCs have been sending out various spam messages, including pump-and-dump stock scams, pitches for fake medications and highly targeted phishing messages, throughout 2007, and by some estimates were responsible for more than 75% of the spam on the Internet at certain points this year.
Secondly, experts say that Storm's author has taken to sectioning off his botnet into smaller pieces and then renting those subnets out to other attackers. Estimates of the size of the Storm network have ranged as high as 50 million PCs, but Brandon Enright, a network security analyst at the University of California at San Diego, who wrote a tool called Stormdrain to locate and count infected machines, put the number at closer to 20,000. Dittrich estimates that the size of the Nugache network was roughly equivalent to Enright's estimates for Storm. Given that there are hundreds of millions of machines on the Internet at any one time, that may not seem like a significant number of compromised PCs. But, when you take into account the power of today's PCs, an attacker controlling even a small fraction of that network, say 500 machines, would have more than enough resources to launch crippling DoS attacks against virtually any target he chose.
Still, Storm's main reason for being remains the propagation of spam, which is still a highly lucrative business. Like Nugache, Storm's botnet has a decentralized architecture. However, the Storm network does in fact have a central C&C server; its P2P capabilities are used to hide that server. Storm also has the ability to use a technique called fast-flux DNS, which allows its creator to change the location of the command and control server on a whim, an important capability for a spam network, which is of no use if it can't receive commands. (Nugache, by contrast, does not use DNS at all for command and control.) In this respect, Storm has proven to be one of the more resilient and adaptable Trojans of its kind.
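A defender-side illustration of the fast-flux behaviour described above (an added example, not from the original article or any tool named in it): it flags names in passive-DNS data whose A records spread across many unrelated networks with short TTLs, while leaving a load-balanced name in a single network alone. The thresholds, the /16 grouping and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Thresholds are assumptions for this example; tune them against local baselines.
MIN_IPS = 5      # distinct A records seen for one name
MIN_NETS = 4     # distinct /16 networks those records fall in
MAX_TTL = 300    # seconds; flux records are served with short TTLs

# Constructed passive-DNS rows: (domain, A record, TTL). Not real indicators.
SAMPLE = [
    ("www.example.org", "192.0.2.10", 3600),
    ("www.example.org", "192.0.2.11", 3600),
    # Load-balanced name: many addresses, short TTL, but one network.
    ("cdn.example.com", "10.20.0.1", 60),
    ("cdn.example.com", "10.20.0.2", 60),
    ("cdn.example.com", "10.20.1.3", 60),
    ("cdn.example.com", "10.20.1.4", 60),
    ("cdn.example.com", "10.20.2.5", 60),
    # Flux-like name: addresses scattered over unrelated networks, short TTL.
    ("flux.example.net", "10.1.4.20", 120),
    ("flux.example.net", "10.77.9.3", 120),
    ("flux.example.net", "172.16.8.44", 180),
    ("flux.example.net", "172.29.1.7", 120),
    ("flux.example.net", "192.168.3.9", 150),
    ("flux.example.net", "10.200.6.1", 120),
]

def summarize(rows):
    """Per domain: distinct addresses, distinct /16 networks, highest TTL seen."""
    acc = defaultdict(lambda: {"ips": set(), "nets": set(), "max_ttl": 0})
    for domain, addr, ttl in rows:
        d = acc[domain.lower().rstrip(".")]
        d["ips"].add(addr)
        d["nets"].add(ip_network(f"{addr}/16", strict=False))
        d["max_ttl"] = max(d["max_ttl"], ttl)
    return acc

def flux_candidates(rows):
    """Return names whose records rotate across many networks with short TTLs."""
    hits = []
    for domain, d in sorted(summarize(rows).items()):
        if (len(d["ips"]) >= MIN_IPS and len(d["nets"]) >= MIN_NETS
                and d["max_ttl"] <= MAX_TTL):
            hits.append((domain, len(d["ips"]), len(d["nets"])))
    return hits

if __name__ == "__main__":
    for name, ips, nets in flux_candidates(SAMPLE):
        print(f"{name}: {ips} addresses in {nets} /16 networks")
```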
Upon infecting a new machine, Storm immediately begins contacting a small embedded list of peers via the Overnet P2P protocol. If it gets responses from some of those hosts, it then updates its list of peers, stores it and begins downloading new spam templates. Then it's off to work: the newly compromised PC begins spewing out spam messages or raining junk DoS packets down on target machines, depending on the orders it receives. The cycle begins again with each new peer that joins the network. Lather, rinse, repeat.
While this core set of activities remains the same from version to version, Storm's authors have been making small, but important, changes to each successive version of the program, giving it new capabilities and killing off features that are no longer necessary. Some newer versions of the Trojan, for example, have abandoned the practice of checking to see whether the malware is running inside of a virtual machine environment, a tactic that malware researchers often use to analyze new code. Instead, Porras said, the more recent releases have taken to encrypting all of the drivers they install in the name of added stealth.
Researchers like Porras, Dittrich, Joe Stewart of SecureWorks and others have spent thousands of hours analyzing the behavior of Storm, Nugache and other P2P Trojan networks, looking for some way -- any way -- to cripple them. Or even just to make a dent in them. Earlier this year, researchers grew tired of this game and decided to go on the offensive. They would take advantage of Storm's reliance on the Overnet protocol to overwhelm the network with junk search results. A small flaw in the Trojan's P2P implementation allows Storm bots to accept these spoofed results. The tactic worked for a while, but the malware's author removed Storm's dependency on Overnet searches, and the researchers were back to square one.
"The Storm network has a team of very smart people behind it. They change it constantly. When the attacks against searching started to be successful, they completely changed how commands are distributed in the network," said Enright. "If AV adapts, they re-adapt. If attacks by researchers adapt, they re-adapt. If someone tries to DoS their distribution system, they DoS back."
In fact, the person or persons pulling the strings on the Storm botnet has on several occasions used the network to attack machines belonging to researchers who have worked on analysis of the Trojan. Explanations for this behavior vary, with some researchers saying that some variants of Storm have the ability to launch automated DDoS attacks on suspicious IP addresses. But Dittrich and others say it is more likely that the Storm authors are paying attention to the research being done on the bot and are responding manually to unusual activity in their IRC channel and other indications of monitoring.
As scary as Storm and Nugache are, the scarier thing is that they represent just the tip of the iceberg. Experts say that there are several malware groups out there right now that are writing custom Trojans, rootkits and attack toolkits to the specifications of their customers. The customers are in turn using the malware not to build worldwide botnets a la Storm, but to attack small slices of a certain industry, such as financial services or health care.
Rizo, a variant of the venerable Rbot, is the poster child for this kind of attack. A Trojan in the style of Nugache and Storm, Rizo has been modified a number of times to meet the requirements of various different attack scenarios. Within the course of a few weeks, different versions of Rizo were used to attack customers of several different banks in South America. Once installed on a user's PC, it monitors Internet activity and gathers login credentials for online banking sites, which it then sends back to the attacker. It's standard behavior for these kinds of Trojans, but the amount of specificity and customization involved in the code and the ways in which the author changed it over time are what have researchers worried.
"There are some code changes in different versions, but mostly they just changed words," said Dittrich. "These guys will take a piece of malware like this and just use it for one or two weeks to target one specific bank and then they move on." Those small changes have the effect of fooling AV engines and also tricking malware researchers into thinking that these variants comprise a number of smaller attacks when in fact they are all pieces of one larger campaign.
The other worrisome detail in all of this is that there's significant evidence that the authors of these various pieces of malware are sharing information and techniques, if not collaborating outright.
"I'm pretty sure that there are tactics being shared between the Nugache and Storm authors," Dittrich said. "There's a direct lineage from Sdbot to Rbot to Mytob to Bancos. These guys can just sell the Web front-end to these things and the customers can pick their options and then just hit go."
Once just a hobby for devious hackers, writing malware is now a profession and its products have helped create a global shadow economy. That infrastructure stretches from the mob-controlled streets of Moscow to the back alleys of Malaysia to the office parks of Silicon Valley. In that regard, Storm, Nugache and the rest are really just the first products off the assembly line, the Model Ts of P2P malware.
"We're definitely going to see more of this," said Dittrich. "I can say with a pretty high degree of certainty that the authors are reading the stories and papers on their work and seeing which tactics work. They're learning and they're only going to get better."