Storm Botnet Becomes Self Defending?
The botnet that was built by the Storm Worm is estimated to contain up to 5 million compromised hosts, with enough computing power to rival the top ten supercomputers combined.
Now it is becoming apparent to some security researchers that the storm worm is defending itself against attempts to catalog or destroy the command and control nodes. Whether or not the cluster is doing this automatically or if it is signaling bot herders to do it manually is unknown at this time.
From the Reg here:
New features of botnets created by the infamous Storm Worm allow denial of service attacks to be launched against security defenders that attempt to interrupt its operation.
Attempts to probe command-and-control servers can result in a withering counter-attack of malicious traffic that can swamp the internet connections of security activists for days, according to Josh Korman, host-protection architect the ISS security division of IBM.
“As you try to investigate [Storm], it knows, and it punishes,” Korman told delegates at the Interop New York conference this week, Network World reports.
It’s unclear whether the counter-attacks are launched automatically by the malign system or by botnet herders manually. What is clear is that the code behind the malware is evolving.
Instead of simply disabling anti-virus applications, the latest refinement to the worm means that such applications may appear to run but are unable to detect malware. “It’s running, but it’s not doing anything,” Korman explained. “You can brain-dead anything.”
As malware writers become more sophisticated and they improve their botnets, it is inevitable that they should be able to collectively defend itself against interruption. Soon security researchers will need to deploy hacker techniques against the clusters to combat them, such as man-in-the-middle attacks or denial of service attacks- things that clearly cross the line and are in fact, illegal.
Will white hat researchers have to become “gray hats” to keep the internet safe? And would vigilante justice be justified in such a pursuit?
