October 24, 2007:
The most powerful Internet weapon on the planet is apparently dying the death of a thousand cuts. The weapon in question is the Storm botnet. This was the largest botnet ever seen, and it appeared to be acting like something out of a science fiction story. Last summer, the Storm network was believed capable of shutting down any military or commercial site on the planet. Or, Storm could cripple hundreds of related sites temporarily. Worse, Storm could have done some major damage in ways that have not yet been experienced.
There's never been anything quite like Storm, but the counterattacks against the network proved to be very effective. The Storm network is now believed to contain a few hundred thousand PCs at most, and is shrinking daily because security software has been updated to detect and remove it.
The Storm computer virus had been spreading since early in the year, grabbing control of PCs around the world. In that time Storm apparently infected over ten million computers with a secret program that turned those PCs into unwilling slaves (or "zombies") of those controlling this network (or botnet) of computers. Many of you may have noticed a lot of spam this year directing you to look at an online greeting card, or accompanied by PDF or image files. That was Storm, the largest single spam campaign ever. When you try to look at the file, Storm secretly takes over your computer. But Storm tries very hard to hide itself. All it wants to do is use your Internet connection to send spam, or other types of malicious data.
What makes Storm the perfect Internet weapon is how it has been designed to survive. The Storm zombie does no damage to the PCs it infects, and simply sits there, waiting for an order. Those orders come via a peer-to-peer system (similar to things like Kazaa or BitTorrent). A small percentage of the zombies spend short periods of time trying to spread themselves, then turn off. This makes it more difficult to locate infected PCs. Commands from the Storm operators are sent through several layers of zombie PCs, again making it very difficult to identify where those commands come from. Moreover, Storm operates as a horde of clusters, each of two or three dozen zombie PCs. It was believed that Storm would be very resistant to being shut down. Some police agencies have concentrated on finding the people running it, arresting them, and seizing their access data. The programmers who put Storm together know their stuff, and police in dozens of countries would like to get their hands on them.
To avoid the police (especially the U.S. FBI), many botherders (those who operate botnets) are usually in countries without an extradition treaty with the United States (where nearly half the zombie PCs are). Criminal gangs are increasingly active in producing things like Storm, and, in the case of China, so are government Cyber War operations. It's unclear who is controlling the Storm botnet, but it's becoming clear what Storm is up to. It has been launching attacks at web sites involved in stopping or investigating Storm. This involves transmitting huge quantities of bogus messages that shut down targeted web sites (this is a DDoS, or distributed denial of service, attack). The Storm botherders are also advertising their botnet as available for the usual illegal activities (various types of spam). It's believed that Storm is owned by a Russian criminal syndicate, but that's only a guess based on what is known about Storm so far.
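Two of the behaviours described above leave traces a network defender can look for: a zombie using its host's Internet connection to send spam shows up as one internal PC opening SMTP connections to many distinct destinations, and a DDoS against a web site shows up as a sudden jump in request volume from an unusually large number of sources. The following is an added example, not code from the original article; it runs two such detectors over constructed flow records (the record layout of timestamp, source, destination and destination port, the thresholds, and the "10." internal prefix are all assumptions for the illustration).

```python
"""Defender-side flow analysis illustrating two Storm-era signals:
zombie spam fan-out on TCP/25 and a request flood against one web host.
All flow records below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds, constructed timestamp
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination TCP port


def windows(flows, window):
    """Group flows into fixed-size time buckets keyed by bucket start."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.ts - f.ts % window].append(f)
    return buckets


def spam_senders(flows, window=60, min_distinct_dsts=20, internal="10."):
    """Internal hosts that open SMTP connections to many distinct
    destinations within one window. A normal desktop relays through a
    single mail server; a spam zombie fans out directly to many hosts."""
    flagged = set()
    for bucket in windows(flows, window).values():
        dsts = defaultdict(set)
        for f in bucket:
            if f.dport == 25 and f.src.startswith(internal):
                dsts[f.src].add(f.dst)
        for src, ds in dsts.items():
            if len(ds) >= min_distinct_dsts:
                flagged.add(src)
    return sorted(flagged)


def flood_windows(flows, target, window=10, factor=5, min_sources=50):
    """Windows in which web requests to `target` exceed `factor` times the
    median window AND come from at least `min_sources` distinct sources.
    Returns (window_start, request_count, distinct_sources) tuples."""
    counts, sources = {}, {}
    for start, bucket in windows(flows, window).items():
        hits = [f for f in bucket if f.dst == target and f.dport == 80]
        if hits:
            counts[start] = len(hits)
            sources[start] = len({f.src for f in hits})
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(
        (s, counts[s], sources[s])
        for s in counts
        if counts[s] > factor * baseline and sources[s] >= min_sources
    )


def build_sample():
    """Constructed records: six quiet 10-second windows then a flood window
    against a web host, plus one spamming zombie and one normal mail user."""
    web = "203.0.113.10"
    flows = []
    # baseline: five visitors per 10-second window for one minute
    for t in range(0, 60, 2):
        flows.append(Flow(t, f"198.51.100.{t % 50 + 1}", web, 80))
    # flood: 200 distinct sources hit the site during seconds 60-69
    for i in range(200):
        flows.append(Flow(60 + i % 10, f"192.0.2.{i}", web, 80))
    # zombie: one internal PC opens SMTP to 30 distinct hosts in 30 seconds
    for i in range(30):
        flows.append(Flow(i, "10.0.0.7", f"192.0.2.{100 + i}", 25))
    # normal user: a few messages, all through the internal mail server
    for i in range(5):
        flows.append(Flow(i * 10, "10.0.0.5", "10.0.0.2", 25))
    return flows


if __name__ == "__main__":
    sample = build_sample()
    print("spam-like senders:", spam_senders(sample))
    print("flood windows:", flood_windows(sample, "203.0.113.10"))
```

The spam detector deliberately ignores traffic to a single relay, so ordinary mail clients are not flagged; the flood detector requires both a volume spike relative to the site's own median and a wide spread of sources, which is what distinguishes a distributed flood from one noisy client.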
What brought down Storm were antivirus software publishers, who updated their software to detect and remove the Storm software that secretly turned a PC into a zombie. Even though the Storm creators made their zombie software hard to detect, it was not impossible to detect. The final blow in this campaign came in September, when Microsoft updated its "Malicious Software Removal Tool" (which is a component of the Windows operating system) to detect and remove Storm. As Storm has been modified to avoid removal, Microsoft and other security software manufacturers have been adjusting their software. It's a race that Storm has apparently been losing.
What Storm demonstrated, however, was how a Cyber War operation could quickly build a large botnet. Such a network could be used as a military weapon, for at least a few weeks, until security software removed most of the zombie software. Storm, however, was used mainly for the usual Internet criminal scams. But it could have been used as a weapon, and future networks like Storm might be put to more sinister uses.