
The scariest virus attack to date

How long does a virus live and spread for? A couple of months? Maybe a month or so of rapid spreading, after which infection rates stagnate? Note that I am using the word "virus" loosely here to cover worms and trojans too, since for the purposes of this post the distinction does not matter.

How about 9 months and counting?

The Storm worm (supposedly the most well-known current virus, but I hadn't heard of it before yesterday) spread extremely rapidly during one week in January 2007, and is still growing in October 2007. The worm is building a botnet comprising, depending on whose estimate you believe, somewhere between 1 million and 50 million Windows computers. The botnet is being used to send spam and to spread the worm further.

What's so scary about this virus?

  • It is decentralised - unlike most botnets, commands are not sent through an IRC channel to which every infected computer is connected. Instead, the crackers who created the worm connect directly to a single infected computer, send the command, and disconnect. That computer relays the command to the other infected computers it knows about, they relay it to theirs, and so on. (Storm's infected hosts find each other over a modified version of the Overnet/eDonkey peer-to-peer protocol, so each host only ever knows a small list of other victims.) Traditional techniques for finding the culprit - seize the command server, or read its address out of any infected machine - DO NOT WORK, because almost no infected computer has ever been in direct contact with the crackers.
  • Storm is patient - no compromised computer attacks 100% of the time, which helped it fly under the radar for a long time.
  • It has survived a Malicious Software Removal Tool update. Microsoft has added a definition for the worm to its MSRT and pushed that update out to legitimate Windows users. In theory, that should have killed the botnet stone dead, as Windows computers would update their MSRT and the tool would delete the worm. That has not happened: the botnet is estimated to have been weakened by about 20%, but the worm continually alters its binary to escape signature-based detection and is continuing to spread.
  • The worm has a self-defence system that punishes anyone who probes the ports it opens. If an infected host detects a port scan, the botnet is commanded to launch a distributed Denial-of-Service attack against the address that is doing the scanning.
  • The worm therefore already has the ability to mount DDoS attacks. The combined bandwidth of these compromised computers could be enough to bring down backbone nodes with a well-placed attack; the effect would be that an entire country or two loses its internet access.
  • The botnet has already used DDoS attacks against anti-spam websites.
  • 1.2 billion e-mails have been sent by the botnet; 57 million of them were sent on 22 August 2007 ALONE.
  • The worm has recently evolved - it no longer just sends spam, it is also reported to infect web servers running various Windows Server flavours. The two prongs of attack work together: the spam messages advertise TOR (an anonymous internet surfing program) and link to infected computers that are serving up the worm's binary in place of the promised download.
  • The botnet has been reported to have more processing power and bandwidth than the top 500 supercomputers COMBINED.
  • Only approximately 10-20% of the botnet's power is estimated to have been brought to bear so far.
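
The decentralised command relay in the first bullet and the partial cleanup in the MSRT bullet are easier to reason about with a model in front of you. The following Python script is an added example, not code from the original post and not Storm's own code: it builds a toy peer-to-peer overlay (a ring plus random chords, an assumed topology chosen so the graph is always connected; Storm's real overlay was a modified Overnet/eDonkey network), floods a command from a single entry host, then disinfects a random 20% of hosts and floods again to see how much of the surviving network still receives commands. All hosts and peer lists are constructed inside the script.

```python
"""Toy model of decentralised command propagation in a P2P botnet.

Constructed example: each infected host knows only a few other infected
hosts, the controller injects a command at ONE host, and hosts relay it to
their peers. The model shows two things the prose only states: how few hops
a command needs to reach every host, and how much of the network still
receives commands after a fraction of hosts has been cleaned up.
"""
import random
from collections import deque


def build_overlay(n_hosts, chords_per_host=4, seed=1):
    """Ring plus random chords (assumed topology; keeps the graph connected).

    Returns {host_id: set(peer_ids)} with symmetric links, so no host ever
    knows more than a handful of other victims and none knows the controller.
    """
    rng = random.Random(seed)
    peers = {h: set() for h in range(n_hosts)}
    for h in range(n_hosts):
        nxt = (h + 1) % n_hosts            # ring link keeps the overlay connected
        peers[h].add(nxt)
        peers[nxt].add(h)
        for _ in range(chords_per_host):   # random long-range links shorten paths
            p = rng.randrange(n_hosts)
            if p != h:
                peers[h].add(p)
                peers[p].add(h)
    return peers


def flood_command(peers, entry_host):
    """Controller talks to one host; each host relays the command to its peers once.

    Breadth-first relay. Returns {host: hops from the entry host} for every
    host that received the command.
    """
    hops = {entry_host: 0}
    queue = deque([entry_host])
    while queue:
        h = queue.popleft()
        for p in peers[h]:
            if p not in hops:
                hops[p] = hops[h] + 1
                queue.append(p)
    return hops


def remove_hosts(peers, fraction, seed=2):
    """Simulate a cleanup (e.g. an MSRT signature) disinfecting a random fraction
    of hosts. Survivors simply lose the dead entries from their peer lists."""
    rng = random.Random(seed)
    hosts = list(peers)
    dead = set(rng.sample(hosts, round(len(hosts) * fraction)))
    return {h: ps - dead for h, ps in peers.items() if h not in dead}


def propagation_stats(n_hosts=2000, cleanup_fraction=0.20):
    """Flood before and after cleanup; return coverage and hop-count figures."""
    peers = build_overlay(n_hosts)
    before = flood_command(peers, entry_host=0)

    survivors = remove_hosts(peers, cleanup_fraction)
    entry = next(iter(survivors))          # controller picks any surviving host
    after = flood_command(survivors, entry)

    return {
        "hosts": n_hosts,
        "reached_before": len(before) / n_hosts,
        "max_hops_before": max(before.values()),
        "survivors": len(survivors),
        "reached_after_cleanup": len(after) / len(survivors),
        "max_hops_after": max(after.values()),
    }


if __name__ == "__main__":
    for key, value in propagation_stats().items():
        print(f"{key}: {value}")
```

Two things to notice when you run it: a command reaches all 2000 hosts in a handful of hops even though each host knows only about ten others, and after 20% of hosts are disinfected the survivors are still (almost) all reachable from any single entry point, because the overlay has no central node whose removal partitions it. Seizing any one host gives a forensic analyst a list of other victims, never the controller's address, which is exactly why the IRC-era takedown playbook fails here.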

Scared yet?  I am.  I no longer think that the category of "I don't need to worry about it" applies! I don't need to worry about actually getting the Storm worm, because I am careful about what attachments I open, and I have faith in the ability of my operating system (Linux) to protect my computer. But I'm scared of what the full power of this botnet could do.

Here are some good links to articles about Storm, just to get you more worried:

http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
http://en.wikipedia.org/wiki/Storm_Worm
http://www.youtube.com/watch?v=kH8cS1AkqiI - this is purportedly a map of Storm infections in January, but I'm not sure if this video is genuine or fake.
http://arstechnica.com/news.ars/post/20070902-storm-worm-adds-millions-of-computers-to-botnet.html
http://www.informationweek.com/news/showArticle.jhtml?articleID=201200849
http://blog.washingtonpost.com/securityfix/2007/10/the_storm_worm_maelstrom_or_te.html
http://en.wikipedia.org/wiki/Storm_botnet
http://seclists.org/fulldisclosure/2007/Aug/0520.html