Eternal Storm

If you haven’t heard of the Storm Botnet yet, chances are you will soon. With between one and 50 million nodes infected with this trojan, it forms the world’s most powerful supercomputer. Criminal elements are believed to control Storm, but that’s not why it is interesting.

The Storm Botnet is fascinating because of its resilience. As Bruce Schneier points out, antivirus companies haven’t figured out a way to put a dent in its propagation or effectiveness, even though they have known about it for almost a year, and even though it has already been used to send millions (perhaps billions) of spam emails and carry out several high-profile DDoS attacks. Getting rid of such a beast would clearly be very lucrative work for the antivirus industry, yet no one has devised a successful solution.

What makes this thing so indestructible? Schneier explains a key component:

Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn’t have a centralized control point, and thus can’t be shut down that way.

This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn’t show up as a spike. Communications are much harder to detect.

One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won’t work with Storm: An infected host may only know about a small fraction of infected hosts — 25-30 at a time — and those hosts are an unknown number of hops away from the primary C2 servers.

And even if a C2 node is taken down, the system doesn’t suffer. Like a hydra with many heads, Storm’s C2 structure is distributed.

In combination with some of its other novel features, Storm’s decentralization gives it a level of immunity to shutdown previously unseen anywhere.

It’s a shame that a malicious tool like Storm is providing such a stunning demonstration of the advantages of decentralization in the wild. But these techniques are not limited to malicious software. Indeed, major components of the Internet itself use the same techniques. flŭd backup is 100% decentralized for the same reasons: the data that you backup with flŭ­d should be as indestructible as possible. Decentralization is the most effective path to that goal, and Storm has provided us with ample evidence that such a scheme can be extremely effective.

Comments are closed.