Enviar búsqueda
Cargar
Analyzing the Stormy Web Threat in 2007
•
1 recomendación
•
544 vistas
Título mejorado por IA
Anthony Arrott
Seguir
a quantitative assessment of the Storm web threat in 2007
Leer menos
Leer más
Tecnología
Denunciar
Compartir
Denunciar
Compartir
1 de 4
Recomendados
12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware
Digital Pymes
AVG Threat Report Q4 2012
AVG Threat Report Q4 2012
AVG Technologies AU
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
Aditya K Sood
2016 payment threats trends report
2016 payment threats trends report
Ian Beckett
ISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection Model
Aditya K Sood
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
Infinigate Group
Ghosts In The Machine Today's Invisible Threats Oct 2009
Ghosts In The Machine Today's Invisible Threats Oct 2009
Trend Micro
Eh34803812
Eh34803812
IJERA Editor
Recomendados
12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware
Digital Pymes
AVG Threat Report Q4 2012
AVG Threat Report Q4 2012
AVG Technologies AU
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
Aditya K Sood
2016 payment threats trends report
2016 payment threats trends report
Ian Beckett
ISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection Model
Aditya K Sood
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
Infinigate Group
Ghosts In The Machine Today's Invisible Threats Oct 2009
Ghosts In The Machine Today's Invisible Threats Oct 2009
Trend Micro
Eh34803812
Eh34803812
IJERA Editor
Nss repko
Nss repko
rrepko
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
Kim Jensen
Rp threat-predictions-2013
Rp threat-predictions-2013
Комсс Файквэе
Historyofviruses
Historyofviruses
Fathoni Mahardika II
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
Symantec
Avg community powered threat report q2 2011
Avg community powered threat report q2 2011
AVG Technologies
Computer viruses
Computer viruses
Dark Side
Emerging cyber threats_report2012
Emerging cyber threats_report2012
day4justice
Network virus detection & prevention
Network virus detection & prevention
Khaleel Assadi
MainPaper_4.0
MainPaper_4.0
varun4110
New Age Cybersecurity
New Age Cybersecurity
Kishore Jethanandani, MBA, MA, MPhil,
Maximize Computer Security With Limited Ressources
Maximize Computer Security With Limited Ressources
Secunia
Il Cloud a difesa della mail e del web
Il Cloud a difesa della mail e del web
Symantec Italia
Computer virus
Computer virus
BGS Model Public School
Search Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software Diversification
FoCAS Initiative
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning Worms
IOSR Journals
Virus vs Anti-Virus
Virus vs Anti-Virus
SamarAhmadKhan1
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
UltraUploader
εργασια
εργασια
Stefanos MrPerfection
Viruses
Viruses
prakhar vajpai
Attact evolution
Attact evolution
RoshAan4
Protecting Against the New Wave of Malware
Protecting Against the New Wave of Malware
GFI Software
Más contenido relacionado
La actualidad más candente
Nss repko
Nss repko
rrepko
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
Kim Jensen
Rp threat-predictions-2013
Rp threat-predictions-2013
Комсс Файквэе
Historyofviruses
Historyofviruses
Fathoni Mahardika II
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
Symantec
Avg community powered threat report q2 2011
Avg community powered threat report q2 2011
AVG Technologies
Computer viruses
Computer viruses
Dark Side
Emerging cyber threats_report2012
Emerging cyber threats_report2012
day4justice
Network virus detection & prevention
Network virus detection & prevention
Khaleel Assadi
MainPaper_4.0
MainPaper_4.0
varun4110
New Age Cybersecurity
New Age Cybersecurity
Kishore Jethanandani, MBA, MA, MPhil,
Maximize Computer Security With Limited Ressources
Maximize Computer Security With Limited Ressources
Secunia
Il Cloud a difesa della mail e del web
Il Cloud a difesa della mail e del web
Symantec Italia
Computer virus
Computer virus
BGS Model Public School
Search Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software Diversification
FoCAS Initiative
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning Worms
IOSR Journals
Virus vs Anti-Virus
Virus vs Anti-Virus
SamarAhmadKhan1
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
UltraUploader
εργασια
εργασια
Stefanos MrPerfection
Viruses
Viruses
prakhar vajpai
La actualidad más candente
(20)
Nss repko
Nss repko
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
Rp threat-predictions-2013
Rp threat-predictions-2013
Historyofviruses
Historyofviruses
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
Avg community powered threat report q2 2011
Avg community powered threat report q2 2011
Computer viruses
Computer viruses
Emerging cyber threats_report2012
Emerging cyber threats_report2012
Network virus detection & prevention
Network virus detection & prevention
MainPaper_4.0
MainPaper_4.0
New Age Cybersecurity
New Age Cybersecurity
Maximize Computer Security With Limited Ressources
Maximize Computer Security With Limited Ressources
Il Cloud a difesa della mail e del web
Il Cloud a difesa della mail e del web
Computer virus
Computer virus
Search Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software Diversification
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning Worms
Virus vs Anti-Virus
Virus vs Anti-Virus
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
εργασια
εργασια
Viruses
Viruses
Similar a Analyzing the Stormy Web Threat in 2007
Attact evolution
Attact evolution
RoshAan4
Protecting Against the New Wave of Malware
Protecting Against the New Wave of Malware
GFI Software
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploits
ecarrow
CYBER TERRORISM
CYBER TERRORISM
Tejesh Dhaypule
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Con
karenahmanny4c
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
croysierkathey
C3
C3
Praveen Malisetty
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-na
Andreas Hiller
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITY
JASHU JASWANTH
Virus detection based on virus throttle technology
Virus detection based on virus throttle technology
Ahmed Muzammil
Information security
Information security
Appin Faridabad
IJSRED-V2I3P69
IJSRED-V2I3P69
IJSRED
2011 modeling and detection of camouflaging worm
2011 modeling and detection of camouflaging worm
deepikareddy123
2011 modeling and detection of camouflaging worm
2011 modeling and detection of camouflaging worm
deepikareddy123
cybersecurity essay.docx
cybersecurity essay.docx
ssuser719d6b
Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...
UltraUploader
Information security in todays world
Information security in todays world
Sibghatullah Khattak
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayada
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayada
namblasec
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
mordechaiguri
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
IJCNCJournal
Similar a Analyzing the Stormy Web Threat in 2007
(20)
Attact evolution
Attact evolution
Protecting Against the New Wave of Malware
Protecting Against the New Wave of Malware
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploits
CYBER TERRORISM
CYBER TERRORISM
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
C3
C3
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-na
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITY
Virus detection based on virus throttle technology
Virus detection based on virus throttle technology
Information security
Information security
IJSRED-V2I3P69
IJSRED-V2I3P69
2011 modeling and detection of camouflaging worm
2011 modeling and detection of camouflaging worm
2011 modeling and detection of camouflaging worm
2011 modeling and detection of camouflaging worm
cybersecurity essay.docx
cybersecurity essay.docx
Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...
Information security in todays world
Information security in todays world
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayada
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayada
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
Último
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Alex Barbosa Coqueiro
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
Fwdays
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
Addepto
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
LoriGlavin3
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
Fwdays
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
blackmambaettijean
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
LoriGlavin3
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
2toLead Limited
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
Dilum Bandara
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
Curtis Poe
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
HarshalMandlekar2
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
LoriGlavin3
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
Fwdays
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
Pixlogix Infotech
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
Lorenzo Miniero
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
MounikaPolabathina
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
Nicole Novielli
Último
(20)
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
Analyzing the Stormy Web Threat in 2007
1.
STORMY WEATHER ...
GENES, ARROTT, SANCHO (F-Secure), Nuwar (McAfee, ESET), Peacomm (Symantec, STORMY WEATHER: A Microsoft), Tibs (BitDefender), Zhelatin (Kaspersky), Dorf QUANTITATIVE ASSESSMENT OF (Sophos), Small.EDW (Trend Micro) and CME-711 (MITRE). However, much overlap in naming continues to exist among the THE STORM WEB THREAT IN 2007 anti-virus vendors as the myriad of ever-changing components of Raimund Genes, Anthony Arrott, David Sancho Storm are identified. Manifestations of Storm are also known by Trend Micro, Germany their URL domains, by the subject lines of malicious emails used to distribute its malware (e.g. ‘Russian missile shot down Chinese satellite’), and by the filenames of attachments (e.g. Email {raimund_genes, anthony_arrott, ‘ReadMore.exe’). david_sancho}@trendmicro.com The effectiveness of Storm despite its extended period of general exposure has been attributed to several factors that distinguish it from previous malware. These factors have been summarized by ABSTRACT Porras et al. [4]: The mixed web threat known as Storm is widely acknowledged a. Smart social engineering: Storm infection links are sent in as the most significant digital security event of 2007. Storm emails that entice would-be victims by using highly topical combines the global epidemic aspects of traditional viruses and and constantly changing spam campaigns, e.g. subject lines worms with the stealth and economic activity of today’s massive about recent weather disasters [5], or holidays [6]. botnets. b. An ability to spread using client-side vulnerabilities: merely Historically, malware outbreaks have been fast-spreading, clicking on the wrong URL link from an unsolicited email single-purposed and soon over. Storm continued to spread for may be enough to infect one’s computer, and the apparent many months in successive bursts using different techniques. It pool of users willing to do this may be in the millions. sustained its potency by recruiting hundreds of thousands of infected computers into a gigantic botnet. Its purpose appears to c. An ability to lure victims to malicious URLs by hijacking be a service-for-hire for multiple fraudulent web activities. existing chat sessions [7]. The many months duration over which the Storm infection d. An effectively obfuscated command and control (C&C) spread and its successive methods of attack provide far more protocol overlaid on the Overnet P2P network. data to threat researchers than past virus and worm outbreaks. e. Actively updating the spambot client binaries to adapt to the Studying the development of the Storm botnet has been latest OS upgrades, malware removal heuristics and security compared to watching an ant colony grow; whereas traditional patches. virus outbreaks are more like studying a bomb explosion. The overall character and malicious purpose of Storm can be Conditions before the initial appearance of the Storm worm in summarized according to four dimensions of web threat January 2007 are compared with measurements made during the categorization proposed by Arrott & Perry [8]: various stages of Storm’s evolution throughout 2007. Storm provides a first opportunity for quantitative analysis of what may How does Storm infect computers? prove to be a new generation of intensive malware outbreaks. Storm infects host computers either by users opening email attachments or by users visiting infected websites. The email BACKGROUND messages usually link to an executable attachment (e.g. On 19 January 2007 a new web threat was discovered to be ‘Full Story.exe’) or a link to an infected website (e.g. ‘click_for_ infecting thousands of computers worldwide using an email full_story’). In either case, a user click on the link allows Storm message with a subject line about a recent weather disaster, ‘230 to download software that turns the victim’s computer into a dead as storm batters Europe’ [1]. During the weekend there remotely controlled botnet zombie. were six subsequent waves of the attack [2]. By 22 January 2007, what became popularly known as the Storm Worm accounted for What does Storm do to make money for its 8% of all new infections globally [3]. perpetrators? But what appeared at first to be a traditional computer virus Storm generates income for its perpetrators by enabling ‘botnets outbreak exhibited a novel resilience to anti-virus remedies as it for rent’ in the underground crimeware economy. Rented botnets sustained itself through successive waves of infection. Major can be used as powerful spam engines for various advertising waves of malware infection and elevated spam volumes occurred and marketing frauds. Rented botnets can also be used in in April, June, July and September of 2007. What emerged was a predatory denial of service attacks on targeted websites. complex adaptable web threat utilizing many of the latest malware techniques in clever coordination. How does Storm do it, technically? The sustained attacks of the Storm web threat throughout 2007 Storm operates as several instances of remotely controlled may well mark a milestone in the evolution of malicious networks (botnets) of infected computers (zombies) [9]. The software. Identified components of this threat have been assigned botnets can be configured to have their zombies launch spam various names by anti-virus research labs. These include: Storm 48 VIRUS BULLETIN CONFERENCE OCTOBER 2008 © Virus Bulletin Ltd
2.
STORMY WEATHER ...
GENES, ARROTT, SANCHO email campaigns [10]. Since each zombie has its own IP • 17 Jan 07 – European Storm Spam address, it is exceedingly difficult to identify spam by its sender. • 12 Apr 07 – Worm Alert Spam Similarly, zombies can be commanded to participate in distributed • 27 Jun 07 – E-card (applet.exe) denial of service attacks (DDoS) [11]. When thousands upon • 4 July 07 – 231st B-day thousands of zombies with random IP addresses are instructed to focus on a single website, the targeted website can be rendered • 2 Sep 07 – Labor Day (labor.exe) inoperable in the flood of indistinguishable access requests. • 5 Sep 07 – Tor Proxy • 10 Sep 07 – NFL Tracker How does Storm protect itself from detection and removal? • 17 Sep 07 – Arcade Games. In addition to the operational or ‘payload’ malicious code, Malware detection Storm infects its hosts with rootkits that operate underneath the host operating system and are able to mask the existence of Records of malware file detections were obtained throughout malicious code running in memory. 2007 from computers using the Trend Micro HouseCall AV utility. HouseCall scan reports from approximately 100,000 PCs Also, Storm provides periodic updates and replacements of the worldwide were collected and analysed for each week. From the malicious software on the infected hosts. These periodic scan reports, the percentage of computers infected with a deliveries may be part of why Storm attacks come in waves. Storm-related malware file was determined. Storm-related Finally, the botnet control of the thousands of Storm zombies is malware infections included the following Trend-designated itself managed in several innovative ways that protect the threats: TROJ_DUMADOR, BKDR_DUMADOR, individual zombie identities and maintain overall operational TROJ_AGENT.JV, TROJ_SMALL.EDW, TROJ_TIBS, integrity of the botnet. These include decentralized control, WORM_NUWAR and WORM_ZHELATIN. rotating activation, enhanced encryption and frequent code Weekly changes in the percentage of computers with replacement [12]. Storm-related infections were correlated with the initiation dates of each wave of Storm attack. The outbreaks in late June and MEASUREMENTS early July have been grouped as a single outbreak, as have the Detections of specific malware components associated with outbreaks in September 2007 (see Figure 1). Storm on infected computers worldwide are used to correlate Following each wave of Storm attacks, AV detections of the prevalence of computer infection to the timeline of Storm Storm-related malware files were initially suppressed. This was attacks and the subsequent bursts of spam. An important eventually followed by increased detections as AV products and limitation of these measurements to keep in mind is that services responded to the innovations of the Storm perpetrators. anti-virus researchers cannot measure the prevalence of a computer infection until after the threat has been identified and Correlation with spam volumes characterized, whether by digital signature or behavioural means. Hence the precise timing and actions of the perpetrators The predominant outcomes of the 2007 Storm attacks were of web threats is typically limited to inference. massive increases in spam during the weeks following each successive wave of infection. The early waves resulted in elevated spam in the order of tens of millions messages while Timeline the later attacks led to increases of over a billion spam messages While some malware components of what would come to be [12]. Also with each attack the elevated spam was sustained for known as Storm were identified earlier, 17 January 2007 is generally considered the launch date of Storm. (The distributed denial of service attacks on several anti-spam websites on 12 January 2007 [11] may have been a pre-emptive strike by Storm’s perpetrators in order to make more effective the general assault that began on 17 January 2007.) Unlike past computer virus outbreaks, Storm in 2007 consisted of successive waves of elevated computer infections initiated on particular dates throughout the year. The most distinguishing features of these successive waves were the massive bursts of spam volume following a distinct change in the malware and distribution techniques used by Storm in each wave. Consequently, the initiation date of each wave is associated with the tactic employed in the subsequent spam burst. Figure 1: Detections of Storm-related malware files are Although exact dates vary among reports, for purposes of our measured as the weekly average percentage of computers analysis the following timeline of Storm outbreaks in 2007 is infected by Storm (black bars). This is correlated with the onset adopted from Porras et al. [4]: dates of the successive waves of Storm attacks during 2007. VIRUS BULLETIN CONFERENCE OCTOBER 2008 © Virus Bulletin Ltd 49
3.
STORMY WEATHER ...
GENES, ARROTT, SANCHO suggests a potential innovative countermeasure. The spam campaign analysis of Kreibich et al. raises the possibility of anti-spam countermeasures utilizing intelligence of Storm’s background ‘target liveness’ testing and email address harvesting [10]. Holz et al. have demonstrated that knowledge of the communication protocols of distributed botnets like those of Storm can be used to mount ‘pollution attacks’ that disrupt command and control of the botnet’s zombies [9]. However, with its combined use of malicious email attachments, infected websites, rootkits and botnets to mount spam campaigns and DDoS attacks, Storm highlights the urgent need for even more integrated web threat security countermeasures. This requires combining and correlating threat information derived from anti-spam, anti-malware and web-filtering solutions. Cloud-based reputation services can perform ongoing cross-correlation analyses of spam source Figure 2: Delays from the initiation of each Storm attack wave until: (a) the domains, infected website URLs and executable trough of initial suppression of AV malware detection (yellow); (b) the subsequent malware files without the inherent delays peak of AV detections (green); and (c) the peak of spam elevation resulting from associated with the distribution and storage of the Storm attacks (red). threat information in individual computers and longer and longer periods. We use the delay between the networks. Internet security vendor Trend Micro initiation of a particular wave until the week of peak spam currently processes over five billion queries a day to its email, elevation as an indicator of the sustainability of each Storm URL and file reputation services. Automated root cause wave. During the first three Storm waves of 2007 (‘European analyses of these queries are cross-correlated among spam, bad Storm’ in January; ‘Worm Alert’ in April, and ‘E-card’/‘231st URLs and malware files to rapidly update in-the-cloud B-day’ in June/July) the delay to peak spam elevation steadily databases for the three types of reputations [15]. increased from one week to three weeks to eight weeks, respectively (see Figure 2). REFERENCES While Storm malware detections were consistently suppressed [1] BBC News. Storm chaos prompts virus surge. in the first week or two after the initiation of Storm attacks, the January 2007. http://news.bbc.co.uk/1/hi/ delay until AV products reached peak detection steadily technology/6278079.stm. increased with each wave from three weeks following the January and April waves to eight weeks in June/July and 12 [2] Espiner, T. ‘Storm worm’ slithers on. ZDNet. January weeks after the September attacks (see Figure 2). 2007. http://news.zdnet.co.uk/ security/0,1000000189,39285565,00.htm. IMPLICATIONS [3] Keizer, G. ‘Storm’ spam surges, infections climb. The measurements presented here provide only one view of the Information Week. January 2007. Storm web threat in 2007. We envision this to be but one http://www.informationweek.com/news/security/ building block which, when combined with other studies, may vulnerabilities/showArticle.jhtml?articleID=196902579. facilitate a fuller characterization of complex coordinated web [4] Porras, P.; Saidi H.; Yegneswaran V. A multi- threats like Storm and the development of more effective perspective analysis of the storm (peacomm) worm. countermeasures to mitigate their damage to computer users. SRI International Technical Report, October 2007. The better web threat researchers are able to characterize Storm, http://www.cyber-ta.org/pubs/StormWorm/. the more effectively countermeasures can be made to combat it [5] Kawamoto, D. Storm Worm rages across the globe. and similar innovative web threats. This not only applies to the CNET News. January 2007. http://news.cnet.com/ technical actions of Storm on individual infected host computers Storm-worm-rages-across-the-globe/2100-7349_ but also to the overall recruitment and management of the 3-6151414.html?hhTest=1&tag=item. massive Storm botnets [8,13], to the way these botnets mount effective spam campaigns [10] and to how these botnets evade [6] Albright, N. Latest stormworm sharing Labor Day detection [14]. greetings. Digital Intelligence and Strategic Operations Each new view into the workings of Storm provides not only a Group. September 2007. http://www.disog.org/2007/09/ better understanding of its complexity but also typically latest-stormworm-filenames.html. 50 VIRUS BULLETIN CONFERENCE OCTOBER 2008 © Virus Bulletin Ltd
4.
STORMY WEATHER ...
GENES, ARROTT, SANCHO [7] Florio, E. Mespam meets zunker (and targets German users). Symantec Security Response Log. May 2007. https://forums.symantec.com/syment/blog/ article?message.uid=305945. [8] Arrott, A.; Perry, D. New approaches to categorizing economically motivated digital threats. Proceedings of the 17th Virus Bulletin International Conference (VB2007). http://uk.trendmicro.com/imperia/md/ content/campaigns/predator2008/uk/wp01_ virusbulletin_080111us.pdf. [9] Holz, T.; Moritz Steiner, M.; Dahl, F.; Biersack, E.; Freiling, F. Measurements and mitigation of peer-to- peer-based botnets: a case study on storm worm. USENIX Workshop on Large-Scale Exploits and Emergent Threats. April 2008. http://www.usenix.org/events/leet08/tech/full_papers/ holz/holz.pdf. [10] Kreibich, C.; Kanich, C.; Levchenko, K.; Enright, B.; Voelker, G.M.; Paxson, V.; Savage, S. On the spam campaign trail. USENIX Workshop on Large-Scale Exploits and Emergent Threats. April 2008. http://www.usenix.org/event/leet08/tech/full_papers/ kreibich/kreibich_html/. [11] Stewart, J. Storm worm DDoS attack. Secureworks Research Center. February 2007. http://www.secureworks.com/research/threats/ storm-worm. [12] Smith, B. A storm (worm) is brewing. Computer, vol 41 #2 pp.20-22. February 2008. http://doi.ieeecomputersociety.org/10.1109/ MC.2008.38. [13] Sarat, S.; Terzis, A. Measuring the storm worm network. HiNRG Technical Report. Johns Hopkins University. October 2007. http://www.cs.jhu.edu/ ~sarat/storm.pdf. [14] Stinson, E.; Mitchell, J.C. Towards systematic evaluation of the evadability of bot/botnet detection methods. USENIX Workshop on Offensive Technologies. July 2008. http://www.usenix.org/event/ woot08/tech/full_papers/stinson/stinson_html/. [15] Trend Micro. Smart protection network. June 2008. http://itw.trendmicro.com/smart-protection-network/ pdfs/SmartProtectionNetwork_WhitePaper.pdf. VIRUS BULLETIN CONFERENCE OCTOBER 2008 © Virus Bulletin Ltd 51