Storm Worm, Encryption, Disruption, and more...
We also found out that the "authentication" used by Storm is very weak: the four-byte XOR key is a simple obfuscation scheme, and the 64-bit RSA needs only a little more work to break, since a 64-bit modulus is far too small to resist factoring. We actually published our results back in April 2008 at the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08), a fact that some people seem to have missed. Frederic Dahl also summarized all of these aspects in his diploma thesis, which was published in March 2008.
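Both weaknesses are easy to check concretely. The following Python is an added example written for this page, not code from our Storm analysis, the LEET paper or the thesis: a repeating four-byte XOR key is recovered from four bytes of known plaintext, and a 64-bit RSA modulus is factored with Pollard's rho, which yields the private exponent. The message, the XOR key and the two 32-bit primes are constructed for the demo and are not Storm's values; the assumption that a message starts with predictable header bytes is the example's, not the post's.

```python
"""
Added example, not code from the Storm Worm analysis: why a 4-byte repeating
XOR key and a 64-bit RSA modulus provide no real protection.
All keys, messages and primes below are constructed for this demo.
"""
import math
import random


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_prefix: bytes, key_len: int = 4) -> bytes:
    """Recover a repeating XOR key of `key_len` bytes from a known-plaintext prefix.

    One key byte is learned per known plaintext byte, so `key_len` known bytes
    (e.g. a fixed protocol header) are enough to decode every later message.
    """
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(ciphertext[i] ^ known_prefix[i] for i in range(key_len))


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of the composite n using Pollard's rho.

    Expected cost is about sqrt(smallest factor) steps, so a 64-bit semiprime
    with two 32-bit primes takes on the order of 2**16 iterations.
    """
    if n % 2 == 0:
        return 2
    rng = random.Random(1)  # fixed seed keeps the demo deterministic
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                       # d == n means the walk failed; retry with new c
            return d


def rsa_private_exponent(n: int, e: int) -> int:
    """Recover the RSA private exponent d from the public key (n, e) by factoring n."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


# --- constructed demo values (not Storm's) -----------------------------------
DEMO_XOR_KEY = b"\x13\x37\xca\xfe"
# Assumed: messages begin with a fixed 4-byte header the analyst knows.
DEMO_MESSAGE = b"HDR1" + b"search: some-hash-value; ttl=3"
DEMO_P = 4294967291          # 2**32 - 5, prime
DEMO_Q = 4294967279          # 2**32 - 17, prime
DEMO_N = DEMO_P * DEMO_Q     # 64-bit modulus
DEMO_E = 65537


def demo() -> dict:
    """Run both attacks on the constructed values and return the results."""
    ct = xor_stream(DEMO_MESSAGE, DEMO_XOR_KEY)
    key = recover_xor_key(ct, DEMO_MESSAGE[:4])
    d = rsa_private_exponent(DEMO_N, DEMO_E)
    m = 12345
    return {
        "recovered_xor_key": key,
        "decoded": xor_stream(ct, key),
        "factor": pollard_rho(DEMO_N),
        "rsa_roundtrip_ok": pow(pow(m, DEMO_E, DEMO_N), d, DEMO_N) == m,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The XOR recovery needs no brute force at all: the key is simply ciphertext XOR known plaintext, one byte per key byte. For the RSA part, Pollard's rho is the simplest method that makes the point; a real attacker would just hand a 64-bit modulus to any factoring tool, where it falls in well under a second.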
My presentation from back then is available as "Measurements and Mitigation of Peer-to-Peer-based Botnets" and I also did a talk during the work-in-progress session on the crypto aspects of Storm Worm: "Other Aspects of Storm Worm".
Nowadays Storm Worm is not a very interesting botnet; we actually stopped the crawler several months ago, since not many infected machines are still online in the network...


