
January 13th, 2009, 10:24 GMT · By

Storm Botnet Cleaning Method Revealed

Researchers develop a method to dismantle the Storm botnet
A team of security researchers from two German universities has developed a method that would allow them to purge what remains of the Storm botnet from the Internet. The method proves that the botnet is not as invulnerable as previously thought, but it cannot be put into action because doing so could have legal repercussions.

The army of drones raised by the Storm worm was considered one of the most powerful and resilient botnets ever to plague the Internet. It is estimated that, at its peak in 2007, the botnet was composed of millions of clients and had enough bandwidth at its disposal to knock entire countries off the Internet.

What made it worse than other, similar threats was that the Storm botnet fought back against anyone trying to analyze its infrastructure; several antivirus vendors and security research companies suffered serious attacks. In addition to being powerful, the botnet was also innovative in its design, using peer-to-peer technology to connect its clients to the command and control servers as well as to each other.

Today, the botnet is composed of only around 100,000 drones, following a major cleaning operation undertaken by Microsoft through its Malicious Software Removal Tool. Even so, it is still responsible for a small but significant percentage of daily spam e-mail traffic. That is why Georg Wicherski, Tillmann Werner, Felix Leder, and Mark Schlösser thought it worthwhile to reverse engineer most of the worm's binary code and analyze its inner workings.

What the researchers discovered led them to conclude that the worm's design was neither spectacular nor indestructible. For example, one of the major weaknesses discovered is that the command and control server does not authenticate itself to the clients, so a drone has no way to tell a genuine controller from an impostor. With this knowledge, the experts designed their own saboteur client, which was able to infiltrate the Storm P2P network and reliably redirect the other drones to a server of their choosing.

Once hijacked, the legitimate Storm drones could be sent specific commands that would cause them to download and execute a cleaner on the infected computer. For this purpose, the researchers created a removal utility, which they dubbed “Stormf****r”, a rather uninspired name. They also claim that, with an additional extension, a cleaning campaign able to handle all the traffic from the 100,000 drones, as well as possible denial of service attacks, could be launched.
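To make the weakness concrete, the following is an added example, not the researchers' code and not Storm's wire protocol (which the article does not describe). It models a toy drone that accepts a "set_controller" command from any peer, beside a hardened variant that only acts on commands carrying the operator's Ed25519 signature and rejects replays. The message format, action name, sequence-number scheme and the `.invalid` addresses are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Command is a toy control message relayed peer-to-peer to a drone.
// Field names and actions are assumptions for this example, not Storm's format.
type Command struct {
	Seq       uint64 `json:"seq"`
	Action    string `json:"action"`        // e.g. "set_controller"
	Argument  string `json:"argument"`      // e.g. the new controller address
	Signature []byte `json:"sig,omitempty"` // Ed25519 over the other fields
}

// Bot models a drone. OperatorKey is nil in the unauthenticated variant,
// which is the situation the researchers found: every peer is trusted.
type Bot struct {
	Controller  string
	OperatorKey ed25519.PublicKey
	lastSeq     uint64
}

// signingBytes returns the canonical encoding that is signed and verified:
// the command with its signature field cleared.
func signingBytes(c Command) []byte {
	c.Signature = nil
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// Sign attaches the operator's Ed25519 signature. Only the holder of the
// private key can produce it; the public key embedded in a drone binary
// gives a reverse engineer nothing with which to forge commands.
func Sign(priv ed25519.PrivateKey, c Command) Command {
	c.Signature = ed25519.Sign(priv, signingBytes(c))
	return c
}

// Handle processes a command received from any peer and reports whether
// the drone acted on it.
func (b *Bot) Handle(c Command) bool {
	if b.OperatorKey != nil {
		// Hardened variant: drop anything not signed by the operator,
		// then drop replays of older genuine commands.
		if !ed25519.Verify(b.OperatorKey, signingBytes(c), c.Signature) {
			return false
		}
		if c.Seq <= b.lastSeq {
			return false
		}
		b.lastSeq = c.Seq
	}
	switch c.Action {
	case "set_controller":
		b.Controller = c.Argument
		return true
	}
	return false
}

// Demo plays the article's scenario against both variants and returns
// (unauthenticated drone hijacked, signed-command drone hijacked,
// genuine operator command accepted by the signed-command drone).
func Demo() (bool, bool, bool) {
	operatorPub, operatorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, saboteurPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Hypothetical addresses constructed for the example.
	const origC2, sinkhole, newC2 = "c2.example.invalid:4000", "sinkhole.example.invalid:4000", "c2-new.example.invalid:4000"
	weak := &Bot{Controller: origC2}
	strong := &Bot{Controller: origC2, OperatorKey: operatorPub}

	// The saboteur peer knows the message format from reversing the binary
	// but holds no operator key, so the best it can do is sign with its own.
	forged := Sign(saboteurPriv, Command{Seq: 99, Action: "set_controller", Argument: sinkhole})
	weak.Handle(forged)
	strong.Handle(forged)

	// A command from the real operator is still accepted by the hardened drone.
	genuine := Sign(operatorPriv, Command{Seq: 1, Action: "set_controller", Argument: newC2})
	accepted := strong.Handle(genuine)

	return weak.Controller == sinkhole, strong.Controller == sinkhole, accepted
}

func main() {
	w, s, a := Demo()
	fmt.Printf("unauthenticated drone hijacked: %v\nsigned-command drone hijacked: %v\ngenuine command accepted: %v\n", w, s, a)
}
```

Run it with `go run`; the unauthenticated drone follows the forged redirect and the hardened one does not. The choice of an asymmetric signature rather than a shared secret is the point worth noting: a symmetric key (say, an HMAC key) would have to be shipped inside every drone binary, and the article shows exactly why that fails, since the researchers reverse engineered most of that binary. Only a public key is safe to embed.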

The researchers are unlikely to launch such an offensive, though, because of legal limitations. The German Penal Code punishes unauthorized access to and data tampering on third-party systems, both of which the cleaning process requires, with up to two years in prison. Furthermore, in certain environments and setups the procedure is likely to fail, which could leave the affected systems unstable, and the owners of those systems could then take legal action against the researchers.

“On the other hand, any botnet of drone computers used for malicious purposes represents a threat to the public at large,” an analyst from Heise Security notes. “It's surprising that there is no discussion going on regarding the legal preconditions that would have to be created in order to get rid of the threat. In the light of this research, the responsible authorities certainly cannot claim that it's technically impossible,” he concludes.
