When botnets start fighting back

August 17, 2007

The massive Storm Worm botnet that the hackers have been amassing over the last several months is now attacking computers that are trying to weed it out. The botnet is set up to launch a distributed denial-of-service (DDoS) attack against any computer that is scanning a network for vulnerabilities or malware.[1] The attacks are ICMP based, can last more than a day, involve a large number of sources scattered globally, and can yield very significant attack traffic.[2]

Since the beginning of the month, some researchers have been warning that as the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a very large botnet -- its authors could be setting themselves up to launch a damaging denial-of-service attack.[3] In fact the botnet, currently estimated at 1.7 million hosts in size, has recently launched a surge of spam against Canadian web sites, with such volume that it essentially amounted to a DoS attack.[4]

F-Secure Labs has a video on YouTube showing the rapid spread of Storm Worm when it first appeared in January 2007 (you can also view it in higher resolution here). Like most of the newer botnets, Storm Worm uses peer-to-peer technology for communication between the bots and the bot-herder, instead of Internet Relay Chat, in order to make it more difficult to disrupt.[5]

REN-ISAC provides a list of recommendations for dealing with Storm-related DDoS attacks, which include placing vulnerability scanners on private network segments (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) so that the scanning host is not reachable from the Internet, and blocking inbound TCP/80 (if acceptable).
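The two traits the posts above attribute to the retaliation traffic (ICMP from a large number of distinct sources, sustained for a day or more) and the REN-ISAC advice to keep scanners on private address space both lend themselves to a small check. The following is an added example, not code from the original post or from REN-ISAC: it scans constructed flow records of the form "timestamp src dst proto", flags any destination that receives ICMP from at least a configurable number of distinct sources over at least a configurable span of hours, and tests whether a scanner address falls inside the three private ranges named above. The record format, sample addresses (taken from the RFC 5737 documentation ranges) and thresholds are all assumptions for the demonstration.

```python
"""Added example: spot a many-source, long-running ICMP flood against a scanner
host, and check whether a scanner sits on an RFC 1918 segment as REN-ISAC
recommends. Flow records below are constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed flow records: "timestamp src dst proto". 198.51.100.20 is an
# Internet-reachable scanner receiving ICMP from seven distinct sources over
# roughly 26 hours; 198.51.100.30 only sees ordinary pings from two hosts.
SAMPLE_FLOWS = """\
2007-08-16T10:00:00 192.0.2.11 198.51.100.20 icmp
2007-08-16T11:30:00 192.0.2.45 198.51.100.20 icmp
2007-08-16T14:05:00 203.0.113.7 198.51.100.20 icmp
2007-08-16T19:40:00 203.0.113.88 198.51.100.20 icmp
2007-08-17T02:15:00 192.0.2.130 198.51.100.20 icmp
2007-08-17T08:00:00 203.0.113.201 198.51.100.20 icmp
2007-08-17T12:00:00 192.0.2.77 198.51.100.20 icmp
2007-08-16T10:05:00 192.0.2.11 198.51.100.20 icmp
2007-08-16T10:00:00 10.0.0.4 198.51.100.30 icmp
2007-08-17T09:00:00 10.0.0.6 198.51.100.30 icmp
2007-08-16T10:00:00 192.0.2.11 198.51.100.20 tcp
"""

# The private segments REN-ISAC suggests for vulnerability scanners.
PRIVATE_RANGES = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def detect_icmp_floods(flow_text, min_sources=5, min_duration_h=1.0):
    """Return {dst: (distinct_source_count, duration_hours)} for every
    destination that received ICMP from at least `min_sources` distinct
    sources spread over at least `min_duration_h` hours.

    Counting distinct sources (not packets) is what separates the globally
    scattered botnet pattern from a single noisy host, and the duration check
    captures the "can last more than a day" trait; both thresholds are
    assumed values to be tuned for the network being monitored.
    """
    sources = defaultdict(set)
    first_seen, last_seen = {}, {}
    for line in flow_text.strip().splitlines():
        ts, src, dst, proto = line.split()
        if proto != "icmp":
            continue
        t = datetime.fromisoformat(ts)
        sources[dst].add(src)
        first_seen[dst] = min(first_seen.get(dst, t), t)
        last_seen[dst] = max(last_seen.get(dst, t), t)

    hits = {}
    for dst, srcs in sources.items():
        hours = (last_seen[dst] - first_seen[dst]).total_seconds() / 3600
        if len(srcs) >= min_sources and hours >= min_duration_h:
            hits[dst] = (len(srcs), round(hours, 1))
    return hits


def scanner_on_private_segment(addr):
    """True if `addr` lies inside one of the RFC 1918 ranges listed above."""
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


if __name__ == "__main__":
    for dst, (n, hours) in detect_icmp_floods(SAMPLE_FLOWS).items():
        exposed = "" if scanner_on_private_segment(dst) else " (Internet-reachable)"
        print(f"{dst}: ICMP from {n} distinct sources over {hours} h{exposed}")
```

Run stand-alone, the script reports only 198.51.100.20, since 198.51.100.30 never reaches five distinct sources; the `scanner_on_private_segment` check then shows that the flooded scanner is not on one of the recommended private segments. In practice the records would come from NetFlow or firewall logs rather than an embedded string, and the thresholds would be set from a baseline of normal ICMP on the segment.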

1. "Storm Botnet Puts Up Defenses And Starts Attacking Back", InformationWeek, August 16, 2007

2. "Storm Worm DDoS Threat to the EDU Sector", REN-ISAC, August 9, 2007

3. "Storm Botnet Puts Up Defenses And Starts Attacking Back", InformationWeek, August 16, 2007

4. "Storm Botnet Behind Canadian DoS Attack", InformationWeek, August 13, 2007

5. "Fake e-cards signal massive DDoS attack", The Register, August 7, 2007