09:01 AM
Connect Directly
Core System Testing: How to Achieve Success
Oct 06, 2016
Property and Casualty Insurers have been investing in modernizing their core systems to provide fl ...Read More>>

You Can't Cut Off The Head Of Modern Crimeware

The Storm and Nugache botnets are hard to stop because they use encrypted peer-to-peer networking to update themselves and exchange information.

The Storm and Nugache trojans represent the face of future crimeware, or its facelessness: These two malicious bot programs are distinct from their ancestors because they lack a head that can be severed to stop them.

Previous generations of bots could be cut off from their control server, which communicated over Internet Relay Chat. Storm and Nugache bots do not depend on IRC communications; they use encrypted peer-to-peer networking to update themselves and exchange information.

Storm first came to attention in early 2007 and spread through an e-mail message that made reference to a recent European storm in the message subject line. It has created a massive botnet that has been estimated to range from a few hundred thousand to over 2 million machines. In an interview with InformationWeek last September, Matt Sergeant, chief anti-spam technologist with MessageLabs, likened the Storm botnet to a supercomputer in terms of its power.

Nugache appeared in mid-2006, initially as a trojan distributed through chat applications. Initially, it lagged behind Storm in terms of sophistication. For example, it couldn't send spam in regionally appropriate languages, as Storm can. But Paul Henry, VP of technology evangelism at Secure Computing, said that security experts now believe it has caught up with Storm's capabilities and will likely become a more significant threat as its controllers move to profit from their malware.

"[Nugache] is not as large as Storm yet, but from a technical perspective, it's just as good," said Henry.

The maturation of Nugache has resulted in a decrease in the price and quality of spam, according to Henry, who put the current cost of spamming at $100 per million messages.

Like Storm, Nugache relies on encrypted peer-to-peer communication for command and control, said Henry. But it has an advantage over Storm in that it's not tied to a specific set of ports. "[Nugache] will look at pretty much any port to establish communication," he said.

Storm and Nugache communication cannot be detected reliably by intrusion detection systems (IDS). In a paper published last month, computer security researchers Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich said, "User education is likely the only mitigation method to prevent installation of the malware."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
2014 Next-Gen WAN Survey
2014 Next-Gen WAN Survey
While 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.