You Can't Cut Off The Head Of Modern Crimeware - InformationWeek
09:01 AM
Connect Directly

You Can't Cut Off The Head Of Modern Crimeware

The Storm and Nugache botnets are hard to stop because they use encrypted peer-to-peer networking to update themselves and exchange information.

The Storm and Nugache trojans represent the face of future crimeware, or its facelessness: These two malicious bot programs are distinct from their ancestors because they lack a head that can be severed to stop them.

Previous generations of bots could be cut off from their control server, which communicated over Internet Relay Chat. Storm and Nugache bots do not depend on IRC communications; they use encrypted peer-to-peer networking to update themselves and exchange information.

Storm first came to attention in early 2007 and spread through an e-mail message that made reference to a recent European storm in the message subject line. It has created a massive botnet that has been estimated to range from a few hundred thousand to over 2 million machines. In an interview with InformationWeek last September, Matt Sergeant, chief anti-spam technologist with MessageLabs, likened the Storm botnet to a supercomputer in terms of its power.

Nugache appeared in mid-2006, initially as a trojan distributed through chat applications. Initially, it lagged behind Storm in terms of sophistication. For example, it couldn't send spam in regionally appropriate languages, as Storm can. But Paul Henry, VP of technology evangelism at Secure Computing, said that security experts now believe it has caught up with Storm's capabilities and will likely become a more significant threat as its controllers move to profit from their malware.

"[Nugache] is not as large as Storm yet, but from a technical perspective, it's just as good," said Henry.

The maturation of Nugache has resulted in a decrease in the price and quality of spam, according to Henry, who put the current cost of spamming at $100 per million messages.

Like Storm, Nugache relies on encrypted peer-to-peer communication for command and control, said Henry. But it has an advantage over Storm in that it's not tied to a specific set of ports. "[Nugache] will look at pretty much any port to establish communication," he said.

Storm and Nugache communication cannot be detected reliably by intrusion detection systems (IDS). In a paper published last month, computer security researchers Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich said, "User education is likely the only mitigation method to prevent installation of the malware."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll