You Can't Cut Off The Head Of Modern Crimeware

The Storm and Nugache botnets are hard to stop because they use encrypted peer-to-peer networking to update themselves and exchange information.

The Storm and Nugache trojans represent the face of future crimeware, or its facelessness: These two malicious bot programs are distinct from their ancestors because they lack a head that can be severed to stop them.

Previous generations of bots could be cut off from their control server, which communicated over Internet Relay Chat. Storm and Nugache bots do not depend on IRC communications; they use encrypted peer-to-peer networking to update themselves and exchange information.

Storm first came to attention in early 2007 and spread through an e-mail message that made reference to a recent European storm in the message subject line. It has created a massive botnet that has been estimated to range from a few hundred thousand to over 2 million machines. In an interview with InformationWeek last September, Matt Sergeant, chief anti-spam technologist with MessageLabs, likened the Storm botnet to a supercomputer in terms of its power.

Nugache appeared in mid-2006, initially as a trojan distributed through chat applications. At first it lagged behind Storm in sophistication; for example, it couldn't send spam in regionally appropriate languages, as Storm can. But Paul Henry, VP of technology evangelism at Secure Computing, said that security experts now believe it has caught up with Storm's capabilities and will likely become a more significant threat as its controllers move to profit from their malware.

"[Nugache] is not as large as Storm yet, but from a technical perspective, it's just as good," said Henry.

The maturation of Nugache has resulted in a decrease in the price and quality of spam, according to Henry, who put the current cost of spamming at $100 per million messages.

Like Storm, Nugache relies on encrypted peer-to-peer communication for command and control, said Henry. But it has an advantage over Storm in that it's not tied to a specific set of ports. "[Nugache] will look at pretty much any port to establish communication," he said.

Storm and Nugache communication cannot be detected reliably by intrusion detection systems (IDS). In a paper published last month, computer security researchers Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich said, "User education is likely the only mitigation method to prevent installation of the malware."
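The article's point is that a port-based rule, which was enough for IRC-era bots, sees nothing when command and control is encrypted and, as in Nugache's case, spread over arbitrary ports. The following added example (not from the article or the cited paper) contrasts such a rule with a behavioural one that works from connection metadata alone; the flow records and the thresholds `min_peers` and `min_ports` are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (src_host, dst_host, dst_port, bytes_out); not real traffic.
FLOWS = []
# 10.0.0.5: P2P-style fan-out to twelve distinct peers, each on a different high port.
for i in range(12):
    FLOWS.append(("10.0.0.5", f"203.0.113.{i + 10}", 20000 + 37 * i, 1200))
# 10.0.0.9: ordinary browsing, a few servers on 80/443.
FLOWS += [("10.0.0.9", "198.51.100.1", 443, 9000),
          ("10.0.0.9", "198.51.100.2", 443, 4100),
          ("10.0.0.9", "198.51.100.3", 80, 800)]
# 10.0.0.7: old-style IRC bot checking in with its controller on a fixed port.
FLOWS += [("10.0.0.7", "192.0.2.4", 6667, 300)] * 5

IRC_PORTS = frozenset({6667, 6697})  # assumed port list for the legacy rule


def port_signature_hits(flows, ports=IRC_PORTS):
    """Port-based rule: flag any host that talks to a known IRC C2 port.
    Catches the classic bot; the P2P host never touches these ports."""
    return sorted({src for src, _, port, _ in flows if port in ports})


def p2p_fanout_suspects(flows, min_peers=8, min_ports=6):
    """Behavioural rule: flag hosts contacting many distinct peers across many
    distinct destination ports. Payload content is never inspected, so
    encryption does not hide the pattern. Legitimate P2P clients will trip it
    too, so hits are leads for host triage, not verdicts."""
    peers, ports = defaultdict(set), defaultdict(set)
    for src, dst, port, _ in flows:
        peers[src].add(dst)
        ports[src].add(port)
    return sorted(h for h in peers
                  if len(peers[h]) >= min_peers and len(ports[h]) >= min_ports)


if __name__ == "__main__":
    print("IRC-port hits:", port_signature_hits(FLOWS))        # ['10.0.0.7']
    print("P2P fan-out suspects:", p2p_fanout_suspects(FLOWS))  # ['10.0.0.5']
```

The thresholds must be tuned per network; the point is only that the two rules flag disjoint hosts, which is why the researchers quoted above fall back on preventing installation rather than on network detection.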
