A Multi-perspective Analysis of the Storm (Peacomm) Worm

Phillip Porras, Hassen Saidi, and Vinod Yegneswaran

Computer Science Laboratory, SRI International



Since early 2007 a new form of malware has made its presence known on the Internet through its prolific growth rate, its ability to distribute large volumes of spam, and its ability to evade detection and eradication. Storm Worm (also known as W32.Peacomm, Nuwar, Tibs, and Zhelatin) is a highly prolific new generation of malware that has gained a significant foothold on unsuspecting Microsoft Windows computers across the Internet. Storm, like all bots, distinguishes itself from other forms of malware (viruses, Trojan horses, worms) by its ability to establish a control channel that allows its infected clients to operate as a coordinated collective, or botnet. Even among botnets, however, Storm has further distinguished itself by being among the first to introduce a fully P2P control channel, to use fast-flux DNS to hide its binary distribution points, and to aggressively defend itself against those who would seek to reverse engineer its logic.



Despite all the hype and paranoia surrounding Storm, the inner workings of this botnet largely remain a mystery. Storm is believed to have an automated distributed denial of service (DDoS) feature intended to dissuade reverse engineering, which is triggered based on situational awareness gathered from its overlay network, e.g., when the count of spurious probes crosses a certain threshold. It has also been reported that these defenses have been turned on those who have posted their analyses of Storm. In this paper, we attempt to partially address the voids in our collective understanding of Storm by providing a multi-perspective analysis of various Storm clients. Our analysis includes a static dissection of the malware binary and a characterization of the Storm worm's network dialog as observed from multiple infection traces. Finally, we seek not only to analyze Storm for greater understanding but also to develop solutions that can help detect its presence, even as we expect Storm to continue to evolve and elude host security products. In this report we present our modifications to SRI's free BotHunter botclient detection system. We explain how BotHunter has been augmented to hunt for Storm infections, as well as other forms of spambot infections.