
HiNRG Technical Report: 01-10-2007 Measuring the Storm Worm Network

Sandeep Sarat and Andreas Terzis
sarat@cs.jhu.edu, terzis@cs.jhu.edu
The Storm worm is a botnet that appeared in the early months of 2007. Its prolific
growth, its use of decentralized command-and-control communication based on the
Overnet P2P protocol and of fast-flux servers for secondary-stage binary distribution,
and its capability to aggressively defend itself make Storm a notable species in
the malware ecosystem. Despite considerable interest, Storm's defensive capabilities
and its distributed nature have complicated accurate estimation of its size and
understanding of its network behavior.
In this paper, we actively probe the Storm botnet using Overnet queries and estimate
its size at approximately 600,000 and 430,000 during the second and third weeks of
October 2007, respectively. At the same time, we found several other surprising artifacts.
Unlike in traditional DHTs, the distribution of peer IDs is not uniform. Furthermore,
we observed a small percentage of nodes that publish a large number of IDs, which
we believe is an indication of index poisoning. Taken as a whole, these results provide
insights that may help researchers curtail the Storm phenomenon as well as
future P2P-based botnets.
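The abstract names two artifacts a crawl of the Overnet network would surface: peer IDs that are not spread uniformly over the 128-bit ID space, and a handful of addresses that each publish many IDs. The following is an added example, not code from the report or its authors, showing how a practitioner would check both on a crawl log and how the second artifact inflates a naive ID-based size estimate. The observation format (IP address, 128-bit ID as 32 hex characters), the top-nibble bucketing, the chi-square uniformity test and the "many IDs" threshold of 5 are all assumptions of this example; the crawl data is constructed inline.

```python
"""Analyse a constructed Overnet crawl log for two artifacts: a non-uniform
peer-ID distribution and a few addresses publishing many IDs (a possible
sign of index poisoning).

Added example; not code from the report. The observation format, the
bucketing by top nibble, the chi-square test and the threshold are
assumptions made here.
"""

from collections import Counter, defaultdict

ID_HEX_LEN = 32          # Overnet/Kademlia IDs are 128 bits = 32 hex chars
BUCKETS = 16             # bucket IDs by their top nibble
CHI2_CRIT_15DF = 24.996  # chi-square critical value, 15 d.f., p = 0.05


def build_sample_observations():
    """Constructed crawl log (assumed format: (ip, id_hex)).

    48 'normal' peers spread evenly over the 16 top-nibble buckets (3 each),
    one address (192.0.2.7) that publishes 20 distinct IDs all in bucket 0xf,
    and one repeated sighting to show that duplicates are collapsed.
    """
    obs = []
    for bucket in range(BUCKETS):
        for k in range(3):
            obs.append((f"10.{bucket}.{k}.1", f"{bucket:x}{k:x}" + "0" * 30))
    for j in range(20):
        obs.append(("192.0.2.7", f"f{j:02x}" + "a" * 29))
    obs.append(("10.0.0.1", "00" + "0" * 30))  # same peer seen twice
    return obs


def analyze_crawl(observations, many_ids_threshold=5):
    """Return size estimates and the two artifact checks for a crawl log."""
    ids_by_ip = defaultdict(set)
    for ip, node_id in observations:
        if len(node_id) != ID_HEX_LEN:
            raise ValueError(f"bad ID length for {ip}: {node_id!r}")
        ids_by_ip[ip].add(node_id.lower())

    all_ids = set().union(*ids_by_ip.values()) if ids_by_ip else set()

    # Uniformity check: count IDs per top-nibble bucket and compare with a
    # flat expectation via Pearson's chi-square statistic.
    hist = Counter(int(node_id[0], 16) for node_id in all_ids)
    counts = [hist.get(b, 0) for b in range(BUCKETS)]
    expected = len(all_ids) / BUCKETS
    chi2 = sum((c - expected) ** 2 / expected for c in counts) if all_ids else 0.0

    # Heavy publishers: addresses advertising at least `many_ids_threshold`
    # distinct IDs. NAT can legitimately yield a few IDs per address, so the
    # threshold (an assumption here) is deliberately above 1.
    suspicious = {ip: len(ids) for ip, ids in ids_by_ip.items()
                  if len(ids) >= many_ids_threshold}
    suspicious_ids = set().union(*(ids_by_ip[ip] for ip in suspicious)) if suspicious else set()

    return {
        "distinct_ids": len(all_ids),
        "distinct_ips": len(ids_by_ip),
        "bucket_counts": counts,
        "chi2": chi2,
        "uniform": chi2 <= CHI2_CRIT_15DF,
        "suspicious_ips": suspicious,
        "ids_excluding_suspicious": len(all_ids - suspicious_ids),
    }


if __name__ == "__main__":
    result = analyze_crawl(build_sample_observations())
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed log the naive count of distinct IDs (68) overstates the population, because one address contributes 20 of them; dropping IDs from heavy publishers gives 48, matching the number of ordinary peers. The bucket histogram shows the same skew (23 IDs in bucket 0xf against 3 in every other bucket), and the chi-square statistic is far above the 15-degree-of-freedom critical value, so the "uniform" check fails. On a real crawl one would also want to weigh how many IDs were merely seen versus actually responsive to a query, which this example does not model.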


Source: Amir, Yair - Department of Computer Science, Johns Hopkins University

