Storm worm botnet upgraded, prepared for attack

By Tom Espiner, ZDNet UK
17 October 2007 08:38 AM
Tags: attack, botnet, ddos, infect, spam, storm, storm worm, army

The owners of the Storm botnet, whose identities are as yet unknown, could be preparing to sell off the "services" of segments of the network, according to Joe Stewart, a researcher from managed security services company SecureWorks.

Stewart claimed in a blog post on Sunday that the latest Storm variants now use a 40-byte key to encrypt their peer-to-peer traffic, meaning each node will only be able to communicate with nodes that use the same key.

"This effectively allows the Storm author to segment the Storm botnet into smaller networks," wrote Stewart in his blog post. "This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that's the case, we might see a lot more of Storm in the future."

Fast-flux service networks are networks of compromised computer systems with public DNS records that are constantly changing, making it more difficult to track and control criminal activities, according to the Honeynet Project Research Alliance, a forum of honeypot research organisations. A honeypot is a system, often undefended, set up as a trap for attackers.
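The "constantly changing" DNS records the Honeynet Project describes are something a network defender can measure directly. The following is an added illustration, not code from the article, SecureWorks or the Honeynet Project: it replays a handful of constructed DNS lookup observations for two hostnames and scores each on how fast its A records churn (many distinct addresses spread across several networks, returned with short TTLs and replaced on every query). The hostnames, addresses and all thresholds are assumptions chosen for the example, not published detection criteria.

```python
"""Fast-flux candidate scoring over repeated DNS lookups.

Added example (not from the ZDNet article or the organisations it cites).
Features per hostname: distinct IPs, distinct /24 networks, mean TTL and
the fraction of answers that were never seen in an earlier lookup (churn).
Thresholds in is_fastflux_candidate are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Lookup:
    hostname: str
    ts: int           # seconds since epoch of the query (constructed)
    ttl: int          # TTL returned with the A records
    answers: list     # IPv4 address strings in the answer section


# Constructed observations: one hostname rotating through addresses in three
# networks with a 180 s TTL, one ordinary hostname with a stable pair of IPs.
SAMPLE_LOOKUPS = [
    Lookup("flux.example.test", 0,    180,  ["198.51.100.10", "203.0.113.5", "192.0.2.77"]),
    Lookup("flux.example.test", 200,  180,  ["203.0.113.44", "198.51.100.200", "192.0.2.9"]),
    Lookup("flux.example.test", 400,  180,  ["192.0.2.150", "203.0.113.99", "198.51.100.33"]),
    Lookup("flux.example.test", 600,  180,  ["198.51.100.71", "192.0.2.201", "203.0.113.18"]),
    Lookup("www.example.test",  0,    3600, ["192.0.2.1", "192.0.2.2"]),
    Lookup("www.example.test",  3700, 3600, ["192.0.2.1", "192.0.2.2"]),
    Lookup("www.example.test",  7400, 3600, ["192.0.2.2", "192.0.2.1"]),
]


def summarise(lookups):
    """Aggregate per-hostname churn features from a list of Lookup records."""
    seen_ips = defaultdict(set)      # hostname -> all distinct addresses
    seen_nets = defaultdict(set)     # hostname -> distinct /24 prefixes
    ttls = defaultdict(list)         # hostname -> TTL of each lookup
    new_answers = defaultdict(int)   # answers not seen in any earlier lookup
    total_answers = defaultdict(int) # answers in lookups after the first
    for lk in sorted(lookups, key=lambda l: (l.hostname, l.ts)):
        first = not seen_ips[lk.hostname]
        for a in lk.answers:
            addr = ip_address(a)
            if not first:
                total_answers[lk.hostname] += 1
                if addr not in seen_ips[lk.hostname]:
                    new_answers[lk.hostname] += 1
            seen_ips[lk.hostname].add(addr)
            seen_nets[lk.hostname].add(a.rsplit(".", 1)[0])
        ttls[lk.hostname].append(lk.ttl)
    feats = {}
    for host, tl in ttls.items():
        churn = new_answers[host] / total_answers[host] if total_answers[host] else 0.0
        feats[host] = {
            "lookups": len(tl),
            "unique_ips": len(seen_ips[host]),
            "unique_24": len(seen_nets[host]),
            "mean_ttl": sum(tl) / len(tl),
            "churn": churn,
        }
    return feats


def is_fastflux_candidate(f, min_lookups=3, min_ips=8, min_nets=3,
                          max_ttl=300, min_churn=0.5):
    """Assumed thresholds: flag only when address spread, TTL and churn all agree."""
    return (f["lookups"] >= min_lookups
            and f["unique_ips"] >= min_ips
            and f["unique_24"] >= min_nets
            and f["mean_ttl"] <= max_ttl
            and f["churn"] >= min_churn)


def flag_fastflux(lookups):
    """Return the sorted list of hostnames whose features match the heuristic."""
    return sorted(h for h, f in summarise(lookups).items() if is_fastflux_candidate(f))


if __name__ == "__main__":
    for host, f in summarise(SAMPLE_LOOKUPS).items():
        print(host, f, "FLAGGED" if is_fastflux_candidate(f) else "")
```

Requiring several signals to agree keeps ordinary round-robin or CDN-backed hosts (few networks, or long TTLs, or answers that recur) from being flagged on a single feature; in a real deployment the thresholds would be tuned against passive DNS data from the network being monitored.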

Stewart said that the good news is that security researchers can now distinguish encrypted Storm traffic from legitimate peer-to-peer traffic, making it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow peer-to-peer traffic.

Antivirus vendor Sophos agreed that Stewart's analysis of the use of encryption to segment the Storm network for the purposes of resale is "probably correct".

"Storm's use of encrypted traffic is an interesting feature which has raised eyebrows in our lab," said Graham Cluley, senior technology consultant at Sophos. "Its most likely use is for the cybercriminals to lease out portions of the network for misuse. It wouldn't be a surprise if the network was used for spamming, distributed denial of service attacks, and other malicious activities."

The Storm botnet was initially created at the beginning of 2007 when the Storm worm was spammed out, hiding in e-mail attachments with a subject line of "230 dead as storm batters Europe". While it has continued to grow since then, it is difficult to gauge its true size as a large percentage of the infected machines are on 'stand-by', according
