October 16, 2007:
The most powerful Internet weapon
on the planet is hiding in plain sight, and no one can do anything about it. At
least not yet, or not that anyone is talking about. The weapon in question is
the Storm botnet. This is the largest botnet ever seen, and it is acting like
something out of a science fiction story. The Storm network is now believed
capable of shutting down any military or commercial site on the planet. Or,
Storm could cripple hundreds of related sites temporarily. Or, Storm could do
some major damage in ways that have not yet been experienced. There's never
been anything quite like Storm.
The Storm computer virus had been spreading since
early in the year, grabbing control of PCs around the world. By now, Storm had
infected nearly 5-10 million computers with a secret program that turned those
PCs into unwilling slaves (or "zombies") of those controlling this network (or
botnet) of computers. Many of you may have noticed a lot of recent spam
directing you to look at an online greeting card, or accompanied by pdf files.
That was Storm, the largest single spam campaign ever. When you try to look at
the PDF file, Storm secretly takes over your computer. But Storm tries very
hard to hide itself. All it wants to do is use your Internet connection to send
spam, or other types of malicious data.
What makes Storm the perfect Internet weapon is how
it has been designed to survive. The Storm zombie does no damage to the PCs it
infects, and simply sits there, waiting for an order. Those orders come via a
peer-to-peer system (similar to things like
Kazaa or Bittorrent). A small percentage of the zombies spend short
periods of time trying to spread themselves, then turn off. This makes it more
difficult to locate infected PCs. Commands from the Storm operators are sent
through several layers of zombie PCs, again making it very difficult to
identify where those commands come from. Moreover, Storm operates as a horde of
clusters, each of two or three dozen zombie PCs. No existing methods can shut
down Storm. In fact, all that will work to kill Storm is to find the people
running it, arrest them, and seize their access data. The programmers who put
Storm together know their stuff, and police in dozens of countries would like to get
their hands on them.
To avoid the police (especially the U.S. FBI), many
botherders (those who operate botnets) are usually in countries without an
extradition treaty with the United States (where nearly half the zombie PCs
are). Criminal gangs are increasingly active in producing things like Storm,
and, in the case of China, so are government Cyber War operations. It's unclear
who is controlling the millions of Storm zombies, but it's becoming clear what
Storm is up to. It has been launching attacks at web sites involved in stopping
or investigating Storm. This involves transmitting huge quantities of bogus
messages, which shut down targeted web sites (this is a DDoS, or distributed
denial of service attack). The Storm botherders are also advertising their
botnet as available for the usual illegal activities (various types of
spam). It's believed that Storm is owned
by a Russian criminal syndicate, but that's only a guess based on what is known
about Storm so far.
But the most alarming aspect of all this is the
sheer size of the Storm botnet. It's quite possible that it's not all one,
huge, multimillion PC botnet. There may be several owners, who simply used
variations of the basic Storm virus (which showed up last February, using as a
lure the promise of news about the huge winter storms then lashing Europe, and
thus got its name).
Police and Cyber War organizations are certainly
trying to track down who controls Storm, mainly in self-defense. A botnet that
large could shut down major sites, or large chunks of the Internet itself. The
Storm is the Internet equivalent of a nuclear weapon, and no one is sure who
controls it, or for what purposes.