Wednesday, October 17, 2007

Storm [worm] SuperComputer

With the recent coverage coming out of the Washington Post blog posting covering the Storm worm, I think there has been insufficient analysis of what the point of this absolutely massive super-computer will be. I won't re-present the facts to you, but if you haven't read it I'll sum it up for you by saying that the Storm worm is more powerful than all of the [previous] top 10 supercomputers... that's saying quite a lot. The other major point is that this is the first time in history that the world's most powerful "computer" (or cluster, in this case) is not owned by a nation or a research organization, but by organized crime.

The analysis and breakdown of the raw power of the Storm worm is here, at the Full Disclosure archives.

I challenged a friend of mine who is also in the "security research" field to think about what in the world we could use this type of supercomputing power, and more importantly, why the apparent owners of this botnet/supercomputer are partitioning out this massive herd, using encryption keys for small blocks of bots.

I have a theory on both these things, and I disagree with the mainstream media analysis so far. The mainstream analysis has been wrong so far, I think. Jim Carr over at SCMagazine online quotes SecureWorks' Joe Stewart saying
"This [partitioning and encrypting communications in smaller groups] effectively allows the storm author to segment the storm botnet into smaller networks [and] could be a precursor to selling storm to other spammers."
I don't agree with this at all. If you apply logic to this from a different angle you have to realize that this botnet took lots of time and energy to build; ergo, you're going to go to extreme lengths to ensure that if someone manages to crack your communication scheme, they can't take over the whole lot. This is, I strongly believe, the point of encrypting communication to these botnet groups in small chunks, effectively partitioning herds of Storm-bots. To make my point even more clear, here is what I think the herder(s) are doing.
  • Storm worm botnet will be used for obviously malicious intent
  • Establishing ciphers for encryption of small chunks of the herd at a time gives it resiliency against infiltration and full compromise
  • No one in their right mind would "sell" a piece of such a masterpiece and raw power grid
  • It is more likely that the herder(s) will allow people to pay for time-slices on this massive supercomputer to do whatever it is they want to do, computationally...
This brings me to my next point. What in the world would someone want with this much absolute raw power? I think an interesting hint is given by Lawrence Baldwin, of myNetWatchman...
Baldwin said the raw power of the Storm botnet might be taken more seriously if it were more often used to take out large swaths of the Internet, or in attempting to crack some uber-complex type of encryption key used to secure electronic commerce transactions.
Fascinating. Cracking encryption keys is just one of the possibilities - here are some more:
  • On-the-fly cracking of some of the world's strongest encryption - remember all security is based on the fact that we develop technologies that are computationally improbable to break... not anymore?
  • DDoS at will - how will you stop a ~320Gb/sec onslaught? (assuming ~10 million users at 256kb/sec DSL speeds, which is estimating low) What's worse is that it's not like you can block a certain netblock or router... these Storm bots live all over the Internet.
  • Rainbow tables anyone? - Sure, there are plenty of arguments made that rainbow tables are useless now because any developer with a brain uses a salt... this is a false statement, guaranteed. Even if people salt, salts can be predictable, and what's worse, computable even if there are quadrillions of combinations; remember you have 10 million CPUs at your disposal here. Why not hash (SHA-1, SHA-256?) all permutations of credit card numbers, passwords, DOBs, SSNs, and other important pieces of data so that when you steal a hashed table from a database, it's only a [short] matter of time before you can successfully pull out the real information!
  • SPAM - yes, I acknowledge that this is a great vehicle for spam... but it's such a waste of power to spam from these botnets... maybe I'm naive
That's just my analysis - because I think people that have looked at this have missed the point a little bit. There is so much raw power, that I simply think that human greed will prevent this thing from being partitioned out and sold off to high bidders... I don't see it happening, there is simply too much status, power, and prestige from being the one that controls 10Million slaves, and the most powerful supercomputer on the planet.
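The rainbow-table point above hinges on whether a salt is shared (or predictable) or unique per record. The following is an added illustration, not code from the original post: it uses a constructed toy search space of 4-digit PINs and shows that one precomputed table covers every record hashed with the same salt, while a fresh random salt per record plus a slow KDF (PBKDF2 here) forces the attacker to redo the whole search per record. The `site-wide-salt` value and the PIN space are constructed for the demo.

```python
import hashlib
import secrets

# Constructed toy search space: 4-digit PINs. The post's point is that DOBs,
# SSNs and card numbers are likewise small, enumerable spaces.
SEARCH_SPACE = [f"{i:04d}" for i in range(10_000)]


def fast_hash(salt: bytes, secret: str) -> str:
    """Unsalted or fixed-salt fast hash: the storage scheme the post warns about."""
    return hashlib.sha1(salt + secret.encode()).hexdigest()


def precompute_table(salt: bytes = b"") -> dict:
    """One pass over the search space for ONE salt value. This work is done
    once and then reused against every stolen record that shares that salt."""
    return {fast_hash(salt, s): s for s in SEARCH_SPACE}


def recover(table: dict, stored_hash: str):
    """O(1) lookup once the table exists: precomputation is fully amortised."""
    return table.get(stored_hash)


def store_per_record(secret: str, iterations: int = 100_000):
    """Defender's form: 16-byte random salt per record plus a slow KDF, so no
    table can be shared between records and each guess costs `iterations` work."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return salt, digest.hex()


def tables_needed(records) -> int:
    """Separate precomputed tables an attacker must build for a stolen set:
    one per distinct salt value. records is a list of (salt, digest) pairs."""
    return len({salt for salt, _ in records})


def demo():
    # Unsalted: a single table recovers every record.
    table = precompute_table()
    hits_unsalted = [recover(table, fast_hash(b"", s)) for s in ("0420", "1999")]
    # Predictable site-wide salt (constructed value): one table, once known.
    global_salt = b"site-wide-salt"
    hit_global = recover(precompute_table(global_salt), fast_hash(global_salt, "1999"))
    # Per-record random salt: three records, three tables, even for equal PINs.
    per_record = [store_per_record(s, iterations=1_000) for s in ("0420", "1999", "0420")]
    return hits_unsalted, hit_global, tables_needed(per_record)
```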

God help us all.
