Learn, hack!

URL

http://dewy.fem.tu-ilmenau.de/CCC/24C3/mpeg4/24c3-2318-en-cybercrime20.mp4

File name

24c3-2318-en-cybercrime20.mp4

File size

64.4 MB

MD5

947004eae25f3fdb41a115428673601a

SHA1

8cbd207c7dc4368852318ed42a597b8757c71c43

Not only the Web has reached level 2.0, also attacks against computer systems have advanced in the last few months: Storm Worm, a peer-to-peer based botnet, is presumably one of the best examples of this development. Instead of a central command & control infrastructure, Storm uses a distributed, peer-to-peer based communication channel on top of Kademlia / Overnet. Furthermore, the botherders use fast-flux service networks (FFSNs) to host some of the content. FFSNs use fast-changing DNS entries to build a reliable hosting infrastructure on top of compromised machines. Besides using the botnet for DDoS attacks, the attackers also send lots of spam - most often stock spam, i.e., spam messages that advertise stocks. This talk presents more information about Storm Worm and other aspects of modern cybercrime. The first part of the talk provides a brief history of Storm Worm (Peacomm, Nuwar, Zhelatin, ...), focusing on the actual propagation phase. Afterwards, we describe the network communication of the bot in detail and show how we can learn more about the botnet. We were able to infiltrate and analyze in-depth the peer-to-peer network used by Storm Worm and present some measurement results.