Tuesday, October 16, 2007

The balkanization of Storm Worm botnets

The Register article, "The balkanization of Storm Worm botnets," discusses how the Storm worm has changed in the past week:

"PCs infected by Storm in the past week or so use a 40-byte key to encrypt traffic sent through Overnet, a peer-to-peer protocol that helps individual bots connect to other infected machines, according to Joe Stewart, a senior researcher with SecureWorks, a provider of security services and software.

"The change effectively segments the Storm botnet, estimated by Stewart to contain from 250,000 to 1 million machines, into smaller networks because each node must know the password to unencrypt the Overnet traffic."

One fear is that the operators of the Storm worm are getting ready to sell the bots.