Storm Worm Analysis (Take 2)

Category: Internet

I've read quite a lot in my search for information about the Storm worm.

Capacity

Apparently, a better estimate of the Storm Worm Botnet's current number of zombie machines is about 10 million. As such, I've redone all my calculations (at the bottom of the article) with the updated numbers, and I've also spent some more time finding other figures so that fewer of the inputs are estimates.

I estimate that the botnet currently has access to about 15,000 THz of CPU power. The fastest supercomputer currently in existence, Blue Gene L, has 91.8 THz. So this figure has fallen with the re-calculations.

I managed to find this report on the state of broadband in the US, which says that the average upload speed (all I'm interested in, really) is about 371 kb/s. So I've recalculated all of my bandwidth figures from that number, as countries outside the US, e.g. Canada and Japan, are likely to have much higher upload speeds. Also, Britain is starting to move to 448/812 kb/s.

That gives about 442 GB/s, which is equivalent to 339 million emails per second, or 604 CD-ROMs' worth of data every second.

Use

So, what have the Zhelatin Gang (the group of crackers behind the Storm Worm) been up to with all this capacity?

This report says that they are currently selling distribution capacity and, as of the 13th of August, testing their DDoS capacity.

This report from spamnation.info estimates that they are currently attacking a number of anti-spam / anti-malware sites. In fact, a large number of such sites have been or are under attack, including 419eater, which was basically overloaded with about 450 GB an hour of traffic, taking it offline. CastleCops.com is currently weathering the same high level of incoming traffic.

Here is a graph of the traffic hitting 419eater.com. The attack took 419eater offline for a number of days, and they are only coming back online now. They are still under attack, but have moved hosts, to someone who can cope with a massive amount of incoming data.

[Graph: traffic hitting 419eater.com during the attack]

At 11:44, traffic stops as the site is taken offline, because the company hosting their website could no longer cope with the sheer amount of incoming traffic.


Self Defence


The Storm worm is (unfortunately for us) quite clever. It detects when it is being run inside what is called a virtual machine, a tool that some security researchers use to keep their PC safe from the trojan/virus whilst they are trying to disassemble it.

Also, the botnet will launch a DDoS attack at any computer that either:

  1. Downloads the virus too many times (i.e. a researcher)
  2. Scans an infected computer for the basic signs of infection

I hope all this information is useful. The Storm worm has quite worried me recently, and the only real way to combat it now would be for the ISPs to take action. Which they are not going to do anytime soon - it does not make economic sense for them.


My calculations are below. If you have any more up-to-date information for me to base them on, I'd love to hear from you. Leave a comment, or send me an email. My address is on the "about" page, linked above.



Calculations

All calculations are in computer-style notation, so * for multiplication, and / for division.

Processing Capacity (Zombies)

Assume 10 million infected computers: 10,000,000.

Assume an average 1.5 GHz processor in each computer. (It's probably more like 2.5 GHz, but err on the safe side.) 10,000,000 * 1.5 = 15,000,000 gigahertz (GHz)

15,000,000 / 1000 = 15,000 terahertz (THz)


Processing Capacity (Blue Gene L Super Computer)

Blue Gene L has 131,072 processors, each running at 0.7 GHz (700 MHz).

131072 * 0.7 = 91750.4 GHz

91750.4 / 1000 = 91.7504 THz

Round to 1 decimal place = 91.8 THz


Data Transfer (Zombies)

Assume 10 million infected computers: 10,000,000.

Assume that each computer has about a 371 kb/s upload rate. (Probably a bit higher, but that's the average for the US, so err on the safe side. 10 million is still a lot of computers...)

Convert the 371 kilobits into kilobytes. 1 kilobyte = 8 kilobits, so:

  371 / 8 = 46.375 KB/s per bot.

10000000 * 46.375 = 463,750,000 KB/s transfer rate. OK, that's too mind-boggling. Let's get the numbers to be more sensible.

1 megabyte = 1024 kilobytes, so:
463750000 / 1024 = 452,880.859375 MB/s. Not readable yet. Again.

1 gigabyte = 1024 megabytes, so:
452880.859375 / 1024 = 442.266464233 GB/s

Err... I did do these sums right... *checks*. Wow.

Round to 0 decimal places = 442 GB/s


Emails per second with 442 GB/s bandwidth.

Assume an average spam email size of 11.76 KB, taken from this article, with rough confirmation from spamnation.info.

From the bandwidth calculations above, there is 463,750,000 KB/s of bandwidth available. So:

463750000 / 11.76 = 339434523.80952381 emails per second.

Round to 0 decimal places = 339,434,524 emails per second.

Round to 3 significant places = 339,000,000

CDs per second with 442 GB/s bandwidth.

CD-ROM total size: 750 MB.

From the bandwidth calculations above, 452,880.859375 MB/s.

452880.859375 / 750 = 603.841145833 CD-ROMs' worth of data transfer per second.
Round to 0 decimal places = 604 CD-ROMs' worth of data per second.
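To make the arithmetic above reproducible, here is an added Python script (example code, not from the original post) that re-runs all of the calculations with the post's own inputs and unit conventions (1 KB = 8 kb, 1 MB = 1024 KB, 1 GB = 1024 MB), and also converts the 450 GB per hour quoted for the 419eater attack into a sustained link rate. All input values are the post's estimates, labelled as such in the code. Re-running the sums, the CPU, bandwidth, Blue Gene L and CD-ROM figures match the post; the email figure with these inputs comes out at about 39.4 million per second (463,750,000 / 11.76), not 339 million.

```python
"""Re-running the Storm botnet capacity arithmetic from the post.

Added example. The inputs are the post's own assumptions, and the unit
conventions are the ones the post uses (1 KB = 8 kb, 1 MB = 1024 KB,
1 GB = 1024 MB). Nothing here is measured; it is back-of-the-envelope scaling.
"""

# --- inputs taken from the post (all are the author's estimates/citations) ---
ZOMBIES = 10_000_000          # assumed size of the botnet
AVG_CPU_GHZ = 1.5             # assumed average clock per bot, in GHz
UPLOAD_KBIT_PER_S = 371       # average US upload rate the post cites, in kb/s
SPAM_EMAIL_KB = 11.76         # average spam email size the post cites, in KB
CDROM_MB = 750                # CD-ROM capacity the post uses, in MB
BLUE_GENE_L_CPUS = 131_072    # Blue Gene L processor count from the post
BLUE_GENE_L_GHZ = 0.7         # clock per Blue Gene L processor, in GHz
ATTACK_GB_PER_HOUR = 450      # traffic volume quoted for the 419eater attack

# --- unit conventions used by the post ---
KBIT_PER_KB = 8
KB_PER_MB = 1024
MB_PER_GB = 1024


def cpu_capacity_thz(machines: int, avg_ghz: float) -> float:
    """Aggregate clock rate in THz: machines * GHz each, then GHz -> THz."""
    return machines * avg_ghz / 1000


def aggregate_upload_kb_per_s(machines: int, kbit_per_s: float) -> float:
    """Total upload bandwidth in kilobytes/s (kilobits -> kilobytes first)."""
    per_bot_kb_per_s = kbit_per_s / KBIT_PER_KB
    return machines * per_bot_kb_per_s


def kb_to_mb(kb: float) -> float:
    return kb / KB_PER_MB


def mb_to_gb(mb: float) -> float:
    return mb / MB_PER_GB


def emails_per_s(bandwidth_kb_per_s: float, email_kb: float) -> float:
    """How many average-sized spam emails the bandwidth could carry per second."""
    return bandwidth_kb_per_s / email_kb


def cdroms_per_s(bandwidth_mb_per_s: float, cd_mb: float) -> float:
    """How many CD-ROMs' worth of data the bandwidth could carry per second."""
    return bandwidth_mb_per_s / cd_mb


def gb_per_hour_to_mbit_per_s(gb_per_hour: float) -> float:
    """Turn a 'GB per hour' traffic volume into a sustained rate in megabits/s."""
    return gb_per_hour * MB_PER_GB * KBIT_PER_KB / 3600


def summary() -> dict:
    """All of the post's figures recomputed from the inputs above."""
    kb_s = aggregate_upload_kb_per_s(ZOMBIES, UPLOAD_KBIT_PER_S)
    mb_s = kb_to_mb(kb_s)
    gb_s = mb_to_gb(mb_s)
    return {
        "botnet_thz": cpu_capacity_thz(ZOMBIES, AVG_CPU_GHZ),
        "blue_gene_l_thz": cpu_capacity_thz(BLUE_GENE_L_CPUS, BLUE_GENE_L_GHZ),
        "upload_kb_per_s": kb_s,
        "upload_mb_per_s": mb_s,
        "upload_gb_per_s": gb_s,
        "emails_per_s": emails_per_s(kb_s, SPAM_EMAIL_KB),
        "cdroms_per_s": cdroms_per_s(mb_s, CDROM_MB),
        "attack_mbit_per_s": gb_per_hour_to_mbit_per_s(ATTACK_GB_PER_HOUR),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>20}: {value:,.3f}")
```

Changing any of the constants at the top (botnet size, clock rate, upload rate) re-derives every figure at once, which is the easiest way to see how much the conclusions depend on the 10 million estimate. The attack conversion is useful as a sanity check on the 419eater number: 450 GB per hour is a steady 1024 Mbit/s, i.e. a saturated gigabit link, which is consistent with a small host being knocked offline.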


Thanks to

Those on the CastleCops DDoS forum who helped provide data, and the rest of the DDoS forum guys, for putting up with me whilst I find out more about the Storm / Nuwar botnet.



Re:Storm Worm Analysis (Take 2)

Posted by elwoodicious at 17 Sep 2007 20:24

Great work!

/lovingly pats his nice, secure, and quite lovely Ubuntu running laptop and home servers...

Re:Storm Worm Analysis (Take 2)

Posted by Kirrus at 17 Sep 2007 20:56

Thanks!

/lovingly pats his desktop PC, which crashes when heavily loaded whilst running Windows, but seems to prefer Ubuntu. Never runs with a load average less than 1, yet never crashes. Ever. Unless I do something stupid...
(I run Rosetta@home Distributed Computing)

Where to go from here?

Posted by suziecue at 18 Sep 2007 02:30

This is extremely scary math, but unfortunately I also believe it's accurate... within at least a power of ten, which hardly matters when dealing with numbers of this size. "No, we're being trampled by five hundred elephants, not six hundred..."

ISPs are not going to do much quickly, if at all -- both the finances and logistical effort are not in their best interest. I personally started a grassroots effort, offering advice and free anti-virus checking and free Ubuntu installs to neighbors, friends, and family... which means I might be able to clean perhaps 20 infected machines in upcoming weeks (total WAG estimate). That is a ridiculously small percentage of a botnet of this size.

What's my alternative -- sit on my hands whining about how easy it is for my less net-savvy acquaintances to get scammed and harassed? I've never been much of a fatalist, no matter what the odds. I know that I'm hardly going to solve a global problem like this, but I have nothing better to do yet :)

Re:Where to go from here?

Posted by Kirrus at 20 Sep 2007 13:28

Personally, I have moved a number of my relatives onto Ubuntu. Being linux, you *can't* get viruses.

However, Ubuntu is not ready for the mass market; you do need a Linux geek around (or at least, with remote access) to maintain the machine for you. (E.g. users are not going to be able to deal with package conflicts post upgrades. I've only ever had 1 machine upgrade without at least one conflict. Must be all the ugly, restricted drivers I add for them.)

I guess, if you can, work on making Ubuntu a viable alternative to Windows. Get a ShipIt pack, and have free Ubuntu discs to hand out when people want them. Try to move friends and relatives to Ubuntu.

Realistically, the only people who can solve this are ISPs and Microsoft. If MS worked a bit more on the security side, that could help a bit.
