NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0368 Botnets Using Encrypted P2P Communication are Nearly Undetectable:
The Storm and Nugache Trojan bot programs are distinct from
their ancestors because they lack a head that can be severed to stop them.
Previous generations of bots could be cut off from their control server, which
communicated over Internet Relay Chat (IRC). Storm and Nugache bots do not
depend on IRC communications; they use encrypted peer-to-peer networking to
update themselves and exchange information. Security researchers said Storm and
Nugache communication cannot be detected reliably by intrusion detection
systems: "user education is likely the only mitigation method to prevent
installation of the malware."
Storm first came to attention in early 2007 and spread through
an email message that made reference to a recent European storm in the message
subject line. It has created a massive botnet that has been estimated to range
from a few hundred thousand to over 2 million machines. Matt Sergeant, chief
anti-spam technologist with MessageLabs, likened the Storm botnet to a
supercomputer in terms of its power.
Like Storm, Nugache relies on encrypted peer-to-peer
communication for command and control, said Henry. But it has an advantage over
Storm in that it is not tied to a specific set of ports. "[Nugache] will
look at pretty much any port to establish communication," he said.
(InformationWeek 10JAN08)