Slashdot Mirror


Storm Worm Botnet Partitions May Be Up For Sale

Bowling for cents writes "There is evidence that the massive Storm Worm botnet is being broken up into smaller networks, and a ZDNet post thinks that's a surefire sign that the CPU power is up for sale to spammers and denial-of-service attackers. The latest variants of Storm are now using a 40-byte key to encrypt their Overnet/eDonkey peer-to-peer traffic, meaning that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities."

3 of 192 comments

  1. Re:What is fast flux DNS? by Ant+P. · Score: 5, Informative

    It means the spammers register a bunch of domain names to spam in their emails, and rotate the zombie PC IP they're pointing to every few minutes. Makes it harder to shut down.

  2. Re:What is fast flux DNS? by QuantumRiff · Score: 3, Informative

    Basically, you set your records to expire in a very, very short time, and constantly change the DNS servers, as well as the records. This makes it very hard to shut down the DNS, since it's always moving and changing. I guess a good way to picture it is if at Google, every single one of their 1M servers was changing. I.e., every 5 seconds, a different machine was the DNS server for "Google.com" and the www address changed to a different computer. Then, try to figure out which machine was misbehaving, and displaying the wrong data. It would be difficult.

    --

    What are we going to do tonight Brain?
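As an added example (not code from the thread or from any of its posters), here is a defender-side heuristic for the rotation QuantumRiff describes: repeatedly resolve a domain, then flag it when the answers carry a short TTL and a set of A records that keeps churning. The domains, addresses, and thresholds are constructed assumptions, not values from this page.

```python
"""Flag domains whose DNS answers look fast-flux: short TTLs plus a
constantly rotating set of A records. All data below is constructed."""
from collections import defaultdict

# Constructed lookups: (seconds since start, domain, TTL, A records).
# Stand-ins for repeated resolutions over about 15 minutes; not real data.
LOOKUPS = [
    (0,   "cdn.example-legit.net", 60, {"192.0.2.10", "192.0.2.11"}),
    (300, "cdn.example-legit.net", 60, {"192.0.2.11", "192.0.2.10"}),
    (600, "cdn.example-legit.net", 60, {"192.0.2.10", "192.0.2.12"}),
    (900, "cdn.example-legit.net", 60, {"192.0.2.11", "192.0.2.12"}),
    (0,   "pharm.example-flux.biz", 120, {"198.51.100.5", "198.51.100.77", "203.0.113.9"}),
    (300, "pharm.example-flux.biz", 120, {"203.0.113.41", "198.51.100.200", "192.0.2.250"}),
    (600, "pharm.example-flux.biz", 120, {"203.0.113.77", "198.51.100.3", "192.0.2.33"}),
    (900, "pharm.example-flux.biz", 120, {"203.0.113.120", "198.51.100.140", "192.0.2.99"}),
    (0,   "static.example-slow.org", 86400, {"192.0.2.200"}),
    (900, "static.example-slow.org", 86400, {"192.0.2.200"}),
]

def flux_metrics(lookups):
    """Per domain: largest TTL seen, number of distinct IPs, and churn, the
    mean fraction of IPs in each answer never seen in any earlier answer."""
    by_domain = defaultdict(list)
    for _ts, dom, ttl, ips in sorted(lookups, key=lambda r: r[0]):
        by_domain[dom].append((ttl, frozenset(ips)))
    metrics = {}
    for dom, answers in by_domain.items():
        seen, churns = set(), []
        for i, (_ttl, ips) in enumerate(answers):
            if i > 0:
                churns.append(len(ips - seen) / len(ips))
            seen |= ips
        metrics[dom] = {
            "max_ttl": max(t for t, _ in answers),
            "distinct_ips": len(seen),
            "churn": sum(churns) / len(churns) if churns else 0.0,
        }
    return metrics

def is_fast_flux(m, max_ttl=300, min_ips=5, min_churn=0.5):
    """Heuristic: short TTL AND many distinct IPs AND mostly new IPs per answer.
    Thresholds are assumptions, not from the page; tune them per environment.
    A legitimate CDN also uses short TTLs, so churn and IP count matter most."""
    return (m["max_ttl"] <= max_ttl and m["distinct_ips"] >= min_ips
            and m["churn"] >= min_churn)

def flagged_domains(lookups):
    """Sorted list of domains the heuristic considers fast-flux candidates."""
    return sorted(d for d, m in flux_metrics(lookups).items() if is_fast_flux(m))
```

Running `flagged_domains(LOOKUPS)` flags only the constructed flux domain; the low-TTL CDN look-alike is spared because its small address pool barely changes.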

  3. Bruce Schneier discusses the Storm Worm by Zymergy · Score: 4, Informative

    http://www.schneier.com/crypto-gram-0710.html#1
    A good essay on the Storm Worm and how it works and how it can be prevented (or rather why it CAN'T be prevented in many cases).