The Son of Storm.

This is essentially a rewrite of the Storm worm with a much, much stronger command and control channel protection scheme using  as written by the awesome .  Here is an  of articles tracking its growth called the Waldec Tracker.


With robust encryption starting to become the norm (i.e. Conficker is now doing robust encryption), it will be computationally infeasible to crack and observe the command and control traffic, as well as to conduct integrity attacks and command insertion into these botnets.

That means we need to be more innovative... or get some balls and be ruthless.  If your opponent gets smarter than you are, you're better off just bashing him in the fucking head.  Pardon my French.


They are still using the same tricks: social engineering, email spam for propagation and fast flux for resiliency.

One of the awesome things it's doing is crafting custom, socially engineered, LOCALIZED email spam based on a disaster theme, using GeoIP to localize it to the victim's community.  So for example, if you live in San Francisco it would say something like a terrorist attack on the Golden Gate Bridge, or an earthquake.  Anything to lure the suckers in…


Here is a look at the network structure.


That's a whole lotta pwnage, boys and girls.  Keep your data close…. Here is the geographic distribution.


Here are some good links to track .

So here is a little experiment.  I am going to run a monthly posting contest.  The purpose is to allow malware authors to hype their baddest ass skills and techniques as compared to some of the most insidious examples the research community has been dealing with.
Winners will receive the dubious title of BADDEST ass code that does the BADDEST ass things.  O yea, and the right to be represented by this avatar.


There will be a chumpy award as well for code that thinks it's bad ass enough to be ranked as the best but really is “old, tired and busted”, using stale and well known techniques.

They will get represented with this little digital homage..

So here are the categories for assessment of who the baddest should be.

  • Best hiding techniques (files, registry, process listing):
  • Best network or file based steganography techniques:
  • Best innovative and destructive capabilities:
  • Most kleptoKrazy information stealing capabilities:
  • Most innovative functions: if you mention opening the CD drive bay door you get DDoS'ed automagically:
  • Most enriching social engineering techniques: sorry, Bernie Madoff has the record, so this place is automatic second place:
  • Most elegant code/resiliency from detection:
  • Best polymorphic/metamorphic illusionist techniques:
  • Best code protection for code and logic integrity vs. debugging, tracing, dumping:
  • Innovative and secure use of encryption: (if you submit xor/rot/base64/rc4 or any other weak ass shit you get your remote files automatically encrypted with AES 256-bit and the secret key securely deleted from memory and the entire file system.  That's after the secret key is encrypted, of course.)
  • Best and most evil undetectable embedded attacks against third party file types, i.e. Office, Flash, PDF, CHM, etcetera:
  • Baddest and most comprehensive web page example with close to every drive-by exploit out there:
  • Most disruptive piece of code:
  • VISTA pwnage (most code rapes XP): start evolving and compromise Vista systems if you have the balls.  Special points for getting around Vista security and specifically the 64-bit hardware DEP features enabled in BIOS.
  • Implementation of malicious VMs as an obfuscation technique or as the payload itself, by putting the target into the matrix without his knowing.

Requirements for submission are as follows:

  • Name of the malware, whether self-named or just plain found somewhere.
  • Why it deserves inclusion into the baddest ass hall of malware fame from a technique standpoint.
  • Description of its capabilities and its closest variants, if any.
  • And for the do-gooders: who and what is to blame for this glaring technique, and what can be done about it.
  • And O yea, is it able to fully exploit and run on a base build of Microsoft Vista SP1/SP2 out of the box?

Several CODE samples to compare your submission to for innovativeness and complexity:

Kraken, Storm, Conficker, Waldec, Rustock, Asprox, Pinch, Zeus, Bancos, Coreflood, Tigger/Syzoor

Participation by the research community and security vendors that might have the balls to discuss will get mad props for actually supporting research.

WELL let the games begin:

Awards and ranking will be from 1 to 10.  If I'm impressed I will PayPal monetary goodness, maybe, possibly, if I actually feel something in my pants after reading.



So viruses spread back in the day, then got PWNed by antivirus; then vulnerabilities led to exploits, which led to worms.  Worms get PWNed by antivirus, worms get whittled down and turned into trojans that become massively networked to become bots, which came from IRC scripts.  Everything is now hidden from and protected against reverse engineering and analysis by packing, crypting, polymorphism and metamorphism.  Advanced features are built in, such as automatic bank account balance checking… YEOCH.  Been going on for years..

Here is an example of one such bot () that has been OWNING for years and got progressively nastier.  It now targets power users in organizations who can use sysadmin tools such as psexec and Microsoft SMS or patch distribution mechanisms to seed entire organizations, including the STATE police.  Fun fun.  Wonder what data systems they have access to now.  O yea, keystroke logging, cookie theft, and password grabbing on the wire, but that's all STANDARD now in this malware code.  The guys at  are badasses for this.

This little ditty had HUNDREDS of gigabytes of user data and credentials on its drop site, most of which had already been pulled off.  Not to mention all the CASH MoOLa they have walked off with: $90,000 on one account alone.

O ya, and no, they still haven't caught the guys yet.  When the US government charges the head driver/protector of Osama bin Laden with 5 years in jail even though he most likely knew about the 9/11 plot, what kind of penalties do you think we are levying against extreme ripoff artists with digital weapons….. HRMMM?

is everyone on when this stuff is running around?!  Granted, Storm is pretty kickass because it's decentralized and using a hacked up p2p protocol and .  I did tons of research on P2P and its disruptive effects a long time ago, awesome stuff.

By the way, why the hell do we not see any AES encrypted malware out there?  Are malware coders dumbasses, given that almost all of the encryption in their products is based on RC4/ROT13/Base64 or some other weak ass pseudo crypto/encoding/scrambling that gets easily broken?

I'm going to have to search for lightweight AES implementations.

