Nuwar Traffic Analysis
Created: 2007-11-12 16:12:52
Nuwar, also known as the Storm Worm, is a very popular threat in the antivirus industry this year. This threat has attracted a lot of attention because of its sophistication and the strenuous efforts made by its authors to maintain a strong botnet.
The botherders who operate the Nuwar botnet control infected PCs with a distributed network based on the eDonkey peer-to-peer network protocol. It is rare for malware to make use of this type of network topology because it is much more complicated than the well known and much-used Internet Relay Chat (IRC) protocol or, more recently, Hyper Text Transfer Protocol (HTTP). The use of a peer-to-peer communication scheme adds reliability to their network since there is no central point that can be shut down, no single point of failure (SPoF). This reliability comes at a cost, though: it consumes significant bandwidth.
The following graph shows the number of communication packets sent (blue area) and received (red area) by a computer newly infected by Nuwar. The X axis shows the number of minutes since infection and the Y axis represents the number of packets sent. We see from this that the first twenty minutes after infection are used to establish communication with other compromised systems and join the decentralized network. Trying to connect to the network creates high volumes of traffic. Once the infected node has joined the network, it performs hourly network maintenance. The infected system tries to find recently-connected peer systems and unmounts peers that have been disconnected. This control traffic is shown on this figure by the two peaks that appear after 80 and 140 minutes.
The conspicuous spikes in traffic occurring when a node joins the Nuwar network and the subsequent control traffic appearing every hour will be quite noticeable to vigilant network administrators. The authors of this malware seem to have chosen reliability over network stealth. The security industry needs to pay attention to the operational compromises attackers are making. These tradeoffs can point to design weakness which help us secure our infrastructure.
Pierre-Marc Bureau
Researcher