--On Saturday, August 18, 2007 1:45 PM -0400 "Kevin A. McGrail" kmcgrail@pccc.com wrote:
> You have two customers (A & B) of an ISP that uses DHCP. Customer A gets an IP address, has a storm infection and sends out some emails that list his IP address (or possibly even other machines in the P2P Storm Network).
The botnet host that sends the mail is never the botnet host mentioned in the message. We analyzed about 10,000 examples.
Data from one day, July 15:
6,511 Storm messages
3,352 hosts sent mail to columbia.edu
2,030 web sites were given
-----
5,381 different IP addresses involved
1 IP address both sent mail (12:42) and was a web site (16:01)
Very roughly, 2 messages per mail host, and 3 references per web site.
It is probably the case that every infected host is both a mail sender and a web server, maybe at different times.
The botnet is believed to be millions. Observers have wondered what the owner is planning, because this well exceeds what is needed for a spam botnet. Yet so far all they have done is send stock pump-n-dump.
All of it could be stopped by one simple regexp, for five weeks or so. On August 14 the entire botnet suddenly changed to a different pattern, in about an hour's time. It could happen again.
Because of the size and volatility of the botnet, I wonder how useful it is to list the URIs. But we could find out. I won't be at work for a week, but after that, if you put this into SURBL, we could report how much of Storm worm it catches.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
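The one-day tally in Brennan's post (messages, sending hosts, URI hosts, distinct addresses, and any host seen in both roles with the time of each role) can be reproduced from an MTA log. The following is an added example, not code from the post or from Columbia; it assumes constructed records of the form `HH:MM sender-ip uri-host-ip` with placeholder addresses.

```python
from collections import defaultdict

# Constructed sample: one line per Storm message seen by the MTA, as
# "HH:MM <sending-host-ip> <ip-of-host-named-in-the-message-URI>".
# Addresses are documentation-range placeholders, not real indicators.
SAMPLE_LOG = """\
12:42 192.0.2.10 198.51.100.7
12:50 192.0.2.11 198.51.100.7
13:05 192.0.2.10 198.51.100.8
14:17 192.0.2.12 198.51.100.9
16:01 192.0.2.13 192.0.2.10
16:30 192.0.2.14 198.51.100.9
"""


def parse_records(text):
    """Yield (time, sender_ip, web_ip) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1], parts[2]


def role_report(records):
    """Summarise sender/web-host roles the way the post's one-day table does."""
    first_seen = defaultdict(dict)  # ip -> {"mail": HH:MM, "web": HH:MM}
    n_messages = 0
    for when, sender, web in records:
        n_messages += 1
        first_seen[sender].setdefault("mail", when)  # keep earliest sighting
        first_seen[web].setdefault("web", when)
    mail_hosts = {ip for ip, r in first_seen.items() if "mail" in r}
    web_hosts = {ip for ip, r in first_seen.items() if "web" in r}
    both = {ip: r for ip, r in first_seen.items() if "mail" in r and "web" in r}
    return {
        "messages": n_messages,
        "mail_hosts": len(mail_hosts),
        "web_hosts": len(web_hosts),
        "all_ips": len(mail_hosts | web_hosts),
        "both_roles": both,  # ip -> first time seen in each role
        "msgs_per_mail_host": n_messages / len(mail_hosts) if mail_hosts else 0.0,
        "refs_per_web_host": n_messages / len(web_hosts) if web_hosts else 0.0,
    }


if __name__ == "__main__":
    for key, value in role_report(parse_records(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A low `both_roles` count relative to `all_ips` is the signal the post describes: the hosts that send the mail are not the hosts the URIs point at, so a URI-host list and a sender-IP list cover different parts of the botnet.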