IPStorm

When one wants to make a botnet work, they have to make use of a certain network to establish a connection between the infected system and its command and control center (C2). IPStorm is a Trojan botnet that makes use of the IPFS p2p network. Since IPStorm works through this network, it might be hard to detect and remove IPStorm for good. However, that shouldn’t stop you from running regular system security scans with an antispyware program of your choice because Trojan infections are hard to spot. The sooner you detect them, the sooner you will be able to get rid of them.

IPStorm is written in the Go language, and thus it can be easily incorporated into the InterPlanetary File System (IPFS) because Go is also one of the several programming languages used to write the protocol implementations and client libraries. Also, researchers agree that the main IPStorm samples found in the wild are targeting the Windows operating system. Nevertheless, some of the analyzed features show that IPStorm might have been developed for a macOS machine, too. It is hard to say how this infection will develop in the future, but macOS users shouldn’t be lulled into the fake feeling of safety.

Since IPStorm uses the IPFS p2p network to establish C2 connection, this botnet can also hide its traffic amongst legitimate traffic, thus making it harder for security applications to detect it. Aside from that, IPStorm also employs several other measures to evade antivirus products. The research shows that this program employs a generation of random numbers, sleeps, and memory allocations to avoid getting detected. Also, it has to make sure that the botnet is able to connect to the p2p network, so when IPStorm enters the target system, it adds a rule to the firewall, that allows it to bypass the security measures.

Our research team says that by default, IPStorm can clearly collect basic data on the affected system. It will log your Windows version, username, and the admin status, and then share this information with its C2. However, there is so much more that IPStorm can do since it is a botnet, and researchers are still perplexed about it because they are not sure what exactly for this botnet was created. They only agree that it is a new development for botnets because IPStorm is the first botnet infection that employs the IPFS p2p network.

When this infection reaches the target system, is creates a new folder in the %LocalAppData% directory. However, the folder and the file that belong to this botnet have random filenames that differ from one infected system to the other. Therefore, it makes it harder to notice this infection. To give you an example of the file path, it would be something like this: %LocalAppData%\packages\{random}_{random}\appdata\{random}.exe. With at least two random filenames in its path, it is practically impossible to give users clear and direct guidelines for manual removal. Although hardly anyone would choose to remove this infection manually, it is still a rather frustrating fact.

Needless to say, IPStorm can download and upload files. It can be achieved by sending the data to the PubSub network. Every single separate bot has its own executable file, and the attack can make use of the PubSub network to distribute the botnet further. What’s more, the infection comes with a “reverse shell” functionality, which allows the attacker to execute virtually any PowerShell code on the compromised machine. As PowerShell gives full access to COM and WMI, running such codes on the infected system basically allows the attacker to take full control of the machine.

IPStorm and other similar infections are hard to notice because they don’t have an immediate interface. They work in the background of the infected machine. That is one of the reasons we recommend automated malware removal as opposed to the manual removal.

Manual removal is not recommended unless you are an experienced user who has dealt with similar intruders before. You can find the manual removal guide below this description, but please be aware that you should still scan your computer with a security tool even after the manual removal. It is very likely that there are more potential threats on your system, and so you have to terminate them all.

How to Remove IPStorm

1. Press Win+R and the Run prompt will open.
2. Type regedit into the open box. Click OK.
3. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
4. On the right, find a startup entry with the %LocalAppData%\packages location.
5. Delete the exe file in the path and the startup value.
6. Run a full system scan.