Storm worm botnet with over 1.7 million drones
At the start of the year, it was just a gentle breeze - now however, the storm worm has developed into a genuine tempest. The botnet built up by this worm has grown to include 1.7 million drones (infected computers) according to security services provider SecureWorks, who state that although the network has so far been primarily used to send spam, it could also be used for DDoS attacks on businesses or even countries.
According to security researcher Joe Stewart, between January and May of this year SecureWorks identified 71,342 attacks using the storm worm. Since June, however, the company has repelled 20,200,101 attacks. There has also been a dramatic increase in the number of infected computers from which e-mail attacks were sent. Whereas from the start of the year to the end of May just under 3000 computers were infected, in June and July, the number of drones increased to 1.7 million. SecureWorks speculates that the botnet operator has built such a large network in order to be able to hire it out to other hackers or perform attacks.
McAfee have ascribed the enormous increase in the number of infected computers to social engineering tactics used by malware authors, who, for instance, have sent out apparent greetings card e-mails with infected attachments or links to websites carrying the malware. Antivirus software vendors are working on the assumption that the storm worm botnet is behind recent spam e-mail carrying a RAR archive containing a text file as an attachment. According to McAfee, current versions of the malware use unusual tactics to gain a foothold within systems. Rather than simply implanting themselves in the registry using startup entries, the current versions infect the tcpip.sys file and append code for loading the malware to the driver. McAfee talks of an increasing trend of malware using this kind of file infection mechanism to get loaded after a reboot.
To protect from the worm, SecureWorks recommends exercising caution with e-mails claiming to contain greetings cards or warnings of impending catastrophes, either as attachments or as links. Users should also block peer to peer traffic, as the storm worm connects to other botnet drones using the eDonkey protocol. SecureWorks does not, however, provide any instructions on how this can be done. The eDonkey protocol is not limited to specific network ports. Additional tips on dealing with e-mails safely and on protection from malware infection can be found on heise Security's anti-virus web pages.
- Bots Launching Storm Attacks Increase Dramatically Totaling 1.7 Million in June/July, report from SecureWorks
- New wave of nuwars storming in, blog entry from McAfee