The Storm awakes
A number of anti-virus software vendors are reporting that the Storm worm, long thought dead, is back and is disseminating spam. In its day, the Storm botnet was one of the biggest botnets out there. At times it encompassed more than a million infected computers and, between 2006 and 2009, was responsible for a significant proportion of spam and many distributed denial of service attacks. The Storm worm, which is strictly speaking a trojan downloader rather than a worm, got its name from malicious emails with sensational headlines relating to hurricane Kyrill.
In early 2009, the worm went quiet. There was speculation that the bot herder had simply made enough money for the time being and wanted to re-jig the worm's architecture, partly because analysis by an increasing number of virus specialists was getting to grips with the bot. Alternatively, it may simply have been that the Storm worm was pushed out of the market by other bot herders (Srizbi, Mega-D, Rustock, Pushdo et al).
Analysis by Tillmann Werner, Felix Leder and Mark Schlösser of the Honeynet project shows that the new incarnation differs from the original in several minor ways. Communication between bots and C&C servers is now exclusively via HTTP, which bots use to download templates for spam campaigns for Viagra and suchlike. Peer-to-peer communication has been completely removed. Only around 60% of the code from the older version has been retained.
The researchers, who published analysis of the Storm worm and anti-Storm tool Stormfucker in early 2009, also note that the people behind the worm might have sold on the code for Storm, so the new version could well be the work of a new bot herder.
- Storm Worm botnet cracked wide open, a report from The H.
- "Storm worm" sloshes through the internet, a report from The H.