The Storm Worm Botnet Is Still a Threat
Have you been receiving more spam email than usual lately? Spam emails with attachments? There’s a reason. As Wired.com notes:
The Storm worm first appeared at the beginning of the year, hiding in e-mail attachments with the subject line: “230 dead as storm batters Europe.” Those who opened the attachment became infected, their computers joining an ever-growing botnet.
Although it’s most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It’s also the most successful example we have of a new breed of worm, and I’ve seen estimates that between 1 million and 50 million computers have been infected worldwide.
Old-style worms — Sasser, Slammer, Nimda — were written by hackers looking for fame. They spread as quickly as possible (Slammer infected 75,000 computers in 10 minutes) and garnered a lot of notice in the process. The onslaught made it easier for security experts to detect the attack, but required a quick response by antivirus companies, sysadmins and users hoping to contain it. Think of this type of worm as an infectious disease that shows immediate symptoms.
EnterpriseIT Planet discusses the enormous rise of spam attributed to the worm:
There is no escaping the suspicion that spammers have been charting a cagier course in recent months. Electronic messaging managed service provider MessageLabs has noticed too.
Previously pristine inboxes are finding that image files and PDFs containing pump-and-dump stock pitches and advertisements increasingly slip through. Excel and Rich Text Format (RTF) spam have also been detected in the wild.
The cause can be summed up by one word: botnets.
Although spam has decreased from its peak in July 2004 when it accounted for a staggering 94.5 percent of the email monitored by MessageLabs — it now hovers around 71 percent — the monetary spoils have prompted spammers to pursue more exotic methods of keeping those coffers full.
Responsible for spewing spam and dropping the DDoS hammer on Web sites, botnets can hardly be considered an up-and-coming threat. However, a relatively new breed of botnet, spawned by the Storm worm, is proving to be a tenacious adversary.
The malware has been contributing to a slight uptick in spam lately, according to MessageLabs’ Chief Anti-Spam Technologist, Matt Sergeant.
“We’re currently seeing a slight rise. Nothing anywhere near as huge a rise as we saw last year. But it’s early days yet,” he states.
Purportedly under the control of the notorious Russian spammer Zliden, the Storm-based botnet is a very different beast. First, its sheer size is immense. According to MessageLabs, Storm is believed to have infected 50 million machines, though only 10 to 20 percent of its capacity is being used.
Organizations such as Spamhaus, which work to combat such Internet threats, have been under attack by Storm:
“It’s been a pretty constant battle to stay online,” Vincent Hanna, an investigator for the non-profit Spamhaus Project, told InformationWeek. “It’s an arms race. They try something. We block it. They try something else. We block it. It goes on and on. Sometimes it’s fine and sometimes we spend hours a day on this.”
Spamhaus is one of the anti-spam organizations that have been targeted in recent months by the Storm worm authors. The malware writers have amassed a giant, international botnet of compromised computers. Estimates of its size range wildly — from one or two million up to 50 million bots. Regardless of its specific size, though, security researchers say it’s definitely large enough to wreak a lot of havoc with a company’s network, a government agency, an ISP, or possibly even an entire country, if they use that illegal grid to launch a denial-of-service (DoS) attack.
Adam Swidler, a senior manager with security company Postini, said in an earlier interview he has no doubt if the Storm worm bosses focused the full power of their botnet on a targeted DoS attack, it could do a lot of damage. “I think there’s no question they could damage any single company, whether through a DoS attack or a spam barrage,” he added. “I’d be less worried about a Yahoo (YHOO) or a Bank of America than the thousands of mid-sized banks that aren’t as well protected. But undoubtedly, this could do a great deal of damage.”
While the protracted DoS attack on Spamhaus hasn’t used the full force of the botnet’s might, the attack has been long enough and strong enough to be disruptive, even if it hasn’t knocked the organization offline.
As always, be cautious with email from unknown senders and never download any attachments, ever, from unknown senders. Here is a helpful FAQ regarding the Storm Worm Botnet. Here is an informative interview with Trend Micro CEO Eva Chen regarding botnets and how to avoid being victimized.