
Is STORM Really Dead?

Botnet trackers are still wondering this month what happened to the Storm botnet. Storm’s command and control servers remain unresponsive. No doubt Storm is evolving in the wild as something yet to be discovered.

Marshal security analysts at TRACE (Threat Research and Content Engineering) stated in the October 15 issue of Techlinks: “While Microsoft certainly made a major contribution to the downfall of the Storm botnet, no one is clear on what precisely happened to Storm. Some suggest that the botnet was sold or morphed into another botnet and still continues to produce spam.”

Even if it turns out that this lull was merely the quiet before a Storm surge, it’s unlikely that even a reinvented Storm — now at about 47,000 infected machines, according to Damballa — would ever operate at the massive size it once was, at close to a half-million bots at its peak in early January. This is likely the end of the era of massive botnets, and the beginning of a new generation of smaller, more targeted botnets, says Paul Royal, director of research for Damballa.

Storm used spam to spread malware on a mass scale that was unprecedented in January 2007. Security experts dubbed this “malicious spam.”

“Storm was one of the first botnets to use these tactics on a mass scale. It became the most successful botnet of its type and established the basic template for developing a spam empire that other botnets have since copied,” said Phil Hay, lead threat analyst for Marshal TRACE.

“They also led the way in using self-perpetuating malicious spam to grow the botnet. They utilised every social engineering trick and invented quite a few of their own.”

Wikipedia describes the Storm botnet as “a remotely-controlled network of ‘zombie’ computers (or ‘botnet’) that has been linked by the Storm Worm, a Trojan horse spread through e-mail spam.” Storm uses social engineering techniques via email, providing storm-related subject lines and links in the infected email to infectious websites.

Wikipedia further explains that the botnet, or zombie network, comprises computers running Microsoft Windows as their operating system. Once infected, a computer becomes known as a bot. This bot then performs automated tasks—anything from gathering data on the user, to attacking web sites, to forwarding infected e-mail—without its owner’s knowledge or permission.

Storm first derived its name in January 2007 with a first delivery of spam consisting of fake news headlines that linked to malware. Coincidentally, this first batch of spam occurred during severe winter storms in Europe, and Storm’s early campaigns used headlines that described lethal storms in Europe.

The two avenues of attack that Storm used:

1- Spam with links to fast-flux sites exploiting operating system vulnerabilities
2- Injection of malicious iFrame tags into legitimate websites running third-party applications such as WordPress (with links to malware that downloads seamlessly to the user’s machine)
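Fast-flux hosting, the first avenue above, shows up in DNS as a name whose A records keep changing, are spread across many unrelated address ranges, and carry very short TTLs. The following heuristic checker is an added example written for this post, not code from Marshal, Damballa or any Storm analysis; the thresholds are illustrative assumptions, and the DNS observations are constructed inline (10.0.0.0/8 addresses stand in for real resolver output). It also shows the caveat a defender needs: a CDN-style name with a low TTL but few addresses in one prefix is not flagged.

```python
"""Heuristic fast-flux detector over a series of DNS A-record observations.

Added example, not from the original post. Thresholds are illustrative
assumptions, not values taken from any published Storm analysis.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class DnsObservation:
    """One A-record response for a name: its TTL and the addresses returned."""
    qname: str
    ttl: int
    addresses: Tuple[str, ...]


def flux_metrics(observations: Iterable[DnsObservation]) -> Dict[str, float]:
    """Summarise how 'fluxy' a name looks across repeated lookups."""
    obs = list(observations)
    if not obs:
        raise ValueError("need at least one observation")
    all_ips = set()
    prefixes = set()
    previous = set()
    new_later = 0       # addresses never seen in the immediately preceding answer
    total_later = 0     # addresses returned in every answer after the first
    for o in obs:
        current = {ip_address(a) for a in o.addresses}
        all_ips |= current
        # /16 networks as a coarse stand-in for "different hosting providers"
        prefixes |= {ip_network(f"{a}/16", strict=False) for a in current}
        if previous:
            new_later += len(current - previous)
            total_later += len(current)
        previous = current
    churn = new_later / total_later if total_later else 0.0
    return {
        "unique_ips": len(all_ips),
        "unique_prefixes": len(prefixes),
        "min_ttl": min(o.ttl for o in obs),
        "churn_ratio": churn,
    }


def is_fast_flux(observations, min_ips=8, min_prefixes=4,
                 max_ttl=600, min_churn=0.5) -> bool:
    """All four signals must fire; any one alone is common for legitimate names."""
    m = flux_metrics(observations)
    return (m["unique_ips"] >= min_ips
            and m["unique_prefixes"] >= min_prefixes
            and m["min_ttl"] <= max_ttl
            and m["churn_ratio"] >= min_churn)


# Constructed sample: four lookups of a spam-linked name, every answer a fresh
# set of addresses in unrelated /16s with TTLs of minutes or less.
FLUX_SAMPLE = [
    DnsObservation("lure.example", 60, ("10.11.2.3", "10.27.9.1", "10.48.100.7", "10.63.5.5")),
    DnsObservation("lure.example", 0, ("10.72.3.3", "10.85.1.9", "10.96.44.2", "10.103.7.7")),
    DnsObservation("lure.example", 180, ("10.114.8.8", "10.120.2.2", "10.133.6.6", "10.140.9.9")),
    DnsObservation("lure.example", 300, ("10.151.1.1", "10.162.3.3", "10.170.5.5", "10.188.7.7")),
]

# Constructed sample: a CDN-like name that also rotates with a 60 s TTL, but
# only among four addresses inside one /16. It must not be flagged.
CDN_SAMPLE = [
    DnsObservation("www.example", 60, ("10.50.1.1", "10.50.1.2")),
    DnsObservation("www.example", 60, ("10.50.1.3", "10.50.1.1")),
    DnsObservation("www.example", 60, ("10.50.1.2", "10.50.1.4")),
]

if __name__ == "__main__":
    for name, sample in (("flux", FLUX_SAMPLE), ("cdn", CDN_SAMPLE)):
        print(name, flux_metrics(sample), "fast-flux" if is_fast_flux(sample) else "ok")
```

In practice the observations come from passive DNS or from repeated queries spaced over hours; the point of the combined test is that low TTL or many addresses alone is normal for large sites, while all four signals together rarely are.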

On December 20, 2007, one of Tesquisites’ sister domains was hit with a malicious iframe attack pushing a rather large MPack compromise, which ironically was traced back to the Russian Business Network (RBN).
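Injected iframes of the kind described above are usually made invisible (zero-size or hidden by CSS) and point at a host that has nothing to do with the compromised site, so a site owner can audit their own pages for exactly those traits. The scanner below is an added example, not code from the post or from any of the vendors it quotes; the sample page, the site host `example.com` and the `.invalid` destination are constructed for illustration.

```python
"""Audit a site's HTML for iframes that look injected rather than authored.

Added example, not from the original post. The site host and sample page
are constructed; tune the host check to the domains you actually own.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


def _is_tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 (pixels or '%')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects iframes that are off-site, collapsed to 0/1 px, or CSS-hidden."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: List[Dict] = []

    def _off_site(self, src: str) -> bool:
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs and the site's own host/subdomains are in-scope
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        if self._off_site(src):
            reasons.append("third-party src host")
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero/one-pixel dimensions")
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            line, _ = self.getpos()
            self.findings.append({"src": src, "line": line, "reasons": reasons})


def audit_html(html: str, site_host: str) -> List[Dict]:
    """Return one finding per suspicious iframe in the given page source."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate same-site embed, one injected hidden frame
# appended after the footer, where attackers commonly place such tags.
SAMPLE_PAGE = """<html><body>
<h1>Weather news</h1>
<iframe src="https://example.com/embed/video" width="640" height="360"></iframe>
<p>Footer</p>
<iframe src="http://injected-host.invalid/in.php" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE, "example.com"):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}")
```

Run it over the served HTML (what a visitor actually receives), not only the files on disk, since some compromises inject the tag at request time through a modified PHP include or .htaccess rule.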

Storm Timeline:

Jan 2007: Storm botnet comes to prominence with the headline “230 Dead as Storm Batters Europe” and rapidly infects hundreds of thousands of computers in a matter of days.

Feb 2007: Storm’s next campaigns feature malicious executable attachments. But, the Storm controllers quickly change tactics to drive-by malware provided through URL links when they realize that attachments are often detected by anti-spam/anti-virus solutions.

Feb-Sep 2007: Storm uses fast flux DNS to avoid detection and ever-changing malicious spam campaigns to infect as many as 1 million computers worldwide. Storm’s self-perpetuating malicious spam campaigns establish the templates for other would-be botnet spammers to develop their own botnets.

Sep 2007: Marshal announces Storm has become the single biggest spam producer by volume and attributes 20 percent of all spam globally to Storm. This is the peak of Storm’s dominance. Microsoft targets Storm with the Malicious Software Removal Tool, cleaning almost 275,000 infected computers in the first month.

Oct 2007 – Jan 2008: Storm dwindles steadily down to just 2 percent of spam according to Marshal. Microsoft claims credit for reducing the Storm threat with MSRT.

Jan-Sep 2008: Storm is never a major spam player again. Rarely exceeding 1 percent in Marshal’s spam statistics, Storm carries on at a trickle compared to other botnets – the top botnets now routinely exceed 20 percent of spam and cumulatively account for over 90 percent of spam in circulation.

Sep 2008: Marshal’s TRACE security analysts conclude that Storm has stopped sending spam.
