Storm botnet at one year: Unlikely to go away soon
But researchers argue about its impact
Computerworld - Security researchers marked the one-year anniversary of the botnet-building Storm Trojan today by disagreeing on its impact and arguing over whether it's an important landmark on the security landscape.
Storm, first detected a year ago today and given its name two days later to recognize its opening scam -- a news pitch on the deadly storms that had just swept Europe -- has been held up as the poster child for the next evolution in malware, linked to the notorious Russian Business Network (RBN) malware hosting organization, and blamed for scores of major spam campaigns that stocked, then restocked, its inventory of compromised computers.
Two things about Storm bear mentioning, said David Emm, a senior technology consultant at Kaspersky Labs, a Moscow-based security company. First, said Emm, the Trojan ditched the traditional IRC command-and-control technology for an off-the-shelf, peer-to-peer technology to keep tabs on the machines it had hijacked. "Storm built its botnet without a central command-and-control," which has made the army of compromised PC much more resilient to traditional takedown efforts, he said.
Secondly, its authors churn out variants at a dizzying rate, then distributes them from servers to bot-controlled PCs to constantly keep one step ahead of antivirus vendors and their scanner signatures. "Storm [has] shown that a distributed botnet is one way to make [a lot of] money," said Emm. "And it won't stop until the perpetrator or perpetrators get caught."
Jamz Yaneza, research project manager at Trend Micro Inc., has been tracking Storm since its debut and sees the malware's first year as less proof of the Trojan's technology as the effectiveness of the scams it runs to get on PCs.
"The social engineering it uses, the timeliness of the spam [centered] on special occasions, such as holidays, that's one of the main reasons why it's still out there," said Yaneza. Storm isn't an especially prevalent piece of malicious code; Trend doesn't even rank it in the top 15 for 2007. But its ability to trick users into opening attachments, which is how it spread itself originally, or dupe them into clicking on links to dangerous Web sites, where driveby exploits attack unpatched PCs, continues to amaze him.
It shows how little some users have learned.
"Storm will keep on churning out socially engineered attacks until end users learn to be more wary," said Yaneza, who seemed baffled by people who refuse to adopt spam filters, a first line of defense against attacks.
But Joe Stewart, a senior security researcher at SecureWorks Inc. and another longtime Storm investigator, dismissed talk of the Trojan as so much wasted breath. "Storm hasn't changed the reality of the threat landscape, but it has changed the IT press landscape," he said, referring to what he sees as a misplaced emphasis on the malware.
Stewart acknowledged that Storm has demonstrated some minor "advances" in malware -- the idea that one could use templates delivered to the bots themselves so that the hijacked computers did their own spamming is one -- but he downplayed any long-term significance of the Trojan. "It's just another botnet. There were a lot of other botnets that came before it," he said.
More than anything, Stewart seemed frustrated, even fed up, with Storm. The Trojan, which just recently launched its second annual run of Valentine, continues to plague users' houses. "It's repeating the same pattern that it's used all year," said Stewart. "It just shows how much farther we have to go."
Nor does he see an end in sight. "It's a matter of will on the part of its makers," he said. "Storm won't go away until they are done making money with this." And Stewart's betting that, what with Storm's origination, that day will be a long time coming. Researchers have consistently pegged Storm's birthplace as Russia -- St. Petersburg, in particular. And it's no coincidence that the RBN hails from the same city.
But it doesn't seem to matter how much information security researchers collect on Storm, then hand over to people in law enforcement. "Invariably, it turns out that they're in Eastern Europe," said Stewart. And then nothing gets done. "They still get to carry out their business."
Trend Micro has posted a chronology of Storm on its malware blog here.
Read more about Security in Computerworld's Security Topic Center.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!