Storm botnet at one year: Unlikely to go away soon
But researchers argue about its impact
Computerworld - Security researchers marked the one-year anniversary of the botnet-building Storm Trojan today by disagreeing on its impact and arguing over whether it's an important landmark on the security landscape.
Storm, first detected a year ago today and given its name two days later to recognize its opening scam -- a news pitch on the deadly storms that had just swept Europe -- has been held up as the poster child for the next evolution in malware, linked to the notorious Russian Business Network (RBN) malware hosting organization, and blamed for scores of major spam campaigns that stocked, then restocked, its inventory of compromised computers.
Two things about Storm bear mentioning, said David Emm, a senior technology consultant at Kaspersky Labs, a Moscow-based security company. First, said Emm, the Trojan ditched the traditional IRC command-and-control technology for an off-the-shelf peer-to-peer technology to keep tabs on the machines it had hijacked. "Storm built its botnet without a central command-and-control," which has made the army of compromised PCs much more resilient to traditional takedown efforts, he said.
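The resilience Emm describes has a direct consequence for defenders: a bot that rendezvous with one IRC server can be spotted (and cut off) by matching a single destination, whereas a peer-to-peer bot shows up only as a pattern, a host talking to many distinct peers with no dominant destination. The script below is an added illustration of that contrast, not code from Kaspersky, Trend Micro or SecureWorks; the flow records, the 203.0.113.x peer addresses and the fan-out threshold of eight peers are all constructed assumptions for the example.

```python
"""Contrast two detection styles over constructed flow records:
a destination blocklist (catches a central-C&C bot) versus a
peer fan-out heuristic (catches a P2P bot the blocklist misses)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


def _constructed_flows():
    flows = []
    # Host A: talks to 12 distinct peers on assorted high UDP ports (P2P pattern).
    for i in range(1, 13):
        flows.append(Flow("10.0.0.7", f"203.0.113.{i}", 20000 + i * 37, "udp"))
    # Host B: ordinary workstation, DNS to one resolver and HTTPS to two sites.
    flows += [Flow("10.0.0.8", "192.0.2.53", 53, "udp")] * 5
    flows += [Flow("10.0.0.8", "198.51.100.10", 443, "tcp"),
              Flow("10.0.0.8", "198.51.100.11", 443, "tcp")]
    # Host C: classic IRC-style bot, repeatedly contacting one known bad server.
    flows += [Flow("10.0.0.9", "192.0.2.200", 6667, "tcp")] * 3
    return flows


SAMPLE_FLOWS = _constructed_flows()  # constructed sample, not real traffic
KNOWN_CC = {"192.0.2.200"}           # placeholder blocklist entry


def blocklist_hits(flows, blocklist):
    """Hosts that contacted any destination on the blocklist."""
    return sorted({f.src for f in flows if f.dst in blocklist})


def peer_fanout(flows, proto="udp", min_port=1024):
    """Count distinct remote peers per source on high-numbered ports."""
    peers = defaultdict(set)
    for f in flows:
        if f.proto == proto and f.dport >= min_port:
            peers[f.src].add(f.dst)
    return {src: len(p) for src, p in peers.items()}


def flag_p2p_hosts(flows, threshold=8):
    """Sources whose peer fan-out meets the threshold (an assumed tuning value)."""
    return sorted(src for src, n in peer_fanout(flows).items() if n >= threshold)


if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(SAMPLE_FLOWS, KNOWN_CC))
    print("peer fan-out:  ", peer_fanout(SAMPLE_FLOWS))
    print("P2P suspects:  ", flag_p2p_hosts(SAMPLE_FLOWS))
```

Run as-is, the blocklist catches only the IRC-style host, because the P2P host never touches a single fixed address; the fan-out rule catches the P2P host and leaves the workstation alone, since its DNS traffic sits below the port cut-off and its web traffic is TCP to two destinations. In practice the threshold and port filter need tuning against a baseline, and the heuristic is a trigger for investigation rather than a verdict.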
Second, its authors churn out variants at a dizzying rate, then distribute them from servers to bot-controlled PCs to stay one step ahead of antivirus vendors and their scanner signatures. "Storm [has] shown that a distributed botnet is one way to make [a lot of] money," said Emm. "And it won't stop until the perpetrator or perpetrators get caught."
Jamz Yaneza, research project manager at Trend Micro Inc., has been tracking Storm since its debut and sees the malware's first year less as proof of the Trojan's technology than as proof of the effectiveness of the scams it runs to get onto PCs.
"The social engineering it uses, the timeliness of the spam [centered] on special occasions, such as holidays, that's one of the main reasons why it's still out there," said Yaneza. Storm isn't an especially prevalent piece of malicious code; Trend doesn't even rank it in the top 15 for 2007. But its ability to trick users into opening attachments, which is how it spread itself originally, or to dupe them into clicking on links to dangerous Web sites, where drive-by exploits attack unpatched PCs, continues to amaze him.
It shows how little some users have learned.
"Storm will keep on churning out socially engineered attacks until end users learn to be more wary," said Yaneza, who seemed baffled by people who refuse to adopt spam filters, a first line of defense against attacks.
But Joe Stewart, a senior security researcher at SecureWorks Inc. and another longtime Storm investigator, dismissed talk of the Trojan as so much wasted breath. "Storm hasn't changed the reality of the threat landscape, but it has changed the IT press landscape," he said, referring to what he sees as a misplaced emphasis on the malware.
Stewart acknowledged that Storm has demonstrated some minor "advances" in malware -- the idea that one could use templates delivered to the bots themselves so that the hijacked computers did their own spamming is one -- but he downplayed any long-term significance of the Trojan. "It's just another botnet. There were a lot of other botnets that came before it," he said.
More than anything, Stewart seemed frustrated, even fed up, with Storm. The Trojan, which just recently launched its second annual Valentine's Day run, continues to plague users. "It's repeating the same pattern that it's used all year," said Stewart. "It just shows how much farther we have to go."
Nor does he see an end in sight. "It's a matter of will on the part of its makers," he said. "Storm won't go away until they are done making money with this." And Stewart is betting that, given where Storm originated, that day will be a long time coming. Researchers have consistently pegged Storm's birthplace as Russia -- St. Petersburg, in particular. And it's no coincidence that the RBN hails from the same city.
But it doesn't seem to matter how much information security researchers collect on Storm, then hand over to people in law enforcement. "Invariably, it turns out that they're in Eastern Europe," said Stewart. And then nothing gets done. "They still get to carry out their business."
Trend Micro has posted a chronology of Storm on its malware blog here.