The “Storm Worm,” a strain of malicious software once responsible for blasting out 20 percent of spam sent worldwide before it died an ignominious death roughly 18 months ago, was resurrected this week. Researchers familiar with former strains of the worm say telltale fingerprints in the new version strongly suggest that it was either rebuilt by its original creators or was sold to another criminal malware gang.
The Storm Worm first surfaced in January 2007, disguising itself as videos supposedly depicting the carnage wrought by unusually violent storms that swept through Europe at the time. But as security researchers began delving into the code that powered the worm, they quickly realized they were up against an adversary that was significantly more sophisticated and resilient than any other threat in recent memory.
Storm spread by forcing infected systems to communicate via the same peer-to-peer file sharing systems used by millions of people to share movies and music online. These highly decentralized networks were thought to be appealing to the malware authors because they lacked a single command and control center, a critical piece of infrastructure common to most such large, remotely controlled collections of hacked PCs that were routinely targeted for dismantlement by security researchers.
Storm also contained self-defense mechanisms that automatically launched crippling Internet attacks against the networks of security researchers who sought to infiltrate or disrupt the Storm botnet.
Researchers who have examined the latest Storm malware say while the newly resurrected Storm Worm lacks the innovative P2P communication capability, it appears to retain the ability to attack those who may try to unravel its secrets.
According to members of the Honeynet Project, an international security research group, the new Storm Worm contains roughly two-thirds of the original Storm code.
“We found that 236 out of 310 separate functions of the worm were the same [as the old version],” said Felix Leder, a malware analyst with the project. “Since the source code for Storm was never made public, from that we deduce that there are two possibilities with this new version: The first is that it is the same team of developers, and the second possibility is that another team has bought source code for this worm.”
It remains unclear whether this Storm 2.0 strain will be as successful and prolific as its predecessor. But according to a blog post by security firm CA, the curators of the new Storm worm are very actively using the collection of PCs infected with this malware to once again relay junk e-mail advertising male enhancement pills and adult Web sites.
Read more about the Honeynet Project analysis of this new threat at this link here.