April 28, 2010

The “Storm Worm,” a strain of malicious software once responsible for blasting out 20 percent of spam sent worldwide before it died an ignominious death roughly 18 months ago, was resurrected this week. Researchers familiar with former strains of the worm say telltale fingerprints in the new version strongly suggest that it was either rebuilt by its original creators or was sold to another criminal malware gang.

The Storm Worm first surfaced in January 2007, disguising itself as videos supposedly depicting the carnage wrought by unusually violent storms that swept through Europe at the time. But as security researchers began delving into the code that powered the worm, they quickly realized they were up against an adversary that was significantly more sophisticated and resilient than any other threat in recent memory.

Storm spread by forcing infected systems to communicate via the same peer-to-peer file sharing systems used by millions of people to share movies and music online. These highly decentralized networks were thought to be appealing to the malware authors because they lacked a single command and control center, a critical piece of infrastructure common to most such large, remotely controlled collections of hacked PCs that were routinely targeted for dismantlement by security researchers.

Storm also contained self-defense mechanisms that automatically launched crippling Internet attacks against the networks of security researchers who sought to infiltrate or disrupt the Storm botnet.

Researchers who have examined the latest Storm malware say while the newly resurrected Storm Worm lacks the innovative P2P communication capability, it appears to retain the ability to attack those who may try to unravel its secrets.

According to members of the Honeynet Project, an international security research group, the new Storm Worm contains roughly two-thirds of the original Storm code.

“We found that 236 out of 310 separate functions of the worm were the same [as the old version],” said Felix Leder, a malware analyst with the project. “Since the source code for Storm was never made public, from that we deduce that there are two possibilities with this new version: The first is that it is the same team of developers, and the second possibility is that another team has bought source code for this worm.”

It remains unclear whether this Storm 2.0 strain will be as successful and prolific as its predecessor. But according to a blog post by security firm CA, the curators of the new Storm worm are very actively using the collection of PCs infected with this malware to once again relay junk e-mail advertising male enhancement pills and adult Web sites.

Read more about the Honeynet Project analysis of this new threat at this link here.

6 thoughts on “Infamous Storm Worm Stages a Comeback

  1. AlphaCentauri

    So, are there domains downloading storm worm? What are the nameservers? Are the domains still fast flux/zero-second refresh rate?

  2. eli baker

    Hi…love your columns and, following your advice, am now trolling the internet as a limited user. Windows 7 make LU easily used. Perhaps you should write an articlee or two on LU and Windows 7.


  3. Big Geek Daddy

    The resurrection of the Storm Worm explains why my spam box has been full of Viagra spam emails all week. For a few days now I’ve been wondering if the spammers were trying to tell me something…LOL.

  4. Charlie Griffith

    …Re: this business…is it a business?…of selling malware, worms, etc.

    How is this malware monetized? How do a buyer and seller arrive at an agreed price? How is “success” at spreading such “ware” measured? How does one measure trouble?

    These aren’t idle questions. If answers could be provided, perhaps this plague could be fought more accurately. Since we don’t seem to be able to fight this disease electronically, if the vectors could be “infected” financially, that may be an option.

    Wall Street ingenuity should be applicable.

  5. Charlie Griffith

    …amend that last sentence to read…”…derivative ingenuity”…should be applicable.

Comments are closed.