Move Over Storm, There's a New Botnet in Town
Page 1 of 1
An upgraded spam-blasting worm could be poised to surpass the durable Storm worm as the nastiest botnet on the Internet. Or not. Therein lies the uncertainty of predicting how malware evolves.
The worm, called Nugache, has been around since before Storm. However, Nugache never proved particularly powerful or widespread.
In recent weeks, however, malware researcher Secure Computing noticed that Nugache has been revised and updated, making it as powerful as Storm in many ways.
While both could easily be modified to deliver a more dangerous payload, like a keylogger, their primary function is blasting out spam. Spammers then hire the services of these botnets to send out their letter, be it pump-and-dump stock scams, mortgage offers or sexual performance drugs.
Both also often rely on user gullibility to trick people into willingly downloading the code onto their computer. Users generally infect their systems with Storm and Nugache when they click on a link to malicious code or download a file pretending to be a screen saver, a codec or an e-card.
Despite concerted efforts to eradicate it, Storm has hung on. What may be helping Nugache's rise is that the operators of the Storm worm seem to be reducing its size and selling off chunks of it to spammers, thus breaking it up.
Nugache's operators, meanwhile, are filling the void by massively undercutting Storm's prices, according to Secure Computing.
Paul Henry, vice president of technology evangelism for the researcher, began receiving offers from Nugache operators at his "honeypot" e-mail addresses, which are set up to attract mail from spammers without the spammer knowing where he works.
"They did a real good job of copying the capability of Storm," he told InternetNews.com. "To help them broaden the distribution, they are doing bargain-basement prices. They are pricing it to take business away from Storm and its technical capabilities are on par with Storm. They are the K-Mart of botnets right now."
Storm was so effective because it combined a number of technologies with new ways of operating. Storm uses a peer-to-peer method for store-and-forward e-mail, instead of centralized command and control. So while other botnets could be taken out simply by taking down the command-and-control servers, Storm had no such central hub.
Storm also uses encryption to communicate over peer-to-peer networks and mutates every 30 minutes, making it next-to-impossible for signature-based antivirus software to detect it.
Nugache now works the same way: p2p communications without any command control server and secure encrypted communications, Secure Computing said.
Of course, just because it can send out a flood of spam doesn't mean it will be effective. Henry noted that much of the spam he was getting was in German and Russian, rather pointless for English speakers.
Just like every antivirus program seems to have a different level of accuracy, firms in the antivirus space are mixed on Secure Computing's claim. Ivan Macalintal, research program manager for Trend Micro, said he has not seen any reports on Nugache mutating into a Storm-sized monster.
"We've still got Storm out there rampant in the last year," he told InternetNews.com. "There was a 200 percent growth in Storm over the holidays. I'm not saying that Nugache will not match what the Storm botnet has been, but as of right now, we're not seeing any indications that it will in the near future."
However, Randy Abrams, director of technical education for ESET Software, disagrees.
"Nugache has been upgraded," Abrams said. "It's gotten a lot more complex than it used to be. We've known from the beginning of Storm that these were tactics that would be copied and expanded upon."
"Nugache won't be the last headache that comes upon us, either," he added. "Any of the botnets have the potential to be upgraded."
As for the breakup of the Storm network, Abrams said he thinks the botnet's operators began the move more for financial reasons than security.
"We've seen large botnets deliberately segmented into smaller botnets," he said. "It makes sense because if you got one big botnet, you need a customer with fairly deep pockets, but with 20 smaller botnets you become affordable to a lot more customers. In the hotel business, they call it a higher occupancy rate."
Henry said enterprises can counter the botnets with techniques like URL filtering and reputation-based filters. Using those approaches, when as a site is known to be compromised, its "reputation" for hosting malware is quickly passed among edge servers, so access to can be blocked.
The home user, however, doesn't have enterprise security like URL filtering, "so they have to employ a great deal of common sense," Henry said. "When you see a URL in a blog, you have to consider it may point to a malicious site. If you click on a video file and it says you need a codec, avoid clicking on it."