Storm Worm Gathers Strength on The Internet

The Storm worm tore through the Internet earlier this year like Hurricane Dean tore through the Caribbean. But while Dean is already dissipating, the Storm virus is still around, still causing trouble and stronger than ever six months later.

Since it first appeared early this year, Storm has evolved and mutated faster than staph infections in a hospital, thanks to advanced virus toolkits like MPACK. Upon infecting a computer, it downloads the botnet software and installs it on the PC. The binary changes every 30 minutes so antivirus definitions can’t detect it.

Unlike most botnets, Storm has no central management or hub. Rather, it uses a peer-to-peer pass-along design. The Russian criminals that run the botnets send out their newest spam to a few machines, and those pass it on to other known bots in the chain. They use the eDonkey protocol to propagate; eDonkey is a popular peer-to-peer file sharing network.

Most insidious, Storm can launch a full-scale DDoS attack on any researcher or company that tries to access the servers hosting the software or experiment with scanning or disabling them, and the attacks can last for days.

“This is the top of the line in technical progress as far as botnets are concerned,” said Dmitri Alperovitch, principal research scientist for Secure Computing. He estimates there are 20,000 total hosts worldwide infected with the Storm worm in over 100 countries.

The good news is that Secure Computing estimates that 60 percent of the infected computers are in the U.S., which makes them a lot easier to get at than the criminals who made the software. The bad news is that since Storm is a peer-to-peer network, even taking down all of the U.S. infections won’t disable the system; it will just slow it down.

“This is something people have been anticipating a long time,” said Alperovitch. “There is no centralized command and control infrastructure to shut down and disable the botnet. You have to shut down every single machine to get this botnet under control, which is impossible because these machines are all over the world.”

The junk mails don’t attach an executable or include a URL of the kind spam filters are now trained to catch. Instead, they link to a bare IP address, which gets past spam filters, at least for now. Usually the links point to e-cards, pictures or jokes.

Once the person gets to the site, they are prompted to click a link to download some software. Unfortunately, there are still plenty of people out there naïve enough to do just that.

Dealing with this new threat means new filters to deal with IP addresses, not just URLs, and new methods to scan PDF files, which are growing in popularity as a means to spread spam. It also means using antivirus software that uses behavior detection and not just strings or definitions because they just can’t keep up, said Alperovitch.
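As an added illustration of the filter Alperovitch describes (links to bare IP addresses rather than hostnames, per the two passages above), this is example code written for this page, not anything from Secure Computing; the messages it scans are constructed samples, not real Storm spam.

```python
import re
from ipaddress import ip_address
from typing import List

# Constructed sample messages (not real Storm spam). Addresses come from
# the RFC 5737 documentation ranges so nothing here points at a live host.
SAMPLE_MESSAGES = [
    "You've received an e-card! View it at http://203.0.113.45/ecard.exe today",
    "Monthly newsletter: read more at https://example.com/news",
    "Funny joke for you: http://198.51.100.7:8080/joke.html",
    "Lunch at noon?",
]

# Capture the host part of an http(s) link: either a bracketed IPv6 literal
# or anything up to the next '/', ':' (port) or whitespace.
URL_RE = re.compile(r"https?://(\[[^\]]+\]|[^/\s:]+)(?::\d+)?", re.IGNORECASE)


def is_literal_ip(host: str) -> bool:
    """True when the link host is an IP address rather than a DNS name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_ip_links(text: str) -> List[str]:
    """Return the host of every http(s) link whose host is a literal IP."""
    return [m.group(1) for m in URL_RE.finditer(text) if is_literal_ip(m.group(1))]


def flag_messages(messages: List[str]) -> List[bool]:
    """One verdict per message: True if it carries at least one bare-IP link.
    Mail to internal hosts is often linked by address, so a production filter
    would allow-list its own address ranges before acting on this signal."""
    return [bool(find_ip_links(msg)) for msg in messages]


if __name__ == "__main__":
    for msg, hit in zip(SAMPLE_MESSAGES, flag_messages(SAMPLE_MESSAGES)):
        print("FLAG" if hit else "ok  ", find_ip_links(msg), msg[:40])
```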

The Russian gang behind Storm is dedicated to spamming for things like pharmacies and pump and dump stock mailings. Somehow, they keep on trucking despite being a known threat.

“In countries where the economy is not as robust as the western world and they are making $100,000 a month, that can buy a lot of influence,” said Alperovitch. “You can buy yourself off from prosecutions or investigations.”
