The ‘Storm’ That Keeps Blowing

As the medical profession struggles with “superbugs” and drug-resistant bacteria, the computer world has a superbug of its own that it can’t seem to eradicate: the Storm worm.

This polymorphic monster is mutating faster than staphylococcus in a hospital and is the launch pad for many of the recent spam floods and denial of service attacks plaguing networks worldwide.

The Storm worm first surfaced in January in the U.S. and Europe with the distribution of a spam letter that referred to recent weather disasters in Europe. “230 dead as storm batters Europe,” it said.

Attached to the e-mail was a small executable that—if someone was foolish enough to run it—set in motion a chain of unpleasant and all but irrevocable events. Storm, a.k.a. Small.Dam, a.k.a. Win32/Nuwar, would then proceed to install all kinds of software on the hapless computer, including an updating component.

Part of what makes the Storm worm so hard to eradicate is that it constantly mutates, every 30 minutes or so. This makes the signature-based detection that antivirus products use fairly useless, because the worm pulls down new code much faster than antivirus vendors can push out signatures to detect it.

Also, Storm doesn’t use the hub-and-spoke method of command and control like most worms. Taking out a few command and control servers is a simple way to take down a standard botnet, but Storm is immune to this tactic.

Instead, it uses a peer-to-peer method: each infected machine takes a payload and instructions and passes them on to other computers it knows to be infected. The peers communicate using a modified version of the eDonkey peer-to-peer file-sharing protocol, the communication between peers is encrypted, and the encryption keys change constantly, too.
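An added illustration, not part of the original article: a small simulation of the takedown argument above, comparing a hub-and-spoke botnet with a peer-to-peer overlay when the same number of best-connected nodes is taken offline. The node counts, peers per node and random topology are assumptions chosen for the sketch, not measurements of Storm.

```python
import random
from collections import deque

def hub_and_spoke(n_bots, n_servers):
    """Every bot links only to the central command servers (nodes 0..n_servers-1)."""
    graph = {node: set() for node in range(n_servers + n_bots)}
    for bot in range(n_servers, n_servers + n_bots):
        for server in range(n_servers):
            graph[bot].add(server)
            graph[server].add(bot)
    return graph

def peer_to_peer(n_nodes, peers_each, rng):
    """Every node keeps links to a few randomly chosen peers; no central server."""
    graph = {node: set() for node in range(n_nodes)}
    for node in graph:
        for peer in rng.sample([p for p in graph if p != node], peers_each):
            graph[node].add(peer)
            graph[peer].add(node)
    return graph

def largest_component(graph, removed):
    """Size of the biggest group of nodes that can still reach each other."""
    seen, best = set(removed), 0
    for start in graph:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            node = queue.popleft()
            size += 1
            for nxt in graph[node] - seen:
                seen.add(nxt)
                queue.append(nxt)
        best = max(best, size)
    return best

def takedown_result(n_bots=200, n_servers=3, peers_each=4, seed=1):
    """Return (hub-and-spoke survivors, peer-to-peer survivors) after a takedown."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable topology
    star = hub_and_spoke(n_bots, n_servers)
    mesh = peer_to_peer(n_bots + n_servers, peers_each, rng)
    # Same effort against both: take the n_servers best-connected nodes offline.
    def top(graph):
        return sorted(graph, key=lambda n: len(graph[n]), reverse=True)[:n_servers]
    return (largest_component(star, top(star)),
            largest_component(mesh, top(mesh)))
```

Calling `takedown_result()` returns the largest group of nodes still connected in each design: the hub-and-spoke network falls apart into isolated machines, while the peer-to-peer overlay stays almost entirely connected.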

All this sophisticated skulduggery comes from a shadowy group of Russian hackers.

“The way they’ve been able to constantly update their attacks and release something new every week has been fascinating to watch. It’s been as surprising to everybody in the security industry as it has been to everyone else,” Dmitri Alperovitch, principal research scientist at Secure Computing’s TrustedSource Labs told

Paul Ferguson, network architect for antivirus vendor Trend Micro, called Storm’s construction “one of the most sophisticated designs anyone has come across.” He said it’s highly componentized and upgrades and changes itself constantly to avoid detection. In addition to the P2P nature, he noticed the worm seems to be partitioning itself into a number of smaller Storm botnets rather than one huge network as it was when it originally began.

Why the worm partitions itself in this way, Ferguson doesn’t know. But he disagrees with some security experts who have downplayed Storm’s potential threat to computers and networks. At the Toorcon security conference held last week, Brandon Enright, a network security analyst at the University of California at San Diego, said Storm has been steadily shrinking in size and threat and went so far as to say Storm was now a “squall.”

One of the things Enright showed was that a sizable dent was made in the population of Storm-infected machines last month. This was attributed to Microsoft’s monthly Patch Tuesday release on September 11 where its Malicious Software Removal Toolkit was patched to cover the variants of Win32/Nuwar.

That cut the population of Storm-infected computers by about 20 percent, according to Alperovitch, but the number came right back up after a few weeks and was reflected in Enright’s own research.

So Ferguson thinks Storm remains a threat. “To assume the Storm botnet is on its way into decline is a dangerous assumption,” he said. “They are segmenting it into smaller botnets. It has shrunken in size because we know it has been partitioned. So I think people are misinterpreting it because they don’t know all the data available.”

“Some headway has been made against Storm but it’s not down for the count,” said Randy Abrams, director of technical education for antivirus vendor ESET Software. “The guys behind it have displayed some resiliency.” And with Storm mutating every 30 minutes and sending out new code, it’s easy to get re-infected again, he added.

Wise Up, People

Alperovitch said that the MSRT support for Storm was a big help because it’s on practically every Windows XP computer, except those that are pirated. “A lot of the infected machines are probably running illegal copies of Windows and don’t want to register with Microsoft, or they are running older versions of the OS or have turned off Windows Update for some reason,” he said.

But the real reason Storm is so effective is that users remain so gullible. It would seem like common sense not to click on a link or run an executable sent by a stranger, but some still do it.

“The Storm worm exploits the only vulnerability that’s never been patched and that’s the user,” said Abrams. “I fully expect spam in the coming weeks with references to the fires in Southern California that will have links to Storm worm infections.”

Chenxi Wang, principal analyst for security and risk management at Forrester Research, agreed. “Internet users are still not vigilant enough against Storm (or any other kind of virus),” he wrote in an e-mail to “They are not updating their signatures as promptly as they should or they’re not vigilant enough against suspicious emails. As a result, Storm continues to find new victims.”

However, if history is any indication, once these worms come out, they are with us for the long haul. Two of the most common worm variants are Bagle and Netsky, which have been around for years. “I’m quite confident we’re going to be dealing with Storm for quite a while,” said Alperovitch.
