TechRepublic – “Storm Worm: The Energizer Bunny of Botnets”


August 6th, 2008

Apart from a great title this is a very interesting read on what the Storm Worm is up to these days.

- Shaun

Original article: http://blogs.techrepublic.com.com/networking/?p=620&tag=nl.e102

In the world of botnets, Storm isn’t king anymore, but Storm’s botnet owners aren’t giving up. This article is a reminder by Michael Kassner of the need to remain vigilant and not fall prey to the Storm worm or its relatives.

——————————————————————————————————————-

It appears that the Storm worm is making a comeback. I first made mention of this botnet maker in the article “Kraken: The biggest, baddest botnet yet,” where I explained how Storm was losing its grip as the largest botnet in history to Kraken and Srizbi as the second largest. Well, Storm developers have added a few new twists to their arsenal and are seeing a resurgence in the size of their botnets. Therefore, it’s very important not to become complacent about this type of malware, as it relies on social engineering to propagate. I’d like to take a few moments to go over the process so we’re all clear on how the infestation occurs.

How my computer became a zombie

Let’s follow the process of becoming infected with Storm and the after-effects:

  1. I receive an e-mail informing me that the attachment contains some very important information. Not knowing any better, I open the attachment.
  2. I was just conned: the attachment has the Storm trojan/bot client hiding in it. My computer is now infected and just became part of a botnet. The scary part is that this all happened without my knowing it.
  3. What’s worse is that my AV application is useless, as Storm’s code changes constantly, so any AV signature is out of date within an hour.
  4. My computer now follows the bidding of the “botmaster,” which normally means it’s going to be used as a spam relay. There are other more malicious activities, such as “distributed denial of service attacks,” but botnets are usually for hire and spamming is a lucrative business.

That’s one scenario, and as botnet malware matures, other more sophisticated attack avenues are introduced. For instance, the delivery mechanism used by the Storm worm changes regularly. It starts out as PDF spam, progressing to links for e-cards or invites to Web sites. The worm developers will try any method possible to entice users to click on a phony link or attachment. The initial e-mail used by Storm also morphs. There are new subject lines and body text that refer to relevant news or issues — any way to subjugate human nature.

The willingness to prey on human nature is why Storm is back in the news. It’s propagating successfully using an e-mail with a subject line of “FBI may strike Facebook” or “The FBI has a new way of tracking Facebook.” It appears that once again the developers have touched on a chord of human nature and are getting a decent infection rate.

Final thoughts

I could spend all sorts of time on the intricacies of how each of the top three botnets works or how successful they are at evading detection, but that wouldn’t help. This article is my regular attempt at making sure all of us are cognizant of the need to be web-savvy, always questioning whether that link or an attachment makes sense. Doing so will go a long way to reducing the amount of spam we receive. This certainly includes me, as I’ve been very close to becoming an unwilling botnet member myself.

——————————————————————————————————————-

Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

Here are more Blog articles on the Storm Worm:

  • Storm Worm – Go away, we’re not home - In the last few weeks I have received several requests for information regarding the Storm Worm. So today I thought I would perform an analysis in my lab on the last Storm Binary (postcard.exe) I retrieved using my Storm Binary Tracking …

  • The Storm Worm - The Storm worm first appeared at the beginning of the year, hiding in e-mail attachments with the subject line: “230 dead as storm batters Europe.” Those who opened the attachment became infected, their computers joining an ever-growing …

  • FBI warns of new Storm worm variant - E-mail pretending to contain information on a fictitious FBI vs. Facebook case contains malicious code for the Storm worm botnet.

  • Beware of New E-Mail Scam Spreading Storm Worm Virus - The FBI and its partner, the Internet Crime Complaint Center (IC3), have received reports of recent spam e-mails spreading the Storm Worm malicious software, known as malware. These e-mails direct recipients to click on a link to view …

  • Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings - I can barely see anything around me due to all the smoke coming from the smoking guns of who’s what, what’s when, and who’s done what with who, especially in respect to Storm Worm whose multitasking on different fronts in the first …

  • Storm Worm’s Lazy Summer Campaigns - The Storm Worm-ers seem to be lacking their usual creativity in respect to the usual social engineering attacks taking advantage of the momentum we’re used to seeing. These days they’re not piggybacking on real news items, …

  • Interesting Pattern in Storm Worm Traffic - In addition, an IP address related to the University of California in San Diego (UCSD) sticks out, presumably related to their Storm Worm research. I’m not yet sure what all the other IP addresses mean, but presumably all of them are …

  • FBI vs Facebook Email Thread Has ‘Storm Worm’ Virus - The FBI is warning email users of spam email which mentions a link to an FBI vs Facebook news article. Once the user clicks on the link, the Storm Worm malware is downloaded to the Internet-connected device…

  • FBI warns of new Storm Worm attacks - A rash of complaints prompted the FBI to issue a warning of a new round of spam e-mails bombarding the Internet to spread the malicious Storm Worm.


Entry Filed under: Botnets, Bulletins, Research
