Storm botnet at one year: Unlikely to go away soon
- 18 January, 2008 07:29
Security researchers marked the one-year anniversary of the botnet-building Storm Trojan Thursday by disagreeing on its impact and arguing over whether it's an important landmark on the security landscape.
Storm, first detected a year ago Thursday and given its name two days later to recognize its opening scam -- a news pitch on the deadly storms that had just swept Europe -- has been held up as the poster child for the next evolution in malware, linked to the notorious Russian Business Network (RBN) malware hosting organization, and blamed for scores of major spam campaigns that stocked, then restocked, its inventory of compromised computers.
Two things about Storm bear mentioning, said David Emm, a senior technology consultant at Kaspersky Labs, a Moscow-based security company. First, said Emm, the Trojan ditched the traditional IRC command-and-control technology for an off-the-shelf, peer-to-peer technology to keep tabs on the machines it had hijacked. "Storm built its botnet without a central command-and-control," which has made the army of compromised PC much more resilient to traditional takedown efforts, he said.
Secondly, its authors churn out variants at a dizzying rate, then distributes them from servers to bot-controlled PCs to constantly keep one step ahead of antivirus vendors and their scanner signatures. "Storm [has] shown that a distributed botnet is one way to make [a lot of] money," said Emm. "And it won't stop until the perpetrator or perpetrators get caught."
Jamz Yaneza, research project manager at Trend Micro Inc., has been tracking Storm since its debut and sees the malware's first year as less proof of the Trojan's technology as the effectiveness of the scams it runs to get on PCs.
"The social engineering it uses, the timeliness of the spam [centered] on special occasions, such as holidays, that's one of the main reasons why it's still out there," said Yaneza. Storm isn't an especially prevalent piece of malicious code; Trend doesn't even rank it in the top 15 for 2007. But its ability to trick users into opening attachments, which is how it spread itself originally, or dupe them into clicking on links to dangerous Web sites, where driveby exploits attack unpatched PCs, continues to amaze him.
It shows how little some users have learned.
"Storm will keep on churning out socially engineered attacks until end users learn to be more wary," said Yaneza, who seemed baffled by people who refuse to adopt spam filters, a first line of defense against attacks.
But Joe Stewart, a senior security researcher at SecureWorks Inc. and another longtime Storm investigator, dismissed talk of the Trojan as so much wasted breath. "Storm hasn't changed the reality of the threat landscape, but it has changed the IT press landscape," he said, referring to what he sees as a misplaced emphasis on the malware.
Stewart acknowledged that Storm has demonstrated some minor "advances" in malware -- the idea that one could use templates delivered to the bots themselves so that the hijacked computers did their own spamming is one -- but he downplayed any long-term significance of the Trojan. "It's just another botnet. There were a lot of other botnets that came before it," he said.
More than anything, Stewart seemed frustrated, even fed up, with Storm. The Trojan, which just recently launched its second annual run of Valentine, continues to plague users' houses. "It's repeating the same pattern that it's used all year," said Stewart. "It just shows how much farther we have to go."
Nor does he see an end in sight. "It's a matter of will on the part of its makers," he said. "Storm won't go away until they are done making money with this." And Stewart's betting that, what with Storm's origination, that day will be a long time coming. Researchers have consistently pegged Storm's birthplace as Russia -- St. Petersburg, in particular. And it's no coincidence that the RBN hails from the same city.
But it doesn't seem to matter how much information security researchers collect on Storm, then hand over to people in law enforcement. "Invariably, it turns out that they're in Eastern Europe," said Stewart. And then nothing gets done. "They still get to carry out their business."
Trend Micro has posted a chronology of Storm on its malware blog here.