Storm Worm Rewrote the Botnet and Spam Game
There is no escaping the suspicion that spammers have been charting a cagier course in recent months. Electronic messaging managed service provider MessageLabs has noticed too.
Previously pristine inboxes are finding that image files and PDFs containing pump-and-dump stock pitches and advertisements increasingly slip through. Excel and Rich Text Format (RTF) spam have also been detected in the wild.
The cause can be summed up by one word: botnets.
Although spam has decreased from its peak in July 2004 when it accounted for a staggering 94.5 percent of the email monitored by MessageLabs -- it now hovers around 71 percent -- the monetary spoils have prompted spammers to pursue more exotic methods of keeping those coffers full.
Responsible for spewing spam and dropping the DDoS hammer on Web sites, botnets can hardly be considered an up-and-coming threat. However, a relatively new breed of botnet, spawned by the Storm worm, is proving to be a tenacious adversary.
The malware has been contributing to a slight uptick in spam lately, according to MessageLabs' Chief Anti-Spam Technologist, Matt Sergeant.
"We're currently seeing a slight rise. Nothing anywhere near as huge a rise as we saw last year. But it's early days yet," he states.
Purportedly under the control of the notorious Russian spammer Zliden, the Storm-based botnet is a very different beast. First, its sheer size is immense. According to MessageLabs, Storm is believed to have infected 50 million machines, though only 10 to 20 percent of its capacity is being used.
Another key difference is that it masks its command and control structure in eDonkey-derived P2P traffic rather than IRC, rendering the IRC-monitoring techniques used against older botnets useless. Plus, Storm-ridden machines are loaded with "intelligence" of the sort that turns victims' machines into multi-vector threats.
One trick, says Sergeant, is "fast flux Web hosting" aided by low DNS time to live (TTL) cycles. This enables a batch of machines to serve up phishing sites -- or worse -- for mere moments before switching to another set of dynamic hosts. By the time security researchers click an email link and get close, the site has already moved on, offering very little insight into the parties responsible.
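The fast-flux behaviour described above leaves a recognisable fingerprint in passive DNS data: unusually short TTLs combined with a large, constantly rotating pool of A records spread across unrelated networks. The following detector is an added example written for this article, not code from MessageLabs or from any Storm analysis; it runs over a constructed passive-DNS log (documentation-range IPs and `.test` domains, none of them real), and the thresholds it applies are illustrative assumptions rather than published figures.

```python
"""Heuristic fast-flux detector over passive-DNS observations (added example).

Input format, one observation per line: "<unix_ts> <domain> <ttl> <ip1,ip2,...>".
A domain is flagged when it shows all of the traits the article attributes to
fast-flux hosting: low TTL, many distinct IPs, several distinct networks, and
successive lookups whose IP sets do not overlap (the hosts have "moved on").
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: one static site and one flux-like domain.
SAMPLE_LOG = """\
1190000000 shop-example.test 86400 203.0.113.10
1190000300 shop-example.test 86400 203.0.113.10
1190000600 shop-example.test 86400 203.0.113.10
1190000000 flux-example.test 180 192.0.2.11,198.51.100.7,203.0.113.99
1190000180 flux-example.test 180 192.0.2.45,198.51.100.88,203.0.113.23
1190000360 flux-example.test 120 192.0.2.200,198.51.100.9,203.0.113.150
1190000540 flux-example.test 120 192.0.2.77,198.51.100.140,203.0.113.61
1190000720 flux-example.test 120 192.0.2.5,198.51.100.33,203.0.113.2
"""


@dataclass
class Observation:
    ts: int
    domain: str
    ttl: int
    ips: List[str]


@dataclass
class FluxReport:
    domain: str
    observations: int
    avg_ttl: float
    unique_ips: int
    unique_networks: int
    churn: float  # fraction of consecutive lookups whose IP sets are disjoint
    flagged: bool


def parse_log(text: str) -> List[Observation]:
    """Parse the whitespace-separated passive-DNS format defined above."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, ttl, ips = line.split()
        observations.append(Observation(int(ts), domain, int(ttl), ips.split(",")))
    return observations


def network_prefix(ip: str, bits: int = 16) -> str:
    """Collapse an address to its /16 so hosts in one provider block count once."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def analyze(observations: List[Observation], max_ttl: int = 300, min_ips: int = 5,
            min_networks: int = 2, min_churn: float = 0.5) -> Dict[str, FluxReport]:
    """Score each domain; threshold values are illustrative assumptions."""
    by_domain: Dict[str, List[Observation]] = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)

    reports: Dict[str, FluxReport] = {}
    for domain, obs_list in by_domain.items():
        obs_list.sort(key=lambda o: o.ts)
        seen_ips, seen_nets = set(), set()
        ttl_total, changes, prev = 0, 0, None
        for obs in obs_list:
            current = set(obs.ips)
            seen_ips |= current
            seen_nets |= {network_prefix(ip) for ip in current}
            ttl_total += obs.ttl
            # A lookup that shares no address with the previous one is a full rotation.
            if prev is not None and current.isdisjoint(prev):
                changes += 1
            prev = current
        transitions = max(len(obs_list) - 1, 1)
        churn = changes / transitions
        avg_ttl = ttl_total / len(obs_list)
        flagged = (avg_ttl <= max_ttl and len(seen_ips) >= min_ips
                   and len(seen_nets) >= min_networks and churn >= min_churn)
        reports[domain] = FluxReport(domain, len(obs_list), avg_ttl, len(seen_ips),
                                     len(seen_nets), churn, flagged)
    return reports


if __name__ == "__main__":
    for report in analyze(parse_log(SAMPLE_LOG)).values():
        print(report)
```

Each trait is a weak signal on its own (content delivery networks also use short TTLs and many addresses), which is why the detector only flags a domain when low TTL, address diversity, network diversity and full-set churn all coincide; in practice the thresholds would be tuned against a baseline of known-good domains in the same passive-DNS feed.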
Other characteristics of this multifaceted threat include image and PDF generation engines that ensure no two emails remain exactly alike for long. This involves randomizing graphical elements and arranging letters in a seemingly haphazard manner (yet remaining strangely legible) to thwart detection or profiling.
And if this all fails, zombie machines can automatically shift to DDoS attack duty. Plus, Storm has shown a knack for self-preservation by knocking rival botnet malware offline and undergoing regular updates to circumvent anti-virus detection.
Needless to say, Storm has caught a fair bit of attention.
"Microsoft added Storm as a target for their malicious software removal tool a couple of weeks ago, so this made a bit of a dent in the size of storm, possibly also causing the expected rise in volumes to not quite meet expectations," says Sergeant.
Though it would appear that Storm's days are numbered, its legacy may pave the way for more cunning threats.
"However we certainly haven't seen the end of the Storm worm yet. And other botnet authors are taking notes - we're currently tracking another botnet that's in excess of a million machines, so Storm is far from the only huge botnet out there," he warns.
This article was first published on EnterpriseITPlanet.com.
