The Storm That Keeps Blowing
The Storm worm seems to unleash one new e-mail flood or denial of service attack every week. Why won't it go away?
As the medical profession struggles with "superbugs" and drug-resistant bacteria, the computer world has a superbug of its own that it can't seem to eradicate: the Storm worm.
This polymorphic monster is mutating faster than staphylococcus in a hospital and is the launch pad for many of the recent spam floods and denial of service attacks plaguing networks worldwide.
The Storm worm first surfaced in January in the U.S. and Europe with the distribution of a spam letter that referred to recent weather disasters in Europe. "230 dead as storm batters Europe," it said.
Part of what makes the Storm worm so hard to eradicate is the fact that it constantly mutates, around every 30 minutes or so. This makes the signature-based detection used by antivirus products fairly useless, because the worm pulls down new code much faster than antivirus vendors can push out signatures to detect it.
Also, Storm doesn't use the hub-and-spoke method of command and control like most worms. Taking out a few command and control servers is a simple way to take down a standard botnet, but Storm is immune to this tactic.
Instead, it uses a peer-to-peer method: an infected machine takes a payload and instructions and passes them on to other computers it knows to be infected. The bots communicate using a modified version of the eDonkey peer-to-peer file sharing protocol, the communication between peers is encrypted, and they change the encryption keys constantly, too.
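The following simulation is an added illustration of the takedown argument above; it is not part of the original article and does not model Storm's actual overlay. It builds two constructed, randomly generated bot networks, a hub-and-spoke one where every bot depends on one of a few command and control servers, and a peer-to-peer one with no servers at all, then removes the same number of nodes from each and measures how much of the network is still connected. The node counts, peer degree and the uniform random peer selection are assumptions chosen for the demonstration, not figures from the article.

```python
import random


def hub_and_spoke(n_bots, n_servers, seed=0):
    """Constructed centralized topology: each bot links only to one C&C server.

    Returns (servers, adjacency): the set of server node ids and a dict
    mapping every node id to the set of its neighbours.
    """
    rng = random.Random(seed)
    servers = set(range(n_servers))
    adj = {v: set() for v in range(n_servers + n_bots)}
    for bot in range(n_servers, n_servers + n_bots):
        server = rng.choice(sorted(servers))
        adj[bot].add(server)
        adj[server].add(bot)
    return servers, adj


def peer_to_peer(n_bots, degree, seed=0):
    """Constructed P2P overlay: every bot keeps at least `degree` links to
    uniformly random peers and there is no central server (assumption: real
    overlays pick peers differently, so this only shows the structural point).
    """
    rng = random.Random(seed)
    adj = {v: set() for v in range(n_bots)}
    for v in range(n_bots):
        while len(adj[v]) < degree:
            u = rng.randrange(n_bots)
            if u != v:
                adj[v].add(u)
                adj[u].add(v)
    return adj


def largest_component(adj, removed):
    """Size of the largest connected component once `removed` nodes are gone
    (iterative depth-first search over the remaining nodes).
    """
    seen = set(removed)
    best = 0
    for start in adj:
        if start in seen:
            continue
        stack = [start]
        seen.add(start)
        size = 0
        while stack:
            v = stack.pop()
            size += 1
            for u in adj[v]:
                if u not in seen:
                    seen.add(u)
                    stack.append(u)
        best = max(best, size)
    return best


def takedown_effect(adj, nodes_to_remove):
    """Fraction of the surviving nodes that still form one connected network
    after the listed nodes are taken out. Near 0 means the bots are stranded;
    near 1 means the operators can still reach nearly everything.
    """
    remaining = len(adj) - len(set(nodes_to_remove))
    return largest_component(adj, nodes_to_remove) / remaining


if __name__ == "__main__":
    servers, hub = hub_and_spoke(n_bots=1000, n_servers=3)
    p2p = peer_to_peer(n_bots=1000, degree=4)
    # Same number of nodes removed in each case: the three servers versus
    # three arbitrary peers.
    print("hub-and-spoke after server takedown:", takedown_effect(hub, servers))
    print("peer-to-peer after removing 3 peers:", takedown_effect(p2p, [0, 1, 2]))
```

In the hub-and-spoke network, removing the three servers leaves every bot isolated, so the connected fraction collapses to one bot out of a thousand; in the peer-to-peer network, removing three peers leaves almost the whole overlay reachable, which is the structural reason a few server takedowns do not work against a design like the one described above. Disrupting such a network requires acting on many infected hosts at once, for example through broad remediation such as the patch and removal-tool cycle the article goes on to describe.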
All this sophisticated skulduggery comes from a shadowy group of Russian hackers.
"The way they've been able to constantly update their attacks and release something new every week has been fascinating to watch. It's been as surprising to everybody in the security industry as it has been to everyone else," Dmitri Alperovitch, principal research scientist at Secure Computing's TrustedSource Labs, told InternetNews.com.
Paul Ferguson, network architect for antivirus vendor Trend Micro, called Storm's construction "one of the most sophisticated designs anyone has come across." He said it's highly componentized and upgrades and changes itself constantly to avoid detection. In addition to the P2P nature, he noticed the worm seems to be partitioning itself into a number of smaller Storm botnets rather than one huge network as it was when it originally began.
Why the worm partitions itself in this way, Ferguson doesn't know. But he disagrees with some security experts who have downplayed Storm's potential threat to computers and networks. At the Toorcon security conference held last week, Brandon Enright, a network security analyst at the University of California at San Diego, said Storm has been steadily shrinking in size and threat and went so far as to say Storm was now a "squall."
One of the things Enright showed was that a sizable dent was made in the population of Storm-infected machines last month. This was attributed to Microsoft's monthly Patch Tuesday release on September 11 where its Malicious Software Removal Toolkit was patched to cover the variants of Win32/Nuwar.
That cut the population of Storm-infected computers by about 20 percent, according to Alperovitch, but the number came right back up after a few weeks and was reflected in Enright's own research.
So Ferguson thinks Storm remains a threat. "To assume the Storm botnet is on its way into decline is a dangerous assumption," he said. "They are segmenting it into smaller botnets. It has shrunken in size because we know it has been partitioned. So I think people are misinterpreting it because they don't know all the data available."
"Some headway has been made against Storm but it's not down for the count," said Randy Abrams, director of technical education for antivirus vendor ESET Software. "The guys behind it have displayed some resiliency." And with Storm mutating every 30 minutes and sending out new code, it's easy to get re-infected, he added.