The Storm worm tore through the Internet earlier this year like Hurricane Dean tore through the Caribbean. But while Dean is already dissipating, the Storm virus is still around, still causing trouble and stronger than ever six months later.
Since it first appeared early this year, Storm has evolved and mutated faster than staph infections in a hospital, thanks to advanced virus toolkits like MPACK. Upon infecting a computer, it downloads the botnet software and installs it on the PC. The binary changes every 30 minutes so anti-virus definitions can't keep up with it.
Unlike most botnets, Storm has no central management or hub. Rather, it uses a peer-to-peer pass-along design. The Russian criminals that run the botnets send out their newest spam to a few machines, and those pass it on to other known bots in the chain. They propagate over the eDonkey protocol, a popular peer-to-peer file-sharing network.
"This is the top of the line in technical progress as far as botnets are concerned," Dmitri Alperovitch, principal research scientist for Secure Computing, told internetnews.com. He estimates there are 20,000 total hosts worldwide infected with the Storm worm in over 100 countries.
The good news is that Secure Computing estimates that 60 percent of the infected computers are in the U.S., which makes them a lot easier to get at than the criminals who made the software. The bad news is that since Storm is a peer-to-peer network, even taking down all of the U.S. infections won't disable the system; it will just slow it down.
"This is something people have been anticipating a long time," said Alperovitch. "There is no centralized command and control infrastructure to shut down and disable the botnet. You have to shut down every single machine to get this botnet under control, which is impossible because these machines are all over the world."
The junk mails don't attach an executable or include a domain-based URL, the things spam filters are now trained to catch. Instead, they link to a bare IP address, which gets past spam filters, at least for now. Usually the links claim to lead to e-cards, pictures or jokes.
Once the person gets to the site, they are prompted to click a link to download some software. Unfortunately, there are still plenty of people out there naïve enough to do just that.
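The IP-address links described above are something a mail filter can check for directly. The following is an added example written for this page, not code from the article or from any vendor named in it; the sample messages and the 192.0.2.x / 2001:db8:: addresses are constructed documentation-range values.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the article): a Storm-style lure that
# links to a raw IP address, a legitimate mail that links to a domain, and one
# with no link at all.
SAMPLE_MESSAGES = {
    "lure": "You have received an e-card! View it at http://192.0.2.45/ecard.exe",
    "legit": "Your receipt is available at https://shop.example.com/orders/123",
    "no_url": "Meeting moved to 3pm, see you there.",
}

# Matches http(s) URLs up to the next whitespace or quote/angle bracket.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def ip_literal_urls(body: str) -> list[str]:
    """Return every URL in the message whose host is an IPv4 or IPv6 literal
    rather than a hostname. Domain-based links pass; unparsable URLs are skipped."""
    hits = []
    for url in URL_RE.findall(body):
        try:
            host = urlparse(url).hostname  # strips brackets from IPv6 hosts
        except ValueError:
            continue
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname, not an IP literal
        hits.append(url)
    return hits


def classify(body: str) -> str:
    """Minimal policy: quarantine mail that links to a raw IP, deliver the rest."""
    return "quarantine" if ip_literal_urls(body) else "deliver"


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name}: {classify(body)} {ip_literal_urls(body)}")
```

In production this belongs in a scoring rule rather than a hard block, since some legitimate mail (internal tools, appliances) also links to raw IPs.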