Risk
2/11/2009
11:20 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

New And Improved Storm Botnet Morphing Malware

Waledac (which was previously known as Storm) is once again spewing gads of Valentine's Day spam and malware.

Waledac (which was previously known as Storm) is once again spewing gads of Valentine's Day spam and malware.The Storm botnet, which was previously declared dead, is back. Less than a month ago, I wrote this based on research from SecureWorks:

According to a research note published by managed security services provider SecureWorks -- the Storm botnet's death last summer resulted from a combination of punches it couldn't recover: First, a number of security researchers uncovered ways to break the encryption schemes used by the bot-masters to secure their command and control functions. Yet, because the worm utilized peer-to-peer networking, it wasn't possible to totally eradicate the network this way. However, writes Joe Stewart, director of malware research at SecureWorks, the number of bot infections was hit hard -- at least cut by hundreds of thousands -- by Microsoft's MSRT (Malicious Software Removal Tool). "Storm's numbers continued to fall off over the course of 2008, before it was apparently abandoned in September," wrote Stewart.

Not so fast, as Dark Reading reports today:

Waledac -- the new and improved Storm -- is using its favorite holiday, Valentine's Day, to spread the love with signature phony greeting cards and romance-themed e-mail that Storm so infamously spread in the past. "Over the last 24 hours, we've seen over 1,000 new variants [of Waledac code]," says Pierre-Marc Bureau, a senior researcher with Eset, which expects Waledac to eventually pump out thousands of variants a day. "It was a bit lower than what we are expecting. It may not have reached many of our clients yet." That said, it's still a big jump from the around 10 new versions a day Eset had seen the botnet creating, he adds.

However, SecureWorks researcher Joe Stewart disagrees that Waledac is Storm reincarnated:

Joe Stewart, director of malware research for SecureWorks, says Storm and Waledac are completely different when it comes to code and files. "It's definitely not the same programmers," he says.

Perhaps so. But who is programming and commanding this botnet, and whether or not they're the same as those who were previously commandeering Storm isn't what is important. What is important is that botnets are a long way from being exterminated -- and that we need more proactive ways of not only detecting them: but crushing them before they can rise to a level where they can do substantial damage.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.