Vulnerabilities / Threats

1/14/2009
01:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Storm Botnet Makes A Comeback

Researchers confirm 'Waledac' is the work of new and improved Storm

It's official: Storm is back. The notorious botnet that ballooned into one of the biggest botnets ever and then basically disappeared for months last year is rebuilding -- with all-new malware and a more sustainable architecture less likely to be infiltrated and shut down.

Researchers during the past weeks have been speculating about similarities between the new Waledac, a.k.a. Waled, botnet and Storm. Now new evidence has helped confirm that this new botnet is, indeed, Storm reincarnated.

Storm all but disappeared off of the grid last year, basically going dormant in mid-September after its last major spam campaign in July -- a "World War III" scam. In October, researchers started to write off Storm, at least in the short term. But now they say the big botnet has reinvented itself with new binary bot code, and that it is no longer using noisy peer-to-peer communications among its bots. It has instead moved to HTTP communications, which helps camouflage its activity among other Web traffic.

Jose Nazario, manager of security research for Arbor Networks, says he was initially skeptical of speculation that Waledac and Storm were one in the same. But Nazario says the latest findings on the malcode and its activity -- the botnet is using many of the same IP addresses that were used in Storm -- changed his mind. "[The Waledac bots] are talking to the same servers we saw in Storm," he says.

So far Storm's M.O. is the same: to send traditional spam, typically in the form of e-greetings, such as the Christmas Eve spam run of e-cards that had the earmark of Storm. But the biggest difference is it's no longer as easily detectable now that it has converted to HTTP communications. "P2P was part of the reason for Storm's demise. It was easy to filter it," Nazario says. "With HTTP, it's a little harder [to filter] because you've got to know what you're looking for."

According to Arbor, Storm is so far at about 35,000 bots, nowhere near its heyday of multiple hundreds of thousands of zombies; SecureWorks' Joe Stewart estimates that Storm is around 10,000 bots. Nazario and Stewart both expect Storm to continue to grow and again become a major botnet this year, with Stewart's including Storm/Waledac on his list of the top botnets to watch in 2009.

Storm began its comeback with a holiday spam run featuring its all-new malcode. "We started seeing a flurry of email on Christmas Eve...looking at the code, it was obvious they didn't just write this...it had been in development [for some time]. And they chose that timeframe of Christmas," SecureWorks' Stewart says.

This time, however, the bots aren't talking over noisy P2P links, he says. "eDonkey P2P stuff is really noisy," he says. "It wasted a lot of their bandwidth, so they've gotten away from that."

Steven Adair, a researcher with Shadowserver, says the HTTP method being used now by Storm also helps mask which machines are bots and which are command and control servers. "It makes it harder to figure out which systems are actually just victim systems and which are actually motherships systems that are used for the real command and control," he says.

Another improvement with Storm is its encryption: Stewart says the botnet is now using strong encryption rather than the weak 64-bit RSA encryption it used before that researchers were able to crack it. "Now they are using AES encrypption for the initial exchange, and then using RSA 1024 for the rest of traffic," Stewart says. Storm is still using the increasingly popular and stealthy fast-flux architecture to help keep it up and running.

But even with its new malware and departure from P2P, Storm so far is still spewing the same old traditional spam, and there's no sign so far that it's branching out to identity fraud, for instance, he says.

"The gang behind the Storm network hasn't changed. They may have a new coder...maybe that's what they were doing in their time off," Arbor's Nazario says.

Meanwhile, other botnets are brewing that SecureWorks' Stewart is watching closely as well, such as Donbot, Xarvester, and Zbot. And then there's the Conflickr worm, which has reportedly spread to more than 2 million PCs that could well be used for botnet operations. "That has got us nervous," Stewart says. "We haven't seen what they are doing with it [the worm] yet. They haven't tipped their hand yet."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
CVE-2018-18375
PUBLISHED: 2018-10-16
goform/getProfileList in Orange AirBox Y858_FL_01.16_04 allows attackers to extract APN data (name, number, username, and password) via the rand parameter.
CVE-2018-18376
PUBLISHED: 2018-10-16
goform/getWlanClientInfo in Orange AirBox Y858_FL_01.16_04 allows remote attackers to discover information about currently connected devices (hostnames, IP addresses, MAC addresses, and connection time) via the rand parameter.