1/14/2009 01:34 PM

Storm Botnet Makes A Comeback

Researchers confirm 'Waledac' is the work of new and improved Storm

It's official: Storm is back. The notorious botnet that ballooned into one of the biggest botnets ever and then basically disappeared for months last year is rebuilding -- with all-new malware and a more sustainable architecture less likely to be infiltrated and shut down.

Researchers during the past weeks have been speculating about similarities between the new Waledac, a.k.a. Waled, botnet and Storm. Now new evidence has helped confirm that this new botnet is, indeed, Storm reincarnated.

Storm all but disappeared off the grid last year, basically going dormant in mid-September after its last major spam campaign in July -- a "World War III" scam. In October, researchers started to write off Storm, at least in the short term. But now they say the big botnet has reinvented itself with new binary bot code, and that it is no longer using noisy peer-to-peer communications among its bots. It has instead moved to HTTP communications, which helps camouflage its activity among other Web traffic.

Jose Nazario, manager of security research for Arbor Networks, says he was initially skeptical of speculation that Waledac and Storm were one and the same. But Nazario says the latest findings on the malcode and its activity -- the botnet is using many of the same IP addresses that were used in Storm -- changed his mind. "[The Waledac bots] are talking to the same servers we saw in Storm," he says.

So far Storm's M.O. is the same: to send traditional spam, typically in the form of e-greetings, such as the Christmas Eve spam run of e-cards that had the earmark of Storm. But the biggest difference is it's no longer as easily detectable now that it has converted to HTTP communications. "P2P was part of the reason for Storm's demise. It was easy to filter it," Nazario says. "With HTTP, it's a little harder [to filter] because you've got to know what you're looking for."

According to Arbor, Storm is so far at about 35,000 bots, nowhere near its heyday of multiple hundreds of thousands of zombies; SecureWorks' Joe Stewart estimates that Storm is around 10,000 bots. Nazario and Stewart both expect Storm to continue to grow and again become a major botnet this year, with Stewart including Storm/Waledac on his list of the top botnets to watch in 2009.

Storm began its comeback with a holiday spam run featuring its all-new malcode. "We started seeing a flurry of email on Christmas Eve...looking at the code, it was obvious they didn't just write this...it had been in development [for some time]. And they chose that timeframe of Christmas," SecureWorks' Stewart says.

This time, however, the bots aren't talking over noisy P2P links, he says. "eDonkey P2P stuff is really noisy," he says. "It wasted a lot of their bandwidth, so they've gotten away from that."

Steven Adair, a researcher with Shadowserver, says the HTTP method now being used by Storm also helps mask which machines are bots and which are command and control servers. "It makes it harder to figure out which systems are actually just victim systems and which are actually mothership systems that are used for the real command and control," he says.

Another improvement in Storm is its encryption: Stewart says the botnet is now using strong encryption rather than the weak 64-bit RSA encryption it used before, which researchers were able to crack. "Now they are using AES encryption for the initial exchange, and then using RSA 1024 for the rest of the traffic," Stewart says. Storm is still using the increasingly popular and stealthy fast-flux architecture to help keep it up and running.

But even with its new malware and departure from P2P, Storm so far is still spewing the same old traditional spam, and there's no sign so far that it's branching out to identity fraud, for instance, he says.

"The gang behind the Storm network hasn't changed. They may have a new coder...maybe that's what they were doing in their time off," Arbor's Nazario says.

Meanwhile, other botnets are brewing that SecureWorks' Stewart is watching closely as well, such as Donbot, Xarvester, and Zbot. And then there's the Conficker worm, which has reportedly spread to more than 2 million PCs that could well be used for botnet operations. "That has got us nervous," Stewart says. "We haven't seen what they are doing with it [the worm] yet. They haven't tipped their hand yet."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...