
Storm May Finally Be Over

The infamous botnet has been inactive for nearly a month, which researchers say may signal the demise of Storm as we know it

It’s been nearly a month now since the Storm botnet sent its last spam run -- a silence long enough that botnet researchers now conclude this could be the end of the most infamous botnet once and for all.

Such prolonged inactivity is unusual for a botnet, they say, which may indicate that Storm’s operators have abandoned it. The only signs of life have been some remaining Storm-infected machines checking in with one another. One group of researchers has seen some Storm hosts return “go away, we’re not home” replies when contacted.

“It’s been almost a month now with nothing. That we have not seen before -- Storm has been pretty actively sending out copies of itself or sending spam nonstop since it started,” says Joe Stewart, director of malware research for SecureWorks. “Based on what we’ve seen in the past with other botnets, I would say there’s a good chance it won’t come back at all.”

Stewart, as well as researchers from Damballa and Marshal, say Storm has been dormant since mid-September, and its last major spam campaigns, such as the so-called “World War III” scam, were back in July. The fact that it’s been inactive for so long reduces its chance of coming back, Stewart says. “Every minute that it’s not out there seeding and trying to spread more bots, they’re losing bots” and money, he says. “If they have the intention of keeping this operation up, they would at least have had to remain in maintenance mode where they keep something [spamming] out there… so when they were ready for the next big spam or social engineering thing, the botnet is there and at the ready, and they don’t have to wait for it to ramp back up again.”

Even if it turns out that this lull was merely the quiet before a Storm surge, it’s unlikely that even a reinvented Storm -- now at about 47,000 infected machines, according to Damballa -- would ever operate at the massive size it once had, close to a half-million bots at its peak in early January. This is likely the end of the era of massive botnets, and the beginning of a new generation of smaller, more targeted botnets, says Paul Royal, director of research for Damballa.

“This is the end of the really gigantic botnet as we know it,” Royal says.

Storm is now about ten times smaller than it was nearly 10 months ago, according to Damballa’s estimates. The botnet began a gradual decline in size after Microsoft’s Malicious Software Removal Tool began detecting and cleaning it up late last year.

Royal says massive botnets like Storm and Kraken (known as Bobax by SecureWorks) have been victims of their own success, attracting so much unwanted attention from researchers and the press that they couldn’t operate as effectively. He says that rather than the Swiss army knife approach Storm took, more botnets will instead be smaller and created for specific purposes. One HTTP-based botnet Damballa has been watching, for instance, has a single mission: to collect email addresses from the machines it infects.

Still, there are some massive botnets in operation today, albeit not as large as Storm was in its heyday. SecureWorks says Srizbi remains the largest botnet, followed closely by Rustock, Ozdok, and Cutwail, which range from a minimum of 150,000 to upwards of 300,000 bots.

Meanwhile, one theory about Storm’s calm this past month is that researchers who have infiltrated Storm may have been able to neutralize it. “It’s very possible someone might be interfering with Storm,” Stewart says. “At RSA [Conference], I showed the RSA key that’s used for Storm controllers to authenticate themselves to the bots. If you can reverse-engineer that key, then you can become the controller and take over any number of bots… It’s possible somebody is even doing that.”

Whether Storm dies or reinvents itself somehow, its month of inactivity hasn’t had much impact on spam volumes. “Storm has been declining all year and has been very small recently, so its disappearance has not really impacted spam volumes,” says Phil Hay, lead threat analyst with Marshal.

The researchers say the existing Storm botnet could eventually disappear altogether -- that is, unless this quiet period has been... well, too quiet, and Storm’s operators are biding their time with another, more stealthy form of the Storm botnet.
