It's been nearly a month now since the Storm botnet sent its last spam run -- long enough that botnet researchers now conclude this could be the end of the most infamous botnet once and for all.
Such prolonged inactivity is unusual for a botnet, they say, which may indicate that Storm's operators have abandoned it. The only signs of life have been some remaining Storm-infected machines checking in with one another. One group of researchers has seen some Storm hosts return "go away, we're not home" replies when contacted.
"It's been almost a month now with nothing. That we have not seen before -- Storm has been pretty actively sending out copies of itself or sending spam nonstop since it started," says Joe Stewart, director of malware research for SecureWorks. "Based on what we've seen in the past with other botnets, I would say there's a good chance it won't come back at all."
Stewart, as well as researchers from Damballa and Marshal, say Storm has been dormant since mid-September, and its last major spam campaigns, such as the so-called World War III scam, were back in July. The fact that it's been inactive for so long reduces its chance of coming back, Stewart says. "Every minute that it's not out there seeding and trying to spread more bots, they're losing bots and money," he says. "If they have the intention of keeping this operation up, they would at least have had to remain in maintenance mode where they keep something [spamming] out there so when they were ready for the next big spam or social engineering thing, the botnet is there and at the ready, and they don't have to wait for it to ramp back up again."
Even if it turns out that this lull was merely the quiet before a Storm surge, it's unlikely that even a reinvented Storm -- now at about 47,000 infected machines, according to Damballa -- would ever operate at the massive size it once was, at close to a half-million bots at its peak in early January. This is likely the end of the era of massive botnets, and the beginning of a new generation of smaller, more targeted botnets, says Paul Royal, director of research for Damballa.
"This is the end of the really gigantic botnet as we know it," Royal says.
Storm is now about ten times smaller than it was nearly 10 months ago, according to Damballa's estimates. The botnet began a gradual decline in size after Microsoft's Malicious Software Removal Tool began detecting and cleaning it up late last year.
Royal says massive botnets like Storm and Kraken (known as Bobax by SecureWorks) have been victims of their own success, attracting too much unwanted attention from researchers and the press such that they couldn't operate as effectively. He says rather than the Swiss Army knife approach that Storm took, more botnets will instead be smaller and created for specific purposes. One HTTP-based botnet Damballa has been watching, for instance, has a single mission: to collect email addresses from the machines it infects.
Still, there are some massive botnets in operation today, albeit not as large as Storm was in its heyday. SecureWorks says Srizbi remains the largest botnet, followed closely by Rustock, Ozdok, and Cutwail, which range from a minimum of 150,000 to upwards of 300,000 bots.
Meanwhile, one theory about Storm's calm this past month is that researchers who have infiltrated Storm may have been able to neutralize it. "It's very possible someone might be interfering with Storm," Stewart says. "At RSA [Conference], I showed the RSA key that's used for Storm controllers to authenticate themselves to the bots. If you can reverse-engineer that key, then you can become the controller and take over any number of bots ... It's possible somebody is even doing that."
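The authentication design Stewart describes, modelled as an added example (not code from the article, from SecureWorks, or from Storm itself): each bot embeds the controller's RSA public key and accepts only commands whose signature verifies under it, so, as far as the bots are concerned, whoever holds the matching private exponent is the controller. The key pair, the two small primes, the command bytes and the unpadded hash-then-exponentiate signature are constructed toy values chosen for readability; they say nothing about Storm's real key, key size or message format, and the scheme as written is not a secure signature construction.

```python
"""Toy model of controller-to-bot authentication by RSA signature.

Added example, not Storm's protocol: textbook RSA with small constructed
primes and no padding, to show the trust relationship the article
describes (a bot trusts whoever can sign with the embedded key's private
exponent), not to be used as a real signature scheme.
"""
import hashlib

# Constructed toy key pair (not a real Storm key). Small primes keep the
# numbers readable; real deployments use ~2048-bit moduli.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent: only the controller has it

PUBLIC_KEY = (N, E)          # what every bot carries in its binary
PRIVATE_KEY = (N, D)         # what the controller holds


def digest(command: bytes) -> int:
    """Hash the command and reduce it into Z_N.

    The reduction mod N is one of the reasons this toy is not a sound
    signature scheme; it exists only so the exponentiation below works
    with a small modulus.
    """
    return int.from_bytes(hashlib.sha256(command).digest(), "big") % N


def sign(command: bytes, private_key=PRIVATE_KEY) -> int:
    """Controller side: sig = H(cmd)^d mod n."""
    n, d = private_key
    return pow(digest(command), d, n)


def bot_accepts(command: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Bot side: accept iff sig^e mod n == H(cmd).

    Nothing here identifies the sender; the only check is possession of
    the private exponent matching the embedded public key.
    """
    n, e = public_key
    return pow(signature, e, n) == digest(command)


if __name__ == "__main__":
    # Constructed sample command, not a real C2 message.
    cmd = b"constructed-command: report in"
    sig = sign(cmd)
    print("signed by key holder:", bot_accepts(cmd, sig))              # True
    print("same signature, other command:",
          bot_accepts(b"constructed-command: other", sig))              # False
    print("tampered signature:", bot_accepts(cmd, (sig + 1) % N))       # False
```

The defensive reading of this model is that trust is anchored in a single static key rather than in any property of the operator. That is what makes a recovered private exponent equivalent to control, and it is also why a botnet built this way has no clean recovery path once that key is known: the bots cannot distinguish the original operator from anyone else holding the key, and rotating it means reaching every bot with a new binary.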
Whether Storm dies or reinvents itself somehow, its month of inactivity hasn't had much impact on spam volumes. "Storm has been declining all year and has been very small recently, so its disappearance has not really impacted spam volumes," says Phil Hay, lead threat analyst with Marshal.
The researchers say the existing Storm botnet could eventually disappear altogether -- that is, unless this quiet period has been... well, too quiet, and Storm's operators are biding their time with another, more stealthy form of the Storm botnet.