Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:55 AM
Connect Directly

Storm May Finally Be Over

The infamous botnet has been inactive for nearly a month, which researchers say may signal the demise of Storm as we know it

It’s been nearly a month now since the Storm botnet sent its last spam run -- significantly long enough that botnet researchers now conclude this could be the end of most infamous botnet once and for all.

Such prolonged inactivity is unusual for a botnet, they say, which may indicate that Storm’s operators have abandoned it. The only signs of life have been some remaining Storm-infected machines checking in with one another. One group of researchers has seen some Storm hosts return “go away, we’re not home” replies when contacted.

“It’s been almost a month now with nothing. That we have not seen before -- Storm has been pretty actively sending out copies of itself or sending spam nonstop since it started,” says Joe Stewart, director of malware research for SecureWorks. “Based on what we’ve seen in the past with other botnets, I would say there’s a good chance it won’t come back at all.”

Stewart, as well as researchers from Damballa and Marshal, say Storm has been dormant since mid-September, and its last major spam campaigns, such as the so-called “World War III” scam, were back in July. The fact that it’s been inactive for so long reduces its chance of coming back, Stewart says. “Every minute that it’s not out there seeding and trying to spread more bots, they’re losing bots” and money, he says. “If they have the intention of keeping this operation up, they would at least have had to remain in maintenance mode where they keep something [spamming] out there… so when they were ready for the next big spam or social engineering thing, the botnet is there and at the ready, and they don’t have to wait for it ramp back up again.”

Even if turns out that this lull was merely the quiet before a Storm surge, it’s unlikely that even a reinvented Storm -- now at about 47,000 infected machines, according to Damballa -- would ever operate at the massive size it once was, at close to a half-million bots at its peak in early January. This is likely the end of the era of massive botnets, and the beginning of a new generation of smaller, more targeted botnets, says Paul Royal, director of research for Damballa.

“This is the end of the really gigantic botnet as we know it,” Royal says.

Storm is now about ten times smaller than it was nearly 10 months ago, according to Damballa’s estimates. The botnet began a gradual decline in size after Microsoft’s Malicious Software Removal Tool began detecting and cleaning it up late last year.

Royal says massive botnets like Storm and Kraken (known as Bobax by SecureWorks) have been victims of their own success, attracting too much unwanted attention from researchers and the press such that they couldn’t operate as effectively. He says rather than the Swiss army knife approach that Storm took, more botnets will instead be smaller and created for specific purposes. One HTTP-based botnet Damballa has been watching, for instance, has a single mission: to collect email addresses from the machines it infects.

Still, there are some massive botnets in operation today, albeit not as large as Storm was in its heyday. SecureWorks says Srizbi remains the largest botnet, followed closely by Rustock, Ozdok, and Cutwail, which range from a minimum of 150,000 to upwards of 300,000 bots.

Meanwhile, one theory about Storm’s calm this past month is that researchers who have infiltrated Storm may have been able to neutralize it. “It’s very possible someone might be interfering with Storm,” Stewart says. “At RSA [Conference], I showed the RSA key that’s used for Storm controllers to authenticate themselves to the bots. If you can reverse-engineer that key, then you can become the controller and take over any number of bots… It’s possible somebody is even doing that.”

Whether Storm dies or reinvents itself somehow, its month of inactivity hasn’t had much impact on spam volumes. “Storm has been declining all year and has been very small recently, so its disappearance has not really impacted spam volumes," says Phil Hay, lead threat analyst with Marshal.

The researchers say the existing Storm botnet could eventually disappear altogether -- that is, unless this quiet period has been... well, too quiet, and Storm’s operators are biding their time with another, more stealthy form of the Storm botnet.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Marshal Inc.
  • SecureWorks Inc.
  • Damballa Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    HackerOne Drops Mobile Voting App Vendor Voatz
    Dark Reading Staff 3/30/2020
    Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
    Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    State of Cybersecurity Incident Response
    State of Cybersecurity Incident Response
    Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-04-04
    In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
    PUBLISHED: 2020-04-04
    bit2spr 1992-06-07 has a stack-based buffer overflow (129-byte write) in conv_bitmap in bit2spr.c via a long line in a bitmap file.
    PUBLISHED: 2020-04-04
    Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
    PUBLISHED: 2020-04-04
    Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.
    PUBLISHED: 2020-04-04
    Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode.