1/14/2009
01:34 PM
Storm Botnet Makes A Comeback

Researchers confirm 'Waledac' is the work of new and improved Storm

It's official: Storm is back. The notorious botnet that ballooned into one of the biggest botnets ever and then basically disappeared for months last year is rebuilding -- with all-new malware and a more sustainable architecture less likely to be infiltrated and shut down.

In recent weeks researchers have speculated about similarities between the new Waledac, a.k.a. Waled, botnet and Storm. Now new evidence has helped confirm that this new botnet is, indeed, Storm reincarnated.

Storm all but disappeared off the grid last year, basically going dormant in mid-September after its last major spam campaign in July -- a "World War III" scam. In October, researchers started to write off Storm, at least in the short term. But now they say the big botnet has reinvented itself with new binary bot code, and that it is no longer using noisy peer-to-peer communications among its bots. It has instead moved to HTTP communications, which helps camouflage its activity among other Web traffic.

Jose Nazario, manager of security research for Arbor Networks, says he was initially skeptical of speculation that Waledac and Storm were one and the same. But Nazario says the latest findings on the malcode and its activity -- the botnet is using many of the same IP addresses that were used in Storm -- changed his mind. "[The Waledac bots] are talking to the same servers we saw in Storm," he says.

So far Storm's M.O. is the same: to send traditional spam, typically in the form of e-greetings, such as the Christmas Eve spam run of e-cards that had the earmarks of Storm. But the biggest difference is that it's no longer as easily detectable now that it has converted to HTTP communications. "P2P was part of the reason for Storm's demise. It was easy to filter it," Nazario says. "With HTTP, it's a little harder [to filter] because you've got to know what you're looking for."

According to Arbor, Storm is so far at about 35,000 bots, nowhere near its heyday of multiple hundreds of thousands of zombies; SecureWorks' Joe Stewart estimates that Storm is around 10,000 bots. Nazario and Stewart both expect Storm to continue to grow and again become a major botnet this year, with Stewart including Storm/Waledac on his list of the top botnets to watch in 2009.

Storm began its comeback with a holiday spam run featuring its all-new malcode. "We started seeing a flurry of email on Christmas Eve...looking at the code, it was obvious they didn't just write this...it had been in development [for some time]. And they chose that timeframe of Christmas," SecureWorks' Stewart says.

This time, however, the bots aren't talking over noisy P2P links, he says. "eDonkey P2P stuff is really noisy," he says. "It wasted a lot of their bandwidth, so they've gotten away from that."

Steven Adair, a researcher with Shadowserver, says the HTTP method being used now by Storm also helps mask which machines are bots and which are command and control servers. "It makes it harder to figure out which systems are actually just victim systems and which are actually mothership systems that are used for the real command and control," he says.
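The filtering problem Nazario and Adair describe is that a bot's HTTP check-ins look like any other web request, so a detector has to key on behaviour rather than protocol. One behavioural tell is timing: a bot polls its controller on a timer, a person does not. The script below is an added example, not code from the article or from Arbor, SecureWorks or Shadowserver. It assumes a minimal one-request-per-line proxy log format ("timestamp client method url bytes", not any real proxy's format), uses constructed sample lines, and flags client-to-host pairs whose inter-request intervals are nearly constant; the thresholds are illustrative assumptions.

```python
"""Beacon detection over HTTP proxy logs.

Added example, not code from the article or from the researchers it quotes.
Assumptions: a minimal one-request-per-line log format
"<ISO timestamp> <client-ip> <method> <url> <bytes>" (not any real proxy's
format), and a coefficient-of-variation threshold chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: 10.0.0.5 browses normally but also POSTs a small
# body to 198.51.100.7 roughly every five minutes; 10.0.0.9 only browses.
SAMPLE_LOG = """\
2009-01-14T13:00:00 10.0.0.5 POST http://198.51.100.7/ 412
2009-01-14T13:00:01 10.0.0.5 GET http://www.example.com/news 18233
2009-01-14T13:00:03 10.0.0.5 GET http://www.example.com/style.css 2210
2009-01-14T13:01:00 10.0.0.9 GET http://www.example.com/ 9012
2009-01-14T13:01:05 10.0.0.9 GET http://www.example.com/logo.png 3400
2009-01-14T13:01:40 10.0.0.9 GET http://www.example.com/about 7731
2009-01-14T13:05:02 10.0.0.5 POST http://198.51.100.7/ 410
2009-01-14T13:09:12 10.0.0.9 GET http://www.example.com/contact 5120
2009-01-14T13:10:01 10.0.0.5 POST http://198.51.100.7/ 415
2009-01-14T13:14:59 10.0.0.5 POST http://198.51.100.7/ 409
2009-01-14T13:17:40 10.0.0.5 GET http://www.example.com/archive 12877
2009-01-14T13:20:00 10.0.0.5 POST http://198.51.100.7/ 411
2009-01-14T13:30:00 10.0.0.9 GET http://www.example.com/news 18233
"""


def parse_log(text):
    """Yield (timestamp, client, method, host, size) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, size = line.split()
        yield datetime.fromisoformat(ts), client, method, urlsplit(url).hostname, int(size)


def find_beacons(log_text, min_hits=4, max_cv=0.10):
    """Return [(client, host, hits, mean_interval_s)] for client->host pairs
    whose inter-request intervals are nearly constant.

    Coefficient of variation (stdev / mean) near zero means a timer, not a
    person. min_hits and max_cv are illustrative assumptions, not tuned values.
    """
    times = defaultdict(list)
    for ts, client, _method, host, _size in parse_log(log_text):
        times[(client, host)].append(ts)

    beacons = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((client, host, len(stamps), round(avg, 1)))
    return sorted(beacons)


if __name__ == "__main__":
    for client, host, hits, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {hits} requests, every ~{gap}s")
```

On the constructed log only the 10.0.0.5 to 198.51.100.7 pair is reported (five requests, about 300 seconds apart); the human browsing to www.example.com has intervals that vary by orders of magnitude and is not. In practice a bot that adds jitter to its timer defeats this single feature, which is why real detectors combine it with others such as constant request sizes, bare-IP or newly registered hosts, and missing Referer headers.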

Another improvement with Storm is its encryption: Stewart says the botnet is now using strong encryption rather than the weak 64-bit RSA encryption it used before, which researchers were able to crack. "Now they are using AES encryption for the initial exchange, and then using RSA 1024 for the rest of traffic," Stewart says. Storm is still using the increasingly popular and stealthy fast-flux architecture to help keep it up and running.
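The article names fast flux without describing it: the botnet keeps rotating the A records for its domains through a pool of infected hosts with short TTLs, so that taking down any one address does nothing. That pattern is visible in DNS alone. The script below is an added example, not from the article or the researchers quoted; the answer sets are constructed (addresses from the 100.64.0.0/10 shared-address block stand in for public IPs), the /24 prefix is a crude stand-in for the ASN diversity a real system would measure, and the thresholds are assumptions, not a published detector.

```python
"""Fast-flux indicators from repeated DNS lookups.

Added example, not from the article. The answer sets below are constructed
(addresses from the 100.64.0.0/10 shared-address block stand in for public
IPs) and the thresholds are assumptions, not a published detector.
"""
from ipaddress import ip_address
from statistics import mean

# Each lookup result is (ttl_seconds, [A records returned]).
# Fast-flux style: short TTL, a different set of hosts on every lookup,
# spread across many networks.
FLUX_DOMAIN = [
    (180, ["100.64.1.10", "100.70.22.9", "100.101.3.3", "100.88.140.77"]),
    (180, ["100.65.200.4", "100.72.8.19", "100.99.13.130", "100.90.41.2"]),
    (180, ["100.66.7.21", "100.74.250.6", "100.120.55.9", "100.84.2.200"]),
    (180, ["100.67.33.1", "100.77.18.45", "100.111.90.12", "100.95.64.8"]),
]
# CDN-style name: short TTL too, but the same two hosts keep coming back.
CDN_DOMAIN = [
    (60, ["100.64.5.1", "100.64.5.2"]),
    (60, ["100.64.5.2", "100.64.5.1"]),
    (60, ["100.64.5.1", "100.64.5.2"]),
    (60, ["100.64.5.2", "100.64.5.1"]),
]
# Ordinary static host: long TTL, one address.
STATIC_DOMAIN = [(3600, ["100.64.9.9"])] * 4


def slash24(ip):
    """Network-diversity key: the /24 an address falls in. Assumption: a
    crude stand-in for the ASN lookup a real system would do."""
    addr = ip_address(ip)
    return ".".join(str(addr).split(".")[:3])


def flux_features(lookups):
    """Summarise a series of A-record answers for one name."""
    seen_ips, seen_nets = set(), set()
    for _ttl, rrset in lookups:
        seen_ips.update(rrset)
        seen_nets.update(slash24(ip) for ip in rrset)
    return {
        "lookups": len(lookups),
        "min_ttl": min(ttl for ttl, _ in lookups),
        "avg_rrset": mean([len(rrset) for _, rrset in lookups]),
        "unique_ips": len(seen_ips),
        "unique_nets": len(seen_nets),
    }


def is_fast_flux(f):
    """Illustrative rule (thresholds are assumptions): short TTL plus heavy
    churn of addresses spread over many networks. A low TTL on its own is
    normal for CDNs, so it is necessary but not sufficient; churn (unique IPs
    well above the answer size) and network spread are what distinguish a
    rotating pool of infected hosts from a load-balanced service.
    """
    churn = f["unique_ips"] / f["avg_rrset"]
    return f["min_ttl"] <= 300 and churn >= 3 and f["unique_nets"] >= 5


if __name__ == "__main__":
    for name, lookups in [("flux", FLUX_DOMAIN), ("cdn", CDN_DOMAIN), ("static", STATIC_DOMAIN)]:
        f = flux_features(lookups)
        print(name, f, "FAST-FLUX" if is_fast_flux(f) else "ok")
```

Only the constructed flux domain trips the rule (16 distinct addresses in 16 different /24s over four answers of four records each); the CDN-like name has an even shorter TTL but no churn, which is the case a TTL-only heuristic gets wrong.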

But even with its new malware and departure from P2P, Storm so far is still spewing the same old traditional spam, and there's no sign so far that it's branching out to identity fraud, for instance, he says.

"The gang behind the Storm network hasn't changed. They may have a new coder...maybe that's what they were doing in their time off," Arbor's Nazario says.

Meanwhile, other botnets are brewing that SecureWorks' Stewart is watching closely as well, such as Donbot, Xarvester, and Zbot. And then there's the Conficker worm, which has reportedly spread to more than 2 million PCs that could well be used for botnet operations. "That has got us nervous," Stewart says. "We haven't seen what they are doing with it [the worm] yet. They haven't tipped their hand yet."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
