1/14/2009
01:34 PM

Storm Botnet Makes A Comeback

Researchers confirm 'Waledac' is the work of new and improved Storm

It's official: Storm is back. The notorious botnet that ballooned into one of the biggest botnets ever and then basically disappeared for months last year is rebuilding -- with all-new malware and a more sustainable architecture less likely to be infiltrated and shut down.

In recent weeks researchers have been speculating about similarities between the new Waledac (a.k.a. Waled) botnet and Storm. New evidence now confirms that this botnet is, indeed, Storm reincarnated.

Storm all but dropped off the grid last year, going dormant in mid-September after its last major spam campaign, a "World War III" scam, in July. In October researchers started to write Storm off, at least in the short term. Now they say the botnet has reinvented itself with new bot binaries, and that it no longer uses noisy peer-to-peer communications among its bots. It has moved instead to HTTP, which lets its command-and-control traffic hide among ordinary Web traffic.

Jose Nazario, manager of security research for Arbor Networks, says he was initially skeptical of speculation that Waledac and Storm were one and the same. But Nazario says the latest findings on the malcode and its activity changed his mind: the botnet is using many of the same IP addresses that Storm used. "[The Waledac bots] are talking to the same servers we saw in Storm," he says.

So far Storm's M.O. is the same: sending traditional spam, typically e-greetings, such as the Christmas Eve run of e-card spam that bore the earmarks of Storm. The biggest difference is that it is no longer as easily detectable now that it has converted to HTTP communications. "P2P was part of the reason for Storm's demise. It was easy to filter it," Nazario says. "With HTTP, it's a little harder [to filter] because you've got to know what you're looking for."

According to Arbor, Storm is so far at about 35,000 bots, nowhere near its heyday of several hundred thousand zombies; SecureWorks' Joe Stewart puts it at around 10,000 bots. Nazario and Stewart both expect Storm to keep growing and again become a major botnet this year, and Stewart includes Storm/Waledac on his list of the top botnets to watch in 2009.

Storm began its comeback with a holiday spam run featuring its all-new malcode. "We started seeing a flurry of email on Christmas Eve...looking at the code, it was obvious they didn't just write this...it had been in development [for some time]. And they chose that timeframe of Christmas," SecureWorks' Stewart says.

This time, however, the bots aren't talking over noisy P2P links, he says. "eDonkey P2P stuff is really noisy," he says. "It wasted a lot of their bandwidth, so they've gotten away from that."

Steven Adair, a researcher with Shadowserver, says Storm's new HTTP method also helps mask which machines are bots and which are command-and-control servers. "It makes it harder to figure out which systems are actually just victim systems and which are actually mothership systems that are used for the real command and control," he says.
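What "knowing what you're looking for" can mean in practice, as an added illustration for this article (not code from Arbor, SecureWorks or Shadowserver, and not a signature for Waledac/Storm): a bot that checks in with its controller over plain HTTP blends in by content, but it tends to check in on a timer, which human browsing does not, and the fast-flux names the article notes Storm still uses resolve to many short-lived addresses. Both heuristics below run over constructed proxy and DNS log lines; the hostnames, addresses, function names and thresholds are all assumptions made for the example.

```python
"""
Heuristics for the kind of HTTP command-and-control traffic described in the
article: regular "beaconing" from a client and fast-flux name resolution.

Added illustration; not the researchers' code and not a Waledac/Storm
signature. All log lines are constructed; names and addresses come from the
documentation ranges (example.net, 203.0.113.0/24, 198.51.100.0/24).
"""
from collections import defaultdict
from statistics import mean, pstdev

T0 = 1231900000  # constructed base timestamp (mid-January 2009)

# Constructed proxy log: (unix_ts, client_ip, method, host, path)
PROXY_LOG = [
    # 10.0.0.7 checks in roughly every ten minutes: timer-driven beaconing
    (T0 + 0,    "10.0.0.7",  "POST", "updates.example.net", "/index.php"),
    (T0 + 603,  "10.0.0.7",  "POST", "updates.example.net", "/index.php"),
    (T0 + 1198, "10.0.0.7",  "POST", "updates.example.net", "/index.php"),
    (T0 + 1802, "10.0.0.7",  "POST", "updates.example.net", "/index.php"),
    (T0 + 2399, "10.0.0.7",  "POST", "updates.example.net", "/index.php"),
    (T0 + 3001, "10.0.0.7",  "POST", "updates.example.net", "/index.php"),
    # 10.0.0.12 is a person reading the news: bursty, irregular timing
    (T0 + 0,    "10.0.0.12", "GET",  "news.example.com", "/"),
    (T0 + 40,   "10.0.0.12", "GET",  "news.example.com", "/story/1"),
    (T0 + 900,  "10.0.0.12", "GET",  "news.example.com", "/story/2"),
    (T0 + 1000, "10.0.0.12", "GET",  "news.example.com", "/story/3"),
    (T0 + 1500, "10.0.0.12", "GET",  "news.example.com", "/"),
    (T0 + 4000, "10.0.0.12", "GET",  "news.example.com", "/story/4"),
]

# Constructed DNS answer log: (unix_ts, qname, answer_ip, ttl_seconds)
DNS_LOG = [
    (T0 + 0,    "updates.example.net", "203.0.113.11",  60),
    (T0 + 600,  "updates.example.net", "203.0.113.47",  60),
    (T0 + 1200, "updates.example.net", "203.0.113.9",   60),
    (T0 + 1800, "updates.example.net", "203.0.113.120", 60),
    (T0 + 2400, "updates.example.net", "203.0.113.73",  60),
    (T0 + 3000, "updates.example.net", "203.0.113.200", 60),
    (T0 + 0,    "news.example.com",    "198.51.100.10", 3600),
    (T0 + 3600, "news.example.com",    "198.51.100.10", 3600),
]


def find_beacons(log, min_requests=6, max_cv=0.1):
    """Return (client, host, mean_gap_seconds) for client/host pairs whose
    request spacing is suspiciously regular.

    Regularity is the coefficient of variation (stddev / mean) of the gaps
    between consecutive requests: human browsing is bursty and scores high,
    a timer-driven check-in scores close to zero.
    """
    by_pair = defaultdict(list)
    for ts, client, _method, host, _path in log:
        by_pair[(client, host)].append(ts)

    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, host, round(avg)))
    return hits


def find_fast_flux(dns_log, min_distinct_ips=5, max_ttl=300):
    """Return names that resolved to many distinct addresses, every answer
    carrying a short TTL: the fast-flux pattern that keeps a controller
    reachable while the individual front-end nodes come and go."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for _ts, qname, ip, ttl in dns_log:
        ips[qname].add(ip)
        ttls[qname].append(ttl)
    return sorted(
        q for q in ips
        if len(ips[q]) >= min_distinct_ips and max(ttls[q]) <= max_ttl
    )


if __name__ == "__main__":
    print("beaconing pairs:", find_beacons(PROXY_LOG))
    print("fast-flux names:", find_fast_flux(DNS_LOG))
```

The two checks answer the two halves of Adair's problem separately: the proxy-side check points at infected clients, the DNS-side check at the names fronting the controllers. Treat a beacon hit as a triage lead rather than a verdict, since legitimate software updaters and monitoring agents also poll on a fixed schedule; the destination's reputation and whether it shows fast-flux behaviour are what separate the two.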

Another improvement is Storm's encryption: Stewart says the botnet now uses strong encryption rather than the weak 64-bit RSA it used before, which researchers were able to crack. "Now they are using AES encryption for the initial exchange, and then using RSA 1024 for the rest of traffic," Stewart says. Storm still uses the increasingly popular and stealthy fast-flux technique, rapidly rotating the addresses behind its domain names, to keep its infrastructure reachable.
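To show why the "weak 64-bit RSA" mentioned above offered no real protection, here is an added worked example (not Storm/Waledac code or key material, and not a description of how the researchers actually recovered the key): a 64-bit modulus factors with Pollard's rho in a fraction of a second, and once the two primes are known the private exponent follows directly. The primes and the "session key" below are constructed for the demonstration; the function names are assumptions.

```python
"""
Factoring a 64-bit RSA modulus and recovering the private key.

Added worked example for this article; the key below is constructed and has
nothing to do with the botnet's real keys. The point is the size: a 64-bit
modulus is two 32-bit primes, and Pollard's rho finds one of them in about
2**16 steps on a laptop.
"""
from math import gcd

# Two 32-bit primes (the two largest below 2**32), giving a 64-bit modulus.
P_DEMO = 4294967279  # 2**32 - 17
Q_DEMO = 4294967291  # 2**32 - 5
E = 65537            # the usual public exponent


def pollard_rho(n, c=1):
    """Return a non-trivial factor of the composite n (Pollard's rho).

    Expected cost is roughly sqrt(p) iterations for the smallest prime
    factor p, so 32-bit primes fall in tens of thousands of steps.
    """
    if n % 2 == 0:
        return 2
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n            # tortoise: one step
            y = (y * y + c) % n
            y = (y * y + c) % n            # hare: two steps
            d = gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1  # both sequences collided at once; retry with another polynomial


def factor_rsa_modulus(n):
    """Return (p, q) with p < q and p * q == n."""
    p = pollard_rho(n)
    q = n // p
    return (p, q) if p < q else (q, p)


def recover_private_exponent(p, q, e=E):
    """d is the inverse of e modulo lcm(p - 1, q - 1)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, lam)


def rsa_encrypt(m, n, e=E):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def crack_and_decrypt(n, c, e=E):
    """Everything an eavesdropper has: the public key (n, e) and a ciphertext."""
    p, q = factor_rsa_modulus(n)
    d = recover_private_exponent(p, q, e)
    return rsa_decrypt(c, n, d)


if __name__ == "__main__":
    n = P_DEMO * Q_DEMO
    secret = 0x1337C0DE  # constructed stand-in for a session key, < n
    c = rsa_encrypt(secret, n)
    print(f"modulus is {n.bit_length()} bits")
    print("recovered plaintext:", hex(crack_and_decrypt(n, c)))
```

The same function makes no progress against a 1024-bit modulus: Pollard's rho would need on the order of 2**256 steps there, which is why moving to RSA 1024 (and a proper symmetric cipher such as AES for bulk data) closes the door that a 64-bit key left wide open.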

But even with its new malware and departure from P2P, Storm is so far still spewing the same old traditional spam, and there's no sign yet that it's branching out into identity fraud, for instance, Stewart says.

"The gang behind the Storm network hasn't changed. They may have a new coder...maybe that's what they were doing in their time off," Arbor's Nazario says.

Meanwhile, SecureWorks' Stewart is also closely watching other botnets that are brewing, such as Donbot, Xarvester, and Zbot. And then there's the Conficker worm, which has reportedly spread to more than 2 million PCs that could well be used for botnet operations. "That has got us nervous," Stewart says. "We haven't seen what they are doing with it [the worm] yet. They haven't tipped their hand yet."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
