Researchers during the past weeks have been speculating about similarities between the new Waledac, a.k.a. Waled, botnet and Storm. Now new evidence has helped confirm that this new botnet is, indeed, Storm reincarnated.
Storm all but disappeared off of the grid last year, basically going dormant in mid-September after its last major spam campaign in July -- a "World War III" scam. In October, researchers started to write off Storm, at least in the short term. But now they say the big botnet has reinvented itself with new binary bot code, and that it is no longer using noisy peer-to-peer communications among its bots. It has instead moved to HTTP communications, which helps camouflage its activity among other Web traffic.
Jose Nazario, manager of security research for Arbor Networks, says he was initially skeptical of speculation that Waledac and Storm were one in the same. But Nazario says the latest findings on the malcode and its activity -- the botnet is using many of the same IP addresses that were used in Storm -- changed his mind. "[The Waledac bots] are talking to the same servers we saw in Storm," he says.
So far Storm's M.O. is the same: to send traditional spam, typically in the form of e-greetings, such as the Christmas Eve spam run of e-cards that had the earmark of Storm. But the biggest difference is it's no longer as easily detectable now that it has converted to HTTP communications. "P2P was part of the reason for Storm's demise. It was easy to filter it," Nazario says. "With HTTP, it's a little harder [to filter] because you've got to know what you're looking for."
According to Arbor, Storm is so far at about 35,000 bots, nowhere near its heyday of multiple hundreds of thousands of zombies; SecureWorks' Joe Stewart estimates that Storm is around 10,000 bots. Nazario and Stewart both expect Storm to continue to grow and again become a major botnet this year, with Stewart's including Storm/Waledac on his list of the top botnets to watch in 2009.
Storm began its comeback with a holiday spam run featuring its all-new malcode. "We started seeing a flurry of email on Christmas Eve...looking at the code, it was obvious they didn't just write this...it had been in development [for some time]. And they chose that timeframe of Christmas," SecureWorks' Stewart says.
This time, however, the bots aren't talking over noisy P2P links, he says. "eDonkey P2P stuff is really noisy," he says. "It wasted a lot of their bandwidth, so they've gotten away from that."
Steven Adair, a researcher with Shadowserver, says the HTTP method being used now by Storm also helps mask which machines are bots and which are command and control servers. "It makes it harder to figure out which systems are actually just victim systems and which are actually motherships systems that are used for the real command and control," he says.
Another improvement with Storm is its encryption: Stewart says the botnet is now using strong encryption rather than the weak 64-bit RSA encryption it used before that researchers were able to crack it. "Now they are using AES encrypption for the initial exchange, and then using RSA 1024 for the rest of traffic," Stewart says. Storm is still using the increasingly popular and stealthy fast-flux architecture to help keep it up and running.
But even with its new malware and departure from P2P, Storm so far is still spewing the same old traditional spam, and there's no sign so far that it's branching out to identity fraud, for instance, he says.
"The gang behind the Storm network hasn't changed. They may have a new coder...maybe that's what they were doing in their time off," Arbor's Nazario says.
Meanwhile, other botnets are brewing that SecureWorks' Stewart is watching closely as well, such as Donbot, Xarvester, and Zbot. And then there's the Conflickr worm, which has reportedly spread to more than 2 million PCs that could well be used for botnet operations. "That has got us nervous," Stewart says. "We haven't seen what they are doing with it [the worm] yet. They haven't tipped their hand yet."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message