Storm worm returns from the dead
New version not as tough, say security pros
By Jeremy Kirk | Published: 10:03, 29 April 2010
A new variant of the Storm worm has emerged, but it does not appear to be as well-designed as its older relative, according to computer security researchers. The Storm worm first appeared in early 2007 and spread quickly, making it one of the most prolific and widespread worms ever. Once it infected people's computers, the worm sent million upon millions of spam messages.
The Shadowserver Foundation, which tracks botnets, first received a sample of the new version of the worm on April 13, said Steven Adair, via instant message.
The worm was then reverse-engineered by the Honeypot Project, which studies threats on the Internet. The new worm was found to be based on the old code, but some of the elements that made Storm difficult to disrupt were gone, according to a blog post from the organisation. The new Storm doesn't communicate using a peer-to-peer system, a decentralised way to have computers infected with the code communicate with each other and receive new spam instructions. That may be because researchers have been effective in disrupting peer-to-peer botnets, Adair said.
Related Articles on Techworld
The new Storm communicates via HTTP traffic, but it is programmed to receive instructions from one IP (Internet Protocol) address hosted by a server in the Netherlands. The ISP hosting that server has been contacted, Adair said. Since it is receiving instructions from just one IP address, it means the new Storm may not last that long, Adair said. It is also not employing fast flux, which allows an administrator to quickly point a domain name to a new IP address, making it harder to shut down.
The new Storm "doesn't seem as resilient as the older version," Adair said.
It's not known how many computers may be infected with the new Storm. Computers are believed to be getting infected through drive-by downloads, where a website attacks a user's computer looking for software vulnerabilities in order to deliver malicious software. Adair said those websites were delivering Storm via Neosploit, a toolkit used to attack a computer several different ways.
The worm is sending out pharmaceutical, adult dating and celebrity-related spam messages, wrote Ricardo Robielos III, a research engineer with CA. He wrote it was sending out a "massive" volume of spam to targeted recipients.
