Storm Worm making comeback with new spam run


It's baaack. Researchers at CA say they have detected a new variant of the Storm Worm, the infamous botnet best known for its spam-producing abilities, but which was effectively killed off more than a year ago.

During its roughly two-year run, though, Storm was highly successful, and it appears malware writers are again reusing the old code to infect machines, which are then used to spread spam, Don DeBolt, director of threat research at CA, told SCMagazineUS.com on Wednesday.

Researchers discovered the threat while examining software that was bundled with rogue anti-virus software, he said.

"This is an example of the reuse of code that worked very effectively in the past," DeBolt said. "It's a good lesson to understand about malware and the internet that when one method works in the past, it's often reused again in the future. We have to constantly keep our guard up and look at the reissuance and redistribution of legacy malware."

The Storm Worm exploded on the scene in 2007, capitalizing on holidays and current events to place tens of thousands of machines under its control. Once computers were infected with the malware, they were used to push out spam. At its peak, Storm was responsible for 20 percent of the world's junk mail.

Then, near the end of 2008, Storm's grip on botnet dominance cratered, partly because a California-based internet service provider, Atrivo, also known as Intercage, was knocked offline. The rogue ISP was responsible for hosting Storm's command-and-control servers, used to supply infected computers with instructions.

In addition, detection of Storm became more effective. Researchers were even able to infiltrate the botnet and disrupt its peer-to-peer communication functionality. Storm was eventually replaced by Waledac.

But now Storm appears to have resurrected itself, at least somewhat. The crux of the latest run is again spam, DeBolt said. Messages related to the campaign are hawking pharmaceutical merchandise, online dating sites and celebrity videos, according to a CA blog post.

"They are sending a large number of spam messages," DeBolt said. "It's programmed to be pretty prolific in its distribution of spam emails. But it's still too early to tell how prolific."

End-users should expect to see more variants of the Storm code.

"We have not infiltrated the botnet or command-and-control server to identify the volume of infected systems," he added. "But we verified that this is a new variant of the legacy threat and that's why we wanted to get the word out."
