Storm Worm making comeback with new spam run

Share this article:

It's baaack. Researchers at CA say they have detected a new variant of the Storm Worm, the infamous botnet best known for its spam-producing abilities, but which was effectively killed off more than a year ago.

During its roughly two-year run, though, Storm was highly successful, and it appears malware writers again are utilizing the old code to infect machines, which then are used to spread spam, Don DeBolt, director of threat research at CA, told on Wednesday.

Researchers discovered the threat while examining software that was bundled with rogue anti-virus software, he said.

"This is an example of the reuse of code that worked very effectively in the past," DeBolt said. "It's a good lesson to understand about malware and the internet that when one method works in the past, it's often reused again in the future. We have to constantly keep our guard up and look at the reissuance and redistribution of legacy malware."

The Storm Worm exploded on the scene in 2007, capitalizing on holidays and current events to place tens of thousands of machines under its control. Once computers were infected with the malware, they were used to push out spam. At its peak, Storm was responsible for 20 percent of the world's junk mail.

Then, near the end of 2008, Storm's grip on botnet dominance cratered, partly because a California-based internet service provider, Atrivo, also known as Intercage, was knocked offline. The rogue ISP was responsible for hosting Storm's command-and-control servers, used to supply infected computers with instructions.

In addition, detection of Storm became more effective. Researchers even were able to infiltrate the botnet and disrupt its peer-to-peer communication functionality. Storm eventually was replaced by Waledac.

But now Storm appears to have resurrected itself, at least somewhat. The crux of the latest run is again spam, DeBolt said. Messages related to the campaign are hawking pharmaceutical merchandise, online dating sites and celebrity videos, according to a CA blog post.

"They are sending a large number of spam messages," DeBolt said. "It's programmed to be pretty prolific in its distribution of spam emails. But it's still too early to tell how prolific."

End-users should expect to see increased variants of the Storm code.

"We have not infiltrated the botnet or command-and-control server to identify the volume of infected systems," he added. "But we verified that this is a new variant of the legacy threat and that's why we wanted to get the word out."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Apple implements two-factor authentication

The company followed through on its promise to up iCloud security by implementing two-factor authentication earlier this week.

C&K apologizes for unauthorized access that led to Goodwill breach

A web hosting service apologized for intermittent unauthorized access of its hosted environment over 18 months that led to the Goodwill breach.

Yelp and TinyCo settle with FTC over COPPA Rule violations

Yelp and TinyCo settle with FTC over COPPA ...

Yelp will pay $450,000, and TinyCo will pay $300,000 to settle charges that their mobile apps collected information from children under the age of 13.