April 28, 2010

Storm Worm making comeback with new spam run

It's baaack. Researchers at CA say they have detected a new variant of the Storm Worm, the infamous botnet best known for its spam-producing abilities, but which was effectively killed off more than a year ago.

During its roughly two-year run, though, Storm was highly successful, and it appears malware writers again are utilizing the old code to infect machines, which then are used to spread spam, Don DeBolt, director of threat research at CA, told SCMagazineUS.com on Wednesday.

Researchers discovered the threat while examining software that was bundled with rogue anti-virus software, he said.

"This is an example of the reuse of code that worked very effectively in the past," DeBolt said. "It's a good lesson to understand about malware and the internet that when one method works in the past, it's often reused again in the future. We have to constantly keep our guard up and look at the reissuance and redistribution of legacy malware."

The Storm Worm exploded on the scene in 2007, capitalizing on holidays and current events to place tens of thousands of machines under its control. Once computers were infected with the malware, they were used to push out spam. At its peak, Storm was responsible for 20 percent of the world's junk mail.

Then, near the end of 2008, Storm's grip on botnet dominance cratered, partly because a California-based internet service provider, Atrivo, also known as Intercage, was knocked offline. The rogue ISP was responsible for hosting Storm's command-and-control servers, used to supply infected computers with instructions.

In addition, detection of Storm became more effective. Researchers even were able to infiltrate the botnet and disrupt its peer-to-peer communication functionality. Storm eventually was replaced by Waledac.

But now Storm appears to have resurrected itself, at least somewhat. The crux of the latest run is again spam, DeBolt said. Messages related to the campaign are hawking pharmaceutical merchandise, online dating sites and celebrity videos, according to a CA blog post.

"They are sending a large number of spam messages," DeBolt said. "It's programmed to be pretty prolific in its distribution of spam emails. But it's still too early to tell how prolific."

End-users should expect to see increased variants of the Storm code.

"We have not infiltrated the botnet or command-and-control server to identify the volume of infected systems," he added. "But we verified that this is a new variant of the legacy threat and that's why we wanted to get the word out."

Related Articles
Related Topics

Sign up to our newsletters

More in News

House Intelligence Committee OKs amended version of controversial CISPA

Despite the 18-to-2 vote in favor of the bill proposal, privacy advocates likely will not be satisfied, considering two key amendments reportedly were shot down.

Judge rules hospital can ask ISP for help in ID'ing alleged hackers

The case stems from two incidents where at least one individual is accused of accessing the hospital's network to spread "defamatory" messages to employees.

Three LulzSec members plead guilty in London

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, who was not named until now because of his age, all admitted their involvement in the hacktivist gang's attack spree.