Application security, Incident Response, Malware, TDR

Storm Worm making comeback with new spam run

It's baaack. Researchers at CA say they have detected a new variant of the Storm Worm, the infamous botnet best known for its spam-producing abilities, but which was effectively killed off more than a year ago.

During its roughly two-year run, though, Storm was highly successful, and it appears malware writers again are utilizing the old code to infect machines, which then are used to spread spam, Don DeBolt, director of threat research at CA, told SCMagazineUS.com on Wednesday.

Researchers discovered the threat while examining software that was bundled with rogue anti-virus software, he said.

"This is an example of the reuse of code that worked very effectively in the past," DeBolt said. "It's a good lesson to understand about malware and the internet that when one method works in the past, it's often reused again in the future. We have to constantly keep our guard up and look at the reissuance and redistribution of legacy malware."

The Storm Worm exploded on the scene in 2007, capitalizing on holidays and current events to place tens of thousands of machines under its control. Once computers were infected with the malware, they were used to push out spam. At its peak, Storm was responsible for 20 percent of the world's junk mail.

Then, near the end of 2008, Storm's grip on botnet dominance cratered, partly because a California-based internet service provider, Atrivo, also known as Intercage, was knocked offline. The rogue ISP was responsible for hosting Storm's command-and-control servers, used to supply infected computers with instructions.

In addition, detection of Storm became more effective. Researchers even were able to infiltrate the botnet and disrupt its peer-to-peer communication functionality. Storm eventually was replaced by Waledac.

But now Storm appears to have resurrected itself, at least somewhat. The crux of the latest run is again spam, DeBolt said. Messages related to the campaign are hawking pharmaceutical merchandise, online dating sites and celebrity videos, according to a CA blog post.

"They are sending a large number of spam messages," DeBolt said. "It's programmed to be pretty prolific in its distribution of spam emails. But it's still too early to tell how prolific."

End-users should expect to see increased variants of the Storm code.

"We have not infiltrated the botnet or command-and-control server to identify the volume of infected systems," he added. "But we verified that this is a new variant of the legacy threat and that's why we wanted to get the word out."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.