By Kelly Jackson Higgins
April 28, 2010
It's baaack: The bot code used in the infamous, massive Storm botnet
that was taken down nearly two years ago is being used to build another
spamming botnet. Researchers have reverse-engineered the tweaked version
of the original Storm code, which so far has spread somewhere between
10,000 to 20,000 machines.
Researchers don't know for sure whether it's the same botnet gang that
drove the original Storm and then its predecessor, Waledac -- both of
which are no more -- but they have identified two-thirds of the same
elements in this latest version as in the original Storm code version.
Noticeably missing is Storm's trademark peer-to-peer component: This
version is all HTTP-based rather than the hybrid P2P/HTTP approach in
the old botnet, which at one point swelled to a half-million bots. Storm
began to fade away in the fall of 2008 after researchers were able to
successfully disrupt its operations on more than one occasion.
Waledac, which boasted 60,000 to 80,000 zombies, was downed in February
by a sneak attack from a team from Microsoft, Shadowserver, the
University of Washington, Symantec, and a group of researchers from
Germany and Austria who had first infiltrated the botnet last year.
Joe Stewart, director of malware research for the counter threat unit at
Secureworks and known for his previous research on Storm, says he
believes another person or group has procured the code and stripped out
the P2P element. "From everything we've seen, it looks like the original
Storm crew moved to Waledac...so what strikes me is that they stripped
out the P2P and sold the spam code to another group to build a more
simplified botnet," Stewart says. The P2P feature had been targeted by
researchers, which made it less appealing, he says.
Best Selling Security Books and More!
Shop InfoSec News