Storm Worm Reappears

Storm Worm Reappears
Storm Worm Reappears 

By Kelly Jackson Higgins
April 28, 2010

It's baaack: The bot code used in the infamous, massive Storm botnet 
that was taken down nearly two years ago is being used to build another 
spamming botnet. Researchers have reverse-engineered the tweaked version 
of the original Storm code, which so far has spread somewhere between 
10,000 to 20,000 machines.

Researchers don't know for sure whether it's the same botnet gang that 
drove the original Storm and then its predecessor, Waledac -- both of 
which are no more -- but they have identified two-thirds of the same 
elements in this latest version as in the original Storm code version. 
Noticeably missing is Storm's trademark peer-to-peer component: This 
version is all HTTP-based rather than the hybrid P2P/HTTP approach in 
the old botnet, which at one point swelled to a half-million bots. Storm 
began to fade away in the fall of 2008 after researchers were able to 
successfully disrupt its operations on more than one occasion.

Waledac, which boasted 60,000 to 80,000 zombies, was downed in February 
by a sneak attack from a team from Microsoft, Shadowserver, the 
University of Washington, Symantec, and a group of researchers from 
Germany and Austria who had first infiltrated the botnet last year.

Joe Stewart, director of malware research for the counter threat unit at 
Secureworks and known for his previous research on Storm, says he 
believes another person or group has procured the code and stripped out 
the P2P element. "From everything we've seen, it looks like the original 
Storm crew moved to what strikes me is that they stripped 
out the P2P and sold the spam code to another group to build a more 
simplified botnet," Stewart says. The P2P feature had been targeted by 
researchers, which made it less appealing, he says.


Best Selling Security Books and More!
Shop InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods