The infamous Storm worm, which surfaced in 2007, infecting computers and then bogging down email inboxes and mail servers with a barrage of spam messages, has reemerged this week, but the researchers who stopped Storm the first time say the latest variant won't likely pose a major threat.
Felix Leder, Malware Analyst, The Honeynet Project
Felix Leder, a malware analyst with the research organization, The Honeynet Project, said the new ,a href="https://www.honeynet.org/node/539">Storm variant contains errors making it more susceptible to disruption. Leder, who was on the team that examined the original Storm worm and found ways to disrupt it, said the new variant contains roughly two-thirds of the original Storm code.
"So far, it doesn't look like it is going to be more dangerous than all those other HTTP botnets that are out there," Leder said in an interview with SearchSecurity.com. "Because of the old protocol problems, it's less dangerous than Conficker, Zeus, or the other ones."
Leder said malware researchers are still trying to determine the size of the latest variant. It copies nearly all the code contained in the old Storm worm with a few tweaks that modernize it. The code base was changed by the new author dropping Storms early peer-to-peer command and control communication method and replacing it with an HTTP method. The latest Storm variant was programmed to receive orders from a command and control server based in the Netherlands.
The spread of the Storm Trojan:
Storm Trojan was worse than it should have been: The "Storm" attack made a big splash because people keep falling for social engineering and there was simply little else in the news, experts say.
Spammers tweak Storm to push PDF spam, less image spam: Spammers that target enterprises are switching from image spam to emails containing PDF attachments that could eventually perform denial of service attacks and spread bot code.
Storm worm keeps spreading: A Trojan that first exploited concerns about a storm that battered Europe last week has broken into new variants with new techniques and a wider range of fake headlines.
Dropping peer-to-peer makes it more difficult to detect from legitimate traffic on corporate networks, Leder said. A team of researchers, which includes Leder, Tillmann Werner and Mark Schloesser analyzed the early code base and developed a prototype tool that was able to effectively clean and take over the whole original Storm botnet.
"We aren't surprised by the new version but by the fact that they reused the same old protocol with all the problems it had," Leder said, explaining that the new Storm version can be easily spotted by the typo in the HTTP User-Agent, which states "Windoss."
Leder said it's unclear whether the new malware is under new ownership or was tweaked by the same malware authors. The old Storm Trojan first emerged sending emails exploiting concern about major European storms by adopting a wide variety of fake news headlines in email subject lines.The malware authors were constantly changing their tactics, forcing security vendors to update antispam engines to detect the various forms of spam it sent out. Storm was the first to generate PDF files in spam to escape detection from antivirus software and trick employees with emails that look like business letters
Steven Adair, a security expert with the independent botnet research organization, Shadowserver Foundation, said the first malware variant was collected in the organization's honeypots on April 13. Adair said the new Storm worm is spreading via drive-by downloads and other attacks typically carried out by automated attack toolkits.
"It's using a single IP address right now, which really makes it more susceptible to being taken down," Adair said. "Right now I would say it's a pretty low threat because it's not very widespread. It's not using the P2P infrastructure nor is it using the fast flux DNS techniques."
Ricardo Robielos III, a research engineer at CA Inc., wrote in a blog post that the new Storm worm's code is similar in that it contains a long list of email templates for sending spam. The new Storm worm is sending out a high volume of pharmaceutical and adult dating spam messages.
"This Win32/Pecoan (aka Storm, Nuwar, Zhelatin, Dorf) variant is currently active as of this blog post and is sending out massive volume of spam emails to targeted recipients," Robielos wrote. "The authors also takes advantage of many free URL shortening services to masquerade the URL redirection linked in the Spam email body."