The news on the Storm worm just keeps getting worse. In just the last few days, there have been reports that the worm’s author (or other criminals who have bought copies of the worm) is using it to send spam loaded with MP3 files and that someone has set up a fake file-sharing site designed to infect visitors with the Storm worm. Perhaps most worrisome, the bots controlled by the worm are now communicating with one another via encrypted channels. The beauty of this arrangement is that only those bots that have the current key can decipher the commands, making it more difficult for researchers and law enforcement agents to listen in.
This development is a pretty clear indication that the worm’s author is in the process of selling off or renting pieces of his huge botnet to third parties for whatever activities they have in mind. There’s been a lot of speculation in the security community about who is behind Storm and what the ultimate purpose of the worm is. Is it just gathering steam for one or two massive DDoS attacks against government or banking networks? Is it the work of a foreign government looking to infiltrate U.S. networks? It’s unlikely we’ll ever know for sure who is responsible for creating the worm, but all of the experts I’ve talked to believe that there is no real higher purpose for the worm. It is quite simply a well-designed and executed attack tool meant to make the author and his cronies large piles of cash through spam and other related schemes.
It remains to be seen how or if Storm ever dissipates, but the author has shown a clear understanding of the methods that security companies and law enforcement use to track and mitigate the worm, so it appears that he has the ability to continue his work undisturbed for the foreseeable future.