Microsoft didn't crush Storm, counter researchers

Not so fast, says Trend Micro

Microsoft didn't crush the Storm botnet as it has claimed, rival security researchers argued today. Instead, the criminals responsible for the army of compromised computers diversified last year to avoid attention and expand their business.

Paul Ferguson, a network architect with anti-virus vendor Trend Micro, and a colleague, Jamz Yaneza, a Trend Micro research project manager, disputed Microsoft's contention that the Malicious Software Removal Tool (MSRT) had beat Storm into submission .

The MSRT is a program that Microsoft updates and automatically redistributes to Windows users each month on Patch Tuesday. It includes definitions for the most popular malware, sniffs systems for malicious code and then deletes it. Microsoft first added detection for the Storm Trojan in September 2007.

By Microsoft's count, the MSRT cleaned more than 526,000 Storm-infected PCs in the final four months of last year. After some back-and-forth between the Storm bot herders and Microsoft, the former gave up, said Jimmy Kuo, a senior security architect with the Redmond, Wash. developer.

"Even though they were able to maintain parts of their botnet, they knew they were in our gun sights," Kuo said in an interview earlier this week. "And ultimately they gave up."

Not so fast, said Trend Micro.

"The MSRT had an impact on Storm," Ferguson acknowledged, citing Trend Micro statistics that showed a 20% to 25% reduction in the number of bots within the Storm botnet late last year. "But there are some key gaps in the reality on the ground.

"Storm is still out there," he said. And active. "We've seen campaigns to renew their [botnet] body count within the last 48 hours."

More important, though, is the big picture, said Ferguson and Yaneza. Storm is certainly diminished, they agreed, but not simply because of Microsoft and its MSRT.

"Storm's operators have been diversifying," said Yaneza, who has followed Storm since it first appeared in early 2007. In fact, the Storm botnet's current size -- considerably smaller than during 2007 -- was a matter of choice, not something forced on the hackers, Yaneza argued.

"They've changed business tactics, and diversified into other botnets, just like the Russian Business Network diversified by getting out of St. Petersburg [Russia] and is now working out of many facilities worldwide," he said.

Researchers, including Yaneza, have linked Storm -- and other botnets -- with the Russian Business Network (RBN), a shadowy network of malicious code and hacker hosting services. Last November, Yaneza and others reported that the RBN pulled up stakes and moved most of its operations to servers based in China. When the media noted the shift, RBN apparently split its hosting services among several Asian countries, a move analysts saw as an attempt to avoid attention and possible action by law enforcement.

"At one time, Storm was a monster that was rented out for all kinds of activities," said Ferguson, ticking off spamming, denial-of-service attacks and malware distribution. "It was one big, huge target. But they diversified. That falls into the 'fly low under the radar' theory."

Some of the botnets that are most active now, Ferguson continued, have connections to Storm, and its creators and managers. "Some of the same people who had a hand in Storm have a hand in the new botnets," he said, naming Bobax and Kracken as two which Trend links to Storm.

"It's virtually impossible to tell who is really behind each of these botnets," Ferguson admitted, "but there are a lot of similarities in methodology."

The bottom line, said the Trend Micro researchers: Storm is still breathing.

"Storm is not down and out," said Ferguson.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?