Storm botnet at one year: Unlikely to go away soon

This week marks the one year anniversary of the world's largest botnet

Security researchers marked the one-year anniversary of the botnet-building Storm Trojan Thursday by disagreeing on its impact and arguing over whether it's an important landmark on the security landscape.

Storm, first detected a year ago Thursday and given its name two days later to recognize its opening scam -- a news pitch on the deadly storms that had just swept Europe -- has been held up as the poster child for the next evolution in malware, linked to the notorious Russian Business Network (RBN) malware hosting organization, and blamed for scores of major spam campaigns that stocked, then restocked, its inventory of compromised computers.

Two things about Storm bear mentioning, said David Emm, a senior technology consultant at Kaspersky Labs, a Moscow-based security company. First, said Emm, the Trojan ditched the traditional IRC command-and-control technology for an off-the-shelf, peer-to-peer technology to keep tabs on the machines it had hijacked. "Storm built its botnet without a central command-and-control," which has made the army of compromised PC much more resilient to traditional takedown efforts, he said.

Secondly, its authors churn out variants at a dizzying rate, then distributes them from servers to bot-controlled PCs to constantly keep one step ahead of antivirus vendors and their scanner signatures. "Storm [has] shown that a distributed botnet is one way to make [a lot of] money," said Emm. "And it won't stop until the perpetrator or perpetrators get caught."

Jamz Yaneza, research project manager at Trend Micro Inc., has been tracking Storm since its debut and sees the malware's first year as less proof of the Trojan's technology as the effectiveness of the scams it runs to get on PCs.

"The social engineering it uses, the timeliness of the spam [centered] on special occasions, such as holidays, that's one of the main reasons why it's still out there," said Yaneza. Storm isn't an especially prevalent piece of malicious code; Trend doesn't even rank it in the top 15 for 2007. But its ability to trick users into opening attachments, which is how it spread itself originally, or dupe them into clicking on links to dangerous Web sites, where driveby exploits attack unpatched PCs, continues to amaze him.

It shows how little some users have learned.

"Storm will keep on churning out socially engineered attacks until end users learn to be more wary," said Yaneza, who seemed baffled by people who refuse to adopt spam filters, a first line of defense against attacks.

But Joe Stewart, a senior security researcher at SecureWorks Inc. and another longtime Storm investigator, dismissed talk of the Trojan as so much wasted breath. "Storm hasn't changed the reality of the threat landscape, but it has changed the IT press landscape," he said, referring to what he sees as a misplaced emphasis on the malware.

Stewart acknowledged that Storm has demonstrated some minor "advances" in malware -- the idea that one could use templates delivered to the bots themselves so that the hijacked computers did their own spamming is one -- but he downplayed any long-term significance of the Trojan. "It's just another botnet. There were a lot of other botnets that came before it," he said.

More than anything, Stewart seemed frustrated, even fed up, with Storm. The Trojan, which just recently launched its second annual run of Valentine, continues to plague users' houses. "It's repeating the same pattern that it's used all year," said Stewart. "It just shows how much farther we have to go."

Nor does he see an end in sight. "It's a matter of will on the part of its makers," he said. "Storm won't go away until they are done making money with this." And Stewart's betting that, what with Storm's origination, that day will be a long time coming. Researchers have consistently pegged Storm's birthplace as Russia -- St. Petersburg, in particular. And it's no coincidence that the RBN hails from the same city.

But it doesn't seem to matter how much information security researchers collect on Storm, then hand over to people in law enforcement. "Invariably, it turns out that they're in Eastern Europe," said Stewart. And then nothing gets done. "They still get to carry out their business."

Trend Micro has posted a chronology of Storm on its malware blog here.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?