Storm botnet at one year: Unlikely to go away soon

This week marks the one year anniversary of the world's largest botnet

Security researchers marked the one-year anniversary of the botnet-building Storm Trojan Thursday by disagreeing on its impact and arguing over whether it's an important landmark on the security landscape.

Storm, first detected a year ago Thursday and given its name two days later to recognize its opening scam -- a news pitch on the deadly storms that had just swept Europe -- has been held up as the poster child for the next evolution in malware, linked to the notorious Russian Business Network (RBN) malware hosting organization, and blamed for scores of major spam campaigns that stocked, then restocked, its inventory of compromised computers.

Two things about Storm bear mentioning, said David Emm, a senior technology consultant at Kaspersky Labs, a Moscow-based security company. First, said Emm, the Trojan ditched the traditional IRC command-and-control technology for an off-the-shelf, peer-to-peer technology to keep tabs on the machines it had hijacked. "Storm built its botnet without a central command-and-control," which has made the army of compromised PC much more resilient to traditional takedown efforts, he said.

Secondly, its authors churn out variants at a dizzying rate, then distributes them from servers to bot-controlled PCs to constantly keep one step ahead of antivirus vendors and their scanner signatures. "Storm [has] shown that a distributed botnet is one way to make [a lot of] money," said Emm. "And it won't stop until the perpetrator or perpetrators get caught."

Jamz Yaneza, research project manager at Trend Micro Inc., has been tracking Storm since its debut and sees the malware's first year as less proof of the Trojan's technology as the effectiveness of the scams it runs to get on PCs.

"The social engineering it uses, the timeliness of the spam [centered] on special occasions, such as holidays, that's one of the main reasons why it's still out there," said Yaneza. Storm isn't an especially prevalent piece of malicious code; Trend doesn't even rank it in the top 15 for 2007. But its ability to trick users into opening attachments, which is how it spread itself originally, or dupe them into clicking on links to dangerous Web sites, where driveby exploits attack unpatched PCs, continues to amaze him.

It shows how little some users have learned.

"Storm will keep on churning out socially engineered attacks until end users learn to be more wary," said Yaneza, who seemed baffled by people who refuse to adopt spam filters, a first line of defense against attacks.

But Joe Stewart, a senior security researcher at SecureWorks Inc. and another longtime Storm investigator, dismissed talk of the Trojan as so much wasted breath. "Storm hasn't changed the reality of the threat landscape, but it has changed the IT press landscape," he said, referring to what he sees as a misplaced emphasis on the malware.

Stewart acknowledged that Storm has demonstrated some minor "advances" in malware -- the idea that one could use templates delivered to the bots themselves so that the hijacked computers did their own spamming is one -- but he downplayed any long-term significance of the Trojan. "It's just another botnet. There were a lot of other botnets that came before it," he said.

More than anything, Stewart seemed frustrated, even fed up, with Storm. The Trojan, which just recently launched its second annual run of Valentine, continues to plague users' houses. "It's repeating the same pattern that it's used all year," said Stewart. "It just shows how much farther we have to go."

Nor does he see an end in sight. "It's a matter of will on the part of its makers," he said. "Storm won't go away until they are done making money with this." And Stewart's betting that, what with Storm's origination, that day will be a long time coming. Researchers have consistently pegged Storm's birthplace as Russia -- St. Petersburg, in particular. And it's no coincidence that the RBN hails from the same city.

But it doesn't seem to matter how much information security researchers collect on Storm, then hand over to people in law enforcement. "Invariably, it turns out that they're in Eastern Europe," said Stewart. And then nothing gets done. "They still get to carry out their business."

Trend Micro has posted a chronology of Storm on its malware blog here.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?