[ISN] Storm Worm Now Just a Squall

From: InfoSec News (alerts@private)
Date: Mon Oct 22 2007 - 00:08:41 PDT


http://www.pcworld.com/article/id,138721-c,virusesworms/article.html

By Robert McMillan
IDG News Service
October 21, 2007

The Storm Worm's days may be numbered, according to a University of 
California researcher.

Brandon Enright, a network security analyst at UC San Diego, has been 
tracking Storm since July and said that, despite the intense publicity 
that the network of infected computers has received, it's actually been 
shrinking steadily and is presently a shadow of its former self. On 
Saturday, he presented his findings at the Toorcon hacker conference in 
San Diego.

Storm is not really a computer worm. It's a network of computers that 
have been infected via malicious e-mail messages, and are centrally 
controlled via the Overnet P-to-P protocol. Enright said he has 
developed software that crawls through the Storm network and he thinks 
that he has a pretty accurate estimate of how big Storm really is.

Some estimates have put Storm at 50 million computers, a number that 
would give its controllers access to more processing power than the 
world's most powerful supercomputer. But Enright said that the real 
story is significantly less terrifying. In July, for example, he said 
that Storm appeared to have infected about 1.5 million PCs, about 
200,000 of which were accessible at any given time.

Enright guessed that a total of about 15 million PCs have been infected 
by Storm in the nine months it has been around, although the vast 
majority of those have been cleaned up and are no longer part of the 
Storm network.

Since July, it's been downhill for Storm. That's when antivirus vendors 
began stepping up their tracking of Storm variants and got a lot better 
at identifying and cleaning up infected computers, Enright said.

Then on September 11, Microsoft added Storm detection (Microsoft's name 
for Storm's components is Win32/Nuwar) into its Malicious Software 
Removal tool, which ships with every Windows system. Overnight, Storm 
infections dropped by another 20 percent.

Today, Enright said that Storm is about one-tenth of its former size. 
His most recent data counts 20,000 infected PCs available at any one 
time, out of a total network of about 160,000 computers. "The size of 
the network has been falling pretty rapidly and pretty consistently," he 
said.

Still, Storm has had a remarkably successful run. It's called Storm 
because it first popped up in mid-January in spam e-mails that offered 
late-breaking information on powerful storms that had been battering 
Europe. Users who clicked on the "Full Story.exe" or "Video.exe" 
attachments that accompanied the spam were infected by malicious 
software, making them part of the Storm network.

These machines were then used to send out more spam and launch attacks 
against other computers. The recent MP3 stock spam that was first 
spotted earlier this week was sent out by the Storm network, Enright 
said.

Storm was effective because its creators were really good at creating 
messages that victims would feel compelled to click, Enright said. In 
its first few days, it managed to infect more than 300,000 computers, 
making it the worst malware outbreak since 2005. Its creators have since 
been masters at creating timely messages for their spam and have also 
had success getting victims to click on fake e-greeting cards.

The Storm network itself is constantly changing, and has used a variety 
of technologies that have made it an interesting phenomenon to study. In 
addition to the peer to peer network, it has used rootkit software to 
disguise its presence on the PC and a server-switching technique called 
"fast-flux," which makes the Storm servers harder to find on the 
network.

It's also developed some interesting ways of keeping researchers like 
Enright at bay. "If you're a researcher and you hit the pages hosting 
the malware too much... there is an automated process that automatically 
launches a denial of service [attack] against you," he said. This 
attack, which floods the victim's computer with a deluge of Internet 
traffic, knocked part of the UC San Diego network offline when it first 
struck.

Lately Storm has been responsible for a large quantity of "pump and 
dump" spam, which tries to temporarily boost the price of penny stocks. 
But one area that does not seem to be of interest to Storm's creators is 
identity theft. "Believe it or not, credit card numbers aren't worth 
that much money," Enright said. "It's much better to make money... via 
pump and dump."


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Mon Oct 22 2007 - 00:43:50 PDT