Storm: The Largest Botnet in the World?

Storm's Effects

Whoever owns Storm is "certainly in tune with American society," says Roger Thompson, CTO of Exploit Prevention Labs. "They're probably European -- their command of English is not perfect -- but they understand American culture quite well."

If recipients of Storm-backed spam click on the link, they are taken to a Web site that automatically downloads Storm if their browsers don't have the most recent patches installed, researchers say. If visitors to the infected Web site do have an up-to-date browser, the site will ask them to click on a few links (with social-engineering queues such as "to download software for viewing your e-card greeting, click here") that allow Storm to circumvent current patches and install itself.

"Nobody's patched against social engineering," says Ben Greenbaum, senior manager of Symantec's Security Response team.

Once Storm is downloaded onto a PC, it turns that computer into part of its botnet, an army of compromised PCs that can be controlled remotely without the owner realizing it.

And that's where the profits come in; researchers believe the people behind Storm make money by renting out portions of their botnet. Members of Storm's botnet can be turned into spam servers, so organizations looking for an untraceable way to blast spam will rent space on these compromised PCs; when the spam sender's IP address is investigated it leads back to the member of the botnet, not the actual spammer.

Considering how profitable crime on the Internet has become, there's no reason to believe that Storm will die down; last month at a conference McAfee CEO David DeWalt said cybercrime has become a $105 billion business, making it worth more than the worldwide illegal drug trade.

Members of the Storm botnet also can be programmed to act as Web servers that download other malicious code, as well as participants in a distributed DoS attack, researchers say.

While Storm spam doesn't cause much concern among enterprise IT departments -- because antispam vendors usually catch on to the latest spam blast and update their filters within days, if not hours -- the potential of unknowingly having corporate assets become part of this huge botnet that's committing crime across the Internet does cause concern.

"We have real-time network traffic monitoring tools implemented across [Argonne National Laboratory]'s networks to ensure that we quickly become aware of 'bad' behavior, especially bot-type/malware behavior," says David Salbego, Unix and operations service manager with Argonne National Laboratory's computing and information systems department. "While no system is perfect, simply relying on not becoming infected is not sufficient -- one must be able to definitely prove that machines are not infected and/or not communicating with known `bad guys.'"

Constant Change

Another feature of Storm that keeps researchers on their toes is the malware's ability to constantly change in attempts to keep one step ahead of prevention measures.

"We detect the exploits [Storm] uses to force its way in," Thompson adds. "At one point they were actually changing what they were installing as often as every minute to avoid [antivirus] programs."

Another antivirus vendor agrees that while Storm isn't the worst piece of malware the Internet has seen, its versatility gives it longevity.

"I don't think Storm is doomsday; I still think people can use the Internet safely," says Dave Marcus, security research and communications manager at McAfee Avert Labs. "But I also don't think it's going to subside any time soon, because of the many ways it can be used. It's something we have to stay vigilant about."