The Internet's Public Enemy Number One

Cunning Defense

Whoever is controlling the massive botnet is managing its spread and defense with great sophistication. They frequently change the well-crafted e-mail messages that trick users into installing the virulent bot. When the alert went out about a late-summer wave of fake e-card notes, Storm e-mail in September shifted to messages that pretended to promote Tor, a legit anonymous-surfing application. The fake Tor e-mail used text and images from the actual Tor Web site, but any recipient who followed the download link and double-clicked the resulting tor.exe file installed Storm.

And once it has control of a PC, Storm will fight to maintain it. According to Paul Sop, CTO of Prolexic, which defends business clients against the type of Internet attacks that botnets launch, security researchers who investigate Storm-infected machines can expect swift retaliation.

"The Storm Worm [botnet] has the ability to defend itself," Sop explains. "When you scan it, it will tell another portion of the botnet to DDoS you." In a DDoS, or distributed-denial-of-service attack, a bot herder instructs some or all of the botnet to send a flood of garbage data to a particular victim. And often that flood is enough to knock a Web site offline, or to take down a researcher's Internet connection.

Unique Defense

Storm is the only botnet Sop knows of with this kind of automated self-defense. What's more, it's sneaky about how it executes that defense. It won't launch the attack from the same machines that are scanned, or even ones with similar IP addresses, since that would make the attack's cause immediately apparent. Instead, it passes along the researcher's location to other parts of the Storm botnet, so the DDoS attack appears to come from somewhere else.

The Storm Worm has become so ubiquitous, it's even a star on YouTube, where an F-Secure video that shows the worm's spread around the globe has been viewed more than 850,000 times. (Check out the comments, where you'll find some viewers who are convinced that the worm was created by extraterrestrial forces.)

To help ensure that you don't become the next cog of the vast Storm Worm wheel, use a good antivirus program, and keep your applications up-to-date. The Storm Worm and other such malware frequently exploit known holes in old versions of software such as Internet Explorer, Firefox, QuickTime, and even WinZip to infect PCs.

Also, exercise extreme caution with any unsolicited e-mail, even if it appears to come from someone you know. And finally, to help determine whether your computer might have already joined the ranks of the living dead, see "Proper ID for a Zombie PC."

Subscribe to the Security Watch Newsletter

Comments