In 2007, Storm burst onto the scene and spread rapidly. A new form of malware that propagated using a combination of email and websites, it proved extraordinarily sophisticated. Estimates of the number of computers infected with Storm ranged widely, with some security researchers positing that up to 50 million computers had been infected.
IronPort Systems estimates that, at its most destructive point in July 2007, about 1.4 million computers were simultaneously infected and active – but that Storm continued to infect and re-infect around 900,000 computers per month. Storm has since shrunk in size for a variety of reasons, such as computers being disinfected or becoming dormant until needed again, and parts of the network being separated or switched to new, different botnets.
Storm shows several key characteristics, some new and advanced. It uses cunning social engineering techniques – such as tying spam campaigns to a current event or site of interest – as well as a blend of email and the Web to spread. It is highly coordinated, yet decentralized – and with Storm using the latest generation of peer-to-peer (P2P) technology, it cannot be disabled by simply “cutting off its head.” In addition, Storm is self-propagating – once infected, computers send out massive amounts of Storm spam to keep recruiting new nodes.
It is extremely adaptable and can be used for different types of attacks – including email spam, phishing, DDoS, IM attacks and blog spam. Storm is also self-defending – it has launched DoS attacks against researchers and security organizations studying it.
Storm’s presence on the Internet seems to have declined significantly since its mid-2007 peak. On one hand, widely used anti-virus and anti-malware software programs – including Microsoft’s Malicious Software Removal Tool – are now able to detect and clean more variants of Storm, so many computers were cleaned. On the other hand, the creators and operators of Storm seem to be continuing to run and propagate new botnets. Possibly derived from Storm, these operate more quietly, are spread out into smaller networks and are designed to be even harder to track and disinfect.
The 2007 rise of Storm was a harbinger – this new kind of social malware is continuing to grow and increase in sophistication. New, widespread malware botnets which share characteristics with Storm include Srizbi, Bobax and Kraken/Kracken. IronPort is tracking these botnets and implementing protective measures against their infection mechanisms. In addition, IronPort monitors and identifies new threats designed to exploit software vulnerabilities (such as those found in application like Adobe Flash Player), as well as website redirects, Google exploits, and spam attacks that take advantage of “Out of Office” autoreplies to validate email addresses and even hijack corporate mail servers.
For most of the last thirty years, spam has been an annoyance, created by individual amateurs. Those days are over. As Storm shows, today’s extremely organized, technically savvy, well funded malware efforts are comparable in scale to legitimate software vendors. Talented engineering teams have now moved to the dark side, and are a threat to every organizational network and individual with an email account and Web browser.
However, by tracking new threats as they emerge, and utilizing holistic solutions that detect not just particular variants of malware but malicious patterns in network traffic and use, administrators and security organizations can protect users and networks from becoming infected.