Storm botnet divides, preps for sale to spammers

Hackers to "sell" compromised computers to spammers and DOS attackers.

The hackers behind the pernicious, persistent Storm Trojan are getting ready to slice off pieces of the botnet created by their malware so that they can "sell" the compromised computers to spammers and denial-of-service attackers, a researcher said this week.

That's the most likely explanation for the encryption added to secure the command-and-control traffic between the bot herder and some bots, said Joe Stewart, a senior security researcher at SecureWorks. According to Stewart, who has closely tracked Storm since its debut in January, the newest variants include a 40-byte key that encrypts the command traffic. Unlike other bot-building Trojans, Storm uses peer-to-peer (P2P) rather than IRC (Internet Relay Chat) to receive commands, a tactic that has made its bots harder to take down.

"One possibility is that they're splitting [the botnet] and selling off individual botnets to spammers," said Stewart. "If they're going to sell, they need to have it so each botnet is on a separate network. The easiest way to do that is to scramble the peer-to-peer Overnet traffic."

If Stewart is right and the people responsible for Storm are getting ready to cash in, it would be a first. Until now, Storm has busied itself only with spreading more copies to uninfected PCs, and with several pump-and-dump stock-scam spam campaigns. There's no evidence that the botnet has been rented out or sold before, said Stewart.

"This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS [domain name system] and hosting capabilities," Steward said. "If that's the case, we might see a lot more of Storm in the future."

Stewart, who characterized the new encryption used by Storm as "not strong," said that the addition would actually help security researchers in the long run: It should be easier to separate the command-and-control from the rest of the Overnet P2P traffic. "It makes it a little easier. We should be able to tell at a glance whether the traffic is coming from a Storm node or an eDonkey [P2P] client.

"In the short term, though, it will throw everybody [in security] off," said Stewart.

Storm, which first stepped onto the malware stage in January when it spread through e-mail messages hyping the news of a massive, damaging storm in Europe -- hence the name -- has been in the news almost constantly ever since. It's known for its use of rootkits, for using rapidly-changing DNS records to stay ahead of take-down attempts, and for clever social engineering tactics that make it more successful than most other malware at duping users into opening attachments or clicking links.

The size of the bot army Storm has assembled has been disputed. Some researchers claim that it numbers in the millions. Stewart, however, thinks it's much smaller -- somewhere in the range of a quarter of a million PCs. "The numbers that came down from MSRC [the Microsoft Security Response Center] seemed to confirm that in my mind," he added.

Last month, MSRC's Jimmy Kuo analyzed the results of malware-cleansing conducted by the Windows Malicious Software Removal Tool and concluded that Storm actually ranked No. 3, and had been cleared off "only" 274,000 systems.

"Most botnets sold to spammers are in the 1,000 to 5,000 range," said Stewart, indicating that the Storm collection could be split a large number of ways. "So far, though, we've seen just one [encryption] key, so maybe this is a test to see if this works."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Essentials

Brother MFC-L3745CDW Colour Laser Multifunction

Learn more >

Mobile

Exec

Sony WH-1000XM4 Wireless Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?