It is said that change is the one constant in life, and that is proving true in the case of the Storm malware. Usually change is good, but where this malware is involved, change can mean something else entirely.
The infamous Storm worm has gotten an update: the giant botnet it employs is now broken into segments, or smaller networks. The latest Storm variants use a 40-byte key to encrypt traffic over the peer-to-peer (P2P) protocol Overnet, as first reported by our counterparts at SecureWorks. Overnet lets individual bots connect to other infected systems. With encryption in place, communication is only possible between botnet nodes that share the same key, so each key effectively defines its own segment of the botnet.
This may be an indication that the Storm worm creators are preparing to go to market with Storm variants, which they could sell in malware forums to other malicious users (spammers or DoS attackers). That could translate into automated spam kits, which could in turn lead to a surge in Storm infections.
Another possible reason is that the Storm authors want to manage their networks more easily. The upside is that system administrators may now be better able to protect their networks against the deluge of Storm malware, whereas before the Storm botnet was believed difficult to eliminate because of its use of P2P technology (instead of a single C&C server).
The Storm worm began its downpour in January this year, earning its name from its social engineering technique of piggybacking on the real-world storm Kyrill that was then ravaging Northern Europe. It first sent out spammed email messages that promised more information about the storm. Users who followed them ended up downloading a Trojan that turned their machines into zombies, part of the Storm botnet that is now estimated at 1-50 million PCs.
Since then, the botnet has been constantly evolving, employing one new technique after another. Notably, it came as eCard spam that rode on big occasions like the Fourth of July, Labor Day, and the NFL season; contained links that supposedly led to a YouTube video file; offered downloads of the otherwise legitimate application Tor Proxy or a BETA testing program; and posed as “welcome” messages for memberships to various online services. Most recently, it was seen as a worm that arrived via fake eCards aimed at unsuspecting users with a fondness for felines.
There is still no end in sight to the twists and turns in the history of the Storm worm. But if this new development works in the Storm authors’ favor, this malware family is poised to grow into a cyclone, with its creators doing more damage to property and earning money in the process. For now, the coast is anything but clear.