The Storm Worm and Convergence of Spam and Malware

Bruce Schneier in the recent edition of Cryptogram gives a fascinating and scary insight on the Storm worm (aka Nuwar, Zhelatin, etc.).

The key point is that Storm is much more than a nuisance -- it is also a mechanism to distribute botnet software to deliver spam and is written by skilled hackers seeking profit.

Key features of Storm:

  • While most Storm hosts do spam delivery work, a number operate in command-and-control mode. The botnet works as a peer-to-peer network, with no central node to take out, which makes it much harder to destroy than older botnets.
  • The command-and-control servers hide by using address-changing techniques.
  • Storm's delivery mechanisms and email mechanisms morph, making it harder to track, and hitting different sets of users.
  • As well as delivering spam, the Storm botnets are also being used to generate denial-of-service attacks on those trying to track it down.
  • It works slowly and does not consume enough resources to be noticed. This makes it much, much harder to detect than more traditional aggressive worms that are highly visible.
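Command-and-control hosts that hide behind changing addresses leave a trace in DNS resolution logs that a defender can measure. The following is an added example, not code from the original post or from Schneier's analysis: it parses a constructed DNS-answer log, counts how many distinct addresses and /24 networks each name resolves to and at what TTL, and flags names whose addresses rotate quickly. The log format, the hostnames and addresses (all from documentation ranges) and the flagging thresholds are assumptions made for illustration.

```python
"""Spot names whose resolved addresses churn rapidly (constructed example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

# Assumed log line shape: "<ISO timestamp> q=<name> ttl=<seconds> answer=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+q=(?P<name>\S+)\s+ttl=(?P<ttl>\d+)\s+answer=(?P<ip>\S+)$"
)

# Constructed sample log: a stable name, a small two-address CDN-style name,
# and one name whose A records rotate through many networks with short TTLs.
SAMPLE_LOG = """\
2007-11-09T15:00:00 q=www.example.com ttl=3600 answer=198.51.100.7
2007-11-09T15:05:00 q=rotating.example.net ttl=60 answer=203.0.113.10
2007-11-09T15:06:00 q=rotating.example.net ttl=60 answer=192.0.2.45
2007-11-09T15:07:00 q=rotating.example.net ttl=60 answer=198.51.100.200
2007-11-09T15:08:00 q=rotating.example.net ttl=60 answer=203.0.113.77
2007-11-09T15:09:00 q=rotating.example.net ttl=60 answer=192.0.2.130
2007-11-09T15:10:00 q=www.example.com ttl=3600 answer=198.51.100.7
2007-11-09T15:30:00 q=rotating.example.net ttl=60 answer=203.0.113.10
2007-11-09T15:35:00 q=cdn.example.org ttl=300 answer=192.0.2.10
2007-11-09T15:40:00 q=cdn.example.org ttl=300 answer=192.0.2.11
"""


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, name, ttl, ip) tuples.
    Malformed lines are skipped so one bad line does not abort a whole run."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append(
            (datetime.fromisoformat(m["ts"]), m["name"], int(m["ttl"]), ip_address(m["ip"]))
        )
    return records


def churn_by_name(records):
    """Per name: distinct IPs, distinct /24 networks, lowest TTL seen and the
    span (in minutes) over which the name was observed."""
    per = defaultdict(list)
    for ts, name, ttl, ip in records:
        per[name].append((ts, ttl, ip))
    stats = {}
    for name, obs in per.items():
        times = [t for t, _, _ in obs]
        ips = {ip for _, _, ip in obs}
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        stats[name] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(ttl for _, ttl, _ in obs),
            "window_min": (max(times) - min(times)).total_seconds() / 60,
        }
    return stats


def flag_rotating(records, min_ips=4, min_nets=2, max_ttl=300):
    """Return names whose addresses change quickly: many distinct IPs spread
    over several networks and served with short TTLs. Thresholds are assumed."""
    stats = churn_by_name(records)
    return sorted(
        name for name, s in stats.items()
        if s["distinct_ips"] >= min_ips
        and s["distinct_nets"] >= min_nets
        and s["min_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for name, s in churn_by_name(recs).items():
        print(name, s)
    print("flagged:", flag_rotating(recs))  # flagged: ['rotating.example.net']
```

On the sample, only rotating.example.net crosses the thresholds; the CDN-style name stays below them. Treat the output as a triage signal rather than a verdict: legitimate content-delivery and round-robin setups also rotate addresses, so flagged names still need to be compared against known-good infrastructure before anyone acts on them.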

The money quote from Schneier:

If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.

This is scary stuff, and unfortunately we are going to see more of it.

Some more detailed analysis at:

... Steve Kille and Richi Jennings

One Comment

  1. Posted November 9, 2007 at 3:09 PM

    Although many of Storm’s machines are in fact outside the US, over half are inside the US. So simply blocking traffic from, say, China, won’t be very effective. That’s the power of a distributed botnet. Storm is rather scary, and getting scarier.
