Just over a year since it was first detected, Storm, the blended malware attack, looks like becoming a major vehicle for criminals, say
malware researchers.
After months of relative dormancy, traffic generated by the Storm
botnet ramped up just before Valentine's Day to peak at between
4% and 5% of internet traffic, said researchers at e-mail hosting
service MessageLabs and security supplier Kaspersky Labs.
Dan Hubbard, vice-president of security research at Websense,
said most Storm traffic in the past month was phishing messages.
The messages used subject lines such as "Love Rose", "Just You",
"I Love You", "Lovetrain", "My Heart", "Poem About Us", "Sweetest
Things Aren't Things!", "Valentine Day" and "Valentine Dad" to lure
recipients into opening them.
The e-mails contained links that apparently went to a Valentine
e-card or song that the supposed beloved had chosen. Clicking on
the link may well have delivered a card or song, but it also
installed malware on the user's PC that captured keystrokes, loaded
further viruses, copied, transmitted or deleted files, and enrolled
the PC in Storm's botnet.
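As an added illustration, not code from the article or from any of the researchers it quotes, here is a small mail-triage heuristic that scores a raw e-mail against the lure pattern just described: a seasonal subject line and a link in the body that the reader is invited to click. A third check, that the link's host is a bare IP address rather than a hostname, is this example's own assumption and not something the article reports. The subject list is the one the article quotes; the sample messages, domain names and scoring weights are constructed for the example.

```python
"""Triage heuristic for seasonal lure e-mails of the kind the article
describes. Added example, not code from the article or from any of the
researchers it quotes. Assumptions: LURE_SUBJECTS is the subject list the
article reports; the bare-IP check and the weights are this example's own
choices; the sample messages are constructed."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Subject lines the article reports for the Valentine's Day run
# (lower-cased for comparison).
LURE_SUBJECTS = {
    "love rose", "just you", "i love you", "lovetrain", "my heart",
    "poem about us", "sweetest things aren't things!", "valentine day",
    "valentine dad",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
BARE_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
QUARANTINE_THRESHOLD = 2  # arbitrary choice for this example


def extract_urls(msg):
    """Collect http(s) URLs from every text part of a parsed message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def triage(raw_message):
    """Score a raw RFC 822 message against the lure pattern.

    Each signal is weak on its own (a colleague may well send a link, and a
    real greeting may use a sentimental subject); the combination is what
    the article's Valentine run looked like. Returns the score, the reasons,
    the extracted URLs and whether the score crosses QUARANTINE_THRESHOLD.
    """
    msg = message_from_string(raw_message)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append("subject matches a reported seasonal lure")
    urls = extract_urls(msg)
    if urls:
        reasons.append("body invites a click: %d link(s)" % len(urls))
    # Assumption for this example (not something the article states): a link
    # whose host is a bare IPv4 address rather than a hostname is unusual for
    # a legitimate e-card service and earns a point of its own.
    bare_ip_hosts = [u for u in urls
                     if BARE_IPV4_RE.match(urlparse(u).hostname or "")]
    if bare_ip_hosts:
        reasons.append("link host is a bare IP address")
    score = len(reasons)
    return {"score": score, "reasons": reasons, "urls": urls,
            "quarantine": score >= QUARANTINE_THRESHOLD}


# Constructed sample messages (not real captures). 192.0.2.0/24 and the
# example.* domains are reserved documentation ranges and names.
LURE_MESSAGE = """\
From: "Secret Admirer" <admirer@example.net>
To: reader@example.org
Subject: I Love You
Content-Type: text/plain; charset=utf-8

Someone who loves you made this Valentine e-card. Open it here:
http://192.0.2.10/valentine.html
"""

BENIGN_MESSAGE = """\
From: colleague@example.org
To: reader@example.org
Subject: Re: Q1 budget
Content-Type: text/plain; charset=utf-8

Updated sheet is at https://intranet.example.org/finance/q1.xlsx
"""

GREETING_MESSAGE = """\
From: partner@example.org
To: reader@example.org
Subject: My Heart

No link, just a note: dinner at eight?
"""

if __name__ == "__main__":
    for name, raw in [("lure", LURE_MESSAGE), ("benign", BENIGN_MESSAGE),
                      ("greeting", GREETING_MESSAGE)]:
        result = triage(raw)
        print(name, result["score"], result["quarantine"], result["reasons"])
```

The point of scoring rather than matching is in the two non-lure samples: a sentimental subject with no link, and a work message with a link but an ordinary subject, each score one point and pass, while the constructed lure scores on all three signals. In a real gateway the subject list would be refreshed as each new seasonal run appears, and the threshold tuned against the site's own mail.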
Storm uses social engineering techniques - typically temptation,
and misplaced trust in unsolicited e-mail messages - to lure people
to infectious websites. Once a visiting PC is infected, the code
hides itself on that PC. Using a variety of methods it then goes on
to infect other PCs and record them as peers, building up a
peer-to-peer botnet.
Each infected PC carries the entire Storm malcode, so there is no
central "mothership" to detect and keep off the internet. Once the
botnet is set up, its owners can seed infected PCs with a malcode
program to capture keystrokes and to copy, transmit or delete
files.
Botnets can be hired by anybody.
Several researchers suggested this Valentine's Day was the first
example of botnets being hired by criminals on a large scale. In
effect, Storm is becoming the virtual internet service provider for
the criminal class, they say.
According to Hubbard, Storm's success rate has been remarkable:
around one in three messages resulted in an infection, making it
attractive to criminals.
Graham Cluley, senior technology consultant at Sophos, an IT
security company, said Storm's owners are now showing less care in
coding, despite the huge number of variations they have brought
out. This was a symptom of Storm's maturity as a product. "It is
almost as if they always have another version in the pipeline. It
is now about driving cost down and getting the job done," he
said.
Cluley said what distinguished Storm was the "ferocity" with
which its developers have combined different techniques to make
Storm a means to make money. They do this by renting it to
criminals who sell pornography or counterfeit products, extort
money from banks and gambling companies by blocking their websites,
and steal personal details to commit fraud, among others.
Almost all the Storm traffic comes from as many as a million
home PCs connected to broadband networks, researchers said. The
chances of cleansing them all are remote. That means Storm may have
become pervasive, said Mark Murtagh, technical director of
Websense.
Its pervasiveness, its persistence, its technology and its
management make Storm impossible to defeat purely with technology,
researchers say. Because Storm depends on people clicking to
connect to an insecure website, users will have to stop doing that,
and law enforcement and police have to trace and arrest the Storm
gang, they say.
But there is no globally enforceable legal injunction against
developing products such as Storm, Murtagh said. "We have to hope
that the criminals break some other law connected to pornography,
paedophilia, counterfeiting or gambling so that the police can
act."
Researchers note that Storm's owners "have a life" outside
computers. All Storm attacks to date have related to social events
such as Valentine's Day, New Year, and news. "The Olympics promises
to be huge (for Storm)," said Hubbard. Then there's Easter, the US
election, and ad hoc news events.
So far, the attacks have keyed off Western social events and have
been written in English. But as home computer populations grow in
India, China and Eastern Europe, Storm is likely to find fresh
markets.
Corporate networks, which are better defended than home PCs,
contribute relatively little Storm traffic. That does not mean
chief information security officers can sleep easy. Any staff
member who uses a home PC for work could inadvertently introduce
the malware to the company. The company still needs to protect both
entrance and exit points on its networks, and staff and their
family need to practise safe surfing.