Just over a year since it was first detected, Storm, the blended malware attack, looks like becoming a major vehicle for criminals, say malware researchers.
After months of relative dormancy, traffic generated by the Storm botnet ramped up just before Valentine's Day to peak at between 4% and 5% of internet traffic, said researchers at e-mail hosting service MessageLabs, and security supplier Kaspersky Labs.
Dan Hubbard, vice-president of security research at Websense, said most Storm traffic in the past month was phishing messages. The messages tried to lure recipients into opening e-mails with subject lines such as Love Rose, Just You, I Love You, Lovetrain, My Heart, Poem About Us, Sweetest Things Aren't Things!, Valentine Day and Valentine Dad.
The e-mails contained links that apparently went to a Valentine e-card or song that the supposed beloved had chosen. Clicking on the link may well have delivered a card or song, but it also installed malware on the user's PC to capture keystrokes, load viruses, copy and transmit or delete files, and enrol the PC as part of Storm's botnet.
Storm uses social engineering techniques - typically temptation and falsely based trust in unsolicited e-mail messages - to lure people to infectious websites. Once a visiting PC is infected, the code hides itself on the user's PC. Using a variety of methods it then goes on to infect and remember other PCs, thus setting up a peer-to-peer botnet.
Each infected PC carries the entire Storm malcode. This means there is no central "mothership" to detect and keep off the internet. Once the botnet is set up, the owners can seed infected PCs with a malcode program to capture keystrokes, copy, transmit or delete files.
Botnets can be hired by anybody.
Several researchers suggested this Valentine's Day was the first example of botnets being hired by criminals on a large scale. In effect, Storm is becoming the virtual internet service provider for the criminal class, they say.
According to Hubbard, Storm's success rate has been remarkable: around one in three messages resulted in an infection, making it attractive to criminals.
Graham Cluley, senior technology consultant at Sophos, an IT security company, said Storm's owners are now showing less care in coding, despite the huge number of variations they have brought out. This was a symptom of Storm's maturity as a product. "It is almost as if they always have another version in the pipeline. It is now about driving cost down and getting the job done," he said.
Cluley said what distinguished Storm was the "ferocity" with which its developers have combined different techniques to make Storm a means to make money. They do this by renting it to criminals who sell pornography or counterfeit products, extort money from banks and gambling companies whose websites they block, and who steal personal details to commit fraud, among others.
Almost all the Storm traffic comes from as many as a million home PCs connected to broadband networks, researchers said. The chances of cleansing them all are remote. That means Storm may have become pervasive, said Mark Murtagh, technical director of Websense.
Its pervasiveness, its persistence, its technology and its management make Storm impossible to defeat purely with technology, researchers say. Because Storm depends on people clicking to connect to an insecure website, users will have to stop doing that, and law enforcement and police have to trace and arrest the Storm gang, they say.
But there is no globally enforceable legal injunction against developing products such as Storm, Murtagh said. "We have to hope that the criminals break some other law connected to pornography, paedophilia, counterfeiting or gambling so that the police can act."
Researchers note that Storm's owners "have a life" outside computers. All Storm attacks to date have related to social events such as Valentine's Day, New Year, and news. "The Olympics promises to be huge (for Storm)," said Hubbard. Then there's Easter, the US election, and ad hoc news events.
So far, the attacks have related to Western social events, and English in particular. But as home computer populations grow in India, China and Eastern Europe, Storm is likely to find fresh markets.
Corporate networks, which are better defended than home PCs, contribute relatively little Storm traffic. That does not mean chief information security officers can sleep easy. Any staff member who uses a home PC for work could inadvertently introduce the malware to the company. The company still needs to protect both entrance and exit points on its networks, and staff and their family need to practise safe surfing.