Network World
Wednesday, January 7, 2009

Not quite right

There are many errors in this story, which I believe result from Mr. Henry's misunderstanding or misinterpreting the source materials mentioned in Bruce Schneier's blog entry (cited in this story). I recognize the errors, as I talked about some of these issues at the Information Security Decisions 2007 conference in November, provided an interview to Dennis Fischer for his Information Security Magazine article quoted in Bruce's blog, and I co-authored the two papers in the December USENIX ;login: magazine cited by Bruce. This article mistakes and confuses facts I presented on three malware artifacts I and my co-authors have studied recently: Storm, Nugache, and a variant of Rizo (derived from Rbot source code). These original sources are not cited, and from what I can tell Mr. Henry and Secure Computing are confusing Nugache with the Rizo variant I spoke of.

For example:

  • Nugache has always had strong encryption (at least as far back as October 2005);
  • Nugache has had P2P as the primary command and control mechanism going back to at least April 2006;
  • Nugache uses a simple custom packer, with no accompanying rootkit (it is Rizo that is multiply-packed, as is Storm, but in a different way);
  • Rizo is a standard IRC bot, which neither uses P2P for command and control, nor encrypts the command and control traffic like Storm or Nugache;
  • I have seen no evidence whatsoever that Nugache has been revamped, or is being actively propagated or sold (that is likely the Rizo variant, which again is an unrelated, normal IRC bot);
  • Nugache is not currently rivaling Storm in number, nor is it building on Storm (in fact, Nugache predates Storm, and in some respects is more sophisticated than Storm, and appears to be in decline in number);
  • Storm, Nugache, Rizo, and probably other malware are (or were) being propagated using similar multi-level attacks involving more indirect social-engineering attacks, but that does not mean they all trace back to the same source, or that anything being propagated using web-based attacks involving blogs is Nugache.

Other articles have appeared in the tech press, and other blog postings, in early January 2008. All cite this erroneous article, have other erroneous quotes by Mr. Henry, and/or repeat these same errors. The quote about the price of botnets going down due to Nugache is almost certainly associated with Rizo or Rbot IRC bots, not Nugache: even someone on offensivecomputing.net makes this same mistake of confusing Nugache with Rizo. One even suggests Storm and Nugache are the same thing, which is certainly not true. This is unfortunate, and does not help anyone properly respond to (or even adequately understand) the "threat." At least in one of them, Trend Micro disputes the claims made in this article based on their own research.

If you are interested in the subject, see the first-hand publications cited by Bruce Schneier in his blog, not this Seriously Confused repackaging of those sources.
