Storm Worm's virulence may change tactics

The swiftly spiking onslaught of the Storm Worm may signal an upcoming change in how its creators intend to wield their weapon.

I caught up with Joe Stewart, senior security researcher at managed security company SecureWorks, at the Black Hat conference. He says that since June 1st, his company has blocked a boggling 20 million attack e-mails carrying the Storm Worm payload. That's up from just over 70,000 attacks seen during the longer span from the beginning of the year through the end of May.

"It's getting out of hand," Stewart says.

And that's just from the networks they're seeing. Mail security company Postini recently said that during the most recent Storm Worm flood, it saw 120 million attack e-mails in the span of five days.

The misnamed Storm Worm isn't actually a worm; it's a bot, used to corral infected computers together into a network called a botnet, which can then be issued commands by a central criminal controller. One common command is to send vast amounts of spam.

For example, "sending out billions of e-mails per day is effortless" for the Storm Worm botnet, Stewart says.

From the number of infected machines he's found, Stewart estimates that the Storm botnet could comprise anywhere from 250,000 to 1 million infected computers. And that raises questions, along with eyebrows.

"Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam."

For spam, a million-strong botnet might be overkill. But botnets can do much more - like launching denial-of-service attacks. These attacks aim to overwhelm a particular Web site or Internet server by sending it a constant stream of garbage data.

Garbage data from one source isn't hard to deal with. But multiply that by a million, and you're talking about a raging deluge.

The Storm Worm is capable of launching DoS attacks, and has already been used for them. So the huge rise in the malware's spread may mean that its creator is getting ready to expand his revenue stream and rent out his botnet for powerful DoS attacks.

The good news is that if you're smart, it's not hard to avoid becoming a Storm Worm victim. So far, the bot spreads as e-mail attachments sent to addresses harvested from infected machines. There's a good chance you've seen it already, in the guise of a fake news story or a supposed e-greeting card.

If you were smart enough to avoid opening those attachments, and are smart enough to continue to avoid all unexpected attachments in the future, you'll likely stay safe from the Storm Worm. Unfortunately, as the malware's continued spread proves, there are plenty who aren't so smart.

This story, "Storm Worm's virulence may change tactics," was originally published by PCWorld.
