Network News

X My Profile
View More Activity

Wishing an (Un)Happy Birthday to the Storm Worm

This week marks the one-year anniversary of the emergence of the spam-enabling Storm worm, a tenacious strain of malicious software that probably speaks more about the future of online crime than almost any other malware family circulating online today.

This chronological account from security firm Trend Micro visually sums up Storm's evolution more than I could with yet another recitation of the malware's machinations.

What I'd prefer to focus on in this post is the effect Storm had on the state of Internet security over the past year, and why we should be worried about the future.

Dmitri Alperovitch, director of intelligence analysis and hosted security for San Jose, Calif.-based Secure Computing, said federal law enforcement officials who need to know have already learned the identities of those responsible for running the Storm worm network, but that U.S. authorities have thus far been prevented from bringing those responsible to justice due to a lack of cooperation from officials in St. Petersburg, Russia, where the Storm worm authors are thought to reside. In a recent investigative series on cyber crime featured on washingtonpost.com, St. Petersburg was fingered as the host city for one of the Internet's most profligate and cyber-crime enabling operation -- the Russian Business Network.

Alperovitch blames the government of Russian President Vladimir Putin and the political influence of operatives within the Federal Security Service (the former Soviet KGB) for the protection he says is apparently afforded to cybercrime outfits such as RBN and the Storm worm gang.

"The right people now know who the Storm worm authors are," Alperovitch said. "It's incredibly hard because a lot of the FSB leadership and Putin himself originate from there, where there are a great deal of people with connections in high places."

Alperovitch believes the majority of Storm worm victims are Microsoft Windows users who for whatever reason have ignored the best advice of security professionals by not running anti-virus software and/or regularly applying software security updates. Indeed, the infection statistics seem to support that analysis. I spoke with Vincent Gullotto, head of Microsoft's security research and response team, who explained that Microsoft's "malicious software removal tool" -- shipped as part of its monthly patch updates -- has removed an average of 200,000 versions of the Storm worm from Windows systems each month since November, when the software giant first started shipping removal routines for Storm.

Interestingly, versions of the Storm worm fell from the no. 3-most-removed piece of malware back in November to no. 5 this past month, Gullotto said.

According to Trend, nearly 12,000 pieces of Storm-connected malware were unleashed online over the past year (this includes the Trojan that drops the payload, the Storm worm itself, as well as regular -- sometimes hourly -- updates pushed out to infected machines to stay a step ahead of any anti-virus software installed on the host system.) As big as Storm got this past year, Symantec's numbers help put things in a bit more perspective. Storm-related malware made up slightly more than one-quarter of one percent of all potential malicious code infections in 2007, Symantec said.

All this talk of rounding up the Storm worm author(s) reminded me of the dormant bounty program initiated by Microsoft in 2003, which was sparked by the emergence of the "Blaster" worm, a highly contagious program that spread back in the good-old-days when a majority of virus writers were still crafting their wares for fun and mischief instead of for profit. So far, Microsoft has paid out a half million bucks total -- to people who turned in the miscreants behind a Blaster variant and the author of the "Sasser" worm.

I asked Gullotto whether Microsoft had considered resurrecting the "Most Wanted" reward program for things like Storm. Gullotto said the subject has been discussed and considered, but that no final decision had been made.

But Gullotto said he suspects the cybercrime landscape has changed since those minor victories in an important way that may make it unlikely that a bounty on major virus writers would do much good. Namely, he said, it may now be more profitable -- and far less dangerous -- for those in-the-know about who's behind the latest most-wanted malware to simply keep their mouths shut than it is to turn in their erstwhile employers or overseers.

"When the bounty program was put together, it was really about finding these bad guys who were pure virus writers," Gullotto said. "That's not to say the same isn't true today, but when you have the whole money aspect injected into it, this changes the playing field and may make it a bit more difficult to track down who it might be or prove more succinctly that they wrote it."

By Brian Krebs  |  January 17, 2008; 9:37 AM ET
Categories:  Fraud , From the Bunker , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Targeted Attacks Use Unpatched Excel Flaw
Next: Apple Patches QuickTime, iPhone and iPod Security Holes

Comments

The root problem here is all the low hanging fruit, computer systems that are not properly secured and the ignorant operators behind the keyboard.

Honestly, it's not difficult to secure a computer (yes, even a Windows one) and learn to operate it safely. Yet, I see it everyday at work and via family/friends who just can't be bothered to take a few simple steps of prevention to avoid being that low hanging fruit (even when I provide all the resources for them). In their world, ignorance is bliss, but in reality it's just dangerously stupid! The bad guys are banking (pun intended) on that ignorance!

Granted governments and law enforcement have a role to play, but it is NOT their responsibility to ensure your computer system is secure and stays that way. Yet, that seems to be the mentality of the populace. It's someone else's responsibility! I'm just the victim.

There is so much truth in the old saying an ounce of prevention is worth a pound of cure!

Posted by: TJ | January 17, 2008 12:20 PM | Report abuse

Hi Brian,

That MS Malicious S/W Removal Tool - I get the monthly updates but never see any results from it being on my XP Pro system. Do we have to in some way run it from time to time, or is it active in the background?

Posted by: Bartolo | January 17, 2008 1:10 PM | Report abuse

HappyBirthday.exe to you. HappyBirthday.exe to you. :)

Posted by: David | January 17, 2008 1:28 PM | Report abuse

HappyBirthday.exe to you. HappyBirthday.exe to you. :)

Posted by: David | January 17, 2008 1:36 PM | Report abuse

Posted by: TJ | January 17, 2008 2:01 PM | Report abuse

"That MS Malicious S/W Removal Tool - I get the monthly updates but never see any results from it being on my XP Pro system. Do we have to in some way run it from time to time, or is it active in the background?"

The tool scans for malware during the update process, but you won't see any results unless it finds anything. It's not a background scanner- for that you'll an AV program.

Posted by: FreewheelinFrank | January 17, 2008 2:43 PM | Report abuse

This MS graf seems to explain it:

"Note The version of the tool delivered by Microsoft Update and Windows Update runs in the background and then reports if an infection is found. If you would like to run this tool more than once a month, use the version on this Web page or install the version that is available in the Download Center."

and matches what FwF wrote. Thanks.

Posted by: Bartolo | January 17, 2008 3:25 PM | Report abuse

Correction, The ROOT problem is that there is unethical, illegal use of electronics by people who hack someone's computer and steal their personal information, which is an invasion of their privacy. This is a crime and thus punishable by law. If proof exists send their sorry butts to jail, PERIOD. Can you think of a better way to stop them?

Posted by: popingrad | January 17, 2008 6:32 PM | Report abuse

Why am I not surprised that Putin and Gang is protecting criminals ?

Posted by: G.S.G. | January 17, 2008 6:58 PM | Report abuse

popingrad | January 17, 2008 06:32 PM

"Can you think of a better way to stop them?"

Yes, by NOT becoming a victim in the first place!

Don't be the low hanging fruit. In other words, don't make it easy for the bad guys. Be proactive and take responsibility for your own security whether in the electronic world or the physical. Don't rely ONLY on law enforcement or government intervention.

The first and best line of defense starts with you.

Posted by: TJ | January 18, 2008 9:23 AM | Report abuse

I read your column regularly and depend upon it for info and help. This time I am sending you a report (first time)...yesterday I got my 3 automatic MS patches (Jan. 17) EXPRESS (Urgent)

Windows XP Security Update for Windows XP (KB943485) Thursday, January 17, 2008 Windows Update
Windows XP Security Update for Windows XP (KB941644) Thursday, January 17, 2008 Windows Update
Windows XP Windows Malicious Software Removal Tool - January 2008 (KB890830) Thursday, January 17, 2008 Windows Update

and subsequently spent 2 HOURS w/ Dell help to fix my computer. It was fine when I used it in AM, then in aft. the shock of opening an entirely unfamiliar screen: the 3 ("essential")updates had messed up my video driver...the screen colors and presentation were entirely changed and I had some kind of silly photo next to my name in the start-up screen. The "Welcome screen" had changed too. The fonts were tiny, too tiny to read. The drivers had to be uninstalled & reinstalled several times (w/Dell Help) & it kept reverting to pale blue instead of the usual plain unadorned dark blue. I was too shocked to try anything myself, after I did the usual simple things. This is really bad.I had not had to ask for Dell Help, or any help, in the 2 years since I got my new Dell computer.
Furthermore, last week Symantec did some kind of patch, also automatically, & Symantec online help had to restore everything.
I know, I know I should not have "automatic installation", (I didn't before my new Dell computer...)but even if I just checked for "urgent" patches myself on the MS Update site, I would have installed them eventually after fear & dread installed itself in my mind. So....I am still curious as to whether the new stupid welcome screen & pale blue colors were somehow related to Vista (I am sticking w/ Windows XP as long as I can...I am one of the few who never had a moment's problems w/ Windows ME.)..however, I do not know what Vista's look is, & it certainly was not Windows anything else. If it was Vista, it was incredibly hard on the eyes, too pale, too white, too blue, too bad.
I would be interested if anyone else had this nasty experience, I am sure I am not the only one,...but the road of Unpatched happiness is not exactly risk-free either, so...what to do?
Many thanks for your columns, always.
Iris

Posted by: Iris | January 18, 2008 10:06 AM | Report abuse

Iris, I always go first to sites like Brian's and also to http://isc.sans.org/
to see what they might have to say about the monthly updates before I say yes to the downloads.

Others may have additional strategies to share...

Posted by: Bartolo | January 18, 2008 10:52 AM | Report abuse

Iris -- the new startup/login screen you see, and the color and font changes suggests that maybe you've had auto-login as your default (single-user) setup and that's been changed, and/or that the color theme for your user has been changed. Windows updates should not cause such changes, but you say that Dell Help talked you through uninstalling and reinstalling video drivers. More likely the problem you describe is due to issues with those drivers which happened to be "tickled" by the update process rather than that the update itself took liberties with your system. Of course, Dell is not likely to offer this suggestion, especially as you seemed to have already decided that the updates were to blame.

If your color themes and such are still all messed up, get back on the phone with Dell and get them to talk you through the fix for that -- if this is due to "their" video drivers, they'll have had a deal more experience dealing with folk in your situation by now, and should be ready for handling your call...

Posted by: Nick FitzGerald | January 18, 2008 5:08 PM | Report abuse

Perhaps we can fight fire with fire. Instead of offering money to those who can only identify the writers and purveyors of malware, why not offer a bounty for identifying and taking the lives of these criminals? If the law is ineffective then perhaps it is time to hire our own criminals.

Posted by: Robert | January 29, 2008 5:58 AM | Report abuse

The REAL root problem is that OS vendors have failed to implement a decent UI for end-users to manage the trust relationship between themselves and programs operating on their systems. That, and the lack of easy-to-understand visual tools to indicate to the user what programs are up to. This has led to a situation where people think of their computers as a giant, mysterious landscape where actions occurring without their knowledge or consent is simply commonplace.

Posted by: Tim | January 29, 2008 2:43 PM | Report abuse

TJ, you can blame "clueless" users all you want. It's not going to solve anything. As long as Internet connectivity is given to people with no computer skills there will be Internet connected computers out there that will be compromised.

Not to mention the fact that exploits always get exploited BEFORE they get patched.

You're simply wrong about how to fix or who to blame about the problem. The fix is to hunt down these criminals wherever they are, put them in jail and throw away the key. Nobody but the criminals are to blame.

Posted by: tpp | January 29, 2008 2:44 PM | Report abuse

I can't agree that the problem is caused by people who don't run an AV program.

If you leave your car unlocked, and someone steals it, is the theft your fault? No. It is the fault of some miscreant sociopath.

Posted by: Chad | January 29, 2008 6:08 PM | Report abuse

I have to agree with Chad. While the problem is compounded by clueless users, it's not their fault. It's squarely the fault of the people writing malware. Go after them. Hard. Take away everything they have. If the do it again simply shoot them. Easy. Simple.

I *don't* use AV software as a rule - it is too easy to become complacent and lazy. A properly configured *hardware* firewall in combination with a good software firewall and some simple common sense really goes a long way.

Finally if people would learn to use the lump of pudding they call a brain, we could really see some improvement.

Posted by: Cosgrach | January 29, 2008 7:49 PM | Report abuse

The problem is - the proof does NOT exist. All that we have is just words of Dmitri Alperovitch, who blames Putin and KGB for something.
Remember cyberattacks on Estonia? They said - Kremlin is guilty! No proof for nearly a year.
Have you ever heard of presumption of innocence? If you blame someone, then YOU should prove that they are guilty, not the other way.
And if you deny someone their rights and call them villains, they wouldn't work hard to change your mind - they will just act like villains - because they aren't going to lose ANYTHING. And it's your fault.

Posted by: Leoric | January 31, 2008 3:23 AM | Report abuse

Posted by: Russian | January 31, 2008 9:12 AM | Report abuse

The link posted above (from Webplanet e-magazine) is perfect example of what Russians think about the publications like Brian Krebs's. Just wonder if Brian ever contacted ANY security expert from Russia? Or his job is to copy common western myphs? You know Russians laugh a lot reading this kind of stories!

Just a quote:
"The only clear message we got from The Guardian: western security experts and government agencies want more money. For this purpose, they use media to create Big Enemy Image and start Cold War 2.0".
http://webplanet.ru/english

Posted by: Alex | January 31, 2008 9:27 AM | Report abuse

"You're simply wrong about how to fix or who to blame about the problem. The fix is to hunt down these criminals wherever they are, put them in jail and throw away the key. Nobody but the criminals are to blame.
Posted by: tpp | January 29, 2008 02:44 PM"

"If you leave your car unlocked, and someone steals it, is the theft your fault? No. It is the fault of some miscreant sociopath.
Posted by: Chad | January 29, 2008 06:08 PM"

While I agree to lay blame at the feet of the bad guys, it is foolish to ignore our own culpability regarding physical or electronic security. If I leave my house or car unlocked or fail to properly secure my computer, am I not part of the problem? Am I not making it easier for the bad guys? (Rhetorical questions) It's about risk management. Take steps to lower your risk. Be proactive. An ounce of prevention is worth a pound of cure.

Posted by: TJ | January 31, 2008 2:12 PM | Report abuse

The Russian crime syndicates are powerful and ruthless. Their scams are well documented. I don't doubt Putin is involved.

Posted by: nk | January 31, 2008 3:47 PM | Report abuse

Comment 1.

"The root problem here is all the low hanging fruit, computer systems that are not properly secured and the ignorant operators behind the keyboard."

Root problem? Low hanging fruit? Take a bow shot at microsoft, 95% of the blame lies with them, they are the easy to hack low hanging fruit.

Trying for a continual simplified windows 'experience' its like handing a toddler the
keys to your car and expecting them to be a mechanic too.

Flawed product saying hack me please, while they are getting better windows is notorious for
its blatant trust - from internet sharing flaw to remote assistant/guest user, the list goes on. Its not unreasonable to expect a secure-ish OS out of the box.

Lack of control - 98 etc task manager was stupid - just stop the exe and if a process is hidden shrug, now....now you can see the processes, but what does it do? Theres no human description behind say the spooler service, theres often no way to stop a process because its protected itself or windows is running the debugger - or once stopped to keep it from coming back - no you have to regedit/safemode/msconfig to do anything useful. Unrealistic
to expect a user to do that. So the solution is to install some software which may or not be bona fide.

Lack of trust. Hey Windows _could_ work well with trusted anti malware companies - but you know the windows team doesnt trust anyone else to do a decent job at something, they'll just make their own half baked version and throw in some security centre that is a mish mash.

Pushing out flawed updates. Microsoft has a history of this, i take it youve never been at the end of a helpdesk call saying i just installed some service pack or update and now im bluescreening or something else doesnt work. Partially this is because windows is installed on howevermany configured systems. Unless something is super critical I wont install an update, let someone else cut themselves on the cutting edge.

Windows itself is the low hanging fruit. Knock yourself out updating and chastising your friends for not installing updates - ignorance really is bliss.

As for storm coming from Russia - it probably does, but wether it does or not i dont see Russia going sure you guys, come in and trawl through our networks and see if you can nab those miscreants - would it be reasonable to expect an organization like the pentagon to handle it that way?

Posted by: Anonymous | January 31, 2008 7:58 PM | Report abuse

Russia is now a dictatorship, ex-KGB officer Putin is rapidly suppressing democratic political opposition. One major presidental candidate was just banned from running by annuling his collection of 2 million supporting signatures. Industry tycoons are selectively robbed of their wealth and sent to the Gulags just because they happen to be jews. Russia is all about military build-up and secret services controlled state machiner. The malware (cyberweapon) field is also becoming state-controlled as new cold war is inevitable. The free world must prepare, NATO and EU will stand guard.

Posted by: Yuji Kaido | February 1, 2008 4:49 AM | Report abuse

to Yuji Kaido: "free world" - you must be kidding!

Do you really think that Echelon'ed, Carnivor'ed, NATO'ed and RIAA'ed world could be FREE?

Posted by: Russian | February 4, 2008 4:44 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company