Wishing an (Un)Happy Birthday to the Storm Worm
This week marks the one-year anniversary of the emergence of the spam-enabling Storm worm, a tenacious strain of malicious software that probably speaks more about the future of online crime than almost any other malware family circulating online today.
What I'd prefer to focus on in this post is the effect Storm had on the state of Internet security over the past year, and why we should be worried about the future.
Dmitri Alperovitch, director of intelligence analysis and hosted security for San Jose, Calif.-based Secure Computing, said the federal law enforcement officials who need to know have already learned the identities of those responsible for running the Storm worm network. U.S. authorities, he said, have so far been unable to bring those people to justice because of a lack of cooperation from officials in St. Petersburg, Russia, where the Storm worm authors are thought to reside. In a recent investigative series on cyber crime featured on washingtonpost.com, St. Petersburg was fingered as the host city for one of the Internet's most prolific cybercrime-enabling operations -- the Russian Business Network.
Alperovitch blames the government of Russian President Vladimir Putin and the political influence of operatives within the Federal Security Service (the former Soviet KGB) for the protection he says is apparently afforded to cybercrime outfits such as RBN and the Storm worm gang.
"The right people now know who the Storm worm authors are," Alperovitch said. "It's incredibly hard because a lot of the FSB leadership and Putin himself originate from there, where there are a great deal of people with connections in high places."
Alperovitch believes the majority of Storm worm victims are Microsoft Windows users who, for whatever reason, have ignored the standard advice of security professionals by not running anti-virus software and/or not regularly applying software security updates. Indeed, the infection statistics seem to support that analysis. I spoke with Vincent Gullotto, head of Microsoft's security research and response team, who explained that Microsoft's "malicious software removal tool" -- shipped as part of its monthly patch updates -- has removed an average of 200,000 instances of the Storm worm from Windows systems each month since November, when the software giant first started shipping removal routines for Storm.
Interestingly, versions of the Storm worm fell from the no. 3-most-removed piece of malware back in November to no. 5 this past month, Gullotto said.
According to Trend Micro, nearly 12,000 pieces of Storm-connected malware were unleashed online over the past year. That count includes the Trojan that drops the payload, the Storm worm itself, and the regular -- sometimes hourly -- updates pushed out to infected machines to stay a step ahead of any anti-virus software installed on the host system. As big as Storm got this past year, Symantec's numbers help put things in perspective: Storm-related malware made up slightly more than one-quarter of one percent of all potential malicious code infections in 2007, Symantec said.
All this talk of rounding up the Storm worm author(s) reminded me of the dormant bounty program initiated by Microsoft in 2003, which was sparked by the emergence of the "Blaster" worm, a highly contagious program that spread back in the good-old-days when a majority of virus writers were still crafting their wares for fun and mischief instead of for profit. So far, Microsoft has paid out a half million bucks total -- to people who turned in the miscreants behind a Blaster variant and the author of the "Sasser" worm.
I asked Gullotto whether Microsoft had considered resurrecting the "Most Wanted" reward program for things like Storm. Gullotto said the subject has been discussed and considered, but that no final decision had been made.
But Gullotto said he suspects the cybercrime landscape has changed since those minor victories in an important way that may make it unlikely that a bounty on major virus writers would do much good. Namely, he said, it may now be more profitable -- and far less dangerous -- for those in-the-know about who's behind the latest most-wanted malware to simply keep their mouths shut than it is to turn in their erstwhile employers or overseers.
"When the bounty program was put together, it was really about finding these bad guys who were pure virus writers," Gullotto said. "That's not to say the same isn't true today, but when you have the whole money aspect injected into it, this changes the playing field and may make it a bit more difficult to track down who it might be or prove more succinctly that they wrote it."
January 17, 2008; 9:37 AM ET
Categories: Fraud, From the Bunker, Safety Tips