The Storm Worm's Family Tree
New research suggests that the infamous Storm worm has its roots in a computer worm that first surfaced as early as 2004, two-and-a-half years prior to Storm's widely-recognized birthday.
The findings come from security researchers at Damballa, a start-up in Atlanta that monitors activity from botnets, large groupings of hacked, remotely-controlled computers that criminals use for spamming and other online illegal activity.
According to the researchers, Storm was born from the ashes of the "Bobax worm," one of the most successful botnet-related computer worms of the past few years. Bobax spread by exploiting various vulnerabilities in the Microsoft Windows operating system, and turned infected machines into spam-spewing zombies. By early 2005, Bobax had spread to hundreds of thousands of PCs, after a highly successful spam campaign that used infected e-mail attachments disguised as pictures purportedly showing Saddam Hussein or Osama Bin Laden captured or dead.
Many security Web sites (including this one) "celebrated" Storm's one-year anniversary during the third week of January, when it earned its namesake as an e-mail touting videos of the death and destruction wrought by violent storms lashing the coast of Europe at the time. But Damballa researcher Chris Davis maintains that the first instance of the Storm worm actually surfaced in late 2006 (see this SANS Internet Storm Center alert on Dec. 29, 2006.).
Yet that initial effort to jump-start the Storm worm network fizzled, probably because there were so few systems used to "seed" the infections and blast out the Storm recruitment e-mails, Davis said. As it posed little threat at the time, nobody paid much attention.
That is, until Jan. 19, when anti-virus firm F-Secure reported receiving a flood of spam advertising new versions of Storm. Researchers soon discovered that all infected systems were controlled using the eDonkey peer-to-peer file (P2P) communications protocol, the same technology and networks used by millions of people to share movies and music online.
What Davis and his colleagues found last fall in poring over dozens of Bobax malware samples collected during the end of Jan. 2007 was that for about the last eight days of that month, the Bobax botnet - then estimated to have numbered more than 100,000 PCs - began cannibalizing itself. Davis said Bobax had adopted the eDonkey P2P communications method in order to replace itself with a copy of Storm.
"These guys tried to create a Storm botnet and keep the Bobax separate, but they were fairly unsuccessful," said Paul Royal, Damballa's principal researcher. "They basically took Bobax and made all of them become Storm victims, and then started the propagation of Storm through that method. So Storm used a big botnet to bootstrap itself, and it was the vehicle by which Storm became very popular very quickly."
With remnants of the once-mighty Bobax botnet abound, Damballa estimates that roughly 17,000 systems remain infected with Bobax. Royal said these systems most likely were either offline or unreachable during the window of time other Bobax systems were being upgraded.
Davis and Royal say the e-mails that Bobax started sending after it adopted Storm's P2P communication method were identical to those sent by newly-infected Storm systems at the time, with subject lines such as "A Kiss for You," "Dream Girl," "Two of a Kind," and "Wild Nights--Wild Nights." The names of the poisoned attachments that accompanied each also matched those spammed by Storm: "Flash Postcard.exe," "Greeting Card.exe," and "Postcard.exe."
Posted by: won worried guy | February 7, 2008 9:35 PM | Report abuse
Posted by: Ferrand | February 11, 2008 3:24 PM | Report abuse
The comments to this entry are closed.