There's a Storm Coming
Posted by Will Irace on October 04, 2007 at 1:52 PM EDT.
We've come a long way since the first malware started making our lives more complicated, and everyone knows the threat has evolved. We've witnessed this evolution in the shifting motivations of the online bad guys, from glory to profit. We've witnessed this evolution in the shifting attitude malware takes to its target: from ignoring the victim without regard to the mess it makes, to hiding from the victim in hopes of silently achieving a specific purpose to (someday, perhaps soon) actively engaging the victim in pursuit of its goals. We've witnessed this evolution in the growth of attacks that are not based on software vulnerabilities. And we've witnessed this evolution in the level of creativity and innovation today's malware exhibits.
The leading example of this in 2007 is Storm. Is it a worm? A trojan? A bot? It can be any of these: malware wranglers aren't just in it to spread infections far and wide because they can. Today's malware has a purpose, and usually that purpose centers on owning as many devices as possible--and herding the assembled bot network to do all kinds of bad stuff. What's Storm's specific purpose? There are clues. Soon after the initial infections, Storm sent off a few small DDoS attacks, but there's no indication that these were anything more than small-scale experiments, which have continued all year. This month brought more experiments demonstrating some of the mechanisms being tested to grow the Storm network. Some NFL fans were taken in by an IM phishing scam offering up-to-date scores and statistics. Those who took the bait unwittingly joined the botnet. In another scheme, a spam went out warning about the legal risks of MP3 file sharing; the spam conveniently offered Tor as a means to reduce this risk. Tor is as real as the NFL; but the link in the spam was to a compromised version of the Tor client, and those who took the bait unwittingly joined forces with those newly Storm'd NFL fans. And just a few days ago, a months-long attack against a notable anti-spam operation ended (presumably just long enough for the Storm folks to analyze the result and fine tune the next attack).
We don't know how big the nearly ten percent of computers known to be infected with any malware. And we know that Storm'd zombies form decentralized peer to peer networks--not unlike the swarms which appear and vanish to support your Bittorrent downloads--making the prospect of locating and eradicating every last Storm agent almost laughable. And we know that efforts to grow the Storm botnet have been wildly successful: as many as 50 million hosts are now under control of the malware’s architects, and Storm is now by far the world’s largest botnet. Properly harnessed, it’s also arguably the world’s biggest distributed computing network.
This is significant. Storm is now bigger than SETI@Home (under 200,000 active users), WCG (326,213) and all of the other distributed computing projects combined. Some folks have declared it the world’s largest supercomputer. If you broke into the Pentagon and got away with some encrypted
The good news if you hold the reins to the most powerful distributed spamming and DDoS engine yet seen, is that your goals can be achieved without resorting to such crude methods. An infected greeting card here, a pump-n-dump scam there, top it off with some sexual enhancement products, and that should keep you pretty well satisfied.
Until the next big idea comes along