The 'Storm' That Keeps Blowing

Published by: smith 2009-01-07

As the medical profession struggles with "superbugs" and drug-resistant bacteria, the computer world has a superbug of its own that it can't seem to eradicate: the Storm worm.

This polymorphic monster is mutating faster than staphylococcus in a hospital and is the launch pad for many of the recent spam floods and denial of service attacks plaguing networks worldwide.

The Storm worm first surfaced in January in the U.S. and Europe with the distribution of a spam letter that referred to recent weather disasters in Europe. "230 dead as storm batters Europe," it said.

Attached to the e-mail was a small executable that—if someone was foolish enough to run it—set in motion a chain of unpleasant and all but irrevocable events. Storm, a.k.a. Small.Dam, a.k.a. Win32/Nuwar, would then proceed to install all kinds of software on the hapless computer, including an updating component.

Part of what makes the Storm worm so hard to eradicate is that it constantly mutates, roughly every 30 minutes. This makes the signature-based detection used by antivirus products fairly useless, because the worm pulls down new code much faster than antivirus vendors can push out signatures to detect it.

Also, Storm doesn't use the hub-and-spoke method of command and control like most worms. Taking out a few command and control servers is a simple way to take down a standard botnet, but Storm is immune to this tactic.

Instead, it uses a peer-to-peer method: each infected machine takes a payload and instructions and passes them on to other computers it knows to be infected. The peers communicate using a modified version of the eDonkey peer-to-peer file-sharing protocol, the communication between them is encrypted, and the encryption keys change constantly, too.
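
The takedown argument above can be checked on a toy model. This added example (not from the article; the topologies, sizes and function names are constructed for illustration) removes the best-connected nodes from a hub-and-spoke network and from a peer-to-peer mesh, then measures how much of each network can still relay messages.

```python
import random
from collections import deque

def hub_and_spoke(n_bots, n_servers):
    """Constructed topology: every bot talks only to one of a few C2 servers."""
    servers = [f"c2-{i}" for i in range(n_servers)]
    g = {s: set(servers) - {s} for s in servers}
    for b in range(n_bots):
        s = servers[b % n_servers]
        g[b] = {s}
        g[s].add(b)
    return g

def peer_to_peer(n_bots, peers_each, seed=1):
    """Constructed topology: every bot keeps a short list of other bots."""
    rng = random.Random(seed)
    g = {b: set() for b in range(n_bots)}
    for b in range(n_bots):
        for p in rng.sample([x for x in range(n_bots) if x != b], peers_each):
            g[b].add(p)
            g[p].add(b)
    return g

def takedown(g, k):
    """Remove the k best-connected nodes, as a C2-server takedown would."""
    doomed = set(sorted(g, key=lambda n: len(g[n]), reverse=True)[:k])
    return {n: nbrs - doomed for n, nbrs in g.items() if n not in doomed}

def largest_component_fraction(g, original_size):
    """Share of the original network that can still relay to each other."""
    seen, best = set(), 0
    for start in g:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            node = queue.popleft()
            size += 1
            for nbr in g[node] - seen:
                seen.add(nbr)
                queue.append(nbr)
        best = max(best, size)
    return best / original_size

def surviving_fraction(g, k):
    """Fraction of the network still connected after removing k top nodes."""
    return largest_component_fraction(takedown(g, k), len(g))
```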

All this sophisticated skulduggery comes from a shadowy group of Russian hackers.

"The way they've been able to constantly update their attacks and release something new every week has been fascinating to watch. It's been as surprising to everybody in the security industry as it has been to everyone else," Dmitri Alperovitch, principal research scientist at Secure Computing's TrustedSource Labs, told InternetNews.com.

Paul Ferguson, network architect for antivirus vendor Trend Micro, called Storm's construction "one of the most sophisticated designs anyone has come across." He said it's highly componentized and upgrades and changes itself constantly to avoid detection. In addition to the P2P nature, he noticed the worm seems to be partitioning itself into a number of smaller Storm botnets rather than one huge network as it was when it originally began.

Why the worm partitions itself in this way, Ferguson doesn't know. But he disagrees with some security experts who have downplayed Storm's potential threat to computers and networks. At the Toorcon security conference held last week, Brandon Enright, a network security analyst at the University of California at San Diego, said Storm has been steadily shrinking in size and threat and went so far as to say Storm was now a "squall."

One of the things Enright showed was that a sizable dent was made in the population of Storm-infected machines last month. This was attributed to Microsoft's monthly Patch Tuesday release on September 11 where its Malicious Software Removal Toolkit was patched to cover the variants of Win32/Nuwar.

That cut the population of Storm-infected computers by about 20 percent, according to Alperovitch, but the number came right back up after a few weeks and was reflected in Enright's own research.

So Ferguson thinks Storm remains a threat. "To assume the Storm botnet is on its way into decline is a dangerous assumption," he said. "They are segmenting it into smaller botnets. It has shrunken in size because we know it has been partitioned. So I think people are misinterpreting it because they don't know all the data available."

"Some headway has been made against Storm but it's not down for the count," said Randy Abrams, director of technical education for antivirus vendor ESET Software. "The guys behind it have displayed some resiliency." And with Storm mutating every 30 minutes and sending out new code, it's easy to get re-infected again, he added.

Wise Up, People

Alperovitch said that the MSRT support for Storm was a big help because it's on practically every Windows XP computer, except those that are pirated. "A lot of the infected machines are probably running illegal copies of Windows and don't want to register with Microsoft, or they are running older versions of the OS or have turned off Windows Update for some reason," he said.

But the real reason Storm is so effective is that users remain so gullible. It would seem like common sense not to click on a link or run an executable sent by a stranger, but some still do it.

"The Storm worm exploits the only vulnerability that's never been patched and that's the user," said Abrams. "I fully expect spam in the coming weeks with references to the fires in Southern California that will have links to Storm worm infections."

Chenxi Wang, principal analyst for security and risk management at Forrester Research, agreed. "Internet users are still not vigilant enough against Storm (or any other kind of virus)," he wrote in an e-mail to InternetNews.com. "They are not updating their signatures as promptly as they should or they're not vigilant enough against suspicious emails. As a result, Storm continues to find new victims."

However, if history is any indication, once these worms come out, they are with us for the long haul. Two of the most common worm variants are Bagle and Netsky, which have been around for years. "I'm quite confident we're going to be dealing with Storm for quite a while," said Alperovitch.

