Security Watch: Don't get burned by viruses and hackers
The Energizer botnet: It keeps going and going
By Robert Vamosi 
Senior editor, CNET Reviews
November 8, 2007

Back in 1999 when I first covered security--initially for ZDNet, then CNET--there seemed to be a new virus released every day. Today, of course, things are different. So when the Storm worm first appeared in January 2007, I didn't initially cover it. In retrospect, Storm has become the most interesting worm in a long while, in part because it carries bot code, which in turn builds large botnets for use by criminal enterprises. I recently had a chance to talk with Dr. Jose Nazario of Arbor Networks, who agreed. "Back in January, I began working on some materials and I thought not many people will remember the Storm worm. I didn't expect that when I was using the training later in the year, that Storm would still be as big a problem as it was." I've covered Storm before, but here's an overview of Storm's accomplishments within the last few months. Next week, Nazario will present some insights on how researchers go about detecting and killing botnets--or at least managing them.

The lure
Botnets themselves are not new. They are platforms made of thousands of infected computers worldwide. Initial code infects a vulnerable computer, then establishes a link to a Web server that downloads instructions for the compromised computer. The bot-infected computer can spew spam, assist in a denial-of-service attack on a target, or spread new versions of the originating worm.

With Storm, Nazario said, what changed was the lure used to get you to visit a Storm node: a node within the active botnet, a Web server that serves up the latest malicious code. Like traditional viruses of the past, the recent Storm variations have been timed to current events in the hope that someone new will be caught off guard and become infected. "They've gone from e-cards and postcards to Fourth of July greetings, some Labor Day greetings, and most recently Halloween greetings, psycho kitties, and stuff like that."

Spam
The second thing that Nazario said changed with Storm is how it sends spam once a machine has been infected. "The use of spamming is nothing new; it's been going on all year. The methods by which it sends the spam out have changed; they've gone from PDF, Excel files and recently MP3 files, and back to text files and other documents."

Nazario said the change in tactics is "designed to slip past filters and try basically to get the spam message out. Spammers are incredibly adept and have a lot of pressure to evolve and evade filters. The Storm worm helps them amplify that attack."
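A filter keyed on file extensions is exactly what a switch from PDF to Excel to MP3 attachments is meant to slip past. The following added example (my illustration, not code from the article or from Arbor Networks) triages attachments by their leading bytes instead of by the name the sender gave them, so that a "text file" that is really a PDF, or an "MP3" that is really a Windows executable, is flagged regardless of extension. The sample attachments are constructed inline; the magic-number table covers the common containers the article mentions plus PE executables.

```python
"""Attachment triage by content, not by declared filename (added example)."""
from __future__ import annotations

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Leading bytes (magic numbers) of common attachment containers.
MAGIC = (
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt container
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx (OOXML)
    (b"ID3", "mp3"),                                 # MP3 with an ID3v2 tag
    (b"MZ", "pe"),                                   # Windows executable
)

# What each declared extension *should* contain.
EXTENSION_TO_KIND = {
    "pdf": "pdf", "doc": "ole2", "xls": "ole2", "docx": "zip", "xlsx": "zip",
    "mp3": "mp3", "txt": "text", "exe": "pe",
}


def sniff(data: bytes) -> str:
    """Identify the container from its content; 'unknown' if nothing matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    # MPEG audio frame sync (11 set bits) covers MP3s with no ID3 tag.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    if data and all(b in PRINTABLE for b in data[:512]):
        return "text"
    return "unknown"


def triage(filename: str, data: bytes) -> dict[str, str | bool]:
    """Compare the declared type (from the extension) with the sniffed type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSION_TO_KIND.get(ext, "unknown")
    actual = sniff(data)
    mismatch = declared != actual
    # Policy decision depends only on what the bytes are, never on the name.
    verdict = "block" if actual == "pe" else ("review" if mismatch else "allow")
    return {"file": filename, "declared": declared,
            "actual": actual, "mismatch": mismatch, "verdict": verdict}


# Constructed sample attachments standing in for a mailbox's worth of spam.
SAMPLES = [
    ("greeting.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    ("report.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),
    ("song.mp3", b"ID3\x03\x00\x00\x00\x00\x00\x00"),
    ("readme.txt", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),      # PDF renamed to .txt
    ("card.mp3", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),   # executable named .mp3
]


def triage_all(samples=SAMPLES) -> list[dict[str, str | bool]]:
    return [triage(name, data) for name, data in samples]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

The check only identifies the outer container; a zip or OLE2 file still needs to be opened and its contents inspected before it is trusted, and the same magic-number idea applies one level down.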

Encryption
Unlike most botnets, the one created by the Storm worm can receive commands from the peer-to-peer network and act upon them. Nazario said Storm is one of the most high-profile of the active botnets to use encrypted command and control instructions. Fortunately, the encryption used by Storm isn't strong, and most researchers are able to access the data inside. "As long as the bot code is out there, we'll always be able to work past the encryption because you can always trace it." Even if the encryption gets better, "there are other ways you can get at the data, even if it has to be encrypted at some stage."

"Other botnets that we've seen have been using--I don't want to call it trivial--but certainly minor forms of encryption or coding of the commands to try and thwart real-time analysis. And they're generally using nothing like SSL or stream-level encryption but rather in channel communication encryption. They're encrypting or encoding packets," which Nazario said was relatively easy to dissect and study.
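What "minor forms of encryption or coding of the commands" means in practice, and why the bot code being available lets an analyst work past it, is easiest to see with a worked decoder. The following is an added example, not Storm's actual format or any Arbor Networks tool: it assumes a command channel obfuscated with a fixed single-byte XOR, which is the kind of in-channel encoding the quote describes. If the sample is in hand the key can be read from the binary; even without it, the 256 possible keys are a trivial search, and a keyword pulled from the bot's string table (a crib) pins the key down directly. The packet, the command grammar and the keyword list are all constructed for the illustration.

```python
"""Analyst-side decoding of a single-byte-XOR command channel (added example)."""
from __future__ import annotations

# Constructed keyword list: strings an analyst would lift from the bot binary.
KNOWN_TOKENS = (b"SPAM", b"UPDATE", b"IDLE")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def plaintext_score(candidate: bytes) -> float:
    """Printable-ASCII fraction, plus a bonus when a known command keyword appears."""
    if not candidate:
        return 0.0
    printable = sum(b in PRINTABLE for b in candidate) / len(candidate)
    bonus = 1.0 if any(tok in candidate for tok in KNOWN_TOKENS) else 0.0
    return printable + bonus


def recover_key(wire: bytes, crib: bytes | None = None) -> int:
    """Recover the XOR key from one captured packet.

    With a crib (known plaintext), the key is wire[i] ^ crib[j] and must be the
    same byte across the whole crib; without one, try all 256 keys and keep the
    most plausible decoding.
    """
    if crib:
        for off in range(len(wire) - len(crib) + 1):
            keys = {w ^ c for w, c in zip(wire[off:], crib)}
            if len(keys) == 1:
                return keys.pop()
        raise ValueError("crib does not appear under any single-byte key")
    return max(range(256), key=lambda k: plaintext_score(xor_bytes(wire, k)))


def parse_command(plain: bytes) -> dict[str, str]:
    """Split a constructed 'VERB KEY=VALUE ...' line into fields."""
    verb, *pairs = plain.decode("ascii").split()
    fields = {"verb": verb, "known": str(verb.encode() in KNOWN_TOKENS)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key.lower()] = value
    return fields


def decode_capture(wire: bytes, crib: bytes | None = None) -> dict[str, str]:
    """Recover the key, strip the encoding and parse the command."""
    key = recover_key(wire, crib)
    command = parse_command(xor_bytes(wire, key))
    command["key"] = f"0x{key:02x}"
    return command


# Constructed sample: the command below encoded with key 0x5A stands in for a
# captured C&C packet. It is not real Storm traffic.
SAMPLE_PLAINTEXT = b"SPAM TEMPLATE=ecard INTERVAL=300"
SAMPLE_WIRE = xor_bytes(SAMPLE_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    print(decode_capture(SAMPLE_WIRE))               # brute force
    print(decode_capture(SAMPLE_WIRE, crib=b"SPAM"))  # crib from the binary
```

The same two routes, reading the routine out of the sample or searching a small key space with a plausibility score, are what make this class of encoding "relatively easy to dissect"; a channel wrapped in real stream encryption such as SSL would force the analyst back to the binary and the key material it holds.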

Who's responsible?
It's hard to say who's to blame. Nazario said it appears Storm is still under one group of users who send the pump-and-dump spam as a way to make money, and who also defend the bot through DDoS (Distributed Denial of Service) attacks "to try and get researchers to go away. We haven't heard much about DDoS attacks lately; it has appeared to have died off, although apparently [they] have launched DDoS attacks [on other targets] on occasion…either themselves on behalf of others, or others have used the same sort of botnet."

There have also been indications of other activities associated with the Storm worm. "It's hard to say if it's the same people or if something else is going on." Nazario suggested a PC might have multiple infections, serving up Storm malcode as well as spyware and fraud software. "That we had not previously seen associated with Storm worm." Indeed, Storm is one worm/botnet that keeps evolving.

Next week, I'll ask Nazario to explain how researchers look inside botnets, and what, if any, hope exists to manage or eliminate botnets in the future.

For more on this part of the conversation, hear my latest Security Bites podcast here.

Do you agree the Storm worm is probably a laboratory for criminal hackers to try new and different methods of infection and deployment? Or is the media just sensationalizing Storm?
TalkBack to me.


TalkBack
4 messages

Article discussion: The Energizer botnet: It keeps going and going


Latest post:

"do i have a botnet infection?"
by jzzzzzz (See profile) - November 19, 2007 10:52 AM PST
I have a business website and the last 3 weeks have been attacked by some joker who fills out my "contact us" form. of course the email is factitious and at the bottom of the jibbe... (Read more).

You CAN defend yourself

By locking down key system areas, you can fortify Windows and prevent Web-borne ... (Read more)
by santuccie (See profile) - November 12, 2007 12:06 PM PST
5 out of 5 users found this comment helpful

Botnetters are playing with fire.

Some day these crooks are going to anger a Mafioso and end up in concrete overho... (Read more)
by gdgroves (See profile) - November 12, 2007 6:26 AM PST

cooperation is needed from ISPs

Spam points to zombie PCs that sent them and tie the use of these Zombie PCs to ... (Read more)
by hadaso (See profile) - November 12, 2007 2:31 AM PST


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.