New and Improved Storm Worm botnet coming in 2008

Posted Monday, December 31, 2007 4:36 PM by hwaldron

While Microsoft's MSRT cleaned hundreds of thousands of copies found on client PCs, the Storm Worm botnet continues to launch new attacks, thankfully with fewer copies now that its size has diminished. Still, malware innovations continue in this highly advanced attack to evade spam filtering and AV detection controls. A high degree of security is built into the botnet (e.g., fast-flux servers and DDoS traps), which makes it difficult to locate the master servers and the malware authors themselves. All new developments for the Storm Worm are important to watch for during 2008.

New and Improved Storm Worm botnet coming in 2008
http://rbnexploit.blogspot.com/2007/12/rbn-new-and-improved-storm-botnet-for.html

QUOTE: Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt planning for many in the ISP security and anti-spam arena to be on skeleton staff. The key objective for the Russian Business Network (RBN) is to rebuild the Storm Botnet, which various reports over the last few months show has gone from a few million enslaved PCs to, more recently, a few 100,000s. One can only further guess as to what the RBN’s main goal is in using a rebuilt Storm Botnet, e.g. the earlier DDOS (Denial of Service attack) on Estonia.

There are some interesting elements which make this new attack innovative:

-- Although much of what is detected is conventional spam, there is also a large amount of spam which is getting through many anti-spam defenses due to the use of “fake” BlogSpot (Blogger) links.

-- Although most have identified it as the Zhelatin Storm email worm or a variant, it also appears as the more recent fake codec downloads, dependent upon where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit has the ability to alter its signature in an attempt to combat anti-virus tools.

-- The fast-flux technique used to avoid detection in this case is actually “double-flux”, characterized by multiple nodes within the network registering and de-registering their addresses. It is also safe to say this newer Storm Network now also has improved defense mechanisms, if examined too closely.
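The double-flux behaviour in the last bullet (A records rotating across many hosts and networks on short TTLs, with the zone's NS names rotating as well) can be recognised from the resolver side by repeating a lookup and measuring the churn. The following is an added defensive illustration, not code from this post or from the RBN Exploit blog; the `DnsSnapshot` records, the three sample domains and the thresholds are constructed assumptions, not measurements of any real domain.

```python
"""Resolver-side heuristics for spotting fast-flux and double-flux DNS behaviour.

Added example: the DnsSnapshot records and thresholds below are constructed,
not observations of any real domain.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class DnsSnapshot:
    """One lookup of a domain: seconds since the first lookup, the A records
    (ip, ttl) returned for the name, and the NS names advertised for its zone."""
    t: int
    a_records: Tuple[Tuple[str, int], ...]
    ns_records: Tuple[str, ...]


def _net16(ip: str) -> str:
    """Coarse network key (first two octets) used to count distinct networks."""
    return ".".join(ip.split(".")[:2])


def flux_indicators(snapshots: Iterable[DnsSnapshot], *, ip_threshold: int = 5,
                    net_threshold: int = 3, ttl_threshold: int = 600,
                    ns_threshold: int = 3) -> Dict[str, object]:
    """Summarise the churn seen across repeated lookups of one domain.

    Single-flux: many A records spread over many networks with short TTLs.
    Double-flux: the same, and the zone's NS names rotate as well.
    The thresholds are assumed starting points, not calibrated values.
    """
    snaps = list(snapshots)
    if not snaps:
        raise ValueError("need at least one snapshot")
    ips = {ip for s in snaps for ip, _ in s.a_records}
    nets = {_net16(ip) for ip in ips}
    min_ttl = min(ttl for s in snaps for _, ttl in s.a_records)
    ns_names = {ns for s in snaps for ns in s.ns_records}
    # Fraction of each snapshot's IPs that were absent from the previous lookup.
    churn = []
    for prev, cur in zip(snaps, snaps[1:]):
        prev_ips = {ip for ip, _ in prev.a_records}
        cur_ips = {ip for ip, _ in cur.a_records}
        churn.append(len(cur_ips - prev_ips) / len(cur_ips))
    a_flux = (len(ips) >= ip_threshold and len(nets) >= net_threshold
              and min_ttl <= ttl_threshold)
    ns_flux = len(ns_names) >= ns_threshold
    return {
        "distinct_ips": len(ips),
        "distinct_networks": len(nets),
        "min_ttl": min_ttl,
        "distinct_ns": len(ns_names),
        "mean_ip_churn": sum(churn) / len(churn) if churn else 0.0,
        "a_flux": a_flux,
        "ns_flux": ns_flux,
    }


def classify(snapshots: Iterable[DnsSnapshot]) -> str:
    """Label a domain as 'double-flux', 'single-flux' or 'stable'."""
    ind = flux_indicators(snapshots)
    if ind["a_flux"] and ind["ns_flux"]:
        return "double-flux"
    if ind["a_flux"]:
        return "single-flux"
    return "stable"


# Constructed sample lookups (documentation/reserved address ranges only).
_FLUX_A = (
    (("203.0.113.5", 300), ("198.51.100.17", 300), ("192.0.2.44", 300)),
    (("203.0.113.9", 300), ("198.51.100.80", 300), ("192.0.2.7", 300)),
    (("100.64.1.2", 300), ("203.0.113.9", 300), ("172.16.9.1", 300)),
)
DOUBLE_FLUX = (  # A records and NS names both rotate
    DnsSnapshot(0, _FLUX_A[0], ("ns1.flux.example", "ns2.flux.example")),
    DnsSnapshot(300, _FLUX_A[1], ("ns3.flux.example", "ns2.flux.example")),
    DnsSnapshot(600, _FLUX_A[2], ("ns4.flux.example", "ns1.flux.example")),
)
SINGLE_FLUX = (  # A records rotate, NS names stay fixed
    DnsSnapshot(0, _FLUX_A[0], ("ns1.flux.example", "ns2.flux.example")),
    DnsSnapshot(300, _FLUX_A[1], ("ns1.flux.example", "ns2.flux.example")),
    DnsSnapshot(600, _FLUX_A[2], ("ns1.flux.example", "ns2.flux.example")),
)
STABLE = tuple(  # one address, long TTL, fixed NS names
    DnsSnapshot(t, (("192.0.2.10", 3600),), ("ns1.example", "ns2.example"))
    for t in (0, 3600, 7200)
)

if __name__ == "__main__":
    for name, snaps in (("double", DOUBLE_FLUX), ("single", SINGLE_FLUX),
                        ("stable", STABLE)):
        print(name, classify(snaps), flux_indicators(snaps))
```

The NS-rotation check is what separates double-flux from plain fast-flux: a domain whose A records churn but whose name servers stay put is still reachable through a single point of administrative pressure, whereas a double-flux zone moves that point too. In practice the thresholds need tuning against CDNs and round-robin load balancers, which also show many short-TTL A records but rarely rotate NS names.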

More information can be found here:
