0 Replies Latest reply on Dec 31, 2007 12:21 PM by HarryWaldron

    New and Improved Storm Worm botnet coming in 2008

      While Microsoft's MSRT facilities have cleaned hundreds of thousands of copies found on client PCs, the Storm Worm botnet continues to launch new attacks (and thankfully with fewer copies due to the diminished size now).
      Still, malware innovations continue for this highly advanced attack that mitigate spam and AV detection controls.

      A high degree of security is built into the botnet (e.g., fast-flux servers and DDoS traps), which makes it difficult to locate the master servers and the malware authors themselves. All new developments for the Storm Worm are important to follow during 2008.

      New and Improved Storm Worm botnet coming in 2008
      http://rbnexploit.blogspot.com/2007/12/rbn-new-and-improved-storm-botnet-for.html

      QUOTE: Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt planning for many in the ISP security and anti-spam arena to be on skeleton staff.
      The key objective for the Russian Business Network (RBN) is to rebuild the Storm Botnet which is shown in various reports over the last few months, from a few million enslaved PCs to more recently a few 100,000’s. One can only further guess as to what the RBN’s main goal is to use a rebuilt Storm Botnet for, e.g. earlier DDOS (Denial of Service attack) on Estonia.

      There are some interesting elements which make this new attack innovative:

      -- Although much of what is detected is conventional spam, there is also a large amount of spam which is getting through many anti-spam defenses due to the use of “fake” BlogSpot (Blogger) links

      -- Although most have identified it as the Zhelatin Storm email worm or a variant, it also appears as the more recent fake codec downloads, dependent upon where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit has the ability to alter its signature in an attempt to combat anti-virus tools.

      -- The fast-flux technique used to avoid detection in this case is actually “double-flux”, characterized by multiple nodes within the network registering and de-registering their addresses. It is also safe to say this newer Storm Network has now also improved defense mechanisms, if examined too closely.

      More information related to the most recent Christmas and New Year's e-card attacks can be found here.
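The “double-flux” behaviour quoted above (A records and the nameservers themselves rotating through many compromised hosts on short TTLs) is something a defender can spot in resolver or passive-DNS logs. The following is an added example, not code from the original post or from the RBN blog it quotes: a small Python classifier over constructed DNS observations that separates a double-flux domain from a stable one and from a CDN-style domain that also shows many IPs and a short TTL but no real network diversity. The thresholds, the domain names, and the use of a /16 prefix as a stand-in for “different network” are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class DnsObservation:
    """One DNS answer seen by a resolver or a passive-DNS sensor."""
    ts: int        # seconds since some epoch (constructed values below)
    qname: str     # queried domain
    rrtype: str    # "A" or "NS"
    value: str     # IPv4 address for A, nameserver hostname for NS
    ttl: int       # TTL advertised in the answer


def _obs(ts, qname, rrtype, value, ttl):
    return DnsObservation(ts, qname, rrtype, value, ttl)


# Constructed sample, not real traffic; names use reserved example/test ranges.
SAMPLE = [
    # flux-example.test: A and NS records both rotate, short TTLs, several networks
    _obs(0,    "flux-example.test", "A",  "203.0.113.10",  180),
    _obs(0,    "flux-example.test", "NS", "ns1.flux-example.test", 180),
    _obs(300,  "flux-example.test", "A",  "198.51.100.22", 180),
    _obs(600,  "flux-example.test", "A",  "192.0.2.77",    180),
    _obs(600,  "flux-example.test", "NS", "ns7.flux-example.test", 180),
    _obs(900,  "flux-example.test", "A",  "203.0.113.45",  180),
    _obs(1200, "flux-example.test", "A",  "198.51.100.9",  180),
    _obs(1200, "flux-example.test", "NS", "ns3.flux-example.test", 180),
    _obs(1500, "flux-example.test", "A",  "192.0.2.130",   180),
    # stable-example.test: one address, two nameservers, day-long TTLs
    _obs(0,    "stable-example.test", "A",  "192.0.2.1", 86400),
    _obs(0,    "stable-example.test", "NS", "ns1.stable-example.test", 86400),
    _obs(0,    "stable-example.test", "NS", "ns2.stable-example.test", 86400),
    _obs(1800, "stable-example.test", "A",  "192.0.2.1", 86400),
    # cdn-example.test: many addresses and a short TTL, but all in one /16 and
    # served by a fixed nameserver; a load-balancing pattern, not flux
    _obs(0,    "cdn-example.test", "NS", "ns1.cdn-example.test", 3600),
    _obs(0,    "cdn-example.test", "A",  "198.51.100.1", 60),
    _obs(60,   "cdn-example.test", "A",  "198.51.100.2", 60),
    _obs(120,  "cdn-example.test", "A",  "198.51.100.3", 60),
    _obs(180,  "cdn-example.test", "A",  "198.51.100.4", 60),
    _obs(240,  "cdn-example.test", "A",  "198.51.100.5", 60),
    _obs(300,  "cdn-example.test", "A",  "198.51.100.6", 60),
]


def summarize(observations):
    """Collapse observations into per-domain churn features."""
    per_domain = defaultdict(lambda: {"A": set(), "NS": set(), "nets": set(), "ttls": []})
    for obs in observations:
        feats = per_domain[obs.qname]
        feats[obs.rrtype].add(obs.value)
        feats["ttls"].append(obs.ttl)
        if obs.rrtype == "A":
            # /16 is a crude stand-in for "different network" (assumption);
            # with an ASN feed you would count distinct ASNs instead.
            feats["nets"].add(ip_network(f"{obs.value}/16", strict=False))
    return per_domain


def classify(summary, min_a=5, min_nets=3, min_ns=3, max_avg_ttl=300):
    """Label each domain double-flux, single-flux or none.

    Thresholds are illustrative assumptions, not published detection values.
    A domain is flux-like only if its A records churn across several networks
    with short TTLs; it is double-flux if the NS set churns as well.
    """
    result = {}
    for qname, feats in summary.items():
        distinct_a = len(feats["A"])
        distinct_ns = len(feats["NS"])
        networks = len(feats["nets"])
        avg_ttl = mean(feats["ttls"])
        a_flux = distinct_a >= min_a and networks >= min_nets and avg_ttl <= max_avg_ttl
        if a_flux and distinct_ns >= min_ns:
            label = "double-flux"
        elif a_flux:
            label = "single-flux"
        else:
            label = "none"
        result[qname] = {
            "label": label,
            "distinct_a": distinct_a,
            "distinct_ns": distinct_ns,
            "networks": networks,
            "avg_ttl": avg_ttl,
        }
    return result


if __name__ == "__main__":
    for qname, r in classify(summarize(SAMPLE)).items():
        print(f"{qname:22} {r['label']:12} A={r['distinct_a']} NS={r['distinct_ns']} "
              f"nets={r['networks']} avg_ttl={r['avg_ttl']:.0f}")
```

The network-diversity check is the part that matters in practice: a CDN or round-robin web farm also answers with many addresses on a short TTL, so IP count and TTL alone produce false positives. Flux networks hand out addresses of infected home machines scattered across many ISPs, which is what the distinct-network count (ideally distinct ASNs) captures.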