The perfect storm

28 Feb 2008

A new piece of malicious code that first appeared last year has become one of the biggest threats on the internet. Gordon Smith tracks its development.

When notice of a new malware threat surfaced on 17 January last year, few outside the IT security community probably paid it much heed and few within could have guessed its impact. Like many attacks before it, this piece of code tried to trick people into clicking on an email attachment containing code designed to hijack their computer.

It was dubbed Storm because the emails supposedly offered information about the bad weather that was hitting Europe at the time. This online storm, however, did anything but fade away quietly. Experts believe it’s a sign of bad things to come; more than a year since its first appearance Storm is still adding new infected computers worldwide.

Storm was the most pervasive of the recorded internet attacks during 2007, according to IBM’s X-Force security team. “It morphed and grew very quickly. We collected over 50,000 different samples of storm malware throughout 2007. It represented 13pc of our entire malware zoo from that year,” says Holly Stewart, product manager with IBM X-Force in the US.

According to security guru Bruce Schneier of Counterpane, Storm “represents the future of malware.”

He’s worried about the way it behaves, notably how it bides its time between strikes, which makes it much harder to detect. Whoever is behind Storm – and their identity is hearsay at best – carefully chooses key moments to attack.

A variant of Storm will usually appear before holidays or major events such as Hallowe’en, Christmas or St Valentine’s Day, aiming to exploit people when they are most likely to inadvertently click on an email from a stranger.

“Their use of social engineering is probably the best I’ve ever seen,” comments Robert McArdle, an antivirus researcher with Trend Micro in Cork. “Three to four weeks before, they will start sending spam. Then one week before they see which ones are doing well and use that technique to really push it.”

Whoever is behind Storm is constantly adapting it, says McArdle. In its guise as a stock market scam, it began as a basic text email. When antivirus engines got wise to this, the senders then started obfuscating the text using pictures, later moving to PDF attachments and even MP3s with an audio message.

When it wants to turn a machine into a bot, Storm’s payload is hidden in an executable file which appears as an attachment with the email. By clicking on it, users’ computers become infected and part of a botnet – a group of compromised machines that can be used to send spam email or attack another computer without the owner’s knowledge.

The X-Force annual report categorises modern malware as “the digital equivalent of the Swiss Army knife” and Storm fits that description to a T – a multi-purpose piece of code that arrives in various forms and can fulfil many tasks.

“Not only does the bot have access to information specific to the user of the system, information that could be sold off in batches with other similar information or individually, but the bot controller can also use it as a spam or phishing relay and lease that capacity to others,” says Stewart.

“It could also become a distribution point to infect other machines, either through spam with malicious attachments and links to malicious websites or through locally exploiting neighbouring computers.” She adds: “Although we had seen bots before, Storm pioneered the formation of its own ‘bot nation’ – a sort of army that could be puppeteered by the man behind the curtain for any number of purposes.”

The botnet created by Storm operates on a peer-to-peer basis, which serves many purposes. “You take the network and subdivide it and then sublet it out to other customers on the black market. Some might be used for sending spam, some for websites that host malware,” says McArdle.

In addition, this technique is an extremely clever way to avoid detection. In a peer-to-peer environment, no one computer knows every other computer on the bot network; like a terrorist cell, each part of the botnet functions as a small independent group.

“The technique has been around in crime for centuries – people acting in self-contained cells,” says McArdle. “If there is one control server and you take it out, the whole army goes down. A peer-to-peer botnet means that if you take one out, the rest continue to function.”

“The old tactic of finding the control server, contacting the ISP and getting it shut down is not possible with Storm because there’s no one computer controlling everything. Even if you roll out a new antivirus pattern that takes out 20pc of the botnet, that still leaves 80pc.”

That’s not the only approach Storm’s masters take to hide their tracks. “To make it difficult to stop, when they know if they’re being monitored, they will launch denial of service attacks against us. It’s a form of built-in protection,” says McArdle. These attacks are also routed through multiple countries to hide the origin of the attack.

“For someone to trace that back, you need to have co-operation between all law enforcement agencies. The people behind Storm do that between countries that have hostility to one another just to slow down investigations. We’re not dealing with the stereotypical teenager doing things for attention – we’re dealing with professional criminal organisations and they’re 100pc focused on making money.”

Estimates vary as to Storm’s reach: various experts put it at anywhere between one million and 50 million infected machines, which, if the latter is accurate, would give Storm more power than any supercomputer available today. Some believe its influence has diminished, thanks to more vigilant computer users and more effective antivirus systems from security software providers.

“We hope this is the case and that they haven’t simply morphed into something that is more difficult to track,” says Stewart, who nonetheless sounds a word of warning. “Even if they are truly declining, other bots are moving in to take their place.”

Bots as a whole certainly did not decline in 2007. In fact, the trojan category of malware is the fastest-growing category of 2007. If Storm’s trail of destruction won’t serve to make users aware of how important it is to keep their computers secure, what will?

By Gordon Smith