My 1/27/08 Missoulian column
I’ve been reading about the Storm worm for nearly a year now and have found what it delivers to my e-mail in-box at least a few times a week: spam. Those e-mails entice you to open an attachment containing a hot stock tip, a holiday greeting or a link to a Web site to read a breaking news item. Doing any of these will install a malware program called a Trojan horse that will hijack a personal computer and turn it into a zombie remotely controlled by hackers.
Malware and scams are typical of spam, but the Storm worm is particularly serious business, with a complex story behind it. The Storm worm is a sophisticated bit of malware written by hackers who have assembled a botnet of thousands of rogue computers around the world, all controlled by a group presumed to be based in Russia and funded by organized crime. The owners of the botnet have retaliated against security professionals researching the Storm worm and ways to fight it, attacking university networks with millions of bits of bogus Internet traffic and forcing them offline. The botnet itself regularly spews out billions of spam e-mails, seemingly reserving the vast power of the network for attacks.
Google “Storm worm” and you’ll find many articles covering the rapidly changing landscape and forecast. (Technically, if you keep up with such details, the Storm worm isn’t really a worm; it’s a Trojan horse – a disguised program – and the botnet that controls it.) The Storm worm got its name from some of the first spam that was sent out to lure victims into clicking a link: “230 dead as storm batters Europe,” the subject line said, and thousands of people clicked on the link to read the story. Later subject lines claimed a serial killer was on the loose, that Christmas greetings were inside, and more.
This month is the Storm worm’s first anniversary, and there’s a new twist. The Washington Post’s Brian Krebs wrote last week that “federal law enforcement officials have learned the identities of those responsible for running the Storm network, but U.S. authorities have thus far been prevented from bringing those responsible to justice due to a lack of cooperation from officials in St. Petersburg, Russia.”
Last fall, the Storm botnet was partially killed off by anti-virus software and Windows updates to PCs that had been taken over. Lately, the network has been growing again, primarily because of several capabilities built in by the hackers: the botnet herders can update their software in response to anti-virus software, and the malware itself can encrypt itself to evade detection – even shutting off for a while – and then communicate with other copies of itself around the Internet.
Storm will be with us for a while longer, because the holidays are good times for hackers to add to their network. Christmas spam – and the resulting clicks by readers – allowed the botnet to jump in strength from around 10,000 PCs to 40,000 or more. Valentine’s Day is coming up, and I’ve already gotten “I Love You” spam that will install Storm, so experts are predicting another jump in strength.
“In terms of power, (the Storm botnet) utterly blows the supercomputers away. … It’s very frightening that criminals have access to that much computing power, but there’s not much we can do about it,” Matt Sergeant, chief anti-spam technologist with MessageLabs, told Information Week’s Sharon Gaudin for a September story.
A record was set Aug. 22, 2007, when 57 million virus-infected e-mail messages – 99 percent of them from the Storm worm – were spit out by somewhere around 2 million infected PCs, trying to add to the botnet. At about the same time, the botnet attacked researchers who were studying it with what are called “distributed denial of service,” or DDOS, attacks. Those attacks are like dialing a phone number a hundred times a second and hanging up, not connecting, which denies anyone else the chance to get through. The government of Estonia may also have been a victim; it was knocked offline for days last May by an intense DDOS attack orchestrated by a vast botnet, probably Storm.
But, as Krebs wrote last week, Microsoft’s malicious software removal tool – shipped as part of its monthly updates – has deleted an average of 200,000 versions of the Storm worm from Windows systems each month since November, so the huge power of the botnet may be blunted. According to experts at anti-virus labs who watch Storm, the botnet is currently being broken up and rented out to other spammers and Internet scammers who use malware. Few will take a guess at what will next happen with Storm.
So, how not to get caught by Storm?
Run Windows Update on your PC, and have it set to run automatically. You’ll need to install all available Windows patches. Keep your anti-virus up to date, too. This will help disable the Storm Trojan horse if it’s hiding on your PC. If you use an Apple Macintosh, you’re not susceptible to Storm, except for the scams contained in its e-mail links.
The bottom line: Don’t open file attachments from people you don’t know, and don’t click spam links. Good rules to live by if you want to keep from getting rained on.
Follow-up: The Montana Historical Society has started the Montana History Wiki that anyone can add to.