Tracking down the Storm Worm malware

Summary: What is the current state of Storm Worm activity, how many infected IPs are found to host the malware on a daily basis, which are the latest domains used by the Storm Worm, and which countries have the largest infected population?

What is the current state of Storm Worm activity, how many infected IPs are found hosting the malware each day, which domains the Storm Worm is currently using, and which countries have the largest infected population? You can find out by keeping an eye on TrustedSource's Storm Tracker, a handy tool that gives both researchers and end users a real-time overview of current Storm Worm activity. Keep in mind that the view is built from a single vendor's sensor network, so it is a sample of the malicious activity rather than a census. What are some of the categories monitored by the service?

Infected Storm Worm PCs

TrustedSource's Storm Tracker monitors the following categories:

- Daily New Web Proxy IPs
- Most Active Storm Web Proxy IPs
- Top Storm Domains
- Newly Activated Storm Web Proxy IPs
- Recently Seen Storm Web Proxy IPs
- Geolocation of Storm Web Proxy IPs
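The categories above are all aggregations over the same kind of sensor feed: one record per sighting of a fast-flux web proxy IP serving a Storm domain. The following added example (not code from the original post or from TrustedSource) shows how each category is derived from such a feed. The record layout, the IP addresses, domains and country codes are constructed for illustration; the IPs come from documentation ranges and the domains use the reserved `.test` TLD.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample feed (assumption): one row per observed request to a
# Storm web proxy, as (day, proxy_ip, domain_served, country_of_ip).
# The IPs are documentation addresses and the domains are made up.
RECORDS = [
    (date(2008, 5, 1), "198.51.100.7",  "example-storm.test", "US"),
    (date(2008, 5, 1), "203.0.113.9",   "example-storm.test", "DE"),
    (date(2008, 5, 2), "198.51.100.7",  "example-storm.test", "US"),
    (date(2008, 5, 2), "192.0.2.44",    "other-storm.test",   "US"),
    (date(2008, 5, 3), "198.51.100.7",  "other-storm.test",   "US"),
    (date(2008, 5, 3), "192.0.2.44",    "other-storm.test",   "US"),
    (date(2008, 5, 3), "203.0.113.200", "other-storm.test",   "BR"),
]


def first_seen(records):
    """Earliest day each proxy IP appeared in the feed."""
    seen = {}
    for day, ip, _, _ in records:
        if ip not in seen or day < seen[ip]:
            seen[ip] = day
    return seen


def daily_new_ips(records):
    """'Daily New Web Proxy IPs': how many IPs were first seen on each day."""
    counts = Counter(first_seen(records).values())
    return {day: counts[day] for day in sorted(counts)}


def newly_activated(records, day):
    """'Newly Activated Storm Web Proxy IPs': IPs whose first sighting is `day`."""
    return sorted(ip for ip, d in first_seen(records).items() if d == day)


def recently_seen(records, day, window_days=7):
    """'Recently Seen Storm Web Proxy IPs': IPs observed in the last
    `window_days` days up to and including `day`."""
    return sorted({ip for d, ip, _, _ in records
                   if 0 <= (day - d).days < window_days})


def most_active_ips(records, n=3):
    """'Most Active Storm Web Proxy IPs': IPs ranked by number of sightings."""
    return Counter(ip for _, ip, _, _ in records).most_common(n)


def top_domains(records, n=3):
    """'Top Storm Domains': domains ranked by number of sightings."""
    return Counter(dom for _, _, dom, _ in records).most_common(n)


def geolocation(records):
    """'Geolocation of Storm Web Proxy IPs': distinct infected IPs per country.
    Counting distinct IPs (not sightings) avoids letting one busy proxy
    inflate its country's infected population."""
    per_country = defaultdict(set)
    for _, ip, _, cc in records:
        per_country[cc].add(ip)
    return {cc: len(ips) for cc, ips in per_country.items()}


if __name__ == "__main__":
    today = RECORDS[-1][0]
    print("daily new:", daily_new_ips(RECORDS))
    print("newly activated today:", newly_activated(RECORDS, today))
    print("recently seen (2 days):", recently_seen(RECORDS, today, 2))
    print("most active:", most_active_ips(RECORDS))
    print("top domains:", top_domains(RECORDS))
    print("per country:", geolocation(RECORDS))
```

The distinction between "newly activated" and "recently seen" matters when reading the tracker: a flux network rotates proxies quickly, so a host that was recently seen but is not new is one that survived patching or cleanup for more than a day.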

Storm Worm pioneered peer-to-peer botnet command and control alongside the more common botnet communication platforms, and it popularised the fast-flux botnet structure, which makes the infrastructure dynamic and harder to shut down. In terms of the OODA loop, it is currently in the orienting phase. What does this mean? For instance, after observing the success rate of the recent wave of SQL injection attacks, the botnet masters decided to take advantage of the noise generated by the copycats: they reintroduced the tactic they were using in August 2007 and started injecting their exploit-serving domains into vulnerable sites, hoping these would go unnoticed among the other currently active SQL injection campaigns.
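Once a site's database has been hit by such a campaign, the injected domain shows up in the rendered pages as a script or iframe reference to a host the site does not own. The added example below (not code from the original post) is a simple check a site owner or analyst can run over crawled HTML: it collects every external script and iframe host and cross-references it with a domain list such as the tracker's Top Storm Domains. The sample page, the site host, the allowlist and the blocklist entry are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the host of every <script src=...> and <iframe src=...> tag.
    Unquoted attribute values (common in injected payloads) are handled
    by html.parser, so src=http://host/x.js is picked up as well."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            host = urlsplit(src).hostname if src else None
            if host:                      # relative paths have no host
                self.hosts.append(host.lower())


def injected_hosts(html, site_host, allowlist=()):
    """Return every external script/iframe host that is neither the site
    itself nor on its allowlist of known third parties (CDNs, ad servers)."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowlist)}
    return sorted({h for h in parser.hosts if h not in trusted})


def flag_known_bad(hosts, blocklist):
    """Cross-check hosts against a domain list (e.g. the tracker's Top Storm
    Domains). Fast-flux campaigns use many subdomains, so a host matches if
    it equals a listed domain or sits underneath it."""
    listed = {d.lower() for d in blocklist}
    return sorted(h for h in hosts
                  if h in listed or any(h.endswith("." + d) for d in listed))


# Constructed sample: a product page whose description column was hit by a
# SQL injection that appended a script tag. Site, CDN and bad domain are
# made up; "bad-flux.test" stands in for a tracker-listed Storm domain.
SITE_HOST = "www.example-shop.test"
ALLOWLIST = ["cdn.example.com"]
BLOCKLIST = ["bad-flux.test"]
SAMPLE_PAGE = """<html><head><title>Products</title>
<script src="/static/app.js"></script></head>
<body><h1>Widgets</h1>
<p>Blue widget, 10 pcs<script src=http://a1.bad-flux.test/x.js></script></p>
<iframe src="http://cdn.example.com/ad"></iframe>
</body></html>"""


def scan_sample():
    """Run the two-stage check over the constructed page."""
    external = injected_hosts(SAMPLE_PAGE, SITE_HOST, ALLOWLIST)
    return external, flag_known_bad(external, BLOCKLIST)


if __name__ == "__main__":
    external, bad = scan_sample()
    print("unexpected external hosts:", external)
    print("matches known Storm domains:", bad)
```

Treat the first stage (any unexpected external host) as the real alert and the blocklist match only as confirmation: the campaign rotates domains faster than any published list is updated, and an unknown external script host injected into your own content is suspicious regardless of whether it is already listed.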

Given Storm Worm's historical pattern of event-based social-engineering campaigns alternating with periods of passive behaviour, once the botnet masters have oriented and decided, they will act again. It is always calm before the real storm, especially at a time when multiple storms are fighting for market share.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

11 comments
  • Having Knowledge Isn't Necessarily Communicating Knowledge

    I respect Mr. Danchev's superior technical knowledge of Web security. But it's very frustrating to read his run-on, wandering, multiple-car-wreck sentences.

    Absent a good editor at ZD, Mr. Danchev needs a course in business composition or journalism. Both disciplines teach the value of clear, short sentences. Even when concepts are complex and interrelated, short sentences explain them better.

    Sorry to be so blunt, but I hate to see agile minds shackle themselves with bad communication. Writing IS easy to learn.
    archetuthus
  • RE: Tracking down the Storm Worm malware

    I think Dancho Danchev needs to spend less time drinking strong coffee and more time considering how to communicate. This is hyper-hype and of little or no value to IT professionals. May sound good to your mates, Dancho, but the rest of us need to know what's actually happening and what we can do about it. I know no more after reading this article than I did before reading it.
    tgilbert@...
    • RE: Tracking down the Storm Worm malware

      Do your homework if you know what you're looking for exactly, and you'll find it. Start by going through my previous coverage of Storm Worm, and catch up :

      http://ddanchev.blogspot.com/search?q=storm+worm

      Storm worm's activities since 2007, who's behind it, graphs and detection rates, propagation and infection vectors used, as well as all the known domains used by the malware so far.

      Else, move onto the next article or find something more valuable to do.
      ddanchev
      • give it to them

        Thank you for not rewriting the same thing over and over just to pacify the cry babies.
        I for one do keep up with threats and news
        And do prefer to read new information rather than something written for newbies.
        cwhull
  • RE: Tracking down the Storm Worm malware

    "Do your homework if you know what you're looking for exactly, and you'll find it. ...."

    Just an observation, not a flame:
    Most bloggers will cite references to their previous posts on a subject and not expect their reader to hunt them down.
    esalkin
    • RE: Tracking down the Storm Worm malware

      "Most bloggers will cite references to their previous posts on a subject and not expect their reader to hunt them down."

      If you actually go through the post you'll find the references to my historical research into storm worm's tactics and developments for 2007. The reason for including these is to update those who haven't had the chance to see them already, and to expand the discussion on storm worm's differentiation factors compared to the majority of commodity malware currently in the wild.
      ddanchev
  • RE: Tracking down the Storm Worm malware

    I don't think the writing is as bad as others say. I can follow the post, but, as I came in in the middle of this problem I want to know what is being done to stop it and get it off the computers. If someone would just point me in the right direction, please.
    cristinoel
    • RE: Tracking down the Storm Worm malware

      Wow, this is among the few comments focusing on something important and not whining about something.

      A lot is being done to stop it, a connection between storm worm and several malware gangs has already been established from a law enforcement perspective, and the community is actively exchanging data on the latest campaigns, malicious domains are also getting shut down. As always, this is happening behind the curtains, like pretty much everything important, the point is that storm worm is being successfully tracked down each and every time they launch a new campaign. Don't forget that storm worm is just one of the many other botnets currently in the wild, a list of which you can find in a link at the end of the post.

      What you can do, is ensure you're free of client-side related vulnerabilities by self-auditing yourself with Secunia's personal software inspector :

      https://psi.secunia.com/

      and stay away from emails including links to IP addresses such as http://127.0.0.1 enticing you to download a file.

      You can also take advantage of a handy, and free behavior-based malware protection courtesy of Threatfire,

      http://www.threatfire.com/

      Since I don't know what level of technical knowledge you have, or which products from other companies you currently use, making sure you're not running outdated software will prevent over 90% of the current campaigns in the wild from infecting you.

      Storm worm is the best example that using outdated and already patched vulnerabilities can end up in the world's largest botnet, compared to the common wisdom of using zero day vulnerabilities, since all the storm worm campaigns were using outdated vulnerabilities which end users still living in the antivirus and firewall perimeter defense world failed to patch.
      ddanchev
  • RE: Tracking down the Storm Worm malware

    It's really sad to see how dumb IT admins have gotten. If you guys can't call support or have someone holding your hands to fix your problems, then you can't get it fixed. There is really a lack of technical knowledge now in the world. Do some research, pick up a book. I personally appreciate the technical knowledge Dancho shares with us. So for the previous posters, please stop crying because things have gotten too technical for you to understand. Start keeping up to date or find another job, because this whole botnet thing is not getting any easier.....
    john_stansky
  • Get his direct "blog"

    Far more data as the members there are far more, how shall I say, Not Fan Boys nor Zealots. Sadly, here at ZDnet, a writer must apparently appeal to the software religious.
    dragon@...
  • RE: Tracking down the Storm Worm malware

    Thanks so much for this information. It takes all of us working together, I know, to get rid of the worms, etc.
    cristinoel