Storm botnet

[Figure: The typical lifecycle of spam that originates from a botnet: (1) Spammer's web site (2) Spammer (3) Spamware (4) Infected computers (5) Virus or trojan (6) Mail servers (7) Users (8) Web traffic]
Common name: Storm Botnet
Aliases: Dorf, Ecard
Point of origin: Russia
Author(s): Russian Business Network (speculated)
Operating system(s) affected: Windows 95, Windows 98, Windows ME, Windows XP

The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware [1] ) was a remotely controlled network of "zombie" computers (or "botnet") that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, [2] [3] and accounted for 8% of all malware on Microsoft Windows computers. [4] It was first identified around January 2007, having been distributed by e-mail with subjects such as "230 dead as storm batters Europe," which gave it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far fewer than it had infected a year earlier. [5]


As of December 2012, the original creators of Storm have not been found. The Storm botnet displayed defensive behaviors indicating that its controllers were actively protecting the botnet against attempts to track and disable it, by specifically attacking the online operations of some security vendors and researchers who had attempted to investigate it. [6] Security expert Joe Stewart revealed that in late 2007 the operators of the botnet began to further decentralize their operations, possibly in preparation for selling portions of the Storm botnet to other operators. It was reportedly powerful enough to force entire countries off the Internet, and was estimated to be capable of executing more instructions per second than some of the world's top supercomputers. [7] The United States Federal Bureau of Investigation considered the botnet a major risk of increased bank fraud, identity theft, and other cybercrimes. [8] [9]

Origins

First detected on the Internet in January 2007, the Storm botnet and worm are so-called because of the storm-related subject lines its infectious e-mail employed initially, such as "230 dead as storm batters Europe." Later provocative subjects included "Chinese missile shot down USA aircraft," and "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel." [2] [10] [11] It is suspected by some information security professionals that well-known fugitive spammers, including Leo Kuvayev, may have been involved in the operation and control of the Storm botnet. [12] According to technology journalist Daniel Tynan, writing under his "Robert X. Cringely" pseudonym, a great portion of the fault for the existence of the Storm botnet lay with Microsoft and Adobe Systems. [13] Other sources state that Storm Worm's primary method of victim acquisition was through enticing users via frequently changing social engineering (confidence trickery) schemes. [14] According to Patrick Runald, the Storm botnet had a strong American focus, and likely had agents working to support it within the United States. [15] Some experts, however, believe the Storm botnet controllers were Russian, some pointing specifically at the Russian Business Network, citing that the Storm software mentions a hatred of the Moscow-based security firm Kaspersky Lab, and includes the Russian word "buldozhka," which means "bulldog." [16]

Composition

The botnet, or zombie network, comprises computers running Microsoft Windows as their operating system. [17] Once infected, a computer becomes known as a bot. This bot then performs automated tasks, anything from gathering data on the user, to attacking web sites, to forwarding infected e-mail, without its owner's knowledge or permission. Estimates indicated that 5,000 to 6,000 computers were dedicated to propagating the worm through e-mails with infected attachments; 1.2 billion virus messages had been sent by the botnet through September 2007, including a record 57 million on August 22, 2007 alone. [17] Lawrence Baldwin, a computer forensics specialist, was quoted as saying, "Cumulatively, Storm is sending billions of messages a day. It could be double digits in the billions, easily." [2] One of the methods used to entice victims to infection-hosting web sites is the offer of free music from artists such as Beyoncé Knowles, Kelly Clarkson, Rihanna, The Eagles, Foo Fighters, R. Kelly, and Velvet Revolver. [18] Signature-based detection, the main defense of most computer systems against virus and malware infections, is hampered by the large number of Storm variants. [19]

Back-end servers that control the spread of the botnet and Storm worm automatically re-encode the distributed infection software twice an hour for new transmissions, making it difficult for anti-virus vendors to keep signatures current and stop the spread of the infection. Additionally, the location of the remote servers that control the botnet is hidden behind a constantly changing DNS technique called 'fast flux', making it difficult to find and stop virus-hosting sites and mail servers. In short, the names and addresses of such machines are frequently changed and rotated, often on a minute-by-minute basis. [20] The Storm botnet's operators control the system via peer-to-peer techniques, making external monitoring and disabling of the system more difficult. [21] [22] There is no central "command-and-control point" in the Storm botnet that can be shut down. [23] The botnet also makes use of encrypted traffic. [24] Efforts to infect computers usually revolve around subtly manipulating people into opening e-mail attachments that contain the virus. In one instance, the botnet's controllers took advantage of the National Football League's opening weekend, sending out mail offering "football tracking programs" which did nothing more than infect a user's computer. [25] [26] According to Matt Sergeant, chief anti-spam technologist at MessageLabs, "In terms of power, [the botnet] utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." [17] It was estimated that only 10–20% of the total capacity and power of the Storm botnet was being used at the time. [27]
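The fast-flux rotation described above leaves a measurable trace in DNS: a hostname that answers with many unrelated, short-lived addresses that change from one lookup to the next. The following is an added example, not Storm's code and not any vendor's tool, of scoring hostnames from a series of A-record lookups on exactly those signals. The observation records, hostnames, weights, the 300-second TTL cut-off and the score threshold are all constructed assumptions for the illustration; the scoring generalises to any repeated-lookup log, not only Storm's domains.

```python
"""Fast-flux scoring over repeated DNS lookups.

Added example (not Storm's code, not a real tool). Per hostname it counts
distinct IPs, distinct /16 prefixes (flux nodes are compromised hosts on many
unrelated networks), churn between consecutive answers, and low TTLs.
All weights and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (seconds, hostname, TTL, A records returned).
# "card-greeting.example" behaves like a flux host; "www.example" like a normal site.
OBSERVATIONS = [
    (0,    "card-greeting.example", 60, ["203.0.113.5", "198.51.100.77", "192.0.2.9"]),
    (60,   "card-greeting.example", 60, ["198.51.100.14", "203.0.113.201", "192.0.2.140"]),
    (120,  "card-greeting.example", 60, ["203.0.113.33", "192.0.2.61", "198.51.100.250"]),
    (180,  "card-greeting.example", 60, ["192.0.2.77", "203.0.113.88", "198.51.100.3"]),
    (0,    "www.example", 3600, ["192.0.2.1", "192.0.2.2"]),
    (3600, "www.example", 3600, ["192.0.2.1", "192.0.2.2"]),
]

LOW_TTL = 300        # seconds; assumption
FLUX_THRESHOLD = 40  # assumption


def flux_features(observations):
    """Aggregate per-hostname statistics from lookups processed in time order."""
    feats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": [],
                                 "new": 0, "answered": 0, "prev": set()})
    for _, host, ttl, ips in sorted(observations, key=lambda r: (r[1], r[0])):
        st = feats[host]
        st["ttls"].append(ttl)
        cur = set(ips)
        if st["prev"]:                      # churn: answers absent from the previous lookup
            st["new"] += len(cur - st["prev"])
            st["answered"] += len(cur)
        st["prev"] = cur
        st["ips"] |= cur
        st["prefixes"] |= {str(ip_network(f"{ip}/16", strict=False)) for ip in cur}
    return feats


def flux_score(st):
    """Heuristic: many IPs, many /16s and high churn, doubled when the TTL is low."""
    churn = st["new"] / st["answered"] if st["answered"] else 0.0
    score = len(st["ips"]) + 10 * len(st["prefixes"]) + 20 * churn
    if min(st["ttls"]) <= LOW_TTL:
        score *= 2
    return score


def classify(observations, threshold=FLUX_THRESHOLD):
    """Map hostname -> True when its score reaches the flux threshold."""
    return {host: flux_score(st) >= threshold
            for host, st in flux_features(observations).items()}


if __name__ == "__main__":
    for host, st in flux_features(OBSERVATIONS).items():
        print(f"{host:24s} score={flux_score(st):6.1f} "
              f"ips={len(st['ips'])} prefixes={len(st['prefixes'])}")
```

On the constructed data the flux host scores 124 (twelve addresses over three /16s, every answer new, 60-second TTL) and the ordinary host scores 12. In practice the prefix signal is better computed per autonomous system than per /16, which needs an offline prefix-to-ASN table that this example omits.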

Computer security expert Joe Stewart detailed the process by which compromised machines join the botnet: a compromised machine joins by launching a series of executables in stages, usually named in sequence from game0.exe through game5.exe (or similar), each launched in turn. They typically perform the following: [28]

  1. game0.exe: Backdoor/downloader
  2. game1.exe: SMTP relay
  3. game2.exe: E-mail address stealer
  4. game3.exe: E-mail virus spreader
  5. game4.exe: Distributed Denial of Service (DDoS) attack tool
  6. game5.exe: Updated copy of the Storm Worm dropper

At each stage the compromised system will connect into the botnet; fast flux DNS makes tracking this process exceptionally difficult.

These components are loaded through a kernel-mode rootkit driver, %windir%\system32\wincom32.sys, on the Windows system, and all connections back to the botnet are sent through a modified version of the eDonkey/Overnet communications protocol (Overnet is a Kademlia-based distributed hash table).
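The staged installation above is a behavioural pattern a host-monitoring pipeline can look for even when the per-sample hashes change twice an hour. The following is an added example, not Storm's code and not SecureWorks' tooling, that runs that pattern over process-creation and driver-load events: several distinct gameN.exe stages within one short window, or the wincom32.sys driver load, raises an alert, while a lone game0.exe launch does not, because the file name alone is weak evidence. The event shape, the sample events, the 600-second window and the severity labels are constructed assumptions; the stage names and driver path come from the text.

```python
"""Detecting the staged game0.exe ... game5.exe install and the wincom32.sys driver load.

Added example (not Storm's code, not an analysis tool from the text). Event
format, window and severity labels are assumptions; stage names and the
driver name are from the page.
"""
import ntpath
import re
from collections import defaultdict

STAGE_NAME = re.compile(r"^game(\d)\.exe$", re.IGNORECASE)
ROOTKIT_DRIVER = "wincom32.sys"
WINDOW = 600  # seconds within which the stages are expected to appear (assumption)

# Constructed Sysmon-style events: (time, host, kind, image path, parent image).
EVENTS = [
    (1000, "ws01", "process_create", r"C:\Users\a\AppData\Local\Temp\game0.exe", "outlook.exe"),
    (1003, "ws01", "process_create", r"C:\Users\a\AppData\Local\Temp\game1.exe", "game0.exe"),
    (1006, "ws01", "process_create", r"C:\Users\a\AppData\Local\Temp\game2.exe", "game0.exe"),
    (1010, "ws01", "driver_load",    r"C:\WINDOWS\system32\wincom32.sys", ""),
    (1015, "ws01", "process_create", r"C:\Users\a\AppData\Local\Temp\game3.exe", "game0.exe"),
    (2000, "ws02", "process_create", r"C:\Games\game0.exe", "explorer.exe"),
    (9000, "ws02", "process_create", r"C:\Games\game1.exe", "explorer.exe"),
]


def _normalise(events):
    """Keep only stage launches and rootkit driver loads, per host, in time order."""
    per_host = defaultdict(list)
    for ts, host, kind, image, _parent in sorted(events, key=lambda e: (e[1], e[0])):
        name = ntpath.basename(image).lower()   # ntpath handles Windows paths on any OS
        if kind == "process_create":
            m = STAGE_NAME.match(name)
            if m:
                per_host[host].append((ts, "stage", int(m.group(1))))
        elif kind == "driver_load" and name == ROOTKIT_DRIVER:
            per_host[host].append((ts, "driver", None))
    return per_host


def detect_staged_install(events, window=WINDOW):
    """Return {host: {"stages": [...], "driver": bool, "severity": str}} for hosts
    where at least three distinct stages, or the driver load, fall inside one window."""
    alerts = {}
    for host, items in _normalise(events).items():
        best = {"stages": [], "driver": False}
        for t0, _, _ in items:                   # slide the window over each start point
            inside = [(k, s) for t, k, s in items if t0 <= t <= t0 + window]
            cand = {"stages": sorted({s for k, s in inside if k == "stage"}),
                    "driver": any(k == "driver" for k, _ in inside)}
            if (len(cand["stages"]), cand["driver"]) > (len(best["stages"]), best["driver"]):
                best = cand
        if best["driver"] or len(best["stages"]) >= 3:
            best["severity"] = "high" if best["driver"] else "medium"
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, alert in detect_staged_install(EVENTS).items():
        print(host, alert)
```

Host ws01 is reported with stages 0 to 3 and the driver load at high severity; ws02 shows two stage-named launches two hours apart and is not reported.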

Method

The Storm botnet and its variants employ a variety of attack vectors, and a variety of defensive steps exist as well. The Storm botnet was observed defending itself by attacking computer systems that scanned the Internet for Storm-infected hosts. [29] The botnet defends itself with DDoS counter-attacks to maintain its own internal integrity. [30] At certain points in time, the Storm worm used to spread the botnet has attempted to release hundreds or thousands of versions of itself onto the Internet, in a concentrated attempt to overwhelm the defenses of anti-virus and malware security firms. [31] According to Joshua Corman, an IBM security researcher, "This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit." [32] Researchers were still unsure whether the botnet's defenses and counterattacks were automated or manually executed by the system's operators. [32] "If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously. [Over at] SecureWorks, a chunk of it DDoS-ed [distributed-denial-of-service attacked] a researcher off the network. Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it punishes them. It fights back", Corman said. [1]

Spameater.com, as well as other sites such as 419eater.com and Artists Against 419, both of which deal with 419 spam e-mail fraud, experienced DDoS attacks that temporarily rendered them completely inoperable. The DDoS attacks consist of making massed parallel network calls to those and other target IP addresses, overloading the servers' capacity and preventing them from responding to requests. [33] Other anti-spam and anti-fraud groups, such as the Spamhaus Project, were also attacked. The webmaster of Artists Against 419 said that the website's server succumbed after the attack grew to over 100 Mbit/s. Similar attacks were perpetrated against over a dozen anti-fraud site hosts. Jeff Chan, a spam researcher, stated, "In terms of mitigating Storm, it's challenging at best and impossible at worst since the bad guys control many hundreds of megabits of traffic. There's some evidence that they may control hundreds of Gigabits of traffic, which is enough to force some countries off the Internet." [7]

The Storm botnet's components also take steps to defend themselves locally, on victims' computer systems. On some compromised systems the botnet creates a process on the Windows machine that notifies the Storm components whenever a new program or other process starts. Earlier Storm variants simply prevented other programs, such as anti-virus or anti-malware software, from running. However, according to IBM security research, later versions of Storm instead "fool" the local computer system into thinking it has run the hostile program successfully, when in fact the program has done nothing. "Programs, including not just AV exes, dlls and sys files, but also software such as the P2P applications BearShare and eDonkey, will appear to run successfully, even though they didn't actually do anything, which is far less suspicious than a process that gets terminated suddenly from the outside", said Richard Cohen of Sophos. Compromised users, and related security systems, will assume that security software is running successfully when it in fact is not. [34]

On September 17, 2007, a Republican Party website in the United States was compromised, and used to propagate the Storm worm and botnet. [35] [36] In October 2007, the botnet took advantage of flaws in YouTube's captcha application on its mail systems, to send targeted spam e-mails to Xbox owners with a scam involving winning a special version of the video game Halo 3 . [37] Other attack methods include using appealing animated images of laughing cats to get people to click on a trojan software download, and tricking users of Yahoo!'s GeoCities service to download software that was claimed to be needed to use GeoCities itself. [38] [39] The GeoCities attack in particular was called a "full-fledged attack vector" by Paul Ferguson of Trend Micro, and implicated members of the Russian Business Network, a well-known spam and malware service. [39] On Christmas Eve in 2007, the Storm botnet began sending out holiday-themed messages revolving around male interest in women, with such titles as "Find Some Christmas Tail", "The Twelve Girls of Christmas", and "Mrs. Claus Is Out Tonight!" and photos of attractive women. It was described as an attempt to draw more unprotected systems into the botnet and boost its size over the holidays, when security updates from protection vendors may take longer to be distributed. [40] [41] A day after the e-mails with Christmas strippers were distributed, the Storm botnet operators immediately began sending new infected e-mails that claimed to wish their recipients a "Happy New Year 2008!" [42]


Encryption and sales

Around October 15, 2007, it was uncovered that portions of the Storm botnet and its variants could be for sale. [44] [45] This was done by using unique security keys in the encryption of the botnet's Internet traffic and information. [24] The unique keys allow each segment, or sub-section, of the Storm botnet to communicate only with a section that has a matching security key. However, this may also allow people to detect, track, and block Storm botnet traffic in the future, if the security keys have unique lengths and signatures. [44] Computer security vendor Sophos agreed with the assessment that the partitioning of the Storm botnet indicated likely resale of its services. Graham Cluley of Sophos said, "Storm's use of encrypted traffic is an interesting feature which has raised eyebrows in our lab. Its most likely use is for the cybercriminals to lease out portions of the network for misuse. It wouldn't be a surprise if the network was used for spamming, distributed denial-of-service attacks, and other malicious activities." [46] Security experts reported that if Storm were broken up for the malware market, in the form of a "ready-to-use botnet-making spam kit", the world could see a sharp rise in the number of Storm-related infections and compromised computer systems. [47] The encryption only appeared to affect systems compromised by Storm from the second week of October 2007 onwards, meaning that computer systems compromised after that time would remain difficult to track and block. [48]
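The two claims above, that a per-segment key lets a segment talk only to peers holding the same key and that such keys may also let defenders detect and track the traffic, can be shown together in a few lines. The following is an added example, not Storm's code; the page does not state which cipher Storm used, so this assumes each segment seals its messages with a fixed repeating-XOR key and that every message begins with a constant protocol header. Both are assumptions, as are the keys, header bytes and sample messages. Under them, a node holding key A rejects a message sealed under key B (the partitioning), and a passive observer who knows the constant header recovers the leading key bytes of any message by known-plaintext XOR, which is enough to cluster captured flows by segment.

```python
"""Why per-segment static keys both partition a botnet and fingerprint its traffic.

Added example, not Storm's code. Assumes (1) a repeating-XOR keystream per
segment and (2) a constant message header; neither is stated by the page.
"""
from collections import defaultdict

HEADER = b"\xe3\x0c"  # constructed constant message prefix (assumption)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call seals and opens."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def seal(payload: bytes, key: bytes) -> bytes:
    return xor_stream(HEADER + payload, key)


def open_message(blob: bytes, key: bytes):
    """Return the payload, or None when the header check fails (wrong segment key)."""
    plain = xor_stream(blob, key)
    if not plain.startswith(HEADER):
        return None
    return plain[len(HEADER):]


def recover_key_prefix(blob: bytes) -> bytes:
    """Known plaintext: ciphertext XOR header = the first len(HEADER) key bytes."""
    return xor_stream(blob[: len(HEADER)], HEADER)


def cluster_by_segment(blobs):
    """Group captured messages by recovered key prefix, i.e. by botnet segment."""
    groups = defaultdict(list)
    for idx, blob in enumerate(blobs):
        groups[recover_key_prefix(blob).hex()].append(idx)
    return dict(groups)


# Constructed segment keys and a constructed capture of three messages.
KEY_A = b"\x10\x22\x33\x44\x55"
KEY_B = b"\x99\x88\x77\x66\x55"
CAPTURE = [seal(b"publish peer", KEY_A),
           seal(b"search key", KEY_B),
           seal(b"update ack", KEY_A)]

if __name__ == "__main__":
    print("segment A opens its own message:", open_message(CAPTURE[0], KEY_A))
    print("segment B opens A's message:    ", open_message(CAPTURE[0], KEY_B))
    print("flows clustered by segment:     ", cluster_by_segment(CAPTURE))
```

The lesson is independent of the toy cipher: any fixed key applied to messages with a predictable prefix turns the key itself into a traffic signature, which is exactly the tracking opportunity the text anticipates.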

Within days of the discovery of this segmenting of the Storm botnet, spam e-mail from the new subsection was uncovered by major security vendors. On the evening of October 17, security vendors began seeing new spam with embedded MP3 sound files, which attempted to trick victims into investing in a penny stock, as part of an illegal pump-and-dump stock scam. It was believed that this was the first-ever spam e-mail scam that made use of audio to fool victims. [49] Unlike nearly all other Storm-related e-mails, however, these new audio stock scam messages did not include any sort of virus or Storm malware payload; they were simply part of the stock scam. [50]

In January 2008, the botnet was detected for the first time to be involved in phishing attacks against the customers of major financial institutions, targeting banking establishments in Europe including Barclays, Halifax [43] and the Royal Bank of Scotland. [51] The unique security keys used indicated to F-Secure that segments of the botnet were being leased. [51]

Claimed decline of the botnet

On September 25, 2007, it was estimated that a Microsoft update to the Windows Malicious Software Removal Tool (MSRT) may have helped reduce the size of the botnet by up to 20%. [52] The new patch, as claimed by Microsoft, removed Storm from approximately 274,372 infected systems out of 2.6 million scanned Windows systems. [53] However, according to senior security staff at Microsoft, "the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the 'Storm' botnet," indicating that the MSRT cleaning may have been symbolic at best. [54]

As of late October 2007, some reports indicated that the Storm botnet was losing the size of its Internet footprint, and was significantly reduced in size. [55] Brandon Enright, a University of California at San Diego security analyst, estimated that the botnet had by late October fallen to a size of approximately 160,000 compromised systems, from Enright's previous estimated high in July 2007 of 1,500,000 systems. [56] Enright noted, however, that the botnet's composition was constantly changing, and that it was still actively defending itself against attacks and observation. "If you're a researcher and you hit the pages hosting the malware too much… there is an automated process that automatically launches a denial of service [attack] against you", he said, and added that his research caused a Storm botnet attack that knocked part of the UC San Diego network offline. [57]

The computer security company McAfee is reported as saying that the Storm Worm would be the basis of future attacks. [58] Craig Schmugar, a noted security expert who discovered the Mydoom worm, called the Storm botnet a trend-setter, which has led to more usage of similar tactics by criminals. [59] One such derivative botnet has been dubbed the "Celebrity Spam Gang", due to their use of similar technical tools as the Storm botnet controllers. Unlike the sophisticated social engineering that the Storm operators use to entice victims, however, the Celebrity spammers make use of offers of nude images of celebrities such as Angelina Jolie and Britney Spears. [60] Cisco Systems security experts stated in a report that they believe the Storm botnet would remain a critical threat in 2008, and said they estimated that its size remained in the "millions". [61]

As of early 2008, the Storm botnet also found business competition in its black-hat economy, in the form of Nugache, another similar botnet which was first identified in 2006. Reports indicated that a price war may have been under way between the operators of the two botnets over the sale of spam e-mail delivery. [62] Following the Christmas and New Year's holidays bridging 2007–2008, the researchers of the German Honeynet Project reported that the Storm botnet may have increased in size by up to 20% over the holidays. [63] The MessageLabs Intelligence report dated March 2008 estimated that over 20% of all spam on the Internet originated from Storm. [64]

Present state of the botnet

The Storm botnet was sending out spam for more than two years until its decline in late 2008. [65] One factor in this may have been the Stormfucker [66] tool, which made it possible to take control over parts of the botnet and so made the botnet less worthwhile for its creators to maintain. [67]

Stormbot 2

On April 28, 2010, McAfee announced that the so-called "rumors" of a Stormbot 2 had been verified. Mark Schloesser, Tillmann Werner, and Felix Leder, the German researchers who did much of the analysis of the original Storm, found that around two-thirds of the "new" functions were copied from the last Storm code base. The only thing missing was the P2P infrastructure, perhaps because of the tool that used P2P to bring down the original Storm. The Honeynet blog dubbed this Stormbot 2. [68]

References

  1. Vaas, Lisa (2007-10-24). "Storm Worm Botnet Lobotomizing Anti-Virus Programs". eWeek. Retrieved 2015-07-04.
  2. Spiess, Kevin (2007-09-07). "Worm 'Storm' gathers strength". Neoseeker. Retrieved 2007-10-10.
  3. "Storm Worm's virulence may change tactics". British Computer Society. 2007-08-02. Archived from the original on 2007-10-12. Retrieved 2007-10-10.
  4. Dvorsky, George (2007-09-24). "Storm Botnet storms the Net". Institute for Ethics and Emerging Technologies. Retrieved 2007-10-10.
  5. Keizer, Gregg (2008-04-09). "Top botnets control 1M hijacked computers". Computer World. Retrieved 2012-12-24.
  6. Leyden, John (2007-09-25). "Storm Worm retaliates against security researchers". The Register. Retrieved 2007-10-25.
  7. Gaudin, Sharon (2007-09-18). "Storm Worm Botnet Attacks Anti-Spam Firms". InformationWeek. Retrieved 2007-10-10.
  8. Fisher, Dennis (2007-10-22). "Experts predict Storm Trojan's reign to continue". Search Security. Archived from the original on 2007-12-17. Retrieved 2007-12-26.
  9. Coca, Rick (2007-12-18). "FBI: 'Botnets' threaten online security". Inside Bay Area. Retrieved 2007-12-27.
  10. Brodkin, Jon (2007-09-07). "Financially motivated malware thrives". Retrieved 2007-10-10.
  11. Null, Christopher (2007-10-22). "Devastating "Storm" Computer Worm Waiting in the Wings". Yahoo! News. Retrieved 2007-12-26.
  12. Utter, David (2007-07-13). "Storm Botnet Driving PDF Spam". Archived from the original on 2007-09-23. Retrieved 2007-10-10.
  13. Cringely, Robert X. (2007-10-17). "The Gathering Storm". InfoWorld.
  14. Holz, Thorsten (2008-04-09). "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm". Usenix. Retrieved 2008-04-23.
  15. Singel, Ryan (2007-12-07). "Report: Cybercrime Stormed the Net in 2007". Wired News. Retrieved 2007-12-27.
  16. Larkin, Erik (2007-12-03). "The Internet's Public Enemy Number One". PC World. Archived from the original on 2009-03-16. Retrieved 2010-03-21.
  17. Gaudin, Sharon (2007-09-06). "Storm Worm Botnet More Powerful Than Top Supercomputers". Retrieved 2007-10-10.
  18. Gaudin, Sharon (2007-09-04). "After Short Break, Storm Worm Fires Back Up With New Tricks". InformationWeek. Retrieved 2007-10-10.
  19. Fisher, Dennis (2007-12-17). "Storm, Nugache lead dangerous new botnet barrage". Search Security. Archived from the original on 2007-12-24. Retrieved 2007-12-27.
  20. Leyden, John (2007-09-14). "Storm Worm linked to spam surge". The Register. Retrieved 2007-10-17.
  21. Schneier, Bruce (2007-10-04). "Gathering 'Storm' Superworm Poses Grave Threat to PC Nets". Wired News. Retrieved 2007-10-17.
  22. Gaudin, Sharon (2007-10-03). "Hackers Breaking Up Botnets To Elude Detection". InformationWeek. Retrieved 2007-10-17.
  23. Sorensen, Chris (2007-10-15). "Storm Worm the 'syphilis' of computers". The Star. Retrieved 2007-10-17.
  24. Utter, David (2007-10-16). "Storm Botnets Using Encrypted Traffic". Security Pro News. Archived from the original on 2007-12-10. Retrieved 2007-10-17.
  25. "Storm DDoS hits anti-scam sites". Virus Bulletin. 2007-09-10. Retrieved 2007-10-17.
  26. Gaudin, Sharon (2007-09-10). "NFL Kickoff Weekend Brings Another Storm Worm Attack". InformationWeek. Retrieved 2007-10-17.
  27. Hernandez, Pedro (2007-10-04). "Storm Worm Rewrote the Botnet and Spam Game". Enterprise IT Planet. Retrieved 2007-10-17.
  28. Stewart, Joe. "Storm Worm DDoS Attack". SecureWorks. Retrieved 2016-03-09.
  29. McCloskey, Paul (2007-09-14). "Storm Warning: Botnet Gearing Up To Attack Defenders". InformationWeek. Retrieved 2007-10-17.
  30. Gaudin, Sharon (2007-09-17). "Storm botnet puts up defenses and starts attacking back". InformationWeek. Retrieved 2007-10-17.
  31. "Storm Worm offers coal for Christmas". Security Focus. 2007-12-26. Retrieved 2007-12-27.
  32. Wilson, Tim (2007-10-29). "Researchers Fear Reprisals From Storm". Dark Reading. Retrieved 2007-12-28.
  33. Paul, Ryan (2007-09-12). "Spammers launch denial of service attacks against antispam sites". Ars Technica. Retrieved 2007-10-17.
  34. Sophos Labs (2007-10-22). "Process-patching, the Dorf way". Naked Security. Retrieved 2015-07-04.
  35. Farrell, Nick (September 17, 2007). "Republicans infect voters with Storm Trojan". "The Inquirer". Archived from the original on January 21, 2016. Retrieved 2007-10-17.{{cite news}}: CS1 maint: unfit URL (link)
  36. Keizer, Gregg (September 14, 2007). "Hacked GOP Site Infects Visitors with Malware". Computerworld. Archived from the original on 2007-10-15. Retrieved 2007-10-17.
  37. Tung, Liam (October 10, 2007). "'Storm worm' exploits YouTube". CNET News. Archived from the original on 2020-08-22. Retrieved 2007-10-17.
  38. Keizer, Gregg (October 12, 2007). "Storm Trojan flaunts crazy cat to build out botnet". ComputerWorld. Archived from the original on October 13, 2007. Retrieved 2007-10-17.
  39. 1 2 Keizer, Gregg (2007-11-16). "Storm Botnet Spreading Malware Through GeoCities". PC World. Archived from the original on 2007-11-21. Retrieved 2007-12-27.
  40. McMillan, Robert (2007-12-24). "Storm Worm Tempts With Christmas Strip Show". PC World. Archived from the original on 2007-12-27. Retrieved 2007-12-27.
  41. Hruska, Joel (2007-12-25). "Storm Worm delivering coal this Christmas". Ars Technica. Retrieved 2007-12-27.
  42. Keizer, Gregg (2007-12-26). "Storm Botnet Drops Strippers Lure, Switches to New Year's". PC World. Retrieved 2007-12-27.
  43. 1 2 Rogers, Jack (2008-01-08). "Fortinet: Storm Worm botnet used to mount phishing attacks on Barclays, Halifax banks". SC Magazine. Archived from the original on 2008-01-11. Retrieved 2008-01-09.
  44. 1 2 Stewart, Joe (October 15, 2007). "The Changing Storm". Secure Works. Retrieved 2007-10-17.
  45. Francia, Ruben (October 16, 2007). "Researcher: Storm Worm botnet up for sale". Tech.Blorge. Archived from the original on October 16, 2007. Retrieved 2007-10-17.
  46. Espiner, Tom (2007-10-16). "Security expert: Storm botnet 'services' could be sold". CNet news. Archived from the original on 2008-05-17. Retrieved 2007-10-17.
  47. Vaas, Lisa (October 16, 2007). "Storm Botnet Kits Loom on the Horizon". EWeek. Archived from the original on 2020-08-22. Retrieved 2007-10-17.
  48. Goodin, Dan (October 15, 2007). "The balkanization of Storm Worm botnets". The Register. Retrieved 2007-10-17.
  49. Keizer, Gregg (October 18, 2007). "Spammers pump up volume with major spoken scam slam". Computerworld. Archived from the original on March 2, 2007. Retrieved 2007-10-19.
  50. Prince, Brian (October 18, 2007). "MP3 Spam Scam Hits In-boxes". EWeek. Archived from the original on 2020-08-22. Retrieved 2007-10-19.
  51. 1 2 Vamosi, Robert (January 9, 2008). "Phishers now leasing the Storm worm botnet". CNET News. Archived from the original on 2008-11-22. Retrieved 2008-05-11.
  52. Beskerming, Sûnnet (September 25, 2007). "Guessing at compromised host number". The Register. Retrieved 2007-10-17.
  53. Naraine, Ryan (September 24, 2007). "Storm Worm botnet numbers, via Microsoft". ZDNet. Archived from the original on 2007-10-24. Retrieved 2007-10-17.
  54. Krebs, Brian (October 1, 2007). "Just How Bad Is the Storm Worm?". The Washington Post. Retrieved 2007-10-17.
  55. Chapman, Matt (2007-10-22). "Storm Worm may have blown itself out". VNUnet. Archived from the original on December 25, 2007. Retrieved 2007-12-26.
  56. Francia, Ruben (2007-10-21). "Storm Worm network shrinks to about one-tenth of its former size". Tech.Blorge. Archived from the original on 2013-08-26. Retrieved 2007-12-26.
  57. McMillan, Robert (2007-10-21). "Storm Worm Now Just a Squall". PC World. Archived from the original on 2008-01-03. Retrieved 2007-12-26.
  58. Vassou, Andrea-Marie (2007-11-29). "Cyber war to escalate in 2008". Computer Active. Archived from the original on 2008-01-02. Retrieved 2007-12-27.
  59. Messmer, Ellen (2007-12-11). "Attackers poised to exploit Olympics, presidential elections in 2008". Network World. Archived from the original on 2007-12-27. Retrieved 2007-12-27.
  60. "New botnet as powerful as Storm worm revealed". Secure Computing. 2007-11-29. Retrieved 2007-12-27.[ permanent dead link ]
  61. Rogers, Jack (2007-12-26). "Cisco reports Storm botnet may be sublet to criminals in 2008 as holiday-themed attacks proliferate". SC Magazine. Archived from the original on 2007-12-28. Retrieved 2007-12-27.
  62. Dunn, John E. (2008-01-07). "Nugache – the next Storm?". Tech World. Archived from the original on 2008-01-08. Retrieved 2008-01-07.
  63. Utter, David (2008-01-04). "Storm Botnet Triples In Size". Security Pro News. Archived from the original on 2008-01-23. Retrieved 2008-01-07.
  64. "One fifth of all spam springs from Storm botnet" (PDF). MessageLabs Intelligence: Q1 / March 2009. MessageLabs. 2008-04-01. Archived from the original (PDF) on 2008-05-17.
  65. Felix Leder (2010-04-28). "A Breeze of Storm". Honeynet Project Blog. Retrieved 2010-05-24.
  66. Full Disclosure: Stormfucker
  67. Georg 'oxff' Wicherski, Tillmann Werner, Felix Leder, Mark Schlösser (2008). Stormfucker: Owning the Storm Botnet (Conference talk). Chaos Computer Club e.V. Archived from the original on October 6, 2009. Retrieved 2010-05-24.
  68. Dirro, Toralv (2010-04-28). "Dark and Stormy–Comeback of a Botnet?". McAfee Research Blog. Retrieved 2010-05-01.