New variant of Storm worm emerges

The new version of the prolific worm is based on old code but does not appear to be as robust

A new variant of the Storm worm has emerged, but it does not appear to be as well-designed as its older relative, according to computer security researchers.

The Storm worm first appeared in early 2007 and spread quickly, making it one of the most prolific and widespread worms ever. Once it infected people's computers, the worm sent million upon millions of spam messages.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

The Shadowserver Foundation, which tracks botnets, first received a sample of the new version of the worm on April 13, said Steven Adair, via instant message.

Security iGuide

The worm was then reverse-engineered by the Honeypot Project, which studies threats on the Internet. The new worm was found to be based on the old code, but some of the elements that made Storm difficult to disrupt were gone, according to a blog post from the organization.

The new Storm doesn't communicate using a peer-to-peer system, a decentralized way to have computers infected with the code communicate with each other and receive new spam instructions. That may be because researchers have been effective in disrupting peer-to-peer botnets, Adair said.

The new Storm communicates via HTTP traffic, but it is programmed to receive instructions from one IP (Internet Protocol) address hosted by a server in the Netherlands. The ISP hosting that server has been contacted, Adair said.

Since it is receiving instructions from just one IP address, it means the new Storm may not last that long, Adair said. It is also not employing fast flux, which allows an administrator to quickly point a domain name to a new IP address, making it harder to shut down.

The new Storm "doesn't seem as resilient as the older version," Adair said.

It's not known how many computers may be infected with the new Storm. Computers are believed to be getting infected through drive-by downloads, where a Web site attacks a user's computer looking for software vulnerabilities in order to deliver malicious software.

Adair said those Web sites delivering Storm via Neosploit, a toolkit used to attack a computer several different ways.

The worm is sending out pharmaceutical, adult dating and celebrity-related spam messages, wrote Ricardo Robielos III, a research engineer with CA. He wrote it was sending out a "massive" volume of spam to targeted recipients.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies