The new piece of malware that surfaced this week and has been hailed as a return of the Storm worm is in fact simply the worm’s original spam engine with some new components wrapped around it, researchers say, and not a rebirth of the botnet itself.
Storm was a major botnet threat during its heyday in 2007, accounting for nearly a quarter of all of the spam on the Internet at its peak, by some estimates. It used a special peer-to-peer protocol for communication and also proved to be quite resilient to takedown efforts for a while until researchers hit on the right strategy for disrupting its operations. But since the time it was crippled, Storm has been completely off the radar until earlier this week when the researchers at The Honeynet Project did a detailed analysis of the new malware, which they said looked a lot like the original Storm code.
“Just like Storm, this new malware decompresses itself into a heap section and jumps to the unpacked code. We just dumped the heap section to a file and fixed the imports to get an executable we can analyze conveniently,” the Honeynet researchers said in their analysis. “Although this is already pretty good evidence that the two specimens are related, the question remains whether this is really a new Storm version, so let’s have a look at the actual functionality.
“We compared the last version of Storm to the new samples. Around two-thirds of the functions in the new sample are simply copy-and-paste from the last Storm code base. Since the source code of Storm has never been public, the same team of developers has finally created a new variant or sold its code. The original version was rather large, having more than 800 functions. A large portion of this was the P2P code. This is missing completely in the new version and the actual command protocol is based on HTTP instead of plain TCP connections.”
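The Honeynet researchers quote a figure of roughly two-thirds of the new sample’s functions being copied from the old Storm code base. The snippet below is an added illustration of how such a function-overlap ratio is typically computed, and is not the Honeynet Project’s tooling or the article’s own material. The two "samples" are tiny constructed instruction listings (hypothetical function names, not real Storm code); the point it demonstrates is that addresses and immediates must be normalised before hashing, otherwise two builds of the same function linked at different base addresses never match.

```python
import hashlib
import re

# Constructed toy disassembly for an "old" and a "new" build. Function names
# and instructions are invented for illustration; they are not from any real sample.
OLD_SAMPLE = {
    "sub_401000": ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "call 0x402000", "pop ebp", "ret"],
    "sub_401100": ["push 0x1f4", "call 0x40a000", "test eax, eax", "jz 0x40112a", "ret"],
    "p2p_recv":   ["push 0x1000", "call 0x40b000", "cmp eax, 0", "jle 0x401240", "ret"],
}
NEW_SAMPLE = {
    # Same two functions as above, but the image is based at a different address.
    "sub_501000": ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "call 0x503000", "pop ebp", "ret"],
    "sub_501100": ["push 0x1f4", "call 0x50a000", "test eax, eax", "jz 0x50112a", "ret"],
    # A function with no counterpart in the old build.
    "http_fetch": ["push 0x50", "call 0x50c000", "mov [esi], eax", "ret"],
}

HEX_LITERAL = re.compile(r"0x[0-9a-fA-F]+")


def normalize(instructions):
    """Replace every hex literal (call targets, jump targets, immediates) with a
    placeholder so that a rebased or relinked copy of a function hashes identically."""
    return [HEX_LITERAL.sub("IMM", ins) for ins in instructions]


def function_signature(instructions, normalized=True):
    """Hash a function body; with normalized=False the raw text is hashed instead."""
    body = normalize(instructions) if normalized else instructions
    return hashlib.sha256("\n".join(body).encode()).hexdigest()


def shared_function_ratio(old, new, normalized=True):
    """Return (fraction of functions in `new` that also appear in `old`, matched names)."""
    old_signatures = {function_signature(body, normalized) for body in old.values()}
    matched = sorted(
        name for name, body in new.items()
        if function_signature(body, normalized) in old_signatures
    )
    return len(matched) / len(new), matched


if __name__ == "__main__":
    ratio, names = shared_function_ratio(OLD_SAMPLE, NEW_SAMPLE)
    print(f"normalized: {ratio:.2%} shared ({', '.join(names)})")
    raw_ratio, _ = shared_function_ratio(OLD_SAMPLE, NEW_SAMPLE, normalized=False)
    print(f"raw text:   {raw_ratio:.2%} shared")
```

Run as a script, the normalised comparison reports two of the three new functions as reused while the raw-text comparison reports none, which is why code-reuse claims like the one quoted above rest on normalised or structural matching rather than byte-for-byte identity.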
The new version does not use the Overnet protocol that the original Storm bot used for P2P communications.
Since the Honeynet analysis appeared, other researchers have been looking closely at the new malware and have found that its creators have essentially lifted the spam engine from the original Storm bot and wrapped some new code around it and let it loose. However, this version isn’t nearly as prolific as its predecessor was, experts say.
“The glaring difference is that the new malware does not use a peer-to-peer communication model based on the Overnet protocol. The original Storm communicated over UDP with many other nodes using a modified version of this protocol, whereas this malware has none of that. In its place is a stripped down and more standard model, where the infected node contacts a command server via HTTP and downloads spam templates and other instructions. Broadly speaking, it is little different in concept to the many other template-based spambots that we regularly encounter,” researchers at M86 Labs said in a blog post.
“So in essence, this is a new stripped down spambot, based on a portion of Storm code. The spam emanating from it is hardly registering in our spam traps – less than 0.01 percent, so it is a very minor spamming botnet at this stage – merely another one to add to the dozens out there already.”