By Jake Edge
August 29, 2007
Spam rates are rising, rapidly, with a lot of the blame being placed on the
"storm worm." The
worm is targeted at PCs, to build an enormous botnet for purposes
that can only be speculated upon. Estimates of the size of the
botnet vary, but it is probably fair to say that millions of machines are
infected. Interestingly, the techniques used to propagate the worm are
evolving and some defense mechanisms are emerging.
The storm worm has been with us since January; its name stems from the
subject of the earliest emails that propagated it, and it has attacked in
multiple waves of spam since then. It uses the simplest of all infection
techniques: tricking recipients into running a program. Those programs,
which, from all reports, only run on Windows, then install various kinds of
malware, including programs to connect the machine to a massive botnet.
At its root, the storm worm uses various "social engineering" tactics to
convince people to either open an executable in the email or to visit a
website and download software from there. Several different messages have
been tried recently: electronic greeting cards, welcome messages from
various "groups" (Wine Lovers, Poker Players, etc.) and, most recently, one
that claims to be a pointer to a YouTube video that shows you or your
family. These messages have been pumped out at enormous rates by the
botnet as it tries to grow bigger.
Some defensive behavior has been noted as well. When infected machines are
scanned for vulnerabilities or malware, they sometimes react by calling in a
distributed denial-of-service (DDoS) attack on the scanning machine.
The main concern is for academic networks that sit directly on the
internet; machines behind firewalls are generally protected, unless a
significant part of the botnet also lives there.
These evolving tactics and defensive measures are not being implemented
for fun; the botnet herders probably have a plan for using such a huge
botnet, and the only question is: for what? The most likely explanation is
DDoS attacks on targeted sites, quite possibly to get paid to
stop, which is also known as extortion. They presumably also get paid to send spam
– other than that used to increase their size – but extorting
money from sites that depend on traffic is probably much more lucrative.
Unlike other botnets, storm's does not rely on a single central server that
can be shut down, destroying the botnet. Instead, it uses peer-to-peer
technology, distributing its command and control infrastructure throughout
the network, which makes it much more difficult to combat. That, coupled with
the furious spamming and defensive responses, makes this the most robust
botnet we have seen yet.
While this particular attack does not appear to affect Linux users
directly, we should not be resting on our laurels. Linux users likely have
a higher clue level, overall, than Windows users, but that level is
dropping. As Ubuntu and other desktop, newbie-oriented distributions gain
ground, the average computer literacy of the Linux community drops. There
is no defense, other than educating users, against folks who download
random things and run them on their computer. If the storm botnet herders
decide they need even more machines for their plan for total world
domination, they might just turn to Linux.