Storm Worm Stalkers Share Research

Secure Computing has created Storm Tracker as part of its TrustedSource Web portal to provide the latest information about the storm worm to IT professionals.

Storm worm: two words that continue to brew up agita among IT professionals as it stalks vulnerable computers across the Internet. Now officials at Secure Computing have created a special section on their Web-based research portal dedicated to providing the public with up-to-date information on it.

Dubbed Storm Tracker, the section offers a real-time view into information about IPs and domains associated with Storm. The service was launched this week to coincide with the one-year anniversary of the Storm worm's appearance.

"Storm, without question, has been the most innovative and adaptive worm of 2007," said Dmitri Alperovitch, principal research scientist at Secure Computing's TrustedSource Labs.

First detected in January 2007, the Storm botnet and worm earned their names from the storm-related subject lines of its early rounds of infectious emails, such as "230 dead as storm batters Europe". The botnet started out sending spam; its creators then moved on to denial of service attacks and, most recently, phishing. Just last week, a number of security researchers discovered that phishers posing as Barclays Bank and the Halifax unit of the National Bank of Scotland were using the botnet to send fake messages to unwary users.

"The biggest decline in Storm activity occurred on Sept. 11, 2007, when an update to Microsoft's Malicious Software Removal Tool (MSRT) that included signatures for what had been the latest Storm malware variants at the time was responsible for cleaning up over 20 percent of the machines in the botnet," the scientist said. "Unfortunately, Storm adapted within less than 24 hours of the update and new variants had been released that avoided MSRT detection."

According to Secure Computing, the U.S. is home to some 36 percent of Storm IPs. "The largest percentage of Storm IPs that serve malware-laden Web pages have always been located in the U.S., primarily because Storm puts an extra premium on available bandwidth capacity and unfettered access to the Internet for that part of its operation, and countries like the United States and South Korea have one of the largest populations of machines that match that criteria," Alperovitch said.

The hope is that organizations, individuals and researchers can use the information on the site to improve their filtering systems and secure their end-users, he continued, adding that the longevity of the worm and the cleverness of its creators make them worthy of a reluctant nod of respect.
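As an illustration of the kind of filtering the tracker's IP and domain lists are meant to feed, here is a short added example (not code from the article, Secure Computing or Storm Tracker) that matches Web proxy log lines against such a list. The indicator values and log lines are constructed placeholders using reserved TEST-NET addresses and .test/.invalid names, not real Storm infrastructure; the log format is an assumed five-field layout.

```python
"""Match Web proxy log lines against an IP/domain indicator list.

Added example, not from the article or Secure Computing. Indicators and
log lines are constructed placeholders (RFC 5737 TEST-NET addresses and
reserved .test/.invalid domains), and the log layout is assumed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed indicator feed, in the shape a Storm Tracker-style list might supply.
BLOCKED_IPS = {"203.0.113.10", "198.51.100.77"}
BLOCKED_DOMAINS = {"example-lure.test", "storm-card.invalid"}

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2008-01-17T10:01:02Z 10.0.0.5 GET http://www.example-lure.test/card.exe 200
2008-01-17T10:01:05Z 10.0.0.6 GET http://203.0.113.10/ecard/ 200
2008-01-17T10:01:09Z 10.0.0.7 GET http://www.example.org/ 200
2008-01-17T10:02:11Z 10.0.0.8 GET http://notstorm-card.invalid/ 404
2008-01-17T10:02:30Z 10.0.0.9 GET http://Storm-Card.INVALID:8080/login 302
malformed line that should be skipped
"""


def extract_host(url):
    """Return the lowercased hostname of a URL, or None if it has none."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def domain_matches(host, blocked_domains):
    """Exact or parent-domain match: www.a.test hits a.test, nota.test does not."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked_domains:
            return candidate
    return None


def classify_host(host, blocked_ips, blocked_domains):
    """Return (reason, indicator) if the host hits the feed, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP-literal URLs are checked against the IP list only, never the domain list.
        return ("ip", str(ip)) if str(ip) in blocked_ips else None
    matched = domain_matches(host, blocked_domains)
    return ("domain", matched) if matched else None


def scan_log(text, blocked_ips=BLOCKED_IPS, blocked_domains=BLOCKED_DOMAINS):
    """Return (client_ip, url, reason, indicator) for each log line that hits the feed."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, client, _method, url, _status = parts
        host = extract_host(url)
        if host is None:
            continue
        verdict = classify_host(host, blocked_ips, blocked_domains)
        if verdict:
            hits.append((client, url, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for client, url, reason, indicator in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{reason}: {indicator}]")
```

Run against the constructed log, the scan flags three lines: the first by parent-domain match, the second by IP literal, and the last despite mixed case and an explicit port, while the look-alike `notstorm-card.invalid` correctly does not match because matching is done on whole DNS labels rather than by substring.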

"(Storm) has clearly been extremely successful in changing its message and utilizing social engineering tactics to infect hundreds of thousands of users over the past year," he said. "Its success and longevity most certainly has been surprising, and the ingenuity of the people behind this botnet triggers a certain amount of begrudging respect."