The voice of the Storm botnet

Science fiction writers theorise that if a computer becomes super powerful and learns enough information, it will become self-aware and start attempting to communicate with us.

Well, Storm isn't quite at that level yet :-)  But it is speaking. The latest round of Storm-sent spam attempts to inflate the price of EXTO shares by... wait for it... SPEAKING to you in an almost incomprehensible voice. Or rather, it sends you an MP3 file of this speech.

Are these files pre-made and distributed to the botnet? Or are they generated by the botnet's computers on-the-fly? I have downloaded two samples of them, which have the same content, and their MD5 sums don't match. So they aren't exactly the same file. I don't know if someone has changed the ID3 tags or something on purpose, though.
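One way to settle whether two MP3 samples differ only in their metadata is to hash the audio payload after stripping the ID3 tags, and compare that with the MD5 of the whole file. The script below is an added example and not part of the original post; the real spam files were not available, so it builds two constructed samples that share the same (fake, non-playable) audio bytes but carry different ID3v2 and ID3v1 tags, plus a third sample whose audio differs by one byte. It handles the ID3v2 header (with its syncsafe size and optional footer) and the 128-byte ID3v1 trailer; anything else at the edges of the file, such as APE tags or trailing junk, would still make the payload hashes differ.

```python
import hashlib


def _syncsafe(n: int) -> bytes:
    """Encode n as the 4-byte 'syncsafe' integer ID3v2 uses (7 bits per byte)."""
    return bytes(((n >> shift) & 0x7F) for shift in (21, 14, 7, 0))


def _unsyncsafe(b: bytes) -> int:
    """Decode a 4-byte syncsafe integer."""
    n = 0
    for byte in b:
        n = (n << 7) | (byte & 0x7F)
    return n


def id3v2_size(data: bytes) -> int:
    """Return the total length of a leading ID3v2 tag (header + frames + footer), or 0."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    size_bytes = data[6:10]
    if any(b & 0x80 for b in size_bytes):
        return 0  # high bit set: not a valid syncsafe size, treat as untagged
    total = 10 + _unsyncsafe(size_bytes)
    if data[5] & 0x10:  # footer flag: a 10-byte footer follows the frames
        total += 10
    return min(total, len(data))


def strip_id3(data: bytes) -> bytes:
    """Remove a leading ID3v2 tag and a trailing 128-byte ID3v1 tag ('TAG')."""
    start = id3v2_size(data)
    end = len(data)
    if end - start >= 128 and data[end - 128:end - 125] == b"TAG":
        end -= 128
    return data[start:end]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def compare_samples(a: bytes, b: bytes) -> dict:
    """Compare two files by whole-file MD5 and by MD5 of the tag-stripped payload."""
    return {
        "file_md5": (md5_hex(a), md5_hex(b)),
        "file_match": md5_hex(a) == md5_hex(b),
        "payload_md5": (md5_hex(strip_id3(a)), md5_hex(strip_id3(b))),
        "payload_match": md5_hex(strip_id3(a)) == md5_hex(strip_id3(b)),
    }


# --- constructed samples (stand-ins for the real spam MP3s, which are not on the page) ---

def build_id3v2(title: str) -> bytes:
    """Minimal ID3v2.3 tag holding one TIT2 (title) text frame."""
    text = b"\x00" + title.encode("latin-1")  # 0x00 = ISO-8859-1 text encoding
    frame = b"TIT2" + len(text).to_bytes(4, "big") + b"\x00\x00" + text
    return b"ID3\x03\x00\x00" + _syncsafe(len(frame)) + frame


def build_id3v1(title: str) -> bytes:
    """Minimal 128-byte ID3v1 trailer: 'TAG' + 30-byte title, zero padded."""
    return (b"TAG" + title.encode("latin-1")[:30].ljust(30, b"\x00")).ljust(128, b"\x00")


# Fake audio stream: an MPEG-like sync word followed by filler; not decodable audio.
AUDIO = b"\xff\xfb\x90\x00" + bytes(range(256)) * 4

SAMPLE_A = build_id3v2("exto") + AUDIO + build_id3v1("exto")
SAMPLE_B = build_id3v2("hot stock tip") + AUDIO + build_id3v1("tip")        # tags differ only
SAMPLE_C = build_id3v2("exto") + AUDIO[:-1] + b"\x00" + build_id3v1("exto")  # one audio byte changed


if __name__ == "__main__":
    for label, other in (("A vs B", SAMPLE_B), ("A vs C", SAMPLE_C)):
        r = compare_samples(SAMPLE_A, other)
        print(f"{label}: file_match={r['file_match']} payload_match={r['payload_match']}")
```

For samples A and B the whole-file MD5 sums differ while the payload sums match, which is the "only the tags were changed" case; for A and C both differ, meaning the audio itself was altered or re-encoded per copy.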

I'll end this post by saying "I don't have to worry about it", as I'm using Linux, which doesn't get this infection. And here is a rather worrying article from the TrendLabs Malware Blog about the future of Storm:

Storm in Segments

October 17th, 2007 by Mayee Corpin

It is said that change is the one constant in life, and it is proving true in the case of the Storm malware. Usually, change is good, but where the said malware is involved, change may mean another thing.

The infamous Storm worm has gotten an update, with the giant botnet that it employs now broken into segments, or smaller networks. The latest Storm variants now use a 40-byte key to encrypt traffic over the peer-to-peer (P2P) protocol Overnet, as first reported by our counterparts in SecureWorks. Overnet aids singular bots to connect to other infected systems. Using encryption means that communication is only possible between botnet nodes that are using the same key.

This may be an indication that the Storm worm creators are set to go to market with Storm variants, which they could sell in malware forums to other malicious users (spammers or DoS attackers). This could translate to automated spam kits, which could in turn lead to a skyrocketing of Storm infections.

Another reason could be for the Storm authors to more easily manage their networks. The upside could be that system administrators themselves may now be able to better protect their networks against the deluge of the Storm malware, whereas before the Storm botnet was believed difficult to eliminate because of its use of P2P technology (instead of a single C&C server).

The Storm worm began its downpour in January this year, earning its name for its social engineering technique of squatting on the real-world Kyrill storm that was then ravaging Northern Europe. It first sent out spammed email messages that promised more information about the said storm. Users ended up downloading a Trojan that rendered their machines zombies, part of the Storm botnet that is now estimated at 1-50 million PCs.

Since then, the botnet has been constantly evolving, employing one new technique after another. More notably, it came as eCard spam that rode on big occasions like Fourth of July, Labor Day, and the NFL season; contained links that supposedly led to a YouTube video file; offered downloads of the otherwise legitimate application Tor Proxy or a BETA testing program; and posed as “welcome” messages for memberships to various online services. Most recently, it was seen as a worm that came via fake eCards meant for unsuspecting users with a fondness for felines.

There is still no end in sight to the twists and turns in the history of the Storm worm. But if this new development works in the Storm authors’ favor, this malware family is poised to devolve into a cyclone, with said creators bringing more damage to property and earning in the process. For now, the coast is yet unclear.
