Weathering the Storm Worm

The notorious web nasty commonly known as "Storm Worm" shows no signs of coming to an end, as the already-massive Storm botnet (the infected machines controlled by Storm's creators) is growing daily.

Understanding the Threat

What type of malware are we dealing with? While this threat is frequently referred to as "Storm Worm," it is technically not a worm; according to Lavasoft researchers, Storm is actually a downloader Trojan. At Lavasoft, we classify it as "Win32.Worm.Zhelatin".

The name "Storm" was coined in January 2007, when the threat was first spotted in e-mail messages claiming to have news of the deadly storms plaguing Europe at that time. Since then, it has changed tactics numerous times to mimic current events and news stories. While size estimates vary, some researchers believe that the Storm Worm botnet is made up of more than one million infected machines, making it one of the largest known botnets.

The Bad Behavior

Storm Worm's method of operation is to use social engineering to infect users, compromise PCs, and ultimately form a botnet used to propagate cyber crime.

Here's how it works: the computer user receives a spam message, disguised as an e-greeting card, news article, or notification of some other current event, in an attempt to con the person into installing the botnet-forming Trojan. The recipient becomes infected after opening an attachment or clicking on a link in the message. While it is a less common method, Storm has also been known to spread through website exploits. Either way, the compromised computer becomes part of a botnet - a network of zombie computers controlled remotely - which is then used to spread more malware.

This relatively simple method of attack has resulted in an astounding success rate. Part of Storm Worm's proliferation is due to its tendency to change tactics by way of releasing new variants, changing e-mail subject lines, and altering the malicious file's name.

To make matters worse, according to reports, the Storm botnet acts defensively; it has displayed behavior that indicates its controllers actively protect the botnet against efforts to track or interrupt it. According to researchers, attempts to investigate the file have been thwarted by the Trojan calling home, after which the botnet launches a DDoS attack against the IP address of whoever is probing it.

Winning Strategies

To avoid getting infected and becoming part of the growing Storm botnet, it is critical that home users install up-to-date firewalls, anti-virus and anti-spyware software, patch operating systems and applications against known vulnerabilities, and be cautious when opening e-mail.

A few more tips:

  • Use extreme caution when opening attached files or clicking on links in e-mail messages. Even if you use a reliable anti-spam program, do not let your guard down. The Storm Worm is constantly updated by malware authors, changing tactics to manipulate innocent users and entice them to open attachments or to visit infection-hosting websites.
  • Play it safe by getting your news from legitimate sources. No matter how tempting the subject line is, do not click on links or download attachments in unsolicited e-mail messages promising to deliver news about current events and issues.
  • While you may love to get online greeting cards from friends and family, you need to be especially cautious of these types of messages. Many e-card service providers, such as Hallmark, have helpful information on their websites that you can use to check the validity of electronic greetings. Take a look at these types of tips before opening e-mail attachments or clicking URLs within a message.