The Summer Storm
Seventy-seven megabytes of network traffic, 356 spam emails sent and 10,082 unique IP addresses contacted. All in just under 60 minutes.
This is what a system infected by one recent Storm rootkit pumps out. Since Storm first arrived on the scene in January of last year, it has made headlines throughout the world as one of the most successful and persistent threats currently operating in the wild. At Symantec, our global spam traps caught just under 150,000 Storm-generated emails during June and July this year:

And, the tried-and-true method by which the Storm team successfully infects machines hasn't changed either. The method consists of bulk emailing with "interesting" content aimed at enticing the victim into either visiting a Web site or opening an attachment.
The various topics used per spam round have included war, politics, murder, adult entertainment, romance, public holidays, sporting events, business transactions, surveys, terrorism and natural disasters. These lures are certainly a contributing factor to the prevalence and persistence of infections: topics based both on real-world current events and false-but-interesting scenarios still appear to be a fairly successful propagation technique and are clearly favoured by those behind Storm.
At the heart of the rootkit are two files: in this case, glok+serv.config and glok+767-4e80.sys. The first file contains a list of encrypted peers with which the infected host maintains contact, and it is updated periodically with new nodes. The second is the rootkit-based service that performs all of the primary functions of the zombie, including spamming, denial-of-service and component updates. A range of API calls are hooked by the rootkit in an attempt to hide its presence on the system, such as ZwEnumerateValueKey and ZwQueryDirectoryFile.
The botnet itself runs its main operations over UDP, communicating via a fairly aggressive peer-to-peer network. The resulting traffic surge is fairly easy to spot:
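The numbers quoted above (thousands of unique peers over UDP within an hour, plus hundreds of outbound mail connections) are exactly the kind of per-host signal a network monitor can test for. The following is an added example, not code from the original post or from Symantec: it builds a constructed set of flow records for one infected host and one normal host, buckets them into hourly windows, and flags any source that either contacts an unusually large number of unique peers or opens many SMTP connections. The thresholds, the sample addresses and the `Flow` record layout are assumptions chosen for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them to the baseline of
# the network being watched. They sit well below the per-hour figures quoted
# in the post so that an infection is caught early, not after 10,000 peers.
UNIQUE_PEER_THRESHOLD = 1000   # distinct destination IPs per window
SMTP_THRESHOLD = 100           # outbound TCP/25 connections per window
WINDOW_SECONDS = 3600          # one-hour window, matching the post's measurement


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed layout, similar to a NetFlow summary)."""
    ts: int       # seconds since the start of the capture
    src: str      # internal source host
    dst: str      # destination IP contacted
    proto: str    # "udp" or "tcp"
    dport: int    # destination port


def build_sample_flows():
    """Constructed sample traffic: one Storm-like host and one ordinary host."""
    flows = []
    infected = "10.0.0.5"   # constructed address for the infected workstation
    # P2P chatter: 1500 distinct peers over UDP on varying high ports.
    for i in range(1500):
        flows.append(Flow(i * 2, infected, f"203.0.{i // 256}.{i % 256}", "udp", 7000 + i % 100))
    # Spam run: 400 outbound SMTP connections to 200 distinct mail hosts.
    for i in range(400):
        flows.append(Flow(i * 9, infected, f"192.0.2.{i % 200 + 1}", "tcp", 25))
    normal = "10.0.0.7"     # constructed address for a normal workstation
    for i in range(20):
        flows.append(Flow(i * 60, normal, f"198.51.100.{i + 1}", "tcp", 443))
    for i in range(2):
        flows.append(Flow(i * 30, normal, "10.0.0.53", "udp", 53))
    return flows


def summarize_windows(flows, window=WINDOW_SECONDS):
    """Aggregate flows per (source host, time bucket)."""
    stats = defaultdict(lambda: {"peers": set(), "udp": 0, "total": 0, "smtp": 0})
    for f in flows:
        s = stats[(f.src, f.ts // window)]
        s["peers"].add(f.dst)
        s["total"] += 1
        if f.proto == "udp":
            s["udp"] += 1
        if f.proto == "tcp" and f.dport == 25:
            s["smtp"] += 1
    # Replace the peer set with a count so the summary is plain data.
    return {
        key: {
            "unique_peers": len(s["peers"]),
            "udp_share": s["udp"] / s["total"],
            "smtp": s["smtp"],
            "total": s["total"],
        }
        for key, s in stats.items()
    }


def flag_hosts(flows, window=WINDOW_SECONDS):
    """Return {source_host: [reasons]} for hosts that trip either threshold."""
    flagged = defaultdict(list)
    for (src, bucket), s in summarize_windows(flows, window).items():
        if s["unique_peers"] >= UNIQUE_PEER_THRESHOLD:
            flagged[src].append(
                f"window {bucket}: {s['unique_peers']} unique peers "
                f"({s['udp_share']:.0%} UDP) >= {UNIQUE_PEER_THRESHOLD}"
            )
        if s["smtp"] >= SMTP_THRESHOLD:
            flagged[src].append(
                f"window {bucket}: {s['smtp']} outbound SMTP connections >= {SMTP_THRESHOLD}"
            )
    return dict(flagged)


if __name__ == "__main__":
    for host, reasons in flag_hosts(build_sample_flows()).items():
        print(host)
        for r in reasons:
            print("  ", r)
```

The two signals are deliberately kept separate: a host that is only talking to its P2P peers (for instance between spam runs, or after it has landed on a blocklist and the operators have switched it to other work) still trips the peer-count check, while the SMTP check catches the spam run itself even on a network where UDP fan-out is noisy for other reasons.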

The sale of spam-capable services that run from public hosts can net a bot controller a nice income, because fresh zombies can send upwards of 10,000 emails a day. And even if a particular Storm zombie is added to one of the many available spam blocking lists, the bot controller can still use it to run distributed denial-of-service attacks with devastating speed. Also, the variation in how Storm operates isn't restricted to email subjects: we have watched its operators use polymorphic packers to defeat CRC-based detection, then experiment by removing the rootkit functionality to leave a plainly visible executable, and then return once again to a rootkit-enabled version.
We get quite a few questions in the form of "Yes, but if I get infected what does this actually mean?" To sum it all up, it means that:
- Complete control of your computer system is in someone else's hands.
- Any unprotected private information stored on your system is effectively no longer private.
- Your machine can be used to attack other machines on the Internet.
It is true that an unusable machine is of no use to a bot herder, and this is perhaps one of the reasons that the infected nodes making up the Storm botnet remain quite operational from the end user's perspective. It is in the interest of the players behind botnets that infected machines remain operational and that the suspicions of users are not aroused. This is a clear indication of the financial gains available to criminals who can successfully create and manage a botnet. And, at the time of writing this entry, our monitoring systems show that the spammed emails sent from infected systems are all related to the sale of male enhancement pills.
But nothing really hits a point home more than an example involving your money. If you run a company with just 1,000 computers total and you have just 0.5% of your machines infected with the Storm worm, you could be transacting up to 10 gigabytes a day unnecessarily. That's about 3.5 terabytes every year. For those out there who pay per gigabyte for traffic, this is hardly good news.