Home : Networking : News

Storm worm heralds next generation of malware

Aggressive defences and fluctuations in IP traffic prompt security vendors to quantify risk and develop new safeguards.

By Miya Knights, 24 Oct 2007 at 16:10

The success of the 'storm worm' as it has become known since it was first detected in January this year reveals a new level of malware sophistication, according to security experts.

The storm worm or Trojan.Peacomm, that is also known as Nuwar, Tibs and Zhelatin, is the first malware to use peer-to-peer networking (P2P) or mesh topologies to target unsuspecting Microsoft Windows computers across the internet.

Its use of a fully P2P control channel that can aggressively defend itself from attempts to reverse engineer its logic, means that attempts to take down the servers running the worm are ineffective, as each infected PC acts as a hybrid, self-sufficient combined client-server.

Thomas Parsons, Symantec's security response quality assurance manager told IT PRO this worm differs from previous 'botnet' malware that uses the infected PC as a host from which to send out more spam, because of its use of the Overnet protocol, decentralised P2P network.

"We've probably reverse engineered nearly every aspect of peacomm," said Parsons. "But the fact that it's so widely spread means that when a critical mass of PCs is infected it can be self-sustaining."

The storm worm's ability to establish a control channel that allows its infected clients to operate as a coordinated collective or botnet has led many security vendors' estimates as to the actual spread of the worm to vary wildly.

This is because the vendors use different metric approaches to measuring its network size. MessageLabs says there are two million bots, while F-Secure said the botnet is one million strong. And, using a snapshot approach to graph metrics, Secure Science reports an average of just over 53,000 active Peacomm bots.

Symantec's DeepSight Threat Analyst team monitored Peacomm's spam activity over a 24-hour period also using the 'snapshot' approach. Spam messages captured over a 24-hour period by the vendor's anti-spam sensors on 18 August and 18 September found a rise of 1,706 unique IPs for the worm, of which 1,277 were acting as SMTP servers and 429 IPs were acting as HTTP servers.

Parsons said the spread of the worm has been helped by users who don't update their desktop PC's security, as the anti-virus solutions out there are "more than adequate," he added.

"There are additional things that administrators can do at a higher, network level," said Parsons. "When a machine is infected there tends to be a surge in network activity with a increase in packets to other IP addresses coming from the host PC. This is something you can look for at the networking and firewall level."