Storm worm heralds next generation of malware
By Miya Knights,
The success of the 'storm worm' as it has become known since it was first detected in January this year reveals a new level of malware sophistication, according to security experts.
The storm worm or Trojan.Peacomm, that is also known as Nuwar, Tibs and Zhelatin, is the first malware to use peer-to-peer networking (P2P) or mesh topologies to target unsuspecting Microsoft Windows computers across the internet.
Its use of a fully P2P control channel that can aggressively defend itself from attempts to reverse engineer its logic, means that attempts to take down the servers running the worm are ineffective, as each infected PC acts as a hybrid, self-sufficient combined client-server.
Thomas Parsons, Symantec's security response quality assurance manager told IT PRO this worm differs from previous 'botnet' malware that uses the infected PC as a host from which to send out more spam, because of its use of the Overnet protocol, decentralised P2P network.
"We've probably reverse engineered nearly every aspect of peacomm," said Parsons. "But the fact that it's so widely spread means that when a critical mass of PCs is infected it can be self-sustaining."
The storm worm's ability to establish a control channel that allows its infected clients to operate as a coordinated collective or botnet has led many security vendors' estimates as to the actual spread of the worm to vary wildly.
This is because the vendors use different metric approaches to measuring its network size. MessageLabs says there are two million bots, while F-Secure said the botnet is one million strong. And, using a snapshot approach to graph metrics, Secure Science reports an average of just over 53,000 active Peacomm bots.
Symantec's DeepSight Threat Analyst team monitored Peacomm's spam activity over a 24-hour period also using the 'snapshot' approach. Spam messages captured over a 24-hour period by the vendor's anti-spam sensors on 18 August and 18 September found a rise of 1,706 unique IPs for the worm, of which 1,277 were acting as SMTP servers and 429 IPs were acting as HTTP servers.
Parsons said the spread of the worm has been helped by users who don't update their desktop PC's security, as the anti-virus solutions out there are "more than adequate," he added.
"There are additional things that administrators can do at a higher, network level," said Parsons. "When a machine is infected there tends to be a surge in network activity with a increase in packets to other IP addresses coming from the host PC. This is something you can look for at the networking and firewall level."
advertisement
Latest Internet Features
Q&A: DNS inventor Paul Mockapetris
Four months after serious flaws in the internet’s addressing system were proven, its inventor is looking beyond the threats to help bolster web security.
- Q&A: Cuil co-founder Tom Costello
- What does Internet Explorer 8 mean for you?
- Blogging for business
- Social networking in business and branding
- Internet search secrets
- Big IT for CERN's particle smashing experiment
- The saga of Scrabulous
- Q&A: Motorola's enterprise VP John Coon
- IT around the world: Russia
Latest Internet Reviews
Fortinet FortiGate-3810A
Rating: 
advertisement
Latest News Videos in Internet
Video: Q&A with Easynet Connect's Chris Stening
PlayIT PRO spoke to Chris Stening, managing director of Easynet’s SME division, about whether ISPs are giving businesses the service they deserve.
White papers
Want more background on today's hottest IT trends?
Visit IT PRO's white paper library for more on virtualisation, encryption and other topics.
Register for IT PRO
You'll get exclusive member benefits including free white papers, downloads, Webinars and weekly newsletters full of the latest IT PRO news, reviews, insight and expertise.
Social Bookmark this article: What is this?