Storm botnet: A Comprehensive Guide to Its History and Impact

Author

Reads 7.9K

Scenic view of a countryside field with dark storm clouds overhead, capturing a moody and dramatic atmosphere.
Credit: pexels.com, Scenic view of a countryside field with dark storm clouds overhead, capturing a moody and dramatic atmosphere.

The Storm botnet was one of the largest and most notorious botnets in history, compromising an estimated 1 million to 2 million computers worldwide.

It was first discovered in January 2007, and its peak activity was in February 2007.

The botnet was known for its DDoS (Distributed Denial of Service) attacks, which overwhelmed websites with traffic and made them inaccessible to users.

The Storm botnet was also used for spamming, with over 1 million spam emails sent per day.

The botnet's command and control (C2) servers were located in the Netherlands and the United States.

The Storm botnet was eventually dismantled in 2008, but not before it had caused significant harm to the internet community.

Origins and Composition

Some information security professionals suspect that well-known fugitive spammers, including Leo Kuvayev, may have been involved in the operation and control of the Storm botnet.

Origins

The Storm botnet's primary method of victim acquisition was through social engineering schemes, which often changed frequently to entice users. Some experts believe the botnet controllers were Russian, possibly linked to the Russian Business Network.

A Person with Mask Using a Computer
Credit: pexels.com, A Person with Mask Using a Computer

The Storm botnet comprised computers running Microsoft Windows as their operating system, and once infected, a computer became a bot that performed automated tasks without its owner's knowledge. These tasks included gathering data on the user, attacking web sites, and forwarding infected e-mail.

The botnet used e-mails with infected attachments to spread the worm, with estimates indicating that 5,000 to 6,000 computers were dedicated to this task. By September 2007, the botnet had sent 1.2 billion virus messages, including a record 57 million on August 22, 2007 alone.

Composition

The composition of [subject] is a fascinating topic. It's made up of various elements that work together to create its unique character.

The primary elements of [subject] are [list primary elements]. These elements are the building blocks of its composition.

The secondary elements of [subject] include [list secondary elements]. These elements add depth and complexity to its composition.

The proportions of [subject] are carefully balanced, with [list proportions]. This balance is crucial to its overall aesthetic appeal.

Worth a look: Mailing List

Black and white cityscape of Bucharest with dramatic storm clouds.
Credit: pexels.com, Black and white cityscape of Bucharest with dramatic storm clouds.

The color palette of [subject] features a range of [list colors]. These colors work together to create a cohesive and visually appealing composition.

The textures of [subject] add depth and interest to its composition. From smooth to rough, the textures of [subject] are expertly combined to create a unique visual experience.

Method and Operation

The Storm botnet's systems take steps to defend itself locally on victims' computer systems. It creates a computer process on the Windows machine that notifies the Storm systems whenever a new program or other processes begin.

This process is designed to fool the local computer system into thinking it has run the hostile program successfully, but in fact, it's not doing anything. The compromised system will assume that security software is running successfully when it's not.

The botnet can make security software appear to run successfully by not terminating the process, making it less suspicious than a process that gets terminated suddenly from the outside. This allows the Storm systems to remain hidden on the compromised system.

Method

Three People Hacking a Computer System
Credit: pexels.com, Three People Hacking a Computer System

The Storm botnet takes steps to defend itself locally on compromised computer systems, creating a process that notifies the Storm systems whenever a new program or process begins.

This process is designed to evade detection by security software, which is a clever move by the botnet's creators. The Storm worms will tell the local computer system to simply not run the security software, or they'll "fool" the system into thinking it has run successfully when it hasn't.

The Storm botnet is particularly sneaky in this regard, as it will even make programs like anti-virus and anti-malware software appear to run successfully, when in fact they're not doing anything. This makes it difficult for compromised users and related security systems to detect the botnet's presence.

The compromised machine becomes merged into a botnet, which acts in a similar way to a peer-to-peer network with no centralized control.

For more insights, see: Domain Name System Blocklist

Rootkit

The Storm Worm's rootkit component, Win32.agent.dh, was installed by the malware, causing some of its author's plans to be flawed. This rootkit was designed to remain hidden on infected computers.

Credit: youtube.com, What Are Rootkit Malware Implants? - Tactical Warfare Experts

Symantec pointed out that the rootkit code was flawed, which compromised its effectiveness. Later variants of the malware loaded the rootkit component by patching existing Windows drivers.

Peter Gutmann estimated that the Storm botnet comprised between 1 and 10 million PCs, although the exact number is disputed. The botnet's size is comparable to massive computing resources like grid computing projects.

The Storm botnet's size was also compared to distributed memory and distributed shared memory high-performance computers. This comparison was made to appreciate the botnet's massive scale.

A network security analyst reported that the Storm botnet had shrunk to about 20,000 active hosts by October 2007. However, this claim was disputed by security researcher Bruce Schneier.

Financial and Security Aspects

The Storm botnet was a massive operation, with the researchers estimating that it could be raking in as much as $7,000 a day, or $9,500 if it was actively conducting a campaign.

The botnet's profit margins were surprisingly low, with a conversion rate of "well under" 0.00001 percent, meaning that out of 350 million email messages sent, only 28 "male enhancement" products were sold for just under $100 each.

Credit: youtube.com, Storm Worm: The Malware that Took Down Warnings of Itself

This works out to a total revenue of $2,731.88 over 26 days, or around $100 a day - a far cry from the estimated daily profits of the botnet.

The botnet's reliance on massive campaigns was likely due to the low profit margins, with the researchers suggesting that even a small increase in the cost of sending an email could have significant ramifications for the botnet industry.

The Storm botnet was also found to be for sale, with portions of it being offered for resale using unique security keys in the encryption of its internet traffic and information.

This partitioning of the botnet indicated likely resale of its services, with security experts warning that if it was broken up for the malware market, the world could see a sharp rise in the number of Storm-related infections and compromised computer systems.

The encryption used by the Storm botnet only seemed to affect systems compromised by it from the second week of October 2007 onwards, making any systems compromised after that time frame difficult to track and block.

Status and Decline

Credit: youtube.com, Infosecurity: Storm botnet - TVtech

The Storm botnet was a massive network of compromised computers that was estimated to have peaked at 1.5 million systems in July 2007.

As of late October 2007, the botnet's size had fallen to approximately 160,000 compromised systems, according to a University of California at San Diego security analyst.

The Storm botnet's composition was constantly changing, and it was still actively defending itself against attacks and observation. This made it difficult for researchers to track its size and behavior.

McAfee reported that the Storm Worm would be the basis of future attacks, and a noted security expert called the Storm botnet a trend-setter that led to more usage of similar tactics by criminals.

The Storm botnet's size remained in the "millions" by early 2008, according to Cisco Systems security experts.

A price war may have been underway between the operators of the Storm botnet and another similar botnet called Nugache, for the sale of their spam email delivery.

You might like: DDoS Attacks on Dyn

Credit: youtube.com, GREENFIST CHALLENGE: STORM BOTNET (GROUP C PRESENTATION)

The Storm botnet may have increased in size by up to 20% over the 2007-2008 Christmas and New Year's holidays, according to the GermanHoneynet Project.

The Storm botnet was sending out spam for more than two years until its decline in late 2008, and a tool called Stormfucker may have made it less interesting for the creators to maintain the botnet by allowing others to take control over parts of it.

Tech Time Warp: No Secret Admirer

In 2008, the FBI had a serious warning for us: those unexpected Valentine's Day e-cards weren't from secret admirers, but from the Storm Worm botnet.

The Storm Worm botnet was first detected in January 2007, following deadly storms in Europe. It promised users a news story, but instead loaded malware that added their computer to the botnet.

The botnet's creators used social engineering to make the e-card appear as if it came from a known contact. They even used a scintillating headline like "FBI vs. Facebook" to draw in victims.

Storm Worm exploited patched vulnerabilities, including QuickTime and WinZip security holes, to do its dirty work.

For more insights, see: 2021 FBI Email Hack

Frequently Asked Questions

How do I know if I am in a botnet?

Excessive processor, hard drive, or fan activity without cause, slow Internet, or slow reboots and shutdowns may indicate botnet activity. If you're experiencing these issues, it's essential to investigate further to determine the root cause and take corrective action

Is a botnet a virus?

A botnet is not a virus itself, but rather a network of infected computers controlled by malware, including viruses. Malware is the underlying cause of a botnet, not the botnet itself.

Danny Orlandini

Writer

Danny Orlandini is a passionate writer, known for his engaging and thought-provoking blog posts. He has been writing for several years and has developed a unique voice that resonates with readers from all walks of life. Danny's love for words and storytelling is evident in every piece he creates.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.