Storm botnet dies down

According to analysis by the Marshal Threat Research and Content Engineering (TRACE) team, spam originating from the Storm botnet has been dwindling for months and finally ceased altogether in September 2008.

No one knows for sure how many computers Storm succeeded in infecting at its peak; industry estimates currently range from 500,000 to 1 million infected computers at the botnet’s height.

The Storm botnet is said to be the most successful botnet of its type, and was one of the first botnets to use ‘Malicious Spam’ tactics -- using spam to distribute malware -- on a mass scale.

It first came into prominence in January 2007, when the botnet’s creators spammed fake news headlines to entice web users into clicking on links that infected the user’s PC with malware.

One of the earliest such campaigns used a headline describing lethal storms in Europe, which led to the botnet receiving its now notorious name.

“Storm ... established the basic template for developing a spam empire that other botnets have since copied,” said Phil Hay, Lead Threat Analyst for Marshal’s TRACE Team.

“Whoever was behind Storm really set the benchmark at the time for the kind of scale that was achievable with a spambot.”

At its peak in September 2007, Storm was said to be responsible for 20 percent of the world’s spam, including fake e-greeting cards and spam about popular Internet sites such as YouTube.

Its success finally captured the attention of Microsoft. In September 2007, Microsoft began targeting Storm through the Malicious Software Removal Tool, which is estimated to have cleaned 274,372 computers in its first month.

Marshal’s TRACE team reported in January 2008 that Storm had dwindled in the face of competition and Microsoft’s efforts from 20 percent to just 2 percent of spam by volume in the space of four months.

Rival botnets such as Srizbi, Mega-D and Rustock had begun to surpass Storm. In May 2008, Marshal attributed more than 50 percent of all spam in circulation to Srizbi.

While the Storm botnet has no longer been found to be circulating spam, no one is clear on what precisely happened to Storm.

Some suggest that the botnet was sold or morphed into another botnet and still continues to produce spam.

“We have seen occasional surviving Storm bot peers still trying to communicate with each other but the Storm’s command and control servers are unresponsive,” Hay said. “Our data indicates that Storm has stopped.”

“A distinct possibility is that the creators of Storm have abandoned it in favor of a newer botnet that they have created,” he said. “If they have, it is possibly one of the top spam botnets that we continue to track. It seems unlikely that Storm’s creators simply gave up and went home.”

botnetmarshalsecuritystormteamtrace