
Storm Botnet

www.f-secure.com/v-descs/email-worm_w32_zhelatin_cq.shtml

This sounds like a plot from science fiction or a bad horror movie. Picture a crazed, evil scientist laughing with glee as he proclaims, "Nyah ha ha ha ha ha! Soon my specially engineered supervirus will take over millions of machines all over the world! They will all become mindless zombie slaves, and they will obey OUR commands! We will take over the world!!!"

Believe it or not, this is exactly what is happening today, right now, as you read this! Only the creator of this mysterious monster isn't a mad scientist, and his creation wasn't bred in a secret military lab. The supervirus is spread through email spam, and it is infecting millions of computers across the world right now. If this happens to you, it turns your PC into a zombie. Your PC is wide open to commands from the virus operators, but because it is running in the background (and you're not using anti-virus software), you don't even know that your machine is infected. The infected machines (including yours) are all linked together, and they are joining into a huge, monstrous network of computers known as the Storm Botnet. (The name for this worm in Russian is Zhelatin. This particular network has been running rampant across the Internet since April of 2007, affecting PCs worldwide.) Once the network is up and running, the operator of the network can command all of the millions of zombie PCs in the botnet to send out spam (containing the virus), at the rate of millions of emails per day. What's more, they can also make the zombies all point towards a single target (or multiple targets) and launch sophisticated DDoS (Distributed Denial of Service) attacks at those targets, overwhelming their Web hosts and causing the sites to crash and burn.

How is this happening? It's happening because people are stupid! The "zhelatin" virus is known to anti-virus software developers…but all the anti-virus protections in the world won't stop this virus from infecting PCs because it preys on human stupidity. Every day, millions upon millions of spam emails are showing up in people's email. You'd think people would be smart enough not to open emails with such obvious titles as "A family member sent you an e-card!" (without saying who the family member is), or "Dude, this band isn't on MTV yet!" or "Here are the latest NFL stats." But every day people open up these obvious troll emails, and their PCs are infected by the Storm worm without their even realizing it.
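The lure subjects above are the only visible sign of a Storm mail before the attachment or link is opened, so a mail gateway can act on them. The following Python triage routine is an added example, not code from this page or from any anti-virus vendor: it parses a message with the standard `email` module, flags the subject lines the page lists, and treats an executable-type attachment or a link in the body as the delivery vector. The sample messages are constructed (the `192.0.2.0/24` address is a documentation range), and the attachment-extension list, the bare-IP-link heuristic and the verdict thresholds are assumptions chosen for the example.

```python
"""Triage helper for Storm-style lure mails.

Added example, not code from the page or from any named product.
Assumptions (not from the page): RISKY_EXTENSIONS, the bare-IP-link
heuristic, and the quarantine/review/deliver thresholds.
"""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Subject lines the page names as Storm lures; matched case-insensitively.
LURE_SUBJECTS = {
    "a family member sent you an e-card!",
    "dude, this band isn't on mtv yet!",
    "here are the latest nfl stats.",
}

# Attachment types treated as a code-delivery vector (assumption for this example).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_message(raw: str) -> EmailMessage:
    """Parse an RFC 5322 message using the modern EmailMessage policy."""
    return email.message_from_string(raw, policy=policy.default)


def extract_urls(msg: EmailMessage) -> list:
    """Return the http(s) URLs found in the preferred text body, if any."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body is not None else []


def is_bare_ip_link(url: str) -> bool:
    """True when the link host is a literal IP address rather than a hostname."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw: str) -> dict:
    """Score one raw message; a lure subject plus a delivery vector is quarantined."""
    msg = parse_message(raw)
    reasons = []

    subject = str(msg["subject"] or "").strip().lower()
    lure = subject in LURE_SUBJECTS
    if lure:
        reasons.append("subject matches a known Storm lure")

    risky_attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            risky_attachments.append(name)
            reasons.append(f"risky attachment: {name}")

    urls = extract_urls(msg)
    ip_links = [u for u in urls if is_bare_ip_link(u)]
    reasons += [f"link to a bare IP address: {u}" for u in ip_links]

    # A lure subject alone is ordinary spam; a lure plus a way to deliver code
    # (attachment or link) is the pattern the page describes.
    if lure and (risky_attachments or urls):
        verdict = "quarantine"
    elif lure or risky_attachments or ip_links:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"subject": subject, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real captures).
ECARD_WITH_ZIP = """\
From: "E-Card Service" <noreply@example.invalid>
To: user@example.invalid
Subject: A family member sent you an e-card!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

You have received an e-card. Open the attached file to view it.
--b1
Content-Type: application/zip; name="ecard.zip"
Content-Disposition: attachment; filename="ecard.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

BAND_WITH_IP_LINK = """\
From: "Music Fan" <fan@example.invalid>
To: user@example.invalid
Subject: Dude, this band isn't on MTV yet!
Content-Type: text/plain; charset="us-ascii"

Check out their video: http://192.0.2.10/video.exe
"""

LUNCH = """\
From: friend@example.invalid
To: user@example.invalid
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="us-ascii"

Still on for noon? The menu is at http://example.invalid/menu
"""

if __name__ == "__main__":
    for raw in (ECARD_WITH_ZIP, BAND_WITH_IP_LINK, LUNCH):
        print(triage(raw))
```

The verdict logic deliberately separates "lure" from "vector": the lunch mail contains a link but no lure and is delivered, while either lure sample is quarantined only because it also carries a way to run code. Extending `LURE_SUBJECTS` is how such a filter keeps up when the operators rotate subject lines, which is why a subject match alone is never the only signal.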

A message about the botnet posted to the Evil Avatar gaming forums describes it as follows:

Alright, a little history: the Storm Worm (actually a trojan) first picked up attention on January 12, 2007 when anti-spam websites got hammered with DDoS (Distributed Denial of Service) attacks, and was officially discovered on January 17, 2007.
No big deal, right? It's probably like every other botnet and will sooner or later get shut down when the central server gets shut down.
Then it starts sending out spam, tons of it. Not just regular spam, but smart spam that's relevant. There's a storm in Europe, send them spam that says something about it, and the website or attachment installs the exploits and you're part of the botnet. Other topics that sounded legitimate were used, and the Storm Worm quite literally exploded across the internet, accounting for a massive percent of infections across the globe.
In just a short time it became one of the most powerful and massive botnets in existence, and as time progressed it started to change its method of delivery and the code actually updates itself. It incorporates a rootkit to hide itself from antivirus and malware scanners. If a network scans for it, it hits the scanning computer and others linked to it in a massive DDoS attack.
It operates more like a P2P network off the eDonkey protocol, which makes it almost impossible to shut down, and is set up in tiers and super-tiers that coordinate the spread and subsequent installation of the trojan. [1]
– message posted Sept. 7, 2007, by user pirateTITAN

How powerful is the botnet? As of September 2007, Internet security and antispam organizations report that it is very probably the most powerful supercomputer in the entire world. An Information Week article from September 6, 2007 states: "If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." [2]

Who owns the botnet? Russian spammers do. One report on the botnet notes: "The Storm botnet is (probably) owned by a large scale Russian spammer called Zliden with links to Kuvayev and Yambo. MessageLabs knows very little about the inside operations of it because obviously those spammers don't want people to find out." [3]

(Kuvayev is a mega-spammer named Leo Kuvayev, who in 2005 ran afoul of Massachusetts authorities for running one of the world's biggest spam operations. Apparently he is now in cahoots with criminal Russian spammers about whom we know very little.
Meanwhile, Yambo refers to Yambo Financials, a Ukraine-based spam gang organization specializing in criminal fraud and scams: genuine child porn, bogus medications and "pharmacies," pirated software, and other unsavory activities.)

Okay, so you're a criminal spammer with control of the most powerful computer network on the planet. What do you do with it? That's what authorities and networks around the world are watching and waiting to see. Its zombie bots are sending out unending floods of tens of millions of virus-laced spam emails every day, and it is growing and becoming stronger each day; but the real threat stems from what happens when all of this vast power is focused on any particular target. One clue as to what the Internet can expect from the Storm network came in September 2007, when the botnet flexed its muscles and shut down a number of very popular anti-fraud and anti-scamming Web sites, including 419 Eater, Scamwarners, Artists Against 419, and other anti-scam sites. Spam watchers speculate that scammers and other criminals paid the Storm gang to take these sites down. [4]

However, because people are stupid and millions of spam emails are sent out every day, the Storm Botnet isn't likely to make mainstream news unless its operators do something really big to get millions of people – and major law enforcement – ticked off at them. But who knows? Their egos might get the better of them, and they might do something exceptionally stupid, such as taking down Google Blogger or the network of a major American bank. When that happens, you can bet the Department of Homeland Security will get on their case and label them "terrorists." Which is what spammers really are…except that no one seems to care about that.

So what can you do to keep your PC from being taken over by the Storm Botnet…or any other zombie programs? A little common sense goes a long way:

See also: a video explaining the Storm Botnet's activities