Storm Ending? Don't Count On It


American and Russian law enforcement agencies have identified some of the masterminds behind the notorious Storm botnet, according to a recent report. But whether the criminals will be arrested, much less whether the arrests will have any impact on the virus, is anyone's guess.

The identities and exact number of those involved could not be released as Russian authorities plod through various legal channels, according to the internetnews.com report. While no arrests have yet been made, a Secure Computing researcher maintained in the article that Russian government agencies are increasingly pursuing Internet criminals and more rigorously enforcing cyber law.

Yet while that might be true, some security researchers say Storm isn't stopping anytime soon -- mainly because the lethal botnet is propelled by highly complex international criminal organizations driven by enormous financial gain. If some of the foot soldiers are apprehended, there are certainly more to take their place, experts said.

"Some of the issues here are that these guys are hard to identify," said Paul Ferguson, network architect for Trend Micro. "It's not just one or two guys. There are probably several different individuals involved here."

"They usually have so many funds controlling everything," echoed Jamz Yaneza, senior threat researcher for Trend Micro. "You have to take the whole organization down."

Since its inception in January 2006, Storm has left a legacy as one of the most destructive bots in history, infecting millions of computers around the world. Affected computers are at the mercy of Trojans and keystroke loggers that can silently transmit passwords, bank account numbers and other valuable information from an unsuspecting user's computer into the hands of criminals.

Experts say that attackers are increasingly finding ways to capitalize on Storm because of its ability to evolve and adapt to its environment -- the botnet mutates about once every 30 minutes, making it impossible for signature-based antivirus products to detect.

Lately Storm has expanded to include phishing as a vehicle for delivering malicious code. So far unsuspecting users have been pelted with a series of holiday messages, solicitations for campaign contributions and news of celebrity deaths, including former Pakistani Prime Minister Benazir Bhutto and actor Heath Ledger. Its latest phishing attempts are part of a series of messages purporting to offer cheap pharmaceuticals.

Lately, experts have linked much of the malicious spam to the Russian Business Network, one of the world's most notorious cybercrime rings, based in St. Petersburg, Russia. Members of the RBN have used variations of Storm to send out copious amounts of phishing spam, using the fast-flux botnet, whose DNS records change constantly, which makes it almost impossible to pinpoint the source of the attacks.
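For defenders, the constantly changing DNS described above is itself a detection signal. The following Python sketch is an added example, not part of the original article: it scores passive-DNS observations for fast-flux behaviour, and the sample records, the /24 grouping and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed passive-DNS observations: (domain, A-record answer, TTL in seconds).
# Names use the reserved .example TLD; addresses are documentation ranges.
OBSERVATIONS = [
    ("cheap-meds.example", "192.0.2.10", 180),
    ("cheap-meds.example", "198.51.100.23", 120),
    ("cheap-meds.example", "203.0.113.77", 180),
    ("cheap-meds.example", "198.51.100.140", 60),
    ("cheap-meds.example", "203.0.113.5", 120),
    ("cheap-meds.example", "192.0.2.200", 180),
    ("pool.example", "192.0.2.1", 60),
    ("pool.example", "192.0.2.2", 60),
    ("pool.example", "192.0.2.3", 60),
    ("pool.example", "192.0.2.4", 60),
    ("pool.example", "192.0.2.5", 60),
    ("intranet.example", "192.0.2.50", 3600),
    ("intranet.example", "192.0.2.50", 3600),
]

def summarize(observations):
    """Per domain: distinct answer IPs, distinct /24 blocks, and observed TTLs."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for domain, ip, ttl in observations:
        entry = stats[domain]
        entry["ips"].add(ip)
        # Assumption: a /24 is a coarse stand-in for "network block"; ASN data is better.
        entry["nets"].add(ip_network(f"{ip}/24", strict=False))
        entry["ttls"].append(ttl)
    return stats

def fast_flux_candidates(observations, min_ips=5, min_nets=3, max_ttl=300):
    """Flag domains whose answers rotate across many hosts in many blocks with short TTLs."""
    flagged = []
    for domain, entry in summarize(observations).items():
        if (len(entry["ips"]) >= min_ips
                and len(entry["nets"]) >= min_nets
                and median(entry["ttls"]) <= max_ttl):
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    print(fast_flux_candidates(OBSERVATIONS))
```

Content delivery networks and round-robin pools can also return many addresses with short TTLs, so a hit is a triage signal to combine with other evidence rather than a verdict.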

"These guys are pretty much operating just as they always have, flying under the radar, making millions of dollars off of unsuspecting users," said Ferguson.

Ferguson said, however, that the organization has since deployed a "divide and conquer" strategy, executing its attacks from numerous locations across the globe in order to avoid international scrutiny.

"They basically attracted too much publicity," said Ferguson. "Basically they just diversified instead of operating out of a single network block, operating in dozens of cheap hosting providers around the world."

Which is precisely why RBN and other cybercrime rings remain so elusive. But would Storm come to a halt if its creators were further pursued by international law enforcement agencies?

"All evidence points to the contrary," said Ferguson. "At this point, knowing who's behind it is not contributing to stopping the criminal organization."