Storm botnet
Encyclopedia
The Storm botnet or Storm worm botnet (not to be confused with StormBot, which is a TCL script that is not malicious) is a remotely controlled network of "zombie" computers
(or "botnet
") that have been linked by the Storm Worm
, a Trojan horse
spread through e-mail spam
. Some have estimated that by September 2007 the Storm botnet was running on anywhere from 1 million to 50 million computer systems. Other sources have placed the size of the botnet to be around 250,000 to 1 million compromised systems. More conservatively, one network security analyst claims to have developed software that has crawled the botnet and estimates that it controls 160,000 infected computers. The Storm botnet was first identified around January 2007, with the Storm worm at one point accounting for 8% of all malware
on Microsoft Windows
computers.
The Storm botnet has been used in a variety of criminal activities. Its controllers and the authors of the Storm Worm have not yet been identified. The Storm botnet has displayed defensive behaviors that indicated that its controllers were actively protecting the botnet against attempts at tracking and disabling it. The botnet has specifically attacked the online operations of some security vendors and researchers who attempted to investigate the botnet. Security expert Joe Stewart revealed that in late 2007, the operators of the botnet began to further decentralize their operations, in possible plans to sell portions of the Storm botnet to other operators. Some reports as of late 2007 indicated the Storm botnet to be in decline, but many security experts reported that they expect the botnet to remain a major security risk online, and the United States
Federal Bureau of Investigation
considers the botnet a major risk to increased bank fraud
, identity theft
, and other cybercrime
s.
The botnet is reportedly powerful enough as of September 2007 to force entire countries off the Internet, and is estimated to be capable of executing more instructions per second
than some of the world's top supercomputer
s. However, it is not a completely accurate comparison, according to security analyst James Turner, who said that comparing a botnet to a supercomputer is like comparing an army of snipers to a nuclear weapon. Bradley Anstis, of the United Kingdom
security firm Marshal, said, "The more worrying thing is bandwidth. Just calculate four million times a standard ADSL connection. That's a lot of bandwidth. It's quite worrying. Having resources like that at their disposal—distributed around the world with a high presence and in a lot of countries—means they can deliver very effective distributed attacks against hosts
."
-related subject lines its infectious e-mail
employed initially, such as "230 dead as storm batters Europe." Later provocative subjects included, "Chinese missile shot down USA aircraft," and "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel." It is suspected by some information security
professionals that well-known fugitive spammers, including Leo Kuvayev
, may be involved in the operation and control of the Storm botnet. According to technology journalist Daniel Tynan
, writing under his "Robert X. Cringely
" pseudonym, a great portion of the fault for the existence of the Storm botnet lay with Microsoft
and Adobe Systems
. Other sources state that Storm Worm's primary method of victim acquisition is through enticing users via frequently changing social engineering (confidence trick
ery) schemes. According to Patrick Runald, the Storm botnet has a strong American focus, and likely has agents working to support it within the United States. Some experts, however, believe the Storm botnet controllers are Russia
n, some pointing specifically at the Russian Business Network
, citing that the Storm software mentions a hatred of the Moscow
-based security firm Kaspersky Lab
, and includes the Russian word "buldozhka," which means "bulldog
."
as their operating system
. Once infected, a computer becomes known as a bot. This bot then performs automated tasks—anything from gathering data on the user, to attacking web sites, to forwarding infected e-mail—without its owner's knowledge or permission. Estimates indicate that 5,000 to 6,000 computers are dedicated to propagating the spread of the worm through the use of e-mails with infected attachments; 1.2 billion virus messages have been sent by the botnet through September 2007, including a record 57 million on August 22, 2007 alone. Lawrence Baldwin, a computer forensics
specialist, was quoted as saying, "Cumulatively, Storm is sending billions of messages a day. It could be double digits in the billions, easily." One of the methods used to entice victims to infection-hosting web sites are offers of free music, for artists such as Beyoncé Knowles
, Kelly Clarkson
, Rihanna
, The Eagles, Foo Fighters
, R. Kelly
, and Velvet Revolver
. Signature-based detection, the main defense of most computer systems against virus and malware infections, is hampered by the large number of Storm variants.
Back-end servers that control the spread of the botnet and Storm worm automatically re-encode their distributed infection software twice an hour, for new transmissions, making it difficult for anti-virus vendors to stop the virus and infection spread. Additionally, the location of the remote servers which control the botnet are hidden behind a constantly changing DNS
technique called ‘fast flux
’, making it difficult to find and stop virus hosting sites and mail servers. In short, the name and location of such machines are frequently changed and rotated, often on a minute by minute basis. The Storm botnet's operators control the system via peer-to-peer
techniques, making external monitoring and disabling of the system more difficult. There is no central "command-and-control
point" in the Storm botnet that can be shut down. The botnet also makes use of encrypted
traffic. Efforts to infect computers usually revolve around convincing people to download e-mail attachment
s which contain the virus through subtle manipulation
. In one instance, the botnet's controllers took advantage of the National Football League
's opening weekend, sending out mail offering "football tracking programs" which did nothing more than infect a user's computer. According to Matt Sergeant, chief anti-spam
technologist
at MessageLabs
, "In terms of power, [the botnet] utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." It is estimated that only 10%-20% of the total capacity and power of the Storm botnet is currently being used.
Computer security expert Joe Stewart detailed the process by which compromised machines join the botnet: attempts to join the botnet are made by launching a series of EXE
files on the said machine, in stages. Usually, they are named in a sequence from game0.exe through game5.exe, or similar. It will then continue launching executables in turn. They typically perform the following:
At each stage the compromised system will connect into the botnet; fast flux
DNS makes tracking this process exceptionally difficult.
This code is run from %windir%\system32\wincom32.sys on a Windows system, via a kernel rootkit
, and all connections back to the botnet are sent through a modified version of the eDonkey
/Overnet
communications protocol.
security researcher, "This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit." Researchers are still unsure if the botnet's defenses and counter attacks are a form of automation, or manually executed by the system's operators. "If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously. [Over at] SecureWorks
, a chunk of it DDoS-ed [distributed-denial-of-service attacked] a researcher off the network. Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it punishes them. It fights back," Corman said.
Spameater.com as well as other sites such as 419eater.com
and Artists Against 419
, both of which deal with 419 spam e-mail fraud
, have experienced DDoS attacks, temporarily rendering them completely inoperable. The DDoS attacks consist of making massed parallel network calls to those and other target IP addresses, overloading the servers' capacities and preventing them from responding to requests. Other anti-spam and anti-fraud groups, such as the Spamhaus Project, were also attacked. The webmaster of Artists Against 419 said that the website's server succumbed after the attack increased to over 100Mbit
. As the theoretical maximum is never practically attainable, the number of machines used may have been as much as twice that many, and similar attacks were perpetrated against over a dozen anti-fraud site hosts. Jeff Chan, a spam researcher, stated, "In terms of mitigating Storm, it's challenging at best and impossible at worst since the bad guys control many hundreds of megabits of traffic. There's some evidence that they may control hundreds of Gigabits of traffic, which is enough to force some countries off the Internet."
The Storm botnet's systems also take steps to defend itself locally, on victims' computer systems. The botnet, on some compromised systems, creates a computer process on the Windows machine that notifies the Storm systems whenever a new program or other processes begin. Previously, the Storm worms locally would tell the other programs — such as anti-virus, or anti-malware software, to simply not run. However, according to IBM security research, versions of Storm also now simply "fool" the local computer system to run the hostile program successfully, but in fact, they are not doing anything. "Programs, including not just AV exes
, dlls
and sys
files, but also software such as the P2P
applications BearShare
and eDonkey
, will appear to run successfully, even though they didn't actually do anything, which is far less suspicious than a process that gets terminated suddenly from the outside," said Richard Cohen of Sophos
. Compromised users, and related security systems, will assume that security software is running successfully when it in fact is not.
On September 17, 2007, a Republican Party
website in the United States
was compromised, and used to propagate the Storm worm and botnet. In October 2007, the botnet took advantage of flaws in YouTube
's captcha
application on its mail systems, to send targeted spam e-mails to Xbox
owners with a scam involving winning a special version of the video game Halo 3
. Other attack methods include using appealing animated images of laughing cats to get people to click on a trojan software download, and tricking users of Yahoo!
's GeoCities
service to download software that was claimed to be needed to use GeoCities itself. The GeoCities attack in particular was called a "full-fledged attack vector" by Paul Ferguson of Trend Micro
, and implicated members of the Russian Business Network
, a well-known spam and malware service. On Christmas Eve in 2007, the Storm botnet began sending out holiday-themed messages revolving around male interest in women, with such titles as "Find Some Christmas Tail", "The Twelve Girls of Christmas," and "Mrs. Claus Is Out Tonight!" and photos of attractive women. It was described as an attempt to draw more unprotected systems into the botnet and boost its size over the holidays, when security updates from protection vendors may take longer to be distributed. A day after the e-mails with Christmas stripper
s were distributed, the Storm botnet operators immediately began sending new infected e-mails that claimed to wish their recipients a "Happy New Year 2008!"
In January 2008, the botnet was detected for the first time to be involved in phishing
attacks against major financial institutions, targeting both Barclays and Halifax.
of Sophos said, "Storm's use of encrypted traffic is an interesting feature which has raised eyebrows in our lab. Its most likely use is for the cybercriminals to lease out portions of the network for misuse. It wouldn't be a surprise if the network was used for spamming, distributed denial-of-service attacks, and other malicious activities." Security experts reported that if Storm is broken up for the malware market, in the form of a "ready-to-use botnet-making spam kit", the world could see a sharp rise in the number of Storm related infections and compromised computer systems. The encryption only seems to affect systems compromised by Storm from the second week of October 2007 onwards, meaning that any of the computer systems compromised before that time frame will remain difficult to track and block.
Within days of the discovery of this segmenting of the Storm botnet, spam e-mail from the new subsection was uncovered by major security vendors. In the evening of October 17, security vendors began seeing new spam with embedded MP3
sound files, which attempted to trick victims into investing in a penny stock
, as part of an illegal pump-and-dump stock scam. It was believed that this was the first-ever spam e-mail scam that made use of audio to fool victims. Unlike nearly all other Storm-related e-mails, however, these new audio stock scam messages did not include any sort of virus or Storm malware payload; they simply were part of the stock scam.
In January 2008, the botnet was detected for the first time to be involved in phishing
attacks against the customers of major financial institutions, targeting banking establishments in Europe
including Barclays, Halifax and the Royal Bank of Scotland
. The unique security keys used indicated to F-Secure
that segments of the botnet were being leased.
(MSRT) may have helped reduce the size of the botnet by up to 20%. The new patch, as claimed by Microsoft, removed Storm from approximately 274,372 infected systems out of 2.6 million scanned Windows systems. However, according to senior security staff at Microsoft, "the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the 'Storm' botnet," indicating that the MSRT cleaning may have been symbolic at best.
As of late October 2007, some reports indicated that the Storm botnet was losing the size of its Internet footprint, and was significantly reduced in size. Brandon Enright, a University of California at San Diego
security analyst, estimated that the botnet had by late October fallen to a size of approximately 160,000 compromised systems, from Enright's previous estimated high in July 2007 of 1,500,000 systems. Enright noted, however, that the botnet's composition was constantly changing, and that it was still actively defending itself against attacks and observation. "If you're a researcher and you hit the pages hosting the malware too much… there is an automated process that automatically launches a denial of service [attack] against you," he said, and added that his research caused a Storm botnet attack that knocked part of the UC San Diego network offline.
The computer security company McAfee
is reported as saying that the Storm Worm would be the basis of future attacks. Craig Schmugar, a noted security expert who discovered the Mydoom worm, called the Storm botnet a trend-setter, which has led to more usage of similar tactics by criminals. One such derivative botnet has been dubbed the "Celebrity Spam Gang", due to their use of similar technical tools as the Storm botnet controllers. Unlike the sophisticated social engineering that the Storm operators use to entice victims, however, the Celebrity spammers make use of offers of nude images of celebrities such as Angelina Jolie
and Britney Spears
. Cisco Systems
security experts stated in a report that they believe the Storm botnet would remain a critical threat in 2008, and said they estimated that its size remained in the "millions".
As of early 2008, the Storm botnet also found business competition in its black hat
economy, in the form of Nugache, another similar botnet which was first identified in 2006. Reports have indicated a price war may be underway between the operators of both botnets, for the sale of their spam E-mail delivery. Following the Christmas
and New Year's
holidays bridging 2007-2008, the researchers of the German
Honeynet
Project reported that the Storm botnet may have increased in size by up to 20% over the holidays. The MessageLabs Intelligence report dated March 2008 estimates that over 20% of all spam on the Internet originates from Storm.
made an announcement that the so-called "rumors" of a Stormbot 2 were verified. Mark Schloesser, Tillmann Werner, and Felix Leder, the German researchers who did a lot of work in analyzing the original Storm, found that around two-thirds of the “new” functions are a copy and paste from the last Storm code base. The only thing missing is the P2P
infrastructure, perhaps because of the tool which used P2P to bring down the original Storm. Honeynet blog dubbed this Stormbot 2.
Zombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
(or "botnet
Botnet
A botnet is a collection of compromised computers connected to the Internet. Termed "bots," they are generally used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet...
") that have been linked by the Storm Worm
Storm Worm
The Storm Worm is a backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007...
, a Trojan horse
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
spread through e-mail spam
E-mail spam
Email spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
. Some have estimated that by September 2007 the Storm botnet was running on anywhere from 1 million to 50 million computer systems. Other sources have placed the size of the botnet to be around 250,000 to 1 million compromised systems. More conservatively, one network security analyst claims to have developed software that has crawled the botnet and estimates that it controls 160,000 infected computers. The Storm botnet was first identified around January 2007, with the Storm worm at one point accounting for 8% of all malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
on Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
computers.
The Storm botnet has been used in a variety of criminal activities. Its controllers and the authors of the Storm Worm have not yet been identified. The Storm botnet has displayed defensive behaviors that indicated that its controllers were actively protecting the botnet against attempts at tracking and disabling it. The botnet has specifically attacked the online operations of some security vendors and researchers who attempted to investigate the botnet. Security expert Joe Stewart revealed that in late 2007, the operators of the botnet began to further decentralize their operations, in possible plans to sell portions of the Storm botnet to other operators. Some reports as of late 2007 indicated the Storm botnet to be in decline, but many security experts reported that they expect the botnet to remain a major security risk online, and the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
Federal Bureau of Investigation
Federal Bureau of Investigation
The Federal Bureau of Investigation is an agency of the United States Department of Justice that serves as both a federal criminal investigative body and an internal intelligence agency . The FBI has investigative jurisdiction over violations of more than 200 categories of federal crime...
considers the botnet a major risk to increased bank fraud
Bank fraud
Bank fraud is the use of fraudulent means to obtain money, assets, or other property owned or held by a financial institution, or to obtain money from depositors by fraudulently representing to be a bank or financial institution. In many instances, bank fraud is a criminal offense...
, identity theft
Identity theft
Identity theft is a form of stealing another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name...
, and other cybercrime
CyberCrime
CyberCrime was an innovative, weekly America television program on TechTV that focused on the dangers facing computer users. Filmed in San Francisco, California, the show was hosted by Alex Wellen and Jennifer London...
s.
The botnet is reportedly powerful enough as of September 2007 to force entire countries off the Internet, and is estimated to be capable of executing more instructions per second
Instructions per second
Instructions per second is a measure of a computer's processor speed. Many reported IPS values have represented "peak" execution rates on artificial instruction sequences with few branches, whereas realistic workloads typically lead to significantly lower IPS values...
than some of the world's top supercomputer
Supercomputer
A supercomputer is a computer at the frontline of current processing capacity, particularly speed of calculation.Supercomputers are used for highly calculation-intensive tasks such as problems including quantum physics, weather forecasting, climate research, molecular modeling A supercomputer is a...
s. However, it is not a completely accurate comparison, according to security analyst James Turner, who said that comparing a botnet to a supercomputer is like comparing an army of snipers to a nuclear weapon. Bradley Anstis, of the United Kingdom
United Kingdom
The United Kingdom of Great Britain and Northern IrelandIn the United Kingdom and Dependencies, other languages have been officially recognised as legitimate autochthonous languages under the European Charter for Regional or Minority Languages...
security firm Marshal, said, "The more worrying thing is bandwidth. Just calculate four million times a standard ADSL connection. That's a lot of bandwidth. It's quite worrying. Having resources like that at their disposal—distributed around the world with a high presence and in a lot of countries—means they can deliver very effective distributed attacks against hosts
Web hosting service
A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own or lease for use by their clients as well as providing Internet...
."
Origins
First detected on the Internet in January 2007, the Storm botnet and worm are so-called because of the stormStorm
A storm is any disturbed state of an astronomical body's atmosphere, especially affecting its surface, and strongly implying severe weather...
-related subject lines its infectious e-mail
E-mail
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
employed initially, such as "230 dead as storm batters Europe." Later provocative subjects included, "Chinese missile shot down USA aircraft," and "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel." It is suspected by some information security
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
professionals that well-known fugitive spammers, including Leo Kuvayev
Leo Kuvayev
Leonid Aleksandrovitch Kuvayev, , who usually goes by the name of Leo, is a Russian/American spammer believed to be the ringleader of one of the world's biggest spam gangs. In 2005, he and six business partners were fined $37 million as a result of a lawsuit brought by the Massachusetts attorney...
, may be involved in the operation and control of the Storm botnet. According to technology journalist Daniel Tynan
Daniel Tynan
Daniel Tynan is an American journalist, television and radio commentator who specializes in technology, humor, and humorous takes on technology. A contributing editor for PC World, InfoWorld.com, and Family Circle magazine, he recently launched a new Geek Humor Web site titled eSarcasm, along with...
, writing under his "Robert X. Cringely
Robert X. Cringely
Robert X. Cringely is the pen name of both technology journalist Mark Stephens and a string of writers for a column in InfoWorld, the one-time weekly computer trade newspaper published by IDG.- Biography :...
" pseudonym, a great portion of the fault for the existence of the Storm botnet lay with Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
and Adobe Systems
Adobe Systems
Adobe Systems Incorporated is an American computer software company founded in 1982 and headquartered in San Jose, California, United States...
. Other sources state that Storm Worm's primary method of victim acquisition is through enticing users via frequently changing social engineering (confidence trick
Confidence trick
A confidence trick is an attempt to defraud a person or group by gaining their confidence. A confidence artist is an individual working alone or in concert with others who exploits characteristics of the human psyche such as dishonesty and honesty, vanity, compassion, credulity, irresponsibility,...
ery) schemes. According to Patrick Runald, the Storm botnet has a strong American focus, and likely has agents working to support it within the United States. Some experts, however, believe the Storm botnet controllers are Russia
Russia
Russia or , officially known as both Russia and the Russian Federation , is a country in northern Eurasia. It is a federal semi-presidential republic, comprising 83 federal subjects...
n, some pointing specifically at the Russian Business Network
Russian Business Network
The Russian Business Network is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale...
, citing that the Storm software mentions a hatred of the Moscow
Moscow
Moscow is the capital, the most populous city, and the most populous federal subject of Russia. The city is a major political, economic, cultural, scientific, religious, financial, educational, and transportation centre of Russia and the continent...
-based security firm Kaspersky Lab
Kaspersky Lab
Kaspersky Lab is a Russian computer security company, co-founded by Natalia Kaspersky and Eugene Kaspersky in 1997, offering anti-virus, anti-spyware, anti-spam, and anti-intrusion products...
, and includes the Russian word "buldozhka," which means "bulldog
Bulldog
Bulldog is the name for a breed of dog commonly referred to as the English Bulldog. Other Bulldog breeds include the American Bulldog, Olde English Bulldogge and the French Bulldog. The Bulldog is a muscular heavy dog with a wrinkled face and a distinctive pushed-in nose...
."
Composition
The botnet, or zombie network, comprises computers running Microsoft WindowsMicrosoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
as their operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
. Once infected, a computer becomes known as a bot. This bot then performs automated tasks—anything from gathering data on the user, to attacking web sites, to forwarding infected e-mail—without its owner's knowledge or permission. Estimates indicate that 5,000 to 6,000 computers are dedicated to propagating the spread of the worm through the use of e-mails with infected attachments; 1.2 billion virus messages have been sent by the botnet through September 2007, including a record 57 million on August 22, 2007 alone. Lawrence Baldwin, a computer forensics
Forensics
Forensic science is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action...
specialist, was quoted as saying, "Cumulatively, Storm is sending billions of messages a day. It could be double digits in the billions, easily." One of the methods used to entice victims to infection-hosting web sites are offers of free music, for artists such as Beyoncé Knowles
Beyoncé Knowles
Beyoncé Giselle Knowles , often known simply as Beyoncé, is an American singer, songwriter, record producer, and actress. Born and raised in Houston, Texas, she enrolled in various performing arts schools and was first exposed to singing and dancing competitions as a child...
, Kelly Clarkson
Kelly Clarkson
Kelly Brianne Clarkson is an American pop rock singer-songwriter and actress. Clarkson came into prominence after becoming the winner of the inaugural season of the television series American Idol in 2002 and would later become the runner-up in the television special World Idol in 2003.In 2003,...
, Rihanna
Rihanna
Robyn Rihanna Fenty , better known as simply Rihanna, is a Barbadian recording artist. Born in Saint Michael, Barbados, Rihanna moved to the United States at the age of 16 to pursue a recording career under the guidance of record producer Evan Rogers...
, The Eagles, Foo Fighters
Foo Fighters
Foo Fighters is an American alternative rock band originally formed in 1994 by Nirvana drummer Dave Grohl as a one-man project following the dissolution of his previous band. The band got its name from the UFOs and various aerial phenomena that were reported by Allied aircraft pilots in World War...
, R. Kelly
R. Kelly
Robert Sylvester Kelly , better known by his stage name R. Kelly, is an American singer-songwriter and record producer. A native of Chicago, Kelly began performing during the late 1980s and debuted in 1992 with the group Public Announcement. In 1993, Kelly went solo with the album 12 Play...
, and Velvet Revolver
Velvet Revolver
Velvet Revolver is an American hard rock supergroup consisting of former Guns N' Roses members Slash, Duff McKagan, and Matt Sorum, alongside Dave Kushner formerly of punk band Wasted Youth. Stone Temple Pilots vocalist Scott Weiland was Velvet Revolver's lead singer from their formation until...
. Signature-based detection, the main defense of most computer systems against virus and malware infections, is hampered by the large number of Storm variants.
Back-end servers that control the spread of the botnet and Storm worm automatically re-encode their distributed infection software twice an hour, for new transmissions, making it difficult for anti-virus vendors to stop the virus and infection spread. Additionally, the location of the remote servers which control the botnet are hidden behind a constantly changing DNS
Domain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
technique called ‘fast flux
Fast flux
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy...
’, making it difficult to find and stop virus hosting sites and mail servers. In short, the name and location of such machines are frequently changed and rotated, often on a minute by minute basis. The Storm botnet's operators control the system via peer-to-peer
Peer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
techniques, making external monitoring and disabling of the system more difficult. There is no central "command-and-control
Command and Control (military)
Command and control, or C2, in a military organization can be defined as the exercise of authority and direction by a properly designated commanding officer over assigned and attached forces in the accomplishment of the mission...
point" in the Storm botnet that can be shut down. The botnet also makes use of encrypted
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
traffic. Efforts to infect computers usually revolve around convincing people to download e-mail attachment
E-mail attachment
An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message, and be sent along with it to the recipient. This is typically used as a simple method to share documents and images...
s which contain the virus through subtle manipulation
Social engineering (security)
Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information...
. In one instance, the botnet's controllers took advantage of the National Football League
National Football League
The National Football League is the highest level of professional American football in the United States, and is considered the top professional American football league in the world. It was formed by eleven teams in 1920 as the American Professional Football Association, with the league changing...
's opening weekend, sending out mail offering "football tracking programs" which did nothing more than infect a user's computer. According to Matt Sergeant, chief anti-spam
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
technologist
Technology
Technology is the making, usage, and knowledge of tools, machines, techniques, crafts, systems or methods of organization in order to solve a problem or perform a specific function. It can also refer to the collection of such tools, machinery, and procedures. The word technology comes ;...
at MessageLabs
MessageLabs
Symantec.cloud, is a major provider of integrated messaging and web security services , with over 19,000 clients ranging from small business to the Fortune 500 located in more than 86 countries and the United Kingdom Parliament...
, "In terms of power, [the botnet] utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." It is estimated that only 10%-20% of the total capacity and power of the Storm botnet is currently being used.
Computer security expert Joe Stewart detailed the process by which compromised machines join the botnet: attempts to join the botnet are made by launching a series of EXE
EXE
EXE is the common filename extension denoting an executable file in the DOS, OpenVMS, Microsoft Windows, Symbian, and OS/2 operating systems....
files on the said machine, in stages. Usually, they are named in a sequence from game0.exe through game5.exe, or similar. It will then continue launching executables in turn. They typically perform the following:
-
game0.exe
- Backdoor/downloader -
game1.exe
- SMTP relay -
game2.exe
- E-mail address stealer -
game3.exe
- E-mail virus spreader -
game4.exe
- Distributed denial of service (DDoS) attack tool -
game5.exe
- Updated copy of Storm Worm dropper
At each stage the compromised system will connect into the botnet; fast flux
Fast flux
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy...
DNS makes tracking this process exceptionally difficult.
This code is run from %windir%\system32\wincom32.sys on a Windows system, via a kernel rootkit
Rootkit
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
, and all connections back to the botnet are sent through a modified version of the eDonkey
EDonkey network
The eDonkey network is a decentralized, mostly server-based, peer-to-peer file sharing network best suited to share big files among users, and to provide long term availability of files...
/Overnet
Overnet
Overnet was a decentralized peer-to-peer computer network, usually used for sharing large files . Overnet implements the Kademlia algorithm. In late 2006, Overnet and all Overnet-owned resources were taken down as a result of legal actions from the RIAA and others...
communications protocol.
Methodology
The Storm botnet and its variants employ a variety of attack vectors, and a variety of defensive steps exist as well. The Storm botnet was observed to be defending itself, and attacking computer systems that scanned for Storm virus-infected computer systems online. The botnet will defend itself with DDoS counter-attacks, to maintain its own internal integrity. At certain points in time, the Storm worm used to spread the botnet has attempted to release hundreds or thousands of versions of itself onto the Internet, in a concentrated attempt to overwhelm the defenses of anti-virus and malware security firms. According to Joshua Corman, an IBMIBM
International Business Machines Corporation or IBM is an American multinational technology and consulting corporation headquartered in Armonk, New York, United States. IBM manufactures and sells computer hardware and software, and it offers infrastructure, hosting and consulting services in areas...
security researcher, "This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit." Researchers are still unsure if the botnet's defenses and counter attacks are a form of automation, or manually executed by the system's operators. "If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously. [Over at] SecureWorks
SecureWorks
SecureWorks, Inc Headquartered in Atlanta, Georgia, SecureWorks, Inc. is a U.S.-based managed security services provider that provides information security services and protection of computer, network and information assets from malicious activity or cybercrime for its customers...
, a chunk of it DDoS-ed [distributed-denial-of-service attacked] a researcher off the network. Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it punishes them. It fights back," Corman said.
Spameater.com as well as other sites such as 419eater.com
419eater.com
419eater.com is a scam baiting website which focuses on advance-fee fraud. The name 419 comes from "419 fraud", another name for advance fee fraud, and itself derived from the relevant section of the Nigerian criminal code. The website founder, Michael Berry, goes by the alias Shiver Metimbers...
and Artists Against 419
Artists Against 419
Artists Against 419 is an Internet community dedicated to identifying and shutting down 419 scam websites...
, both of which deal with 419 spam e-mail fraud
Advance fee fraud
An advance-fee fraud is a confidence trick in which the target is persuaded to advance sums of money in the hope of realizing a significantly larger gain...
, have experienced DDoS attacks, temporarily rendering them completely inoperable. The DDoS attacks consist of making massed parallel network calls to those and other target IP addresses, overloading the servers' capacities and preventing them from responding to requests. Other anti-spam and anti-fraud groups, such as the Spamhaus Project, were also attacked. The webmaster of Artists Against 419 said that the website's server succumbed after the attack increased to over 100Mbit
Megabit
The megabit is a multiple of the unit bit for digital information or computer storage. The prefix mega is defined in the International System of Units as a multiplier of 106 , and therefore...
. As the theoretical maximum is never practically attainable, the number of machines used may have been as much as twice that many, and similar attacks were perpetrated against over a dozen anti-fraud site hosts. Jeff Chan, a spam researcher, stated, "In terms of mitigating Storm, it's challenging at best and impossible at worst since the bad guys control many hundreds of megabits of traffic. There's some evidence that they may control hundreds of Gigabits of traffic, which is enough to force some countries off the Internet."
The Storm botnet's systems also take steps to defend itself locally, on victims' computer systems. The botnet, on some compromised systems, creates a computer process on the Windows machine that notifies the Storm systems whenever a new program or other processes begin. Previously, the Storm worms locally would tell the other programs — such as anti-virus, or anti-malware software, to simply not run. However, according to IBM security research, versions of Storm also now simply "fool" the local computer system to run the hostile program successfully, but in fact, they are not doing anything. "Programs, including not just AV exes
EXE
EXE is the common filename extension denoting an executable file in the DOS, OpenVMS, Microsoft Windows, Symbian, and OS/2 operating systems....
, dlls
Dynamic-link library
Dynamic-link library , or DLL, is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems...
and sys
.sys
.sys is a filename extension in Microsoft Windows and DOS-type operating system.Most .sys files are real-mode device drivers. Certain files using this extension are not, however: MSDOS.SYS and IO.SYS are core operating system files in MS-DOS and Windows 9x...
files, but also software such as the P2P
Peer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
applications BearShare
BearShare
BearShare is a peer-to-peer file sharing application originally created by Free Peers, Inc. for Microsoft Windows, and now sold by MusicLab, LLC .- History :...
and eDonkey
EDonkey2000
eDonkey2000 was a peer-to-peer file sharing application developed by US company MetaMachine, using the Multisource File Transfer Protocol...
, will appear to run successfully, even though they didn't actually do anything, which is far less suspicious than a process that gets terminated suddenly from the outside," said Richard Cohen of Sophos
Sophos
Sophos is a developer and vendor of security software and hardware, including anti-virus, anti-spyware, anti-spam, network access control, encryption software and data loss prevention for desktops, servers, email systems and other network gateways....
. Compromised users, and related security systems, will assume that security software is running successfully when it in fact is not.
On September 17, 2007, a Republican Party
Republican Party (United States)
The Republican Party is one of the two major contemporary political parties in the United States, along with the Democratic Party. Founded by anti-slavery expansion activists in 1854, it is often called the GOP . The party's platform generally reflects American conservatism in the U.S...
website in the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
was compromised, and used to propagate the Storm worm and botnet. In October 2007, the botnet took advantage of flaws in YouTube
YouTube
YouTube is a video-sharing website, created by three former PayPal employees in February 2005, on which users can upload, view and share videos....
's captcha
CAPTCHA
A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a person. The process usually involves one computer asking a user to complete a simple test which the computer is able to generate and grade...
application on its mail systems, to send targeted spam e-mails to Xbox
Xbox
The Xbox is a sixth-generation video game console manufactured by Microsoft. It was released on November 15, 2001 in North America, February 22, 2002 in Japan, and March 14, 2002 in Australia and Europe and is the predecessor to the Xbox 360. It was Microsoft's first foray into the gaming console...
owners with a scam involving winning a special version of the video game Halo 3
Halo 3
Halo 3 is a first-person shooter video game developed by Bungie for the Xbox 360 console. The third installment in the Halo franchise, the game concludes the story arc begun in Halo: Combat Evolved and continued in Halo 2...
. Other attack methods include using appealing animated images of laughing cats to get people to click on a trojan software download, and tricking users of Yahoo!
Yahoo!
Yahoo! Inc. is an American multinational internet corporation headquartered in Sunnyvale, California, United States. The company is perhaps best known for its web portal, search engine , Yahoo! Directory, Yahoo! Mail, Yahoo! News, Yahoo! Groups, Yahoo! Answers, advertising, online mapping ,...
's GeoCities
GeoCities
Yahoo! GeoCities is a web hosting service, currently available only in Japan.GeoCities was originally founded by David Bohnett and John Rezner in late 1994 as Beverly Hills Internet . In its original form, site users selected a "city" in which to place their web pages...
service to download software that was claimed to be needed to use GeoCities itself. The GeoCities attack in particular was called a "full-fledged attack vector" by Paul Ferguson of Trend Micro
Trend Micro
Trend Micro Inc. is a computer security company. It is headquartered in Tokyo, Japan and markets Trend Micro Internet Security, Trend Micro Worry-Free Business Security, OfficeScan, and other related security products and services...
, and implicated members of the Russian Business Network
Russian Business Network
The Russian Business Network is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale...
, a well-known spam and malware service. On Christmas Eve in 2007, the Storm botnet began sending out holiday-themed messages revolving around male interest in women, with such titles as "Find Some Christmas Tail", "The Twelve Girls of Christmas," and "Mrs. Claus Is Out Tonight!" and photos of attractive women. It was described as an attempt to draw more unprotected systems into the botnet and boost its size over the holidays, when security updates from protection vendors may take longer to be distributed. A day after the e-mails with Christmas stripper
Stripper
A stripper is a professional erotic dancer who performs a contemporary form of striptease at strip club establishments, public exhibitions, and private engagements. Unlike in burlesque, the performer in the modern Americanized form of stripping minimizes the interaction of customer and dancer,...
s were distributed, the Storm botnet operators immediately began sending new infected e-mails that claimed to wish their recipients a "Happy New Year 2008!"
In January 2008, the botnet was detected for the first time to be involved in phishing
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
attacks against major financial institutions, targeting both Barclays and Halifax.
Encryption and sales
Around October 15, 2007, it was uncovered that portions of the Storm botnet and its variants could be for sale. This is being done by using unique security keys in the encryption of the botnet's Internet traffic and information. The unique keys will allow each segment, or sub-section of the Storm botnet, to communicate with a section that has a matching security key. However, this may also allow people to detect, track, and block Storm botnet traffic in the future, if the security keys have unique lengths and signatures. Computer security vendor Sophos has agreed with the assessment that the partitioning of the Storm botnet indicated likely resale of its services. Graham CluleyGraham Cluley
Graham Cluley is a British computer programmer and Senior Technology Consultant at Sophos well known in the anti-virus industry. However, he is better known nowadays as a security blogger and educationalist, and media contact point for Sophos...
of Sophos said, "Storm's use of encrypted traffic is an interesting feature which has raised eyebrows in our lab. Its most likely use is for the cybercriminals to lease out portions of the network for misuse. It wouldn't be a surprise if the network was used for spamming, distributed denial-of-service attacks, and other malicious activities." Security experts reported that if Storm is broken up for the malware market, in the form of a "ready-to-use botnet-making spam kit", the world could see a sharp rise in the number of Storm related infections and compromised computer systems. The encryption only seems to affect systems compromised by Storm from the second week of October 2007 onwards, meaning that any of the computer systems compromised before that time frame will remain difficult to track and block.
Within days of the discovery of this segmenting of the Storm botnet, spam e-mail from the new subsection was uncovered by major security vendors. In the evening of October 17, security vendors began seeing new spam with embedded MP3
MP3
MPEG-1 or MPEG-2 Audio Layer III, more commonly referred to as MP3, is a patented digital audio encoding format using a form of lossy data compression...
sound files, which attempted to trick victims into investing in a penny stock
Penny stock
In the United States, penny stocks are common shares of small public companies that trade at less than $1.00. In some countries, similar shares of stock are known as cent stocks.-Concerns for investors:...
, as part of an illegal pump-and-dump stock scam. It was believed that this was the first-ever spam e-mail scam that made use of audio to fool victims. Unlike nearly all other Storm-related e-mails, however, these new audio stock scam messages did not include any sort of virus or Storm malware payload; they simply were part of the stock scam.
In January 2008, the botnet was detected for the first time to be involved in phishing
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
attacks against the customers of major financial institutions, targeting banking establishments in Europe
Europe
Europe is, by convention, one of the world's seven continents. Comprising the westernmost peninsula of Eurasia, Europe is generally 'divided' from Asia to its east by the watershed divides of the Ural and Caucasus Mountains, the Ural River, the Caspian and Black Seas, and the waterways connecting...
including Barclays, Halifax and the Royal Bank of Scotland
Royal Bank of Scotland
The Royal Bank of Scotland Group is a British banking and insurance holding company in which the UK Government holds an 84% stake. This stake is held and managed through UK Financial Investments Limited, whose voting rights are limited to 75% in order for the bank to retain its listing on the...
. The unique security keys used indicated to F-Secure
F-Secure
F-Secure Corporation is an anti-virus and computer security software company based in Helsinki, Finland. The company has 18 country offices and a presence in more than 100 countries, with Security Lab operations in Helsinki, Finland and in Kuala Lumpur, Malaysia...
that segments of the botnet were being leased.
Claimed decline of the botnet
On September 25, 2007, it was estimated that a Microsoft update to the Windows Malicious Software Removal ToolWindows Malicious Software Removal Tool
Microsoft Windows Malicious Software Removal Tool is a freely-distributed virus removal tool developed by Microsoft for the Microsoft Windows operating system. First released on January 13, 2005, it is an on-demand anti-virus tool that scans the computer for specific widespread malware and tries to...
(MSRT) may have helped reduce the size of the botnet by up to 20%. The new patch, as claimed by Microsoft, removed Storm from approximately 274,372 infected systems out of 2.6 million scanned Windows systems. However, according to senior security staff at Microsoft, "the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the 'Storm' botnet," indicating that the MSRT cleaning may have been symbolic at best.
As of late October 2007, some reports indicated that the Storm botnet was losing the size of its Internet footprint, and was significantly reduced in size. Brandon Enright, a University of California at San Diego
University of California, San Diego
The University of California, San Diego, commonly known as UCSD or UC San Diego, is a public research university located in the La Jolla neighborhood of San Diego, California, United States...
security analyst, estimated that the botnet had by late October fallen to a size of approximately 160,000 compromised systems, from Enright's previous estimated high in July 2007 of 1,500,000 systems. Enright noted, however, that the botnet's composition was constantly changing, and that it was still actively defending itself against attacks and observation. "If you're a researcher and you hit the pages hosting the malware too much… there is an automated process that automatically launches a denial of service [attack] against you," he said, and added that his research caused a Storm botnet attack that knocked part of the UC San Diego network offline.
The computer security company McAfee
McAfee
McAfee, Inc. is a computer security company headquartered in Santa Clara, California, USA. It markets software and services to home users, businesses and the public sector. On August 19, 2010, electronics company Intel agreed to purchase McAfee for $7.68 billion...
is reported as saying that the Storm Worm would be the basis of future attacks. Craig Schmugar, a noted security expert who discovered the Mydoom worm, called the Storm botnet a trend-setter, which has led to more usage of similar tactics by criminals. One such derivative botnet has been dubbed the "Celebrity Spam Gang", due to their use of similar technical tools as the Storm botnet controllers. Unlike the sophisticated social engineering that the Storm operators use to entice victims, however, the Celebrity spammers make use of offers of nude images of celebrities such as Angelina Jolie
Angelina Jolie
Angelina Jolie is an American actress. She has received an Academy Award, two Screen Actors Guild Awards, and three Golden Globe Awards, and was named Hollywood's highest-paid actress by Forbes in 2009 and 2011. Jolie is noted for promoting humanitarian causes as a Goodwill Ambassador for the...
and Britney Spears
Britney Spears
Britney Jean Spears is an American recording artist and entertainer. Born in McComb, Mississippi, and raised in Kentwood, Louisiana, Spears began performing as a child, landing acting roles in stage productions and television shows. She signed with Jive Records in 1997 and released her debut album...
. Cisco Systems
Cisco Systems
Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California, United States, that designs and sells consumer electronics, networking, voice, and communications technology and services. Cisco has more than 70,000 employees and annual revenue of US$...
security experts stated in a report that they believe the Storm botnet would remain a critical threat in 2008, and said they estimated that its size remained in the "millions".
As of early 2008, the Storm botnet also found business competition in its black hat
Black hat
A black hat is the villain or bad guy, especially in a western movie in which such a character would stereotypically wear a black hat in contrast to the hero's white hat, especially in black and white movies....
economy, in the form of Nugache, another similar botnet which was first identified in 2006. Reports have indicated a price war may be underway between the operators of both botnets, for the sale of their spam E-mail delivery. Following the Christmas
Christmas
Christmas or Christmas Day is an annual holiday generally celebrated on December 25 by billions of people around the world. It is a Christian feast that commemorates the birth of Jesus Christ, liturgically closing the Advent season and initiating the season of Christmastide, which lasts twelve days...
and New Year's
New Year's Day
New Year's Day is observed on January 1, the first day of the year on the modern Gregorian calendar as well as the Julian calendar used in ancient Rome...
holidays bridging 2007-2008, the researchers of the German
Germany
Germany , officially the Federal Republic of Germany , is a federal parliamentary republic in Europe. The country consists of 16 states while the capital and largest city is Berlin. Germany covers an area of 357,021 km2 and has a largely temperate seasonal climate...
Honeynet
Honeypot (computing)
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems...
Project reported that the Storm botnet may have increased in size by up to 20% over the holidays. The MessageLabs Intelligence report dated March 2008 estimates that over 20% of all spam on the Internet originates from Storm.
Present state of the botnet
The Storm botnet was sending out spam for more than two years until its decline in late 2008. One factor in this — on account of making it less interesting for the creators to maintain the botnet — may have been the Stormfucker tool, which made it possible to take control over parts of the botnet.Stormbot 2
On April 28, 2010, McAfeeMcAfee
McAfee, Inc. is a computer security company headquartered in Santa Clara, California, USA. It markets software and services to home users, businesses and the public sector. On August 19, 2010, electronics company Intel agreed to purchase McAfee for $7.68 billion...
made an announcement that the so-called "rumors" of a Stormbot 2 were verified. Mark Schloesser, Tillmann Werner, and Felix Leder, the German researchers who did a lot of work in analyzing the original Storm, found that around two-thirds of the “new” functions are a copy and paste from the last Storm code base. The only thing missing is the P2P
Peer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
infrastructure, perhaps because of the tool which used P2P to bring down the original Storm. Honeynet blog dubbed this Stormbot 2.
See also
- E-mail spamE-mail spamEmail spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
- Internet crime
- Internet securityInternet securityInternet security is a branch of computer security specifically related to the Internet. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet represents an insecure channel for exchanging information leading to a high risk of intrusion or fraud,...
- Operation: Bot RoastOperation: Bot RoastOperation: Bot Roast is an operation by the FBI to track down bot herders, crackers, or virus coders who install malicious software on computers through the Internet without the owners’ knowledge, which turns the computer into a zombie computer that then sends out spam to other computers from the...
- Kraken botnetKraken botnetThe Kraken botnet was the world's largest botnet . Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day...
External links
- "Storm Worm DDoS Attack" - information on how the Storm botnet's attacks and P2P functionality work.