
Storm Botnet Fades Away to Nothing


October 14, 2008

LONDON, 14 October, 2008 – The former King of Spam, the most talked about and studied botnet ever, has stopped producing spam say security experts from Marshal’s TRACE Team. Spam originating from the Storm botnet has been dwindling for months and finally ceased altogether in September 2008.

The Storm botnet first came to prominence in January 2007 when the botnet’s creators spammed fake news headlines to entice web users into clicking on links that infected the user’s PC with malware. One of the earliest such campaigns used a headline describing lethal storms in Europe, which led to the botnet receiving its now notorious name.

The tactic of using spam to spread malware on a mass scale was unprecedented at the time. The practice became known as ‘Malicious Spam’ to security researchers at Marshal who began documenting Storm’s trail of destruction. The botnet’s creators developed new, constantly evolving malicious spam campaigns over the following months in their attempt to stay ahead of anti-spam vendors and to infect as many computers as possible.

Storm’s creators used varying social engineering ploys, including fake e-greeting cards, taking advantage of holidays and major sporting events, and exploiting popular Internet sites such as YouTube, to con computer users into clicking on links and infecting themselves with malware. Storm continued to grow unchecked, reaching its spamming peak in September 2007 when it was responsible for 20 percent of the world’s spam according to Marshal.

“Storm was one of the first botnets to use these tactics on a mass scale. It became the most successful botnet of its type and established the basic template for developing a spam empire that other botnets have since copied. Whoever was behind Storm really set the benchmark at the time for the kind of scale that was achievable with a spambot. They also led the way in using self-perpetuating malicious spam to grow the botnet. They utilized every social engineering trick in the book and invented quite a few of their own,” said Phil Hay, Lead Threat Analyst for Marshal’s TRACE Team.

No one knows for sure how many computers Storm succeeded in infecting at its peak, particularly due to its constantly changing composition. Industry estimates in 2007 ranged wildly from 1 million to 10 million infected computers. Some drew parallels between Storm and the processing power of the world’s top Supercomputers. With the benefit of hindsight, more conventional thinking now is that Storm achieved between 500,000 and 1 million infections at its height. However, Storm’s success ultimately led to its downfall. In September 2007, Microsoft targeted Storm through the Malicious Software Removal Tool, signaling the beginning of the end for Storm.

Microsoft reported that it cleaned 274,372 computers of the Storm bot in the first month that it was targeted and continued to clean hundreds of thousands of computers in the following weeks. Marshal’s TRACE team reported in January 2008 that, in the face of competition and Microsoft’s efforts, Storm had dwindled from 20 percent to just 2 percent of spam by volume in the space of four months. By then rival botnets such as Srizbi, Mega-D and Rustock had begun to surpass Storm. Srizbi claimed the King of Spam record in May 2008, with Marshal attributing over 50 percent of all spam in circulation to Srizbi.

Since mid-2008 Storm has struggled on but rarely achieved more than 1 percent of spam in Marshal’s statistics. While Microsoft certainly made a major contribution to the downfall of the Storm botnet, no one is clear on what precisely happened to Storm. Some suggest that the botnet was sold or morphed into another botnet and still continues to produce spam. Nevertheless, Marshal’s TRACE team no longer observes Storm bots sending spam and no longer receives any spam attributable to Storm.

“We have seen occasional surviving Storm bot peers still trying to communicate with each other but the Storm’s command and control servers are unresponsive. Our data indicates that Storm has stopped. Maybe not forever but the most likely scenario we can envision is that Storm has become obsolete in the face of other botnets like Srizbi which are more resistant against detection and removal by anti-malware solutions,” said Hay.

“A distinct possibility is that the creators of Storm have abandoned it in favor of a newer botnet that they have created. If they have, it is possibly one of the top spam botnets that we continue to track. It seems unlikely that Storm’s creators simply gave up and went home.”

Storm Timeline:
Jan 2007: Storm botnet comes to prominence with the headline “230 Dead as Storm Batters Europe” and rapidly infects hundreds of thousands of computers in a matter of days.

Feb 2007: Storm’s next campaigns feature malicious executable attachments. But the Storm controllers quickly change tactics to drive-by malware delivered through URL links when they realize that attachments are often detected by anti-spam/anti-virus solutions.

Feb-Sep 2007: Storm uses fast flux DNS to avoid detection and ever-changing malicious spam campaigns to infect as many as 1 million computers worldwide. Storm’s self-perpetuating malicious spam campaigns establish the templates for other would-be botnet spammers to develop their own botnets.

Sep 2007: Marshal announces Storm has become the single biggest spam producer by volume and attributes 20 percent of all spam globally to Storm. This is the peak of Storm’s dominance. Microsoft targets Storm with the Malicious Software Removal Tool, cleaning almost 275,000 infected computers in the first month.

Oct 2007 – Jan 2008: Storm dwindles steadily down to just 2 percent of spam according to Marshal. Microsoft claims credit for reducing the Storm threat with MSRT.

Jan-Sep 2008: Storm is never a major spam player again. Rarely exceeding 1 percent in Marshal’s spam statistics, Storm carries on at a trickle compared to other botnets – the top botnets now routinely exceed 20 percent of spam and cumulatively account for over 90 percent of spam in circulation.

Sep 2008: Marshal’s TRACE security analysts conclude that Storm has stopped sending spam.

More Information

Marshal’s TRACE Team blog - http://marshal.com/trace/traceitem.asp?article=786

About Marshal
Marshal is a global leader in content security across multiple protocols, enabling organizations to secure their IT environment, protect against threats and comply with corporate governance needs. Marshal provides customers with a complete portfolio of policy-driven email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. Forty percent of the Global Fortune 500 companies use Marshal security solutions to secure their corporate messaging networks and Web access against internal abuse and external threats such as viruses, spam and malicious code. More than 7 million users in over 18,000 companies worldwide use Marshal solutions to protect their networks, employees, business assets and corporate reputation and to comply with corporate governance legislation requirements.

Marshal is headquartered in London (UK) with offices in Atlanta (USA), Auckland (New Zealand), Houston (USA), Johannesburg (South Africa), Munich (Germany), Paris (France) and Sydney (Australia). More information is available at www.marshal.com.

About the Marshal TRACE Team
TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats through the TRACE website at www.marshal.com/trace. TRACE services are provided as part of standard product maintenance that includes updates to Marshal’s unique, proprietary anti-spam technology, SpamCensor. TRACE analyses spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. It also provides “Zero Day” security protection against new email and virus exploits the day they emerge.
Last Reviewed: October 14, 2008