Storm worm botnet threatens national security?

In just eight months the Storm worm has infected more than 20 million computers and built a zombie army -- or botnet -- capable of launching DDoS attacks that could be used against any organisation or even damage critical infrastructure, according to security experts.
Written by Liam Tung, Contributing Writer

The Storm worm was first seen in January of this year. Initially the worm spread as an executable file attached to an e-mail disguised as an electronic greeting card. However, Storm has constantly changed its tactics and was recently caught fooling victims into clicking on links that lead them to an infected file.

According to antivirus firm Sophos, almost seven percent of all spam last week seemed to be related to Storm worm activity -- much of it greeting card related. The United States Computer Emergency Readiness Team (US-CERT) last week warned Web users about the Storm worm which, it said, is "currently on the rise".

The Storm worm's build-up has concerned managed service security vendor SecureWorks, which recently speculated that the computers under Storm's control could be used to bring down virtually any online property.

The company has reported that in the four months leading to August 2007, Storm worm infections increased from 71,342 to over 20 million.

IBRS security analyst James Turner said the Storm worm worked by changing its configuration through peer-to-peer networks rather than an IRC channel, and that its distributed nature would make the resultant botnet particularly difficult to contain.

Joe Stewart, senior security researcher for SecureWorks, said: "We don't know the motive of the Storm author; however ... it could be that the hacker is rapidly building up the botnet so it can be leased to other hackers so that they can launch massive attacks against whatever target they choose: an organisation, country, etc."

Is Storm the weapon of cyberwarfare?
Alexander Gostev, senior virus analyst at Kaspersky, said that international disputes are spilling over to the Internet, which means world leaders, for the first time, are seriously discussing the possibility of a "cyberwar".

Cyberwars between countries, which involve only Internet-based attacks on critical infrastructure and government services, could be waged using malware such as the Storm worm, according to experts who analysed the recent DDoS attacks on Estonia.

Internet attacks are not recognised by NATO as a form of military action and therefore cannot be used as a justification for a military response. However, this April, Estonia experienced a series of massive distributed denial-of-service (DDoS) attacks on its government Web sites.

The attacks seemed to follow a decision to remove a monument dedicated to Soviet soldiers. Over the next two weeks 128 DDoS attacks were unleashed on Estonia's police and government Web sites, which also affected its Internet services.

The Estonians accused the Russian Government of using its notorious secret service to launch the cyber attack.

This may not be the first time international disputes have resulted in attacks on government Internet services, but according to Kaspersky's Gostev, this was the first time a government has accused another of cyberwarfare.

In the hope of roping in its NATO allies, the Estonian Minister of Defence, Jaak Aaviksoo, called on NATO to amend its agreement on military protection to recognise the attack as a form of military action or "cyberwar".

The Estonian Government was ultimately unable to prove its claim that one of the several attacks could be traced back to a Russian government IP address, but Gostev said this result is not surprising: the problem with the notion of cyberwar is that it is very difficult to prove.

Gadi Evron, an Israeli security expert who conducted a post-mortem on the Estonian attacks, said: "I don't think it was Russia, but how do you prove that? The Internet is ideally suited for plausibly refuting anything."

Kaspersky's Gostev said the DDoS attack may have been the result of malware that was distributed to thousands of impassioned citizens-cum-voluntary cyber soldiers to launch an attack against an opposition government.
