This joker carries a dangerous payload.  (Source: Arbor Networks)
Everyone's favorite botnet makes an encore appearance

Storm is back, reports security firm Arbor Networks, and dressed to kill in its April Fools’ outfit.

Arbor Networks blogger Jose Nazario notes that Storm's latest variant began appearing sometime during March 31, greeting users with a simple “Doh! April’s Fool. (sic)” message that hyperlinks to an IP address.

Users clicking the link are taken to a web page with a cute picture and an automatic download, prompting them to run the download as soon as it completes. If the user follows these directions, he or she will find his or her computer added to the decentralized Storm botnet, which security analysts think contains anywhere from 20,000 to 10 million computers.

April Fools’ Day is only the latest such occasion to be exploited by Storm, which in the past has sent out e-mail messages with headlines like, “Saddam Hussein alive!” and “Fidel Castro dead.”

The original Storm variant earned it namesake in January 2007, when it infected thousands of computers in the United States and Europe with the headline “230 dead as storm batters Europe.” Six more waves appeared within three days of the worm’s initial attack, and by January 22 the Storm Worm was responsible for 8% of virus infections around the world.

The worm’s author is still unknown, and its decentralized structure leaves investigators little to target, let alone quantify: an October 2007 estimate that the Storm botnet is down to 20,000 computers was disputed by security researcher Bruce Schneier, who noted that the botnet’s owner is partitioning the network into discrete units, likely for their independent sale.

Nazario warns users to look out for the following signs of infection:

  • C:\WINDOWS\aromis.config, which contains the botnet’s decentralized peerlist – a list containing a very small subset of its overall network.
  • C:\WINDOWS\aromis.exe, the program that this variant of the Storm installs itself as.
  • “Services.exe” or “Aromis.exe” listening on a random UDP port, as well as a large volume of outbound connections – the worm will attempt to create a firewall rule for itself and use windows services to update its internal clock.

"A politician stumbles over himself... Then they pick it out. They edit it. He runs the clip, and then he makes a funny face, and the whole audience has a Pavlovian response." -- Joe Scarborough on John Stewart over Jim Cramer
Related Articles

Latest Blog Posts

Copyright 2017 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki