In the world of botnets, Storm isn’t king anymore, but Storm’s botnet owners aren’t giving up. This article is a reminder by Michael Kassner of the need to remain vigilant and not fall prey to the Storm worm or its relatives.


It appears that the Storm worm is making a comeback. I first made mention of this botnet maker in the article “Kraken: The Biggest, Baddest Botnet Yet,” where I explained how Storm was losing its grip as being the largest botnet in history to Kraken and Srizbi as the second largest. Well, Storm developers have added a few new twists to their arsenal and are seeing a resurgence in the size of their botnets. Therefore it’s very important to not become complacent about this type of malware as it relies on social engineering to propagate. I’d like to take a few moments to go over the process so we’re all clear on how the infestation occurs.

How my computer became a zombie

Let’s follow the process of becoming infected with Storm and the aftereffects:

  1. I receive an e-mail informing me that the attachment contains some very important information. Not knowing any better, I open the attachment.
  2. I was just conned. The attachment has the Storm trojan/bot client hiding in it. My computer is now infected and just became part of a botnet. The scary part is that this all happened without my knowing it.
  3. What’s worse is that my AV application is useless as Storm’s code changes constantly, so any AV signature is out of date within an hour.
  4. My computer now follows the bidding of the “botmaster,” which normally means it’s going to be used as a spam relay. There are other more malicious activities, such as “distributed denial of service attacks,” but botnets are usually for hire and spamming is a lucrative business.

That’s one scenario and as botnet malware matures other more sophisticated attack venues are introduced. For instance, the delivery mechanism used by the Storm worm changes regularly. It starts out as PDF spam progressing to links for e-cards or invites to Web sites. The worm developers will try any method possible to entice users to click on a phony link or attachment. The initial e-mail used by Storm also morphs. There are new subject lines and body text that refer to relevant news or issues — any way to subjugate human nature.

The willingness to prey on human nature is why Storm is back in the news. It’s propagating successfully using an e-mail with a subject line of “FBI May Strike Facebook” or “The FBI has a new way of tracking Facebook.” It appears that once again the developers have touched on a chord of human nature and are getting a decent infection rate.

Final thoughts

I could spend all sorts of time on the intricacies of how each of the top three botnets work or how successful they are at evading detection, but that wouldn’t help. This article is my regular attempt at making sure all of us are cognizant of the need to be web-savvy, always questioning whether that link or attachment makes sense. Doing so will go a long way to reducing the amount of spam we receive. This certainly includes me, as I’ve been very close to becoming an unwilling botnet member myself.


Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.