It is official: Storm is back. The notorious botnet that ballooned into one of the biggest botnets ever and then basically disappeared for months last year is rebuilding — with all-new malware and a more sustainable architecture less likely to be infiltrated and shut down.
Storm all but disappeared off the grid last year, basically going dormant in mid-September after its last major spam campaign in July — a “World War III” scam. In October, researchers started to write off Storm, at least in the short term. But now they say the big botnet has reinvented itself with new binary bot code, and that it is no longer using noisy peer-to-peer communications among its bots. It has instead moved to HTTP communications, which helps camouflage its activity among other Web traffic.
The manager of security research for Arbor Networks says he was initially skeptical of speculation that Waledac and Storm were one and the same. But the latest findings on the malcode and its activity, namely that the botnet is using many of the same IP addresses that were used in Storm, changed his mind. The biggest difference is that it is no longer as easily detectable now that it has converted to HTTP communications. “P2P was part of the reason for Storm’s demise. It was easy to filter it,” the manager says. “With HTTP, it is a little harder [to filter] because you have got to know what you are looking for.”
Source: Dark Reading