sudosecure.net

              is anything truly secure…

Another Storm Worm Update

Posted by jeremy on April 25th, 2008

All of the domain names I published a few weeks ago in an article titled "Storm Worm gone Domain registrant happy again!" have now been taken offline, and are no longer resolving to Storm Worm web servers. I noticed "loveinlive.cn" stopped resolving earlier this week, but I just haven't had enough time in the day to publish it. This is definitely good news for all of us caught in this seemingly never-ending cycle of Storm Worm trickery, which serves as a constant reminder that the Storm Worm is still around.

Recently many security professionals and security companies have begun to downplay the presence and size of the Storm Worm bot network due to new and/or old (depending on who you ask) bot networks such as Kraken or Bobax, Srizbi, RUSTOCK, Cutwail, and Grum. This could be a sign of hope that this trend of a shrinking Storm Worm botnet will continue.

A humorous article published by Gregg Keizer from Computerworld titled "Microsoft: We took out Storm botnet" has sparked some interesting conversations in the security community. With Jimmy Kuo making statements like "it was the hammering Microsoft gave the Storm botnet that sent the hackers packing" and "Even though they were able to maintain parts of their botnet, they knew they were in our gun sights. And ultimately they gave up", it would seem Jimmy is very passionate about declaring Microsoft the sole winner in this war, and he leaves us with the impression that it was the quick and precise workings of the Malicious Software Removal Tool (MSRT) that sent the Storm Worm authors packing. Did I mention I thought this article was humorous? I don't like throwing rocks normally, but is there something in the water in Redmond that breeds this type of thinking? We all know the Storm Worm has driven numerous security professionals, companies, and even "Microsoft" a bit crazy since it was first discovered in January of 2007, but to insinuate that you and your company alone drove the Storm Worm authors packing swiftly and effectively by deploying a removal tool 9 months later is downright distasteful in my personal opinion. What about giving some of the credit to security professionals such as Joe Stewart, who published detailed information regarding the Storm Worm in his February 8, 2007 article "Storm Worm DDoS Attack", or even the recent detailed case study from the University of Mannheim titled "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm", in which they disclosed a detailed report of how they infiltrated and analyzed the Storm Worm bot network infrastructure up close and personal?

I was very pleased to read a follow-up article published by Gregg Keizer from Computerworld just two days later titled "Microsoft didn't crush Storm, counter researchers". I don't agree with everything stated in this article, but I do 100% agree with Paul Ferguson's statement "Storm is not down and out".

2 Responses to “Another Storm Worm Update”

  1. TeMerc Says:

    From that InfoWorld write-up, which it would appear everyone is glossing over:

    But while Kuo was happy to take the credit on behalf of Microsoft for shrinking Storm, he was realistic about the overall impact.

    “What we did was to drive them [the Storm bot herders] elsewhere,” he said. “They’re probably out there still making money with some other botnet.”

    So I don’t see it so much as MS claiming they did much of anything all too significant, but I guess that’s just me.

  2. jeremy Says:

    Yea, you could very well be right, as we all have been taken out of context in one way or another at some point in time. This could very well be the misfortune of Jimmy Kuo being quoted by Gregg Keizer without portraying the true context of the message that Jimmy Kuo intended. This type of one-sided reporting has become almost the standard in today’s media coverage. Thanks for the feedback TeMerc!
