The Storm Worm, October 2007

The key force shaping the threat landscape remains the focus on reaping financial rewards from Internet-based fraud and computer attacks. The Storm worm, having infected millions of systems in 2007, accomplished this mainly by acting as a venue for pump-and-dump spam campaigns. The worm's bot networks relayed email messages that extolled the virtues of obscure public companies, allowing attackers to make as much as $20,000 in a weekend through speculative trading.

The Storm worm possessed key characteristics of modern malware. It was self-propagating, capable of automatically compromising new systems with copies of the program. The attackers controlled and updated instances of the worm remotely, which allowed them to shift tactics to ensure continued effectiveness. The early versions of the worm sent pump-and-dump text in the body of email messages. Attackers later switched to embedding the text as Adobe Acrobat PDF attachments. Later variants included an MP3 file with an audio version of the text.

The Storm worm was highly resilient, employing peer-to-peer and fast-flux DNS techniques to make it difficult for its bot networks to be shut down. Furthermore, a REN-ISAC alert warned higher education institutions about the worm's distributed denial-of-service (DDoS) capabilities: if it detected that its systems were subjected to a security scan, it could retaliate by attempting to shut down the scanning computer.
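Fast-flux DNS, mentioned above, is also what gives defenders a handle on such infrastructure: a name that returns a fresh set of addresses on every short-TTL lookup, spread across many unrelated networks, looks very different in resolver logs from a CDN that rotates a small pool. The following is an added example, not code from the original post. It applies that heuristic to a constructed resolver log; the `.test` hostnames and addresses are placeholders, the /16 prefix stands in for an ASN lookup that would normally be done against routing data, and the thresholds are illustrative starting points rather than tuned values.

```python
"""Fast-flux DNS heuristic over resolver observations.

Added example (not code from the original post). The records below are
constructed; hostnames and addresses are illustrative placeholders, and the
/16 prefix stands in for an ASN lookup that would normally be done against
a BGP table.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class DnsObservation:
    ts: int                   # seconds since epoch of the lookup
    qname: str                # hostname queried
    ttl: int                  # TTL on the A records in this response
    answers: Tuple[str, ...]  # IPv4 addresses returned in this one response


# Constructed sample log: a suspected flux name, a CDN name, and a static host.
SAMPLE_LOG: List[DnsObservation] = [
    # Each lookup returns a fresh set of addresses scattered across many networks
    DnsObservation(0,   "updates.flux-example.test", 180, ("10.11.4.7", "10.52.9.200", "10.87.33.1")),
    DnsObservation(300, "updates.flux-example.test", 180, ("10.23.77.5", "10.140.2.9", "10.9.61.114")),
    DnsObservation(600, "updates.flux-example.test", 180, ("10.201.8.3", "10.66.19.40", "10.31.250.2")),
    DnsObservation(900, "updates.flux-example.test", 180, ("10.172.1.88", "10.44.13.17", "10.118.5.6")),
    # Low TTL as well, but the same four addresses in one network keep rotating
    DnsObservation(0,   "static.cdn-example.test", 60, ("198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13")),
    DnsObservation(60,  "static.cdn-example.test", 60, ("198.51.100.12", "198.51.100.13", "198.51.100.10", "198.51.100.11")),
    DnsObservation(120, "static.cdn-example.test", 60, ("198.51.100.11", "198.51.100.10", "198.51.100.13", "198.51.100.12")),
    # Ordinary host: long TTL, single address
    DnsObservation(0,    "www.corp-example.test", 3600, ("203.0.113.5",)),
    DnsObservation(3600, "www.corp-example.test", 3600, ("203.0.113.5",)),
]


def network_key(ip: str) -> str:
    """Coarse network identity used in place of an ASN lookup (assumption: /16)."""
    return str(ip_network(f"{ip}/16", strict=False))


def summarize(observations: Iterable[DnsObservation]) -> Dict[str, dict]:
    """Aggregate per-hostname metrics that separate flux networks from CDNs.

    fluxiness = unique addresses seen / mean addresses per single response.
    A CDN returning the same pool every time scores about 1.0; a flux network
    that swaps in fresh bots on every lookup scores near the number of lookups.
    """
    by_name: Dict[str, List[DnsObservation]] = defaultdict(list)
    for obs in observations:
        by_name[obs.qname].append(obs)

    summary: Dict[str, dict] = {}
    for qname, records in by_name.items():
        unique_ips = {ip for r in records for ip in r.answers}
        mean_per_response = sum(len(r.answers) for r in records) / len(records)
        summary[qname] = {
            "lookups": len(records),
            "min_ttl": min(r.ttl for r in records),
            "unique_ips": len(unique_ips),
            "networks": len({network_key(ip) for ip in unique_ips}),
            "fluxiness": round(len(unique_ips) / mean_per_response, 2),
        }
    return summary


def is_fast_flux(metrics: dict, max_ttl: int = 300,
                 min_fluxiness: float = 2.0, min_networks: int = 3) -> bool:
    """Flag a name only when all three signals agree.

    A short TTL alone is not enough, since CDNs use short TTLs too, so the
    check also requires address churn across lookups and spread across
    several networks. Thresholds are illustrative starting points.
    """
    return (metrics["min_ttl"] <= max_ttl
            and metrics["fluxiness"] >= min_fluxiness
            and metrics["networks"] >= min_networks)


def flagged_hostnames(observations: Iterable[DnsObservation]) -> List[str]:
    """Return the hostnames whose resolution pattern looks like fast-flux."""
    return sorted(name for name, m in summarize(observations).items() if is_fast_flux(m))


if __name__ == "__main__":
    for name, m in summarize(SAMPLE_LOG).items():
        verdict = "FAST-FLUX?" if is_fast_flux(m) else "ok"
        print(f"{name:28} ttl={m['min_ttl']:<5} ips={m['unique_ips']:<3} "
              f"nets={m['networks']:<3} flux={m['fluxiness']:<5} {verdict}")
```

Run against the constructed log, only the flux name is flagged: its fluxiness is 4.0 across 12 distinct networks, while the CDN name, despite its 60-second TTL, scores 1.0 in a single network. In practice the network key would come from a prefix-to-ASN mapping, and the thresholds would be set from a baseline of the organisation's own resolver traffic.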

As attackers adapt to bypass our security controls, we, as defenders, need to keep learning from each other, sharing threat information and defense strategies. This is the only way to ensure we do not fall behind in the arms race between attackers and defenders.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.