The Storm Worm is aptly named, for any mention of it creates a media storm, regardless of the reality behind the malware. Yesterday reports surfaced today of a renewed Storm, as researchers from CA announced the “Come back of the Storm Worm.” The news media was not slow to pick it up, for example, the Register’s headlines read “Infamous Storm botnet rises from the grave.”

Despite its nickname, the Storm Worm was actually not a worm. Rather, it was once a major spamming botnet, representing some 20% of spam at its peak in mid-2007. It was also one of the most discussed and studied botnets ever, due to its size, distinctive spam campaigns, and revolutionary peer-to-peer communication model. Following all the attention and the targeting of Storm by Microsoft with its Malicious Software Removal Tool in September 2007 among other infiltration attempts, Storm died a slow death, which we duly noted here.

So what is going on with these latest pronouncements? Has Storm suddenly sprung back from the dead?

The folks at the Honeynet Project have done a detailed analysis of the malware, and consider it to share a significant amount of code with the original Storm. Notable similarities include:

• Use of the same-named config file herjek.config located in the C:\WINDOWS directory.
• TCP Communications are base64 encoded and gzipped compressed.
• Peculiar random letter path data followed by jpg, htm or gif, and the “Windoss” user agent specified in the HTTP POST request, see below:

Figure 1: Random 3 letter path and “Windoss” user agent in HTTP POST request.

The Spamming templates, too, are very similar. Take this example from the original Storm:

%^G%^Fpharma^% http://%^Flinksh^%/%^P%^R2-7^%:qwertyuiopasdfghjklzxcvbnmeui=oaeuioa^%/^%
~!3~!1201910750~!Received: from [%^C6%^I^%.%^I^%.%^I^%.%^I^%^%] (helo=3D%^C=
0%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbnm^%^%)
    by %^A^% with smtp (Exim 4.62 (FreeBSD))
    id %^M%^C5%^R20-300^%^%^%-000%^P1:12345678^%%^P1:GHIJKLMNOPQRSTUVWXYZabcde=
fghijklmn^%%^P1:0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw=
xyz^%-%^P1:0123456789ABCDEFGHIJKLMNOPQRSTUV^%%^P1:0123456789ABCDEFGHIJKLMNO=
PQRSTUVWXYZabcdefghijklmnopqrstuvwxyz^%; %^D%^V5^%^%
Message-ID: <%^Z^%.%^R1-9^%0%^R0-9^%0%^R0-9^%0%^R0-9^%@%^C1%^Fdomains^%^%>
Date: %^D^%
From: <%^Fnames^%@%^V1^%>
User-Agent: Thunderbird %^Ftrunver^%
MIME-Version: 1.0
To: %^0^%
Subject: %^Fwormsubj^%
Content-Type: text/plain; charset=3DISO-8859-1; format=3Dflowed
Content-Transfer-Encoding: 7bit

And compare it with this one from the new bot:

5~!1272366542~!Date: %^D^%From: "%^C2%^Fnames^%^%" <%^V2^%@%^C1%^Fdomains^%^%>
MIME-Version: 1.0
To: %^0^%
Subject: %^Fpharma2^%
Content-Type: text/plain; charset=%^Fcharset^%
Content-Transfer-Encoding: 7bit
Message-ID: <%^Z^%.%^R1-9^%0%^R0-9^%0%^R0-9^%0%^R0-9^%@%^V1^%>

%^Forder.txt^% %^Frxmeds.txt^%  online today!
%^Fbrowse.txt^% our web site today  -> %^Frxdomains2.txt^%

Incidentally, both of these spamming templates also closely resemble the template used by the Waledac bot, again indicating shared code.

The glaring difference is that the new malware does not use a peer-to-peer communication model based on the Overnet protocol. The original Storm communicated over UDP with many other nodes using a modified version of this protocol, whereas this malware has none of that. In its place is a stripped down and more standard model, where the infected node contacts a command server via HTTP and downloads spam templates and other instructions. Broadly speaking, it is little no different in concept to the many other template-based spambots that we regularly encounter.

So in essence, this is a new stripped down spambot, based on a portion of Storm code. The spam emanating from it is hardly registering in our spam traps – less than 0.01 percent, so it is a very minor spamming botnet at this stage – merely another one to add to the dozens out there already.