Storm Outbreak: Building A Bigger, Better BotnetStorm Outbreak: Building A Bigger, Better Botnet

The new Storm worm outbreak that buffeted the Internet with malware-laden spam on Thursday slowed down early Friday morning.

The massive spam campaign died off in the early morning hours, according to Adam Swidler, a senior manager with Postini. The security company had reported the day before that the new Storm variant drove Thursday's virus level to 60 times the average. At the same time, the Internet Storm Center reported detecting at least 20,000 infections, while the Security Response Team at Symantec said they received several hundred thousand reports of the malicious e-mail making the rounds.

That all changed on Friday morning when the attack went quiet.

"Typically, we see a burst in the initial attack from the folks who control the botnets that are sending out the spam," Swidler said in an interview. "I'm not surprised it died down so quickly."

The spam messages carried a variant of the virulent Storm worm that plagued the Internet in January. In that initial malware attack, the malicious code was in an executable attachment in the e-mail. This time it's disguised in an encrypted zip file and the password is embedded in an image in the body of the e-mail. Encrypting the malicious code makes it much more difficult for anti-virus programs to catch it, and if they can't catch it, they can't stop it.

If a user opens the file, his machine is infected with the malware and it then connects to a peer-to-peer network where it can upload data, including personal information from the infected computer. It also can download additional malware onto the infected system.

The fact that infected computers connect through a peer-to-peer system and not to a standalone server or even a node makes it extremely hard to shut down. "We traditionally can shut down the IRC server or whatever controls it," said Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center. "But with this, there is no single server or node to shut down. To deal with this, you'd have to shut down those 20,000 infected hosts. We would have to walk up to every single one of them and pull the plug."

Paul Henry, VP of technology evangelism with Secure Computing, said in an interview that this latest Storm attack was aimed at building out the hackers' botnet.

"The whole end game is building a bigger, better botnet," he said in an interview. "It's whole purpose is to create a money-printing engine for the bad guys. They get all these [infected machines] under control so they can rent them out as a botnet that can send spam."