In early 2007, network administrators began dealing with a trojan that grew into a massive botnet and even stumped Microsoft for more than a year.
The Storm worm initially spread via email, promising the recipient news about dangerous storms in Europe. The email didn’t carry the malware in an attachment; rather, it contained a link to a malicious site that downloaded the worm. Once infected, the user’s machine became part of a massive botnet further disseminating the virus—a botnet estimated to be at least one million machines strong.
Social engineering tactics help spread the worm
What made this a near-perfect storm was not the code itself, but the social engineering genius displayed by the worm’s creators. Once the European storms were old news, the included link changed and promised everything from racy videos to e-greeting cards.
Subject lines were often tied to current or cultural events—and even though the spammers lacked a command of American English, they had American culture down pat. Eventually, the spammers moved away from the email link bait-and-switch and began using the email-to-post feature within Blogger to spread Storm.
The malware’s creators were identified as the Russian Business Network (RBN), or the “Zhelatin gang.” Originally based in St. Petersburg, Russia, the hackers managed to outsmart Microsoft for months by releasing new versions of Storm right before the scheduled monthly update to Microsoft’s Malicious Software Removal Tool (MSRT). The RBN knew it would take Microsoft a month to catch up to each release, which gave the gang a month of lead time to prepare its next variant.
However, in September 2007, Microsoft added a “Storm detector” to the MSRT and began aggressively cleaning Storm from infected PCs, ultimately cleaning more than 500,000 machines. Microsoft ruled the day—at least until a Storm variant reappeared in 2010.