Post Sat Feb 14, 2009 5:16 pm

Storm resurgence

Seems like Storm/Waledac is coming back with a vengeance on v-day. Polymorphic code, stronger encryption, and http command and control.

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=213403915

The botnet formerly known as Storm is ramping up its ability to evade detection by automatically generating thousands of different variants of its malware each day as it spreads and recruit more bots.

...

Meanwhile, constantly changing the look and feel of its malware is consistent with the new and improved Storm's M.O.: to avoid attracting too much attention like it used to do. Researchers last month confirmed that Waledac was basically Storm reincarnated, but with all-new malware and a more sustainable architecture that's less likely to get infiltrated and shut down. The notorious botnet Storm went MIA last fall, and researchers started to write it off. But the operators of Storm made a comeback this year with new binary bot code and stronger encryption, plus it replaced its peer-to-peer communications among its machines to HTTP, which helps camouflage its activity among other Web traffic. HTTP also makes it tough to distinguish a bot from a command and control server.