DoS Attack Feared As Storm Worm Siege Escalates

As the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a botnet of nearly 2 million computers -- researchers worry about the damage hackers could wreak if they unleash a denial-of-service attack with it.

Between July 16 and Aug. 1, researchers at software security firm Postini have recorded 415 million spam e-mails luring users to malicious Web sites, according to Adam Swidler, a senior manager with Postini. Before the Storm worm began its attack, an average day sees about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them are from the Storm worm.

Researchers at SecureWorks are seeing similar staggering numbers, as well.

Joe Stewart, a senior security researcher at SecureWorks, noted that the number of zombie computers that the Storm worm authors have amassed as skyrocketed in the past month. From the first of January to the end of May, the security company noted that there were 2,815 bots launching the attacks. By the end of July, that number had leapt of 1.7 million.

"It's really gotten enormous," said Stewart. "It's been building with exponential growth. It's one of the largest botnets I've ever heard of."

And both Stewart and Swidler said they think the Storm worm authors are cultivating such an enormous botnet to do more than send out increasing amounts of spam. All of the bots are set up to launch denial-of-service (DoS) attacks and that's exactly what they're anticipating. Denial-of-service attacks -- sometimes called DoS -- are designed to pound each computer with countless questions that flood its ability to respond, effectively taking the machine down.

"When a computer is added to a botnet, it becomes a platform for issuing further attacks," said Swidler. "I shudder to think should they turn this botnet on an organization... It's harnessing the benefits of the grid computing architecture for evil purposes."

Stewart added that the botnet has been launching small DoS attacks, but only a small percentage of the botnet has been used for it and the attacks have only been directed at seemingly random IP addresses or small organizations. A large directed attack could be much different.

"At any time, the botnet could launch a massive attack at anyone. We're wondering if it's being geared up for some sort of large scale attack," said Stewart. "Who couldn't they take offline with all the computers in this botnet?.. They could take a small country out."

This past May, Estonia, a country in Eastern Europe, was hammered with a DoS attack from a botnet. Swidler said he believes there's a good chance that the Storm worm authors were behind the Estonia attacks.

SecureWorks is warning IT managers and home users that they need to be aware of the scams connected to the Storm worm, which include e-mails with links leading to fake e-cards and news stories highlighting catastrophic events.

"Storm relies on social engineering as its best ally so it is really important that computer users keep their guard up and be suspicious of any unsolicited email containing an attachment or a link," said Stewart. "Even if it mentions something you are familiar with or promises some sort of critical data, always check with the sender to see what it is and why the sent it."

He also warns that users and IT managers can protect their systems by blocking peer-to-peer networking. When the malware runs, it tries to link up with other infected hosts via P2P networks. Stewart noted that if that function is blocked, then the user's computer cannot become a part of the botnet.