Measuring the Success Rate of Storm Worm
Just around Christmas, machines infected with Storm Worm started to send out spam e-mails again. These e-mails contained different kinds of Christmas or New Year's Eve wishes. Within the Storm botnet, such mails are sent to propagate the bot: the botherders hope that innocent users fall for this social engineering trick and click on the link contained in the mail. Once they click on the link, they are redirected to a website which contains a link to the actual Storm binary. This website commonly also contains browser exploits (selected depending on the user-agent, and served only once per IP address) to compromise the web browser of a visitor in order to install the Storm binary.

The picture illustrates the success rate of the botnet: the x-axis shows the date, starting a few days before Christmas and ending today. The y-axis represents the number of infected machines within Stormnet, the "encrypted" part of the botnet in which the actual communication is XORed with a 40 byte key. As you can see, in the first days before Christmas the size of the botnet was around 5-14 thousand infected machines. However, just around Christmas the size grows again due to successful infections and new victims who fell for the social engineering mails. For now, the botnet has peaked at about 40 thousand infected machines being online at a time.
Moreover, the picture also shows a clear diurnal pattern: the size of the botnet changes over time each day. This could indicate that a majority of the infected machines are located within a certain region. A closer examination of this phenomenon is necessary.
The actual picture was generated by Moritz Steiner, a colleague of mine with whom I analyze the Storm botnet.
Update: Brandon Enright pointed out that the diurnal pattern could also have other causes and thus I updated this part.
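One way to carry out the closer examination mentioned above, as an added example that is not part of the original post or of the Storm measurement tooling: aggregate hourly online-peer counts by hour of day, find the peak and trough, and derive a rough UTC offset under the assumption (a heuristic, not a fact from the post) that home machines are most often online around 20:00 local time. The observations here are constructed, not real Stormnet data.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

def hourly_profile(observations):
    """Mean online count per UTC hour of day from (timestamp, count) pairs."""
    sums, n = defaultdict(float), defaultdict(int)
    for ts, count in observations:
        sums[ts.hour] += count
        n[ts.hour] += 1
    return {h: sums[h] / n[h] for h in sums}

def diurnal_stats(profile):
    """Return (peak_hour, trough_hour, relative_amplitude) of the daily cycle."""
    peak = max(profile, key=profile.get)
    trough = min(profile, key=profile.get)
    amplitude = (profile[peak] - profile[trough]) / profile[peak]
    return peak, trough, amplitude

def estimate_utc_offset(peak_hour_utc, assumed_local_peak=20):
    """Heuristic: assume activity peaks at assumed_local_peak local time and
    wrap the difference into the range [-12, 12). A weak diurnal amplitude
    (e.g. below 0.2) means this estimate should not be trusted."""
    return ((peak_hour_utc - assumed_local_peak + 12) % 24) - 12

def synthetic_observations(days=3, base=20000, swing=8000, peak_hour_utc=2):
    """Constructed sample: hourly counts following a cosine daily cycle that
    peaks at peak_hour_utc, standing in for real peer-count measurements."""
    start = datetime(2007, 12, 24)  # assumed start date, matching the post's timeframe
    obs = []
    for i in range(days * 24):
        ts = start + timedelta(hours=i)
        phase = 2 * math.pi * (ts.hour - peak_hour_utc) / 24
        obs.append((ts, base + swing * math.cos(phase)))
    return obs

if __name__ == "__main__":
    prof = hourly_profile(synthetic_observations())
    peak, trough, amp = diurnal_stats(prof)
    print(f"peak {peak:02d}:00 UTC, trough {trough:02d}:00 UTC, amplitude {amp:.2f}")
    print(f"estimated region offset: UTC{estimate_utc_offset(peak):+d}")
```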