This year's NFL season arrived with a twist for millions of computer users, who
discovered emails in their inboxes advertising free "online game trackers" and
links to an official-looking website adorned with the National Football League's
logo.
Fans who tried to download the program from the compromised website unwittingly infected their computers with a version of the Storm Worm, a malicious piece of software that, despite being flagged more than half a year earlier, has proven to be remarkably resilient.
Once installed, the "malware" drafts the unwitting user's computer into a vast army of infected machines that can be remotely instructed to spread Storm Worm, shut down Internet sites or pump out millions of spam emails promoting everything from stock market scams to sketchy pharmaceuticals – usually without the user's knowledge.
But experts fear the Storm Worm, or something similar, could one day be used for more sinister purposes.
"It's not so much this particular threat itself," says Dean Turner, the director of Symantec Corp.'s Global Intelligence Network, which sells computer security services, "but the possibilities that it presents for attackers."
He speculates the Storm Worm could be used to deliver sophisticated programs to computers that are designed to monitor keystrokes and steal confidential information such as online bank user names and passwords, personal tax information and just about anything else stored on people's hard drives. The confidential data could then be transferred to a central computer server and sold to criminals, leaving little or no trail, he said.
The Storm Worm is unique among malware since its purpose isn't to create havoc and headlines, thereby showcasing the prowess of its creators, but to make them rich by quietly taking control of other people's machines.
"The threat environment now is dominated by profit," says Turner. "It's not that the hackers have all of a sudden turned into a bunch of criminals, it's that the criminals are finally starting to leverage the technology available to them."
Estimated to have infected at least a million machines, the Storm Worm is believed to have been created in Russia and so far appears to be focused on building a large botnet, a network of hijacked "zombie" computers. A botnet is centrally controlled and can be used to send spam to millions of inboxes – either by the worm's creators, or by less-than-reputable individuals or firms willing to pay money to access the hijacked network.
While that may not sound like a terribly lucrative criminal activity, the unique economics of spam means there's big money to be made even if only a tiny percentage of the millions of emailed advertisements actually result in a sale. That's because emails cost next to nothing to produce and distribute – particularly if they are sent using a network of hijacked machines.
Graham Cluley, a senior technology consultant for anti-virus firm Sophos PLC, says his company estimates that more than 90 per cent of all spam, and more than 80 per cent of all infected Web pages, come from computers that have been "borrowed" by cyber criminals.
The Storm Worm first made headlines in January when emails with the subject line "230 dead as storm batters Europe" landed in inboxes around the globe, hence the name "Storm Worm." When users clicked on a link that promised a video clip, they were instead taken to a compromised website that downloaded a copy of the Storm Worm onto their computer. Because the original email contained no attachments or other suspicious attributes, it tended to be ignored by security software.
The attack was noted for its timeliness since it came on the heels of a killer European storm. Subsequent variants have also tried to cash in on current events, offering titillating headlines with the following subject lines: "A killer at 11, he's free at 21," "British Muslims Genocide," and "Naked teens attack home director."
Later versions came with subject lines that preyed on people's loneliness – "Want to Meet?" – while still others spuriously claimed that a user's computer had already been infected with a worm. The recommended fix? A downloadable patch that was actually a version of the Storm Worm.
The most recent bait involved emails that purported to contain links to YouTube videos in a bid take advantage of the video sharing site's soaring popularity.
But while those behind the Storm Worm have demonstrated considerable skill in social engineering, observers are equally impressed with the worm's design and method of propagating itself.
Unlike other botnets, the network of computers created by the Storm Worm communicates through a peer-to-peer network like one often used to swap digital music files. That makes it difficult to trace and disable since there is no centralized command-and-control point. "It's about being able to operate from a widely distributed and ever moving target," says Cluley.
As well, the code used by the Storm Worm to spread itself morphs constantly, making typical anti-virus techniques less effective.
Finally, the Storm Worm's use of compromised Web pages to spread its malicious code is part of a larger trend away from emailed attachments, which are now difficult to get through security barriers.
"Increasingly, we're seeing trusted websites being compromised," says Symantec's Turner, who predicts that one day we'll be talking about "white-listed," or safe sites instead of black-listed ones.
In a recent column in Wired Magazine, Bruce Schneier, a security specialist and author, dubbed the worm the "future of malware" and compared it to a difficult-to-detect but potentially deadly illness. "Symptoms don't appear immediately, and an infected computer can sit dormant for a long time," he wrote. "If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain."
Others aren't convinced that the Storm Worm is really all that special – at least on a technical level.
"As far as malware goes, it's not particularly new and doesn't have any cutting-edge functionality," says Dave Marcus, a security research and communications manager for McAfee Avert Labs.
Marcus acknowledges that the Storm Worm has proven to be a favourite of hackers.
"I think Storm has just been popular simply because it's been so successful."