The Storm and Nugache trojans represent the face of future crimeware, or its facelessness: These two malicious bot programs are distinct from their ancestors because they lack a head that can be severed to stop them.
Previous generations of bots could be cut off from their control server, which communicated over Internet Relay Chat. Storm and Nugache bots do not depend on IRC communications; they use encrypted peer-to-peer networking to update themselves and exchange information.
Storm first came to attention in early 2007 and spread through an e-mail message that made reference to a recent European storm in the message subject line. It has created a massive botnet that has been estimated to range from a few hundred thousand to over 2 million machines. In an interview with InformationWeek last September, Matt Sergeant, chief anti-spam technologist with MessageLabs, likened the Storm botnet to a supercomputer in terms of its power.
Nugache appeared in mid-2006, initially as a trojan distributed through chat applications. Initially, it lagged behind Storm in terms of sophistication. For example, it couldn't send spam in regionally appropriate languages, as Storm can. But Paul Henry, VP of technology evangelism at Secure Computing, said that security experts now believe it has caught up with Storm's capabilities and will likely become a more significant threat as its controllers move to profit from their malware.
"[Nugache] is not as large as Storm yet, but from a technical perspective, it's just as good," said Henry.
The maturation of Nugache has resulted in a decrease in the price and quality of spam, according to Henry, who put the current cost of spamming at $100 per million messages.
Like Storm, Nugache relies on encrypted peer-to-peer communication for command and control, said Henry. But it has an advantage over Storm in that it's not tied to a specific set of ports. "[Nugache] will look at pretty much any port to establish communication," he said.
Storm and Nugache communication cannot be detected reliably by intrusion detection systems (IDS). In a paper published last month, computer security researchers Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich said, "User education is likely the only mitigation method to prevent installation of the malware."