We like to imagine that hackers are smart, but it is their collective incompetence that has allowed the IT industry to survive their attacks as long as they have.
Viruses may be unleashed, worms may spread, but usually the McAfees and Symantecs of the world are quick enough to help isolate and deal with such malware in a manner of weeks, if not days. This was the case with Sasser, Nimda, and even Code Red. Rare is the malware that acts with the consistent, determined approach of a stealth marketing campaign. This, however, has been the hallmark of Storm, a quietly professional example of online organised crime at its best. And scariest.
You know something's different when Storm starts cropping up in the pages of mainstream newspapers, as it did in the Toronto Star here in Canada last week. In a story which described Storm as the "syphilis of computers", the Star explained in very basic, accessible terms what the threat is and how it is growing. It's the kind of story you would have expected to find written about head lice in elementary schools or, before SARS hit Toronto, the nature of pandemics. A problem historically of concern to specialists such as doctors (or in Storm's case, IT managers) is translated for a mass audience, because the specialists are proving incapable of stopping the worst of its effects.
The most recent reports about Storm, particularly a blog post from Secure Works researcher Joe Stewart, suggest that the hackers behind it are splitting up access to the compromised computers for sale to spammers. It doesn't matter whether you believe there are millions of such zombie machines or, as some experts say, a quarter of a million. We're potentially talking about an army of infected machines the size of several corporate enterprises. Selling them to those who send unsolicited commercial email is the least of the dangers such a "market" of botnets poses.
We've become so used to the identify-contain-forget cycle of security that Storm may require a completely different mind set, both for IT managers and their users. Storm has already hung on for the better part of a year. There's little to indicate it will be on the wane anytime soon. Instead of seeing such malware as a short-term event which we combat and vanquish, we may have to think of coping strategies that extend to several years. This would, of course, have major implications for enterprise IT security policies, which typically focus on user behaviour in exceptional circumstances (illegal downloads, connecting an unknown device to the network) rather than guidelines for ongoing vigilance.
Storm got its name because of an email message that warned of a disastrous weather event that was taking place in Europe, but the metaphor may not really apply anymore. When a real storm ends, people can usually walk around the way they did before. With the Storm malware, the rain might keep falling. IT managers will have to decide whether to permanently carry an umbrella, or get used to being wet.