The Changing StormBy: Joe Stewart
The latest Storm variants have a new twist. They now use a 40-byte key to encrypt their Overnet P2P traffic. This means that each node will only be able to communicate with nodes that use the same key. This effectively allows the Storm author to segment the Storm botnet into smaller networks. This could be a precursor to selling Storm to other spammers, as an end-to-end spam botnet system, complete with fast-flux DNS and hosting capabilities. If that's the case, we might see a lot more of Storm in the future.
The good news is, since we can now distinguish this new Storm traffic from "legitimate" (cough) Overnet P2P traffic, it makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic (I.E. not corporate networks, we hope!).
Matt Jonkman over at Bleedingthreats.net has written some signatures to detect Storm nodes on a network in a generic way. These signatures look for certain UDP packet sizes typical of Storm, occurring over a certain threshold. Since there?s no content matching, these could be prone to false positives in certain cases, so the usual caveats with bleeding-edge signatures apply.