The new version of Storm is more streamlined than the original version, because it uses HTTP as its command-and-control mechanism, with the address of the command-and-control server embedded in an encrypted form. According to an analysis of the code conducted by members of the Honeynet Project, there is no list of peers in the configuration file, which uses the same file name as the original version of the malware. The installation technique used by this version of Storm is identical to that used by the original.
"We compared the last version of Storm to the new samples. Around two thirds of the functions in the new sample are simply copied and pasted from the last Storm code base," said Felix Leder, a member of the computer science department at the University of Bonn involved with the Honeynet Project. "Since the source code of Storm has never been made public, the same team of developers has finally created a new variant or sold its code."
The original version had more than 800 functions, many of which are missing in the new version because of the shift to HTTP. Leder mused that the Stormfucker program that he developed with other German researchers may have been responsible for the alternate approach to command and control. That tool took advantage of flaws in the P2P command network to take down a Storm bot. However, it would generally have involved installation without the victim's consent, limiting its legitimate use.
The command protocol used by the new version is identical to the original's, and allows different commands to be sent to clients, instructing them to deliver spam or participate in a DDoS attack.
The new code was originally discovered by Stephen Adair of the Shadowserver Foundation.