Storm Worm Now Just a Squall
The Storm Worm's days may be numbered, according to a University of California researcher.
Brandon Enright, a network security analyst at UC San Diego, has been tracking Storm since July and said that, despite the intense publicity that the network of infected computers has received, it's actually been shrinking steadily and is presently a shadow of its former self. On Saturday, he presented his findings at the Toorcon hacker conference in San Diego.
Storm is not really a computer worm. It's a network of computers that have been infected via malicious e-mail messages, and are centrally controlled via the Overnet P-to-P protocol. Enright said he has developed software that crawls through the Storm network and he thinks that he has a pretty accurate estimate of how big Storm really is.
Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world's most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time.
Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network.
Since July, it's been downhill for Storm. That's when antivirus vendors began stepping up their tracking of Storm variants and got a lot better at identifying and cleaning up infected computers, Enright said.
Then on September 11, Microsoft added Storm detection (Microsoft's name for Storm's components is Win32/Nuwar) into its Malicious Software Removal tool, which ships with every Windows system. Overnight, Storm infections dropped by another 20 percent.
Today, Enright said that Storm is about one-tenth of its former size. His most recent data counts 20,000 infected PCs available at any one time, out of a total network of about 160,000 computers. "The size of the network has been falling pretty rapidly and pretty consistently," he said.
Still, Storm has had a remarkably successful run. It's called Storm because it first popped up in mid-January in spam e-mails that offered late-breaking information on powerful storms that had been battering Europe. Users who clicked on the "Full Story.exe" or "Video.exe" attachments that accompanied the spam were infected by malicious software, making them part of the Storm network.
These machines were then used to send out more spam and launch attacks against other computers. The recent MP3 stock spam that was first spotted earlier this week was sent out by the Storm network, Enright said.
Storm was effective because its creators were really good at creating messages that victims would feel compelled to click, Enright said. In its first few days, it managed to infect more than 300,000 computers, making it the worst malware outbreak since 2005. Its creators have since been masters at creating timely messages for their spam and have also had success getting victims to click on fake e-greeting cards.
The Storm network itself is constantly changing, and has used a variety of technologies that have made it an interesting phenomenon to study. In addition to the peer to peer network, it has used rootkit software to disguise its presence on the PC and a server-switching technique called "fast-flux," which makes the Storm servers harder to find on the network.
It's also developed some interesting ways of keeping researchers like Enright at bay. "If you're a researcher and you hit the pages hosting the malware too much... there is an automated process that automatically launches a denial of service [attack] against you," he said. This attack, which floods the victim's computer with a deluge of Internet traffic, knocked part of the UC San Diego network offline when it first struck.
Lately Storm has been responsible for a large quantity of "pump and dump" spam, which tries to temporarily boost the price of penny stocks. But one area that does not seem to be of interest to Storm's creators is identity theft. "Believe it or not, credit card numbers aren't worth that much money," Enright said. "It's much better to make money... via pump and dump."