Network News

X My Profile
View More Activity

Storm Worm Dwarfs World's Top Supercomputers

The network of compromised Microsoft Windows computers under the thumb of the criminals who control the Storm Worm has grown so huge that it now has more raw distributed computing power than all of the world's top supercomputers, security experts say.

Estimates on the number of machines infected by Storm range from one million to 10 million, depending upon which security sources you believe. But hardly anyone would argue that many thousands of new PCs are being stricken by the worm each day, largely because the worm authors are continuously changing their tactics to trick people into installing it.

Massive pools of virus or worm-infected PCs, known as "botnets," are principally used to blast out spam, host scam Web sites, or to flood targeted Web sites with so much junk traffic all at once that they simply crash and are rendered unreachable by legitimate visitors. But the criminals who control these infected machines could just as easily use them to do some serious number-crunching, the kind of computational analysis typically left to the world's fastest supercomputers.

IBM's BlueGene/L supercomputer.

In a posting today to a data security mailing list, Peter Gutmann, a computer science professor with the University of Auckland in New Zealand, said the Storm botnet could easily outperform IBM's BlueGene/L, currently the top-ranked supercomputer on the planet.

Gutmann's analysis assumes that the average infected PC is fueled by something close in processing power and memory to the class of machine used by the average computer gamer. Valve, the maker of the blockbusters CounterStrike and Half Life video games, says the typical machine has somewhere between a 2.3 to 3.3 GHz processor, with roughly 1 gigabyte worth of system RAM (system memory).

If we assume the average Storm worm victim machine falls within this range, the Storm cluster has the equivalent of one to 10 million 2.8 GHz Pentium 4 processors with one to 10 million petabytes worth of RAM. Whether we're talking about disk space or the size of a computer's temporary memory space, a petabyte is a truly staggering number. To put the size of a petabyte into perspective, Google, as of Aug. 2007, uses between 20 and 200 petabytes of disk space, according to In comparison, Gutmann said, BlueGene/L currently contains 128,000 computer processor cores, and has a paltry 32 terabytes of RAM. A terabyte is about 1,000 times smaller than a petabyte.

In fact, Gutmann said, the Storm botnet has better hardware resources than the entire world's top 10 supercomputers.

Even if you bring the average processing power or RAM down quite a bit, the numbers still favor the computational abilities of the Storm worm over the world's most powerful supercomputers.

Lawrence Baldwin, chief forensics officer for and a researcher who closely monitors the spread of the Storm worm, said the sheer power of the Storm network is "scary."

"People aren't respecting the threat this thing represents," Baldwin said. "But when you pit it against the biggest military and government supercomputing resources, they're like a speck on the back of a fly compared to the power that's under the control of this one criminal group."

Baldwin said the raw power of the Storm botnet might be taken more seriously if it were more often used to take out large swaths of the Internet, or in attempting to crack some uber-complex type of encryption key used to secure electronic commerce transactions. "I'm sure there are other types of computationally intensive tasks that could be accomplished with a couple of millions of computers that would help the miscreants."

By Brian Krebs  |  August 31, 2007; 6:32 PM ET
Categories:  From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Hit By Attack On
Next: A Time-to-Patch: Apple 2006


Bad math! By several orders of magnitude!

Average RAM per computer of 1GB means that there is a total of 1 to 10 million GB of RAM in the botnet - NOT 1 to 10 million PB (petabyte). And 1 to 10 million GB is equivalent 1 to 10 PB.

Posted by: Ron | August 31, 2007 8:17 PM | Report abuse

Just another note even with a "gazillion" infected machines other than a DDOS attacks and skimming user info off the machines themselves,they are not that powerful. Why?

Because the users that have the storm worm will usually have about 2 bazillion (post speak for quantities) other worms, keyloggers, and adware on the machine are jamming up processor and NIC functions enough with it's respective bot,logger, or adware server that it renders the machine pretty much useless.

About all it can do at that point is spread itself to other machines or jam up a network. But raw calculating power to outdo a clean supercomputer.... doubtful!

Posted by: Devin | September 1, 2007 11:20 AM | Report abuse

Ha, wondered when this bit would surface. It is in a novel I'm writing, used for password cracking. OH, see:

Posted by: G4Cube | September 1, 2007 1:18 PM | Report abuse

Any way to check your computer for the Storm Worm, or resources to take care of it?

Posted by: PJ | September 1, 2007 1:41 PM | Report abuse

F-Secure Blacklight detects it:

I have a pdf file on protecting your computer with free software. email me for more information:

Posted by: jim collins | September 1, 2007 7:10 PM | Report abuse

One comment about this (I'm the author of the original post), the standard benchmark used to rate supercomputers is the LINPACK linear-algebra mathematical benchmark. Now in practice the LINPACK performance of a botnet is likely to be nowhere near that of a specially-designed supercomputer, since it's more a distributed grid than a monolithic system. On the other hand bot-herders are unlikely to care much about the linear algebra performance of their botnet since it doesn't represent the workload of any of the tasks that such a system would be used for.

Where Storm leaves every conventional supercomputer in the dust is in terms of the sheer hardware resources (number of CPUs, amount of memory, and network bandwidth) at its disposal. It's quite scary to think of *that* much computing power in the hands of criminals.

Posted by: Peter Gutmann | September 1, 2007 10:29 PM | Report abuse

One would think that difference maker between Storm and a Supercomputer would be the bandwidth at its disposal; that is, the amount of internet usage it can use at any one time.
One Comcast user == X amount of bandwidth
Storm == Y Comcast users
X * Y == Holy Crap

Posted by: jim collins | September 1, 2007 11:43 PM | Report abuse

@Peter: Who do you think could find an enormous distributed computer network to be a good thing? Considering it's never stopped access to the Internet? You could even say that shutting it down would be a crime seeing as it's never stopped access...

Posted by: Jim Collins | September 1, 2007 11:57 PM | Report abuse

The Storm Worm doesn't affect the millions of Win98 users who opted out of MS's upgrading and patching rat race.

Posted by: BillK | September 2, 2007 8:17 AM | Report abuse

Is it a Windows only problem or do I (Linux only user) have to care?

Posted by: Sven | September 2, 2007 8:48 AM | Report abuse

From Wikipedia-

Windows 2000, Windows XP and presumably Windows Vista can be infected by all the Storm Worm variants, but Windows Server 2003 cannot, as the malware's author specifically excluded that edition of Windows from the code.

Posted by: BillK | September 2, 2007 9:12 AM | Report abuse

It would appear, to me, that the Storm Worm is using the same, or near, processes that is used by BOINC to run seti@home, einstein@home, etc. to do massive amounts of number crunching for research.
This is truly awesome AND frightening!
It's a shame these people do not use their knowledge for good instead of evil. It almost makes one ashamed to be part of the human race; but there is still a lot of good people out there.

Posted by: PeteBB | September 2, 2007 1:13 PM | Report abuse

@Peter: good one!

Posted by: Rick | September 2, 2007 1:21 PM | Report abuse

It would be nice if we could get a list of which anti-virus software detects Storm instead of a constant stream of articles scaring the hell out of people with useless masturbatory geek data. I think it would be a lot more useful to know how to rid our computers of it. The sheer size is impressive, but it almost like people are idolizing the criminals here.

But hey (butt hay), it's always more sexy to write about the doom & gloom. I realize that. Be if a few software solutions were included to help people out though.

Just a thought...

Posted by: Frank Turd | September 2, 2007 3:57 PM | Report abuse

You won't get Windows pc protection in a couple of sentences! :)
The antivirus companies are struggling to keep up as Storm Worm seems to mutate to a different signature every 30 minutes or so.
You need multi-layer protection including intrusion detection, rootkit detection, firewall (hardware and software), etc.
And safe computing training, which most infected users don't have.

Buy a Mac or use Linux. It's easier.

Posted by: BillK | September 2, 2007 4:16 PM | Report abuse

@Frank: your criticism is well taken. However, it highlights I think a perception that helps fuel the success of things like the Storm worm.

Understandably, most Windows users don't want to become experts on security just to use the machines. They want to rely on some type of software solution to protect them from direct threats, but more importantly to protect them from themselves when they do something ill-advised or plain risky (such as clicking on links in spam e-mails or opening up e-mail attachments in unsolicited e-mail, or downloading and installing pirated software).

The truth is, anti-virus and most security software cannot keep up with the rapid morphing of the Storm worm. So telling people to keep their anti-virus software updated is somewhat hollow advice, IMO. They're dealing with hundreds of new Storm variants each day.

I have attached at the end of this reply a scan of a Storm variant that is nearly a day old now, and you can see how well it is detected. In this case only 31 percent of the many anti-virus products out there today detected this thing as malicious (bear in mind that just because a particular anti-virus product detects this variant does not in any way mean they will detect the next hour's variant of the same worm.)

I have chosen, time and again, to emphasize the importance avoiding these risky behaviors and of keeping your system and the software that runs on top of it updated with the latest security updates.

Scan of Video.exe at

File video.exe received on 09.02.2007 22:46:54 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 10/32 (31.25%)

Antivirus Version Last Update Result
AhnLab-V3 2007.9.1.0 2007.09.01 -
AntiVir 2007.09.02 Worm/Storm.tch
Authentium 4.93.8 2007.09.02 -
Avast 4.7.1029.0 2007.09.02 -
AVG 2007.09.02 -
BitDefender 7.2 2007.09.02 -
CAT-QuickHeal 9.00 2007.09.01 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.09.02 -
DrWeb 4.33 2007.09.02 Trojan.Packed.142
eSafe 2007.09.02 Suspicious Trojan/Worm
eTrust-Vet 31.1.5100 2007.08.31 -
Ewido 4.0 2007.09.02 -
FileAdvisor 1 2007.09.02 -
Fortinet 2007.09.02 -
F-Prot 2007.09.02 -
F-Secure 6.70.13030.0 2007.09.02 -
Ikarus T3.1.1.12 2007.09.02 -
Kaspersky 2007.09.02 -
McAfee 5110 2007.08.31 -
Microsoft 1.2803 2007.09.02 TrojanDropper:Win32/Nuwar.gen!avkill
NOD32v2 2497 2007.09.01 -
Norman 5.80.02 2007.09.02 Tibs.gen134
Panda 2007.09.02 -
Prevx1 V2 2007.09.02 -
Rising 2007.09.02 -
Sophos 4.21.0 2007.09.02 Mal/Dorf-A
Sunbelt 2.2.907.0 2007.08.31 VIPRE.Suspicious
Symantec 10 2007.09.02 Trojan.Packed.13
TheHacker 2007.09.02 -
VBA32 2007.09.01 -
VirusBuster 4.3.26:9 2007.09.02 -
Webwasher-Gateway 6.0.1 2007.09.02 Worm.Storm.tch
Additional information
File size: 140021 bytes
MD5: f8eca24bc31a4a336d05d61fd814a3fb
SHA1: 479ea8cf44de3fbf2e43481cdf6e12ed6e7908d6
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Posted by: Bk | September 2, 2007 4:57 PM | Report abuse

The Storm worm spreads via e-mail mainly because of home users running with
a. full administrator rights and
b. who are using webmail sites that don't block executable attachments like .exe

It has to be home users as
a. Corporate users are typically running with limited user rights.

b. plus, updated & patched Outlook 2000, 2002, 2003 as well as Outlook Express mail clients block nearly all executable attachments (including the .exe used by Storm).

c. And that's on top of whatever screening is done at corporate e-mail gateways.

Posted by: Ken L | September 2, 2007 6:27 PM | Report abuse

Isn't Peter Gutmann the author of the Vista/DRM hoax?

Nobody takes him seriously.

Posted by: Bruce | September 2, 2007 8:46 PM | Report abuse

Not on the storm worm but on:



Posted by: | September 3, 2007 12:04 AM | Report abuse

Something else you didn't mention, it's not like all these PC's have a very fast connection to whatever distributed software thingy a botnet operator might come up with. Waiting for some tiny code to crunch through 8 hops over dialup error correction and 8 hops back, you must be kidding to compare that junk to IBM supercomputers. Also how many of those million PC's are turned on at the same time to do anything serious with them?

And last but not least, you're crazy to think the average home user has a system anything like that of a gamer. Sure, there's lots of gamers out there and they buy the most blazing fast PC's they can get. But most of us busy people with a life, we don't have time to upgrade to the latest processor when it comes out, or care what moron is trying to hack the Internet. You could probably get some real CPU info from somebody like Alexa or WebSideStory.

Posted by: PJ Ferodynamics | September 3, 2007 12:14 AM | Report abuse

I do not know about "most users" but a friend and I each have Verizon FiOS connections to the Internet, and several others have ComCast connections, and the last has DSL. So that is quite a bit of bandwidth. OTOH, I run Linux and another friend runs MACs. That leaves the Windows users that are currently running XP and presumably the Windows firewall (that I suppose is of some use). My closest friend ran Symmantec's firewall until the subscription that was included with her computer expired. She still ran it, but got no more security updates. When her computer slowed down way too much, she appealed for help. I removed a few trojans and a lot of viruses. I got her the free version of the AVG virus scanner, and spent about a week (part time) removing other malware. LimeWire was a big problem to remove, but I got it out of there finally. But then her husband reinstalled Limewire so it is getting quite slow again. Sigh.

I have two computers and so do several of my friends. I keep the old one when I get a new one. The oldest one I give away. I do no gaming other than nethack. But my main machine has two 3.06 Hyperthreaded Xeon Processors and 8 GBytes RAM. I suppose the bad guys would like to take it over, but there would be some difficulty in their doing that. I run no servers open to the Internet. My root user does not have easy access to FireFox or Thunderbird. I cannot run .exe files... . I am not saying the CIA, FBI, or NSA could not hack into my machine, but they would have a more difficult time than with Windows machines. They would probably break into my house and put a keylogger in the keyboard if they seriously wanted to crack my machine. Or just steal it.

I do think these DDoS threats are becoming an increasing threat. Already, e-mail is almost useless and at the current rate, another two years and it will be the end of that. Likewise, the UseNet is becomming increasingly polluted by spammers to the point where I sometimes just delete all posts to some newsgroups without even looking at them.

It is a shame.

Posted by: JeanDavid | September 3, 2007 7:50 AM | Report abuse

I think it's time to rally the troops and grab your pitchforks, and storm the M$ castle. This is ridiculous it's 2007 and Windows is still a beta OS at best full of security holes. When will we wake up and demand M$ fix these problems! Buy a Mac or use Linux if you are a home user.
Enough said

Posted by: iggyfan | September 4, 2007 1:32 PM | Report abuse

Good lord, this article is filled with so much implied scaremongering and actual gross overestimation that I'll never again take this part of the Washington Post seriously. Geebus, Gutmann, you're a great self-promoter, but what a worthless, slimeball hack you are!

Posted by: Peter Gutmann's Pimp | September 4, 2007 1:44 PM | Report abuse

Proof: Civilization will never catch up to Technology.

Posted by: Spock | September 5, 2007 3:47 PM | Report abuse

For starters, any links here provided to anti spy ware sites are probably Scrutinized heavily as an excuse to advertise. For example if I said that Norton was the best, then no one would believe me, except to accuse me of advertising for Norton. (let it be known that I'm not.)

With something as complex as this I personally find that by reinstalling my copy of Windows XP from time to time, the reformatting of the drive and the fresh OS help greatly in keeping my computer running speedily. I generally turn off windows updates because I listen to my computer, and if its processing something when I've not told it to run any programs I know there's a problem.

The truth is that the issue lies more in the behavior of people than having anything to do with the machines themselves. Most of us that posted have demonstrated some net intellect in this matter. We know that spam filters are not perfect, we know not to open .exe, or to run software we don't trust. Most people don't.

Gamers in particular, are those that take security seriously, and if they don't, you simply have to explain to them that Trojans and worms like this make the games run slower and cause lag, and they instantly learn security for the sole purpose of making games more enjoyable.

I think our terminology is behind too, or if not that then at least its not widely circulated enough. Again, most of us are somewhat educated, but does the common person REALLY know the difference between a Trojan, a worm, a spy horse, and an enema? I doubt it, my father doesn't, and he works for a decently prestigious company and claims to spend hours sweeping his computer with anti-spy ware software, finding tons and tons of....malicious programs, as I prefer to word it.

Truth is, if you want to become that critical, then realize that if your computer runs slow from viruses, and then it runs slow because of all your spy sweep software, then have you really done anything useful?

Merge out.

Posted by: Merge Sigskay | September 6, 2007 2:39 AM | Report abuse

It seems clear to me that the only practical way to tackle this problem is for some white hat hackers to release a competing worm that infects vulnerable machines, removes any malware found, and applies any needed patches and updates. Let's face facts: There are millions of clueless lusers that don't know and don't care about securing their computers, or who have a false sense of security because their machine came with (now-expired) AV software pre-installed, and the criminals get more sophisticated by the minute. Sure, in a perfect, theoretical world it's unethical to infect someone else's computer, but here in the real world where the criminals are winning in a rout, and we have no hope of getting a critical mass of lusers to properly secure their machines, and the idiots in Redmond badly botched what was probably the last, best hope of making Windoze secure with the debacle that is Vista and its worse-than-useless UAC system, sitting back and letting them win is far worse.

Posted by: windoze sux | September 6, 2007 12:46 PM | Report abuse

@windoze sux

"It seems clear to me that the only practical way to tackle this problem is for some white hat hackers to release a competing worm that infects vulnerable machines, removes any malware found, and applies any needed patches and updates."

Actually there was a virus like this that was discovered in Aug.2003 it was called Welchia or better known as NACHI.

It did help some systems out that were infected but the traffic it generated brought most networks it was going across to a Crawl.

Posted by: Devin | September 7, 2007 4:03 PM | Report abuse

I just had to respond, I think I saw a post asking where to get antivirus software. I just want to point out that the beginning of the article stated that you would be lured into the worm by touchin an email on storms. Here's another thought, what idiot would open email they don't recognize. Another thought, the average gamer uses webmail, ( usually fairly safe from worms unless you're dumb enough to run active X controls) so don't open the email. Hear about a storm? Check the web if you're truly concerned. I don't see why this worm is such a problem. Moresoever why so many people could be infected yet not take the necessary steps to have a professional remove this crap.

Posted by: Badge wearer, bug driver | September 9, 2007 1:00 PM | Report abuse

You would not believe how many TOTALLY IGNORANT & WILLFULLY STUPID windoze users there are who download anything and everything. they know NOTHING about the most basic win pc maintenance, nothing about software, nothing about what to do when or WHY and zero about anti-virus or trojans -- they are TOTALLY OBLIVIOUS.

I know because I've worked with and known a zillion of them -- JUST every day users in offices, homes, etc -- 99.9% of all windoze users i've ever known know nothing about any of this stuff. ZERO. they think you just set it up and go and push any button that pops up, buy or download any thing a popup tells them to. they are COMPLETELY INTIMIDATED AND IGNORANT AND DON'T WANT TO TAKE THE TIME TO LEARN BECAUSE IT SHOULD JUST WORK but the reality is it's not user friendly when it comes to protection, security, fixing, maintaining.

Posted by: multi-platform | September 9, 2007 5:40 PM | Report abuse

Ok, I'm tired of the Windows bashing. If your OS, meaning Linux or Mac, were installed in let's say 75% or more of the worlds computers, there would be a crapload of security exploits on them as well. It's not Windows security specifically, it's the install base that hackers go after for obvious reasons. So STFU already about Windows, any OS holding the popularity title will be subject to greater attack. No OS is secure. Period. Now blaming uneducated users is another story.

Posted by: Jobu | October 25, 2007 1:29 PM | Report abuse

@ Jobu
True, but the OSX and linux in particular are more resistant to attacks, given their permissions systems. In windows, everyone (more or less) runs as an admin, meaning everything they do is given the go-ahead and not questioned, every program is run etc. On unix-based oses, everyone (again, exclude one or two) runs a limited account, needing root access to do anything, so viruses etc can't run.

Posted by: Anonymous | October 25, 2007 3:07 PM | Report abuse

Ah, but Windows has the same ideas behind it. Most people just don't bother to setup another account without admin rights. Linux makes you, but the average user isn't going to install soemthing that requires two accounts and two passwords, then only use one of them every so often when installing something.
You do need root access, but root is just another name for administrator and good only if you use it like it's meant to be used.

Posted by: Whitetigersx | October 25, 2007 8:31 PM | Report abuse

@All the windows vs Linux flames. Because trolls need to be fed too.

Linux isn't perfect and there are some serious architectural problems in its security system it inherited from UNIX.These are architectural flaws, not implementation bugs.

However even given that windows security architecture is much weaker from both a pure theory as well as a practical standpoint.

Neither OS is secure and neither OS can be secure in the presence of threats, they are at a fundamental level designed wrong for it.

Second is the weird 'security from obscurity' argument often made in that linux is not widely enough installed to be a good target.

According to some LAMP stacks make up 60% of web servers, I can't say if they are right or wrong but lets go with a simple 'around half'. These are not just desktop computers they are running web servers on the wild and woolly internet with scripting turned on, this is extremely risky behavior. And yet there are relatively few attempts to attack the stack itself, most of the exploits focus on using badly written scripts, often unique to that server to do whatever the intended harm is. Compare that with the attacks mounted on windows+ISS or +Apache where there are far more attempts aimed at the much more vulnerable stack, which is also much harder to secure in my experience.

And before anyone complaints websevers are not a good comparison to desktops they are not. Webservers are a choice cut of prime meat for criminals wether it's some recreational phising, piking some delicious data from those oh so plump databases, or if it's just to add a machine that probably sends out a lot of legitimate emails with a always on broadband connection that never gets shut down to your botnet.
Webservers are a prime target, much more so than desktops. They are worth personal attention from the criminal, unlike the home users.

Ok that does it for my windows vs Linux rant. Neither is good, but linux is still better.


@the article.

Well people make a good point in that the botnet could better be compared to something like BOINC network and even SETI at home with it's record breaking only has 5 million users, so Storm worm should be roughly comparable to that. Seems somewhat less impressive now doesn't it?
Maybe this will increase the respect for what the SETI project has accomplished, since it spearheaded the distributed computing stuff.

Posted by: Catty | October 26, 2007 2:31 AM | Report abuse

Nobody knows who is controlling the bot nets.
Why just assume it's a criminal organization?
A bot net has a multitude of applications on both sides of the law. Intelligence and Military being obvious 'legal' examples.

Posted by: Myztry | November 12, 2007 6:49 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company