Just How Bad Is the Storm Worm?
The Storm worm has earned its share of superlatives, but security experts disagree over just how many computers running Microsoft Windows have been compromised by the e-mail worm. Some new figures released by Microsoft, together with estimates obtained by Security Fix, may help shed some light on the size and sheer firepower of what's being called one of the largest and most sophisticated cyber fraud networks ever constructed.
Some experts have put the number of Storm-infected PCs at close to 10 million, but most estimates are more conservative, pegging the infected pool at between a few hundred thousand and a million or so machines. In an attempt to learn more precise and timely estimates, Security Fix decided to combine the resources of two well-regarded security and spam sources.
A PC infected with Storm will either be used to blast out millions of junk e-mails advertising Web links that when clicked attempt to download a copy of the worm, or it will serve as the destination for that link -- essentially hosting the latest copy of the worm for download. Ever since its release in January, the Storm worm has been used almost exclusively either to spread the worm or to tout penny stocks in "pump-and-dump" investment scams. Recently, however, security experts have spotted evidence that the Storm network is being rented out to online pharmacy spammers as well.
I figured that by counting the number of unique Internet addresses spamming out links to several thousand Internet addresses known to be download addresses for the Storm worm, perhaps we could get an accurate picture of the total number of Storm-infected machines. But this method provides at best a partial view of the scale of the Storm worm.
I started with a list of some 6,500 download addresses advertised in Storm-generated spam on Sept. 9, as gathered by Lawrence Baldwin, chief forensics officer for myNetWatchman.com. I then asked anti-spam provider IronPort Systems to count the number of junk e-mails it received that day advertising those addresses.
IronPort found that on Sept. 9, roughly 280,000 distinct Storm-infected systems sent about 2.7 billion e-mails advertising those addresses, making Storm responsible for about 4 percent of all spam sent that day.
"This is actually a relatively quiet day by Storm standards," said Craig Sprosts, senior product manager for IronPort. "I've seen as many as 1.4 million Storm bots sending e-mail on one day earlier this summer, so it's likely that the bots used on September 9th represent at most 20 percent of the Storm botnet."
The spamvertised Web sites were spread out across some 1,100 networks in 108 countries. More than half of these Web sites were hosted in the United States, and in excess of 80 percent of the U.S.-based sites were hosted on home-user machines on just two networks, Comcast and SBC Internet Services (now part of AT&T).
Fast forward to Sept. 20, when Security Fix took its second snapshot. In that analysis, IronPort found approximately 55,000 distinct Storm-infected systems being used to spam and spread the worm. While far smaller in size, this group of Storm-infected machines was spread over a much more diverse set of networks. Whereas in the first measurement 60 percent of the senders resided on just 10 networks, this second cross-section of Storm showed that the top 10 networks accounted for just 29 percent of the spam. What's more, there was relatively little overlap in the Internet addresses of the spamming and Storm-hosting machines between the two sample days.
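The measurement described above boils down to a join between two data sets: a list of known worm download hosts and a mail log of who advertised them. The following is an added example, not code from the original article or from IronPort or myNetWatchman, showing how the reported figures (distinct sending hosts, message volume, share of all spam, concentration across networks, and day-to-day sender overlap) fall out of that join. The log records, network numbers and download-host addresses are all constructed for illustration; the method has the same blind spot the article notes, since a bot that sends no spam that day, or spams a URL not on the list, is never counted.

```python
"""Estimate a spam botnet's active footprint from a mail log.

Added example (not from the article). The log format, ASNs and the
'known download hosts' list are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class MailRecord:
    sender_ip: str    # address that delivered the message
    sender_asn: int   # network the sender belongs to (constructed)
    url: str          # URL advertised in the message body


# Constructed: download hosts observed in the worm's own spam.
STORM_HOSTS = {"203.0.113.7", "203.0.113.9", "198.51.100.23"}

# Constructed one-day mail log: five Storm messages, two unrelated ones.
SAMPLE_LOG = [
    MailRecord("192.0.2.10", 7922, "http://203.0.113.7/ecard.exe"),
    MailRecord("192.0.2.10", 7922, "http://203.0.113.9/ecard.exe"),
    MailRecord("192.0.2.11", 7922, "http://203.0.113.7/"),
    MailRecord("192.0.2.12", 7132, "http://198.51.100.23/setup.exe"),
    MailRecord("192.0.2.13", 3320, "http://198.51.100.23/"),
    MailRecord("192.0.2.14", 4134, "http://example.net/pharmacy"),   # not Storm
    MailRecord("192.0.2.15", 4134, "http://example.org/stock-tip"),  # not Storm
]


def is_storm_message(rec, storm_hosts=STORM_HOSTS):
    """A message counts as Storm traffic only if its URL points at a known download host."""
    return urlparse(rec.url).hostname in storm_hosts


def measure_storm(log, storm_hosts=STORM_HOSTS, top_n=10):
    """Return the kind of figures the article reports for one day.

    'topN_network_share' is the fraction of distinct Storm senders that sit
    on the top_n busiest networks, the concentration measure used above.
    """
    storm = [r for r in log if is_storm_message(r, storm_hosts)]
    senders_by_asn = {}
    for r in storm:
        senders_by_asn.setdefault(r.sender_asn, set()).add(r.sender_ip)
    senders = set().union(*senders_by_asn.values()) if senders_by_asn else set()
    per_asn = Counter({asn: len(s) for asn, s in senders_by_asn.items()})
    top = sum(c for _, c in per_asn.most_common(top_n))
    return {
        "distinct_senders": len(senders),
        "storm_messages": len(storm),
        "share_of_all_spam": len(storm) / len(log) if log else 0.0,
        "networks": len(per_asn),
        f"top{top_n}_network_share": top / len(senders) if senders else 0.0,
    }


def sender_overlap(log_a, log_b, storm_hosts=STORM_HOSTS):
    """Fraction of day-A Storm senders that reappear on day B.

    A low value means the operators rotate which bots do the spamming,
    so any single day's count understates the infected population.
    """
    a = {r.sender_ip for r in log_a if is_storm_message(r, storm_hosts)}
    b = {r.sender_ip for r in log_b if is_storm_message(r, storm_hosts)}
    return len(a & b) / len(a) if a else 0.0


if __name__ == "__main__":
    print(measure_storm(SAMPLE_LOG))
    # Pretend the second "day" is just the first record of the log.
    print(sender_overlap(SAMPLE_LOG, SAMPLE_LOG[:1]))
```

Run on a real mail log, the only fields needed are the delivering IP, its origin network (from a routing table or whois dump) and the URLs extracted from the body; everything else is set arithmetic. The overlap function is the check to run before quoting a daily figure as "the botnet's size".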
That number has remained somewhat constant. According to Secure Science Corp., which has been closely tracking the Storm worm outbreak, as of 7 a.m. ET, Oct. 1 there were roughly 53,000 Storm-infected PCs either sending spam or acting as Web hosts to spread the worm.
So what accounts for the apparent drop in the number of active Storm infected machines? One explanation is clean-up activity by Microsoft. Each month, the company pushes out updates to its "malicious software removal tool," a utility bundled with security updates released on the second Tuesday of each month. The MSRT is designed to do one thing -- remove malware. And on Sept. 11, Microsoft finally tweaked the tool to detect and remove Storm variants.
Microsoft reports that within 24 hours of that update, the MSRT scrubbed copies of the Storm worm from roughly 91,000 systems. By the end of that week, Redmond had removed Storm from 274,372 PCs.
Shortly after the incorporation of Storm into the MSRT, the Storm authors rolled out an upgrade to the worm in an attempt to rebuild the network's strength, Microsoft said. The company also suggested that at any given time the number of active Storm systems may be a small subset of the total number of Storm-infected PCs.
"Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the 'Storm' botnet," wrote Jimmy Kuo, a senior security researcher at Microsoft. "The September release of the MSRT probably cleaned up approximately one hundred thousand machines from the active 'Storm' botnet. Such numbers might project that the strength of that botnet possibly stood at almost half a million machines with an additional few hundred thousand infected machines that the 'Storm' botnet perhaps were not actively incorporating."
Microsoft says despite all of the media attention that Storm has garnered, the worm's ranks still pale in comparison to other families of malware, noting that the Renos family of malware has been removed from 668,362 distinct machines, while the Zlob family has been removed from 664,258 machines.
If Storm has won special attention, it's probably not so much due to its size as to the novel tactics its creators have employed to stymie security researchers.
Most worm and virus networks are controlled and updated via online Web servers or chat networks. These nodes represent potential pressure points for security researchers, who can often cut the criminals off from their network of infected machines simply by shuttering the server that controls the network. The Storm network avoids this single point of failure by distributing instructions and updates over a peer-to-peer system, a decentralized network that uses the very same communications protocol as the eDonkey file-sharing network (Overnet, a Kademlia-style distributed hash table), which is currently used to trade audio and video files as well as computer software. There is no central server to take down; a researcher who wants to watch or disrupt the network has to join it as a peer.
The Storm network also employs another evasion technique known as "fast-flux," which involves assigning many (often thousands of) Internet addresses to the same Web site domain name. In a fast-flux setup, the operators publish DNS records with very short lifetimes (TTLs) and keep changing them on the back end, so that requests for the Web site resolve to a different set of infected machines every few minutes. Blocking or cleaning any one host accomplishes little, because the domain name, not the address, is what the spam advertises.
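The observable traces of fast-flux are the ones the paragraph names: a low TTL, a large number of distinct addresses answering for one name over time, and those addresses scattered across many unrelated networks (the article's "1,100 networks in 108 countries"). The following is an added example, not code from the original article, that scores a series of DNS resolutions against illustrative thresholds. The observations, domain names, addresses and threshold values are all constructed; in particular the 10.x addresses stand in for scattered home-broadband hosts and carry no real meaning.

```python
"""Flag fast-flux style DNS behaviour from a series of resolutions.

Added example (not from the article). Observations mimic a resolver log:
when the query was made, what name, the TTL returned, and the A records.
Thresholds are illustrative, not from the page.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    ts: int           # seconds since epoch (constructed)
    domain: str
    ttl: int          # TTL returned with the answer
    answers: tuple    # A records in this response


def distinct_prefixes(ips, prefixlen=16):
    """Count distinct /16s. A CDN's addresses cluster in a few blocks;
    bots on home connections are spread across many ISPs."""
    return len({ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips})


def flux_score(observations, ttl_max=300, min_unique=10, min_prefixes=5):
    """Per domain: unique IPs ever returned, distinct /16s, lowest TTL seen,
    and how many times the answer set changed between consecutive responses.
    Verdict 'fast_flux' is True only when all three thresholds are met."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)

    report = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o.ts)
        all_ips, changes, prev = set(), 0, None
        for o in obs:
            cur = frozenset(o.answers)
            all_ips |= cur
            if prev is not None and cur != prev:
                changes += 1
            prev = cur
        min_ttl = min(o.ttl for o in obs)
        prefixes = distinct_prefixes(all_ips)
        report[domain] = {
            "unique_ips": len(all_ips),
            "prefixes": prefixes,
            "min_ttl": min_ttl,
            "answer_changes": changes,
            "fast_flux": (min_ttl <= ttl_max
                          and len(all_ips) >= min_unique
                          and prefixes >= min_prefixes),
        }
    return report


def flagged(observations, **thresholds):
    """Sorted list of domains the score marks as fast-flux."""
    return sorted(d for d, r in flux_score(observations, **thresholds).items() if r["fast_flux"])


# Constructed observations: one fluxing name, one CDN-like name with a
# stable answer set, one ordinary single-address name.
SAMPLE_OBS = [
    DnsObservation(0,   "ecard-greeting.example", 60, ("10.1.2.3", "10.2.3.4", "10.3.4.5")),
    DnsObservation(60,  "ecard-greeting.example", 60, ("10.4.5.6", "10.5.6.7", "10.6.7.8")),
    DnsObservation(120, "ecard-greeting.example", 60, ("10.7.8.9", "10.8.9.10", "10.9.10.11")),
    DnsObservation(180, "ecard-greeting.example", 60, ("10.10.11.12", "10.11.12.13", "10.12.13.14")),
    DnsObservation(0,   "static.example", 300, ("10.20.1.1", "10.20.1.2")),
    DnsObservation(300, "static.example", 300, ("10.20.1.2", "10.20.1.1")),
    DnsObservation(600, "static.example", 300, ("10.20.1.1", "10.20.1.2")),
    DnsObservation(0,   "www.example", 86400, ("10.30.0.1",)),
]

if __name__ == "__main__":
    for domain, r in flux_score(SAMPLE_OBS).items():
        print(domain, r)
```

TTL alone is a poor signal, since content delivery networks also use short TTLs; the /16 spread is what separates a CDN's handful of data-center blocks from a pool of infected home machines, which is why the verdict requires all three conditions.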
Finally, the Storm network has a built-in self-defense mechanism, a sort of digital booby trap. Security experts often will scan networks for signs of irregular network activity that may indicate a worm or other malware infection. The Storm network is designed to launch a massive denial-of-service attack against any Internet address it detects as the source of such scanning activity.
October 1, 2007; 10:31 AM ET
Categories: Fraud , From the Bunker , Latest Warnings