
Just How Bad Is the Storm Worm?

The Storm worm has earned its share of superlatives, but security experts disagree over just how many computers running Microsoft Windows have been compromised by the e-mail worm. Some new figures released from Microsoft and estimates obtained by Security Fix may help shed some light on the size and sheer firepower of what's being called one of the largest and most sophisticated cyber fraud networks ever constructed.

Some experts have put the number of Storm-infected PCs at close to 10 million, but most estimates are more conservative, pegging the infected pool at between a few hundred thousand and a million or so machines. In an attempt to learn more precise and timely estimates, Security Fix decided to combine the resources of two well-regarded security and spam sources.

A PC infected with Storm will either be used to blast out millions of junk e-mails advertising Web links that when clicked attempt to download a copy of the worm, or it will serve as the destination for that link -- essentially hosting the latest copy of the worm for download. Ever since its release in January, the Storm worm has been used almost exclusively either to spread the worm or to tout penny stocks in "pump-and-dump" investment scams. Recently, however, security experts have spotted evidence that the Storm network is being rented out to online pharmacy spammers as well.

I figured that by counting the number of unique Internet addresses spamming out links to several thousand Internet addresses known to be download addresses for the Storm worm, perhaps we could get an accurate picture of the total number of Storm-infected machines. But this method provides at best a partial view of the scale of the Storm worm.

I started with a list of some 6,500 download addresses advertised in Storm-generated spam on Sept. 9, as gathered by Lawrence Baldwin, chief forensics officer for I then asked anti-spam provider IronPort Systems to count the number of junk e-mails it received that day advertising those addresses.

IronPort found that on Sept. 9, roughly 280,000 distinct Storm-infected systems sent about 2.7 billion e-mails advertising those addresses, making Storm responsible for about 4 percent of all spam sent that day.

"This is actually a relatively quiet day by Storm standards," said Craig Sprosts, senior product manager for IronPort. "I've seen as many as 1.4 million Storm bots sending e-mail on one day earlier this summer, so it's likely that the bots used on September 9th represent at most 20 percent of the Storm botnet."

The spam-vertized Web sites were spread out across some 1,100 networks in 108 countries. More than half of these Web sites were hosted in the United States, and in excess of 80 percent of the U.S.-based sites were hosted on home-user machines on just two networks, Comcast and SBC Internet Services (now part of AT&T).

Fast forward to Sept. 20, when Security Fix took its second snapshot. In that analysis, IronPort found approximately 55,000 distinct Storm-infected systems being used to spam and spread the worm. While far smaller in size, this group of Storm-infected machines was spread over a much more diverse set of networks. Whereas in the first measurement 60 percent of the senders resided on just 10 networks, this second cross-section of Storm showed that the top 10 networks accounted for just 29 percent of the spam. What's more, there was relatively little overlap in the Internet addresses of both the spamming and Storm-hosting machines between the two sample days.
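The measurement described above (distinct sending addresses advertising known Storm download addresses, their share of the day's spam, how concentrated the senders are on the top networks, and how much the two snapshot days overlap) can be reproduced on a mail log with a few lines of code. The following is an added illustration, not code from Security Fix, IronPort or Secure Science; the log lines, the download-address list and the network labels are constructed sample data, and the `date sender_ip network url` log layout is an assumption.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed: hosts that a blocklist says are Storm download addresses
# (the article's list had ~6,500 entries; these are documentation IPs).
STORM_DOWNLOAD_HOSTS = {"198.51.100.7", "203.0.113.42", "192.0.2.99"}

# Constructed spam log: "date sender_ip network url", one message per line.
SAMPLE_LOG = """\
2007-09-09 10.0.0.1 comcast http://198.51.100.7/ecard.exe
2007-09-09 10.0.0.1 comcast http://198.51.100.7/ecard.exe
2007-09-09 10.0.0.2 comcast http://203.0.113.42/video.exe
2007-09-09 10.0.0.3 sbc http://192.0.2.99/
2007-09-09 10.0.0.4 sbc http://example.org/newsletter
2007-09-09 10.0.0.5 other http://192.0.2.99/
2007-09-20 10.0.0.5 other http://198.51.100.7/
2007-09-20 10.0.0.9 net-a http://203.0.113.42/
2007-09-20 10.0.0.10 net-b http://192.0.2.99/
2007-09-20 10.0.0.11 net-c http://example.com/
"""


def parse_log(text):
    """Split the assumed whitespace-separated log format into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, ip, network, url = line.split()
        records.append({"date": date, "ip": ip, "network": network, "url": url})
    return records


def is_storm_advert(url, hosts=STORM_DOWNLOAD_HOSTS):
    """True when the advertised link points at a known Storm download host."""
    return urlparse(url).hostname in hosts


def daily_stats(records, day, top_n=10):
    """Per-day view: distinct Storm senders, message volume, share of all spam,
    and how much of the Storm traffic the top_n sending networks account for."""
    storm = [r for r in records if r["date"] == day and is_storm_advert(r["url"])]
    total_day = sum(1 for r in records if r["date"] == day)
    senders = {r["ip"] for r in storm}
    per_network = Counter(r["network"] for r in storm)
    top = per_network.most_common(top_n)
    top_share = sum(c for _, c in top) / len(storm) if storm else 0.0
    return {
        "distinct_senders": len(senders),
        "storm_messages": len(storm),
        "storm_share_of_spam": len(storm) / total_day if total_day else 0.0,
        "top_network_share": top_share,
        "senders": senders,
    }


def sender_overlap(stats_a, stats_b):
    """Sending addresses seen spamming Storm links on both sample days."""
    return stats_a["senders"] & stats_b["senders"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    day1 = daily_stats(recs, "2007-09-09", top_n=1)
    day2 = daily_stats(recs, "2007-09-20", top_n=1)
    for label, s in (("Sept. 9", day1), ("Sept. 20", day2)):
        print(label, {k: v for k, v in s.items() if k != "senders"})
    print("overlap:", sorted(sender_overlap(day1, day2)))
```

As the article notes, this counts only bots that spammed on the chosen day and that advertised addresses already on the list, so the result is a lower bound on the botnet, not its size.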

That number has remained somewhat constant. According to Secure Science Corp., which has been closely tracking the Storm worm outbreak, as of 7 a.m. ET, Oct. 1 there were roughly 53,000 Storm-infected PCs either sending spam or acting as Web hosts to spread the worm.

So what accounts for the apparent drop in the number of active Storm infected machines? One explanation is clean-up activity by Microsoft. Each month, the company pushes out updates to its "malicious software removal tool," a utility bundled with security updates released on the second Tuesday of each month. The MSRT is designed to do one thing -- remove malware. And on Sept. 11, Microsoft finally tweaked the tool to detect and remove Storm variants.

Microsoft reports that within 24 hours of that update, the MSRT scrubbed copies of the Storm worm from roughly 91,000 systems. By the end of that week, Redmond had removed Storm from 274,372 PCs.

Shortly after the incorporation of Storm into the MSRT, the Storm authors rolled out an upgrade to the worm in an attempt to rebuild the network's strength, Microsoft said. The company also suggested that at any given time the number of active Storm systems may be a small subset of the total number of Storm-infected PCs.

"Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the 'Storm' botnet," wrote Jimmy Kuo, a senior security researcher at Microsoft. "The September release of the MSRT probably cleaned up approximately one hundred thousand machines from the active 'Storm' botnet. Such numbers might project that the strength of that botnet possibly stood at almost half a million machines with an additional few hundred thousand infected machines that the 'Storm' botnet perhaps were not actively incorporating."

Microsoft says despite all of the media attention that Storm has garnered, the worm's ranks still pale in comparison to other families of malware, noting that the Renos family of malware has been removed from 668,362 distinct machines, while the Zlob family has been removed from 664,258 machines.

If Storm has won special attention, it's probably not so much due to its size as to the novel tactics its creators have employed to stymie security researchers.

Most worm and virus networks are controlled and updated via online Web servers or chat networks. These nodes represent potential pressure points for security researchers, who can often cut the criminals off from their network of infected machines simply by shuttering the server that controls the network. But the Storm network avoids this vulnerability by distributing instructions and updates over a peer-to-peer system, a decentralized network that actually uses the very same communications protocol as the eDonkey network, which is currently used to trade audio and video files, as well as computer software.

The Storm network also employs another evasion technique known as "fast-flux," which involves assigning multiple (often thousands of) Internet addresses to the same Web site domain name. In fast-flux attacks, the owner of the domain constantly changes settings on the network's back end so that any requests for that Web site get routed through a different Internet address every few minutes.
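From the defender's side, the fast-flux behaviour just described shows up in DNS data as a domain whose answers keep changing, carry short TTLs, and point into many unrelated networks. The following is an added example, not code from the article or from any of the organizations it names; the lookup records are constructed, and the thresholds in `is_fast_flux` are an assumed heuristic rather than a published standard.

```python
from collections import defaultdict
from statistics import mean

# Constructed: successive DNS lookups as (domain, ttl, A records).
# "flux.example" answers differently every time with a short TTL;
# "static.example" answers with one stable address and a long TTL.
OBSERVATIONS = [
    ("flux.example", 180, ["198.51.100.7", "203.0.113.42"]),
    ("flux.example", 180, ["192.0.2.99", "198.51.100.88"]),
    ("flux.example", 180, ["203.0.113.9", "192.0.2.15"]),
    ("flux.example", 180, ["198.51.100.30", "203.0.113.200"]),
    ("static.example", 3600, ["192.0.2.10"]),
    ("static.example", 3600, ["192.0.2.10"]),
    ("static.example", 3600, ["192.0.2.10"]),
]


def slash24(ip):
    """Coarse 'network' key: the first three octets of an IPv4 address."""
    return ".".join(ip.split(".")[:3])


def summarize(observations):
    """Aggregate lookups per domain: distinct IPs, distinct /24s, mean TTL."""
    per_domain = defaultdict(
        lambda: {"ips": set(), "nets": set(), "ttls": [], "lookups": 0}
    )
    for domain, ttl, answers in observations:
        d = per_domain[domain]
        d["lookups"] += 1
        d["ttls"].append(ttl)
        d["ips"].update(answers)
        d["nets"].update(slash24(a) for a in answers)
    return {
        dom: {
            "distinct_ips": len(d["ips"]),
            "distinct_nets": len(d["nets"]),
            "mean_ttl": mean(d["ttls"]),
            "lookups": d["lookups"],
        }
        for dom, d in per_domain.items()
    }


def is_fast_flux(summary, min_ips=5, min_nets=3, max_ttl=600):
    """Assumed heuristic: many addresses, spread over several networks,
    advertised with a short TTL. A CDN can also match, so treat a hit as
    a lead for analysts, not as proof."""
    return (
        summary["distinct_ips"] >= min_ips
        and summary["distinct_nets"] >= min_nets
        and summary["mean_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    for dom, s in summarize(OBSERVATIONS).items():
        print(dom, s, "fast-flux" if is_fast_flux(s) else "normal")
```

In practice the observations would come from passive DNS or a resolver log collected over hours or days; the more lookups you have, the better the distinct-IP and network counts separate flux domains from large legitimate hosting.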

Finally, the Storm network has a built-in self-defense mechanism, a sort of digital booby trap. Security experts often will scan networks for signs of irregular network activity that may indicate a worm or other malware infection. The Storm network is designed to launch a massive denial-of-service attack against any Internet address it detects as the source of such scanning activity.

By Brian Krebs  |  October 1, 2007; 10:31 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings  


Two questions, Is there a spoofing element to the Storm Worm network? And is there a tool or a virus scan that detects the Storm Worm best?

I wiped my hard drive and changed the passwords for my server, and once or twice a week I still get a number of bounced messages that contain the usual Storm Worm links and spam variations. Checking the bounced messages, most of them originated from the Asia Pacific network.

I import my own blocklists, and I may just ban as many Asia Pacific IP blocks as I can find.

Posted by: PJ | October 1, 2007 2:47 PM | Report abuse

Very interesting, thank you.

Is there any way for a home PC owner to tell what things, if any, have been removed by the MS malicious software removal tool from one's PC? I've wondered about this since there's never any indication of results from month to month. It would be useful to know these things on an individual as well as aggregate basis.

Posted by: sc | October 1, 2007 10:07 PM | Report abuse

MSRT: Does that program need to be called up and run or does it run in the background once Microsoft has downloaded it into my and most everyone else's computer?

Posted by: Teresa Binstock | October 2, 2007 7:26 AM | Report abuse

Your questions about how Microsoft's malicious software removal tool works are answered on the Microsoft website at:

Posted by: CS | October 2, 2007 12:40 PM | Report abuse

microsoft is the biggest purveyor of viruses/worms/whatever; it's called windows.

Posted by: Anonymous | October 2, 2007 3:18 PM | Report abuse

Why doesn't law enforcement arrest whomever is "renting out" this network? They can arrest some kid collecting Britney Spears songs. They can't find out where something really damaging is originating?

Posted by: Otto | October 5, 2007 4:56 PM | Report abuse

In reply to Otto's post of October 5, no. The law enforcement agencies cannot find out where the worm's controllers are situated, because the communication between the controllers and the botnet happens in a distributed manner. The controllers connect to one or two infected computers, send the commands, and those computers send the commands on to others, and so on. Computers that are down the chain do not know the IP address or physical location of the controllers or even of the first 2 computers. Law enforcement agencies would need to find the first two computers in order to know anything about where the botnet is being controlled from. 2 computers in a couple of million compromised machines - that is a needle in a haystack indeed. And do it without alerting whoever is controlling the network.

Posted by: Chris Lees | October 7, 2007 3:54 AM | Report abuse

Don't know why, but I had the impression that the origin of this storm is well known but it's so "deep" everyone just has to hush hush.

Posted by: Killian | October 25, 2007 4:16 AM | Report abuse

For once I wish all these hackers out there would leave microsoft alone and concentrate on taking down these worthless spammers.....

Posted by: Shagowski | January 16, 2008 9:53 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company