The family of malware variously known as Storm, Peacomm and Nuwar has proven to be among the more resilient and adaptive malicious programs in recent memory. These traits also have helped it become perhaps the most widespread threat since the glory days of Code Red, Slammer and Nimda.
Or is it?
Antivirus vendors and security researchers have said the size of the botnet created by Storm is well into the millions of machines, with some estimates going as high as 50 million infected PCs. The size of such covert networks is notoriously hard to pin down thanks to a number of factors, especially the fact that bots join and leave the network constantly. But, despite all of the press attention Storm has gotten, new research into its behavior and scope shows that the number of active Storm bots operating at any one time is significantly less than one million, and probably closer to 200,000.
"I have seen a lot of high numbers, but in reality those are probably just the overall number of infected machines, not the active ones at any one time," said Javier Santoyo, a manager in Symantec Corp.'s Security Response unit, based in Cupertino, Calif. "It's a constantly moving target."
Symantec's research on Storm, which is based on the spam messages that infected PCs send out, shows that in a 24-hour period in August, there were 4,375 unique IP addresses involved in the spam operation. About half of those machines were only sending spam and the remainder were acting as HTTP servers, hosting the exploits and binaries used to infect new machines, and as SMTP servers for relaying spam. A month later, the total number of unique IP addresses was around 6,000, and only about 25% of them overlapped with the previous month's.
And, Brandon Enright, a member of the network operations group at the University of California at San Diego, said in a presentation at ToorCon over the weekend that a crawler he built specifically to track Storm activity saw a peak of about 200,000 active peers on the botnet in July. So while the Storm family obviously is still quite active in its efforts to infect new machines, the scope of the network of compromised machines is considerably less scary than it might seem.
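To make concrete why a per-day count of unique IPs (Symantec's method above) comes out far below the "total infected" figures, here is a small added Python example that is not part of either Symantec's or UCSD's work: it runs over a constructed spam-sinkhole log, counts the IPs active in a 24-hour window, splits them into spam-only relays versus hosts that also serve HTTP, measures the overlap between two windows (the churn the article describes), and compares that with the cumulative footprint. The log lines, addresses and field layout are all invented for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): "timestamp source-IP role", where role is
# what the sinkhole saw the host doing: smtp = relaying spam, http = hosting payloads.
SAMPLE_LOG = """\
2007-08-14T00:12:03 203.0.113.10 smtp
2007-08-14T03:40:19 203.0.113.11 http
2007-08-14T09:05:44 198.51.100.7 smtp
2007-08-14T22:58:01 203.0.113.10 http
2007-09-13T01:15:30 203.0.113.10 smtp
2007-09-13T11:42:12 192.0.2.44 smtp
2007-09-13T17:03:55 192.0.2.45 http
2007-09-13T23:59:59 198.51.100.8 smtp
"""

def parse_log(text):
    """Turn the raw log into (datetime, ip, role) tuples."""
    return [(datetime.fromisoformat(ts), ip, role)
            for ts, ip, role in (line.split() for line in text.splitlines())]

def in_window(events, start_iso, hours=24):
    """Events whose timestamp falls in [start, start + hours)."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(hours=hours)
    return [e for e in events if start <= e[0] < end]

def active_ips(events, start_iso, hours=24):
    """Unique IPs seen in one window: the 'active at any one time' figure."""
    return {ip for _, ip, _ in in_window(events, start_iso, hours)}

def role_breakdown(events, start_iso, hours=24):
    """Split a window's IPs into spam-only relays and hosts that also serve HTTP."""
    roles = defaultdict(set)
    for _, ip, role in in_window(events, start_iso, hours):
        roles[ip].add(role)
    spam_only = sum(1 for r in roles.values() if r == {"smtp"})
    return {"spam_only": spam_only, "hosting": len(roles) - spam_only}

def overlap_fraction(earlier, later):
    """Share of the later window's IPs already seen in the earlier one (low = high churn)."""
    return len(earlier & later) / len(later) if later else 0.0

def total_footprint(events):
    """Every IP ever seen: the cumulative infected count, which exceeds any single window."""
    return len({ip for _, ip, _ in events})

EVENTS = parse_log(SAMPLE_LOG)
```

On the constructed data the two windows contain 3 and 4 active IPs with a 25% overlap, while the cumulative footprint is 6: the same pattern that makes snapshot counts and lifetime infection counts diverge.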
However, the economies of scale on the Internet these days can magnify the power and efficiency of botnets even one-tenth the size of Storm's. Ubiquitous broadband connections and powerful PCs mean that a malware author doesn't necessarily need a botnet of several million—or even several hundred thousand—machines in order to make a tidy living sending spam or selling processing power to attackers. In fact, huge networks can be a detriment to criminals looking to evade detection. No need to attract attention with a massive botnet when a much smaller one will do the job just fine, thank you.
Storm's creator has modified and updated the software a number of times this year, and experts expect that to continue. At least for now, they say, there is no end in sight to Storm's reign.