News Stay informed about the latest enterprise technology news and product updates.

Experts predict Storm Trojan's reign to continue

While estimates of its size and scope vary, security researchers say the Storm Trojan's grip is here to stay.

The family of malware variously known as Storm, Peacomm and Nuwar has proven to be among the more resilient and adaptive malicious programs in recent memory. These traits also have helped it become perhaps the most widespread threat since the glory days of Code Red, Slammer and Nimda.

I have seen a lot of high numbers, but in reality those are probably just the overall number of infected machines, not the active ones at any one time.
Javier Santoyo,
managerSymantec Security Response

Or is it?

Antivirus vendors and security researchers have said the size of the botnet created by Storm is well into the millions of machines, with some estimates going as high as 50 million infected PCs. The size of such covert networks is notoriously hard to pin down thanks to a number of factors, especially the fact that bots join and leave the network constantly. But, despite all of the press attention Storm has gotten, new research into its behavior and scope shows that the number of active Storm bots operating at any one time is significantly less than one million, and probably closer to 200,000.

"I have seen a lot of high numbers, but in reality those are probably just the overall number of infected machines, not the active ones at any one time," said Javier Santoyo, a manager in Symantec Corp.'s Security Response unit, based in Cupertino, Calif. "It's a constantly moving target."

Symantec's research on Storm, which is based on the spam messages that infected PCs send out, shows that in a 24-hour period in August, there were 4,375 unique IP addresses involved in the spam operation. About half of those machines were only sending spam and the remainder were acting as HTTP servers, hosting the exploits and binaries used to infect new machines, and as SMTP servers for relaying spam. A month later, the total number of unique IP addresses was around 6,000, and only about 25% of them overlapped with the previous month's.

Storm Trojan:
Is the Storm worm virus still a serious threat? Today, attackers continue to have success with the Storm worm and its many variations, using the malware to strengthen their nasty botnets. In this Q&A, expert Ed Skoudis explains why these rather run-of-the-mill attacks are still a problem today.

Microsoft Corp. is also looking closely at the malware, and its numbers reveal a non-trivial botnet, but not one that is verging on taking over the Internet. The company in September added detection for Storm, which it calls Nuwar, to its Malicious Software Removal Tool, and by the middle of the month the tool had cleaned Storm components from more than 274,000 infected PCs. Given the installed base of Windows, Microsoft's researchers have a rather broad view of the network's size, and the company said that it had eliminated about 20% of the malware's DDoS capability in one day, according to data an outside researcher gave the company.

And, Brandon Enright, a member of the network operations group at the University of California at San Diego, said in a presentation at ToorCon over the weekend that a crawler he built specifically to track Storm activity saw a peak of about 200,000 active peers on the botnet in July. So while the Storm family obviously is still quite active in its efforts to infect new machines, the scope of the network of compromised machines is considerably less scary than it might seem.

However, the economies of scale on the Internet these days can magnify the power and efficiency of botnets even one-tenth the size of Storm's. Ubiquitous broadband connections and powerful PCs mean that a malware author doesn't necessarily need a botnet of several million—or even several hundred thousand—machines in order to make a tidy living sending spam or selling processing power to attackers. In fact, huge networks can be a detriment to criminals looking to evade detection. No need to attract attention with a massive botnet when a much smaller one will do the job just fine, thank you.

Storm's creator has modified and updated the software a number of times this year, and experts expect that to continue. At least for now, they say, there is no end in sight to Storm's reign.

Dig Deeper on Emerging cyberattacks and threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.