Since early 2007 a new form of malware has made its presence known on the Internet by its prolific growth rate, its ability to distribute large volumes of spam, and its ability to avoid detection and eradication. Storm Worm (or W32.Peacomm, Nuwar, Tibs, Zhelatin), as it is known, is a highly prolific new generation of malware that has gained a significant foothold in unsuspecting Microsoft Windows computers across the Internet. Storm, like all bots, distinguishes itself from other forms of malware (viruses, Trojan horses, worms) by its ability to establish a control channel that allows its infected clients to operate as a coordinated collective, or botnet. However, even among botnets Storm has further distinguished itself by being among the first to introduce a fully P2P control channel, to utilize fast-flux to hide its binary distribution points, and to aggressively defend itself from those who would seek to reverse engineer its logic.

The developers of Storm have retrofitted and improved its codebase over the last year, but its primary mission has remained the prolific propagation of spam (i.e., it is a spambot). While the worm at its peak was deemed responsible for generating 99% of all spam messages seen by a large service provider, a reliable estimate of the Storm botnet’s size is hard to obtain because it uses a P2P communication protocol and there is no comprehensive measurement study to date. The only report that we are aware of is a conservative lower bound by Microsoft of over half a million infected machines, of which it claims to have cleaned up over 267,000 machines infected with Storm. While certain other reports place Storm’s botnet size at 50 million, most security experts consider this number to be unfounded and suspect a reasonable estimate to be between 1 million and 5 million.

CTA Anonymizer - Cyber-TA Overview
