Information Warfare: Overestimating Storm


April 23, 2008: Computer security researchers had an "oops!" moment recently when they realized that their monitoring and investigative tools had led them to overestimate the size of the Storm botnet. Last year, it was believed that the Storm botnet was the largest botnet ever seen. Because of that, it was believed that the Storm network was capable of shutting down any military or commercial site on the planet, or of doing major damage in ways that had not yet been experienced. There was the impression that there had never been anything quite like Storm. But it turned out that Storm was only about a tenth of its estimated size. That is, 200,000-400,000 zombie PCs. Still pretty formidable. There are other botherds out there with 400,000 or more PCs, and they are all built in a similar fashion to Storm. That's the scary part. Yes, Storm was not as big as originally believed, but it turns out that there are a dozen or more Storms in the wild.
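The article does not say which measurement error inflated the Storm estimates, but one well-known way a monitoring tool overcounts a botnet is by treating every distinct IP address it ever sees as a separate infected machine, when the same bot reappears under new addresses as ISPs reassign them. The following added simulation (written for this page, not code from the researchers or from StrategyPage) makes that gap visible. It assumes a fixed population of bots behind address churn; the population size, churn rate, window length and address pool are constructed values, not Storm measurements.

```python
"""Added illustration: cumulative unique-IP counting versus a same-day
peak count, over a constructed bot population with address churn."""
import random
from collections import defaultdict


def simulate_sightings(n_bots, days, churn_prob, seed=1):
    """Return (day, bot_id, ip) sightings for a constructed population.

    Each bot keeps yesterday's address with probability 1 - churn_prob,
    otherwise it is assigned a fresh one. The address pool is 2**32 so
    accidental reuse of an address by two different bots is negligible.
    """
    rng = random.Random(seed)
    addr = {b: rng.randrange(1 << 32) for b in range(n_bots)}
    sightings = []
    for day in range(days):
        for b in range(n_bots):
            if day > 0 and rng.random() < churn_prob:
                addr[b] = rng.randrange(1 << 32)   # DHCP-style reassignment
            sightings.append((day, b, addr[b]))
    return sightings


def footprint_estimate(sightings):
    """Every distinct address seen over the whole window, counted once.

    This is what a naive sensor log reports and it grows with the length
    of the observation window, not with the number of bots.
    """
    return len({ip for _, _, ip in sightings})


def live_population_estimate(sightings):
    """Largest number of distinct addresses seen on any single day.

    Churn within one day is rare, so this tracks the number of machines
    that are actually active at once.
    """
    per_day = defaultdict(set)
    for day, _, ip in sightings:
        per_day[day].add(ip)
    return max(len(s) for s in per_day.values())


def true_size(sightings):
    """Ground truth, available only because we built the population."""
    return len({b for _, b, _ in sightings})


def compare(n_bots=1000, days=30, churn_prob=0.3, seed=1):
    """Run the three estimators on one constructed population."""
    s = simulate_sightings(n_bots, days, churn_prob, seed)
    return {
        "footprint": footprint_estimate(s),
        "live_peak": live_population_estimate(s),
        "true": true_size(s),
    }


if __name__ == "__main__":
    result = compare()
    print(result)
    print("inflation factor: %.1fx" % (result["footprint"] / result["true"]))
```

With the default constructed parameters (1,000 bots, 30 days, 30% daily churn) the cumulative address count comes out near 9,700, an order of magnitude above the real population, while the same-day peak stays at or just under 1,000. Botnet measurement work usually keeps these two figures apart as the botnet's footprint (everything ever infected) versus its live population (what is online now); a headline figure that silently reports the footprint is the kind of overestimate the article describes.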

The Storm computer virus had been spreading since early last year, grabbing control of PCs around the world. Storm was believed to have infected millions of computers with a secret program that turned those PCs into unwilling slaves (or "zombies") of those controlling this network (or botnet) of computers. Many of you may have noticed spam directing you to look at an online greeting card, or accompanied by PDF files, or directing you to a site with pictures of a huge storm that hit Europe a year ago (thus the name). That was Storm. When you try to look at the PDF file, Storm secretly takes over your computer. But Storm tries very hard to hide itself. All it wants to do is use your Internet connection to send spam, or other types of malicious data.

What makes Storm the perfect Internet weapon is how it has been designed to survive. The Storm zombie does no damage to the PCs it infects, and simply sits there, waiting for an order. Those orders come via a peer-to-peer system (similar to things like Kazaa or BitTorrent). A small percentage of the zombies spend short periods of time trying to spread themselves, then turn off. This makes it more difficult to locate infected PCs. Commands from the Storm operators are sent through several layers of zombie PCs, again making it very difficult to identify where those commands come from. Moreover, Storm operates as a horde of clusters, each of two or three dozen zombie PCs. No existing methods can shut down Storm, although computer security organizations have been able to limit the spread. In fact, all that will work to kill Storm is to find the people running it, arrest them, and seize their access data. The programmers who put Storm together know their stuff, and police in dozens of countries have cooperated to try to get their hands on them. The Storm owners were traced to Russia, but the government blocked efforts to shut down the hacker operation.
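The claim that no existing method can shut Storm down follows from the command channel having no single point to remove. The added experiment below (written for this page, not code from Storm's authors or from any takedown team) makes the contrast concrete: it builds two constructed bot networks of equal size, one with a single command server and one where bots relay commands to random peers, applies the same defender response to each (removing the most-connected nodes), and measures how many surviving bots can still hear a command. The network size, links per bot, number of nodes removed and number of command injection points are arbitrary choices for the illustration, not measurements of Storm.

```python
"""Added illustration: reachability of commands after removing the
most-connected nodes from a centralized versus a peer-to-peer botnet."""
import random
from collections import deque


def build_centralized(n):
    """Star topology: every bot talks only to node 0, the command server."""
    adj = {i: set() for i in range(n)}
    for i in range(1, n):
        adj[0].add(i)
        adj[i].add(0)
    return adj


def build_p2p(n, links_per_bot, seed=1):
    """Random peer graph: each bot opens links to `links_per_bot` peers.

    Links are undirected, so a bot's degree is at least links_per_bot.
    """
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        others = [k for k in range(n) if k != i]
        for j in rng.sample(others, links_per_bot):
            adj[i].add(j)
            adj[j].add(i)
    return adj


def highest_degree_nodes(adj, k):
    """The k best-connected nodes: the natural targets for a takedown."""
    return sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]


def remove_nodes(adj, victims):
    """Return a copy of the graph with the victims and their links gone."""
    victims = set(victims)
    return {v: nbrs - victims for v, nbrs in adj.items() if v not in victims}


def reachable_fraction(adj, seeds):
    """Share of surviving bots that can receive a command.

    A command is injected at the seed nodes and flooded peer to peer, so
    a bot is reached if it is connected to any surviving seed.
    """
    live_seeds = [s for s in seeds if s in adj]
    seen = set(live_seeds)
    queue = deque(live_seeds)
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in seen:
                seen.add(w)
                queue.append(w)
    return len(seen) / len(adj) if adj else 0.0


def takedown_experiment(n=1000, links_per_bot=4, removed=50, n_seeds=5, seed=1):
    """Apply the same node-removal response to both topologies."""
    rng = random.Random(seed)
    p2p_seeds = rng.sample(range(n), n_seeds)   # operator injection points
    results = {}
    for name, adj, seeds in (
        ("centralized", build_centralized(n), [0]),
        ("p2p", build_p2p(n, links_per_bot, seed), p2p_seeds),
    ):
        pruned = remove_nodes(adj, highest_degree_nodes(adj, removed))
        results[name] = reachable_fraction(pruned, seeds)
    return results


if __name__ == "__main__":
    for name, frac in takedown_experiment().items():
        print("%-12s bots still reachable after takedown: %.1f%%" % (name, 100 * frac))
```

Removing fifty nodes from the star network always catches the one that matters, so command reach drops to zero; removing the fifty best-connected peers from the random peer graph leaves essentially every surviving bot reachable, because there is no node whose loss partitions the graph. That asymmetry is why the article concludes that only reaching the operators, rather than any set of infected machines, ends a botnet built this way.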

Criminal gangs are increasingly active in producing things like Storm, and, in the case of China, so are government Cyber War operations. Russia is also believed to rely on criminal hackers for help in carrying out Cyber War tasks, usually espionage. Meanwhile, it's clear what Storm is up to. It has been launching attacks at web sites involved in stopping or investigating Storm. This involves transmitting huge quantities of bogus messages that shut down targeted web sites (this is a DDOS, or distributed denial of service, attack). The Storm botherders are also advertising their botnet as available for the usual illegal activities (various types of spam).

Early on, it was believed that Storm was owned by a Russian criminal syndicate, but once more detailed proof was available, the Russian government refused to cooperate, treating Storm like some kind of secret military resource. And to the Russians, that's apparently what Storm is. Meanwhile, the investigation indicates that the Storm crew has some American members, and now the search is on for them, or for any other non-Russians who worked on Storm and are not inside Russia.
