[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Storm Worm Botnet More Powerful Than Top Supercomputers


By Sharon Gaudin
September 6, 2007

The Storm worm botnet has grown so massive and far-reaching that it 
easily overpowers the world's top supercomputers.

That's the latest word from security researchers who are tracking the 
burgeoning network of Microsoft (MSFT) Windows machines that have been 
compromised by the virulent Storm worm, which has pounded the Internet 
non-stop for the past three months. Despite the wide ranging estimates 
as to the size of the botnet, researchers tend to agree that it's one of 
the largest zombie grids they've ever seen -- one capable of doing great 

"In terms of power, [the botnet] utterly blows the supercomputers away," 
said Matt Sergeant, chief anti-spam technologist with MessageLabs, in an 
interview. "If you add up all 500 of the top supercomputers, it blows 
them all away with just 2 million of its machines. It's very frightening 
that criminals have access to that much computing power, but there's not 
much we can do about it."

Sergeant said researchers at MessageLabs see about 2 million different 
computers in the botnet sending out spam on any given day, and he adds 
that he estimates the botnet generally is operating at about 10% of 
capacity. "We've seen spikes where the owner is experimenting with 
something and those spikes are usually five to 10 times what we normally 
see," he said, noting he suspects the botnet could be as large as 50 
million computers. "That means they can turn on the taps whenever they 
want to."

No one could provide detailed and specific comparisons between the 
strength of the botnet and the top supercomputers, mainly because it is 
hard to know for sure the size of the botnet or the power of each 
computer that is part of the botnet.

Adam Swidler, a senior manager with security company Postini, told 
InformationWeek that while he thinks the botnet is in the 1 million to 2 
million range, he still thinks it can easily overpower a major 
supercomputer. "If you calculate pure theoretical throughput, then I'm 
sure the botnet has more capacity than [IBM(IBM)'s] BlueGene. If you sat 
them down to play chess, the botnet would win."

Since the botnet won't be entered in any supercomputer competition, what 
does this mean for the IT or security manager trying to protect a 

It means the cyber criminals who control the botnet have a tremendous 
amount of destructive power at their fingertips. Early this summer, the 
Baltic nation of Estonia was pounded in a cyberwar that saw distributed 
denial-of-service attack primarily targeting the Estonian government, 
banking, media, and police sites. To protect its network, the country 
had to shut down key computer systems, and targeted sites were 
inaccessible outside the country for extended periods.

Swidler said he has no doubt if the Storm worm bosses focused a 
denial-of-service (DoS) attack on a company, Internet service provider, 
or government agency inside the United States, it could do a great deal 
of damage. "I think there's no question they could damage any single 
company, whether through a DoS attack or a spam barrage," he added. "I'd 
be less worried about a Yahoo (YHOO) or a Bank of America than the 
thousands of mid-sized banks that aren't as well protected. But 
undoubtedly, this could do a great deal of damage."

Swidler said there's always the background thought that an enemy of a 
country could basically rent the botnet and launch a DoS attack, 
shutting down government agencies, utilities or financial centers. "It's 
a lot of computing power that could be focused to do a lot of damage," 
he added. "It's grid computing gone bad."

Last month, Ren-Isac, a collaboration of higher-education security 
researchers, sent out a warning that the Storm worm authors had another 
trick up their sleeves. The botnet actually is attacking computers that 
are trying to weed it out. It's set up to launch a distributed 
denial-of-service attack against any computer that is scanning a network 
for vulnerabilities or malware. The warning noted that researchers have 
seen "numerous" Storm-related DoS attacks recently.

MessageLabs' Sergeant said the botnet also has been launching DoS 
attacks against anti-spam organizations and even individual researchers 
who have been investigating it.

"If a researcher is repeatedly trying to pull down the malware to 
examine it the botnet knows you're a researcher and launches an attack 
against you," he said.

Lawrence Baldwin, chief forensic officer of MyNetWatchman.com, said he 
doesn't have a handle on how big the overall botnet has become but he's 
calculated that 5,000 to 6,000 computers are being used just to host the 
malicious Web sites that the Storm worm spam e-mails are linking users 
to. And he added that while the now-well-known e-cards and fake news 
spam is being used to build up the already massive botnet, the authors 
are using pump-and-dump scams to make money.

"That's pretty scary," he said. "Cumulatively, Storm is sending billions 
of messages a day. It could be double digits in the billions, easily."

Swidler said that since mid-July, Postini researchers have recorded 1.2 
billion e-mails that have been spit out by the botnet. A record was set 
on Aug. 22 when 57 million virus-infected messages -- 99% of them from 
the Storm worm -- were tracked crossing the Internet.

According to researchers at SecureWorks, the botnet sent out 6,927 
e-mails in June to the company's 1,800 customers. In July, that number 
ballooned to 20,193,134. Since Aug. 8, they've counted 10,218,196.

Visit the InfoSec News Bookstore