October 20th, 2007
The Calm Before The Storm
In a world where the media tries to scare us at every opportunity, I’m really quite surprised there isn’t more discussion about the new plague that is slowly infecting millions of Windows computers around the world.
It started earlier this year, quietly at first. The worm would find its way to a person’s inbox with a subject line of “230 dead as storm battles Europe”. Anyone opening the email and its attachment would instantly add their computer to an ever-growing botnet, without any knowledge of the fact. I’ve received this email twice in the last few months, but never once have I opened the message, as it was from someone I’d never heard of.
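The lure described above (a news-style subject line plus an attachment the reader is expected to open) is exactly the kind of thing a mail gateway can screen for before the message reaches an inbox. The following is an added example, not code from the original post: it parses sample MIME messages constructed inline with the stdlib `email` module and quarantines any message whose subject matches the Storm lure quoted in the post and that also carries an executable attachment. The attachment name `Full Story.exe`, the sender addresses and the verdict names are assumptions made for the example.

```python
"""Added example: a mail-gateway heuristic for the Storm e-mail lure.

Messages are classified as "quarantine" (lure subject AND executable
attachment), "review" (only one of the two) or "deliver" (neither).
All sample messages below are constructed for this example.
"""
import pathlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject line quoted in the post; matched case-insensitively and with any
# casualty count, since the number is the part most likely to be varied.
LURE_SUBJECT_PATTERNS = [
    re.compile(r"^\s*\d+ dead as storm battles europe\s*$", re.IGNORECASE),
]

# File extensions that Windows executes directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_message(sender, subject, body, attachment=None):
    """Construct a raw RFC 5322 message (bytes) for the examples below."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = "user@example.net"  # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def is_lure_subject(subject):
    """True if the subject matches a known lure pattern."""
    return any(p.match(subject) for p in LURE_SUBJECT_PATTERNS)


def executable_attachments(msg):
    """Return the filenames of attachments with an executable extension."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if pathlib.PurePosixPath(name).suffix.lower() in EXECUTABLE_EXTS:
            found.append(name)
    return found


def classify(raw):
    """Parse a raw message and return (verdict, reasons)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    if is_lure_subject(str(msg.get("Subject", ""))):
        reasons.append("subject matches known Storm lure")
    execs = executable_attachments(msg)
    if execs:
        reasons.append("executable attachment: " + ", ".join(execs))
    if len(reasons) == 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return verdict, reasons


# Constructed sample messages (sender addresses and attachment names are
# invented for the example; only the lure subject comes from the post).
SAMPLES = {
    "lure": build_message(
        "stranger@example.org", "230 dead as storm battles Europe",
        "Full story in the attachment.",
        attachment=("Full Story.exe", b"MZ\x90\x00" + b"\x00" * 60)),
    "subject_only": build_message(
        "stranger@example.org", "230 dead as storm battles Europe",
        "Read more at the usual place."),
    "benign": build_message(
        "colleague@example.com", "Agenda for Monday",
        "Agenda attached.",
        attachment=("agenda.txt", b"1. Budget\n2. Hiring\n")),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, reasons = classify(raw)
        print(f"{label:13s} -> {verdict:10s} {'; '.join(reasons)}")
```

The two signals are deliberately combined: a subject match alone is weak (the same headline may appear in a legitimate newsletter), and an executable attachment alone is common enough in 2007-era corporate mail to warrant review rather than an automatic drop, but the pair together is a strong indicator worth quarantining.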
The threat this worm represents to our security and wellbeing may not be quite as dramatic as those seen on CNN or Al Jazeera, but it has the potential to cause much more damage than the existing weapons employed by global terrorists. But this isn’t the scariest part of all. Not by a long-shot. This little nuisance has been online since January and, despite all the incredibly talented people working on the problem, nobody knows how to counter the worm.
Say hello to “Storm”.
Storm has been spreading steadily since the beginning of the year, gradually constructing its huge botnet. It affects only computers running Microsoft Windows, but that means that 90% of the world’s PCs and servers are vulnerable. Nobody knows just how big the botnet has become, but reputable security professionals cite estimates between one and fifty million computers worldwide. As of this writing, the botnet has only been used intermittently, which is a little odd. This means that someone, somewhere is quietly building the world’s most effective doomsday machine, one that can be rented out to the highest bidder or used for purposes we might only get to see in a good Michael Crichton book.
Computer worms are almost as old as computers themselves, which may explain why the mainstream media hasn’t really said much about this growing threat. Previous worms like Sasser and Slammer were written by vandals and designed to spread very quickly. Slammer, for example, had infected about 75,000 computers in ten minutes and therefore attracted lots of attention. The strength of the onslaught made it much easier for the anti-virus firms to detect and destroy the problem.
Storm, though, is a different story altogether. It spreads quietly, without drawing any attention to itself. There are no symptoms for people to identify while using their computers, and an infected PC can remain dormant for a very long time.
Bruce Schneier, a malware expert, thinks that Storm represents the future of malware due to the technical virtuosity of its design. That is to say, the way this worm operates is light-years ahead of anything we’ve seen in viruses and worms before.
Like a beehive, the Storm worm operates with a clear separation of duties. Only a small fraction of infected hosts spread the worm, while a much smaller fraction command and control the millions of computers in the network. The rest are dormant and awaiting orders. By working in this fashion Storm can resist most attacks because, even if some of the command and control servers are discovered and taken offline, the botnet is still mostly intact and other dormant machines can be given the role of replacing the offline servers.
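The resilience claim above is the part defenders most need to understand, because it explains why taking a handful of command servers offline does not shrink the botnet much. The following is an added example, not code from the original post, and it is an abstract model rather than a description of Storm’s real protocol: every bot knows a small list of controllers, a takedown wave removes some controllers, a bot whose entire list is dead is orphaned (it can no longer be commanded), and, when promotion is enabled, surviving controllers promote dormant bots to replace the lost ones and every still-reachable bot refreshes its list. The node counts, list size and seed are assumptions chosen for the example.

```python
"""Added example: how a role-based botnet survives controller takedowns.

Abstract model (not Storm's actual protocol). Returns the fraction of bots
that can still receive commands after a number of takedown waves, with or
without promotion of dormant bots to replace lost controllers.
"""
import random


def simulate_takedown(n_bots=10_000, n_controllers=100, peer_list_size=5,
                      removed_per_wave=50, waves=2, promote=True, seed=7):
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    live_controllers = set(range(n_controllers))
    # Bots are numbered after the controllers; each knows a few controllers.
    bots = list(range(n_controllers, n_controllers + n_bots))
    pool = sorted(live_controllers)
    peers = {b: set(rng.sample(pool, peer_list_size)) for b in bots}
    orphaned = set()

    for _ in range(waves):
        # Takedown: a random subset of live controllers goes offline.
        n_remove = min(removed_per_wave, len(live_controllers))
        victims = set(rng.sample(sorted(live_controllers), n_remove))
        live_controllers -= victims

        # A bot with no live controller left in its list is cut off for good.
        for b in bots:
            if b not in orphaned and not (peers[b] & live_controllers):
                orphaned.add(b)

        if promote and live_controllers:
            # Surviving controllers promote reachable dormant bots to replace
            # the victims, and every reachable bot learns the new roster.
            candidates = [b for b in bots
                          if b not in orphaned and b not in live_controllers]
            promoted = rng.sample(candidates, min(len(victims), len(candidates)))
            live_controllers |= set(promoted)
            pool = sorted(live_controllers)
            k = min(peer_list_size, len(pool))
            for b in bots:
                if b not in orphaned:
                    peers[b] = set(rng.sample(pool, k))

    return 1 - len(orphaned) / n_bots


if __name__ == "__main__":
    for waves in (1, 2, 3):
        with_promo = simulate_takedown(waves=waves, promote=True)
        without = simulate_takedown(waves=waves, promote=False)
        print(f"{waves} wave(s): reachable with promotion {with_promo:.1%}, "
              f"without {without:.1%}")
```

With 100 controllers, a list size of 5 and 50 controllers removed per wave, a single wave orphans only about (1/2)^5, roughly 3% of bots, in both modes. Without promotion the second wave removes the remaining controllers and every bot is cut off; with promotion each further wave again costs only a few percent, which is the behaviour the post describes. The practical lesson for takedown planning is that the number of controllers removed matters less than removing them faster than the network can re-seed itself.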
What’s more, Storm doesn’t have any noticeable effects on the infected computers. Like a parasite, it needs the infected computer to appear healthy for its own survival. This makes it even harder to detect, because system administrators and other power users will not notice any abnormal behaviour most of the time. When they do, they’ll just restart their machine and think it was a “Windows problem.”
Storm started by propagating through infected PDFs, then emails, YouTube invites and those insufferable e-greeting cards. It’s now being seen in some blog comments, where the commenter’s homepage is actually an infected website. I haven’t seen one of these myself, but I hope the infected sites are .info so that nobody is tempted to click. The last thing the blogosphere needs right now is a reason for people to *not* click backlinks. Heck, we just recently won the “No-Follow” battle with some of the blogging platforms … something like this could be detrimental to the whole purpose of leaving a website
For the moment, nobody knows who’s behind this bit of code. To date, the controllers of this botnet have used it for relatively trivial purposes such as simple DoS (Denial of Service) attacks against certain sites, but who knows when this will morph into something far more devastating. Experts believe the owners are simply biding their time, waiting for a critical mass point where they will have the resources to effectively take a country off the internet if they so chose. It wouldn’t take much, either. If 50 million naive Windows users have unknowingly added their computers to the botnet after 10 months, another 50 million wouldn’t be far away.
Perhaps we should enjoy the internet while we can. Who knows what damage a perfect storm in cyberspace will bring.
Interesting… glad I have a Mac.
Bruce Schneier is a writer for one of our publications…
Small world…
If you ever tire of Mac, you might enjoy some Linux