By Sharon Gaudin
September 6, 2007
The Storm worm botnet has grown so massive and far-reaching that it
easily overpowers the world's top supercomputers.
That's the latest word from security researchers who are tracking the
burgeoning network of Microsoft (MSFT) Windows machines that have been
compromised by the virulent Storm worm, which has pounded the Internet
non-stop for the past three months. Despite the wide ranging estimates
as to the size of the botnet, researchers tend to agree that it's one of
the largest zombie grids they've ever seen -- one capable of doing great
"In terms of power, [the botnet] utterly blows the supercomputers away,"
said Matt Sergeant, chief anti-spam technologist with MessageLabs, in an
interview. "If you add up all 500 of the top supercomputers, it blows
them all away with just 2 million of its machines. It's very frightening
that criminals have access to that much computing power, but there's not
much we can do about it."
Sergeant said researchers at MessageLabs see about 2 million different
computers in the botnet sending out spam on any given day, and he adds
that he estimates the botnet generally is operating at about 10% of
capacity. "We've seen spikes where the owner is experimenting with
something and those spikes are usually five to 10 times what we normally
see," he said, noting he suspects the botnet could be as large as 50
million computers. "That means they can turn on the taps whenever they
No one could provide detailed and specific comparisons between the
strength of the botnet and the top supercomputers, mainly because it is
hard to know for sure the size of the botnet or the power of each
computer that is part of the botnet.
Adam Swidler, a senior manager with security company Postini, told
InformationWeek that while he thinks the botnet is in the 1 million to 2
million range, he still thinks it can easily overpower a major
supercomputer. "If you calculate pure theoretical throughput, then I'm
sure the botnet has more capacity than [IBM(IBM)'s] BlueGene. If you sat
them down to play chess, the botnet would win."
Since the botnet won't be entered in any supercomputer competition, what
does this mean for the IT or security manager trying to protect a
It means the cyber criminals who control the botnet have a tremendous
amount of destructive power at their fingertips. Early this summer, the
Baltic nation of Estonia was pounded in a cyberwar that saw distributed
denial-of-service attack primarily targeting the Estonian government,
banking, media, and police sites. To protect its network, the country
had to shut down key computer systems, and targeted sites were
inaccessible outside the country for extended periods.
Swidler said he has no doubt if the Storm worm bosses focused a
denial-of-service (DoS) attack on a company, Internet service provider,
or government agency inside the United States, it could do a great deal
of damage. "I think there's no question they could damage any single
company, whether through a DoS attack or a spam barrage," he added. "I'd
be less worried about a Yahoo (YHOO) or a Bank of America than the
thousands of mid-sized banks that aren't as well protected. But
undoubtedly, this could do a great deal of damage."
Swidler said there's always the background thought that an enemy of a
country could basically rent the botnet and launch a DoS attack,
shutting down government agencies, utilities or financial centers. "It's
a lot of computing power that could be focused to do a lot of damage,"
he added. "It's grid computing gone bad."
Last month, Ren-Isac, a collaboration of higher-education security
researchers, sent out a warning that the Storm worm authors had another
trick up their sleeves. The botnet actually is attacking computers that
are trying to weed it out. It's set up to launch a distributed
denial-of-service attack against any computer that is scanning a network
for vulnerabilities or malware. The warning noted that researchers have
seen "numerous" Storm-related DoS attacks recently.
MessageLabs' Sergeant said the botnet also has been launching DoS
attacks against anti-spam organizations and even individual researchers
who have been investigating it.
"If a researcher is repeatedly trying to pull down the malware to
examine it the botnet knows you're a researcher and launches an attack
against you," he said.
Lawrence Baldwin, chief forensic officer of MyNetWatchman.com, said he
doesn't have a handle on how big the overall botnet has become but he's
calculated that 5,000 to 6,000 computers are being used just to host the
malicious Web sites that the Storm worm spam e-mails are linking users
to. And he added that while the now-well-known e-cards and fake news
spam is being used to build up the already massive botnet, the authors
are using pump-and-dump scams to make money.
"That's pretty scary," he said. "Cumulatively, Storm is sending billions
of messages a day. It could be double digits in the billions, easily."
Swidler said that since mid-July, Postini researchers have recorded 1.2
billion e-mails that have been spit out by the botnet. A record was set
on Aug. 22 when 57 million virus-infected messages -- 99% of them from
the Storm worm -- were tracked crossing the Internet.
According to researchers at SecureWorks, the botnet sent out 6,927
e-mails in June to the company's 1,800 customers. In July, that number
ballooned to 20,193,134. Since Aug. 8, they've counted 10,218,196.
Visit the InfoSec News Bookstore