The scope of the Storm botnet, made up of zombie computers controlled remotely and used to blanket the world in spam, has been estimated to reach from 1 million to 50 million infected systems as of September.
But has it really?
Those numbers have reached epic and steadily growing proportions in the media, but they may well be off. SecureWorks thinks the Storm botnet may comprise between 250,000 and 1 million bots overall—“not a terrible threat,” says Joe Stewart, senior security researcher for SecureWorks.
Microsoft’s Malicious Software Removal Tool recently cleaned it off about 300,000 hosts—a number that would be far greater if the botnet really consisted of 50 million bots, Stewart says.
As for why the numbers have been pumped so high, he suggested that some researchers may be counting the total number of peers talking on the Overnet P2P protocol. That figure, however, would not distinguish systems compromised by Storm from ordinary Overnet peers talking to each other.
“Overnet is not just Storm; it’s all these other clients. They could be counting the entire P2P network,” he said.
For those who like to keep track of what worms or virus families are at the top of the risk list, Microsoft ran some numbers for me on the morning of Oct. 16 PST, based on MSRT telemetry from the October release. The current ranking:
1. Win32/Zlob
2. Win32/Renos
3. Win32/RJump
4. Win32/Rbot
5. Win32/Brontok
6. Win32/Jeefo
7. Win32/Hupigon
8. Win32/Virut
9. Win32/Banker
The Storm virus rate has dropped from No. 3 on the list to No. 10, right below all the worms listed above.
Here’s why:
“Storm has dropped on the list because during the first month after the MSRT is updated to remove new malware variants, the MSRT will clean all the available machines that have been infected in the past by this malware. In subsequent months, the MSRT will clean up the machines that are re-infected as well as those that are running MSRT for the first time,” a Microsoft spokesperson said in an e-mail.