Storm Worm Botnet More Powerful Than Top Supercomputers

The Storm worm botnet has grown so massive and far-reaching that it easily overpowers the world's top supercomputers.

That's the latest word from security researchers who are tracking the burgeoning network of Microsoft Windows machines that have been compromised by the virulent Storm worm, which has pounded the Internet non-stop for the past three months. Despite the wide ranging estimates as to the size of the botnet, researchers tend to agree that it's one of the largest zombie grids they've ever seen -- one capable of doing great damage.

"In terms of power, [the botnet] utterly blows the supercomputers away," said Matt Sergeant, chief anti-spam technologist with MessageLabs, in an interview. "If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it."

Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10% of capacity. "We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see," he said, noting he suspects the botnet could be as large as 50 million computers. "That means they can turn on the taps whenever they want to."

No one could provide detailed and specific comparisons between the strength of the botnet and the top supercomputers, mainly because it is hard to know for sure the size of the botnet or the power of each computer that is part of the botnet.

Adam Swidler, a senior manager with security company Postini, told InformationWeek that while he thinks the botnet is in the 1 million to 2 million range, he still thinks it can easily overpower a major supercomputer. "If you calculate pure theoretical throughput, then I'm sure the botnet has more capacity than [IBM's] BlueGene. If you sat them down to play chess, the botnet would win."

Since the botnet won't be entered in any supercomputer competition, what does this mean for the IT or security manager trying to protect a company?

It means the cyber criminals who control the botnet have a tremendous amount of destructive power at their fingertips. Early this summer, the Baltic nation of Estonia was pounded in a cyberwar that saw distributed denial-of-service attack primarily targeting the Estonian government, banking, media, and police sites. To protect its network, the country had to shut down key computer systems, and targeted sites were inaccessible outside the country for extended periods.

Swidler said he has no doubt if the Storm worm bosses focused a denial-of-service (DoS) attack on a company, Internet service provider, or government agency inside the United States, it could do a great deal of damage. "I think there's no question they could damage any single company, whether through a DoS attack or a spam barrage," he added. "I'd be less worried about a Yahoo or a Bank of America than the thousands of mid-sized banks that aren't as well protected. But undoubtedly, this could do a great deal of damage." Swidler said there's always the background thought that an enemy of a country could basically rent the botnet and launch a DoS attack, shutting down government agencies, utilities or financial centers. "It's a lot of computing power that could be focused to do a lot of damage," he added. "It's grid computing gone bad."

Last month, Ren-Isac, a collaboration of higher-education security researchers, sent out a warning that the Storm worm authors had another trick up their sleeves. The botnet actually is attacking computers that are trying to weed it out. It's set up to launch a distributed denial-of-service attack against any computer that is scanning a network for vulnerabilities or malware. The warning noted that researchers have seen "numerous" Storm-related DoS attacks recently.

MessageLabs' Sergeant said the botnet also has been launching DoS attacks against anti-spam organizations and even individual researchers who have been investigating it.

"If a researcher is repeatedly trying to pull down the malware to examine it the botnet knows you're a researcher and launches an attack against you," he said.

Lawrence Baldwin, chief forensic officer of MyNetWatchman.com, said he doesn't have a handle on how big the overall botnet has become but he's calculated that 5,000 to 6,000 computers are being used just to host the malicious Web sites that the Storm worm spam e-mails are linking users to. And he added that while the now-well-known e-cards and fake news spam is being used to build up the already massive botnet, the authors are using pump-and-dump scams to make money.

"That's pretty scary," he said. "Cumulatively, Storm is sending billions of messages a day. It could be double digits in the billions, easily."

Swidler said that since mid-July, Postini researchers have recorded 1.2 billion e-mails that have been spit out by the botnet. A record was set on Aug. 22 when 57 million virus-infected messages -- 99% of them from the Storm worm -- were tracked crossing the Internet.

According to researchers at SecureWorks, the botnet sent out 6,927 e-mails in June to the company's 1,800 customers. In July, that number ballooned to 20,193,134. Since Aug. 8, they've counted 10,218,196.