FAQ: Storm worm

Network World - What type of malware is it? That answer depends on who you ask, as it has been labeled a number of different types of malware.

Storm is often referred to as a worm, although many point out that it doesn't truly fit the definition, which is a piece of malware that self-propagates by spreading itself around a network of attached computers. Others say Storm is indeed a worm because once it infiltrates a PC it can access the e-mail client's address book and send spam to those addresses that point to a server that downloads more Storm.

Still others say Storm is a Trojan Horse, malware that looks like one thing but actually is another. When a Storm spam recipient clicks on the link embedded in the e-mail message, often they are instructed to click again once they arrive at the Web site to download some software. Instead, they become infected with Storm.

The most important thing about Storm, and the point on which everyone seems to agree, is that it creates botnets. Once a PC visits an infected Web site and Storm is downloaded, the PC is considered compromised, which means it can be controlled by someone else without the user knowing it. Together these compromised PCs create botnets that can be used to covertly send spam, launch distributed denial-of-service attacks, or host Web sites that download more malware.

What is the scope of Storm; how many spam messages has it been behind, and how many computers has it infected? Most experts say there's no way to know how many recipients of Storm spam clicked through and became infected, and therefore the actual size of the Storm botnet is unknown. (However antivirus company F-Secure believes the botnet is at least 1 million PCs strong). One way to get a sense of Storm's scope is to look at the amount of spam associated with it. E-mail security vendors that trap unwanted messages in their spam filters have offered some statistics on the amount of Storm spam sent out during a given blast.

For example, in August the amount of spam sent that asked the recipient to confirm their account with a spoofed organization grew from 18 percent of all spam messages on Aug. 21 to 35 percent of all spam sent on Aug. 22. Not only does that mean there was a high concentration of e-mail messages with links to Storm-infested sites in circulation at that time, but it's likely that the many of the PCs sending out those spam messages were part of the Storm botnet.

What other names does Storm go by? Different antivirus vendors tend to give one piece of malware different names. Although Storm is the most popular name for this malware, it's also been referred to ask Downloader-BAI, Troj/Dorf-Fam, Trojan-Downloader.Win32.Small.dam, Trojan.DL.Tibs.Gen!Pac13, Trojan.Downloader-647, Trojan.Peacomm, TROJ_SMALL.EDW, Win32/Nuwar, Win32/Nuwar.N@MM!CME-711, W32/Zhelatin, Trojan.Peed, and Trojan.Tibs.