The Storm Botnet is a distributed computer network consisting of computers remotely controlled without their owners' knowledge. Computers in the Storm Botnet are home and small office machines running the Microsoft Windows operating system which have been infected by the Storm worm. Storm got its name because the worm was first spread through spam email with the subject "230 dead as storm batters Europe." Today, the Storm Botnet is considered to be the largest botnet in the world, with as many as 5 million computers under its control. Efforts to combat Storm have been met with targeted resistance, suggesting that artificial intelligence and automated adaptive defense techniques are being utilized.
The Storm worm, termed Nuwar by Microsoft but popularly referred to as Storm, was first identified in January 2007. Within one week of its discovery, the worm had successfully infected over one million personal computers. This success is credited to the ambiguous yet catchy subject lines of the propagation emails, which, like the original "storm" subject, often referred to current news events. When these email messages are opened in an insecure email client such as Outlook or Outlook Express, an executable attachment downloads and installs several malware packages on the host computer. Usually, in addition to a trojan and a worm update, a rootkit is installed on the host computer, thereby masking any evidence of infection. In fact, the Storm rootkit has been shown to disable any anti-virus programs running on the computer while leaving its own executable running. The updated worm then mutates slightly, harvests email addresses from the email client and browser cache, and sends itself to those addresses. Unlike other worms, which have a master computer hard-coded into them, the mutated Storm worm contains only a list of other Storm-infected machines with which it can communicate, not the address of the botnet master. Communication between each Storm node and the master is performed in a P2P fashion, with each machine functioning both as a slave and as a messenger between nodes.
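The propagation vector described above (a news-style lure carrying an executable attachment) is what a mail gateway can stop before an insecure client ever opens it. The following triage rule is an added example, not code from the original article: it uses Python's standard email library, and the two sample messages, the extension list and the MIME types are constructed assumptions.

```python
"""Mail-gateway triage for Storm-style lures: any message carrying an
attachment that Windows would run as native code is quarantined.
Constructed sample messages; assumptions, not data from the article."""
import email
from email import policy

# Assumption: extensions a double-click executes on Windows (tune per site).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
EXEC_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def executable_attachments(msg):
    """Return the names of MIME parts that would execute as native code.
    The last extension decides, so 'Full Story.avi.exe' is still caught."""
    found = []
    for part in msg.walk():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in EXEC_EXTENSIONS or part.get_content_type() in EXEC_MIME_TYPES:
            found.append(name or part.get_content_type())
    return found


def triage(raw_message):
    """Classify one raw RFC 5322 message: ('quarantine', names) or ('deliver', [])."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = executable_attachments(msg)
    return ("quarantine", hits) if hits else ("deliver", [])


# Constructed lure in the style the article describes (placeholder body, no program).
LURE = """\
From: news@example.invalid
Subject: 230 dead as storm batters Europe
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Full story attached.
--b1
Content-Type: application/octet-stream; name="Full Story.exe"
Content-Disposition: attachment; filename="Full Story.exe"

placeholder, not a real program
--b1--
"""

# Constructed benign message on the same topic with a document attachment.
BENIGN = LURE.replace("Full Story.exe", "report.pdf") \
             .replace("application/octet-stream", "application/pdf")

if __name__ == "__main__":
    print(triage(LURE))    # ('quarantine', ['Full Story.exe'])
    print(triage(BENIGN))  # ('deliver', [])
```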
Once a computer is infected with the Storm worm, it becomes part of the Storm Botnet. With 250,000 nodes active at any particular time, the Storm Botnet is estimated to range between 2 million and 5 million computers in total. This provides the network with more RAM, disk space, and computing power than many of the world's most powerful supercomputers. However, Storm's strength lies not in its sheer computing resources but rather in its distributed nature, as the computers comprising the botnet have more available bandwidth than most countries have in their entirety. DDoS attacks originating from even a tenth of the Storm Botnet could shut down many governments and international organizations, such as the United Nations and the Red Cross, which today depend upon the Internet for vital communications. However, as of late 2007 the only DDoS attacks attributed to Storm are those targeted at IP addresses that have been used to probe Storm nodes in malware research.