Storm Drain

Over the past few months, there has been talk about a wave of malware known commonly as “Storm”. “Storm” has been noted to be responsible for Distributed Denial of Service (DDoS) attacks, mass phishing emails, spam, botnets, and all sorts of online malicious activity.

While the name “Storm” was adopted by press, security companies had already adopted a myriad of names for the set of malware that encompasses this attack. Here at Microsoft, we refer to certain components as Win32/Nuwar and others as Win32/Tibs. Other names such as Zhelatin and shorter names associated with brief attacks have also been used, such as e-card or nfltracker. As I noted, there are many different components, each with its own specialized functionality, so over time, many names have been used.

In August, Microsoft’s Malware Protection Center (MMPC), the group of researchers responsible for each month’s additions to the Malicious Software Removal Tool (MSRT), decided to add this family to the September MSRT release based on its prevalence. The MSRT updates are released monthly in conjunction with Microsoft’s security software updates, and are free to the public in an effort to remove prevalent malware from the Windows ecosystem and improve everyone’s ability to enjoy the Internet. With more than 350 million machines around the world that run this program, it requires great care and planning to release each new version.

After much work and testing, we made this month’s MSRT available for download September 11, and now, after one week, we would like to share some of the statistics with you. But before I do, the researcher in me requires that I give you the caveats. First, MSRT is targeted against very specific known malware. It is well known that the “Storm” attacks are engineered by criminals who update their malware frequently. As a result, we are in an endless chase. But that doesn’t mean we shouldn’t try to make things better. Also, once we decide to take on a family in the MSRT, we continue the assault on that family moving forward, so we will keep at it. Because of all the testing that has to be done, we have to freeze our signature additions weeks in advance to make sure we have ample time to do the testing required to release a product as error-free as possible (since even a small percentage of errors will impact thousands or millions of people).


Finally, to the numbers (numbers as of 2PM Tuesday, PDT).

The Renos family of malware has been removed from 668,362 distinct machines. The Zlob family has been removed from 664,258 machines. And the Nuwar family has been removed from 274,372 machines. In total, malware has been removed by this month’s MSRT from 2,574,586 machines.

So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT.


Another antimalware researcher who has been tracking these recent attacks has presented us with data that shows we knocked out approximately one-fifth of “Storm’s” Denial of Service (DoS) capability on September 11th. Unfortunately, that data does not show a continued decrease since the first day. We know that immediately following the release of MSRT, the criminals behind the deployment of the “Storm” botnet released a newer version to update their software. To compare, one day from the release of MSRT, we cleaned approximately 91,000 machines that had been infected with any of the Nuwar components. Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the “Storm” botnet. Machines that will be cleaned by MSRT in the subsequent days will be of similar nature.

The effort by criminals who try to usurp machines on the Internet for their criminal enterprise continues. The September release of the MSRT probably cleaned up approximately one hundred thousand machines from the active “Storm” botnet. Such numbers might project that the strength of that botnet possibly stood at almost half a million machines, with an additional few hundred thousand infected machines that the “Storm” botnet was perhaps not actively incorporating.

Unfortunately, “the virus you are most likely to be infected with is the one that you most recently cleaned,” because people with a habit of doing something are likely to repeat whatever they did. Despite so many machines having been cleaned recently by MSRT, the “Storm” botnet will slowly regain its strength. This highlights that MSRT is only effective if it is used in conjunction with a real-time antimalware program or package.

As I said before, once we set our sights on a particular malware family, we will continue in that fight. So, we await the next release of MSRT when hopefully, we will take another bite out of crime.

-- Jimmy Kuo