Raimund Genes, Anthony Arrott and David Sancho, Trend Micro
The mixed web threat known as Storm is widely acknowledged as the most significant digital security event of 2007. Storm combined the global epidemic aspects of traditional viruses and worms with the stealth and economic activity of today's massive botnets.
Historically, malware outbreaks have been fast-spreading, single-purpose and soon over. Storm continued to spread for many months in successive bursts using different techniques. It sustained its potency by recruiting hundreds of thousands of infected computers into a gigantic botnet. Its purpose appears to be to act as a service-for-hire for multiple fraudulent web activities.
The many months over which the Storm infection spread, and its successive methods of attack, provide far more data to threat researchers than past virus and worm outbreaks did. Studying the development of the Storm botnet has been compared to watching an ant colony grow, whereas traditional virus outbreaks are more like studying a bomb explosion.
Conditions before the initial appearance of the Storm worm in January 2007 are compared with measurements made during the various stages of Storm's evolution throughout 2007. Storm provides a first opportunity for quantitative analysis of what may prove to be a new generation of intensive malware outbreaks.