Stormy Weather: a quantitative assessment of the Storm web threat in 2007
Raimund Genes, Anthony Arrott and David Sancho, Trend Micro
The mixed web threat known as Storm is widely acknowledged as the most significant digital security event of 2007. Storm
combined the global epidemic aspects of traditional viruses and worms with the stealth and economic activity of today's
massive botnets.
Historically, malware outbreaks have been fast-spreading, single-purpose and soon over. Storm continued to spread for
many months in successive bursts using different techniques. It sustained its potency by recruiting hundreds of thousands
of infected computers into a gigantic botnet. Its purpose appears to be a service-for-hire for multiple fraudulent web
activities.
Because the Storm infection spread over many months and through successive methods of attack, it provides far more data
to threat researchers than past virus and worm outbreaks. Studying the development of the Storm botnet has been compared
to watching an ant colony grow, whereas traditional virus outbreaks are more like studying a bomb explosion.
Conditions before the initial appearance of the Storm worm in January 2007 are compared with measurements made during
the various stages of Storm's evolution throughout 2007. Storm provides a first opportunity for quantitative
analysis of what may prove to be a new generation of intensive malware outbreaks.