Storm Worm botnet numbers, via Microsoft

Storm Worm botnet numbers, via Microsoft

Summary: If the statistics from Microsoft's MSRT (malicious software removal tool) are anything to go by, the Storm Worm botnet is not quite the world's most powerful supercomputer.


If the statistics from Microsoft's MSRT (malicious software removal tool) are anything to go by, the Storm Worm botnet is not quite the world's most powerful supercomputer.

The tool -- which is updated and shipped once a month on Patch Tuesday -- removed malware associated with Storm Worm from 274,372 machines in the first week after September 11. In all the tool scanned more about 2.6 million Windows machines.

These numbers, released by Microsoft anti-virus guru Jimmy Kuo, puts the size of the botnet on the low end of speculation that Storm Worm has commandeered between 1 million and 10 million Windows machines around the world.

[ SEE: Storm Worm botnet could be world’s most powerful supercomputer ]

The MSRT numbers, though helpful, shouldn't be relied on as gospel. For starters, the tool targets a very specific known malware (it only finds exactly what it's looking for) and attackers constantly tweak malware files to get around detection. In addition, it is only delivered to Windows machines that have automatic updates turned on, which means there are liely tons and tons of hijacked machines that never gets a copy of the MSRT.

Still, Kuo claims that the September version of MSRT made a dent in the botnet.

Another antimalware researcher who has been tracking these recent attacks has presented us with data that shows we knocked out approximately one-fifth of Storm's Denial of Service (DoS) capability on September 11th. Unfortunately, that data does not show a continued decrease since the first day. We know that immediately following the release of MSRT, the criminals behind the deployment of the Storm botnet immediately released a newer version to update their software. To compare, one day from the release of MSRT, we cleaned approximately 91,000 machines that had been infected with any of the number of Nuwar components. Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the Storm botnet. Machines that will be cleaned by MSRT in the subsequent days will be of similar nature.

The September release of the MSRT probably cleaned up approximately one hundred thousand machines from the active Storm botnet. Such numbers might project that the strength of that botnet possibly stood at almost half a million machines with an additional few hundred thousand infected machines that the Storm botnet perhaps were not actively incorporating.

Kuo also confirmed fears that the botnet will slowly regain its strength once those cleaned machines become reinfected because those machines are likely unpatched and not equipped with any security software.

Topics: Software, CXO, Microsoft, Operating Systems, Security, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Something to fear

    I dont know but storm's botnet sure seems like something to fear. With over half a million infected computers it can take down any site/network in the world (besides the government). Whats stopping them from just doing a DoS on microsoft?
    • What makes you think government...

      networks are not at risk. They are not the most secure.

      The reason the Botnet is not taking down networks is because it is being used to generate revenue with things such as spam.
  • RE: Storm Worm botnet numbers, via Microsoft

    0.27 million infected/2.6 million scanned = 10 percent.

    • My thoughts exactly

      and that was only 10% of those that the tool ran on. How many Windows machines are there that never have updates installed? How many of those are infected? What are the odds of MSRT being run on any of them?
    • 2.6 million machines had malware removed

      NOT "scanned". Sorry, don't have the "Scanned" number handy.

      Also, because the computation is based on taking out 1/5 of the active botnet, the computation is "accurate" regardless of the percentage of machines that had MSRT enabled. The logic is this: X machines in the world. N are infected by Storm. N/5 had Storm and were cleaned. Thus, X/5 likely to have had MSRT executed.
  • How "clean" are the cleaned machines?

    The tool may think it cleaned the machines... rootkits might be on there, and the machines reinfected. Spyware can be tough to get off a computer. How many of those users fdisked/reformatted?