The prolific Storm Worm may be on the way out, according to a University of California researcher.
Brandon Enright, a security analyst at UC San Diego, has been tracking Storm since July and said that it's been shrinking steadily and is now a shadow of its former self. On Saturday, he presented his findings at the Toorcon hacker conference in San Diego.
Storm is not really a worm. It's a network of computers that have been infected via email, and are centrally controlled via the Overnet P-to-P protocol. Enright said he has developed software that crawls through the network and he thinks that he has a pretty accurate estimate of how big Storm really is.
Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world's most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time.
Enright guessed that about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority have since been cleaned and are no longer part of the Storm network.
Since July, it's been downhill for Storm. That's when anti-virus vendors began stepping up their tracking of Storm variants and got a lot better at identifying and cleaning up infected computers, Enright said.
Then on 11 September, Microsoft added Storm detection (Microsoft's name for Storm's components is Win32/Nuwar) into its Malicious Software Removal tool, which ships with every Windows system. Overnight, Storm infections dropped by another 20 percent.
Enright said that Storm is now about one-tenth of its former size. His most recent data counts 20,000 infected PCs available at any one time, out of a total network of about 160,000 computers. "The size of the network has been falling pretty rapidly and pretty consistently," he said.
Still, Storm has had a remarkably successful run. It's called Storm because it first emerged in mid-January in spam that offered late-breaking news on the powerful storms that had been battering Europe. Users who clicked on the "Full Story.exe" or "Video.exe" attachments were infected.