Summary: HiNRG Technical Report: 01-10-2007
Measuring the Storm Worm Network
Sandeep Sarat, Andreas Terzis
The Storm worm is a botnet which appeared in the early months of 2007. Its prolific
growth, the use of decentralized command and control communication based on the
Overnet P2P protocol and fast-flux servers for secondary-stage binary distribution, as
well as the capability to aggressively defend itself, make Storm a notable species in
the malware ecosystem. Despite considerable interest, Storm's defensive capabilities
and its distributed nature have complicated the accurate estimation of its size and
understanding of its network behavior.
In this paper, we actively probe the Storm botnet using Overnet queries and estimate
its size at approximately 600,000 and 430,000 during the second and third weeks of
October 2007, respectively. At the same time, we found several other surprising artifacts.
Unlike traditional DHTs, the distribution of peer IDs is not uniform. Furthermore,
we observed a small percentage of nodes which publish a large number of IDs, which
we believe is an indication of index poisoning. Taken as a whole, these results provide
insights which may help researchers curtail the Storm phenomenon as well as
future P2P-based botnets.
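The two anomalies the report describes, a non-uniform spread of peer IDs across the Overnet keyspace and a few hosts publishing many IDs, can be checked on a crawl dataset with a simple analysis. The following is an added example, not code from the report; the observations are constructed (not a real Storm crawl), IDs are assumed to be 128-bit Kademlia-style hex strings, and the threshold for a "prolific" host is an arbitrary assumption.

```python
import random
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data, not a real Storm crawl: honest peers publish one
# random 128-bit ID each, while one host publishes many IDs packed into one
# keyspace region, the "prolific publisher" pattern suggestive of index poisoning.
_rng = random.Random(7)

def _rand_id() -> str:
    return "%032x" % _rng.getrandbits(128)

HONEST: List[Tuple[str, str]] = [
    ("198.51.100.%d" % i, _rand_id()) for i in range(1, 25)
]
# Suspect host: 40 IDs that all start with nibble 0xa (same keyspace region).
POISONER: List[Tuple[str, str]] = [
    ("192.0.2.10", "a" + _rand_id()[1:]) for _ in range(40)
]
OBSERVATIONS = HONEST + POISONER  # (host_ip, id_hex) pairs

def prefix_buckets(ids: List[str], nibbles: int = 1) -> Counter:
    """Count IDs by their leading hex nibbles (16**nibbles buckets)."""
    return Counter(i[:nibbles] for i in ids)

def chi_square_uniformity(ids: List[str], nibbles: int = 1) -> float:
    """Chi-square statistic against a uniform spread over the prefix buckets.
    Large values mean the ID distribution is far from uniform."""
    nbuckets = 16 ** nibbles
    expected = len(ids) / nbuckets
    counts = prefix_buckets(ids, nibbles)
    return sum((counts.get("%0*x" % (nibbles, b), 0) - expected) ** 2 / expected
               for b in range(nbuckets))

def ids_per_host(obs: List[Tuple[str, str]]) -> Dict[str, int]:
    """Number of distinct IDs each host was seen publishing."""
    seen: Dict[str, set] = {}
    for ip, nid in obs:
        seen.setdefault(ip, set()).add(nid)
    return {ip: len(s) for ip, s in seen.items()}

def prolific_hosts(obs: List[Tuple[str, str]], threshold: int = 5) -> List[str]:
    """Hosts publishing at least `threshold` IDs: index-poisoning candidates."""
    return sorted(ip for ip, n in ids_per_host(obs).items() if n >= threshold)

if __name__ == "__main__":
    ids = [nid for _, nid in OBSERVATIONS]
    print("chi-square over 16 prefix buckets:", round(chi_square_uniformity(ids), 1))
    print("prolific hosts:", prolific_hosts(OBSERVATIONS))
```

With one prefix nibble the statistic has 15 degrees of freedom, so values well above roughly 25 indicate a distribution that is not uniform at the 5% level.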