Evolving threat stymies security experts
October 17, 2007
By Jesse Hirsh, CBC News
An incredible threat has emerged on the internet: Witness the rise of the Storm Worm.
By steadily infecting and taking control of computers, it has become one of the most powerful networked computer systems in the world. It is growing larger every day as it infects new machines, and its rapidly evolving computer code helps it avoid detection and hides its source so it can continue spreading across the net.
The Storm Worm is an innovative and dangerous new form of malware. It is a worm, a trojan and a bot all combined, encompassing a broad range of capabilities and uniting into a single entity that spans the globe.
Another way to describe the Storm Worm is as a zombie army of Microsoft Windows computers controlled by a mysterious arch villain.
It has been around for about a year, and yet the world's leading security companies are still effectively powerless to deal with it. It is not that the technology inside the Storm Worm is all that impressive; rather, the strategy and methodology behind its deployment are brilliant.
Malware
Before getting into why the Storm Worm is so powerful and how dangerous it could be, it helps to understand exactly what malware is, and explicitly what a worm, trojan and bot are.
Malware is software written to do harm. Its defining characteristic is that it runs without the computer owner's consent, and it can damage or take over their systems and files. It comes in many forms: sometimes a simple virus, but more often a full application that sends spam, attacks other targets on the internet, or hijacks the user's files or computer.
A worm differs from a virus in that it runs as an independent program rather than attaching itself to another program or file in order to be run. Its main purpose is to copy itself: it moves across networks from one computer to the next, infecting each, and sometimes leaves a payload (a program or a message) behind in its wake.
A trojan (also called a trojan horse) deceives a computer user into running a program that claims to do one thing but in fact does something quite different, usually malicious. Trojans are mostly delivery mechanisms for other malware: worms, spyware, bots and similar programs that wreak havoc.
The Storm Worm arrives as a trojan that carries a bot. A bot, short for "robot," is software that takes commands from a remote operator and executes them on the computer it is running on. Many bots also ship with a rootkit, a component that hides the bot's files, processes and network connections from the operating system and its owner, so that it is hard to notice and harder to remove.
When a set of bot-infected computers links up under the command of a single source, they form a botnet, or "zombie" army of slave computers. They can act in unison, pooling the computing power and bandwidth of thousands, if not millions, of infected machines. The people controlling the network can use it for everything from sending out spam to brute-forcing passwords and encryption keys.
In the eye of the Storm Worm
The Storm Worm targets computers running versions of Microsoft's Windows operating system. Its usual routes in are e-mail (most often read in Microsoft Outlook) and the web browser Internet Explorer. A computer is compromised when the user opens a malicious attachment, visits a web page that exploits the browser, or installs a tainted plug-in for either Outlook or Explorer.
The Storm Worm uses multiple methods of attack that are not necessarily technically sophisticated, but are culturally appropriate, employing language that is clever and enticing.
The content of messages and websites that carry the Storm Worm changes constantly. It began with executable attachments dressed up as news clips, sent in messages whose subject lines announced fatalities after a major storm hit Europe, then moved on to e-cards, love letters, YouTube invites, blog comments, files on peer-to-peer networks, fake news headlines and weather alerts. The worm even adapts its messages to co-opt popular events such as the start of the NFL season and the beginning of the playoffs for Major League Baseball.
Not only is the content of the worm's messages always changing, so too is the code that makes up the Storm Worm. The binary served to new victims is re-packed roughly every 30 minutes, so each wave of infections looks different to antivirus software that matches files against known signatures. By the time a signature for one variant ships, the next one is already circulating, which makes it practically impossible for security software to keep up and prevent further spread.
Detection is also hard because the software is patient. A freshly infected machine shows few if any symptoms and can sit dormant for an indefinite period. Even once the computer is "woken up" by remote commands from its new master and put to work on some nefarious task, the bot may still go unnoticed because of its ability to hide its presence on the system.
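The repacking cycle described above is easier to see in code. The following is an added example, not code from the original article and not Storm's real packer: a toy XOR "packer" rebuilds the same payload with a fresh random key on every wave, and two detection strategies are run against the result. The payload bytes, the content signature string and the 16-byte key length are constructed assumptions for the demonstration.

```python
# Added example (not from the article): why repacking defeats file-hash
# signatures, and why matching the unpacked content does not care.
import hashlib
import os

# Constructed stand-in for the bot's inner code. In a real sample this would
# be the unpacked executable; here it is just labelled bytes.
INNER_PAYLOAD = b"STORM-BOT-CORE: connect to peers; fetch spam template; send"

# A string the payload must contain to do its job: survives any repacking.
CONTENT_SIGNATURE = b"fetch spam template"

KEY_LEN = 16  # assumption for the toy packer


def repack(payload, key=None):
    """Simulate one repacking cycle: XOR the payload with a fresh random key
    and prepend the key, so every build is byte-for-byte different while its
    behaviour is identical. (Toy packer, not Storm's real one.)"""
    key = key or os.urandom(KEY_LEN)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return key + body


def unpack(sample):
    """Reverse the toy packer: the key is the first KEY_LEN bytes."""
    key, body = sample[:KEY_LEN], sample[KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def file_hash(sample):
    return hashlib.sha256(sample).hexdigest()


def hash_blocklist_hits(blocklist, samples):
    """Classic signature AV: match the whole-file hash against known-bad hashes."""
    return sum(file_hash(s) in blocklist for s in samples)


def unpacked_content_hits(samples):
    """Unpack first, then look for a string the payload needs in order to work."""
    return sum(CONTENT_SIGNATURE in unpack(s) for s in samples)


def simulate(n_waves=4):
    """Build n_waves repacked variants, as successive spam runs would, then
    compare how many each strategy catches when the hash blocklist only
    knows the first variant (the one a vendor got a sample of)."""
    waves = [repack(INNER_PAYLOAD) for _ in range(n_waves)]
    blocklist = {file_hash(waves[0])}
    return {
        "distinct_hashes": len({file_hash(w) for w in waves}),
        "hash_hits": hash_blocklist_hits(blocklist, waves),
        "content_hits": unpacked_content_hits(waves),
    }


if __name__ == "__main__":
    print(simulate())  # e.g. {'distinct_hashes': 4, 'hash_hits': 1, 'content_hits': 4}
```

The hash-based check catches exactly the one variant it has seen; the content check catches every wave because the thing that makes the bot work cannot be randomised away. Real packers are far more elaborate than an XOR loop, which is why production detection runs samples in a sandbox or emulates the unpacking rather than keying on whole-file hashes.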
Massive network
Security researchers' estimates of the Storm Worm's size range from one million to 10 million zombie computers, and some have speculated the number could be as high as 50 million. At this point the Storm Worm is experiencing a snowball effect: the faster it infects, the larger it grows, the more powerful it becomes and the faster it is able to spread. Some researchers have declared the network of machines under its control to have more raw computing power than any supercomputer currently run by any state, university or educational institution.
However, what worries security experts is that its full potential or capability has yet to be exercised. Estimates suggest that only 10 per cent of the Storm Worm's power has been demonstrated, and that perhaps it is biding its time for a much larger co-ordinated action or attack.
This consideration raises the question as to what it could be used for.
There are many potential applications, each dangerous in its own way. Spam is the first activity the Storm Worm has been observed engaging in. Often this spam is sent partly to spread the worm itself, but the network's resources could just as easily be rented out to crass marketers who want to blast a message to billions of e-mail addresses, or used to push pump-and-dump stock schemes, in which obscure, thinly traded stocks are talked up via fraudulent messages and then sold off.
Identity theft is another obvious use: harvesting personal data from infected machines, and luring people to fake financial websites where their account details are captured and used elsewhere.
The Storm Worm has also been observed engaging in denial-of-service attacks, in which thousands of infected machines flood a target with more traffic than it can handle, knocking an entire company's (or even an entire country's) network off-line. Some security researchers suspect the Storm Worm was involved in the attack on Estonia's infrastructure last May.
As well, the combined computing power of the Storm Worm could be turned to brute-force attacks against secure systems, whether government or private sector: guessing passwords, or trying every key of a short or weak cipher. A caveat is in order here. Brute force scales with the number of machines, so a botnet of this size makes weak passwords and short keys fall quickly, but it does not make a properly sized modern key tractable; the number of possible 128-bit keys exceeds what millions of machines could try in the lifetime of the universe.
In blunt terms, anything a supercomputer can do with work that splits into independent pieces, so too can the Storm Worm.
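To make the "pooled computing power" claim concrete, and to show where it stops, here is an added example that is not code from the article. It carves a password keyspace into contiguous ranges, one per worker, the way a botnet controller would hand out work, and includes a feasibility estimator for larger keyspaces. The salt, target password, alphabet and the per-machine guess rate are constructed assumptions.

```python
# Added example (not from the article): partitioned brute force across N
# workers, plus the arithmetic that says which keyspaces are reachable.
import hashlib
import string

ALPHABET = string.ascii_lowercase
SALT = b"constructed-salt"                       # assumption
TARGET = hashlib.sha256(SALT + b"worm").hexdigest()  # constructed target


def index_to_candidate(idx, alphabet, length):
    """Map an integer in [0, len(alphabet)**length) to a candidate string,
    so the keyspace can be carved into contiguous ranges per worker."""
    chars = []
    for _ in range(length):
        idx, r = divmod(idx, len(alphabet))
        chars.append(alphabet[r])
    return "".join(reversed(chars))


def search_chunk(target_hash, salt, alphabet, length, worker, n_workers):
    """What one bot would run: scan only its share of the keyspace."""
    total = len(alphabet) ** length
    start = worker * total // n_workers
    end = (worker + 1) * total // n_workers
    for idx in range(start, end):
        cand = index_to_candidate(idx, alphabet, length)
        if hashlib.sha256(salt + cand.encode()).hexdigest() == target_hash:
            return cand
    return None


def crack(target_hash, salt, alphabet, length, n_workers):
    """Controller view: dispatch the chunks and report which worker hit.
    The workers run one after another here; a botnet runs them on
    n_workers separate machines at the same time."""
    for worker in range(n_workers):
        found = search_chunk(target_hash, salt, alphabet, length, worker, n_workers)
        if found is not None:
            return found, worker
    return None, None


def expected_seconds(keyspace, machines, guesses_per_sec):
    """Expected time to the hit: on average half the space is searched,
    and the work divides linearly across machines."""
    return keyspace / 2 / (machines * guesses_per_sec)


def feasibility_table(machines=10_000_000, guesses_per_sec=1e8):
    """Expected years to exhaust half of several keyspaces with a botnet
    of `machines` hosts, each trying `guesses_per_sec` keys (assumed rate)."""
    year = 365.25 * 24 * 3600
    spaces = {
        "8-char lowercase password": 26 ** 8,
        "56-bit key (DES)": 2 ** 56,
        "128-bit key (AES-128)": 2 ** 128,
    }
    return {name: expected_seconds(n, machines, guesses_per_sec) / year
            for name, n in spaces.items()}


if __name__ == "__main__":
    print(crack(TARGET, SALT, ALPHABET, 4, 4))   # ('worm', 3)
    for name, years in feasibility_table().items():
        print(f"{name}: {years:.3g} years")
```

With 10 million machines each trying 100 million keys a second, the 56-bit DES keyspace falls in well under a minute and an eight-letter lowercase password in a fraction of a second, but a 128-bit key still needs on the order of 10^15 years. Parallelism buys a linear factor; key length buys an exponential one.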
Built-in defences
To make things more interesting, the Storm Worm also has counter-espionage capabilities. Once it detects that a researcher or forensics expert is probing it, it launches a denial-of-service attack against that person's computer (or network) and uses the moment of chaos to slip back into the wild. This is perhaps the most alarming aspect for researchers, and it is part of why so little is known about the source of this threat and why so little can be done to combat it.
The Storm Worm creates a new kind of fog of war that allows it to hide from its enemies while actively engaging in an attack that is global in reach and shows no sign of slowing.
Taking the military analogy further, the Storm Worm has its own distributed command-and-control structure: rather than reporting to a single server that could be shut down, infected machines find one another over a peer-to-peer protocol derived from the Overnet/eDonkey file-sharing network, and the traffic is obfuscated so commands cannot simply be read off the wire. Not all computers in the network play the same role. Only a small number are actually employed in spreading infection, and an even smaller number are part of the control mechanism, comprising an officer corps within this growing zombie army.
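A defender's view of that peer-to-peer structure, as an added example that is not part of the original article: the code below runs a simple fan-out check over connection records and flags hosts that chatter over UDP with many distinct peers on many high, scattered ports, the shape of a P2P bot looking for its peers, while ignoring a desktop that only talks to a few servers on well-known ports. The flow lines, the IP addresses and the thresholds are constructed assumptions, not real Storm traffic.

```python
# Added example (not from the article): flag P2P-style fan-out in
# connection logs. Records and thresholds are constructed for the demo.
from collections import defaultdict

# Constructed flow records: "src_ip dst_ip proto dst_port".
# 10.0.0.5 behaves like a normal desktop; 10.0.0.9 behaves like a P2P bot.
FLOWS = """
10.0.0.5 192.0.2.10 tcp 443
10.0.0.5 192.0.2.53 udp 53
10.0.0.5 192.0.2.11 tcp 80
10.0.0.5 192.0.2.53 udp 53
10.0.0.9 198.51.100.7 udp 7871
10.0.0.9 198.51.100.22 udp 18754
10.0.0.9 203.0.113.4 udp 9983
10.0.0.9 203.0.113.91 udp 32901
10.0.0.9 198.51.100.130 udp 4177
10.0.0.9 203.0.113.140 udp 21110
10.0.0.9 198.51.100.61 udp 13002
10.0.0.9 203.0.113.77 udp 29421
10.0.0.9 192.0.2.10 tcp 443
""".strip().splitlines()


def parse_flows(lines):
    """Parse the whitespace-separated records into (src, dst, proto, port)."""
    records = []
    for line in lines:
        src, dst, proto, port = line.split()
        records.append((src, dst, proto.lower(), int(port)))
    return records


def host_stats(records):
    """Per source host: distinct UDP peers, distinct high UDP ports,
    and distinct /24 networks contacted over UDP."""
    peers = defaultdict(set)
    high_ports = defaultdict(set)
    nets = defaultdict(set)
    for src, dst, proto, port in records:
        if proto != "udp":
            continue
        peers[src].add(dst)
        nets[src].add(dst.rsplit(".", 1)[0])
        if port >= 1024:
            high_ports[src].add(port)
    return {src: (len(peers[src]), len(high_ports[src]), len(nets[src]))
            for src in peers}


def p2p_suspects(records, min_peers=6, min_high_ports=5, min_nets=2):
    """Return source hosts whose UDP behaviour crosses all three thresholds
    (assumed values; tune them to the network being watched)."""
    flagged = []
    for src, (n_peers, n_ports, n_nets) in host_stats(records).items():
        if n_peers >= min_peers and n_ports >= min_high_ports and n_nets >= min_nets:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    print(p2p_suspects(parse_flows(FLOWS)))  # ['10.0.0.9']
```

Legitimate peer-to-peer software produces the same fan-out, so in practice this is a triage signal rather than a verdict; the point is that a bot which cannot be found by its server address can still be found by how it behaves on the wire.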
Perhaps another way of looking at the Storm Worm is as a new kind of weapon. It is a new kind of battleship that at present has no peer.
We're left with a glaring question: Who is behind the Storm Worm? Nobody knows, and speculation ranges from organized crime to a new breed of cyber-militant. Are we witnessing a new kind of mercenary force that can be hired to engage in all sorts of internet criminal activity, or is this a new weapon being honed, to be wielded by an organization or a group seeking to disrupt the internet and the economy at large?
Geographically speaking, several researchers have been able to trace the Storm Worm back to Russia. However, given the ability to obfuscate one's origins on the internet, this could be a deliberate deception to throw investigators off the real source.
The only way to stop the Storm Worm is to find the power behind it. So far, a purely technical solution has not materialized. This is the first time the computer security industry as a whole has thrown up its hands and admitted that it, too, is struggling to figure things out.
In fact, the threat from the Storm Worm is so severe that this may be the first time an internet security problem of this type grows to become a political problem, one that governments around the world must solve.
Unfortunately, for anything to happen, we need to further understand exactly what the Storm Worm is.
Is this the start of a new arms race to build stronger and more powerful internet-based weaponry?
Is this the end of the Windows operating system, which may become so overwhelmed that the only solution may be to abandon it for a new and more secure computing platform?
Or dare I suggest something even crazier and more radical: Is the Storm Worm an entity that is, for all intents and purposes, alive online? Is it the artificially intelligent entity that science fiction and cyberpunk authors have speculated about for decades?
One thing is certain: A lot of security researchers are desperate to know the answer.