Filed Under: MALWARE HISTORY

2007 – Malware Takes the World by Storm

Date: 12/29/2008
Author: Bogdan Botezatu

One of the biggest security threats in 2007 was posed by a new and rapidly evolving email spamming campaign.

The central piece of the new campaign is the Storm Worm, a mixed-type piece of malware that combines worm features with backdoor and Trojan capabilities. Initially spotted in the wild on January 17, 2007, the worm tries to infect computers and then adds them to the Storm botnet. The worm disguises itself as a newsletter containing a film about forged news stories. Just like its predecessors, it relies on users’ curiosity to make them download and execute the attachment.

The worm initially started as an announcement about a weather cataclysm (the initial subject read "230 dead as storm batters Europe", a reference to the European windstorm Kyrill). However, as the infection evolved, the subject line changed. The worm was highly efficient, and security experts claimed that an infected machine could send bursts of almost 1,800 messages in less than five minutes.

When the attachment is opened, it installs the wincom32.exe service. The computer itself becomes part of a large botnet, controlled by a botmaster. However, the Storm Botnet was built using a peer-to-peer approach, rather than the conventional “centralized control” approach, which makes it even harder to kill.

It is alleged that on 7 September, the Storm Botnet consisted of between 1 and 10 million infected computers, acting like a single processing entity. The Storm Worm hit once again on April 1, this time accompanied by April Fools-themed subject lines.
