Posted by: David Schneier
For any of you who are nostalgic for the halcyon days of 2001 and 2002, when network-aware worms such as Code Red, Slammer and Nimda ruled the headlines, the success of the Storm worm in the last year must bring back some fond memories. Or not. But at the very least it has shown us that the malware writers have not completely abandoned their craft. The good folks at the Microsoft Anti-Malware Engineering Team have been on the ball as well, and the team has put together a fascinating analysis of the Storm worm, which they call Nuwar, and its prevalence and resilience.
After much work and testing, we made this month’s Malicious Software Removal Tool available for download September 11, and now after one week, we would like to share some of the statistics with you. But before I do, the researcher in me requires that I give you the caveats. First, MSRT is targeted against very specific known malware. It is well known that the “Storm” attacks are engineered by criminals who update their malware frequently. As a result, we are in an endless chase. But that doesn’t mean we shouldn’t try to make things better. Also, once we decide to take on a family in the MSRT, we continue the assault on that family moving forward, so we will keep at it. Because of all the testing that has to be done, we have to freeze our signature additions weeks in advance to make sure we have ample time to do the testing required to release a product as error free as possible (since even a small percentage of errors will impact thousands or millions of people).
Finally, to the numbers (numbers as of 2PM Tuesday, PDT).
The Renos family of malware has been removed from 668,362 distinct machines. The Zlob family has been removed from 664,258 machines. And the Nuwar family has been removed from 274,372 machines. In total, malware has been removed by this month’s MSRT from 2,574,586 machines.
So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT.
Jimmy Kuo, who wrote the Storm post, said that information from other AV researchers tells Microsoft that the MSRT took out about 20% of the worm's DDoS capabilities in one day on Sept. 11. Not too bad. The only problem is that the worm's authors know when Microsoft releases a new version of the tool and typically release a new version of Storm the next day. So the cat-and-mouse game continues.