Joshua Corman serves as Principal Security Strategist for IBM Internet Security Systems. With more than ten years of experience in security and networking software development, Corman is responsible for the technical vision and direction of host protection solutions. He is currently leading an industry charge to evolve defenses against the latest generations and innovations of malicious code. Corman is also charged with strategy for Data Security and End-Point Admission Control solutions.

In this Q&A session he discusses the Storm Worm.

Why is Storm so dangerous?

Its danger lies in the fact that it is a sleeping giant. The computational power of this system is tremendous. What could you do with the world’s largest supercomputer? The answer is, a lot. The current owners of Storm appear to be financially motivated. But if this same technology was in the hands of a politically motivated group it would represent a clear and present danger. Just look at recent independent cyber-attacks that have been carried out including the DDOS (distributed Denial of Service) attacks on Estonia, power outages in New Orleans, and the successful cyber reconnaissance on U.S. federal organizations. None of these were executed by Storm itself, but they give you a glimpse of what an organization like Storm could be capable of. Ultimately, despite the efforts of the security industry, Storm is still successful over one year from its birthday.


Why has Storm been so successful?

The social engineering capability of Storm is unprecedented. The true secret to its success is not technology based, it is the ability to understand human nature and what files users will open, forward and execute. Its delivery mechanisms are constantly changing from attached PDFs to mp3 files or spoofed YouTube videos to free NFL GameTrackers. Each download or execution adds another computer to its growing botnet network. The largest “recruitment” campaigns are seen around the holidays prompting users to download the dancing skeleton for Halloween or read the animated Valentines card from a secret admirer. Storm’s decentralized resilient peer to peer (P2P) botnet architecture allows it to adapt independently. It is like vapor, it just vanishes when you try to attack it.

Is it still the largest botnet? How large is it?

This security industry’s concern is not solely about the specific code that is Storm; it is about the phenomenon pioneered by Storm. The world of cyber-crime is not unlike any other emerging market, there is always an innovator and then there are copycats. As you eliminate elements of Storm, copycat versions such as MayDay, Mega-D, etc appear. The model is thriving despite the security industry’s best efforts. The archetype Storm pioneered is being improved upon.