The Worm That Roared

Lev Grossman

During the week of Jan. 15, an innocuous-looking e-mail appeared in thousands of inboxes around the world. Its subject line read, “230 dead as storm batters Europe.” The e-mail came with a file attached, bearing a plausible-sounding name like Full Story.exe or Read More.exe. Plenty of people clicked on it. After all, storms really were battering Europe at the time; that week high winds and rain had killed 14 in the U.K. alone. But all great cons have a grain of truth in them somewhere.

The file that arrived with the e-mail was, of course, a computer virus, immediately christened the Storm Worm by the Finnish computer security firm F-Secure, which was among the first to spot it. Since then, the Storm Worm has proved remarkably hard to kill. Nine months later, it’s still out there, infecting something like a million computers worldwide. It’s not the most damaging virus in history, but it may be the most sophisticated. Whoever created it is to viruses what Michelangelo was to ceilings.

The Storm Worm is a marvel of social engineering. Its subject line changes constantly. Whoever produced it–and its many later variants–has a lively feel for the seductive come-on and a thorough grounding in human nature. It preys on shock (“Saddam Hussein Alive!”) and outrage (“A killer at 11, he’s free at 21 and …”) and prurience (“Naked teens attack home director”) and romance (“You Asked Me Why”). It mutates at a ferocious rate, constantly changing its size and tactics to evade virus filters, and finds evolving ways to exploit other online media like blogs and bulletin boards. Newer versions might contain, instead of a file, a single link to a fake YouTube page, which crashes your browser while quietly slipping the virus into your computer. “I’ve heard people talk about this like virus 2.0, just like people talk about Web 2.0, because it’s so different from the traditional attacks,” says Mikko Hypponen, chief research officer of F-Secure. “It’s probably the largest collection of infected machines we’ve ever seen.”

Like any good parasite, the Storm Worm doesn’t kill its host. In fact, most of the victims–some of whom are undoubtedly reading this article–will never know their machines are infected. It doesn’t cripple your computer (and can be removed once identified), but the Storm Worm does give its authors the power to quietly control your computer. What do they do with this power? Mostly they send out spam. Back in the day, computer viruses were a relatively innocent affair, written as pranks by teenagers with too much time on their hands between Star Wars sequels. Now they’re written by organized criminals looking to make money from fake offers.

Nobody knows who’s behind the Storm Worm. F-Secure suspects a group based in Russia, but there’s no way to be sure, and recent Storm Worm subject lines referring to Labor Day and the start of the football season suggest that those involved have an American connection. What is certain is that they are very smart–prodigious innovators engaged in a cat-and-mouse game with security firms that so far they’re winning. “I don’t think these guys have day jobs,” says Hypponen. “They’re really active and really closely watching us. I don’t see them stopping anytime soon.”

It’s also clear that they’ve been pulling their punches. Right now the Storm Worm gang controls a massive amount of computing power, as much as some of the world’s largest supercomputers, and all they do with it is send out spam and conduct the occasional denial-of-service attack (bombarding a specific server with traffic until it shuts down). We’re lucky: so far they haven’t gone in for more lucrative, damaging activities like online gambling, stock scams and stealing passwords and credit-card information. Is it possible that even a worm can have a conscience?
