Worming Into Your Hard Drive

A growing computer virus is proving unusually hard to beat


"Hello, this is an investor alert." The female voice drones on for 15 seconds about a new stock that is a "huge success in Canada" and expecting big returns in the United States. But anyone who opened Elvis.mp3 or its variants, which appeared last week as an attachment to a spam E-mail, has actually just invited a cutting-edge computer virus to come live on his hard drive and spread. The audio file is just the newest delivery vehicle for a diabolically clever virus that has amazed analysts with its ability to flood the Internet with spam while protecting itself—and its creators—from detection.

The virus is called Storm Worm, and since it showed up in January under the E-mail subject line of "230 dead as storm batters Europe," it has infected what most experts say is at least 1 million computers and what some estimate is 10 million. The infection represents the future of cyberthreats, they say, proving the need for new ways to protect information online.

Storm is not the most damaging of computer viruses, but it may be the most sophisticated. Unlike some viruses, Storm's goal is not to destroy its host computer. "Any good parasite wants to keep its host alive," says Don Jackson of the cybersecurity firm SecureWorks. Instead, the virus commandeers the computer's resources to attack competing viruses or to send out billions of pieces of junk E-mail, all the while looking for new hosts to infect.

Once Storm installs, it secretly receives orders from its controllers. But, in a twist, most copies of the virus don't contact the controllers directly; instead commands are relayed through other infected computers to conceal the source. It is this method of diffusing control that has prevented authorities from tracing Storm back to its authors.

Quick-change tricks. A battery of other defenses makes the virus uniquely impregnable. It quickly adapts as authors update it with new E-mail subject lines that mimic the news or pop-culture alerts—"A killer at 11, he's free at 21" or "Dude, this is not even on MTV yet." And recently it has been spreading through YouTube's internal message service by creating fraudulent messages from other users.

Experts say Storm Worm's creators are capable of using it for more nefarious means, such as flooding a website with so much traffic that it shuts down or downloading software that attacks the user's machine. Storm also points to a worrisome trend: The virus makers are starting to cooperate with each other. "We've seen a couple of these ... families really branch out as the trend goes from individual authors to small confederations to large teams," says Jackson. Meanwhile, the virus has begun splitting into smaller pieces, allowing its authors to sell its services to even more cybercriminals at once.

Antivirus companies have caught some versions of Storm, and Microsoft reported removing about 275,000 cases in September. Still, says Vinny Gullotto, who tracks infections for Microsoft, keeping on top of Storm Worm requires updates every day.


Other innovative viruses that, like Storm Worm, are finding new ways to cause trouble:

IRS scam: Targets business executives with bogus tax or business complaints. If opened, it installs viruses that collect personal information sent through Internet Explorer.

Bubbles: Spreads through the messaging service on Skype, a popular Internet phone service. It then disables security software.

Renos: Displays a bogus security alert that connects PCs to a malicious server and downloads harmful software.