Storm botnet is a former featured article. Please see the links under Article milestones below for its original nomination page (for older articles, check the nomination archive) and why it was removed.
Article is Out of Date
There is no new information (as of 2009) that I can see in this article. While citing references at FA quality is not my strong suit, I would like to draw the attention of those editors more skilled than myself with an {{outofdate}} tag.
Dragonnas (talk) 21:05, 14 November 2009 (UTC)
Methodology, first paragraph. A tad too much drama there? I suggest you log all the IPs that modify this site and tracert them (at least); this is written quite surely by some minor admins of some botnet... --
Sigmundur (talk) 20:24, 29 May 2008 (UTC)
Unsourced info
I just pulled this from the article:
It should be noted that the distributed and anonymous nature of the botnet would make it difficult to be used on any computing task that relies on being able to access information from other computers in the botnet. Most supercomputers have fast interconnects between nodes, and all nodes are easily addressable, whereas the botnet has little to no interconnection between nodes, and nodes aren't easily addressable.
Matt Sergeant was also using the absolute upper-most estimates for the size of the botnet, which aren't based on evidence, have massive uncertainty, and will have been popularized by a media looking for whoever will give the largest estimate. (Other estimates in the range of 250,000 to 1,000,000 are often ignored in favor of the 10,000,000 to 50,000,000 estimate which is more frequently cited.) [citation needed]
There is also not very much that criminals could do with a vast amount of computing power. Some applications include breaking password hashes, but the applications are limited. The botnet is likely to only be useful to spread spam and make DDoS attacks, and not to give the author(s) computing power. [citation needed]
There's a lot of info here that's going to end up as some corner of information technology folklore, I'm sure. "Boy, back in the winter a' two thousand dickety seven, I seen me the biggest botnet you ever did seen!"
Lawrence Cohen 22:19, 14 January 2008 (UTC)
I don't think anyone's done a good analysis of what they could do with that much CPU power. One thing that they can/do do is generate unique messages for every email, and regenerate the worm signatures on the fly by mutating the payload.
SteveLoughran (talk) 20:48, 23 January 2008 (UTC)
Peer review
Try to avoid one paragraph sections. Either expand them or combine them with other sections.
The article needs more background. What type of virus/worm is this? How does it relate to other worms/viruses? What is the evolution of computer infections that led to this one? What are the possible motivations of its creator?
"Way forward" section. What are the plans of network/security engineers to defeat it? What are the plans to safeguard against this type of infection in the future?
How does this internet attack relate to the "big picture"? What does it mean for internet security and usage in general? What are its long-term ramifications?
I am glad to report that this article nomination for good article status has been promoted. This is how the article, as of October 21, 2007, compares against the six good article criteria:
1. Well written?: Fascinating article. Well worded, good use of language, clear and understandable.
2. Factually accurate?: 35 citations used, with good formatting, looks like the Wikipedia:Citation templates were used. Nice work.
3. Broad in coverage?: The four main sections do cover a broad area. Looking at the talk page, moving forward to FA status eventually, I would suggest following that informal Peer Review and expanding it further, i.e. what has been done lately about this, even more developing current events, etc. The next place to seek advice is Wikipedia:Peer Review.
4. Neutral point of view?: Worded quite neutrally, no sense of any bias here.
5. Article stability? Article seems quite stable, I only saw one vandalism issue, keep an eye on this.
6. Images?: No images. Therefore, there are no image licensing problems - but it would be nice going towards FA if there were some relevant images that could be included.
Definitely. There are lots of good sources that came out since I last hit it, but I've been short on time/distracted by other articles. Feel free to take a whack at it if you're game. :) •
Lawrence Cohen 14:51, 28 October 2007 (UTC)
Images for the article
I'm going to personally get back to work on expanding this out more in December. It's been idle for too long. In the meanwhile, does anyone have any suggestions for images for this article? The images on malware and botnet type articles are passable, but not the very best. Suggestions? •
Lawrence Cohen 19:48, 27 November 2007 (UTC)
How about a graph (hits vs time) of one of the DDoS attacks mentioned in the article? It seems like that data should be available somewhere. --
W0lfie (talk) 17:25, 28 November 2007 (UTC)
I think that could work, and wouldn't be original research. I'm pretty terrible at any sorts of graphing or graphics work, though. Is that something you can do? •
Lawrence Cohen 17:43, 29 November 2007 (UTC)
I think the preferred format for graphs here is SVG. I'll look and see if there's a good tool to manipulate data and spit out an SVG file. Would you be able to get the data? --
W0lfie (talk) 22:48, 13 December 2007 (UTC)
Tremendous read. I've not commented in the FAC yet as that requires rather more attention to detail (checking for top quality prose, checking the quality of the sources you have referenced, and so on) but on an informal basis let me say it's a great effort. --
kingboyk (talk) 19:42, 28 December 2007 (UTC) PS Can't help but be impressed by the sinister geniuses behind this botnet, either.
Thank you! :) And yes, the masterminds behind it all are frighteningly clever--especially since unless you're an IT professional, you may never know you're under their control. And even then, maybe not?
Lawrence Cohen 20:19, 28 December 2007 (UTC)
Location of malware servers?
Is there a public posting of current locations of the malware servers? How many times or in what way do they have to be accessed to trigger a DDOS attack from the botnet? It does not seem to me that it would be in any way unethical for a dissatisfied employee or protesting student to intentionally mimic a DDOS researcher's actions to provoke such an attack against his network, since it simply redirects the ongoing activities of a criminal organization, and it would have the curious side effect of making life easier for the researchers. But is that what people involved in security and enforcement believe?
Wnt (talk) 18:08, 6 January 2008 (UTC)
Most of this, from my understanding of digging up this article, is that the researchers (and obviously the botmasters) guard this information very carefully, so no one gives away too much, except to law enforcement. If you could possibly find something like this in a valid source, I'd love to add it. Could be very interesting.
Lawrence Cohen 06:18, 7 January 2008 (UTC)
Sorry, I thought the community collaboration to track these people would be more open than that - I certainly have no special knowledge and was surprised when I couldn't find it in a Web search.
Wnt (talk) 02:44, 8 January 2008 (UTC)
Wording in the lead
I undid FrummerThanThou's wording change. FrummerThanThou, please explain why you think your version is better. The wording there is unclear compared to what it was.
Lawrence Cohen 06:40, 9 January 2008 (UTC)
The current incarnation is a Featured Article, so does the wording of the lead need to be changed if the article itself isn't changing in a significant way?
Hewinsj (talk) 13:37, 9 January 2008 (UTC)
hi lawrence, plz take up issue with the exact words you didn't like. i thought they spoke for themselves, such as "speculate" on a few instances.
frummer (talk) 17:30, 9 January 2008 (UTC)
Well, since you asked, this is the diff of reverting your changes, to act as a reading guide for this (open it in a new tab):
"which has come to worldwide attention amongst computer security vendors due to its speculated size and control."
No source for your sentence here. Who said this was receiving attention because of its size, implying it was feeding on itself? Who said worldwide?
"speculated to control"
Not needed: we can quote experts as authorities, and in nearly all cases their very wording is speculative. No need to say this here, and we shouldn't say they speculated--who said they were speculating? We can quote experts factually.
"instant messaging and link spam"
Source?
"alltime biggest"
Source?
"or have shrunken to"
This wording is just plain awkward.
"but with the C&C server constantly evading detection, the seizure of which would lend veracity either ways, conflicting reports only spike further speculation."
Very awkward wording, and there is no point in getting into the high concepts of the C&C that early as an acronym, because it's confusing there. It's explained in context it belongs in later under the composition of the botnet section.
"As of September 2007 the botnet was reportedly powerful enough to force entire countries off the Internet, and is speculated it to potentially" ...
On the section, I'm certainly not married to the wording; either can work, so I'd be inclined to leave it as-is if it's fine now. What do others besides ourselves think? Please weigh in.
"as a decentralised system, its comparison to a supercomputer is"
My version of "according to security analyst James Turner" is needed here, to attribute who said that.
"Known to be used" vs. "used"
Used is fine, as we have this cited from the expert authorities on the matter. No need to qualify this in any way.
hi lawrence, i know you've put a lot of work into the storm botnet article but i must remind you that we mustn't piss on our turf here and be careful to take up issue with changes on the talk page. the Storm, Nugache, Peacomm, and Nuw botnets are an entirely new breed of malware in that they are completely decentralized and impossible to crawl deeply and make authoritative estimations of their size and control.
the wide ranging estimates as to the size of the botnet that the researchers come up with show how in fact these estimations are in fact speculations. the only way proper estimations can be made would be if we could actually crawl the entire botnet, but with the C2 server evading detection and bots talking to each other in an encrypted IRC channel, morphing their code every 30 mins and popping up and down like rabbits in holes, it is simply not possible.
as Schneier says to this effect, until the controller is cuffed, there won't be much we can know for sure. in regards to every possible detail of its size over time, we can only speculate.
And I agree, but I still think it is more important to only put sourced information into the article, attributable to the cited experts. We can't come to our own conclusions, and Schneier's statement from learning about this I feel is accurate, but not a single definitive point. I'll move this over to the Storm botnet talk page. What do you mean by pissing on our turf?
Lawrence Cohen 18:01, 9 January 2008 (UTC)
Hi Frummer, in reply to your email, I don't have IM, unfortunately, and very, very strongly prefer to do content or policy talk in public so that others can weigh in. Thanks. We are in no rush, so I can wait for your points here instead of real time.
Lawrence Cohen 18:24, 9 January 2008 (UTC)
Purported?
Re: The section header "Purported decline of the botnet", Purported is quite a loaded word to use in a front page FA section header. The original wording of Reported, changed in December 2007, seems more in keeping with NPOV policy and is backed by the section's content (a report need not be accurate in everyone's view; being backed by substantial verifiable sources, as here, suffices). Even Claimed, though not entirely free of bias, would be a better choice for neutrality.
I personally believe there is a content slant throughout the article which is at odds with featured article criteria #1d, "Neutral" means that the article presents views fairly and without bias, but at a minimum, I think most can agree it is vital to avoid using titles which immediately cast doubt on the truth of the content. --
Michael Devore (talk) 06:54, 14 March 2008 (UTC)
Why is the image in this article not used on the main page? It is in the public domain so I don't see any fair use problems with it, and I think it illustrates the idea behind this article very well.
Gary King (talk) 00:05, 16 March 2008 (UTC)
Whoa, I just noticed the article I began got there!! Where was the discussion for that, I totally missed it (I am not complaining, though, wow)! Lawrence § t/e 04:29, 16 March 2008 (UTC)
Yeah I kept thinking of what the makers of the virus thought of this page. They could easily take down Wiki or take control of this pages content. I assume they are okay with it.
Rekija (talk) 23:25, 16 March 2008 (UTC)
Estimate in the intro
In the intro paragraph, I didn't understand what is meant by "it was estimated to run on as many as 1 to 50 million computer systems"? Should it instead say "it was estimated to run on a million computer systems; some estimates suggested 50 million computer systems". or did I misunderstand?
Sam Staton (talk) 10:40, 16 March 2008 (UTC)
1 to 50 million means between 1000000-50000000. An analogous statement might be, "Fred has 1-20 cats", meaning that Fred owns at least 1 cat, but he may have up to 20 cats.
However I agree it could have been worded better. Though even if given the worst interpretation, i.e. that at times there may only be one PC in the net, it is probably true enough. It is indeed possible that at times there may only be one bot in the net - though this is improbable, it is not impossible. —Preceding unsigned comment added by 219.90.158.147 (talk) 12:31, 16 March 2008 (UTC)
"As many as" is often used incorrectly before a range. It should precede a single, upper-limit number. I changed the wording to what I think the author meant to express. -
Eric (talk) 13:13, 16 March 2008 (UTC)
I'm also finding the phrase "1 to 50 million" confusing/ambiguous -- I read it as "1 to 50,000,000" rather than as "1,000,000 to 50,000,000." (This may be an artifact of different dialects of English.) I'm going to boldly change this to "1 million to 50 million", which is both correct and unambiguous. --
Writtenonsand (talk) 13:38, 16 March 2008 (UTC)
Cute. I always did wonder when building this article if the defensive steps were done manually, or if they actually wrote some sort of system into Storm to have it respond in a list of ways to certain things. Lawrence § t/e 18:09, 16 March 2008 (UTC)
I too couldn't help but draw similarities between this and Skynet. If there was someone notable connecting the dots I wouldn't be against mentioning it in the article but so far I've not seen anything.
Rekija (talk) 23:21, 16 March 2008 (UTC)
Partial deletion
Given the...colorful metaphors just used by a vandal in his edit summaries, it might be advisable to outright delete those versions (by deleting the article and restoring everything but those edits) so those aren't visible to the public-at-large in the article history. Probably should wait until after the article is no longer the FA of the day though.
Postdlf (talk) 17:38, 16 March 2008 (UTC)
I don't believe that profanity in edit summaries is considered a big problem. We have profanity in the bodies and the names of many articles, in fact. See Fuck (disambiguation). The method you suggested is used when edit summaries contain serious WP:BLP violations, like accusing real people of crimes; I don't think anyone would think it was worth the time just to get profanity removed. --
Xyzzyplugh (talk) 18:05, 16 March 2008 (UTC)
I'm very surprised this page doesn't bring any information on how to clean an infected machine. Even how to know your computer is infected. Am I missing something here? —Preceding unsigned comment added by 201.42.190.169 (talk) 22:58, 16 March 2008 (UTC)
It would be redundant info; the sort of people who have been infected are the sorts of clowns who don't know it exists or alternatively can't follow simple instructions for safety, e.g. "don't open email from anyone unless you are sure you know them", so won't be able to follow any simple removal instructions either, provided directly or via a link. —Preceding unsigned comment added by 219.90.176.8 (talk) 09:32, 17 March 2008 (UTC)
We'd need a reliable source on this, really. Anyone ever seen anything on Storm removal? Half the stuff is still so secret that I've never seen such a thing, let alone in a reliable source. Lawrence § t/e 17:22, 17 March 2008 (UTC)
Yeah, saw it earlier. Someone mailed me today saying I should keep an eye on it for a new article section on both sides in case "they go to war". Crazy world... Lawrence § t/e 23:28, 7 April 2008 (UTC)
For the facts on the guts of the thing, don't expect anything soon. It took months after Storm became public for that kind of info to come out. Lawrence § t/e 23:30, 7 April 2008 (UTC)
Yeah, that kind of information is generally closely held by those in the know, on both sides of the equation, for a variety of reasons. It'll be a while before there's anything significant publicly known about it (at which time the reports from now will almost certainly be proven erroneous, quite possibly by orders of magnitude - in which direction, I could only guess). —
Krellis (Talk) 23:48, 7 April 2008 (UTC)
Sort of like the early estimates (that first got me curious about Storm, actually) that this botnet was "7,000,000+ strong, can knock nations offline, destroy Western civilization, and sell your children into slavery!!" Lawrence § t/e 23:51, 7 April 2008 (UTC)
Even the current estimates of Storm are highly controversial and widely disputed. Only the controllers likely really know the extent of the network (and perhaps even they don't!) —
Krellis (Talk) 23:53, 7 April 2008 (UTC)
MOSNUM no longer encourages date autoformatting, having evolved over the past year or so from the mandatory to the optional after much discussion there and elsewhere of the disadvantages of the system. Related to this, MOSNUM prescribes rules for the raw formatting, irrespective of whether or not dates are autoformatted. MOSLINK and CONTEXT are consistent with this.
There are at least six disadvantages in using date-autoformatting, which I've capped here:
Disadvantages of date-autoformatting
(1) In-house only
(a) It works only for the WP "elite".
(b) To our readers out there, it displays all-too-common inconsistencies in raw formatting in bright-blue underlined text, yet conceals them from WPians who are logged in and have chosen preferences.
(c) It causes visitors to query why dates are bright-blue and underlined.
(2) Avoids what are merely trivial differences
(a) It is trivial whether the order is day–month or month–day. It is more trivial than color/colour and realise/realize, yet our consistency-within-article policy on spelling (WP:ENGVAR) has worked very well. English-speakers readily recognise both date formats; all dates after our signatures are international, and no one objects.
(3) Colour-clutter: the bright-blue underlining of all dates
(a) It dilutes the impact of high-value links.
(b) It makes the text slightly harder to read.
(c) It doesn't improve the appearance of the page.
(4) Typos and misunderstood coding
(a) There's a disappointing error-rate in keying in the auto-function; not bracketing the year, and enclosing the whole date in one set of brackets, are examples.
(b) Once autoformatting is removed, mixtures of US and international formats are revealed in display mode, where they are much easier for WPians to pick up than in edit mode; so is the use of the wrong format in country-related articles.
(c) Many WPians don't understand date-autoformatting—in particular, how it differs from ordinary linking; often it's applied simply because it's part of the furniture.
(5) Edit-mode clutter
(a) It's more work to enter an autoformatted date, and it doesn't make the edit-mode text any easier to read for subsequent editors.
(6) Limited application
(a) It's incompatible with date ranges ("January 3–9, 1998", or "3–9 January 1998", and "February–April 2006") and slashed dates ("the night of May 21/22", or "... 21/22 May").
(b) By policy, we avoid date autoformatting in such places as quotations; the removal of autoformatting avoids this inconsistency.
Removal has generally been met with positive responses by editors. Does anyone object if I remove it from the main text (using a script) in a few days’ time on a trial basis? The original input formatting would be seen by all WPians, not just the huge number of visitors; it would be plain, unobtrusive text, which would give greater prominence to the high-value links.
Tony (talk) 06:54, 24 July 2008 (UTC)
Hello everyone - Unfortunately, this article does not meet the current standards for a featured article. The major issue is that it is significantly out-of-date, as has been pointed out by the cleanup banner that has been located at the top of the article for almost two years. The majority of the article's information ends at 2008, with absolutely nothing since 2010. What has happened with this system over the past 2-4 years? There are also several dead links, see here. If work is not completed on these issues in the next few weeks, this article will need to be taken to WP:Featured article review for a possible revocation of its featured status.
Dana boomer (talk) 15:00, 24 September 2012 (UTC)
External links modified
Hello fellow Wikipedians,
I have just added archive links to one external link on Storm botnet. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes: