Upstart Storm swiftly gained Web strength

If Rock Phish is the Microsoft of the cybercrime world, Storm is akin to Google: the upstart that has quickly gained enormous reach and the potential to generate loads of cash.

Its meteoric rise has left security experts unsure who is behind Storm, and why such an enormous botnet was built.

It started in late January, with messages bearing a simple subject line: "230 dead as storm batters Europe." Hurricane-force winds were blowing through Europe at the time, and Internet users across the continent clicked on the file attachment to learn more — unwittingly allowing the cybercriminals known as the Storm Worm group to take control of their computers.

Other enticing e-mails followed, spreading around the world in waves. There were headlines about the death of President Bush and war breaking out against Iran.

Some of the most successful arrived as e-greeting cards: Users thought they were receiving Easter or Fourth of July wishes from friends. Other messages lured users to a Web site packed with NFL stats — and filled with malware.

In just a few months, Storm created a network that Peter Gutmann, computer-science professor at the University of Auckland in New Zealand, estimates has more power than the world's largest government and corporate supercomputers. No one knows for sure how large: Many security researchers put the number at more than 100,000; some say 50 times that.

Security experts wonder why Storm has built such an enormous botnet. Cloudmark researcher Adam O'Donnell believes the goal was merely to build the network for rental to criminal enterprises.

Large botnets can be used to launch massive scams, including e-mail pump-and-dump schemes, in which criminals purchase cheap stocks, trick others into buying to briefly drive up the price, and then unload them at a profit. They might also capture passwords and account information stored within infected computers.

Experts are similarly uncertain who created Storm. Some data has pointed toward servers in China, and a Chinese woman's name was used to register some domains. Others believe it's headquartered in Russia.

But there is not much solid evidence. "We have no idea where the heck these guys are," said Arbor Networks' Jose Nazario.